SELinux: Convert the netif code to use ifindex values

The current SELinux netif code requires the caller have a valid net_device struct pointer to lookup network interface information. However, we don't always have a valid net_device pointer so convert the netif code to use the ifindex values we always have as part of the sk_buff. This patch also removes the default message SID from the network interface record, it is not being used and therefore is "dead code". Signed-off-by: Paul Moore <[email protected]> Signed-off-by: James Morris <[email protected]>
kawasaki · Jan 29, 2008 · e8bfdb9 · e8bfdb9
1 parent 75e2291
commit e8bfdb9
Show file tree

Hide file tree

Showing 6 changed files with 155 additions and 125 deletions.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
@@ -3853,7 +3853,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 	if (!skb->dev)
 		goto out;
 
-	err = sel_netif_sids(skb->dev, &if_sid, NULL);
+	err = sel_netif_sid(skb->iif, &if_sid);
 	if (err)
 		goto out;
 
@@ -4178,7 +4178,7 @@ static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *
 
 	isec = inode->i_security;
 
-	err = sel_netif_sids(dev, &if_sid, NULL);
+	err = sel_netif_sid(dev->ifindex, &if_sid);
 	if (err)
 		goto out;
 

diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h
@@ -7,6 +7,8 @@
  * Author: James Morris <[email protected]>
  *
  * Copyright (C) 2003 Red Hat, Inc., James Morris <[email protected]>
+ * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
+ *                    Paul Moore, <[email protected]>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2,
@@ -15,7 +17,7 @@
 #ifndef _SELINUX_NETIF_H_
 #define _SELINUX_NETIF_H_
 
-int sel_netif_sids(struct net_device *dev, u32 *if_sid, u32 *msg_sid);
+int sel_netif_sid(int ifindex, u32 *sid);
 
 #endif	/* _SELINUX_NETIF_H_ */
 
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
@@ -96,9 +96,8 @@ struct bprm_security_struct {
 };
 
 struct netif_security_struct {
-	struct net_device *dev;		/* back pointer */
-	u32 if_sid;			/* SID for this interface */
-	u32 msg_sid;			/* default SID for messages received on this interface */
+	int ifindex;			/* device index */
+	u32 sid;			/* SID for this interface */
 };
 
 struct sk_security_struct {

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
@@ -77,8 +77,7 @@ int security_get_user_sids(u32 callsid, char *username,
 int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port,
 	u32 *out_sid);
 
-int security_netif_sid(char *name, u32 *if_sid,
-	u32 *msg_sid);
+int security_netif_sid(char *name, u32 *if_sid);
 
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
 	u32 *out_sid);