SELinux: peer secid consolidation for external network labeling

Now that labeled IPsec makes use of the peer_sid field in the sk_security_struct we can remove a lot of the special cases between labeled IPsec and NetLabel. In addition, create a new function, security_skb_extlbl_sid(), which we can use in several places to get the security context of the packet's external label which allows us to further simplify the code in a few places. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2006-11-17 17:38:54 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-12-03 00:24:14 -0500
commit: 3de4bab5b9f8848a0c16a4b1ffe0452f0d670237 (patch)
tree: f65c12b53bf2ad02645ea31522f67e7318019498 /security/selinux/include
parent: 9f2ad66509b182b399a5b03de487f45bde623524 (diff)
3 files changed, 12 insertions, 24 deletions
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 1ef79172cc8c..015f697e925f 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -8,6 +8,7 @@
 #ifndef _SELINUX_SECURITY_H_
 #define _SELINUX_SECURITY_H_
+#include <linux/skbuff.h>
 #include "flask.h"
 #define SECSID_NULL                     0x00000000 /* unspecified SID */
@@ -80,6 +81,8 @@ int security_netif_sid(char *name, u32 *if_sid,
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
        u32 *out_sid);
+void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
                                 u16 tclass);
diff --git a/security/selinux/include/selinux_netlabel.h b/security/selinux/include/selinux_netlabel.h
index 57943f4a8f90..2a732c9033e3 100644
--- a/security/selinux/include/selinux_netlabel.h
+++ b/security/selinux/include/selinux_netlabel.h
@@ -38,14 +38,12 @@
 #ifdef CONFIG_NETLABEL
 void selinux_netlbl_cache_invalidate(void);
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
 int selinux_netlbl_socket_post_create(struct socket *sock);
 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
-u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
                                struct sk_buff *skb,
                                struct avc_audit_data *ad);
-u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);
-u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
                                      int family);
 void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
@@ -62,6 +60,14 @@ static inline void selinux_netlbl_cache_invalidate(void)
        return;
 }
+static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+                                               u32 base_sid,
+                                               u32 *sid)
+{
+        *sid = SECSID_NULL;
+        return 0;
+}
 static inline int selinux_netlbl_socket_post_create(struct socket *sock)
 {
        return 0;
@@ -73,12 +79,6 @@ static inline void selinux_netlbl_sock_graft(struct sock *sk,
        return;
 }
-static inline u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb,
-                                                   u32 sock_sid)
-{
-        return SECSID_NULL;
-}
 static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
                                              struct sk_buff *skb,
                                              struct avc_audit_data *ad)
@@ -86,16 +86,6 @@ static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
        return 0;
 }
-static inline u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
-{
-        return SECSID_NULL;
-}
-static inline u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
-{
-        return SECSID_NULL;
-}
 static inline void selinux_netlbl_sk_security_reset(
                                               struct sk_security_struct *ssec,
                                               int family)
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index ebd7246a4be5..161eb571c82d 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -36,7 +36,6 @@ int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
                        struct avc_audit_data *ad);
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
                        struct avc_audit_data *ad, u8 proto);
-u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
 int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 #else
 static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
@@ -51,10 +50,6 @@ static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
        return 0;
 }
-static inline int selinux_socket_getpeer_dgram(struct sk_buff *skb)
-{
-        return SECSID_NULL;
-}
 static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
 {
        *sid = SECSID_NULL;
author	Paul Moore <paul.moore@hp.com>	2006-11-17 17:38:54 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-12-03 00:24:14 -0500
commit	3de4bab5b9f8848a0c16a4b1ffe0452f0d670237 (patch)
tree	f65c12b53bf2ad02645ea31522f67e7318019498 /security/selinux/include
parent	9f2ad66509b182b399a5b03de487f45bde623524 (diff)