From: Roy.Li <rongqing.li@xxxxxxxxxxxxx>
Define security_sk_getsecctx to return the security context of a sock.
Signed-off-by: Roy.Li <rongqing.li@xxxxxxxxxxxxx>
---
 include/linux/security.h | 13 +++++++++++++
 security/capability.c | 6 ++++++
 security/security.c | 6 ++++++
 security/selinux/hooks.c | 9 +++++++++
 4 files changed, 34 insertions(+), 0 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index ebd2a53..6bb8e0c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -959,6 +959,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @sk_getsecid:
 * Retrieve the LSM-specific secid for the sock to enable caching of network
 * authorizations.
+ * @sk_getsecctx:
+ * Returns a string containing sock security context information
+ * @sk whom we wish to get the security context.
+ * @ctx is the address of the pointer to where to place the allocated
+ * security context.
+ * @ctxlen points to the value of the length of the security context.
 * @sock_graft:
 * Sets the socket's isec sid to the sock's sid.
 * @inet_conn_request:
@@ -1600,6 +1606,7 @@ struct security_operations {
 void (*sk_free_security) (struct sock *sk);
 void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
 void (*sk_getsecid) (struct sock *sk, u32 *secid);
+ int (*sk_getsecctx) (struct sock *sk, void **ctx, u32 *ctxlen);
 void (*sock_graft) (struct sock *sk, struct socket *parent);
 int (*inet_conn_request) (struct sock *sk, struct sk_buff *skb,
 struct request_sock *req);
@@ -2574,6 +2581,7 @@ void security_secmark_refcount_dec(void);
 int security_tun_dev_create(void);
 void security_tun_dev_post_create(struct sock *sk);
 int security_tun_dev_attach(struct sock *sk);
+int security_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen);
 #else /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct sock *sock,
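Review bot: The new @sk_getsecctx documentation says the context is "allocated" but never states who releases it or what the hook returns, although the same patch declares the hook as `int`. The other context-returning hooks are paired with security_release_secctx, so the comment should say so explicitly, e.g. `Return 0 on success or a negative error code; the returned context is released with security_release_secctx().`. The line "Returns a string containing sock security context information" also reads like a return-value description even though the string comes back through @ctx; rewording it to "Stores in @ctx a string containing …" would make the contract clearer to LSM implementers.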
@@ -2751,6 +2759,11 @@ static inline int security_tun_dev_attach(struct sock *sk)
 {
 return 0;
 }
+
+static int security_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen)
+{
+ return -EOPNOTSUPP;
+}
 #endif /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/security/capability.c b/security/capability.c
index 2984ea4..89256a6 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -664,6 +664,11 @@ static void cap_sk_getsecid(struct sock *sk, u32 *secid)
 {
 }
+static int cap_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen)
+{
+ return 0;
+}
+
 static void cap_sock_graft(struct sock *sk, struct socket *parent)
 {
 }
@@ -1032,6 +1037,7 @@ void __init security_fixup_ops(struct security_operations *ops)
 set_to_cap_if_null(ops, sk_free_security);
 set_to_cap_if_null(ops, sk_clone_security);
 set_to_cap_if_null(ops, sk_getsecid);
+ set_to_cap_if_null(ops, sk_getsecctx);
 set_to_cap_if_null(ops, sock_graft);
 set_to_cap_if_null(ops, inet_conn_request);
 set_to_cap_if_null(ops, inet_csk_clone);
diff --git a/security/security.c b/security/security.c
index 0e4fccf..a939f5c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -757,6 +757,12 @@ void security_task_getsecid(struct task_struct *p, u32 *secid)
 }
 EXPORT_SYMBOL(security_task_getsecid);
+int security_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen)
+{
+ return security_ops->sk_getsecctx(sk, ctx, ctxlen);
+}
+EXPORT_SYMBOL(security_sk_getsecctx);
+
 int security_task_setnice(struct task_struct *p, int nice)
 {
 return security_ops->task_setnice(p, nice);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 266a229..6e96f01 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
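Review bot: The !CONFIG_SECURITY_NETWORK stub `static int security_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen)` is missing `inline`, unlike the neighbouring `static inline int security_tun_dev_attach` stub in the same hunk. As a plain static function in a header it is a separate unused definition in every translation unit that includes security.h without calling it, which draws -Wunused-function warnings and is not how the rest of this fallback section is written. Change the line to `static inline int security_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen)`.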
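Review bot: `cap_sk_getsecctx` returns 0 without storing anything through `ctx` or `ctxlen`, so a caller that takes 0 as success will read an unset context pointer and length, and may later hand that pointer to security_release_secctx. The header's own !CONFIG_SECURITY_NETWORK stub in this same patch returns -EOPNOTSUPP for the identical hook, so the capability default is also inconsistent with it. Make the default `return -EOPNOTSUPP;`, or if "no context" is meant to be a success case, set `*ctx = NULL; *ctxlen = 0;` before returning 0 and document that contract in security.h.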
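Review bot: The out-of-line `security_sk_getsecctx` wrapper is inserted between `security_task_getsecid` and `security_task_setnice` rather than with the socket hooks, while the header only declares it under CONFIG_SECURITY_NETWORK and supplies a `static` stub of the same name otherwise. If this region of security.c is not itself inside `#ifdef CONFIG_SECURITY_NETWORK` (the surrounding guards are outside the hunk), a build with that option disabled would get a non-static definition of a symbol the header already defined static, and `security_ops->sk_getsecctx` may not be a member of the struct in that configuration. Moving the wrapper and its `EXPORT_SYMBOL` into the CONFIG_SECURITY_NETWORK section next to the other sk_* wrappers (for example security_sk_clone) avoids both problems and keeps the file's grouping.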
@@ -4284,6 +4284,14 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
 }
 }
+static int selinux_sk_getsecctx(struct sock *sk, void **ctx, u32 *ctxlen)
+{
+ u32 secid;
+
+ selinux_sk_getsecid(sk, &secid);
+ return security_sid_to_context(secid, ctx, ctxlen);
+}
+
 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
 {
 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
@@ -5613,6 +5621,7 @@ static struct security_operations selinux_ops = {
 .sk_free_security = selinux_sk_free_security,
 .sk_clone_security = selinux_sk_clone_security,
 .sk_getsecid = selinux_sk_getsecid,
+ .sk_getsecctx = selinux_sk_getsecctx,
 .sock_graft = selinux_sock_graft,
 .inet_conn_request = selinux_inet_conn_request,
 .inet_csk_clone = selinux_inet_csk_clone,
--
1.7.1
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
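Review bot: `selinux_sk_getsecctx` passes `ctx`, a `void **`, straight to `security_sid_to_context`, whose context out-parameter is a `char **` (the type the secid_to_secctx hooks use), so this call should produce an incompatible-pointer-type warning; write `return security_sid_to_context(secid, (char **)ctx, ctxlen);` or declare the hook with `char **ctx`. The secid obtained from `selinux_sk_getsecid` is also used without inspection; that helper's body lies above the hunk, but if it yields SECSID_NULL for a sock without a security blob, the SID lookup would presumably fail with a kernel log message instead of a clean error, so an early `if (secid == SECSID_NULL) return -EINVAL;` (or whichever error the caller expects) is worth considering. The enclosing `selinux_sk_getsecid` shown as context starts outside the hunk.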