| author | Stephen Smalley <sds@tycho.nsa.gov> | 2006-02-05 02:27:50 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-02-05 14:06:52 -0500 |
| commit | c2b507fda390b8ae90deba9b8cdc3fe727482193 (patch) | |
| tree | 6c839e9682fd1610dc6a9fb7cca9df2899ff05ca /security | |
| parent | 5c0d5d262aa4c5e93f9f5de298cf25d6d8b558c4 (diff) | |
[PATCH] selinux: require SECURITY_NETWORK
Make SELinux depend on SECURITY_NETWORK (which depends on SECURITY), as it
requires the socket hooks for proper operation even in the local case.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/Kconfig | 2 | ||||
| -rw-r--r-- | security/selinux/Makefile | 4 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 21 |
3 files changed, 5 insertions, 22 deletions
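--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -1,6 +1,6 @@
 config SECURITY_SELINUX
 bool "NSA SELinux Support"
-depends on SECURITY && NET && INET
+depends on SECURITY_NETWORK && NET && INET
 default n
 help
 This selects NSA Security-Enhanced Linux (SELinux).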
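Review bot: The help text still says only that the option selects SELinux, while the new `depends on SECURITY_NETWORK` means an existing configuration with SECURITY_SELINUX=y and SECURITY_NETWORK=n will have SELinux silently dropped on reconfiguration rather than fail loudly. A sentence in the help block stating the requirement and its reason would make that visible to whoever configures the kernel, e.g. `Requires SECURITY_NETWORK: the socket and netlink hooks are needed for correct enforcement even for purely local use.` The remainder of the help text lies outside the hunk.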
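--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -4,9 +4,7 @@
 
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
 
-selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o
-
-selinux-$(CONFIG_SECURITY_NETWORK) += netif.o
+selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 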
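--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -232,7 +232,6 @@ static void superblock_free_security(struct super_block *sb)
 kfree(sbsec);
 }
 
-#ifdef CONFIG_SECURITY_NETWORK
 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
 {
 struct sk_security_struct *ssec;
@@ -261,7 +260,6 @@ static void sk_free_security(struct sock *sk)
 sk->sk_security = NULL;
 kfree(ssec);
 }
-#endif /* CONFIG_SECURITY_NETWORK */
 
 /* The security server must be initialized before
 any labeling or access decisions can be provided. */
@@ -2736,8 +2734,6 @@ static void selinux_task_to_inode(struct task_struct *p,
 return;
 }
 
-#ifdef CONFIG_SECURITY_NETWORK
-
 /* Returns error only if unable to parse addresses */
 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
 {
@@ -3556,15 +3552,6 @@ static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
 
 #endif /* CONFIG_NETFILTER */
 
-#else
-
-static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
-{
-return 0;
-}
-
-#endif /* CONFIG_SECURITY_NETWORK */
-
 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
 struct task_security_struct *tsec;
@@ -4340,7 +4327,6 @@ static struct security_operations selinux_ops = {
 .getprocattr = selinux_getprocattr,
 .setprocattr = selinux_setprocattr,
 
-#ifdef CONFIG_SECURITY_NETWORK
 .unix_stream_connect = selinux_socket_unix_stream_connect,
 .unix_may_send = selinux_socket_unix_may_send,
 
@@ -4362,7 +4348,6 @@ static struct security_operations selinux_ops = {
 .sk_alloc_security = selinux_sk_alloc_security,
 .sk_free_security = selinux_sk_free_security,
 .sk_getsid = selinux_sk_getsid_security,
-#endif
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
@@ -4440,7 +4425,7 @@ next_sb:
 all processes and objects when they are created. */
 security_initcall(selinux_init);
 
-#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
+#if defined(CONFIG_NETFILTER)
 
 static struct nf_hook_ops selinux_ipv4_op = {
 .hook = selinux_ipv4_postroute_last,
@@ -4501,13 +4486,13 @@ static void selinux_nf_ip_exit(void)
 }
 #endif
 
-#else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
+#else /* CONFIG_NETFILTER */
 
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 #define selinux_nf_ip_exit()
 #endif
 
-#endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
+#endif /* CONFIG_NETFILTER */
 
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 int selinux_disable(void)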
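Review bot: The removed `#else` stub `selinux_nlmsg_perm` returned 0 unconditionally, so in a build without SECURITY_NETWORK every netlink message passed `selinux_netlink_send` without a check; now that the stub is gone the only remaining conditional around the hooks is `CONFIG_NETFILTER`, and nothing at the `selinux_netlink_send` definition records that the netlink check is now always compiled in. A one-line comment there would prevent the stub from being reintroduced, e.g. `/* Always built: SELinux depends on SECURITY_NETWORK, so there is no permissive fallback. */`. The body of `selinux_netlink_send` continues past the hunk, so its actual checks are not visible here. The same `#ifdef CONFIG_SECURITY_NETWORK` removal appears in the hunks at -232, -261, -2736, -4340 and -4362 and is consistent; any `CONFIG_SECURITY_NETWORK` guards in files outside this diff would presumably now be dead and are worth a grep.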
