authorPaul Moore <paul.moore@hp.com>2006-11-17 17:38:54 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-03 00:24:14 -0500
commit3de4bab5b9f8848a0c16a4b1ffe0452f0d670237 (patch)
treef65c12b53bf2ad02645ea31522f67e7318019498 /security/selinux/ss
parent9f2ad66509b182b399a5b03de487f45bde623524 (diff)
SELinux: peer secid consolidation for external network labeling
Now that labeled IPsec makes use of the peer_sid field in the sk_security_struct we can remove a lot of the special cases between labeled IPsec and NetLabel. In addition, create a new function, security_skb_extlbl_sid(), which we can use in several places to get the security context of the packet's external label which allows us to further simplify the code in a few places. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/ss')
-rw-r--r--security/selinux/ss/services.c90
1 files changed, 28 insertions, 62 deletions
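diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b66b454fe72b..b43dd803fd5e 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -54,6 +54,7 @@
 #include "mls.h"
 #include "objsec.h"
 #include "selinux_netlabel.h"
+#include "xfrm.h"
 
 extern void selnl_notify_policyload(u32 seqno);
 unsigned int policydb_loaded_version;
@@ -2191,6 +2192,32 @@ void selinux_audit_set_callback(int (*callback)(void))
  aurule_callback = callback;
 }
 
+/**
+ * security_skb_extlbl_sid - Determine the external label of a packet
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
+ * @sid: the packet's SID
+ *
+ * Description:
+ * Check the various different forms of external packet labeling and determine
+ * the external SID for the packet.
+ *
+ */
+void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
+{
+ u32 xfrm_sid;
+ u32 nlbl_sid;
+
+ selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ if (selinux_netlbl_skbuff_getsid(skb,
+ (xfrm_sid == SECSID_NULL ?
+ base_sid : xfrm_sid),
+ &nlbl_sid) != 0)
+ nlbl_sid = SECSID_NULL;
+
+ *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+}
+
 #ifdef CONFIG_NETLABEL
 /*
  * This is the structure we store inside the NetLabel cache block.
@@ -2408,9 +2435,7 @@ netlbl_secattr_to_sid_return_cleanup:
  * assign to the packet. Returns zero on success, negative values on failure.
  *
  */
-static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
- u32 base_sid,
- u32 *sid)
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
 {
  int rc;
  struct netlbl_lsm_secattr secattr;
@@ -2616,29 +2641,6 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
 }
 
 /**
- * selinux_netlbl_inet_conn_request - Handle a new connection request
- * @skb: the packet
- * @sock_sid: the SID of the parent socket
- *
- * Description:
- * If present, use the security attributes of the packet in @skb and the
- * parent sock's SID to arrive at a SID for the new child sock. Returns the
- * SID of the connection or SECSID_NULL on failure.
- *
- */
-u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
-{
- int rc;
- u32 peer_sid;
-
- rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);
- if (rc != 0)
- return SECSID_NULL;
-
- return peer_sid;
-}
-
-/**
  * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
  * @inode: the file descriptor's inode
  * @mask: the permission mask
@@ -2728,42 +2730,6 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 }
 
 /**
- * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
- * @sock: the socket
- *
- * Description:
- * Examine @sock to find the connected peer's SID. Returns the SID on success
- * or SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
-{
- struct sk_security_struct *sksec = sock->sk->sk_security;
- return sksec->peer_sid;
-}
-
-/**
- * selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet
- * @skb: the packet
- *
- * Description:
- * Examine @skb to find the SID assigned to it by NetLabel. Returns the SID on
- * success, SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
-{
- int peer_sid;
-
- if (selinux_netlbl_skbuff_getsid(skb,
- SECINITSID_UNLABELED,
- &peer_sid) != 0)
- return SECSID_NULL;
-
- return peer_sid;
-}
-
-/**
  * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
  * @sock: the socket
  * @level: the socket level or protocol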
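Review bot: In security_skb_extlbl_sid() (new lines 2206–2219) `xfrm_sid` is declared without an initializer on line 2208 and the return value of selinux_skb_xfrm_sid() on line 2211 is discarded, so if that helper can ever return without storing to its output parameter the comparison on line 2213 and the assignment on line 2218 read an uninitialized u32; initialising it, `u32 xfrm_sid = SECSID_NULL;`, closes that regardless of the helper's contract. The function also folds every non-zero return from selinux_netlbl_skbuff_getsid() into SECSID_NULL (lines 2212–2216), so a packet carrying a NetLabel attribute that fails to map to a SID is indistinguishable to callers from one carrying no NetLabel at all and silently falls back to the IPsec SID, or to SECSID_NULL when neither label is present; that precedence and fallback are not stated in the kernel-doc and would be worth a line, e.g. `* NetLabel takes precedence over the IPsec label; a failed NetLabel lookup is treated as "no NetLabel" and @sid falls back to the IPsec SID, or SECSID_NULL if neither is present.` Note that the function sits outside the #ifdef CONFIG_NETLABEL block that begins on line 2221, so it depends on a non-NetLabel stub of selinux_netlbl_skbuff_getsid() that is not visible in this diff.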