Convert the xfrm and netlabel permission checks to use the appropriate namespace-aware helper for each check. When in process context, use cred_tsid_has_perm() to check permission; when not in process context, use selinux_state_has_perm(). Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> --- security/selinux/netlabel.c | 6 +++--- security/selinux/xfrm.c | 33 ++++++++++++++++++--------------- 2 files changed, 21 insertions(+), 18 deletions(-) diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 9c360f2ee7fc..06ce45f628f8 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -137,7 +137,7 @@ void selinux_netlbl_cache_invalidate(void) * @gateway: true if host is acting as a gateway, false otherwise * * Description: - * When a packet is dropped due to a call to avc_has_perm() pass the error + * When a packet is dropped due to a permission denial, pass the error * code to the NetLabel subsystem so any protocol specific processing can be * done. This is safe to call even if you are unsure if NetLabel labeling is * present on the packet, NetLabel is smart enough to only act when it should. @@ -478,8 +478,8 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, perm = RAWIP_SOCKET__RECVFROM; } - rc = avc_has_perm(sksec->state, sksec->sid, nlbl_sid, sksec->sclass, - perm, ad); + rc = selinux_state_has_perm(sksec->state, sksec->sid, nlbl_sid, + sksec->sclass, perm, ad); if (rc == 0) return 0; diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 855f77630bdb..be91a28ab47b 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -102,9 +102,9 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, if (rc) goto err; - rc = avc_has_perm(current_selinux_state, - current_sid(), ctx->ctx_sid, - SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL); + rc = cred_tsid_has_perm(current_cred(), ctx->ctx_sid, + SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, + NULL); if (rc) goto err; @@ -137,10 +137,9 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) if (!ctx) return 0; - return avc_has_perm(current_selinux_state, - current_sid(), ctx->ctx_sid, - SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, - NULL); + return cred_tsid_has_perm(current_cred(), ctx->ctx_sid, + SECCLASS_ASSOCIATION, + ASSOCIATION__SETCONTEXT, NULL); } /* @@ -162,8 +161,9 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid) if (!selinux_authorizable_ctx(ctx)) return -EINVAL; - rc = avc_has_perm(state, fl_secid, ctx->ctx_sid, - SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL); + rc = selinux_state_has_perm(state, fl_secid, ctx->ctx_sid, + SECCLASS_ASSOCIATION, + ASSOCIATION__POLMATCH, NULL); return (rc == -EACCES ? -ESRCH : rc); } @@ -205,8 +205,9 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, /* We don't need a separate SA Vs. policy polmatch check since the SA * is now of the same label as the flow and a flow Vs. policy polmatch * check had already happened in selinux_xfrm_policy_lookup() above. */ - return (avc_has_perm(state, flic_sid, state_sid, SECCLASS_ASSOCIATION, - ASSOCIATION__SENDTO, NULL) ? 0 : 1); + return (selinux_state_has_perm(state, flic_sid, state_sid, + SECCLASS_ASSOCIATION, + ASSOCIATION__SENDTO, NULL) ? 0 : 1); } static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb) @@ -425,8 +426,9 @@ int selinux_xfrm_sock_rcv_skb(struct sk_security_struct *sksec, struct sk_buff * /* This check even when there's no association involved is intended, * according to Trent Jaeger, to make sure a process can't engage in * non-IPsec communication unless explicitly allowed by policy. */ - return avc_has_perm(sksec->state, sk_sid, peer_sid, - SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad); + return selinux_state_has_perm(sksec->state, sk_sid, peer_sid, + SECCLASS_ASSOCIATION, + ASSOCIATION__RECVFROM, ad); } /* @@ -469,6 +471,7 @@ int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, /* This check even when there's no association involved is intended, * according to Trent Jaeger, to make sure a process can't engage in * non-IPsec communication unless explicitly allowed by policy. */ - return avc_has_perm(state, sk_sid, SECINITSID_UNLABELED, - SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad); + return selinux_state_has_perm(state, sk_sid, SECINITSID_UNLABELED, + SECCLASS_ASSOCIATION, + ASSOCIATION__SENDTO, ad); } -- 2.47.1
