[PATCH] SELinux: fix build with CONFIG_SECURITY_NETWORK=n

SELinux should just drop out the socket and netfilter hooks when that is disabled. The problem was introduced because of the fine-grained netlink patches, which made the selinux_netlink_send/recv hook functions depend on CONFIG_SECURITY_NETWORK but the netlink_send/recv hooks themselves are not dependent on it. Need to move selinux_netlink_send/recv back out of the conditional block, and provide a static inline stub for selinux_nlmsg_perm if CONFIG_SECURITY_NETWORK is not defined. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] SELinux: fix build with CONFIG_SECURITY_NETWORK=n
SELinux should just drop out the socket and netfilter hooks when that is disabled. The problem was introduced because of the fine-grained netlink patches, which made the selinux_netlink_send/recv hook functions depend on CONFIG_SECURITY_NETWORK but the netlink_send/recv hooks themselves are not dependent on it. Need to move selinux_netlink_send/recv back out of the conditional block, and provide a static inline stub for selinux_nlmsg_perm if CONFIG_SECURITY_NETWORK is not defined. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
e903c6f9 · Stephen D. Smalley · Linus Torvalds · ec3c438e · e903c6f9
Commit e903c6f9 authored Jun 26, 2004 by Stephen D. Smalley Committed by Linus Torvalds Jun 26, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 22 deletions

security/selinux/hooks.c security/selinux/hooks.c +29 -22

No files found.
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3434,28 +3434,6 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
 	return err;
 }

-static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
-{
-	int err = 0;
-	
-	if (capable(CAP_NET_ADMIN))
-		cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
-	else
-		NETLINK_CB(skb).eff_cap = 0;
-	
-	if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
-		err = selinux_nlmsg_perm(sk, skb);
-	
-	return err;
-}
-
-static int selinux_netlink_recv(struct sk_buff *skb)
-{
-	if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
-		return -EPERM;
-	return 0;
-}
-
 #ifdef CONFIG_NETFILTER

 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
@@ -3591,8 +3569,37 @@ static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,

 #endif	/* CONFIG_NETFILTER */

+#else
+
+static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
+{
+	return 0;
+}
+
 #endif	/* CONFIG_SECURITY_NETWORK */

+static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
+{
+	int err = 0;
+
+	if (capable(CAP_NET_ADMIN))
+		cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
+	else
+		NETLINK_CB(skb).eff_cap = 0;
+
+	if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
+		err = selinux_nlmsg_perm(sk, skb);
+
+	return err;
+}
+
+static int selinux_netlink_recv(struct sk_buff *skb)
+{
+	if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
+		return -EPERM;
+	return 0;
+}
+
 static int ipc_alloc_security(struct task_struct *task,
 			      struct kern_ipc_perm *perm,
 			      u16 sclass)