Diffstat (limited to 'include')
-rw-r--r-- | include/linux/security.h | 55 | ||||
-rw-r--r-- | include/net/request_sock.h | 1 | ||||
-rw-r--r-- | include/net/sock.h | 1 |
3 files changed, 57 insertions, 0 deletions
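--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -90,6 +90,7 @@ extern int cap_netlink_recv(struct sk_buff *skb, int cap);
 struct nfsctl_arg;
 struct sched_param;
 struct swap_info_struct;
+struct request_sock;
 
 /* bprm_apply_creds unsafe reasons */
 #define LSM_UNSAFE_SHARE 1
@@ -819,6 +820,14 @@ struct swap_info_struct;
 * @sk_getsecid:
 * Retrieve the LSM-specific secid for the sock to enable caching of network
 * authorizations.
+* @sock_graft:
+* Sets the socket's isec sid to the sock's sid.
+* @inet_conn_request:
+* Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
+* @inet_csk_clone:
+* Sets the new child socket's sid to the openreq sid.
+* @req_classify_flow:
+* Sets the flow's sid to the openreq sid.
 *
 * Security hooks for XFRM operations.
 *
@@ -1358,6 +1367,11 @@ struct security_operations {
 void (*sk_free_security) (struct sock *sk);
 void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
 void (*sk_getsecid) (struct sock *sk, u32 *secid);
+void (*sock_graft)(struct sock* sk, struct socket *parent);
+int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
+struct request_sock *req);
+void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
+void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2926,6 +2940,28 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
 security_ops->sk_getsecid(sk, &fl->secid);
 }
+
+static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+{
+security_ops->req_classify_flow(req, fl);
+}
+
+static inline void security_sock_graft(struct sock* sk, struct socket *parent)
+{
+security_ops->sock_graft(sk, parent);
+}
+
+static inline int security_inet_conn_request(struct sock *sk,
+struct sk_buff *skb, struct request_sock *req)
+{
+return security_ops->inet_conn_request(sk, skb, req);
+}
+
+static inline void security_inet_csk_clone(struct sock *newsk,
+const struct request_sock *req)
+{
+security_ops->inet_csk_clone(newsk, req);
+}
 #else /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct socket * sock,
 struct socket * other,
@@ -3055,6 +3091,25 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
 static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
 }
+
+static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+{
+}
+
+static inline void security_sock_graft(struct sock* sk, struct socket *parent)
+{
+}
+
+static inline int security_inet_conn_request(struct sock *sk,
+struct sk_buff *skb, struct request_sock *req)
+{
+return 0;
+}
+
+static inline void security_inet_csk_clone(struct sock *newsk,
+const struct request_sock *req)
+{
+}
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM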
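Review bot: The new `inet_conn_request` hook returns an int, but neither the `@inet_conn_request` description nor the `security_inet_conn_request()` wrapper says what a non-zero return means to the caller; the only hint is the `!CONFIG_SECURITY_NETWORK` stub returning 0, so 0 is evidently "proceed" and presumably anything else makes the caller drop the request, which should be stated rather than inferred. The four new descriptions also document one module's implementation ("isec sid", "MLS portion taken from peer sid") instead of the generic LSM contract that the neighbouring `@sk_getsecid` entry gives, so a reword along the lines of `* Called for an incoming connection request; allows the LSM to label @req from @sk and @skb.` / `* Return 0 to accept the request, non-zero to have it discarded.` (with the other three stated as "set the security attributes of the new sock / flow from @req") would serve every LSM, not just the one that motivated the change. Separately, the three `struct sock* sk` parameters should be `struct sock *sk` to match the rest of this file.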
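--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -53,6 +53,7 @@ struct request_sock {
 unsigned long expires;
 struct request_sock_ops *rsk_ops;
 struct sock *sk;
+u32 secid;
 };
 
 static inline struct request_sock *reqsk_alloc(struct request_sock_ops *ops)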
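Review bot: The new `secid` field carries no comment saying who writes it or when it is valid, and from the security.h side of this commit the answer is "only the LSM, in `inet_conn_request`", while the `!CONFIG_SECURITY_NETWORK` stubs never touch it at all, so its contents depend on whether `reqsk_alloc` (whose body is outside the hunk) zeroes the struct. I would document the ownership inline, e.g. `u32 secid; /* LSM security id, set by security_inet_conn_request(); undefined before that */`, so that nobody later reads it as a kernel-maintained value. If the allocation is not zeroed, it is worth confirming that no consumer reads `secid` on a request for which the hook was skipped or failed.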
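--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -969,6 +969,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
 sk->sk_sleep = &parent->wait;
 parent->sk = sk;
 sk->sk_socket = parent;
+security_sock_graft(sk, parent);
 write_unlock_bh(&sk->sk_callback_lock);
 }
 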
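Review bot: `security_sock_graft()` is called inside the `sk->sk_callback_lock` write-side critical section (the `write_unlock_bh` is the very next line; the matching lock is presumably taken above the hunk), so every LSM implementation of `sock_graft` runs with bottom halves disabled and must not sleep, allocate with a sleeping flag, or take a lock that is ever held across BH context. That constraint is not visible from the hook description added to security.h, so the place the hook is documented should say `* Called with sk->sk_callback_lock held for write and BHs disabled; must not sleep.` If no LSM needs its update to be atomic with the `sk`/`parent` binding, moving the call after the unlock would remove the constraint altogether, but that is a design question for the hook authors. `sock_graft` begins outside the hunk.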