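--- a/services.c
+++ b/services.c
@@ -1,8 +1,8 @@
 /*
  * Implementation of the security services.
  *
  * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
  *           James Morris <jmorris@redhat.com>
  *
  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
  *
@@ -2418,62 +2418,103 @@
 	netlbl_secattr_destroy(&secattr, 0);
 
 netlbl_socket_setsid_return:
 	POLICY_RDUNLOCK;
 	return rc;
 }
 
 /**
+ * selinux_netlbl_sk_security_init - Setup the NetLabel fields
+ * @ssec: the sk_security_struct
+ * @family: the socket family
+ *
+ * Description:
+ * Called when a new sk_security_struct is allocated to initialize the NetLabel
+ * fields.
+ *
+ */
+void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
+				     int family)
+{
+	if (family == PF_INET)
+		ssec->nlbl_state = NLBL_REQUIRE;
+	else
+		ssec->nlbl_state = NLBL_UNSET;
+}
+
+/**
+ * selinux_netlbl_sk_clone_security - Copy the NetLabel fields
+ * @ssec: the original sk_security_struct
+ * @newssec: the cloned sk_security_struct
+ *
+ * Description:
+ * Clone the NetLabel specific sk_security_struct fields from @ssec to
+ * @newssec.
+ *
+ */
+void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
+				      struct sk_security_struct *newssec)
+{
+	newssec->sclass = ssec->sclass;
+	if (ssec->nlbl_state != NLBL_UNSET)
+		newssec->nlbl_state = NLBL_REQUIRE;
+	else
+		newssec->nlbl_state = NLBL_UNSET;
+}
+
+/**
  * selinux_netlbl_socket_post_create - Label a socket using NetLabel
  * @sock: the socket to label
  * @sock_family: the socket family
  * @sid: the SID to use
  *
  * Description:
  * Attempt to label a socket using the NetLabel mechanism using the given
  * SID. Returns zero values on success, negative values on failure.
  *
  */
 int selinux_netlbl_socket_post_create(struct socket *sock,
 				      int sock_family,
 				      u32 sid)
 {
 	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
 	struct sk_security_struct *sksec = sock->sk->sk_security;
 
+	sksec->sclass = isec->sclass;
+
 	if (sock_family != PF_INET)
 		return 0;
 
-	sksec->sclass = isec->sclass;
 	sksec->nlbl_state = NLBL_REQUIRE;
 	return selinux_netlbl_socket_setsid(sock, sid);
 }
 
 /**
  * selinux_netlbl_sock_graft - Netlabel the new socket
  * @sk: the new connection
  * @sock: the new socket
  *
  * Description:
  * The connection represented by @sk is being grafted onto @sock so set the
  * socket's NetLabel to match the SID of @sk.
  *
  */
 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
 {
 	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
 	struct sk_security_struct *sksec = sk->sk_security;
 
+	sksec->sclass = isec->sclass;
+
 	if (sk->sk_family != PF_INET)
 		return;
 
 	sksec->nlbl_state = NLBL_REQUIRE;
 	sksec->peer_sid = sksec->sid;
-	sksec->sclass = isec->sclass;
 
 	/* Try to set the NetLabel on the socket to save time later, if we fail
 	 * here we will pick up the pieces in later calls to
 	 * selinux_netlbl_inode_permission(). */
 	selinux_netlbl_socket_setsid(sock, sksec->sid);
 }
 
 /**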
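Review bot: selinux_netlbl_sk_clone_security (new lines 2454-2462) does not copy nlbl_state verbatim as its kernel-doc ("Clone the NetLabel specific sk_security_struct fields") suggests: any parent state other than NLBL_UNSET is collapsed to NLBL_REQUIRE on the clone, and peer_sid is not carried over at all. Presumably this is because the cloned socket has no NetLabel applied yet and must be relabeled on first use, but the code does not say so, and a later reader checking why a labeled parent yields an unlabeled-looking child will have to guess. A why-comment on the if, along the lines of `/* the clone has not been labeled yet, so a labeled parent only tells us a label is still required */`, and a sentence in the Description noting that nlbl_state is reset rather than copied (and that peer_sid is intentionally left alone, if it is) would close that gap. The same hidden contract applies to the NLBL_REQUIRE/NLBL_UNSET split in selinux_netlbl_sk_security_init (lines 2435-2442), which mirrors the PF_INET early returns in post_create and sock_graft without referencing them; a one-line cross-reference there would keep the three in sync.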