From patchwork Mon Jun 15 15:46:56 2015
X-Patchwork-Id: 484381
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: ebiederm@xmission.com, aschultz@warp10.net, kaber@trash.net
Subject: [PATCH RFC 14/15] security: adapt it to pernet hooks
Date: Mon, 15 Jun 2015 17:46:56 +0200
Message-Id: <1434383217-13732-15-git-send-email-pablo@netfilter.org>
In-Reply-To: <1434383217-13732-1-git-send-email-pablo@netfilter.org>
References: <1434383217-13732-1-git-send-email-pablo@netfilter.org>

Since pernet hooks, we need to register the hook for each net namespace.

Signed-off-by: Pablo Neira Ayuso
---
 include/net/netns/netfilter.h |  3 +++
 security/selinux/hooks.c      | 43 +++++++++++++++++++++++++++++++++++------
 2 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
index f2b513d..89925e3 100644
--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -21,5 +21,8 @@ struct netns_nf { #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) struct nf_hook_ops *ipv6_defrag_ops; #endif +#ifdef CONFIG_SECURITY + struct nf_hook_ops *selinux_ops; +#endif }; #endif diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7246654..c10a5b1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6147,6 +6147,40 @@ static struct nf_hook_ops selinux_nf_ops[] = { #endif /* IPV6 */ }; +static int selinux_net_init(struct net *net) +{ + int err; + + net->nf.selinux_ops = + kmemdup(selinux_nf_ops, sizeof(selinux_nf_ops), GFP_KERNEL); + if (net->nf.selinux_ops == NULL) { + err = -ENOMEM; + goto err1; + } + + err = nf_register_hooks(net, net->nf.selinux_ops, + ARRAY_SIZE(selinux_nf_ops)); + if (err < 0) + goto err2; + + return 0; +err2: + kfree(net->nf.selinux_ops); +err1: + return err; +} + +static void selinux_net_exit(struct net *net) +{ + nf_unregister_hooks(net->nf.selinux_ops, ARRAY_SIZE(selinux_nf_ops)); + kfree(net->nf.selinux_ops); +} + +static struct pernet_operations selinux_net_ops = { + .init = selinux_net_init, + .exit = selinux_net_exit, +}; + static int __init selinux_nf_ip_init(void) { int err; @@ -6156,9 +6190,8 @@ static int __init selinux_nf_ip_init(void) printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); - err = nf_register_hooks(&init_net, selinux_nf_ops, - ARRAY_SIZE(selinux_nf_ops)); - if (err) + err = register_pernet_subsys(&selinux_net_ops); + if (err < 0) panic("SELinux: nf_register_hooks: error %d\n", err); return 0; @@ -6170,9 +6203,7 @@ __initcall(selinux_nf_ip_init); static void selinux_nf_ip_exit(void) { printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); - - nf_unregister_hooks(&init_net, selinux_nf_ops, - ARRAY_SIZE(selinux_nf_ops)); + unregister_pernet_subsys(&selinux_net_ops); } #endif
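Review bot: in the include/net/netns/netfilter.h hunk, the new `selinux_ops` pointer in `struct netns_nf` is guarded by `#ifdef CONFIG_SECURITY`, but the only code that allocates and uses it is in security/selinux/hooks.c, which is SELinux-specific; guarding it with `CONFIG_SECURITY_SELINUX` (the same condition under which the user compiles) avoids carrying an unused pointer in every net namespace on kernels built with a different LSM, and a one-line comment that the field is owned by the SELinux hook registration would make it clear why an LSM-specific member sits in the generic netfilter per-net struct.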
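Review bot: in the first security/selinux/hooks.c hunk, `selinux_net_exit` calls `nf_unregister_hooks(net->nf.selinux_ops, ARRAY_SIZE(selinux_nf_ops))` without the namespace argument, while the matching `nf_register_hooks(net, net->nf.selinux_ops, ...)` in `selinux_net_init` and the removed `nf_unregister_hooks(&init_net, selinux_nf_ops, ...)` in `selinux_nf_ip_exit` both pass the `struct net *`; the exit path should pass `net` too so that the unregister matches the pernet signature used everywhere else in this series. Minor: the `err1` label only returns, so `goto err1` can simply be `return -ENOMEM;`, and the `kmemdup` of the whole `selinux_nf_ops` array per namespace deserves a comment explaining why a per-net copy of otherwise identical hook ops is required.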
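Review bot: in the `selinux_nf_ip_init` hunk, the message `panic("SELinux: nf_register_hooks: error %d\n", err)` still names `nf_register_hooks`, but the call it reports on is now `register_pernet_subsys(&selinux_net_ops)`; update the string so a boot failure points at the right function. It would also help to note in the commit message that this panic now only covers the initial pernet registration, since a failure of `selinux_net_init` for a later namespace is returned to the namespace creator rather than reaching this path.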