diff options
| author | Linus Torvalds <torvalds@g5.osdl.org> | 2006-09-23 16:49:31 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-09-23 16:49:31 -0700 |
| commit | a4c12d6c5dde48c69464baf7c703e425ee511433 (patch) | |
| tree | 73c375e41a353e2da0461ff30d744bff73958b08 /security/selinux/include/xfrm.h | |
| parent | 73af07de3e32b9ac328c3d1417258bb98a9b0a9b (diff) | |
| parent | 3b9f9a1c3903b64c38505f9fed3bb11e48dbc931 (diff) | |
Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: (353 commits)
[IPV6] ADDRCONF: Mobile IPv6 Home Address support.
[IPV6] ADDRCONF: Allow non-DAD'able addresses.
[IPV6] NDISC: Fix is_router flag setting.
[IPV6] ADDRCONF: Convert addrconf_lock to RCU.
[IPV6] NDISC: Add proxy_ndp sysctl.
[IPV6] NDISC: Set per-entry is_router flag in Proxy NA.
[IPV6] NDISC: Avoid updating neighbor cache for proxied address in receiving NA.
[IPV6]: Don't forward packets to proxied link-local address.
[IPV6] NDISC: Handle NDP messages to proxied addresses.
[NETFILTER]: PPTP conntrack: fix another GRE keymap leak
[NETFILTER]: PPTP conntrack: fix GRE keymap leak
[NETFILTER]: PPTP conntrack: fix PPTP_IN_CALL message types
[NETFILTER]: PPTP conntrack: check call ID before changing state
[NETFILTER]: PPTP conntrack: clean up debugging cruft
[NETFILTER]: PPTP conntrack: consolidate header parsing
[NETFILTER]: PPTP conntrack: consolidate header size checks
[NETFILTER]: PPTP conntrack: simplify expectation handling
[NETFILTER]: PPTP conntrack: remove unnecessary cid/pcid header pointers
[NETFILTER]: PPTP conntrack: fix header definitions
[NETFILTER]: PPTP conntrack: remove more dead code
...
Diffstat (limited to 'security/selinux/include/xfrm.h')
| -rw-r--r-- | security/selinux/include/xfrm.h | 43 |
1 files changed, 24 insertions, 19 deletions
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index c96498a10eb..81eb5989016 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h @@ -2,18 +2,25 @@ * SELinux support for the XFRM LSM hooks * * Author : Trent Jaeger, <jaegert@us.ibm.com> + * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com> */ #ifndef _SELINUX_XFRM_H_ #define _SELINUX_XFRM_H_ -int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx); +int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, + struct xfrm_user_sec_ctx *sec_ctx, struct sock *sk); int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); void selinux_xfrm_policy_free(struct xfrm_policy *xp); int selinux_xfrm_policy_delete(struct xfrm_policy *xp); -int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); +int selinux_xfrm_state_alloc(struct xfrm_state *x, + struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *pol, u32 secid); void selinux_xfrm_state_free(struct xfrm_state *x); int selinux_xfrm_state_delete(struct xfrm_state *x); -int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir); +int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir); +int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, + struct xfrm_policy *xp, struct flowi *fl); +int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm); + /* * Extract the security blob from the sock (it's actually on the socket) @@ -26,30 +33,23 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk) return SOCK_INODE(sk->sk_socket)->i_security; } - -static inline u32 selinux_no_sk_sid(struct flowi *fl) -{ - /* NOTE: no sock occurs on ICMP reply, forwards, ... */ - /* icmp_reply: authorize as kernel packet */ - if (fl && fl->proto == IPPROTO_ICMP) { - return SECINITSID_KERNEL; - } - - return SECINITSID_ANY_SOCKET; -} - #ifdef CONFIG_SECURITY_NETWORK_XFRM -int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb); -int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb); +int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, + struct avc_audit_data *ad); +int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, + struct avc_audit_data *ad); u32 selinux_socket_getpeer_stream(struct sock *sk); u32 selinux_socket_getpeer_dgram(struct sk_buff *skb); +int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); #else -static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb) +static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, + struct avc_audit_data *ad) { return 0; } -static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb) +static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, + struct avc_audit_data *ad) { return 0; } @@ -63,6 +63,11 @@ static inline int selinux_socket_getpeer_dgram(struct sk_buff *skb) { return SECSID_NULL; } +static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) +{ + *sid = SECSID_NULL; + return 0; +} #endif #endif /* _SELINUX_XFRM_H_ */ |