summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2007-03-01 20:35:22 +0100
committerJames Morris <jmorris@namei.org>2007-04-26 07:35:56 +0200
commit4f6a993f96a256e83b9be7612f958c7bc4ca9f00 (patch)
tree385e5ce4423583b65780d20fce075cd936fe1449
parentMAINTAINERS: update selinux entry (diff)
downloadlinux-4f6a993f96a256e83b9be7612f958c7bc4ca9f00.tar.xz
linux-4f6a993f96a256e83b9be7612f958c7bc4ca9f00.zip
SELinux: move security_skb_extlbl_sid() out of the security server
As suggested, move the security_skb_extlbl_sid() function out of the security server and into the SELinux hooks file. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/hooks.c36
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/ss/services.c27
3 files changed, 31 insertions, 35 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7f8d0b1ee02f..68629aa039ed 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3123,6 +3123,34 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
return ret;
}
+/**
+ * selinux_skb_extlbl_sid - Determine the external label of a packet
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
+ * @sid: the packet's SID
+ *
+ * Description:
+ * Check the various different forms of external packet labeling and determine
+ * the external SID for the packet.
+ *
+ */
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+ u32 base_sid,
+ u32 *sid)
+{
+ u32 xfrm_sid;
+ u32 nlbl_sid;
+
+ selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ if (selinux_netlbl_skbuff_getsid(skb,
+ (xfrm_sid == SECSID_NULL ?
+ base_sid : xfrm_sid),
+ &nlbl_sid) != 0)
+ nlbl_sid = SECSID_NULL;
+
+ *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+}
+
/* socket security operations */
static int socket_has_perm(struct task_struct *task, struct socket *sock,
u32 perms)
@@ -3664,9 +3692,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
if (sock && sock->sk->sk_family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb)
- security_skb_extlbl_sid(skb,
- SECINITSID_UNLABELED,
- &peer_secid);
+ selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
if (peer_secid == SECSID_NULL)
err = -EINVAL;
@@ -3727,7 +3753,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
u32 newsid;
u32 peersid;
- security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
+ selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
if (peersid == SECSID_NULL) {
req->secid = sksec->sid;
req->peer_secid = SECSID_NULL;
@@ -3765,7 +3791,7 @@ static void selinux_inet_conn_established(struct sock *sk,
{
struct sk_security_struct *sksec = sk->sk_security;
- security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
+ selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
}
static void selinux_req_classify_flow(const struct request_sock *req,
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 605b07165af8..bfe562c36469 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -34,7 +34,6 @@
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS
#endif
-struct sk_buff;
struct netlbl_lsm_secattr;
extern int selinux_enabled;
@@ -83,8 +82,6 @@ int security_netif_sid(char *name, u32 *if_sid,
int security_node_sid(u16 domain, void *addr, u32 addrlen,
u32 *out_sid);
-void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);
-
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
u16 tclass);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index f4129f589313..8ee4aaef1094 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -39,7 +39,6 @@
#include <linux/sched.h>
#include <linux/audit.h>
#include <linux/mutex.h>
-#include <net/sock.h>
#include <net/netlabel.h>
#include "flask.h"
@@ -2198,32 +2197,6 @@ void selinux_audit_set_callback(int (*callback)(void))
aurule_callback = callback;
}
-/**
- * security_skb_extlbl_sid - Determine the external label of a packet
- * @skb: the packet
- * @base_sid: the SELinux SID to use as a context for MLS only external labels
- * @sid: the packet's SID
- *
- * Description:
- * Check the various different forms of external packet labeling and determine
- * the external SID for the packet.
- *
- */
-void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
-{
- u32 xfrm_sid;
- u32 nlbl_sid;
-
- selinux_skb_xfrm_sid(skb, &xfrm_sid);
- if (selinux_netlbl_skbuff_getsid(skb,
- (xfrm_sid == SECSID_NULL ?
- base_sid : xfrm_sid),
- &nlbl_sid) != 0)
- nlbl_sid = SECSID_NULL;
-
- *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
-}
-
#ifdef CONFIG_NETLABEL
/*
* NetLabel cache structure