-rw-r--r--security/selinux/Makefile1
-rw-r--r--security/selinux/hooks.c20
-rw-r--r--security/selinux/include/objsec.h6
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/ss/services.c8
5 files changed, 17 insertions, 21 deletions
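--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -11,6 +11,7 @@ selinux-y := avc.o \
 	nlmsgtab.o \
 	netif.o \
 	netnode.o \
+	netport.o \
 	exports.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o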
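--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -80,6 +80,7 @@
 #include "objsec.h"
 #include "netif.h"
 #include "netnode.h"
+#include "netport.h"
 #include "xfrm.h"
 #include "netlabel.h"
 
@@ -3670,10 +3671,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 	inet_get_local_port_range(&low, &high);
 
 	if (snum < max(PROT_SOCK, low) || snum > high) {
-		err = security_port_sid(sk->sk_family,
-					sk->sk_type,
-					sk->sk_protocol, snum,
-					&sid);
+		err = sel_netport_sid(sk->sk_protocol,
+				      snum, &sid);
 		if (err)
 			goto out;
 		AVC_AUDIT_DATA_INIT(&ad,NET);
@@ -3761,8 +3760,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
 		snum = ntohs(addr6->sin6_port);
 	}
 
-	err = security_port_sid(sk->sk_family, sk->sk_type,
-				sk->sk_protocol, snum, &sid);
+	err = sel_netport_sid(sk->sk_protocol, snum, &sid);
 	if (err)
 		goto out;
 
@@ -3993,9 +3991,8 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 
 	if (!recv_perm)
 		return 0;
-	err = security_port_sid(sk->sk_family, sk->sk_type,
-				sk->sk_protocol, ntohs(ad->u.net.sport),
-				&port_sid);
+	err = sel_netport_sid(sk->sk_protocol,
+			      ntohs(ad->u.net.sport), &port_sid);
 	if (unlikely(err)) {
 		printk(KERN_WARNING
 		       "SELinux: failure in"
@@ -4416,9 +4413,8 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
 	if (send_perm != 0)
 		return 0;
 
-	err = security_port_sid(sk->sk_family, sk->sk_type,
-				sk->sk_protocol, ntohs(ad->u.net.dport),
-				&port_sid);
+	err = sel_netport_sid(sk->sk_protocol,
+			      ntohs(ad->u.net.dport), &port_sid);
 	if (unlikely(err)) {
 		printk(KERN_WARNING
 		       "SELinux: failure in"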
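Review bot: The new call `err = sel_netport_sid(sk->sk_protocol, ntohs(ad->u.net.sport), &port_sid);` in selinux_sock_rcv_skb_iptables_compat sits on the packet receive path, which may run in softirq context, yet the cache behind sel_netport_sid is not part of this diff, so neither its locking nor its behaviour across a policy reload can be checked here. If that cache takes a non-bh-safe lock or can sleep, the receive path will deadlock or splat; and if cached SIDs are not invalidated when a new policy is loaded, the bind, connect and both iptables-compat hunks would keep enforcing against stale port labels, which is a silent policy bypass rather than a crash. Please confirm sel_netport_sid uses bh/RCU-safe locking and registers a policy-reload callback, and add a one-line comment at the first call site, e.g. `/* cached lookup; netport cache is flushed on policy reload */`, once that is verified. All four enclosing functions start and end outside these hunks.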
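--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -103,6 +103,12 @@ struct netnode_security_struct {
 	u16 family;			/* address family */
 };
 
+struct netport_security_struct {
+	u32 sid;			/* SID for this node */
+	u16 port;			/* port number */
+	u8 protocol;			/* transport protocol */
+};
+
 struct sk_security_struct {
 	u32 sid;			/* SID of this object */
 	u32 peer_sid;			/* SID of peer */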
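Review bot: The comment on the `sid` member of the new `struct netport_security_struct` says `/* SID for this node */`, which is carried over from `netnode_security_struct` directly above it; the object labelled here is a port, so it should read `u32 sid; /* SID for this port */`. It would also help readers to state the lookup key above the struct, e.g. `/* Security state cached for a (protocol, port) pair */`, since the new sel_netport_sid callers in hooks.c pass exactly those two values and no longer pass the address family or socket type.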
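--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -102,8 +102,7 @@ int security_context_to_sid_default(char *scontext, u32 scontext_len,
 int security_get_user_sids(u32 callsid, char *username,
 			   u32 **sids, u32 *nel);
 
-int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port,
-		      u32 *out_sid);
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
 
 int security_netif_sid(char *name, u32 *if_sid);
 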
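--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1472,17 +1472,11 @@ err:
 
 /**
  * security_port_sid - Obtain the SID for a port.
- * @domain: communication domain aka address family
- * @type: socket type
  * @protocol: protocol number
  * @port: port number
  * @out_sid: security identifier
  */
-int security_port_sid(u16 domain,
-		      u16 type,
-		      u8 protocol,
-		      u16 port,
-		      u32 *out_sid)
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
 {
 	struct ocontext *c;
 	int rc = 0;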
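Review bot: The kernel-doc for security_port_sid is trimmed in this hunk but still says nothing about the return value or what `@out_sid` receives when no port ocontext matches, and since the body continues past the hunk I cannot confirm the fallback from here. I would add `* Return: 0 on success with *@out_sid set, negative errno on failure.` after the `@out_sid` line and mark the parameter as an output, `@out_sid: security identifier (output)`. A short description sentence that the lookup is keyed on protocol and port only would also be worth having, since callers previously supplied the address family and socket type and the new prototype makes explicit that they are not consulted.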