hooks.c (3d5271f9883cba7b54762bc4fe027d4172f06db7) | hooks.c (d28d1e080132f28ab773291f10ad6acca4c8bba2) |
---|---|
1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 59 unchanged lines hidden (view full) --- 68#include <linux/personality.h> 69#include <linux/sysctl.h> 70#include <linux/audit.h> 71#include <linux/string.h> 72 73#include "avc.h" 74#include "objsec.h" 75#include "netif.h" | 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 59 unchanged lines hidden (view full) --- 68#include <linux/personality.h> 69#include <linux/sysctl.h> 70#include <linux/audit.h> 71#include <linux/string.h> 72 73#include "avc.h" 74#include "objsec.h" 75#include "netif.h" |
76#include "xfrm.h" |
|
76 77#define XATTR_SELINUX_SUFFIX "selinux" 78#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 79 80extern unsigned int policydb_loaded_version; 81extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 82 83#ifdef CONFIG_SECURITY_SELINUX_DEVELOP --- 3260 unchanged lines hidden (view full) --- 3344 sk->sk_protocol, ntohs(ad.u.net.sport), 3345 &port_sid); 3346 if (err) 3347 goto out; 3348 3349 err = avc_has_perm(sock_sid, port_sid, 3350 sock_class, recv_perm, &ad); 3351 } | 77 78#define XATTR_SELINUX_SUFFIX "selinux" 79#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 80 81extern unsigned int policydb_loaded_version; 82extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 83 84#ifdef CONFIG_SECURITY_SELINUX_DEVELOP --- 3260 unchanged lines hidden (view full) --- 3345 sk->sk_protocol, ntohs(ad.u.net.sport), 3346 &port_sid); 3347 if (err) 3348 goto out; 3349 3350 err = avc_has_perm(sock_sid, port_sid, 3351 sock_class, recv_perm, &ad); 3352 } |
3353 3354 if (!err) 3355 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb); 3356 |
|
3352out: 3353 return err; 3354} 3355 3356static int selinux_socket_getpeersec(struct socket *sock, char __user *optval, 3357 int __user *optlen, unsigned len) 3358{ 3359 int err = 0; --- 36 unchanged lines hidden (view full) --- 3396 return sk_alloc_security(sk, family, priority); 3397} 3398 3399static void selinux_sk_free_security(struct sock *sk) 3400{ 3401 sk_free_security(sk); 3402} 3403 | 3357out: 3358 return err; 3359} 3360 3361static int selinux_socket_getpeersec(struct socket *sock, char __user *optval, 3362 int __user *optlen, unsigned len) 3363{ 3364 int err = 0; --- 36 unchanged lines hidden (view full) --- 3401 return sk_alloc_security(sk, family, priority); 3402} 3403 3404static void selinux_sk_free_security(struct sock *sk) 3405{ 3406 sk_free_security(sk); 3407} 3408 |
3409static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir) 3410{ 3411 struct inode_security_struct *isec; 3412 u32 sock_sid = SECINITSID_ANY_SOCKET; 3413 3414 if (!sk) 3415 return selinux_no_sk_sid(fl); 3416 3417 read_lock_bh(&sk->sk_callback_lock); 3418 isec = get_sock_isec(sk); 3419 3420 if (isec) 3421 sock_sid = isec->sid; 3422 3423 read_unlock_bh(&sk->sk_callback_lock); 3424 return sock_sid; 3425} 3426 |
|
3404static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 3405{ 3406 int err = 0; 3407 u32 perm; 3408 struct nlmsghdr *nlh; 3409 struct socket *sock = sk->sk_socket; 3410 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 3411 --- 119 unchanged lines hidden (view full) --- 3531 &port_sid) ? NF_DROP : NF_ACCEPT; 3532 if (err != NF_ACCEPT) 3533 goto out; 3534 3535 err = avc_has_perm(isec->sid, port_sid, isec->sclass, 3536 send_perm, &ad) ? NF_DROP : NF_ACCEPT; 3537 } 3538 | 3427static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 3428{ 3429 int err = 0; 3430 u32 perm; 3431 struct nlmsghdr *nlh; 3432 struct socket *sock = sk->sk_socket; 3433 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 3434 --- 119 unchanged lines hidden (view full) --- 3554 &port_sid) ? NF_DROP : NF_ACCEPT; 3555 if (err != NF_ACCEPT) 3556 goto out; 3557 3558 err = avc_has_perm(isec->sid, port_sid, isec->sclass, 3559 send_perm, &ad) ? NF_DROP : NF_ACCEPT; 3560 } 3561 |
3562 if (err != NF_ACCEPT) 3563 goto out; 3564 3565 err = selinux_xfrm_postroute_last(isec->sid, skb); 3566 |
|
3539out: 3540 return err; 3541} 3542 3543static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum, 3544 struct sk_buff **pskb, 3545 const struct net_device *in, 3546 const struct net_device *out, --- 828 unchanged lines hidden (view full) --- 4375 .socket_getpeername = selinux_socket_getpeername, 4376 .socket_getsockopt = selinux_socket_getsockopt, 4377 .socket_setsockopt = selinux_socket_setsockopt, 4378 .socket_shutdown = selinux_socket_shutdown, 4379 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 4380 .socket_getpeersec = selinux_socket_getpeersec, 4381 .sk_alloc_security = selinux_sk_alloc_security, 4382 .sk_free_security = selinux_sk_free_security, | 3567out: 3568 return err; 3569} 3570 3571static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum, 3572 struct sk_buff **pskb, 3573 const struct net_device *in, 3574 const struct net_device *out, --- 828 unchanged lines hidden (view full) --- 4403 .socket_getpeername = selinux_socket_getpeername, 4404 .socket_getsockopt = selinux_socket_getsockopt, 4405 .socket_setsockopt = selinux_socket_setsockopt, 4406 .socket_shutdown = selinux_socket_shutdown, 4407 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, 4408 .socket_getpeersec = selinux_socket_getpeersec, 4409 .sk_alloc_security = selinux_sk_alloc_security, 4410 .sk_free_security = selinux_sk_free_security, |
4411 .sk_getsid = selinux_sk_getsid_security, |
|
4383#endif | 4412#endif |
4413 4414#ifdef CONFIG_SECURITY_NETWORK_XFRM 4415 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 4416 .xfrm_policy_clone_security = selinux_xfrm_policy_clone, 4417 .xfrm_policy_free_security = selinux_xfrm_policy_free, 4418 .xfrm_state_alloc_security = selinux_xfrm_state_alloc, 4419 .xfrm_state_free_security = selinux_xfrm_state_free, 4420 .xfrm_policy_lookup = selinux_xfrm_policy_lookup, 4421#endif |
|
4384}; 4385 4386static __init int selinux_init(void) 4387{ 4388 struct task_security_struct *tsec; 4389 4390 if (!selinux_enabled) { 4391 printk(KERN_INFO "SELinux: Disabled at boot.\n"); --- 94 unchanged lines hidden (view full) --- 4486 4487#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4488 4489 err = nf_register_hook(&selinux_ipv6_op); 4490 if (err) 4491 panic("SELinux: nf_register_hook for IPv6: error %d\n", err); 4492 4493#endif /* IPV6 */ | 4422}; 4423 4424static __init int selinux_init(void) 4425{ 4426 struct task_security_struct *tsec; 4427 4428 if (!selinux_enabled) { 4429 printk(KERN_INFO "SELinux: Disabled at boot.\n"); --- 94 unchanged lines hidden (view full) --- 4524 4525#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4526 4527 err = nf_register_hook(&selinux_ipv6_op); 4528 if (err) 4529 panic("SELinux: nf_register_hook for IPv6: error %d\n", err); 4530 4531#endif /* IPV6 */ |
4532 |
|
4494out: 4495 return err; 4496} 4497 4498__initcall(selinux_nf_ip_init); 4499 4500#ifdef CONFIG_SECURITY_SELINUX_DISABLE 4501static void selinux_nf_ip_exit(void) --- 52 unchanged lines hidden --- | 4533out: 4534 return err; 4535} 4536 4537__initcall(selinux_nf_ip_init); 4538 4539#ifdef CONFIG_SECURITY_SELINUX_DISABLE 4540static void selinux_nf_ip_exit(void) --- 52 unchanged lines hidden --- |
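Review bot: At new line 3565 the raw return value of `selinux_xfrm_postroute_last()` becomes the netfilter verdict, whereas every other verdict in this function is built explicitly with `? NF_DROP : NF_ACCEPT`; that is only correct if the callee returns NF_ACCEPT/NF_DROP rather than the 0/-errno convention that the sibling call `selinux_xfrm_sock_rcv_skb()` at 3355 relies on — under the errno convention a permitted packet would come back as 0, which is NF_DROP (the callee is not visible here, please confirm; the enclosing postroute function also starts above the shown lines). Both calls and `selinux_sk_getsid_security` are compiled whenever CONFIG_SECURITY_NETWORK is on, independently of the CONFIG_SECURITY_NETWORK_XFRM guard that wraps only the hook table at 4414–4421, so xfrm.h must supply no-op inline stubs for the disabled configuration returning 0 and NF_ACCEPT respectively. I would pin the contract at the call site with `/* returns a netfilter verdict (NF_ACCEPT/NF_DROP), not -errno */` above line 3565. Separately, the `dir` parameter of `selinux_sk_getsid_security` at 3409 is never read, and the fall-through to SECINITSID_ANY_SOCKET when `get_sock_isec()` yields NULL deserves a one-line comment explaining why a socket without inode security (e.g. one already orphaned) is deliberately given the generic socket SID for the policy lookup instead of being denied.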