* Retrieve the LSM-specific secid for the sock to enable caching of network
* authorizations.
* @sock_graft:
- * Sets the socket's isec sid to the sock's sid.
+ * This hook is called in response to a newly created sock struct being
+ * grafted onto an existing socket and allows the security module to
+ * perform whatever security attribute management is necessary for both
+ * the sock and socket.
* @inet_conn_request:
* Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
* @inet_csk_clone:
void (*key_free) (struct key *key);
int (*key_permission) (key_ref_t key_ref,
const struct cred *cred,
- key_perm_t perm);
+ unsigned perm);
int (*key_getsecurity)(struct key *key, char **_buffer);
#endif /* CONFIG_KEYS */
int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags);
void security_key_free(struct key *key);
int security_key_permission(key_ref_t key_ref,
- const struct cred *cred, key_perm_t perm);
+ const struct cred *cred, unsigned perm);
int security_key_getsecurity(struct key *key, char **_buffer);
#else
static inline int security_key_permission(key_ref_t key_ref,
const struct cred *cred,
- key_perm_t perm)
+ unsigned perm)
{
return 0;
}
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
struct sk_security_struct *sksec = sk->sk_security;
- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
- sk->sk_family == PF_UNIX)
+ switch (sk->sk_family) {
+ case PF_INET:
+ case PF_INET6:
+ case PF_UNIX:
isec->sid = sksec->sid;
+ break;
+ default:
+ /* by default there is no special labeling mechanism for the
+ * sksec label so inherit the label from the parent socket */
+ BUG_ON(sksec->sid != SECINITSID_UNLABELED);
+ sksec->sid = isec->sid;
+ }
sksec->sclass = isec->sclass;
}
static int selinux_key_permission(key_ref_t key_ref,
const struct cred *cred,
- key_perm_t perm)
+ unsigned perm)
{
struct key *key;
struct key_security_struct *ksec;