34 #include <linux/ipv6.h>
56 static int selinux_netlbl_sidlookup_cached(
struct sk_buff *
skb,
62 rc = security_netlbl_secattr_to_sid(secattr, sid);
87 if (sksec->nlbl_secattr !=
NULL)
88 return sksec->nlbl_secattr;
93 rc = security_netlbl_sid_to_secattr(sksec->
sid, secattr);
95 netlbl_secattr_free(secattr);
98 sksec->nlbl_secattr = secattr;
143 if (sksec->nlbl_secattr !=
NULL)
144 netlbl_secattr_free(sksec->nlbl_secattr);
159 sksec->nlbl_state = NLBL_UNSET;
188 netlbl_secattr_init(&secattr);
191 rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid);
194 *type = secattr.
type;
195 netlbl_secattr_destroy(&secattr);
225 if (sksec->nlbl_state != NLBL_REQSKB)
227 secattr = sksec->nlbl_secattr;
229 if (secattr ==
NULL) {
230 secattr = &secattr_storage;
231 netlbl_secattr_init(secattr);
232 rc = security_netlbl_sid_to_secattr(sid, secattr);
234 goto skbuff_setsid_return;
239 skbuff_setsid_return:
240 if (secattr == &secattr_storage)
241 netlbl_secattr_destroy(secattr);
264 netlbl_secattr_init(&secattr);
265 rc = security_netlbl_sid_to_secattr(req->
secid, &secattr);
267 goto inet_conn_request_return;
269 inet_conn_request_return:
270 netlbl_secattr_destroy(&secattr);
289 sksec->nlbl_state = NLBL_LABELED;
291 sksec->nlbl_state = NLBL_UNSET;
313 secattr = selinux_netlbl_sock_genattr(sk);
319 sksec->nlbl_state = NLBL_LABELED;
322 sksec->nlbl_state = NLBL_REQSKB;
356 netlbl_secattr_init(&secattr);
359 rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid);
361 nlbl_sid = SECINITSID_UNLABELED;
362 netlbl_secattr_destroy(&secattr);
367 case SECCLASS_UDP_SOCKET:
368 perm = UDP_SOCKET__RECVFROM;
370 case SECCLASS_TCP_SOCKET:
371 perm = TCP_SOCKET__RECVFROM;
374 perm = RAWIP_SOCKET__RECVFROM;
377 rc = avc_has_perm(sksec->
sid, nlbl_sid, sksec->
sclass, perm, ad);
381 if (nlbl_sid != SECINITSID_UNLABELED)
404 struct sock *sk = sock->
sk;
409 (sksec->nlbl_state == NLBL_LABELED ||
410 sksec->nlbl_state == NLBL_CONNLABELED)) {
411 netlbl_secattr_init(&secattr);
419 netlbl_secattr_destroy(&secattr);
441 if (sksec->nlbl_state != NLBL_REQSKB &&
442 sksec->nlbl_state != NLBL_CONNLABELED)
453 sksec->nlbl_state = NLBL_REQSKB;
455 goto socket_connect_return;
457 secattr = selinux_netlbl_sock_genattr(sk);
458 if (secattr ==
NULL) {
460 goto socket_connect_return;
464 sksec->nlbl_state = NLBL_CONNLABELED;
466 socket_connect_return: