Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/include/xfrm.h3
-rw-r--r--security/selinux/xfrm.c33
2 files changed, 24 insertions, 12 deletions
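--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -7,7 +7,8 @@
 #ifndef _SELINUX_XFRM_H_
 #define _SELINUX_XFRM_H_
 
-int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
+int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
+		struct xfrm_user_sec_ctx *sec_ctx, struct sock *sk);
 int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
 void selinux_xfrm_policy_free(struct xfrm_policy *xp);
 int selinux_xfrm_policy_delete(struct xfrm_policy *xp);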
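--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -208,10 +208,8 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
 
 	BUG_ON(uctx && pol);
 
-	if (pol)
-		goto from_policy;
-
-	BUG_ON(!uctx);
+	if (!uctx)
+		goto not_from_user;
 
 	if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
 		return -EINVAL;
@@ -251,11 +249,14 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
 
 	return rc;
 
-from_policy:
-	BUG_ON(!pol);
-	rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid);
-	if (rc)
-		goto out;
+not_from_user:
+	if (pol) {
+		rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid);
+		if (rc)
+			goto out;
+	}
+	else
+		ctx_sid = sid;
 
 	rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len);
 	if (rc)
@@ -293,13 +294,23 @@ out2:
  * LSM hook implementation that allocs and transfers uctx spec to
  * xfrm_policy.
  */
-int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *uctx)
+int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
+		struct xfrm_user_sec_ctx *uctx, struct sock *sk)
 {
 	int err;
+	u32 sid;
 
 	BUG_ON(!xp);
+	BUG_ON(uctx && sk);
+
+	if (sk) {
+		struct sk_security_struct *ssec = sk->sk_security;
+		sid = ssec->sid;
+	}
+	else
+		sid = SECSID_NULL;
 
-	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, 0);
+	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, sid);
 	return err;
 }
 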
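Review bot: In selinux_xfrm_policy_alloc the new `if (sk)` branch (new lines 307-308) dereferences `sk->sk_security` and then `ssec->sid` without checking either pointer, which is only safe if every socket reaching this hook already has its SELinux security blob attached; if that is guaranteed by the socket allocation path, a comment such as `/* sk_security is always populated before a socket can install xfrm policy */` should record the assumption, otherwise the branch needs a NULL check. When uctx and sk are both NULL, sid becomes SECSID_NULL and, through the new `else ctx_sid = sid;` in selinux_xfrm_sec_ctx_alloc (second hunk), flows directly into security_sid_to_context; the removed `BUG_ON(!uctx)` used to reject that case explicitly, so either return -EINVAL there or document that callers never pass both as NULL. Minor style: kernel convention writes `} else` on one line in both new else branches, and the xfrm.h prototype names the middle parameter `sec_ctx` while this definition calls it `uctx`.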