SELinux: peer secid consolidation for external network labeling

	u32 scontext_len;

	struct sk_security_struct *ssec;

	struct inode_security_struct *isec;

	u32 peer_sid = 0;

	u32 peer_sid = SECSID_NULL;

	isec = SOCK_INODE(sock)->i_security;

	/* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */

	if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {

	if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||

	    isec->sclass == SECCLASS_TCP_SOCKET) {

		ssec = sock->sk->sk_security;

		peer_sid = ssec->peer_sid;

	}

	else if (isec->sclass == SECCLASS_TCP_SOCKET) {

		peer_sid = selinux_netlbl_socket_getpeersec_stream(sock);

	if (peer_sid == SECSID_NULL) {

			ssec = sock->sk->sk_security;

			peer_sid = ssec->peer_sid;

		}

		if (peer_sid == SECSID_NULL) {

			err = -ENOPROTOOPT;

			goto out;

		}

	}

	else {

		err = -ENOPROTOOPT;

		goto out;

	}

	u32 peer_secid = SECSID_NULL;

	int err = 0;

	if (sock && (sock->sk->sk_family == PF_UNIX))

	if (sock && sock->sk->sk_family == PF_UNIX)

		selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);

	else if (skb) {

		peer_secid = selinux_netlbl_socket_getpeersec_dgram(skb);

		if (peer_secid == SECSID_NULL)

			peer_secid = selinux_socket_getpeer_dgram(skb);

	}

	else if (skb)

		security_skb_extlbl_sid(skb,

					SECINITSID_UNLABELED,

					&peer_secid);

	if (peer_secid == SECSID_NULL)

		err = -EINVAL;

	u32 newsid;

	u32 peersid;

	newsid = selinux_netlbl_inet_conn_request(skb, sksec->sid);

	if (newsid != SECSID_NULL) {

		req->secid = newsid;

		return 0;

	}

	selinux_skb_xfrm_sid(skb, &peersid);

	security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);

	if (peersid == SECSID_NULL) {

		req->secid = sksec->sid;

		req->peer_secid = 0;

		req->peer_secid = SECSID_NULL;

		return 0;

	}

{

	struct sk_security_struct *sksec = sk->sk_security;

	selinux_skb_xfrm_sid(skb, &sksec->peer_sid);

	security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);

}

static void selinux_req_classify_flow(const struct request_sock *req,

#ifndef _SELINUX_SECURITY_H_

#define _SELINUX_SECURITY_H_

#include <linux/skbuff.h>

#include "flask.h"

#define SECSID_NULL			0x00000000 /* unspecified SID */

int security_node_sid(u16 domain, void *addr, u32 addrlen,

	u32 *out_sid);

void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);

int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,

                                 u16 tclass);

#ifdef CONFIG_NETLABEL

void selinux_netlbl_cache_invalidate(void);

int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);

int selinux_netlbl_socket_post_create(struct socket *sock);

void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);

u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid);

int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,

				struct sk_buff *skb,

				struct avc_audit_data *ad);

u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);

u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);

void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,

				      int family);

void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,

	return;

}

static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,

					       u32 base_sid,

					       u32 *sid)

{

	*sid = SECSID_NULL;

	return 0;

}

static inline int selinux_netlbl_socket_post_create(struct socket *sock)

{

	return 0;

	return;

}

static inline u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb,

						   u32 sock_sid)

{

	return SECSID_NULL;

}

static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,

					      struct sk_buff *skb,

					      struct avc_audit_data *ad)

	return 0;

}

static inline u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)

{

	return SECSID_NULL;

}

static inline u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)

{

	return SECSID_NULL;

}

static inline void selinux_netlbl_sk_security_reset(

					       struct sk_security_struct *ssec,

					       int family)

			struct avc_audit_data *ad);

int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,

			struct avc_audit_data *ad, u8 proto);

u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);

int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);

#else

static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,

	return 0;

}

static inline int selinux_socket_getpeer_dgram(struct sk_buff *skb)

{

	return SECSID_NULL;

}

static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)

{

	*sid = SECSID_NULL;

#include "mls.h"

#include "objsec.h"

#include "selinux_netlabel.h"

#include "xfrm.h"

extern void selnl_notify_policyload(u32 seqno);

unsigned int policydb_loaded_version;

	aurule_callback = callback;

}

/**

 * security_skb_extlbl_sid - Determine the external label of a packet

 * @skb: the packet

 * @base_sid: the SELinux SID to use as a context for MLS only external labels

 * @sid: the packet's SID

 *

 * Description:

 * Check the various different forms of external packet labeling and determine

 * the external SID for the packet.

 *

 */

void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)

{

	u32 xfrm_sid;

	u32 nlbl_sid;

	selinux_skb_xfrm_sid(skb, &xfrm_sid);

	if (selinux_netlbl_skbuff_getsid(skb,

					 (xfrm_sid == SECSID_NULL ?

					  base_sid : xfrm_sid),

					 &nlbl_sid) != 0)

		nlbl_sid = SECSID_NULL;

	*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);

}

#ifdef CONFIG_NETLABEL

/*

 * This is the structure we store inside the NetLabel cache block.

 * assign to the packet.  Returns zero on success, negative values on failure.

 *

 */

static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,

					u32 base_sid,

					u32 *sid)

int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)

{

	int rc;

	struct netlbl_lsm_secattr secattr;

	rcu_read_unlock();

}

/**

 * selinux_netlbl_inet_conn_request - Handle a new connection request

 * @skb: the packet

 * @sock_sid: the SID of the parent socket

 *

 * Description:

 * If present, use the security attributes of the packet in @skb and the

 * parent sock's SID to arrive at a SID for the new child sock.  Returns the

 * SID of the connection or SECSID_NULL on failure.

 *

 */

u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)

{

	int rc;

	u32 peer_sid;

	rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);

	if (rc != 0)

		return SECSID_NULL;

	return peer_sid;

}

/**

 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled

 * @inode: the file descriptor's inode

	return rc;

}

/**

 * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID

 * @sock: the socket

 *

 * Description:

 * Examine @sock to find the connected peer's SID.  Returns the SID on success

 * or SECSID_NULL on error.

 *

 */

u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)

{

	struct sk_security_struct *sksec = sock->sk->sk_security;

	return sksec->peer_sid;

}

/**

 * selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet

 * @skb: the packet

 *

 * Description:

 * Examine @skb to find the SID assigned to it by NetLabel.  Returns the SID on

 * success, SECSID_NULL on error.

 *

 */

u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)

{

	int peer_sid;

	if (selinux_netlbl_skbuff_getsid(skb,

					 SECINITSID_UNLABELED,

					 &peer_sid) != 0)

		return SECSID_NULL;

	return peer_sid;

}

/**

 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel

 * @sock: the socket