diff options
author | Casey Schaufler <casey@schaufler-ca.com> | 2015-02-11 23:52:32 +0300 |
---|---|---|
committer | Casey Schaufler <casey@schaufler-ca.com> | 2015-02-11 23:55:05 +0300 |
commit | 7f368ad34f0657f4bc39bf5bad6692b5a81a1194 (patch) | |
tree | eafdecc1ed9d7219b479342463cbeb92a7535e64 | |
parent | 82b0b2c2b1e64ad6c5309a9eeba806af9812666b (diff) | |
download | linux-7f368ad34f0657f4bc39bf5bad6692b5a81a1194.tar.xz |
Smack: secmark connections
If the secmark is available us it on connection as
well as packet delivery.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
-rw-r--r-- | security/smack/smack_lsm.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a0ccce4e46f8..ed94f6f836e7 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3818,6 +3818,18 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, } #endif /* CONFIG_IPV6 */ +#ifdef CONFIG_SECURITY_SMACK_NETFILTER + /* + * If there is a secmark use it rather than the CIPSO label. + * If there is no secmark fall back to CIPSO. + * The secmark is assumed to reflect policy better. + */ + if (skb && skb->secmark != 0) { + skp = smack_from_secid(skb->secmark); + goto access_check; + } +#endif /* CONFIG_SECURITY_SMACK_NETFILTER */ + netlbl_secattr_init(&secattr); rc = netlbl_skbuff_getattr(skb, family, &secattr); if (rc == 0) @@ -3826,6 +3838,10 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, skp = &smack_known_huh; netlbl_secattr_destroy(&secattr); +#ifdef CONFIG_SECURITY_SMACK_NETFILTER +access_check: +#endif + #ifdef CONFIG_AUDIT smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); ad.a.u.net->family = family; |