author | James Morris <james.l.morris@oracle.com> | 2013-10-22 07:26:41 -0400 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2013-10-22 07:26:41 -0400 |
commit | 6f799c97f37fc0ee2c9c427fa0dada637394886c (patch) | |
tree | 1953a953770b8047a95ef4d431bb693433922043 /security/selinux/include | |
parent | eb8948a03704f3dbbfc7e83090e20e93c6c476d2 (diff) | |
parent | 42d64e1add3a1ce8a787116036163b8724362145 (diff) |
Merge branch 'master' of git://git.infradead.org/users/pcmoore/selinux into ra-next
Diffstat (limited to 'security/selinux/include')
-rw-r--r-- | security/selinux/include/objsec.h | 4 | ||||
-rw-r--r-- | security/selinux/include/security.h | 13 | ||||
-rw-r--r-- | security/selinux/include/xfrm.h | 45 |
3 files changed, 29 insertions, 33 deletions
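--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -58,8 +58,8 @@ struct superblock_security_struct {
 	u32 sid; /* SID of file system superblock */
 	u32 def_sid; /* default SID for labeling */
 	u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
-	unsigned int behavior; /* labeling behavior */
-	unsigned char flags; /* which mount options were specified */
+	unsigned short behavior; /* labeling behavior */
+	unsigned short flags; /* which mount options were specified */
 	struct mutex lock;
 	struct list_head isec_head;
 	spinlock_t isec_lock;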
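Review bot: The comment on `flags` (`/* which mount options were specified */`) no longer describes the field: it is widened to `unsigned short` precisely so it can carry the non-mount state bits that security.h now places at 0x0100 and 0x0200, and only the low bits covered by SE_MNTMASK are mount options. Suggest `unsigned short flags; /* low bits: mount options (SE_MNTMASK); high byte: SE_SB* state flags */`. Narrowing `behavior` to `unsigned short` loses nothing given SECURITY_FS_USE_MAX is 7 in security.h, but any caller that still passes an `unsigned int *` for behavior (the old security_fs_use contract) would need updating; presumably that is handled elsewhere in this merge, as it is not visible here. struct superblock_security_struct begins before and ends after this hunk.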
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 8fd8e18ea340..fe341ae37004 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -45,14 +45,15 @@ | |||
45 | /* Mask for just the mount related flags */ | 45 | /* Mask for just the mount related flags */ |
46 | #define SE_MNTMASK 0x0f | 46 | #define SE_MNTMASK 0x0f |
47 | /* Super block security struct flags for mount options */ | 47 | /* Super block security struct flags for mount options */ |
48 | /* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */ | ||
48 | #define CONTEXT_MNT 0x01 | 49 | #define CONTEXT_MNT 0x01 |
49 | #define FSCONTEXT_MNT 0x02 | 50 | #define FSCONTEXT_MNT 0x02 |
50 | #define ROOTCONTEXT_MNT 0x04 | 51 | #define ROOTCONTEXT_MNT 0x04 |
51 | #define DEFCONTEXT_MNT 0x08 | 52 | #define DEFCONTEXT_MNT 0x08 |
53 | #define SBLABEL_MNT 0x10 | ||
52 | /* Non-mount related flags */ | 54 | /* Non-mount related flags */ |
53 | #define SE_SBINITIALIZED 0x10 | 55 | #define SE_SBINITIALIZED 0x0100 |
54 | #define SE_SBPROC 0x20 | 56 | #define SE_SBPROC 0x0200 |
55 | #define SE_SBLABELSUPP 0x40 | ||
56 | 57 | ||
57 | #define CONTEXT_STR "context=" | 58 | #define CONTEXT_STR "context=" |
58 | #define FSCONTEXT_STR "fscontext=" | 59 | #define FSCONTEXT_STR "fscontext=" |
@@ -68,12 +69,15 @@ extern int selinux_enabled; | |||
68 | enum { | 69 | enum { |
69 | POLICYDB_CAPABILITY_NETPEER, | 70 | POLICYDB_CAPABILITY_NETPEER, |
70 | POLICYDB_CAPABILITY_OPENPERM, | 71 | POLICYDB_CAPABILITY_OPENPERM, |
72 | POLICYDB_CAPABILITY_REDHAT1, | ||
73 | POLICYDB_CAPABILITY_ALWAYSNETWORK, | ||
71 | __POLICYDB_CAPABILITY_MAX | 74 | __POLICYDB_CAPABILITY_MAX |
72 | }; | 75 | }; |
73 | #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) | 76 | #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) |
74 | 77 | ||
75 | extern int selinux_policycap_netpeer; | 78 | extern int selinux_policycap_netpeer; |
76 | extern int selinux_policycap_openperm; | 79 | extern int selinux_policycap_openperm; |
80 | extern int selinux_policycap_alwaysnetwork; | ||
77 | 81 | ||
78 | /* | 82 | /* |
79 | * type_datum properties | 83 | * type_datum properties |
@@ -172,8 +176,7 @@ int security_get_allow_unknown(void); | |||
172 | #define SECURITY_FS_USE_NATIVE 7 /* use native label support */ | 176 | #define SECURITY_FS_USE_NATIVE 7 /* use native label support */ |
173 | #define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */ | 177 | #define SECURITY_FS_USE_MAX 7 /* Highest SECURITY_FS_USE_XXX */ |
174 | 178 | ||
175 | int security_fs_use(const char *fstype, unsigned int *behavior, | 179 | int security_fs_use(struct super_block *sb); |
176 | u32 *sid); | ||
177 | 180 | ||
178 | int security_genfs_sid(const char *fstype, char *name, u16 sclass, | 181 | int security_genfs_sid(const char *fstype, char *name, u16 sclass, |
179 | u32 *sid); | 182 | u32 *sid); |
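Review bot: SBLABEL_MNT (0x10) is added under the "mount options" heading and directly below the new "BE CAREFUL, these need to be the low order bits" comment, yet SE_MNTMASK stays 0x0f, so the new bit is excluded from the mount mask while its placement reads as if it were included. If the exclusion is intended (it appears to replace the old SE_SBLABELSUPP state bit removed at old line 55 rather than a user-supplied option), a one-line comment would keep the next reader from folding it into the mask: `#define SBLABEL_MNT 0x10 /* not in SE_MNTMASK: label support, not a user option */`. Separately, the new `int security_fs_use(struct super_block *sb);` prototype relies on `struct super_block` being declared earlier in this header; if no forward declaration or include provides it, `struct super_block;` should precede the prototype, which cannot be confirmed from the hunk.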
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index 6713f04e30ba..0dec76c64cf5 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h | |||
@@ -10,29 +10,21 @@ | |||
10 | #include <net/flow.h> | 10 | #include <net/flow.h> |
11 | 11 | ||
12 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, | 12 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, |
13 | struct xfrm_user_sec_ctx *sec_ctx); | 13 | struct xfrm_user_sec_ctx *uctx); |
14 | int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, | 14 | int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, |
15 | struct xfrm_sec_ctx **new_ctxp); | 15 | struct xfrm_sec_ctx **new_ctxp); |
16 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx); | 16 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx); |
17 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx); | 17 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx); |
18 | int selinux_xfrm_state_alloc(struct xfrm_state *x, | 18 | int selinux_xfrm_state_alloc(struct xfrm_state *x, |
19 | struct xfrm_user_sec_ctx *sec_ctx, u32 secid); | 19 | struct xfrm_user_sec_ctx *uctx); |
20 | int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, | ||
21 | struct xfrm_sec_ctx *polsec, u32 secid); | ||
20 | void selinux_xfrm_state_free(struct xfrm_state *x); | 22 | void selinux_xfrm_state_free(struct xfrm_state *x); |
21 | int selinux_xfrm_state_delete(struct xfrm_state *x); | 23 | int selinux_xfrm_state_delete(struct xfrm_state *x); |
22 | int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); | 24 | int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); |
23 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, | 25 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, |
24 | struct xfrm_policy *xp, const struct flowi *fl); | 26 | struct xfrm_policy *xp, |
25 | 27 | const struct flowi *fl); | |
26 | /* | ||
27 | * Extract the security blob from the sock (it's actually on the socket) | ||
28 | */ | ||
29 | static inline struct inode_security_struct *get_sock_isec(struct sock *sk) | ||
30 | { | ||
31 | if (!sk->sk_socket) | ||
32 | return NULL; | ||
33 | |||
34 | return SOCK_INODE(sk->sk_socket)->i_security; | ||
35 | } | ||
36 | 28 | ||
37 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | 29 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
38 | extern atomic_t selinux_xfrm_refcount; | 30 | extern atomic_t selinux_xfrm_refcount; |
@@ -42,10 +34,10 @@ static inline int selinux_xfrm_enabled(void) | |||
42 | return (atomic_read(&selinux_xfrm_refcount) > 0); | 34 | return (atomic_read(&selinux_xfrm_refcount) > 0); |
43 | } | 35 | } |
44 | 36 | ||
45 | int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, | 37 | int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb, |
46 | struct common_audit_data *ad); | 38 | struct common_audit_data *ad); |
47 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, | 39 | int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, |
48 | struct common_audit_data *ad, u8 proto); | 40 | struct common_audit_data *ad, u8 proto); |
49 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); | 41 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); |
50 | 42 | ||
51 | static inline void selinux_xfrm_notify_policyload(void) | 43 | static inline void selinux_xfrm_notify_policyload(void) |
@@ -64,19 +56,21 @@ static inline int selinux_xfrm_enabled(void) | |||
64 | return 0; | 56 | return 0; |
65 | } | 57 | } |
66 | 58 | ||
67 | static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, | 59 | static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb, |
68 | struct common_audit_data *ad) | 60 | struct common_audit_data *ad) |
69 | { | 61 | { |
70 | return 0; | 62 | return 0; |
71 | } | 63 | } |
72 | 64 | ||
73 | static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, | 65 | static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, |
74 | struct common_audit_data *ad, u8 proto) | 66 | struct common_audit_data *ad, |
67 | u8 proto) | ||
75 | { | 68 | { |
76 | return 0; | 69 | return 0; |
77 | } | 70 | } |
78 | 71 | ||
79 | static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) | 72 | static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, |
73 | int ckall) | ||
80 | { | 74 | { |
81 | *sid = SECSID_NULL; | 75 | *sid = SECSID_NULL; |
82 | return 0; | 76 | return 0; |
@@ -87,10 +81,9 @@ static inline void selinux_xfrm_notify_policyload(void) | |||
87 | } | 81 | } |
88 | #endif | 82 | #endif |
89 | 83 | ||
90 | static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid) | 84 | static inline int selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid) |
91 | { | 85 | { |
92 | int err = selinux_xfrm_decode_session(skb, sid, 0); | 86 | return selinux_xfrm_decode_session(skb, sid, 0); |
93 | BUG_ON(err); | ||
94 | } | 87 | } |
95 | 88 | ||
96 | #endif /* _SELINUX_XFRM_H_ */ | 89 | #endif /* _SELINUX_XFRM_H_ */ |
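Review bot: selinux_skb_xfrm_sid now returns the result of selinux_xfrm_decode_session instead of BUG_ON'ing on it, so a decode failure is propagated rather than trapped and every caller must now check the return value; the header should state that contract. Suggest a comment above the function: `/* Returns 0 on success with *sid set; a negative error from selinux_xfrm_decode_session is passed back and must be handled by the caller (this used to BUG_ON). */`. The stub selinux_xfrm_decode_session for the non-CONFIG_SECURITY_NETWORK_XFRM build, visible at new lines 72-77, always sets *sid to SECSID_NULL and returns 0, so that configuration is unaffected by the change.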