aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/include/xfrm.h
diff options
context:
space:
mode:
authorVenkat Yekkirala <vyekkirala@trustedcs.com>2006-11-08 18:04:26 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-03 00:21:34 -0500
commit67f83cbf081a70426ff667e8d14f94e13ed3bdca (patch)
tree776a40733eacb9071478f865e6791daa3f6fd602 /security/selinux/include/xfrm.h
parent6b877699c6f1efede4545bcecc367786a472eedb (diff)
SELinux: Fix SA selection semantics
Fix the selection of an SA for an outgoing packet to be at the same context as the originating socket/flow. This eliminates the SELinux policy's ability to use/sendto SAs with contexts other than the socket's. With this patch applied, the SELinux policy will require one or more of the following for a socket to be able to communicate with/without SAs: 1. To enable a socket to communicate without using labeled-IPSec SAs: allow socket_t unlabeled_t:association { sendto recvfrom } 2. To enable a socket to communicate with labeled-IPSec SAs: allow socket_t self:association { sendto }; allow socket_t peer_sa_t:association { recvfrom }; Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include/xfrm.h')
-rw-r--r--security/selinux/include/xfrm.h7
1 files changed, 2 insertions, 5 deletions
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 27502365d706..ebd7246a4be5 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,9 +19,6 @@ int selinux_xfrm_state_delete(struct xfrm_state *x);
19int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir); 19int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
20int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, 20int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
21 struct xfrm_policy *xp, struct flowi *fl); 21 struct xfrm_policy *xp, struct flowi *fl);
22int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm,
23 struct xfrm_policy *xp);
24
25 22
26/* 23/*
27 * Extract the security blob from the sock (it's actually on the socket) 24 * Extract the security blob from the sock (it's actually on the socket)
@@ -38,7 +35,7 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
38int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, 35int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
39 struct avc_audit_data *ad); 36 struct avc_audit_data *ad);
40int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 37int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
41 struct avc_audit_data *ad); 38 struct avc_audit_data *ad, u8 proto);
42u32 selinux_socket_getpeer_dgram(struct sk_buff *skb); 39u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
43int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); 40int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
44#else 41#else
@@ -49,7 +46,7 @@ static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
49} 46}
50 47
51static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 48static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
52 struct avc_audit_data *ad) 49 struct avc_audit_data *ad, u8 proto)
53{ 50{
54 return 0; 51 return 0;
55} 52}