diff options
-rw-r--r-- | security/selinux/hooks.c | 36 | ||||
-rw-r--r-- | security/selinux/include/security.h | 3 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 27 |
3 files changed, 31 insertions, 35 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7f8d0b1ee02f..68629aa039ed 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -3123,6 +3123,34 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, | |||
3123 | return ret; | 3123 | return ret; |
3124 | } | 3124 | } |
3125 | 3125 | ||
3126 | /** | ||
3127 | * selinux_skb_extlbl_sid - Determine the external label of a packet | ||
3128 | * @skb: the packet | ||
3129 | * @base_sid: the SELinux SID to use as a context for MLS only external labels | ||
3130 | * @sid: the packet's SID | ||
3131 | * | ||
3132 | * Description: | ||
3133 | * Check the various different forms of external packet labeling and determine | ||
3134 | * the external SID for the packet. | ||
3135 | * | ||
3136 | */ | ||
3137 | static void selinux_skb_extlbl_sid(struct sk_buff *skb, | ||
3138 | u32 base_sid, | ||
3139 | u32 *sid) | ||
3140 | { | ||
3141 | u32 xfrm_sid; | ||
3142 | u32 nlbl_sid; | ||
3143 | |||
3144 | selinux_skb_xfrm_sid(skb, &xfrm_sid); | ||
3145 | if (selinux_netlbl_skbuff_getsid(skb, | ||
3146 | (xfrm_sid == SECSID_NULL ? | ||
3147 | base_sid : xfrm_sid), | ||
3148 | &nlbl_sid) != 0) | ||
3149 | nlbl_sid = SECSID_NULL; | ||
3150 | |||
3151 | *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); | ||
3152 | } | ||
3153 | |||
3126 | /* socket security operations */ | 3154 | /* socket security operations */ |
3127 | static int socket_has_perm(struct task_struct *task, struct socket *sock, | 3155 | static int socket_has_perm(struct task_struct *task, struct socket *sock, |
3128 | u32 perms) | 3156 | u32 perms) |
@@ -3664,9 +3692,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * | |||
3664 | if (sock && sock->sk->sk_family == PF_UNIX) | 3692 | if (sock && sock->sk->sk_family == PF_UNIX) |
3665 | selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); | 3693 | selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); |
3666 | else if (skb) | 3694 | else if (skb) |
3667 | security_skb_extlbl_sid(skb, | 3695 | selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid); |
3668 | SECINITSID_UNLABELED, | ||
3669 | &peer_secid); | ||
3670 | 3696 | ||
3671 | if (peer_secid == SECSID_NULL) | 3697 | if (peer_secid == SECSID_NULL) |
3672 | err = -EINVAL; | 3698 | err = -EINVAL; |
@@ -3727,7 +3753,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, | |||
3727 | u32 newsid; | 3753 | u32 newsid; |
3728 | u32 peersid; | 3754 | u32 peersid; |
3729 | 3755 | ||
3730 | security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); | 3756 | selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); |
3731 | if (peersid == SECSID_NULL) { | 3757 | if (peersid == SECSID_NULL) { |
3732 | req->secid = sksec->sid; | 3758 | req->secid = sksec->sid; |
3733 | req->peer_secid = SECSID_NULL; | 3759 | req->peer_secid = SECSID_NULL; |
@@ -3765,7 +3791,7 @@ static void selinux_inet_conn_established(struct sock *sk, | |||
3765 | { | 3791 | { |
3766 | struct sk_security_struct *sksec = sk->sk_security; | 3792 | struct sk_security_struct *sksec = sk->sk_security; |
3767 | 3793 | ||
3768 | security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); | 3794 | selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); |
3769 | } | 3795 | } |
3770 | 3796 | ||
3771 | static void selinux_req_classify_flow(const struct request_sock *req, | 3797 | static void selinux_req_classify_flow(const struct request_sock *req, |
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 605b07165af8..bfe562c36469 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -34,7 +34,6 @@ | |||
34 | #define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS | 34 | #define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS |
35 | #endif | 35 | #endif |
36 | 36 | ||
37 | struct sk_buff; | ||
38 | struct netlbl_lsm_secattr; | 37 | struct netlbl_lsm_secattr; |
39 | 38 | ||
40 | extern int selinux_enabled; | 39 | extern int selinux_enabled; |
@@ -83,8 +82,6 @@ int security_netif_sid(char *name, u32 *if_sid, | |||
83 | int security_node_sid(u16 domain, void *addr, u32 addrlen, | 82 | int security_node_sid(u16 domain, void *addr, u32 addrlen, |
84 | u32 *out_sid); | 83 | u32 *out_sid); |
85 | 84 | ||
86 | void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid); | ||
87 | |||
88 | int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, | 85 | int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, |
89 | u16 tclass); | 86 | u16 tclass); |
90 | 87 | ||
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f4129f589313..8ee4aaef1094 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -39,7 +39,6 @@ | |||
39 | #include <linux/sched.h> | 39 | #include <linux/sched.h> |
40 | #include <linux/audit.h> | 40 | #include <linux/audit.h> |
41 | #include <linux/mutex.h> | 41 | #include <linux/mutex.h> |
42 | #include <net/sock.h> | ||
43 | #include <net/netlabel.h> | 42 | #include <net/netlabel.h> |
44 | 43 | ||
45 | #include "flask.h" | 44 | #include "flask.h" |
@@ -2198,32 +2197,6 @@ void selinux_audit_set_callback(int (*callback)(void)) | |||
2198 | aurule_callback = callback; | 2197 | aurule_callback = callback; |
2199 | } | 2198 | } |
2200 | 2199 | ||
2201 | /** | ||
2202 | * security_skb_extlbl_sid - Determine the external label of a packet | ||
2203 | * @skb: the packet | ||
2204 | * @base_sid: the SELinux SID to use as a context for MLS only external labels | ||
2205 | * @sid: the packet's SID | ||
2206 | * | ||
2207 | * Description: | ||
2208 | * Check the various different forms of external packet labeling and determine | ||
2209 | * the external SID for the packet. | ||
2210 | * | ||
2211 | */ | ||
2212 | void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid) | ||
2213 | { | ||
2214 | u32 xfrm_sid; | ||
2215 | u32 nlbl_sid; | ||
2216 | |||
2217 | selinux_skb_xfrm_sid(skb, &xfrm_sid); | ||
2218 | if (selinux_netlbl_skbuff_getsid(skb, | ||
2219 | (xfrm_sid == SECSID_NULL ? | ||
2220 | base_sid : xfrm_sid), | ||
2221 | &nlbl_sid) != 0) | ||
2222 | nlbl_sid = SECSID_NULL; | ||
2223 | |||
2224 | *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); | ||
2225 | } | ||
2226 | |||
2227 | #ifdef CONFIG_NETLABEL | 2200 | #ifdef CONFIG_NETLABEL |
2228 | /* | 2201 | /* |
2229 | * NetLabel cache structure | 2202 | * NetLabel cache structure |