authorPaul Moore <paul.moore@hp.com>2008-01-29 08:38:13 -0500
committerJames Morris <jmorris@namei.org>2008-01-29 16:17:23 -0500
commit224dfbd81e1ff672eb46e7695469c395bd531083 (patch)
treec89c3ab606634a7174db8807b2633df8bb024b8c /security/selinux/hooks.c
parentda5645a28a15aed2e541a814ecf9f7ffcd4c4673 (diff)
SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions
This patch adds a SELinux IP address/node SID caching mechanism similar to the sel_netif_*() functions. The node SID queries in the SELinux hooks files are also modified to take advantage of this new functionality. In addition, remove the address length information from the sk_buff parsing routines as it is redundant since we already have the address family. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c33
1 files changed, 17 insertions, 16 deletions
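diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1a1fa3f20ef0..4bca0af4f2af 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -76,6 +76,7 @@
 #include "avc.h"
 #include "objsec.h"
 #include "netif.h"
+#include "netnode.h"
 #include "xfrm.h"
 #include "netlabel.h"
 
@@ -3395,7 +3396,7 @@ out:
 #endif /* IPV6 */
 
 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
-			     char **addrp, int *len, int src, u8 *proto)
+			     char **addrp, int src, u8 *proto)
 {
 	int ret = 0;
 
@@ -3404,7 +3405,6 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
 		if (ret || !addrp)
 			break;
-		*len = 4;
 		*addrp = (char *)(src ? &ad->u.net.v4info.saddr :
 				  &ad->u.net.v4info.daddr);
 		break;
@@ -3414,7 +3414,6 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
 		if (ret || !addrp)
 			break;
-		*len = 16;
 		*addrp = (char *)(src ? &ad->u.net.v6info.saddr :
 				  &ad->u.net.v6info.daddr);
 		break;
@@ -3614,7 +3613,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 		break;
 	}
 
-	err = security_node_sid(family, addrp, addrlen, &sid);
+	err = sel_netnode_sid(addrp, family, &sid);
 	if (err)
 		goto out;
 
@@ -3826,7 +3825,8 @@ static int selinux_socket_unix_may_send(struct socket *sock,
 }
 
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
-		struct avc_audit_data *ad, u16 family, char *addrp, int len)
+				       struct avc_audit_data *ad,
+				       u16 family, char *addrp)
 {
 	int err = 0;
 	u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
@@ -3886,7 +3886,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 	if (err)
 		goto out;
 
-	err = security_node_sid(family, addrp, len, &node_sid);
+	err = sel_netnode_sid(addrp, family, &node_sid);
 	if (err)
 		goto out;
 
@@ -3915,7 +3915,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
 	u16 family;
 	char *addrp;
-	int len, err = 0;
+	int err = 0;
 	struct avc_audit_data ad;
 	struct sk_security_struct *sksec = sk->sk_security;
 
@@ -3931,13 +3931,12 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 	ad.u.net.netif = skb->iif;
 	ad.u.net.family = family;
 
-	err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
+	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
 	if (err)
 		goto out;
 
 	if (selinux_compat_net)
-		err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
-						  addrp, len);
+		err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family, addrp);
 	else
 		err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
 				   PACKET__RECV, &ad);
@@ -4158,9 +4157,11 @@ out:
 
 #ifdef CONFIG_NETFILTER
 
-static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
+static int selinux_ip_postroute_last_compat(struct sock *sk,
+					    struct net_device *dev,
 					    struct avc_audit_data *ad,
-					    u16 family, char *addrp, int len)
+					    u16 family,
+					    char *addrp)
 {
 	int err = 0;
 	u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
@@ -4211,7 +4212,7 @@ static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *
 	if (err)
 		goto out;
 
-	err = security_node_sid(family, addrp, len, &node_sid);
+	err = sel_netnode_sid(addrp, family, &node_sid);
 	if (err)
 		goto out;
 
@@ -4245,7 +4246,7 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
 					      u16 family)
 {
 	char *addrp;
-	int len, err = 0;
+	int err = 0;
 	struct sock *sk;
 	struct avc_audit_data ad;
 	struct net_device *dev = (struct net_device *)out;
@@ -4262,13 +4263,13 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
 	ad.u.net.netif = dev->ifindex;
 	ad.u.net.family = family;
 
-	err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
+	err = selinux_parse_skb(skb, &ad, &addrp, 0, &proto);
 	if (err)
 		goto out;
 
 	if (selinux_compat_net)
 		err = selinux_ip_postroute_last_compat(sk, dev, &ad,
-						       family, addrp, len);
+						       family, addrp);
 	else
 		err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
 				   PACKET__SEND, &ad);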
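Review bot: In the selinux_socket_bind() hunk the explicit address length that security_node_sid() previously received as `addrlen` is dropped, so `sel_netnode_sid(addrp, family, &sid)` can only infer how many bytes to read at `addrp` from `family`; the code that fills `addrp` and validates the user-supplied sockaddr length sits above the hunk and is not visible here, so the invariant that `family` and the buffer behind `addrp` agree is now silently shared between that switch and the new helper. A one-line comment at the call would make that contract explicit for the next change to either side, e.g. `/* sel_netnode_sid() reads 4 or 16 bytes at addrp depending on family; addrp and family must stay consistent with the switch above */`. The same applies to the two `sel_netnode_sid()` calls in the compat helpers, where `addrp` comes from selinux_parse_skb() pointing into `ad->u.net.v4info`/`v6info` and `family` is passed separately by the caller; a comment on selinux_parse_skb() stating that the width of `*addrp` is tied to `ad->u.net.family` would document the same coupling. selinux_socket_bind()'s body begins outside the hunk, so this is a documentation request rather than an observed defect.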