diff options
author | Paul Moore <paul.moore@hp.com> | 2007-07-18 12:28:45 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2007-07-19 10:21:11 -0400 |
commit | 23bcdc1adebd3cb47d5666f2e9ecada95c0134e4 (patch) | |
tree | 71caf0ac9fa86e4a9cf423d968a2486656c2e196 /security | |
parent | 589f1e81bde732dd0b1bc5d01b6bddd4bcb4527b (diff) | |
download | lwn-23bcdc1adebd3cb47d5666f2e9ecada95c0134e4.tar.gz lwn-23bcdc1adebd3cb47d5666f2e9ecada95c0134e4.zip |
SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement
Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the
current runtime status of NetLabel based on the existing configuration. LSMs
that make use of NetLabel, i.e. SELinux, can use this new function to determine
if they should perform NetLabel access checks. This patch changes the
NetLabel/SELinux glue code such that SELinux only enforces NetLabel related
access checks when netlbl_enabled() returns true.
At present NetLabel is considered to be enabled when there is at least one
labeled protocol configuration present. The result is that by default NetLabel
is considered to be disabled, however, as soon as an administrator configured
a CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing
NetLabel related access controls - including unlabeled packet controls.
This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL"
blocks into a single block to ease future review as recommended by Linus.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/netlabel.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index e64eca246f1a..ed9155b29c1a 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -155,6 +155,11 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) int rc; struct netlbl_lsm_secattr secattr; + if (!netlbl_enabled()) { + *sid = SECSID_NULL; + return 0; + } + netlbl_secattr_init(&secattr); rc = netlbl_skbuff_getattr(skb, &secattr); if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) @@ -298,6 +303,9 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, u32 netlbl_sid; u32 recv_perm; + if (!netlbl_enabled()) + return 0; + rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_UNLABELED, &netlbl_sid); |