-rw-r--r--security/selinux/hooks.c32
1 files changed, 12 insertions, 20 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 190fd0ffb13e..2d94a406574e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3671,6 +3671,12 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3671} 3671}
3672 3672
3673/* socket security operations */ 3673/* socket security operations */
3674
3675static u32 socket_sockcreate_sid(const struct task_security_struct *tsec)
3676{
3677 return tsec->sockcreate_sid ? : tsec->sid;
3678}
3679
3674static int socket_has_perm(struct task_struct *task, struct socket *sock, 3680static int socket_has_perm(struct task_struct *task, struct socket *sock,
3675 u32 perms) 3681 u32 perms)
3676{ 3682{
@@ -3698,21 +3704,15 @@ static int selinux_socket_create(int family, int type,
3698{ 3704{
3699 const struct cred *cred = current_cred(); 3705 const struct cred *cred = current_cred();
3700 const struct task_security_struct *tsec = cred->security; 3706 const struct task_security_struct *tsec = cred->security;
3701 u32 sid, newsid; 3707 u32 newsid;
3702 u16 secclass; 3708 u16 secclass;
3703 int err = 0;
3704 3709
3705 if (kern) 3710 if (kern)
3706 goto out; 3711 return 0;
3707
3708 sid = tsec->sid;
3709 newsid = tsec->sockcreate_sid ?: sid;
3710 3712
3713 newsid = socket_sockcreate_sid(tsec);
3711 secclass = socket_type_to_security_class(family, type, protocol); 3714 secclass = socket_type_to_security_class(family, type, protocol);
3712 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL); 3715 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3713
3714out:
3715 return err;
3716} 3716}
3717 3717
3718static int selinux_socket_post_create(struct socket *sock, int family, 3718static int selinux_socket_post_create(struct socket *sock, int family,
@@ -3720,22 +3720,14 @@ static int selinux_socket_post_create(struct socket *sock, int family,
3720{ 3720{
3721 const struct cred *cred = current_cred(); 3721 const struct cred *cred = current_cred();
3722 const struct task_security_struct *tsec = cred->security; 3722 const struct task_security_struct *tsec = cred->security;
3723 struct inode_security_struct *isec; 3723 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3724 struct sk_security_struct *sksec; 3724 struct sk_security_struct *sksec;
3725 u32 sid, newsid;
3726 int err = 0; 3725 int err = 0;
3727 3726
3728 sid = tsec->sid;
3729 newsid = tsec->sockcreate_sid;
3730
3731 isec = SOCK_INODE(sock)->i_security;
3732
3733 if (kern) 3727 if (kern)
3734 isec->sid = SECINITSID_KERNEL; 3728 isec->sid = SECINITSID_KERNEL;
3735 else if (newsid)
3736 isec->sid = newsid;
3737 else 3729 else
3738 isec->sid = sid; 3730 isec->sid = socket_sockcreate_sid(tsec);
3739 3731
3740 isec->sclass = socket_type_to_security_class(family, type, protocol); 3732 isec->sclass = socket_type_to_security_class(family, type, protocol);
3741 isec->initialized = 1; 3733 isec->initialized = 1;