aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorDarrel Goeddel <dgoeddel@trustedcs.com>2006-06-27 16:26:11 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-06-29 19:57:55 -0400
commitc7bdb545d23026b18be53289fd866d1ac07f5f8c (patch)
tree6d9a218871d88f7579dd53f14692df2529b6e712 /security/selinux
parent576a30eb6453439b3c37ba24455ac7090c247b5a (diff)
[NETLINK]: Encapsulate eff_cap usage within security framework.
This patch encapsulates the usage of eff_cap (in netlink_skb_params) within the security framework by extending security_netlink_recv to include a required capability parameter and converting all direct usage of eff_caps outside of the lsm modules to use the interface. It also updates the SELinux implementation of the security_netlink_send and security_netlink_recv hooks to take advantage of the sid in the netlink_skb_params struct. This also enables SELinux to perform auditing of netlink capability checks. Please apply, for 2.6.18 if possible. Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c26
1 files changed, 13 insertions, 13 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 28832e689800..b6c378dd4f12 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3641,32 +3641,32 @@ static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3641 3641
3642static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 3642static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3643{ 3643{
3644 struct task_security_struct *tsec;
3645 struct av_decision avd;
3646 int err; 3644 int err;
3647 3645
3648 err = secondary_ops->netlink_send(sk, skb); 3646 err = secondary_ops->netlink_send(sk, skb);
3649 if (err) 3647 if (err)
3650 return err; 3648 return err;
3651 3649
3652 tsec = current->security;
3653
3654 avd.allowed = 0;
3655 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3656 SECCLASS_CAPABILITY, ~0, &avd);
3657 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3658
3659 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 3650 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3660 err = selinux_nlmsg_perm(sk, skb); 3651 err = selinux_nlmsg_perm(sk, skb);
3661 3652
3662 return err; 3653 return err;
3663} 3654}
3664 3655
3665static int selinux_netlink_recv(struct sk_buff *skb) 3656static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3666{ 3657{
3667 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) 3658 int err;
3668 return -EPERM; 3659 struct avc_audit_data ad;
3669 return 0; 3660
3661 err = secondary_ops->netlink_recv(skb, capability);
3662 if (err)
3663 return err;
3664
3665 AVC_AUDIT_DATA_INIT(&ad, CAP);
3666 ad.u.cap = capability;
3667
3668 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3669 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3670} 3670}
3671 3671
3672static int ipc_alloc_security(struct task_struct *task, 3672static int ipc_alloc_security(struct task_struct *task,