git.baikalelectronics.ru Git - kernel.git/commit
selinux: add a skb_owned_by() hook
author Eric Dumazet <edumazet@google.com>
Mon, 8 Apr 2013 17:58:11 +0000 (17:58 +0000)
committer David S. Miller <davem@davemloft.net>
Tue, 9 Apr 2013 17:23:11 +0000 (13:23 -0400)
commit 6cd363dfe62fc1917e2bae4e7bdc4dc52efdfe84
tree 33842f41a127f9da904ddd5d61839590e986e420
parent 5a98f9616c695cebc73dab217fa507e4dd77b792
selinux: add a skb_owned_by() hook

Commit d76f06e427e7e8 (tcp: tcp_make_synack() can use alloc_skb())
broke certain SELinux/NetLabel configurations by no longer correctly
assigning the sock to the outgoing SYNACK packet.

Cost of atomic operations on the LISTEN socket is quite big,
and we would like it to happen only if really needed.

This patch introduces a new security_ops->skb_owned_by() method,
that is a void operation unless selinux is active.

Reported-by: Miroslav Vadkerti <mvadkert@redhat.com>
Diagnosed-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-security-module@vger.kernel.org
Acked-by: James Morris <james.l.morris@oracle.com>
Tested-by: Paul Moore <pmoore@redhat.com>
Acked-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/security.h
net/ipv4/tcp_output.c
security/capability.c
security/security.c
security/selinux/hooks.c