author | Harry Ciao <qingtao.cao@windriver.com> | 2011-03-02 00:32:34 -0500 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2011-03-03 15:19:44 -0500 |
commit | 2ad18bdf3b8f84c85c7da7e4de365f7c5701fb3f (patch) | |
tree | 7b45743dee9e9de69714da3801aa3f987a3db365 /security | |
parent | 6f5317e730505d5cbc851c435a2dfe3d5a21d343 (diff) |
SELinux: Compute SID for the newly created socket
The security context for the newly created socket shares the same
user, role and MLS attribute as its creator but may have a different
type, which could be specified by a type_transition rule in the relevant
policy package.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
[fix call to security_transition_sid to include qstr, Eric Paris]
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8294dbfd1f16..3decf07b8dc1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -3591,9 +3591,16 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) | |||
3591 | 3591 | ||
3592 | /* socket security operations */ | 3592 | /* socket security operations */ |
3593 | 3593 | ||
3594 | static u32 socket_sockcreate_sid(const struct task_security_struct *tsec) | 3594 | static int socket_sockcreate_sid(const struct task_security_struct *tsec, |
3595 | u16 secclass, u32 *socksid) | ||
3595 | { | 3596 | { |
3596 | return tsec->sockcreate_sid ? : tsec->sid; | 3597 | if (tsec->sockcreate_sid > SECSID_NULL) { |
3598 | *socksid = tsec->sockcreate_sid; | ||
3599 | return 0; | ||
3600 | } | ||
3601 | |||
3602 | return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, | ||
3603 | socksid); | ||
3597 | } | 3604 | } |
3598 | 3605 | ||
3599 | static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) | 3606 | static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) |
@@ -3617,12 +3624,16 @@ static int selinux_socket_create(int family, int type, | |||
3617 | const struct task_security_struct *tsec = current_security(); | 3624 | const struct task_security_struct *tsec = current_security(); |
3618 | u32 newsid; | 3625 | u32 newsid; |
3619 | u16 secclass; | 3626 | u16 secclass; |
3627 | int rc; | ||
3620 | 3628 | ||
3621 | if (kern) | 3629 | if (kern) |
3622 | return 0; | 3630 | return 0; |
3623 | 3631 | ||
3624 | newsid = socket_sockcreate_sid(tsec); | ||
3625 | secclass = socket_type_to_security_class(family, type, protocol); | 3632 | secclass = socket_type_to_security_class(family, type, protocol); |
3633 | rc = socket_sockcreate_sid(tsec, secclass, &newsid); | ||
3634 | if (rc) | ||
3635 | return rc; | ||
3636 | |||
3626 | return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); | 3637 | return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); |
3627 | } | 3638 | } |
3628 | 3639 | ||
@@ -3634,12 +3645,16 @@ static int selinux_socket_post_create(struct socket *sock, int family, | |||
3634 | struct sk_security_struct *sksec; | 3645 | struct sk_security_struct *sksec; |
3635 | int err = 0; | 3646 | int err = 0; |
3636 | 3647 | ||
3648 | isec->sclass = socket_type_to_security_class(family, type, protocol); | ||
3649 | |||
3637 | if (kern) | 3650 | if (kern) |
3638 | isec->sid = SECINITSID_KERNEL; | 3651 | isec->sid = SECINITSID_KERNEL; |
3639 | else | 3652 | else { |
3640 | isec->sid = socket_sockcreate_sid(tsec); | 3653 | err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); |
3654 | if (err) | ||
3655 | return err; | ||
3656 | } | ||
3641 | 3657 | ||
3642 | isec->sclass = socket_type_to_security_class(family, type, protocol); | ||
3643 | isec->initialized = 1; | 3658 | isec->initialized = 1; |
3644 | 3659 | ||
3645 | if (sock->sk) { | 3660 | if (sock->sk) { |
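Review bot: socket_sockcreate_sid carries no comment stating the precedence it implements, and its guard `if (tsec->sockcreate_sid > SECSID_NULL)` reads like a range check where an identity check is meant; `if (tsec->sockcreate_sid != SECSID_NULL)` says what is actually tested, and a header such as `/* A SID explicitly requested through sockcreate wins; otherwise derive the socket SID from the creator's context via type_transition for this socket class. */` would spare the next reader a trip to security_transition_sid. The commit message claims the new socket keeps the creator's user, role and MLS attributes, but that is decided by how security_transition_sid treats socket classes, which is not in this hunk and is presumably settled by an earlier change in the series — worth a pointer in that comment. In selinux_socket_post_create the added `return err` leaves isec->initialized at 0 and isec->sid at whatever the helper wrote on failure, which looks acceptable only because the caller appears to release the socket when the post_create hook fails — verify that against __sock_create; the parentheses in `&(isec->sid)` are also unneeded, `&isec->sid` matches the surrounding style. selinux_socket_post_create's body continues past the end of the hunk.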