SELinux: Enable dynamic enable/disable of the network access checks

int selinux_string_to_sid(char *str, u32 *sid);

/**

 *     selinux_relabel_packet_permission - check permission to relabel a packet

 *     @sid: ID value to be applied to network packet (via SECMARK, most likely)

 *     selinux_secmark_relabel_packet_permission - secmark permission check

 *     @sid: SECMARK ID value to be applied to network packet

 *

 *     Returns 0 if the current task is allowed to label packets with the

 *     supplied security ID.  Note that it is implicit that the packet is always

 *     being relabeled from the default unlabled value, and that the access

 *     control decision is made in the AVC.

 *     Returns 0 if the current task is allowed to set the SECMARK label of

 *     packets with the supplied security ID.  Note that it is implicit that

 *     the packet is always being relabeled from the default unlabeled value,

 *     and that the access control decision is made in the AVC.

 */

int selinux_relabel_packet_permission(u32 sid);

int selinux_secmark_relabel_packet_permission(u32 sid);

/**

 *     selinux_secmark_refcount_inc - increments the secmark use counter

 *

 *     SELinux keeps track of the current SECMARK targets in use so it knows

 *     when to apply SECMARK label access checks to network packets.  This

 *     function incements this reference count to indicate that a new SECMARK

 *     target has been configured.

 */

void selinux_secmark_refcount_inc(void);

/**

 *     selinux_secmark_refcount_dec - decrements the secmark use counter

 *

 *     SELinux keeps track of the current SECMARK targets in use so it knows

 *     when to apply SECMARK label access checks to network packets.  This

 *     function decements this reference count to indicate that one of the

 *     existing SECMARK targets has been removed/flushed.

 */

void selinux_secmark_refcount_dec(void);

#else

static inline int selinux_audit_rule_init(u32 field, u32 op,

       return 0;

}

static inline int selinux_relabel_packet_permission(u32 sid)

static inline int selinux_secmark_relabel_packet_permission(u32 sid)

{

	return 0;

}

static inline void selinux_secmark_refcount_inc(void)

{

	return;

}

static inline void selinux_secmark_refcount_dec(void)

{

	return;

}

#endif	/* CONFIG_SECURITY_SELINUX */

#endif /* _LINUX_SELINUX_H */

		return false;

	}

	err = selinux_relabel_packet_permission(sel->selsid);

	err = selinux_secmark_relabel_packet_permission(sel->selsid);

	if (err) {

		printk(KERN_INFO PFX "unable to obtain relabeling permission\n");

		return false;

	}

	selinux_secmark_refcount_inc();

	return true;

}

	return true;

}

void secmark_tg_destroy(const struct xt_target *target, void *targinfo)

{

	switch (mode) {

	case SECMARK_MODE_SEL:

		selinux_secmark_refcount_dec();

	}

}

static struct xt_target secmark_tg_reg[] __read_mostly = {

	{

		.name		= "SECMARK",

		.family		= AF_INET,

		.checkentry	= secmark_tg_check,

		.destroy	= secmark_tg_destroy,

		.target		= secmark_tg,

		.targetsize	= sizeof(struct xt_secmark_target_info),

		.table		= "mangle",

		.name		= "SECMARK",

		.family		= AF_INET6,

		.checkentry	= secmark_tg_check,

		.destroy	= secmark_tg_destroy,

		.target		= secmark_tg,

		.targetsize	= sizeof(struct xt_secmark_target_info),

		.table		= "mangle",

#include <linux/selinux.h>

#include <linux/fs.h>

#include <linux/ipc.h>

#include <asm/atomic.h>

#include "security.h"

#include "objsec.h"

/* SECMARK reference count */

extern atomic_t selinux_secmark_refcount;

int selinux_sid_to_string(u32 sid, char **ctx, u32 *ctxlen)

{

	if (selinux_enabled)

}

EXPORT_SYMBOL_GPL(selinux_string_to_sid);

int selinux_relabel_packet_permission(u32 sid)

int selinux_secmark_relabel_packet_permission(u32 sid)

{

	if (selinux_enabled) {

		struct task_security_struct *tsec = current->security;

	}

	return 0;

}

EXPORT_SYMBOL_GPL(selinux_relabel_packet_permission);

EXPORT_SYMBOL_GPL(selinux_secmark_relabel_packet_permission);

void selinux_secmark_refcount_inc(void)

{

	atomic_inc(&selinux_secmark_refcount);

}

EXPORT_SYMBOL_GPL(selinux_secmark_refcount_inc);

void selinux_secmark_refcount_dec(void)

{

	atomic_dec(&selinux_secmark_refcount);

}

EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec);

#include <net/ip.h>		/* for local_port_range[] */

#include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */

#include <net/net_namespace.h>

#include <net/netlabel.h>

#include <asm/uaccess.h>

#include <asm/ioctls.h>

#include <asm/atomic.h>

#include <linux/bitops.h>

#include <linux/interrupt.h>

#include <linux/netdevice.h>	/* for network interface checks */

extern int selinux_compat_net;

extern struct security_operations *security_ops;

/* SECMARK reference count */

atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);

#ifdef CONFIG_SECURITY_SELINUX_DEVELOP

int selinux_enforcing = 0;

	return len;

}

/**

 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled

 *

 * Description:

 * This function checks the SECMARK reference counter to see if any SECMARK

 * targets are currently configured, if the reference counter is greater than

 * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is

 * enabled, false (0) if SECMARK is disabled.

 *

 */

static int selinux_secmark_enabled(void)

{

	return (atomic_read(&selinux_secmark_refcount) > 0);

}

/* Allocate and free functions for each kind of security blob. */

static int task_alloc_security(struct task_struct *task)

	struct sk_security_struct *sksec = sk->sk_security;

	u16 family = sk->sk_family;

	u32 sk_sid = sksec->sid;

	u32 peer_sid;

	struct avc_audit_data ad;

	char *addrp;

		return selinux_sock_rcv_skb_compat(sk, skb, &ad,

						   family, addrp);

	if (selinux_secmark_enabled()) {

		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,

				   PACKET__RECV, &ad);

		if (err)

			return err;

	}

	if (netlbl_enabled() || selinux_xfrm_enabled()) {

		u32 peer_sid;

		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);

		if (err)

			return err;

	return avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, PEER__RECV, &ad);

		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,

				   PEER__RECV, &ad);

	}

	return err;

}

static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,

}

#ifdef CONFIG_SECURITY_NETWORK_XFRM

extern atomic_t selinux_xfrm_refcount;

static inline int selinux_xfrm_enabled(void)

{

	return (atomic_read(&selinux_xfrm_refcount) > 0);

}

int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,

			struct avc_audit_data *ad);

int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,

	atomic_inc(&flow_cache_genid);

}

#else

static inline int selinux_xfrm_enabled(void)

{

	return 0;

}

static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,

			struct avc_audit_data *ad)

{