
Commit e448e931 authored by Paul Moore's avatar Paul Moore Committed by David S. Miller

[NetLabel]: uninline selinux_netlbl_inode_permission()



Uninline the selinux_netlbl_inode_permission() at the request of
Andrew Morton.

Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 7b3bbb92
+1 −34
@@ -43,40 +43,7 @@ void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
				     int family);
void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
				      struct sk_security_struct *newssec);

int __selinux_netlbl_inode_permission(struct inode *inode, int mask);
/**
 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
 * @inode: the file descriptor's inode
 * @mask: the permission mask
 *
 * Description:
 * Looks at a file's inode and if it is marked as a socket protected by
 * NetLabel then verify that the socket has been labeled, if not try to label
 * the socket now with the inode's SID.  Returns zero on success, negative
 * values on failure.
 *
 */
static inline int selinux_netlbl_inode_permission(struct inode *inode,
						  int mask)
{
	int rc = 0;
	struct inode_security_struct *isec;
	struct sk_security_struct *sksec;

	if (!S_ISSOCK(inode->i_mode))
		return 0;

	isec = inode->i_security;
	sksec = SOCKET_I(inode)->sk->sk_security;
	down(&isec->sem);
	if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
		     (mask & (MAY_WRITE | MAY_APPEND))))
		rc = __selinux_netlbl_inode_permission(inode, mask);
	up(&isec->sem);

	return rc;
}
int selinux_netlbl_inode_permission(struct inode *inode, int mask);
#else
static inline void selinux_netlbl_cache_invalidate(void)
{
+24 −9
@@ -2544,24 +2544,39 @@ u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
}

/**
 * __selinux_netlbl_inode_permission - Label a socket using NetLabel
 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
 * @inode: the file descriptor's inode
 * @mask: the permission mask
 *
 * Description:
 * Try to label a socket with the inode's SID using NetLabel.  Returns zero on
 * success, negative values on failure.
 * Looks at a file's inode and if it is marked as a socket protected by
 * NetLabel then verify that the socket has been labeled, if not try to label
 * the socket now with the inode's SID.  Returns zero on success, negative
 * values on failure.
 *
 */
int __selinux_netlbl_inode_permission(struct inode *inode, int mask)
int selinux_netlbl_inode_permission(struct inode *inode, int mask)
{
	int rc;
	struct socket *sock = SOCKET_I(inode);
	struct sk_security_struct *sksec = sock->sk->sk_security;
	struct inode_security_struct *isec;
	struct sk_security_struct *sksec;
	struct socket *sock;

	if (!S_ISSOCK(inode->i_mode))
		return 0;

	sock = SOCKET_I(inode);
	isec = inode->i_security;
	sksec = sock->sk->sk_security;
	down(&isec->sem);
	if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
		     (mask & (MAY_WRITE | MAY_APPEND)))) {
		lock_sock(sock->sk);
		rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
		release_sock(sock->sk);
	} else
		rc = 0;
	up(&isec->sem);

	return rc;
}
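Review bot: In the new selinux_netlbl_inode_permission(), `sksec = sock->sk->sk_security;` dereferences `sock->sk` with no NULL check, and the only guard before it is the `S_ISSOCK()` test. If a socket inode can reach this hook while its `sk` is unset (the callers are not visible in this hunk, so this is inferred), the result is a kernel NULL pointer dereference inside a permission check. I would add `if (sock->sk == NULL) return 0;` right after `sock = SOCKET_I(inode);`, which matches the existing non-socket early return; failing closed with an error instead is a policy decision worth stating in the kernel-doc comment. Separately, testing `mask & (MAY_WRITE | MAY_APPEND)` before `down(&isec->sem)` would keep read-only checks from taking the semaphore, leaving only the `nlbl_state` comparison under it.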