author | Paul Moore <paul.moore@hp.com> | 2006-11-17 17:38:54 -0500 |
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-03 00:24:14 -0500 |
commit | 3de4bab5b9f8848a0c16a4b1ffe0452f0d670237 (patch) | |
tree | f65c12b53bf2ad02645ea31522f67e7318019498 /security/selinux/ss | |
parent | 9f2ad66509b182b399a5b03de487f45bde623524 (diff) |
SELinux: peer secid consolidation for external network labeling
Now that labeled IPsec makes use of the peer_sid field in the
sk_security_struct we can remove a lot of the special cases between labeled
IPsec and NetLabel. In addition, create a new function,
security_skb_extlbl_sid(), which we can use in several places to get the
security context of the packet's external label which allows us to further
simplify the code in a few places.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/ss')
-rw-r--r-- | security/selinux/ss/services.c | 90 |
1 files changed, 28 insertions, 62 deletions
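--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -54,6 +54,7 @@
 #include "mls.h"
 #include "objsec.h"
 #include "selinux_netlabel.h"
+#include "xfrm.h"
 
 extern void selnl_notify_policyload(u32 seqno);
 unsigned int policydb_loaded_version;
@@ -2191,6 +2192,32 @@ void selinux_audit_set_callback(int (*callback)(void))
 	aurule_callback = callback;
 }
 
+/**
+ * security_skb_extlbl_sid - Determine the external label of a packet
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
+ * @sid: the packet's SID
+ *
+ * Description:
+ * Check the various different forms of external packet labeling and determine
+ * the external SID for the packet.
+ *
+ */
+void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
+{
+	u32 xfrm_sid;
+	u32 nlbl_sid;
+
+	selinux_skb_xfrm_sid(skb, &xfrm_sid);
+	if (selinux_netlbl_skbuff_getsid(skb,
+					 (xfrm_sid == SECSID_NULL ?
+					  base_sid : xfrm_sid),
+					 &nlbl_sid) != 0)
+		nlbl_sid = SECSID_NULL;
+
+	*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+}
+
 #ifdef CONFIG_NETLABEL
 /*
  * This is the structure we store inside the NetLabel cache block.
@@ -2408,9 +2435,7 @@ netlbl_secattr_to_sid_return_cleanup:
  * assign to the packet. Returns zero on success, negative values on failure.
  *
  */
-static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
-					u32 base_sid,
-					u32 *sid)
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
 {
 	int rc;
 	struct netlbl_lsm_secattr secattr;
@@ -2616,29 +2641,6 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
 }
 
 /**
- * selinux_netlbl_inet_conn_request - Handle a new connection request
- * @skb: the packet
- * @sock_sid: the SID of the parent socket
- *
- * Description:
- * If present, use the security attributes of the packet in @skb and the
- * parent sock's SID to arrive at a SID for the new child sock.  Returns the
- * SID of the connection or SECSID_NULL on failure.
- *
- */
-u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
-{
-	int rc;
-	u32 peer_sid;
-
-	rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);
-	if (rc != 0)
-		return SECSID_NULL;
-
-	return peer_sid;
-}
-
-/**
  * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
  * @inode: the file descriptor's inode
  * @mask: the permission mask
@@ -2728,42 +2730,6 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 }
 
 /**
- * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
- * @sock: the socket
- *
- * Description:
- * Examine @sock to find the connected peer's SID.  Returns the SID on success
- * or SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
-{
-	struct sk_security_struct *sksec = sock->sk->sk_security;
-	return sksec->peer_sid;
-}
-
-/**
- * selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet
- * @skb: the packet
- *
- * Description:
- * Examine @skb to find the SID assigned to it by NetLabel.  Returns the SID on
- * success, SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
-{
-	int peer_sid;
-
-	if (selinux_netlbl_skbuff_getsid(skb,
-					 SECINITSID_UNLABELED,
-					 &peer_sid) != 0)
-		return SECSID_NULL;
-
-	return peer_sid;
-}
-
-/**
  * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
  * @sock: the socket
  * @level: the socket level or protocol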
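Review bot: In the new security_skb_extlbl_sid() (second hunk) xfrm_sid is declared uninitialized and the return value of selinux_skb_xfrm_sid() is discarded, so the comparison `xfrm_sid == SECSID_NULL` on the next line is only well-defined if that helper writes *sid on every path, which this diff does not show. Defaulting the local with `u32 xfrm_sid = SECSID_NULL;` makes the function safe regardless of the helper's early-return behaviour and costs nothing. The resulting precedence rule is also worth stating in the kernel-doc header, since it is now the single place deciding which external label wins: a NetLabel SID takes priority over the IPsec SID, and when both are present the IPsec SID (rather than @base_sid) is used as the MLS base for the NetLabel lookup, e.g. `* If both a labeled IPsec SID and a NetLabel SID are present the NetLabel SID is returned, with the IPsec SID used as the MLS base; otherwise the IPsec SID, or SECSID_NULL, is returned.` Note the function sits outside the CONFIG_NETLABEL block while selinux_netlbl_skbuff_getsid() is defined inside it and is made non-static in the third hunk, so the build with NetLabel disabled presumably relies on a stub declared in selinux_netlabel.h, which is not part of this diff.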