4 files changed, 7 insertions, 234 deletions
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 02ea3773535e..049a96247f58 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -355,17 +355,6 @@ Who:	Hans de Goede <hdegoede@redhat.com>
 ---------------------------
-What:   SELinux "compat_net" functionality
-When:   2.6.30 at the earliest
-Why:    In 2.6.18 the Secmark concept was introduced to replace the "compat_net"
-        network access control functionality of SELinux.  Secmark offers both
-        better performance and greater flexibility than the "compat_net"
-        mechanism.  Now that the major Linux distributions have moved to
-        Secmark, it is time to deprecate the older mechanism and start the
-        process of removing the old code.
-Who:    Paul Moore <paul.moore@hp.com>
---------------------------
 What:   sysfs ui for changing p4-clockmod parameters
 When:   September 2009
 Why:    See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index fa4e1239a8fa..d1b082772e39 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2019,15 +2019,6 @@ and is between 256 and 4096 characters. It is defined in the file
                        If enabled at boot time, /selinux/disable can be used
                        later to disable prior to initial policy load.
-        selinux_compat_net =
-                        [SELINUX] Set initial selinux_compat_net flag value.
-                        Format: { "0" | "1" }
-                        0 -- use new secmark-based packet controls
-                        1 -- use legacy packet controls
-                        Default value is 0 (preferred).
-                        Value can be changed at runtime via
-                        /selinux/compat_net.
        serialnumber    [BUGS=X86-32]
        shapers=        [NET]
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ee2e781d11d7..ba808ef6babb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -93,7 +93,6 @@
 extern unsigned int policydb_loaded_version;
 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
-extern int selinux_compat_net;
 extern struct security_operations *security_ops;
 /* SECMARK reference count */
@@ -4019,72 +4018,6 @@ static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
                            SECCLASS_NODE, NODE__RECVFROM, ad);
 }
-static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
-                                                struct sk_buff *skb,
-                                                struct avc_audit_data *ad,
-                                                u16 family,
-                                                char *addrp)
-{
-        int err;
-        struct sk_security_struct *sksec = sk->sk_security;
-        u16 sk_class;
-        u32 netif_perm, node_perm, recv_perm;
-        u32 port_sid, node_sid, if_sid, sk_sid;
-        sk_sid = sksec->sid;
-        sk_class = sksec->sclass;
-        switch (sk_class) {
-        case SECCLASS_UDP_SOCKET:
-                netif_perm = NETIF__UDP_RECV;
-                node_perm = NODE__UDP_RECV;
-                recv_perm = UDP_SOCKET__RECV_MSG;
-                break;
-        case SECCLASS_TCP_SOCKET:
-                netif_perm = NETIF__TCP_RECV;
-                node_perm = NODE__TCP_RECV;
-                recv_perm = TCP_SOCKET__RECV_MSG;
-                break;
-        case SECCLASS_DCCP_SOCKET:
-                netif_perm = NETIF__DCCP_RECV;
-                node_perm = NODE__DCCP_RECV;
-                recv_perm = DCCP_SOCKET__RECV_MSG;
-                break;
-        default:
-                netif_perm = NETIF__RAWIP_RECV;
-                node_perm = NODE__RAWIP_RECV;
-                recv_perm = 0;
-                break;
-        }
-        err = sel_netif_sid(skb->iif, &if_sid);
-        if (err)
-                return err;
-        err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
-        if (err)
-                return err;
-        err = sel_netnode_sid(addrp, family, &node_sid);
-        if (err)
-                return err;
-        err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
-        if (err)
-                return err;
-        if (!recv_perm)
-                return 0;
-        err = sel_netport_sid(sk->sk_protocol,
-                              ntohs(ad->u.net.sport), &port_sid);
-        if (unlikely(err)) {
-                printk(KERN_WARNING
-                       "SELinux: failure in"
-                       " selinux_sock_rcv_skb_iptables_compat(),"
-                       " network port label not found\n");
-                return err;
-        }
-        return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
-}
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
                                       u16 family)
 {
@@ -4102,14 +4035,12 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
        if (err)
                return err;
-        if (selinux_compat_net)
+        if (selinux_secmark_enabled()) {
-                err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
-                                                           family, addrp);
-        else if (selinux_secmark_enabled())
                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
                                   PACKET__RECV, &ad);
-        if (err)
+                if (err)
-                return err;
+                        return err;
+        }
        if (selinux_policycap_netpeer) {
                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
@@ -4151,7 +4082,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
         * to the selinux_sock_rcv_skb_compat() function to deal with the
         * special handling.  We do this in an attempt to keep this function
         * as fast and as clean as possible. */
-        if (selinux_compat_net || !selinux_policycap_netpeer)
+        if (!selinux_policycap_netpeer)
                return selinux_sock_rcv_skb_compat(sk, skb, family);
        secmark_active = selinux_secmark_enabled();
@@ -4516,71 +4447,6 @@ static unsigned int selinux_ipv4_output(unsigned int hooknum,
        return selinux_ip_output(skb, PF_INET);
 }
-static int selinux_ip_postroute_iptables_compat(struct sock *sk,
-                                                int ifindex,
-                                                struct avc_audit_data *ad,
-                                                u16 family, char *addrp)
-{
-        int err;
-        struct sk_security_struct *sksec = sk->sk_security;
-        u16 sk_class;
-        u32 netif_perm, node_perm, send_perm;
-        u32 port_sid, node_sid, if_sid, sk_sid;
-        sk_sid = sksec->sid;
-        sk_class = sksec->sclass;
-        switch (sk_class) {
-        case SECCLASS_UDP_SOCKET:
-                netif_perm = NETIF__UDP_SEND;
-                node_perm = NODE__UDP_SEND;
-                send_perm = UDP_SOCKET__SEND_MSG;
-                break;
-        case SECCLASS_TCP_SOCKET:
-                netif_perm = NETIF__TCP_SEND;
-                node_perm = NODE__TCP_SEND;
-                send_perm = TCP_SOCKET__SEND_MSG;
-                break;
-        case SECCLASS_DCCP_SOCKET:
-                netif_perm = NETIF__DCCP_SEND;
-                node_perm = NODE__DCCP_SEND;
-                send_perm = DCCP_SOCKET__SEND_MSG;
-                break;
-        default:
-                netif_perm = NETIF__RAWIP_SEND;
-                node_perm = NODE__RAWIP_SEND;
-                send_perm = 0;
-                break;
-        }
-        err = sel_netif_sid(ifindex, &if_sid);
-        if (err)
-                return err;
-        err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
-                return err;
-        err = sel_netnode_sid(addrp, family, &node_sid);
-        if (err)
-                return err;
-        err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
-        if (err)
-                return err;
-        if (send_perm != 0)
-                return 0;
-        err = sel_netport_sid(sk->sk_protocol,
-                              ntohs(ad->u.net.dport), &port_sid);
-        if (unlikely(err)) {
-                printk(KERN_WARNING
-                       "SELinux: failure in"
-                       " selinux_ip_postroute_iptables_compat(),"
-                       " network port label not found\n");
-                return err;
-        }
-        return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
-}
 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
                                                int ifindex,
                                                u16 family)
@@ -4601,15 +4467,10 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
        if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
                return NF_DROP;
-        if (selinux_compat_net) {
+        if (selinux_secmark_enabled())
-                if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
-                                                         &ad, family, addrp))
-                        return NF_DROP;
-        } else if (selinux_secmark_enabled()) {
                if (avc_has_perm(sksec->sid, skb->secmark,
                                 SECCLASS_PACKET, PACKET__SEND, &ad))
                        return NF_DROP;
-        }
        if (selinux_policycap_netpeer)
                if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
@@ -4633,7 +4494,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
         * to the selinux_ip_postroute_compat() function to deal with the
         * special handling.  We do this in an attempt to keep this function
         * as fast and as clean as possible. */
-        if (selinux_compat_net || !selinux_policycap_netpeer)
+        if (!selinux_policycap_netpeer)
                return selinux_ip_postroute_compat(skb, ifindex, family);
 #ifdef CONFIG_XFRM
        /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index d3c8b982cfb0..2d5136ec3d54 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -47,8 +47,6 @@ static char *policycap_names[] = {
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
-int selinux_compat_net = 0;
 static int __init checkreqprot_setup(char *str)
 {
        unsigned long checkreqprot;
@@ -58,16 +56,6 @@ static int __init checkreqprot_setup(char *str)
 }
 __setup("checkreqprot=", checkreqprot_setup);
-static int __init selinux_compat_net_setup(char *str)
-{
-        unsigned long compat_net;
-        if (!strict_strtoul(str, 0, &compat_net))
-                selinux_compat_net = compat_net ? 1 : 0;
-        return 1;
-}
-__setup("selinux_compat_net=", selinux_compat_net_setup);
 static DEFINE_MUTEX(sel_mutex);
 /* global data for booleans */
@@ -450,61 +438,6 @@ static const struct file_operations sel_checkreqprot_ops = {
        .write          = sel_write_checkreqprot,
 };
-static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
-                                   size_t count, loff_t *ppos)
-{
-        char tmpbuf[TMPBUFLEN];
-        ssize_t length;
-        length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net);
-        return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
-}
-static ssize_t sel_write_compat_net(struct file *file, const char __user *buf,
-                                    size_t count, loff_t *ppos)
-{
-        char *page;
-        ssize_t length;
-        int new_value;
-        length = task_has_security(current, SECURITY__LOAD_POLICY);
-        if (length)
-                return length;
-        if (count >= PAGE_SIZE)
-                return -ENOMEM;
-        if (*ppos != 0) {
-                /* No partial writes. */
-                return -EINVAL;
-        }
-        page = (char *)get_zeroed_page(GFP_KERNEL);
-        if (!page)
-                return -ENOMEM;
-        length = -EFAULT;
-        if (copy_from_user(page, buf, count))
-                goto out;
-        length = -EINVAL;
-        if (sscanf(page, "%d", &new_value) != 1)
-                goto out;
-        if (new_value) {
-                printk(KERN_NOTICE
-                       "SELinux: compat_net is deprecated, please use secmark"
-                       " instead\n");
-                selinux_compat_net = 1;
-        } else
-                selinux_compat_net = 0;
-        length = count;
-out:
-        free_page((unsigned long) page);
-        return length;
-}
-static const struct file_operations sel_compat_net_ops = {
-        .read           = sel_read_compat_net,
-        .write          = sel_write_compat_net,
-};
 /*
 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
 */
@@ -1665,7 +1598,6 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
                [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
                [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
                [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
-                [SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
                [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
                [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
                /* last one */ {""}

diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt index 02ea3773535e..049a96247f58 100644 --- a/Documentation/feature-removal-schedule.txt +++ b/Documentation/feature-removal-schedule.txt
@@ -355,17 +355,6 @@ Who: Hans de Goede <hdegoede@redhat.com>
355		355
356	---------------------------	356	---------------------------
357		357
358	What: SELinux "compat_net" functionality
359	When: 2.6.30 at the earliest
360	Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net"
361	network access control functionality of SELinux. Secmark offers both
362	better performance and greater flexibility than the "compat_net"
363	mechanism. Now that the major Linux distributions have moved to
364	Secmark, it is time to deprecate the older mechanism and start the
365	process of removing the old code.
366	Who: Paul Moore <paul.moore@hp.com>
367	---------------------------
368
369	What: sysfs ui for changing p4-clockmod parameters	358	What: sysfs ui for changing p4-clockmod parameters
370	When: September 2009	359	When: September 2009
371	Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and	360	Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and


diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index fa4e1239a8fa..d1b082772e39 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt
@@ -2019,15 +2019,6 @@ and is between 256 and 4096 characters. It is defined in the file
2019	If enabled at boot time, /selinux/disable can be used	2019	If enabled at boot time, /selinux/disable can be used
2020	later to disable prior to initial policy load.	2020	later to disable prior to initial policy load.
2021		2021
2022	selinux_compat_net =
2023	[SELINUX] Set initial selinux_compat_net flag value.
2024	Format: { "0" \| "1" }
2025	0 -- use new secmark-based packet controls
2026	1 -- use legacy packet controls
2027	Default value is 0 (preferred).
2028	Value can be changed at runtime via
2029	/selinux/compat_net.
2030
2031	serialnumber [BUGS=X86-32]	2022	serialnumber [BUGS=X86-32]
2032		2023
2033	shapers= [NET]	2024	shapers= [NET]


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ee2e781d11d7..ba808ef6babb 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -93,7 +93,6 @@
93		93
94	extern unsigned int policydb_loaded_version;	94	extern unsigned int policydb_loaded_version;
95	extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);	95	extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96	extern int selinux_compat_net;
97	extern struct security_operations *security_ops;	96	extern struct security_operations *security_ops;
98		97
99	/* SECMARK reference count */	98	/* SECMARK reference count */
@@ -4019,72 +4018,6 @@ static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4019	SECCLASS_NODE, NODE__RECVFROM, ad);	4018	SECCLASS_NODE, NODE__RECVFROM, ad);
4020	}	4019	}
4021		4020
4022	static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4023	struct sk_buff *skb,
4024	struct avc_audit_data *ad,
4025	u16 family,
4026	char *addrp)
4027	{
4028	int err;
4029	struct sk_security_struct *sksec = sk->sk_security;
4030	u16 sk_class;
4031	u32 netif_perm, node_perm, recv_perm;
4032	u32 port_sid, node_sid, if_sid, sk_sid;
4033
4034	sk_sid = sksec->sid;
4035	sk_class = sksec->sclass;
4036
4037	switch (sk_class) {
4038	case SECCLASS_UDP_SOCKET:
4039	netif_perm = NETIF__UDP_RECV;
4040	node_perm = NODE__UDP_RECV;
4041	recv_perm = UDP_SOCKET__RECV_MSG;
4042	break;
4043	case SECCLASS_TCP_SOCKET:
4044	netif_perm = NETIF__TCP_RECV;
4045	node_perm = NODE__TCP_RECV;
4046	recv_perm = TCP_SOCKET__RECV_MSG;
4047	break;
4048	case SECCLASS_DCCP_SOCKET:
4049	netif_perm = NETIF__DCCP_RECV;
4050	node_perm = NODE__DCCP_RECV;
4051	recv_perm = DCCP_SOCKET__RECV_MSG;
4052	break;
4053	default:
4054	netif_perm = NETIF__RAWIP_RECV;
4055	node_perm = NODE__RAWIP_RECV;
4056	recv_perm = 0;
4057	break;
4058	}
4059
4060	err = sel_netif_sid(skb->iif, &if_sid);
4061	if (err)
4062	return err;
4063	err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4064	if (err)
4065	return err;
4066
4067	err = sel_netnode_sid(addrp, family, &node_sid);
4068	if (err)
4069	return err;
4070	err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4071	if (err)
4072	return err;
4073
4074	if (!recv_perm)
4075	return 0;
4076	err = sel_netport_sid(sk->sk_protocol,
4077	ntohs(ad->u.net.sport), &port_sid);
4078	if (unlikely(err)) {
4079	printk(KERN_WARNING
4080	"SELinux: failure in"
4081	" selinux_sock_rcv_skb_iptables_compat(),"
4082	" network port label not found\n");
4083	return err;
4084	}
4085	return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4086	}
4087
4088	static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,	4021	static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,
4089	u16 family)	4022	u16 family)
4090	{	4023	{
@@ -4102,14 +4035,12 @@ static int selinux_sock_rcv_skb_compat(struct sock sk, struct sk_buff skb,
4102	if (err)	4035	if (err)
4103	return err;	4036	return err;
4104		4037
4105	if (selinux_compat_net)	4038	if (selinux_secmark_enabled()) {
4106	err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4107	family, addrp);
4108	else if (selinux_secmark_enabled())
4109	err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,	4039	err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4110	PACKET__RECV, &ad);	4040	PACKET__RECV, &ad);
4111	if (err)	4041	if (err)
4112	return err;	4042	return err;
		4043	}
4113		4044
4114	if (selinux_policycap_netpeer) {	4045	if (selinux_policycap_netpeer) {
4115	err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);	4046	err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
@@ -4151,7 +4082,7 @@ static int selinux_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
4151	* to the selinux_sock_rcv_skb_compat() function to deal with the	4082	* to the selinux_sock_rcv_skb_compat() function to deal with the
4152	* special handling. We do this in an attempt to keep this function	4083	* special handling. We do this in an attempt to keep this function
4153	* as fast and as clean as possible. */	4084	* as fast and as clean as possible. */
4154	if (selinux_compat_net \|\| !selinux_policycap_netpeer)	4085	if (!selinux_policycap_netpeer)
4155	return selinux_sock_rcv_skb_compat(sk, skb, family);	4086	return selinux_sock_rcv_skb_compat(sk, skb, family);
4156		4087
4157	secmark_active = selinux_secmark_enabled();	4088	secmark_active = selinux_secmark_enabled();
@@ -4516,71 +4447,6 @@ static unsigned int selinux_ipv4_output(unsigned int hooknum,
4516	return selinux_ip_output(skb, PF_INET);	4447	return selinux_ip_output(skb, PF_INET);
4517	}	4448	}
4518		4449
4519	static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4520	int ifindex,
4521	struct avc_audit_data *ad,
4522	u16 family, char *addrp)
4523	{
4524	int err;
4525	struct sk_security_struct *sksec = sk->sk_security;
4526	u16 sk_class;
4527	u32 netif_perm, node_perm, send_perm;
4528	u32 port_sid, node_sid, if_sid, sk_sid;
4529
4530	sk_sid = sksec->sid;
4531	sk_class = sksec->sclass;
4532
4533	switch (sk_class) {
4534	case SECCLASS_UDP_SOCKET:
4535	netif_perm = NETIF__UDP_SEND;
4536	node_perm = NODE__UDP_SEND;
4537	send_perm = UDP_SOCKET__SEND_MSG;
4538	break;
4539	case SECCLASS_TCP_SOCKET:
4540	netif_perm = NETIF__TCP_SEND;
4541	node_perm = NODE__TCP_SEND;
4542	send_perm = TCP_SOCKET__SEND_MSG;
4543	break;
4544	case SECCLASS_DCCP_SOCKET:
4545	netif_perm = NETIF__DCCP_SEND;
4546	node_perm = NODE__DCCP_SEND;
4547	send_perm = DCCP_SOCKET__SEND_MSG;
4548	break;
4549	default:
4550	netif_perm = NETIF__RAWIP_SEND;
4551	node_perm = NODE__RAWIP_SEND;
4552	send_perm = 0;
4553	break;
4554	}
4555
4556	err = sel_netif_sid(ifindex, &if_sid);
4557	if (err)
4558	return err;
4559	err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4560	return err;
4561
4562	err = sel_netnode_sid(addrp, family, &node_sid);
4563	if (err)
4564	return err;
4565	err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4566	if (err)
4567	return err;
4568
4569	if (send_perm != 0)
4570	return 0;
4571
4572	err = sel_netport_sid(sk->sk_protocol,
4573	ntohs(ad->u.net.dport), &port_sid);
4574	if (unlikely(err)) {
4575	printk(KERN_WARNING
4576	"SELinux: failure in"
4577	" selinux_ip_postroute_iptables_compat(),"
4578	" network port label not found\n");
4579	return err;
4580	}
4581	return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4582	}
4583
4584	static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,	4450	static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4585	int ifindex,	4451	int ifindex,
4586	u16 family)	4452	u16 family)
@@ -4601,15 +4467,10 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4601	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))	4467	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4602	return NF_DROP;	4468	return NF_DROP;
4603		4469
4604	if (selinux_compat_net) {	4470	if (selinux_secmark_enabled())
4605	if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4606	&ad, family, addrp))
4607	return NF_DROP;
4608	} else if (selinux_secmark_enabled()) {
4609	if (avc_has_perm(sksec->sid, skb->secmark,	4471	if (avc_has_perm(sksec->sid, skb->secmark,
4610	SECCLASS_PACKET, PACKET__SEND, &ad))	4472	SECCLASS_PACKET, PACKET__SEND, &ad))
4611	return NF_DROP;	4473	return NF_DROP;
4612	}
4613		4474
4614	if (selinux_policycap_netpeer)	4475	if (selinux_policycap_netpeer)
4615	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))	4476	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
@@ -4633,7 +4494,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4633	* to the selinux_ip_postroute_compat() function to deal with the	4494	* to the selinux_ip_postroute_compat() function to deal with the
4634	* special handling. We do this in an attempt to keep this function	4495	* special handling. We do this in an attempt to keep this function
4635	* as fast and as clean as possible. */	4496	* as fast and as clean as possible. */
4636	if (selinux_compat_net \|\| !selinux_policycap_netpeer)	4497	if (!selinux_policycap_netpeer)
4637	return selinux_ip_postroute_compat(skb, ifindex, family);	4498	return selinux_ip_postroute_compat(skb, ifindex, family);
4638	#ifdef CONFIG_XFRM	4499	#ifdef CONFIG_XFRM
4639	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec	4500	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec


diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index d3c8b982cfb0..2d5136ec3d54 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c
@@ -47,8 +47,6 @@ static char *policycap_names[] = {
47		47
48	unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;	48	unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
49		49
50	int selinux_compat_net = 0;
51
52	static int __init checkreqprot_setup(char *str)	50	static int __init checkreqprot_setup(char *str)
53	{	51	{
54	unsigned long checkreqprot;	52	unsigned long checkreqprot;
@@ -58,16 +56,6 @@ static int __init checkreqprot_setup(char *str)
58	}	56	}
59	__setup("checkreqprot=", checkreqprot_setup);	57	__setup("checkreqprot=", checkreqprot_setup);
60		58
61	static int __init selinux_compat_net_setup(char *str)
62	{
63	unsigned long compat_net;
64	if (!strict_strtoul(str, 0, &compat_net))
65	selinux_compat_net = compat_net ? 1 : 0;
66	return 1;
67	}
68	__setup("selinux_compat_net=", selinux_compat_net_setup);
69
70
71	static DEFINE_MUTEX(sel_mutex);	59	static DEFINE_MUTEX(sel_mutex);
72		60
73	/* global data for booleans */	61	/* global data for booleans */
@@ -450,61 +438,6 @@ static const struct file_operations sel_checkreqprot_ops = {
450	.write = sel_write_checkreqprot,	438	.write = sel_write_checkreqprot,
451	};	439	};
452		440
453	static ssize_t sel_read_compat_net(struct file filp, char __user buf,
454	size_t count, loff_t *ppos)
455	{
456	char tmpbuf[TMPBUFLEN];
457	ssize_t length;
458
459	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net);
460	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
461	}
462
463	static ssize_t sel_write_compat_net(struct file file, const char __user buf,
464	size_t count, loff_t *ppos)
465	{
466	char *page;
467	ssize_t length;
468	int new_value;
469
470	length = task_has_security(current, SECURITY__LOAD_POLICY);
471	if (length)
472	return length;
473
474	if (count >= PAGE_SIZE)
475	return -ENOMEM;
476	if (*ppos != 0) {
477	/* No partial writes. */
478	return -EINVAL;
479	}
480	page = (char *)get_zeroed_page(GFP_KERNEL);
481	if (!page)
482	return -ENOMEM;
483	length = -EFAULT;
484	if (copy_from_user(page, buf, count))
485	goto out;
486
487	length = -EINVAL;
488	if (sscanf(page, "%d", &new_value) != 1)
489	goto out;
490
491	if (new_value) {
492	printk(KERN_NOTICE
493	"SELinux: compat_net is deprecated, please use secmark"
494	" instead\n");
495	selinux_compat_net = 1;
496	} else
497	selinux_compat_net = 0;
498	length = count;
499	out:
500	free_page((unsigned long) page);
501	return length;
502	}
503	static const struct file_operations sel_compat_net_ops = {
504	.read = sel_read_compat_net,
505	.write = sel_write_compat_net,
506	};
507
508	/*	441	/*
509	* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c	442	* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
510	*/	443	*/
@@ -1665,7 +1598,6 @@ static int sel_fill_super(struct super_block sb, void data, int silent)
1665	[SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},	1598	[SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
1666	[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO\|S_IWUGO},	1599	[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO\|S_IWUGO},
1667	[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO\|S_IWUSR},	1600	[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO\|S_IWUSR},
1668	[SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO\|S_IWUSR},
1669	[SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},	1601	[SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
1670	[SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},	1602	[SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
1671	/* last one */ {""}	1603	/* last one */ {""}