summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorJames Morris <james.l.morris@oracle.com>2015-02-16 13:47:53 +1100
committerJames Morris <james.l.morris@oracle.com>2015-02-16 13:47:53 +1100
commit0d309cbddb49d4d948b3e9fe8423e80b3b64486b (patch)
tree80c2de7fa46339120d458e033612a9c71625d856 /security
parentd0709f1e66e8066c4ac6a54620ec116aa41937c0 (diff)
parent7f368ad34f0657f4bc39bf5bad6692b5a81a1194 (diff)
Merge branch 'smack-for-3.20-rebased' of git://git.gitorious.org/smack-next/kernel into for-linus
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack_lsm.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a0ccce4e46f8..ed94f6f836e7 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3818,6 +3818,18 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
}
#endif /* CONFIG_IPV6 */
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+ /*
+ * If there is a secmark use it rather than the CIPSO label.
+ * If there is no secmark fall back to CIPSO.
+ * The secmark is assumed to reflect policy better.
+ */
+ if (skb && skb->secmark != 0) {
+ skp = smack_from_secid(skb->secmark);
+ goto access_check;
+ }
+#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
+
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0)
@@ -3826,6 +3838,10 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
skp = &smack_known_huh;
netlbl_secattr_destroy(&secattr);
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+access_check:
+#endif
+
#ifdef CONFIG_AUDIT
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
ad.a.u.net->family = family;