mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-04 10:40:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

selinux: cleanup selinux_xfrm_sock_rcv_skb() and selinux_xfrm_postroute_last()

Browse source 
Some basic simplification and comment reformatting.

Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
Paul Moore 2013-07-23 17:38:39 -04:00 committed by Eric Paris
parent 96484348ad
commit eef9b41622
2 changed files with 42 additions and 60 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

17
security/selinux/include/xfrm.h
View file

@ -44,10 +44,10 @@ static inline int selinux_xfrm_enabled(void)
return (atomic_read(&selinux_xfrm_refcount) > 0); return (atomic_read(&selinux_xfrm_refcount) > 0);
} }
int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
struct common_audit_data *ad); struct common_audit_data *ad);
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
struct common_audit_data *ad, u8 proto); struct common_audit_data *ad, u8 proto);
int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
static inline void selinux_xfrm_notify_policyload(void) static inline void selinux_xfrm_notify_policyload(void)
@ -61,14 +61,15 @@ static inline int selinux_xfrm_enabled(void)
return 0; return 0;
} }
static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
struct common_audit_data *ad) struct common_audit_data *ad)
{ {
return 0; return 0;
} }
static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
struct common_audit_data *ad, u8 proto) struct common_audit_data *ad,
u8 proto)
{ {
return 0; return 0;
} }

85
security/selinux/xfrm.c
View file

@ -367,14 +367,12 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
* we need to check for unlabelled access since this may not have * we need to check for unlabelled access since this may not have
* gone thru the IPSec process. * gone thru the IPSec process.
*/ */
int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
struct common_audit_data *ad) struct common_audit_data *ad)
{ {
int i, rc = 0; int i;
struct sec_path *sp; struct sec_path *sp = skb->sp;
u32 sel_sid = SECINITSID_UNLABELED; u32 peer_sid = SECINITSID_UNLABELED;
sp = skb->sp;
if (sp) { if (sp) {
for (i = 0; i < sp->len; i++) { for (i = 0; i < sp->len; i++) {
@ -382,23 +380,17 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
if (x && selinux_authorizable_xfrm(x)) { if (x && selinux_authorizable_xfrm(x)) {
struct xfrm_sec_ctx *ctx = x->security; struct xfrm_sec_ctx *ctx = x->security;
sel_sid = ctx->ctx_sid; peer_sid = ctx->ctx_sid;
break; break;
} }
} }
} }
/* /* This check even when there's no association involved is intended,
* This check even when there's no association involved is * according to Trent Jaeger, to make sure a process can't engage in
* intended, according to Trent Jaeger, to make sure a * non-IPsec communication unless explicitly allowed by policy. */
* process can't engage in non-ipsec communication unless return avc_has_perm(sk_sid, peer_sid,
* explicitly allowed by policy. SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
*/
rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
ASSOCIATION__RECVFROM, ad);
return rc;
} }
/* /*
@ -408,49 +400,38 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
* If we do have a authorizable security association, then it has already been * If we do have a authorizable security association, then it has already been
* checked in the selinux_xfrm_state_pol_flow_match hook above. * checked in the selinux_xfrm_state_pol_flow_match hook above.
*/ */
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
struct common_audit_data *ad, u8 proto) struct common_audit_data *ad, u8 proto)
{ {
struct dst_entry *dst; struct dst_entry *dst;
int rc = 0;
dst = skb_dst(skb);
if (dst) {
struct dst_entry *dst_test;
for (dst_test = dst; dst_test != NULL;
dst_test = dst_test->child) {
struct xfrm_state *x = dst_test->xfrm;
if (x && selinux_authorizable_xfrm(x))
goto out;
}
}
switch (proto) { switch (proto) {
case IPPROTO_AH: case IPPROTO_AH:
case IPPROTO_ESP: case IPPROTO_ESP:
case IPPROTO_COMP: case IPPROTO_COMP:
/* /* We should have already seen this packet once before it
* We should have already seen this packet once before * underwent xfrm(s). No need to subject it to the unlabeled
* it underwent xfrm(s). No need to subject it to the * check. */
* unlabeled check. return 0;
*/
goto out;
default: default:
break; break;
} }
/* dst = skb_dst(skb);
* This check even when there's no association involved is if (dst) {
* intended, according to Trent Jaeger, to make sure a struct dst_entry *iter;
* process can't engage in non-ipsec communication unless
* explicitly allowed by policy.
*/
rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, for (iter = dst; iter != NULL; iter = iter->child) {
ASSOCIATION__SENDTO, ad); struct xfrm_state *x = iter->xfrm;
out:
return rc; if (x && selinux_authorizable_xfrm(x))
return 0;
}
}
/* This check even when there's no association involved is intended,
* according to Trent Jaeger, to make sure a process can't engage in
* non-IPsec communication unless explicitly allowed by policy. */
return avc_has_perm(sk_sid, SECINITSID_UNLABELED,
SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
} }