Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8d9107e8c50e1c4ff43c91c8841805833f3ecfb9
Commit:     8d9107e8c50e1c4ff43c91c8841805833f3ecfb9
Parent:     16cefa8c3863721fd40445a1b34dea18cd16ccfe
Author:     Linus Torvalds <[EMAIL PROTECTED]>
AuthorDate: Fri Jul 13 16:53:18 2007 -0700
Committer:  Linus Torvalds <[EMAIL PROTECTED]>
CommitDate: Fri Jul 13 16:53:18 2007 -0700

    Revert "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for 
NetLabel"
    
    This reverts commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0.
    
    It bit people like Michal Piotrowski:
    
      "My system is too secure, I can not login :)"
    
    because it changed how CONFIG_NETLABEL worked, and broke older SElinux
    policies.
    
    As a result, quoth James Morris:
    
      "Can you please revert this patch?
    
       We thought it only affected people running MLS, but it will affect 
others.
    
       Sorry for the hassle."
    
    Cc: James Morris <[EMAIL PROTECTED]>
    Cc: Stephen Smalley <[EMAIL PROTECTED]>
    Cc: Michal Piotrowski <[EMAIL PROTECTED]>
    Cc: Paul Moore <[EMAIL PROTECTED]>
    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
---
 security/selinux/hooks.c    |   21 ++++++++++-----------
 security/selinux/netlabel.c |   34 +++++++++++++++++++++-------------
 2 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index aff8f46..78c3f98 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3129,19 +3129,17 @@ static int selinux_parse_skb(struct sk_buff *skb, 
struct avc_audit_data *ad,
 /**
  * selinux_skb_extlbl_sid - Determine the external label of a packet
  * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
  * @sid: the packet's SID
  *
  * Description:
  * Check the various different forms of external packet labeling and determine
- * the external SID for the packet.  If only one form of external labeling is
- * present then it is used, if both labeled IPsec and NetLabel labels are
- * present then the SELinux type information is taken from the labeled IPsec
- * SA and the MLS sensitivity label information is taken from the NetLabel
- * security attributes.  This bit of "magic" is done in the call to
- * selinux_netlbl_skbuff_getsid().
+ * the external SID for the packet.
  *
  */
-static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+                                  u32 base_sid,
+                                  u32 *sid)
 {
        u32 xfrm_sid;
        u32 nlbl_sid;
@@ -3149,9 +3147,10 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb, 
u32 *sid)
        selinux_skb_xfrm_sid(skb, &xfrm_sid);
        if (selinux_netlbl_skbuff_getsid(skb,
                                         (xfrm_sid == SECSID_NULL ?
-                                         SECINITSID_NETMSG : xfrm_sid),
+                                         base_sid : xfrm_sid),
                                         &nlbl_sid) != 0)
                nlbl_sid = SECSID_NULL;
+
        *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
 }
 
@@ -3696,7 +3695,7 @@ static int selinux_socket_getpeersec_dgram(struct socket 
*sock, struct sk_buff *
        if (sock && sock->sk->sk_family == PF_UNIX)
                selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
        else if (skb)
-               selinux_skb_extlbl_sid(skb, &peer_secid);
+               selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
 
        if (peer_secid == SECSID_NULL)
                err = -EINVAL;
@@ -3757,7 +3756,7 @@ static int selinux_inet_conn_request(struct sock *sk, 
struct sk_buff *skb,
        u32 newsid;
        u32 peersid;
 
-       selinux_skb_extlbl_sid(skb, &peersid);
+       selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
        if (peersid == SECSID_NULL) {
                req->secid = sksec->sid;
                req->peer_secid = SECSID_NULL;
@@ -3795,7 +3794,7 @@ static void selinux_inet_conn_established(struct sock *sk,
 {
        struct sk_security_struct *sksec = sk->sk_security;
 
-       selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
+       selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
 }
 
 static void selinux_req_classify_flow(const struct request_sock *req,
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 8192e8b..e64eca2 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -158,7 +158,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 
base_sid, u32 *sid)
        netlbl_secattr_init(&secattr);
        rc = netlbl_skbuff_getattr(skb, &secattr);
        if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-               rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
+               rc = security_netlbl_secattr_to_sid(&secattr,
+                                                   base_sid,
+                                                   sid);
        else
                *sid = SECSID_NULL;
        netlbl_secattr_destroy(&secattr);
@@ -196,7 +198,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct 
socket *sock)
        if (netlbl_sock_getattr(sk, &secattr) == 0 &&
            secattr.flags != NETLBL_SECATTR_NONE &&
            security_netlbl_secattr_to_sid(&secattr,
-                                          SECINITSID_NETMSG,
+                                          SECINITSID_UNLABELED,
                                           &nlbl_peer_sid) == 0)
                sksec->peer_sid = nlbl_peer_sid;
        netlbl_secattr_destroy(&secattr);
@@ -293,32 +295,38 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct 
*sksec,
                                struct avc_audit_data *ad)
 {
        int rc;
-       u32 nlbl_sid;
-       u32 perm;
+       u32 netlbl_sid;
+       u32 recv_perm;
 
-       rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid);
+       rc = selinux_netlbl_skbuff_getsid(skb,
+                                         SECINITSID_UNLABELED,
+                                         &netlbl_sid);
        if (rc != 0)
                return rc;
-       if (nlbl_sid == SECSID_NULL)
-               nlbl_sid = SECINITSID_UNLABELED;
+
+       if (netlbl_sid == SECSID_NULL)
+               return 0;
 
        switch (sksec->sclass) {
        case SECCLASS_UDP_SOCKET:
-               perm = UDP_SOCKET__RECVFROM;
+               recv_perm = UDP_SOCKET__RECVFROM;
                break;
        case SECCLASS_TCP_SOCKET:
-               perm = TCP_SOCKET__RECVFROM;
+               recv_perm = TCP_SOCKET__RECVFROM;
                break;
        default:
-               perm = RAWIP_SOCKET__RECVFROM;
+               recv_perm = RAWIP_SOCKET__RECVFROM;
        }
 
-       rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
+       rc = avc_has_perm(sksec->sid,
+                         netlbl_sid,
+                         sksec->sclass,
+                         recv_perm,
+                         ad);
        if (rc == 0)
                return 0;
 
-       if (nlbl_sid != SECINITSID_UNLABELED)
-               netlbl_skbuff_err(skb, rc);
+       netlbl_skbuff_err(skb, rc);
        return rc;
 }
 
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to