hooks.c (9f2ad66509b182b399a5b03de487f45bde623524) hooks.c (3de4bab5b9f8848a0c16a4b1ffe0452f0d670237)
1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>

--- 3560 unchanged lines hidden (view full) ---

3569static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3570 int __user *optlen, unsigned len)
3571{
3572 int err = 0;
3573 char *scontext;
3574 u32 scontext_len;
3575 struct sk_security_struct *ssec;
3576 struct inode_security_struct *isec;
1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>

--- 3560 unchanged lines hidden (view full) ---

3569static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3570 int __user *optlen, unsigned len)
3571{
3572 int err = 0;
3573 char *scontext;
3574 u32 scontext_len;
3575 struct sk_security_struct *ssec;
3576 struct inode_security_struct *isec;
3577 u32 peer_sid = 0;
3577 u32 peer_sid = SECSID_NULL;
3578
3579 isec = SOCK_INODE(sock)->i_security;
3580
3578
3579 isec = SOCK_INODE(sock)->i_security;
3580
3581 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3582 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3581 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
3582 isec->sclass == SECCLASS_TCP_SOCKET) {
3583 ssec = sock->sk->sk_security;
3584 peer_sid = ssec->peer_sid;
3585 }
3583 ssec = sock->sk->sk_security;
3584 peer_sid = ssec->peer_sid;
3585 }
3586 else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3587 peer_sid = selinux_netlbl_socket_getpeersec_stream(sock);
3588 if (peer_sid == SECSID_NULL) {
3589 ssec = sock->sk->sk_security;
3590 peer_sid = ssec->peer_sid;
3591 }
3592 if (peer_sid == SECSID_NULL) {
3593 err = -ENOPROTOOPT;
3594 goto out;
3595 }
3596 }
3597 else {
3586 if (peer_sid == SECSID_NULL) {
3598 err = -ENOPROTOOPT;
3599 goto out;
3600 }
3601
3602 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3603
3604 if (err)
3605 goto out;

--- 15 unchanged lines hidden (view full) ---

3621 return err;
3622}
3623
3624static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3625{
3626 u32 peer_secid = SECSID_NULL;
3627 int err = 0;
3628
3587 err = -ENOPROTOOPT;
3588 goto out;
3589 }
3590
3591 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3592
3593 if (err)
3594 goto out;

--- 15 unchanged lines hidden (view full) ---

3610 return err;
3611}
3612
3613static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3614{
3615 u32 peer_secid = SECSID_NULL;
3616 int err = 0;
3617
3629 if (sock && (sock->sk->sk_family == PF_UNIX))
3618 if (sock && sock->sk->sk_family == PF_UNIX)
3630 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3619 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3631 else if (skb) {
3632 peer_secid = selinux_netlbl_socket_getpeersec_dgram(skb);
3633 if (peer_secid == SECSID_NULL)
3634 peer_secid = selinux_socket_getpeer_dgram(skb);
3635 }
3620 else if (skb)
3621 security_skb_extlbl_sid(skb,
3622 SECINITSID_UNLABELED,
3623 &peer_secid);
3636
3637 if (peer_secid == SECSID_NULL)
3638 err = -EINVAL;
3639 *secid = peer_secid;
3640
3641 return err;
3642}
3643

--- 44 unchanged lines hidden (view full) ---

3688static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3689 struct request_sock *req)
3690{
3691 struct sk_security_struct *sksec = sk->sk_security;
3692 int err;
3693 u32 newsid;
3694 u32 peersid;
3695
3624
3625 if (peer_secid == SECSID_NULL)
3626 err = -EINVAL;
3627 *secid = peer_secid;
3628
3629 return err;
3630}
3631

--- 44 unchanged lines hidden (view full) ---

3676static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3677 struct request_sock *req)
3678{
3679 struct sk_security_struct *sksec = sk->sk_security;
3680 int err;
3681 u32 newsid;
3682 u32 peersid;
3683
3696 newsid = selinux_netlbl_inet_conn_request(skb, sksec->sid);
3697 if (newsid != SECSID_NULL) {
3698 req->secid = newsid;
3699 return 0;
3700 }
3701
3702 selinux_skb_xfrm_sid(skb, &peersid);
3703
3684 security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
3704 if (peersid == SECSID_NULL) {
3705 req->secid = sksec->sid;
3685 if (peersid == SECSID_NULL) {
3686 req->secid = sksec->sid;
3706 req->peer_secid = 0;
3687 req->peer_secid = SECSID_NULL;
3707 return 0;
3708 }
3709
3710 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
3711 if (err)
3712 return err;
3713
3714 req->secid = newsid;

--- 18 unchanged lines hidden (view full) ---

3733 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
3734}
3735
3736static void selinux_inet_conn_established(struct sock *sk,
3737 struct sk_buff *skb)
3738{
3739 struct sk_security_struct *sksec = sk->sk_security;
3740
3688 return 0;
3689 }
3690
3691 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
3692 if (err)
3693 return err;
3694
3695 req->secid = newsid;

--- 18 unchanged lines hidden (view full) ---

3714 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
3715}
3716
3717static void selinux_inet_conn_established(struct sock *sk,
3718 struct sk_buff *skb)
3719{
3720 struct sk_security_struct *sksec = sk->sk_security;
3721
3741 selinux_skb_xfrm_sid(skb, &sksec->peer_sid);
3722 security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
3742}
3743
3744static void selinux_req_classify_flow(const struct request_sock *req,
3745 struct flowi *fl)
3746{
3747 fl->secid = req->secid;
3748}
3749

--- 1270 unchanged lines hidden ---
3723}
3724
3725static void selinux_req_classify_flow(const struct request_sock *req,
3726 struct flowi *fl)
3727{
3728 fl->secid = req->secid;
3729}
3730

--- 1270 unchanged lines hidden ---
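Review bot: The merged condition in selinux_socket_getpeersec_stream (new lines 3581-3585) now reads only `ssec->peer_sid` for TCP sockets, so the label returned to a TCP caller depends entirely on `sk_security->peer_sid` having been filled in earlier; the hunk shows selinux_inet_conn_established (new line 3722) doing that through security_skb_extlbl_sid, but the accepted-socket path that would have to carry `req->peer_secid` into the child socket is in the hidden part of the file, so please confirm it is covered. The old comment at 3581 ("if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa") was dropped without a replacement, and the new shape deserves one, e.g. `/* UNIX_STREAM and TCP sockets both cache the peer label in sk_security->peer_sid; for TCP it is presumably set at connection establishment */`. In selinux_socket_getpeersec_dgram (new lines 3620-3623) the result of security_skb_extlbl_sid is discarded; its signature is not visible here, but if it can fail without writing a label then `peer_secid` keeps its initial `SECSID_NULL` and the -EINVAL check below is the only guard, which is worth stating in a short comment above the call. Both functions begin and end within this section; the selinux_inet_csk_clone body referenced above does not.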