1 files changed, 55 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 8e3dc6c51a6d..bb4c80fdfe7a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -90,6 +90,7 @@ extern int cap_netlink_recv(struct sk_buff *skb, int cap);
 struct nfsctl_arg;
 struct sched_param;
 struct swap_info_struct;
+struct request_sock;
 /* bprm_apply_creds unsafe reasons */
 #define LSM_UNSAFE_SHARE        1
@@ -819,6 +820,14 @@ struct swap_info_struct;
 * @sk_getsecid:
 *      Retrieve the LSM-specific secid for the sock to enable caching of network
 *      authorizations.
+ * @sock_graft:
+ *      Sets the socket's isec sid to the sock's sid.
+ * @inet_conn_request:
+ *      Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
+ * @inet_csk_clone:
+ *      Sets the new child socket's sid to the openreq sid.
+ * @req_classify_flow:
+ *      Sets the flow's sid to the openreq sid.
 *
 * Security hooks for XFRM operations.
 *
@@ -1358,6 +1367,11 @@ struct security_operations {
        void (*sk_free_security) (struct sock *sk);
        void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
        void (*sk_getsecid) (struct sock *sk, u32 *secid);
+        void (*sock_graft)(struct sock* sk, struct socket *parent);
+        int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
+                                        struct request_sock *req);
+        void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
+        void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2926,6 +2940,28 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
        security_ops->sk_getsecid(sk, &fl->secid);
 }
+static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+{
+        security_ops->req_classify_flow(req, fl);
+}
+static inline void security_sock_graft(struct sock* sk, struct socket *parent)
+{
+        security_ops->sock_graft(sk, parent);
+}
+static inline int security_inet_conn_request(struct sock *sk,
+                        struct sk_buff *skb, struct request_sock *req)
+{
+        return security_ops->inet_conn_request(sk, skb, req);
+}
+static inline void security_inet_csk_clone(struct sock *newsk,
+                        const struct request_sock *req)
+{
+        security_ops->inet_csk_clone(newsk, req);
+}
 #else   /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct socket * sock,
                                               struct socket * other, 
@@ -3055,6 +3091,25 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
 static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
 }
+static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+{
+}
+static inline void security_sock_graft(struct sock* sk, struct socket *parent)
+{
+}
+static inline int security_inet_conn_request(struct sock *sk,
+                        struct sk_buff *skb, struct request_sock *req)
+{
+        return 0;
+}
+static inline void security_inet_csk_clone(struct sock *newsk,
+                        const struct request_sock *req)
+{
+}
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM

diff --git a/include/linux/security.h b/include/linux/security.h index 8e3dc6c51a6d..bb4c80fdfe7a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -90,6 +90,7 @@ extern int cap_netlink_recv(struct sk_buff *skb, int cap);
90	struct nfsctl_arg;	90	struct nfsctl_arg;
91	struct sched_param;	91	struct sched_param;
92	struct swap_info_struct;	92	struct swap_info_struct;
		93	struct request_sock;
93		94
94	/* bprm_apply_creds unsafe reasons */	95	/* bprm_apply_creds unsafe reasons */
95	#define LSM_UNSAFE_SHARE 1	96	#define LSM_UNSAFE_SHARE 1
@@ -819,6 +820,14 @@ struct swap_info_struct;
819	* @sk_getsecid:	820	* @sk_getsecid:
820	* Retrieve the LSM-specific secid for the sock to enable caching of network	821	* Retrieve the LSM-specific secid for the sock to enable caching of network
821	* authorizations.	822	* authorizations.
		823	* @sock_graft:
		824	* Sets the socket's isec sid to the sock's sid.
		825	* @inet_conn_request:
		826	* Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
		827	* @inet_csk_clone:
		828	* Sets the new child socket's sid to the openreq sid.
		829	* @req_classify_flow:
		830	* Sets the flow's sid to the openreq sid.
822	*	831	*
823	* Security hooks for XFRM operations.	832	* Security hooks for XFRM operations.
824	*	833	*
@@ -1358,6 +1367,11 @@ struct security_operations {
1358	void (sk_free_security) (struct sock sk);	1367	void (sk_free_security) (struct sock sk);
1359	void (sk_clone_security) (const struct sock sk, struct sock *newsk);	1368	void (sk_clone_security) (const struct sock sk, struct sock *newsk);
1360	void (sk_getsecid) (struct sock sk, u32 *secid);	1369	void (sk_getsecid) (struct sock sk, u32 *secid);
		1370	void (sock_graft)(struct sock sk, struct socket *parent);
		1371	int (inet_conn_request)(struct sock sk, struct sk_buff *skb,
		1372	struct request_sock *req);
		1373	void (inet_csk_clone)(struct sock newsk, const struct request_sock *req);
		1374	void (req_classify_flow)(const struct request_sock req, struct flowi *fl);
1361	#endif /* CONFIG_SECURITY_NETWORK */	1375	#endif /* CONFIG_SECURITY_NETWORK */
1362		1376
1363	#ifdef CONFIG_SECURITY_NETWORK_XFRM	1377	#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2926,6 +2940,28 @@ static inline void security_sk_classify_flow(struct sock sk, struct flowi fl)
2926	{	2940	{
2927	security_ops->sk_getsecid(sk, &fl->secid);	2941	security_ops->sk_getsecid(sk, &fl->secid);
2928	}	2942	}
		2943
		2944	static inline void security_req_classify_flow(const struct request_sock req, struct flowi fl)
		2945	{
		2946	security_ops->req_classify_flow(req, fl);
		2947	}
		2948
		2949	static inline void security_sock_graft(struct sock* sk, struct socket *parent)
		2950	{
		2951	security_ops->sock_graft(sk, parent);
		2952	}
		2953
		2954	static inline int security_inet_conn_request(struct sock *sk,
		2955	struct sk_buff skb, struct request_sock req)
		2956	{
		2957	return security_ops->inet_conn_request(sk, skb, req);
		2958	}
		2959
		2960	static inline void security_inet_csk_clone(struct sock *newsk,
		2961	const struct request_sock *req)
		2962	{
		2963	security_ops->inet_csk_clone(newsk, req);
		2964	}
2929	#else /* CONFIG_SECURITY_NETWORK */	2965	#else /* CONFIG_SECURITY_NETWORK */
2930	static inline int security_unix_stream_connect(struct socket * sock,	2966	static inline int security_unix_stream_connect(struct socket * sock,
2931	struct socket * other,	2967	struct socket * other,
@@ -3055,6 +3091,25 @@ static inline void security_sk_clone(const struct sock sk, struct sock newsk)
3055	static inline void security_sk_classify_flow(struct sock sk, struct flowi fl)	3091	static inline void security_sk_classify_flow(struct sock sk, struct flowi fl)
3056	{	3092	{
3057	}	3093	}
		3094
		3095	static inline void security_req_classify_flow(const struct request_sock req, struct flowi fl)
		3096	{
		3097	}
		3098
		3099	static inline void security_sock_graft(struct sock* sk, struct socket *parent)
		3100	{
		3101	}
		3102
		3103	static inline int security_inet_conn_request(struct sock *sk,
		3104	struct sk_buff skb, struct request_sock req)
		3105	{
		3106	return 0;
		3107	}
		3108
		3109	static inline void security_inet_csk_clone(struct sock *newsk,
		3110	const struct request_sock *req)
		3111	{
		3112	}
3058	#endif /* CONFIG_SECURITY_NETWORK */	3113	#endif /* CONFIG_SECURITY_NETWORK */
3059		3114
3060	#ifdef CONFIG_SECURITY_NETWORK_XFRM	3115	#ifdef CONFIG_SECURITY_NETWORK_XFRM