Diffstat (limited to 'include')
-rw-r--r--include/linux/security.h55
-rw-r--r--include/net/request_sock.h1
-rw-r--r--include/net/sock.h1
3 files changed, 57 insertions, 0 deletions
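diff --git a/include/linux/security.h b/include/linux/security.h
index 8e3dc6c51a6d..bb4c80fdfe7a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -90,6 +90,7 @@ extern int cap_netlink_recv(struct sk_buff *skb, int cap);
 struct nfsctl_arg;
 struct sched_param;
 struct swap_info_struct;
+struct request_sock;
 
 /* bprm_apply_creds unsafe reasons */
 #define LSM_UNSAFE_SHARE 1
@@ -819,6 +820,14 @@ struct swap_info_struct;
  * @sk_getsecid:
  * Retrieve the LSM-specific secid for the sock to enable caching of network
  * authorizations.
+ * @sock_graft:
+ * Sets the socket's isec sid to the sock's sid.
+ * @inet_conn_request:
+ * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
+ * @inet_csk_clone:
+ * Sets the new child socket's sid to the openreq sid.
+ * @req_classify_flow:
+ * Sets the flow's sid to the openreq sid.
  *
  * Security hooks for XFRM operations.
  *
@@ -1358,6 +1367,11 @@ struct security_operations {
  void (*sk_free_security) (struct sock *sk);
  void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
  void (*sk_getsecid) (struct sock *sk, u32 *secid);
+ void (*sock_graft)(struct sock* sk, struct socket *parent);
+ int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
+ struct request_sock *req);
+ void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
+ void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2926,6 +2940,28 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
  security_ops->sk_getsecid(sk, &fl->secid);
 }
+
+static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+{
+ security_ops->req_classify_flow(req, fl);
+}
+
+static inline void security_sock_graft(struct sock* sk, struct socket *parent)
+{
+ security_ops->sock_graft(sk, parent);
+}
+
+static inline int security_inet_conn_request(struct sock *sk,
+ struct sk_buff *skb, struct request_sock *req)
+{
+ return security_ops->inet_conn_request(sk, skb, req);
+}
+
+static inline void security_inet_csk_clone(struct sock *newsk,
+ const struct request_sock *req)
+{
+ security_ops->inet_csk_clone(newsk, req);
+}
 #else /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct socket * sock,
  struct socket * other,
@@ -3055,6 +3091,25 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
 static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
 }
+
+static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+{
+}
+
+static inline void security_sock_graft(struct sock* sk, struct socket *parent)
+{
+}
+
+static inline int security_inet_conn_request(struct sock *sk,
+ struct sk_buff *skb, struct request_sock *req)
+{
+ return 0;
+}
+
+static inline void security_inet_csk_clone(struct sock *newsk,
+ const struct request_sock *req)
+{
+}
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM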
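Review bot: The hook comment added for `inet_conn_request` describes only the label it sets and leaves out the parameters and the meaning of the int return value, even though it is the only one of the four new hooks that can fail and the !CONFIG_SECURITY_NETWORK stub returns 0. A caller cannot tell from this header that a non-zero result is meant to refuse the connection request (presumably it is; the callers are outside this diff), so I would extend the entry with `@sk`, `@skb` and `@req` lines and ` * Return 0 if permission is granted.`. The four wrappers also call through `security_ops` with no NULL check, so every registered module and the default operations table must fill in the new pointers; that code is not shown here because the diff is limited to include/. Minor style: `struct sock* sk` in the `sock_graft` member and in both `security_sock_graft` definitions should read `struct sock *sk`.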
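diff --git a/include/net/request_sock.h b/include/net/request_sock.h
index c5d7f920c352..8e165ca16bd8 100644
--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -53,6 +53,7 @@ struct request_sock {
  unsigned long expires;
  struct request_sock_ops *rsk_ops;
  struct sock *sk;
+ u32 secid;
 };
 
 static inline struct request_sock *reqsk_alloc(struct request_sock_ops *ops)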
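Review bot: The new `secid` member of struct request_sock carries a security label but has neither a comment nor any visible initialisation, so a request whose label is never set by an LSM hook could later be read with whatever value the allocator left in the object. `reqsk_alloc()` starts on the last context line and its body is outside the hunk, so whether it zeroes the allocation cannot be checked from here; if it does not, the field should be cleared there. I would at least document the member, e.g. `u32 secid; /* LSM secid for this connection request */`, and state in the hook documentation which hook is responsible for setting it.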
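diff --git a/include/net/sock.h b/include/net/sock.h
index 91cdceb3c028..337ebec84c70 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -969,6 +969,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
  sk->sk_sleep = &parent->wait;
  parent->sk = sk;
  sk->sk_socket = parent;
+ security_sock_graft(sk, parent);
  write_unlock_bh(&sk->sk_callback_lock);
 }
 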
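Review bot: `security_sock_graft()` is placed immediately before `write_unlock_bh(&sk->sk_callback_lock)`, so the LSM hook appears to run with that lock write-held and bottom halves disabled; the matching lock call is above the hunk, as is the start of `sock_graft()`. Nothing in this change tells a security-module author that a `sock_graft` implementation must not sleep or take `sk_callback_lock` itself. I would put a comment on the call, `/* LSM hook runs under sk_callback_lock: must not sleep */`, and repeat the constraint in the `@sock_graft` entry of the hook documentation in include/linux/security.h.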