From: paul.moore@hp.com
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: vyekkirala@TrustedCS.com, jmorris@namei.org, sds@tycho.nsa.gov,
Paul Moore <paul.moore@hp.com>
Subject: [PATCH 11/11] secid reconciliation: support for NetLabel
Date: Mon, 09 Oct 2006 15:42:34 -0400 [thread overview]
Message-ID: <20061009195853.495026000@hp.com> (raw)
In-Reply-To: 20061009194223.402695000@hp.com
From: Paul Moore <paul.moore@hp.com>
This patch provides the missing NetLabel support to the secid reconciliation
patchset.
This includes a change to the security_skb_flow_in() LSM hook to indicate if
the hook is in the forwarding path and a change to netlbl_skbuff_err() to carry
the forwarding information to the lower protocol level. This was required to
meet the CIPSO specifications regarding handling permission denied errors.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
include/linux/security.h | 10 +-
include/net/netlabel.h | 6 -
include/net/xfrm.h | 4
net/netlabel/netlabel_kapi.c | 5 -
security/dummy.c | 3
security/selinux/hooks.c | 139 +++++++++++++++++++---------
security/selinux/include/objsec.h | 1
security/selinux/include/selinux_netlabel.h | 34 ++----
security/selinux/ss/services.c | 124 ++++--------------------
9 files changed, 153 insertions(+), 173 deletions(-)
Index: net-2.6_secidfinal/include/linux/security.h
===================================================================
--- net-2.6_secidfinal.orig/include/linux/security.h
+++ net-2.6_secidfinal/include/linux/security.h
@@ -1385,7 +1385,7 @@ struct security_operations {
void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb);
void (*igmp_classify_skb)(struct sk_buff *skb);
- int (*skb_flow_in)(struct sk_buff *skb, unsigned short family);
+ int (*skb_flow_in)(struct sk_buff *skb, unsigned short family, u32 fwd);
int (*skb_flow_out)(struct sk_buff *skb, u32 nf_secid,
const struct net_device *out, unsigned short family);
#endif /* CONFIG_SECURITY_NETWORK */
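Review bot: The new `fwd` argument on the `skb_flow_in` hook at the `+` line is undocumented in this header, while its counterpart `gateway` gets a kerneldoc line in the netlabel_kapi.c hunk. If the hook is described in the block comment above `struct security_operations` (outside this hunk), add a matching line there, e.g. `@fwd: non-zero when the packet is being forwarded rather than delivered locally`. The only caller in this patch passes `dir == XFRM_POLICY_FWD ? 1 : 0`, so the parameter is effectively a boolean and should be documented as one even though it is typed `u32`.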
@@ -2964,9 +2964,10 @@ static inline void security_igmp_classif
}
static inline int security_skb_flow_in(struct sk_buff *skb,
- unsigned short family)
+ unsigned short family,
+ u32 fwd)
{
- return security_ops->skb_flow_in(skb, family);
+ return security_ops->skb_flow_in(skb, family, fwd);
}
static inline int security_skb_flow_out(struct sk_buff *skb,
@@ -3134,7 +3135,8 @@ static inline void security_igmp_classif
}
static inline int security_skb_flow_in(struct sk_buff *skb,
- unsigned short family)
+ unsigned short family,
+ u32 fwd)
{
return 1;
}
Index: net-2.6_secidfinal/include/net/netlabel.h
===================================================================
--- net-2.6_secidfinal.orig/include/net/netlabel.h
+++ net-2.6_secidfinal/include/net/netlabel.h
@@ -237,7 +237,7 @@ int netlbl_socket_getattr(const struct s
struct netlbl_lsm_secattr *secattr);
int netlbl_skbuff_getattr(const struct sk_buff *skb,
struct netlbl_lsm_secattr *secattr);
-void netlbl_skbuff_err(struct sk_buff *skb, int error);
+void netlbl_skbuff_err(struct sk_buff *skb, int error, u32 gateway);
#else
static inline int netlbl_socket_setattr(const struct socket *sock,
const struct netlbl_lsm_secattr *secattr)
@@ -263,7 +263,9 @@ static inline int netlbl_skbuff_getattr(
return -ENOSYS;
}
-static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)
+static inline void netlbl_skbuff_err(struct sk_buff *skb,
+ int error,
+ u32 gateway)
{
return;
}
Index: net-2.6_secidfinal/include/net/xfrm.h
===================================================================
--- net-2.6_secidfinal.orig/include/net/xfrm.h
+++ net-2.6_secidfinal/include/net/xfrm.h
@@ -685,7 +685,9 @@ static inline int xfrm_policy_check(stru
__xfrm_policy_check(sk, dir, skb, family);
if (ret)
- ret = security_skb_flow_in(skb, family);
+ ret = security_skb_flow_in(skb,
+ family,
+ dir == XFRM_POLICY_FWD ? 1 : 0);
return ret;
}
Index: net-2.6_secidfinal/net/netlabel/netlabel_kapi.c
===================================================================
--- net-2.6_secidfinal.orig/net/netlabel/netlabel_kapi.c
+++ net-2.6_secidfinal/net/netlabel/netlabel_kapi.c
@@ -159,6 +159,7 @@ int netlbl_skbuff_getattr(const struct s
* netlbl_skbuff_err - Handle a LSM error on a sk_buff
* @skb: the packet
* @error: the error code
+ * @gateway: true if the packet is being forwarded and not consumed locally
*
* Description:
* Deal with a LSM problem when handling the packet in @skb, typically this is
@@ -166,10 +167,10 @@ int netlbl_skbuff_getattr(const struct s
* according to the packet's labeling protocol.
*
*/
-void netlbl_skbuff_err(struct sk_buff *skb, int error)
+void netlbl_skbuff_err(struct sk_buff *skb, int error, u32 gateway)
{
if (CIPSO_V4_OPTEXIST(skb))
- cipso_v4_error(skb, error, 0);
+ cipso_v4_error(skb, error, gateway);
}
/**
Index: net-2.6_secidfinal/security/dummy.c
===================================================================
--- net-2.6_secidfinal.orig/security/dummy.c
+++ net-2.6_secidfinal/security/dummy.c
@@ -838,7 +838,8 @@ static inline void dummy_igmp_classify_s
}
static inline int dummy_skb_flow_in(struct sk_buff *skb,
- unsigned short family)
+ unsigned short family,
+ u32 fwd)
{
return -ENOENT;
}
Index: net-2.6_secidfinal/security/selinux/hooks.c
===================================================================
--- net-2.6_secidfinal.orig/security/selinux/hooks.c
+++ net-2.6_secidfinal/security/selinux/hooks.c
@@ -50,6 +50,7 @@
#include <net/icmp.h>
#include <net/ip.h> /* for sysctl_local_port_range[] */
#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
+#include <net/netlabel.h>
#include <asm/uaccess.h>
#include <asm/ioctls.h>
#include <linux/bitops.h>
@@ -3465,6 +3466,10 @@ static int selinux_sock_rcv_skb_compat(s
goto out;
}
+ err = selinux_netlbl_sock_rcv_skb(sock_sid, sock_class, skb, ad);
+ if (err)
+ goto out;
+
err = selinux_xfrm_sock_rcv_skb(sock_sid, skb, ad);
out:
@@ -3498,13 +3503,15 @@ static int selinux_socket_sock_rcv_skb(s
if (selinux_compat_net)
err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
addrp, len);
- else
+ else {
err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
PACKET__RECV, &ad);
- if (err)
- goto out;
+ if (err)
+ /* This is okay because NetLabel will only act here
+ * if the packet is labeled with NetLabel already. */
+ netlbl_skbuff_err(skb, err, 0);
+ }
- err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
out:
return err;
}
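Review bot: The comment wedged between `if (err)` and its unbraced statement in the added lines makes the conditional body easy to misread; brace it and keep the comment inside: `if (err) { /* NetLabel only acts here if the packet is already NetLabel-tagged */ netlbl_skbuff_err(skb, err, 0); }`. The comment should also spell out the asymmetry this hunk introduces: in the non-compat branch any PACKET__RECV denial on a CIPSO-tagged packet now produces a CIPSO error reply via netlbl_skbuff_err(), whereas in the compat branch (previous hunk) only a denial inside selinux_netlbl_sock_rcv_skb() does and a denial from selinux_xfrm_sock_rcv_skb() does not. If that difference is intended, one sentence saying so saves the next reader a trip through both paths.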
@@ -3527,11 +3534,8 @@ static int selinux_socket_getpeersec_str
peer_sid = ssec->peer_sid;
}
else if (isec->sclass == SECCLASS_TCP_SOCKET) {
- peer_sid = selinux_netlbl_socket_getpeersec_stream(sock);
- if (peer_sid == SECSID_NULL) {
- ssec = sock->sk->sk_security;
- peer_sid = ssec->peer_sid;
- }
+ ssec = sock->sk->sk_security;
+ peer_sid = ssec->peer_sid;
if (peer_sid == SECSID_NULL) {
err = -ENOPROTOOPT;
goto out;
@@ -3573,13 +3577,17 @@ static int selinux_socket_getpeersec_dgr
if (sock && (sock->sk->sk_family == PF_UNIX))
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb) {
- peer_secid = selinux_netlbl_socket_getpeersec_dgram(skb);
- if (peer_secid == SECSID_NULL) {
- if (selinux_compat_net)
- peer_secid = selinux_socket_getpeer_dgram(skb);
- else
- peer_secid = skb->secmark;
- }
+ if (selinux_compat_net) {
+ u32 xfrm_peer_secid;
+
+ xfrm_peer_secid = selinux_socket_getpeer_dgram(skb);
+ err = selinux_netlbl_skb_sid(skb,
+ xfrm_peer_secid,
+ &peer_secid);
+ if (err == 0 && peer_secid == SECSID_NULL)
+ peer_secid = xfrm_peer_secid;
+ } else
+ peer_secid = skb->secmark;
}
if (peer_secid == SECSID_NULL)
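Review bot: A negative return from selinux_netlbl_skb_sid() in the new compat branch is not acted on: the code only tests `err == 0` to decide whether to fall back to `xfrm_peer_secid`, and otherwise continues with whatever `peer_secid` holds, which is only defined if the declaration outside this hunk initialises it. The same pattern appears in the selinux_inet_conn_request() hunk below, where the error is then unconditionally overwritten by `err = selinux_xfrm_decode_session(skb, &peersid, 0);`, so a failed NetLabel lookup silently degrades to the xfrm or secmark SID; selinux_skb_flow_in() in this same patch instead treats that failure as a drop. If falling back on error is intended, say so in a comment at both sites; if not, `if (err)` / `return err;` ahead of the fallback (following each function's own cleanup convention, since their tails are outside the hunks) makes the lookup fail closed.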
@@ -3641,13 +3649,11 @@ static int selinux_inet_conn_request(str
u32 newsid;
u32 peersid;
- newsid = selinux_netlbl_inet_conn_request(skb, sksec->sid);
- if (newsid != SECSID_NULL) {
- req->secid = newsid;
- return 0;
- }
-
if (selinux_compat_net) {
+ err = selinux_netlbl_skb_sid(skb, sksec->sid, &peersid);
+ if (err == 0 && peersid != SECSID_NULL)
+ goto out;
+
err = selinux_xfrm_decode_session(skb, &peersid, 0);
BUG_ON(err);
@@ -3659,6 +3665,7 @@ static int selinux_inet_conn_request(str
} else
peersid = skb->secmark;
+out:
err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
if (err)
return err;
@@ -3696,9 +3703,14 @@ static void selinux_igmp_classify_skb(st
skb->secmark = SECINITSID_IGMP_PACKET;
}
-static int selinux_skb_flow_in(struct sk_buff *skb, unsigned short family)
+static int selinux_skb_flow_in(struct sk_buff *skb,
+ unsigned short family,
+ u32 fwd)
{
u32 xfrm_sid;
+ u32 nlbl_sid;
+ u32 nlbl_base_sid;
+ u32 ext_sid;
int err;
struct avc_audit_data ad;
char *addrp;
@@ -3724,20 +3736,38 @@ static int selinux_skb_flow_in(struct sk
err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0);
BUG_ON(err);
- err = avc_has_perm(xfrm_sid, skb->secmark? : SECINITSID_NETMSG,
- SECCLASS_PACKET,
- PACKET__FLOW_IN, &ad);
+ if (xfrm_sid)
+ nlbl_base_sid = xfrm_sid;
+ else if (skb->secmark)
+ nlbl_base_sid = skb->secmark;
+ else
+ nlbl_base_sid = SECINITSID_UNLABELED;
+ err = selinux_netlbl_skb_sid(skb, nlbl_base_sid, &nlbl_sid);
if (err)
goto out;
- if (xfrm_sid)
- skb->secmark = xfrm_sid;
+ if (nlbl_sid)
+ ext_sid = nlbl_sid;
+ else
+ ext_sid = xfrm_sid;
- /* See if NetLabel can flow in thru the current secmark here */
+ err = avc_has_perm(ext_sid,
+ skb->secmark ? skb->secmark : SECINITSID_NETMSG,
+ SECCLASS_PACKET,
+ PACKET__FLOW_IN,
+ &ad);
+ if (err) {
+ if (nlbl_sid)
+ netlbl_skbuff_err(skb, err, fwd);
+ goto out;
+ }
+
+ if (ext_sid)
+ skb->secmark = ext_sid;
out:
return err ? 0 : 1;
-};
+}
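Review bot: `ext_sid` can still be SECSID_NULL when the packet carries neither a NetLabel nor an xfrm label (the `else ext_sid = xfrm_sid;` line), and the PACKET__FLOW_IN check then runs with that as the source SID, whereas the new `nlbl_base_sid` chain a few lines earlier explicitly maps the same case to SECINITSID_UNLABELED. The removed lines passed a possibly-null `xfrm_sid` the same way, so this is not a regression, but the two chains now look deliberately different; either comment that avc_has_perm() is expected to cope with a null ssid here, or, if it is not, use `avc_has_perm(ext_sid ? ext_sid : SECINITSID_UNLABELED, ...)` for the check while leaving the `if (ext_sid)` secmark update as it is. A short header comment stating the precedence this function now applies (NetLabel SID over xfrm SID, with the existing secmark as the target of the check) and that a failed NetLabel lookup drops the packet through `return err ? 0 : 1` would also help; selinux_skb_flow_in() starts in the previous hunk.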
static int selinux_skb_flow_out(struct sk_buff *skb, u32 nf_secid,
const struct net_device *out, unsigned short family)
@@ -3752,16 +3782,30 @@ static int selinux_skb_flow_out(struct s
return 1;
if (!skb->secmark) {
+ u32 sk_sid;
u32 xfrm_sid;
+ u32 nlbl_sid;
+
+ if (skb->sk) {
+ struct sk_security_struct *sksec =
+ skb->sk->sk_security;
+ sk_sid = sksec->sid;
+ } else
+ sk_sid = SECSID_NULL;
selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ err = selinux_netlbl_skb_sid(skb,
+ xfrm_sid ? xfrm_sid : sk_sid,
+ &nlbl_sid);
+ if (err)
+ goto out;
- if (xfrm_sid)
+ if (nlbl_sid)
+ skb->secmark = nlbl_sid;
+ else if (xfrm_sid)
skb->secmark = xfrm_sid;
- else if (skb->sk) {
- struct sk_security_struct *sksec = skb->sk->sk_security;
- skb->secmark = sksec->sid;
- }
+ else if (sk_sid)
+ skb->secmark = sk_sid;
}
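Review bot: The block that derives a secmark for an unlabeled skb — socket SID, xfrm SID, NetLabel lookup, then the three-way precedence — is now duplicated verbatim between this hunk and the selinux_ip_postroute() hunk that follows, about twenty lines each that have to be kept in sync by hand. Pulling it into one static helper keeps the precedence rule (NetLabel over xfrm over socket) in a single place; both call sites reduce to `err = selinux_skb_set_secmark(skb); if (err) goto out;` inside their `if (!skb->secmark)` block. selinux_skb_flow_out() starts outside this hunk, and what its `out` label returns on error is not visible here.
```c
/* Derive skb->secmark for an unlabeled outbound packet, preferring the
 * NetLabel SID, then the xfrm policy SID, then the owning socket's SID.
 * Returns 0 on success or the negative value from the NetLabel lookup,
 * in which case skb->secmark is left untouched. */
static int selinux_skb_set_secmark(struct sk_buff *skb)
{
	u32 sk_sid = SECSID_NULL;
	u32 xfrm_sid;
	u32 nlbl_sid;
	int err;

	if (skb->sk) {
		struct sk_security_struct *sksec = skb->sk->sk_security;
		sk_sid = sksec->sid;
	}
	selinux_skb_xfrm_sid(skb, &xfrm_sid);
	err = selinux_netlbl_skb_sid(skb, xfrm_sid ? xfrm_sid : sk_sid,
				     &nlbl_sid);
	if (err)
		return err;

	if (nlbl_sid)
		skb->secmark = nlbl_sid;
	else if (xfrm_sid)
		skb->secmark = xfrm_sid;
	else if (sk_sid)
		skb->secmark = sk_sid;
	return 0;
}

/* … unchanged: selinux_skb_flow_out() up to the secmark test … */
	if (!skb->secmark) {
		err = selinux_skb_set_secmark(skb);
		if (err)
			goto out;
	}
/* … unchanged: AVC_AUDIT_DATA_INIT and the rest of selinux_skb_flow_out() … */
```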
AVC_AUDIT_DATA_INIT(&ad, NET);
@@ -3923,17 +3967,30 @@ static unsigned int selinux_ip_postroute
family, addrp, len);
else {
if (!skb->secmark) {
+ u32 sk_sid;
u32 xfrm_sid;
+ u32 nlbl_sid;
+
+ if (skb->sk) {
+ struct sk_security_struct *sksec =
+ skb->sk->sk_security;
+ sk_sid = sksec->sid;
+ } else
+ sk_sid = SECSID_NULL;
selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ err = selinux_netlbl_skb_sid(skb,
+ xfrm_sid ? xfrm_sid : sk_sid,
+ &nlbl_sid);
+ if (err)
+ goto out;
- if (xfrm_sid)
+ if (nlbl_sid)
+ skb->secmark = nlbl_sid;
+ else if (xfrm_sid)
skb->secmark = xfrm_sid;
- else if (skb->sk) {
- struct sk_security_struct *sksec =
- skb->sk->sk_security;
- skb->secmark = sksec->sid;
- }
+ else if (sk_sid)
+ skb->secmark = sk_sid;
}
if (out == &loopback_dev)
return NF_ACCEPT;
Index: net-2.6_secidfinal/security/selinux/include/objsec.h
===================================================================
--- net-2.6_secidfinal.orig/security/selinux/include/objsec.h
+++ net-2.6_secidfinal/security/selinux/include/objsec.h
@@ -102,7 +102,6 @@ struct sk_security_struct {
u32 sid; /* SID of this object */
u32 peer_sid; /* SID of peer */
#ifdef CONFIG_NETLABEL
- u16 sclass; /* sock security class */
enum { /* NetLabel state */
NLBL_UNSET = 0,
NLBL_REQUIRE,
Index: net-2.6_secidfinal/security/selinux/include/selinux_netlabel.h
===================================================================
--- net-2.6_secidfinal.orig/security/selinux/include/selinux_netlabel.h
+++ net-2.6_secidfinal/security/selinux/include/selinux_netlabel.h
@@ -42,17 +42,16 @@ int selinux_netlbl_socket_post_create(st
int sock_family,
u32 sid);
void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
-u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid);
-int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+int selinux_netlbl_sock_rcv_skb(u32 sock_sid,
+ u16 sock_class,
struct sk_buff *skb,
struct avc_audit_data *ad);
-u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);
-u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);
void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
int family);
void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
struct sk_security_struct *newssec);
int selinux_netlbl_inode_permission(struct inode *inode, int mask);
+int selinux_netlbl_skb_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);
#else
static inline void selinux_netlbl_cache_invalidate(void)
{
@@ -72,29 +71,14 @@ static inline void selinux_netlbl_sock_g
return;
}
-static inline u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb,
- u32 sock_sid)
-{
- return SECSID_NULL;
-}
-
-static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+static inline int selinux_netlbl_sock_rcv_skb(u32 sock_sid,
+ u16 sock_class,
struct sk_buff *skb,
struct avc_audit_data *ad)
{
return 0;
}
-static inline u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
-{
- return SECSID_NULL;
-}
-
-static inline u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
-{
- return SECSID_NULL;
-}
-
static inline void selinux_netlbl_sk_security_init(
struct sk_security_struct *ssec,
int family)
@@ -114,6 +98,14 @@ static inline int selinux_netlbl_inode_p
{
return 0;
}
+
+static inline int selinux_netlbl_skb_sid(struct sk_buff *skb,
+ u32 base_sid,
+ u32 *sid)
+{
+ *sid = SECSID_NULL;
+ return 0;
+}
#endif /* CONFIG_NETLABEL */
#endif
Index: net-2.6_secidfinal/security/selinux/ss/services.c
===================================================================
--- net-2.6_secidfinal.orig/security/selinux/ss/services.c
+++ net-2.6_secidfinal/security/selinux/ss/services.c
@@ -51,6 +51,7 @@
#include "selinux_netlabel.h"
extern void selnl_notify_policyload(u32 seqno);
+extern int selinux_compat_net;
unsigned int policydb_loaded_version;
static DEFINE_RWLOCK(policy_rwlock);
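Review bot: The added `extern int selinux_compat_net;` declares a variable defined in another translation unit directly in services.c, which kernel style (checkpatch) flags; the declaration belongs in a shared header under security/selinux/include/ so the definition and every use are checked against one declaration. The line above it does the same for selnl_notify_policyload(), so this follows an existing pattern in the file rather than introducing it, but the new use in selinux_netlbl_sock_graft() below is a reasonable moment to move both.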
@@ -2336,7 +2337,7 @@ static int selinux_netlbl_secattr_to_sid
selinux_netlbl_cache_add(skb, &ctx_new);
ebitmap_destroy(&ctx_new.range.level[0].cat);
} else {
- *sid = SECINITSID_UNLABELED;
+ *sid = SECSID_NULL;
rc = 0;
}
@@ -2349,7 +2350,7 @@ netlbl_secattr_to_sid_return_cleanup:
}
/**
- * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
+ * selinux_netlbl_skb_sid - Get the SID of a packet using NetLabel
* @skb: the packet
* @base_sid: the SELinux SID to use as a context for MLS only attributes
* @sid: the SID
@@ -2360,9 +2361,7 @@ netlbl_secattr_to_sid_return_cleanup:
* assign to the packet. Returns zero on success, negative values on failure.
*
*/
-static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
- u32 base_sid,
- u32 *sid)
+int selinux_netlbl_skb_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
{
int rc;
struct netlbl_lsm_secattr secattr;
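Review bot: The kerneldoc for the renamed selinux_netlbl_skb_sid() still says only that it "Returns zero on success, negative values on failure", but the previous hunk changes selinux_netlbl_secattr_to_sid() to store SECSID_NULL instead of SECINITSID_UNLABELED when the packet carries no NetLabel attributes, and every new caller in hooks.c relies on that (`if (nlbl_sid)`, `peer_secid == SECSID_NULL`). Add a sentence to the description: `On success @sid is SECSID_NULL when the packet carries no NetLabel security attributes, and callers must fall back to another label in that case.` The non-CONFIG_NETLABEL stub in selinux_netlabel.h encodes the same contract and could carry the same comment.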
@@ -2459,7 +2458,6 @@ void selinux_netlbl_sk_security_init(str
void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
struct sk_security_struct *newssec)
{
- newssec->sclass = ssec->sclass;
if (ssec->nlbl_state != NLBL_UNSET)
newssec->nlbl_state = NLBL_REQUIRE;
else
@@ -2481,11 +2479,8 @@ int selinux_netlbl_socket_post_create(st
int sock_family,
u32 sid)
{
- struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
struct sk_security_struct *sksec = sock->sk->sk_security;
- sksec->sclass = isec->sclass;
-
if (sock_family != PF_INET)
return 0;
@@ -2505,24 +2500,23 @@ int selinux_netlbl_socket_post_create(st
*/
void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
{
- struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr secattr;
u32 nlbl_peer_sid;
- sksec->sclass = isec->sclass;
-
if (sk->sk_family != PF_INET)
return;
- netlbl_secattr_init(&secattr);
- if (netlbl_sock_getattr(sk, &secattr) == 0 &&
- selinux_netlbl_secattr_to_sid(NULL,
- &secattr,
- sksec->sid,
- &nlbl_peer_sid) == 0)
- sksec->peer_sid = nlbl_peer_sid;
- netlbl_secattr_destroy(&secattr);
+ if (selinux_compat_net) {
+ netlbl_secattr_init(&secattr);
+ if (netlbl_sock_getattr(sk, &secattr) == 0 &&
+ selinux_netlbl_secattr_to_sid(NULL,
+ &secattr,
+ SECINITSID_UNLABELED,
+ &nlbl_peer_sid) == 0)
+ sksec->peer_sid = nlbl_peer_sid;
+ netlbl_secattr_destroy(&secattr);
+ }
sksec->nlbl_state = NLBL_REQUIRE;
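Review bot: Two changes in selinux_netlbl_sock_graft() are left unexplained: the NetLabel peer SID is now derived only when `selinux_compat_net` is set, and the base SID passed to selinux_netlbl_secattr_to_sid() changes from `sksec->sid` to SECINITSID_UNLABELED, while selinux_inet_conn_request() in this same patch still passes `sksec->sid` as the base. If the non-compat path obtains the peer SID another way (presumably through req->secid from selinux_inet_conn_request(), which is outside this diff), a comment on the `if (selinux_compat_net)` line saying so would stop the next reader from treating the missing else-branch as a bug. The choice of base SID also deserves a line, since the MLS-only attributes are interpreted against it and the two call sites may now yield different non-MLS components for the same packet label.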
@@ -2533,32 +2527,6 @@ void selinux_netlbl_sock_graft(struct so
}
/**
- * selinux_netlbl_inet_conn_request - Handle a new connection request
- * @skb: the packet
- * @sock_sid: the SID of the parent socket
- *
- * Description:
- * If present, use the security attributes of the packet in @skb and the
- * parent sock's SID to arrive at a SID for the new child sock. Returns the
- * SID of the connection or SECSID_NULL on failure.
- *
- */
-u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
-{
- int rc;
- u32 peer_sid;
-
- rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);
- if (rc != 0)
- return SECSID_NULL;
-
- if (peer_sid == SECINITSID_UNLABELED)
- return SECSID_NULL;
-
- return peer_sid;
-}
-
-/**
* selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
* @inode: the file descriptor's inode
* @mask: the permission mask
@@ -2598,7 +2566,8 @@ int selinux_netlbl_inode_permission(stru
/**
* selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
- * @sksec: the sock's sk_security_struct
+ * @sock_sid: the socket's SID
+ * @sock_class: the socket's class
* @skb: the packet
* @ad: the audit data
*
@@ -2608,7 +2577,8 @@ int selinux_netlbl_inode_permission(stru
* error.
*
*/
-int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+int selinux_netlbl_sock_rcv_skb(u32 sock_sid,
+ u16 sock_class,
struct sk_buff *skb,
struct avc_audit_data *ad)
{
@@ -2616,14 +2586,14 @@ int selinux_netlbl_sock_rcv_skb(struct s
u32 netlbl_sid;
u32 recv_perm;
- rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &netlbl_sid);
+ rc = selinux_netlbl_skb_sid(skb, SECINITSID_UNLABELED, &netlbl_sid);
if (rc != 0)
return rc;
- if (netlbl_sid == SECINITSID_UNLABELED)
+ if (netlbl_sid == SECSID_NULL)
return 0;
- switch (sksec->sclass) {
+ switch (sock_class) {
case SECCLASS_UDP_SOCKET:
recv_perm = UDP_SOCKET__RECVFROM;
break;
@@ -2634,61 +2604,15 @@ int selinux_netlbl_sock_rcv_skb(struct s
recv_perm = RAWIP_SOCKET__RECVFROM;
}
- rc = avc_has_perm(sksec->sid,
+ rc = avc_has_perm(sock_sid,
netlbl_sid,
- sksec->sclass,
+ sock_class,
recv_perm,
ad);
if (rc == 0)
return 0;
- netlbl_skbuff_err(skb, rc);
+ netlbl_skbuff_err(skb, rc, 0);
return rc;
}
-
-/**
- * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
- * @sock: the socket
- *
- * Description:
- * Examine @sock to find the connected peer's SID. Returns the SID on success
- * or SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
-{
- struct sk_security_struct *sksec = sock->sk->sk_security;
-
- if (sksec->peer_sid == SECINITSID_UNLABELED)
- return SECSID_NULL;
-
- return sksec->peer_sid;
-}
-
-/**
- * selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet
- * @skb: the packet
- *
- * Description:
- * Examine @skb to find the SID assigned to it by NetLabel. Returns the SID on
- * success, SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
-{
- int peer_sid;
- struct sock *sk = skb->sk;
- struct inode_security_struct *isec;
-
- if (sk == NULL || sk->sk_socket == NULL)
- return SECSID_NULL;
-
- isec = SOCK_INODE(sk->sk_socket)->i_security;
- if (selinux_netlbl_skbuff_getsid(skb, isec->sid, &peer_sid) != 0)
- return SECSID_NULL;
- if (peer_sid == SECINITSID_UNLABELED)
- return SECSID_NULL;
-
- return peer_sid;
-}
#endif /* CONFIG_NETLABEL */
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: paul.moore@hp.com
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: vyekkirala@TrustedCS.com, jmorris@namei.org, sds@tycho.nsa.gov,
Paul Moore <paul.moore@hp.com>
Subject: [PATCH 11/11] secid reconciliation: support for NetLabel
Date: Mon, 09 Oct 2006 15:42:34 -0400 [thread overview]
Message-ID: <20061009195853.495026000@hp.com> (raw)
In-Reply-To: 20061009194223.402695000@hp.com
[-- Attachment #1: secid-netlabel --]
[-- Type: text/plain, Size: 21147 bytes --]
From: Paul Moore <paul.moore@hp.com>
This patch provides the missing NetLabel support to the secid reconciliation
patchset.
This includes a change to the security_skb_flow_in() LSM hook to indicate if
the hook is in the forwarding path and a change to netlbl_skbuff_err() to carry
the forwarding information to the lower protocol level. This was required to
meet the CIPSO specifications regarding handling permission denied errors.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
include/linux/security.h | 10 +-
include/net/netlabel.h | 6 -
include/net/xfrm.h | 4
net/netlabel/netlabel_kapi.c | 5 -
security/dummy.c | 3
security/selinux/hooks.c | 139 +++++++++++++++++++---------
security/selinux/include/objsec.h | 1
security/selinux/include/selinux_netlabel.h | 34 ++----
security/selinux/ss/services.c | 124 ++++--------------------
9 files changed, 153 insertions(+), 173 deletions(-)
Index: net-2.6_secidfinal/include/linux/security.h
===================================================================
--- net-2.6_secidfinal.orig/include/linux/security.h
+++ net-2.6_secidfinal/include/linux/security.h
@@ -1385,7 +1385,7 @@ struct security_operations {
void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb);
void (*igmp_classify_skb)(struct sk_buff *skb);
- int (*skb_flow_in)(struct sk_buff *skb, unsigned short family);
+ int (*skb_flow_in)(struct sk_buff *skb, unsigned short family, u32 fwd);
int (*skb_flow_out)(struct sk_buff *skb, u32 nf_secid,
const struct net_device *out, unsigned short family);
#endif /* CONFIG_SECURITY_NETWORK */
@@ -2964,9 +2964,10 @@ static inline void security_igmp_classif
}
static inline int security_skb_flow_in(struct sk_buff *skb,
- unsigned short family)
+ unsigned short family,
+ u32 fwd)
{
- return security_ops->skb_flow_in(skb, family);
+ return security_ops->skb_flow_in(skb, family, fwd);
}
static inline int security_skb_flow_out(struct sk_buff *skb,
@@ -3134,7 +3135,8 @@ static inline void security_igmp_classif
}
static inline int security_skb_flow_in(struct sk_buff *skb,
- unsigned short family)
+ unsigned short family,
+ u32 fwd)
{
return 1;
}
Index: net-2.6_secidfinal/include/net/netlabel.h
===================================================================
--- net-2.6_secidfinal.orig/include/net/netlabel.h
+++ net-2.6_secidfinal/include/net/netlabel.h
@@ -237,7 +237,7 @@ int netlbl_socket_getattr(const struct s
struct netlbl_lsm_secattr *secattr);
int netlbl_skbuff_getattr(const struct sk_buff *skb,
struct netlbl_lsm_secattr *secattr);
-void netlbl_skbuff_err(struct sk_buff *skb, int error);
+void netlbl_skbuff_err(struct sk_buff *skb, int error, u32 gateway);
#else
static inline int netlbl_socket_setattr(const struct socket *sock,
const struct netlbl_lsm_secattr *secattr)
@@ -263,7 +263,9 @@ static inline int netlbl_skbuff_getattr(
return -ENOSYS;
}
-static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)
+static inline void netlbl_skbuff_err(struct sk_buff *skb,
+ int error,
+ u32 gateway)
{
return;
}
Index: net-2.6_secidfinal/include/net/xfrm.h
===================================================================
--- net-2.6_secidfinal.orig/include/net/xfrm.h
+++ net-2.6_secidfinal/include/net/xfrm.h
@@ -685,7 +685,9 @@ static inline int xfrm_policy_check(stru
__xfrm_policy_check(sk, dir, skb, family);
if (ret)
- ret = security_skb_flow_in(skb, family);
+ ret = security_skb_flow_in(skb,
+ family,
+ dir == XFRM_POLICY_FWD ? 1 : 0);
return ret;
}
Index: net-2.6_secidfinal/net/netlabel/netlabel_kapi.c
===================================================================
--- net-2.6_secidfinal.orig/net/netlabel/netlabel_kapi.c
+++ net-2.6_secidfinal/net/netlabel/netlabel_kapi.c
@@ -159,6 +159,7 @@ int netlbl_skbuff_getattr(const struct s
* netlbl_skbuff_err - Handle a LSM error on a sk_buff
* @skb: the packet
* @error: the error code
+ * @gateway: true if the packet is being forwarded and not consumed locally
*
* Description:
* Deal with a LSM problem when handling the packet in @skb, typically this is
@@ -166,10 +167,10 @@ int netlbl_skbuff_getattr(const struct s
* according to the packet's labeling protocol.
*
*/
-void netlbl_skbuff_err(struct sk_buff *skb, int error)
+void netlbl_skbuff_err(struct sk_buff *skb, int error, u32 gateway)
{
if (CIPSO_V4_OPTEXIST(skb))
- cipso_v4_error(skb, error, 0);
+ cipso_v4_error(skb, error, gateway);
}
/**
Index: net-2.6_secidfinal/security/dummy.c
===================================================================
--- net-2.6_secidfinal.orig/security/dummy.c
+++ net-2.6_secidfinal/security/dummy.c
@@ -838,7 +838,8 @@ static inline void dummy_igmp_classify_s
}
static inline int dummy_skb_flow_in(struct sk_buff *skb,
- unsigned short family)
+ unsigned short family,
+ u32 fwd)
{
return -ENOENT;
}
Index: net-2.6_secidfinal/security/selinux/hooks.c
===================================================================
--- net-2.6_secidfinal.orig/security/selinux/hooks.c
+++ net-2.6_secidfinal/security/selinux/hooks.c
@@ -50,6 +50,7 @@
#include <net/icmp.h>
#include <net/ip.h> /* for sysctl_local_port_range[] */
#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
+#include <net/netlabel.h>
#include <asm/uaccess.h>
#include <asm/ioctls.h>
#include <linux/bitops.h>
@@ -3465,6 +3466,10 @@ static int selinux_sock_rcv_skb_compat(s
goto out;
}
+ err = selinux_netlbl_sock_rcv_skb(sock_sid, sock_class, skb, ad);
+ if (err)
+ goto out;
+
err = selinux_xfrm_sock_rcv_skb(sock_sid, skb, ad);
out:
@@ -3498,13 +3503,15 @@ static int selinux_socket_sock_rcv_skb(s
if (selinux_compat_net)
err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
addrp, len);
- else
+ else {
err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
PACKET__RECV, &ad);
- if (err)
- goto out;
+ if (err)
+ /* This is okay because NetLabel will only act here
+ * if the packet is labeled with NetLabel already. */
+ netlbl_skbuff_err(skb, err, 0);
+ }
- err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
out:
return err;
}
@@ -3527,11 +3534,8 @@ static int selinux_socket_getpeersec_str
peer_sid = ssec->peer_sid;
}
else if (isec->sclass == SECCLASS_TCP_SOCKET) {
- peer_sid = selinux_netlbl_socket_getpeersec_stream(sock);
- if (peer_sid == SECSID_NULL) {
- ssec = sock->sk->sk_security;
- peer_sid = ssec->peer_sid;
- }
+ ssec = sock->sk->sk_security;
+ peer_sid = ssec->peer_sid;
if (peer_sid == SECSID_NULL) {
err = -ENOPROTOOPT;
goto out;
@@ -3573,13 +3577,17 @@ static int selinux_socket_getpeersec_dgr
if (sock && (sock->sk->sk_family == PF_UNIX))
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb) {
- peer_secid = selinux_netlbl_socket_getpeersec_dgram(skb);
- if (peer_secid == SECSID_NULL) {
- if (selinux_compat_net)
- peer_secid = selinux_socket_getpeer_dgram(skb);
- else
- peer_secid = skb->secmark;
- }
+ if (selinux_compat_net) {
+ u32 xfrm_peer_secid;
+
+ xfrm_peer_secid = selinux_socket_getpeer_dgram(skb);
+ err = selinux_netlbl_skb_sid(skb,
+ xfrm_peer_secid,
+ &peer_secid);
+ if (err == 0 && peer_secid == SECSID_NULL)
+ peer_secid = xfrm_peer_secid;
+ } else
+ peer_secid = skb->secmark;
}
if (peer_secid == SECSID_NULL)
@@ -3641,13 +3649,11 @@ static int selinux_inet_conn_request(str
u32 newsid;
u32 peersid;
- newsid = selinux_netlbl_inet_conn_request(skb, sksec->sid);
- if (newsid != SECSID_NULL) {
- req->secid = newsid;
- return 0;
- }
-
if (selinux_compat_net) {
+ err = selinux_netlbl_skb_sid(skb, sksec->sid, &peersid);
+ if (err == 0 && peersid != SECSID_NULL)
+ goto out;
+
err = selinux_xfrm_decode_session(skb, &peersid, 0);
BUG_ON(err);
@@ -3659,6 +3665,7 @@ static int selinux_inet_conn_request(str
} else
peersid = skb->secmark;
+out:
err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
if (err)
return err;
@@ -3696,9 +3703,14 @@ static void selinux_igmp_classify_skb(st
skb->secmark = SECINITSID_IGMP_PACKET;
}
-static int selinux_skb_flow_in(struct sk_buff *skb, unsigned short family)
+static int selinux_skb_flow_in(struct sk_buff *skb,
+ unsigned short family,
+ u32 fwd)
{
u32 xfrm_sid;
+ u32 nlbl_sid;
+ u32 nlbl_base_sid;
+ u32 ext_sid;
int err;
struct avc_audit_data ad;
char *addrp;
@@ -3724,20 +3736,38 @@ static int selinux_skb_flow_in(struct sk
err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0);
BUG_ON(err);
- err = avc_has_perm(xfrm_sid, skb->secmark? : SECINITSID_NETMSG,
- SECCLASS_PACKET,
- PACKET__FLOW_IN, &ad);
+ if (xfrm_sid)
+ nlbl_base_sid = xfrm_sid;
+ else if (skb->secmark)
+ nlbl_base_sid = skb->secmark;
+ else
+ nlbl_base_sid = SECINITSID_UNLABELED;
+ err = selinux_netlbl_skb_sid(skb, nlbl_base_sid, &nlbl_sid);
if (err)
goto out;
- if (xfrm_sid)
- skb->secmark = xfrm_sid;
+ if (nlbl_sid)
+ ext_sid = nlbl_sid;
+ else
+ ext_sid = xfrm_sid;
- /* See if NetLabel can flow in thru the current secmark here */
+ err = avc_has_perm(ext_sid,
+ skb->secmark ? skb->secmark : SECINITSID_NETMSG,
+ SECCLASS_PACKET,
+ PACKET__FLOW_IN,
+ &ad);
+ if (err) {
+ if (nlbl_sid)
+ netlbl_skbuff_err(skb, err, fwd);
+ goto out;
+ }
+
+ if (ext_sid)
+ skb->secmark = ext_sid;
out:
return err ? 0 : 1;
-};
+}
static int selinux_skb_flow_out(struct sk_buff *skb, u32 nf_secid,
const struct net_device *out, unsigned short family)
@@ -3752,16 +3782,30 @@ static int selinux_skb_flow_out(struct s
return 1;
if (!skb->secmark) {
+ u32 sk_sid;
u32 xfrm_sid;
+ u32 nlbl_sid;
+
+ if (skb->sk) {
+ struct sk_security_struct *sksec =
+ skb->sk->sk_security;
+ sk_sid = sksec->sid;
+ } else
+ sk_sid = SECSID_NULL;
selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ err = selinux_netlbl_skb_sid(skb,
+ xfrm_sid ? xfrm_sid : sk_sid,
+ &nlbl_sid);
+ if (err)
+ goto out;
- if (xfrm_sid)
+ if (nlbl_sid)
+ skb->secmark = nlbl_sid;
+ else if (xfrm_sid)
skb->secmark = xfrm_sid;
- else if (skb->sk) {
- struct sk_security_struct *sksec = skb->sk->sk_security;
- skb->secmark = sksec->sid;
- }
+ else if (sk_sid)
+ skb->secmark = sk_sid;
}
AVC_AUDIT_DATA_INIT(&ad, NET);
@@ -3923,17 +3967,30 @@ static unsigned int selinux_ip_postroute
family, addrp, len);
else {
if (!skb->secmark) {
+ u32 sk_sid;
u32 xfrm_sid;
+ u32 nlbl_sid;
+
+ if (skb->sk) {
+ struct sk_security_struct *sksec =
+ skb->sk->sk_security;
+ sk_sid = sksec->sid;
+ } else
+ sk_sid = SECSID_NULL;
selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ err = selinux_netlbl_skb_sid(skb,
+ xfrm_sid ? xfrm_sid : sk_sid,
+ &nlbl_sid);
+ if (err)
+ goto out;
- if (xfrm_sid)
+ if (nlbl_sid)
+ skb->secmark = nlbl_sid;
+ else if (xfrm_sid)
skb->secmark = xfrm_sid;
- else if (skb->sk) {
- struct sk_security_struct *sksec =
- skb->sk->sk_security;
- skb->secmark = sksec->sid;
- }
+ else if (sk_sid)
+ skb->secmark = sk_sid;
}
if (out == &loopback_dev)
return NF_ACCEPT;
Index: net-2.6_secidfinal/security/selinux/include/objsec.h
===================================================================
--- net-2.6_secidfinal.orig/security/selinux/include/objsec.h
+++ net-2.6_secidfinal/security/selinux/include/objsec.h
@@ -102,7 +102,6 @@ struct sk_security_struct {
u32 sid; /* SID of this object */
u32 peer_sid; /* SID of peer */
#ifdef CONFIG_NETLABEL
- u16 sclass; /* sock security class */
enum { /* NetLabel state */
NLBL_UNSET = 0,
NLBL_REQUIRE,
Index: net-2.6_secidfinal/security/selinux/include/selinux_netlabel.h
===================================================================
--- net-2.6_secidfinal.orig/security/selinux/include/selinux_netlabel.h
+++ net-2.6_secidfinal/security/selinux/include/selinux_netlabel.h
@@ -42,17 +42,16 @@ int selinux_netlbl_socket_post_create(st
int sock_family,
u32 sid);
void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
-u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid);
-int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+int selinux_netlbl_sock_rcv_skb(u32 sock_sid,
+ u16 sock_class,
struct sk_buff *skb,
struct avc_audit_data *ad);
-u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);
-u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);
void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
int family);
void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
struct sk_security_struct *newssec);
int selinux_netlbl_inode_permission(struct inode *inode, int mask);
+int selinux_netlbl_skb_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);
#else
static inline void selinux_netlbl_cache_invalidate(void)
{
@@ -72,29 +71,14 @@ static inline void selinux_netlbl_sock_g
return;
}
-static inline u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb,
- u32 sock_sid)
-{
- return SECSID_NULL;
-}
-
-static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+static inline int selinux_netlbl_sock_rcv_skb(u32 sock_sid,
+ u16 sock_class,
struct sk_buff *skb,
struct avc_audit_data *ad)
{
return 0;
}
-static inline u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
-{
- return SECSID_NULL;
-}
-
-static inline u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
-{
- return SECSID_NULL;
-}
-
static inline void selinux_netlbl_sk_security_init(
struct sk_security_struct *ssec,
int family)
@@ -114,6 +98,14 @@ static inline int selinux_netlbl_inode_p
{
return 0;
}
+
+static inline int selinux_netlbl_skb_sid(struct sk_buff *skb,
+ u32 base_sid,
+ u32 *sid)
+{
+ *sid = SECSID_NULL;
+ return 0;
+}
#endif /* CONFIG_NETLABEL */
#endif
Index: net-2.6_secidfinal/security/selinux/ss/services.c
===================================================================
--- net-2.6_secidfinal.orig/security/selinux/ss/services.c
+++ net-2.6_secidfinal/security/selinux/ss/services.c
@@ -51,6 +51,7 @@
#include "selinux_netlabel.h"
extern void selnl_notify_policyload(u32 seqno);
+extern int selinux_compat_net;
unsigned int policydb_loaded_version;
static DEFINE_RWLOCK(policy_rwlock);
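Review bot: `extern int selinux_compat_net;` is declared directly in services.c rather than in a header, which checkpatch flags because such a declaration is never checked against the variable's definition wherever it lives. Move the declaration to a header both translation units include — selinux_netlabel.h, included on the line above, or objsec.h, both touched by this patch — and drop the file-local extern.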
@@ -2336,7 +2337,7 @@ static int selinux_netlbl_secattr_to_sid
selinux_netlbl_cache_add(skb, &ctx_new);
ebitmap_destroy(&ctx_new.range.level[0].cat);
} else {
- *sid = SECINITSID_UNLABELED;
+ *sid = SECSID_NULL;
rc = 0;
}
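Review bot: The no-mapping result of selinux_netlbl_secattr_to_sid() changes from SECINITSID_UNLABELED to SECSID_NULL, and every caller in this patch now depends on that (`if (nlbl_sid)` in the hooks.c hunks, `== SECSID_NULL` in selinux_netlbl_sock_rcv_skb, and the `!CONFIG_NETLABEL` stub in selinux_netlabel.h), yet the kerneldoc of selinux_netlbl_skb_sid() two hunks below still only says "Returns zero on success, negative values on failure". Add to its description `* On success @sid is SECSID_NULL when the packet carries no NetLabel attributes; callers must treat that as "no label", not as the unlabeled SID.`, and put the same one-line comment above `*sid = SECSID_NULL;` in the header stub so the two implementations are visibly in agreement. selinux_netlbl_secattr_to_sid's body starts outside the hunk.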
@@ -2349,7 +2350,7 @@ netlbl_secattr_to_sid_return_cleanup:
}
/**
- * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
+ * selinux_netlbl_skb_sid - Get the SID of a packet using NetLabel
* @skb: the packet
* @base_sid: the SELinux SID to use as a context for MLS only attributes
* @sid: the SID
@@ -2360,9 +2361,7 @@ netlbl_secattr_to_sid_return_cleanup:
* assign to the packet. Returns zero on success, negative values on failure.
*
*/
-static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
- u32 base_sid,
- u32 *sid)
+int selinux_netlbl_skb_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
{
int rc;
struct netlbl_lsm_secattr secattr;
@@ -2459,7 +2458,6 @@ void selinux_netlbl_sk_security_init(str
void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
struct sk_security_struct *newssec)
{
- newssec->sclass = ssec->sclass;
if (ssec->nlbl_state != NLBL_UNSET)
newssec->nlbl_state = NLBL_REQUIRE;
else
@@ -2481,11 +2479,8 @@ int selinux_netlbl_socket_post_create(st
int sock_family,
u32 sid)
{
- struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
struct sk_security_struct *sksec = sock->sk->sk_security;
- sksec->sclass = isec->sclass;
-
if (sock_family != PF_INET)
return 0;
@@ -2505,24 +2500,23 @@ int selinux_netlbl_socket_post_create(st
*/
void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
{
- struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr secattr;
u32 nlbl_peer_sid;
- sksec->sclass = isec->sclass;
-
if (sk->sk_family != PF_INET)
return;
- netlbl_secattr_init(&secattr);
- if (netlbl_sock_getattr(sk, &secattr) == 0 &&
- selinux_netlbl_secattr_to_sid(NULL,
- &secattr,
- sksec->sid,
- &nlbl_peer_sid) == 0)
- sksec->peer_sid = nlbl_peer_sid;
- netlbl_secattr_destroy(&secattr);
+ if (selinux_compat_net) {
+ netlbl_secattr_init(&secattr);
+ if (netlbl_sock_getattr(sk, &secattr) == 0 &&
+ selinux_netlbl_secattr_to_sid(NULL,
+ &secattr,
+ SECINITSID_UNLABELED,
+ &nlbl_peer_sid) == 0)
+ sksec->peer_sid = nlbl_peer_sid;
+ netlbl_secattr_destroy(&secattr);
+ }
sksec->nlbl_state = NLBL_REQUIRE;
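Review bot: `sksec->peer_sid = nlbl_peer_sid` runs whenever the conversion returns 0, which after this patch includes the no-mapping case where nlbl_peer_sid is SECSID_NULL, so a peer_sid already established on the sock earlier in its lifetime would be overwritten with "no peer"; if another path can populate peer_sid before sock_graft runs, that is a silent downgrade, and the store should be `if (nlbl_peer_sid != SECSID_NULL) sksec->peer_sid = nlbl_peer_sid;` — please confirm which behaviour is intended. The MLS base passed to the conversion also changes from `sksec->sid` to SECINITSID_UNLABELED without an explanation in the commit message; a one-line comment on why the sock's own SID is no longer the context would save the next reader a bisect. selinux_netlbl_sock_graft's body continues outside the hunk.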
@@ -2533,32 +2527,6 @@ void selinux_netlbl_sock_graft(struct so
}
/**
- * selinux_netlbl_inet_conn_request - Handle a new connection request
- * @skb: the packet
- * @sock_sid: the SID of the parent socket
- *
- * Description:
- * If present, use the security attributes of the packet in @skb and the
- * parent sock's SID to arrive at a SID for the new child sock. Returns the
- * SID of the connection or SECSID_NULL on failure.
- *
- */
-u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
-{
- int rc;
- u32 peer_sid;
-
- rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);
- if (rc != 0)
- return SECSID_NULL;
-
- if (peer_sid == SECINITSID_UNLABELED)
- return SECSID_NULL;
-
- return peer_sid;
-}
-
-/**
* selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
* @inode: the file descriptor's inode
* @mask: the permission mask
@@ -2598,7 +2566,8 @@ int selinux_netlbl_inode_permission(stru
/**
* selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
- * @sksec: the sock's sk_security_struct
+ * @sock_sid: the socket's SID
+ * @sock_class: the socket's class
* @skb: the packet
* @ad: the audit data
*
@@ -2608,7 +2577,8 @@ int selinux_netlbl_inode_permission(stru
* error.
*
*/
-int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+int selinux_netlbl_sock_rcv_skb(u32 sock_sid,
+ u16 sock_class,
struct sk_buff *skb,
struct avc_audit_data *ad)
{
@@ -2616,14 +2586,14 @@ int selinux_netlbl_sock_rcv_skb(struct s
u32 netlbl_sid;
u32 recv_perm;
- rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &netlbl_sid);
+ rc = selinux_netlbl_skb_sid(skb, SECINITSID_UNLABELED, &netlbl_sid);
if (rc != 0)
return rc;
- if (netlbl_sid == SECINITSID_UNLABELED)
+ if (netlbl_sid == SECSID_NULL)
return 0;
- switch (sksec->sclass) {
+ switch (sock_class) {
case SECCLASS_UDP_SOCKET:
recv_perm = UDP_SOCKET__RECVFROM;
break;
@@ -2634,61 +2604,15 @@ int selinux_netlbl_sock_rcv_skb(struct s
recv_perm = RAWIP_SOCKET__RECVFROM;
}
- rc = avc_has_perm(sksec->sid,
+ rc = avc_has_perm(sock_sid,
netlbl_sid,
- sksec->sclass,
+ sock_class,
recv_perm,
ad);
if (rc == 0)
return 0;
- netlbl_skbuff_err(skb, rc);
+ netlbl_skbuff_err(skb, rc, 0);
return rc;
}
-
-/**
- * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
- * @sock: the socket
- *
- * Description:
- * Examine @sock to find the connected peer's SID. Returns the SID on success
- * or SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
-{
- struct sk_security_struct *sksec = sock->sk->sk_security;
-
- if (sksec->peer_sid == SECINITSID_UNLABELED)
- return SECSID_NULL;
-
- return sksec->peer_sid;
-}
-
-/**
- * selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet
- * @skb: the packet
- *
- * Description:
- * Examine @skb to find the SID assigned to it by NetLabel. Returns the SID on
- * success, SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
-{
- int peer_sid;
- struct sock *sk = skb->sk;
- struct inode_security_struct *isec;
-
- if (sk == NULL || sk->sk_socket == NULL)
- return SECSID_NULL;
-
- isec = SOCK_INODE(sk->sk_socket)->i_security;
- if (selinux_netlbl_skbuff_getsid(skb, isec->sid, &peer_sid) != 0)
- return SECSID_NULL;
- if (peer_sid == SECINITSID_UNLABELED)
- return SECSID_NULL;
-
- return peer_sid;
-}
#endif /* CONFIG_NETLABEL */
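Review bot: `netlbl_skbuff_err(skb, rc, 0)` passes the new forwarding flag as a bare literal, and the commit message says that flag exists precisely because CIPSO handles a permission-denied differently on the forwarding path, so the reader needs to see that this call is the local-delivery case. Annotate it, `netlbl_skbuff_err(skb, rc, 0); /* not forwarding: sock-level receive check */`, or give the literal a named constant shared with the hook callers. selinux_netlbl_sock_rcv_skb's body starts outside the hunk; the remainder of the hunk only removes the getpeersec helpers.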
--
paul moore
linux security @ hp