aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorHarry Ciao <qingtao.cao@windriver.com>2011-03-02 00:32:34 -0500
committerEric Paris <eparis@redhat.com>2011-03-03 15:19:44 -0500
commit2ad18bdf3b8f84c85c7da7e4de365f7c5701fb3f (patch)
tree7b45743dee9e9de69714da3801aa3f987a3db365 /security/selinux
parent6f5317e730505d5cbc851c435a2dfe3d5a21d343 (diff)
SELinux: Compute SID for the newly created socket
The security context for the newly created socket shares the same user, role and MLS attribute as its creator but may have a different type, which could be specified by a type_transition rule in the relevant policy package. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> [fix call to security_transition_sid to include qstr, Eric Paris] Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c27
1 files changed, 21 insertions, 6 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8294dbfd1f16..3decf07b8dc1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3591,9 +3591,16 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3591 3591
3592/* socket security operations */ 3592/* socket security operations */
3593 3593
3594static u32 socket_sockcreate_sid(const struct task_security_struct *tsec) 3594static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3595 u16 secclass, u32 *socksid)
3595{ 3596{
3596 return tsec->sockcreate_sid ? : tsec->sid; 3597 if (tsec->sockcreate_sid > SECSID_NULL) {
3598 *socksid = tsec->sockcreate_sid;
3599 return 0;
3600 }
3601
3602 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3603 socksid);
3597} 3604}
3598 3605
3599static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) 3606static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
@@ -3617,12 +3624,16 @@ static int selinux_socket_create(int family, int type,
3617 const struct task_security_struct *tsec = current_security(); 3624 const struct task_security_struct *tsec = current_security();
3618 u32 newsid; 3625 u32 newsid;
3619 u16 secclass; 3626 u16 secclass;
3627 int rc;
3620 3628
3621 if (kern) 3629 if (kern)
3622 return 0; 3630 return 0;
3623 3631
3624 newsid = socket_sockcreate_sid(tsec);
3625 secclass = socket_type_to_security_class(family, type, protocol); 3632 secclass = socket_type_to_security_class(family, type, protocol);
3633 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3634 if (rc)
3635 return rc;
3636
3626 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 3637 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3627} 3638}
3628 3639
@@ -3634,12 +3645,16 @@ static int selinux_socket_post_create(struct socket *sock, int family,
3634 struct sk_security_struct *sksec; 3645 struct sk_security_struct *sksec;
3635 int err = 0; 3646 int err = 0;
3636 3647
3648 isec->sclass = socket_type_to_security_class(family, type, protocol);
3649
3637 if (kern) 3650 if (kern)
3638 isec->sid = SECINITSID_KERNEL; 3651 isec->sid = SECINITSID_KERNEL;
3639 else 3652 else {
3640 isec->sid = socket_sockcreate_sid(tsec); 3653 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
3654 if (err)
3655 return err;
3656 }
3641 3657
3642 isec->sclass = socket_type_to_security_class(family, type, protocol);
3643 isec->initialized = 1; 3658 isec->initialized = 1;
3644 3659
3645 if (sock->sk) { 3660 if (sock->sk) {