aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/net/netlabel.h2
-rw-r--r--net/netlabel/netlabel_user.c4
-rw-r--r--net/xfrm/xfrm_policy.c5
-rw-r--r--security/selinux/hooks.c3
-rw-r--r--security/selinux/netlabel.c16
5 files changed, 21 insertions, 9 deletions
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index ffbc7f28335a..2e5b2f6f9fa0 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -132,6 +132,8 @@ struct netlbl_lsm_secattr_catmap {
132#define NETLBL_SECATTR_CACHE 0x00000002 132#define NETLBL_SECATTR_CACHE 0x00000002
133#define NETLBL_SECATTR_MLS_LVL 0x00000004 133#define NETLBL_SECATTR_MLS_LVL 0x00000004
134#define NETLBL_SECATTR_MLS_CAT 0x00000008 134#define NETLBL_SECATTR_MLS_CAT 0x00000008
135#define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL | \
136 NETLBL_SECATTR_MLS_CAT)
135struct netlbl_lsm_secattr { 137struct netlbl_lsm_secattr {
136 u32 flags; 138 u32 flags;
137 139
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 89dcc485653b..85a96a3fddaa 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -113,8 +113,10 @@ struct audit_buffer *netlbl_audit_start_common(int type,
113 if (audit_info->secid != 0 && 113 if (audit_info->secid != 0 &&
114 security_secid_to_secctx(audit_info->secid, 114 security_secid_to_secctx(audit_info->secid,
115 &secctx, 115 &secctx,
116 &secctx_len) == 0) 116 &secctx_len) == 0) {
117 audit_log_format(audit_buf, " subj=%s", secctx); 117 audit_log_format(audit_buf, " subj=%s", secctx);
118 security_release_secctx(secctx, secctx_len);
119 }
118 120
119 return audit_buf; 121 return audit_buf;
120} 122}
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 95a47304336d..e5a3be03aa0d 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2195,9 +2195,10 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
2195 } 2195 }
2196 2196
2197 if (sid != 0 && 2197 if (sid != 0 &&
2198 security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) 2198 security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
2199 audit_log_format(audit_buf, " subj=%s", secctx); 2199 audit_log_format(audit_buf, " subj=%s", secctx);
2200 else 2200 security_release_secctx(secctx, secctx_len);
2201 } else
2201 audit_log_task_context(audit_buf); 2202 audit_log_task_context(audit_buf);
2202 2203
2203 if (xp) { 2204 if (xp) {
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0fac6829c63a..6237933f7d82 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4658,8 +4658,7 @@ static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4658 4658
4659static void selinux_release_secctx(char *secdata, u32 seclen) 4659static void selinux_release_secctx(char *secdata, u32 seclen)
4660{ 4660{
4661 if (secdata) 4661 kfree(secdata);
4662 kfree(secdata);
4663} 4662}
4664 4663
4665#ifdef CONFIG_KEYS 4664#ifdef CONFIG_KEYS
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 051b14c88e2d..d243ddc723a5 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -162,9 +162,13 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
162 162
163 netlbl_secattr_init(&secattr); 163 netlbl_secattr_init(&secattr);
164 rc = netlbl_skbuff_getattr(skb, &secattr); 164 rc = netlbl_skbuff_getattr(skb, &secattr);
165 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 165 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
166 rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid); 166 rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
167 else 167 if (rc == 0 &&
168 (secattr.flags & NETLBL_SECATTR_CACHEABLE) &&
169 (secattr.flags & NETLBL_SECATTR_CACHE))
170 netlbl_cache_add(skb, &secattr);
171 } else
168 *sid = SECSID_NULL; 172 *sid = SECSID_NULL;
169 netlbl_secattr_destroy(&secattr); 173 netlbl_secattr_destroy(&secattr);
170 174
@@ -307,11 +311,15 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
307 311
308 netlbl_secattr_init(&secattr); 312 netlbl_secattr_init(&secattr);
309 rc = netlbl_skbuff_getattr(skb, &secattr); 313 rc = netlbl_skbuff_getattr(skb, &secattr);
310 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 314 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
311 rc = security_netlbl_secattr_to_sid(&secattr, 315 rc = security_netlbl_secattr_to_sid(&secattr,
312 SECINITSID_NETMSG, 316 SECINITSID_NETMSG,
313 &nlbl_sid); 317 &nlbl_sid);
314 else 318 if (rc == 0 &&
319 (secattr.flags & NETLBL_SECATTR_CACHEABLE) &&
320 (secattr.flags & NETLBL_SECATTR_CACHE))
321 netlbl_cache_add(skb, &secattr);
322 } else
315 nlbl_sid = SECINITSID_UNLABELED; 323 nlbl_sid = SECINITSID_UNLABELED;
316 netlbl_secattr_destroy(&secattr); 324 netlbl_secattr_destroy(&secattr);
317 if (rc != 0) 325 if (rc != 0)
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-26 03:57:05 -0500