aboutsummaryrefslogtreecommitdiffstats
path: root/net/netlabel/netlabel_cipso_v4.c
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2007-07-18 12:28:45 -0400
committerJames Morris <jmorris@namei.org>2007-07-19 10:21:11 -0400
commit23bcdc1adebd3cb47d5666f2e9ecada95c0134e4 (patch)
tree71caf0ac9fa86e4a9cf423d968a2486656c2e196 /net/netlabel/netlabel_cipso_v4.c
parent589f1e81bde732dd0b1bc5d01b6bddd4bcb4527b (diff)
SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement
Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the current runtime status of NetLabel based on the existing configuration. LSMs that make use of NetLabel, i.e. SELinux, can use this new function to determine if they should perform NetLabel access checks. This patch changes the NetLabel/SELinux glue code such that SELinux only enforces NetLabel related access checks when netlbl_enabled() returns true. At present NetLabel is considered to be enabled when there is at least one labeled protocol configuration present. The result is that by default NetLabel is considered to be disabled, however, as soon as an administrator configured a CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing NetLabel related access controls - including unlabeled packet controls. This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL" blocks into a single block to ease future review as recommended by Linus. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/netlabel/netlabel_cipso_v4.c')
-rw-r--r--net/netlabel/netlabel_cipso_v4.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index 24b660f16ce3..c060e3f991f1 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -41,6 +41,7 @@
41 41
42#include "netlabel_user.h" 42#include "netlabel_user.h"
43#include "netlabel_cipso_v4.h" 43#include "netlabel_cipso_v4.h"
44#include "netlabel_mgmt.h"
44 45
45/* Argument struct for cipso_v4_doi_walk() */ 46/* Argument struct for cipso_v4_doi_walk() */
46struct netlbl_cipsov4_doiwalk_arg { 47struct netlbl_cipsov4_doiwalk_arg {
@@ -419,6 +420,8 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
419 ret_val = netlbl_cipsov4_add_pass(info); 420 ret_val = netlbl_cipsov4_add_pass(info);
420 break; 421 break;
421 } 422 }
423 if (ret_val == 0)
424 netlbl_mgmt_protocount_inc();
422 425
423 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, 426 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
424 &audit_info); 427 &audit_info);
@@ -694,6 +697,8 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
694 ret_val = cipso_v4_doi_remove(doi, 697 ret_val = cipso_v4_doi_remove(doi,
695 &audit_info, 698 &audit_info,
696 netlbl_cipsov4_doi_free); 699 netlbl_cipsov4_doi_free);
700 if (ret_val == 0)
701 netlbl_mgmt_protocount_dec();
697 702
698 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, 703 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
699 &audit_info); 704 &audit_info);