Gitiles
Code Review Sign In
review.evervolv.com / android_kernel_oneplus_sm8150 / 8d9107e8c50e1c4ff43c91c8841805833f3ecfb9^! / . / security / selinux / hooks.c
commit8d9107e8c50e1c4ff43c91c8841805833f3ecfb9[log] [tgz]
authorLinus Torvalds <torvalds@woody.linux-foundation.org>Fri Jul 13 16:53:18 2007 -0700
committerLinus Torvalds <torvalds@woody.linux-foundation.org>Fri Jul 13 16:53:18 2007 -0700
treeabc57f38cf659d4031d5a9915a088f2c47b2cc7e
parent16cefa8c3863721fd40445a1b34dea18cd16ccfe [diff] [blame]
Revert "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel"

This reverts commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0.

It bit people like Michal Piotrowski:

  "My system is too secure, I can not login :)"

because it changed how CONFIG_NETLABEL worked, and broke older SElinux
policies.

As a result, quoth James Morris:

  "Can you please revert this patch?

   We thought it only affected people running MLS, but it will affect others.

   Sorry for the hassle."

Cc: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
Cc: Paul Moore <paul.moore@hp.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index aff8f46..78c3f98 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

@@ -3129,19 +3129,17 @@
 /**
  * selinux_skb_extlbl_sid - Determine the external label of a packet
  * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
  * @sid: the packet's SID
  *
  * Description:
  * Check the various different forms of external packet labeling and determine
- * the external SID for the packet.  If only one form of external labeling is
- * present then it is used, if both labeled IPsec and NetLabel labels are
- * present then the SELinux type information is taken from the labeled IPsec
- * SA and the MLS sensitivity label information is taken from the NetLabel
- * security attributes.  This bit of "magic" is done in the call to
- * selinux_netlbl_skbuff_getsid().
+ * the external SID for the packet.
  *
  */
-static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+				   u32 base_sid,
+				   u32 *sid)
 {
 	u32 xfrm_sid;
 	u32 nlbl_sid;
@@ -3149,9 +3147,10 @@
 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
 	if (selinux_netlbl_skbuff_getsid(skb,
 					 (xfrm_sid == SECSID_NULL ?
-					  SECINITSID_NETMSG : xfrm_sid),
+					  base_sid : xfrm_sid),
 					 &nlbl_sid) != 0)
 		nlbl_sid = SECSID_NULL;
+
 	*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
 }
 
@@ -3696,7 +3695,7 @@
 	if (sock && sock->sk->sk_family == PF_UNIX)
 		selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
 	else if (skb)
-		selinux_skb_extlbl_sid(skb, &peer_secid);
+		selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
 
 	if (peer_secid == SECSID_NULL)
 		err = -EINVAL;
@@ -3757,7 +3756,7 @@
 	u32 newsid;
 	u32 peersid;
 
-	selinux_skb_extlbl_sid(skb, &peersid);
+	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
 	if (peersid == SECSID_NULL) {
 		req->secid = sksec->sid;
 		req->peer_secid = SECSID_NULL;
@@ -3795,7 +3794,7 @@
 {
 	struct sk_security_struct *sksec = sk->sk_security;
 
-	selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
+	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
 }
 
 static void selinux_req_classify_flow(const struct request_sock *req,