aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c8
-rw-r--r--security/selinux/include/xfrm.h14
-rw-r--r--security/selinux/xfrm.c11
3 files changed, 12 insertions, 21 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5c189da07bc9..4e5989d584ce 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3561,14 +3561,14 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3561 newssec->peer_sid = ssec->peer_sid; 3561 newssec->peer_sid = ssec->peer_sid;
3562} 3562}
3563 3563
3564static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir) 3564static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
3565{ 3565{
3566 if (!sk) 3566 if (!sk)
3567 return selinux_no_sk_sid(fl); 3567 *secid = SECINITSID_ANY_SOCKET;
3568 else { 3568 else {
3569 struct sk_security_struct *sksec = sk->sk_security; 3569 struct sk_security_struct *sksec = sk->sk_security;
3570 3570
3571 return sksec->sid; 3571 *secid = sksec->sid;
3572 } 3572 }
3573} 3573}
3574 3574
@@ -4622,7 +4622,7 @@ static struct security_operations selinux_ops = {
4622 .sk_alloc_security = selinux_sk_alloc_security, 4622 .sk_alloc_security = selinux_sk_alloc_security,
4623 .sk_free_security = selinux_sk_free_security, 4623 .sk_free_security = selinux_sk_free_security,
4624 .sk_clone_security = selinux_sk_clone_security, 4624 .sk_clone_security = selinux_sk_clone_security,
4625 .sk_getsid = selinux_sk_getsid_security, 4625 .sk_getsecid = selinux_sk_getsecid,
4626 4626
4627#ifdef CONFIG_SECURITY_NETWORK_XFRM 4627#ifdef CONFIG_SECURITY_NETWORK_XFRM
4628 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 4628 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index f51a3e84bd9b..8e45c1d588a8 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,7 +19,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
19int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, 19int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
20 struct xfrm_policy *xp, struct flowi *fl); 20 struct xfrm_policy *xp, struct flowi *fl);
21int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm); 21int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm);
22int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl); 22int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall);
23 23
24 24
25/* 25/*
@@ -33,18 +33,6 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
33 return SOCK_INODE(sk->sk_socket)->i_security; 33 return SOCK_INODE(sk->sk_socket)->i_security;
34} 34}
35 35
36
37static inline u32 selinux_no_sk_sid(struct flowi *fl)
38{
39 /* NOTE: no sock occurs on ICMP reply, forwards, ... */
40 /* icmp_reply: authorize as kernel packet */
41 if (fl && fl->proto == IPPROTO_ICMP) {
42 return SECINITSID_KERNEL;
43 }
44
45 return SECINITSID_ANY_SOCKET;
46}
47
48#ifdef CONFIG_SECURITY_NETWORK_XFRM 36#ifdef CONFIG_SECURITY_NETWORK_XFRM
49int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, 37int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
50 struct avc_audit_data *ad); 38 struct avc_audit_data *ad);
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index a502b0540e3d..c750ef7af66f 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -158,11 +158,11 @@ int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm)
158 * LSM hook implementation that determines the sid for the session. 158 * LSM hook implementation that determines the sid for the session.
159 */ 159 */
160 160
161int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl) 161int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
162{ 162{
163 struct sec_path *sp; 163 struct sec_path *sp;
164 164
165 fl->secid = SECSID_NULL; 165 *sid = SECSID_NULL;
166 166
167 if (skb == NULL) 167 if (skb == NULL)
168 return 0; 168 return 0;
@@ -177,10 +177,13 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
177 struct xfrm_sec_ctx *ctx = x->security; 177 struct xfrm_sec_ctx *ctx = x->security;
178 178
179 if (!sid_set) { 179 if (!sid_set) {
180 fl->secid = ctx->ctx_sid; 180 *sid = ctx->ctx_sid;
181 sid_set = 1; 181 sid_set = 1;
182
183 if (!ckall)
184 break;
182 } 185 }
183 else if (fl->secid != ctx->ctx_sid) 186 else if (*sid != ctx->ctx_sid)
184 return -EINVAL; 187 return -EINVAL;
185 } 188 }
186 } 189 }