Linux Kernel
3.7.1
#include <linux/spinlock.h>
#include <linux/rcupdate.h>
#include <linux/gfp.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <net/sock.h>
#include <net/netlabel.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include "objsec.h"
#include "security.h"
#include "netlabel.h"
selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
Description: Invalidate the NetLabel security attribute mapping cache.
Definition at line 110 of file netlabel.c.
selinux_netlbl_err - Handle a NetLabel packet error : the packet : the error code : true if host is acting as a gateway, false otherwise
Description: When a packet is dropped due to a call to avc_has_perm(), pass the error code to the NetLabel subsystem so any protocol-specific processing can be done. This is safe to call even if you are unsure whether NetLabel labeling is present on the packet; NetLabel is smart enough to only act when it should.
Definition at line 128 of file netlabel.c.
int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
selinux_netlbl_inet_conn_request - Label an incoming stream connection
req: incoming connection request socket
Description: A new incoming connection request is represented by req. We need to label the new request_sock here, and the stack will ensure the on-the-wire label is preserved when a full sock is created once the connection handshake is complete. Returns zero on success, negative values on failure.
Definition at line 256 of file netlabel.c.
selinux_netlbl_inet_csk_clone - Initialize the newly created sock : the new sock
Description: A new connection has been established using , we've already labeled the socket via the request_sock struct in selinux_netlbl_inet_conn_request() but we need to set the NetLabel state here since we now have a sock structure.
Definition at line 284 of file netlabel.c.
void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec)
selinux_netlbl_sk_security_free - Free the NetLabel fields
sksec: the sk_security_struct
Description: Free all of the memory in the NetLabel fields of a sk_security_struct.
Definition at line 141 of file netlabel.c.
void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec)
selinux_netlbl_sk_security_reset - Reset the NetLabel fields : the sk_security_struct : the socket family
Description: Called when the NetLabel state of a sk_security_struct needs to be reset. The caller is responsible for all the NetLabel sk_security_struct locking.
Definition at line 157 of file netlabel.c.
selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel : the packet : protocol family : NetLabel labeling protocol type : the SID
Description: Call the NetLabel mechanism to get the security attributes of the given packet and use those attributes to determine the correct context/SID to assign to the packet. Returns zero on success, negative values on failure.
Definition at line 175 of file netlabel.c.
int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, struct sk_buff *skb, u16 family, struct common_audit_data *ad)
selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
sksec: the sock's sk_security_struct
skb: the packet
family: protocol family
ad: the audit data
Description: Fetch the NetLabel security attributes from skb and perform an access check against the receiving socket. Returns zero on success, negative values on error.
Definition at line 343 of file netlabel.c.
selinux_netlbl_socket_connect - Label a client-side socket on connect : the socket to label : the destination address
Description: Attempt to label a connected socket with NetLabel using the given address. Returns zero on success, negative values on failure.
Definition at line 435 of file netlabel.c.
selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel : the socket : the socket level or protocol : the socket option name
Description: Check the setsockopt() call and, if the user is trying to replace the IP options on a socket and a NetLabel is in place for the socket, deny the access; otherwise allow the access. Returns zero when the access is allowed, -EACCES when denied, and other negative values on error.
Definition at line 399 of file netlabel.c.