3 files changed, 109 insertions, 7 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b65c201e9ff5..5b16196f2823 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3318,24 +3318,38 @@ out:
         return err;
 }
 
-static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
-                                     int __user *optlen, unsigned len)
+static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
+                                            int __user *optlen, unsigned len)
 {
         int err = 0;
         char *scontext;
         u32 scontext_len;
         struct sk_security_struct *ssec;
         struct inode_security_struct *isec;
+        u32 peer_sid = 0;
 
         isec = SOCK_INODE(sock)->i_security;
-        if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
+
+        /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
+        if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
+                ssec = sock->sk->sk_security;
+                peer_sid = ssec->peer_sid;
+        }
+        else if (isec->sclass == SECCLASS_TCP_SOCKET) {
+                peer_sid = selinux_socket_getpeer_stream(sock->sk);
+
+                if (peer_sid == SECSID_NULL) {
+                        err = -ENOPROTOOPT;
+                        goto out;
+                }
+        }
+        else {
                 err = -ENOPROTOOPT;
                 goto out;
         }
 
-        ssec = sock->sk->sk_security;
-        
-        err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
+        err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
+
         if (err)
                 goto out;
 
@@ -3356,6 +3370,23 @@ out:
         return err;
 }
 
+static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
+{
+        int err = 0;
+        u32 peer_sid = selinux_socket_getpeer_dgram(skb);
+
+        if (peer_sid == SECSID_NULL)
+                return -EINVAL;
+
+        err = security_sid_to_context(peer_sid, secdata, seclen);
+        if (err)
+                return err;
+
+        return 0;
+}
+
+
+
 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
 {
         return sk_alloc_security(sk, family, priority);
@@ -4344,7 +4375,8 @@ static struct security_operations selinux_ops = {
         .socket_setsockopt =            selinux_socket_setsockopt,
         .socket_shutdown =              selinux_socket_shutdown,
         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
-        .socket_getpeersec =            selinux_socket_getpeersec,
+        .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
+        .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
         .sk_alloc_security =            selinux_sk_alloc_security,
         .sk_free_security =             selinux_sk_free_security,
         .sk_getsid =                    selinux_sk_getsid_security,
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 8e87996c6dd5..a7f388bff3f2 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -39,6 +39,8 @@ static inline u32 selinux_no_sk_sid(struct flowi *fl)
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb);
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb);
+u32 selinux_socket_getpeer_stream(struct sock *sk);
+u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
 #else
 static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
 {
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index b2af7ca496c1..dfab6c886698 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -225,6 +225,74 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
 }
 
 /*
+ * SELinux internal function to retrieve the context of a connected
+ * (sk->sk_state == TCP_ESTABLISHED) TCP socket based on its security
+ * association used to connect to the remote socket.
+ *
+ * Retrieve via getsockopt SO_PEERSEC.
+ */
+u32 selinux_socket_getpeer_stream(struct sock *sk)
+{
+        struct dst_entry *dst, *dst_test;
+        u32 peer_sid = SECSID_NULL;
+
+        if (sk->sk_state != TCP_ESTABLISHED)
+                goto out;
+
+        dst = sk_dst_get(sk);
+        if (!dst)
+                goto out;
+
+        for (dst_test = dst; dst_test != 0;
+             dst_test = dst_test->child) {
+                struct xfrm_state *x = dst_test->xfrm;
+
+                if (x && selinux_authorizable_xfrm(x)) {
+                        struct xfrm_sec_ctx *ctx = x->security;
+                        peer_sid = ctx->ctx_sid;
+                        break;
+                }
+        }
+        dst_release(dst);
+
+out:
+        return peer_sid;
+}
+
+/*
+ * SELinux internal function to retrieve the context of a UDP packet
+ * based on its security association used to connect to the remote socket.
+ *
+ * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
+ * type SCM_SECURITY.
+ */
+u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
+{
+        struct sec_path *sp;
+
+        if (skb == NULL)
+                return SECSID_NULL;
+
+        if (skb->sk->sk_protocol != IPPROTO_UDP)
+                return SECSID_NULL;
+
+        sp = skb->sp;
+        if (sp) {
+                int i;
+
+                for (i = sp->len-1; i >= 0; i--) {
+                        struct xfrm_state *x = sp->x[i].xvec;
+                        if (selinux_authorizable_xfrm(x)) {
+                                struct xfrm_sec_ctx *ctx = x->security;
+                                return ctx->ctx_sid;
+                        }
+                }
+        }
+
+        return SECSID_NULL;
+}
+
+/*
  * LSM hook that controls access to unlabelled packets.  If
  * a xfrm_state is authorizable (defined by macro) then it was
  * already authorized by the IPSec process.  If not, then