aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/netlabel.c36
1 files changed, 21 insertions, 15 deletions
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index bf8750791dd1..e64eca246f1a 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -36,8 +36,8 @@
36#include "security.h" 36#include "security.h"
37 37
38/** 38/**
39 * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism 39 * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
40 * @sock: the socket to label 40 * @sk: the socket to label
41 * @sid: the SID to use 41 * @sid: the SID to use
42 * 42 *
43 * Description: 43 * Description:
@@ -47,17 +47,17 @@
47 * this function and rcu_read_unlock() after this function returns. 47 * this function and rcu_read_unlock() after this function returns.
48 * 48 *
49 */ 49 */
50static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) 50static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid)
51{ 51{
52 int rc; 52 int rc;
53 struct sk_security_struct *sksec = sock->sk->sk_security; 53 struct sk_security_struct *sksec = sk->sk_security;
54 struct netlbl_lsm_secattr secattr; 54 struct netlbl_lsm_secattr secattr;
55 55
56 rc = security_netlbl_sid_to_secattr(sid, &secattr); 56 rc = security_netlbl_sid_to_secattr(sid, &secattr);
57 if (rc != 0) 57 if (rc != 0)
58 return rc; 58 return rc;
59 59
60 rc = netlbl_socket_setattr(sock, &secattr); 60 rc = netlbl_sock_setattr(sk, &secattr);
61 if (rc == 0) { 61 if (rc == 0) {
62 spin_lock_bh(&sksec->nlbl_lock); 62 spin_lock_bh(&sksec->nlbl_lock);
63 sksec->nlbl_state = NLBL_LABELED; 63 sksec->nlbl_state = NLBL_LABELED;
@@ -206,7 +206,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
206 /* Try to set the NetLabel on the socket to save time later, if we fail 206 /* Try to set the NetLabel on the socket to save time later, if we fail
207 * here we will pick up the pieces in later calls to 207 * here we will pick up the pieces in later calls to
208 * selinux_netlbl_inode_permission(). */ 208 * selinux_netlbl_inode_permission(). */
209 selinux_netlbl_socket_setsid(sock, sksec->sid); 209 selinux_netlbl_sock_setsid(sk, sksec->sid);
210 210
211 rcu_read_unlock(); 211 rcu_read_unlock();
212} 212}
@@ -223,14 +223,15 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
223int selinux_netlbl_socket_post_create(struct socket *sock) 223int selinux_netlbl_socket_post_create(struct socket *sock)
224{ 224{
225 int rc = 0; 225 int rc = 0;
226 struct sock *sk = sock->sk;
226 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 227 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
227 struct sk_security_struct *sksec = sock->sk->sk_security; 228 struct sk_security_struct *sksec = sk->sk_security;
228 229
229 sksec->sclass = isec->sclass; 230 sksec->sclass = isec->sclass;
230 231
231 rcu_read_lock(); 232 rcu_read_lock();
232 if (sksec->nlbl_state == NLBL_REQUIRE) 233 if (sksec->nlbl_state == NLBL_REQUIRE)
233 rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 234 rc = selinux_netlbl_sock_setsid(sk, sksec->sid);
234 rcu_read_unlock(); 235 rcu_read_unlock();
235 236
236 return rc; 237 return rc;
@@ -251,14 +252,16 @@ int selinux_netlbl_socket_post_create(struct socket *sock)
251int selinux_netlbl_inode_permission(struct inode *inode, int mask) 252int selinux_netlbl_inode_permission(struct inode *inode, int mask)
252{ 253{
253 int rc; 254 int rc;
254 struct sk_security_struct *sksec; 255 struct sock *sk;
255 struct socket *sock; 256 struct socket *sock;
257 struct sk_security_struct *sksec;
256 258
257 if (!S_ISSOCK(inode->i_mode) || 259 if (!S_ISSOCK(inode->i_mode) ||
258 ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) 260 ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
259 return 0; 261 return 0;
260 sock = SOCKET_I(inode); 262 sock = SOCKET_I(inode);
261 sksec = sock->sk->sk_security; 263 sk = sock->sk;
264 sksec = sk->sk_security;
262 265
263 rcu_read_lock(); 266 rcu_read_lock();
264 if (sksec->nlbl_state != NLBL_REQUIRE) { 267 if (sksec->nlbl_state != NLBL_REQUIRE) {
@@ -266,9 +269,9 @@ int selinux_netlbl_inode_permission(struct inode *inode, int mask)
266 return 0; 269 return 0;
267 } 270 }
268 local_bh_disable(); 271 local_bh_disable();
269 bh_lock_sock_nested(sock->sk); 272 bh_lock_sock_nested(sk);
270 rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 273 rc = selinux_netlbl_sock_setsid(sk, sksec->sid);
271 bh_unlock_sock(sock->sk); 274 bh_unlock_sock(sk);
272 local_bh_enable(); 275 local_bh_enable();
273 rcu_read_unlock(); 276 rcu_read_unlock();
274 277
@@ -345,14 +348,17 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
345 int optname) 348 int optname)
346{ 349{
347 int rc = 0; 350 int rc = 0;
348 struct sk_security_struct *sksec = sock->sk->sk_security; 351 struct sock *sk = sock->sk;
352 struct sk_security_struct *sksec = sk->sk_security;
349 struct netlbl_lsm_secattr secattr; 353 struct netlbl_lsm_secattr secattr;
350 354
351 rcu_read_lock(); 355 rcu_read_lock();
352 if (level == IPPROTO_IP && optname == IP_OPTIONS && 356 if (level == IPPROTO_IP && optname == IP_OPTIONS &&
353 sksec->nlbl_state == NLBL_LABELED) { 357 sksec->nlbl_state == NLBL_LABELED) {
354 netlbl_secattr_init(&secattr); 358 netlbl_secattr_init(&secattr);
355 rc = netlbl_socket_getattr(sock, &secattr); 359 lock_sock(sk);
360 rc = netlbl_sock_getattr(sk, &secattr);
361 release_sock(sk);
356 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 362 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
357 rc = -EACCES; 363 rc = -EACCES;
358 netlbl_secattr_destroy(&secattr); 364 netlbl_secattr_destroy(&secattr);
generated by cgit v1.2.2 (git 2.25.0) at 2024-09-24 05:23:24 -0400