diff options
| author | Paul Moore <paul.moore@hp.com> | 2008-01-29 08:38:04 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2008-01-29 16:17:20 -0500 |
| commit | 75e22910cf0c26802b09dac2e34c13e648d3ed02 (patch) | |
| tree | bf5f5c62f6db8a3057a0265dc7748bf310d26d4a /security/selinux/hooks.c | |
| parent | 16efd45435fa695b501b7f73c3259bd7c77cc12c (diff) | |
NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function
In order to do any sort of IP header inspection of incoming packets we need to
know which address family, AF_INET/AF_INET6/etc., it belongs to and since the
sk_buff structure does not store this information we need to pass along the
address family separate from the packet itself.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 33 |
1 files changed, 22 insertions, 11 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 64d414efb404..5df12072c8d5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -3429,6 +3429,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, | |||
| 3429 | /** | 3429 | /** |
| 3430 | * selinux_skb_extlbl_sid - Determine the external label of a packet | 3430 | * selinux_skb_extlbl_sid - Determine the external label of a packet |
| 3431 | * @skb: the packet | 3431 | * @skb: the packet |
| 3432 | * @family: protocol family | ||
| 3432 | * @sid: the packet's SID | 3433 | * @sid: the packet's SID |
| 3433 | * | 3434 | * |
| 3434 | * Description: | 3435 | * Description: |
| @@ -3441,13 +3442,16 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, | |||
| 3441 | * selinux_netlbl_skbuff_getsid(). | 3442 | * selinux_netlbl_skbuff_getsid(). |
| 3442 | * | 3443 | * |
| 3443 | */ | 3444 | */ |
| 3444 | static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid) | 3445 | static void selinux_skb_extlbl_sid(struct sk_buff *skb, |
| 3446 | u16 family, | ||
| 3447 | u32 *sid) | ||
| 3445 | { | 3448 | { |
| 3446 | u32 xfrm_sid; | 3449 | u32 xfrm_sid; |
| 3447 | u32 nlbl_sid; | 3450 | u32 nlbl_sid; |
| 3448 | 3451 | ||
| 3449 | selinux_skb_xfrm_sid(skb, &xfrm_sid); | 3452 | selinux_skb_xfrm_sid(skb, &xfrm_sid); |
| 3450 | if (selinux_netlbl_skbuff_getsid(skb, | 3453 | if (selinux_netlbl_skbuff_getsid(skb, |
| 3454 | family, | ||
| 3451 | (xfrm_sid == SECSID_NULL ? | 3455 | (xfrm_sid == SECSID_NULL ? |
| 3452 | SECINITSID_NETMSG : xfrm_sid), | 3456 | SECINITSID_NETMSG : xfrm_sid), |
| 3453 | &nlbl_sid) != 0) | 3457 | &nlbl_sid) != 0) |
| @@ -3940,7 +3944,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
| 3940 | if (err) | 3944 | if (err) |
| 3941 | goto out; | 3945 | goto out; |
| 3942 | 3946 | ||
| 3943 | err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad); | 3947 | err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); |
| 3944 | if (err) | 3948 | if (err) |
| 3945 | goto out; | 3949 | goto out; |
| 3946 | 3950 | ||
| @@ -3996,18 +4000,25 @@ out: | |||
| 3996 | static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) | 4000 | static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) |
| 3997 | { | 4001 | { |
| 3998 | u32 peer_secid = SECSID_NULL; | 4002 | u32 peer_secid = SECSID_NULL; |
| 3999 | int err = 0; | 4003 | u16 family; |
| 4000 | 4004 | ||
| 4001 | if (sock && sock->sk->sk_family == PF_UNIX) | 4005 | if (sock) |
| 4006 | family = sock->sk->sk_family; | ||
| 4007 | else if (skb && skb->sk) | ||
| 4008 | family = skb->sk->sk_family; | ||
| 4009 | else | ||
| 4010 | goto out; | ||
| 4011 | |||
| 4012 | if (sock && family == PF_UNIX) | ||
| 4002 | selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); | 4013 | selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); |
| 4003 | else if (skb) | 4014 | else if (skb) |
| 4004 | selinux_skb_extlbl_sid(skb, &peer_secid); | 4015 | selinux_skb_extlbl_sid(skb, family, &peer_secid); |
| 4005 | 4016 | ||
| 4006 | if (peer_secid == SECSID_NULL) | 4017 | out: |
| 4007 | err = -EINVAL; | ||
| 4008 | *secid = peer_secid; | 4018 | *secid = peer_secid; |
| 4009 | 4019 | if (peer_secid == SECSID_NULL) | |
| 4010 | return err; | 4020 | return -EINVAL; |
| 4021 | return 0; | ||
| 4011 | } | 4022 | } |
| 4012 | 4023 | ||
| 4013 | static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) | 4024 | static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) |
| @@ -4062,7 +4073,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, | |||
| 4062 | u32 newsid; | 4073 | u32 newsid; |
| 4063 | u32 peersid; | 4074 | u32 peersid; |
| 4064 | 4075 | ||
| 4065 | selinux_skb_extlbl_sid(skb, &peersid); | 4076 | selinux_skb_extlbl_sid(skb, sk->sk_family, &peersid); |
| 4066 | if (peersid == SECSID_NULL) { | 4077 | if (peersid == SECSID_NULL) { |
| 4067 | req->secid = sksec->sid; | 4078 | req->secid = sksec->sid; |
| 4068 | req->peer_secid = SECSID_NULL; | 4079 | req->peer_secid = SECSID_NULL; |
| @@ -4100,7 +4111,7 @@ static void selinux_inet_conn_established(struct sock *sk, | |||
| 4100 | { | 4111 | { |
| 4101 | struct sk_security_struct *sksec = sk->sk_security; | 4112 | struct sk_security_struct *sksec = sk->sk_security; |
| 4102 | 4113 | ||
| 4103 | selinux_skb_extlbl_sid(skb, &sksec->peer_sid); | 4114 | selinux_skb_extlbl_sid(skb, sk->sk_family, &sksec->peer_sid); |
| 4104 | } | 4115 | } |
| 4105 | 4116 | ||
| 4106 | static void selinux_req_classify_flow(const struct request_sock *req, | 4117 | static void selinux_req_classify_flow(const struct request_sock *req, |