[NetLabel]: consolidate the struct socket/sock handling to just struct sock

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The current NetLabel code has some redundant APIs which allow both
"struct socket" and "struct sock" types to be used; this may have made
sense at some point but it is wasteful now. Remove the functions that
operate on sockets and convert the callers. Not only does this make
the code smaller and more consistent but it pushes the locking burden
up to the caller which can be more intelligent about the locks. Also,
perform the same conversion (socket to sock) on the SELinux/NetLabel
glue code where it make sense.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Paul Moore and committed by

David S. Miller 19 years ago ba6ff9f2 6363097c

+47 -107

5 changed files

expand all

include

net

cipso_ipv4.h

netlabel.h

net

ipv4

cipso_ipv4.c

netlabel

netlabel_kapi.c

security

selinux

netlabel.c

+6 -14

include/net/cipso_ipv4.h

··· 203 203 204 204 #ifdef CONFIG_NETLABEL 205 205 void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway); 206 - int cipso_v4_socket_setattr(const struct socket *sock, 207 - const struct cipso_v4_doi *doi_def, 208 - const struct netlbl_lsm_secattr *secattr); 206 + int cipso_v4_sock_setattr(struct sock *sk, 207 + const struct cipso_v4_doi *doi_def, 208 + const struct netlbl_lsm_secattr *secattr); 209 209 int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr); 210 - int cipso_v4_socket_getattr(const struct socket *sock, 211 - struct netlbl_lsm_secattr *secattr); 212 210 int cipso_v4_skbuff_getattr(const struct sk_buff *skb, 213 211 struct netlbl_lsm_secattr *secattr); 214 212 int cipso_v4_validate(unsigned char **option); ··· 218 220 return; 219 221 } 220 222 221 - static inline int cipso_v4_socket_setattr(const struct socket *sock, 222 - const struct cipso_v4_doi *doi_def, 223 - const struct netlbl_lsm_secattr *secattr) 223 + static inline int cipso_v4_sock_setattr(struct sock *sk, 224 + const struct cipso_v4_doi *doi_def, 225 + const struct netlbl_lsm_secattr *secattr) 224 226 { 225 227 return -ENOSYS; 226 228 } 227 229 228 230 static inline int cipso_v4_sock_getattr(struct sock *sk, 229 231 struct netlbl_lsm_secattr *secattr) 230 - { 231 - return -ENOSYS; 232 - } 233 - 234 - static inline int cipso_v4_socket_getattr(const struct socket *sock, 235 - struct netlbl_lsm_secattr *secattr) 236 232 { 237 233 return -ENOSYS; 238 234 }

+3 -11

include/net/netlabel.h

··· 332 332 */ 333 333 334 334 #ifdef CONFIG_NETLABEL 335 - int netlbl_socket_setattr(const struct socket *sock, 336 - const struct netlbl_lsm_secattr *secattr); 335 + int netlbl_sock_setattr(struct sock *sk, 336 + const struct netlbl_lsm_secattr *secattr); 337 337 int netlbl_sock_getattr(struct sock *sk, 338 338 struct netlbl_lsm_secattr *secattr); 339 - int netlbl_socket_getattr(const struct socket *sock, 340 - struct netlbl_lsm_secattr *secattr); 341 339 int netlbl_skbuff_getattr(const struct sk_buff *skb, 342 340 struct netlbl_lsm_secattr *secattr); 343 341 void netlbl_skbuff_err(struct sk_buff *skb, int error); 344 342 #else 345 - static inline int netlbl_socket_setattr(const struct socket *sock, 343 + static inline int netlbl_sock_setattr(struct sock *sk, 346 344 const struct netlbl_lsm_secattr *secattr) 347 345 { 348 346 return -ENOSYS; ··· 348 350 349 351 static inline int netlbl_sock_getattr(struct sock *sk, 350 352 struct netlbl_lsm_secattr *secattr) 351 - { 352 - return -ENOSYS; 353 - } 354 - 355 - static inline int netlbl_socket_getattr(const struct socket *sock, 356 - struct netlbl_lsm_secattr *secattr) 357 353 { 358 354 return -ENOSYS; 359 355 }

+8 -33

net/ipv4/cipso_ipv4.c

··· 1709 1709 } 1710 1710 1711 1711 /** 1712 - * cipso_v4_socket_setattr - Add a CIPSO option to a socket 1713 - * @sock: the socket 1712 + * cipso_v4_sock_setattr - Add a CIPSO option to a socket 1713 + * @sk: the socket 1714 1714 * @doi_def: the CIPSO DOI to use 1715 1715 * @secattr: the specific security attributes of the socket 1716 1716 * 1717 1717 * Description: 1718 1718 * Set the CIPSO option on the given socket using the DOI definition and 1719 1719 * security attributes passed to the function. This function requires 1720 - * exclusive access to @sock->sk, which means it either needs to be in the 1721 - * process of being created or locked via lock_sock(sock->sk). Returns zero on 1722 - * success and negative values on failure. 1720 + * exclusive access to @sk, which means it either needs to be in the 1721 + * process of being created or locked. Returns zero on success and negative 1722 + * values on failure. 1723 1723 * 1724 1724 */ 1725 - int cipso_v4_socket_setattr(const struct socket *sock, 1726 - const struct cipso_v4_doi *doi_def, 1727 - const struct netlbl_lsm_secattr *secattr) 1725 + int cipso_v4_sock_setattr(struct sock *sk, 1726 + const struct cipso_v4_doi *doi_def, 1727 + const struct netlbl_lsm_secattr *secattr) 1728 1728 { 1729 1729 int ret_val = -EPERM; 1730 1730 u32 iter; ··· 1732 1732 u32 buf_len = 0; 1733 1733 u32 opt_len; 1734 1734 struct ip_options *opt = NULL; 1735 - struct sock *sk; 1736 1735 struct inet_sock *sk_inet; 1737 1736 struct inet_connection_sock *sk_conn; 1738 1737 ··· 1739 1740 * defined yet but it is not a problem as the only users of these 1740 1741 * "lite" PF_INET sockets are functions which do an accept() call 1741 1742 * afterwards so we will label the socket as part of the accept(). */ 1742 - sk = sock->sk; 1743 1743 if (sk == NULL) 1744 1744 return 0; 1745 1745 ··· 1885 1887 break; 1886 1888 } 1887 1889 rcu_read_unlock(); 1888 - 1889 - return ret_val; 1890 - } 1891 - 1892 - /** 1893 - * cipso_v4_socket_getattr - Get the security attributes from a socket 1894 - * @sock: the socket 1895 - * @secattr: the security attributes 1896 - * 1897 - * Description: 1898 - * Query @sock to see if there is a CIPSO option attached to the socket and if 1899 - * there is return the CIPSO security attributes in @secattr. Returns zero on 1900 - * success and negative values on failure. 1901 - * 1902 - */ 1903 - int cipso_v4_socket_getattr(const struct socket *sock, 1904 - struct netlbl_lsm_secattr *secattr) 1905 - { 1906 - int ret_val; 1907 - 1908 - lock_sock(sock->sk); 1909 - ret_val = cipso_v4_sock_getattr(sock->sk, secattr); 1910 - release_sock(sock->sk); 1911 1890 1912 1891 return ret_val; 1913 1892 }

+9 -34

net/netlabel/netlabel_kapi.c

··· 246 246 247 247 /** 248 248 * netlbl_socket_setattr - Label a socket using the correct protocol 249 - * @sock: the socket to label 249 + * @sk: the socket to label 250 250 * @secattr: the security attributes 251 251 * 252 252 * Description: 253 253 * Attach the correct label to the given socket using the security attributes 254 - * specified in @secattr. This function requires exclusive access to 255 - * @sock->sk, which means it either needs to be in the process of being 256 - * created or locked via lock_sock(sock->sk). Returns zero on success, 257 - * negative values on failure. 254 + * specified in @secattr. This function requires exclusive access to @sk, 255 + * which means it either needs to be in the process of being created or locked. 256 + * Returns zero on success, negative values on failure. 258 257 * 259 258 */ 260 - int netlbl_socket_setattr(const struct socket *sock, 261 - const struct netlbl_lsm_secattr *secattr) 259 + int netlbl_sock_setattr(struct sock *sk, 260 + const struct netlbl_lsm_secattr *secattr) 262 261 { 263 262 int ret_val = -ENOENT; 264 263 struct netlbl_dom_map *dom_entry; ··· 268 269 goto socket_setattr_return; 269 270 switch (dom_entry->type) { 270 271 case NETLBL_NLTYPE_CIPSOV4: 271 - ret_val = cipso_v4_socket_setattr(sock, 272 - dom_entry->type_def.cipsov4, 273 - secattr); 272 + ret_val = cipso_v4_sock_setattr(sk, 273 + dom_entry->type_def.cipsov4, 274 + secattr); 274 275 break; 275 276 case NETLBL_NLTYPE_UNLABELED: 276 277 ret_val = 0; ··· 301 302 int ret_val; 302 303 303 304 ret_val = cipso_v4_sock_getattr(sk, secattr); 304 - if (ret_val == 0) 305 - return 0; 306 - 307 - return netlbl_unlabel_getattr(secattr); 308 - } 309 - 310 - /** 311 - * netlbl_socket_getattr - Determine the security attributes of a socket 312 - * @sock: the socket 313 - * @secattr: the security attributes 314 - * 315 - * Description: 316 - * Examines the given socket to see any NetLabel style labeling has been 317 - * applied to the socket, if so it parses the socket label and returns the 318 - * security attributes in @secattr. Returns zero on success, negative values 319 - * on failure. 320 - * 321 - */ 322 - int netlbl_socket_getattr(const struct socket *sock, 323 - struct netlbl_lsm_secattr *secattr) 324 - { 325 - int ret_val; 326 - 327 - ret_val = cipso_v4_socket_getattr(sock, secattr); 328 305 if (ret_val == 0) 329 306 return 0; 330 307

+21 -15

security/selinux/netlabel.c

··· 36 36 #include "security.h" 37 37 38 38 /** 39 - * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism 40 - * @sock: the socket to label 39 + * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism 40 + * @sk: the socket to label 41 41 * @sid: the SID to use 42 42 * 43 43 * Description: ··· 47 47 * this function and rcu_read_unlock() after this function returns. 48 48 * 49 49 */ 50 - static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) 50 + static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid) 51 51 { 52 52 int rc; 53 - struct sk_security_struct *sksec = sock->sk->sk_security; 53 + struct sk_security_struct *sksec = sk->sk_security; 54 54 struct netlbl_lsm_secattr secattr; 55 55 56 56 rc = security_netlbl_sid_to_secattr(sid, &secattr); 57 57 if (rc != 0) 58 58 return rc; 59 59 60 - rc = netlbl_socket_setattr(sock, &secattr); 60 + rc = netlbl_sock_setattr(sk, &secattr); 61 61 if (rc == 0) { 62 62 spin_lock_bh(&sksec->nlbl_lock); 63 63 sksec->nlbl_state = NLBL_LABELED; ··· 206 206 /* Try to set the NetLabel on the socket to save time later, if we fail 207 207 * here we will pick up the pieces in later calls to 208 208 * selinux_netlbl_inode_permission(). */ 209 - selinux_netlbl_socket_setsid(sock, sksec->sid); 209 + selinux_netlbl_sock_setsid(sk, sksec->sid); 210 210 211 211 rcu_read_unlock(); 212 212 } ··· 223 223 int selinux_netlbl_socket_post_create(struct socket *sock) 224 224 { 225 225 int rc = 0; 226 + struct sock *sk = sock->sk; 226 227 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 227 - struct sk_security_struct *sksec = sock->sk->sk_security; 228 + struct sk_security_struct *sksec = sk->sk_security; 228 229 229 230 sksec->sclass = isec->sclass; 230 231 231 232 rcu_read_lock(); 232 233 if (sksec->nlbl_state == NLBL_REQUIRE) 233 - rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 234 + rc = selinux_netlbl_sock_setsid(sk, sksec->sid); 234 235 rcu_read_unlock(); 235 236 236 237 return rc; ··· 252 251 int selinux_netlbl_inode_permission(struct inode *inode, int mask) 253 252 { 254 253 int rc; 255 - struct sk_security_struct *sksec; 254 + struct sock *sk; 256 255 struct socket *sock; 256 + struct sk_security_struct *sksec; 257 257 258 258 if (!S_ISSOCK(inode->i_mode) || 259 259 ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) 260 260 return 0; 261 261 sock = SOCKET_I(inode); 262 - sksec = sock->sk->sk_security; 262 + sk = sock->sk; 263 + sksec = sk->sk_security; 263 264 264 265 rcu_read_lock(); 265 266 if (sksec->nlbl_state != NLBL_REQUIRE) { ··· 269 266 return 0; 270 267 } 271 268 local_bh_disable(); 272 - bh_lock_sock_nested(sock->sk); 273 - rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 274 - bh_unlock_sock(sock->sk); 269 + bh_lock_sock_nested(sk); 270 + rc = selinux_netlbl_sock_setsid(sk, sksec->sid); 271 + bh_unlock_sock(sk); 275 272 local_bh_enable(); 276 273 rcu_read_unlock(); 277 274 ··· 348 345 int optname) 349 346 { 350 347 int rc = 0; 351 - struct sk_security_struct *sksec = sock->sk->sk_security; 348 + struct sock *sk = sock->sk; 349 + struct sk_security_struct *sksec = sk->sk_security; 352 350 struct netlbl_lsm_secattr secattr; 353 351 354 352 rcu_read_lock(); 355 353 if (level == IPPROTO_IP && optname == IP_OPTIONS && 356 354 sksec->nlbl_state == NLBL_LABELED) { 357 355 netlbl_secattr_init(&secattr); 358 - rc = netlbl_socket_getattr(sock, &secattr); 356 + lock_sock(sk); 357 + rc = netlbl_sock_getattr(sk, &secattr); 358 + release_sock(sk); 359 359 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 360 360 rc = -EACCES; 361 361 netlbl_secattr_destroy(&secattr);