[redhat-lspp] [RFC] [MLSXFRM 01/04] Add support to core networking

Venkat Yekkirala vyekkirala at trustedcs.com
Tue Jun 13 22:09:17 UTC 2006


This patch adds a security sid to the flow key itself, making the flow cache
lookups based on the sid seamless.

This patch also adds support for handling security for sock. Security at the
sock level is needed to enforce the SELinux security policy for security associations
even when a sock is orphaned (such as in the TCP LAST_ACK state).

Signed-off-by: Venkat Yekkirala <vyekkirala at TrustedCS.com>

---
include/net/flow.h |    5 +++--
net/core/flow.c    |    7 ++-----
net/core/sock.c    |    4 ++++
3 files changed, 9 insertions(+), 7 deletions(-)

--- linux-2.6.16.vanilla/include/net/flow.h	2006-06-12 17:38:09.000000000 -0500
+++ linux-2.6.16/include/net/flow.h	2006-06-13 08:40:48.000000000 -0500
@@ -78,6 +78,7 @@ struct flowi {
 #define fl_icmp_type	uli_u.icmpt.type
 #define fl_icmp_code	uli_u.icmpt.code
 #define fl_ipsec_spi	uli_u.spi
+	__u32           sid;
 } __attribute__((__aligned__(BITS_PER_LONG/8)));
 
 #define FLOW_DIR_IN	0
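Review bot: The new `sid` member becomes part of the cache key only if every caller that builds a `struct flowi` initializes it, and this part of the series does not show those callers; a `struct flowi` assembled on the stack without a `.sid` initializer will carry stale stack data into the lookup, producing spurious cache misses and, more importantly, an unpredictable sid reaching the resolver that enforces policy. The same dependency applies to the net/core/flow.c hunks that drop the `fle->sk_sid == sk_sid` test and the `fle->sk_sid = sk_sid` store: they rely on `flow_key_compare()` (whose body lies outside those hunks) covering the whole struct, including the appended field and any alignment padding it introduces, so padding must be zeroed as well. Suggest documenting the contract at the declaration, `__u32 sid; /* LSM security id; part of the flow-cache key, callers must set it (zero-initialize the whole flowi) */`, and adding a one-line comment on `flow_resolve_t` that the resolver now reads the sid from `key->sid` rather than a separate argument.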
@@ -85,10 +86,10 @@ struct flowi {
 #define FLOW_DIR_FWD	2
 
 struct sock;
-typedef void (*flow_resolve_t)(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
+typedef void (*flow_resolve_t)(struct flowi *key, u16 family, u8 dir,
 			       void **objp, atomic_t **obj_refp);
 
-extern void *flow_cache_lookup(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
+extern void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir,
 	 		       flow_resolve_t resolver);
 extern void flow_cache_flush(void);
 extern atomic_t flow_cache_genid;
--- linux-2.6.16.vanilla/net/core/flow.c	2006-06-12 17:38:16.000000000 -0500
+++ linux-2.6.16/net/core/flow.c	2006-06-13 08:40:48.000000000 -0500
@@ -32,7 +32,6 @@ struct flow_cache_entry {
 	u8			dir;
 	struct flowi		key;
 	u32			genid;
-	u32			sk_sid;
 	void			*object;
 	atomic_t		*object_ref;
 };
@@ -165,7 +164,7 @@ static int flow_key_compare(struct flowi
 	return 0;
 }
 
-void *flow_cache_lookup(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
+void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir,
 			flow_resolve_t resolver)
 {
 	struct flow_cache_entry *fle, **head;
@@ -189,7 +188,6 @@ void *flow_cache_lookup(struct flowi *ke
 	for (fle = *head; fle; fle = fle->next) {
 		if (fle->family == family &&
 		    fle->dir == dir &&
-		    fle->sk_sid == sk_sid &&
 		    flow_key_compare(key, &fle->key) == 0) {
 			if (fle->genid == atomic_read(&flow_cache_genid)) {
 				void *ret = fle->object;
@@ -214,7 +212,6 @@ void *flow_cache_lookup(struct flowi *ke
 			*head = fle;
 			fle->family = family;
 			fle->dir = dir;
-			fle->sk_sid = sk_sid;
 			memcpy(&fle->key, key, sizeof(*key));
 			fle->object = NULL;
 			flow_count(cpu)++;
@@ -226,7 +223,7 @@ nocache:
 		void *obj;
 		atomic_t *obj_ref;
 
-		resolver(key, sk_sid, family, dir, &obj, &obj_ref);
+		resolver(key, family, dir, &obj, &obj_ref);
 
 		if (fle) {
 			fle->genid = atomic_read(&flow_cache_genid);
--- linux-2.6.16.vanilla/net/core/sock.c	2006-06-12 17:49:39.000000000 -0500
+++ linux-2.6.16/net/core/sock.c	2006-06-13 08:40:48.000000000 -0500
@@ -841,7 +841,11 @@ struct sock *sk_clone(const struct sock 
 	if (newsk != NULL) {
 		struct sk_filter *filter;
 
+		/* Save/restore the LSM security pointer around the copy */
+		void *sptr = newsk->sk_security;
 		memcpy(newsk, sk, sk->sk_prot->obj_size);
+		newsk->sk_security = sptr;
+		security_sk_clone(sk, newsk);
 
 		/* SANITY */
 		sk_node_init(&newsk->sk_node);
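Review bot: The save/restore comment says what is done but not why, and the reason is security-relevant: without it the `memcpy` would leave `newsk->sk_security` aliasing the parent's blob, so freeing either sock would free the other's LSM state. Suggest extending the comment to `/* memcpy would alias sk->sk_security into newsk; keep newsk's own blob and let the LSM derive the child's label from the parent via security_sk_clone() */`. It is presumably intentional that `security_sk_clone()` runs before the SANITY section re-initializes the list/refcount fields, since it only needs the copied protocol state; a brief note to that effect would help the next reader. `sk_clone()` continues outside the hunk.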



