1 files changed, 39 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fc774436a264..3d496eae1b47 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -73,6 +73,7 @@
 #include "avc.h"
 #include "objsec.h"
 #include "netif.h"
+#include "xfrm.h"
 #define XATTR_SELINUX_SUFFIX "selinux"
 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
@@ -3349,6 +3350,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
                err = avc_has_perm(sock_sid, port_sid,
                                   sock_class, recv_perm, &ad);
        }
+        if (!err)
+                err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
 out:    
        return err;
 }
@@ -3401,6 +3406,24 @@ static void selinux_sk_free_security(struct sock *sk)
        sk_free_security(sk);
 }
+static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
+{
+        struct inode_security_struct *isec;
+        u32 sock_sid = SECINITSID_ANY_SOCKET;
+        if (!sk)
+                return selinux_no_sk_sid(fl);
+        read_lock_bh(&sk->sk_callback_lock);
+        isec = get_sock_isec(sk);
+        if (isec)
+                sock_sid = isec->sid;
+        read_unlock_bh(&sk->sk_callback_lock);
+        return sock_sid;
+}
 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
 {
        int err = 0;
@@ -3536,6 +3559,11 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
                                   send_perm, &ad) ? NF_DROP : NF_ACCEPT;
        }
+        if (err != NF_ACCEPT)
+                goto out;
+        err = selinux_xfrm_postroute_last(isec->sid, skb);
 out:
        return err;
 }
@@ -4380,6 +4408,16 @@ static struct security_operations selinux_ops = {
        .socket_getpeersec =            selinux_socket_getpeersec,
        .sk_alloc_security =            selinux_sk_alloc_security,
        .sk_free_security =             selinux_sk_free_security,
+        .sk_getsid =                    selinux_sk_getsid_security,
+#endif
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+        .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
+        .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
+        .xfrm_policy_free_security =    selinux_xfrm_policy_free,
+        .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
+        .xfrm_state_free_security =     selinux_xfrm_state_free,
+        .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
 #endif
 };
@@ -4491,6 +4529,7 @@ static int __init selinux_nf_ip_init(void)
                panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
 #endif  /* IPV6 */
 out:
        return err;
 }

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fc774436a264..3d496eae1b47 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -73,6 +73,7 @@
73	#include "avc.h"	73	#include "avc.h"
74	#include "objsec.h"	74	#include "objsec.h"
75	#include "netif.h"	75	#include "netif.h"
		76	#include "xfrm.h"
76		77
77	#define XATTR_SELINUX_SUFFIX "selinux"	78	#define XATTR_SELINUX_SUFFIX "selinux"
78	#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX	79	#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
@@ -3349,6 +3350,10 @@ static int selinux_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
3349	err = avc_has_perm(sock_sid, port_sid,	3350	err = avc_has_perm(sock_sid, port_sid,
3350	sock_class, recv_perm, &ad);	3351	sock_class, recv_perm, &ad);
3351	}	3352	}
		3353
		3354	if (!err)
		3355	err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
		3356
3352	out:	3357	out:
3353	return err;	3358	return err;
3354	}	3359	}
@@ -3401,6 +3406,24 @@ static void selinux_sk_free_security(struct sock *sk)
3401	sk_free_security(sk);	3406	sk_free_security(sk);
3402	}	3407	}
3403		3408
		3409	static unsigned int selinux_sk_getsid_security(struct sock sk, struct flowi fl, u8 dir)
		3410	{
		3411	struct inode_security_struct *isec;
		3412	u32 sock_sid = SECINITSID_ANY_SOCKET;
		3413
		3414	if (!sk)
		3415	return selinux_no_sk_sid(fl);
		3416
		3417	read_lock_bh(&sk->sk_callback_lock);
		3418	isec = get_sock_isec(sk);
		3419
		3420	if (isec)
		3421	sock_sid = isec->sid;
		3422
		3423	read_unlock_bh(&sk->sk_callback_lock);
		3424	return sock_sid;
		3425	}
		3426
3404	static int selinux_nlmsg_perm(struct sock sk, struct sk_buff skb)	3427	static int selinux_nlmsg_perm(struct sock sk, struct sk_buff skb)
3405	{	3428	{
3406	int err = 0;	3429	int err = 0;
@@ -3536,6 +3559,11 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3536	send_perm, &ad) ? NF_DROP : NF_ACCEPT;	3559	send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3537	}	3560	}
3538		3561
		3562	if (err != NF_ACCEPT)
		3563	goto out;
		3564
		3565	err = selinux_xfrm_postroute_last(isec->sid, skb);
		3566
3539	out:	3567	out:
3540	return err;	3568	return err;
3541	}	3569	}
@@ -4380,6 +4408,16 @@ static struct security_operations selinux_ops = {
4380	.socket_getpeersec = selinux_socket_getpeersec,	4408	.socket_getpeersec = selinux_socket_getpeersec,
4381	.sk_alloc_security = selinux_sk_alloc_security,	4409	.sk_alloc_security = selinux_sk_alloc_security,
4382	.sk_free_security = selinux_sk_free_security,	4410	.sk_free_security = selinux_sk_free_security,
		4411	.sk_getsid = selinux_sk_getsid_security,
		4412	#endif
		4413
		4414	#ifdef CONFIG_SECURITY_NETWORK_XFRM
		4415	.xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
		4416	.xfrm_policy_clone_security = selinux_xfrm_policy_clone,
		4417	.xfrm_policy_free_security = selinux_xfrm_policy_free,
		4418	.xfrm_state_alloc_security = selinux_xfrm_state_alloc,
		4419	.xfrm_state_free_security = selinux_xfrm_state_free,
		4420	.xfrm_policy_lookup = selinux_xfrm_policy_lookup,
4383	#endif	4421	#endif
4384	};	4422	};
4385		4423
@@ -4491,6 +4529,7 @@ static int __init selinux_nf_ip_init(void)
4491	panic("SELinux: nf_register_hook for IPv6: error %d\n", err);	4529	panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4492		4530
4493	#endif /* IPV6 */	4531	#endif /* IPV6 */
		4532
4494	out:	4533	out:
4495	return err;	4534	return err;
4496	}	4535	}