authorPaul Moore <paul.moore@hp.com>2007-07-18 12:28:45 -0400
committerJames Morris <jmorris@namei.org>2007-07-19 10:21:11 -0400
commit23bcdc1adebd3cb47d5666f2e9ecada95c0134e4 (patch)
tree71caf0ac9fa86e4a9cf423d968a2486656c2e196 /security/selinux
parent589f1e81bde732dd0b1bc5d01b6bddd4bcb4527b (diff)
SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement
Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the current runtime status of NetLabel based on the existing configuration. LSMs that make use of NetLabel, i.e. SELinux, can use this new function to determine if they should perform NetLabel access checks. This patch changes the NetLabel/SELinux glue code such that SELinux only enforces NetLabel related access checks when netlbl_enabled() returns true. At present NetLabel is considered to be enabled when there is at least one labeled protocol configuration present. The result is that by default NetLabel is considered to be disabled; however, as soon as an administrator configures a CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing NetLabel related access controls - including unlabeled packet controls. This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL" blocks into a single block to ease future review as recommended by Linus. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/netlabel.c8
1 files changed, 8 insertions, 0 deletions
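--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -155,6 +155,11 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
 	int rc;
 	struct netlbl_lsm_secattr secattr;
 
+	if (!netlbl_enabled()) {
+		*sid = SECSID_NULL;
+		return 0;
+	}
+
 	netlbl_secattr_init(&secattr);
 	rc = netlbl_skbuff_getattr(skb, &secattr);
 	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
@@ -298,6 +303,9 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 	u32 netlbl_sid;
 	u32 recv_perm;
 
+	if (!netlbl_enabled())
+		return 0;
+
 	rc = selinux_netlbl_skbuff_getsid(skb,
 					  SECINITSID_UNLABELED,
 					  &netlbl_sid);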
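Review bot: The two netlbl_enabled() checks in this section are not atomic with each other, so selinux_netlbl_sock_rcv_skb can pass its own guard and then have selinux_netlbl_skbuff_getsid hand back *sid = SECSID_NULL with rc == 0 if NetLabel is deactivated in between (the commit message says activation is dynamic). Whether a SECSID_NULL netlbl_sid is tolerated by the access check that follows is outside the hunk, since the body of selinux_netlbl_sock_rcv_skb continues past it; if it is not, the cheap fix right after the getsid call is `if (rc == 0 && netlbl_sid == SECSID_NULL) return 0;`, mirroring the "NetLabel off means no enforcement" semantics the guard at the top already encodes. Either way the early `return 0` deserves a comment stating that it is a deliberate fail-open, e.g. `/* NetLabel has no configuration loaded; it is not enforced, so allow */`, so a later reader does not mistake it for a missed error path.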