aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/xfrm.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/xfrm.c')
-rw-r--r--security/selinux/xfrm.c40
1 files changed, 3 insertions, 37 deletions
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 4d5a043cdfa1..8fef74271f22 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -184,7 +184,8 @@ int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm,
184} 184}
185 185
186/* 186/*
187 * LSM hook implementation that determines the sid for the session. 187 * LSM hook implementation that checks and/or returns the xfrm sid for the
188 * incoming packet.
188 */ 189 */
189 190
190int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) 191int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
@@ -403,43 +404,8 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
403} 404}
404 405
405/* 406/*
406 * SELinux internal function to retrieve the context of a connected
407 * (sk->sk_state == TCP_ESTABLISHED) TCP socket based on its security
408 * association used to connect to the remote socket.
409 *
410 * Retrieve via getsockopt SO_PEERSEC.
411 */
412u32 selinux_socket_getpeer_stream(struct sock *sk)
413{
414 struct dst_entry *dst, *dst_test;
415 u32 peer_sid = SECSID_NULL;
416
417 if (sk->sk_state != TCP_ESTABLISHED)
418 goto out;
419
420 dst = sk_dst_get(sk);
421 if (!dst)
422 goto out;
423
424 for (dst_test = dst; dst_test != 0;
425 dst_test = dst_test->child) {
426 struct xfrm_state *x = dst_test->xfrm;
427
428 if (x && selinux_authorizable_xfrm(x)) {
429 struct xfrm_sec_ctx *ctx = x->security;
430 peer_sid = ctx->ctx_sid;
431 break;
432 }
433 }
434 dst_release(dst);
435
436out:
437 return peer_sid;
438}
439
440/*
441 * SELinux internal function to retrieve the context of a UDP packet 407 * SELinux internal function to retrieve the context of a UDP packet
442 * based on its security association used to connect to the remote socket. 408 * based on its security association.
443 * 409 *
444 * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message 410 * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
445 * type SCM_SECURITY. 411 * type SCM_SECURITY.