-rw-r--r--security/selinux/hooks.c36
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/ss/services.c27
3 files changed, 31 insertions, 35 deletions
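--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3123,6 +3123,34 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
  return ret;
 }
 
+/**
+ * selinux_skb_extlbl_sid - Determine the external label of a packet
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
+ * @sid: the packet's SID
+ *
+ * Description:
+ * Check the various different forms of external packet labeling and determine
+ * the external SID for the packet.
+ *
+ */
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+ u32 base_sid,
+ u32 *sid)
+{
+ u32 xfrm_sid;
+ u32 nlbl_sid;
+
+ selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ if (selinux_netlbl_skbuff_getsid(skb,
+ (xfrm_sid == SECSID_NULL ?
+ base_sid : xfrm_sid),
+ &nlbl_sid) != 0)
+ nlbl_sid = SECSID_NULL;
+
+ *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+}
+
 /* socket security operations */
 static int socket_has_perm(struct task_struct *task, struct socket *sock,
  u32 perms)
@@ -3664,9 +3692,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
  if (sock && sock->sk->sk_family == PF_UNIX)
  selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
  else if (skb)
- security_skb_extlbl_sid(skb,
- SECINITSID_UNLABELED,
- &peer_secid);
+ selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
 
  if (peer_secid == SECSID_NULL)
  err = -EINVAL;
@@ -3727,7 +3753,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
  u32 newsid;
  u32 peersid;
 
- security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
+ selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
  if (peersid == SECSID_NULL) {
  req->secid = sksec->sid;
  req->peer_secid = SECSID_NULL;
@@ -3765,7 +3791,7 @@ static void selinux_inet_conn_established(struct sock *sk,
 {
  struct sk_security_struct *sksec = sk->sk_security;
 
- security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
+ selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
 }
 
 static void selinux_req_classify_flow(const struct request_sock *req,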
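Review bot: The kernel-doc on selinux_skb_extlbl_sid (first hunk, new lines 3126-3152) does not state which label wins or what @sid holds when no external label is present, even though every caller in the later hunks branches on `peer_secid == SECSID_NULL` / `peersid == SECSID_NULL`. I would extend the Description with `A NetLabel label takes precedence over an XFRM label; when neither is present @sid is SECSID_NULL and callers must check for it before use.` The SECSID_NULL part of that sentence relies on selinux_skb_xfrm_sid() writing its output on every path, which the diff does not show: its return value is discarded on the line `selinux_skb_xfrm_sid(skb, &xfrm_sid);`, so if any failure path leaves *sid untouched, xfrm_sid would be read uninitialized by the two ternaries that follow. Worth confirming against that helper's definition (not in this diff), or initialising `u32 xfrm_sid = SECSID_NULL;` so the precedence rule holds regardless.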
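--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -34,7 +34,6 @@
 #define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS
 #endif
 
-struct sk_buff;
 struct netlbl_lsm_secattr;
 
 extern int selinux_enabled;
@@ -83,8 +82,6 @@ int security_netif_sid(char *name, u32 *if_sid,
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
  u32 *out_sid);
 
-void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);
-
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
  u16 tclass);
 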
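--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -39,7 +39,6 @@
 #include <linux/sched.h>
 #include <linux/audit.h>
 #include <linux/mutex.h>
-#include <net/sock.h>
 #include <net/netlabel.h>
 
 #include "flask.h"
@@ -2198,32 +2197,6 @@ void selinux_audit_set_callback(int (*callback)(void))
  aurule_callback = callback;
 }
 
-/**
- * security_skb_extlbl_sid - Determine the external label of a packet
- * @skb: the packet
- * @base_sid: the SELinux SID to use as a context for MLS only external labels
- * @sid: the packet's SID
- *
- * Description:
- * Check the various different forms of external packet labeling and determine
- * the external SID for the packet.
- *
- */
-void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
-{
- u32 xfrm_sid;
- u32 nlbl_sid;
-
- selinux_skb_xfrm_sid(skb, &xfrm_sid);
- if (selinux_netlbl_skbuff_getsid(skb,
- (xfrm_sid == SECSID_NULL ?
- base_sid : xfrm_sid),
- &nlbl_sid) != 0)
- nlbl_sid = SECSID_NULL;
-
- *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
-}
-
 #ifdef CONFIG_NETLABEL
 /*
  * NetLabel cache structure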