[MLSXFRM]: Default labeling of socket specific IPSec policies

This defaults the label of socket-specific IPSec policies to be the same as the socket they are set on. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Venkat Yekkirala <vyekkirala@TrustedCS.com> 2006-07-25 02:32:20 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-09-22 17:53:28 -0400
commit: cb969f072b6d67770b559617f14e767f47e77ece (patch)
tree: 4112eb0182e8b3e28b42aebaa40ca25454fc6b76 /security
parent: beb8d13bed80f8388f1a9a107d07ddd342e627e8 (diff)
3 files changed, 26 insertions, 13 deletions
diff --git a/security/dummy.c b/security/dummy.c
index c0ff6b9bfd7d..66cc06404930 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -815,7 +815,8 @@ static inline void dummy_sk_getsecid(struct sock *sk, u32 *secid)
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
-static int dummy_xfrm_policy_alloc_security(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
+static int dummy_xfrm_policy_alloc_security(struct xfrm_policy *xp,
+                struct xfrm_user_sec_ctx *sec_ctx, struct sock *sk)
 {
        return 0;
 }
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 8e45c1d588a8..1822c73e5085 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -7,7 +7,8 @@
 #ifndef _SELINUX_XFRM_H_
 #define _SELINUX_XFRM_H_
-int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
+int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
+                struct xfrm_user_sec_ctx *sec_ctx, struct sock *sk);
 int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
 void selinux_xfrm_policy_free(struct xfrm_policy *xp);
 int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index c750ef7af66f..d3690f985135 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -208,10 +208,8 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
        BUG_ON(uctx && pol);
-        if (pol)
+        if (!uctx)
-                goto from_policy;
+                goto not_from_user;
-        BUG_ON(!uctx);
        if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
                return -EINVAL;
@@ -251,11 +249,14 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
        return rc;
-from_policy:
+not_from_user:
-        BUG_ON(!pol);
+        if (pol) {
-        rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid);
+                rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid);
-        if (rc)
+                if (rc)
-                goto out;
+                        goto out;
+        }
+        else
+                ctx_sid = sid;
        rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len);
        if (rc)
@@ -293,13 +294,23 @@ out2:
 * LSM hook implementation that allocs and transfers uctx spec to
 * xfrm_policy.
 */
-int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *uctx)
+int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
+                struct xfrm_user_sec_ctx *uctx, struct sock *sk)
 {
        int err;
+        u32 sid;
        BUG_ON(!xp);
+        BUG_ON(uctx && sk);
+        if (sk) {
+                struct sk_security_struct *ssec = sk->sk_security;
+                sid = ssec->sid;
+        }
+        else
+                sid = SECSID_NULL;
-        err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, 0);
+        err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, sid);
        return err;
 }
author	Venkat Yekkirala <vyekkirala@TrustedCS.com>	2006-07-25 02:32:20 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-09-22 17:53:28 -0400
commit	cb969f072b6d67770b559617f14e767f47e77ece (patch)
tree	4112eb0182e8b3e28b42aebaa40ca25454fc6b76 /security
parent	beb8d13bed80f8388f1a9a107d07ddd342e627e8 (diff)