author | Venkat Yekkirala <vyekkirala@trustedcs.com> | 2006-11-08 18:04:26 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-03 00:21:34 -0500 |
commit | 67f83cbf081a70426ff667e8d14f94e13ed3bdca (patch) | |
tree | 776a40733eacb9071478f865e6791daa3f6fd602 /security/selinux/include/xfrm.h | |
parent | 6b877699c6f1efede4545bcecc367786a472eedb (diff) |
SELinux: Fix SA selection semantics
Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow. This eliminates the SELinux
policy's ability to use/sendto SAs with contexts other than the socket's.
With this patch applied, the SELinux policy will require one or more of the
following for a socket to be able to communicate with/without SAs:
1. To enable a socket to communicate without using labeled-IPSec SAs:
allow socket_t unlabeled_t:association { sendto recvfrom }
2. To enable a socket to communicate with labeled-IPSec SAs:
allow socket_t self:association { sendto };
allow socket_t peer_sa_t:association { recvfrom };
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include/xfrm.h')
-rw-r--r-- | security/selinux/include/xfrm.h | 7 |
1 files changed, 2 insertions, 5 deletions
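--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,9 +19,6 @@ int selinux_xfrm_state_delete(struct xfrm_state *x);
 int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
 struct xfrm_policy *xp, struct flowi *fl);
-int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm,
-struct xfrm_policy *xp);
-
 
 /*
  * Extract the security blob from the sock (it's actually on the socket)
@@ -38,7 +35,7 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
 int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
 struct avc_audit_data *ad);
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-struct avc_audit_data *ad);
+struct avc_audit_data *ad, u8 proto);
 u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
 int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 #else
@@ -49,7 +46,7 @@ static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
 }
 
 static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-struct avc_audit_data *ad)
+struct avc_audit_data *ad, u8 proto)
 {
 return 0;
 }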
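Review bot: The new `u8 proto` parameter added to `selinux_xfrm_postroute_last` in the second hunk (and mirrored in the `#else` stub in the third) is undocumented in the header, so a caller cannot tell from this file which protocol value is expected or why the postroute check now depends on it. Since this is the only declaration site, a short comment above the real prototype would carry that contract, e.g. `/* proto: protocol of the outgoing packet; presumably used to decide which SAs the postroute association check covers — confirm against the hooks.c caller */`. The parameter is unused in the stub, which is fine for a `static inline` no-op, but the stub and the real prototype must stay in lockstep, so the comment is worth placing where both are visible. The commit message's policy-rule description also belongs somewhere near these declarations, since the header currently says nothing about the sendto/recvfrom association checks it fronts.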