summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--include/net/netlabel.h2
-rw-r--r--net/netlabel/netlabel_user.c4
-rw-r--r--net/xfrm/xfrm_policy.c5
-rw-r--r--security/selinux/hooks.c3
-rw-r--r--security/selinux/netlabel.c16
5 files changed, 21 insertions, 9 deletions
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index ffbc7f28335a..2e5b2f6f9fa0 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -132,6 +132,8 @@ struct netlbl_lsm_secattr_catmap {
#define NETLBL_SECATTR_CACHE 0x00000002
#define NETLBL_SECATTR_MLS_LVL 0x00000004
#define NETLBL_SECATTR_MLS_CAT 0x00000008
+#define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL | \
+ NETLBL_SECATTR_MLS_CAT)
struct netlbl_lsm_secattr {
u32 flags;
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 89dcc485653b..85a96a3fddaa 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -113,8 +113,10 @@ struct audit_buffer *netlbl_audit_start_common(int type,
if (audit_info->secid != 0 &&
security_secid_to_secctx(audit_info->secid,
&secctx,
- &secctx_len) == 0)
+ &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
+ security_release_secctx(secctx, secctx_len);
+ }
return audit_buf;
}
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 95a47304336d..e5a3be03aa0d 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2195,9 +2195,10 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
}
if (sid != 0 &&
- security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
+ security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
- else
+ security_release_secctx(secctx, secctx_len);
+ } else
audit_log_task_context(audit_buf);
if (xp) {
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0fac6829c63a..6237933f7d82 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4658,8 +4658,7 @@ static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
static void selinux_release_secctx(char *secdata, u32 seclen)
{
- if (secdata)
- kfree(secdata);
+ kfree(secdata);
}
#ifdef CONFIG_KEYS
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 051b14c88e2d..d243ddc723a5 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -162,9 +162,13 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, &secattr);
- if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+ if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
- else
+ if (rc == 0 &&
+ (secattr.flags & NETLBL_SECATTR_CACHEABLE) &&
+ (secattr.flags & NETLBL_SECATTR_CACHE))
+ netlbl_cache_add(skb, &secattr);
+ } else
*sid = SECSID_NULL;
netlbl_secattr_destroy(&secattr);
@@ -307,11 +311,15 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, &secattr);
- if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+ if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
rc = security_netlbl_secattr_to_sid(&secattr,
SECINITSID_NETMSG,
&nlbl_sid);
- else
+ if (rc == 0 &&
+ (secattr.flags & NETLBL_SECATTR_CACHEABLE) &&
+ (secattr.flags & NETLBL_SECATTR_CACHE))
+ netlbl_cache_add(skb, &secattr);
+ } else
nlbl_sid = SECINITSID_UNLABELED;
netlbl_secattr_destroy(&secattr);
if (rc != 0)