diff options
Diffstat (limited to 'security/selinux/xfrm.c')
| -rw-r--r-- | security/selinux/xfrm.c | 39 |
1 files changed, 16 insertions, 23 deletions
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 7e158205d081..874d17c83c61 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
| @@ -77,20 +77,18 @@ static inline int selinux_authorizable_xfrm(struct xfrm_state *x) | |||
| 77 | * LSM hook implementation that authorizes that a flow can use | 77 | * LSM hook implementation that authorizes that a flow can use |
| 78 | * a xfrm policy rule. | 78 | * a xfrm policy rule. |
| 79 | */ | 79 | */ |
| 80 | int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) | 80 | int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) |
| 81 | { | 81 | { |
| 82 | int rc; | 82 | int rc; |
| 83 | u32 sel_sid; | 83 | u32 sel_sid; |
| 84 | struct xfrm_sec_ctx *ctx; | ||
| 85 | 84 | ||
| 86 | /* Context sid is either set to label or ANY_ASSOC */ | 85 | /* Context sid is either set to label or ANY_ASSOC */ |
| 87 | if ((ctx = xp->security)) { | 86 | if (ctx) { |
| 88 | if (!selinux_authorizable_ctx(ctx)) | 87 | if (!selinux_authorizable_ctx(ctx)) |
| 89 | return -EINVAL; | 88 | return -EINVAL; |
| 90 | 89 | ||
| 91 | sel_sid = ctx->ctx_sid; | 90 | sel_sid = ctx->ctx_sid; |
| 92 | } | 91 | } else |
| 93 | else | ||
| 94 | /* | 92 | /* |
| 95 | * All flows should be treated as polmatch'ing an | 93 | * All flows should be treated as polmatch'ing an |
| 96 | * otherwise applicable "non-labeled" policy. This | 94 | * otherwise applicable "non-labeled" policy. This |
| @@ -103,7 +101,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) | |||
| 103 | NULL); | 101 | NULL); |
| 104 | 102 | ||
| 105 | if (rc == -EACCES) | 103 | if (rc == -EACCES) |
| 106 | rc = -ESRCH; | 104 | return -ESRCH; |
| 107 | 105 | ||
| 108 | return rc; | 106 | return rc; |
| 109 | } | 107 | } |
| @@ -287,15 +285,14 @@ out2: | |||
| 287 | * LSM hook implementation that allocs and transfers uctx spec to | 285 | * LSM hook implementation that allocs and transfers uctx spec to |
| 288 | * xfrm_policy. | 286 | * xfrm_policy. |
| 289 | */ | 287 | */ |
| 290 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, | 288 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, |
| 291 | struct xfrm_user_sec_ctx *uctx) | 289 | struct xfrm_user_sec_ctx *uctx) |
| 292 | { | 290 | { |
| 293 | int err; | 291 | int err; |
| 294 | 292 | ||
| 295 | BUG_ON(!xp); | ||
| 296 | BUG_ON(!uctx); | 293 | BUG_ON(!uctx); |
| 297 | 294 | ||
| 298 | err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0); | 295 | err = selinux_xfrm_sec_ctx_alloc(ctxp, uctx, 0); |
| 299 | if (err == 0) | 296 | if (err == 0) |
| 300 | atomic_inc(&selinux_xfrm_refcount); | 297 | atomic_inc(&selinux_xfrm_refcount); |
| 301 | 298 | ||
| @@ -307,32 +304,29 @@ int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, | |||
| 307 | * LSM hook implementation that copies security data structure from old to | 304 | * LSM hook implementation that copies security data structure from old to |
| 308 | * new for policy cloning. | 305 | * new for policy cloning. |
| 309 | */ | 306 | */ |
| 310 | int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) | 307 | int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, |
| 308 | struct xfrm_sec_ctx **new_ctxp) | ||
| 311 | { | 309 | { |
| 312 | struct xfrm_sec_ctx *old_ctx, *new_ctx; | 310 | struct xfrm_sec_ctx *new_ctx; |
| 313 | |||
| 314 | old_ctx = old->security; | ||
| 315 | 311 | ||
| 316 | if (old_ctx) { | 312 | if (old_ctx) { |
| 317 | new_ctx = new->security = kmalloc(sizeof(*new_ctx) + | 313 | new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, |
| 318 | old_ctx->ctx_len, | 314 | GFP_KERNEL); |
| 319 | GFP_KERNEL); | ||
| 320 | |||
| 321 | if (!new_ctx) | 315 | if (!new_ctx) |
| 322 | return -ENOMEM; | 316 | return -ENOMEM; |
| 323 | 317 | ||
| 324 | memcpy(new_ctx, old_ctx, sizeof(*new_ctx)); | 318 | memcpy(new_ctx, old_ctx, sizeof(*new_ctx)); |
| 325 | memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len); | 319 | memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len); |
| 320 | *new_ctxp = new_ctx; | ||
| 326 | } | 321 | } |
| 327 | return 0; | 322 | return 0; |
| 328 | } | 323 | } |
| 329 | 324 | ||
| 330 | /* | 325 | /* |
| 331 | * LSM hook implementation that frees xfrm_policy security information. | 326 | * LSM hook implementation that frees xfrm_sec_ctx security information. |
| 332 | */ | 327 | */ |
| 333 | void selinux_xfrm_policy_free(struct xfrm_policy *xp) | 328 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) |
| 334 | { | 329 | { |
| 335 | struct xfrm_sec_ctx *ctx = xp->security; | ||
| 336 | if (ctx) | 330 | if (ctx) |
| 337 | kfree(ctx); | 331 | kfree(ctx); |
| 338 | } | 332 | } |
| @@ -340,10 +334,9 @@ void selinux_xfrm_policy_free(struct xfrm_policy *xp) | |||
| 340 | /* | 334 | /* |
| 341 | * LSM hook implementation that authorizes deletion of labeled policies. | 335 | * LSM hook implementation that authorizes deletion of labeled policies. |
| 342 | */ | 336 | */ |
| 343 | int selinux_xfrm_policy_delete(struct xfrm_policy *xp) | 337 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) |
| 344 | { | 338 | { |
| 345 | struct task_security_struct *tsec = current->security; | 339 | struct task_security_struct *tsec = current->security; |
| 346 | struct xfrm_sec_ctx *ctx = xp->security; | ||
| 347 | int rc = 0; | 340 | int rc = 0; |
| 348 | 341 | ||
| 349 | if (ctx) { | 342 | if (ctx) { |