author | Eric Dumazet <edumazet@google.com> | 2013-04-08 13:58:11 -0400 |
committer | David S. Miller <davem@davemloft.net> | 2013-04-09 13:23:11 -0400 |
commit | ca10b9e9a8ca7342ee07065289cbe74ac128c169 (patch) | |
tree | 33842f41a127f9da904ddd5d61839590e986e420 /include/linux | |
parent | c802d759623acbd6e1ee9fbdabae89159a513913 (diff) |
selinux: add a skb_owned_by() hook
Commit 90ba9b1986b5ac (tcp: tcp_make_synack() can use alloc_skb())
broke certain SELinux/NetLabel configurations by no longer correctly
assigning the sock to the outgoing SYNACK packet.
Cost of atomic operations on the LISTEN socket is quite big,
and we would like it to happen only if really needed.
This patch introduces a new security_ops->skb_owned_by() method,
that is a void operation unless selinux is active.
Reported-by: Miroslav Vadkerti <mvadkert@redhat.com>
Diagnosed-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-security-module@vger.kernel.org
Acked-by: James Morris <james.l.morris@oracle.com>
Tested-by: Paul Moore <pmoore@redhat.com>
Acked-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/security.h | 8 |
1 files changed, 8 insertions, 0 deletions
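--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1638,6 +1638,7 @@ struct security_operations {
 int (*tun_dev_attach_queue) (void *security);
 int (*tun_dev_attach) (struct sock *sk, void *security);
 int (*tun_dev_open) (void *security);
+void (*skb_owned_by) (struct sk_buff *skb, struct sock *sk);
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2588,6 +2589,8 @@ int security_tun_dev_attach_queue(void *security);
 int security_tun_dev_attach(struct sock *sk, void *security);
 int security_tun_dev_open(void *security);
 
+void security_skb_owned_by(struct sk_buff *skb, struct sock *sk);
+
 #else /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct sock *sock,
 struct sock *other,
@@ -2779,6 +2782,11 @@ static inline int security_tun_dev_open(void *security)
 {
 return 0;
 }
+
+static inline void security_skb_owned_by(struct sk_buff *skb, struct sock *sk)
+{
+}
+
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM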
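Review bot: The new `skb_owned_by` hook added to `struct security_operations` (new-side line 1641) comes with no documentation, while the eight-line diffstat shows no kerneldoc entry was added for it; if this header documents its hooks in the comment block preceding the struct (outside this hunk), an `@skb_owned_by:` entry should accompany the member, stating that it is invoked so the LSM can associate @skb with the owning @sk before transmission and that it has no return value, so an LSM cannot reject the packet here. The stub at new-side lines 2786-2788 would also read better with a one-line comment such as `/* CONFIG_SECURITY_NETWORK=n: no LSM to notify, ownership is left to the caller */`, mirroring the commit description's note that the operation is a no-op unless SELinux is active. The struct definition and both `#ifdef CONFIG_SECURITY_NETWORK` regions begin outside the hunks shown here.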