selinux: Deprecate and schedule the removal of the the compat_net functionality

This patch is the first step towards removing the old "compat_net" code from the kernel. Secmark, the "compat_net" replacement was first introduced in 2.6.18 (September 2006) and the major Linux distributions with SELinux support have transitioned to Secmark so it is time to start deprecating the "compat_net" mechanism. Testing a patched version of 2.6.28-rc6 with the initial release of Fedora Core 5 did not show any problems when running in enforcing mode. This patch adds an entry to the feature-removal-schedule.txt file and removes the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing Secmark on by default although it can still be disabled at runtime. The patch also makes the Secmark permission checks "dynamic" in the sense that they are only executed when Secmark is configured; this should help prevent problems with older distributions that have not yet migrated to Secmark. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2008-12-31 12:54:11 -0500
committer: Paul Moore <paul.moore@hp.com> 2008-12-31 12:54:11 -0500
commit: 277d342fc423fca5e66e677fe629d1b2f8f1b9e2 (patch)
tree: 733f8694020df6ff8d9e21e2419b0df71aeb4351 /security/selinux/hooks.c
parent: 6c2e8ac0953fccdd24dc6c4b9e08e8f1cd68cf07 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index dbeaa783b2a9..df30a7555d8a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4185,7 +4185,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
                                       u16 family)
 {
-        int err;
+        int err = 0;
        struct sk_security_struct *sksec = sk->sk_security;
        u32 peer_sid;
        u32 sk_sid = sksec->sid;
@@ -4202,7 +4202,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
        if (selinux_compat_net)
                err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
                                                           family, addrp);
-        else
+        else if (selinux_secmark_enabled())
                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
                                   PACKET__RECV, &ad);
        if (err)
@@ -4705,7 +4705,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
                if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
                                                         &ad, family, addrp))
                        return NF_DROP;
-        } else {
+        } else if (selinux_secmark_enabled()) {
                if (avc_has_perm(sksec->sid, skb->secmark,
                                 SECCLASS_PACKET, PACKET__SEND, &ad))
                        return NF_DROP;
author	Paul Moore <paul.moore@hp.com>	2008-12-31 12:54:11 -0500
committer	Paul Moore <paul.moore@hp.com>	2008-12-31 12:54:11 -0500
commit	277d342fc423fca5e66e677fe629d1b2f8f1b9e2 (patch)
tree	733f8694020df6ff8d9e21e2419b0df71aeb4351 /security/selinux/hooks.c
parent	6c2e8ac0953fccdd24dc6c4b9e08e8f1cd68cf07 (diff)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index dbeaa783b2a9..df30a7555d8a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -4185,7 +4185,7 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4185	static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,	4185	static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,
4186	u16 family)	4186	u16 family)
4187	{	4187	{
4188	int err;	4188	int err = 0;
4189	struct sk_security_struct *sksec = sk->sk_security;	4189	struct sk_security_struct *sksec = sk->sk_security;
4190	u32 peer_sid;	4190	u32 peer_sid;
4191	u32 sk_sid = sksec->sid;	4191	u32 sk_sid = sksec->sid;
@@ -4202,7 +4202,7 @@ static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,
4202	if (selinux_compat_net)	4202	if (selinux_compat_net)
4203	err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,	4203	err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4204	family, addrp);	4204	family, addrp);
4205	else	4205	else if (selinux_secmark_enabled())
4206	err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,	4206	err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4207	PACKET__RECV, &ad);	4207	PACKET__RECV, &ad);
4208	if (err)	4208	if (err)
@@ -4705,7 +4705,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4705	if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,	4705	if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4706	&ad, family, addrp))	4706	&ad, family, addrp))
4707	return NF_DROP;	4707	return NF_DROP;
4708	} else {	4708	} else if (selinux_secmark_enabled()) {
4709	if (avc_has_perm(sksec->sid, skb->secmark,	4709	if (avc_has_perm(sksec->sid, skb->secmark,
4710	SECCLASS_PACKET, PACKET__SEND, &ad))	4710	SECCLASS_PACKET, PACKET__SEND, &ad))
4711	return NF_DROP;	4711	return NF_DROP;