1 files changed, 37 insertions, 8 deletions
diff --git a/include/linux/selinux.h b/include/linux/selinux.h
index 6080f73fc85f..8c2cc4c02526 100644
--- a/include/linux/selinux.h
+++ b/include/linux/selinux.h
@@ -120,16 +120,35 @@ void selinux_get_task_sid(struct task_struct *tsk, u32 *sid);
 int selinux_string_to_sid(char *str, u32 *sid);
 /**
- *     selinux_relabel_packet_permission - check permission to relabel a packet
+ *     selinux_secmark_relabel_packet_permission - secmark permission check
- *     @sid: ID value to be applied to network packet (via SECMARK, most likely)
+ *     @sid: SECMARK ID value to be applied to network packet
 *
- *     Returns 0 if the current task is allowed to label packets with the
+ *     Returns 0 if the current task is allowed to set the SECMARK label of
- *     supplied security ID.  Note that it is implicit that the packet is always
+ *     packets with the supplied security ID.  Note that it is implicit that
- *     being relabeled from the default unlabled value, and that the access
+ *     the packet is always being relabeled from the default unlabeled value,
- *     control decision is made in the AVC.
+ *     and that the access control decision is made in the AVC.
 */
-int selinux_relabel_packet_permission(u32 sid);
+int selinux_secmark_relabel_packet_permission(u32 sid);
+/**
+ *     selinux_secmark_refcount_inc - increments the secmark use counter
+ *
+ *     SELinux keeps track of the current SECMARK targets in use so it knows
+ *     when to apply SECMARK label access checks to network packets.  This
+ *     function incements this reference count to indicate that a new SECMARK
+ *     target has been configured.
+ */
+void selinux_secmark_refcount_inc(void);
+/**
+ *     selinux_secmark_refcount_dec - decrements the secmark use counter
+ *
+ *     SELinux keeps track of the current SECMARK targets in use so it knows
+ *     when to apply SECMARK label access checks to network packets.  This
+ *     function decements this reference count to indicate that one of the
+ *     existing SECMARK targets has been removed/flushed.
+ */
+void selinux_secmark_refcount_dec(void);
 #else
 static inline int selinux_audit_rule_init(u32 field, u32 op,
@@ -184,11 +203,21 @@ static inline int selinux_string_to_sid(const char *str, u32 *sid)
       return 0;
 }
-static inline int selinux_relabel_packet_permission(u32 sid)
+static inline int selinux_secmark_relabel_packet_permission(u32 sid)
 {
        return 0;
 }
+static inline void selinux_secmark_refcount_inc(void)
+{
+        return;
+}
+static inline void selinux_secmark_refcount_dec(void)
+{
+        return;
+}
 #endif  /* CONFIG_SECURITY_SELINUX */
 #endif /* _LINUX_SELINUX_H */

diff --git a/include/linux/selinux.h b/include/linux/selinux.h index 6080f73fc85f..8c2cc4c02526 100644 --- a/include/linux/selinux.h +++ b/include/linux/selinux.h
@@ -120,16 +120,35 @@ void selinux_get_task_sid(struct task_struct tsk, u32 sid);
120	int selinux_string_to_sid(char str, u32 sid);	120	int selinux_string_to_sid(char str, u32 sid);
121		121
122	/**	122	/**
123	* selinux_relabel_packet_permission - check permission to relabel a packet	123	* selinux_secmark_relabel_packet_permission - secmark permission check
124	* @sid: ID value to be applied to network packet (via SECMARK, most likely)	124	* @sid: SECMARK ID value to be applied to network packet
125	*	125	*
126	* Returns 0 if the current task is allowed to label packets with the	126	* Returns 0 if the current task is allowed to set the SECMARK label of
127	* supplied security ID. Note that it is implicit that the packet is always	127	* packets with the supplied security ID. Note that it is implicit that
128	* being relabeled from the default unlabled value, and that the access	128	* the packet is always being relabeled from the default unlabeled value,
129	* control decision is made in the AVC.	129	* and that the access control decision is made in the AVC.
130	*/	130	*/
131	int selinux_relabel_packet_permission(u32 sid);	131	int selinux_secmark_relabel_packet_permission(u32 sid);
132		132
		133	/**
		134	* selinux_secmark_refcount_inc - increments the secmark use counter
		135	*
		136	* SELinux keeps track of the current SECMARK targets in use so it knows
		137	* when to apply SECMARK label access checks to network packets. This
		138	* function incements this reference count to indicate that a new SECMARK
		139	* target has been configured.
		140	*/
		141	void selinux_secmark_refcount_inc(void);
		142
		143	/**
		144	* selinux_secmark_refcount_dec - decrements the secmark use counter
		145	*
		146	* SELinux keeps track of the current SECMARK targets in use so it knows
		147	* when to apply SECMARK label access checks to network packets. This
		148	* function decements this reference count to indicate that one of the
		149	* existing SECMARK targets has been removed/flushed.
		150	*/
		151	void selinux_secmark_refcount_dec(void);
133	#else	152	#else
134		153
135	static inline int selinux_audit_rule_init(u32 field, u32 op,	154	static inline int selinux_audit_rule_init(u32 field, u32 op,
@@ -184,11 +203,21 @@ static inline int selinux_string_to_sid(const char str, u32 sid)
184	return 0;	203	return 0;
185	}	204	}
186		205
187	static inline int selinux_relabel_packet_permission(u32 sid)	206	static inline int selinux_secmark_relabel_packet_permission(u32 sid)
188	{	207	{
189	return 0;	208	return 0;
190	}	209	}
191		210
		211	static inline void selinux_secmark_refcount_inc(void)
		212	{
		213	return;
		214	}
		215
		216	static inline void selinux_secmark_refcount_dec(void)
		217	{
		218	return;
		219	}
		220
192	#endif /* CONFIG_SECURITY_SELINUX */	221	#endif /* CONFIG_SECURITY_SELINUX */
193		222
194	#endif /* _LINUX_SELINUX_H */	223	#endif /* _LINUX_SELINUX_H */