secmark: make secmark object handling generic

Right now secmark has lots of direct selinux calls. Use all LSM calls and remove all SELinux specific knowledge. The only SELinux specific knowledge we leave is the mode. The only point is to make sure that other LSMs at least test this generic code before they assume it works. (They may also have to make changes if they do not represent labels as strings) Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Paul Moore <paul.moore@hp.com> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: James Morris <jmorris@namei.org>
author: Eric Paris <eparis@redhat.com> 2010-10-13 16:24:41 -0400
committer: James Morris <jmorris@namei.org> 2010-10-20 19:12:48 -0400
commit: 2606fd1fa5710205b23ee859563502aa18362447 (patch)
tree: f79becd7010a2da1a765829fce0e09327cd50531 /security/selinux
parent: 15714f7b58011cf3948cab2988abea560240c74f (diff)
3 files changed, 25 insertions, 49 deletions
diff --git a/security/selinux/exports.c b/security/selinux/exports.c
index c0a454aee1e0..90664385dead 100644
--- a/security/selinux/exports.c
+++ b/security/selinux/exports.c
@@ -11,58 +11,9 @@
 * it under the terms of the GNU General Public License version 2,
 * as published by the Free Software Foundation.
 */
-#include <linux/types.h>
-#include <linux/kernel.h>
 #include <linux/module.h>
-#include <linux/selinux.h>
-#include <linux/fs.h>
-#include <linux/ipc.h>
-#include <asm/atomic.h>
 #include "security.h"
-#include "objsec.h"
-/* SECMARK reference count */
-extern atomic_t selinux_secmark_refcount;
-int selinux_string_to_sid(char *str, u32 *sid)
-{
-        if (selinux_enabled)
-                return security_context_to_sid(str, strlen(str), sid);
-        else {
-                *sid = 0;
-                return 0;
-        }
-}
-EXPORT_SYMBOL_GPL(selinux_string_to_sid);
-int selinux_secmark_relabel_packet_permission(u32 sid)
-{
-        if (selinux_enabled) {
-                const struct task_security_struct *__tsec;
-                u32 tsid;
-                __tsec = current_security();
-                tsid = __tsec->sid;
-                return avc_has_perm(tsid, sid, SECCLASS_PACKET,
-                                    PACKET__RELABELTO, NULL);
-        }
-        return 0;
-}
-EXPORT_SYMBOL_GPL(selinux_secmark_relabel_packet_permission);
-void selinux_secmark_refcount_inc(void)
-{
-        atomic_inc(&selinux_secmark_refcount);
-}
-EXPORT_SYMBOL_GPL(selinux_secmark_refcount_inc);
-void selinux_secmark_refcount_dec(void)
-{
-        atomic_dec(&selinux_secmark_refcount);
-}
-EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec);
 bool selinux_is_enabled(void)
 {
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index db2b331de89a..d9154cf90ae1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4279,6 +4279,27 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
        selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
 }
+static int selinux_secmark_relabel_packet(u32 sid)
+{
+        const struct task_security_struct *__tsec;
+        u32 tsid;
+        __tsec = current_security();
+        tsid = __tsec->sid;
+        return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
+}
+static void selinux_secmark_refcount_inc(void)
+{
+        atomic_inc(&selinux_secmark_refcount);
+}
+static void selinux_secmark_refcount_dec(void)
+{
+        atomic_dec(&selinux_secmark_refcount);
+}
 static void selinux_req_classify_flow(const struct request_sock *req,
                                      struct flowi *fl)
 {
@@ -5533,6 +5554,9 @@ static struct security_operations selinux_ops = {
        .inet_conn_request =            selinux_inet_conn_request,
        .inet_csk_clone =               selinux_inet_csk_clone,
        .inet_conn_established =        selinux_inet_conn_established,
+        .secmark_relabel_packet =       selinux_secmark_relabel_packet,
+        .secmark_refcount_inc =         selinux_secmark_refcount_inc,
+        .secmark_refcount_dec =         selinux_secmark_refcount_dec,
        .req_classify_flow =            selinux_req_classify_flow,
        .tun_dev_create =               selinux_tun_dev_create,
        .tun_dev_post_create =          selinux_tun_dev_post_create,
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 4b66f19bb1f3..611a526afae7 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -9,6 +9,7 @@
 #define _SELINUX_SECURITY_H_
 #include <linux/magic.h>
+#include <linux/types.h>
 #include "flask.h"
 #define SECSID_NULL                     0x00000000 /* unspecified SID */
author	Eric Paris <eparis@redhat.com>	2010-10-13 16:24:41 -0400
committer	James Morris <jmorris@namei.org>	2010-10-20 19:12:48 -0400
commit	2606fd1fa5710205b23ee859563502aa18362447 (patch)
tree	f79becd7010a2da1a765829fce0e09327cd50531 /security/selinux
parent	15714f7b58011cf3948cab2988abea560240c74f (diff)