|
|
@@ -67,6 +67,38 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
|
|
|
return rc;
|
|
|
}
|
|
|
|
|
|
+/**
|
|
|
+ * selinux_netlbl_sock_genattr - Generate the NetLabel socket secattr
|
|
|
+ * @sk: the socket
|
|
|
+ *
|
|
|
+ * Description:
|
|
|
+ * Generate the NetLabel security attributes for a socket, making full use of
|
|
|
+ * the socket's attribute cache. Returns a pointer to the security attributes
|
|
|
+ * on success, NULL on failure.
|
|
|
+ *
|
|
|
+ */
|
|
|
+static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
|
|
|
+{
|
|
|
+ int rc;
|
|
|
+ struct sk_security_struct *sksec = sk->sk_security;
|
|
|
+ struct netlbl_lsm_secattr *secattr;
|
|
|
+
|
|
|
+ if (sksec->nlbl_secattr != NULL)
|
|
|
+ return sksec->nlbl_secattr;
|
|
|
+
|
|
|
+ secattr = netlbl_secattr_alloc(GFP_ATOMIC);
|
|
|
+ if (secattr == NULL)
|
|
|
+ return NULL;
|
|
|
+ rc = security_netlbl_sid_to_secattr(sksec->sid, secattr);
|
|
|
+ if (rc != 0) {
|
|
|
+ netlbl_secattr_free(secattr);
|
|
|
+ return NULL;
|
|
|
+ }
|
|
|
+ sksec->nlbl_secattr = secattr;
|
|
|
+
|
|
|
+ return secattr;
|
|
|
+}
|
|
|
+
|
|
|
/**
|
|
|
* selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
|
|
|
* @sk: the socket to label
|
|
|
@@ -80,17 +112,15 @@ static int selinux_netlbl_sock_setsid(struct sock *sk)
|
|
|
{
|
|
|
int rc;
|
|
|
struct sk_security_struct *sksec = sk->sk_security;
|
|
|
- struct netlbl_lsm_secattr secattr;
|
|
|
+ struct netlbl_lsm_secattr *secattr;
|
|
|
|
|
|
if (sksec->nlbl_state != NLBL_REQUIRE)
|
|
|
return 0;
|
|
|
|
|
|
- netlbl_secattr_init(&secattr);
|
|
|
-
|
|
|
- rc = security_netlbl_sid_to_secattr(sksec->sid, &secattr);
|
|
|
- if (rc != 0)
|
|
|
- goto sock_setsid_return;
|
|
|
- rc = netlbl_sock_setattr(sk, &secattr);
|
|
|
+ secattr = selinux_netlbl_sock_genattr(sk);
|
|
|
+ if (secattr == NULL)
|
|
|
+ return -ENOMEM;
|
|
|
+ rc = netlbl_sock_setattr(sk, secattr);
|
|
|
switch (rc) {
|
|
|
case 0:
|
|
|
sksec->nlbl_state = NLBL_LABELED;
|
|
|
@@ -101,8 +131,6 @@ static int selinux_netlbl_sock_setsid(struct sock *sk)
|
|
|
break;
|
|
|
}
|
|
|
|
|
|
-sock_setsid_return:
|
|
|
- netlbl_secattr_destroy(&secattr);
|
|
|
return rc;
|
|
|
}
|
|
|
|
|
|
@@ -136,6 +164,20 @@ void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway)
|
|
|
netlbl_skbuff_err(skb, error, gateway);
|
|
|
}
|
|
|
|
|
|
+/**
|
|
|
+ * selinux_netlbl_sk_security_free - Free the NetLabel fields
|
|
|
+ * @sssec: the sk_security_struct
|
|
|
+ *
|
|
|
+ * Description:
|
|
|
+ * Free all of the memory in the NetLabel fields of a sk_security_struct.
|
|
|
+ *
|
|
|
+ */
|
|
|
+void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec)
|
|
|
+{
|
|
|
+ if (ssec->nlbl_secattr != NULL)
|
|
|
+ netlbl_secattr_free(ssec->nlbl_secattr);
|
|
|
+}
|
|
|
+
|
|
|
/**
|
|
|
* selinux_netlbl_sk_security_reset - Reset the NetLabel fields
|
|
|
* @ssec: the sk_security_struct
|
|
|
@@ -209,7 +251,8 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
|
|
|
u32 sid)
|
|
|
{
|
|
|
int rc;
|
|
|
- struct netlbl_lsm_secattr secattr;
|
|
|
+ struct netlbl_lsm_secattr secattr_storage;
|
|
|
+ struct netlbl_lsm_secattr *secattr = NULL;
|
|
|
struct sock *sk;
|
|
|
|
|
|
/* if this is a locally generated packet check to see if it is already
|
|
|
@@ -219,16 +262,21 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
|
|
|
struct sk_security_struct *sksec = sk->sk_security;
|
|
|
if (sksec->nlbl_state != NLBL_REQSKB)
|
|
|
return 0;
|
|
|
+ secattr = sksec->nlbl_secattr;
|
|
|
+ }
|
|
|
+ if (secattr == NULL) {
|
|
|
+ secattr = &secattr_storage;
|
|
|
+ netlbl_secattr_init(secattr);
|
|
|
+ rc = security_netlbl_sid_to_secattr(sid, secattr);
|
|
|
+ if (rc != 0)
|
|
|
+ goto skbuff_setsid_return;
|
|
|
}
|
|
|
|
|
|
- netlbl_secattr_init(&secattr);
|
|
|
- rc = security_netlbl_sid_to_secattr(sid, &secattr);
|
|
|
- if (rc != 0)
|
|
|
- goto skbuff_setsid_return;
|
|
|
- rc = netlbl_skbuff_setattr(skb, family, &secattr);
|
|
|
+ rc = netlbl_skbuff_setattr(skb, family, secattr);
|
|
|
|
|
|
skbuff_setsid_return:
|
|
|
- netlbl_secattr_destroy(&secattr);
|
|
|
+ if (secattr == &secattr_storage)
|
|
|
+ netlbl_secattr_destroy(secattr);
|
|
|
return rc;
|
|
|
}
|
|
|
|
|
|
@@ -245,18 +293,18 @@ void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family)
|
|
|
{
|
|
|
int rc;
|
|
|
struct sk_security_struct *sksec = sk->sk_security;
|
|
|
- struct netlbl_lsm_secattr secattr;
|
|
|
+ struct netlbl_lsm_secattr *secattr;
|
|
|
struct inet_sock *sk_inet = inet_sk(sk);
|
|
|
struct sockaddr_in addr;
|
|
|
|
|
|
if (sksec->nlbl_state != NLBL_REQUIRE)
|
|
|
return;
|
|
|
|
|
|
- netlbl_secattr_init(&secattr);
|
|
|
- if (security_netlbl_sid_to_secattr(sksec->sid, &secattr) != 0)
|
|
|
- goto inet_conn_established_return;
|
|
|
+ secattr = selinux_netlbl_sock_genattr(sk);
|
|
|
+ if (secattr == NULL)
|
|
|
+ return;
|
|
|
|
|
|
- rc = netlbl_sock_setattr(sk, &secattr);
|
|
|
+ rc = netlbl_sock_setattr(sk, secattr);
|
|
|
switch (rc) {
|
|
|
case 0:
|
|
|
sksec->nlbl_state = NLBL_LABELED;
|
|
|
@@ -266,13 +314,13 @@ void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family)
|
|
|
* labeling protocols */
|
|
|
if (family != PF_INET) {
|
|
|
sksec->nlbl_state = NLBL_UNSET;
|
|
|
- goto inet_conn_established_return;
|
|
|
+ return;
|
|
|
}
|
|
|
|
|
|
addr.sin_family = family;
|
|
|
addr.sin_addr.s_addr = sk_inet->daddr;
|
|
|
if (netlbl_conn_setattr(sk, (struct sockaddr *)&addr,
|
|
|
- &secattr) != 0) {
|
|
|
+ secattr) != 0) {
|
|
|
/* we failed to label the connected socket (could be
|
|
|
* for a variety of reasons, the actual "why" isn't
|
|
|
* important here) so we have to go to our backup plan,
|
|
|
@@ -300,10 +348,6 @@ void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family)
|
|
|
* return an error code */
|
|
|
break;
|
|
|
}
|
|
|
-
|
|
|
-inet_conn_established_return:
|
|
|
- netlbl_secattr_destroy(&secattr);
|
|
|
- return;
|
|
|
}
|
|
|
|
|
|
/**
|
|
|
@@ -468,13 +512,12 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
|
|
|
{
|
|
|
int rc;
|
|
|
struct sk_security_struct *sksec = sk->sk_security;
|
|
|
- struct netlbl_lsm_secattr secattr;
|
|
|
+ struct netlbl_lsm_secattr *secattr;
|
|
|
|
|
|
if (sksec->nlbl_state != NLBL_REQSKB &&
|
|
|
sksec->nlbl_state != NLBL_CONNLABELED)
|
|
|
return 0;
|
|
|
|
|
|
- netlbl_secattr_init(&secattr);
|
|
|
local_bh_disable();
|
|
|
bh_lock_sock_nested(sk);
|
|
|
|
|
|
@@ -487,17 +530,17 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
|
|
|
rc = 0;
|
|
|
goto socket_connect_return;
|
|
|
}
|
|
|
- rc = security_netlbl_sid_to_secattr(sksec->sid, &secattr);
|
|
|
- if (rc != 0)
|
|
|
+ secattr = selinux_netlbl_sock_genattr(sk);
|
|
|
+ if (secattr == NULL) {
|
|
|
+ rc = -ENOMEM;
|
|
|
goto socket_connect_return;
|
|
|
- rc = netlbl_conn_setattr(sk, addr, &secattr);
|
|
|
- if (rc != 0)
|
|
|
- goto socket_connect_return;
|
|
|
- sksec->nlbl_state = NLBL_CONNLABELED;
|
|
|
+ }
|
|
|
+ rc = netlbl_conn_setattr(sk, addr, secattr);
|
|
|
+ if (rc == 0)
|
|
|
+ sksec->nlbl_state = NLBL_CONNLABELED;
|
|
|
|
|
|
socket_connect_return:
|
|
|
bh_unlock_sock(sk);
|
|
|
local_bh_enable();
|
|
|
- netlbl_secattr_destroy(&secattr);
|
|
|
return rc;
|
|
|
}
|
Paul Moore