From: paul.moore@hp.com
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: vyekkirala@TrustedCS.com, jmorris@namei.org, sds@tycho.nsa.gov
Subject: [PATCH 08/11] secid reconciliation: Use secmark when classifying flow using skb
Date: Mon, 09 Oct 2006 15:42:31 -0400 [thread overview]
Message-ID: <20061009195850.814267000@hp.com> (raw)
In-Reply-To: 20061009194223.402695000@hp.com
[-- Attachment #1: secid-8 --]
[-- Type: text/plain, Size: 2533 bytes --]
From: Venkat Yekkirala <vyekkirala@TrustedCS.com>
This beings secmark into the picture when classifying flows
using an skb.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
---
include/linux/security.h | 10 ----------
include/linux/skbuff.h | 20 ++++++++++++++++++++
2 files changed, 20 insertions(+), 10 deletions(-)
Index: net-2.6_secidfinal/include/linux/security.h
===================================================================
--- net-2.6_secidfinal.orig/include/linux/security.h
+++ net-2.6_secidfinal/include/linux/security.h
@@ -3224,12 +3224,6 @@ static inline int security_xfrm_decode_s
return security_ops->xfrm_decode_session(skb, secid, 1);
}
-static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
-{
- int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
-
- BUG_ON(rc);
-}
#else /* CONFIG_SECURITY_NETWORK_XFRM */
static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
{
@@ -3298,10 +3292,6 @@ static inline int security_xfrm_decode_s
return 0;
}
-static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
-{
-}
-
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
#ifdef CONFIG_KEYS
Index: net-2.6_secidfinal/include/linux/skbuff.h
===================================================================
--- net-2.6_secidfinal.orig/include/linux/skbuff.h
+++ net-2.6_secidfinal/include/linux/skbuff.h
@@ -30,6 +30,7 @@
#include <net/checksum.h>
#include <linux/dmaengine.h>
#include <net/flow.h>
+#include <linux/security.h>
#define HAVE_ALLOC_SKB /* For the drivers to know */
#define HAVE_ALIGNABLE_SKB /* Ditto 8) */
@@ -1514,6 +1515,20 @@ static inline void security_flow_classif
skb->secmark = fl->secid;
}
+static inline void security_skb_classify_flow(struct sk_buff *skb,
+ struct flowi *fl)
+{
+ /*
+ * We need to check for xfrm label here since secid reconciliation
+ * may or may not have happened yet and we want the
+ * flow to use the best available label.
+ */
+ int rc = security_xfrm_decode_session(skb, &fl->secid);
+
+ if (rc || !fl->secid)
+ fl->secid = skb->secmark;
+}
+
#else
static inline void security_skb_classify_skb(struct sk_buff *from,
@@ -1526,6 +1541,11 @@ static inline void security_flow_classif
{
}
+static inline void security_skb_classify_flow(struct sk_buff *skb,
+ struct flowi *fl)
+{
+}
+
#endif /* CONFIG_SECURITY_NETWORK */
#endif /* __KERNEL__ */
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-10-09 19:58 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-09 19:42 [PATCH 00/11] The _entire_ secid reconciliation patchset (tada!) paul.moore
2006-10-09 19:42 ` [PATCH 01/11] secid reconciliation: new SELinux flask definitions paul.moore
2006-10-09 19:42 ` [PATCH 02/11] secid reconciliation: Add LSM hooks paul.moore
2006-10-09 19:42 ` [PATCH 03/11] secid reconciliation: Invoke LSM hook for inbound traffic paul.moore
2006-10-09 19:42 ` [PATCH 04/11] secid reconciliation: Invoke LSM hook for outbound traffic paul.moore
2006-10-09 19:42 ` [PATCH 05/11] secid reconciliation: Label locally generated IPv6 traffic paul.moore
2006-10-09 19:42 ` [PATCH 06/11] secid reconciliation: Label locally generated IPv4 traffic paul.moore
2006-10-09 19:42 ` [PATCH 07/11] secid reconciliation: Enforcement for SELinux paul.moore
2006-10-09 19:42 ` paul.moore [this message]
2006-10-09 19:42 ` [PATCH 09/11] secid reconciliation: Track peersecid at connection establishment paul.moore
2006-10-09 19:42 ` [PATCH 10/11] secid reconciliation: various fixes paul.moore
2006-10-09 19:42 ` [PATCH 11/11] secid reconciliation: support for NetLabel paul.moore
2006-10-09 20:19 ` [PATCH 00/11] The _entire_ secid reconciliation patchset (tada!) James Morris
2006-10-09 20:30 ` Paul Moore
2006-10-09 20:36 ` James Morris
2006-10-11 19:20 ` Venkat Yekkirala
2006-10-12 7:26 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061009195850.814267000@hp.com \
--to=paul.moore@hp.com \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).