selinux: Set socket NetLabel based on connection endpoint

Previous work enabled the use of address based NetLabel selectors, which while highly useful, brought the potential for additional per-packet overhead when used. This patch attempts to solve that by applying NetLabel socket labels when sockets are connect()'d. This should alleviate the per-packet NetLabel labeling for all connected sockets (yes, it even works for connected DGRAM sockets). Signed-off-by: Paul Moore <paul.moore@hp.com> Reviewed-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2008-10-10 10:16:33 -0400
committer: Paul Moore <paul.moore@hp.com> 2008-10-10 10:16:33 -0400
commit: 014ab19a69c325f52d7bae54ceeda73d6307ae0c (patch)
tree: 8a69c490accb7d5454bdfeb8c078d846729aeb60 /security/selinux/hooks.c
parent: 948bf85c1bc9a84754786a9d5dd99b7ecc46451e (diff)
1 files changed, 6 insertions, 5 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7432bdd5d367..632ac3e80a61 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3794,6 +3794,7 @@ out:
 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
 {
+        struct sock *sk = sock->sk;
        struct inode_security_struct *isec;
        int err;
@@ -3807,7 +3808,6 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
        isec = SOCK_INODE(sock)->i_security;
        if (isec->sclass == SECCLASS_TCP_SOCKET ||
            isec->sclass == SECCLASS_DCCP_SOCKET) {
-                struct sock *sk = sock->sk;
                struct avc_audit_data ad;
                struct sockaddr_in *addr4 = NULL;
                struct sockaddr_in6 *addr6 = NULL;
@@ -3841,6 +3841,8 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
                        goto out;
        }
+        err = selinux_netlbl_socket_connect(sk, address);
 out:
        return err;
 }
@@ -4290,8 +4292,6 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
            sk->sk_family == PF_UNIX)
                isec->sid = sksec->sid;
        sksec->sclass = isec->sclass;
-        selinux_netlbl_sock_graft(sk, parent);
 }
 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
@@ -4342,8 +4342,7 @@ static void selinux_inet_csk_clone(struct sock *newsk,
        selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
 }
-static void selinux_inet_conn_established(struct sock *sk,
+static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
-                                struct sk_buff *skb)
 {
        u16 family = sk->sk_family;
        struct sk_security_struct *sksec = sk->sk_security;
@@ -4353,6 +4352,8 @@ static void selinux_inet_conn_established(struct sock *sk,
                family = PF_INET;
        selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
+        selinux_netlbl_inet_conn_established(sk, family);
 }
 static void selinux_req_classify_flow(const struct request_sock *req,
author	Paul Moore <paul.moore@hp.com>	2008-10-10 10:16:33 -0400
committer	Paul Moore <paul.moore@hp.com>	2008-10-10 10:16:33 -0400
commit	014ab19a69c325f52d7bae54ceeda73d6307ae0c (patch)
tree	8a69c490accb7d5454bdfeb8c078d846729aeb60 /security/selinux/hooks.c
parent	948bf85c1bc9a84754786a9d5dd99b7ecc46451e (diff)