Smack: Consolidate uses of secmark into a function (36be8129) · Commits · 戴 / test

security/smack/smack_lsm.c

+33 −28

Original line number	Diff line number	Diff line
		@@ -3810,6 +3810,20 @@ static int smk_skb_to_addr_ipv6(struct sk_buff skb, struct sockaddr_in6 sip)
		}
		#endif /* CONFIG_IPV6 */

		/**
		* smack_from_skb - Smack data from the secmark in an skb
		* @skb: packet
		*
		* Returns smack_known of the secmark or NULL if that won't work.
		*/
		static struct smack_known smack_from_skb(struct sk_buff skb)
		{
		if (skb == NULL \|\| skb->secmark == 0)
		return NULL;

		return smack_from_secid(skb->secmark);
		}

		/**
		* smack_socket_sock_rcv_skb - Smack packet delivery access check
		* @sk: socket
		@@ -3838,17 +3852,14 @@ static int smack_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)

		switch (family) {
		case PF_INET:
		#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		/*
		* If there is a secmark use it rather than the CIPSO label.
		* If there is no secmark fall back to CIPSO.
		* The secmark is assumed to reflect policy better.
		*/
		if (skb && skb->secmark != 0) {
		skp = smack_from_secid(skb->secmark);
		skp = smack_from_skb(skb);
		if (skp)
		goto access_check;
		}
		#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
		/*
		* Translate what netlabel gave us.
		*/
		@@ -3862,9 +3873,8 @@ static int smack_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)

		netlbl_secattr_destroy(&secattr);

		#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		access_check:
		#endif

		#ifdef CONFIG_AUDIT
		smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
		ad.a.u.net->family = family;
		@@ -3890,16 +3900,14 @@ access_check:
		proto != IPPROTO_TCP && proto != IPPROTO_DCCP)
		break;
		#ifdef SMACK_IPV6_SECMARK_LABELING
		if (skb && skb->secmark != 0)
		skp = smack_from_secid(skb->secmark);
		else if (smk_ipv6_localhost(&sadd))
		skp = smack_from_skb(skb);
		if (skp == NULL) {
		if (smk_ipv6_localhost(&sadd))
		break;
		else
		skp = smack_ipv6host_label(&sadd);
		if (skp == NULL)
		skp = smack_net_ambient;
		if (skb == NULL)
		break;
		}
		#ifdef CONFIG_AUDIT
		smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
		ad.a.u.net->family = family;
		@@ -3995,11 +4003,11 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
		s = ssp->smk_out->smk_secid;
		break;
		case PF_INET:
		#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		s = skb->secmark;
		if (s != 0)
		skp = smack_from_skb(skb);
		if (skp) {
		s = skp->smk_secid;
		break;
		#endif
		}
		/*
		* Translate what netlabel gave us.
		*/
		@@ -4015,7 +4023,9 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
		break;
		case PF_INET6:
		#ifdef SMACK_IPV6_SECMARK_LABELING
		s = skb->secmark;
		skp = smack_from_skb(skb);
		if (skp)
		s = skp->smk_secid;
		#endif
		break;
		}
		@@ -4087,17 +4097,14 @@ static int smack_inet_conn_request(struct sock sk, struct sk_buff skb,
		}
		#endif /* CONFIG_IPV6 */

		#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		/*
		* If there is a secmark use it rather than the CIPSO label.
		* If there is no secmark fall back to CIPSO.
		* The secmark is assumed to reflect policy better.
		*/
		if (skb && skb->secmark != 0) {
		skp = smack_from_secid(skb->secmark);
		skp = smack_from_skb(skb);
		if (skp)
		goto access_check;
		}
		#endif /* CONFIG_SECURITY_SMACK_NETFILTER */

		netlbl_secattr_init(&secattr);
		rc = netlbl_skbuff_getattr(skb, family, &secattr);
		@@ -4107,9 +4114,7 @@ static int smack_inet_conn_request(struct sock sk, struct sk_buff skb,
		skp = &smack_known_huh;
		netlbl_secattr_destroy(&secattr);

		#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		access_check:
		#endif

		#ifdef CONFIG_AUDIT
		smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);

Admin message