Gitiles
Code Review Sign In
gerrit.openfyde.cn / github.com / raspberrypi / raspberrypi-kernel / 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3^! / . / security / selinux / hooks.c
commit2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3[log] [tgz]
authorHuw Davies <huw@codeweavers.com>Mon Jun 27 15:06:15 2016 -0400
committerPaul Moore <paul@paul-moore.com>Mon Jun 27 15:06:15 2016 -0400
treecf6e68541ba82eb7c4b11a7ba563f423060d8b46
parent0868383b822e4d8ebde980c7aac973a6aa81a3ec [diff] [blame]
calipso: Allow the lsm to label the skbuff directly.

In some cases, the lsm needs to add the label to the skbuff directly.
A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4
behaviour.  This allows selinux to label the skbuffs that it requires.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a00ab81..cb7c5c8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

@@ -5063,6 +5063,15 @@
 	return selinux_ip_output(skb, PF_INET);
 }
 
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static unsigned int selinux_ipv6_output(void *priv,
+					struct sk_buff *skb,
+					const struct nf_hook_state *state)
+{
+	return selinux_ip_output(skb, PF_INET6);
+}
+#endif	/* IPV6 */
+
 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
 						int ifindex,
 						u16 family)
@@ -6297,6 +6306,12 @@
 		.hooknum =	NF_INET_FORWARD,
 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
 	},
+	{
+		.hook =		selinux_ipv6_output,
+		.pf =		NFPROTO_IPV6,
+		.hooknum =	NF_INET_LOCAL_OUT,
+		.priority =	NF_IP6_PRI_SELINUX_FIRST,
+	},
 #endif	/* IPV6 */
 };