aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/include/xfrm.h4
-rw-r--r--security/selinux/xfrm.c35
2 files changed, 11 insertions, 28 deletions
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 526b28019aca..8e329ddb5e37 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -8,12 +8,12 @@
8#define _SELINUX_XFRM_H_ 8#define _SELINUX_XFRM_H_
9 9
10int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, 10int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
11 struct xfrm_user_sec_ctx *sec_ctx, struct sock *sk); 11 struct xfrm_user_sec_ctx *sec_ctx);
12int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); 12int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
13void selinux_xfrm_policy_free(struct xfrm_policy *xp); 13void selinux_xfrm_policy_free(struct xfrm_policy *xp);
14int selinux_xfrm_policy_delete(struct xfrm_policy *xp); 14int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
15int selinux_xfrm_state_alloc(struct xfrm_state *x, 15int selinux_xfrm_state_alloc(struct xfrm_state *x,
16 struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *pol, u32 secid); 16 struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
17void selinux_xfrm_state_free(struct xfrm_state *x); 17void selinux_xfrm_state_free(struct xfrm_state *x);
18int selinux_xfrm_state_delete(struct xfrm_state *x); 18int selinux_xfrm_state_delete(struct xfrm_state *x);
19int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir); 19int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 675b995a67c3..4d5a043cdfa1 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -226,16 +226,15 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
226 * CTX does not have a meaningful value on input 226 * CTX does not have a meaningful value on input
227 */ 227 */
228static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, 228static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
229 struct xfrm_user_sec_ctx *uctx, struct xfrm_sec_ctx *pol, u32 sid) 229 struct xfrm_user_sec_ctx *uctx, u32 sid)
230{ 230{
231 int rc = 0; 231 int rc = 0;
232 struct task_security_struct *tsec = current->security; 232 struct task_security_struct *tsec = current->security;
233 struct xfrm_sec_ctx *ctx = NULL; 233 struct xfrm_sec_ctx *ctx = NULL;
234 char *ctx_str = NULL; 234 char *ctx_str = NULL;
235 u32 str_len; 235 u32 str_len;
236 u32 ctx_sid;
237 236
238 BUG_ON(uctx && pol); 237 BUG_ON(uctx && sid);
239 238
240 if (!uctx) 239 if (!uctx)
241 goto not_from_user; 240 goto not_from_user;
@@ -279,15 +278,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
279 return rc; 278 return rc;
280 279
281not_from_user: 280not_from_user:
282 if (pol) { 281 rc = security_sid_to_context(sid, &ctx_str, &str_len);
283 rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid);
284 if (rc)
285 goto out;
286 }
287 else
288 ctx_sid = sid;
289
290 rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len);
291 if (rc) 282 if (rc)
292 goto out; 283 goto out;
293 284
@@ -302,7 +293,7 @@ not_from_user:
302 293
303 ctx->ctx_doi = XFRM_SC_DOI_LSM; 294 ctx->ctx_doi = XFRM_SC_DOI_LSM;
304 ctx->ctx_alg = XFRM_SC_ALG_SELINUX; 295 ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
305 ctx->ctx_sid = ctx_sid; 296 ctx->ctx_sid = sid;
306 ctx->ctx_len = str_len; 297 ctx->ctx_len = str_len;
307 memcpy(ctx->ctx_str, 298 memcpy(ctx->ctx_str,
308 ctx_str, 299 ctx_str,
@@ -323,22 +314,14 @@ out2:
323 * xfrm_policy. 314 * xfrm_policy.
324 */ 315 */
325int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, 316int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
326 struct xfrm_user_sec_ctx *uctx, struct sock *sk) 317 struct xfrm_user_sec_ctx *uctx)
327{ 318{
328 int err; 319 int err;
329 u32 sid;
330 320
331 BUG_ON(!xp); 321 BUG_ON(!xp);
332 BUG_ON(uctx && sk); 322 BUG_ON(!uctx);
333
334 if (sk) {
335 struct sk_security_struct *ssec = sk->sk_security;
336 sid = ssec->sid;
337 }
338 else
339 sid = SECSID_NULL;
340 323
341 err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, sid); 324 err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0);
342 return err; 325 return err;
343} 326}
344 327
@@ -399,13 +382,13 @@ int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
399 * xfrm_state. 382 * xfrm_state.
400 */ 383 */
401int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, 384int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx,
402 struct xfrm_sec_ctx *pol, u32 secid) 385 u32 secid)
403{ 386{
404 int err; 387 int err;
405 388
406 BUG_ON(!x); 389 BUG_ON(!x);
407 390
408 err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, pol, secid); 391 err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
409 return err; 392 return err;
410} 393}
411 394