From: paul.moore@hp.com
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: jmorris@namei.org, sds@tycho.nsa.gov, akpm@osdl.org,
Paul Moore <paul.moore@hp.com>
Subject: [PATCH 5/6] NetLabel: uninline selinux_netlbl_inode_permission()
Date: Tue, 29 Aug 2006 10:42:56 -0400 [thread overview]
Message-ID: <20060829144446.837714000@hp.com> (raw)
In-Reply-To: 20060829144251.452774000@hp.com
Uninline the selinux_netlbl_inode_permission() at the request of Andrew Morton.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
security/selinux/include/selinux_netlabel.h | 35 ----------------------------
security/selinux/ss/services.c | 33 +++++++++++++++++++-------
2 files changed, 25 insertions(+), 43 deletions(-)
Index: net-2.6.19/security/selinux/include/selinux_netlabel.h
===================================================================
--- net-2.6.19.orig/security/selinux/include/selinux_netlabel.h
+++ net-2.6.19/security/selinux/include/selinux_netlabel.h
@@ -43,40 +43,7 @@ void selinux_netlbl_sk_security_init(str
int family);
void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
struct sk_security_struct *newssec);
-
-int __selinux_netlbl_inode_permission(struct inode *inode, int mask);
-/**
- * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
- * @inode: the file descriptor's inode
- * @mask: the permission mask
- *
- * Description:
- * Looks at a file's inode and if it is marked as a socket protected by
- * NetLabel then verify that the socket has been labeled, if not try to label
- * the socket now with the inode's SID. Returns zero on success, negative
- * values on failure.
- *
- */
-static inline int selinux_netlbl_inode_permission(struct inode *inode,
- int mask)
-{
- int rc = 0;
- struct inode_security_struct *isec;
- struct sk_security_struct *sksec;
-
- if (!S_ISSOCK(inode->i_mode))
- return 0;
-
- isec = inode->i_security;
- sksec = SOCKET_I(inode)->sk->sk_security;
- down(&isec->sem);
- if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
- (mask & (MAY_WRITE | MAY_APPEND))))
- rc = __selinux_netlbl_inode_permission(inode, mask);
- up(&isec->sem);
-
- return rc;
-}
+int selinux_netlbl_inode_permission(struct inode *inode, int mask);
#else
static inline void selinux_netlbl_cache_invalidate(void)
{
Index: net-2.6.19/security/selinux/ss/services.c
===================================================================
--- net-2.6.19.orig/security/selinux/ss/services.c
+++ net-2.6.19/security/selinux/ss/services.c
@@ -2544,24 +2544,39 @@ u32 selinux_netlbl_inet_conn_request(str
}
/**
- * __selinux_netlbl_inode_permission - Label a socket using NetLabel
+ * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
* @inode: the file descriptor's inode
* @mask: the permission mask
*
* Description:
- * Try to label a socket with the inode's SID using NetLabel. Returns zero on
- * success, negative values on failure.
+ * Looks at a file's inode and if it is marked as a socket protected by
+ * NetLabel then verify that the socket has been labeled, if not try to label
+ * the socket now with the inode's SID. Returns zero on success, negative
+ * values on failure.
*
*/
-int __selinux_netlbl_inode_permission(struct inode *inode, int mask)
+int selinux_netlbl_inode_permission(struct inode *inode, int mask)
{
int rc;
- struct socket *sock = SOCKET_I(inode);
- struct sk_security_struct *sksec = sock->sk->sk_security;
+ struct inode_security_struct *isec;
+ struct sk_security_struct *sksec;
+ struct socket *sock;
+
+ if (!S_ISSOCK(inode->i_mode))
+ return 0;
- lock_sock(sock->sk);
- rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
- release_sock(sock->sk);
+ sock = SOCKET_I(inode);
+ isec = inode->i_security;
+ sksec = sock->sk->sk_security;
+ down(&isec->sem);
+ if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
+ (mask & (MAY_WRITE | MAY_APPEND)))) {
+ lock_sock(sock->sk);
+ rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
+ release_sock(sock->sk);
+ } else
+ rc = 0;
+ up(&isec->sem);
return rc;
}
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: paul.moore@hp.com
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: jmorris@namei.org, sds@tycho.nsa.gov, akpm@osdl.org,
Paul Moore <paul.moore@hp.com>
Subject: [PATCH 5/6] NetLabel: uninline selinux_netlbl_inode_permission()
Date: Tue, 29 Aug 2006 10:42:56 -0400 [thread overview]
Message-ID: <20060829144446.837714000@hp.com> (raw)
In-Reply-To: 20060829144251.452774000@hp.com
[-- Attachment #1: netlabel-uninline_inodeperm --]
[-- Type: text/plain, Size: 3767 bytes --]
Uninline the selinux_netlbl_inode_permission() at the request of Andrew Morton.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
security/selinux/include/selinux_netlabel.h | 35 ----------------------------
security/selinux/ss/services.c | 33 +++++++++++++++++++-------
2 files changed, 25 insertions(+), 43 deletions(-)
Index: net-2.6.19/security/selinux/include/selinux_netlabel.h
===================================================================
--- net-2.6.19.orig/security/selinux/include/selinux_netlabel.h
+++ net-2.6.19/security/selinux/include/selinux_netlabel.h
@@ -43,40 +43,7 @@ void selinux_netlbl_sk_security_init(str
int family);
void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
struct sk_security_struct *newssec);
-
-int __selinux_netlbl_inode_permission(struct inode *inode, int mask);
-/**
- * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
- * @inode: the file descriptor's inode
- * @mask: the permission mask
- *
- * Description:
- * Looks at a file's inode and if it is marked as a socket protected by
- * NetLabel then verify that the socket has been labeled, if not try to label
- * the socket now with the inode's SID. Returns zero on success, negative
- * values on failure.
- *
- */
-static inline int selinux_netlbl_inode_permission(struct inode *inode,
- int mask)
-{
- int rc = 0;
- struct inode_security_struct *isec;
- struct sk_security_struct *sksec;
-
- if (!S_ISSOCK(inode->i_mode))
- return 0;
-
- isec = inode->i_security;
- sksec = SOCKET_I(inode)->sk->sk_security;
- down(&isec->sem);
- if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
- (mask & (MAY_WRITE | MAY_APPEND))))
- rc = __selinux_netlbl_inode_permission(inode, mask);
- up(&isec->sem);
-
- return rc;
-}
+int selinux_netlbl_inode_permission(struct inode *inode, int mask);
#else
static inline void selinux_netlbl_cache_invalidate(void)
{
Index: net-2.6.19/security/selinux/ss/services.c
===================================================================
--- net-2.6.19.orig/security/selinux/ss/services.c
+++ net-2.6.19/security/selinux/ss/services.c
@@ -2544,24 +2544,39 @@ u32 selinux_netlbl_inet_conn_request(str
}
/**
- * __selinux_netlbl_inode_permission - Label a socket using NetLabel
+ * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
* @inode: the file descriptor's inode
* @mask: the permission mask
*
* Description:
- * Try to label a socket with the inode's SID using NetLabel. Returns zero on
- * success, negative values on failure.
+ * Looks at a file's inode and if it is marked as a socket protected by
+ * NetLabel then verify that the socket has been labeled, if not try to label
+ * the socket now with the inode's SID. Returns zero on success, negative
+ * values on failure.
*
*/
-int __selinux_netlbl_inode_permission(struct inode *inode, int mask)
+int selinux_netlbl_inode_permission(struct inode *inode, int mask)
{
int rc;
- struct socket *sock = SOCKET_I(inode);
- struct sk_security_struct *sksec = sock->sk->sk_security;
+ struct inode_security_struct *isec;
+ struct sk_security_struct *sksec;
+ struct socket *sock;
+
+ if (!S_ISSOCK(inode->i_mode))
+ return 0;
- lock_sock(sock->sk);
- rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
- release_sock(sock->sk);
+ sock = SOCKET_I(inode);
+ isec = inode->i_security;
+ sksec = sock->sk->sk_security;
+ down(&isec->sem);
+ if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
+ (mask & (MAY_WRITE | MAY_APPEND)))) {
+ lock_sock(sock->sk);
+ rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
+ release_sock(sock->sk);
+ } else
+ rc = 0;
+ up(&isec->sem);
return rc;
}
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-08-29 14:42 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-29 14:42 [PATCH 0/6] Various NetLabel fixes and cleanups paul.moore
2006-08-29 14:42 ` paul.moore
2006-08-29 14:42 ` [PATCH 1/6] NetLabel: correctly initialize the NetLabel fields paul.moore
2006-08-29 14:42 ` paul.moore
2006-08-29 16:51 ` James Morris
2006-08-29 16:51 ` James Morris
2006-08-29 17:56 ` Paul Moore
2006-08-29 17:56 ` Paul Moore
2006-08-29 19:17 ` James Morris
2006-08-29 19:17 ` James Morris
2006-08-29 20:21 ` Paul Moore
2006-08-29 20:21 ` Paul Moore
2006-08-29 17:01 ` James Morris
2006-08-29 17:01 ` James Morris
2006-08-29 14:42 ` [PATCH 2/6] NetLabel: remove unused function prototypes paul.moore
2006-08-29 14:42 ` paul.moore
2006-08-29 16:56 ` James Morris
2006-08-29 16:56 ` James Morris
2006-08-29 14:42 ` [PATCH 3/6] NetLabel: comment corrections paul.moore
2006-08-29 14:42 ` paul.moore
2006-08-29 16:57 ` James Morris
2006-08-29 16:57 ` James Morris
2006-08-29 14:42 ` [PATCH 4/6] NetLabel: cleanup ebitmap_import() paul.moore
2006-08-29 14:42 ` paul.moore
2006-08-29 16:58 ` James Morris
2006-08-29 16:58 ` James Morris
2006-08-29 14:42 ` paul.moore [this message]
2006-08-29 14:42 ` [PATCH 5/6] NetLabel: uninline selinux_netlbl_inode_permission() paul.moore
2006-08-29 16:54 ` James Morris
2006-08-29 16:54 ` James Morris
2006-08-29 14:42 ` [PATCH 6/6] NetLabel: add some missing #includes to various header files paul.moore
2006-08-29 14:42 ` paul.moore
2006-08-29 16:56 ` James Morris
2006-08-29 16:56 ` James Morris
2006-08-30 0:56 ` [PATCH 0/6] Various NetLabel fixes and cleanups David Miller
2006-08-30 13:18 ` Paul Moore
2006-08-30 13:18 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060829144446.837714000@hp.com \
--to=paul.moore@hp.com \
--cc=akpm@osdl.org \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.