services.c (9f2ad66509b182b399a5b03de487f45bde623524) services.c (3de4bab5b9f8848a0c16a4b1ffe0452f0d670237)
1/*
2 * Implementation of the security services.
3 *
4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5 * James Morris <jmorris@redhat.com>
6 *
7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8 *


49#include "context.h"
50#include "policydb.h"
51#include "sidtab.h"
52#include "services.h"
53#include "conditional.h"
54#include "mls.h"
55#include "objsec.h"
56#include "selinux_netlabel.h"
1/*
2 * Implementation of the security services.
3 *
4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5 * James Morris <jmorris@redhat.com>
6 *
7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8 *


49#include "context.h"
50#include "policydb.h"
51#include "sidtab.h"
52#include "services.h"
53#include "conditional.h"
54#include "mls.h"
55#include "objsec.h"
56#include "selinux_netlabel.h"
57#include "xfrm.h"
57
58extern void selnl_notify_policyload(u32 seqno);
59unsigned int policydb_loaded_version;
60
61/*
62 * This is declared in avc.c
63 */
64extern const struct selinux_class_perm selinux_class_perm;


2186}
2187__initcall(aurule_init);
2188
2189void selinux_audit_set_callback(int (*callback)(void))
2190{
2191 aurule_callback = callback;
2192}
2193
58
59extern void selnl_notify_policyload(u32 seqno);
60unsigned int policydb_loaded_version;
61
62/*
63 * This is declared in avc.c
64 */
65extern const struct selinux_class_perm selinux_class_perm;


2187}
2188__initcall(aurule_init);
2189
2190void selinux_audit_set_callback(int (*callback)(void))
2191{
2192 aurule_callback = callback;
2193}
2194
2195/**
2196 * security_skb_extlbl_sid - Determine the external label of a packet
2197 * @skb: the packet
2198 * @base_sid: the SELinux SID to use as a context for MLS only external labels
2199 * @sid: the packet's SID
2200 *
2201 * Description:
2202 * Check the various different forms of external packet labeling and determine
2203 * the external SID for the packet.
2204 *
2205 */
2206void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
2207{
2208 u32 xfrm_sid;
2209 u32 nlbl_sid;
2210
2211 selinux_skb_xfrm_sid(skb, &xfrm_sid);
2212 if (selinux_netlbl_skbuff_getsid(skb,
2213 (xfrm_sid == SECSID_NULL ?
2214 base_sid : xfrm_sid),
2215 &nlbl_sid) != 0)
2216 nlbl_sid = SECSID_NULL;
2217
2218 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
2219}
2220
2194#ifdef CONFIG_NETLABEL
2195/*
2196 * This is the structure we store inside the NetLabel cache block.
2197 */
2198#define NETLBL_CACHE(x) ((struct netlbl_cache *)(x))
2199#define NETLBL_CACHE_T_NONE 0
2200#define NETLBL_CACHE_T_SID 1
2201#define NETLBL_CACHE_T_MLS 2


2403 * @sid: the SID
2404 *
2405 * Description:
2406 * Call the NetLabel mechanism to get the security attributes of the given
2407 * packet and use those attributes to determine the correct context/SID to
2408 * assign to the packet. Returns zero on success, negative values on failure.
2409 *
2410 */
2221#ifdef CONFIG_NETLABEL
2222/*
2223 * This is the structure we store inside the NetLabel cache block.
2224 */
2225#define NETLBL_CACHE(x) ((struct netlbl_cache *)(x))
2226#define NETLBL_CACHE_T_NONE 0
2227#define NETLBL_CACHE_T_SID 1
2228#define NETLBL_CACHE_T_MLS 2


2430 * @sid: the SID
2431 *
2432 * Description:
2433 * Call the NetLabel mechanism to get the security attributes of the given
2434 * packet and use those attributes to determine the correct context/SID to
2435 * assign to the packet. Returns zero on success, negative values on failure.
2436 *
2437 */
2411static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
2412 u32 base_sid,
2413 u32 *sid)
2438int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
2414{
2415 int rc;
2416 struct netlbl_lsm_secattr secattr;
2417
2418 netlbl_secattr_init(&secattr);
2419 rc = netlbl_skbuff_getattr(skb, &secattr);
2420 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
2421 rc = selinux_netlbl_secattr_to_sid(skb,


2611 * here we will pick up the pieces in later calls to
2612 * selinux_netlbl_inode_permission(). */
2613 selinux_netlbl_socket_setsid(sock, sksec->sid);
2614
2615 rcu_read_unlock();
2616}
2617
2618/**
2439{
2440 int rc;
2441 struct netlbl_lsm_secattr secattr;
2442
2443 netlbl_secattr_init(&secattr);
2444 rc = netlbl_skbuff_getattr(skb, &secattr);
2445 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
2446 rc = selinux_netlbl_secattr_to_sid(skb,


2636 * here we will pick up the pieces in later calls to
2637 * selinux_netlbl_inode_permission(). */
2638 selinux_netlbl_socket_setsid(sock, sksec->sid);
2639
2640 rcu_read_unlock();
2641}
2642
2643/**
2619 * selinux_netlbl_inet_conn_request - Handle a new connection request
2620 * @skb: the packet
2621 * @sock_sid: the SID of the parent socket
2622 *
2623 * Description:
2624 * If present, use the security attributes of the packet in @skb and the
2625 * parent sock's SID to arrive at a SID for the new child sock. Returns the
2626 * SID of the connection or SECSID_NULL on failure.
2627 *
2628 */
2629u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
2630{
2631 int rc;
2632 u32 peer_sid;
2633
2634 rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);
2635 if (rc != 0)
2636 return SECSID_NULL;
2637
2638 return peer_sid;
2639}
2640
2641/**
2642 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
2643 * @inode: the file descriptor's inode
2644 * @mask: the permission mask
2645 *
2646 * Description:
2647 * Looks at a file's inode and if it is marked as a socket protected by
2648 * NetLabel then verify that the socket has been labeled, if not try to label
2649 * the socket now with the inode's SID. Returns zero on success, negative


2723 if (rc == 0)
2724 return 0;
2725
2726 netlbl_skbuff_err(skb, rc);
2727 return rc;
2728}
2729
2730/**
2644 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
2645 * @inode: the file descriptor's inode
2646 * @mask: the permission mask
2647 *
2648 * Description:
2649 * Looks at a file's inode and if it is marked as a socket protected by
2650 * NetLabel then verify that the socket has been labeled, if not try to label
2651 * the socket now with the inode's SID. Returns zero on success, negative


2725 if (rc == 0)
2726 return 0;
2727
2728 netlbl_skbuff_err(skb, rc);
2729 return rc;
2730}
2731
2732/**
2731 * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
2732 * @sock: the socket
2733 *
2734 * Description:
2735 * Examine @sock to find the connected peer's SID. Returns the SID on success
2736 * or SECSID_NULL on error.
2737 *
2738 */
2739u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
2740{
2741 struct sk_security_struct *sksec = sock->sk->sk_security;
2742 return sksec->peer_sid;
2743}
2744
2745/**
2746 * selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet
2747 * @skb: the packet
2748 *
2749 * Description:
2750 * Examine @skb to find the SID assigned to it by NetLabel. Returns the SID on
2751 * success, SECSID_NULL on error.
2752 *
2753 */
2754u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
2755{
2756 int peer_sid;
2757
2758 if (selinux_netlbl_skbuff_getsid(skb,
2759 SECINITSID_UNLABELED,
2760 &peer_sid) != 0)
2761 return SECSID_NULL;
2762
2763 return peer_sid;
2764}
2765
2766/**
2767 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
2768 * @sock: the socket
2769 * @level: the socket level or protocol
2770 * @optname: the socket option name
2771 *
2772 * Description:
2773 * Check the setsockopt() call and if the user is trying to replace the IP
2774 * options on a socket and a NetLabel is in place for the socket deny the

2733 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
2734 * @sock: the socket
2735 * @level: the socket level or protocol
2736 * @optname: the socket option name
2737 *
2738 * Description:
2739 * Check the setsockopt() call and if the user is trying to replace the IP
2740 * options on a socket and a NetLabel is in place for the socket deny the

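Review bot: In the new security_skb_extlbl_sid() (new-side lines 2206-2219) `u32 xfrm_sid;` is declared without an initializer and the return value of `selinux_skb_xfrm_sid(skb, &xfrm_sid)` is discarded, so the `xfrm_sid == SECSID_NULL` test and the final assignment read whatever the helper left there; unless selinux_skb_xfrm_sid() is guaranteed to store SECSID_NULL on every failure path (not visible on this page), that is an uninitialized read, and `u32 xfrm_sid = SECSID_NULL;` closes the gap at no cost. The same function also maps any non-zero return from selinux_netlbl_skbuff_getsid() to `nlbl_sid = SECSID_NULL`, so a failed NetLabel lookup (e.g. attributes that could not be mapped to a SID) becomes indistinguishable from "no NetLabel on this packet" and silently falls back to the xfrm SID or SECSID_NULL; the function is void, so callers cannot tell the two apart, which should at least be stated so nobody treats SECSID_NULL here as a verified unlabeled state. The kernel-doc block should also record the precedence the code implements: a NetLabel-derived SID wins over the xfrm SID, and the xfrm SID (when present) is what is used as the MLS context for a NetLabel-only label, e.g. `* A NetLabel SID, when one can be derived, takes precedence over the xfrm SID; a NetLabel lookup error is treated the same as no label.` The surrounding selinux_netlbl_socket_setsockopt() at the end of this section continues outside the page and is not reviewed here.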