aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-08-05 02:08:56 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:22 -0400
commit892c141e62982272b9c738b5520ad0e5e1ad7b42 (patch)
treec8e0c9b3e55106d2cb085a5047b9d02dbbb28653 /security/selinux
parent08554d6b33e60aa8ee40bbef94505941c0eefef2 (diff)
[MLSXFRM]: Add security sid to sock
This adds security for IP sockets at the sock level. Security at the sock level is needed to enforce the SELinux security policy for security associations even when a sock is orphaned (such as in the TCP LAST_ACK state). This will also be used to enforce SELinux controls over data arriving at or leaving a child socket while it's still waiting to be accepted. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c38
-rw-r--r--security/selinux/include/objsec.h1
2 files changed, 22 insertions, 17 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5d1b8c733199..d67abf77584a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -269,15 +269,13 @@ static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269{ 269{
270 struct sk_security_struct *ssec; 270 struct sk_security_struct *ssec;
271 271
272 if (family != PF_UNIX)
273 return 0;
274
275 ssec = kzalloc(sizeof(*ssec), priority); 272 ssec = kzalloc(sizeof(*ssec), priority);
276 if (!ssec) 273 if (!ssec)
277 return -ENOMEM; 274 return -ENOMEM;
278 275
279 ssec->sk = sk; 276 ssec->sk = sk;
280 ssec->peer_sid = SECINITSID_UNLABELED; 277 ssec->peer_sid = SECINITSID_UNLABELED;
278 ssec->sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec; 279 sk->sk_security = ssec;
282 280
283 return 0; 281 return 0;
@@ -287,9 +285,6 @@ static void sk_free_security(struct sock *sk)
287{ 285{
288 struct sk_security_struct *ssec = sk->sk_security; 286 struct sk_security_struct *ssec = sk->sk_security;
289 287
290 if (sk->sk_family != PF_UNIX)
291 return;
292
293 sk->sk_security = NULL; 288 sk->sk_security = NULL;
294 kfree(ssec); 289 kfree(ssec);
295} 290}
@@ -3068,6 +3063,7 @@ static void selinux_socket_post_create(struct socket *sock, int family,
3068{ 3063{
3069 struct inode_security_struct *isec; 3064 struct inode_security_struct *isec;
3070 struct task_security_struct *tsec; 3065 struct task_security_struct *tsec;
3066 struct sk_security_struct *sksec;
3071 u32 newsid; 3067 u32 newsid;
3072 3068
3073 isec = SOCK_INODE(sock)->i_security; 3069 isec = SOCK_INODE(sock)->i_security;
@@ -3078,6 +3074,11 @@ static void selinux_socket_post_create(struct socket *sock, int family,
3078 isec->sid = kern ? SECINITSID_KERNEL : newsid; 3074 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3079 isec->initialized = 1; 3075 isec->initialized = 1;
3080 3076
3077 if (sock->sk) {
3078 sksec = sock->sk->sk_security;
3079 sksec->sid = isec->sid;
3080 }
3081
3081 return; 3082 return;
3082} 3083}
3083 3084
@@ -3551,22 +3552,24 @@ static void selinux_sk_free_security(struct sock *sk)
3551 sk_free_security(sk); 3552 sk_free_security(sk);
3552} 3553}
3553 3554
3554static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir) 3555static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3555{ 3556{
3556 struct inode_security_struct *isec; 3557 struct sk_security_struct *ssec = sk->sk_security;
3557 u32 sock_sid = SECINITSID_ANY_SOCKET; 3558 struct sk_security_struct *newssec = newsk->sk_security;
3558 3559
3560 newssec->sid = ssec->sid;
3561 newssec->peer_sid = ssec->peer_sid;
3562}
3563
3564static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3565{
3559 if (!sk) 3566 if (!sk)
3560 return selinux_no_sk_sid(fl); 3567 return selinux_no_sk_sid(fl);
3568 else {
3569 struct sk_security_struct *sksec = sk->sk_security;
3561 3570
3562 read_lock_bh(&sk->sk_callback_lock); 3571 return sksec->sid;
3563 isec = get_sock_isec(sk); 3572 }
3564
3565 if (isec)
3566 sock_sid = isec->sid;
3567
3568 read_unlock_bh(&sk->sk_callback_lock);
3569 return sock_sid;
3570} 3573}
3571 3574
3572static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 3575static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
@@ -4618,6 +4621,7 @@ static struct security_operations selinux_ops = {
4618 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, 4621 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
4619 .sk_alloc_security = selinux_sk_alloc_security, 4622 .sk_alloc_security = selinux_sk_alloc_security,
4620 .sk_free_security = selinux_sk_free_security, 4623 .sk_free_security = selinux_sk_free_security,
4624 .sk_clone_security = selinux_sk_clone_security,
4621 .sk_getsid = selinux_sk_getsid_security, 4625 .sk_getsid = selinux_sk_getsid_security,
4622 4626
4623#ifdef CONFIG_SECURITY_NETWORK_XFRM 4627#ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 940178865fc7..79b9e0af19a0 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -99,6 +99,7 @@ struct netif_security_struct {
99 99
100struct sk_security_struct { 100struct sk_security_struct {
101 struct sock *sk; /* back pointer to sk object */ 101 struct sock *sk; /* back pointer to sk object */
102 u32 sid; /* SID of this object */
102 u32 peer_sid; /* SID of peer */ 103 u32 peer_sid; /* SID of peer */
103}; 104};
104 105