Smack: Consolidate uses of secmark into a function

Add a function smack_from_skb() that returns the Smack label
identified by a network secmark. Replace the explicit uses of
the secmark with this function.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Casey Schaufler 2020-08-11 17:39:41 -07:00 committed by Casey Schaufler
parent d012a7190f
commit 36be81293d
1 changed files with 33 additions and 28 deletions


@ -3810,6 +3810,20 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
} }
#endif /* CONFIG_IPV6 */ #endif /* CONFIG_IPV6 */
/**
* smack_from_skb - Smack data from the secmark in an skb
* @skb: packet
*
* Returns smack_known of the secmark or NULL if that won't work.
*/
static struct smack_known *smack_from_skb(struct sk_buff *skb)
{
if (skb == NULL || skb->secmark == 0)
return NULL;
return smack_from_secid(skb->secmark);
}
/** /**
* smack_socket_sock_rcv_skb - Smack packet delivery access check * smack_socket_sock_rcv_skb - Smack packet delivery access check
* @sk: socket * @sk: socket
@ -3838,17 +3852,14 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
switch (family) { switch (family) {
case PF_INET: case PF_INET:
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
/* /*
* If there is a secmark use it rather than the CIPSO label. * If there is a secmark use it rather than the CIPSO label.
* If there is no secmark fall back to CIPSO. * If there is no secmark fall back to CIPSO.
* The secmark is assumed to reflect policy better. * The secmark is assumed to reflect policy better.
*/ */
if (skb && skb->secmark != 0) { skp = smack_from_skb(skb);
skp = smack_from_secid(skb->secmark); if (skp)
goto access_check; goto access_check;
}
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
/* /*
* Translate what netlabel gave us. * Translate what netlabel gave us.
*/ */
@ -3862,9 +3873,8 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
netlbl_secattr_destroy(&secattr); netlbl_secattr_destroy(&secattr);
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
access_check: access_check:
#endif
#ifdef CONFIG_AUDIT #ifdef CONFIG_AUDIT
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
ad.a.u.net->family = family; ad.a.u.net->family = family;
@ -3890,16 +3900,14 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
proto != IPPROTO_TCP && proto != IPPROTO_DCCP) proto != IPPROTO_TCP && proto != IPPROTO_DCCP)
break; break;
#ifdef SMACK_IPV6_SECMARK_LABELING #ifdef SMACK_IPV6_SECMARK_LABELING
if (skb && skb->secmark != 0) skp = smack_from_skb(skb);
skp = smack_from_secid(skb->secmark); if (skp == NULL) {
else if (smk_ipv6_localhost(&sadd)) if (smk_ipv6_localhost(&sadd))
break; break;
else
skp = smack_ipv6host_label(&sadd); skp = smack_ipv6host_label(&sadd);
if (skp == NULL) if (skp == NULL)
skp = smack_net_ambient; skp = smack_net_ambient;
if (skb == NULL) }
break;
#ifdef CONFIG_AUDIT #ifdef CONFIG_AUDIT
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
ad.a.u.net->family = family; ad.a.u.net->family = family;
@ -3995,11 +4003,11 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
s = ssp->smk_out->smk_secid; s = ssp->smk_out->smk_secid;
break; break;
case PF_INET: case PF_INET:
#ifdef CONFIG_SECURITY_SMACK_NETFILTER skp = smack_from_skb(skb);
s = skb->secmark; if (skp) {
if (s != 0) s = skp->smk_secid;
break; break;
#endif }
/* /*
* Translate what netlabel gave us. * Translate what netlabel gave us.
*/ */
@ -4015,7 +4023,9 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
break; break;
case PF_INET6: case PF_INET6:
#ifdef SMACK_IPV6_SECMARK_LABELING #ifdef SMACK_IPV6_SECMARK_LABELING
s = skb->secmark; skp = smack_from_skb(skb);
if (skp)
s = skp->smk_secid;
#endif #endif
break; break;
} }
@ -4087,17 +4097,14 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
} }
#endif /* CONFIG_IPV6 */ #endif /* CONFIG_IPV6 */
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
/* /*
* If there is a secmark use it rather than the CIPSO label. * If there is a secmark use it rather than the CIPSO label.
* If there is no secmark fall back to CIPSO. * If there is no secmark fall back to CIPSO.
* The secmark is assumed to reflect policy better. * The secmark is assumed to reflect policy better.
*/ */
if (skb && skb->secmark != 0) { skp = smack_from_skb(skb);
skp = smack_from_secid(skb->secmark); if (skp)
goto access_check; goto access_check;
}
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
netlbl_secattr_init(&secattr); netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr); rc = netlbl_skbuff_getattr(skb, family, &secattr);
@ -4107,9 +4114,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
skp = &smack_known_huh; skp = &smack_known_huh;
netlbl_secattr_destroy(&secattr); netlbl_secattr_destroy(&secattr);
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
access_check: access_check:
#endif
#ifdef CONFIG_AUDIT #ifdef CONFIG_AUDIT
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);