hooks.c (4d1e24514d80cb266231d0c1b6c02161970ad019) | hooks.c (d4f2d97841827cb876da8b607df05a3dab812416) |
1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 3657 unchanged lines hidden (view full) --- 3666 " unable to determine packet's peer label\n"); 3667 return -EACCES; 3668 } 3669 3670 return 0; 3671} 3672 3673/* socket security operations */ | 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 3657 unchanged lines hidden (view full) --- 3666 " unable to determine packet's peer label\n"); 3667 return -EACCES; 3668 } 3669 3670 return 0; 3671} 3672 3673/* socket security operations */ |
3674 3675static u32 socket_sockcreate_sid(const struct task_security_struct *tsec) 3676{ 3677 return tsec->sockcreate_sid ? : tsec->sid; 3678} 3679 |
3674static int socket_has_perm(struct task_struct *task, struct socket *sock, 3675 u32 perms) 3676{ 3677 struct inode_security_struct *isec; 3678 struct common_audit_data ad; 3679 u32 sid; 3680 int err = 0; 3681 --- 11 unchanged lines hidden (view full) --- 3693 return err; 3694} 3695 3696static int selinux_socket_create(int family, int type, 3697 int protocol, int kern) 3698{ 3699 const struct cred *cred = current_cred(); 3700 const struct task_security_struct *tsec = cred->security; | 3680static int socket_has_perm(struct task_struct *task, struct socket *sock, 3681 u32 perms) 3682{ 3683 struct inode_security_struct *isec; 3684 struct common_audit_data ad; 3685 u32 sid; 3686 int err = 0; 3687 --- 11 unchanged lines hidden (view full) --- 3699 return err; 3700} 3701 3702static int selinux_socket_create(int family, int type, 3703 int protocol, int kern) 3704{ 3705 const struct cred *cred = current_cred(); 3706 const struct task_security_struct *tsec = cred->security; |
3701 u32 sid, newsid; | 3707 u32 newsid; |
3702 u16 secclass; | 3708 u16 secclass; |
3703 int err = 0; | |
3704 3705 if (kern) | 3709 3710 if (kern) |
3706 goto out; | 3711 return 0; |
3707 | 3712 |
3708 sid = tsec->sid; 3709 newsid = tsec->sockcreate_sid ?: sid; 3710 | 3713 newsid = socket_sockcreate_sid(tsec); |
3711 secclass = socket_type_to_security_class(family, type, protocol); | 3714 secclass = socket_type_to_security_class(family, type, protocol); |
3712 err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL); 3713 3714out: 3715 return err; | 3715 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); |
3716} 3717 3718static int selinux_socket_post_create(struct socket *sock, int family, 3719 int type, int protocol, int kern) 3720{ 3721 const struct cred *cred = current_cred(); 3722 const struct task_security_struct *tsec = cred->security; | 3716} 3717 3718static int selinux_socket_post_create(struct socket *sock, int family, 3719 int type, int protocol, int kern) 3720{ 3721 const struct cred *cred = current_cred(); 3722 const struct task_security_struct *tsec = cred->security; |
3723 struct inode_security_struct *isec; | 3723 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; |
3724 struct sk_security_struct *sksec; | 3724 struct sk_security_struct *sksec; |
3725 u32 sid, newsid; | |
3726 int err = 0; 3727 | 3725 int err = 0; 3726 |
3728 sid = tsec->sid; 3729 newsid = tsec->sockcreate_sid; 3730 3731 isec = SOCK_INODE(sock)->i_security; 3732 | |
3733 if (kern) 3734 isec->sid = SECINITSID_KERNEL; | 3727 if (kern) 3728 isec->sid = SECINITSID_KERNEL; |
3735 else if (newsid) 3736 isec->sid = newsid; | |
3737 else | 3729 else |
3738 isec->sid = sid; | 3730 isec->sid = socket_sockcreate_sid(tsec); |
3739 3740 isec->sclass = socket_type_to_security_class(family, type, protocol); 3741 isec->initialized = 1; 3742 3743 if (sock->sk) { 3744 sksec = sock->sk->sk_security; 3745 sksec->sid = isec->sid; 3746 sksec->sclass = isec->sclass; --- 2058 unchanged lines hidden --- | 3731 3732 isec->sclass = socket_type_to_security_class(family, type, protocol); 3733 isec->initialized = 1; 3734 3735 if (sock->sk) { 3736 sksec = sock->sk->sk_security; 3737 sksec->sid = isec->sid; 3738 sksec->sclass = isec->sclass; --- 2058 unchanged lines hidden --- |
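Review bot: The new helper `socket_sockcreate_sid` (new side 3675–3678) has no comment stating the fallback it encodes, and its `? :` spelling of the GNU elvis operator differs from the `?:` used on the removed line 3709 and elsewhere in the file. Suggest a one-line comment above it, `/* SID for a socket created by this task: the sockcreate override if set, else the task's own SID. */`, and writing the body as `return tsec->sockcreate_sid ?: tsec->sid;` so the spelling is consistent. Routing both `selinux_socket_create` (the `avc_has_perm` target at new 3715) and `selinux_socket_post_create` (the label at new 3730) through the same helper is what guarantees the SID that was permission-checked is the one the socket inode actually receives; that invariant is worth a sentence in the helper's comment too, since a future caller using `tsec->sid` directly would silently break it. `socket_has_perm`'s body is hidden and `selinux_socket_post_create` continues past the end of the section, so neither is reviewed here.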