aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2008-10-10 10:16:31 -0400
committerPaul Moore <paul.moore@hp.com>2008-10-10 10:16:31 -0400
commitdfaebe9825ff34983778f287101bc5f3bce00640 (patch)
tree4dccdcdcecd57fc8bfc083ff30d9e0ecb2e7ecba /security/selinux
parent99d854d231ce141850b988bdc7e2e7c78f49b03a (diff)
selinux: Fix missing calls to netlbl_skbuff_err()
At some point I think I messed up and dropped the calls to netlbl_skbuff_err() which are necessary for CIPSO to send error notifications to remote systems. This patch re-introduces the error handling calls into the SELinux code. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c19
-rw-r--r--security/selinux/include/netlabel.h9
-rw-r--r--security/selinux/netlabel.c20
3 files changed, 43 insertions, 5 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b520667a24be..a91146a6b37d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4101,6 +4101,8 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4101 return err; 4101 return err;
4102 err = avc_has_perm(sk_sid, peer_sid, 4102 err = avc_has_perm(sk_sid, peer_sid,
4103 SECCLASS_PEER, PEER__RECV, &ad); 4103 SECCLASS_PEER, PEER__RECV, &ad);
4104 if (err)
4105 selinux_netlbl_err(skb, err, 0);
4104 } else { 4106 } else {
4105 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4107 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4106 if (err) 4108 if (err)
@@ -4156,10 +4158,14 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4156 return err; 4158 return err;
4157 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family, 4159 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4158 peer_sid, &ad); 4160 peer_sid, &ad);
4159 if (err) 4161 if (err) {
4162 selinux_netlbl_err(skb, err, 0);
4160 return err; 4163 return err;
4164 }
4161 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4165 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4162 PEER__RECV, &ad); 4166 PEER__RECV, &ad);
4167 if (err)
4168 selinux_netlbl_err(skb, err, 0);
4163 } 4169 }
4164 4170
4165 if (secmark_active) { 4171 if (secmark_active) {
@@ -4396,6 +4402,7 @@ out:
4396static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, 4402static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4397 u16 family) 4403 u16 family)
4398{ 4404{
4405 int err;
4399 char *addrp; 4406 char *addrp;
4400 u32 peer_sid; 4407 u32 peer_sid;
4401 struct avc_audit_data ad; 4408 struct avc_audit_data ad;
@@ -4419,10 +4426,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4419 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4426 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4420 return NF_DROP; 4427 return NF_DROP;
4421 4428
4422 if (peerlbl_active) 4429 if (peerlbl_active) {
4423 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family, 4430 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4424 peer_sid, &ad) != 0) 4431 peer_sid, &ad);
4432 if (err) {
4433 selinux_netlbl_err(skb, err, 1);
4425 return NF_DROP; 4434 return NF_DROP;
4435 }
4436 }
4426 4437
4427 if (secmark_active) 4438 if (secmark_active)
4428 if (avc_has_perm(peer_sid, skb->secmark, 4439 if (avc_has_perm(peer_sid, skb->secmark,
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 487a7d81fe20..d4e3ac8a7fbf 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -39,6 +39,8 @@
39#ifdef CONFIG_NETLABEL 39#ifdef CONFIG_NETLABEL
40void selinux_netlbl_cache_invalidate(void); 40void selinux_netlbl_cache_invalidate(void);
41 41
42void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway);
43
42void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, 44void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
43 int family); 45 int family);
44 46
@@ -63,6 +65,13 @@ static inline void selinux_netlbl_cache_invalidate(void)
63 return; 65 return;
64} 66}
65 67
68static inline void selinux_netlbl_err(struct sk_buff *skb,
69 int error,
70 int gateway)
71{
72 return;
73}
74
66static inline void selinux_netlbl_sk_security_reset( 75static inline void selinux_netlbl_sk_security_reset(
67 struct sk_security_struct *ssec, 76 struct sk_security_struct *ssec,
68 int family) 77 int family)
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index b9ce5fcf3432..4053f7fc95fb 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -108,6 +108,24 @@ void selinux_netlbl_cache_invalidate(void)
108} 108}
109 109
110/** 110/**
111 * selinux_netlbl_err - Handle a NetLabel packet error
112 * @skb: the packet
113 * @error: the error code
114 * @gateway: true if host is acting as a gateway, false otherwise
115 *
116 * Description:
117 * When a packet is dropped due to a call to avc_has_perm() pass the error
118 * code to the NetLabel subsystem so any protocol specific processing can be
119 * done. This is safe to call even if you are unsure if NetLabel labeling is
120 * present on the packet, NetLabel is smart enough to only act when it should.
121 *
122 */
123void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway)
124{
125 netlbl_skbuff_err(skb, error, gateway);
126}
127
128/**
111 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields 129 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
112 * @ssec: the sk_security_struct 130 * @ssec: the sk_security_struct
113 * @family: the socket family 131 * @family: the socket family
@@ -289,7 +307,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
289 return 0; 307 return 0;
290 308
291 if (nlbl_sid != SECINITSID_UNLABELED) 309 if (nlbl_sid != SECINITSID_UNLABELED)
292 netlbl_skbuff_err(skb, rc); 310 netlbl_skbuff_err(skb, rc, 0);
293 return rc; 311 return rc;
294} 312}
295 313