diff options
| author | Linus Torvalds <torvalds@g5.osdl.org> | 2006-03-21 09:31:48 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-03-21 09:31:48 -0800 |
| commit | 3d1f337b3e7378923c89f37afb573a918ef40be5 (patch) | |
| tree | 386798378567a10d1c7b24f599cb50f70298694c /security/selinux/xfrm.c | |
| parent | 2bf2154c6bb5599e3ec3f73c34861a0b12aa839e (diff) | |
| parent | 5e35941d990123f155b02d5663e51a24f816b6f3 (diff) | |
Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: (235 commits)
[NETFILTER]: Add H.323 conntrack/NAT helper
[TG3]: Don't mark tg3_test_registers() as returning const.
[IPV6]: Cleanups for net/ipv6/addrconf.c (kzalloc, early exit) v2
[IPV6]: Nearly complete kzalloc cleanup for net/ipv6
[IPV6]: Cleanup of net/ipv6/reassambly.c
[BRIDGE]: Remove duplicate const from is_link_local() argument type.
[DECNET]: net/decnet/dn_route.c: fix inconsequent NULL checking
[TG3]: make drivers/net/tg3.c:tg3_request_irq() static
[BRIDGE]: use LLC to send STP
[LLC]: llc_mac_hdr_init const arguments
[BRIDGE]: allow show/store of group multicast address
[BRIDGE]: use llc for receiving STP packets
[BRIDGE]: stp timer to jiffies cleanup
[BRIDGE]: forwarding remove unneeded preempt and bh diasables
[BRIDGE]: netfilter inline cleanup
[BRIDGE]: netfilter VLAN macro cleanup
[BRIDGE]: netfilter dont use __constant_htons
[BRIDGE]: netfilter whitespace
[BRIDGE]: optimize frame pass up
[BRIDGE]: use kzalloc
...
Diffstat (limited to 'security/selinux/xfrm.c')
| -rw-r--r-- | security/selinux/xfrm.c | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index b2af7ca496c1..dfab6c886698 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -225,6 +225,74 @@ void selinux_xfrm_state_free(struct xfrm_state *x) } /* + * SELinux internal function to retrieve the context of a connected + * (sk->sk_state == TCP_ESTABLISHED) TCP socket based on its security + * association used to connect to the remote socket. + * + * Retrieve via getsockopt SO_PEERSEC. + */ +u32 selinux_socket_getpeer_stream(struct sock *sk) +{ + struct dst_entry *dst, *dst_test; + u32 peer_sid = SECSID_NULL; + + if (sk->sk_state != TCP_ESTABLISHED) + goto out; + + dst = sk_dst_get(sk); + if (!dst) + goto out; + + for (dst_test = dst; dst_test != 0; + dst_test = dst_test->child) { + struct xfrm_state *x = dst_test->xfrm; + + if (x && selinux_authorizable_xfrm(x)) { + struct xfrm_sec_ctx *ctx = x->security; + peer_sid = ctx->ctx_sid; + break; + } + } + dst_release(dst); + +out: + return peer_sid; +} + +/* + * SELinux internal function to retrieve the context of a UDP packet + * based on its security association used to connect to the remote socket. + * + * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message + * type SCM_SECURITY. + */ +u32 selinux_socket_getpeer_dgram(struct sk_buff *skb) +{ + struct sec_path *sp; + + if (skb == NULL) + return SECSID_NULL; + + if (skb->sk->sk_protocol != IPPROTO_UDP) + return SECSID_NULL; + + sp = skb->sp; + if (sp) { + int i; + + for (i = sp->len-1; i >= 0; i--) { + struct xfrm_state *x = sp->x[i].xvec; + if (selinux_authorizable_xfrm(x)) { + struct xfrm_sec_ctx *ctx = x->security; + return ctx->ctx_sid; + } + } + } + + return SECSID_NULL; +} + +/* * LSM hook that controls access to unlabelled packets. If * a xfrm_state is authorizable (defined by macro) then it was * already authorized by the IPSec process. If not, then |