From: Paul Moore <paul@paul-moore.com> | |
ipv6: add support for SOL_IPV6/IPV6_PASSSEC | |
XXX - needs commit description | |
XXX - https://github.com/SELinuxProject/selinux-kernel/issues/24 | |
Signed-off-by: XXX | |
--- | |
include/linux/ipv6.h | 4 ++-- | |
include/uapi/linux/in6.h | 1 + | |
net/ipv6/datagram.c | 10 ++++++++++ | |
net/ipv6/ipv6_sockglue.c | 8 ++++++++ | |
4 files changed, 21 insertions(+), 2 deletions(-) | |
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h | |
index 671d014..fc351e7 100644 | |
--- a/include/linux/ipv6.h | |
+++ b/include/linux/ipv6.h | |
@@ -235,8 +235,8 @@ struct ipv6_pinfo { | |
rxtclass:1, | |
rxpmtu:1, | |
rxorigdstaddr:1, | |
- recvfragsize:1; | |
- /* 1 bits hole */ | |
+ recvfragsize:1, | |
+ rxsecurity:1; | |
} bits; | |
__u16 all; | |
} rxopt; | |
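Review bot: `rxsecurity` consumes the last free bit of `rxopt` (the removed comment recorded a one-bit hole, and `all` is a `__u16`), so a further flag added later would land outside `all`. Any code that tests `rxopt.all` to decide whether ancillary data is wanted would presumably then miss that flag. Since the hole comment is dropped, I would replace it with a warning such as `/* no free bits left: widen 'all' before adding another flag */`. The struct begins and ends outside the hunk.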
diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h | |
index 46444f8..34c1334 100644 | |
--- a/include/uapi/linux/in6.h | |
+++ b/include/uapi/linux/in6.h | |
@@ -284,6 +284,7 @@ struct in6_flowlabel_req { | |
#define IPV6_TRANSPARENT 75 | |
#define IPV6_UNICAST_IF 76 | |
#define IPV6_RECVFRAGSIZE 77 | |
+#define IPV6_PASSSEC 78 | |
/* | |
* Multicast Routing: | |
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c | |
index 0489e19..3256516 100644 | |
--- a/net/ipv6/datagram.c | |
+++ b/net/ipv6/datagram.c | |
@@ -723,6 +723,16 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg, | |
put_cmsg(msg, SOL_IPV6, IPV6_RECVFRAGSIZE, sizeof(val), &val); | |
} | |
+ if (np->rxopt.bits.rxsecurity) { | |
+ char *secctx; | |
+ u32 ctxlen, secid; | |
+ | |
+ if (!security_socket_getpeersec_dgram(NULL, skb, &secid) && | |
+ !security_secid_to_secctx(secid, &secctx, &ctxlen)) { | |
+ put_cmsg(msg, SOL_IPV6, IPV6_PASSSEC, ctxlen, secctx); | |
+ security_release_secctx(secctx, ctxlen); | |
+ } | |
+ } | |
} | |
void ip6_datagram_recv_ctl(struct sock *sk, struct msghdr *msg, | |
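Review bot: Both LSM calls in the added `rxsecurity` block discard their error codes, so a receiver that enabled the option sees no cmsg both when the datagram is unlabeled and when the secid-to-context conversion fails. Because receivers may base access decisions on this label, that contract should be stated at the block, e.g. `/* no cmsg is emitted if the LSM cannot supply a context; receivers must treat a missing label as unknown, never as trusted */`. The cmsg type here is the option name `IPV6_PASSSEC`, whereas the IPv4 path, as far as I recall, delivers the context as `SCM_SECURITY`; which type receivers should match belongs in the still-missing commit description. A context larger than the caller's control buffer is truncated by `put_cmsg()`, so consumers also need to check `MSG_CTRUNC`. The function's opening and the declaration of `skb` are outside the hunk.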
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c | |
index 3ba5303..7d4e2e8 100644 | |
--- a/net/ipv6/ipv6_sockglue.c | |
+++ b/net/ipv6/ipv6_sockglue.c | |
@@ -882,6 +882,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, | |
np->rxopt.bits.recvfragsize = valbool; | |
retv = 0; | |
break; | |
+ case IPV6_PASSSEC: | |
+ np->rxopt.bits.rxsecurity = valbool; | |
+ retv = 0; | |
+ break; | |
} | |
release_sock(sk); | |
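Review bot: The new `IPV6_PASSSEC` case assigns `valbool` without checking `optlen`, and nothing in the visible lines rejects a short option buffer. If, as I recall for this function, `val` falls back to 0 when `optlen` is smaller than an int, a truncated setsockopt() would silently turn label delivery off instead of failing. Adding `if (optlen < sizeof(int)) goto e_inval;` before the assignment, the pattern I believe the older boolean receive options here follow, turns that into an error. The switch and the function prologue are outside the hunk, so this should be confirmed against the full file.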
@@ -1328,6 +1332,10 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, | |
val = np->rxopt.bits.recvfragsize; | |
break; | |
+ case IPV6_PASSSEC: | |
+ val = np->rxopt.bits.rxsecurity; | |
+ break; | |
+ | |
default: | |
return -ENOPROTOOPT; | |
} |