diff options
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/include/xfrm.h | 4 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 35 |
2 files changed, 11 insertions, 28 deletions
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index 526b28019aca..8e329ddb5e37 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h | |||
@@ -8,12 +8,12 @@ | |||
8 | #define _SELINUX_XFRM_H_ | 8 | #define _SELINUX_XFRM_H_ |
9 | 9 | ||
10 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, | 10 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, |
11 | struct xfrm_user_sec_ctx *sec_ctx, struct sock *sk); | 11 | struct xfrm_user_sec_ctx *sec_ctx); |
12 | int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); | 12 | int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); |
13 | void selinux_xfrm_policy_free(struct xfrm_policy *xp); | 13 | void selinux_xfrm_policy_free(struct xfrm_policy *xp); |
14 | int selinux_xfrm_policy_delete(struct xfrm_policy *xp); | 14 | int selinux_xfrm_policy_delete(struct xfrm_policy *xp); |
15 | int selinux_xfrm_state_alloc(struct xfrm_state *x, | 15 | int selinux_xfrm_state_alloc(struct xfrm_state *x, |
16 | struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *pol, u32 secid); | 16 | struct xfrm_user_sec_ctx *sec_ctx, u32 secid); |
17 | void selinux_xfrm_state_free(struct xfrm_state *x); | 17 | void selinux_xfrm_state_free(struct xfrm_state *x); |
18 | int selinux_xfrm_state_delete(struct xfrm_state *x); | 18 | int selinux_xfrm_state_delete(struct xfrm_state *x); |
19 | int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir); | 19 | int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir); |
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 675b995a67c3..4d5a043cdfa1 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
@@ -226,16 +226,15 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) | |||
226 | * CTX does not have a meaningful value on input | 226 | * CTX does not have a meaningful value on input |
227 | */ | 227 | */ |
228 | static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, | 228 | static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, |
229 | struct xfrm_user_sec_ctx *uctx, struct xfrm_sec_ctx *pol, u32 sid) | 229 | struct xfrm_user_sec_ctx *uctx, u32 sid) |
230 | { | 230 | { |
231 | int rc = 0; | 231 | int rc = 0; |
232 | struct task_security_struct *tsec = current->security; | 232 | struct task_security_struct *tsec = current->security; |
233 | struct xfrm_sec_ctx *ctx = NULL; | 233 | struct xfrm_sec_ctx *ctx = NULL; |
234 | char *ctx_str = NULL; | 234 | char *ctx_str = NULL; |
235 | u32 str_len; | 235 | u32 str_len; |
236 | u32 ctx_sid; | ||
237 | 236 | ||
238 | BUG_ON(uctx && pol); | 237 | BUG_ON(uctx && sid); |
239 | 238 | ||
240 | if (!uctx) | 239 | if (!uctx) |
241 | goto not_from_user; | 240 | goto not_from_user; |
@@ -279,15 +278,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, | |||
279 | return rc; | 278 | return rc; |
280 | 279 | ||
281 | not_from_user: | 280 | not_from_user: |
282 | if (pol) { | 281 | rc = security_sid_to_context(sid, &ctx_str, &str_len); |
283 | rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid); | ||
284 | if (rc) | ||
285 | goto out; | ||
286 | } | ||
287 | else | ||
288 | ctx_sid = sid; | ||
289 | |||
290 | rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len); | ||
291 | if (rc) | 282 | if (rc) |
292 | goto out; | 283 | goto out; |
293 | 284 | ||
@@ -302,7 +293,7 @@ not_from_user: | |||
302 | 293 | ||
303 | ctx->ctx_doi = XFRM_SC_DOI_LSM; | 294 | ctx->ctx_doi = XFRM_SC_DOI_LSM; |
304 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; | 295 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; |
305 | ctx->ctx_sid = ctx_sid; | 296 | ctx->ctx_sid = sid; |
306 | ctx->ctx_len = str_len; | 297 | ctx->ctx_len = str_len; |
307 | memcpy(ctx->ctx_str, | 298 | memcpy(ctx->ctx_str, |
308 | ctx_str, | 299 | ctx_str, |
@@ -323,22 +314,14 @@ out2: | |||
323 | * xfrm_policy. | 314 | * xfrm_policy. |
324 | */ | 315 | */ |
325 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, | 316 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, |
326 | struct xfrm_user_sec_ctx *uctx, struct sock *sk) | 317 | struct xfrm_user_sec_ctx *uctx) |
327 | { | 318 | { |
328 | int err; | 319 | int err; |
329 | u32 sid; | ||
330 | 320 | ||
331 | BUG_ON(!xp); | 321 | BUG_ON(!xp); |
332 | BUG_ON(uctx && sk); | 322 | BUG_ON(!uctx); |
333 | |||
334 | if (sk) { | ||
335 | struct sk_security_struct *ssec = sk->sk_security; | ||
336 | sid = ssec->sid; | ||
337 | } | ||
338 | else | ||
339 | sid = SECSID_NULL; | ||
340 | 323 | ||
341 | err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, sid); | 324 | err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0); |
342 | return err; | 325 | return err; |
343 | } | 326 | } |
344 | 327 | ||
@@ -399,13 +382,13 @@ int selinux_xfrm_policy_delete(struct xfrm_policy *xp) | |||
399 | * xfrm_state. | 382 | * xfrm_state. |
400 | */ | 383 | */ |
401 | int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, | 384 | int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, |
402 | struct xfrm_sec_ctx *pol, u32 secid) | 385 | u32 secid) |
403 | { | 386 | { |
404 | int err; | 387 | int err; |
405 | 388 | ||
406 | BUG_ON(!x); | 389 | BUG_ON(!x); |
407 | 390 | ||
408 | err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, pol, secid); | 391 | err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid); |
409 | return err; | 392 | return err; |
410 | } | 393 | } |
411 | 394 | ||