path: root/security/selinux/hooks.c
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c38
1 files changed, 32 insertions, 6 deletions
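diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5f02b4be1917..885a9a958b8d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -77,7 +77,7 @@
 #include "objsec.h"
 #include "netif.h"
 #include "xfrm.h"
-#include "selinux_netlabel.h"
+#include "netlabel.h"
 
 #define XATTR_SELINUX_SUFFIX "selinux"
 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
@@ -3123,6 +3123,34 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 	return ret;
 }
 
+/**
+ * selinux_skb_extlbl_sid - Determine the external label of a packet
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
+ * @sid: the packet's SID
+ *
+ * Description:
+ * Check the various different forms of external packet labeling and determine
+ * the external SID for the packet.
+ *
+ */
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+				   u32 base_sid,
+				   u32 *sid)
+{
+	u32 xfrm_sid;
+	u32 nlbl_sid;
+
+	selinux_skb_xfrm_sid(skb, &xfrm_sid);
+	if (selinux_netlbl_skbuff_getsid(skb,
+					 (xfrm_sid == SECSID_NULL ?
+					  base_sid : xfrm_sid),
+					 &nlbl_sid) != 0)
+		nlbl_sid = SECSID_NULL;
+
+	*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+}
+
 /* socket security operations */
 static int socket_has_perm(struct task_struct *task, struct socket *sock,
 			   u32 perms)
@@ -3664,9 +3692,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
 	if (sock && sock->sk->sk_family == PF_UNIX)
 		selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
 	else if (skb)
-		security_skb_extlbl_sid(skb,
-					SECINITSID_UNLABELED,
-					&peer_secid);
+		selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
 
 	if (peer_secid == SECSID_NULL)
 		err = -EINVAL;
@@ -3727,7 +3753,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
 	u32 newsid;
 	u32 peersid;
 
-	security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
+	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
 	if (peersid == SECSID_NULL) {
 		req->secid = sksec->sid;
 		req->peer_secid = SECSID_NULL;
@@ -3765,7 +3791,7 @@ static void selinux_inet_conn_established(struct sock *sk,
 {
 	struct sk_security_struct *sksec = sk->sk_security;
 
-	security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
+	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
 }
 
 static void selinux_req_classify_flow(const struct request_sock *req,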
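Review bot: In the new selinux_skb_extlbl_sid() (hunk @@ -3123,6 +3123,34 @@) the result of `selinux_skb_xfrm_sid(skb, &xfrm_sid)` at new line 3144 is discarded, while the parallel `selinux_netlbl_skbuff_getsid()` call is checked and its output forced to SECSID_NULL on failure; `xfrm_sid` is declared without an initializer, so unless the xfrm helper is guaranteed to store SECSID_NULL on every failure path (not visible in this hunk), an error would leave it uninitialized and that value would be used as the fallback context at 3146 and possibly returned as the peer SID at 3151. Handling both label sources the same way removes the dependence on that guarantee: `if (selinux_skb_xfrm_sid(skb, &xfrm_sid) != 0)` / `xfrm_sid = SECSID_NULL;`. The kernel-doc block should also spell out the precedence the last line implements, since the callers in the later hunks (getpeersec_dgram, inet_conn_request, inet_conn_established) key off the SECSID_NULL result: `* A NetLabel SID, if present, takes precedence over the xfrm SID; @sid is set to SECSID_NULL when neither form of external labeling is available.`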