aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux
diff options
context:
space:
mode:
authorVenkat Yekkirala <vyekkirala@trustedcs.com>2006-11-08 18:04:26 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-03 00:21:34 -0500
commit67f83cbf081a70426ff667e8d14f94e13ed3bdca (patch)
tree776a40733eacb9071478f865e6791daa3f6fd602 /include/linux
parent6b877699c6f1efede4545bcecc367786a472eedb (diff)
SELinux: Fix SA selection semantics
Fix the selection of an SA for an outgoing packet to be at the same context as the originating socket/flow. This eliminates the SELinux policy's ability to use/sendto SAs with contexts other than the socket's. With this patch applied, the SELinux policy will require one or more of the following for a socket to be able to communicate with/without SAs: 1. To enable a socket to communicate without using labeled-IPSec SAs: allow socket_t unlabeled_t:association { sendto recvfrom } 2. To enable a socket to communicate with labeled-IPSec SAs: allow socket_t self:association { sendto }; allow socket_t peer_sa_t:association { recvfrom }; Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/security.h19
1 files changed, 0 insertions, 19 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 84cebcdb3f83..83cdefae9931 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -886,11 +886,6 @@ struct request_sock;
886 * @xp contains the policy to check for a match. 886 * @xp contains the policy to check for a match.
887 * @fl contains the flow to check for a match. 887 * @fl contains the flow to check for a match.
888 * Return 1 if there is a match. 888 * Return 1 if there is a match.
889 * @xfrm_flow_state_match:
890 * @fl contains the flow key to match.
891 * @xfrm points to the xfrm_state to match.
892 * @xp points to the xfrm_policy to match.
893 * Return 1 if there is a match.
894 * @xfrm_decode_session: 889 * @xfrm_decode_session:
895 * @skb points to skb to decode. 890 * @skb points to skb to decode.
896 * @secid points to the flow key secid to set. 891 * @secid points to the flow key secid to set.
@@ -1388,8 +1383,6 @@ struct security_operations {
1388 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir); 1383 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
1389 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x, 1384 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
1390 struct xfrm_policy *xp, struct flowi *fl); 1385 struct xfrm_policy *xp, struct flowi *fl);
1391 int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm,
1392 struct xfrm_policy *xp);
1393 int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall); 1386 int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
1394#endif /* CONFIG_SECURITY_NETWORK_XFRM */ 1387#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1395 1388
@@ -3186,12 +3179,6 @@ static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
3186 return security_ops->xfrm_state_pol_flow_match(x, xp, fl); 3179 return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
3187} 3180}
3188 3181
3189static inline int security_xfrm_flow_state_match(struct flowi *fl,
3190 struct xfrm_state *xfrm, struct xfrm_policy *xp)
3191{
3192 return security_ops->xfrm_flow_state_match(fl, xfrm, xp);
3193}
3194
3195static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) 3182static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
3196{ 3183{
3197 return security_ops->xfrm_decode_session(skb, secid, 1); 3184 return security_ops->xfrm_decode_session(skb, secid, 1);
@@ -3255,12 +3242,6 @@ static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
3255 return 1; 3242 return 1;
3256} 3243}
3257 3244
3258static inline int security_xfrm_flow_state_match(struct flowi *fl,
3259 struct xfrm_state *xfrm, struct xfrm_policy *xp)
3260{
3261 return 1;
3262}
3263
3264static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) 3245static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
3265{ 3246{
3266 return 0; 3247 return 0;