authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-08-05 02:17:57 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:36 -0400
commit7420ed23a4f77480b5b7b3245e5da30dd24b7575 (patch)
tree016f5bb996c5eae66754b10243c5be6226d773f2 /net
parent96cb8e3313c7a12e026c1ed510522ae6f6023875 (diff)
[NetLabel]: SELinux support
Add NetLabel support to the SELinux LSM and modify the socket_post_create() LSM hook to return an error code. The most significant part of this patch is the addition of NetLabel hooks into the following SELinux LSM hooks: * selinux_file_permission() * selinux_socket_sendmsg() * selinux_socket_post_create() * selinux_socket_sock_rcv_skb() * selinux_socket_getpeersec_stream() * selinux_socket_getpeersec_dgram() * selinux_sock_graft() * selinux_inet_conn_request() The basic reasoning behind this patch is that outgoing packets are "NetLabel'd" by labeling their socket and the NetLabel security attributes are checked via the additional hook in selinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling mechanism, similar to filesystem extended attributes; it is up to the SELinux enforcement mechanism to perform the actual access checks. In addition to the changes outlined above this patch also includes some changes to the extended bitmap (ebitmap) and multi-level security (mls) code to import and export SELinux TE/MLS attributes into and out of NetLabel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/socket.c13
1 files changed, 11 insertions, 2 deletions
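--- a/net/socket.c
+++ b/net/socket.c
@@ -973,11 +973,18 @@ int sock_create_lite(int family, int type, int protocol, struct socket **res)
 		goto out;
 	}
 
-	security_socket_post_create(sock, family, type, protocol, 1);
 	sock->type = type;
+	err = security_socket_post_create(sock, family, type, protocol, 1);
+	if (err)
+		goto out_release;
+
 out:
 	*res = sock;
 	return err;
+out_release:
+	sock_release(sock);
+	sock = NULL;
+	goto out;
 }
 
 /* No kernel lock held - perfect */
@@ -1214,7 +1221,9 @@ static int __sock_create(int family, int type, int protocol, struct socket **res
 	 */
 	module_put(net_families[family]->owner);
 	*res = sock;
-	security_socket_post_create(sock, family, type, protocol, kern);
+	err = security_socket_post_create(sock, family, type, protocol, kern);
+	if (err)
+		goto out_release;
 
 out:
 	net_family_read_unlock();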
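Review bot: In the second hunk (__sock_create) `*res = sock;` is still assigned before the post_create hook, so when the hook fails and the new `goto out_release;` runs, the caller receives an error code together with a pointer to a socket that out_release presumably releases — a dangling reference if any caller touches *res on the error path. The first hunk (sock_create_lite) avoids exactly this by setting `sock = NULL;` before falling through to the `*res = sock;` assignment, but the second hunk does not. Moving the assignment below the check, `if (err) goto out_release; *res = sock;`, or clearing `*res = NULL;` on the out_release path, keeps the two creation paths consistent. The out_release label and the rest of __sock_create lie outside the hunk, so I cannot confirm what it does with sock.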