aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/include/selinux_netlabel.h
diff options
context:
space:
mode:
authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-08-05 02:17:57 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:36 -0400
commit7420ed23a4f77480b5b7b3245e5da30dd24b7575 (patch)
tree016f5bb996c5eae66754b10243c5be6226d773f2 /security/selinux/include/selinux_netlabel.h
parent96cb8e3313c7a12e026c1ed510522ae6f6023875 (diff)
[NetLabel]: SELinux support
Add NetLabel support to the SELinux LSM and modify the socket_post_create() LSM hook to return an error code. The most significant part of this patch is the addition of NetLabel hooks into the following SELinux LSM hooks: * selinux_file_permission() * selinux_socket_sendmsg() * selinux_socket_post_create() * selinux_socket_sock_rcv_skb() * selinux_socket_getpeersec_stream() * selinux_socket_getpeersec_dgram() * selinux_sock_graft() * selinux_inet_conn_request() The basic reasoning behind this patch is that outgoing packets are "NetLabel'd" by labeling their socket and the NetLabel security attributes are checked via the additional hook in selinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling mechanism, similar to filesystem extended attributes, it is up to the SELinux enforcement mechanism to perform the actual access checks. In addition to the changes outlined above this patch also includes some changes to the extended bitmap (ebitmap) and multi-level security (mls) code to import and export SELinux TE/MLS attributes into and out of NetLabel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux/include/selinux_netlabel.h')
-rw-r--r--security/selinux/include/selinux_netlabel.h125
1 files changed, 125 insertions, 0 deletions
diff --git a/security/selinux/include/selinux_netlabel.h b/security/selinux/include/selinux_netlabel.h
new file mode 100644
index 000000000000..88c463eef1e1
--- /dev/null
+++ b/security/selinux/include/selinux_netlabel.h
@@ -0,0 +1,125 @@
1/*
2 * SELinux interface to the NetLabel subsystem
3 *
4 * Author : Paul Moore <paul.moore@hp.com>
5 *
6 */
7
8/*
9 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
19 * the GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 *
25 */
26
27#ifndef _SELINUX_NETLABEL_H_
28#define _SELINUX_NETLABEL_H_
29
30#ifdef CONFIG_NETLABEL
31void selinux_netlbl_cache_invalidate(void);
32int selinux_netlbl_socket_post_create(struct socket *sock,
33 int sock_family,
34 u32 sid);
35void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
36u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid);
37int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
38 struct sk_buff *skb,
39 struct avc_audit_data *ad);
40u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);
41u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);
42
43int __selinux_netlbl_inode_permission(struct inode *inode, int mask);
44/**
45 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
46 * @inode: the file descriptor's inode
47 * @mask: the permission mask
48 *
49 * Description:
50 * Looks at a file's inode and if it is marked as a socket protected by
51 * NetLabel then verify that the socket has been labeled, if not try to label
52 * the socket now with the inode's SID. Returns zero on success, negative
53 * values on failure.
54 *
55 */
56static inline int selinux_netlbl_inode_permission(struct inode *inode,
57 int mask)
58{
59 int rc = 0;
60 struct inode_security_struct *isec;
61 struct sk_security_struct *sksec;
62
63 if (!S_ISSOCK(inode->i_mode))
64 return 0;
65
66 isec = inode->i_security;
67 sksec = SOCKET_I(inode)->sk->sk_security;
68 down(&isec->sem);
69 if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
70 (mask & (MAY_WRITE | MAY_APPEND))))
71 rc = __selinux_netlbl_inode_permission(inode, mask);
72 up(&isec->sem);
73
74 return rc;
75}
76#else
77static inline void selinux_netlbl_cache_invalidate(void)
78{
79 return;
80}
81
82static inline int selinux_netlbl_socket_post_create(struct socket *sock,
83 int sock_family,
84 u32 sid)
85{
86 return 0;
87}
88
89static inline void selinux_netlbl_sock_graft(struct sock *sk,
90 struct socket *sock)
91{
92 return;
93}
94
95static inline u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb,
96 u32 sock_sid)
97{
98 return SECSID_NULL;
99}
100
101static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
102 struct sk_buff *skb,
103 struct avc_audit_data *ad)
104{
105 return 0;
106}
107
108static inline u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
109{
110 return SECSID_NULL;
111}
112
113static inline u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
114{
115 return SECSID_NULL;
116}
117
118static inline int selinux_netlbl_inode_permission(struct inode *inode,
119 int mask)
120{
121 return 0;
122}
123#endif /* CONFIG_NETLABEL */
124
125#endif