From: Paul Moore <paul.moore@hp.com>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Subject: Re: [PATCH 10/10] selinux: Perform xfrm checks for unlabeled access in any case
Date: Wed, 16 Feb 2011 16:08:18 -0500 [thread overview]
Message-ID: <1297890498.25079.53.camel@sifl> (raw)
In-Reply-To: <20110214132312.GK15640@secunet.com>
On Mon, 2011-02-14 at 14:23 +0100, Steffen Klassert wrote:
> We do the checks for unlabeled access with selinux_xfrm_postroute_last
> and selinux_xfrm_sock_rcv_skb just in compatibility mode.
> However these checks are required in any case as we have to ensure
> that a packet is allowed to be send to (or received from) an unlabeled
> destination if we have no security association configured.
>
> This patch fixes this by calling selinux_xfrm_postroute_last and
> selinux_xfrm_sock_rcv_skb in any case.
>
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Big NACK on this patch.
While it may seem odd to bail out on the labeled network access checks,
we should only do this when the admin has not configured any of the
labeled networking bits in the kernel (labeled IPsec, NetLabel,
Secmark). The idea is that if the admin hasn't configured anything, all
you are going to end up checking is if unlabeled packets can be sent up,
down and around the network stack. Not a very interesting access
control, and when you consider the policy headache and performance
impact it was causing we decided that dynamic access controls would be
okay for networking.
All you have to do to enable the dynamic access controls is configure
the system and viola, you get back all your unlabeled_t AVCs.
> ---
> security/selinux/hooks.c | 12 +++++++-----
> 1 files changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 1aeae26..85c7667 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4055,8 +4055,6 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
>
> secmark_active = selinux_secmark_enabled();
> peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
> - if (!secmark_active && !peerlbl_active)
> - return 0;
>
> COMMON_AUDIT_DATA_INIT(&ad, NET);
> ad.u.net.netif = skb->skb_iif;
> @@ -4090,6 +4088,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
> return err;
> }
>
> + err = selinux_xfrm_sock_rcv_skb(sk_sid, skb, &ad);
> +
> return err;
> }
>
> @@ -4532,6 +4532,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
> struct sock *sk;
> struct common_audit_data ad;
> char *addrp;
> + u8 proto;
> u8 secmark_active;
> u8 peerlbl_active;
>
> @@ -4555,8 +4556,6 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
>
> secmark_active = selinux_secmark_enabled();
> peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
> - if (!secmark_active && !peerlbl_active)
> - return NF_ACCEPT;
>
> /* if the packet is being forwarded then get the peer label from the
> * packet itself; otherwise check to see if it is from a local
> @@ -4581,7 +4580,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
> COMMON_AUDIT_DATA_INIT(&ad, NET);
> ad.u.net.netif = ifindex;
> ad.u.net.family = family;
> - if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
> + if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
> return NF_DROP;
>
> if (secmark_active)
> @@ -4606,6 +4605,9 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
> return NF_DROP_ERR(-ECONNREFUSED);
> }
>
> + if (selinux_xfrm_postroute_last(peer_sid, skb, &ad, proto))
> + return NF_DROP_ERR(-ECONNREFUSED);
> +
> return NF_ACCEPT;
> }
>
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2011-02-16 21:08 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20110214131651.GA15640@secunet.com>
2011-02-14 16:59 ` [PATCHSET RFC] selinux: rework labeled IPsec networking Paul Moore
[not found] ` <20110215121900.GA25769@secunet.com>
2011-02-16 0:02 ` Paul Moore
[not found] ` <20110221115403.GA20852@secunet.com>
2011-02-21 15:28 ` Paul Moore
[not found] ` <20110214131739.GB15640@secunet.com>
2011-02-16 19:18 ` [PATCH 01/10] selinux: Fix check for xfrm selinux context algorithm Paul Moore
[not found] ` <20110214131815.GC15640@secunet.com>
2011-02-16 19:34 ` [PATCH 02/10] selinux: Perform postroute access control checks after IPsec transfomations Paul Moore
[not found] ` <20110222112334.GB20852@secunet.com>
2011-02-23 21:02 ` Paul Moore
2011-02-28 7:29 ` Steffen Klassert
[not found] ` <20110214131855.GD15640@secunet.com>
2011-02-16 19:39 ` [PATCH 03/10] selinux: Remove checks for xfrm transformations from selinux_xfrm_postroute_last Paul Moore
[not found] ` <20110214131934.GE15640@secunet.com>
2011-02-16 19:46 ` [PATCH 04/10] selinux: Fix wrong checks for selinux_policycap_netpeer Paul Moore
[not found] ` <20110214132009.GF15640@secunet.com>
2011-02-16 20:11 ` [PATCH 05/10] selinux: selinux_xfrm_decode_session check for socket sid Paul Moore
[not found] ` <20110222121143.GC20852@secunet.com>
2011-02-23 21:16 ` Paul Moore
2011-02-25 19:21 ` Joy Latten
2011-02-28 10:25 ` Steffen Klassert
2011-02-28 8:51 ` Steffen Klassert
[not found] ` <20110214132049.GG15640@secunet.com>
2011-02-16 20:19 ` [PATCH 06/10] selinux: Fix packet forwarding checks on postrouting Paul Moore
[not found] ` <20110214132122.GH15640@secunet.com>
2011-02-16 20:32 ` [PATCH 07/10] selinux: Check receiving against sending interface on packet forwarding Paul Moore
[not found] ` <20110222130409.GD20852@secunet.com>
2011-02-23 21:34 ` Paul Moore
2011-02-28 9:10 ` Steffen Klassert
[not found] ` <20110214132157.GI15640@secunet.com>
2011-02-16 20:57 ` [PATCH 08/10] selinux: Fix handling of kernel generated packets on labeled IPsec Paul Moore
[not found] ` <20110222133150.GE20852@secunet.com>
2011-02-23 21:45 ` Paul Moore
2011-02-25 20:50 ` Joy Latten
2011-02-28 10:33 ` Steffen Klassert
2011-03-01 18:41 ` Paul Moore
[not found] ` <20110214132312.GK15640@secunet.com>
2011-02-16 21:08 ` Paul Moore [this message]
[not found] ` <20110222135217.GF20852@secunet.com>
2011-02-23 21:59 ` [PATCH 10/10] selinux: Perform xfrm checks for unlabeled access in any case Paul Moore
2011-02-28 11:34 ` Steffen Klassert
2011-03-01 18:42 ` Paul Moore
[not found] ` <20110214132234.GJ15640@secunet.com>
[not found] ` <1297889991.25079.46.camel@sifl>
2011-02-16 22:08 ` [PATCH 09/10] selinux: xfrm - notify users on dropped packets James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1297890498.25079.53.camel@sifl \
--to=paul.moore@hp.com \
--cc=linux-security-module@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.