diff options
author | Paul Moore <paul.moore@hp.com> | 2006-08-29 20:53:48 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 18:18:34 -0400 |
commit | 99f59ed073d3c1b890690064ab285a201dea2e35 (patch) | |
tree | 0f6ae012cf4f988d3ae0c665fd3b12ea05409ec8 /security/selinux/ss | |
parent | fc747e82b40ea50a62eb2aef55bedd4465607cb0 (diff) |
[NetLabel]: Correctly initialize the NetLabel fields.
Fix a problem where the NetLabel specific fields of the sk_security_struct
structure were not being initialized early enough in some cases.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux/ss')
-rw-r--r-- | security/selinux/ss/services.c | 45 |
1 files changed, 43 insertions, 2 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 910afa1ffc31..835b485b2afd 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -2423,6 +2423,45 @@ netlbl_socket_setsid_return: | |||
2423 | } | 2423 | } |
2424 | 2424 | ||
2425 | /** | 2425 | /** |
2426 | * selinux_netlbl_sk_security_init - Setup the NetLabel fields | ||
2427 | * @ssec: the sk_security_struct | ||
2428 | * @family: the socket family | ||
2429 | * | ||
2430 | * Description: | ||
2431 | * Called when a new sk_security_struct is allocated to initialize the NetLabel | ||
2432 | * fields. | ||
2433 | * | ||
2434 | */ | ||
2435 | void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec, | ||
2436 | int family) | ||
2437 | { | ||
2438 | if (family == PF_INET) | ||
2439 | ssec->nlbl_state = NLBL_REQUIRE; | ||
2440 | else | ||
2441 | ssec->nlbl_state = NLBL_UNSET; | ||
2442 | } | ||
2443 | |||
2444 | /** | ||
2445 | * selinux_netlbl_sk_clone_security - Copy the NetLabel fields | ||
2446 | * @ssec: the original sk_security_struct | ||
2447 | * @newssec: the cloned sk_security_struct | ||
2448 | * | ||
2449 | * Description: | ||
2450 | * Clone the NetLabel specific sk_security_struct fields from @ssec to | ||
2451 | * @newssec. | ||
2452 | * | ||
2453 | */ | ||
2454 | void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec, | ||
2455 | struct sk_security_struct *newssec) | ||
2456 | { | ||
2457 | newssec->sclass = ssec->sclass; | ||
2458 | if (ssec->nlbl_state != NLBL_UNSET) | ||
2459 | newssec->nlbl_state = NLBL_REQUIRE; | ||
2460 | else | ||
2461 | newssec->nlbl_state = NLBL_UNSET; | ||
2462 | } | ||
2463 | |||
2464 | /** | ||
2426 | * selinux_netlbl_socket_post_create - Label a socket using NetLabel | 2465 | * selinux_netlbl_socket_post_create - Label a socket using NetLabel |
2427 | * @sock: the socket to label | 2466 | * @sock: the socket to label |
2428 | * @sock_family: the socket family | 2467 | * @sock_family: the socket family |
@@ -2440,10 +2479,11 @@ int selinux_netlbl_socket_post_create(struct socket *sock, | |||
2440 | struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; | 2479 | struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; |
2441 | struct sk_security_struct *sksec = sock->sk->sk_security; | 2480 | struct sk_security_struct *sksec = sock->sk->sk_security; |
2442 | 2481 | ||
2482 | sksec->sclass = isec->sclass; | ||
2483 | |||
2443 | if (sock_family != PF_INET) | 2484 | if (sock_family != PF_INET) |
2444 | return 0; | 2485 | return 0; |
2445 | 2486 | ||
2446 | sksec->sclass = isec->sclass; | ||
2447 | sksec->nlbl_state = NLBL_REQUIRE; | 2487 | sksec->nlbl_state = NLBL_REQUIRE; |
2448 | return selinux_netlbl_socket_setsid(sock, sid); | 2488 | return selinux_netlbl_socket_setsid(sock, sid); |
2449 | } | 2489 | } |
@@ -2463,12 +2503,13 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) | |||
2463 | struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; | 2503 | struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; |
2464 | struct sk_security_struct *sksec = sk->sk_security; | 2504 | struct sk_security_struct *sksec = sk->sk_security; |
2465 | 2505 | ||
2506 | sksec->sclass = isec->sclass; | ||
2507 | |||
2466 | if (sk->sk_family != PF_INET) | 2508 | if (sk->sk_family != PF_INET) |
2467 | return; | 2509 | return; |
2468 | 2510 | ||
2469 | sksec->nlbl_state = NLBL_REQUIRE; | 2511 | sksec->nlbl_state = NLBL_REQUIRE; |
2470 | sksec->peer_sid = sksec->sid; | 2512 | sksec->peer_sid = sksec->sid; |
2471 | sksec->sclass = isec->sclass; | ||
2472 | 2513 | ||
2473 | /* Try to set the NetLabel on the socket to save time later, if we fail | 2514 | /* Try to set the NetLabel on the socket to save time later, if we fail |
2474 | * here we will pick up the pieces in later calls to | 2515 | * here we will pick up the pieces in later calls to |