Diffstat (limited to 'security')
-rw-r--r--security/capability.c2
-rw-r--r--security/commoncap.c3
-rw-r--r--security/security.c7
-rw-r--r--security/selinux/hooks.c8
-rw-r--r--security/selinux/include/xfrm.h2
-rw-r--r--security/selinux/xfrm.c6
6 files changed, 15 insertions, 13 deletions
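diff --git a/security/capability.c b/security/capability.c
index ab3d807accc3..2984ea4f776f 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -761,7 +761,7 @@ static int cap_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 sk_sid, u8 dir)
 
 static int cap_xfrm_state_pol_flow_match(struct xfrm_state *x,
 					 struct xfrm_policy *xp,
-					 struct flowi *fl)
+					 const struct flowi *fl)
 {
 	return 1;
 }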
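diff --git a/security/commoncap.c b/security/commoncap.c
index dbfdaed4cc66..49c57fd60aea 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -52,13 +52,12 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
 
 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
-	NETLINK_CB(skb).eff_cap = current_cap();
 	return 0;
 }
 
 int cap_netlink_recv(struct sk_buff *skb, int cap)
 {
-	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
+	if (!cap_raised(current_cap(), cap))
 		return -EPERM;
 	return 0;
 }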
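Review bot: cap_netlink_recv (new line 60) now tests `current_cap()` instead of the capability set that cap_netlink_send used to capture into `NETLINK_CB(skb).eff_cap` at send time, so the check is only meaningful if every netlink message is dispatched in the sending task's context; a receiver that defers an skb to a workqueue or kernel thread would presumably be evaluated against that worker's (typically full) capabilities rather than the sender's. Nothing in either function records that invariant. I would add above cap_netlink_recv: `/* Netlink messages are handled synchronously in the sender's context, so current's capabilities are the sender's; receivers that defer processing must not rely on this check. */`. cap_netlink_send is now an unconditional `return 0;` and deserves a one-line comment saying it is retained only as the default LSM hook.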
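diff --git a/security/security.c b/security/security.c
index bab9b23c3ff4..9187665a3fdd 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1105,7 +1105,7 @@ void security_sk_clone(const struct sock *sk, struct sock *newsk)
 
 void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
-	security_ops->sk_getsecid(sk, &fl->secid);
+	security_ops->sk_getsecid(sk, &fl->flowi_secid);
 }
 EXPORT_SYMBOL(security_sk_classify_flow);
 
@@ -1238,7 +1238,8 @@ int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
 }
 
 int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
-				       struct xfrm_policy *xp, struct flowi *fl)
+				       struct xfrm_policy *xp,
+				       const struct flowi *fl)
 {
 	return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
 }
@@ -1250,7 +1251,7 @@ int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
 
 void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
 {
-	int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
+	int rc = security_ops->xfrm_decode_session(skb, &fl->flowi_secid, 0);
 
 	BUG_ON(rc);
 }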
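diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d52a92507412..6475e1f0223e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4346,7 +4346,7 @@ static void selinux_secmark_refcount_dec(void)
 static void selinux_req_classify_flow(const struct request_sock *req,
 				      struct flowi *fl)
 {
-	fl->secid = req->secid;
+	fl->flowi_secid = req->secid;
 }
 
 static int selinux_tun_dev_create(void)
@@ -4695,6 +4695,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 {
 	int err;
 	struct common_audit_data ad;
+	u32 sid;
 
 	err = cap_netlink_recv(skb, capability);
 	if (err)
@@ -4703,8 +4704,9 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 	COMMON_AUDIT_DATA_INIT(&ad, CAP);
 	ad.u.cap = capability;
 
-	return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
-			    SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
+	security_task_getsecid(current, &sid);
+	return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
+			    CAP_TO_MASK(capability), &ad);
 }
 
 static int ipc_alloc_security(struct task_struct *task,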
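Review bot: selinux_netlink_recv now takes the subject SID from `current` (new line 4707) instead of the SID stamped on the skb, which, like the cap_netlink_recv call a few lines above, silently assumes the netlink message is being processed in the sending task's context; if any receiver defers to a kernel thread, the capability decision would be made against that thread's label rather than the sender's. That assumption should be stated next to the lookup, e.g. `/* netlink requests are serviced in the sender's context, so current's SID is the sender's */`. As a style point, calling `security_task_getsecid()` from inside SELinux routes through the LSM dispatch table back into SELinux; `sid = current_sid();` would presumably be the direct form if that helper is available in this file. The function's error return between the two hunks (old lines 4701-4702) is outside view.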
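diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 13128f9a3e5a..b43813c9e049 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,7 +19,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x);
 int selinux_xfrm_state_delete(struct xfrm_state *x);
 int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
-			struct xfrm_policy *xp, struct flowi *fl);
+			struct xfrm_policy *xp, const struct flowi *fl);
 
 /*
  * Extract the security blob from the sock (it's actually on the socket)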
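diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 728c57e3d65d..68178b76a2b3 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -112,7 +112,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
  */
 
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
-				      struct flowi *fl)
+				      const struct flowi *fl)
 {
 	u32 state_sid;
 	int rc;
@@ -135,10 +135,10 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
 
 	state_sid = x->security->ctx_sid;
 
-	if (fl->flowi_secid != state_sid)
+	if (fl->flowi_secid != state_sid)
 		return 0;
 
-	rc = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION,
+	rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
 			  ASSOCIATION__SENDTO,
 			  NULL)? 0:1;
 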
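Review bot: On the new side of the second hunk, `avc_has_perm(fl->flowi_secid, state_sid, ...)` (line 141) is only reached after line 138 has established `fl->flowi_secid == state_sid`, so the AVC query is always from a label to itself, and the trailing `? 0:1` (line 143) folds avc_has_perm's 0-on-allow return into a match flag; neither is obvious and neither is commented, which makes this easy to "fix" wrongly later. I would add before line 141: `/* flow and SA labels are equal here; still require association:sendto from that label to itself, and turn avc's 0-on-allow into a match flag (1 = match) */`. The hunk ends at line 144 and the function's return lies outside view.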