SELinux: Better integration between peer labeling subsystems

Rework the handling of network peer labels so that the different peer labeling subsystems work better together. This includes moving both subsystems to a single "peer" object class which involves not only changes to the permission checks but an improved method of consolidating multiple packet peer labels. As part of this work the inbound packet permission check code has been heavily modified to handle both the old and new behavior in as sane a fashion as possible. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2008-01-29 08:38:23 -0500
committer: James Morris <jmorris@namei.org> 2008-01-29 16:17:25 -0500
commit: 220deb966ea51e0dedb6a187c0763120809f3e64 (patch)
tree: 7d0e5dd8048907c364b4eeff294991937b466c7e /security/selinux/netlabel.c
parent: f67f4f315f31e7907779adb3296fb6682e755342 (diff)
1 files changed, 3 insertions, 7 deletions
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index f4bcbf12a4c9..b54d28fd3b5d 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -137,7 +137,6 @@ void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
         * lock as other threads could have access to ssec */
        rcu_read_lock();
        selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family);
-        newssec->sclass = ssec->sclass;
        rcu_read_unlock();
 }
@@ -146,6 +145,7 @@ void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
 * @skb: the packet
 * @family: protocol family
 * @base_sid: the SELinux SID to use as a context for MLS only attributes
+ * @type: NetLabel labeling protocol type
 * @sid: the SID
 *
 * Description:
@@ -157,6 +157,7 @@ void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
                                 u16 family,
                                 u32 base_sid,
+                                 u32 *type,
                                 u32 *sid)
 {
        int rc;
@@ -177,6 +178,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
                        netlbl_cache_add(skb, &secattr);
        } else
                *sid = SECSID_NULL;
+        *type = secattr.type;
        netlbl_secattr_destroy(&secattr);
        return rc;
@@ -194,13 +196,10 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 */
 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
 {
-        struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
        struct sk_security_struct *sksec = sk->sk_security;
        struct netlbl_lsm_secattr secattr;
        u32 nlbl_peer_sid;
-        sksec->sclass = isec->sclass;
        rcu_read_lock();
        if (sksec->nlbl_state != NLBL_REQUIRE) {
@@ -238,11 +237,8 @@ int selinux_netlbl_socket_post_create(struct socket *sock)
 {
        int rc = 0;
        struct sock *sk = sock->sk;
-        struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
        struct sk_security_struct *sksec = sk->sk_security;
-        sksec->sclass = isec->sclass;
        rcu_read_lock();
        if (sksec->nlbl_state == NLBL_REQUIRE)
                rc = selinux_netlbl_sock_setsid(sk, sksec->sid);
author	Paul Moore <paul.moore@hp.com>	2008-01-29 08:38:23 -0500
committer	James Morris <jmorris@namei.org>	2008-01-29 16:17:25 -0500
commit	220deb966ea51e0dedb6a187c0763120809f3e64 (patch)
tree	7d0e5dd8048907c364b4eeff294991937b466c7e /security/selinux/netlabel.c
parent	f67f4f315f31e7907779adb3296fb6682e755342 (diff)