hooks.c (dd0a11815a339d6deeea8357574f8126a8404c92) hooks.c (da2ea0d05671f878196cc949906aa89d15c567db)
1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>

--- 39 unchanged lines hidden (view full) ---

48#include <linux/mount.h>
49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
53#include <net/ip.h> /* for local_port_range[] */
54#include <net/sock.h>
55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>

--- 39 unchanged lines hidden (view full) ---

48#include <linux/mount.h>
49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
53#include <net/ip.h> /* for local_port_range[] */
54#include <net/sock.h>
55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56#include <net/inet_connection_sock.h>
56#include <net/net_namespace.h>
57#include <net/netlabel.h>
58#include <linux/uaccess.h>
59#include <asm/ioctls.h>
60#include <linux/atomic.h>
61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */

--- 4662 unchanged lines hidden (view full) ---

4726{
4727 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4728}
4729#endif /* IPV6 */
4730
4731static unsigned int selinux_ip_output(struct sk_buff *skb,
4732 u16 family)
4733{
57#include <net/net_namespace.h>
58#include <net/netlabel.h>
59#include <linux/uaccess.h>
60#include <asm/ioctls.h>
61#include <linux/atomic.h>
62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */

--- 4662 unchanged lines hidden (view full) ---

4727{
4728 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4729}
4730#endif /* IPV6 */
4731
4732static unsigned int selinux_ip_output(struct sk_buff *skb,
4733 u16 family)
4734{
4735 struct sock *sk;
4734 u32 sid;
4735
4736 if (!netlbl_enabled())
4737 return NF_ACCEPT;
4738
4739 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4740 * because we want to make sure we apply the necessary labeling
4741 * before IPsec is applied so we can leverage AH protection */
4736 u32 sid;
4737
4738 if (!netlbl_enabled())
4739 return NF_ACCEPT;
4740
4741 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4742 * because we want to make sure we apply the necessary labeling
4743 * before IPsec is applied so we can leverage AH protection */
4742 if (skb->sk) {
4743 struct sk_security_struct *sksec = skb->sk->sk_security;
4744 sk = skb->sk;
4745 if (sk) {
4746 struct sk_security_struct *sksec;
4747
4748 if (sk->sk_state == TCP_LISTEN)
4749 /* if the socket is the listening state then this
4750 * packet is a SYN-ACK packet which means it needs to
4751 * be labeled based on the connection/request_sock and
4752 * not the parent socket. unfortunately, we can't
4753 * lookup the request_sock yet as it isn't queued on
4754 * the parent socket until after the SYN-ACK is sent.
4755 * the "solution" is to simply pass the packet as-is
4756 * as any IP option based labeling should be copied
4757 * from the initial connection request (in the IP
4758 * layer). it is far from ideal, but until we get a
4759 * security label in the packet itself this is the
4760 * best we can do. */
4761 return NF_ACCEPT;
4762
4763 /* standard practice, label using the parent socket */
4764 sksec = sk->sk_security;
4744 sid = sksec->sid;
4745 } else
4746 sid = SECINITSID_KERNEL;
4747 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4748 return NF_DROP;
4749
4750 return NF_ACCEPT;
4751}

--- 1279 unchanged lines hidden ---
4765 sid = sksec->sid;
4766 } else
4767 sid = SECINITSID_KERNEL;
4768 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4769 return NF_DROP;
4770
4771 return NF_ACCEPT;
4772}

--- 1279 unchanged lines hidden ---
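Review bot: The listener bypass at new lines 4748–4761 keys only on `sk->sk_state == TCP_LISTEN` and never looks at the protocol, yet the comment justifies it purely in terms of TCP SYN-ACK/request_sock behaviour; any other connection-oriented socket sitting in TCP_LISTEN would presumably now leave this hook with no NetLabel label set, where the old code labeled it with the parent socket's SID, which is a silent relaxation. If TCP alone is intended, narrowing the condition makes that explicit, e.g. `if (sk->sk_state == TCP_LISTEN && sk->sk_protocol == IPPROTO_TCP)`; if every listener is meant to bypass labeling, the comment should say so rather than describe only SYN-ACKs. As a style point, a twelve-line comment wedged between a braceless `if` and its lone `return NF_ACCEPT;` is easy to misread as a commented-out body; placing the comment above the `if` keeps the condition and its statement adjacent. The added `#include <net/inet_connection_sock.h>` is not exercised by anything visible in this section, so it is worth confirming it is needed by the hidden part of the change.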