diff options
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 38 |
1 files changed, 32 insertions, 6 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5f02b4be1917..885a9a958b8d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -77,7 +77,7 @@ | |||
77 | #include "objsec.h" | 77 | #include "objsec.h" |
78 | #include "netif.h" | 78 | #include "netif.h" |
79 | #include "xfrm.h" | 79 | #include "xfrm.h" |
80 | #include "selinux_netlabel.h" | 80 | #include "netlabel.h" |
81 | 81 | ||
82 | #define XATTR_SELINUX_SUFFIX "selinux" | 82 | #define XATTR_SELINUX_SUFFIX "selinux" |
83 | #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX | 83 | #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX |
@@ -3123,6 +3123,34 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, | |||
3123 | return ret; | 3123 | return ret; |
3124 | } | 3124 | } |
3125 | 3125 | ||
3126 | /** | ||
3127 | * selinux_skb_extlbl_sid - Determine the external label of a packet | ||
3128 | * @skb: the packet | ||
3129 | * @base_sid: the SELinux SID to use as a context for MLS only external labels | ||
3130 | * @sid: the packet's SID | ||
3131 | * | ||
3132 | * Description: | ||
3133 | * Check the various different forms of external packet labeling and determine | ||
3134 | * the external SID for the packet. | ||
3135 | * | ||
3136 | */ | ||
3137 | static void selinux_skb_extlbl_sid(struct sk_buff *skb, | ||
3138 | u32 base_sid, | ||
3139 | u32 *sid) | ||
3140 | { | ||
3141 | u32 xfrm_sid; | ||
3142 | u32 nlbl_sid; | ||
3143 | |||
3144 | selinux_skb_xfrm_sid(skb, &xfrm_sid); | ||
3145 | if (selinux_netlbl_skbuff_getsid(skb, | ||
3146 | (xfrm_sid == SECSID_NULL ? | ||
3147 | base_sid : xfrm_sid), | ||
3148 | &nlbl_sid) != 0) | ||
3149 | nlbl_sid = SECSID_NULL; | ||
3150 | |||
3151 | *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); | ||
3152 | } | ||
3153 | |||
3126 | /* socket security operations */ | 3154 | /* socket security operations */ |
3127 | static int socket_has_perm(struct task_struct *task, struct socket *sock, | 3155 | static int socket_has_perm(struct task_struct *task, struct socket *sock, |
3128 | u32 perms) | 3156 | u32 perms) |
@@ -3664,9 +3692,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * | |||
3664 | if (sock && sock->sk->sk_family == PF_UNIX) | 3692 | if (sock && sock->sk->sk_family == PF_UNIX) |
3665 | selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); | 3693 | selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); |
3666 | else if (skb) | 3694 | else if (skb) |
3667 | security_skb_extlbl_sid(skb, | 3695 | selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid); |
3668 | SECINITSID_UNLABELED, | ||
3669 | &peer_secid); | ||
3670 | 3696 | ||
3671 | if (peer_secid == SECSID_NULL) | 3697 | if (peer_secid == SECSID_NULL) |
3672 | err = -EINVAL; | 3698 | err = -EINVAL; |
@@ -3727,7 +3753,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, | |||
3727 | u32 newsid; | 3753 | u32 newsid; |
3728 | u32 peersid; | 3754 | u32 peersid; |
3729 | 3755 | ||
3730 | security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); | 3756 | selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); |
3731 | if (peersid == SECSID_NULL) { | 3757 | if (peersid == SECSID_NULL) { |
3732 | req->secid = sksec->sid; | 3758 | req->secid = sksec->sid; |
3733 | req->peer_secid = SECSID_NULL; | 3759 | req->peer_secid = SECSID_NULL; |
@@ -3765,7 +3791,7 @@ static void selinux_inet_conn_established(struct sock *sk, | |||
3765 | { | 3791 | { |
3766 | struct sk_security_struct *sksec = sk->sk_security; | 3792 | struct sk_security_struct *sksec = sk->sk_security; |
3767 | 3793 | ||
3768 | security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); | 3794 | selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); |
3769 | } | 3795 | } |
3770 | 3796 | ||
3771 | static void selinux_req_classify_flow(const struct request_sock *req, | 3797 | static void selinux_req_classify_flow(const struct request_sock *req, |