author | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:33 -0400 |
committer | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:33 -0400 |
commit | 014ab19a69c325f52d7bae54ceeda73d6307ae0c (patch) | |
tree | 8a69c490accb7d5454bdfeb8c078d846729aeb60 /include | |
parent | 948bf85c1bc9a84754786a9d5dd99b7ecc46451e (diff) |
selinux: Set socket NetLabel based on connection endpoint
Previous work enabled the use of address based NetLabel selectors, which while
highly useful, brought the potential for additional per-packet overhead when
used. This patch attempts to solve that by applying NetLabel socket labels
when sockets are connect()'d. This should alleviate the per-packet NetLabel
labeling for all connected sockets (yes, it even works for connected DGRAM
sockets).
Signed-off-by: Paul Moore <paul.moore@hp.com>
Reviewed-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/net/cipso_ipv4.h | 5 | ||||
-rw-r--r-- | include/net/netlabel.h | 13 |
2 files changed, 18 insertions, 0 deletions
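--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -207,6 +207,7 @@ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
 int cipso_v4_sock_setattr(struct sock *sk,
 			  const struct cipso_v4_doi *doi_def,
 			  const struct netlbl_lsm_secattr *secattr);
+void cipso_v4_sock_delattr(struct sock *sk);
 int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
 int cipso_v4_skbuff_setattr(struct sk_buff *skb,
 			    const struct cipso_v4_doi *doi_def,
@@ -230,6 +231,10 @@ static inline int cipso_v4_sock_setattr(struct sock *sk,
 	return -ENOSYS;
 }
 
+static inline void cipso_v4_sock_delattr(struct sock *sk)
+{
+}
+
 static inline int cipso_v4_sock_getattr(struct sock *sk,
 					struct netlbl_lsm_secattr *secattr)
 {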
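Review bot: The new `cipso_v4_sock_delattr` prototype in the first hunk states nothing about the locking the caller must provide, and since it strips the CIPSO option from a live socket it presumably needs the same socket lock as `cipso_v4_sock_setattr` — worth confirming against the implementation and recording on the declaration, e.g. `/* caller must hold the socket lock, as for cipso_v4_sock_setattr() */`. The `void` return also means a failure to remove the option could not be reported, leaving a stale label on the socket silently; if the implementation is genuinely infallible, a short comment saying so would make that contract explicit. The CONFIG-off stub in the second hunk is consistent with the neighbouring stubs and needs no change.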
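--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -380,8 +380,12 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
 int netlbl_enabled(void);
 int netlbl_sock_setattr(struct sock *sk,
 			const struct netlbl_lsm_secattr *secattr);
+void netlbl_sock_delattr(struct sock *sk);
 int netlbl_sock_getattr(struct sock *sk,
 			struct netlbl_lsm_secattr *secattr);
+int netlbl_conn_setattr(struct sock *sk,
+			struct sockaddr *addr,
+			const struct netlbl_lsm_secattr *secattr);
 int netlbl_skbuff_setattr(struct sk_buff *skb,
 			  u16 family,
 			  const struct netlbl_lsm_secattr *secattr);
@@ -449,11 +453,20 @@ static inline int netlbl_sock_setattr(struct sock *sk,
 {
 	return -ENOSYS;
 }
+static inline void netlbl_sock_delattr(struct sock *sk)
+{
+}
 static inline int netlbl_sock_getattr(struct sock *sk,
 				      struct netlbl_lsm_secattr *secattr)
 {
 	return -ENOSYS;
 }
+static inline int netlbl_conn_setattr(struct sock *sk,
+				      struct sockaddr *addr,
+				      const struct netlbl_lsm_secattr *secattr)
+{
+	return -ENOSYS;
+}
 static inline int netlbl_skbuff_setattr(struct sk_buff *skb,
 					u16 family,
 					const struct netlbl_lsm_secattr *secattr)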
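Review bot: `netlbl_conn_setattr` in the first hunk takes a bare `struct sockaddr *addr` with no accompanying length, so the implementation has to trust that the caller already validated the address length against `sa_family` before any family-specific field (e.g. a `sockaddr_in` address) is read; that precondition belongs on the declaration, e.g. `/* addr must already be validated against its sa_family by the caller */`. The same parameter is declared non-const although the function presumably only reads the endpoint address — if the implementation does not write through it, `const struct sockaddr *addr` would state that to callers (the stub in the second hunk would change to match). As with the first file, `netlbl_sock_delattr` returning `void` means removal failures cannot be surfaced, which is fine only if the underlying operation cannot fail; a one-line comment would settle that for readers.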