secmark: make secmark object handling generic

Right now secmark has lots of direct selinux calls. Use all LSM calls and remove all SELinux specific knowledge. The only SELinux specific knowledge we leave is the mode. The only point is to make sure that other LSMs at least test this generic code before they assume it works. (They may also have to make changes if they do not represent labels as strings) Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Paul Moore <paul.moore@hp.com> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: James Morris <jmorris@namei.org>
author: Eric Paris <eparis@redhat.com> 2010-10-13 16:24:41 -0400
committer: James Morris <jmorris@namei.org> 2010-10-20 19:12:48 -0400
commit: 2606fd1fa5710205b23ee859563502aa18362447 (patch)
tree: f79becd7010a2da1a765829fce0e09327cd50531 /include/linux/security.h
parent: 15714f7b58011cf3948cab2988abea560240c74f (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 294a0b228123..d70adc394f62 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -959,6 +959,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      Sets the new child socket's sid to the openreq sid.
 * @inet_conn_established:
 *      Sets the connection's peersid to the secmark on skb.
+ * @secmark_relabel_packet:
+ *      check if the process should be allowed to relabel packets to the given secid
+ * @security_secmark_refcount_inc
+ *      tells the LSM to increment the number of secmark labeling rules loaded
+ * @security_secmark_refcount_dec
+ *      tells the LSM to decrement the number of secmark labeling rules loaded
 * @req_classify_flow:
 *      Sets the flow's sid to the openreq sid.
 * @tun_dev_create:
@@ -1593,6 +1599,9 @@ struct security_operations {
                                  struct request_sock *req);
        void (*inet_csk_clone) (struct sock *newsk, const struct request_sock *req);
        void (*inet_conn_established) (struct sock *sk, struct sk_buff *skb);
+        int (*secmark_relabel_packet) (u32 secid);
+        void (*secmark_refcount_inc) (void);
+        void (*secmark_refcount_dec) (void);
        void (*req_classify_flow) (const struct request_sock *req, struct flowi *fl);
        int (*tun_dev_create)(void);
        void (*tun_dev_post_create)(struct sock *sk);
@@ -2547,6 +2556,9 @@ void security_inet_csk_clone(struct sock *newsk,
                        const struct request_sock *req);
 void security_inet_conn_established(struct sock *sk,
                        struct sk_buff *skb);
+int security_secmark_relabel_packet(u32 secid);
+void security_secmark_refcount_inc(void);
+void security_secmark_refcount_dec(void);
 int security_tun_dev_create(void);
 void security_tun_dev_post_create(struct sock *sk);
 int security_tun_dev_attach(struct sock *sk);
@@ -2701,6 +2713,19 @@ static inline void security_inet_conn_established(struct sock *sk,
 {
 }
+static inline int security_secmark_relabel_packet(u32 secid)
+{
+        return 0;
+}
+static inline void security_secmark_refcount_inc(void)
+{
+}
+static inline void security_secmark_refcount_dec(void)
+{
+}
 static inline int security_tun_dev_create(void)
 {
        return 0;
author	Eric Paris <eparis@redhat.com>	2010-10-13 16:24:41 -0400
committer	James Morris <jmorris@namei.org>	2010-10-20 19:12:48 -0400
commit	2606fd1fa5710205b23ee859563502aa18362447 (patch)
tree	f79becd7010a2da1a765829fce0e09327cd50531 /include/linux/security.h
parent	15714f7b58011cf3948cab2988abea560240c74f (diff)

diff --git a/include/linux/security.h b/include/linux/security.h index 294a0b228123..d70adc394f62 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -959,6 +959,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
959	* Sets the new child socket's sid to the openreq sid.	959	* Sets the new child socket's sid to the openreq sid.
960	* @inet_conn_established:	960	* @inet_conn_established:
961	* Sets the connection's peersid to the secmark on skb.	961	* Sets the connection's peersid to the secmark on skb.
		962	* @secmark_relabel_packet:
		963	* check if the process should be allowed to relabel packets to the given secid
		964	* @security_secmark_refcount_inc
		965	* tells the LSM to increment the number of secmark labeling rules loaded
		966	* @security_secmark_refcount_dec
		967	* tells the LSM to decrement the number of secmark labeling rules loaded
962	* @req_classify_flow:	968	* @req_classify_flow:
963	* Sets the flow's sid to the openreq sid.	969	* Sets the flow's sid to the openreq sid.
964	* @tun_dev_create:	970	* @tun_dev_create:
@@ -1593,6 +1599,9 @@ struct security_operations {
1593	struct request_sock *req);	1599	struct request_sock *req);
1594	void (inet_csk_clone) (struct sock newsk, const struct request_sock *req);	1600	void (inet_csk_clone) (struct sock newsk, const struct request_sock *req);
1595	void (inet_conn_established) (struct sock sk, struct sk_buff *skb);	1601	void (inet_conn_established) (struct sock sk, struct sk_buff *skb);
		1602	int (*secmark_relabel_packet) (u32 secid);
		1603	void (*secmark_refcount_inc) (void);
		1604	void (*secmark_refcount_dec) (void);
1596	void (req_classify_flow) (const struct request_sock req, struct flowi *fl);	1605	void (req_classify_flow) (const struct request_sock req, struct flowi *fl);
1597	int (*tun_dev_create)(void);	1606	int (*tun_dev_create)(void);
1598	void (tun_dev_post_create)(struct sock sk);	1607	void (tun_dev_post_create)(struct sock sk);
@@ -2547,6 +2556,9 @@ void security_inet_csk_clone(struct sock *newsk,
2547	const struct request_sock *req);	2556	const struct request_sock *req);
2548	void security_inet_conn_established(struct sock *sk,	2557	void security_inet_conn_established(struct sock *sk,
2549	struct sk_buff *skb);	2558	struct sk_buff *skb);
		2559	int security_secmark_relabel_packet(u32 secid);
		2560	void security_secmark_refcount_inc(void);
		2561	void security_secmark_refcount_dec(void);
2550	int security_tun_dev_create(void);	2562	int security_tun_dev_create(void);
2551	void security_tun_dev_post_create(struct sock *sk);	2563	void security_tun_dev_post_create(struct sock *sk);
2552	int security_tun_dev_attach(struct sock *sk);	2564	int security_tun_dev_attach(struct sock *sk);
@@ -2701,6 +2713,19 @@ static inline void security_inet_conn_established(struct sock *sk,
2701	{	2713	{
2702	}	2714	}
2703		2715
		2716	static inline int security_secmark_relabel_packet(u32 secid)
		2717	{
		2718	return 0;
		2719	}
		2720
		2721	static inline void security_secmark_refcount_inc(void)
		2722	{
		2723	}
		2724
		2725	static inline void security_secmark_refcount_dec(void)
		2726	{
		2727	}
		2728
2704	static inline int security_tun_dev_create(void)	2729	static inline int security_tun_dev_create(void)
2705	{	2730	{
2706	return 0;	2731	return 0;