aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/include
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2008-01-29 08:38:23 -0500
committerJames Morris <jmorris@namei.org>2008-01-29 16:17:25 -0500
commit220deb966ea51e0dedb6a187c0763120809f3e64 (patch)
tree7d0e5dd8048907c364b4eeff294991937b466c7e /security/selinux/include
parentf67f4f315f31e7907779adb3296fb6682e755342 (diff)
SELinux: Better integration between peer labeling subsystems
Rework the handling of network peer labels so that the different peer labeling subsystems work better together. This includes moving both subsystems to a single "peer" object class which involves not only changes to the permission checks but an improved method of consolidating multiple packet peer labels. As part of this work the inbound packet permission check code has been heavily modified to handle both the old and new behavior in as sane a fashion as possible. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include')
-rw-r--r--security/selinux/include/netlabel.h3
-rw-r--r--security/selinux/include/objsec.h2
-rw-r--r--security/selinux/include/security.h4
3 files changed, 8 insertions, 1 deletions
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 272769a1cb96..c8c05a6f298c 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -49,6 +49,7 @@ void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
49int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, 49int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
50 u16 family, 50 u16 family,
51 u32 base_sid, 51 u32 base_sid,
52 u32 *type,
52 u32 *sid); 53 u32 *sid);
53 54
54void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock); 55void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
@@ -89,8 +90,10 @@ static inline void selinux_netlbl_sk_security_clone(
89static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, 90static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
90 u16 family, 91 u16 family,
91 u32 base_sid, 92 u32 base_sid,
93 u32 *type,
92 u32 *sid) 94 u32 *sid)
93{ 95{
96 *type = NETLBL_NLTYPE_NONE;
94 *sid = SECSID_NULL; 97 *sid = SECSID_NULL;
95 return 0; 98 return 0;
96} 99}
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 95fb5ec17354..c6c2bb4ebacc 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -113,8 +113,8 @@ struct sk_security_struct {
113 struct sock *sk; /* back pointer to sk object */ 113 struct sock *sk; /* back pointer to sk object */
114 u32 sid; /* SID of this object */ 114 u32 sid; /* SID of this object */
115 u32 peer_sid; /* SID of peer */ 115 u32 peer_sid; /* SID of peer */
116#ifdef CONFIG_NETLABEL
117 u16 sclass; /* sock security class */ 116 u16 sclass; /* sock security class */
117#ifdef CONFIG_NETLABEL
118 enum { /* NetLabel state */ 118 enum { /* NetLabel state */
119 NLBL_UNSET = 0, 119 NLBL_UNSET = 0,
120 NLBL_REQUIRE, 120 NLBL_REQUIRE,
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index a22de9771806..9347e2daa8d4 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -99,6 +99,10 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
99 99
100int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid); 100int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
101 101
102int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
103 u32 xfrm_sid,
104 u32 *peer_sid);
105
102int security_get_classes(char ***classes, int *nclasses); 106int security_get_classes(char ***classes, int *nclasses);
103int security_get_permissions(char *class, char ***perms, int *nperms); 107int security_get_permissions(char *class, char ***perms, int *nperms);
104int security_get_reject_unknown(void); 108int security_get_reject_unknown(void);