5 files changed, 103 insertions, 33 deletions

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 244f7cb08d68..37f8adb68c79 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -11,6 +11,7 @@
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
 #include <linux/percpu.h>
+#include <linux/security.h>
 #include <net/net_namespace.h>
 
 #include <linux/netfilter.h>
@@ -87,6 +88,29 @@ static void ct_seq_stop(struct seq_file *s, void *v)
         rcu_read_unlock();
 }
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
+{
+        int ret;
+        u32 len;
+        char *secctx;
+
+        ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+        if (ret)
+                return ret;
+
+        ret = seq_printf(s, "secctx=%s ", secctx);
+
+        security_release_secctx(secctx, len);
+        return ret;
+}
+#else
+static inline int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
+{
+        return 0;
+}
+#endif
+
 static int ct_seq_show(struct seq_file *s, void *v)
 {
         struct nf_conntrack_tuple_hash *hash = v;
@@ -148,10 +172,8 @@ static int ct_seq_show(struct seq_file *s, void *v)
                 goto release;
 #endif
 
-#ifdef CONFIG_NF_CONNTRACK_SECMARK
-        if (seq_printf(s, "secmark=%u ", ct->secmark))
+        if (ct_show_secctx(s, ct))
                 goto release;
-#endif
 
         if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
                 goto release;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 5bae1cd15eea..146476c6441a 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -22,6 +22,7 @@
 #include <linux/rculist_nulls.h>
 #include <linux/types.h>
 #include <linux/timer.h>
+#include <linux/security.h>
 #include <linux/skbuff.h>
 #include <linux/errno.h>
 #include <linux/netlink.h>
@@ -245,16 +246,31 @@ nla_put_failure:
 
 #ifdef CONFIG_NF_CONNTRACK_SECMARK
 static inline int
-ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct)
+ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
 {
-        NLA_PUT_BE32(skb, CTA_SECMARK, htonl(ct->secmark));
-        return 0;
+        struct nlattr *nest_secctx;
+        int len, ret;
+        char *secctx;
+
+        ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+        if (ret)
+                return ret;
+
+        ret = -1;
+        nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED);
+        if (!nest_secctx)
+                goto nla_put_failure;
+
+        NLA_PUT_STRING(skb, CTA_SECCTX_NAME, secctx);
+        nla_nest_end(skb, nest_secctx);
 
+        ret = 0;
 nla_put_failure:
-        return -1;
+        security_release_secctx(secctx, len);
+        return ret;
 }
 #else
-#define ctnetlink_dump_secmark(a, b) (0)
+#define ctnetlink_dump_secctx(a, b) (0)
 #endif
 
 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
@@ -391,7 +407,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
             ctnetlink_dump_protoinfo(skb, ct) < 0 ||
             ctnetlink_dump_helpinfo(skb, ct) < 0 ||
             ctnetlink_dump_mark(skb, ct) < 0 ||
-            ctnetlink_dump_secmark(skb, ct) < 0 ||
+            ctnetlink_dump_secctx(skb, ct) < 0 ||
             ctnetlink_dump_id(skb, ct) < 0 ||
             ctnetlink_dump_use(skb, ct) < 0 ||
             ctnetlink_dump_master(skb, ct) < 0 ||
@@ -437,6 +453,17 @@ ctnetlink_counters_size(const struct nf_conn *ct)
                ;
 }
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static int ctnetlink_nlmsg_secctx_size(const struct nf_conn *ct)
+{
+        int len;
+
+        security_secid_to_secctx(ct->secmark, NULL, &len);
+
+        return sizeof(char) * len;
+}
+#endif
+
 static inline size_t
 ctnetlink_nlmsg_size(const struct nf_conn *ct)
 {
@@ -453,7 +480,8 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct)
                + nla_total_size(0) /* CTA_HELP */
                + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
 #ifdef CONFIG_NF_CONNTRACK_SECMARK
-               + nla_total_size(sizeof(u_int32_t)) /* CTA_SECMARK */
+               + nla_total_size(0) /* CTA_SECCTX */
+               + nla_total_size(ctnetlink_nlmsg_secctx_size(ct)) /* CTA_SECCTX_NAME */
 #endif
 #ifdef CONFIG_NF_NAT_NEEDED
                + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
@@ -556,7 +584,7 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
 
 #ifdef CONFIG_NF_CONNTRACK_SECMARK
                 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
-                    && ctnetlink_dump_secmark(skb, ct) < 0)
+                    && ctnetlink_dump_secctx(skb, ct) < 0)
                         goto nla_put_failure;
 #endif
 
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index eb973fcd67ab..0fb65705b44b 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -15,6 +15,7 @@
 #include <linux/seq_file.h>
 #include <linux/percpu.h>
 #include <linux/netdevice.h>
+#include <linux/security.h>
 #include <net/net_namespace.h>
 #ifdef CONFIG_SYSCTL
 #include <linux/sysctl.h>
@@ -108,6 +109,29 @@ static void ct_seq_stop(struct seq_file *s, void *v)
         rcu_read_unlock();
 }
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
+{
+        int ret;
+        u32 len;
+        char *secctx;
+
+        ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+        if (ret)
+                return ret;
+
+        ret = seq_printf(s, "secctx=%s ", secctx);
+
+        security_release_secctx(secctx, len);
+        return ret;
+}
+#else
+static inline int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
+{
+        return 0;
+}
+#endif
+
 /* return 0 on success, 1 in case of error */
 static int ct_seq_show(struct seq_file *s, void *v)
 {
@@ -168,10 +192,8 @@ static int ct_seq_show(struct seq_file *s, void *v)
                 goto release;
 #endif
 
-#ifdef CONFIG_NF_CONNTRACK_SECMARK
-        if (seq_printf(s, "secmark=%u ", ct->secmark))
+        if (ct_show_secctx(s, ct))
                 goto release;
-#endif
 
 #ifdef CONFIG_NF_CONNTRACK_ZONES
         if (seq_printf(s, "zone=%u ", nf_ct_zone(ct)))
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 0cb6053f02fd..782e51986a6f 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -9,7 +9,6 @@
 #include <linux/module.h>
 #include <linux/gfp.h>
 #include <linux/skbuff.h>
-#include <linux/selinux.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter/x_tables.h>
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 23b2d6c486b5..9faf5e050b79 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -14,8 +14,8 @@
  */
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
+#include <linux/security.h>
 #include <linux/skbuff.h>
-#include <linux/selinux.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_SECMARK.h>
 
@@ -39,9 +39,8 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 
         switch (mode) {
         case SECMARK_MODE_SEL:
-                secmark = info->u.sel.selsid;
+                secmark = info->secid;
                 break;
-
         default:
                 BUG();
         }
@@ -50,33 +49,33 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
         return XT_CONTINUE;
 }
 
-static int checkentry_selinux(struct xt_secmark_target_info *info)
+static int checkentry_lsm(struct xt_secmark_target_info *info)
 {
         int err;
-        struct xt_secmark_target_selinux_info *sel = &info->u.sel;
 
-        sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0';
+        info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
+        info->secid = 0;
 
-        err = selinux_string_to_sid(sel->selctx, &sel->selsid);
+        err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
+                                       &info->secid);
         if (err) {
                 if (err == -EINVAL)
-                        pr_info("invalid SELinux context \'%s\'\n",
-                                sel->selctx);
+                        pr_info("invalid security context \'%s\'\n", info->secctx);
                 return err;
         }
 
-        if (!sel->selsid) {
-                pr_info("unable to map SELinux context \'%s\'\n", sel->selctx);
+        if (!info->secid) {
+                pr_info("unable to map security context \'%s\'\n", info->secctx);
                 return -ENOENT;
         }
 
-        err = selinux_secmark_relabel_packet_permission(sel->selsid);
+        err = security_secmark_relabel_packet(info->secid);
         if (err) {
                 pr_info("unable to obtain relabeling permission\n");
                 return err;
         }
 
-        selinux_secmark_refcount_inc();
+        security_secmark_refcount_inc();
         return 0;
 }
 
@@ -100,16 +99,16 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
 
         switch (info->mode) {
         case SECMARK_MODE_SEL:
-                err = checkentry_selinux(info);
-                if (err <= 0)
-                        return err;
                 break;
-
         default:
                 pr_info("invalid mode: %hu\n", info->mode);
                 return -EINVAL;
         }
 
+        err = checkentry_lsm(info);
+        if (err)
+                return err;
+
         if (!mode)
                 mode = info->mode;
         return 0;
@@ -119,7 +118,7 @@ static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
 {
         switch (mode) {
         case SECMARK_MODE_SEL:
-                selinux_secmark_refcount_dec();
+                security_secmark_refcount_dec();
         }
 }