diff options
| author | Eric Paris <eparis@redhat.com> | 2010-10-13 16:24:41 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2010-10-20 19:12:48 -0400 |
| commit | 2606fd1fa5710205b23ee859563502aa18362447 (patch) | |
| tree | f79becd7010a2da1a765829fce0e09327cd50531 /net | |
| parent | 15714f7b58011cf3948cab2988abea560240c74f (diff) | |
secmark: make secmark object handling generic
Right now secmark has lots of direct selinux calls. Use all LSM calls and
remove all SELinux specific knowledge. The only SELinux specific knowledge
we leave is the mode. The only point is to make sure that other LSMs at
least test this generic code before they assume it works. (They may also
have to make changes if they do not represent labels as strings)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Paul Moore <paul.moore@hp.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/xt_CT.c | 1 | ||||
| -rw-r--r-- | net/netfilter/xt_SECMARK.c | 35 |
2 files changed, 17 insertions, 19 deletions
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c index 0cb6053f02fd..782e51986a6f 100644 --- a/net/netfilter/xt_CT.c +++ b/net/netfilter/xt_CT.c | |||
| @@ -9,7 +9,6 @@ | |||
| 9 | #include <linux/module.h> | 9 | #include <linux/module.h> |
| 10 | #include <linux/gfp.h> | 10 | #include <linux/gfp.h> |
| 11 | #include <linux/skbuff.h> | 11 | #include <linux/skbuff.h> |
| 12 | #include <linux/selinux.h> | ||
| 13 | #include <linux/netfilter_ipv4/ip_tables.h> | 12 | #include <linux/netfilter_ipv4/ip_tables.h> |
| 14 | #include <linux/netfilter_ipv6/ip6_tables.h> | 13 | #include <linux/netfilter_ipv6/ip6_tables.h> |
| 15 | #include <linux/netfilter/x_tables.h> | 14 | #include <linux/netfilter/x_tables.h> |
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index 364ad1600129..9faf5e050b79 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c | |||
| @@ -14,8 +14,8 @@ | |||
| 14 | */ | 14 | */ |
| 15 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | 15 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
| 16 | #include <linux/module.h> | 16 | #include <linux/module.h> |
| 17 | #include <linux/security.h> | ||
| 17 | #include <linux/skbuff.h> | 18 | #include <linux/skbuff.h> |
| 18 | #include <linux/selinux.h> | ||
| 19 | #include <linux/netfilter/x_tables.h> | 19 | #include <linux/netfilter/x_tables.h> |
| 20 | #include <linux/netfilter/xt_SECMARK.h> | 20 | #include <linux/netfilter/xt_SECMARK.h> |
| 21 | 21 | ||
| @@ -39,9 +39,8 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 39 | 39 | ||
| 40 | switch (mode) { | 40 | switch (mode) { |
| 41 | case SECMARK_MODE_SEL: | 41 | case SECMARK_MODE_SEL: |
| 42 | secmark = info->u.sel.selsid; | 42 | secmark = info->secid; |
| 43 | break; | 43 | break; |
| 44 | |||
| 45 | default: | 44 | default: |
| 46 | BUG(); | 45 | BUG(); |
| 47 | } | 46 | } |
| @@ -50,33 +49,33 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 50 | return XT_CONTINUE; | 49 | return XT_CONTINUE; |
| 51 | } | 50 | } |
| 52 | 51 | ||
| 53 | static int checkentry_selinux(struct xt_secmark_target_info *info) | 52 | static int checkentry_lsm(struct xt_secmark_target_info *info) |
| 54 | { | 53 | { |
| 55 | int err; | 54 | int err; |
| 56 | struct xt_secmark_target_selinux_info *sel = &info->u.sel; | ||
| 57 | 55 | ||
| 58 | sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0'; | 56 | info->secctx[SECMARK_SECCTX_MAX - 1] = '\0'; |
| 57 | info->secid = 0; | ||
| 59 | 58 | ||
| 60 | err = selinux_string_to_sid(sel->selctx, &sel->selsid); | 59 | err = security_secctx_to_secid(info->secctx, strlen(info->secctx), |
| 60 | &info->secid); | ||
| 61 | if (err) { | 61 | if (err) { |
| 62 | if (err == -EINVAL) | 62 | if (err == -EINVAL) |
| 63 | pr_info("invalid SELinux context \'%s\'\n", | 63 | pr_info("invalid security context \'%s\'\n", info->secctx); |
| 64 | sel->selctx); | ||
| 65 | return err; | 64 | return err; |
| 66 | } | 65 | } |
| 67 | 66 | ||
| 68 | if (!sel->selsid) { | 67 | if (!info->secid) { |
| 69 | pr_info("unable to map SELinux context \'%s\'\n", sel->selctx); | 68 | pr_info("unable to map security context \'%s\'\n", info->secctx); |
| 70 | return -ENOENT; | 69 | return -ENOENT; |
| 71 | } | 70 | } |
| 72 | 71 | ||
| 73 | err = selinux_secmark_relabel_packet_permission(sel->selsid); | 72 | err = security_secmark_relabel_packet(info->secid); |
| 74 | if (err) { | 73 | if (err) { |
| 75 | pr_info("unable to obtain relabeling permission\n"); | 74 | pr_info("unable to obtain relabeling permission\n"); |
| 76 | return err; | 75 | return err; |
| 77 | } | 76 | } |
| 78 | 77 | ||
| 79 | selinux_secmark_refcount_inc(); | 78 | security_secmark_refcount_inc(); |
| 80 | return 0; | 79 | return 0; |
| 81 | } | 80 | } |
| 82 | 81 | ||
| @@ -100,16 +99,16 @@ static int secmark_tg_check(const struct xt_tgchk_param *par) | |||
| 100 | 99 | ||
| 101 | switch (info->mode) { | 100 | switch (info->mode) { |
| 102 | case SECMARK_MODE_SEL: | 101 | case SECMARK_MODE_SEL: |
| 103 | err = checkentry_selinux(info); | ||
| 104 | if (err) | ||
| 105 | return err; | ||
| 106 | break; | 102 | break; |
| 107 | |||
| 108 | default: | 103 | default: |
| 109 | pr_info("invalid mode: %hu\n", info->mode); | 104 | pr_info("invalid mode: %hu\n", info->mode); |
| 110 | return -EINVAL; | 105 | return -EINVAL; |
| 111 | } | 106 | } |
| 112 | 107 | ||
| 108 | err = checkentry_lsm(info); | ||
| 109 | if (err) | ||
| 110 | return err; | ||
| 111 | |||
| 113 | if (!mode) | 112 | if (!mode) |
| 114 | mode = info->mode; | 113 | mode = info->mode; |
| 115 | return 0; | 114 | return 0; |
| @@ -119,7 +118,7 @@ static void secmark_tg_destroy(const struct xt_tgdtor_param *par) | |||
| 119 | { | 118 | { |
| 120 | switch (mode) { | 119 | switch (mode) { |
| 121 | case SECMARK_MODE_SEL: | 120 | case SECMARK_MODE_SEL: |
| 122 | selinux_secmark_refcount_dec(); | 121 | security_secmark_refcount_dec(); |
| 123 | } | 122 | } |
| 124 | } | 123 | } |
| 125 | 124 | ||