| -rw-r--r-- | security/smack/smack_lsm.c | 16 |
1 files changed, 16 insertions, 0 deletions
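--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3818,6 +3818,18 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
 }
 #endif /* CONFIG_IPV6 */
 
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+/*
+* If there is a secmark use it rather than the CIPSO label.
+* If there is no secmark fall back to CIPSO.
+* The secmark is assumed to reflect policy better.
+*/
+if (skb && skb->secmark != 0) {
+skp = smack_from_secid(skb->secmark);
+goto access_check;
+}
+#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
+
 netlbl_secattr_init(&secattr);
 rc = netlbl_skbuff_getattr(skb, family, &secattr);
 if (rc == 0)
@@ -3826,6 +3838,10 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
 skp = &smack_known_huh;
 netlbl_secattr_destroy(&secattr);
 
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+access_check:
+#endif
+
 #ifdef CONFIG_AUDIT
 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
 ad.a.u.net->family = family;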
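Review bot: In the first hunk the label returned by `smack_from_secid(skb->secmark)` is carried straight to `access_check` with no validation, while the CIPSO path visibly falls back to `&smack_known_huh` when no label can be derived from the packet. `smack_from_secid` is defined outside this hunk, so it should be confirmed what it returns for a secmark that maps to no known Smack label, and the comment should say so, e.g. `* A secmark with no matching Smack label is checked as <label smack_from_secid returns>, not via CIPSO.` The `skb &&` test also looks inconsistent: `netlbl_skbuff_getattr(skb, family, &secattr)` just below receives the same pointer unchecked, so either the test is redundant or the fall-through path needs one as well. The body of `smack_inet_conn_request` starts and ends outside both hunks, so any later use of `skp` (presumably including the label saved for the peer) now takes the secmark-derived value and is worth re-reading.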
