Stephen Smalley wrote:
> On Mon, 2006-10-02 at 14:06 -0400, [EMAIL PROTECTED] wrote:
>
>>plain text document attachment (netlabel-secid_support)
>>This patch provides the missing NetLabel support to the secid reconciliation
>>patchset.
>>
>>Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
>>---
>> security/selinux/hooks.c                    |   67 +++++++++++------
>> security/selinux/include/objsec.h           |    1
>> security/selinux/include/selinux_netlabel.h |   28 +++----
>> security/selinux/ss/services.c              |  106 ++++++++++------------------
>> 4 files changed, 98 insertions(+), 104 deletions(-)
>
>
>>@@ -3725,7 +3723,16 @@ static int selinux_skb_flow_in(struct sk
>>+
>>+ err = avc_has_perm(nlbl_sid, skb->secmark, SECCLASS_PACKET,
>>+ PACKET__FLOW_IN, NULL);
>
>
> This means we end up with two flow_in checks each time, even if only one
> or none of the two labeling mechanisms was used, right?  Given the
> conclusion on the discussion of what it means to use them together (just
> redundant), this seems to be pointless overhead.
Okay, how about something like this?

static int selinux_skb_flow_in(struct sk_buff *skb, unsigned short family)
{
	u32 xfrm_sid;
	u32 nlbl_sid;
	u32 ext_sid;
	int err;

	if (selinux_compat_net)
		return 1;

	/*
	 * loopback traffic already labeled and
	 * flow-controlled on outbound.  We may
	 * need to flow-control on the inbound
	 * as well if there's ever a use-case for it.
	 */
	if (skb->dev == &loopback_dev)
		return 1;

	err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0);
	BUG_ON(err);

	/* NetLabel resolves the packet's SID relative to whatever label
	 * we already have: the xfrm SID if present, else the secmark. */
	err = selinux_netlbl_skb_sid(skb,
				     xfrm_sid ? xfrm_sid : skb->secmark,
				     &nlbl_sid);
	if (err)
		goto out;

	/* pick one external SID, preferring NetLabel over xfrm */
	if (nlbl_sid)
		ext_sid = nlbl_sid;
	else
		ext_sid = xfrm_sid;

	/* a single flow_in check, regardless of how many mechanisms
	 * labeled the packet */
	err = avc_has_perm(ext_sid, skb->secmark, SECCLASS_PACKET,
			   PACKET__FLOW_IN, NULL);
	if (err)
		goto out;

	/* only overwrite the secmark when an external label was found */
	if (ext_sid)
		skb->secmark = ext_sid;

out:
	return err ? 0 : 1;
}

-- 
paul moore
linux security @ hp