Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c26
1 files changed, 21 insertions, 5 deletions
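--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -136,12 +136,28 @@ static struct kmem_cache *sel_inode_cache;
  * This function checks the SECMARK reference counter to see if any SECMARK
  * targets are currently configured, if the reference counter is greater than
  * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
- * enabled, false (0) if SECMARK is disabled.
+ * enabled, false (0) if SECMARK is disabled. If the always_check_network
+ * policy capability is enabled, SECMARK is always considered enabled.
  *
  */
 static int selinux_secmark_enabled(void)
 {
-	return (atomic_read(&selinux_secmark_refcount) > 0);
+	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
+}
+
+/**
+ * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
+ *
+ * Description:
+ * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
+ * (1) if any are enabled or false (0) if neither are enabled. If the
+ * always_check_network policy capability is enabled, peer labeling
+ * is always considered enabled.
+ *
+ */
+static int selinux_peerlbl_enabled(void)
+{
+	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
 }
 
 /*
@@ -4197,7 +4213,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 		return selinux_sock_rcv_skb_compat(sk, skb, family);
 
 	secmark_active = selinux_secmark_enabled();
-	peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
+	peerlbl_active = selinux_peerlbl_enabled();
 	if (!secmark_active && !peerlbl_active)
 		return 0;
 
@@ -4579,7 +4595,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
 
 	secmark_active = selinux_secmark_enabled();
 	netlbl_active = netlbl_enabled();
-	peerlbl_active = netlbl_active || selinux_xfrm_enabled();
+	peerlbl_active = selinux_peerlbl_enabled();
 	if (!secmark_active && !peerlbl_active)
 		return NF_ACCEPT;
 
@@ -4731,7 +4747,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 		return NF_ACCEPT;
 #endif
 	secmark_active = selinux_secmark_enabled();
-	peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
+	peerlbl_active = selinux_peerlbl_enabled();
 	if (!secmark_active && !peerlbl_active)
 		return NF_ACCEPT;
 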
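Review bot: In the selinux_ip_forward hunk, `netlbl_active` is still taken from `netlbl_enabled()` while `peerlbl_active` now comes from `selinux_peerlbl_enabled()`, so with the always_check_network capability set the two flags can disagree (`peerlbl_active` true, `netlbl_active` false), and any later branch in selinux_ip_forward that treats one as implying the other should be re-checked — the function's body continues outside the hunk. The second `netlbl_enabled()` evaluation on this path is also redundant, since the old code reused `netlbl_active` for exactly that. A one-line comment would make the intended relationship explicit, e.g. `/* netlbl_active is narrower than peerlbl_active: the always_check_network capability forces peer-label checks on even when NetLabel itself is off */`. Separately, in the first hunk selinux_secmark_enabled() drops the `> 0` comparison on the refcount; the `||` still yields 0/1 as the kernel-doc promises, but a negative (underflowed) counter would now read as enabled rather than disabled, which is worth noting if the counter can ever be decremented below zero.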