Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6

* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [CIPSO]: Fix several unaligned kernel accesses in the CIPSO engine.
  [NetLabel]: consolidate the struct socket/sock handling to just struct sock
  [IPV4]: Do not remove idev when addresses are cleared
This commit is contained in:
Linus Torvalds 2007-06-08 18:15:49 -07:00
commit 81d84a94be
6 changed files with 61 additions and 122 deletions

View file

@ -203,12 +203,10 @@ static inline int cipso_v4_cache_add(const struct sk_buff *skb,
#ifdef CONFIG_NETLABEL #ifdef CONFIG_NETLABEL
void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway); void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
int cipso_v4_socket_setattr(const struct socket *sock, int cipso_v4_sock_setattr(struct sock *sk,
const struct cipso_v4_doi *doi_def, const struct cipso_v4_doi *doi_def,
const struct netlbl_lsm_secattr *secattr); const struct netlbl_lsm_secattr *secattr);
int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr); int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
int cipso_v4_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr);
int cipso_v4_skbuff_getattr(const struct sk_buff *skb, int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
struct netlbl_lsm_secattr *secattr); struct netlbl_lsm_secattr *secattr);
int cipso_v4_validate(unsigned char **option); int cipso_v4_validate(unsigned char **option);
@ -220,9 +218,9 @@ static inline void cipso_v4_error(struct sk_buff *skb,
return; return;
} }
static inline int cipso_v4_socket_setattr(const struct socket *sock, static inline int cipso_v4_sock_setattr(struct sock *sk,
const struct cipso_v4_doi *doi_def, const struct cipso_v4_doi *doi_def,
const struct netlbl_lsm_secattr *secattr) const struct netlbl_lsm_secattr *secattr)
{ {
return -ENOSYS; return -ENOSYS;
} }
@ -233,12 +231,6 @@ static inline int cipso_v4_sock_getattr(struct sock *sk,
return -ENOSYS; return -ENOSYS;
} }
static inline int cipso_v4_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
{
return -ENOSYS;
}
static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb, static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
struct netlbl_lsm_secattr *secattr) struct netlbl_lsm_secattr *secattr)
{ {

View file

@ -332,17 +332,15 @@ static inline int netlbl_secattr_catmap_setrng(
*/ */
#ifdef CONFIG_NETLABEL #ifdef CONFIG_NETLABEL
int netlbl_socket_setattr(const struct socket *sock, int netlbl_sock_setattr(struct sock *sk,
const struct netlbl_lsm_secattr *secattr); const struct netlbl_lsm_secattr *secattr);
int netlbl_sock_getattr(struct sock *sk, int netlbl_sock_getattr(struct sock *sk,
struct netlbl_lsm_secattr *secattr); struct netlbl_lsm_secattr *secattr);
int netlbl_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr);
int netlbl_skbuff_getattr(const struct sk_buff *skb, int netlbl_skbuff_getattr(const struct sk_buff *skb,
struct netlbl_lsm_secattr *secattr); struct netlbl_lsm_secattr *secattr);
void netlbl_skbuff_err(struct sk_buff *skb, int error); void netlbl_skbuff_err(struct sk_buff *skb, int error);
#else #else
static inline int netlbl_socket_setattr(const struct socket *sock, static inline int netlbl_sock_setattr(struct sock *sk,
const struct netlbl_lsm_secattr *secattr) const struct netlbl_lsm_secattr *secattr)
{ {
return -ENOSYS; return -ENOSYS;
@ -354,12 +352,6 @@ static inline int netlbl_sock_getattr(struct sock *sk,
return -ENOSYS; return -ENOSYS;
} }
static inline int netlbl_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
{
return -ENOSYS;
}
static inline int netlbl_skbuff_getattr(const struct sk_buff *skb, static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
struct netlbl_lsm_secattr *secattr) struct netlbl_lsm_secattr *secattr)
{ {

View file

@ -45,6 +45,7 @@
#include <net/cipso_ipv4.h> #include <net/cipso_ipv4.h>
#include <asm/atomic.h> #include <asm/atomic.h>
#include <asm/bug.h> #include <asm/bug.h>
#include <asm/unaligned.h>
struct cipso_v4_domhsh_entry { struct cipso_v4_domhsh_entry {
char *domain; char *domain;
@ -1000,7 +1001,7 @@ static int cipso_v4_map_cat_enum_valid(const struct cipso_v4_doi *doi_def,
return -EFAULT; return -EFAULT;
for (iter = 0; iter < enumcat_len; iter += 2) { for (iter = 0; iter < enumcat_len; iter += 2) {
cat = ntohs(*((__be16 *)&enumcat[iter])); cat = ntohs(get_unaligned((__be16 *)&enumcat[iter]));
if (cat <= cat_prev) if (cat <= cat_prev)
return -EFAULT; return -EFAULT;
cat_prev = cat; cat_prev = cat;
@ -1068,8 +1069,8 @@ static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def,
for (iter = 0; iter < net_cat_len; iter += 2) { for (iter = 0; iter < net_cat_len; iter += 2) {
ret_val = netlbl_secattr_catmap_setbit(secattr->mls_cat, ret_val = netlbl_secattr_catmap_setbit(secattr->mls_cat,
ntohs(*((__be16 *)&net_cat[iter])), ntohs(get_unaligned((__be16 *)&net_cat[iter])),
GFP_ATOMIC); GFP_ATOMIC);
if (ret_val != 0) if (ret_val != 0)
return ret_val; return ret_val;
} }
@ -1102,9 +1103,10 @@ static int cipso_v4_map_cat_rng_valid(const struct cipso_v4_doi *doi_def,
return -EFAULT; return -EFAULT;
for (iter = 0; iter < rngcat_len; iter += 4) { for (iter = 0; iter < rngcat_len; iter += 4) {
cat_high = ntohs(*((__be16 *)&rngcat[iter])); cat_high = ntohs(get_unaligned((__be16 *)&rngcat[iter]));
if ((iter + 4) <= rngcat_len) if ((iter + 4) <= rngcat_len)
cat_low = ntohs(*((__be16 *)&rngcat[iter + 2])); cat_low = ntohs(
get_unaligned((__be16 *)&rngcat[iter + 2]));
else else
cat_low = 0; cat_low = 0;
@ -1201,9 +1203,10 @@ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,
u16 cat_high; u16 cat_high;
for (net_iter = 0; net_iter < net_cat_len; net_iter += 4) { for (net_iter = 0; net_iter < net_cat_len; net_iter += 4) {
cat_high = ntohs(*((__be16 *)&net_cat[net_iter])); cat_high = ntohs(get_unaligned((__be16 *)&net_cat[net_iter]));
if ((net_iter + 4) <= net_cat_len) if ((net_iter + 4) <= net_cat_len)
cat_low = ntohs(*((__be16 *)&net_cat[net_iter + 2])); cat_low = ntohs(
get_unaligned((__be16 *)&net_cat[net_iter + 2]));
else else
cat_low = 0; cat_low = 0;
@ -1565,7 +1568,7 @@ int cipso_v4_validate(unsigned char **option)
} }
rcu_read_lock(); rcu_read_lock();
doi_def = cipso_v4_doi_search(ntohl(*((__be32 *)&opt[2]))); doi_def = cipso_v4_doi_search(ntohl(get_unaligned((__be32 *)&opt[2])));
if (doi_def == NULL) { if (doi_def == NULL) {
err_offset = 2; err_offset = 2;
goto validate_return_locked; goto validate_return_locked;
@ -1709,22 +1712,22 @@ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
} }
/** /**
* cipso_v4_socket_setattr - Add a CIPSO option to a socket * cipso_v4_sock_setattr - Add a CIPSO option to a socket
* @sock: the socket * @sk: the socket
* @doi_def: the CIPSO DOI to use * @doi_def: the CIPSO DOI to use
* @secattr: the specific security attributes of the socket * @secattr: the specific security attributes of the socket
* *
* Description: * Description:
* Set the CIPSO option on the given socket using the DOI definition and * Set the CIPSO option on the given socket using the DOI definition and
* security attributes passed to the function. This function requires * security attributes passed to the function. This function requires
* exclusive access to @sock->sk, which means it either needs to be in the * exclusive access to @sk, which means it either needs to be in the
* process of being created or locked via lock_sock(sock->sk). Returns zero on * process of being created or locked. Returns zero on success and negative
* success and negative values on failure. * values on failure.
* *
*/ */
int cipso_v4_socket_setattr(const struct socket *sock, int cipso_v4_sock_setattr(struct sock *sk,
const struct cipso_v4_doi *doi_def, const struct cipso_v4_doi *doi_def,
const struct netlbl_lsm_secattr *secattr) const struct netlbl_lsm_secattr *secattr)
{ {
int ret_val = -EPERM; int ret_val = -EPERM;
u32 iter; u32 iter;
@ -1732,7 +1735,6 @@ int cipso_v4_socket_setattr(const struct socket *sock,
u32 buf_len = 0; u32 buf_len = 0;
u32 opt_len; u32 opt_len;
struct ip_options *opt = NULL; struct ip_options *opt = NULL;
struct sock *sk;
struct inet_sock *sk_inet; struct inet_sock *sk_inet;
struct inet_connection_sock *sk_conn; struct inet_connection_sock *sk_conn;
@ -1740,7 +1742,6 @@ int cipso_v4_socket_setattr(const struct socket *sock,
* defined yet but it is not a problem as the only users of these * defined yet but it is not a problem as the only users of these
* "lite" PF_INET sockets are functions which do an accept() call * "lite" PF_INET sockets are functions which do an accept() call
* afterwards so we will label the socket as part of the accept(). */ * afterwards so we will label the socket as part of the accept(). */
sk = sock->sk;
if (sk == NULL) if (sk == NULL)
return 0; return 0;
@ -1858,7 +1859,7 @@ int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
if (ret_val == 0) if (ret_val == 0)
return ret_val; return ret_val;
doi = ntohl(*(__be32 *)&cipso_ptr[2]); doi = ntohl(get_unaligned((__be32 *)&cipso_ptr[2]));
rcu_read_lock(); rcu_read_lock();
doi_def = cipso_v4_doi_search(doi); doi_def = cipso_v4_doi_search(doi);
if (doi_def == NULL) { if (doi_def == NULL) {
@ -1891,29 +1892,6 @@ int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
return ret_val; return ret_val;
} }
/**
* cipso_v4_socket_getattr - Get the security attributes from a socket
* @sock: the socket
* @secattr: the security attributes
*
* Description:
* Query @sock to see if there is a CIPSO option attached to the socket and if
* there is return the CIPSO security attributes in @secattr. Returns zero on
* success and negative values on failure.
*
*/
int cipso_v4_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
{
int ret_val;
lock_sock(sock->sk);
ret_val = cipso_v4_sock_getattr(sock->sk, secattr);
release_sock(sock->sk);
return ret_val;
}
/** /**
* cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option * cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option
* @skb: the packet * @skb: the packet
@ -1936,7 +1914,7 @@ int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
if (cipso_v4_cache_check(cipso_ptr, cipso_ptr[1], secattr) == 0) if (cipso_v4_cache_check(cipso_ptr, cipso_ptr[1], secattr) == 0)
return 0; return 0;
doi = ntohl(*(__be32 *)&cipso_ptr[2]); doi = ntohl(get_unaligned((__be32 *)&cipso_ptr[2]));
rcu_read_lock(); rcu_read_lock();
doi_def = cipso_v4_doi_search(doi); doi_def = cipso_v4_doi_search(doi);
if (doi_def == NULL) if (doi_def == NULL)

View file

@ -327,12 +327,8 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
} }
} }
if (destroy) { if (destroy)
inet_free_ifa(ifa1); inet_free_ifa(ifa1);
if (!in_dev->ifa_list)
inetdev_destroy(in_dev);
}
} }
static void inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, static void inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,

View file

@ -246,19 +246,18 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
/** /**
* netlbl_socket_setattr - Label a socket using the correct protocol * netlbl_socket_setattr - Label a socket using the correct protocol
* @sock: the socket to label * @sk: the socket to label
* @secattr: the security attributes * @secattr: the security attributes
* *
* Description: * Description:
* Attach the correct label to the given socket using the security attributes * Attach the correct label to the given socket using the security attributes
* specified in @secattr. This function requires exclusive access to * specified in @secattr. This function requires exclusive access to @sk,
* @sock->sk, which means it either needs to be in the process of being * which means it either needs to be in the process of being created or locked.
* created or locked via lock_sock(sock->sk). Returns zero on success, * Returns zero on success, negative values on failure.
* negative values on failure.
* *
*/ */
int netlbl_socket_setattr(const struct socket *sock, int netlbl_sock_setattr(struct sock *sk,
const struct netlbl_lsm_secattr *secattr) const struct netlbl_lsm_secattr *secattr)
{ {
int ret_val = -ENOENT; int ret_val = -ENOENT;
struct netlbl_dom_map *dom_entry; struct netlbl_dom_map *dom_entry;
@ -269,9 +268,9 @@ int netlbl_socket_setattr(const struct socket *sock,
goto socket_setattr_return; goto socket_setattr_return;
switch (dom_entry->type) { switch (dom_entry->type) {
case NETLBL_NLTYPE_CIPSOV4: case NETLBL_NLTYPE_CIPSOV4:
ret_val = cipso_v4_socket_setattr(sock, ret_val = cipso_v4_sock_setattr(sk,
dom_entry->type_def.cipsov4, dom_entry->type_def.cipsov4,
secattr); secattr);
break; break;
case NETLBL_NLTYPE_UNLABELED: case NETLBL_NLTYPE_UNLABELED:
ret_val = 0; ret_val = 0;
@ -308,30 +307,6 @@ int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
return netlbl_unlabel_getattr(secattr); return netlbl_unlabel_getattr(secattr);
} }
/**
* netlbl_socket_getattr - Determine the security attributes of a socket
* @sock: the socket
* @secattr: the security attributes
*
* Description:
* Examines the given socket to see any NetLabel style labeling has been
* applied to the socket, if so it parses the socket label and returns the
* security attributes in @secattr. Returns zero on success, negative values
* on failure.
*
*/
int netlbl_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
{
int ret_val;
ret_val = cipso_v4_socket_getattr(sock, secattr);
if (ret_val == 0)
return 0;
return netlbl_unlabel_getattr(secattr);
}
/** /**
* netlbl_skbuff_getattr - Determine the security attributes of a packet * netlbl_skbuff_getattr - Determine the security attributes of a packet
* @skb: the packet * @skb: the packet

View file

@ -36,8 +36,8 @@
#include "security.h" #include "security.h"
/** /**
* selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
* @sock: the socket to label * @sk: the socket to label
* @sid: the SID to use * @sid: the SID to use
* *
* Description: * Description:
@ -47,17 +47,17 @@
* this function and rcu_read_unlock() after this function returns. * this function and rcu_read_unlock() after this function returns.
* *
*/ */
static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid)
{ {
int rc; int rc;
struct sk_security_struct *sksec = sock->sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr secattr; struct netlbl_lsm_secattr secattr;
rc = security_netlbl_sid_to_secattr(sid, &secattr); rc = security_netlbl_sid_to_secattr(sid, &secattr);
if (rc != 0) if (rc != 0)
return rc; return rc;
rc = netlbl_socket_setattr(sock, &secattr); rc = netlbl_sock_setattr(sk, &secattr);
if (rc == 0) { if (rc == 0) {
spin_lock_bh(&sksec->nlbl_lock); spin_lock_bh(&sksec->nlbl_lock);
sksec->nlbl_state = NLBL_LABELED; sksec->nlbl_state = NLBL_LABELED;
@ -206,7 +206,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
/* Try to set the NetLabel on the socket to save time later, if we fail /* Try to set the NetLabel on the socket to save time later, if we fail
* here we will pick up the pieces in later calls to * here we will pick up the pieces in later calls to
* selinux_netlbl_inode_permission(). */ * selinux_netlbl_inode_permission(). */
selinux_netlbl_socket_setsid(sock, sksec->sid); selinux_netlbl_sock_setsid(sk, sksec->sid);
rcu_read_unlock(); rcu_read_unlock();
} }
@ -223,14 +223,15 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
int selinux_netlbl_socket_post_create(struct socket *sock) int selinux_netlbl_socket_post_create(struct socket *sock)
{ {
int rc = 0; int rc = 0;
struct sock *sk = sock->sk;
struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
struct sk_security_struct *sksec = sock->sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
sksec->sclass = isec->sclass; sksec->sclass = isec->sclass;
rcu_read_lock(); rcu_read_lock();
if (sksec->nlbl_state == NLBL_REQUIRE) if (sksec->nlbl_state == NLBL_REQUIRE)
rc = selinux_netlbl_socket_setsid(sock, sksec->sid); rc = selinux_netlbl_sock_setsid(sk, sksec->sid);
rcu_read_unlock(); rcu_read_unlock();
return rc; return rc;
@ -251,14 +252,16 @@ int selinux_netlbl_socket_post_create(struct socket *sock)
int selinux_netlbl_inode_permission(struct inode *inode, int mask) int selinux_netlbl_inode_permission(struct inode *inode, int mask)
{ {
int rc; int rc;
struct sk_security_struct *sksec; struct sock *sk;
struct socket *sock; struct socket *sock;
struct sk_security_struct *sksec;
if (!S_ISSOCK(inode->i_mode) || if (!S_ISSOCK(inode->i_mode) ||
((mask & (MAY_WRITE | MAY_APPEND)) == 0)) ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
return 0; return 0;
sock = SOCKET_I(inode); sock = SOCKET_I(inode);
sksec = sock->sk->sk_security; sk = sock->sk;
sksec = sk->sk_security;
rcu_read_lock(); rcu_read_lock();
if (sksec->nlbl_state != NLBL_REQUIRE) { if (sksec->nlbl_state != NLBL_REQUIRE) {
@ -266,9 +269,9 @@ int selinux_netlbl_inode_permission(struct inode *inode, int mask)
return 0; return 0;
} }
local_bh_disable(); local_bh_disable();
bh_lock_sock_nested(sock->sk); bh_lock_sock_nested(sk);
rc = selinux_netlbl_socket_setsid(sock, sksec->sid); rc = selinux_netlbl_sock_setsid(sk, sksec->sid);
bh_unlock_sock(sock->sk); bh_unlock_sock(sk);
local_bh_enable(); local_bh_enable();
rcu_read_unlock(); rcu_read_unlock();
@ -345,14 +348,17 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
int optname) int optname)
{ {
int rc = 0; int rc = 0;
struct sk_security_struct *sksec = sock->sk->sk_security; struct sock *sk = sock->sk;
struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr secattr; struct netlbl_lsm_secattr secattr;
rcu_read_lock(); rcu_read_lock();
if (level == IPPROTO_IP && optname == IP_OPTIONS && if (level == IPPROTO_IP && optname == IP_OPTIONS &&
sksec->nlbl_state == NLBL_LABELED) { sksec->nlbl_state == NLBL_LABELED) {
netlbl_secattr_init(&secattr); netlbl_secattr_init(&secattr);
rc = netlbl_socket_getattr(sock, &secattr); lock_sock(sk);
rc = netlbl_sock_getattr(sk, &secattr);
release_sock(sk);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
rc = -EACCES; rc = -EACCES;
netlbl_secattr_destroy(&secattr); netlbl_secattr_destroy(&secattr);