From: Paul Moore <paul.moore@hp.com>
To: linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Cc: netdev@vger.kernel.org, casey@schaufler-ca.com,
etienne.basset@numericable.fr
Subject: [PATCH 4/6] lsm: Remove the socket_post_accept() hook
Date: Fri, 27 Mar 2009 17:10:48 -0400 [thread overview]
Message-ID: <20090327211048.17777.42267.stgit@flek.lan> (raw)
In-Reply-To: <20090327205520.17777.32557.stgit@flek.lan>
The socket_post_accept() hook is not currently used by any in-tree modules
and its existence continues to cause problems by confusing people about
what can be safely accomplished using this hook. If a legitimate need for
this hook arises in the future it can always be reintroduced.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
include/linux/security.h | 13 -------------
net/socket.c | 2 --
security/capability.c | 5 -----
security/security.c | 5 -----
4 files changed, 0 insertions(+), 25 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 1f2ab63..54ed157 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -880,11 +880,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @sock contains the listening socket structure.
* @newsock contains the newly created server socket for connection.
* Return 0 if permission is granted.
- * @socket_post_accept:
- * This hook allows a security module to copy security
- * information into the newly created socket's inode.
- * @sock contains the listening socket structure.
- * @newsock contains the newly created server socket for connection.
* @socket_sendmsg:
* Check permission before transmitting a message to another socket.
* @sock contains the socket structure.
@@ -1554,8 +1549,6 @@ struct security_operations {
struct sockaddr *address, int addrlen);
int (*socket_listen) (struct socket *sock, int backlog);
int (*socket_accept) (struct socket *sock, struct socket *newsock);
- void (*socket_post_accept) (struct socket *sock,
- struct socket *newsock);
int (*socket_sendmsg) (struct socket *sock,
struct msghdr *msg, int size);
int (*socket_recvmsg) (struct socket *sock,
@@ -2537,7 +2530,6 @@ int security_socket_bind(struct socket *sock, struct sockaddr *address, int addr
int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);
int security_socket_listen(struct socket *sock, int backlog);
int security_socket_accept(struct socket *sock, struct socket *newsock);
-void security_socket_post_accept(struct socket *sock, struct socket *newsock);
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size);
int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
int size, int flags);
@@ -2616,11 +2608,6 @@ static inline int security_socket_accept(struct socket *sock,
return 0;
}
-static inline void security_socket_post_accept(struct socket *sock,
- struct socket *newsock)
-{
-}
-
static inline int security_socket_sendmsg(struct socket *sock,
struct msghdr *msg, int size)
{
diff --git a/net/socket.c b/net/socket.c
index af0205f..5d288d1 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1536,8 +1536,6 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
fd_install(newfd, newfile);
err = newfd;
- security_socket_post_accept(sock, newsock);
-
out_put:
fput_light(sock->file, fput_needed);
out:
diff --git a/security/capability.c b/security/capability.c
index c545bd1..21b6cea 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -620,10 +620,6 @@ static int cap_socket_accept(struct socket *sock, struct socket *newsock)
return 0;
}
-static void cap_socket_post_accept(struct socket *sock, struct socket *newsock)
-{
-}
-
static int cap_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
return 0;
@@ -1014,7 +1010,6 @@ void security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, socket_connect);
set_to_cap_if_null(ops, socket_listen);
set_to_cap_if_null(ops, socket_accept);
- set_to_cap_if_null(ops, socket_post_accept);
set_to_cap_if_null(ops, socket_sendmsg);
set_to_cap_if_null(ops, socket_recvmsg);
set_to_cap_if_null(ops, socket_getsockname);
diff --git a/security/security.c b/security/security.c
index c3586c0..206e538 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1007,11 +1007,6 @@ int security_socket_accept(struct socket *sock, struct socket *newsock)
return security_ops->socket_accept(sock, newsock);
}
-void security_socket_post_accept(struct socket *sock, struct socket *newsock)
-{
- security_ops->socket_post_accept(sock, newsock);
-}
-
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
return security_ops->socket_sendmsg(sock, msg, size);
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul.moore@hp.com>
To: linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Cc: netdev@vger.kernel.org, casey@schaufler-ca.com,
etienne.basset@numericable.fr
Subject: [PATCH 4/6] lsm: Remove the socket_post_accept() hook
Date: Fri, 27 Mar 2009 17:10:48 -0400 [thread overview]
Message-ID: <20090327211048.17777.42267.stgit@flek.lan> (raw)
In-Reply-To: <20090327205520.17777.32557.stgit@flek.lan>
The socket_post_accept() hook is not currently used by any in-tree modules
and its existence continues to cause problems by confusing people about
what can be safely accomplished using this hook. If a legitimate need for
this hook arises in the future it can always be reintroduced.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
include/linux/security.h | 13 -------------
net/socket.c | 2 --
security/capability.c | 5 -----
security/security.c | 5 -----
4 files changed, 0 insertions(+), 25 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 1f2ab63..54ed157 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -880,11 +880,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @sock contains the listening socket structure.
* @newsock contains the newly created server socket for connection.
* Return 0 if permission is granted.
- * @socket_post_accept:
- * This hook allows a security module to copy security
- * information into the newly created socket's inode.
- * @sock contains the listening socket structure.
- * @newsock contains the newly created server socket for connection.
* @socket_sendmsg:
* Check permission before transmitting a message to another socket.
* @sock contains the socket structure.
@@ -1554,8 +1549,6 @@ struct security_operations {
struct sockaddr *address, int addrlen);
int (*socket_listen) (struct socket *sock, int backlog);
int (*socket_accept) (struct socket *sock, struct socket *newsock);
- void (*socket_post_accept) (struct socket *sock,
- struct socket *newsock);
int (*socket_sendmsg) (struct socket *sock,
struct msghdr *msg, int size);
int (*socket_recvmsg) (struct socket *sock,
@@ -2537,7 +2530,6 @@ int security_socket_bind(struct socket *sock, struct sockaddr *address, int addr
int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);
int security_socket_listen(struct socket *sock, int backlog);
int security_socket_accept(struct socket *sock, struct socket *newsock);
-void security_socket_post_accept(struct socket *sock, struct socket *newsock);
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size);
int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
int size, int flags);
@@ -2616,11 +2608,6 @@ static inline int security_socket_accept(struct socket *sock,
return 0;
}
-static inline void security_socket_post_accept(struct socket *sock,
- struct socket *newsock)
-{
-}
-
static inline int security_socket_sendmsg(struct socket *sock,
struct msghdr *msg, int size)
{
diff --git a/net/socket.c b/net/socket.c
index af0205f..5d288d1 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1536,8 +1536,6 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
fd_install(newfd, newfile);
err = newfd;
- security_socket_post_accept(sock, newsock);
-
out_put:
fput_light(sock->file, fput_needed);
out:
diff --git a/security/capability.c b/security/capability.c
index c545bd1..21b6cea 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -620,10 +620,6 @@ static int cap_socket_accept(struct socket *sock, struct socket *newsock)
return 0;
}
-static void cap_socket_post_accept(struct socket *sock, struct socket *newsock)
-{
-}
-
static int cap_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
return 0;
@@ -1014,7 +1010,6 @@ void security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, socket_connect);
set_to_cap_if_null(ops, socket_listen);
set_to_cap_if_null(ops, socket_accept);
- set_to_cap_if_null(ops, socket_post_accept);
set_to_cap_if_null(ops, socket_sendmsg);
set_to_cap_if_null(ops, socket_recvmsg);
set_to_cap_if_null(ops, socket_getsockname);
diff --git a/security/security.c b/security/security.c
index c3586c0..206e538 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1007,11 +1007,6 @@ int security_socket_accept(struct socket *sock, struct socket *newsock)
return security_ops->socket_accept(sock, newsock);
}
-void security_socket_post_accept(struct socket *sock, struct socket *newsock)
-{
- security_ops->socket_post_accept(sock, newsock);
-}
-
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
return security_ops->socket_sendmsg(sock, msg, size);
next prev parent reply other threads:[~2009-03-27 21:10 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-27 21:10 [PATCH 0/6] Labeled networking patches for 2.6.30 Paul Moore
2009-03-27 21:10 ` Paul Moore
2009-03-27 21:10 ` [PATCH 1/6] lsm: Relocate the IPv4 security_inet_conn_request() hooks Paul Moore
2009-03-27 21:10 ` Paul Moore
2009-03-27 21:10 ` [PATCH 2/6] netlabel: Label incoming TCP connections correctly in SELinux Paul Moore
2009-03-27 21:10 ` Paul Moore
2009-03-28 3:03 ` Casey Schaufler
2009-03-28 3:03 ` Casey Schaufler
2009-03-27 21:10 ` [PATCH 3/6] selinux: Remove the "compat_net" compatibility code Paul Moore
2009-03-27 21:10 ` Paul Moore
2009-03-27 21:10 ` Paul Moore [this message]
2009-03-27 21:10 ` [PATCH 4/6] lsm: Remove the socket_post_accept() hook Paul Moore
2009-03-27 21:10 ` [PATCH 5/6] netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections Paul Moore
2009-03-27 21:10 ` Paul Moore
2009-03-28 3:04 ` Casey Schaufler
2009-03-28 3:04 ` Casey Schaufler
2009-03-27 21:11 ` [PATCH 6/6] smack: Add a new '-CIPSO' option to the network address label configuration Paul Moore
2009-03-27 21:11 ` Paul Moore
2009-03-28 3:05 ` Casey Schaufler
2009-03-28 3:05 ` Casey Schaufler
2009-03-27 21:58 ` [PATCH 0/6] Labeled networking patches for 2.6.30 David Miller
2009-03-28 0:58 ` James Morris
2009-03-28 0:58 ` James Morris
2009-03-28 1:08 ` David Miller
2009-03-28 12:01 ` Paul Moore
2009-03-28 12:01 ` Paul Moore
2009-03-28 5:16 ` James Morris
2009-03-28 5:16 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090327211048.17777.42267.stgit@flek.lan \
--to=paul.moore@hp.com \
--cc=casey@schaufler-ca.com \
--cc=etienne.basset@numericable.fr \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.