aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2006-02-05 02:27:50 -0500
committerLinus Torvalds <torvalds@g5.osdl.org>2006-02-05 14:06:52 -0500
commitc2b507fda390b8ae90deba9b8cdc3fe727482193 (patch)
tree6c839e9682fd1610dc6a9fb7cca9df2899ff05ca
parent5c0d5d262aa4c5e93f9f5de298cf25d6d8b558c4 (diff)
[PATCH] selinux: require SECURITY_NETWORK
Make SELinux depend on SECURITY_NETWORK (which depends on SECURITY), as it requires the socket hooks for proper operation even in the local case. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--security/selinux/Kconfig2
-rw-r--r--security/selinux/Makefile4
-rw-r--r--security/selinux/hooks.c21
3 files changed, 5 insertions, 22 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index b59582b92283..502f78f13f5f 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -1,6 +1,6 @@
1config SECURITY_SELINUX 1config SECURITY_SELINUX
2 bool "NSA SELinux Support" 2 bool "NSA SELinux Support"
3 depends on SECURITY && NET && INET 3 depends on SECURITY_NETWORK && NET && INET
4 default n 4 default n
5 help 5 help
6 This selects NSA Security-Enhanced Linux (SELinux). 6 This selects NSA Security-Enhanced Linux (SELinux).
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index 06d54d9d20a5..688c0a267b62 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -4,9 +4,7 @@
4 4
5obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/ 5obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
6 6
7selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o 7selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o
8
9selinux-$(CONFIG_SECURITY_NETWORK) += netif.o
10 8
11selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o 9selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
12 10
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4ae834d89bce..b7773bf68efa 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -232,7 +232,6 @@ static void superblock_free_security(struct super_block *sb)
232 kfree(sbsec); 232 kfree(sbsec);
233} 233}
234 234
235#ifdef CONFIG_SECURITY_NETWORK
236static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) 235static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
237{ 236{
238 struct sk_security_struct *ssec; 237 struct sk_security_struct *ssec;
@@ -261,7 +260,6 @@ static void sk_free_security(struct sock *sk)
261 sk->sk_security = NULL; 260 sk->sk_security = NULL;
262 kfree(ssec); 261 kfree(ssec);
263} 262}
264#endif /* CONFIG_SECURITY_NETWORK */
265 263
266/* The security server must be initialized before 264/* The security server must be initialized before
267 any labeling or access decisions can be provided. */ 265 any labeling or access decisions can be provided. */
@@ -2736,8 +2734,6 @@ static void selinux_task_to_inode(struct task_struct *p,
2736 return; 2734 return;
2737} 2735}
2738 2736
2739#ifdef CONFIG_SECURITY_NETWORK
2740
2741/* Returns error only if unable to parse addresses */ 2737/* Returns error only if unable to parse addresses */
2742static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) 2738static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2743{ 2739{
@@ -3556,15 +3552,6 @@ static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3556 3552
3557#endif /* CONFIG_NETFILTER */ 3553#endif /* CONFIG_NETFILTER */
3558 3554
3559#else
3560
3561static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3562{
3563 return 0;
3564}
3565
3566#endif /* CONFIG_SECURITY_NETWORK */
3567
3568static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 3555static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3569{ 3556{
3570 struct task_security_struct *tsec; 3557 struct task_security_struct *tsec;
@@ -4340,7 +4327,6 @@ static struct security_operations selinux_ops = {
4340 .getprocattr = selinux_getprocattr, 4327 .getprocattr = selinux_getprocattr,
4341 .setprocattr = selinux_setprocattr, 4328 .setprocattr = selinux_setprocattr,
4342 4329
4343#ifdef CONFIG_SECURITY_NETWORK
4344 .unix_stream_connect = selinux_socket_unix_stream_connect, 4330 .unix_stream_connect = selinux_socket_unix_stream_connect,
4345 .unix_may_send = selinux_socket_unix_may_send, 4331 .unix_may_send = selinux_socket_unix_may_send,
4346 4332
@@ -4362,7 +4348,6 @@ static struct security_operations selinux_ops = {
4362 .sk_alloc_security = selinux_sk_alloc_security, 4348 .sk_alloc_security = selinux_sk_alloc_security,
4363 .sk_free_security = selinux_sk_free_security, 4349 .sk_free_security = selinux_sk_free_security,
4364 .sk_getsid = selinux_sk_getsid_security, 4350 .sk_getsid = selinux_sk_getsid_security,
4365#endif
4366 4351
4367#ifdef CONFIG_SECURITY_NETWORK_XFRM 4352#ifdef CONFIG_SECURITY_NETWORK_XFRM
4368 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 4353 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
@@ -4440,7 +4425,7 @@ next_sb:
4440 all processes and objects when they are created. */ 4425 all processes and objects when they are created. */
4441security_initcall(selinux_init); 4426security_initcall(selinux_init);
4442 4427
4443#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER) 4428#if defined(CONFIG_NETFILTER)
4444 4429
4445static struct nf_hook_ops selinux_ipv4_op = { 4430static struct nf_hook_ops selinux_ipv4_op = {
4446 .hook = selinux_ipv4_postroute_last, 4431 .hook = selinux_ipv4_postroute_last,
@@ -4501,13 +4486,13 @@ static void selinux_nf_ip_exit(void)
4501} 4486}
4502#endif 4487#endif
4503 4488
4504#else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ 4489#else /* CONFIG_NETFILTER */
4505 4490
4506#ifdef CONFIG_SECURITY_SELINUX_DISABLE 4491#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4507#define selinux_nf_ip_exit() 4492#define selinux_nf_ip_exit()
4508#endif 4493#endif
4509 4494
4510#endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ 4495#endif /* CONFIG_NETFILTER */
4511 4496
4512#ifdef CONFIG_SECURITY_SELINUX_DISABLE 4497#ifdef CONFIG_SECURITY_SELINUX_DISABLE
4513int selinux_disable(void) 4498int selinux_disable(void)