From: Venkat Yekkirala <vyekkirala@TrustedCS.com>
To: netdev@vger.kernel.org
Cc: selinux@tycho.nsa.gov, jmorris@namei.org, sds@tycho.nsa.gov,
	tjaeger@cse.psu.edu
Subject: Re: [PATCH 10/10] MLSXFRM-v02: Auto-labeling of child sockets
Date: Thu, 27 Jul 2006 11:53:44 -0500	[thread overview]
Message-ID: <44C8EF98.3020507@trustedcs.com> (raw)
In-Reply-To: <44BD196C.6000307@trustedcs.com>

The following patch will fix the build problem (encountered by Andrew Morton)
when SECURITY_NETWORK_XFRM is not enabled.

As compared to git-net-selinux_xfrm_decode_session-build-fix.patch in -mm,
this patch sets the return parameter sid to SECSID_NULL in selinux_xfrm_decode_session()
and handles this value in the caller selinux_inet_conn_request() appropriately.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
--- 
NOTE: Not sure what the ideal thing to do is here. The following is incremental
to the original patch. I can send a revision of the entire patch with these changes
if desired.

 security/selinux/hooks.c        |    5 +++++
 security/selinux/include/xfrm.h |    7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

--- linux-2.6.17.child_sock/security/selinux/include/xfrm.h	2006-07-17 16:51:22.000000000 -0500
+++ linux-2.6.17/security/selinux/include/xfrm.h	2006-07-27 11:29:16.000000000 -0500
@@ -20,7 +20,6 @@ int selinux_xfrm_policy_lookup(struct xf
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
 			struct xfrm_policy *xp, struct flowi *fl);
 int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm);
-int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall);
 
 
 /*
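Review bot: the declaration removed here named its second parameter `fl`, although the caller in hooks.c passes `&peersid`, i.e. a security identifier, so the old prototype was misleading as well as mis-placed. Dropping the unconditional prototype is the right move, since the out-of-line definition only exists when the XFRM support is built; the re-added prototype later in this file uses `u32 *sid`, which matches how the function is actually used.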
@@ -41,6 +40,7 @@ int selinux_xfrm_postroute_last(u32 isec
 			struct avc_audit_data *ad);
 u32 selinux_socket_getpeer_stream(struct sock *sk);
 u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
+int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 #else
 static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
 			struct avc_audit_data *ad)
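Review bot: moving the prototype of `selinux_xfrm_decode_session()` inside the `CONFIG_SECURITY_NETWORK_XFRM` branch is what removes the link failure Andrew Morton hit, but the header now has two different contracts for the same function depending on configuration (a real decode versus a stub that always yields `SECSID_NULL`). A one-line comment next to `int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);` stating that `*sid` may be `SECSID_NULL` when no labeled association is found would let callers know they must handle that value in both builds.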
@@ -63,6 +63,11 @@ static inline int selinux_socket_getpeer
 {
 	return SECSID_NULL;
 }
+static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
+{
+	*sid = SECSID_NULL;
+	return 0;
+}
 #endif
 
 #endif /* _SELINUX_XFRM_H_ */
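Review bot: the stub `selinux_xfrm_decode_session()` returns 0 while setting `*sid = SECSID_NULL`, so success and "no label available" are signalled through the out-parameter rather than the return value; that is consistent with the other stubs above (`return SECSID_NULL;`), but `skb` and `ckall` are now unused parameters in this build, and the caller is the only place that turns `SECSID_NULL` into a decision. Consider a short comment on the stub saying that `SECSID_NULL` is the deliberate "no XFRM label" result, so a future caller does not treat it as an error or, worse, as a valid SID to copy MLS fields from.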
--- linux-2.6.17.child_sock/security/selinux/hooks.c	2006-07-18 10:33:42.000000000 -0500
+++ linux-2.6.17/security/selinux/hooks.c	2006-07-27 11:28:53.000000000 -0500
@@ -3595,6 +3595,11 @@ int selinux_inet_conn_request(struct soc
 	err = selinux_xfrm_decode_session(skb, &peersid, 0);
 	BUG_ON(err);
 
+	if (peersid == SECSID_NULL) {
+		req->secid = sksec->sid;
+		return 0;
+	}
+
 	err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
 	if (err)
 		return err;
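Review bot: the new `if (peersid == SECSID_NULL)` branch silently labels the request socket with the listening socket's SID (`req->secid = sksec->sid;`) and skips `security_sid_mls_copy()`, which changes the labeling outcome rather than just the build; a comment explaining that an unlabeled peer means the child inherits the listener's label would make that policy decision visible to reviewers. Note also that the preceding `BUG_ON(err);` still crashes on any non-zero return from `selinux_xfrm_decode_session()`, so the fallback here only covers the `SECSID_NULL` case, not a decode error; if the non-stub implementation can also report `SECSID_NULL` (for an unlabeled association), the same fallback now applies in XFRM-enabled kernels, and the commit message should say whether that is intended.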


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
