* [PATCH][SELINUX] 3/7 Add node controls
       [not found] <Xine.LNX.4.44.0401091012460.21309@thoron.boston.redhat.com>
@ 2004-01-09 15:39   ` James Morris
  0 siblings, 0 replies; 6+ messages in thread
From: James Morris @ 2004-01-09 15:39 UTC (permalink / raw)
  To: Andrew Morton; +Cc: linux-kernel, Stephen Smalley, selinux

This patch against 2.6.1-mm2 adds 'node' access controls for SELinux,
which allows network traffic to be controlled on the basis of remote 
address.
  
Like the previous patch, similar functionality was present in earlier
SELinux implementations; this is a rework within the constraints of the
LSM hooks present in the mainline kernel.
  
Please apply.

 hooks.c |   36 ++++++++++++++++++++++++++++++++----
 1 files changed, 32 insertions(+), 4 deletions(-)

diff -urN -X dontdiff linux-2.6.1-rc2.pending/security/selinux/hooks.c linux-2.6.1-rc2.w1/security/selinux/hooks.c
--- linux-2.6.1-rc2.pending/security/selinux/hooks.c	2004-01-07 11:46:47.687890256 -0500
+++ linux-2.6.1-rc2.w1/security/selinux/hooks.c	2004-01-07 11:48:08.107664592 -0500
@@ -2668,10 +2668,11 @@
 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
 	int err = 0;
-	u32 netif_perm;
+	u32 netif_perm, node_perm, node_sid;
 	struct socket *sock;
 	struct inode *inode;
 	struct net_device *dev;
+	struct iphdr *iph;
 	struct sel_netif *netif;
 	struct netif_security_struct *nsec;
 	struct inode_security_struct *isec;
@@ -2707,14 +2708,17 @@
 	switch (isec->sclass) {
 	case SECCLASS_UDP_SOCKET:
 		netif_perm = NETIF__UDP_RECV;
+		node_perm = NODE__UDP_RECV;
 		break;
 	
 	case SECCLASS_TCP_SOCKET:
 		netif_perm = NETIF__TCP_RECV;
+		node_perm = NODE__TCP_RECV;
 		break;
 	
 	default:
 		netif_perm = NETIF__RAWIP_RECV;
+		node_perm = NODE__RAWIP_RECV;
 		break;
 	}
 
@@ -2724,8 +2728,18 @@
 
 	err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
 	                   netif_perm, &nsec->avcr, &ad);
-
 	sel_netif_put(netif);
+	if (err)
+		goto out;
+	
+	/* Fixme: this lookup is inefficient */
+	iph = skb->nh.iph;
+	err = security_node_sid(PF_INET, &iph->saddr, sizeof(iph->saddr), &node_sid);
+	if (err)
+		goto out;
+	
+	err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);
+
 out:	
 	return err;
 }
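Review bot: `iph = skb->nh.iph` and the `PF_INET` handed to `security_node_sid()` assume every skb reaching this point carries an IPv4 header, and nothing in the hunk establishes that; unless an earlier address-family check outside the hunk filters other families, `iph->saddr` reads the wrong bytes of a non-IPv4 packet before the node lookup. The same assumption is made with `iph->daddr` in the `@@ -2788,8 +2806,18 @@` hunk below, and both recur in the duplicated posting of this patch further down the page. The `/* Fixme: this lookup is inefficient */` comment would help a later reader more if it said why, e.g. `/* FIXME: no avc entry reference is kept for the node (NULL where the netif check passes &nsec->avcr), so each packet repeats the security_node_sid() lookup */`. The start of selinux_socket_sock_rcv_skb lies outside this hunk.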
@@ -2738,9 +2752,10 @@
                                               int (*okfn)(struct sk_buff *))
 {
 	int err = NF_ACCEPT;
-	u32 netif_perm;
+	u32 netif_perm, node_perm, node_sid;
 	struct socket *sock;
 	struct inode *inode;
+	struct iphdr *iph;
 	struct sel_netif *netif;
 	struct sk_buff *skb = *pskb;
 	struct netif_security_struct *nsec;
@@ -2771,14 +2786,17 @@
 	switch (isec->sclass) {
 	case SECCLASS_UDP_SOCKET:
 		netif_perm = NETIF__UDP_SEND;
+		node_perm = NODE__UDP_SEND;
 		break;
 	
 	case SECCLASS_TCP_SOCKET:
 		netif_perm = NETIF__TCP_SEND;
+		node_perm = NODE__TCP_SEND;
 		break;
 	
 	default:
 		netif_perm = NETIF__RAWIP_SEND;
+		node_perm = NODE__RAWIP_SEND;
 		break;
 	}
 
@@ -2788,8 +2806,18 @@
 
 	err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
 	                   netif_perm, &nsec->avcr, &ad) ? NF_DROP : NF_ACCEPT;
-
 	sel_netif_put(netif);
+	if (err != NF_ACCEPT)
+		goto out;
+		
+	/* Fixme: this lookup is inefficient */
+	iph = skb->nh.iph;
+	err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr), &node_sid);
+	if (err)
+		goto out;
+	
+	err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
+	                   node_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
 out:
 	return err;
 }
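Review bot: A failure of `security_node_sid()` leaves a negative errno in `err` and jumps to `out`, but `err` in this function holds a netfilter verdict (`int err = NF_ACCEPT` in the declarations hunk above), so the caller receives a value that is neither `NF_DROP` nor `NF_ACCEPT`; the neighbouring lines map both `avc_has_perm()` results with `? NF_DROP : NF_ACCEPT`, this branch does not. Map it explicitly so a lookup failure is a clean drop: `if (security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr), &node_sid)) { err = NF_DROP; goto out; }`. The same lines appear in the duplicated posting of this patch further down the page. The function's signature and the earlier part of its body lie outside this hunk.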





* [PATCH][SELINUX] 3/7 Add node controls
@ 2004-01-09 15:39   ` James Morris
  0 siblings, 0 replies; 6+ messages in thread
From: James Morris @ 2004-01-09 15:39 UTC (permalink / raw)
  To: Andrew Morton; +Cc: linux-kernel, Stephen Smalley, selinux

This patch against 2.6.1-mm2 adds 'node' access controls for SELinux,
which allows network traffic to be controlled on the basis of remote 
address.
  
Like the previous patch, similar functionality was present in earlier
SELinux implementations; this is a rework within the constraints of the
LSM hooks present in the mainline kernel.
  
Please apply.

 hooks.c |   36 ++++++++++++++++++++++++++++++++----
 1 files changed, 32 insertions(+), 4 deletions(-)

diff -urN -X dontdiff linux-2.6.1-rc2.pending/security/selinux/hooks.c linux-2.6.1-rc2.w1/security/selinux/hooks.c
--- linux-2.6.1-rc2.pending/security/selinux/hooks.c	2004-01-07 11:46:47.687890256 -0500
+++ linux-2.6.1-rc2.w1/security/selinux/hooks.c	2004-01-07 11:48:08.107664592 -0500
@@ -2668,10 +2668,11 @@
 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
 	int err = 0;
-	u32 netif_perm;
+	u32 netif_perm, node_perm, node_sid;
 	struct socket *sock;
 	struct inode *inode;
 	struct net_device *dev;
+	struct iphdr *iph;
 	struct sel_netif *netif;
 	struct netif_security_struct *nsec;
 	struct inode_security_struct *isec;
@@ -2707,14 +2708,17 @@
 	switch (isec->sclass) {
 	case SECCLASS_UDP_SOCKET:
 		netif_perm = NETIF__UDP_RECV;
+		node_perm = NODE__UDP_RECV;
 		break;
 	
 	case SECCLASS_TCP_SOCKET:
 		netif_perm = NETIF__TCP_RECV;
+		node_perm = NODE__TCP_RECV;
 		break;
 	
 	default:
 		netif_perm = NETIF__RAWIP_RECV;
+		node_perm = NODE__RAWIP_RECV;
 		break;
 	}
 
@@ -2724,8 +2728,18 @@
 
 	err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
 	                   netif_perm, &nsec->avcr, &ad);
-
 	sel_netif_put(netif);
+	if (err)
+		goto out;
+	
+	/* Fixme: this lookup is inefficient */
+	iph = skb->nh.iph;
+	err = security_node_sid(PF_INET, &iph->saddr, sizeof(iph->saddr), &node_sid);
+	if (err)
+		goto out;
+	
+	err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);
+
 out:	
 	return err;
 }
@@ -2738,9 +2752,10 @@
                                               int (*okfn)(struct sk_buff *))
 {
 	int err = NF_ACCEPT;
-	u32 netif_perm;
+	u32 netif_perm, node_perm, node_sid;
 	struct socket *sock;
 	struct inode *inode;
+	struct iphdr *iph;
 	struct sel_netif *netif;
 	struct sk_buff *skb = *pskb;
 	struct netif_security_struct *nsec;
@@ -2771,14 +2786,17 @@
 	switch (isec->sclass) {
 	case SECCLASS_UDP_SOCKET:
 		netif_perm = NETIF__UDP_SEND;
+		node_perm = NODE__UDP_SEND;
 		break;
 	
 	case SECCLASS_TCP_SOCKET:
 		netif_perm = NETIF__TCP_SEND;
+		node_perm = NODE__TCP_SEND;
 		break;
 	
 	default:
 		netif_perm = NETIF__RAWIP_SEND;
+		node_perm = NODE__RAWIP_SEND;
 		break;
 	}
 
@@ -2788,8 +2806,18 @@
 
 	err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
 	                   netif_perm, &nsec->avcr, &ad) ? NF_DROP : NF_ACCEPT;
-
 	sel_netif_put(netif);
+	if (err != NF_ACCEPT)
+		goto out;
+		
+	/* Fixme: this lookup is inefficient */
+	iph = skb->nh.iph;
+	err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr), &node_sid);
+	if (err)
+		goto out;
+	
+	err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
+	                   node_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
 out:
 	return err;
 }




* Re: [PATCH][SELINUX] 3/7 Add node controls
  2004-01-09 15:39   ` James Morris
  (?)
@ 2004-01-09 18:53   ` Arkadiusz Miskiewicz
  2004-01-09 20:17     ` James Morris
  -1 siblings, 1 reply; 6+ messages in thread
From: Arkadiusz Miskiewicz @ 2004-01-09 18:53 UTC (permalink / raw)
  To: James Morris; +Cc: linux-kernel

On Friday 09 of January 2004 16:39, James Morris wrote:
> This patch against 2.6.1-mm2 adds 'node' access controls for SELinux,
> which allows network traffic to be controlled on the basis of remote
> address.
>
> Like the previous patch, similar functionality was present in earlier
> SELinux implementations; this is a rework within the constraints of the
> LSM hooks present in the mainline kernel.
But only for IPv4 right? What about IPv6 part - is SELinux able to deal with 
IPv6 at all?

> Please apply.

-- 
Arkadiusz Miśkiewicz    CS at FoE, Wroclaw University of Technology
arekm.pld-linux.org AM2-6BONE, 1024/3DB19BBD, arekm(at)ircnet, PLD/Linux


* Re: [PATCH][SELINUX] 3/7 Add node controls
  2004-01-09 18:53   ` Arkadiusz Miskiewicz
@ 2004-01-09 20:17     ` James Morris
  0 siblings, 0 replies; 6+ messages in thread
From: James Morris @ 2004-01-09 20:17 UTC (permalink / raw)
  To: Arkadiusz Miskiewicz; +Cc: linux-kernel

On Fri, 9 Jan 2004, Arkadiusz Miskiewicz wrote:

> > Like the previous patch, similar functionality was present in earlier
> > SELinux implementations; this is a rework within the constraints of the
> > LSM hooks present in the mainline kernel.
> But only for IPv4 right? What about IPv6 part - is SELinux able to deal with 
> IPv6 at all?

Not at this level yet.  There are socket controls which provide coverage
of all protocols, and finer-grained controls for IPv4 and Unix.  Duplication
of the IPv4-specific controls for IPv6 is expected to be implemented soon.


- James
-- 
James Morris
<jmorris@redhat.com>




* Re: [PATCH][SELINUX] 3/7 Add node controls
@ 2005-02-25 19:00 Park Lee
  2005-02-25 21:29 ` James Morris
  0 siblings, 1 reply; 6+ messages in thread
From: Park Lee @ 2005-02-25 19:00 UTC (permalink / raw)
  To: jmorris; +Cc: SELinux

On Fri 9 Jan 2004 - at 10:39, James Morris wrote:
> This patch against 2.6.1-mm2 adds 'node' access
> controls for SELinux, which allows network traffic 
> to be controlled on the basis of remote address. 

Can 'node' access controls now permit controls
on inbound messages based on the source address, in
addition to permitting controls on outbound messages based
on the destination address you mentioned above?

Thanx.


=====
Best Regards,
Park Lee




* Re: [PATCH][SELINUX] 3/7 Add node controls
  2005-02-25 19:00 Park Lee
@ 2005-02-25 21:29 ` James Morris
  0 siblings, 0 replies; 6+ messages in thread
From: James Morris @ 2005-02-25 21:29 UTC (permalink / raw)
  To: Park Lee; +Cc: SELinux

On Fri, 25 Feb 2005, Park Lee wrote:

> On Fri 9 Jan 2004 - at 10:39, James Morris wrote:
> > This patch against 2.6.1-mm2 adds 'node' access
> > controls for SELinux, which allows network traffic 
> > to be controlled on the basis of remote address. 
> 
> Can 'node' access controls now permit controls
> on inbound messages based on the source address in
> addition to permit controls on outbound messages based
> on the destination address you mentioned above.

Yes, these controls always specify the remote node.


- James
-- 
James Morris
<jmorris@redhat.com>




