[PATCH 1/2] Define security_sk_getsecctx

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: <rongqing.li@windriver.com>
To: <netdev@vger.kernel.org>, <selinux@tycho.nsa.gov>,
	<linux-security-module@vger.kernel.org>
Subject: [PATCH 1/2] Define security_sk_getsecctx
Date: Wed, 31 Aug 2011 16:36:16 +0800	[thread overview]
Message-ID: <1314779777-12669-2-git-send-email-rongqing.li@windriver.com> (raw)
In-Reply-To: <1314779777-12669-1-git-send-email-rongqing.li@windriver.com>

From: Roy.Li <rongqing.li@windriver.com>

Define security_sk_getsecctx to return the security
context of a sock.

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
 include/linux/security.h |   13 +++++++++++++
 security/capability.c    |    6 ++++++
 security/security.c      |    6 ++++++
 security/selinux/hooks.c |    9 +++++++++
 4 files changed, 34 insertions(+), 0 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index ebd2a53..6bb8e0c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -959,6 +959,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  * @sk_getsecid:
  *	Retrieve the LSM-specific secid for the sock to enable caching of network
  *	authorizations.
+ * @sk_getsecctx:
+ *	Returns a string containing sock security context information
+ *	@sk whom we wish to get the security context.
+ *	@ctx is the address of the pointer to where to place the allocated
+ *	security context.
+ *	@ctxlen points to the value of the length of the security context.
  * @sock_graft:
  *	Sets the socket's isec sid to the sock's sid.
  * @inet_conn_request:
@@ -1600,6 +1606,7 @@ struct security_operations {
 	void (*sk_free_security) (struct sock *sk);
 	void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
 	void (*sk_getsecid) (struct sock *sk, u32 *secid);
+	int (*sk_getsecctx) (struct sock *sk, void **ctx, u32 *ctxlen);
 	void (*sock_graft) (struct sock *sk, struct socket *parent);
 	int (*inet_conn_request) (struct sock *sk, struct sk_buff *skb,
 				  struct request_sock *req);
@@ -2574,6 +2581,7 @@ void security_secmark_refcount_dec(void);
 int security_tun_dev_create(void);
 void security_tun_dev_post_create(struct sock *sk);
 int security_tun_dev_attach(struct sock *sk);
+int security_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen);
 
 #else	/* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct sock *sock,
@@ -2751,6 +2759,11 @@ static inline int security_tun_dev_attach(struct sock *sk)
 {
 	return 0;
 }
+
+static int security_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen)
+{
+	return -EOPNOTSUPP;
+}
 #endif	/* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/security/capability.c b/security/capability.c
index 2984ea4..89256a6 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -664,6 +664,11 @@ static void cap_sk_getsecid(struct sock *sk, u32 *secid)
 {
 }
 
+static int cap_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen)
+{
+	return 0;
+}
+
 static void cap_sock_graft(struct sock *sk, struct socket *parent)
 {
 }
@@ -1032,6 +1037,7 @@ void __init security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, sk_free_security);
 	set_to_cap_if_null(ops, sk_clone_security);
 	set_to_cap_if_null(ops, sk_getsecid);
+	set_to_cap_if_null(ops, sk_getsecctx);
 	set_to_cap_if_null(ops, sock_graft);
 	set_to_cap_if_null(ops, inet_conn_request);
 	set_to_cap_if_null(ops, inet_csk_clone);
diff --git a/security/security.c b/security/security.c
index 0e4fccf..a939f5c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -757,6 +757,12 @@ void security_task_getsecid(struct task_struct *p, u32 *secid)
 }
 EXPORT_SYMBOL(security_task_getsecid);
 
+int security_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen)
+{
+	return security_ops->sk_getsecctx(sk, ctx, ctxlen);
+}
+EXPORT_SYMBOL(security_sk_getsecctx);
+
 int security_task_setnice(struct task_struct *p, int nice)
 {
 	return security_ops->task_setnice(p, nice);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 266a229..6e96f01 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4284,6 +4284,14 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
 	}
 }
 
+static int selinux_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen)
+{
+	u32 secid;
+
+	selinux_sk_getsecid(sk, &secid);
+	return security_sid_to_context(secid, ctx, ctxlen);
+}
+
 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
 {
 	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
@@ -5613,6 +5621,7 @@ static struct security_operations selinux_ops = {
 	.sk_free_security =		selinux_sk_free_security,
 	.sk_clone_security =		selinux_sk_clone_security,
 	.sk_getsecid =			selinux_sk_getsecid,
+	.sk_getsecctx =                 selinux_sk_getsecctx,
 	.sock_graft =			selinux_sock_graft,
 	.inet_conn_request =		selinux_inet_conn_request,
 	.inet_csk_clone =		selinux_inet_csk_clone,
-- 
1.7.1

next prev parent reply	other threads:[~2011-08-31  8:36 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-08-31  8:36 [PATCH 0/2] Dump the sock's security context rongqing.li
2011-08-31  8:36 ` rongqing.li [this message]
2011-08-31 15:43   ` [PATCH 1/2] Define security_sk_getsecctx Casey Schaufler
2011-08-31 18:46     ` Stephen Smalley
2011-08-31 20:49       ` Casey Schaufler
2011-08-31  8:36 ` [PATCH 2/2] Add a netlink attribute INET_DIAG_SECCTX rongqing.li
2011-08-31 12:08   ` Stephen Smalley
2011-08-31 21:18   ` Paul Moore
2011-09-01  9:33     ` Rongqing Li
2011-09-01 12:28       ` Paul Moore
2011-09-05  0:32         ` Rongqing Li
2011-08-31  8:38 ` [PATCH 0/2] Dump the sock's security context Rongqing Li

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ebd2a53 dfblob:6bb8e0c dfblob:2984ea4 dfblob:89256a6
dfblob:0e4fccf dfblob:a939f5c dfblob:266a229 dfblob:6e96f01 )
 OR (
bs:"[PATCH 1/2] Define security_sk_getsecctx" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1314779777-12669-2-git-send-email-rongqing.li@windriver.com \
    --to=rongqing.li@windriver.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).