unsigned short int orig_port = 0;
if(*csocket == NULL) {
- rc = sock_create(PF_INET, SOCK_STREAM, IPPROTO_TCP, csocket);
+ rc = sock_create_kern(PF_INET, SOCK_STREAM, IPPROTO_TCP, csocket);
if (rc < 0) {
cERROR(1, ("Error %d creating socket",rc));
*csocket = NULL;
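Review bot: The CIFS transport socket is now created with kern=1, which, per the SELinux hunks later in this patch, labels it SECINITSID_KERNEL and exempts it from the socket policy of the task that triggered the connect; since this path appears to run on behalf of a user-space mount request, that exemption deserves to be stated at the call site. Suggest a comment above the call: `/* kernel-owned transport socket: not subject to the mounting task's LSM socket policy */`. The same applies to the IPv6 variant in the next hunk. The enclosing function starts and ends outside the hunk.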
int connected = 0;
if(*csocket == NULL) {
- rc = sock_create(PF_INET6, SOCK_STREAM, IPPROTO_TCP, csocket);
+ rc = sock_create_kern(PF_INET6, SOCK_STREAM, IPPROTO_TCP, csocket);
if (rc < 0) {
cERROR(1, ("Error %d creating ipv6 socket",rc));
*csocket = NULL;
extern struct socket *sock_alloc(void);
extern int sock_create(int family, int type, int proto,
struct socket **res);
+extern int sock_create_kern(int family, int type, int proto,
+ struct socket **res);
extern void sock_release(struct socket *sock);
extern int sock_sendmsg(struct socket *sock, struct msghdr *msg,
size_t len);
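Review bot: The new sock_create_kern() prototype carries no comment distinguishing it from sock_create() declared directly above, although the two differ only in the kern flag handed to the LSM hooks and that difference is security-relevant. Suggest a comment before the prototype: `/* As sock_create(), but the LSM hooks see kern=1: for sockets the kernel itself owns, never for one created on behalf of a user-space request. */`.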
* @family contains the requested protocol family.
* @type contains the requested communications type.
* @protocol contains the requested protocol.
+ * @kern set to 1 if a kernel socket.
* Return 0 if permission is granted.
* @socket_post_create:
* This hook allows a module to update or allocate a per-socket security
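Review bot: The added `@kern set to 1 if a kernel socket.` leaves "kernel socket" undefined, and that definition is exactly what an LSM author must get right before exempting anything. Suggest `@kern set to 1 if the socket is being created by the kernel itself (via sock_create_kern) rather than on behalf of the current task.`, with the same wording for the @socket_post_create entry in the following hunk.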
* @family contains the requested protocol family.
* @type contains the requested communications type.
* @protocol contains the requested protocol.
+ * @kern set to 1 if a kernel socket.
* @socket_bind:
* Check permission before socket protocol layer bind operation is
* performed and the socket @sock is bound to the address specified in the
struct socket * other, struct sock * newsk);
int (*unix_may_send) (struct socket * sock, struct socket * other);
- int (*socket_create) (int family, int type, int protocol);
+ int (*socket_create) (int family, int type, int protocol, int kern);
void (*socket_post_create) (struct socket * sock, int family,
- int type, int protocol);
+ int type, int protocol, int kern);
int (*socket_bind) (struct socket * sock,
struct sockaddr * address, int addrlen);
int (*socket_connect) (struct socket * sock,
return security_ops->unix_may_send(sock, other);
}
-static inline int security_socket_create (int family, int type, int protocol)
+static inline int security_socket_create (int family, int type,
+ int protocol, int kern)
{
- return security_ops->socket_create(family, type, protocol);
+ return security_ops->socket_create(family, type, protocol, kern);
}
static inline void security_socket_post_create(struct socket * sock,
int family,
int type,
- int protocol)
+ int protocol, int kern)
{
- security_ops->socket_post_create(sock, family, type, protocol);
+ security_ops->socket_post_create(sock, family, type,
+ protocol, kern);
}
static inline int security_socket_bind(struct socket * sock,
return 0;
}
-static inline int security_socket_create (int family, int type, int protocol)
+static inline int security_socket_create (int family, int type,
+ int protocol, int kern)
{
return 0;
}
static inline void security_socket_post_create(struct socket * sock,
int family,
int type,
- int protocol)
+ int protocol, int kern)
{
}
BT_DBG("");
- err = sock_create(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
+ err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET,
+ BTPROTO_L2CAP, sock);
if (!err) {
struct sock *sk = (*sock)->sk;
sk->sk_data_ready = rfcomm_l2data_ready;
/* We can count ourselves lucky Acorn machines are too dim to
speak IPv6. :-) */
- if ((error = sock_create(PF_INET, SOCK_DGRAM, 0, &udpsock)) < 0)
+ if ((error = sock_create_kern(PF_INET, SOCK_DGRAM, 0, &udpsock)) < 0)
{
printk("AUN: socket error %d\n", -error);
return error;
if (!cpu_possible(i))
continue;
- err = sock_create(PF_INET, SOCK_RAW, IPPROTO_ICMP,
- &per_cpu(__icmp_socket, i));
+ err = sock_create_kern(PF_INET, SOCK_RAW, IPPROTO_ICMP,
+ &per_cpu(__icmp_socket, i));
if (err < 0)
panic("Failed to create the ICMP control socket.\n");
struct socket *sock;
/* First create a socket */
- if (sock_create(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock) < 0) {
+ if (sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock) < 0) {
IP_VS_ERR("Error during creation of socket; terminating\n");
return NULL;
}
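Review bot: The return value of sock_create_kern() on the changed line is discarded, so the IP_VS_ERR message cannot say why socket creation failed, and the sync daemon just terminates. Capture it: `int err = sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock);` then `if (err < 0) { IP_VS_ERR("Error %d during creation of socket; terminating\n", err); return NULL; }`. The second ip_vs_sync hunk below has the identical pattern. The enclosing function starts and ends outside the hunk.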
struct socket *sock;
/* First create a socket */
- if (sock_create(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock) < 0) {
+ if (sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock) < 0) {
IP_VS_ERR("Error during creation of socket; terminating\n");
return NULL;
}
void __init tcp_v4_init(struct net_proto_family *ops)
{
- int err = sock_create(PF_INET, SOCK_RAW, IPPROTO_TCP, &tcp_socket);
+ int err = sock_create_kern(PF_INET, SOCK_RAW, IPPROTO_TCP, &tcp_socket);
if (err < 0)
panic("Failed to create the TCP control socket.\n");
tcp_socket->sk->sk_allocation = GFP_ATOMIC;
if (!cpu_possible(i))
continue;
- err = sock_create(PF_INET6, SOCK_RAW, IPPROTO_ICMPV6,
- &per_cpu(__icmpv6_socket, i));
+ err = sock_create_kern(PF_INET6, SOCK_RAW, IPPROTO_ICMPV6,
+ &per_cpu(__icmpv6_socket, i));
if (err < 0) {
printk(KERN_ERR
"Failed to initialize the ICMP6 control socket "
struct sock *sk;
int err;
- err = sock_create(PF_INET6, SOCK_RAW, IPPROTO_ICMPV6, &igmp6_socket);
+ err = sock_create_kern(PF_INET6, SOCK_RAW, IPPROTO_ICMPV6, &igmp6_socket);
if (err < 0) {
printk(KERN_ERR
"Failed to initialize the IGMP6 control socket (err %d).\n",
struct sock *sk;
int err;
- err = sock_create(PF_INET6, SOCK_RAW, IPPROTO_ICMPV6, &ndisc_socket);
+ err = sock_create_kern(PF_INET6, SOCK_RAW, IPPROTO_ICMPV6, &ndisc_socket);
if (err < 0) {
ND_PRINTK0(KERN_ERR
"ICMPv6 NDISC: Failed to initialize the control socket (err %d).\n",
if (test_and_set_bit(minor, &open_map))
return -EBUSY;
- err = sock_create(PF_NETLINK, SOCK_RAW, minor, &sock);
+ err = sock_create_kern(PF_NETLINK, SOCK_RAW, minor, &sock);
if (err < 0)
goto out;
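Review bot: Switching this call to sock_create_kern() looks wrong if, as the `open_map`/`minor` bookkeeping suggests, this is the open() path of the netlink character device: the socket is created on behalf of the opening user process and then driven by its reads and writes, yet with kern=1 the LSM socket_create check is skipped and SELinux labels it SECINITSID_KERNEL, so every later socket_has_perm() check on it is bypassed. A process with access to the device node could then use netlink protocol `minor` free of the policy a plain socket(PF_NETLINK, SOCK_RAW, minor) would face. Unless the intent really is to exempt this device from policy, keep `err = sock_create(PF_NETLINK, SOCK_RAW, minor, &sock);` here, or at least document the exemption at the call. The enclosing function starts and ends outside the hunk.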
trans->port = port;
/* create a UDP socket to be my actual transport endpoint */
- ret = sock_create(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &trans->socket);
+ ret = sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &trans->socket);
if (ret < 0)
goto error;
else
family = PF_INET;
- err = sock_create(family, SOCK_SEQPACKET, IPPROTO_SCTP,
- &sctp_ctl_socket);
+ err = sock_create_kern(family, SOCK_SEQPACKET, IPPROTO_SCTP,
+ &sctp_ctl_socket);
if (err < 0) {
printk(KERN_ERR
"SCTP: Failed to create the SCTP control socket.\n");
return 0;
}
-
-int sock_create(int family, int type, int protocol, struct socket **res)
+static int __sock_create(int family, int type, int protocol, struct socket **res, int kern)
{
int i;
int err;
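Review bot: The new `__sock_create` signature line runs well past 80 columns, against the kernel style the rest of this patch follows (compare the wrapped sock_create_kern calls in the icmp and sctp hunks). Wrap it as `static int __sock_create(int family, int type, int protocol,` / `			 struct socket **res, int kern)`. A one-line comment that `kern` is only passed through to the LSM socket_create/post_create hooks would also help the next reader. The function body continues outside the hunk.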
family = PF_PACKET;
}
- err = security_socket_create(family, type, protocol);
+ err = security_socket_create(family, type, protocol, kern);
if (err)
return err;
*/
module_put(net_families[family]->owner);
*res = sock;
- security_socket_post_create(sock, family, type, protocol);
+ security_socket_post_create(sock, family, type, protocol, kern);
out:
net_family_read_unlock();
goto out;
}
+int sock_create(int family, int type, int protocol, struct socket **res)
+{
+ return __sock_create(family, type, protocol, res, 0);
+}
+
+int sock_create_kern(int family, int type, int protocol, struct socket **res)
+{
+ return __sock_create(family, type, protocol, res, 1);
+}
+
asmlinkage long sys_socket(int family, int type, int protocol)
{
int retval;
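Review bot: sock_create_kern() is added, and exported, without any comment on what kern=1 means, although its only effect is what the LSM hooks see (the kern argument to security_socket_create/post_create), which in SELinux removes the socket from policy entirely. Any caller that reaches it from an ioctl, open or similar user-triggered handler would hand user space an unpoliced socket. Suggest a block comment above `int sock_create_kern(...)` stating that it is for sockets the kernel itself owns, that LSM hooks receive kern=1 and may exempt the socket from the current task's policy, and that it must not be used for a socket a user process will drive; sys_socket correctly stays on the kern=0 wrapper.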
EXPORT_SYMBOL(sock_alloc);
EXPORT_SYMBOL(sock_alloc_inode);
EXPORT_SYMBOL(sock_create);
+EXPORT_SYMBOL(sock_create_kern);
EXPORT_SYMBOL(sock_map_fd);
EXPORT_SYMBOL(sock_recvmsg);
EXPORT_SYMBOL(sock_register);
}
type = (protocol == IPPROTO_UDP)? SOCK_DGRAM : SOCK_STREAM;
- if ((error = sock_create(PF_INET, type, protocol, &sock)) < 0)
+ if ((error = sock_create_kern(PF_INET, type, protocol, &sock)) < 0)
return error;
if (sin != NULL) {
type = (proto == IPPROTO_UDP)? SOCK_DGRAM : SOCK_STREAM;
- if ((err = sock_create(PF_INET, type, proto, &sock)) < 0) {
+ if ((err = sock_create_kern(PF_INET, type, proto, &sock)) < 0) {
printk("RPC: can't create socket (%d).\n", -err);
return NULL;
}
return 0;
}
-static int dummy_socket_create (int family, int type, int protocol)
+static int dummy_socket_create (int family, int type,
+ int protocol, int kern)
{
return 0;
}
static void dummy_socket_post_create (struct socket *sock, int family, int type,
- int protocol)
+ int protocol, int kern)
{
return;
}
struct inode_security_struct *isec;
struct task_security_struct *tsec;
struct avc_audit_data ad;
- int err;
+ int err = 0;
tsec = task->security;
isec = SOCK_INODE(sock)->i_security;
+ if (isec->sid == SECINITSID_KERNEL)
+ goto out;
+
AVC_AUDIT_DATA_INIT(&ad,NET);
ad.u.net.sk = sock->sk;
err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
perms, &isec->avcr, &ad);
+out:
return err;
}
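Review bot: The new early exit silently skips every AVC check for any socket whose inode carries SECINITSID_KERNEL, and nothing at the site explains why, so a reader will read it as a bug. Add before the test: `/* Sockets created by the kernel itself (sock_create_kern) carry SECINITSID_KERNEL and are not subject to policy. */`. Because the exemption is keyed on the inode label rather than on the caller, it follows the socket wherever it goes; that is only safe if no path maps a kernel-created socket to a user fd, which this hunk cannot show and should be confirmed. The enclosing function starts outside the hunk.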
-static int selinux_socket_create(int family, int type, int protocol)
+static int selinux_socket_create(int family, int type,
+ int protocol, int kern)
{
- int err;
+ int err = 0;
struct task_security_struct *tsec;
- tsec = current->security;
+ if (kern)
+ goto out;
+ tsec = current->security;
err = avc_has_perm(tsec->sid, tsec->sid,
socket_type_to_security_class(family, type),
SOCKET__CREATE, NULL, NULL);
+out:
return err;
}
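Review bot: The kern short-circuit is written as `goto out` to a label whose only statement is `return err;`, with `err` pre-initialised to 0 solely to make that work; an early return reads more directly. Replace the `int err = 0;` / `if (kern) goto out;` / `out:` arrangement with `int err;` and `if (kern) return 0;` before `tsec = current->security;`. A one-line comment on the early return, `/* kernel-created sockets are not subject to policy */`, would make the unconditional grant explicit.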
-static void selinux_socket_post_create(struct socket *sock, int family, int type, int protocol)
+static void selinux_socket_post_create(struct socket *sock, int family,
+ int type, int protocol, int kern)
{
int err;
struct inode_security_struct *isec;
tsec = current->security;
isec->sclass = socket_type_to_security_class(family, type);
- isec->sid = tsec->sid;
+ isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
return;
}
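Review bot: `isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;` is the line that makes a socket exempt from policy in socket_has_perm(), but nothing at the site records that coupling. Add above it: `/* kernel-created sockets get the kernel SID, which socket_has_perm() treats as "not subject to policy" */`. Note also that `tsec = current->security;` is still read when kern is set even though tsec is then unused; harmless, but it could move under the non-kern case. The enclosing function starts outside the hunk.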