@@ -137,7 +137,7 @@ void selinux_netlbl_cache_invalidate(void)
* @gateway: true if host is acting as a gateway, false otherwise
*
* Description:
- * When a packet is dropped due to a call to avc_has_perm() pass the error
+ * When a packet is dropped due to a permission denial, pass the error
* code to the NetLabel subsystem so any protocol specific processing can be
* done. This is safe to call even if you are unsure if NetLabel labeling is
* present on the packet, NetLabel is smart enough to only act when it should.
@@ -478,8 +478,8 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
perm = RAWIP_SOCKET__RECVFROM;
}
- rc = avc_has_perm(sksec->state, sksec->sid, nlbl_sid, sksec->sclass,
- perm, ad);
+ rc = selinux_state_has_perm(sksec->state, sksec->sid, nlbl_sid,
+ sksec->sclass, perm, ad);
if (rc == 0)
return 0;
@@ -102,9 +102,9 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
if (rc)
goto err;
- rc = avc_has_perm(current_selinux_state,
- current_sid(), ctx->ctx_sid,
- SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
+ rc = cred_tsid_has_perm(current_cred(), ctx->ctx_sid,
+ SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
+ NULL);
if (rc)
goto err;
@@ -137,10 +137,9 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
if (!ctx)
return 0;
- return avc_has_perm(current_selinux_state,
- current_sid(), ctx->ctx_sid,
- SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
- NULL);
+ return cred_tsid_has_perm(current_cred(), ctx->ctx_sid,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__SETCONTEXT, NULL);
}
/*
@@ -162,8 +161,9 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
if (!selinux_authorizable_ctx(ctx))
return -EINVAL;
- rc = avc_has_perm(state, fl_secid, ctx->ctx_sid,
- SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
+ rc = selinux_state_has_perm(state, fl_secid, ctx->ctx_sid,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__POLMATCH, NULL);
return (rc == -EACCES ? -ESRCH : rc);
}
@@ -205,8 +205,9 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
/* We don't need a separate SA Vs. policy polmatch check since the SA
* is now of the same label as the flow and a flow Vs. policy polmatch
* check had already happened in selinux_xfrm_policy_lookup() above. */
- return (avc_has_perm(state, flic_sid, state_sid, SECCLASS_ASSOCIATION,
- ASSOCIATION__SENDTO, NULL) ? 0 : 1);
+ return (selinux_state_has_perm(state, flic_sid, state_sid,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__SENDTO, NULL) ? 0 : 1);
}
static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb)
@@ -425,8 +426,9 @@ int selinux_xfrm_sock_rcv_skb(struct sk_security_struct *sksec, struct sk_buff *
/* This check even when there's no association involved is intended,
* according to Trent Jaeger, to make sure a process can't engage in
* non-IPsec communication unless explicitly allowed by policy. */
- return avc_has_perm(sksec->state, sk_sid, peer_sid,
- SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
+ return selinux_state_has_perm(sksec->state, sk_sid, peer_sid,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__RECVFROM, ad);
}
/*
@@ -469,6 +471,7 @@ int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
/* This check even when there's no association involved is intended,
* according to Trent Jaeger, to make sure a process can't engage in
* non-IPsec communication unless explicitly allowed by policy. */
- return avc_has_perm(state, sk_sid, SECINITSID_UNLABELED,
- SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
+ return selinux_state_has_perm(state, sk_sid, SECINITSID_UNLABELED,
+ SECCLASS_ASSOCIATION,
+ ASSOCIATION__SENDTO, ad);
}
Convert the xfrm and netlabel permission checks to use the appropriate namespace-aware helper for each check. When in process context, use cred_tsid_has_perm() to check permission; when not in process context, use selinux_state_has_perm(). Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> --- security/selinux/netlabel.c | 6 +++--- security/selinux/xfrm.c | 33 ++++++++++++++++++--------------- 2 files changed, 21 insertions(+), 18 deletions(-)