[redhat-lspp] [RFC] [MLSXFRM 02/04] Add enforcement to SELinux LSM
Stephen Smalley
sds at tycho.nsa.gov
Thu Jun 15 15:52:57 UTC 2006
On Tue, 2006-06-13 at 17:09 -0500, Venkat Yekkirala wrote:
> This patch adds enforcement of controls added to the xfrm subsystem. Three
> new hooks are added to help with this. Security for IP sockets at the sock
> level is also added. A polmatch permission is also added to the association
> access vector to enable arbitration of flow/state access to a policy rule.
>
> Signed-off-by: Venkat Yekkirala <vyekkirala at TrustedCS.com>
> +static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
> + struct xfrm_policy *xp, struct flowi *fl)
> +{
> + return 1;
> +}
> +
> +static inline int security_xfrm_flow_state_match(struct flowi *fl,
> + struct xfrm_state *xfrm)
> +{
> + return 1;
> +}
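Review bot: the two inline stubs name the same `struct xfrm_state` parameter differently (`x` in security_xfrm_state_pol_flow_match, `xfrm` in security_xfrm_flow_state_match); pick one name for both, and add a one-line comment stating that a non-zero return means "match", since the real hook implementations and the dummy module need to follow the same convention as these stubs.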
In the !CONFIG_SECURITY_NETWORK_XFRM case, you return 1 from these
matching functions, i.e. always match. But...
> --- linux-2.6.16.vanilla/security/dummy.c 2006-06-12 17:49:44.000000000 -0500
> +++ linux-2.6.16/security/dummy.c 2006-06-13 08:40:48.000000000 -0500
> +static int dummy_xfrm_state_pol_flow_match(struct xfrm_state *x,
> + struct xfrm_policy *xp, struct flowi *fl)
> +{
> + return 0;
> +}
> +
> +static int dummy_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm)
> +{
> + return 0;
> +}
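Review bot: dummy_xfrm_state_pol_flow_match and dummy_xfrm_flow_state_match return 0, while the !CONFIG_SECURITY_NETWORK_XFRM inline stubs return 1 for the same hooks; if non-zero means "match", the dummy module (the permissive default when no security module is loaded) would make every flow/state-to-policy match fail. Both should return 1 to agree with the stubs, and the xfrm_state parameter should use the same name in both functions (`x` vs `xfrm`).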
The dummy functions always return 0, i.e. never match?
> @@ -3433,6 +3442,8 @@ static unsigned int selinux_sk_getsid_se
>
> if (isec)
> sock_sid = isec->sid;
> + else
> + sock_sid = ((struct sk_security_struct *)(sk->sk_security))->sid;
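Review bot: the else branch casts and dereferences sk->sk_security inline; store it in a local first, `struct sk_security_struct *sksec = sk->sk_security;` then `sock_sid = sksec->sid;`. The cast is unnecessary because sk_security is a void pointer, and the local variable matches the pattern used for the other security fields in this file.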
Please assign sk->sk_security to a local var and then extract the SID,
as we do with other security fields.
--
Stephen Smalley
National Security Agency