authorPaul Moore <paul.moore@hp.com>2008-10-10 10:16:33 -0400
committerPaul Moore <paul.moore@hp.com>2008-10-10 10:16:33 -0400
commit014ab19a69c325f52d7bae54ceeda73d6307ae0c (patch)
tree8a69c490accb7d5454bdfeb8c078d846729aeb60 /security/selinux/include
parent948bf85c1bc9a84754786a9d5dd99b7ecc46451e (diff)
selinux: Set socket NetLabel based on connection endpoint
Previous work enabled the use of address based NetLabel selectors, which while highly useful, brought the potential for additional per-packet overhead when used. This patch attempts to solve that by applying NetLabel socket labels when sockets are connect()'d. This should alleviate the per-packet NetLabel labeling for all connected sockets (yes, it even works for connected DGRAM sockets). Signed-off-by: Paul Moore <paul.moore@hp.com> Reviewed-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include')
-rw-r--r--security/selinux/include/netlabel.h19
-rw-r--r--security/selinux/include/objsec.h1
2 files changed, 17 insertions, 3 deletions
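--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -52,7 +52,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
  u16 family,
  u32 sid);
 
-void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
+void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family);
 int selinux_netlbl_socket_post_create(struct socket *sock);
 int selinux_netlbl_inode_permission(struct inode *inode, int mask);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
@@ -62,6 +62,8 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 int selinux_netlbl_socket_setsockopt(struct socket *sock,
  int level,
  int optname);
+int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr);
+
 #else
 static inline void selinux_netlbl_cache_invalidate(void)
 {
@@ -98,8 +100,14 @@ static inline int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
  return 0;
 }
 
-static inline void selinux_netlbl_sock_graft(struct sock *sk,
- struct socket *sock)
+static inline int selinux_netlbl_conn_setsid(struct sock *sk,
+ struct sockaddr *addr)
+{
+ return 0;
+}
+
+static inline void selinux_netlbl_inet_conn_established(struct sock *sk,
+ u16 family)
 {
  return;
 }
@@ -125,6 +133,11 @@ static inline int selinux_netlbl_socket_setsockopt(struct socket *sock,
 {
  return 0;
 }
+static inline int selinux_netlbl_socket_connect(struct sock *sk,
+ struct sockaddr *addr)
+{
+ return 0;
+}
 #endif /* CONFIG_NETLABEL */
 
 #endif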
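Review bot: The `#else` branch adds a stub `static inline int selinux_netlbl_conn_setsid(struct sock *sk, struct sockaddr *addr)`, but no matching prototype appears in the CONFIG_NETLABEL branch of this header in these hunks, so the stub has no counterpart a caller could link against when NetLabel is enabled; if the real function is a file-local helper in netlabel.c, the stub is dead code and should be dropped, otherwise its prototype belongs next to `selinux_netlbl_socket_connect` above `#else`. Separately, `selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)` receives the user-supplied address without its length, so the implementation can only size its reads by `addr->sa_family`; that is safe only if the caller (presumably the socket_connect hook) has already validated `addrlen` for that family, and a one-line comment on the prototype, `/* caller must have validated addrlen against addr->sa_family */`, would pin that contract. The `#ifdef CONFIG_NETLABEL` block enclosing these declarations starts before the first hunk.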
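--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -118,6 +118,7 @@ struct sk_security_struct {
  NLBL_REQUIRE,
  NLBL_LABELED,
  NLBL_REQSKB,
+ NLBL_CONNLABELED,
  } nlbl_state;
 #endif
 };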
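Review bot: `NLBL_CONNLABELED` is added to `nlbl_state` without a comment, and none of the neighbouring constants visible in the hunk explain what each state means, so a reader of the struct cannot tell how this state differs from `NLBL_LABELED`. Based on the commit message, a short trailing comment such as `NLBL_CONNLABELED, /* labeled at connect(); per-packet labeling not required */` would make the intent visible at the definition; confirm the wording against the state transitions in netlabel.c. The `struct sk_security_struct` definition begins outside this hunk.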