3 files changed, 29 insertions, 19 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0753b20e23fe..3c3fff33d1ce 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -47,7 +47,7 @@
 #include <linux/netfilter_ipv6.h>
 #include <linux/tty.h>
 #include <net/icmp.h>
-#include <net/ip.h>             /* for sysctl_local_port_range[] */
+#include <net/ip.h>             /* for local_port_range[] */
 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 #include <asm/uaccess.h>
 #include <asm/ioctls.h>
@@ -3232,8 +3232,6 @@ static int selinux_socket_post_create(struct socket *sock, int family,
 /* Range of port numbers used to automatically bind.
   Need to determine whether we should perform a name_bind
   permission check between the socket and the port number. */
-#define ip_local_port_range_0 sysctl_local_port_range[0]
-#define ip_local_port_range_1 sysctl_local_port_range[1]
 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
 {
@@ -3276,20 +3274,27 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                        addrp = (char *)&addr6->sin6_addr.s6_addr;
                }
-                if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
+                if (snum) {
-                           snum > ip_local_port_range_1)) {
+                        int low, high;
-                        err = security_port_sid(sk->sk_family, sk->sk_type,
-                                                sk->sk_protocol, snum, &sid);
+                        inet_get_local_port_range(&low, &high);
-                        if (err)
-                                goto out;
+                        if (snum < max(PROT_SOCK, low) || snum > high) {
-                        AVC_AUDIT_DATA_INIT(&ad,NET);
+                                err = security_port_sid(sk->sk_family,
-                        ad.u.net.sport = htons(snum);
+                                                        sk->sk_type,
-                        ad.u.net.family = family;
+                                                        sk->sk_protocol, snum,
-                        err = avc_has_perm(isec->sid, sid,
+                                                        &sid);
-                                           isec->sclass,
+                                if (err)
-                                           SOCKET__NAME_BIND, &ad);
+                                        goto out;
-                        if (err)
+                                AVC_AUDIT_DATA_INIT(&ad,NET);
-                                goto out;
+                                ad.u.net.sport = htons(snum);
+                                ad.u.net.family = family;
+                                err = avc_has_perm(isec->sid, sid,
+                                                   isec->sclass,
+                                                   SOCKET__NAME_BIND, &ad);
+                                if (err)
+                                        goto out;
+                        }
                }
                
                switch(isec->sclass) {
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index b10c34e8a743..e87ab948104c 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -20,6 +20,7 @@
 #include <linux/notifier.h>
 #include <linux/netdevice.h>
 #include <linux/rcupdate.h>
+#include <net/net_namespace.h>
 #include "security.h"
 #include "objsec.h"
@@ -234,6 +235,9 @@ static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
 {
        struct net_device *dev = ptr;
+        if (dev->nd_net != &init_net)
+                return NOTIFY_DONE;
        if (event == NETDEV_DOWN)
                sel_netif_kill(dev);
diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c
index f49046de63a2..b59871d74dad 100644
--- a/security/selinux/netlink.c
+++ b/security/selinux/netlink.c
@@ -17,6 +17,7 @@
 #include <linux/skbuff.h>
 #include <linux/netlink.h>
 #include <linux/selinux_netlink.h>
+#include <net/net_namespace.h>
 static struct sock *selnl;
@@ -104,8 +105,8 @@ void selnl_notify_policyload(u32 seqno)
 static int __init selnl_init(void)
 {
-        selnl = netlink_kernel_create(NETLINK_SELINUX, SELNLGRP_MAX, NULL, NULL,
+        selnl = netlink_kernel_create(&init_net, NETLINK_SELINUX,
-                                      THIS_MODULE);
+                                      SELNLGRP_MAX, NULL, NULL, THIS_MODULE);
        if (selnl == NULL)
                panic("SELinux:  Cannot create netlink socket.");
        netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV);

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0753b20e23fe..3c3fff33d1ce 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -47,7 +47,7 @@
47	#include <linux/netfilter_ipv6.h>	47	#include <linux/netfilter_ipv6.h>
48	#include <linux/tty.h>	48	#include <linux/tty.h>
49	#include <net/icmp.h>	49	#include <net/icmp.h>
50	#include <net/ip.h> /* for sysctl_local_port_range[] */	50	#include <net/ip.h> /* for local_port_range[] */
51	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */	51	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52	#include <asm/uaccess.h>	52	#include <asm/uaccess.h>
53	#include <asm/ioctls.h>	53	#include <asm/ioctls.h>
@@ -3232,8 +3232,6 @@ static int selinux_socket_post_create(struct socket *sock, int family,
3232	/* Range of port numbers used to automatically bind.	3232	/* Range of port numbers used to automatically bind.
3233	Need to determine whether we should perform a name_bind	3233	Need to determine whether we should perform a name_bind
3234	permission check between the socket and the port number. */	3234	permission check between the socket and the port number. */
3235	#define ip_local_port_range_0 sysctl_local_port_range[0]
3236	#define ip_local_port_range_1 sysctl_local_port_range[1]
3237		3235
3238	static int selinux_socket_bind(struct socket sock, struct sockaddr address, int addrlen)	3236	static int selinux_socket_bind(struct socket sock, struct sockaddr address, int addrlen)
3239	{	3237	{
@@ -3276,20 +3274,27 @@ static int selinux_socket_bind(struct socket sock, struct sockaddr address, in
3276	addrp = (char *)&addr6->sin6_addr.s6_addr;	3274	addrp = (char *)&addr6->sin6_addr.s6_addr;
3277	}	3275	}
3278		3276
3279	if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) \|\|	3277	if (snum) {
3280	snum > ip_local_port_range_1)) {	3278	int low, high;
3281	err = security_port_sid(sk->sk_family, sk->sk_type,	3279
3282	sk->sk_protocol, snum, &sid);	3280	inet_get_local_port_range(&low, &high);
3283	if (err)	3281
3284	goto out;	3282	if (snum < max(PROT_SOCK, low) \|\| snum > high) {
3285	AVC_AUDIT_DATA_INIT(&ad,NET);	3283	err = security_port_sid(sk->sk_family,
3286	ad.u.net.sport = htons(snum);	3284	sk->sk_type,
3287	ad.u.net.family = family;	3285	sk->sk_protocol, snum,
3288	err = avc_has_perm(isec->sid, sid,	3286	&sid);
3289	isec->sclass,	3287	if (err)
3290	SOCKET__NAME_BIND, &ad);	3288	goto out;
3291	if (err)	3289	AVC_AUDIT_DATA_INIT(&ad,NET);
3292	goto out;	3290	ad.u.net.sport = htons(snum);
		3291	ad.u.net.family = family;
		3292	err = avc_has_perm(isec->sid, sid,
		3293	isec->sclass,
		3294	SOCKET__NAME_BIND, &ad);
		3295	if (err)
		3296	goto out;
		3297	}
3293	}	3298	}
3294		3299
3295	switch(isec->sclass) {	3300	switch(isec->sclass) {


diff --git a/security/selinux/netif.c b/security/selinux/netif.c index b10c34e8a743..e87ab948104c 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c
@@ -20,6 +20,7 @@
20	#include <linux/notifier.h>	20	#include <linux/notifier.h>
21	#include <linux/netdevice.h>	21	#include <linux/netdevice.h>
22	#include <linux/rcupdate.h>	22	#include <linux/rcupdate.h>
		23	#include <net/net_namespace.h>
23		24
24	#include "security.h"	25	#include "security.h"
25	#include "objsec.h"	26	#include "objsec.h"
@@ -234,6 +235,9 @@ static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
234	{	235	{
235	struct net_device *dev = ptr;	236	struct net_device *dev = ptr;
236		237
		238	if (dev->nd_net != &init_net)
		239	return NOTIFY_DONE;
		240
237	if (event == NETDEV_DOWN)	241	if (event == NETDEV_DOWN)
238	sel_netif_kill(dev);	242	sel_netif_kill(dev);
239		243


diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c index f49046de63a2..b59871d74dad 100644 --- a/security/selinux/netlink.c +++ b/security/selinux/netlink.c
@@ -17,6 +17,7 @@
17	#include <linux/skbuff.h>	17	#include <linux/skbuff.h>
18	#include <linux/netlink.h>	18	#include <linux/netlink.h>
19	#include <linux/selinux_netlink.h>	19	#include <linux/selinux_netlink.h>
		20	#include <net/net_namespace.h>
20		21
21	static struct sock *selnl;	22	static struct sock *selnl;
22		23
@@ -104,8 +105,8 @@ void selnl_notify_policyload(u32 seqno)
104		105
105	static int __init selnl_init(void)	106	static int __init selnl_init(void)
106	{	107	{
107	selnl = netlink_kernel_create(NETLINK_SELINUX, SELNLGRP_MAX, NULL, NULL,	108	selnl = netlink_kernel_create(&init_net, NETLINK_SELINUX,
108	THIS_MODULE);	109	SELNLGRP_MAX, NULL, NULL, THIS_MODULE);
109	if (selnl == NULL)	110	if (selnl == NULL)
110	panic("SELinux: Cannot create netlink socket.");	111	panic("SELinux: Cannot create netlink socket.");
111	netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV);	112	netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV);