GitHub-Mirror/linux-bl808
2
0
Fork 0
mirror of https://github.com/Fishwaldo/linux-bl808.git synced 2025-06-17 20:25:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

[NETLINK]: Encapsulate eff_cap usage within security framework.

Browse source 
This patch encapsulates the usage of eff_cap (in netlink_skb_params) within
the security framework by extending security_netlink_recv to include a required
capability parameter and converting all direct usage of eff_caps outside
of the lsm modules to use the interface.  It also updates the SELinux
implementation of the security_netlink_send and security_netlink_recv
hooks to take advantage of the sid in the netlink_skb_params struct.
This also enables SELinux to perform auditing of netlink capability checks.
Please apply, for 2.6.18 if possible.

Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by:  James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Darrel Goeddel 2006-06-27 13:26:11 -07:00 committed by David S. Miller
parent 576a30eb64
commit c7bdb545d2
12 changed files with 35 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

13
include/linux/security.h
View file

@ -67,7 +67,7 @@ struct xfrm_state;
struct xfrm_user_sec_ctx;
extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
extern int cap_netlink_recv(struct sk_buff *skb);
extern int cap_netlink_recv(struct sk_buff *skb, int cap);
/*
* Values used in the task_security_ops calls
@ -656,6 +656,7 @@ struct swap_info_struct;
* Check permission before processing the received netlink message in
* @skb.
* @skb contains the sk_buff structure for the netlink message.
* @cap indicates the capability required
* Return 0 if permission is granted.
*
* Security hooks for Unix domain networking.
@ -1266,7 +1267,7 @@ struct security_operations {
struct sembuf * sops, unsigned nsops, int alter);
int (*netlink_send) (struct sock * sk, struct sk_buff * skb);
int (*netlink_recv) (struct sk_buff * skb);
int (*netlink_recv) (struct sk_buff * skb, int cap);
/* allow module stacking */
int (*register_security) (const char *name,
@ -2032,9 +2033,9 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff * skb)
return security_ops->netlink_send(sk, skb);
}
static inline int security_netlink_recv(struct sk_buff * skb)
static inline int security_netlink_recv(struct sk_buff * skb, int cap)
{
return security_ops->netlink_recv(skb);
return security_ops->netlink_recv(skb, cap);
}
/* prototypes */
@ -2670,9 +2671,9 @@ static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb)
return cap_netlink_send (sk, skb);
}
static inline int security_netlink_recv (struct sk_buff *skb)
static inline int security_netlink_recv (struct sk_buff *skb, int cap)
{
return cap_netlink_recv (skb);
return cap_netlink_recv (skb, cap);
}
static inline struct dentry *securityfs_create_dir(const char *name,