[90/97] Netlabel: Return the labeling type on socket

Message ID	20190228224356.2608-21-casey@schaufler-ca.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Casey Schaufler <casey@schaufler-ca.com> To: jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com Subject: [PATCH 90/97] Netlabel: Return the labeling type on socket Date: Thu, 28 Feb 2019 14:43:49 -0800 Message-Id: <20190228224356.2608-21-casey@schaufler-ca.com> In-Reply-To: <20190228224356.2608-1-casey@schaufler-ca.com> References: <20190228224356.2608-1-casey@schaufler-ca.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	LSM: Complete module stacking \| expand [00/97] LSM: Complete module stacking [71/97] LSM: Add secmark refcounting to call_one list [72/97] LSM: Add secmark refcounting to call_one list - part 2 [73/97] LSM: refactor security_setprocattr [74/97] Smack: Detect if secmarks can be safely used [75/97] LSM: Support multiple LSMs using inode_init_security [76/97] LSM: Use full security context in security_inode_setsecctx [77/97] LSM: Correct handling of ENOSYS in inode_setxattr [78/97] LSM: Infrastructure security blobs for mount options [79/97] LSM: Fix for security_init_inode_security [80/97] Smack: Advertise the secid to netlabel [81/97] LSM: Change error detection for UDP peer security [82/97] Smack: Fix setting of the CIPSO MLS_CAT flags [83/97] Smack: Set netlabel flags properly on new label import [84/97] Netlabel: Add a secattr comparison API function [85/97] Smack: Let netlabel do the work on the ambient domain [86/97] Smack: Don't set the socket label on each send [87/97] Smack: Let netlabel do the work on connections [88/97] Netlabel: Return the labeling type on socket [89/97] Netlabel: Return the labeling type on socket [90/97] Netlabel: Return the labeling type on socket [91/97] Netlabel: Return the labeling type on socket [92/97] LSM: Remember the NLTYPE of netlabel sockets [93/97] Smack: Use the NLTYPE on output [94/97] LSM: Hook for netlabel reconciliation [95/97] LSM: Avoid network conflicts in SELinux and Smack [96/97] LSM: Apply Netlabel consitancy checks on send and connect [97/97] Smack: Remove the exclusive bit

Message ID

20190228224356.2608-21-casey@schaufler-ca.com (mailing list archive)

State

New, archived

Headers

From: Casey Schaufler <casey@schaufler-ca.com>
To: jmorris@namei.org, linux-security-module@vger.kernel.org,
        selinux@vger.kernel.org
Cc: keescook@chromium.org, john.johansen@canonical.com,
        penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com
Subject: [PATCH 90/97] Netlabel: Return the labeling type on socket
Date: Thu, 28 Feb 2019 14:43:49 -0800
Message-Id: <20190228224356.2608-21-casey@schaufler-ca.com>
In-Reply-To: <20190228224356.2608-1-casey@schaufler-ca.com>
References: <20190228224356.2608-1-casey@schaufler-ca.com>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

LSM: Complete module stacking | expand

Commit Message

Casey Schaufler Feb. 28, 2019, 10:43 p.m. UTC

Change netlbl_skbuff_setattr() to return the labeling
type of the domain. This allows the labeling types to
be compared when two LSMs want to determine how a socket
should be used.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 net/netlabel/netlabel_kapi.c | 7 ++++++-
 security/selinux/netlabel.c  | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 2bd765290550..1d362a38dd05 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1278,7 +1278,8 @@  void netlbl_req_delattr(struct request_sock *req)
  *
  * Description:
  * Attach the correct label to the given packet using the security attributes
- * specified in @secattr.  Returns zero on success, negative values on failure.
+ * specified in @secattr.  Returns the NLTYPE on success, negative values on
+ * failure.
  *
  */
 int netlbl_skbuff_setattr(struct sk_buff *skb,
@@ -1315,6 +1316,8 @@  int netlbl_skbuff_setattr(struct sk_buff *skb,
 		default:
 			ret_val = -ENOENT;
 		}
+		if (ret_val == 0)
+			ret_val = entry->type;
 		break;
 #if IS_ENABLED(CONFIG_IPV6)
 	case AF_INET6:
@@ -1338,6 +1341,8 @@  int netlbl_skbuff_setattr(struct sk_buff *skb,
 		default:
 			ret_val = -ENOENT;
 		}
+		if (ret_val == 0)
+			ret_val = entry->type;
 		break;
 #endif /* IPv6 */
 	default:
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index ca47c99f964a..b6eede4406bd 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -266,6 +266,8 @@  int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
 	}
 
 	rc = netlbl_skbuff_setattr(skb, family, secattr);
+	if (rc > 0)
+		rc = 0;
 
 skbuff_setsid_return:
 	if (secattr == &secattr_storage)

[90/97] Netlabel: Return the labeling type on socket

Commit Message

Patch