From: "Venkatesh Yekkirala" <vyekkirala@TrustedCS.com>
To: "'Stephen Smalley'" <sds@tycho.nsa.gov>
Cc: <selinux@tycho.nsa.gov>, <paul.moore@hp.com>, <jmorris@namei.org>,
"'Karl MacMillan'" <kmacmillan@mentalrootkit.com>,
"'Joshua Brindle'" <method@manicmethod.com>
Subject: RE: [RFC] [PATCH 4/4] SELinux changes
Date: Wed, 19 Sep 2007 16:20:05 -0500 [thread overview]
Message-ID: <009401c7fb02$dab3a0a0$cc0a010a@tcssec.com> (raw)
In-Reply-To: <1190211506.25863.56.camel@moss-spartans.epoch.ncsc.mil>
> -----Original Message-----
> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> Sent: Wednesday, September 19, 2007 9:18 AM
> To: Venkat Yekkirala
> Cc: selinux@tycho.nsa.gov; paul.moore@hp.com;
> jmorris@namei.org; Karl MacMillan; Joshua Brindle
> Subject: Re: [RFC] [PATCH 4/4] SELinux changes
>
>
> On Tue, 2007-09-18 at 12:32 -0500, Venkat Yekkirala wrote:
> > This implements the skb_flow_out LSM hook for SELinux. This
> > also defines a new forward_first netfilter hook to perform
> > flow-control of forwarded traffic on the way into the system.
> > Locally destined traffic is flow-controlled inside the existing
> > rcv_skb LSM hook.
> >
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 3694662..5434d7f 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -3519,6 +3519,124 @@ static int
> selinux_socket_unix_may_send(struct socket *sock,
> > return 0;
> > }
> >
> > +static int selinux_skb_flow_in(struct sk_buff *skb, struct
> net_device *in,
> > + unsigned short family)
> > +{
> > + u32 node_sid, if_sid, secid = SECSID_NULL;
> > + int err;
> > + struct avc_audit_data ad;
> > + char *addrp;
> > + int len;
> > +
> > + if (!in) {
> > + if (skb->dev && skb->dev->ifindex == skb->iif)
> > + in = skb->dev;
> > + else
> > + in = __dev_get_by_index(skb->iif);
> > +
> > + if (!in) {
> > + err = -EACCES;
> > + goto out;
> > + }
> > + }
> > +
> > + AVC_AUDIT_DATA_INIT(&ad, NET);
> > + ad.u.net.netif = in->name;
> > + ad.u.net.family = family;
> > + err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
> > + if (err)
> > + goto out;
> > +
> > + if (in != &loopback_dev) { /* Non-localhost packet */
> > + err = selinux_xfrm_decode_session(skb, &secid, 0);
> > + BUG_ON(err);
> > + /* TODO: Retrieve and check any NetLabel for
> agreement with
> > + any Xfrm; also retrieve fallback if necessary */
> > + }
> > +#ifdef TODO
> > + else /* localhost packet */
> > + /* TODO: Retrieve special IP Option set for
> localhost traffic */
> > +#endif
> > +
> > + err = security_node_sid(family, addrp, len, &node_sid);
> > + if (err)
> > + goto out;
> > +
> > + err = avc_has_perm(secid, node_sid,
> > + SECCLASS_NODE,
> > + NODE__FLOW_IN, &ad);
> > + if (err)
> > + goto out;
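Review bot: the `BUG_ON(err)` after `selinux_xfrm_decode_session()` in the non-loopback branch turns a per-packet decode failure into a kernel panic from the receive/forward path; handle it like the other errors in this function (`if (err) goto out;`) so the packet is dropped instead. Two smaller points in the same hunk: the `__dev_get_by_index(skb->iif)` lookup returns a device pointer without taking a reference, so the caller must hold the appropriate lock or use the reference-taking variant with a matching `dev_put()`; and with the loopback branch left under `#ifdef TODO`, localhost traffic reaches `avc_has_perm()` with `secid` still `SECSID_NULL`, which the changelog should say is unhandled until that TODO is filled.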
> Side note: If we are going to keep using node SIDs in new network
> controls (vs. just the compat ones), then we will need to a) introduce
> some kind of node SID cache to avoid the overhead of policy lookup on
> each packet, and b) extend semanage to manage node contexts. There was
> work on both in the past but nothing ever made it to completion (see
> prior postings by Joy Latten and Rodrigo Vivi).
Paul once wondered if it made sense to replace the individual netif
and node flow lookup/checks with a single interface/network based
label lookup and check. I initially felt it made sense but I was
discussing this with Chad and Darrel this afternoon and the thinking
on this end is that it would be best to leave the boundary-defining
labels in the policy itself. So unless we want to invent a way to
define and lookup the interface/network labels in policy, we could
continue with the individual checks. In which case, we will certainly
need to work on the 2 issues you mention above.
Also, another idea that has come up here is to make the default message
sid on netifs usable again and make them fallbacks to the NetLabel
fallbacks. So the resolution, in order of priority, would be:
1. NetLabel(external/cipso)/Xfrm
2. NetLabel Fallback
3. netif default context
4. Unlabeled
> We thought we were eliminating the need for these per-packet
> per-node/netif checks by way of secmark, but I guess not if we are
> keeping secmark separate from labeled networking.
At least that's my current understanding of what we were going to do
(keeping secmark separate).
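As an added illustration, not code from the patch or from any participant in this thread, the four-step resolution order proposed above written as a small user-space C model. The sid values, the SECSID_UNLABELED constant and the "conflict" outcome (NetLabel and Xfrm both label the packet but disagree, corresponding to the agreement check the hunk's TODO mentions) are assumptions made for the example; the kernel's real secids come from policy.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed stand-in values; real secids are assigned by the SELinux policy. */
#define SECSID_NULL      0u
#define SECSID_UNLABELED 1u   /* assumed sid for the "unlabeled" context */

/* Where a packet's label came from, in the proposed order of priority. */
enum label_src {
    SRC_NONE = 0,
    SRC_NETLABEL_XFRM,   /* 1. NetLabel (external/CIPSO) or Xfrm */
    SRC_FALLBACK,        /* 2. NetLabel fallback */
    SRC_NETIF_DEFAULT,   /* 3. netif default message context */
    SRC_UNLABELED,       /* 4. unlabeled */
    SRC_CONFLICT         /* NetLabel and Xfrm disagree: caller should deny */
};

/* The candidate labels an inbound packet might carry (SECSID_NULL = absent). */
struct flow_pkt {
    uint32_t netlabel_sid;   /* label carried on the wire (e.g. CIPSO) */
    uint32_t xfrm_sid;       /* label of the IPsec SA the packet arrived on */
    uint32_t fallback_sid;   /* NetLabel static fallback for the peer */
    uint32_t netif_default;  /* default message context of the netif */
};

/* Resolve the packet sid by walking the four stages in priority order.
 * If NetLabel and Xfrm both label the packet but disagree, return
 * SECSID_NULL with *src = SRC_CONFLICT so the caller can drop it. */
uint32_t resolve_packet_sid(const struct flow_pkt *p, enum label_src *src)
{
    if (p->netlabel_sid != SECSID_NULL && p->xfrm_sid != SECSID_NULL &&
        p->netlabel_sid != p->xfrm_sid) {
        *src = SRC_CONFLICT;
        return SECSID_NULL;
    }
    if (p->netlabel_sid != SECSID_NULL) { *src = SRC_NETLABEL_XFRM; return p->netlabel_sid; }
    if (p->xfrm_sid != SECSID_NULL)     { *src = SRC_NETLABEL_XFRM; return p->xfrm_sid; }
    if (p->fallback_sid != SECSID_NULL) { *src = SRC_FALLBACK;      return p->fallback_sid; }
    if (p->netif_default != SECSID_NULL){ *src = SRC_NETIF_DEFAULT; return p->netif_default; }
    *src = SRC_UNLABELED;
    return SECSID_UNLABELED;
}

/* Wrappers so a case can be stated as plain arguments (netlabel, xfrm, fallback, netif). */
uint32_t resolve_sid_of(uint32_t nl, uint32_t xfrm, uint32_t fb, uint32_t def)
{
    struct flow_pkt p = { nl, xfrm, fb, def };
    enum label_src src;
    return resolve_packet_sid(&p, &src);
}

enum label_src resolve_src_of(uint32_t nl, uint32_t xfrm, uint32_t fb, uint32_t def)
{
    struct flow_pkt p = { nl, xfrm, fb, def };
    enum label_src src;
    (void)resolve_packet_sid(&p, &src);
    return src;
}

static const char *src_name(enum label_src s)
{
    switch (s) {
    case SRC_NETLABEL_XFRM: return "NetLabel/Xfrm";
    case SRC_FALLBACK:      return "NetLabel fallback";
    case SRC_NETIF_DEFAULT: return "netif default";
    case SRC_UNLABELED:     return "unlabeled";
    case SRC_CONFLICT:      return "CONFLICT (deny)";
    default:                return "none";
    }
}

int main(void)
{
    /* Constructed packets, one per resolution stage plus the conflict case. */
    const struct flow_pkt cases[] = {
        { 5, 0, 7, 9 },   /* wire label wins */
        { 0, 6, 7, 9 },   /* IPsec SA label wins */
        { 0, 0, 7, 9 },   /* no labeling: NetLabel fallback */
        { 0, 0, 0, 9 },   /* no fallback: netif default */
        { 0, 0, 0, 0 },   /* nothing at all: unlabeled */
        { 5, 6, 7, 9 },   /* NetLabel and Xfrm disagree */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        enum label_src src;
        uint32_t sid = resolve_packet_sid(&cases[i], &src);
        printf("packet %zu: sid=%u via %s\n", i, sid, src_name(src));
    }
    return 0;
}
```

The stages are deliberately kept as an ordered walk rather than a single lookup, matching the point made above that the boundary-defining labels stay in policy and each source is consulted in turn.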