SELinux: peer secid consolidation for external network labeling
Now that labeled IPsec makes use of the peer_sid field in the sk_security_struct we can remove a lot of the special cases between labeled IPsec and NetLabel. In addition, create a new function, security_skb_extlbl_sid(), which we can use in several places to get the security context of the packet's external label which allows us to further simplify the code in a few places. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>

committed by
David S. Miller

parent
9f2ad66509
commit
3de4bab5b9
@@ -372,39 +372,6 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
|
||||
kfree(ctx);
|
||||
}
|
||||
|
||||
/*
|
||||
* SELinux internal function to retrieve the context of a UDP packet
|
||||
* based on its security association.
|
||||
*
|
||||
* Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
|
||||
* type SCM_SECURITY.
|
||||
*/
|
||||
u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
|
||||
{
|
||||
struct sec_path *sp;
|
||||
|
||||
if (skb == NULL)
|
||||
return SECSID_NULL;
|
||||
|
||||
if (skb->sk->sk_protocol != IPPROTO_UDP)
|
||||
return SECSID_NULL;
|
||||
|
||||
sp = skb->sp;
|
||||
if (sp) {
|
||||
int i;
|
||||
|
||||
for (i = sp->len-1; i >= 0; i--) {
|
||||
struct xfrm_state *x = sp->xvec[i];
|
||||
if (selinux_authorizable_xfrm(x)) {
|
||||
struct xfrm_sec_ctx *ctx = x->security;
|
||||
return ctx->ctx_sid;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return SECSID_NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* LSM hook implementation that authorizes deletion of labeled SAs.
|
||||
*/
|
||||
|