From 4f6a993f96a256e83b9be7612f958c7bc4ca9f00 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 1 Mar 2007 14:35:22 -0500 Subject: SELinux: move security_skb_extlbl_sid() out of the security server As suggested, move the security_skb_extlbl_sid() function out of the security server and into the SELinux hooks file. Signed-off-by: Paul Moore Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/hooks.c | 36 +++++++++++++++++++++++++++++++----- security/selinux/include/security.h | 3 --- security/selinux/ss/services.c | 27 --------------------------- 3 files changed, 31 insertions(+), 35 deletions(-) (limited to 'security') diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7f8d0b1ee02..68629aa039e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3123,6 +3123,34 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, return ret; } +/** + * selinux_skb_extlbl_sid - Determine the external label of a packet + * @skb: the packet + * @base_sid: the SELinux SID to use as a context for MLS only external labels + * @sid: the packet's SID + * + * Description: + * Check the various different forms of external packet labeling and determine + * the external SID for the packet. + * + */ +static void selinux_skb_extlbl_sid(struct sk_buff *skb, + u32 base_sid, + u32 *sid) +{ + u32 xfrm_sid; + u32 nlbl_sid; + + selinux_skb_xfrm_sid(skb, &xfrm_sid); + if (selinux_netlbl_skbuff_getsid(skb, + (xfrm_sid == SECSID_NULL ? + base_sid : xfrm_sid), + &nlbl_sid) != 0) + nlbl_sid = SECSID_NULL; + + *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); +} + /* socket security operations */ static int socket_has_perm(struct task_struct *task, struct socket *sock, u32 perms) @@ -3664,9 +3692,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * if (sock && sock->sk->sk_family == PF_UNIX) selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); else if (skb) - security_skb_extlbl_sid(skb, - SECINITSID_UNLABELED, - &peer_secid); + selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid); if (peer_secid == SECSID_NULL) err = -EINVAL; @@ -3727,7 +3753,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, u32 newsid; u32 peersid; - security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); + selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); if (peersid == SECSID_NULL) { req->secid = sksec->sid; req->peer_secid = SECSID_NULL; @@ -3765,7 +3791,7 @@ static void selinux_inet_conn_established(struct sock *sk, { struct sk_security_struct *sksec = sk->sk_security; - security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); + selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); } static void selinux_req_classify_flow(const struct request_sock *req, diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 605b07165af..bfe562c3646 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -34,7 +34,6 @@ #define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS #endif -struct sk_buff; struct netlbl_lsm_secattr; extern int selinux_enabled; @@ -83,8 +82,6 @@ int security_netif_sid(char *name, u32 *if_sid, int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid); -void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid); - int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, u16 tclass); diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index f4129f58931..8ee4aaef109 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -39,7 +39,6 @@ #include #include #include -#include #include #include "flask.h" @@ -2198,32 +2197,6 @@ void selinux_audit_set_callback(int (*callback)(void)) aurule_callback = callback; } -/** - * security_skb_extlbl_sid - Determine the external label of a packet - * @skb: the packet - * @base_sid: the SELinux SID to use as a context for MLS only external labels - * @sid: the packet's SID - * - * Description: - * Check the various different forms of external packet labeling and determine - * the external SID for the packet. - * - */ -void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid) -{ - u32 xfrm_sid; - u32 nlbl_sid; - - selinux_skb_xfrm_sid(skb, &xfrm_sid); - if (selinux_netlbl_skbuff_getsid(skb, - (xfrm_sid == SECSID_NULL ? - base_sid : xfrm_sid), - &nlbl_sid) != 0) - nlbl_sid = SECSID_NULL; - - *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); -} - #ifdef CONFIG_NETLABEL /* * NetLabel cache structure -- cgit v1.2.3