linux-hardened/security
Eric Dumazet ca10b9e9a8 selinux: add a skb_owned_by() hook
Commit 90ba9b1986 (tcp: tcp_make_synack() can use alloc_skb())
broke certain SELinux/NetLabel configurations by no longer correctly
assigning the sock to the outgoing SYNACK packet.

Cost of atomic operations on the LISTEN socket is quite big,
and we would like it to happen only if really needed.

This patch introduces a new security_ops->skb_owned_by() method,
that is a void operation unless selinux is active.

Reported-by: Miroslav Vadkerti <mvadkert@redhat.com>
Diagnosed-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-security-module@vger.kernel.org
Acked-by: James Morris <james.l.morris@oracle.com>
Tested-by: Paul Moore <pmoore@redhat.com>
Acked-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-09 13:23:11 -04:00
..
apparmor new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
integrity hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
keys Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys 2013-03-12 11:05:45 -07:00
selinux selinux: add a skb_owned_by() hook 2013-04-09 13:23:11 -04:00
smack new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
tomoyo new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
yama yama: Better permission check for ptraceme 2013-03-26 13:17:58 -07:00
capability.c selinux: add a skb_owned_by() hook 2013-04-09 13:23:11 -04:00
commoncap.c kill f_vfsmnt 2013-02-26 02:46:10 -05:00
device_cgroup.c device_cgroup: don't grab mutex in rcu callback 2013-02-21 17:22:15 -08:00
inode.c securityfs: fix object creation races 2012-01-10 10:20:35 -05:00
Kconfig KEYS: Move the key config into security/keys/Kconfig 2012-05-11 10:56:56 +01:00
lsm_audit.c LSM: BUILD_BUG_ON if the common_audit_data union ever grows 2012-04-09 12:23:03 -04:00
Makefile security: Yama LSM 2012-02-10 09:18:52 +11:00
min_addr.c mmap_min_addr check CAP_SYS_RAWIO only for write 2010-04-23 08:56:31 +10:00
security.c selinux: add a skb_owned_by() hook 2013-04-09 13:23:11 -04:00