Commit ba6ff9f2 authored by Paul Moore's avatar Paul Moore Committed by David S. Miller

[NetLabel]: consolidate the struct socket/sock handling to just struct sock

The current NetLabel code has some redundant APIs which allow both
"struct socket" and "struct sock" types to be used; this may have made
sense at some point but it is wasteful now.  Remove the functions that
operate on sockets and convert the callers.  Not only does this make
the code smaller and more consistent but it pushes the locking burden
up to the caller which can be more intelligent about the locks.  Also,
perform the same conversion (socket to sock) on the SELinux/NetLabel
glue code where it make sense.
Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Acked-by: default avatarJames Morris <jmorris@namei.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 6363097c
...@@ -203,12 +203,10 @@ static inline int cipso_v4_cache_add(const struct sk_buff *skb, ...@@ -203,12 +203,10 @@ static inline int cipso_v4_cache_add(const struct sk_buff *skb,
#ifdef CONFIG_NETLABEL #ifdef CONFIG_NETLABEL
void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway); void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
int cipso_v4_socket_setattr(const struct socket *sock, int cipso_v4_sock_setattr(struct sock *sk,
const struct cipso_v4_doi *doi_def, const struct cipso_v4_doi *doi_def,
const struct netlbl_lsm_secattr *secattr); const struct netlbl_lsm_secattr *secattr);
int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr); int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
int cipso_v4_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr);
int cipso_v4_skbuff_getattr(const struct sk_buff *skb, int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
struct netlbl_lsm_secattr *secattr); struct netlbl_lsm_secattr *secattr);
int cipso_v4_validate(unsigned char **option); int cipso_v4_validate(unsigned char **option);
...@@ -220,7 +218,7 @@ static inline void cipso_v4_error(struct sk_buff *skb, ...@@ -220,7 +218,7 @@ static inline void cipso_v4_error(struct sk_buff *skb,
return; return;
} }
static inline int cipso_v4_socket_setattr(const struct socket *sock, static inline int cipso_v4_sock_setattr(struct sock *sk,
const struct cipso_v4_doi *doi_def, const struct cipso_v4_doi *doi_def,
const struct netlbl_lsm_secattr *secattr) const struct netlbl_lsm_secattr *secattr)
{ {
...@@ -233,12 +231,6 @@ static inline int cipso_v4_sock_getattr(struct sock *sk, ...@@ -233,12 +231,6 @@ static inline int cipso_v4_sock_getattr(struct sock *sk,
return -ENOSYS; return -ENOSYS;
} }
static inline int cipso_v4_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
{
return -ENOSYS;
}
static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb, static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
struct netlbl_lsm_secattr *secattr) struct netlbl_lsm_secattr *secattr)
{ {
......
...@@ -332,17 +332,15 @@ static inline int netlbl_secattr_catmap_setrng( ...@@ -332,17 +332,15 @@ static inline int netlbl_secattr_catmap_setrng(
*/ */
#ifdef CONFIG_NETLABEL #ifdef CONFIG_NETLABEL
int netlbl_socket_setattr(const struct socket *sock, int netlbl_sock_setattr(struct sock *sk,
const struct netlbl_lsm_secattr *secattr); const struct netlbl_lsm_secattr *secattr);
int netlbl_sock_getattr(struct sock *sk, int netlbl_sock_getattr(struct sock *sk,
struct netlbl_lsm_secattr *secattr); struct netlbl_lsm_secattr *secattr);
int netlbl_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr);
int netlbl_skbuff_getattr(const struct sk_buff *skb, int netlbl_skbuff_getattr(const struct sk_buff *skb,
struct netlbl_lsm_secattr *secattr); struct netlbl_lsm_secattr *secattr);
void netlbl_skbuff_err(struct sk_buff *skb, int error); void netlbl_skbuff_err(struct sk_buff *skb, int error);
#else #else
static inline int netlbl_socket_setattr(const struct socket *sock, static inline int netlbl_sock_setattr(struct sock *sk,
const struct netlbl_lsm_secattr *secattr) const struct netlbl_lsm_secattr *secattr)
{ {
return -ENOSYS; return -ENOSYS;
...@@ -354,12 +352,6 @@ static inline int netlbl_sock_getattr(struct sock *sk, ...@@ -354,12 +352,6 @@ static inline int netlbl_sock_getattr(struct sock *sk,
return -ENOSYS; return -ENOSYS;
} }
static inline int netlbl_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
{
return -ENOSYS;
}
static inline int netlbl_skbuff_getattr(const struct sk_buff *skb, static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
struct netlbl_lsm_secattr *secattr) struct netlbl_lsm_secattr *secattr)
{ {
......
...@@ -1709,20 +1709,20 @@ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway) ...@@ -1709,20 +1709,20 @@ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
} }
/** /**
* cipso_v4_socket_setattr - Add a CIPSO option to a socket * cipso_v4_sock_setattr - Add a CIPSO option to a socket
* @sock: the socket * @sk: the socket
* @doi_def: the CIPSO DOI to use * @doi_def: the CIPSO DOI to use
* @secattr: the specific security attributes of the socket * @secattr: the specific security attributes of the socket
* *
* Description: * Description:
* Set the CIPSO option on the given socket using the DOI definition and * Set the CIPSO option on the given socket using the DOI definition and
* security attributes passed to the function. This function requires * security attributes passed to the function. This function requires
* exclusive access to @sock->sk, which means it either needs to be in the * exclusive access to @sk, which means it either needs to be in the
* process of being created or locked via lock_sock(sock->sk). Returns zero on * process of being created or locked. Returns zero on success and negative
* success and negative values on failure. * values on failure.
* *
*/ */
int cipso_v4_socket_setattr(const struct socket *sock, int cipso_v4_sock_setattr(struct sock *sk,
const struct cipso_v4_doi *doi_def, const struct cipso_v4_doi *doi_def,
const struct netlbl_lsm_secattr *secattr) const struct netlbl_lsm_secattr *secattr)
{ {
...@@ -1732,7 +1732,6 @@ int cipso_v4_socket_setattr(const struct socket *sock, ...@@ -1732,7 +1732,6 @@ int cipso_v4_socket_setattr(const struct socket *sock,
u32 buf_len = 0; u32 buf_len = 0;
u32 opt_len; u32 opt_len;
struct ip_options *opt = NULL; struct ip_options *opt = NULL;
struct sock *sk;
struct inet_sock *sk_inet; struct inet_sock *sk_inet;
struct inet_connection_sock *sk_conn; struct inet_connection_sock *sk_conn;
...@@ -1740,7 +1739,6 @@ int cipso_v4_socket_setattr(const struct socket *sock, ...@@ -1740,7 +1739,6 @@ int cipso_v4_socket_setattr(const struct socket *sock,
* defined yet but it is not a problem as the only users of these * defined yet but it is not a problem as the only users of these
* "lite" PF_INET sockets are functions which do an accept() call * "lite" PF_INET sockets are functions which do an accept() call
* afterwards so we will label the socket as part of the accept(). */ * afterwards so we will label the socket as part of the accept(). */
sk = sock->sk;
if (sk == NULL) if (sk == NULL)
return 0; return 0;
...@@ -1891,29 +1889,6 @@ int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) ...@@ -1891,29 +1889,6 @@ int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
return ret_val; return ret_val;
} }
/**
* cipso_v4_socket_getattr - Get the security attributes from a socket
* @sock: the socket
* @secattr: the security attributes
*
* Description:
* Query @sock to see if there is a CIPSO option attached to the socket and if
* there is return the CIPSO security attributes in @secattr. Returns zero on
* success and negative values on failure.
*
*/
int cipso_v4_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
{
int ret_val;
lock_sock(sock->sk);
ret_val = cipso_v4_sock_getattr(sock->sk, secattr);
release_sock(sock->sk);
return ret_val;
}
/** /**
* cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option * cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option
* @skb: the packet * @skb: the packet
......
...@@ -246,18 +246,17 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap, ...@@ -246,18 +246,17 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
/** /**
* netlbl_socket_setattr - Label a socket using the correct protocol * netlbl_socket_setattr - Label a socket using the correct protocol
* @sock: the socket to label * @sk: the socket to label
* @secattr: the security attributes * @secattr: the security attributes
* *
* Description: * Description:
* Attach the correct label to the given socket using the security attributes * Attach the correct label to the given socket using the security attributes
* specified in @secattr. This function requires exclusive access to * specified in @secattr. This function requires exclusive access to @sk,
* @sock->sk, which means it either needs to be in the process of being * which means it either needs to be in the process of being created or locked.
* created or locked via lock_sock(sock->sk). Returns zero on success, * Returns zero on success, negative values on failure.
* negative values on failure.
* *
*/ */
int netlbl_socket_setattr(const struct socket *sock, int netlbl_sock_setattr(struct sock *sk,
const struct netlbl_lsm_secattr *secattr) const struct netlbl_lsm_secattr *secattr)
{ {
int ret_val = -ENOENT; int ret_val = -ENOENT;
...@@ -269,7 +268,7 @@ int netlbl_socket_setattr(const struct socket *sock, ...@@ -269,7 +268,7 @@ int netlbl_socket_setattr(const struct socket *sock,
goto socket_setattr_return; goto socket_setattr_return;
switch (dom_entry->type) { switch (dom_entry->type) {
case NETLBL_NLTYPE_CIPSOV4: case NETLBL_NLTYPE_CIPSOV4:
ret_val = cipso_v4_socket_setattr(sock, ret_val = cipso_v4_sock_setattr(sk,
dom_entry->type_def.cipsov4, dom_entry->type_def.cipsov4,
secattr); secattr);
break; break;
...@@ -308,30 +307,6 @@ int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) ...@@ -308,30 +307,6 @@ int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
return netlbl_unlabel_getattr(secattr); return netlbl_unlabel_getattr(secattr);
} }
/**
* netlbl_socket_getattr - Determine the security attributes of a socket
* @sock: the socket
* @secattr: the security attributes
*
* Description:
* Examines the given socket to see any NetLabel style labeling has been
* applied to the socket, if so it parses the socket label and returns the
* security attributes in @secattr. Returns zero on success, negative values
* on failure.
*
*/
int netlbl_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
{
int ret_val;
ret_val = cipso_v4_socket_getattr(sock, secattr);
if (ret_val == 0)
return 0;
return netlbl_unlabel_getattr(secattr);
}
/** /**
* netlbl_skbuff_getattr - Determine the security attributes of a packet * netlbl_skbuff_getattr - Determine the security attributes of a packet
* @skb: the packet * @skb: the packet
......
...@@ -36,8 +36,8 @@ ...@@ -36,8 +36,8 @@
#include "security.h" #include "security.h"
/** /**
* selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
* @sock: the socket to label * @sk: the socket to label
* @sid: the SID to use * @sid: the SID to use
* *
* Description: * Description:
...@@ -47,17 +47,17 @@ ...@@ -47,17 +47,17 @@
* this function and rcu_read_unlock() after this function returns. * this function and rcu_read_unlock() after this function returns.
* *
*/ */
static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid)
{ {
int rc; int rc;
struct sk_security_struct *sksec = sock->sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr secattr; struct netlbl_lsm_secattr secattr;
rc = security_netlbl_sid_to_secattr(sid, &secattr); rc = security_netlbl_sid_to_secattr(sid, &secattr);
if (rc != 0) if (rc != 0)
return rc; return rc;
rc = netlbl_socket_setattr(sock, &secattr); rc = netlbl_sock_setattr(sk, &secattr);
if (rc == 0) { if (rc == 0) {
spin_lock_bh(&sksec->nlbl_lock); spin_lock_bh(&sksec->nlbl_lock);
sksec->nlbl_state = NLBL_LABELED; sksec->nlbl_state = NLBL_LABELED;
...@@ -206,7 +206,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) ...@@ -206,7 +206,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
/* Try to set the NetLabel on the socket to save time later, if we fail /* Try to set the NetLabel on the socket to save time later, if we fail
* here we will pick up the pieces in later calls to * here we will pick up the pieces in later calls to
* selinux_netlbl_inode_permission(). */ * selinux_netlbl_inode_permission(). */
selinux_netlbl_socket_setsid(sock, sksec->sid); selinux_netlbl_sock_setsid(sk, sksec->sid);
rcu_read_unlock(); rcu_read_unlock();
} }
...@@ -223,14 +223,15 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) ...@@ -223,14 +223,15 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
int selinux_netlbl_socket_post_create(struct socket *sock) int selinux_netlbl_socket_post_create(struct socket *sock)
{ {
int rc = 0; int rc = 0;
struct sock *sk = sock->sk;
struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
struct sk_security_struct *sksec = sock->sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
sksec->sclass = isec->sclass; sksec->sclass = isec->sclass;
rcu_read_lock(); rcu_read_lock();
if (sksec->nlbl_state == NLBL_REQUIRE) if (sksec->nlbl_state == NLBL_REQUIRE)
rc = selinux_netlbl_socket_setsid(sock, sksec->sid); rc = selinux_netlbl_sock_setsid(sk, sksec->sid);
rcu_read_unlock(); rcu_read_unlock();
return rc; return rc;
...@@ -251,14 +252,16 @@ int selinux_netlbl_socket_post_create(struct socket *sock) ...@@ -251,14 +252,16 @@ int selinux_netlbl_socket_post_create(struct socket *sock)
int selinux_netlbl_inode_permission(struct inode *inode, int mask) int selinux_netlbl_inode_permission(struct inode *inode, int mask)
{ {
int rc; int rc;
struct sk_security_struct *sksec; struct sock *sk;
struct socket *sock; struct socket *sock;
struct sk_security_struct *sksec;
if (!S_ISSOCK(inode->i_mode) || if (!S_ISSOCK(inode->i_mode) ||
((mask & (MAY_WRITE | MAY_APPEND)) == 0)) ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
return 0; return 0;
sock = SOCKET_I(inode); sock = SOCKET_I(inode);
sksec = sock->sk->sk_security; sk = sock->sk;
sksec = sk->sk_security;
rcu_read_lock(); rcu_read_lock();
if (sksec->nlbl_state != NLBL_REQUIRE) { if (sksec->nlbl_state != NLBL_REQUIRE) {
...@@ -266,9 +269,9 @@ int selinux_netlbl_inode_permission(struct inode *inode, int mask) ...@@ -266,9 +269,9 @@ int selinux_netlbl_inode_permission(struct inode *inode, int mask)
return 0; return 0;
} }
local_bh_disable(); local_bh_disable();
bh_lock_sock_nested(sock->sk); bh_lock_sock_nested(sk);
rc = selinux_netlbl_socket_setsid(sock, sksec->sid); rc = selinux_netlbl_sock_setsid(sk, sksec->sid);
bh_unlock_sock(sock->sk); bh_unlock_sock(sk);
local_bh_enable(); local_bh_enable();
rcu_read_unlock(); rcu_read_unlock();
...@@ -345,14 +348,17 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, ...@@ -345,14 +348,17 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
int optname) int optname)
{ {
int rc = 0; int rc = 0;
struct sk_security_struct *sksec = sock->sk->sk_security; struct sock *sk = sock->sk;
struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr secattr; struct netlbl_lsm_secattr secattr;
rcu_read_lock(); rcu_read_lock();
if (level == IPPROTO_IP && optname == IP_OPTIONS && if (level == IPPROTO_IP && optname == IP_OPTIONS &&
sksec->nlbl_state == NLBL_LABELED) { sksec->nlbl_state == NLBL_LABELED) {
netlbl_secattr_init(&secattr); netlbl_secattr_init(&secattr);
rc = netlbl_socket_getattr(sock, &secattr); lock_sock(sk);
rc = netlbl_sock_getattr(sk, &secattr);
release_sock(sk);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
rc = -EACCES; rc = -EACCES;
netlbl_secattr_destroy(&secattr); netlbl_secattr_destroy(&secattr);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment