
netlabel: Pass a family parameter to netlbl_skbuff_err().

This makes it possible to route the error to the appropriate
labelling engine. CALIPSO is far less verbose than CIPSO
when encountering a bogus packet, so there is no need for a
CALIPSO error handler.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Huw Davies and committed by
Paul Moore
a04e71f6 2917f57b

+19 -12
+1 -1
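--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -488,7 +488,7 @@
 int netlbl_skbuff_getattr(const struct sk_buff *skb,
 u16 family,
 struct netlbl_lsm_secattr *secattr);
-void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway);
+void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway);
 
 /*
  * LSM label mapping cache operations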
+8 -3
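--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1249,6 +1249,7 @@
 /**
  * netlbl_skbuff_err - Handle a LSM error on a sk_buff
  * @skb: the packet
+ * @family: the family
  * @error: the error code
  * @gateway: true if host is acting as a gateway, false otherwise
  *
@@ -1258,10 +1259,14 @@
  * according to the packet's labeling protocol.
  *
  */
-void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway)
+void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway)
 {
-if (cipso_v4_optptr(skb))
-cipso_v4_error(skb, error, gateway);
+switch (family) {
+case AF_INET:
+if (cipso_v4_optptr(skb))
+cipso_v4_error(skb, error, gateway);
+break;
+}
 }
 
 /**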
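Review bot: The new `switch (family)` in netlbl_skbuff_err() has only an `AF_INET` arm, and nothing in the code says that every other family is ignored on purpose; that reasoning lives only in the commit message. A short comment inside the switch, e.g. `/* AF_INET6: CALIPSO has no error handler, nothing to do */`, would keep a later reader from treating the missing case as an oversight. The kernel-doc entry `@family: the family` could also say what the value describes, e.g. `@family: the address family of the packet`. The CIPSO error path is now reached only when the caller passes AF_INET, whereas the removed code ran it for any skb where cipso_v4_optptr() found an option, so callers have to pass the packet's family and not merely the socket's.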
+3 -3
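--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4603,13 +4603,13 @@
 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
 addrp, family, peer_sid, &ad);
 if (err) {
-selinux_netlbl_err(skb, err, 0);
+selinux_netlbl_err(skb, family, err, 0);
 return err;
 }
 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
 PEER__RECV, &ad);
 if (err) {
-selinux_netlbl_err(skb, err, 0);
+selinux_netlbl_err(skb, family, err, 0);
 return err;
 }
 }
@@ -4977,7 +4977,7 @@
 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
 addrp, family, peer_sid, &ad);
 if (err) {
-selinux_netlbl_err(skb, err, 1);
+selinux_netlbl_err(skb, family, err, 1);
 return NF_DROP;
 }
 }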
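Review bot: These three calls pass `family` straight through, and with this commit that value decides whether cipso_v4_error() runs at all, so it has to describe the packet rather than the socket. The assignment of `family` lies outside both hunks; it is worth confirming that an IPv4 packet received on an AF_INET6 socket reaches these calls as AF_INET, otherwise the error response for a rejected CIPSO-labelled packet would be silently skipped. The same question applies to the `netlbl_skbuff_err(skb, family, rc, 0)` call in security/selinux/netlabel.c and to security/smack/smack_lsm.c, which passes `sk->sk_family` directly from inside what appears to be its IPv4 branch.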
+3 -1
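--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -40,7 +40,8 @@
 #ifdef CONFIG_NETLABEL
 void selinux_netlbl_cache_invalidate(void);
 
-void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway);
+void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error,
+int gateway);
 
 void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec);
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec);
@@ -72,6 +73,7 @@
 }
 
 static inline void selinux_netlbl_err(struct sk_buff *skb,
+u16 family,
 int error,
 int gateway)
 {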
+3 -3
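--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -151,9 +151,9 @@
  * present on the packet, NetLabel is smart enough to only act when it should.
  *
  */
-void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway)
+void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error, int gateway)
 {
-netlbl_skbuff_err(skb, error, gateway);
+netlbl_skbuff_err(skb, family, error, gateway);
 }
 
 /**
@@ -405,7 +405,7 @@
 return 0;
 
 if (nlbl_sid != SECINITSID_UNLABELED)
-netlbl_skbuff_err(skb, family, rc, 0);
+netlbl_skbuff_err(skb, family, rc, 0);
 return rc;
 }
 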
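Review bot: The kernel-doc block above selinux_netlbl_err() does not appear to gain an `@family` line, since the section's three changed lines are the signature and the two netlbl_skbuff_err() calls. Only the tail of that comment is visible in the first hunk, so this is inferred from the change counts rather than read from the header itself. If the header lists the other parameters, add a matching entry such as `* @family: the address family of the packet` so the comment stays in step with the new signature and kernel-doc does not report an undescribed parameter.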
+1 -1
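--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3992,7 +3992,7 @@
 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
 MAY_WRITE, rc);
 if (rc != 0)
-netlbl_skbuff_err(skb, rc, 0);
+netlbl_skbuff_err(skb, sk->sk_family, rc, 0);
 break;
 #if IS_ENABLED(CONFIG_IPV6)
 case PF_INET6: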