Commit 4f6a993f authored by Paul Moore's avatar Paul Moore Committed by James Morris

SELinux: move security_skb_extlbl_sid() out of the security server

As suggested, move the security_skb_extlbl_sid() function out of the security
server and into the SELinux hooks file.
Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 588a3157
...@@ -3123,6 +3123,34 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, ...@@ -3123,6 +3123,34 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
return ret; return ret;
} }
/**
* selinux_skb_extlbl_sid - Determine the external label of a packet
* @skb: the packet
* @base_sid: the SELinux SID to use as a context for MLS only external labels
* @sid: the packet's SID
*
* Description:
* Check the various different forms of external packet labeling and determine
* the external SID for the packet.
*
*/
static void selinux_skb_extlbl_sid(struct sk_buff *skb,
u32 base_sid,
u32 *sid)
{
u32 xfrm_sid;
u32 nlbl_sid;
selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (selinux_netlbl_skbuff_getsid(skb,
(xfrm_sid == SECSID_NULL ?
base_sid : xfrm_sid),
&nlbl_sid) != 0)
nlbl_sid = SECSID_NULL;
*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
}
/* socket security operations */ /* socket security operations */
static int socket_has_perm(struct task_struct *task, struct socket *sock, static int socket_has_perm(struct task_struct *task, struct socket *sock,
u32 perms) u32 perms)
...@@ -3664,9 +3692,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * ...@@ -3664,9 +3692,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
if (sock && sock->sk->sk_family == PF_UNIX) if (sock && sock->sk->sk_family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb) else if (skb)
security_skb_extlbl_sid(skb, selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
SECINITSID_UNLABELED,
&peer_secid);
if (peer_secid == SECSID_NULL) if (peer_secid == SECSID_NULL)
err = -EINVAL; err = -EINVAL;
...@@ -3727,7 +3753,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, ...@@ -3727,7 +3753,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
u32 newsid; u32 newsid;
u32 peersid; u32 peersid;
security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
if (peersid == SECSID_NULL) { if (peersid == SECSID_NULL) {
req->secid = sksec->sid; req->secid = sksec->sid;
req->peer_secid = SECSID_NULL; req->peer_secid = SECSID_NULL;
...@@ -3765,7 +3791,7 @@ static void selinux_inet_conn_established(struct sock *sk, ...@@ -3765,7 +3791,7 @@ static void selinux_inet_conn_established(struct sock *sk,
{ {
struct sk_security_struct *sksec = sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
} }
static void selinux_req_classify_flow(const struct request_sock *req, static void selinux_req_classify_flow(const struct request_sock *req,
......
...@@ -34,7 +34,6 @@ ...@@ -34,7 +34,6 @@
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS #define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS
#endif #endif
struct sk_buff;
struct netlbl_lsm_secattr; struct netlbl_lsm_secattr;
extern int selinux_enabled; extern int selinux_enabled;
...@@ -83,8 +82,6 @@ int security_netif_sid(char *name, u32 *if_sid, ...@@ -83,8 +82,6 @@ int security_netif_sid(char *name, u32 *if_sid,
int security_node_sid(u16 domain, void *addr, u32 addrlen, int security_node_sid(u16 domain, void *addr, u32 addrlen,
u32 *out_sid); u32 *out_sid);
void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
u16 tclass); u16 tclass);
......
...@@ -39,7 +39,6 @@ ...@@ -39,7 +39,6 @@
#include <linux/sched.h> #include <linux/sched.h>
#include <linux/audit.h> #include <linux/audit.h>
#include <linux/mutex.h> #include <linux/mutex.h>
#include <net/sock.h>
#include <net/netlabel.h> #include <net/netlabel.h>
#include "flask.h" #include "flask.h"
...@@ -2198,32 +2197,6 @@ void selinux_audit_set_callback(int (*callback)(void)) ...@@ -2198,32 +2197,6 @@ void selinux_audit_set_callback(int (*callback)(void))
aurule_callback = callback; aurule_callback = callback;
} }
/**
* security_skb_extlbl_sid - Determine the external label of a packet
* @skb: the packet
* @base_sid: the SELinux SID to use as a context for MLS only external labels
* @sid: the packet's SID
*
* Description:
* Check the various different forms of external packet labeling and determine
* the external SID for the packet.
*
*/
void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
{
u32 xfrm_sid;
u32 nlbl_sid;
selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (selinux_netlbl_skbuff_getsid(skb,
(xfrm_sid == SECSID_NULL ?
base_sid : xfrm_sid),
&nlbl_sid) != 0)
nlbl_sid = SECSID_NULL;
*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
}
#ifdef CONFIG_NETLABEL #ifdef CONFIG_NETLABEL
/* /*
* NetLabel cache structure * NetLabel cache structure
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment