author | Venkat Yekkirala <vyekkirala@trustedcs.com> | 2006-11-08 18:04:26 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-03 00:21:34 -0500 |
commit | 67f83cbf081a70426ff667e8d14f94e13ed3bdca (patch) | |
tree | 776a40733eacb9071478f865e6791daa3f6fd602 /include/linux | |
parent | 6b877699c6f1efede4545bcecc367786a472eedb (diff) |
SELinux: Fix SA selection semantics
Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow. This eliminates the SELinux
policy's ability to use/sendto SAs with contexts other than the socket's.
With this patch applied, the SELinux policy will require one or more of the
following for a socket to be able to communicate with/without SAs:
1. To enable a socket to communicate without using labeled-IPSec SAs:
allow socket_t unlabeled_t:association { sendto recvfrom }
2. To enable a socket to communicate with labeled-IPSec SAs:
allow socket_t self:association { sendto };
allow socket_t peer_sa_t:association { recvfrom };
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/security.h | 19 |
1 files changed, 0 insertions, 19 deletions
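--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -886,11 +886,6 @@ struct request_sock;
  * @xp contains the policy to check for a match.
  * @fl contains the flow to check for a match.
  * Return 1 if there is a match.
- * @xfrm_flow_state_match:
- *	@fl contains the flow key to match.
- *	@xfrm points to the xfrm_state to match.
- *	@xp points to the xfrm_policy to match.
- *	Return 1 if there is a match.
  * @xfrm_decode_session:
  * @skb points to skb to decode.
  * @secid points to the flow key secid to set.
@@ -1388,8 +1383,6 @@ struct security_operations {
 	int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
 	int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
 			struct xfrm_policy *xp, struct flowi *fl);
-	int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm,
-			struct xfrm_policy *xp);
 	int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
 #endif	/* CONFIG_SECURITY_NETWORK_XFRM */
 
@@ -3186,12 +3179,6 @@ static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
 	return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
 }
 
-static inline int security_xfrm_flow_state_match(struct flowi *fl,
-			struct xfrm_state *xfrm, struct xfrm_policy *xp)
-{
-	return security_ops->xfrm_flow_state_match(fl, xfrm, xp);
-}
-
 static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
 {
 	return security_ops->xfrm_decode_session(skb, secid, 1);
@@ -3255,12 +3242,6 @@ static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
 	return 1;
 }
 
-static inline int security_xfrm_flow_state_match(struct flowi *fl,
-			struct xfrm_state *xfrm, struct xfrm_policy *xp)
-{
-	return 1;
-}
-
 static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
 {
 	return 0;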