Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/netlabel.c | 38 |
1 files changed, 10 insertions, 28 deletions
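diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 89b418392f11..b9ce5fcf3432 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -66,22 +66,24 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
 /**
  * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
  * @sk: the socket to label
- * @sid: the SID to use
  *
  * Description:
- * Attempt to label a socket using the NetLabel mechanism using the given
- * SID. Returns zero values on success, negative values on failure.
+ * Attempt to label a socket using the NetLabel mechanism. Returns zero values
+ * on success, negative values on failure.
  *
  */
-static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid)
+static int selinux_netlbl_sock_setsid(struct sock *sk)
 {
 	int rc;
 	struct sk_security_struct *sksec = sk->sk_security;
 	struct netlbl_lsm_secattr secattr;
 
+	if (sksec->nlbl_state != NLBL_REQUIRE)
+		return 0;
+
 	netlbl_secattr_init(&secattr);
 
-	rc = security_netlbl_sid_to_secattr(sid, &secattr);
+	rc = security_netlbl_sid_to_secattr(sksec->sid, &secattr);
 	if (rc != 0)
 		goto sock_setsid_return;
 	rc = netlbl_sock_setattr(sk, &secattr);
@@ -174,24 +176,10 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
  */
 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
 {
-	struct sk_security_struct *sksec = sk->sk_security;
-	struct netlbl_lsm_secattr secattr;
-	u32 nlbl_peer_sid;
-
-	if (sksec->nlbl_state != NLBL_REQUIRE)
-		return;
-
-	netlbl_secattr_init(&secattr);
-	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
-	    secattr.flags != NETLBL_SECATTR_NONE &&
-	    security_netlbl_secattr_to_sid(&secattr, &nlbl_peer_sid) == 0)
-		sksec->peer_sid = nlbl_peer_sid;
-	netlbl_secattr_destroy(&secattr);
-
 	/* Try to set the NetLabel on the socket to save time later, if we fail
 	 * here we will pick up the pieces in later calls to
 	 * selinux_netlbl_inode_permission(). */
-	selinux_netlbl_sock_setsid(sk, sksec->sid);
+	selinux_netlbl_sock_setsid(sk);
 }
 
 /**
@@ -205,13 +193,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
  */
 int selinux_netlbl_socket_post_create(struct socket *sock)
 {
-	struct sock *sk = sock->sk;
-	struct sk_security_struct *sksec = sk->sk_security;
-
-	if (sksec->nlbl_state != NLBL_REQUIRE)
-		return 0;
-
-	return selinux_netlbl_sock_setsid(sk, sksec->sid);
+	return selinux_netlbl_sock_setsid(sock->sk);
 }
 
 /**
@@ -246,7 +228,7 @@ int selinux_netlbl_inode_permission(struct inode *inode, int mask)
 	local_bh_disable();
 	bh_lock_sock_nested(sk);
 	if (likely(sksec->nlbl_state == NLBL_REQUIRE))
-		rc = selinux_netlbl_sock_setsid(sk, sksec->sid);
+		rc = selinux_netlbl_sock_setsid(sk);
 	else
 		rc = 0;
 	bh_unlock_sock(sk);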
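Review bot: The kernel-doc on selinux_netlbl_sock_setsid() in the first hunk no longer matches the function: the new early return at new-side line 81 makes it return 0 without touching the socket whenever sksec->nlbl_state != NLBL_REQUIRE, yet the Description still reads as if zero always means a label was applied, which matters now that selinux_netlbl_socket_post_create() passes that value straight back and selinux_netlbl_inode_permission() treats it as success. Suggest extending the Description with ` * Returns zero without labeling the socket if it is not in the NLBL_REQUIRE` and ` * state, otherwise zero on success and negative values on failure.` With the state check moved into the callee, the `likely(sksec->nlbl_state == NLBL_REQUIRE)` test in the last hunk is now a redundant (harmless) second check, and the callee's own check runs in whatever locking context the caller provides, which only selinux_netlbl_inode_permission() visibly takes. The second hunk removes the netlbl_sock_getattr()-based peer_sid assignment from selinux_netlbl_sock_graft() with no replacement visible on this page; if the peer label is now obtained elsewhere, a one-line comment at that call site saying where would spare the next reader the search. The body of selinux_netlbl_sock_setsid() continues past the end of the first hunk.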