aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/linux/security.h8
-rw-r--r--net/ipv4/tcp_output.c1
-rw-r--r--security/capability.c6
-rw-r--r--security/security.c5
-rw-r--r--security/selinux/hooks.c7
5 files changed, 27 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index eee7478cda70..6c3a78ace051 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1638,6 +1638,7 @@ struct security_operations {
1638 int (*tun_dev_attach_queue) (void *security); 1638 int (*tun_dev_attach_queue) (void *security);
1639 int (*tun_dev_attach) (struct sock *sk, void *security); 1639 int (*tun_dev_attach) (struct sock *sk, void *security);
1640 int (*tun_dev_open) (void *security); 1640 int (*tun_dev_open) (void *security);
1641 void (*skb_owned_by) (struct sk_buff *skb, struct sock *sk);
1641#endif /* CONFIG_SECURITY_NETWORK */ 1642#endif /* CONFIG_SECURITY_NETWORK */
1642 1643
1643#ifdef CONFIG_SECURITY_NETWORK_XFRM 1644#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2588,6 +2589,8 @@ int security_tun_dev_attach_queue(void *security);
2588int security_tun_dev_attach(struct sock *sk, void *security); 2589int security_tun_dev_attach(struct sock *sk, void *security);
2589int security_tun_dev_open(void *security); 2590int security_tun_dev_open(void *security);
2590 2591
2592void security_skb_owned_by(struct sk_buff *skb, struct sock *sk);
2593
2591#else /* CONFIG_SECURITY_NETWORK */ 2594#else /* CONFIG_SECURITY_NETWORK */
2592static inline int security_unix_stream_connect(struct sock *sock, 2595static inline int security_unix_stream_connect(struct sock *sock,
2593 struct sock *other, 2596 struct sock *other,
@@ -2779,6 +2782,11 @@ static inline int security_tun_dev_open(void *security)
2779{ 2782{
2780 return 0; 2783 return 0;
2781} 2784}
2785
2786static inline void security_skb_owned_by(struct sk_buff *skb, struct sock *sk)
2787{
2788}
2789
2782#endif /* CONFIG_SECURITY_NETWORK */ 2790#endif /* CONFIG_SECURITY_NETWORK */
2783 2791
2784#ifdef CONFIG_SECURITY_NETWORK_XFRM 2792#ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 5d0b4387cba6..b44cf81d8178 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2709,6 +2709,7 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
2709 skb_reserve(skb, MAX_TCP_HEADER); 2709 skb_reserve(skb, MAX_TCP_HEADER);
2710 2710
2711 skb_dst_set(skb, dst); 2711 skb_dst_set(skb, dst);
2712 security_skb_owned_by(skb, sk);
2712 2713
2713 mss = dst_metric_advmss(dst); 2714 mss = dst_metric_advmss(dst);
2714 if (tp->rx_opt.user_mss && tp->rx_opt.user_mss < mss) 2715 if (tp->rx_opt.user_mss && tp->rx_opt.user_mss < mss)
diff --git a/security/capability.c b/security/capability.c
index 579775088967..6783c3e6c88e 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -737,6 +737,11 @@ static int cap_tun_dev_open(void *security)
737{ 737{
738 return 0; 738 return 0;
739} 739}
740
741static void cap_skb_owned_by(struct sk_buff *skb, struct sock *sk)
742{
743}
744
740#endif /* CONFIG_SECURITY_NETWORK */ 745#endif /* CONFIG_SECURITY_NETWORK */
741 746
742#ifdef CONFIG_SECURITY_NETWORK_XFRM 747#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1071,6 +1076,7 @@ void __init security_fixup_ops(struct security_operations *ops)
1071 set_to_cap_if_null(ops, tun_dev_open); 1076 set_to_cap_if_null(ops, tun_dev_open);
1072 set_to_cap_if_null(ops, tun_dev_attach_queue); 1077 set_to_cap_if_null(ops, tun_dev_attach_queue);
1073 set_to_cap_if_null(ops, tun_dev_attach); 1078 set_to_cap_if_null(ops, tun_dev_attach);
1079 set_to_cap_if_null(ops, skb_owned_by);
1074#endif /* CONFIG_SECURITY_NETWORK */ 1080#endif /* CONFIG_SECURITY_NETWORK */
1075#ifdef CONFIG_SECURITY_NETWORK_XFRM 1081#ifdef CONFIG_SECURITY_NETWORK_XFRM
1076 set_to_cap_if_null(ops, xfrm_policy_alloc_security); 1082 set_to_cap_if_null(ops, xfrm_policy_alloc_security);
diff --git a/security/security.c b/security/security.c
index 7b88c6aeaed4..03f248b84e9f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1290,6 +1290,11 @@ int security_tun_dev_open(void *security)
1290} 1290}
1291EXPORT_SYMBOL(security_tun_dev_open); 1291EXPORT_SYMBOL(security_tun_dev_open);
1292 1292
1293void security_skb_owned_by(struct sk_buff *skb, struct sock *sk)
1294{
1295 security_ops->skb_owned_by(skb, sk);
1296}
1297
1293#endif /* CONFIG_SECURITY_NETWORK */ 1298#endif /* CONFIG_SECURITY_NETWORK */
1294 1299
1295#ifdef CONFIG_SECURITY_NETWORK_XFRM 1300#ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2fa28c88900c..7171a957b933 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -51,6 +51,7 @@
51#include <linux/tty.h> 51#include <linux/tty.h>
52#include <net/icmp.h> 52#include <net/icmp.h>
53#include <net/ip.h> /* for local_port_range[] */ 53#include <net/ip.h> /* for local_port_range[] */
54#include <net/sock.h>
54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55#include <net/net_namespace.h> 56#include <net/net_namespace.h>
56#include <net/netlabel.h> 57#include <net/netlabel.h>
@@ -4363,6 +4364,11 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4363 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4364 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4364} 4365}
4365 4366
4367static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4368{
4369 skb_set_owner_w(skb, sk);
4370}
4371
4366static int selinux_secmark_relabel_packet(u32 sid) 4372static int selinux_secmark_relabel_packet(u32 sid)
4367{ 4373{
4368 const struct task_security_struct *__tsec; 4374 const struct task_security_struct *__tsec;
@@ -5664,6 +5670,7 @@ static struct security_operations selinux_ops = {
5664 .tun_dev_attach_queue = selinux_tun_dev_attach_queue, 5670 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5665 .tun_dev_attach = selinux_tun_dev_attach, 5671 .tun_dev_attach = selinux_tun_dev_attach,
5666 .tun_dev_open = selinux_tun_dev_open, 5672 .tun_dev_open = selinux_tun_dev_open,
5673 .skb_owned_by = selinux_skb_owned_by,
5667 5674
5668#ifdef CONFIG_SECURITY_NETWORK_XFRM 5675#ifdef CONFIG_SECURITY_NETWORK_XFRM
5669 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5676 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-11 16:34:12 -0500