From: paul.moore@hp.com
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: jmorris@namei.org, sds@tycho.nsa.gov, akpm@osdl.org,
Paul Moore <paul.moore@hp.com>
Subject: [PATCH 5/6] NetLabel: uninline selinux_netlbl_inode_permission()
Date: Tue, 29 Aug 2006 10:42:56 -0400 [thread overview]
Message-ID: <20060829144446.837714000@hp.com> (raw)
In-Reply-To: 20060829144251.452774000@hp.com
[-- Attachment #1: netlabel-uninline_inodeperm --]
[-- Type: text/plain, Size: 3767 bytes --]
Uninline the selinux_netlbl_inode_permission() at the request of Andrew Morton.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
security/selinux/include/selinux_netlabel.h | 35 ----------------------------
security/selinux/ss/services.c | 33 +++++++++++++++++++-------
2 files changed, 25 insertions(+), 43 deletions(-)
Index: net-2.6.19/security/selinux/include/selinux_netlabel.h
===================================================================
--- net-2.6.19.orig/security/selinux/include/selinux_netlabel.h
+++ net-2.6.19/security/selinux/include/selinux_netlabel.h
@@ -43,40 +43,7 @@ void selinux_netlbl_sk_security_init(str
int family);
void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
struct sk_security_struct *newssec);
-
-int __selinux_netlbl_inode_permission(struct inode *inode, int mask);
-/**
- * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
- * @inode: the file descriptor's inode
- * @mask: the permission mask
- *
- * Description:
- * Looks at a file's inode and if it is marked as a socket protected by
- * NetLabel then verify that the socket has been labeled, if not try to label
- * the socket now with the inode's SID. Returns zero on success, negative
- * values on failure.
- *
- */
-static inline int selinux_netlbl_inode_permission(struct inode *inode,
- int mask)
-{
- int rc = 0;
- struct inode_security_struct *isec;
- struct sk_security_struct *sksec;
-
- if (!S_ISSOCK(inode->i_mode))
- return 0;
-
- isec = inode->i_security;
- sksec = SOCKET_I(inode)->sk->sk_security;
- down(&isec->sem);
- if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
- (mask & (MAY_WRITE | MAY_APPEND))))
- rc = __selinux_netlbl_inode_permission(inode, mask);
- up(&isec->sem);
-
- return rc;
-}
+int selinux_netlbl_inode_permission(struct inode *inode, int mask);
#else
static inline void selinux_netlbl_cache_invalidate(void)
{
Index: net-2.6.19/security/selinux/ss/services.c
===================================================================
--- net-2.6.19.orig/security/selinux/ss/services.c
+++ net-2.6.19/security/selinux/ss/services.c
@@ -2544,24 +2544,39 @@ u32 selinux_netlbl_inet_conn_request(str
}
/**
- * __selinux_netlbl_inode_permission - Label a socket using NetLabel
+ * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
* @inode: the file descriptor's inode
* @mask: the permission mask
*
* Description:
- * Try to label a socket with the inode's SID using NetLabel. Returns zero on
- * success, negative values on failure.
+ * Looks at a file's inode and if it is marked as a socket protected by
+ * NetLabel then verify that the socket has been labeled, if not try to label
+ * the socket now with the inode's SID. Returns zero on success, negative
+ * values on failure.
*
*/
-int __selinux_netlbl_inode_permission(struct inode *inode, int mask)
+int selinux_netlbl_inode_permission(struct inode *inode, int mask)
{
int rc;
- struct socket *sock = SOCKET_I(inode);
- struct sk_security_struct *sksec = sock->sk->sk_security;
+ struct inode_security_struct *isec;
+ struct sk_security_struct *sksec;
+ struct socket *sock;
+
+ if (!S_ISSOCK(inode->i_mode))
+ return 0;
- lock_sock(sock->sk);
- rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
- release_sock(sock->sk);
+ sock = SOCKET_I(inode);
+ isec = inode->i_security;
+ sksec = sock->sk->sk_security;
+ down(&isec->sem);
+ if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
+ (mask & (MAY_WRITE | MAY_APPEND)))) {
+ lock_sock(sock->sk);
+ rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
+ release_sock(sock->sk);
+ } else
+ rc = 0;
+ up(&isec->sem);
return rc;
}
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-08-29 14:44 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-29 14:42 [PATCH 0/6] Various NetLabel fixes and cleanups paul.moore
2006-08-29 14:42 ` [PATCH 1/6] NetLabel: correctly initialize the NetLabel fields paul.moore
2006-08-29 16:51 ` James Morris
2006-08-29 17:56 ` Paul Moore
2006-08-29 19:17 ` James Morris
2006-08-29 20:21 ` Paul Moore
2006-08-29 17:01 ` James Morris
2006-08-29 14:42 ` [PATCH 2/6] NetLabel: remove unused function prototypes paul.moore
2006-08-29 16:56 ` James Morris
2006-08-29 14:42 ` [PATCH 3/6] NetLabel: comment corrections paul.moore
2006-08-29 16:57 ` James Morris
2006-08-29 14:42 ` [PATCH 4/6] NetLabel: cleanup ebitmap_import() paul.moore
2006-08-29 16:58 ` James Morris
2006-08-29 14:42 ` paul.moore [this message]
2006-08-29 16:54 ` [PATCH 5/6] NetLabel: uninline selinux_netlbl_inode_permission() James Morris
2006-08-29 14:42 ` [PATCH 6/6] NetLabel: add some missing #includes to various header files paul.moore
2006-08-29 16:56 ` James Morris
2006-08-30 0:56 ` [PATCH 0/6] Various NetLabel fixes and cleanups David Miller
2006-08-30 13:18 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060829144446.837714000@hp.com \
--to=paul.moore@hp.com \
--cc=akpm@osdl.org \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).