Merge branch 'smack-for-3.20-rebased' of git://git.gitorious.org/smack-next/kernel into for-linus

author: James Morris <james.l.morris@oracle.com> 2015-02-15 21:47:53 -0500
committer: James Morris <james.l.morris@oracle.com> 2015-02-15 21:47:53 -0500
commit: 0d309cbddb49d4d948b3e9fe8423e80b3b64486b (patch)
tree: 80c2de7fa46339120d458e033612a9c71625d856 /security
parent: d0709f1e66e8066c4ac6a54620ec116aa41937c0 (diff)
parent: 7f368ad34f0657f4bc39bf5bad6692b5a81a1194 (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a0ccce4e46f8..ed94f6f836e7 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3818,6 +3818,18 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
        }
 #endif /* CONFIG_IPV6 */
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+        /*
+         * If there is a secmark use it rather than the CIPSO label.
+         * If there is no secmark fall back to CIPSO.
+         * The secmark is assumed to reflect policy better.
+         */
+        if (skb && skb->secmark != 0) {
+                skp = smack_from_secid(skb->secmark);
+                goto access_check;
+        }
+#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
        netlbl_secattr_init(&secattr);
        rc = netlbl_skbuff_getattr(skb, family, &secattr);
        if (rc == 0)
@@ -3826,6 +3838,10 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
                skp = &smack_known_huh;
        netlbl_secattr_destroy(&secattr);
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+access_check:
+#endif
 #ifdef CONFIG_AUDIT
        smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
        ad.a.u.net->family = family;
author	James Morris <james.l.morris@oracle.com>	2015-02-15 21:47:53 -0500
committer	James Morris <james.l.morris@oracle.com>	2015-02-15 21:47:53 -0500
commit	0d309cbddb49d4d948b3e9fe8423e80b3b64486b (patch)
tree	80c2de7fa46339120d458e033612a9c71625d856 /security
parent	d0709f1e66e8066c4ac6a54620ec116aa41937c0 (diff)
parent	7f368ad34f0657f4bc39bf5bad6692b5a81a1194 (diff)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a0ccce4e46f8..ed94f6f836e7 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -3818,6 +3818,18 @@ static int smack_inet_conn_request(struct sock sk, struct sk_buff skb,
3818	}	3818	}
3819	#endif /* CONFIG_IPV6 */	3819	#endif /* CONFIG_IPV6 */
3820		3820
		3821	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		3822	/*
		3823	* If there is a secmark use it rather than the CIPSO label.
		3824	* If there is no secmark fall back to CIPSO.
		3825	* The secmark is assumed to reflect policy better.
		3826	*/
		3827	if (skb && skb->secmark != 0) {
		3828	skp = smack_from_secid(skb->secmark);
		3829	goto access_check;
		3830	}
		3831	#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
		3832
3821	netlbl_secattr_init(&secattr);	3833	netlbl_secattr_init(&secattr);
3822	rc = netlbl_skbuff_getattr(skb, family, &secattr);	3834	rc = netlbl_skbuff_getattr(skb, family, &secattr);
3823	if (rc == 0)	3835	if (rc == 0)
@@ -3826,6 +3838,10 @@ static int smack_inet_conn_request(struct sock sk, struct sk_buff skb,
3826	skp = &smack_known_huh;	3838	skp = &smack_known_huh;
3827	netlbl_secattr_destroy(&secattr);	3839	netlbl_secattr_destroy(&secattr);
3828		3840
		3841	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		3842	access_check:
		3843	#endif
		3844
3829	#ifdef CONFIG_AUDIT	3845	#ifdef CONFIG_AUDIT
3830	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);	3846	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3831	ad.a.u.net->family = family;	3847	ad.a.u.net->family = family;