aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2007-06-07 21:37:15 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-06-08 16:33:09 -0400
commitba6ff9f2b5c6018b293bd21083ffaa5ad710e671 (patch)
tree7a868d3a1948ab9e1aaf7b6e64e114e0f790370d /security/selinux
parent6363097cc4d182f93788131b5d8f72aa91d950a0 (diff)
[NetLabel]: consolidate the struct socket/sock handling to just struct sock
The current NetLabel code has some redundant APIs which allow both "struct socket" and "struct sock" types to be used; this may have made sense at some point but it is wasteful now. Remove the functions that operate on sockets and convert the callers. Not only does this make the code smaller and more consistent but it pushes the locking burden up to the caller which can be more intelligent about the locks. Also, perform the same conversion (socket to sock) on the SELinux/NetLabel glue code where it make sense. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/netlabel.c36
1 files changed, 21 insertions, 15 deletions
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index bf8750791dd1..e64eca246f1a 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -36,8 +36,8 @@
36#include "security.h" 36#include "security.h"
37 37
38/** 38/**
39 * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism 39 * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
40 * @sock: the socket to label 40 * @sk: the socket to label
41 * @sid: the SID to use 41 * @sid: the SID to use
42 * 42 *
43 * Description: 43 * Description:
@@ -47,17 +47,17 @@
47 * this function and rcu_read_unlock() after this function returns. 47 * this function and rcu_read_unlock() after this function returns.
48 * 48 *
49 */ 49 */
50static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) 50static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid)
51{ 51{
52 int rc; 52 int rc;
53 struct sk_security_struct *sksec = sock->sk->sk_security; 53 struct sk_security_struct *sksec = sk->sk_security;
54 struct netlbl_lsm_secattr secattr; 54 struct netlbl_lsm_secattr secattr;
55 55
56 rc = security_netlbl_sid_to_secattr(sid, &secattr); 56 rc = security_netlbl_sid_to_secattr(sid, &secattr);
57 if (rc != 0) 57 if (rc != 0)
58 return rc; 58 return rc;
59 59
60 rc = netlbl_socket_setattr(sock, &secattr); 60 rc = netlbl_sock_setattr(sk, &secattr);
61 if (rc == 0) { 61 if (rc == 0) {
62 spin_lock_bh(&sksec->nlbl_lock); 62 spin_lock_bh(&sksec->nlbl_lock);
63 sksec->nlbl_state = NLBL_LABELED; 63 sksec->nlbl_state = NLBL_LABELED;
@@ -206,7 +206,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
206 /* Try to set the NetLabel on the socket to save time later, if we fail 206 /* Try to set the NetLabel on the socket to save time later, if we fail
207 * here we will pick up the pieces in later calls to 207 * here we will pick up the pieces in later calls to
208 * selinux_netlbl_inode_permission(). */ 208 * selinux_netlbl_inode_permission(). */
209 selinux_netlbl_socket_setsid(sock, sksec->sid); 209 selinux_netlbl_sock_setsid(sk, sksec->sid);
210 210
211 rcu_read_unlock(); 211 rcu_read_unlock();
212} 212}
@@ -223,14 +223,15 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
223int selinux_netlbl_socket_post_create(struct socket *sock) 223int selinux_netlbl_socket_post_create(struct socket *sock)
224{ 224{
225 int rc = 0; 225 int rc = 0;
226 struct sock *sk = sock->sk;
226 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 227 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
227 struct sk_security_struct *sksec = sock->sk->sk_security; 228 struct sk_security_struct *sksec = sk->sk_security;
228 229
229 sksec->sclass = isec->sclass; 230 sksec->sclass = isec->sclass;
230 231
231 rcu_read_lock(); 232 rcu_read_lock();
232 if (sksec->nlbl_state == NLBL_REQUIRE) 233 if (sksec->nlbl_state == NLBL_REQUIRE)
233 rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 234 rc = selinux_netlbl_sock_setsid(sk, sksec->sid);
234 rcu_read_unlock(); 235 rcu_read_unlock();
235 236
236 return rc; 237 return rc;
@@ -251,14 +252,16 @@ int selinux_netlbl_socket_post_create(struct socket *sock)
251int selinux_netlbl_inode_permission(struct inode *inode, int mask) 252int selinux_netlbl_inode_permission(struct inode *inode, int mask)
252{ 253{
253 int rc; 254 int rc;
254 struct sk_security_struct *sksec; 255 struct sock *sk;
255 struct socket *sock; 256 struct socket *sock;
257 struct sk_security_struct *sksec;
256 258
257 if (!S_ISSOCK(inode->i_mode) || 259 if (!S_ISSOCK(inode->i_mode) ||
258 ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) 260 ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
259 return 0; 261 return 0;
260 sock = SOCKET_I(inode); 262 sock = SOCKET_I(inode);
261 sksec = sock->sk->sk_security; 263 sk = sock->sk;
264 sksec = sk->sk_security;
262 265
263 rcu_read_lock(); 266 rcu_read_lock();
264 if (sksec->nlbl_state != NLBL_REQUIRE) { 267 if (sksec->nlbl_state != NLBL_REQUIRE) {
@@ -266,9 +269,9 @@ int selinux_netlbl_inode_permission(struct inode *inode, int mask)
266 return 0; 269 return 0;
267 } 270 }
268 local_bh_disable(); 271 local_bh_disable();
269 bh_lock_sock_nested(sock->sk); 272 bh_lock_sock_nested(sk);
270 rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 273 rc = selinux_netlbl_sock_setsid(sk, sksec->sid);
271 bh_unlock_sock(sock->sk); 274 bh_unlock_sock(sk);
272 local_bh_enable(); 275 local_bh_enable();
273 rcu_read_unlock(); 276 rcu_read_unlock();
274 277
@@ -345,14 +348,17 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
345 int optname) 348 int optname)
346{ 349{
347 int rc = 0; 350 int rc = 0;
348 struct sk_security_struct *sksec = sock->sk->sk_security; 351 struct sock *sk = sock->sk;
352 struct sk_security_struct *sksec = sk->sk_security;
349 struct netlbl_lsm_secattr secattr; 353 struct netlbl_lsm_secattr secattr;
350 354
351 rcu_read_lock(); 355 rcu_read_lock();
352 if (level == IPPROTO_IP && optname == IP_OPTIONS && 356 if (level == IPPROTO_IP && optname == IP_OPTIONS &&
353 sksec->nlbl_state == NLBL_LABELED) { 357 sksec->nlbl_state == NLBL_LABELED) {
354 netlbl_secattr_init(&secattr); 358 netlbl_secattr_init(&secattr);
355 rc = netlbl_socket_getattr(sock, &secattr); 359 lock_sock(sk);
360 rc = netlbl_sock_getattr(sk, &secattr);
361 release_sock(sk);
356 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 362 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
357 rc = -EACCES; 363 rc = -EACCES;
358 netlbl_secattr_destroy(&secattr); 364 netlbl_secattr_destroy(&secattr);