aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-08-05 02:17:57 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:36 -0400
commit7420ed23a4f77480b5b7b3245e5da30dd24b7575 (patch)
tree016f5bb996c5eae66754b10243c5be6226d773f2 /include
parent96cb8e3313c7a12e026c1ed510522ae6f6023875 (diff)
[NetLabel]: SELinux support
Add NetLabel support to the SELinux LSM and modify the socket_post_create() LSM hook to return an error code. The most significant part of this patch is the addition of NetLabel hooks into the following SELinux LSM hooks: * selinux_file_permission() * selinux_socket_sendmsg() * selinux_socket_post_create() * selinux_socket_sock_rcv_skb() * selinux_socket_getpeersec_stream() * selinux_socket_getpeersec_dgram() * selinux_sock_graft() * selinux_inet_conn_request() The basic reasoning behind this patch is that outgoing packets are "NetLabel'd" by labeling their socket and the NetLabel security attributes are checked via the additional hook in selinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling mechanism, similar to filesystem extended attributes, it is up to the SELinux enforcement mechanism to perform the actual access checks. In addition to the changes outlined above this patch also includes some changes to the extended bitmap (ebitmap) and multi-level security (mls) code to import and export SELinux TE/MLS attributes into and out of NetLabel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/security.h25
1 files changed, 13 insertions, 12 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index bb4c80fdfe7a..9f56fb8a4a6c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1341,8 +1341,8 @@ struct security_operations {
1341 int (*unix_may_send) (struct socket * sock, struct socket * other); 1341 int (*unix_may_send) (struct socket * sock, struct socket * other);
1342 1342
1343 int (*socket_create) (int family, int type, int protocol, int kern); 1343 int (*socket_create) (int family, int type, int protocol, int kern);
1344 void (*socket_post_create) (struct socket * sock, int family, 1344 int (*socket_post_create) (struct socket * sock, int family,
1345 int type, int protocol, int kern); 1345 int type, int protocol, int kern);
1346 int (*socket_bind) (struct socket * sock, 1346 int (*socket_bind) (struct socket * sock,
1347 struct sockaddr * address, int addrlen); 1347 struct sockaddr * address, int addrlen);
1348 int (*socket_connect) (struct socket * sock, 1348 int (*socket_connect) (struct socket * sock,
@@ -2824,13 +2824,13 @@ static inline int security_socket_create (int family, int type,
2824 return security_ops->socket_create(family, type, protocol, kern); 2824 return security_ops->socket_create(family, type, protocol, kern);
2825} 2825}
2826 2826
2827static inline void security_socket_post_create(struct socket * sock, 2827static inline int security_socket_post_create(struct socket * sock,
2828 int family, 2828 int family,
2829 int type, 2829 int type,
2830 int protocol, int kern) 2830 int protocol, int kern)
2831{ 2831{
2832 security_ops->socket_post_create(sock, family, type, 2832 return security_ops->socket_post_create(sock, family, type,
2833 protocol, kern); 2833 protocol, kern);
2834} 2834}
2835 2835
2836static inline int security_socket_bind(struct socket * sock, 2836static inline int security_socket_bind(struct socket * sock,
@@ -2982,11 +2982,12 @@ static inline int security_socket_create (int family, int type,
2982 return 0; 2982 return 0;
2983} 2983}
2984 2984
2985static inline void security_socket_post_create(struct socket * sock, 2985static inline int security_socket_post_create(struct socket * sock,
2986 int family, 2986 int family,
2987 int type, 2987 int type,
2988 int protocol, int kern) 2988 int protocol, int kern)
2989{ 2989{
2990 return 0;
2990} 2991}
2991 2992
2992static inline int security_socket_bind(struct socket * sock, 2993static inline int security_socket_bind(struct socket * sock,