diff options
| author | Venkat Yekkirala <vyekkirala@trustedcs.com> | 2006-11-08 18:04:09 -0500 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-03 00:21:33 -0500 |
| commit | 6b877699c6f1efede4545bcecc367786a472eedb (patch) | |
| tree | c0a60dc90578fa9f16d4496e2700bc285eab47c0 /security/selinux/xfrm.c | |
| parent | c1a856c9640c9ff3d70bbd8214b6a0974609eef8 (diff) | |
SELinux: Return correct context for SO_PEERSEC
Fix SO_PEERSEC for tcp sockets to return the security context of
the peer (as represented by the SA from the peer) as opposed to the
SA used by the local/source socket.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/xfrm.c')
| -rw-r--r-- | security/selinux/xfrm.c | 40 |
1 files changed, 3 insertions, 37 deletions
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 4d5a043cdfa1..8fef74271f22 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
| @@ -184,7 +184,8 @@ int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm, | |||
| 184 | } | 184 | } |
| 185 | 185 | ||
| 186 | /* | 186 | /* |
| 187 | * LSM hook implementation that determines the sid for the session. | 187 | * LSM hook implementation that checks and/or returns the xfrm sid for the |
| 188 | * incoming packet. | ||
| 188 | */ | 189 | */ |
| 189 | 190 | ||
| 190 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) | 191 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) |
| @@ -403,43 +404,8 @@ void selinux_xfrm_state_free(struct xfrm_state *x) | |||
| 403 | } | 404 | } |
| 404 | 405 | ||
| 405 | /* | 406 | /* |
| 406 | * SELinux internal function to retrieve the context of a connected | ||
| 407 | * (sk->sk_state == TCP_ESTABLISHED) TCP socket based on its security | ||
| 408 | * association used to connect to the remote socket. | ||
| 409 | * | ||
| 410 | * Retrieve via getsockopt SO_PEERSEC. | ||
| 411 | */ | ||
| 412 | u32 selinux_socket_getpeer_stream(struct sock *sk) | ||
| 413 | { | ||
| 414 | struct dst_entry *dst, *dst_test; | ||
| 415 | u32 peer_sid = SECSID_NULL; | ||
| 416 | |||
| 417 | if (sk->sk_state != TCP_ESTABLISHED) | ||
| 418 | goto out; | ||
| 419 | |||
| 420 | dst = sk_dst_get(sk); | ||
| 421 | if (!dst) | ||
| 422 | goto out; | ||
| 423 | |||
| 424 | for (dst_test = dst; dst_test != 0; | ||
| 425 | dst_test = dst_test->child) { | ||
| 426 | struct xfrm_state *x = dst_test->xfrm; | ||
| 427 | |||
| 428 | if (x && selinux_authorizable_xfrm(x)) { | ||
| 429 | struct xfrm_sec_ctx *ctx = x->security; | ||
| 430 | peer_sid = ctx->ctx_sid; | ||
| 431 | break; | ||
| 432 | } | ||
| 433 | } | ||
| 434 | dst_release(dst); | ||
| 435 | |||
| 436 | out: | ||
| 437 | return peer_sid; | ||
| 438 | } | ||
| 439 | |||
| 440 | /* | ||
| 441 | * SELinux internal function to retrieve the context of a UDP packet | 407 | * SELinux internal function to retrieve the context of a UDP packet |
| 442 | * based on its security association used to connect to the remote socket. | 408 | * based on its security association. |
| 443 | * | 409 | * |
| 444 | * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message | 410 | * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message |
| 445 | * type SCM_SECURITY. | 411 | * type SCM_SECURITY. |