Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/hooks.c | 8 | ||||
-rw-r--r-- | security/selinux/include/xfrm.h | 14 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 11 |
3 files changed, 12 insertions, 21 deletions
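diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5c189da07bc9..4e5989d584ce 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3561,14 +3561,14 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
 	newssec->peer_sid = ssec->peer_sid;
 }
 
-static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
+static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
 {
 	if (!sk)
-		return selinux_no_sk_sid(fl);
+		*secid = SECINITSID_ANY_SOCKET;
 	else {
 		struct sk_security_struct *sksec = sk->sk_security;
 
-		return sksec->sid;
+		*secid = sksec->sid;
 	}
 }
 
@@ -4622,7 +4622,7 @@ static struct security_operations selinux_ops = {
 	.sk_alloc_security = selinux_sk_alloc_security,
 	.sk_free_security = selinux_sk_free_security,
 	.sk_clone_security = selinux_sk_clone_security,
-	.sk_getsid = selinux_sk_getsid_security,
+	.sk_getsecid = selinux_sk_getsecid,
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 	.xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,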
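Review bot: With selinux_no_sk_sid() removed, the no-sock branch of selinux_sk_getsecid at new line 3567 labels every sockless flow SECINITSID_ANY_SOCKET, including the ICMP replies the deleted helper deliberately labelled SECINITSID_KERNEL; if that case is now meant to be handled by whoever calls the hook, it is not visible here and deserves a comment on this function so a policy author knows which label to write rules against. I'd put above the definition `/* Flows with no sock (ICMP replies, forwards) are labelled SECINITSID_ANY_SOCKET; the ICMP-specific SECINITSID_KERNEL label is gone. */`. The hook also has no description of its output contract; `*secid` is written on both paths, which is worth stating now that callers no longer get a return value.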
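diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index f51a3e84bd9b..8e45c1d588a8 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,7 +19,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
 			struct xfrm_policy *xp, struct flowi *fl);
 int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm);
-int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl);
+int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall);
 
 
 /*
@@ -33,18 +33,6 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
 	return SOCK_INODE(sk->sk_socket)->i_security;
 }
 
-
-static inline u32 selinux_no_sk_sid(struct flowi *fl)
-{
-	/* NOTE: no sock occurs on ICMP reply, forwards, ... */
-	/* icmp_reply: authorize as kernel packet */
-	if (fl && fl->proto == IPPROTO_ICMP) {
-		return SECINITSID_KERNEL;
-	}
-
-	return SECINITSID_ANY_SOCKET;
-}
-
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
 			struct avc_audit_data *ad);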
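Review bot: The new prototype at line 22 names its second parameter `fl` although it is now a `u32 *` that receives the sid and the definition in xfrm.c calls it `sid`; the name suggests a flowi and will mislead anyone reading the header. I'd change it to `int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);`. The `ckall` flag is also undocumented in the header; a one-line comment on the declaration saying that a zero value returns the sid of the first labelled state without verifying that the remaining states in the sec_path carry the same label would tell callers which mode they are opting into.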
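diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index a502b0540e3d..c750ef7af66f 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -158,11 +158,11 @@ int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm)
  * LSM hook implementation that determines the sid for the session.
  */
 
-int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
 {
 	struct sec_path *sp;
 
-	fl->secid = SECSID_NULL;
+	*sid = SECSID_NULL;
 
 	if (skb == NULL)
 		return 0;
@@ -177,10 +177,13 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
 				struct xfrm_sec_ctx *ctx = x->security;
 
 				if (!sid_set) {
-					fl->secid = ctx->ctx_sid;
+					*sid = ctx->ctx_sid;
 					sid_set = 1;
+
+					if (!ckall)
+						break;
 				}
-				else if (fl->secid != ctx->ctx_sid)
+				else if (*sid != ctx->ctx_sid)
 					return -EINVAL;
 			}
 		}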
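Review bot: The `break` added at new lines 183-184 skips the `-EINVAL` consistency check for every remaining state in the sec_path once `ckall` is zero, so in that mode a packet whose states carry different labels is accepted with whichever label the loop reaches first; the header comment at new line 158 should say so, because a caller passing 0 is accepting a weaker check than before. I'd extend that comment with `When ckall is zero the sid of the first labelled state is returned without checking that all states in the sec_path agree; when non-zero a label mismatch returns -EINVAL.`. `*sid` is also written at new line 165 before the skb NULL check, so `sid` must never be NULL, which is worth one more line in the same comment. The function's tail, including its final return, lies outside the second hunk.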