hooks.c (948bf85c1bc9a84754786a9d5dd99b7ecc46451e) hooks.c (014ab19a69c325f52d7bae54ceeda73d6307ae0c)
1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>

--- 3780 unchanged lines hidden (view full) ---

3789 goto out;
3790 }
3791out:
3792 return err;
3793}
3794
3795static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3796{
1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>

--- 3780 unchanged lines hidden (view full) ---

3789 goto out;
3790 }
3791out:
3792 return err;
3793}
3794
3795static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3796{
3797 struct sock *sk = sock->sk;
3797 struct inode_security_struct *isec;
3798 int err;
3799
3800 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3801 if (err)
3802 return err;
3803
3804 /*
3805 * If a TCP or DCCP socket, check name_connect permission for the port.
3806 */
3807 isec = SOCK_INODE(sock)->i_security;
3808 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3809 isec->sclass == SECCLASS_DCCP_SOCKET) {
3798 struct inode_security_struct *isec;
3799 int err;
3800
3801 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3802 if (err)
3803 return err;
3804
3805 /*
3806 * If a TCP or DCCP socket, check name_connect permission for the port.
3807 */
3808 isec = SOCK_INODE(sock)->i_security;
3809 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3810 isec->sclass == SECCLASS_DCCP_SOCKET) {
3810 struct sock *sk = sock->sk;
3811 struct avc_audit_data ad;
3812 struct sockaddr_in *addr4 = NULL;
3813 struct sockaddr_in6 *addr6 = NULL;
3814 unsigned short snum;
3815 u32 sid, perm;
3816
3817 if (sk->sk_family == PF_INET) {
3818 addr4 = (struct sockaddr_in *)address;

--- 17 unchanged lines hidden (view full) ---

3836 AVC_AUDIT_DATA_INIT(&ad, NET);
3837 ad.u.net.dport = htons(snum);
3838 ad.u.net.family = sk->sk_family;
3839 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3840 if (err)
3841 goto out;
3842 }
3843
3811 struct avc_audit_data ad;
3812 struct sockaddr_in *addr4 = NULL;
3813 struct sockaddr_in6 *addr6 = NULL;
3814 unsigned short snum;
3815 u32 sid, perm;
3816
3817 if (sk->sk_family == PF_INET) {
3818 addr4 = (struct sockaddr_in *)address;

--- 17 unchanged lines hidden (view full) ---

3836 AVC_AUDIT_DATA_INIT(&ad, NET);
3837 ad.u.net.dport = htons(snum);
3838 ad.u.net.family = sk->sk_family;
3839 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3840 if (err)
3841 goto out;
3842 }
3843
3844 err = selinux_netlbl_socket_connect(sk, address);
3845
3844out:
3845 return err;
3846}
3847
3848static int selinux_socket_listen(struct socket *sock, int backlog)
3849{
3850 return socket_has_perm(current, sock, SOCKET__LISTEN);
3851}

--- 433 unchanged lines hidden (view full) ---

4285{
4286 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4287 struct sk_security_struct *sksec = sk->sk_security;
4288
4289 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4290 sk->sk_family == PF_UNIX)
4291 isec->sid = sksec->sid;
4292 sksec->sclass = isec->sclass;
3846out:
3847 return err;
3848}
3849
3850static int selinux_socket_listen(struct socket *sock, int backlog)
3851{
3852 return socket_has_perm(current, sock, SOCKET__LISTEN);
3853}

--- 433 unchanged lines hidden (view full) ---

4287{
4288 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4289 struct sk_security_struct *sksec = sk->sk_security;
4290
4291 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4292 sk->sk_family == PF_UNIX)
4293 isec->sid = sksec->sid;
4294 sksec->sclass = isec->sclass;
4293
4294 selinux_netlbl_sock_graft(sk, parent);
4295}
4296
4297static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4298 struct request_sock *req)
4299{
4300 struct sk_security_struct *sksec = sk->sk_security;
4301 int err;
4302 u16 family = sk->sk_family;

--- 34 unchanged lines hidden (view full) ---

4337 So we will wait until sock_graft to do it, by which
4338 time it will have been created and available. */
4339
4340 /* We don't need to take any sort of lock here as we are the only
4341 * thread with access to newsksec */
4342 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4343}
4344
4295}
4296
4297static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4298 struct request_sock *req)
4299{
4300 struct sk_security_struct *sksec = sk->sk_security;
4301 int err;
4302 u16 family = sk->sk_family;

--- 34 unchanged lines hidden (view full) ---

4337 So we will wait until sock_graft to do it, by which
4338 time it will have been created and available. */
4339
4340 /* We don't need to take any sort of lock here as we are the only
4341 * thread with access to newsksec */
4342 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4343}
4344
4345static void selinux_inet_conn_established(struct sock *sk,
4346 struct sk_buff *skb)
4345static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4347{
4348 u16 family = sk->sk_family;
4349 struct sk_security_struct *sksec = sk->sk_security;
4350
4351 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4352 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4353 family = PF_INET;
4354
4355 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4346{
4347 u16 family = sk->sk_family;
4348 struct sk_security_struct *sksec = sk->sk_security;
4349
4350 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4351 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4352 family = PF_INET;
4353
4354 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4355
4356 selinux_netlbl_inet_conn_established(sk, family);
4356}
4357
4358static void selinux_req_classify_flow(const struct request_sock *req,
4359 struct flowi *fl)
4360{
4361 fl->secid = req->secid;
4362}
4363

--- 1490 unchanged lines hidden ---
4357}
4358
4359static void selinux_req_classify_flow(const struct request_sock *req,
4360 struct flowi *fl)
4361{
4362 fl->secid = req->secid;
4363}
4364

--- 1490 unchanged lines hidden ---
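Review bot: The new `err = selinux_netlbl_socket_connect(sk, address);` in selinux_socket_connect (new-side 3844) forwards `address` but drops `addrlen`, and it now runs for every socket class, whereas the only length/family validation visible in this hook lives inside the TCP/DCCP branch (the `addr4`/`addr6` casts, most of it in the 17 hidden lines). If the callee casts `address` to `struct sockaddr_in`/`sockaddr_in6` keyed on `sk->sk_family`, it is relying on a length the caller had but did not pass on; the kernel-side copy of the user address is presumably a fixed-size buffer, so this reads as a contract gap rather than an out-of-bounds read, but it should be stated. Either pass `addrlen` through, or document the assumption at the call site: `/* NetLabel must key on sk->sk_family and be a no-op for non-INET sockets; addrlen is not re-checked here */`. The removal of `selinux_netlbl_sock_graft()` and the new `selinux_netlbl_inet_conn_established(sk, family)` in the void hook mean any labeling failure on the accepted socket is silently dropped; a one-line comment there noting that failure is not reportable from this hook would help the next reader.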