7 files changed, 110 insertions, 44 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index f75303831d09..aa5b8043dc38 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1109,6 +1109,16 @@ struct swap_info_struct;
 *      @name contains the name of the security module being unstacked.
 *      @ops contains a pointer to the struct security_operations of the module to unstack.
 * 
+ * @secid_to_secctx:
+ *      Convert secid to security context.
+ *      @secid contains the security ID.
+ *      @secdata contains the pointer that stores the converted security context.
+ *
+ * @release_secctx:
+ *      Release the security context.
+ *      @secdata contains the security context.
+ *      @seclen contains the length of the security context.
+ *
 * This is the main security structure.
 */
 struct security_operations {
@@ -1289,6 +1299,8 @@ struct security_operations {
        int (*getprocattr)(struct task_struct *p, char *name, void *value, size_t size);
        int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size);
+        int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
+        void (*release_secctx)(char *secdata, u32 seclen);
 #ifdef CONFIG_SECURITY_NETWORK
        int (*unix_stream_connect) (struct socket * sock,
@@ -1317,7 +1329,7 @@ struct security_operations {
        int (*socket_shutdown) (struct socket * sock, int how);
        int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb);
        int (*socket_getpeersec_stream) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len);
-        int (*socket_getpeersec_dgram) (struct sk_buff *skb, char **secdata, u32 *seclen);
+        int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid);
        int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
        void (*sk_free_security) (struct sock *sk);
        unsigned int (*sk_getsid) (struct sock *sk, struct flowi *fl, u8 dir);
@@ -2059,6 +2071,16 @@ static inline int security_netlink_recv(struct sk_buff * skb, int cap)
        return security_ops->netlink_recv(skb, cap);
 }
+static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+{
+        return security_ops->secid_to_secctx(secid, secdata, seclen);
+}
+static inline void security_release_secctx(char *secdata, u32 seclen)
+{
+        return security_ops->release_secctx(secdata, seclen);
+}
 /* prototypes */
 extern int security_init        (void);
 extern int register_security    (struct security_operations *ops);
@@ -2725,6 +2747,15 @@ static inline void securityfs_remove(struct dentry *dentry)
 {
 }
+static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+{
+        return -EOPNOTSUPP;
+}
+static inline void security_release_secctx(char *secdata, u32 seclen)
+{
+        return -EOPNOTSUPP;
+}
 #endif  /* CONFIG_SECURITY */
 #ifdef CONFIG_SECURITY_NETWORK
@@ -2840,10 +2871,9 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
        return security_ops->socket_getpeersec_stream(sock, optval, optlen, len);
 }
-static inline int security_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata,
+static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
-                                                   u32 *seclen)
 {
-        return security_ops->socket_getpeersec_dgram(skb, secdata, seclen);
+        return security_ops->socket_getpeersec_dgram(sock, skb, secid);
 }
 static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
@@ -2968,8 +2998,7 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
        return -ENOPROTOOPT;
 }
-static inline int security_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata,
+static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
-                                                   u32 *seclen)
 {
        return -ENOPROTOOPT;
 }
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index 2fec827c8801..c0398f5a8cb9 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -54,15 +54,13 @@ struct unix_skb_parms {
        struct ucred            creds;          /* Skb credentials      */
        struct scm_fp_list      *fp;            /* Passed files         */
 #ifdef CONFIG_SECURITY_NETWORK
-        char                    *secdata;       /* Security context     */
+        u32                     secid;          /* Security ID          */
-        u32                     seclen;         /* Security length      */
 #endif
 };
 #define UNIXCB(skb)     (*(struct unix_skb_parms*)&((skb)->cb))
 #define UNIXCREDS(skb)  (&UNIXCB((skb)).creds)
-#define UNIXSECDATA(skb)        (&UNIXCB((skb)).secdata)
+#define UNIXSID(skb)    (&UNIXCB((skb)).secid)
-#define UNIXSECLEN(skb)         (&UNIXCB((skb)).seclen)
 #define unix_state_rlock(s)     spin_lock(&unix_sk(s)->lock)
 #define unix_state_runlock(s)   spin_unlock(&unix_sk(s)->lock)
diff --git a/include/net/scm.h b/include/net/scm.h
index 02daa097cdcd..5637d5e22d5f 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -3,6 +3,7 @@
 #include <linux/limits.h>
 #include <linux/net.h>
+#include <linux/security.h>
 /* Well, we should have at least one descriptor open
 * to accept passed FDs 8)
@@ -20,8 +21,7 @@ struct scm_cookie
        struct ucred            creds;          /* Skb credentials      */
        struct scm_fp_list      *fp;            /* Passed files         */
 #ifdef CONFIG_SECURITY_NETWORK
-        char                    *secdata;       /* Security context     */
+        u32                     secid;          /* Passed security ID   */
-        u32                     seclen;         /* Security length      */
 #endif
        unsigned long           seq;            /* Connection seqno     */
 };
@@ -32,6 +32,16 @@ extern int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie
 extern void __scm_destroy(struct scm_cookie *scm);
 extern struct scm_fp_list * scm_fp_dup(struct scm_fp_list *fpl);
+#ifdef CONFIG_SECURITY_NETWORK
+static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
+{
+        security_socket_getpeersec_dgram(sock, NULL, &scm->secid);
+}
+#else
+static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
+{ }
+#endif /* CONFIG_SECURITY_NETWORK */
 static __inline__ void scm_destroy(struct scm_cookie *scm)
 {
        if (scm && scm->fp)
@@ -47,6 +57,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
        scm->creds.pid = p->tgid;
        scm->fp = NULL;
        scm->seq = 0;
+        unix_get_peersec_dgram(sock, scm);
        if (msg->msg_controllen <= 0)
                return 0;
        return __scm_send(sock, msg, scm);
@@ -55,8 +66,18 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
 #ifdef CONFIG_SECURITY_NETWORK
 static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
 {
-        if (test_bit(SOCK_PASSSEC, &sock->flags) && scm->secdata != NULL)
+        char *secdata;
-                put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, scm->seclen, scm->secdata);
+        u32 seclen;
+        int err;
+        if (test_bit(SOCK_PASSSEC, &sock->flags)) {
+                err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
+                if (!err) {
+                        put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
+                        security_release_secctx(secdata, seclen);
+                }
+        }
 }
 #else
 static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 84f43a3c9098..2d05c4133d3e 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -112,14 +112,19 @@ static void ip_cmsg_recv_retopts(struct msghdr *msg, struct sk_buff *skb)
 static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 {
        char *secdata;
-        u32 seclen;
+        u32 seclen, secid;
        int err;
-        err = security_socket_getpeersec_dgram(skb, &secdata, &seclen);
+        err = security_socket_getpeersec_dgram(NULL, skb, &secid);
+        if (err)
+                return;
+        err = security_secid_to_secctx(secid, &secdata, &seclen);
        if (err)
                return;
        put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);
+        security_release_secctx(secdata, seclen);
 }
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 6f2909279268..de6ec519272e 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -128,23 +128,17 @@ static atomic_t unix_nr_socks = ATOMIC_INIT(0);
 #define UNIX_ABSTRACT(sk)       (unix_sk(sk)->addr->hash != UNIX_HASH_SIZE)
 #ifdef CONFIG_SECURITY_NETWORK
-static void unix_get_peersec_dgram(struct sk_buff *skb)
+static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 {
-        int err;
+        memcpy(UNIXSID(skb), &scm->secid, sizeof(u32));
-        err = security_socket_getpeersec_dgram(skb, UNIXSECDATA(skb),
-                                               UNIXSECLEN(skb));
-        if (err)
-                *(UNIXSECDATA(skb)) = NULL;
 }
 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 {
-        scm->secdata = *UNIXSECDATA(skb);
+        scm->secid = *UNIXSID(skb);
-        scm->seclen = *UNIXSECLEN(skb);
 }
 #else
-static inline void unix_get_peersec_dgram(struct sk_buff *skb)
+static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 { }
 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
@@ -1322,8 +1316,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
        memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
        if (siocb->scm->fp)
                unix_attach_fds(siocb->scm, skb);
+        unix_get_secdata(siocb->scm, skb);
-        unix_get_peersec_dgram(skb);
        skb->h.raw = skb->data;
        err = memcpy_fromiovec(skb_put(skb,len), msg->msg_iov, len);
diff --git a/security/dummy.c b/security/dummy.c
index bbbfda70e131..58c6d399c844 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -791,8 +791,7 @@ static int dummy_socket_getpeersec_stream(struct socket *sock, char __user *optv
        return -ENOPROTOOPT;
 }
-static int dummy_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata,
+static int dummy_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
-                                         u32 *seclen)
 {
        return -ENOPROTOOPT;
 }
@@ -876,6 +875,15 @@ static int dummy_setprocattr(struct task_struct *p, char *name, void *value, siz
        return -EINVAL;
 }
+static int dummy_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+{
+        return -EOPNOTSUPP;
+}
+static void dummy_release_secctx(char *secdata, u32 seclen)
+{
+}
 #ifdef CONFIG_KEYS
 static inline int dummy_key_alloc(struct key *key, struct task_struct *ctx,
                                  unsigned long flags)
@@ -1028,6 +1036,8 @@ void security_fixup_ops (struct security_operations *ops)
        set_to_dummy_if_null(ops, d_instantiate);
        set_to_dummy_if_null(ops, getprocattr);
        set_to_dummy_if_null(ops, setprocattr);
+        set_to_dummy_if_null(ops, secid_to_secctx);
+        set_to_dummy_if_null(ops, release_secctx);
 #ifdef CONFIG_SECURITY_NETWORK
        set_to_dummy_if_null(ops, unix_stream_connect);
        set_to_dummy_if_null(ops, unix_may_send);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a91c961ba38b..5d1b8c733199 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3524,25 +3524,21 @@ out:
        return err;
 }
-static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
+static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
 {
+        u32 peer_secid = SECSID_NULL;
        int err = 0;
-        u32 peer_sid;
-        if (skb->sk->sk_family == PF_UNIX)
+        if (sock && (sock->sk->sk_family == PF_UNIX))
-                selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket),
+                selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
-                                      &peer_sid);
+        else if (skb)
-        else
+                peer_secid = selinux_socket_getpeer_dgram(skb);
-                peer_sid = selinux_socket_getpeer_dgram(skb);
-        if (peer_sid == SECSID_NULL)
-                return -EINVAL;
-        err = security_sid_to_context(peer_sid, secdata, seclen);
+        if (peer_secid == SECSID_NULL)
-        if (err)
+                err = -EINVAL;
-                return err;
+        *secid = peer_secid;
-        return 0;
+        return err;
 }
 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
@@ -4407,6 +4403,17 @@ static int selinux_setprocattr(struct task_struct *p,
        return size;
 }
+static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+{
+        return security_sid_to_context(secid, secdata, seclen);
+}
+static void selinux_release_secctx(char *secdata, u32 seclen)
+{
+        if (secdata)
+                kfree(secdata);
+}
 #ifdef CONFIG_KEYS
 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
@@ -4587,6 +4594,9 @@ static struct security_operations selinux_ops = {
        .getprocattr =                  selinux_getprocattr,
        .setprocattr =                  selinux_setprocattr,
+        .secid_to_secctx =              selinux_secid_to_secctx,
+        .release_secctx =               selinux_release_secctx,
        .unix_stream_connect =          selinux_socket_unix_stream_connect,
        .unix_may_send =                selinux_socket_unix_may_send,

diff --git a/include/linux/security.h b/include/linux/security.h index f75303831d09..aa5b8043dc38 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -1109,6 +1109,16 @@ struct swap_info_struct;
1109	* @name contains the name of the security module being unstacked.	1109	* @name contains the name of the security module being unstacked.
1110	* @ops contains a pointer to the struct security_operations of the module to unstack.	1110	* @ops contains a pointer to the struct security_operations of the module to unstack.
1111	*	1111	*
		1112	* @secid_to_secctx:
		1113	* Convert secid to security context.
		1114	* @secid contains the security ID.
		1115	* @secdata contains the pointer that stores the converted security context.
		1116	*
		1117	* @release_secctx:
		1118	* Release the security context.
		1119	* @secdata contains the security context.
		1120	* @seclen contains the length of the security context.
		1121	*
1112	* This is the main security structure.	1122	* This is the main security structure.
1113	*/	1123	*/
1114	struct security_operations {	1124	struct security_operations {
@@ -1289,6 +1299,8 @@ struct security_operations {
1289		1299
1290	int (getprocattr)(struct task_struct p, char name, void value, size_t size);	1300	int (getprocattr)(struct task_struct p, char name, void value, size_t size);
1291	int (setprocattr)(struct task_struct p, char name, void value, size_t size);	1301	int (setprocattr)(struct task_struct p, char name, void value, size_t size);
		1302	int (secid_to_secctx)(u32 secid, char secdata, u32 seclen);
		1303	void (release_secctx)(char secdata, u32 seclen);
1292		1304
1293	#ifdef CONFIG_SECURITY_NETWORK	1305	#ifdef CONFIG_SECURITY_NETWORK
1294	int (unix_stream_connect) (struct socket sock,	1306	int (unix_stream_connect) (struct socket sock,
@@ -1317,7 +1329,7 @@ struct security_operations {
1317	int (socket_shutdown) (struct socket sock, int how);	1329	int (socket_shutdown) (struct socket sock, int how);
1318	int (socket_sock_rcv_skb) (struct sock sk, struct sk_buff * skb);	1330	int (socket_sock_rcv_skb) (struct sock sk, struct sk_buff * skb);
1319	int (socket_getpeersec_stream) (struct socket sock, char __user optval, int __user optlen, unsigned len);	1331	int (socket_getpeersec_stream) (struct socket sock, char __user optval, int __user optlen, unsigned len);
1320	int (socket_getpeersec_dgram) (struct sk_buff skb, char *secdata, u32 seclen);	1332	int (socket_getpeersec_dgram) (struct socket sock, struct sk_buff skb, u32 secid);
1321	int (sk_alloc_security) (struct sock sk, int family, gfp_t priority);	1333	int (sk_alloc_security) (struct sock sk, int family, gfp_t priority);
1322	void (sk_free_security) (struct sock sk);	1334	void (sk_free_security) (struct sock sk);
1323	unsigned int (sk_getsid) (struct sock sk, struct flowi *fl, u8 dir);	1335	unsigned int (sk_getsid) (struct sock sk, struct flowi *fl, u8 dir);
@@ -2059,6 +2071,16 @@ static inline int security_netlink_recv(struct sk_buff * skb, int cap)
2059	return security_ops->netlink_recv(skb, cap);	2071	return security_ops->netlink_recv(skb, cap);
2060	}	2072	}
2061		2073
		2074	static inline int security_secid_to_secctx(u32 secid, char *secdata, u32 seclen)
		2075	{
		2076	return security_ops->secid_to_secctx(secid, secdata, seclen);
		2077	}
		2078
		2079	static inline void security_release_secctx(char *secdata, u32 seclen)
		2080	{
		2081	return security_ops->release_secctx(secdata, seclen);
		2082	}
		2083
2062	/* prototypes */	2084	/* prototypes */
2063	extern int security_init (void);	2085	extern int security_init (void);
2064	extern int register_security (struct security_operations *ops);	2086	extern int register_security (struct security_operations *ops);
@@ -2725,6 +2747,15 @@ static inline void securityfs_remove(struct dentry *dentry)
2725	{	2747	{
2726	}	2748	}
2727		2749
		2750	static inline int security_secid_to_secctx(u32 secid, char *secdata, u32 seclen)
		2751	{
		2752	return -EOPNOTSUPP;
		2753	}
		2754
		2755	static inline void security_release_secctx(char *secdata, u32 seclen)
		2756	{
		2757	return -EOPNOTSUPP;
		2758	}
2728	#endif /* CONFIG_SECURITY */	2759	#endif /* CONFIG_SECURITY */
2729		2760
2730	#ifdef CONFIG_SECURITY_NETWORK	2761	#ifdef CONFIG_SECURITY_NETWORK
@@ -2840,10 +2871,9 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
2840	return security_ops->socket_getpeersec_stream(sock, optval, optlen, len);	2871	return security_ops->socket_getpeersec_stream(sock, optval, optlen, len);
2841	}	2872	}
2842		2873
2843	static inline int security_socket_getpeersec_dgram(struct sk_buff skb, char *secdata,	2874	static inline int security_socket_getpeersec_dgram(struct socket sock, struct sk_buff skb, u32 *secid)
2844	u32 *seclen)
2845	{	2875	{
2846	return security_ops->socket_getpeersec_dgram(skb, secdata, seclen);	2876	return security_ops->socket_getpeersec_dgram(sock, skb, secid);
2847	}	2877	}
2848		2878
2849	static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)	2879	static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
@@ -2968,8 +2998,7 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
2968	return -ENOPROTOOPT;	2998	return -ENOPROTOOPT;
2969	}	2999	}
2970		3000
2971	static inline int security_socket_getpeersec_dgram(struct sk_buff skb, char *secdata,	3001	static inline int security_socket_getpeersec_dgram(struct socket sock, struct sk_buff skb, u32 *secid)
2972	u32 *seclen)
2973	{	3002	{
2974	return -ENOPROTOOPT;	3003	return -ENOPROTOOPT;
2975	}	3004	}


diff --git a/include/net/af_unix.h b/include/net/af_unix.h index 2fec827c8801..c0398f5a8cb9 100644 --- a/include/net/af_unix.h +++ b/include/net/af_unix.h
@@ -54,15 +54,13 @@ struct unix_skb_parms {
54	struct ucred creds; /* Skb credentials */	54	struct ucred creds; /* Skb credentials */
55	struct scm_fp_list fp; / Passed files */	55	struct scm_fp_list fp; / Passed files */
56	#ifdef CONFIG_SECURITY_NETWORK	56	#ifdef CONFIG_SECURITY_NETWORK
57	char secdata; / Security context */	57	u32 secid; /* Security ID */
58	u32 seclen; /* Security length */
59	#endif	58	#endif
60	};	59	};
61		60
62	#define UNIXCB(skb) ((struct unix_skb_parms)&((skb)->cb))	61	#define UNIXCB(skb) ((struct unix_skb_parms)&((skb)->cb))
63	#define UNIXCREDS(skb) (&UNIXCB((skb)).creds)	62	#define UNIXCREDS(skb) (&UNIXCB((skb)).creds)
64	#define UNIXSECDATA(skb) (&UNIXCB((skb)).secdata)	63	#define UNIXSID(skb) (&UNIXCB((skb)).secid)
65	#define UNIXSECLEN(skb) (&UNIXCB((skb)).seclen)
66		64
67	#define unix_state_rlock(s) spin_lock(&unix_sk(s)->lock)	65	#define unix_state_rlock(s) spin_lock(&unix_sk(s)->lock)
68	#define unix_state_runlock(s) spin_unlock(&unix_sk(s)->lock)	66	#define unix_state_runlock(s) spin_unlock(&unix_sk(s)->lock)


diff --git a/include/net/scm.h b/include/net/scm.h index 02daa097cdcd..5637d5e22d5f 100644 --- a/include/net/scm.h +++ b/include/net/scm.h
@@ -3,6 +3,7 @@
3		3
4	#include <linux/limits.h>	4	#include <linux/limits.h>
5	#include <linux/net.h>	5	#include <linux/net.h>
		6	#include <linux/security.h>
6		7
7	/* Well, we should have at least one descriptor open	8	/* Well, we should have at least one descriptor open
8	* to accept passed FDs 8)	9	* to accept passed FDs 8)
@@ -20,8 +21,7 @@ struct scm_cookie
20	struct ucred creds; /* Skb credentials */	21	struct ucred creds; /* Skb credentials */
21	struct scm_fp_list fp; / Passed files */	22	struct scm_fp_list fp; / Passed files */
22	#ifdef CONFIG_SECURITY_NETWORK	23	#ifdef CONFIG_SECURITY_NETWORK
23	char secdata; / Security context */	24	u32 secid; /* Passed security ID */
24	u32 seclen; /* Security length */
25	#endif	25	#endif
26	unsigned long seq; /* Connection seqno */	26	unsigned long seq; /* Connection seqno */
27	};	27	};
@@ -32,6 +32,16 @@ extern int __scm_send(struct socket sock, struct msghdr msg, struct scm_cookie
32	extern void __scm_destroy(struct scm_cookie *scm);	32	extern void __scm_destroy(struct scm_cookie *scm);
33	extern struct scm_fp_list * scm_fp_dup(struct scm_fp_list *fpl);	33	extern struct scm_fp_list * scm_fp_dup(struct scm_fp_list *fpl);
34		34
		35	#ifdef CONFIG_SECURITY_NETWORK
		36	static __inline__ void unix_get_peersec_dgram(struct socket sock, struct scm_cookie scm)
		37	{
		38	security_socket_getpeersec_dgram(sock, NULL, &scm->secid);
		39	}
		40	#else
		41	static __inline__ void unix_get_peersec_dgram(struct socket sock, struct scm_cookie scm)
		42	{ }
		43	#endif /* CONFIG_SECURITY_NETWORK */
		44
35	static __inline__ void scm_destroy(struct scm_cookie *scm)	45	static __inline__ void scm_destroy(struct scm_cookie *scm)
36	{	46	{
37	if (scm && scm->fp)	47	if (scm && scm->fp)
@@ -47,6 +57,7 @@ static __inline__ int scm_send(struct socket sock, struct msghdr msg,
47	scm->creds.pid = p->tgid;	57	scm->creds.pid = p->tgid;
48	scm->fp = NULL;	58	scm->fp = NULL;
49	scm->seq = 0;	59	scm->seq = 0;
		60	unix_get_peersec_dgram(sock, scm);
50	if (msg->msg_controllen <= 0)	61	if (msg->msg_controllen <= 0)
51	return 0;	62	return 0;
52	return __scm_send(sock, msg, scm);	63	return __scm_send(sock, msg, scm);
@@ -55,8 +66,18 @@ static __inline__ int scm_send(struct socket sock, struct msghdr msg,
55	#ifdef CONFIG_SECURITY_NETWORK	66	#ifdef CONFIG_SECURITY_NETWORK
56	static inline void scm_passec(struct socket sock, struct msghdr msg, struct scm_cookie *scm)	67	static inline void scm_passec(struct socket sock, struct msghdr msg, struct scm_cookie *scm)
57	{	68	{
58	if (test_bit(SOCK_PASSSEC, &sock->flags) && scm->secdata != NULL)	69	char *secdata;
59	put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, scm->seclen, scm->secdata);	70	u32 seclen;
		71	int err;
		72
		73	if (test_bit(SOCK_PASSSEC, &sock->flags)) {
		74	err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
		75
		76	if (!err) {
		77	put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
		78	security_release_secctx(secdata, seclen);
		79	}
		80	}
60	}	81	}
61	#else	82	#else
62	static inline void scm_passec(struct socket sock, struct msghdr msg, struct scm_cookie *scm)	83	static inline void scm_passec(struct socket sock, struct msghdr msg, struct scm_cookie *scm)


diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 84f43a3c9098..2d05c4133d3e 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c
@@ -112,14 +112,19 @@ static void ip_cmsg_recv_retopts(struct msghdr msg, struct sk_buff skb)
112	static void ip_cmsg_recv_security(struct msghdr msg, struct sk_buff skb)	112	static void ip_cmsg_recv_security(struct msghdr msg, struct sk_buff skb)
113	{	113	{
114	char *secdata;	114	char *secdata;
115	u32 seclen;	115	u32 seclen, secid;
116	int err;	116	int err;
117		117
118	err = security_socket_getpeersec_dgram(skb, &secdata, &seclen);	118	err = security_socket_getpeersec_dgram(NULL, skb, &secid);
		119	if (err)
		120	return;
		121
		122	err = security_secid_to_secctx(secid, &secdata, &seclen);
119	if (err)	123	if (err)
120	return;	124	return;
121		125
122	put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);	126	put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);
		127	security_release_secctx(secdata, seclen);
123	}	128	}
124		129
125		130


diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 6f2909279268..de6ec519272e 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c
@@ -128,23 +128,17 @@ static atomic_t unix_nr_socks = ATOMIC_INIT(0);
128	#define UNIX_ABSTRACT(sk) (unix_sk(sk)->addr->hash != UNIX_HASH_SIZE)	128	#define UNIX_ABSTRACT(sk) (unix_sk(sk)->addr->hash != UNIX_HASH_SIZE)
129		129
130	#ifdef CONFIG_SECURITY_NETWORK	130	#ifdef CONFIG_SECURITY_NETWORK
131	static void unix_get_peersec_dgram(struct sk_buff *skb)	131	static void unix_get_secdata(struct scm_cookie scm, struct sk_buff skb)
132	{	132	{
133	int err;	133	memcpy(UNIXSID(skb), &scm->secid, sizeof(u32));
134
135	err = security_socket_getpeersec_dgram(skb, UNIXSECDATA(skb),
136	UNIXSECLEN(skb));
137	if (err)
138	*(UNIXSECDATA(skb)) = NULL;
139	}	134	}
140		135
141	static inline void unix_set_secdata(struct scm_cookie scm, struct sk_buff skb)	136	static inline void unix_set_secdata(struct scm_cookie scm, struct sk_buff skb)
142	{	137	{
143	scm->secdata = *UNIXSECDATA(skb);	138	scm->secid = *UNIXSID(skb);
144	scm->seclen = *UNIXSECLEN(skb);
145	}	139	}
146	#else	140	#else
147	static inline void unix_get_peersec_dgram(struct sk_buff *skb)	141	static inline void unix_get_secdata(struct scm_cookie scm, struct sk_buff skb)
148	{ }	142	{ }
149		143
150	static inline void unix_set_secdata(struct scm_cookie scm, struct sk_buff skb)	144	static inline void unix_set_secdata(struct scm_cookie scm, struct sk_buff skb)
@@ -1322,8 +1316,7 @@ static int unix_dgram_sendmsg(struct kiocb kiocb, struct socket sock,
1322	memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));	1316	memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
1323	if (siocb->scm->fp)	1317	if (siocb->scm->fp)
1324	unix_attach_fds(siocb->scm, skb);	1318	unix_attach_fds(siocb->scm, skb);
1325		1319	unix_get_secdata(siocb->scm, skb);
1326	unix_get_peersec_dgram(skb);
1327		1320
1328	skb->h.raw = skb->data;	1321	skb->h.raw = skb->data;
1329	err = memcpy_fromiovec(skb_put(skb,len), msg->msg_iov, len);	1322	err = memcpy_fromiovec(skb_put(skb,len), msg->msg_iov, len);


diff --git a/security/dummy.c b/security/dummy.c index bbbfda70e131..58c6d399c844 100644 --- a/security/dummy.c +++ b/security/dummy.c
@@ -791,8 +791,7 @@ static int dummy_socket_getpeersec_stream(struct socket sock, char __user optv
791	return -ENOPROTOOPT;	791	return -ENOPROTOOPT;
792	}	792	}
793		793
794	static int dummy_socket_getpeersec_dgram(struct sk_buff skb, char *secdata,	794	static int dummy_socket_getpeersec_dgram(struct socket sock, struct sk_buff skb, u32 *secid)
795	u32 *seclen)
796	{	795	{
797	return -ENOPROTOOPT;	796	return -ENOPROTOOPT;
798	}	797	}
@@ -876,6 +875,15 @@ static int dummy_setprocattr(struct task_struct p, char name, void *value, siz
876	return -EINVAL;	875	return -EINVAL;
877	}	876	}
878		877
		878	static int dummy_secid_to_secctx(u32 secid, char *secdata, u32 seclen)
		879	{
		880	return -EOPNOTSUPP;
		881	}
		882
		883	static void dummy_release_secctx(char *secdata, u32 seclen)
		884	{
		885	}
		886
879	#ifdef CONFIG_KEYS	887	#ifdef CONFIG_KEYS
880	static inline int dummy_key_alloc(struct key key, struct task_struct ctx,	888	static inline int dummy_key_alloc(struct key key, struct task_struct ctx,
881	unsigned long flags)	889	unsigned long flags)
@@ -1028,6 +1036,8 @@ void security_fixup_ops (struct security_operations *ops)
1028	set_to_dummy_if_null(ops, d_instantiate);	1036	set_to_dummy_if_null(ops, d_instantiate);
1029	set_to_dummy_if_null(ops, getprocattr);	1037	set_to_dummy_if_null(ops, getprocattr);
1030	set_to_dummy_if_null(ops, setprocattr);	1038	set_to_dummy_if_null(ops, setprocattr);
		1039	set_to_dummy_if_null(ops, secid_to_secctx);
		1040	set_to_dummy_if_null(ops, release_secctx);
1031	#ifdef CONFIG_SECURITY_NETWORK	1041	#ifdef CONFIG_SECURITY_NETWORK
1032	set_to_dummy_if_null(ops, unix_stream_connect);	1042	set_to_dummy_if_null(ops, unix_stream_connect);
1033	set_to_dummy_if_null(ops, unix_may_send);	1043	set_to_dummy_if_null(ops, unix_may_send);


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a91c961ba38b..5d1b8c733199 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3524,25 +3524,21 @@ out:
3524	return err;	3524	return err;
3525	}	3525	}
3526		3526
3527	static int selinux_socket_getpeersec_dgram(struct sk_buff skb, char secdata, u32 seclen)	3527	static int selinux_socket_getpeersec_dgram(struct socket sock, struct sk_buff skb, u32 *secid)
3528	{	3528	{
		3529	u32 peer_secid = SECSID_NULL;
3529	int err = 0;	3530	int err = 0;
3530	u32 peer_sid;
3531		3531
3532	if (skb->sk->sk_family == PF_UNIX)	3532	if (sock && (sock->sk->sk_family == PF_UNIX))
3533	selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket),	3533	selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3534	&peer_sid);	3534	else if (skb)
3535	else	3535	peer_secid = selinux_socket_getpeer_dgram(skb);
3536	peer_sid = selinux_socket_getpeer_dgram(skb);
3537
3538	if (peer_sid == SECSID_NULL)
3539	return -EINVAL;
3540		3536
3541	err = security_sid_to_context(peer_sid, secdata, seclen);	3537	if (peer_secid == SECSID_NULL)
3542	if (err)	3538	err = -EINVAL;
3543	return err;	3539	*secid = peer_secid;
3544		3540
3545	return 0;	3541	return err;
3546	}	3542	}
3547		3543
3548	static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)	3544	static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
@@ -4407,6 +4403,17 @@ static int selinux_setprocattr(struct task_struct *p,
4407	return size;	4403	return size;
4408	}	4404	}
4409		4405
		4406	static int selinux_secid_to_secctx(u32 secid, char *secdata, u32 seclen)
		4407	{
		4408	return security_sid_to_context(secid, secdata, seclen);
		4409	}
		4410
		4411	static void selinux_release_secctx(char *secdata, u32 seclen)
		4412	{
		4413	if (secdata)
		4414	kfree(secdata);
		4415	}
		4416
4410	#ifdef CONFIG_KEYS	4417	#ifdef CONFIG_KEYS
4411		4418
4412	static int selinux_key_alloc(struct key k, struct task_struct tsk,	4419	static int selinux_key_alloc(struct key k, struct task_struct tsk,
@@ -4587,6 +4594,9 @@ static struct security_operations selinux_ops = {
4587	.getprocattr = selinux_getprocattr,	4594	.getprocattr = selinux_getprocattr,
4588	.setprocattr = selinux_setprocattr,	4595	.setprocattr = selinux_setprocattr,
4589		4596
		4597	.secid_to_secctx = selinux_secid_to_secctx,
		4598	.release_secctx = selinux_release_secctx,
		4599
4590	.unix_stream_connect = selinux_socket_unix_stream_connect,	4600	.unix_stream_connect = selinux_socket_unix_stream_connect,
4591	.unix_may_send = selinux_socket_unix_may_send,	4601	.unix_may_send = selinux_socket_unix_may_send,
4592		4602