author | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:32 -0400 |
committer | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:32 -0400 |
commit | 948bf85c1bc9a84754786a9d5dd99b7ecc46451e (patch) | |
tree | a4706be1f4a5a37408774ef3c4cab8cf2e7775b5 /security/selinux/include | |
parent | 63c41688743760631188cf0f4ae986a6793ccb0a (diff) |
netlabel: Add functionality to set the security attributes of a packet
This patch builds upon the new NetLabel address selector functionality by
providing the NetLabel KAPI and CIPSO engine support needed to enable the
new packet-based labeling. The only new addition to the NetLabel KAPI at
this point is shown below:
* int netlbl_skbuff_setattr(skb, family, secattr)
... and is designed to be called from a Netfilter hook after the packet's
IP header has been populated such as in the FORWARD or LOCAL_OUT hooks.
This patch also provides the necessary SELinux hooks to support this new
functionality. Smack support is not currently included due to uncertainty
regarding the permissions needed to expand the Smack network access controls.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Reviewed-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include')
-rw-r--r-- | security/selinux/include/netlabel.h | 9 | ||||
-rw-r--r-- | security/selinux/include/objsec.h | 1 |
2 files changed, 10 insertions, 0 deletions
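--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -48,6 +48,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 				 u16 family,
 				 u32 *type,
 				 u32 *sid);
+int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
+				 u16 family,
+				 u32 sid);
 
 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
 int selinux_netlbl_socket_post_create(struct socket *sock);
@@ -88,6 +91,12 @@ static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 	*sid = SECSID_NULL;
 	return 0;
 }
+static inline int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
+					       u16 family,
+					       u32 sid)
+{
+	return 0;
+}
 
 static inline void selinux_netlbl_sock_graft(struct sock *sk,
 					     struct socket *sock)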
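Review bot: The stub `selinux_netlbl_skbuff_setsid` added in the second hunk returns 0 with no comment, so a caller in a Netfilter hook on a kernel built without NetLabel gets a success code even though the packet was never labeled; this matches the existing `selinux_netlbl_skbuff_getsid` stub just above it, which also returns 0, so the convention is consistent, but it deserves a one-line comment such as `/* NetLabel disabled: nothing to set, report success like the getsid stub */`. The new prototype in the first hunk carries no kernel-doc either; if the definition in netlabel.c documents the return contract (0 on success, presumably a negative errno on failure), a short note at the declaration would help readers of this header. The conditional block the stub sits in begins outside the hunk.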
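--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -117,6 +117,7 @@ struct sk_security_struct {
 		NLBL_UNSET = 0,
 		NLBL_REQUIRE,
 		NLBL_LABELED,
+		NLBL_REQSKB,
 	} nlbl_state;
 #endif
 };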
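Review bot: `NLBL_REQSKB` is appended to the `nlbl_state` enum without a comment, and nothing in this hunk says how it differs from `NLBL_REQUIRE`; since the commit message describes per-packet labeling from a Netfilter hook, a comment such as `NLBL_REQSKB,	/* labeling required, applied per-skb rather than per-socket — confirm against the setsid path */` would record the intent next to the value. Any `switch` on `nlbl_state` lives outside this diffstat, so whether it handles the new enumerator cannot be checked here. The enclosing `struct sk_security_struct` begins outside the hunk.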