diff options
author | Paul Moore <paul.moore@hp.com> | 2008-01-29 08:38:23 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-01-29 16:17:25 -0500 |
commit | 220deb966ea51e0dedb6a187c0763120809f3e64 (patch) | |
tree | 7d0e5dd8048907c364b4eeff294991937b466c7e /security/selinux/include | |
parent | f67f4f315f31e7907779adb3296fb6682e755342 (diff) |
SELinux: Better integration between peer labeling subsystems
Rework the handling of network peer labels so that the different peer labeling
subsystems work better together. This includes moving both subsystems to a
single "peer" object class which involves not only changes to the permission
checks but an improved method of consolidating multiple packet peer labels.
As part of this work the inbound packet permission check code has been heavily
modified to handle both the old and new behavior in as sane a fashion as
possible.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include')
-rw-r--r-- | security/selinux/include/netlabel.h | 3 | ||||
-rw-r--r-- | security/selinux/include/objsec.h | 2 | ||||
-rw-r--r-- | security/selinux/include/security.h | 4 |
3 files changed, 8 insertions, 1 deletions
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h index 272769a1cb96..c8c05a6f298c 100644 --- a/security/selinux/include/netlabel.h +++ b/security/selinux/include/netlabel.h | |||
@@ -49,6 +49,7 @@ void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, | |||
49 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, | 49 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, |
50 | u16 family, | 50 | u16 family, |
51 | u32 base_sid, | 51 | u32 base_sid, |
52 | u32 *type, | ||
52 | u32 *sid); | 53 | u32 *sid); |
53 | 54 | ||
54 | void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock); | 55 | void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock); |
@@ -89,8 +90,10 @@ static inline void selinux_netlbl_sk_security_clone( | |||
89 | static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, | 90 | static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, |
90 | u16 family, | 91 | u16 family, |
91 | u32 base_sid, | 92 | u32 base_sid, |
93 | u32 *type, | ||
92 | u32 *sid) | 94 | u32 *sid) |
93 | { | 95 | { |
96 | *type = NETLBL_NLTYPE_NONE; | ||
94 | *sid = SECSID_NULL; | 97 | *sid = SECSID_NULL; |
95 | return 0; | 98 | return 0; |
96 | } | 99 | } |
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 95fb5ec17354..c6c2bb4ebacc 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h | |||
@@ -113,8 +113,8 @@ struct sk_security_struct { | |||
113 | struct sock *sk; /* back pointer to sk object */ | 113 | struct sock *sk; /* back pointer to sk object */ |
114 | u32 sid; /* SID of this object */ | 114 | u32 sid; /* SID of this object */ |
115 | u32 peer_sid; /* SID of peer */ | 115 | u32 peer_sid; /* SID of peer */ |
116 | #ifdef CONFIG_NETLABEL | ||
117 | u16 sclass; /* sock security class */ | 116 | u16 sclass; /* sock security class */ |
117 | #ifdef CONFIG_NETLABEL | ||
118 | enum { /* NetLabel state */ | 118 | enum { /* NetLabel state */ |
119 | NLBL_UNSET = 0, | 119 | NLBL_UNSET = 0, |
120 | NLBL_REQUIRE, | 120 | NLBL_REQUIRE, |
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index a22de9771806..9347e2daa8d4 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -99,6 +99,10 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | |||
99 | 99 | ||
100 | int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid); | 100 | int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid); |
101 | 101 | ||
102 | int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, | ||
103 | u32 xfrm_sid, | ||
104 | u32 *peer_sid); | ||
105 | |||
102 | int security_get_classes(char ***classes, int *nclasses); | 106 | int security_get_classes(char ***classes, int *nclasses); |
103 | int security_get_permissions(char *class, char ***perms, int *nperms); | 107 | int security_get_permissions(char *class, char ***perms, int *nperms); |
104 | int security_get_reject_unknown(void); | 108 | int security_get_reject_unknown(void); |