summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorHuw Davies <huw@codeweavers.com>2016-06-27 15:06:15 -0400
committerPaul Moore <paul@paul-moore.com>2016-06-27 15:06:15 -0400
commit2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 (patch)
treecf6e68541ba82eb7c4b11a7ba563f423060d8b46 /security
parent0868383b822e4d8ebde980c7aac973a6aa81a3ec (diff)
downloadlinux-2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3.tar.bz2
calipso: Allow the lsm to label the skbuff directly.
In some cases, the lsm needs to add the label to the skbuff directly. A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4 behaviour. This allows selinux to label the skbuffs that it requires. Signed-off-by: Huw Davies <huw@codeweavers.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a00ab81ab719..cb7c5c8028e7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5063,6 +5063,15 @@ static unsigned int selinux_ipv4_output(void *priv,
return selinux_ip_output(skb, PF_INET);
}
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static unsigned int selinux_ipv6_output(void *priv,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ return selinux_ip_output(skb, PF_INET6);
+}
+#endif /* IPV6 */
+
static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
int ifindex,
u16 family)
@@ -6297,6 +6306,12 @@ static struct nf_hook_ops selinux_nf_ops[] = {
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_SELINUX_FIRST,
},
+ {
+ .hook = selinux_ipv6_output,
+ .pf = NFPROTO_IPV6,
+ .hooknum = NF_INET_LOCAL_OUT,
+ .priority = NF_IP6_PRI_SELINUX_FIRST,
+ },
#endif /* IPV6 */
};