From: paul.moore@hp.com
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: vyekkirala@TrustedCS.com, jmorris@namei.org, sds@tycho.nsa.gov
Subject: [PATCH 02/11] secid reconciliation: Add LSM hooks
Date: Mon, 09 Oct 2006 15:42:25 -0400 [thread overview]
Message-ID: <20061009195846.817755000@hp.com> (raw)
In-Reply-To: 20061009194223.402695000@hp.com
From: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Add skb_policy_check and skb_netfilter_check hooks to LSM to enable
reconciliation of the various security identifiers as well as enforce
flow control on inbound (PREROUTING/INPUT) and outbound (OUTPUT/FORWARD/POSTROUTING)
traffic.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
---
include/linux/security.h | 41 ++++++++++++++++++++++++++++++++++++++++-
security/dummy.c | 13 +++++++++++++
2 files changed, 53 insertions(+), 1 deletion(-)
Index: net-2.6_secidfinal/include/linux/security.h
===================================================================
--- net-2.6_secidfinal.orig/include/linux/security.h
+++ net-2.6_secidfinal/include/linux/security.h
@@ -828,6 +828,15 @@ struct request_sock;
* Sets the new child socket's sid to the openreq sid.
* @req_classify_flow:
* Sets the flow's sid to the openreq sid.
+ * @skb_flow_in:
+ * Checks to see if security policy would allow skb into the system
+ * while also reconciling the xfrm secid, cipso, etc, if any, and
+ * relabeling the skb with the reconciled secid.
+ * Returns 1 if skb allowed into system, 0 otherwise.
+ * @skb_flow_out:
+ * Checks to see if security policy would allow skb to go out of system.
+ * Returns 1 if skb allowed out of system, 0 if not, and -ENOENT if there's
+ * no hook defined.
*
* Security hooks for XFRM operations.
*
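Review bot: The new @skb_flow_in entry documents only the 1/0 outcomes, yet the dummy implementation added in security/dummy.c by this same patch returns -ENOENT from dummy_skb_flow_in, so a caller written against this comment would treat that value as neither allow nor deny. Either dummy_skb_flow_in should return one of the documented values, or this entry should mirror @skb_flow_out: `* Returns 1 if skb allowed into system, 0 if not, and -ENOENT if there's` / `* no hook defined.` The commit description also refers to skb_policy_check and skb_netfilter_check, while the hooks this patch actually adds are skb_flow_in and skb_flow_out; the description should name the hooks it introduces.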
@@ -1372,6 +1381,8 @@ struct security_operations {
struct request_sock *req);
void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
+ int (*skb_flow_in)(struct sk_buff *skb, unsigned short family);
+ int (*skb_flow_out)(struct sk_buff *skb, u32 nf_secid);
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2947,6 +2958,18 @@ static inline void security_req_classify
security_ops->req_classify_flow(req, fl);
}
+static inline int security_skb_flow_in(struct sk_buff *skb,
+ unsigned short family)
+{
+ return security_ops->skb_flow_in(skb, family);
+}
+
+static inline int security_skb_flow_out(struct sk_buff *skb,
+ u32 nf_secid)
+{
+ return security_ops->skb_flow_out(skb, nf_secid);
+}
+
static inline void security_sock_graft(struct sock* sk, struct socket *parent)
{
security_ops->sock_graft(sk, parent);
@@ -3098,6 +3121,18 @@ static inline void security_req_classify
{
}
+static inline int security_skb_flow_in(struct sk_buff *skb,
+ unsigned short family)
+{
+ return 1;
+}
+
+static inline int security_skb_flow_out(struct sk_buff *skb,
+ u32 nf_secid)
+{
+ return -ENOENT;
+}
+
static inline void security_sock_graft(struct sock* sk, struct socket *parent)
{
}
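Review bot: The CONFIG_SECURITY=n stub security_skb_flow_in returns 1 (allow) while the CONFIG_SECURITY=y default dummy_skb_flow_in in the security/dummy.c hunk returns -ENOENT, so the inbound default differs with kernel configuration even though both mean "no LSM policy loaded". A caller that tests `== 1` would drop all inbound traffic under the dummy module, and one that tests `!= 0` would pass it, so the two defaults should agree; the outbound pair is already consistent (both -ENOENT). The smallest fix is to make the stub here return `-ENOENT` like its outbound sibling, or to make dummy_skb_flow_in `return 1;`, whichever the callers in later patches of this series expect.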
@@ -3151,7 +3186,11 @@ static inline int security_xfrm_state_al
{
if (!polsec)
return 0;
- return security_ops->xfrm_state_alloc_security(x, NULL, polsec, secid);
+ /*
+ * No need to pass polsec along since we want the context to be
+ * taken from secid which is usually from the sock.
+ */
+ return security_ops->xfrm_state_alloc_security(x, NULL, NULL, secid);
}
static inline int security_xfrm_state_delete(struct xfrm_state *x)
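Review bot: After this change polsec is no longer forwarded to the hook, but the `if (!polsec) return 0;` guard above the new comment still gates on it, so polsec now only serves as a presence check and the state's context is built from secid alone; the comment should say so, otherwise the surviving NULL check reads as dead code. Suggested wording: `* polsec is only checked for presence; the state's context is taken from secid (usually the sock's), not from the policy context.` The hook now has no policy context to fall back on, which is worth making explicit since it changes what label an xfrm state receives when secid does not come from the socket. The enclosing function's signature lies outside the hunk.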
Index: net-2.6_secidfinal/security/dummy.c
===================================================================
--- net-2.6_secidfinal.orig/security/dummy.c
+++ net-2.6_secidfinal/security/dummy.c
@@ -832,6 +832,17 @@ static inline void dummy_req_classify_fl
struct flowi *fl)
{
}
+
+static inline int dummy_skb_flow_in(struct sk_buff *skb,
+ unsigned short family)
+{
+ return -ENOENT;
+}
+
+static inline int dummy_skb_flow_out(struct sk_buff *skb, u32 nf_secid)
+{
+ return -ENOENT;
+}
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1108,6 +1119,8 @@ void security_fixup_ops (struct security
set_to_dummy_if_null(ops, inet_conn_request);
set_to_dummy_if_null(ops, inet_csk_clone);
set_to_dummy_if_null(ops, req_classify_flow);
+ set_to_dummy_if_null(ops, skb_flow_in);
+ set_to_dummy_if_null(ops, skb_flow_out);
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
set_to_dummy_if_null(ops, xfrm_policy_alloc_security);
--
paul moore
linux security @ hp
--
From: paul.moore@hp.com
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: vyekkirala@TrustedCS.com, jmorris@namei.org, sds@tycho.nsa.gov
Subject: [PATCH 02/11] secid reconciliation: Add LSM hooks
Date: Mon, 09 Oct 2006 15:42:25 -0400 [thread overview]
Message-ID: <20061009195846.817755000@hp.com> (raw)
In-Reply-To: 20061009194223.402695000@hp.com
From: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Add skb_policy_check and skb_netfilter_check hooks to LSM to enable
reconciliation of the various security identifiers as well as enforce
flow control on inbound (PREROUTING/INPUT) and outbound (OUTPUT/FORWARD/POSTROUTING)
traffic.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
---
include/linux/security.h | 41 ++++++++++++++++++++++++++++++++++++++++-
security/dummy.c | 13 +++++++++++++
2 files changed, 53 insertions(+), 1 deletion(-)
Index: net-2.6_secidfinal/include/linux/security.h
===================================================================
--- net-2.6_secidfinal.orig/include/linux/security.h
+++ net-2.6_secidfinal/include/linux/security.h
@@ -828,6 +828,15 @@ struct request_sock;
* Sets the new child socket's sid to the openreq sid.
* @req_classify_flow:
* Sets the flow's sid to the openreq sid.
+ * @skb_flow_in:
+ * Checks to see if security policy would allow skb into the system
+ * while also reconciling the xfrm secid, cipso, etc, if any, and
+ * relabeling the skb with the reconciled secid.
+ * Returns 1 if skb allowed into system, 0 otherwise.
+ * @skb_flow_out:
+ * Checks to see if security policy would allow skb to go out of system.
+ * Returns 1 if skb allowed out of system, 0 if not, and -ENOENT if there's
+ * no hook defined.
*
* Security hooks for XFRM operations.
*
@@ -1372,6 +1381,8 @@ struct security_operations {
struct request_sock *req);
void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
+ int (*skb_flow_in)(struct sk_buff *skb, unsigned short family);
+ int (*skb_flow_out)(struct sk_buff *skb, u32 nf_secid);
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2947,6 +2958,18 @@ static inline void security_req_classify
security_ops->req_classify_flow(req, fl);
}
+static inline int security_skb_flow_in(struct sk_buff *skb,
+ unsigned short family)
+{
+ return security_ops->skb_flow_in(skb, family);
+}
+
+static inline int security_skb_flow_out(struct sk_buff *skb,
+ u32 nf_secid)
+{
+ return security_ops->skb_flow_out(skb, nf_secid);
+}
+
static inline void security_sock_graft(struct sock* sk, struct socket *parent)
{
security_ops->sock_graft(sk, parent);
@@ -3098,6 +3121,18 @@ static inline void security_req_classify
{
}
+static inline int security_skb_flow_in(struct sk_buff *skb,
+ unsigned short family)
+{
+ return 1;
+}
+
+static inline int security_skb_flow_out(struct sk_buff *skb,
+ u32 nf_secid)
+{
+ return -ENOENT;
+}
+
static inline void security_sock_graft(struct sock* sk, struct socket *parent)
{
}
@@ -3151,7 +3186,11 @@ static inline int security_xfrm_state_al
{
if (!polsec)
return 0;
- return security_ops->xfrm_state_alloc_security(x, NULL, polsec, secid);
+ /*
+ * No need to pass polsec along since we want the context to be
+ * taken from secid which is usually from the sock.
+ */
+ return security_ops->xfrm_state_alloc_security(x, NULL, NULL, secid);
}
static inline int security_xfrm_state_delete(struct xfrm_state *x)
Index: net-2.6_secidfinal/security/dummy.c
===================================================================
--- net-2.6_secidfinal.orig/security/dummy.c
+++ net-2.6_secidfinal/security/dummy.c
@@ -832,6 +832,17 @@ static inline void dummy_req_classify_fl
struct flowi *fl)
{
}
+
+static inline int dummy_skb_flow_in(struct sk_buff *skb,
+ unsigned short family)
+{
+ return -ENOENT;
+}
+
+static inline int dummy_skb_flow_out(struct sk_buff *skb, u32 nf_secid)
+{
+ return -ENOENT;
+}
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1108,6 +1119,8 @@ void security_fixup_ops (struct security
set_to_dummy_if_null(ops, inet_conn_request);
set_to_dummy_if_null(ops, inet_csk_clone);
set_to_dummy_if_null(ops, req_classify_flow);
+ set_to_dummy_if_null(ops, skb_flow_in);
+ set_to_dummy_if_null(ops, skb_flow_out);
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
set_to_dummy_if_null(ops, xfrm_policy_alloc_security);
--
paul moore
linux security @ hp