Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6

* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: (235 commits)
  [NETFILTER]: Add H.323 conntrack/NAT helper
  [TG3]: Don't mark tg3_test_registers() as returning const.
  [IPV6]: Cleanups for net/ipv6/addrconf.c (kzalloc, early exit) v2
  [IPV6]: Nearly complete kzalloc cleanup for net/ipv6
  [IPV6]: Cleanup of net/ipv6/reassambly.c
  [BRIDGE]: Remove duplicate const from is_link_local() argument type.
  [DECNET]: net/decnet/dn_route.c: fix inconsequent NULL checking
  [TG3]: make drivers/net/tg3.c:tg3_request_irq() static
  [BRIDGE]: use LLC to send STP
  [LLC]: llc_mac_hdr_init const arguments
  [BRIDGE]: allow show/store of group multicast address
  [BRIDGE]: use llc for receiving STP packets
  [BRIDGE]: stp timer to jiffies cleanup
  [BRIDGE]: forwarding remove unneeded preempt and bh diasables
  [BRIDGE]: netfilter inline cleanup
  [BRIDGE]: netfilter VLAN macro cleanup
  [BRIDGE]: netfilter dont use __constant_htons
  [BRIDGE]: netfilter whitespace
  [BRIDGE]: optimize frame pass up
  [BRIDGE]: use kzalloc
  ...

1 files changed, 68 insertions, 0 deletions

diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index b2af7ca496c1..dfab6c886698 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -225,6 +225,74 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
 }
 
 /*
+ * SELinux internal function to retrieve the context of a connected
+ * (sk->sk_state == TCP_ESTABLISHED) TCP socket based on its security
+ * association used to connect to the remote socket.
+ *
+ * Retrieve via getsockopt SO_PEERSEC.
+ */
+u32 selinux_socket_getpeer_stream(struct sock *sk)
+{
+        struct dst_entry *dst, *dst_test;
+        u32 peer_sid = SECSID_NULL;
+
+        if (sk->sk_state != TCP_ESTABLISHED)
+                goto out;
+
+        dst = sk_dst_get(sk);
+        if (!dst)
+                goto out;
+
+        for (dst_test = dst; dst_test != 0;
+             dst_test = dst_test->child) {
+                struct xfrm_state *x = dst_test->xfrm;
+
+                if (x && selinux_authorizable_xfrm(x)) {
+                        struct xfrm_sec_ctx *ctx = x->security;
+                        peer_sid = ctx->ctx_sid;
+                        break;
+                }
+        }
+        dst_release(dst);
+
+out:
+        return peer_sid;
+}
+
+/*
+ * SELinux internal function to retrieve the context of a UDP packet
+ * based on its security association used to connect to the remote socket.
+ *
+ * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
+ * type SCM_SECURITY.
+ */
+u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
+{
+        struct sec_path *sp;
+
+        if (skb == NULL)
+                return SECSID_NULL;
+
+        if (skb->sk->sk_protocol != IPPROTO_UDP)
+                return SECSID_NULL;
+
+        sp = skb->sp;
+        if (sp) {
+                int i;
+
+                for (i = sp->len-1; i >= 0; i--) {
+                        struct xfrm_state *x = sp->x[i].xvec;
+                        if (selinux_authorizable_xfrm(x)) {
+                                struct xfrm_sec_ctx *ctx = x->security;
+                                return ctx->ctx_sid;
+                        }
+                }
+        }
+
+        return SECSID_NULL;
+}
+
+/*
  * LSM hook that controls access to unlabelled packets.  If
  * a xfrm_state is authorizable (defined by macro) then it was
  * already authorized by the IPSec process.  If not, then