aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/ss
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2006-08-29 20:53:48 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 18:18:34 -0400
commit99f59ed073d3c1b890690064ab285a201dea2e35 (patch)
tree0f6ae012cf4f988d3ae0c665fd3b12ea05409ec8 /security/selinux/ss
parentfc747e82b40ea50a62eb2aef55bedd4465607cb0 (diff)
[NetLabel]: Correctly initialize the NetLabel fields.
Fix a problem where the NetLabel specific fields of the sk_security_struct structure were not being initialized early enough in some cases. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux/ss')
-rw-r--r--security/selinux/ss/services.c45
1 files changed, 43 insertions, 2 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 910afa1ffc31..835b485b2afd 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2423,6 +2423,45 @@ netlbl_socket_setsid_return:
2423} 2423}
2424 2424
2425/** 2425/**
2426 * selinux_netlbl_sk_security_init - Setup the NetLabel fields
2427 * @ssec: the sk_security_struct
2428 * @family: the socket family
2429 *
2430 * Description:
2431 * Called when a new sk_security_struct is allocated to initialize the NetLabel
2432 * fields.
2433 *
2434 */
2435void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
2436 int family)
2437{
2438 if (family == PF_INET)
2439 ssec->nlbl_state = NLBL_REQUIRE;
2440 else
2441 ssec->nlbl_state = NLBL_UNSET;
2442}
2443
2444/**
2445 * selinux_netlbl_sk_clone_security - Copy the NetLabel fields
2446 * @ssec: the original sk_security_struct
2447 * @newssec: the cloned sk_security_struct
2448 *
2449 * Description:
2450 * Clone the NetLabel specific sk_security_struct fields from @ssec to
2451 * @newssec.
2452 *
2453 */
2454void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
2455 struct sk_security_struct *newssec)
2456{
2457 newssec->sclass = ssec->sclass;
2458 if (ssec->nlbl_state != NLBL_UNSET)
2459 newssec->nlbl_state = NLBL_REQUIRE;
2460 else
2461 newssec->nlbl_state = NLBL_UNSET;
2462}
2463
2464/**
2426 * selinux_netlbl_socket_post_create - Label a socket using NetLabel 2465 * selinux_netlbl_socket_post_create - Label a socket using NetLabel
2427 * @sock: the socket to label 2466 * @sock: the socket to label
2428 * @sock_family: the socket family 2467 * @sock_family: the socket family
@@ -2440,10 +2479,11 @@ int selinux_netlbl_socket_post_create(struct socket *sock,
2440 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 2479 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
2441 struct sk_security_struct *sksec = sock->sk->sk_security; 2480 struct sk_security_struct *sksec = sock->sk->sk_security;
2442 2481
2482 sksec->sclass = isec->sclass;
2483
2443 if (sock_family != PF_INET) 2484 if (sock_family != PF_INET)
2444 return 0; 2485 return 0;
2445 2486
2446 sksec->sclass = isec->sclass;
2447 sksec->nlbl_state = NLBL_REQUIRE; 2487 sksec->nlbl_state = NLBL_REQUIRE;
2448 return selinux_netlbl_socket_setsid(sock, sid); 2488 return selinux_netlbl_socket_setsid(sock, sid);
2449} 2489}
@@ -2463,12 +2503,13 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
2463 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 2503 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
2464 struct sk_security_struct *sksec = sk->sk_security; 2504 struct sk_security_struct *sksec = sk->sk_security;
2465 2505
2506 sksec->sclass = isec->sclass;
2507
2466 if (sk->sk_family != PF_INET) 2508 if (sk->sk_family != PF_INET)
2467 return; 2509 return;
2468 2510
2469 sksec->nlbl_state = NLBL_REQUIRE; 2511 sksec->nlbl_state = NLBL_REQUIRE;
2470 sksec->peer_sid = sksec->sid; 2512 sksec->peer_sid = sksec->sid;
2471 sksec->sclass = isec->sclass;
2472 2513
2473 /* Try to set the NetLabel on the socket to save time later, if we fail 2514 /* Try to set the NetLabel on the socket to save time later, if we fail
2474 * here we will pick up the pieces in later calls to 2515 * here we will pick up the pieces in later calls to