From: Venkat Yekkirala <vyekkirala@trustedcs•com>
To: netdev@vger•kernel.org
Cc: selinux@tycho•nsa.gov, jmorris@namei•org, sds@tycho•nsa.gov,
paul.moore@hp•com, eparis@redhat•com
Subject: [PATCH 8/9] secid reconciliation-v04: Use secmark when classifying flow using skb
Date: Sun, 01 Oct 2006 16:27:09 -0500 [thread overview]
Message-ID: <452032AD.6080303@trustedcs.com> (raw)
This beings secmark into the picture when classifying flows
using an skb.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS•com>
---
include/linux/security.h | 10 ----------
include/linux/skbuff.h | 20 ++++++++++++++++++++
2 files changed, 20 insertions(+), 10 deletions(-)
--- net-2.6.sid/include/linux/security.h 2006-09-30 16:02:59.000000000 -0500
+++ net-2.6/include/linux/security.h 2006-10-01 13:07:43.000000000 -0500
@@ -3223,12 +3223,6 @@ static inline int security_xfrm_decode_s
return security_ops->xfrm_decode_session(skb, secid, 1);
}
-static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
-{
- int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
-
- BUG_ON(rc);
-}
#else /* CONFIG_SECURITY_NETWORK_XFRM */
static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
{
@@ -3297,10 +3291,6 @@ static inline int security_xfrm_decode_s
return 0;
}
-static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
-{
-}
-
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
#ifdef CONFIG_KEYS
--- net-2.6.sid/include/linux/skbuff.h 2006-09-27 18:20:54.000000000 -0500
+++ net-2.6/include/linux/skbuff.h 2006-10-01 13:17:22.000000000 -0500
@@ -30,6 +30,7 @@
#include <net/checksum.h>
#include <linux/dmaengine.h>
#include <net/flow.h>
+#include <linux/security.h>
#define HAVE_ALLOC_SKB /* For the drivers to know */
#define HAVE_ALIGNABLE_SKB /* Ditto 8) */
@@ -1514,6 +1515,20 @@ static inline void security_flow_classif
skb->secmark = fl->secid;
}
+static inline void security_skb_classify_flow(struct sk_buff *skb,
+ struct flowi *fl)
+{
+ /*
+ * We need to check for xfrm label here since secid reconciliation
+ * may or may not have happened yet and we want the
+ * flow to use the best available label.
+ */
+ int rc = security_xfrm_decode_session(skb, &fl->secid);
+
+ if (rc || !fl->secid)
+ fl->secid = skb->secmark;
+}
+
#else
static inline void security_skb_classify_skb(struct sk_buff *from,
@@ -1526,6 +1541,11 @@ static inline void security_flow_classif
{
}
+static inline void security_skb_classify_flow(struct sk_buff *skb,
+ struct flowi *fl)
+{
+}
+
#endif /* CONFIG_SECURITY_NETWORK */
#endif /* __KERNEL__ */
reply other threads:[~2006-10-01 21:27 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=452032AD.6080303@trustedcs.com \
--to=vyekkirala@trustedcs$(echo .)com \
--cc=eparis@redhat$(echo .)com \
--cc=jmorris@namei$(echo .)org \
--cc=netdev@vger$(echo .)kernel.org \
--cc=paul.moore@hp$(echo .)com \
--cc=sds@tycho$(echo .)nsa.gov \
--cc=selinux@tycho$(echo .)nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox