aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-07-25 02:32:20 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:28 -0400
commitcb969f072b6d67770b559617f14e767f47e77ece (patch)
tree4112eb0182e8b3e28b42aebaa40ca25454fc6b76 /security/selinux
parentbeb8d13bed80f8388f1a9a107d07ddd342e627e8 (diff)
[MLSXFRM]: Default labeling of socket specific IPSec policies
This defaults the label of socket-specific IPSec policies to be the same as the socket they are set on. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/include/xfrm.h3
-rw-r--r--security/selinux/xfrm.c33
2 files changed, 24 insertions, 12 deletions
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 8e45c1d588a8..1822c73e5085 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -7,7 +7,8 @@
7#ifndef _SELINUX_XFRM_H_ 7#ifndef _SELINUX_XFRM_H_
8#define _SELINUX_XFRM_H_ 8#define _SELINUX_XFRM_H_
9 9
10int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx); 10int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
11 struct xfrm_user_sec_ctx *sec_ctx, struct sock *sk);
11int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); 12int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
12void selinux_xfrm_policy_free(struct xfrm_policy *xp); 13void selinux_xfrm_policy_free(struct xfrm_policy *xp);
13int selinux_xfrm_policy_delete(struct xfrm_policy *xp); 14int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index c750ef7af66f..d3690f985135 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -208,10 +208,8 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
208 208
209 BUG_ON(uctx && pol); 209 BUG_ON(uctx && pol);
210 210
211 if (pol) 211 if (!uctx)
212 goto from_policy; 212 goto not_from_user;
213
214 BUG_ON(!uctx);
215 213
216 if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX) 214 if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
217 return -EINVAL; 215 return -EINVAL;
@@ -251,11 +249,14 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
251 249
252 return rc; 250 return rc;
253 251
254from_policy: 252not_from_user:
255 BUG_ON(!pol); 253 if (pol) {
256 rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid); 254 rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid);
257 if (rc) 255 if (rc)
258 goto out; 256 goto out;
257 }
258 else
259 ctx_sid = sid;
259 260
260 rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len); 261 rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len);
261 if (rc) 262 if (rc)
@@ -293,13 +294,23 @@ out2:
293 * LSM hook implementation that allocs and transfers uctx spec to 294 * LSM hook implementation that allocs and transfers uctx spec to
294 * xfrm_policy. 295 * xfrm_policy.
295 */ 296 */
296int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *uctx) 297int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
298 struct xfrm_user_sec_ctx *uctx, struct sock *sk)
297{ 299{
298 int err; 300 int err;
301 u32 sid;
299 302
300 BUG_ON(!xp); 303 BUG_ON(!xp);
304 BUG_ON(uctx && sk);
305
306 if (sk) {
307 struct sk_security_struct *ssec = sk->sk_security;
308 sid = ssec->sid;
309 }
310 else
311 sid = SECSID_NULL;
301 312
302 err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, 0); 313 err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, sid);
303 return err; 314 return err;
304} 315}
305 316