author | Venkat Yekkirala <vyekkirala@TrustedCS.com> | 2006-08-05 02:12:42 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:27 -0400 |
commit | beb8d13bed80f8388f1a9a107d07ddd342e627e8 (patch) | |
tree | 19d5763b9b3b8ff3969997565e5ec0edd6e4bd33 /security/selinux/include/xfrm.h | |
parent | 4e2ba18eae7f370c7c3ed96eaca747cc9b39f917 (diff) |
[MLSXFRM]: Add flow labeling
This labels the flows that could utilize IPSec xfrms at the points the
flows are defined so that IPSec policy and SAs at the right label can
be used.
The following protos are currently not handled, but they should
continue to be able to use single-labeled IPSec like they currently
do.
ipmr
ip_gre
ipip
igmp
sit
sctp
ip6_tunnel (IPv6 over IPv6 tunnel device)
decnet
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux/include/xfrm.h')
-rw-r--r-- | security/selinux/include/xfrm.h | 14 |
1 files changed, 1 insertions, 13 deletions
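--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,7 +19,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
 struct xfrm_policy *xp, struct flowi *fl);
 int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm);
-int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl);
+int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall);
 
 
 /*
@@ -33,18 +33,6 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
 return SOCK_INODE(sk->sk_socket)->i_security;
 }
 
-
-static inline u32 selinux_no_sk_sid(struct flowi *fl)
-{
-/* NOTE: no sock occurs on ICMP reply, forwards, ... */
-/* icmp_reply: authorize as kernel packet */
-if (fl && fl->proto == IPPROTO_ICMP) {
-return SECINITSID_KERNEL;
-}
-
-return SECINITSID_ANY_SOCKET;
-}
-
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
 struct avc_audit_data *ad);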
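Review bot: In the new prototype of `selinux_xfrm_decode_session` the second parameter is still called `fl` although its type changed from `struct flowi *` to `u32 *`, so the declaration reads as if it took a flow rather than (presumably) a pointer that receives a security ID. Since this value feeds labeling decisions, I would rename it in the header, e.g. `int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);`. The new `ckall` flag is a bare `int` with no description; a one-line comment above the prototype saying what a non-zero value checks and what is stored through the pointer on error would keep callers from guessing. The diff shown is limited to this header, so whether every caller of the removed `selinux_no_sk_sid()` was converted cannot be confirmed from here.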