authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-08-05 02:08:56 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:22 -0400
commit892c141e62982272b9c738b5520ad0e5e1ad7b42 (patch)
treec8e0c9b3e55106d2cb085a5047b9d02dbbb28653 /include/linux/security.h
parent08554d6b33e60aa8ee40bbef94505941c0eefef2 (diff)
[MLSXFRM]: Add security sid to sock
This adds security for IP sockets at the sock level. Security at the sock level is needed to enforce the SELinux security policy for security associations even when a sock is orphaned (such as in the TCP LAST_ACK state). This will also be used to enforce SELinux controls over data arriving at or leaving a child socket while it's still waiting to be accepted. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/security.h')
-rw-r--r--include/linux/security.h12
1 files changed, 12 insertions, 0 deletions
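--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -812,6 +812,8 @@ struct swap_info_struct;
  * which is used to copy security attributes between local stream sockets.
  * @sk_free_security:
  * Deallocate security structure.
+ * @sk_clone_security:
+ * Clone/copy security structure.
  * @sk_getsid:
  * Retrieve the LSM-specific sid for the sock to enable caching of network
  * authorizations.
@@ -1332,6 +1334,7 @@ struct security_operations {
  int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid);
  int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
  void (*sk_free_security) (struct sock *sk);
+ void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
  unsigned int (*sk_getsid) (struct sock *sk, struct flowi *fl, u8 dir);
 #endif /* CONFIG_SECURITY_NETWORK */
 
@@ -2885,6 +2888,11 @@ static inline void security_sk_free(struct sock *sk)
  return security_ops->sk_free_security(sk);
 }
 
+static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
+{
+ return security_ops->sk_clone_security(sk, newsk);
+}
+
 static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
 {
  return security_ops->sk_getsid(sk, fl, dir);
@@ -3011,6 +3019,10 @@ static inline void security_sk_free(struct sock *sk)
 {
 }
 
+static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
+{
+}
+
 static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
 {
  return 0;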
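Review bot: The kerneldoc entry added for `sk_clone_security` in the first hunk (new lines 815-816) says only "Clone/copy security structure." and does not state which sock is the source and which the destination, even though the `const` on the first parameter of the prototype in the second hunk encodes exactly that. Suggest expanding it to ` *	Clone/copy security structure. @sk is the existing sock whose security state is read (passed const); @newsk is the newly allocated sock that receives the copy.` The commit message indicates this is the child-socket path, so a sentence like ` *	Called when a child sock is derived from a parent sock so the child carries the parent's security state.` would match the neighbouring `sk_getsid` entry's purpose-first style, once checked against the actual call site. Separately, the new `security_sk_clone` wrapper in the third hunk writes `return security_ops->sk_clone_security(sk, newsk);` in a void function; this mirrors the adjacent `security_sk_free`, but a bare call statement without `return` avoids relying on the GCC extension for returning a void expression.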