author | Venkat Yekkirala <vyekkirala@TrustedCS.com> | 2006-07-25 02:32:20 -0400 |
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:28 -0400 |
commit | cb969f072b6d67770b559617f14e767f47e77ece (patch) | |
tree | 4112eb0182e8b3e28b42aebaa40ca25454fc6b76 /security/selinux | |
parent | beb8d13bed80f8388f1a9a107d07ddd342e627e8 (diff) |
[MLSXFRM]: Default labeling of socket specific IPSec policies
This defaults the label of socket-specific IPSec policies to be the
same as the socket they are set on.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/include/xfrm.h | 3 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 33 |
2 files changed, 24 insertions, 12 deletions
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index 8e45c1d588a8..1822c73e5085 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h | |||
@@ -7,7 +7,8 @@ | |||
7 | #ifndef _SELINUX_XFRM_H_ | 7 | #ifndef _SELINUX_XFRM_H_ |
8 | #define _SELINUX_XFRM_H_ | 8 | #define _SELINUX_XFRM_H_ |
9 | 9 | ||
10 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx); | 10 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, |
11 | struct xfrm_user_sec_ctx *sec_ctx, struct sock *sk); | ||
11 | int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); | 12 | int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); |
12 | void selinux_xfrm_policy_free(struct xfrm_policy *xp); | 13 | void selinux_xfrm_policy_free(struct xfrm_policy *xp); |
13 | int selinux_xfrm_policy_delete(struct xfrm_policy *xp); | 14 | int selinux_xfrm_policy_delete(struct xfrm_policy *xp); |
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index c750ef7af66f..d3690f985135 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
@@ -208,10 +208,8 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, | |||
208 | 208 | ||
209 | BUG_ON(uctx && pol); | 209 | BUG_ON(uctx && pol); |
210 | 210 | ||
211 | if (pol) | 211 | if (!uctx) |
212 | goto from_policy; | 212 | goto not_from_user; |
213 | |||
214 | BUG_ON(!uctx); | ||
215 | 213 | ||
216 | if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX) | 214 | if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX) |
217 | return -EINVAL; | 215 | return -EINVAL; |
@@ -251,11 +249,14 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, | |||
251 | 249 | ||
252 | return rc; | 250 | return rc; |
253 | 251 | ||
254 | from_policy: | 252 | not_from_user: |
255 | BUG_ON(!pol); | 253 | if (pol) { |
256 | rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid); | 254 | rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid); |
257 | if (rc) | 255 | if (rc) |
258 | goto out; | 256 | goto out; |
257 | } | ||
258 | else | ||
259 | ctx_sid = sid; | ||
259 | 260 | ||
260 | rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len); | 261 | rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len); |
261 | if (rc) | 262 | if (rc) |
@@ -293,13 +294,23 @@ out2: | |||
293 | * LSM hook implementation that allocs and transfers uctx spec to | 294 | * LSM hook implementation that allocs and transfers uctx spec to |
294 | * xfrm_policy. | 295 | * xfrm_policy. |
295 | */ | 296 | */ |
296 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *uctx) | 297 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, |
298 | struct xfrm_user_sec_ctx *uctx, struct sock *sk) | ||
297 | { | 299 | { |
298 | int err; | 300 | int err; |
301 | u32 sid; | ||
299 | 302 | ||
300 | BUG_ON(!xp); | 303 | BUG_ON(!xp); |
304 | BUG_ON(uctx && sk); | ||
305 | |||
306 | if (sk) { | ||
307 | struct sk_security_struct *ssec = sk->sk_security; | ||
308 | sid = ssec->sid; | ||
309 | } | ||
310 | else | ||
311 | sid = SECSID_NULL; | ||
301 | 312 | ||
302 | err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, 0); | 313 | err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, sid); |
303 | return err; | 314 | return err; |
304 | } | 315 | } |
305 | 316 | ||
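Review bot: With the `BUG_ON(!uctx)` of the first hunk removed, a call to selinux_xfrm_policy_alloc with both `uctx` and `sk` NULL now passes `sid = SECSID_NULL` down, takes the new `else ctx_sid = sid;` branch of the second hunk, and continues into `security_sid_to_context(ctx_sid, ...)` with the null SID; whether that call rejects it is not visible in these hunks, so if the contract is that exactly one of `uctx`/`sk` is supplied it should be stated in code next to the new `BUG_ON(uctx && sk);`, e.g. `if (!uctx && !sk) return -EINVAL;`. In the same third hunk `sk->sk_security` is dereferenced without a check — presumably every socket reaching this hook already has its security blob, but that is an assumption to confirm rather than something the hunk shows. The comment above the function (`LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.`) should also say that when `uctx` is NULL the policy is labeled with the SID of the socket passed in `sk`, since that default is what this change introduces and the header-only prototype change in xfrm.h gives no hint of it. Style: the `}` and `else` split over two lines in both the second and third hunks should be `} else` per kernel style. selinux_xfrm_sec_ctx_alloc's body continues outside the first two hunks.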