diff options
| author | Eric Paris | 2010-10-13 15:24:41 -0500 |
|---|---|---|
| committer | James Morris | 2010-10-20 18:12:48 -0500 |
| commit | 2606fd1fa5710205b23ee859563502aa18362447 (patch) | |
| tree | f79becd7010a2da1a765829fce0e09327cd50531 /security/capability.c | |
| parent | 15714f7b58011cf3948cab2988abea560240c74f (diff) | |
| download | am43-linux-kernel-2606fd1fa5710205b23ee859563502aa18362447.tar.gz am43-linux-kernel-2606fd1fa5710205b23ee859563502aa18362447.tar.xz am43-linux-kernel-2606fd1fa5710205b23ee859563502aa18362447.zip | |
secmark: make secmark object handling generic
Right now secmark has lots of direct selinux calls. Use all LSM calls and
remove all SELinux specific knowledge. The only SELinux specific knowledge
we leave is the mode. The only point is to make sure that other LSMs at
least test this generic code before they assume it works. (They may also
have to make changes if they do not represent labels as strings)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Paul Moore <paul.moore@hp.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/capability.c')
| -rw-r--r-- | security/capability.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/security/capability.c b/security/capability.c index 95a6599a37b..30ae00fbecd 100644 --- a/security/capability.c +++ b/security/capability.c | |||
| @@ -677,7 +677,18 @@ static void cap_inet_conn_established(struct sock *sk, struct sk_buff *skb) | |||
| 677 | { | 677 | { |
| 678 | } | 678 | } |
| 679 | 679 | ||
| 680 | static int cap_secmark_relabel_packet(u32 secid) | ||
| 681 | { | ||
| 682 | return 0; | ||
| 683 | } | ||
| 680 | 684 | ||
| 685 | static void cap_secmark_refcount_inc(void) | ||
| 686 | { | ||
| 687 | } | ||
| 688 | |||
| 689 | static void cap_secmark_refcount_dec(void) | ||
| 690 | { | ||
| 691 | } | ||
| 681 | 692 | ||
| 682 | static void cap_req_classify_flow(const struct request_sock *req, | 693 | static void cap_req_classify_flow(const struct request_sock *req, |
| 683 | struct flowi *fl) | 694 | struct flowi *fl) |
| @@ -777,7 +788,8 @@ static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) | |||
| 777 | 788 | ||
| 778 | static int cap_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) | 789 | static int cap_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) |
| 779 | { | 790 | { |
| 780 | return -EOPNOTSUPP; | 791 | *secid = 0; |
| 792 | return 0; | ||
| 781 | } | 793 | } |
| 782 | 794 | ||
| 783 | static void cap_release_secctx(char *secdata, u32 seclen) | 795 | static void cap_release_secctx(char *secdata, u32 seclen) |
| @@ -1018,6 +1030,9 @@ void __init security_fixup_ops(struct security_operations *ops) | |||
| 1018 | set_to_cap_if_null(ops, inet_conn_request); | 1030 | set_to_cap_if_null(ops, inet_conn_request); |
| 1019 | set_to_cap_if_null(ops, inet_csk_clone); | 1031 | set_to_cap_if_null(ops, inet_csk_clone); |
| 1020 | set_to_cap_if_null(ops, inet_conn_established); | 1032 | set_to_cap_if_null(ops, inet_conn_established); |
| 1033 | set_to_cap_if_null(ops, secmark_relabel_packet); | ||
| 1034 | set_to_cap_if_null(ops, secmark_refcount_inc); | ||
| 1035 | set_to_cap_if_null(ops, secmark_refcount_dec); | ||
| 1021 | set_to_cap_if_null(ops, req_classify_flow); | 1036 | set_to_cap_if_null(ops, req_classify_flow); |
| 1022 | set_to_cap_if_null(ops, tun_dev_create); | 1037 | set_to_cap_if_null(ops, tun_dev_create); |
| 1023 | set_to_cap_if_null(ops, tun_dev_post_create); | 1038 | set_to_cap_if_null(ops, tun_dev_post_create); |