@@ -115,6 +115,22 @@ static inline bool lsm_export_equal(struct lsm_export *l, struct lsm_export *m)
return true;
}
+/*
+ * After calling security_secctx_to_secid() one, and only one
+ * of the LSM fields will be set in the lsm_export. Return
+ * whichever one was set. Used to supply secmarks.
+ */
+static inline u32 lsm_export_one_secid(struct lsm_export *l)
+{
+ if (l->flags & LSM_EXPORT_SELINUX)
+ return l->selinux;
+ if (l->flags & LSM_EXPORT_SMACK)
+ return l->smack;
+ if (l->flags & LSM_EXPORT_APPARMOR)
+ return l->apparmor;
+ return 0;
+}
+
extern struct lsm_export *lsm_export_skb(struct sk_buff *skb);
/* Text representation of LSM specific security information - a "context" */
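Review bot: lsm_export_one_secid() silently returns the SELinux field whenever more than one LSM_EXPORT_* flag is set, which the header comment declares impossible but nothing in the function enforces; should that "one, and only one" invariant ever fail, a secmark would be derived from the wrong LSM with no diagnostic. A `WARN_ON_ONCE()` on the multi-flag case, or at minimum a comment stating the SELinux > Smack > AppArmor precedence the if-chain implements, would make the assumption visible to the next maintainer. The parameter is only read, so `static inline u32 lsm_export_one_secid(const struct lsm_export *l)` would let callers pass const data, though lsm_export_equal() just above takes a non-const pointer and the header may prefer to stay consistent.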
@@ -576,12 +576,7 @@ static int nft_secmark_compute_secid(struct nft_secmark *priv)
if (err)
return err;
- /* Use the "best" secid */
- if (le.selinux)
- tmp_secid = le.selinux;
- else
- tmp_secid = le.smack;
-
+ tmp_secid = lsm_export_one_secid(&le);
if (!tmp_secid)
return -ENOENT;
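Review bot: Replacing the selinux/smack fallback with lsm_export_one_secid() also lets an lsm_export flagged LSM_EXPORT_APPARMOR supply the secmark here, which the removed code never did and the commit description does not mention; if that widening is intended it deserves a sentence in the description, and if AppArmor is not expected to ever set that field it is worth saying so. The same applies to the xt_SECMARK.c hunk below, where the dropped "Smack is cheating, using SECMARK_MODE_SEL" comment was the only record of why a non-SELinux secid is accepted under that mode — a one-line note such as `/* whichever stacked LSM mapped the context supplies the secmark */` next to the new call would preserve that rationale. nft_secmark_compute_secid() starts before this hunk, so the handling of le before the call is not visible here.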
@@ -67,12 +67,7 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
return err;
}
- /* Smack is cheating, using SECMARK_MODE_SEL */
- if (le.selinux)
- info->secid = le.selinux;
- else
- info->secid = le.smack;
-
+ info->secid = lsm_export_one_secid(&le);
if (!info->secid) {
pr_info_ratelimited("unable to map security context \'%s\'\n",
info->secctx);
Getting the u32 secmark from the result of security_secctx_to_secid() requires knowledge about which LSM interpreted the context. Add a function lsm_export_one_secid() that finds the active secid in a lsm_export structure. Use it in secmark processing. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- include/linux/security.h | 16 ++++++++++++++++ net/netfilter/nft_meta.c | 7 +------ net/netfilter/xt_SECMARK.c | 7 +------ 3 files changed, 18 insertions(+), 12 deletions(-)