Merge commit 'v3.17' into next

[firefly-linux-kernel-4.4.55.git] / security / selinux / hooks.c

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 50978d3183ea06b19ded47b199faf0d7ae7abe4f..29e64d4ca099511520b8e5b8cf0af83255c52473 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4307,15 +4307,15 @@ static int selinux_socket_unix_may_send(struct socket *sock,
                            &ad);
 }
 
-static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
-                                   u32 peer_sid,
+static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
+                                   char *addrp, u16 family, u32 peer_sid,
                                    struct common_audit_data *ad)
 {
        int err;
        u32 if_sid;
        u32 node_sid;
 
-       err = sel_netif_sid(ifindex, &if_sid);
+       err = sel_netif_sid(ns, ifindex, &if_sid);
        if (err)
                return err;
        err = avc_has_perm(peer_sid, if_sid,
@@ -4408,8 +4408,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
                if (err)
                        return err;
-               err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
-                                              peer_sid, &ad);
+               err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
+                                              addrp, family, peer_sid, &ad);
                if (err) {
                        selinux_netlbl_err(skb, err, 0);
                        return err;
@@ -4727,10 +4727,9 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
        err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
        if (err) {
                if (err == -EINVAL) {
-                       audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
-                                 "SELinux:  unrecognized netlink message"
-                                 " type=%hu for sclass=%hu\n",
-                                 nlh->nlmsg_type, sksec->sclass);
+                       WARN_ONCE(1, "selinux_nlmsg_perm: unrecognized netlink message:"
+                                 " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
+                                 sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
                        if (!selinux_enforcing || security_get_allow_unknown())
                                err = 0;
                }
@@ -4748,7 +4747,8 @@ out:
 
 #ifdef CONFIG_NETFILTER
 
-static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
+static unsigned int selinux_ip_forward(struct sk_buff *skb,
+                                      const struct net_device *indev,
                                       u16 family)
 {
        int err;
@@ -4774,14 +4774,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
 
        ad.type = LSM_AUDIT_DATA_NET;
        ad.u.net = &net;
-       ad.u.net->netif = ifindex;
+       ad.u.net->netif = indev->ifindex;
        ad.u.net->family = family;
        if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
                return NF_DROP;
 
        if (peerlbl_active) {
-               err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
-                                              peer_sid, &ad);
+               err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
+                                              addrp, family, peer_sid, &ad);
                if (err) {
                        selinux_netlbl_err(skb, err, 1);
                        return NF_DROP;
@@ -4810,7 +4810,7 @@ static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
                                         const struct net_device *out,
                                         int (*okfn)(struct sk_buff *))
 {
-       return selinux_ip_forward(skb, in->ifindex, PF_INET);
+       return selinux_ip_forward(skb, in, PF_INET);
 }
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
@@ -4820,7 +4820,7 @@ static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
                                         const struct net_device *out,
                                         int (*okfn)(struct sk_buff *))
 {
-       return selinux_ip_forward(skb, in->ifindex, PF_INET6);
+       return selinux_ip_forward(skb, in, PF_INET6);
 }
 #endif /* IPV6 */
 
@@ -4908,11 +4908,13 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
        return NF_ACCEPT;
 }
 
-static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
+static unsigned int selinux_ip_postroute(struct sk_buff *skb,
+                                        const struct net_device *outdev,
                                         u16 family)
 {
        u32 secmark_perm;
        u32 peer_sid;
+       int ifindex = outdev->ifindex;
        struct sock *sk;
        struct common_audit_data ad;
        struct lsm_network_audit net = {0,};
@@ -5025,7 +5027,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
                u32 if_sid;
                u32 node_sid;
 
-               if (sel_netif_sid(ifindex, &if_sid))
+               if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
                        return NF_DROP;
                if (avc_has_perm(peer_sid, if_sid,
                                 SECCLASS_NETIF, NETIF__EGRESS, &ad))
@@ -5047,7 +5049,7 @@ static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
                                           const struct net_device *out,
                                           int (*okfn)(struct sk_buff *))
 {
-       return selinux_ip_postroute(skb, out->ifindex, PF_INET);
+       return selinux_ip_postroute(skb, out, PF_INET);
 }
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
@@ -5057,7 +5059,7 @@ static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
                                           const struct net_device *out,
                                           int (*okfn)(struct sk_buff *))
 {
-       return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
+       return selinux_ip_postroute(skb, out, PF_INET6);
 }
 #endif /* IPV6 */