authorEric Dumazet <edumazet@google.com>2013-04-08 13:58:11 -0400
committerDavid S. Miller <davem@davemloft.net>2013-04-09 13:23:11 -0400
commitca10b9e9a8ca7342ee07065289cbe74ac128c169 (patch)
tree33842f41a127f9da904ddd5d61839590e986e420 /include/linux
parentc802d759623acbd6e1ee9fbdabae89159a513913 (diff)
selinux: add a skb_owned_by() hook
Commit 90ba9b1986b5ac (tcp: tcp_make_synack() can use alloc_skb()) broke certain SELinux/NetLabel configurations by no longer correctly assigning the sock to the outgoing SYNACK packet. Cost of atomic operations on the LISTEN socket is quite big, and we would like it to happen only if really needed. This patch introduces a new security_ops->skb_owned_by() method, that is a void operation unless selinux is active. Reported-by: Miroslav Vadkerti <mvadkert@redhat.com> Diagnosed-by: Paul Moore <pmoore@redhat.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: linux-security-module@vger.kernel.org Acked-by: James Morris <james.l.morris@oracle.com> Tested-by: Paul Moore <pmoore@redhat.com> Acked-by: Paul Moore <pmoore@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/security.h8
1 files changed, 8 insertions, 0 deletions
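--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1638,6 +1638,7 @@ struct security_operations {
 	int (*tun_dev_attach_queue) (void *security);
 	int (*tun_dev_attach) (struct sock *sk, void *security);
 	int (*tun_dev_open) (void *security);
+	void (*skb_owned_by) (struct sk_buff *skb, struct sock *sk);
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2588,6 +2589,8 @@ int security_tun_dev_attach_queue(void *security);
 int security_tun_dev_attach(struct sock *sk, void *security);
 int security_tun_dev_open(void *security);
 
+void security_skb_owned_by(struct sk_buff *skb, struct sock *sk);
+
 #else /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct sock *sock,
 					       struct sock *other,
@@ -2779,6 +2782,11 @@ static inline int security_tun_dev_open(void *security)
 {
 	return 0;
 }
+
+static inline void security_skb_owned_by(struct sk_buff *skb, struct sock *sk)
+{
+}
+
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM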
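Review bot: The new `skb_owned_by` member added after `tun_dev_open` in `struct security_operations` comes with no description of its contract, and this header conventionally documents every hook in the large comment block near the top of the file (that block is outside this section, so I am inferring the convention rather than seeing the omission). Since the commit message says the hook exists so a SYNACK built with alloc_skb() still gets the LISTEN socket's label under SELinux/NetLabel, the contract worth recording is that it is a notification, not an access check: it cannot fail, and a module that does not label per-socket should leave it as a no-op. I would add, in the style of the neighbouring hook entries, `@skb_owned_by:` / `Inform the LSM that @skb is being transmitted on behalf of @sk even though it was not allocated against @sk, so socket-based labeling can still be applied.` / `Must not fail; a no-op unless the module labels per-socket.` Both `struct security_operations` and the `#else /* CONFIG_SECURITY_NETWORK */` stub block begin before this section, so the new declarations are shown without their enclosing definitions.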