Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/selinux/include/xfrm.h2
-rw-r--r--security/selinux/xfrm.c39
3 files changed, 39 insertions, 4 deletions
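--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4374,8 +4374,10 @@ static struct security_operations selinux_ops = {
  .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
  .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
  .xfrm_policy_free_security = selinux_xfrm_policy_free,
+ .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
  .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
  .xfrm_state_free_security = selinux_xfrm_state_free,
+ .xfrm_state_delete_security = selinux_xfrm_state_delete,
  .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
 #endif
 };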
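--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -9,8 +9,10 @@
 int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
 int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
 void selinux_xfrm_policy_free(struct xfrm_policy *xp);
+int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
 int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
 void selinux_xfrm_state_free(struct xfrm_state *x);
+int selinux_xfrm_state_delete(struct xfrm_state *x);
 int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
 
 /*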
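--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -132,10 +132,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us
  goto out;
 
  /*
-  * Does the subject have permission to set security or permission to
-  * do the relabel?
-  * Must be permitted to relabel from default socket type (process type)
-  * to specified context
+  * Does the subject have permission to set security context?
   */
  rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
  SECCLASS_ASSOCIATION,
@@ -201,6 +198,23 @@ void selinux_xfrm_policy_free(struct xfrm_policy *xp)
 }
 
 /*
+ * LSM hook implementation that authorizes deletion of labeled policies.
+ */
+int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
+{
+ struct task_security_struct *tsec = current->security;
+ struct xfrm_sec_ctx *ctx = xp->security;
+ int rc = 0;
+
+ if (ctx)
+ rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__SETCONTEXT, NULL);
+
+ return rc;
+}
+
+/*
  * LSM hook implementation that allocs and transfers sec_ctx spec to
  * xfrm_state.
  */
@@ -292,6 +306,23 @@ u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
  return SECSID_NULL;
 }
 
+ /*
+ * LSM hook implementation that authorizes deletion of labeled SAs.
+ */
+int selinux_xfrm_state_delete(struct xfrm_state *x)
+{
+ struct task_security_struct *tsec = current->security;
+ struct xfrm_sec_ctx *ctx = x->security;
+ int rc = 0;
+
+ if (ctx)
+ rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__SETCONTEXT, NULL);
+
+ return rc;
+}
+
 /*
  * LSM hook that controls access to unlabelled packets. If
  * a xfrm_state is authorizable (defined by macro) then it was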