
SELinux: Add network port SID cache

Much like we added a network node cache, this patch adds a network port
cache. The design is taken almost completely from the network node cache
which in turn was taken from the network interface cache. The basic idea is
to cache entries in a hash table based on protocol/port information. The
hash function only takes the port number into account since the number of
different protocols in use at any one time is expected to be relatively
small.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

authored by

Paul Moore and committed by
James Morris
3e112172 832cbd9a

+17 -21
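--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -11,6 +11,7 @@
 	nlmsgtab.o \
 	netif.o \
 	netnode.o \
+	netport.o \
 	exports.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o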
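--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -80,6 +80,7 @@
 #include "objsec.h"
 #include "netif.h"
 #include "netnode.h"
+#include "netport.h"
 #include "xfrm.h"
 #include "netlabel.h"
 
@@ -3671,10 +3670,8 @@
 		inet_get_local_port_range(&low, &high);
 
 		if (snum < max(PROT_SOCK, low) || snum > high) {
-			err = security_port_sid(sk->sk_family,
-						sk->sk_type,
-						sk->sk_protocol, snum,
-						&sid);
+			err = sel_netport_sid(sk->sk_protocol,
+					      snum, &sid);
 			if (err)
 				goto out;
 			AVC_AUDIT_DATA_INIT(&ad,NET);
@@ -3760,8 +3761,7 @@
 			snum = ntohs(addr6->sin6_port);
 		}
 
-		err = security_port_sid(sk->sk_family, sk->sk_type,
-					sk->sk_protocol, snum, &sid);
+		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
 		if (err)
 			goto out;
 
@@ -3991,9 +3993,8 @@
 
 	if (!recv_perm)
 		return 0;
-	err = security_port_sid(sk->sk_family, sk->sk_type,
-				sk->sk_protocol, ntohs(ad->u.net.sport),
-				&port_sid);
+	err = sel_netport_sid(sk->sk_protocol,
+			      ntohs(ad->u.net.sport), &port_sid);
 	if (unlikely(err)) {
 		printk(KERN_WARNING
 		       "SELinux: failure in"
@@ -4413,9 +4416,8 @@
 	if (send_perm != 0)
 		return 0;
 
-	err = security_port_sid(sk->sk_family, sk->sk_type,
-				sk->sk_protocol, ntohs(ad->u.net.dport),
-				&port_sid);
+	err = sel_netport_sid(sk->sk_protocol,
+			      ntohs(ad->u.net.dport), &port_sid);
 	if (unlikely(err)) {
 		printk(KERN_WARNING
 		       "SELinux: failure in"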
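Review bot: The bind-path call at new line 3673 wraps `sel_netport_sid(sk->sk_protocol, snum, &sid)` across two lines while the identical call at new line 3764 fits on one; keeping it on one line reads more consistently within the file. The prototype of sel_netport_sid lives in netport.h, which is not among the sections shown here, so this page alone cannot confirm that its protocol parameter has the same u8 width as the revised `security_port_sid(u8 protocol, u16 port, u32 *out_sid)`; the two signatures should presumably be kept in step since the cache is now the only front end for port SID lookups in hooks.c. The enclosing functions of every hunk start and end outside the hunks.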
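--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -103,6 +103,12 @@
 	u16 family;			/* address family */
 };
 
+struct netport_security_struct {
+	u32 sid;			/* SID for this node */
+	u16 port;			/* port number */
+	u8 protocol;			/* transport protocol */
+};
+
 struct sk_security_struct {
 	u32 sid;			/* SID of this object */
 	u32 peer_sid;			/* SID of peer */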
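Review bot: The comment on the new `sid` member of netport_security_struct reads `/* SID for this node */`, which looks carried over from the node cache struct it was modelled on; this struct describes a port, so it should read `u32 sid;			/* SID for this port */`. The other two member comments already name the port and the transport protocol correctly.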
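--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -102,8 +102,7 @@
 int security_get_user_sids(u32 callsid, char *username,
 			   u32 **sids, u32 *nel);
 
-int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port,
-	u32 *out_sid);
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
 
 int security_netif_sid(char *name, u32 *if_sid);
 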
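--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1472,17 +1472,11 @@
 
 /**
  * security_port_sid - Obtain the SID for a port.
- * @domain: communication domain aka address family
- * @type: socket type
  * @protocol: protocol number
  * @port: port number
  * @out_sid: security identifier
  */
-int security_port_sid(u16 domain,
-		      u16 type,
-		      u8 protocol,
-		      u16 port,
-		      u32 *out_sid)
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
 {
 	struct ocontext *c;
 	int rc = 0;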