authorStephen D. Smalley <sds@epoch.ncsc.mil>2004-06-26 20:59:04 -0700
committerLinus Torvalds <torvalds@ppc970.osdl.org>2004-06-26 20:59:04 -0700
commite903c6f912e1b716b3e039d507b6afcd3b3cdc46 (patch)
tree46ce623dc6f8f86dc77f73b841aa8a5a3c55db0c /security
parentec3c438ed7a820fdb66c0ff189a85fd9b976758e (diff)
[PATCH] SELinux: fix build with CONFIG_SECURITY_NETWORK=n
SELinux should just drop out the socket and netfilter hooks when that is disabled. The problem was introduced because of the fine-grained netlink patches, which made the selinux_netlink_send/recv hook functions depend on CONFIG_SECURITY_NETWORK but the netlink_send/recv hooks themselves are not dependent on it. Need to move selinux_netlink_send/recv back out of the conditional block, and provide a static inline stub for selinux_nlmsg_perm if CONFIG_SECURITY_NETWORK is not defined. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c51
1 files changed, 29 insertions, 22 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e1009456e6d476..161da40417e665 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3434,28 +3434,6 @@ out:
return err;
}
-static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
-{
- int err = 0;
-
- if (capable(CAP_NET_ADMIN))
- cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
- else
- NETLINK_CB(skb).eff_cap = 0;
-
- if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
- err = selinux_nlmsg_perm(sk, skb);
-
- return err;
-}
-
-static int selinux_netlink_recv(struct sk_buff *skb)
-{
- if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
- return -EPERM;
- return 0;
-}
-
#ifdef CONFIG_NETFILTER
static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
@@ -3591,8 +3569,37 @@ static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
#endif /* CONFIG_NETFILTER */
+#else
+
+static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
+{
+ return 0;
+}
+
#endif /* CONFIG_SECURITY_NETWORK */
+static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
+{
+ int err = 0;
+
+ if (capable(CAP_NET_ADMIN))
+ cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
+ else
+ NETLINK_CB(skb).eff_cap = 0;
+
+ if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
+ err = selinux_nlmsg_perm(sk, skb);
+
+ return err;
+}
+
+static int selinux_netlink_recv(struct sk_buff *skb)
+{
+ if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
+ return -EPERM;
+ return 0;
+}
+
static int ipc_alloc_security(struct task_struct *task,
struct kern_ipc_perm *perm,
u16 sclass)
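Review bot: The `selinux_nlmsg_perm` stub added under `#else` fails open without saying so: it returns 0, so with CONFIG_SECURITY_NETWORK=n `selinux_netlink_send` makes no per-message permission check and the only gate visible in this hunk is the CAP_NET_ADMIN bit tested in `selinux_netlink_recv`. The commit message suggests this is deliberate, so I would record it at the stub with a comment such as `/* CONFIG_SECURITY_NETWORK=n: netlink message-type checks are compiled out; sends are allowed here and only the eff_cap CAP_NET_ADMIN test in selinux_netlink_recv applies. */`. The `#ifdef CONFIG_SECURITY_NETWORK` that this `#else` pairs with opens outside the hunk, so the real function's return contract cannot be compared with the stub from here.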