[PATCH 69/97] Smack: Consolidate secmark conversions
From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2019-02-28 22:20:35
Also in:
selinux
Subsystem:
security subsystem, smack security module, the rest · Maintainers:
Paul Moore, James Morris, "Serge E. Hallyn", Casey Schaufler, Linus Torvalds
Add a helper function smack_from_skb() that does all the checks required and maps a valid secmark to a smack_known structure. Replace the direct use of the secmark in surrounding code. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- security/smack/smack_lsm.c | 39 ++++++++++++++++++++++++++------------ 1 file changed, 27 insertions(+), 12 deletions(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index d3ec5f49ef44..7b8ad16c09e0 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c@@ -3734,6 +3734,20 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) } #endif /* CONFIG_IPV6 */ +/** + * smack_from_skb - Smack data from the secmark in an skb + * @skb: packet + * + * Returns smack_known of the secmark or NULL if that won't work. + */ +static struct smack_known *smack_from_skb(struct sk_buff *skb) +{ + if (skb == NULL || skb->secmark == 0) + return NULL; + + return smack_from_secid(skb->secmark); +} + /** * smack_socket_sock_rcv_skb - Smack packet delivery access check * @sk: socket
@@ -3768,10 +3782,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) * If there is no secmark fall back to CIPSO. * The secmark is assumed to reflect policy better. */ - if (skb && skb->secmark != 0) { - skp = smack_from_secid(skb->secmark); + skp = smack_from_skb(skb); + if (skp) goto access_check; - } #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ /* * Translate what netlabel gave us.
@@ -3814,9 +3827,8 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) proto != IPPROTO_TCP && proto != IPPROTO_DCCP) break; #ifdef SMACK_IPV6_SECMARK_LABELING - if (skb && skb->secmark != 0) - skp = smack_from_secid(skb->secmark); - else + skp = smack_from_skb(skb); + if (skp == NULL) skp = smack_ipv6host_label(&sadd); if (skp == NULL) skp = smack_net_ambient;
@@ -3917,9 +3929,11 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, break; case PF_INET: #ifdef CONFIG_SECURITY_SMACK_NETFILTER - s = skb->secmark; - if (s != 0) + skp = smack_from_skb(skb); + if (skp) { + s = skp->smk_secid; break; + } #endif /* * Translate what netlabel gave us.
@@ -3936,7 +3950,9 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, break; case PF_INET6: #ifdef SMACK_IPV6_SECMARK_LABELING - s = skb->secmark; + skp = smack_from_skb(skb); + if (skp) + s = skp->smk_secid; #endif break; }
@@ -4014,10 +4030,9 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, * If there is no secmark fall back to CIPSO. * The secmark is assumed to reflect policy better. */ - if (skb && skb->secmark != 0) { - skp = smack_from_secid(skb->secmark); + skp = smack_from_skb(skb); + if (skp) goto access_check; - } #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ netlbl_secattr_init(&secattr);
--
2.17.0