[RFC 0/4] NetLabel fixups/cleanups

[RFC 0/4] NetLabel fixups/cleanups

[Paul Moore]

This is a collection of various fixups/cleanups (mostly the latter) that
various people have requested over the past few months.  The most noteworthy
change in this patchset is an effort to get the NetLabel support out of the
SELinux security server and into the general SELinux code.

The patch is based off the current net-2.6 git tree, although I suspect with a
little bit of fuzz it should apply to 2.6.20 and 2.6.21-rc1 for those who like
to live dangerously.  This patchset most likely needs a little more work and
testing before I feel comfortable submitting it for inclusion, but a little
birdie suggested I post them as an RFC patchset.

So without further ado, here they are ... please take a look at the patches and
send me any comments you may have.  I know you're not a bashful bunch ;)

Thanks.

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[RFC 1/4] NetLabel: cleanup and document CIPSO constants

[Paul Moore]

This patch collects all of the CIPSO constants and puts them in one place; it
also documents each value explaining how the value is derived.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 net/ipv4/cipso_ipv4.c |   37 +++++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)

Index: net-2.6_future/net/ipv4/cipso_ipv4.c
===================================================================
--- net-2.6_future.orig/net/ipv4/cipso_ipv4.c
+++ net-2.6_future/net/ipv4/cipso_ipv4.c
@@ -92,6 +92,33 @@ int cipso_v4_rbm_optfmt = 0;
 int cipso_v4_rbm_strictvalid = 1;
 
 /*
+ * Protocol Constants
+ */
+
+/* Maximum size of the CIPSO IP option, derived from the fact that the maximum
+ * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */
+#define CIPSO_V4_OPT_LEN_MAX          40
+
+/* Length of the base CIPSO option, this includes the option type (1 byte), the
+ * option length (1 byte), and the DOI (4 bytes). */
+#define CIPSO_V4_HDR_LEN              6
+
+/* Base length of the restrictive category bitmap tag (tag #1). */
+#define CIPSO_V4_TAG_RBM_BLEN         4
+
+/* Base length of the enumerated category tag (tag #2). */
+#define CIPSO_V4_TAG_ENUM_BLEN        4
+
+/* Base length of the ranged categories bitmap tag (tag #5). */
+#define CIPSO_V4_TAG_RNG_BLEN         4
+/* The maximum number of category ranges permitted in the ranged category tag
+ * (tag #5).  You may note that the IETF draft states that the maximum number
+ * of category ranges is 7, but if the low end of the last category range is
+ * zero then it is possibile to fit 8 category ranges because the zero should
+ * be omitted. */
+#define CIPSO_V4_TAG_RNG_CAT_MAX      8
+
+/*
  * Helper Functions
  */
 
@@ -1108,15 +1135,12 @@ static int cipso_v4_map_cat_rng_hton(con
 				     unsigned char *net_cat,
 				     u32 net_cat_len)
 {
-	/* The constant '16' is not random, it is the maximum number of
-	 * high/low category range pairs as permitted by the CIPSO draft based
-	 * on a maximum IPv4 header length of 60 bytes - the BUG_ON() assertion
-	 * does a sanity check to make sure we don't overflow the array. */
 	int iter = -1;
-	u16 array[16];
+	u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2];
 	u32 array_cnt = 0;
 	u32 cat_size = 0;
 
+	/* make sure we don't overflow the 'array[]' variable */
 	BUG_ON(net_cat_len > 30);
 
 	for (;;) {
@@ -1195,9 +1219,6 @@ static int cipso_v4_map_cat_rng_ntoh(con
  * Protocol Handling Functions
  */
 
-#define CIPSO_V4_OPT_LEN_MAX          40
-#define CIPSO_V4_HDR_LEN              6
-
 /**
  * cipso_v4_gentag_hdr - Generate a CIPSO option header
  * @doi_def: the DOI definition

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[RFC 2/4] NetLabel: convert a BUG_ON in the CIPSO code to a runtime check

[Paul Moore]

This patch changes a BUG_ON in the CIPSO code to a runtime check.  It should
also increase the readability of the code as it replaces an unexplained
constant with a well defined macro.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 net/ipv4/cipso_ipv4.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Index: net-2.6_future/net/ipv4/cipso_ipv4.c
===================================================================
--- net-2.6_future.orig/net/ipv4/cipso_ipv4.c
+++ net-2.6_future/net/ipv4/cipso_ipv4.c
@@ -1141,7 +1141,9 @@ static int cipso_v4_map_cat_rng_hton(con
 	u32 cat_size = 0;
 
 	/* make sure we don't overflow the 'array[]' variable */
-	BUG_ON(net_cat_len > 30);
+	if (net_cat_len >
+	    (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN))
+		return -ENOSPC;
 
 	for (;;) {
 		iter = netlbl_secattr_catmap_walk(secattr->mls_cat, iter + 1);

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[RFC 3/4] SELinux: extract the NetLabel SELinux support from the security server

[Paul Moore]

Up until this patch the functions which have provided NetLabel support to
SELinux have been integrated into the SELinux security server, which for
various reasons is not really ideal.  This patch makes an effort to extract as
much of the NetLabel support from the security server as possibile and move it
into it's own file within the SELinux directory structure.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 net/netlabel/netlabel_kapi.c                |    3 
 security/selinux/Makefile                   |    2 
 security/selinux/include/security.h         |   24 +
 security/selinux/include/selinux_netlabel.h |   71 ++--
 security/selinux/netlabel.c                 |  363 ++++++++++++++++++++++++
 security/selinux/ss/services.c              |  423 +++-------------------------
 6 files changed, 481 insertions(+), 405 deletions(-)

Index: net-2.6_future/net/netlabel/netlabel_kapi.c
===================================================================
--- net-2.6_future.orig/net/netlabel/netlabel_kapi.c
+++ net-2.6_future/net/netlabel/netlabel_kapi.c
@@ -263,9 +263,6 @@ int netlbl_socket_setattr(const struct s
 	int ret_val = -ENOENT;
 	struct netlbl_dom_map *dom_entry;
 
-	if ((secattr->flags & NETLBL_SECATTR_DOMAIN) == 0)
-		return -ENOENT;
-
 	rcu_read_lock();
 	dom_entry = netlbl_domhsh_getentry(secattr->domain);
 	if (dom_entry == NULL)
Index: net-2.6_future/security/selinux/Makefile
===================================================================
--- net-2.6_future.orig/security/selinux/Makefile
+++ net-2.6_future/security/selinux/Makefile
@@ -8,5 +8,7 @@ selinux-y := avc.o hooks.o selinuxfs.o n
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 
+selinux-$(CONFIG_NETLABEL) += netlabel.o
+
 EXTRA_CFLAGS += -Isecurity/selinux/include
 
Index: net-2.6_future/security/selinux/include/security.h
===================================================================
--- net-2.6_future.orig/security/selinux/include/security.h
+++ net-2.6_future/security/selinux/include/security.h
@@ -35,6 +35,7 @@
 #endif
 
 struct sk_buff;
+struct netlbl_lsm_secattr;
 
 extern int selinux_enabled;
 extern int selinux_mls_enabled;
@@ -102,5 +103,28 @@ int security_fs_use(const char *fstype, 
 int security_genfs_sid(const char *fstype, char *name, u16 sclass,
 	u32 *sid);
 
+#ifdef CONFIG_NETLABEL
+int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
+				   u32 base_sid,
+				   u32 *sid);
+
+int security_netlbl_sid_to_secattr(u32 sid,
+				   struct netlbl_lsm_secattr *secattr);
+#else
+static inline int security_netlbl_secattr_to_sid(
+					    struct netlbl_lsm_secattr *secattr,
+					    u32 base_sid,
+					    u32 *sid)
+{
+	return -EIDRM;
+}
+
+static inline int security_netlbl_sid_to_secattr(u32 sid,
+					   struct netlbl_lsm_secattr *secattr)
+{
+	return -ENOENT;
+}
+#endif /* CONFIG_NETLABEL */
+
 #endif /* _SELINUX_SECURITY_H_ */
 
Index: net-2.6_future/security/selinux/include/selinux_netlabel.h
===================================================================
--- net-2.6_future.orig/security/selinux/include/selinux_netlabel.h
+++ net-2.6_future/security/selinux/include/selinux_netlabel.h
@@ -38,19 +38,22 @@
 
 #ifdef CONFIG_NETLABEL
 void selinux_netlbl_cache_invalidate(void);
-int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
-int selinux_netlbl_socket_post_create(struct socket *sock);
-void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
-int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
-				struct sk_buff *skb,
-				struct avc_audit_data *ad);
+
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
 				      int family);
 void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
 				     int family);
 void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
 				      struct sk_security_struct *newssec);
+
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
+
+void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
+int selinux_netlbl_socket_post_create(struct socket *sock);
 int selinux_netlbl_inode_permission(struct inode *inode, int mask);
+int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+				struct sk_buff *skb,
+				struct avc_audit_data *ad);
 int selinux_netlbl_socket_setsockopt(struct socket *sock,
 				     int level,
 				     int optname);
@@ -60,59 +63,53 @@ static inline void selinux_netlbl_cache_
 	return;
 }
 
-static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
-					       u32 base_sid,
-					       u32 *sid)
+static inline void selinux_netlbl_sk_security_reset(
+	                                       struct sk_security_struct *ssec,
+					       int family)
 {
-	*sid = SECSID_NULL;
-	return 0;
+	return;
 }
-
-static inline int selinux_netlbl_socket_post_create(struct socket *sock)
+static inline void selinux_netlbl_sk_security_init(
+	                                       struct sk_security_struct *ssec,
+					       int family)
 {
-	return 0;
+	return;
 }
-
-static inline void selinux_netlbl_sock_graft(struct sock *sk,
-					     struct socket *sock)
+static inline void selinux_netlbl_sk_security_clone(
+	                                    struct sk_security_struct *ssec,
+					    struct sk_security_struct *newssec)
 {
 	return;
 }
 
-static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
-					      struct sk_buff *skb,
-					      struct avc_audit_data *ad)
+static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+					       u32 base_sid,
+					       u32 *sid)
 {
+	*sid = SECSID_NULL;
 	return 0;
 }
 
-static inline void selinux_netlbl_sk_security_reset(
-					       struct sk_security_struct *ssec,
-					       int family)
-{
-	return;
-}
-
-static inline void selinux_netlbl_sk_security_init(
-	                                       struct sk_security_struct *ssec,
-					       int family)
+static inline void selinux_netlbl_sock_graft(struct sock *sk,
+					     struct socket *sock)
 {
 	return;
 }
-
-static inline void selinux_netlbl_sk_security_clone(
-	                                   struct sk_security_struct *ssec,
-					   struct sk_security_struct *newssec)
+static inline int selinux_netlbl_socket_post_create(struct socket *sock)
 {
-	return;
+	return 0;
 }
-
 static inline int selinux_netlbl_inode_permission(struct inode *inode,
 						  int mask)
 {
 	return 0;
 }
-
+static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+					      struct sk_buff *skb,
+					      struct avc_audit_data *ad)
+{
+	return 0;
+}
 static inline int selinux_netlbl_socket_setsockopt(struct socket *sock,
 						   int level,
 						   int optname)
Index: net-2.6_future/security/selinux/netlabel.c
===================================================================
--- /dev/null
+++ net-2.6_future/security/selinux/netlabel.c
@@ -0,0 +1,363 @@
+/*
+ * SELinux NetLabel Support
+ *
+ * This file provides the necessary glue to tie NetLabel into the SELinux
+ * subsystem.
+ *
+ * Author: Paul Moore <paul.moore@hp.com>
+ *
+ */
+
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2007
+ *
+ * This program is free software;  you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program;  if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+#include <linux/spinlock.h>
+#include <linux/rcupdate.h>
+#include <net/sock.h>
+#include <net/netlabel.h>
+
+#include "objsec.h"
+#include "security.h"
+
+/**
+ * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
+ * @sock: the socket to label
+ * @sid: the SID to use
+ *
+ * Description:
+ * Attempt to label a socket using the NetLabel mechanism using the given
+ * SID.  Returns zero values on success, negative values on failure.  The
+ * caller is responsibile for calling rcu_read_lock() before calling this
+ * this function and rcu_read_unlock() after this function returns.
+ *
+ */
+static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
+{
+	int rc;
+	struct sk_security_struct *sksec = sock->sk->sk_security;
+	struct netlbl_lsm_secattr secattr;
+
+	rc = security_netlbl_sid_to_secattr(sid, &secattr);
+	if (rc != 0)
+		return rc;
+
+	rc = netlbl_socket_setattr(sock, &secattr);
+	if (rc == 0) {
+		spin_lock_bh(&sksec->nlbl_lock);
+		sksec->nlbl_state = NLBL_LABELED;
+		spin_unlock_bh(&sksec->nlbl_lock);
+	}
+
+	return rc;
+}
+
+/**
+ * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
+ *
+ * Description:
+ * Invalidate the NetLabel security attribute mapping cache.
+ *
+ */
+void selinux_netlbl_cache_invalidate(void)
+{
+	netlbl_cache_invalidate();
+}
+
+/**
+ * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
+ * @ssec: the sk_security_struct
+ * @family: the socket family
+ *
+ * Description:
+ * Called when the NetLabel state of a sk_security_struct needs to be reset.
+ * The caller is responsibile for all the NetLabel sk_security_struct locking.
+ *
+ */
+void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
+				      int family)
+{
+        if (family == PF_INET)
+		ssec->nlbl_state = NLBL_REQUIRE;
+	else
+		ssec->nlbl_state = NLBL_UNSET;
+}
+
+/**
+ * selinux_netlbl_sk_security_init - Setup the NetLabel fields
+ * @ssec: the sk_security_struct
+ * @family: the socket family
+ *
+ * Description:
+ * Called when a new sk_security_struct is allocated to initialize the NetLabel
+ * fields.
+ *
+ */
+void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
+				     int family)
+{
+	/* No locking needed, we are the only one who has access to ssec */
+	selinux_netlbl_sk_security_reset(ssec, family);
+	spin_lock_init(&ssec->nlbl_lock);
+}
+
+/**
+ * selinux_netlbl_sk_security_clone - Copy the NetLabel fields
+ * @ssec: the original sk_security_struct
+ * @newssec: the cloned sk_security_struct
+ *
+ * Description:
+ * Clone the NetLabel specific sk_security_struct fields from @ssec to
+ * @newssec.
+ *
+ */
+void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
+				      struct sk_security_struct *newssec)
+{
+	/* We don't need to take newssec->nlbl_lock because we are the only
+	 * thread with access to newssec, but we do need to take the RCU read
+	 * lock as other threads could have access to ssec */
+	rcu_read_lock();
+	selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family);
+	newssec->sclass = ssec->sclass;
+	rcu_read_unlock();
+}
+
+/**
+ * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only attributes
+ * @sid: the SID
+ *
+ * Description:
+ * Call the NetLabel mechanism to get the security attributes of the given
+ * packet and use those attributes to determine the correct context/SID to
+ * assign to the packet.  Returns zero on success, negative values on failure.
+ *
+ */
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
+{
+	int rc;
+	struct netlbl_lsm_secattr secattr;
+
+	netlbl_secattr_init(&secattr);
+	rc = netlbl_skbuff_getattr(skb, &secattr);
+	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+		rc = security_netlbl_secattr_to_sid(&secattr,
+						    base_sid,
+						    sid);
+	else
+		*sid = SECSID_NULL;
+	netlbl_secattr_destroy(&secattr);
+
+	return rc;
+}
+
+/**
+ * selinux_netlbl_sock_graft - Netlabel the new socket
+ * @sk: the new connection
+ * @sock: the new socket
+ *
+ * Description:
+ * The connection represented by @sk is being grafted onto @sock so set the
+ * socket's NetLabel to match the SID of @sk.
+ *
+ */
+void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
+{
+	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
+	struct sk_security_struct *sksec = sk->sk_security;
+	struct netlbl_lsm_secattr secattr;
+	u32 nlbl_peer_sid;
+
+	sksec->sclass = isec->sclass;
+
+	rcu_read_lock();
+
+	if (sksec->nlbl_state != NLBL_REQUIRE) {
+		rcu_read_unlock();
+		return;
+	}
+
+	netlbl_secattr_init(&secattr);
+	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
+	    secattr.flags != NETLBL_SECATTR_NONE &&
+	    security_netlbl_secattr_to_sid(&secattr,
+					   SECINITSID_UNLABELED,
+					   &nlbl_peer_sid) == 0)
+		sksec->peer_sid = nlbl_peer_sid;
+	netlbl_secattr_destroy(&secattr);
+
+	/* Try to set the NetLabel on the socket to save time later, if we fail
+	 * here we will pick up the pieces in later calls to
+	 * selinux_netlbl_inode_permission(). */
+	selinux_netlbl_socket_setsid(sock, sksec->sid);
+
+	rcu_read_unlock();
+}
+
+/**
+ * selinux_netlbl_socket_post_create - Label a socket using NetLabel
+ * @sock: the socket to label
+ *
+ * Description:
+ * Attempt to label a socket using the NetLabel mechanism using the given
+ * SID.  Returns zero values on success, negative values on failure.
+ *
+ */
+int selinux_netlbl_socket_post_create(struct socket *sock)
+{
+	int rc = 0;
+	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
+	struct sk_security_struct *sksec = sock->sk->sk_security;
+
+	sksec->sclass = isec->sclass;
+
+	rcu_read_lock();
+	if (sksec->nlbl_state == NLBL_REQUIRE)
+		rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
+	rcu_read_unlock();
+
+	return rc;
+}
+
+/**
+ * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
+ * @inode: the file descriptor's inode
+ * @mask: the permission mask
+ *
+ * Description:
+ * Looks at a file's inode and if it is marked as a socket protected by
+ * NetLabel then verify that the socket has been labeled, if not try to label
+ * the socket now with the inode's SID.  Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int selinux_netlbl_inode_permission(struct inode *inode, int mask)
+{
+	int rc;
+	struct sk_security_struct *sksec;
+	struct socket *sock;
+
+	if (!S_ISSOCK(inode->i_mode) ||
+	    ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
+		return 0;
+	sock = SOCKET_I(inode);
+	sksec = sock->sk->sk_security;
+
+	rcu_read_lock();
+	if (sksec->nlbl_state != NLBL_REQUIRE) {
+		rcu_read_unlock();
+		return 0;
+	}
+	local_bh_disable();
+	bh_lock_sock_nested(sock->sk);
+	rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
+	bh_unlock_sock(sock->sk);
+	local_bh_enable();
+	rcu_read_unlock();
+
+	return rc;
+}
+
+/**
+ * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
+ * @sksec: the sock's sk_security_struct
+ * @skb: the packet
+ * @ad: the audit data
+ *
+ * Description:
+ * Fetch the NetLabel security attributes from @skb and perform an access check
+ * against the receiving socket.  Returns zero on success, negative values on
+ * error.
+ *
+ */
+int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+				struct sk_buff *skb,
+				struct avc_audit_data *ad)
+{
+	int rc;
+	u32 netlbl_sid;
+	u32 recv_perm;
+
+	rc = selinux_netlbl_skbuff_getsid(skb,
+					  SECINITSID_UNLABELED,
+					  &netlbl_sid);
+	if (rc != 0)
+		return rc;
+
+	if (netlbl_sid == SECSID_NULL)
+		return 0;
+
+	switch (sksec->sclass) {
+	case SECCLASS_UDP_SOCKET:
+		recv_perm = UDP_SOCKET__RECVFROM;
+		break;
+	case SECCLASS_TCP_SOCKET:
+		recv_perm = TCP_SOCKET__RECVFROM;
+		break;
+	default:
+		recv_perm = RAWIP_SOCKET__RECVFROM;
+	}
+
+	rc = avc_has_perm(sksec->sid,
+			  netlbl_sid,
+			  sksec->sclass,
+			  recv_perm,
+			  ad);
+	if (rc == 0)
+		return 0;
+
+	netlbl_skbuff_err(skb, rc);
+	return rc;
+}
+
+/**
+ * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
+ * @sock: the socket
+ * @level: the socket level or protocol
+ * @optname: the socket option name
+ *
+ * Description:
+ * Check the setsockopt() call and if the user is trying to replace the IP
+ * options on a socket and a NetLabel is in place for the socket deny the
+ * access; otherwise allow the access.  Returns zero when the access is
+ * allowed, -EACCES when denied, and other negative values on error.
+ *
+ */
+int selinux_netlbl_socket_setsockopt(struct socket *sock,
+				     int level,
+				     int optname)
+{
+	int rc = 0;
+	struct sk_security_struct *sksec = sock->sk->sk_security;
+	struct netlbl_lsm_secattr secattr;
+
+	rcu_read_lock();
+	if (level == IPPROTO_IP && optname == IP_OPTIONS &&
+	    sksec->nlbl_state == NLBL_LABELED) {
+		netlbl_secattr_init(&secattr);
+		rc = netlbl_socket_getattr(sock, &secattr);
+		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+			rc = -EACCES;
+		netlbl_secattr_destroy(&secattr);
+	}
+	rcu_read_unlock();
+
+	return rc;
+}
Index: net-2.6_future/security/selinux/ss/services.c
===================================================================
--- net-2.6_future.orig/security/selinux/ss/services.c
+++ net-2.6_future/security/selinux/ss/services.c
@@ -2226,13 +2226,13 @@ void security_skb_extlbl_sid(struct sk_b
 
 #ifdef CONFIG_NETLABEL
 /*
- * This is the structure we store inside the NetLabel cache block.
+ * NetLabel cache structure
  */
-#define NETLBL_CACHE(x)           ((struct netlbl_cache *)(x))
+#define NETLBL_CACHE(x)           ((struct selinux_netlbl_cache *)(x))
 #define NETLBL_CACHE_T_NONE       0
 #define NETLBL_CACHE_T_SID        1
 #define NETLBL_CACHE_T_MLS        2
-struct netlbl_cache {
+struct selinux_netlbl_cache {
 	u32 type;
 	union {
 		u32 sid;
@@ -2241,7 +2241,7 @@ struct netlbl_cache {
 };
 
 /**
- * selinux_netlbl_cache_free - Free the NetLabel cached data
+ * security_netlbl_cache_free - Free the NetLabel cached data
  * @data: the data to free
  *
  * Description:
@@ -2249,9 +2249,9 @@ struct netlbl_cache {
  * netlbl_lsm_cache structure.
  *
  */
-static void selinux_netlbl_cache_free(const void *data)
+static void security_netlbl_cache_free(const void *data)
 {
-	struct netlbl_cache *cache;
+	struct selinux_netlbl_cache *cache;
 
 	if (data == NULL)
 		return;
@@ -2266,33 +2266,33 @@ static void selinux_netlbl_cache_free(co
 }
 
 /**
- * selinux_netlbl_cache_add - Add an entry to the NetLabel cache
- * @skb: the packet
+ * security_netlbl_cache_add - Add an entry to the NetLabel cache
+ * @secattr: the NetLabel packet security attributes
  * @ctx: the SELinux context
  *
  * Description:
  * Attempt to cache the context in @ctx, which was derived from the packet in
- * @skb, in the NetLabel subsystem cache.
+ * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
+ * already been initialized.
  *
  */
-static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
+static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
+				      struct context *ctx)
 {
-	struct netlbl_cache *cache = NULL;
-	struct netlbl_lsm_secattr secattr;
+	struct selinux_netlbl_cache *cache = NULL;
 
-	netlbl_secattr_init(&secattr);
-	secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
-	if (secattr.cache == NULL)
-		goto netlbl_cache_add_return;
+	secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
+	if (secattr->cache == NULL)
+		return;
 
 	cache = kzalloc(sizeof(*cache),	GFP_ATOMIC);
 	if (cache == NULL)
-		goto netlbl_cache_add_return;
+		return;
 
 	cache->type = NETLBL_CACHE_T_MLS;
 	if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
 			&ctx->range.level[0].cat) != 0)
-		goto netlbl_cache_add_return;
+		return;
 	cache->data.mls_label.level[1].cat.highbit =
 		cache->data.mls_label.level[0].cat.highbit;
 	cache->data.mls_label.level[1].cat.node =
@@ -2300,52 +2300,40 @@ static void selinux_netlbl_cache_add(str
 	cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
 	cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
 
-	secattr.cache->free = selinux_netlbl_cache_free;
-	secattr.cache->data = (void *)cache;
-	secattr.flags = NETLBL_SECATTR_CACHE;
-
-	netlbl_cache_add(skb, &secattr);
-
-netlbl_cache_add_return:
-	netlbl_secattr_destroy(&secattr);
+	secattr->cache->free = security_netlbl_cache_free;
+	secattr->cache->data = (void *)cache;
+	secattr->flags |= NETLBL_SECATTR_CACHE;
 }
 
 /**
- * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
- *
- * Description:
- * Invalidate the NetLabel security attribute mapping cache.
- *
- */
-void selinux_netlbl_cache_invalidate(void)
-{
-	netlbl_cache_invalidate();
-}
-
-/**
- * selinux_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
- * @skb: the network packet
+ * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
  * @secattr: the NetLabel packet security attributes
  * @base_sid: the SELinux SID to use as a context for MLS only attributes
  * @sid: the SELinux SID
  *
  * Description:
- * Convert the given NetLabel packet security attributes in @secattr into a
+ * Convert the given NetLabel security attributes in @secattr into a
  * SELinux SID.  If the @secattr field does not contain a full SELinux
- * SID/context then use the context in @base_sid as the foundation.  If @skb
- * is not NULL attempt to cache as much data as possibile.  Returns zero on
- * success, negative values on failure.
+ * SID/context then use the context in @base_sid as the foundation.  If
+ * possibile the 'cache' field of @secattr is set and the CACHE flag is set;
+ * this is to allow the @secattr to be used by NetLabel to cache the secattr to
+ * SID conversion for future lookups.  Returns zero on success, negative
+ * values on failure.
  *
  */
-static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
-					 struct netlbl_lsm_secattr *secattr,
-					 u32 base_sid,
-					 u32 *sid)
+int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
+				   u32 base_sid,
+				   u32 *sid)
 {
 	int rc = -EIDRM;
 	struct context *ctx;
 	struct context ctx_new;
-	struct netlbl_cache *cache;
+	struct selinux_netlbl_cache *cache;
+
+	if (!ss_initialized) {
+		*sid = SECSID_NULL;
+		return 0;
+	}
 
 	POLICY_RDLOCK;
 
@@ -2410,8 +2398,8 @@ static int selinux_netlbl_secattr_to_sid
 		if (rc != 0)
 			goto netlbl_secattr_to_sid_return_cleanup;
 
-		if (skb != NULL)
-			selinux_netlbl_cache_add(skb, &ctx_new);
+		security_netlbl_cache_add(secattr, &ctx_new);
+
 		ebitmap_destroy(&ctx_new.range.level[0].cat);
 	} else {
 		*sid = SECSID_NULL;
@@ -2427,338 +2415,43 @@ netlbl_secattr_to_sid_return_cleanup:
 }
 
 /**
- * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
- * @skb: the packet
- * @base_sid: the SELinux SID to use as a context for MLS only attributes
- * @sid: the SID
- *
- * Description:
- * Call the NetLabel mechanism to get the security attributes of the given
- * packet and use those attributes to determine the correct context/SID to
- * assign to the packet.  Returns zero on success, negative values on failure.
- *
- */
-int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
-{
-	int rc;
-	struct netlbl_lsm_secattr secattr;
-
-	netlbl_secattr_init(&secattr);
-	rc = netlbl_skbuff_getattr(skb, &secattr);
-	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-		rc = selinux_netlbl_secattr_to_sid(skb,
-						   &secattr,
-						   base_sid,
-						   sid);
-	else
-		*sid = SECSID_NULL;
-	netlbl_secattr_destroy(&secattr);
-
-	return rc;
-}
-
-/**
- * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
- * @sock: the socket to label
- * @sid: the SID to use
+ * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
+ * @sid: the SELinux SID
+ * @secattr: the NetLabel packet security attributes
  *
  * Description:
- * Attempt to label a socket using the NetLabel mechanism using the given
- * SID.  Returns zero values on success, negative values on failure.  The
- * caller is responsibile for calling rcu_read_lock() before calling this
- * this function and rcu_read_unlock() after this function returns.
+ * Convert the given SELinux SID in @sid into a NetLabel security attribute.
+ * Returns zero on success, negative values on failure.
  *
  */
-static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
+int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
 {
 	int rc = -ENOENT;
-	struct sk_security_struct *sksec = sock->sk->sk_security;
-	struct netlbl_lsm_secattr secattr;
 	struct context *ctx;
 
+	netlbl_secattr_init(secattr);
+
 	if (!ss_initialized)
 		return 0;
 
-	netlbl_secattr_init(&secattr);
-
 	POLICY_RDLOCK;
-
 	ctx = sidtab_search(&sidtab, sid);
 	if (ctx == NULL)
-		goto netlbl_socket_setsid_return;
-
-	secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
-				 GFP_ATOMIC);
-	secattr.flags |= NETLBL_SECATTR_DOMAIN;
-	mls_export_netlbl_lvl(ctx, &secattr);
-	rc = mls_export_netlbl_cat(ctx, &secattr);
+		goto netlbl_sid_to_secattr_failure;
+	secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
+				  GFP_ATOMIC);
+	secattr->flags |= NETLBL_SECATTR_DOMAIN;
+	mls_export_netlbl_lvl(ctx, secattr);
+	rc = mls_export_netlbl_cat(ctx, secattr);
 	if (rc != 0)
-		goto netlbl_socket_setsid_return;
-
-	rc = netlbl_socket_setattr(sock, &secattr);
-	if (rc == 0) {
-		spin_lock_bh(&sksec->nlbl_lock);
-		sksec->nlbl_state = NLBL_LABELED;
-		spin_unlock_bh(&sksec->nlbl_lock);
-	}
-
-netlbl_socket_setsid_return:
+		goto netlbl_sid_to_secattr_failure;
 	POLICY_RDUNLOCK;
-	netlbl_secattr_destroy(&secattr);
-	return rc;
-}
-
-/**
- * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
- * @ssec: the sk_security_struct
- * @family: the socket family
- *
- * Description:
- * Called when the NetLabel state of a sk_security_struct needs to be reset.
- * The caller is responsibile for all the NetLabel sk_security_struct locking.
- *
- */
-void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
-				      int family)
-{
-        if (family == PF_INET)
-		ssec->nlbl_state = NLBL_REQUIRE;
-	else
-		ssec->nlbl_state = NLBL_UNSET;
-}
-
-/**
- * selinux_netlbl_sk_security_init - Setup the NetLabel fields
- * @ssec: the sk_security_struct
- * @family: the socket family
- *
- * Description:
- * Called when a new sk_security_struct is allocated to initialize the NetLabel
- * fields.
- *
- */
-void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
-				     int family)
-{
-	/* No locking needed, we are the only one who has access to ssec */
-	selinux_netlbl_sk_security_reset(ssec, family);
-	spin_lock_init(&ssec->nlbl_lock);
-}
-
-/**
- * selinux_netlbl_sk_security_clone - Copy the NetLabel fields
- * @ssec: the original sk_security_struct
- * @newssec: the cloned sk_security_struct
- *
- * Description:
- * Clone the NetLabel specific sk_security_struct fields from @ssec to
- * @newssec.
- *
- */
-void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
-				      struct sk_security_struct *newssec)
-{
-	/* We don't need to take newssec->nlbl_lock because we are the only
-	 * thread with access to newssec, but we do need to take the RCU read
-	 * lock as other threads could have access to ssec */
-	rcu_read_lock();
-	selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family);
-	newssec->sclass = ssec->sclass;
-	rcu_read_unlock();
-}
 
-/**
- * selinux_netlbl_socket_post_create - Label a socket using NetLabel
- * @sock: the socket to label
- *
- * Description:
- * Attempt to label a socket using the NetLabel mechanism using the given
- * SID.  Returns zero values on success, negative values on failure.
- *
- */
-int selinux_netlbl_socket_post_create(struct socket *sock)
-{
-	int rc = 0;
-	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
-	struct sk_security_struct *sksec = sock->sk->sk_security;
-
-	sksec->sclass = isec->sclass;
-
-	rcu_read_lock();
-	if (sksec->nlbl_state == NLBL_REQUIRE)
-		rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
-	rcu_read_unlock();
-
-	return rc;
-}
-
-/**
- * selinux_netlbl_sock_graft - Netlabel the new socket
- * @sk: the new connection
- * @sock: the new socket
- *
- * Description:
- * The connection represented by @sk is being grafted onto @sock so set the
- * socket's NetLabel to match the SID of @sk.
- *
- */
-void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
-{
-	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
-	struct sk_security_struct *sksec = sk->sk_security;
-	struct netlbl_lsm_secattr secattr;
-	u32 nlbl_peer_sid;
-
-	sksec->sclass = isec->sclass;
-
-	rcu_read_lock();
-
-	if (sksec->nlbl_state != NLBL_REQUIRE) {
-		rcu_read_unlock();
-		return;
-	}
-
-	netlbl_secattr_init(&secattr);
-	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
-	    secattr.flags != NETLBL_SECATTR_NONE &&
-	    selinux_netlbl_secattr_to_sid(NULL,
-					  &secattr,
-					  SECINITSID_UNLABELED,
-					  &nlbl_peer_sid) == 0)
-		sksec->peer_sid = nlbl_peer_sid;
-	netlbl_secattr_destroy(&secattr);
-
-	/* Try to set the NetLabel on the socket to save time later, if we fail
-	 * here we will pick up the pieces in later calls to
-	 * selinux_netlbl_inode_permission(). */
-	selinux_netlbl_socket_setsid(sock, sksec->sid);
-
-	rcu_read_unlock();
-}
-
-/**
- * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
- * @inode: the file descriptor's inode
- * @mask: the permission mask
- *
- * Description:
- * Looks at a file's inode and if it is marked as a socket protected by
- * NetLabel then verify that the socket has been labeled, if not try to label
- * the socket now with the inode's SID.  Returns zero on success, negative
- * values on failure.
- *
- */
-int selinux_netlbl_inode_permission(struct inode *inode, int mask)
-{
-	int rc;
-	struct sk_security_struct *sksec;
-	struct socket *sock;
-
-	if (!S_ISSOCK(inode->i_mode) ||
-	    ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
-		return 0;
-	sock = SOCKET_I(inode);
-	sksec = sock->sk->sk_security;
-
-	rcu_read_lock();
-	if (sksec->nlbl_state != NLBL_REQUIRE) {
-		rcu_read_unlock();
-		return 0;
-	}
-	local_bh_disable();
-	bh_lock_sock_nested(sock->sk);
-	rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
-	bh_unlock_sock(sock->sk);
-	local_bh_enable();
-	rcu_read_unlock();
-
-	return rc;
-}
-
-/**
- * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
- * @sksec: the sock's sk_security_struct
- * @skb: the packet
- * @ad: the audit data
- *
- * Description:
- * Fetch the NetLabel security attributes from @skb and perform an access check
- * against the receiving socket.  Returns zero on success, negative values on
- * error.
- *
- */
-int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
-				struct sk_buff *skb,
-				struct avc_audit_data *ad)
-{
-	int rc;
-	u32 netlbl_sid;
-	u32 recv_perm;
-
-	rc = selinux_netlbl_skbuff_getsid(skb,
-					  SECINITSID_UNLABELED,
-					  &netlbl_sid);
-	if (rc != 0)
-		return rc;
-
-	if (netlbl_sid == SECSID_NULL)
-		return 0;
-
-	switch (sksec->sclass) {
-	case SECCLASS_UDP_SOCKET:
-		recv_perm = UDP_SOCKET__RECVFROM;
-		break;
-	case SECCLASS_TCP_SOCKET:
-		recv_perm = TCP_SOCKET__RECVFROM;
-		break;
-	default:
-		recv_perm = RAWIP_SOCKET__RECVFROM;
-	}
-
-	rc = avc_has_perm(sksec->sid,
-			  netlbl_sid,
-			  sksec->sclass,
-			  recv_perm,
-			  ad);
-	if (rc == 0)
-		return 0;
-
-	netlbl_skbuff_err(skb, rc);
-	return rc;
-}
-
-/**
- * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
- * @sock: the socket
- * @level: the socket level or protocol
- * @optname: the socket option name
- *
- * Description:
- * Check the setsockopt() call and if the user is trying to replace the IP
- * options on a socket and a NetLabel is in place for the socket deny the
- * access; otherwise allow the access.  Returns zero when the access is
- * allowed, -EACCES when denied, and other negative values on error.
- *
- */
-int selinux_netlbl_socket_setsockopt(struct socket *sock,
-				     int level,
-				     int optname)
-{
-	int rc = 0;
-	struct sk_security_struct *sksec = sock->sk->sk_security;
-	struct netlbl_lsm_secattr secattr;
-
-	rcu_read_lock();
-	if (level == IPPROTO_IP && optname == IP_OPTIONS &&
-	    sksec->nlbl_state == NLBL_LABELED) {
-		netlbl_secattr_init(&secattr);
-		rc = netlbl_socket_getattr(sock, &secattr);
-		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-			rc = -EACCES;
-		netlbl_secattr_destroy(&secattr);
-	}
-	rcu_read_unlock();
+	return 0;
 
+netlbl_sid_to_secattr_failure:
+	POLICY_RDUNLOCK;
+	netlbl_secattr_destroy(secattr);
 	return rc;
 }
 #endif /* CONFIG_NETLABEL */

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[RFC 4/4] SELinux: rename selinux_netlabel.h to netlabel.h

[Paul Moore]

In the beginning I named the file selinux_netlabel.h to avoid potential
namespace colisions.  However, over time I have realized that there are several
other similar cases of multiple header files with the same name so I'm changing
the name to something which better fits with existing naming conventions.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 security/selinux/hooks.c                    |    2 
 security/selinux/include/netlabel.h         |  121 ++++++++++++++++++++++++++++
 security/selinux/include/selinux_netlabel.h |  121 ----------------------------
 security/selinux/ss/services.c              |    2 
 4 files changed, 123 insertions(+), 123 deletions(-)

Index: net-2.6_future/security/selinux/hooks.c
===================================================================
--- net-2.6_future.orig/security/selinux/hooks.c
+++ net-2.6_future/security/selinux/hooks.c
@@ -77,7 +77,7 @@
 #include "objsec.h"
 #include "netif.h"
 #include "xfrm.h"
-#include "selinux_netlabel.h"
+#include "netlabel.h"
 
 #define XATTR_SELINUX_SUFFIX "selinux"
 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
Index: net-2.6_future/security/selinux/include/netlabel.h
===================================================================
--- /dev/null
+++ net-2.6_future/security/selinux/include/netlabel.h
@@ -0,0 +1,121 @@
+/*
+ * SELinux interface to the NetLabel subsystem
+ *
+ * Author : Paul Moore <paul.moore@hp.com>
+ *
+ */
+
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ *
+ * This program is free software;  you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program;  if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+#ifndef _SELINUX_NETLABEL_H_
+#define _SELINUX_NETLABEL_H_
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/net.h>
+#include <linux/skbuff.h>
+#include <net/sock.h>
+
+#include "avc.h"
+#include "objsec.h"
+
+#ifdef CONFIG_NETLABEL
+void selinux_netlbl_cache_invalidate(void);
+
+void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
+				      int family);
+void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
+				     int family);
+void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
+				      struct sk_security_struct *newssec);
+
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
+
+void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
+int selinux_netlbl_socket_post_create(struct socket *sock);
+int selinux_netlbl_inode_permission(struct inode *inode, int mask);
+int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+				struct sk_buff *skb,
+				struct avc_audit_data *ad);
+int selinux_netlbl_socket_setsockopt(struct socket *sock,
+				     int level,
+				     int optname);
+#else
+static inline void selinux_netlbl_cache_invalidate(void)
+{
+	return;
+}
+
+static inline void selinux_netlbl_sk_security_reset(
+	                                       struct sk_security_struct *ssec,
+					       int family)
+{
+	return;
+}
+static inline void selinux_netlbl_sk_security_init(
+	                                       struct sk_security_struct *ssec,
+					       int family)
+{
+	return;
+}
+static inline void selinux_netlbl_sk_security_clone(
+	                                    struct sk_security_struct *ssec,
+					    struct sk_security_struct *newssec)
+{
+	return;
+}
+
+static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+					       u32 base_sid,
+					       u32 *sid)
+{
+	*sid = SECSID_NULL;
+	return 0;
+}
+
+static inline void selinux_netlbl_sock_graft(struct sock *sk,
+					     struct socket *sock)
+{
+	return;
+}
+static inline int selinux_netlbl_socket_post_create(struct socket *sock)
+{
+	return 0;
+}
+static inline int selinux_netlbl_inode_permission(struct inode *inode,
+						  int mask)
+{
+	return 0;
+}
+static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+					      struct sk_buff *skb,
+					      struct avc_audit_data *ad)
+{
+	return 0;
+}
+static inline int selinux_netlbl_socket_setsockopt(struct socket *sock,
+						   int level,
+						   int optname)
+{
+	return 0;
+}
+#endif /* CONFIG_NETLABEL */
+
+#endif
Index: net-2.6_future/security/selinux/include/selinux_netlabel.h
===================================================================
--- net-2.6_future.orig/security/selinux/include/selinux_netlabel.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * SELinux interface to the NetLabel subsystem
- *
- * Author : Paul Moore <paul.moore@hp.com>
- *
- */
-
-/*
- * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
- *
- * This program is free software;  you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY;  without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
- * the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program;  if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- */
-
-#ifndef _SELINUX_NETLABEL_H_
-#define _SELINUX_NETLABEL_H_
-
-#include <linux/types.h>
-#include <linux/fs.h>
-#include <linux/net.h>
-#include <linux/skbuff.h>
-#include <net/sock.h>
-
-#include "avc.h"
-#include "objsec.h"
-
-#ifdef CONFIG_NETLABEL
-void selinux_netlbl_cache_invalidate(void);
-
-void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
-				      int family);
-void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
-				     int family);
-void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
-				      struct sk_security_struct *newssec);
-
-int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
-
-void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
-int selinux_netlbl_socket_post_create(struct socket *sock);
-int selinux_netlbl_inode_permission(struct inode *inode, int mask);
-int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
-				struct sk_buff *skb,
-				struct avc_audit_data *ad);
-int selinux_netlbl_socket_setsockopt(struct socket *sock,
-				     int level,
-				     int optname);
-#else
-static inline void selinux_netlbl_cache_invalidate(void)
-{
-	return;
-}
-
-static inline void selinux_netlbl_sk_security_reset(
-	                                       struct sk_security_struct *ssec,
-					       int family)
-{
-	return;
-}
-static inline void selinux_netlbl_sk_security_init(
-	                                       struct sk_security_struct *ssec,
-					       int family)
-{
-	return;
-}
-static inline void selinux_netlbl_sk_security_clone(
-	                                    struct sk_security_struct *ssec,
-					    struct sk_security_struct *newssec)
-{
-	return;
-}
-
-static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
-					       u32 base_sid,
-					       u32 *sid)
-{
-	*sid = SECSID_NULL;
-	return 0;
-}
-
-static inline void selinux_netlbl_sock_graft(struct sock *sk,
-					     struct socket *sock)
-{
-	return;
-}
-static inline int selinux_netlbl_socket_post_create(struct socket *sock)
-{
-	return 0;
-}
-static inline int selinux_netlbl_inode_permission(struct inode *inode,
-						  int mask)
-{
-	return 0;
-}
-static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
-					      struct sk_buff *skb,
-					      struct avc_audit_data *ad)
-{
-	return 0;
-}
-static inline int selinux_netlbl_socket_setsockopt(struct socket *sock,
-						   int level,
-						   int optname)
-{
-	return 0;
-}
-#endif /* CONFIG_NETLABEL */
-
-#endif
Index: net-2.6_future/security/selinux/ss/services.c
===================================================================
--- net-2.6_future.orig/security/selinux/ss/services.c
+++ net-2.6_future/security/selinux/ss/services.c
@@ -53,7 +53,7 @@
 #include "conditional.h"
 #include "mls.h"
 #include "objsec.h"
-#include "selinux_netlabel.h"
+#include "netlabel.h"
 #include "xfrm.h"
 #include "ebitmap.h"
 

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC 0/4] NetLabel fixups/cleanups

[James Morris]

On Wed, 28 Feb 2007, Paul Moore wrote:

> to live dangerously.  This patchset most likely needs a little more work and
> testing before I feel comfortable submitting it for inclusion, but a little
> birdie suggested I post them as an RFC patchset.

These look ok to me, and I've applied them to
git://git.infradead.org/~jmorris/selinux-2.6#for-next-kernel

It's probably too late to get non-bugfixes into 2.6.21, so they'll 
probably queue there until the next merge window opens, and also go into 
-mm.


- James
-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC 0/4] NetLabel fixups/cleanups

[Paul Moore]

On Wednesday, February 28 2007 4:09:19 pm James Morris wrote:
> On Wed, 28 Feb 2007, Paul Moore wrote:
> > to live dangerously.  This patchset most likely needs a little more work
> > and testing before I feel comfortable submitting it for inclusion, but a
> > little birdie suggested I post them as an RFC patchset.
>
> These look ok to me, and I've applied them to
> git://git.infradead.org/~jmorris/selinux-2.6#for-next-kernel

Thanks.

> It's probably too late to get non-bugfixes into 2.6.21, so they'll
> probably queue there until the next merge window opens, and also go into
> -mm.

I wouldn't want them to go into 2.6.21 even if it were possible.  I just 
haven't done enough testing yet to really feel comfortable with the patches.    
However, having them sit in -mm for a while will go a long way towards giving 
me that warm, fuzzy feeling.  I also continue to bang on them and if anything 
pops up I'll send more patches.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC 3/4] SELinux: extract the NetLabel SELinux support from the security server

[Stephen Smalley]

On Wed, 2007-02-28 at 15:14 -0500, Paul Moore wrote:
> plain text document attachment (selinux-isolate_netlabel)
> Up until this patch the functions which have provided NetLabel support to
> SELinux have been integrated into the SELinux security server, which for
> various reasons is not really ideal.  This patch makes an effort to extract as
> much of the NetLabel support from the security server as possibile and move it
> into it's own file within the SELinux directory structure.

Thanks, this looks much better, and helps keep the security server
interface as an abstract security interface.  Is there any reason you
didn't also move security_skb_extlbl_sid() out from the security server?
It seems to be a lingering case where the security server directly acts
on a kernel object rather than a security abstraction.

> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>
> ---
>  net/netlabel/netlabel_kapi.c                |    3 
>  security/selinux/Makefile                   |    2 
>  security/selinux/include/security.h         |   24 +
>  security/selinux/include/selinux_netlabel.h |   71 ++--
>  security/selinux/netlabel.c                 |  363 ++++++++++++++++++++++++
>  security/selinux/ss/services.c              |  423 +++-------------------------
>  6 files changed, 481 insertions(+), 405 deletions(-)
> 
> Index: net-2.6_future/net/netlabel/netlabel_kapi.c
> ===================================================================
> --- net-2.6_future.orig/net/netlabel/netlabel_kapi.c
> +++ net-2.6_future/net/netlabel/netlabel_kapi.c
> @@ -263,9 +263,6 @@ int netlbl_socket_setattr(const struct s
>  	int ret_val = -ENOENT;
>  	struct netlbl_dom_map *dom_entry;
>  
> -	if ((secattr->flags & NETLBL_SECATTR_DOMAIN) == 0)
> -		return -ENOENT;
> -
>  	rcu_read_lock();
>  	dom_entry = netlbl_domhsh_getentry(secattr->domain);
>  	if (dom_entry == NULL)
> Index: net-2.6_future/security/selinux/Makefile
> ===================================================================
> --- net-2.6_future.orig/security/selinux/Makefile
> +++ net-2.6_future/security/selinux/Makefile
> @@ -8,5 +8,7 @@ selinux-y := avc.o hooks.o selinuxfs.o n
>  
>  selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
>  
> +selinux-$(CONFIG_NETLABEL) += netlabel.o
> +
>  EXTRA_CFLAGS += -Isecurity/selinux/include
>  
> Index: net-2.6_future/security/selinux/include/security.h
> ===================================================================
> --- net-2.6_future.orig/security/selinux/include/security.h
> +++ net-2.6_future/security/selinux/include/security.h
> @@ -35,6 +35,7 @@
>  #endif
>  
>  struct sk_buff;
> +struct netlbl_lsm_secattr;
>  
>  extern int selinux_enabled;
>  extern int selinux_mls_enabled;
> @@ -102,5 +103,28 @@ int security_fs_use(const char *fstype, 
>  int security_genfs_sid(const char *fstype, char *name, u16 sclass,
>  	u32 *sid);
>  
> +#ifdef CONFIG_NETLABEL
> +int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
> +				   u32 base_sid,
> +				   u32 *sid);
> +
> +int security_netlbl_sid_to_secattr(u32 sid,
> +				   struct netlbl_lsm_secattr *secattr);
> +#else
> +static inline int security_netlbl_secattr_to_sid(
> +					    struct netlbl_lsm_secattr *secattr,
> +					    u32 base_sid,
> +					    u32 *sid)
> +{
> +	return -EIDRM;
> +}
> +
> +static inline int security_netlbl_sid_to_secattr(u32 sid,
> +					   struct netlbl_lsm_secattr *secattr)
> +{
> +	return -ENOENT;
> +}
> +#endif /* CONFIG_NETLABEL */
> +
>  #endif /* _SELINUX_SECURITY_H_ */
>  
> Index: net-2.6_future/security/selinux/include/selinux_netlabel.h
> ===================================================================
> --- net-2.6_future.orig/security/selinux/include/selinux_netlabel.h
> +++ net-2.6_future/security/selinux/include/selinux_netlabel.h
> @@ -38,19 +38,22 @@
>  
>  #ifdef CONFIG_NETLABEL
>  void selinux_netlbl_cache_invalidate(void);
> -int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
> -int selinux_netlbl_socket_post_create(struct socket *sock);
> -void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
> -int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> -				struct sk_buff *skb,
> -				struct avc_audit_data *ad);
> +
>  void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
>  				      int family);
>  void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
>  				     int family);
>  void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
>  				      struct sk_security_struct *newssec);
> +
> +int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
> +
> +void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
> +int selinux_netlbl_socket_post_create(struct socket *sock);
>  int selinux_netlbl_inode_permission(struct inode *inode, int mask);
> +int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> +				struct sk_buff *skb,
> +				struct avc_audit_data *ad);
>  int selinux_netlbl_socket_setsockopt(struct socket *sock,
>  				     int level,
>  				     int optname);
> @@ -60,59 +63,53 @@ static inline void selinux_netlbl_cache_
>  	return;
>  }
>  
> -static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
> -					       u32 base_sid,
> -					       u32 *sid)
> +static inline void selinux_netlbl_sk_security_reset(
> +	                                       struct sk_security_struct *ssec,
> +					       int family)
>  {
> -	*sid = SECSID_NULL;
> -	return 0;
> +	return;
>  }
> -
> -static inline int selinux_netlbl_socket_post_create(struct socket *sock)
> +static inline void selinux_netlbl_sk_security_init(
> +	                                       struct sk_security_struct *ssec,
> +					       int family)
>  {
> -	return 0;
> +	return;
>  }
> -
> -static inline void selinux_netlbl_sock_graft(struct sock *sk,
> -					     struct socket *sock)
> +static inline void selinux_netlbl_sk_security_clone(
> +	                                    struct sk_security_struct *ssec,
> +					    struct sk_security_struct *newssec)
>  {
>  	return;
>  }
>  
> -static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> -					      struct sk_buff *skb,
> -					      struct avc_audit_data *ad)
> +static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
> +					       u32 base_sid,
> +					       u32 *sid)
>  {
> +	*sid = SECSID_NULL;
>  	return 0;
>  }
>  
> -static inline void selinux_netlbl_sk_security_reset(
> -					       struct sk_security_struct *ssec,
> -					       int family)
> -{
> -	return;
> -}
> -
> -static inline void selinux_netlbl_sk_security_init(
> -	                                       struct sk_security_struct *ssec,
> -					       int family)
> +static inline void selinux_netlbl_sock_graft(struct sock *sk,
> +					     struct socket *sock)
>  {
>  	return;
>  }
> -
> -static inline void selinux_netlbl_sk_security_clone(
> -	                                   struct sk_security_struct *ssec,
> -					   struct sk_security_struct *newssec)
> +static inline int selinux_netlbl_socket_post_create(struct socket *sock)
>  {
> -	return;
> +	return 0;
>  }
> -
>  static inline int selinux_netlbl_inode_permission(struct inode *inode,
>  						  int mask)
>  {
>  	return 0;
>  }
> -
> +static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> +					      struct sk_buff *skb,
> +					      struct avc_audit_data *ad)
> +{
> +	return 0;
> +}
>  static inline int selinux_netlbl_socket_setsockopt(struct socket *sock,
>  						   int level,
>  						   int optname)
> Index: net-2.6_future/security/selinux/netlabel.c
> ===================================================================
> --- /dev/null
> +++ net-2.6_future/security/selinux/netlabel.c
> @@ -0,0 +1,363 @@
> +/*
> + * SELinux NetLabel Support
> + *
> + * This file provides the necessary glue to tie NetLabel into the SELinux
> + * subsystem.
> + *
> + * Author: Paul Moore <paul.moore@hp.com>
> + *
> + */
> +
> +/*
> + * (c) Copyright Hewlett-Packard Development Company, L.P., 2007
> + *
> + * This program is free software;  you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation; either version 2 of the License, or
> + * (at your option) any later version.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY;  without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
> + * the GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program;  if not, write to the Free Software
> + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> + *
> + */
> +
> +#include <linux/spinlock.h>
> +#include <linux/rcupdate.h>
> +#include <net/sock.h>
> +#include <net/netlabel.h>
> +
> +#include "objsec.h"
> +#include "security.h"
> +
> +/**
> + * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
> + * @sock: the socket to label
> + * @sid: the SID to use
> + *
> + * Description:
> + * Attempt to label a socket using the NetLabel mechanism using the given
> + * SID.  Returns zero values on success, negative values on failure.  The
> + * caller is responsibile for calling rcu_read_lock() before calling this
> + * this function and rcu_read_unlock() after this function returns.
> + *
> + */
> +static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
> +{
> +	int rc;
> +	struct sk_security_struct *sksec = sock->sk->sk_security;
> +	struct netlbl_lsm_secattr secattr;
> +
> +	rc = security_netlbl_sid_to_secattr(sid, &secattr);
> +	if (rc != 0)
> +		return rc;
> +
> +	rc = netlbl_socket_setattr(sock, &secattr);
> +	if (rc == 0) {
> +		spin_lock_bh(&sksec->nlbl_lock);
> +		sksec->nlbl_state = NLBL_LABELED;
> +		spin_unlock_bh(&sksec->nlbl_lock);
> +	}
> +
> +	return rc;
> +}
> +
> +/**
> + * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
> + *
> + * Description:
> + * Invalidate the NetLabel security attribute mapping cache.
> + *
> + */
> +void selinux_netlbl_cache_invalidate(void)
> +{
> +	netlbl_cache_invalidate();
> +}
> +
> +/**
> + * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
> + * @ssec: the sk_security_struct
> + * @family: the socket family
> + *
> + * Description:
> + * Called when the NetLabel state of a sk_security_struct needs to be reset.
> + * The caller is responsibile for all the NetLabel sk_security_struct locking.
> + *
> + */
> +void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
> +				      int family)
> +{
> +        if (family == PF_INET)
> +		ssec->nlbl_state = NLBL_REQUIRE;
> +	else
> +		ssec->nlbl_state = NLBL_UNSET;
> +}
> +
> +/**
> + * selinux_netlbl_sk_security_init - Setup the NetLabel fields
> + * @ssec: the sk_security_struct
> + * @family: the socket family
> + *
> + * Description:
> + * Called when a new sk_security_struct is allocated to initialize the NetLabel
> + * fields.
> + *
> + */
> +void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
> +				     int family)
> +{
> +	/* No locking needed, we are the only one who has access to ssec */
> +	selinux_netlbl_sk_security_reset(ssec, family);
> +	spin_lock_init(&ssec->nlbl_lock);
> +}
> +
> +/**
> + * selinux_netlbl_sk_security_clone - Copy the NetLabel fields
> + * @ssec: the original sk_security_struct
> + * @newssec: the cloned sk_security_struct
> + *
> + * Description:
> + * Clone the NetLabel specific sk_security_struct fields from @ssec to
> + * @newssec.
> + *
> + */
> +void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
> +				      struct sk_security_struct *newssec)
> +{
> +	/* We don't need to take newssec->nlbl_lock because we are the only
> +	 * thread with access to newssec, but we do need to take the RCU read
> +	 * lock as other threads could have access to ssec */
> +	rcu_read_lock();
> +	selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family);
> +	newssec->sclass = ssec->sclass;
> +	rcu_read_unlock();
> +}
> +
> +/**
> + * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
> + * @skb: the packet
> + * @base_sid: the SELinux SID to use as a context for MLS only attributes
> + * @sid: the SID
> + *
> + * Description:
> + * Call the NetLabel mechanism to get the security attributes of the given
> + * packet and use those attributes to determine the correct context/SID to
> + * assign to the packet.  Returns zero on success, negative values on failure.
> + *
> + */
> +int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
> +{
> +	int rc;
> +	struct netlbl_lsm_secattr secattr;
> +
> +	netlbl_secattr_init(&secattr);
> +	rc = netlbl_skbuff_getattr(skb, &secattr);
> +	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
> +		rc = security_netlbl_secattr_to_sid(&secattr,
> +						    base_sid,
> +						    sid);
> +	else
> +		*sid = SECSID_NULL;
> +	netlbl_secattr_destroy(&secattr);
> +
> +	return rc;
> +}
> +
> +/**
> + * selinux_netlbl_sock_graft - Netlabel the new socket
> + * @sk: the new connection
> + * @sock: the new socket
> + *
> + * Description:
> + * The connection represented by @sk is being grafted onto @sock so set the
> + * socket's NetLabel to match the SID of @sk.
> + *
> + */
> +void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
> +{
> +	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
> +	struct sk_security_struct *sksec = sk->sk_security;
> +	struct netlbl_lsm_secattr secattr;
> +	u32 nlbl_peer_sid;
> +
> +	sksec->sclass = isec->sclass;
> +
> +	rcu_read_lock();
> +
> +	if (sksec->nlbl_state != NLBL_REQUIRE) {
> +		rcu_read_unlock();
> +		return;
> +	}
> +
> +	netlbl_secattr_init(&secattr);
> +	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
> +	    secattr.flags != NETLBL_SECATTR_NONE &&
> +	    security_netlbl_secattr_to_sid(&secattr,
> +					   SECINITSID_UNLABELED,
> +					   &nlbl_peer_sid) == 0)
> +		sksec->peer_sid = nlbl_peer_sid;
> +	netlbl_secattr_destroy(&secattr);
> +
> +	/* Try to set the NetLabel on the socket to save time later, if we fail
> +	 * here we will pick up the pieces in later calls to
> +	 * selinux_netlbl_inode_permission(). */
> +	selinux_netlbl_socket_setsid(sock, sksec->sid);
> +
> +	rcu_read_unlock();
> +}
> +
> +/**
> + * selinux_netlbl_socket_post_create - Label a socket using NetLabel
> + * @sock: the socket to label
> + *
> + * Description:
> + * Attempt to label a socket using the NetLabel mechanism using the given
> + * SID.  Returns zero values on success, negative values on failure.
> + *
> + */
> +int selinux_netlbl_socket_post_create(struct socket *sock)
> +{
> +	int rc = 0;
> +	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
> +	struct sk_security_struct *sksec = sock->sk->sk_security;
> +
> +	sksec->sclass = isec->sclass;
> +
> +	rcu_read_lock();
> +	if (sksec->nlbl_state == NLBL_REQUIRE)
> +		rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
> +	rcu_read_unlock();
> +
> +	return rc;
> +}
> +
> +/**
> + * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
> + * @inode: the file descriptor's inode
> + * @mask: the permission mask
> + *
> + * Description:
> + * Looks at a file's inode and if it is marked as a socket protected by
> + * NetLabel then verify that the socket has been labeled, if not try to label
> + * the socket now with the inode's SID.  Returns zero on success, negative
> + * values on failure.
> + *
> + */
> +int selinux_netlbl_inode_permission(struct inode *inode, int mask)
> +{
> +	int rc;
> +	struct sk_security_struct *sksec;
> +	struct socket *sock;
> +
> +	if (!S_ISSOCK(inode->i_mode) ||
> +	    ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
> +		return 0;
> +	sock = SOCKET_I(inode);
> +	sksec = sock->sk->sk_security;
> +
> +	rcu_read_lock();
> +	if (sksec->nlbl_state != NLBL_REQUIRE) {
> +		rcu_read_unlock();
> +		return 0;
> +	}
> +	local_bh_disable();
> +	bh_lock_sock_nested(sock->sk);
> +	rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
> +	bh_unlock_sock(sock->sk);
> +	local_bh_enable();
> +	rcu_read_unlock();
> +
> +	return rc;
> +}
> +
> +/**
> + * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
> + * @sksec: the sock's sk_security_struct
> + * @skb: the packet
> + * @ad: the audit data
> + *
> + * Description:
> + * Fetch the NetLabel security attributes from @skb and perform an access check
> + * against the receiving socket.  Returns zero on success, negative values on
> + * error.
> + *
> + */
> +int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> +				struct sk_buff *skb,
> +				struct avc_audit_data *ad)
> +{
> +	int rc;
> +	u32 netlbl_sid;
> +	u32 recv_perm;
> +
> +	rc = selinux_netlbl_skbuff_getsid(skb,
> +					  SECINITSID_UNLABELED,
> +					  &netlbl_sid);
> +	if (rc != 0)
> +		return rc;
> +
> +	if (netlbl_sid == SECSID_NULL)
> +		return 0;
> +
> +	switch (sksec->sclass) {
> +	case SECCLASS_UDP_SOCKET:
> +		recv_perm = UDP_SOCKET__RECVFROM;
> +		break;
> +	case SECCLASS_TCP_SOCKET:
> +		recv_perm = TCP_SOCKET__RECVFROM;
> +		break;
> +	default:
> +		recv_perm = RAWIP_SOCKET__RECVFROM;
> +	}
> +
> +	rc = avc_has_perm(sksec->sid,
> +			  netlbl_sid,
> +			  sksec->sclass,
> +			  recv_perm,
> +			  ad);
> +	if (rc == 0)
> +		return 0;
> +
> +	netlbl_skbuff_err(skb, rc);
> +	return rc;
> +}
> +
> +/**
> + * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
> + * @sock: the socket
> + * @level: the socket level or protocol
> + * @optname: the socket option name
> + *
> + * Description:
> + * Check the setsockopt() call and if the user is trying to replace the IP
> + * options on a socket and a NetLabel is in place for the socket deny the
> + * access; otherwise allow the access.  Returns zero when the access is
> + * allowed, -EACCES when denied, and other negative values on error.
> + *
> + */
> +int selinux_netlbl_socket_setsockopt(struct socket *sock,
> +				     int level,
> +				     int optname)
> +{
> +	int rc = 0;
> +	struct sk_security_struct *sksec = sock->sk->sk_security;
> +	struct netlbl_lsm_secattr secattr;
> +
> +	rcu_read_lock();
> +	if (level == IPPROTO_IP && optname == IP_OPTIONS &&
> +	    sksec->nlbl_state == NLBL_LABELED) {
> +		netlbl_secattr_init(&secattr);
> +		rc = netlbl_socket_getattr(sock, &secattr);
> +		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
> +			rc = -EACCES;
> +		netlbl_secattr_destroy(&secattr);
> +	}
> +	rcu_read_unlock();
> +
> +	return rc;
> +}
> Index: net-2.6_future/security/selinux/ss/services.c
> ===================================================================
> --- net-2.6_future.orig/security/selinux/ss/services.c
> +++ net-2.6_future/security/selinux/ss/services.c
> @@ -2226,13 +2226,13 @@ void security_skb_extlbl_sid(struct sk_b
>  
>  #ifdef CONFIG_NETLABEL
>  /*
> - * This is the structure we store inside the NetLabel cache block.
> + * NetLabel cache structure
>   */
> -#define NETLBL_CACHE(x)           ((struct netlbl_cache *)(x))
> +#define NETLBL_CACHE(x)           ((struct selinux_netlbl_cache *)(x))
>  #define NETLBL_CACHE_T_NONE       0
>  #define NETLBL_CACHE_T_SID        1
>  #define NETLBL_CACHE_T_MLS        2
> -struct netlbl_cache {
> +struct selinux_netlbl_cache {
>  	u32 type;
>  	union {
>  		u32 sid;
> @@ -2241,7 +2241,7 @@ struct netlbl_cache {
>  };
>  
>  /**
> - * selinux_netlbl_cache_free - Free the NetLabel cached data
> + * security_netlbl_cache_free - Free the NetLabel cached data
>   * @data: the data to free
>   *
>   * Description:
> @@ -2249,9 +2249,9 @@ struct netlbl_cache {
>   * netlbl_lsm_cache structure.
>   *
>   */
> -static void selinux_netlbl_cache_free(const void *data)
> +static void security_netlbl_cache_free(const void *data)
>  {
> -	struct netlbl_cache *cache;
> +	struct selinux_netlbl_cache *cache;
>  
>  	if (data == NULL)
>  		return;
> @@ -2266,33 +2266,33 @@ static void selinux_netlbl_cache_free(co
>  }
>  
>  /**
> - * selinux_netlbl_cache_add - Add an entry to the NetLabel cache
> - * @skb: the packet
> + * security_netlbl_cache_add - Add an entry to the NetLabel cache
> + * @secattr: the NetLabel packet security attributes
>   * @ctx: the SELinux context
>   *
>   * Description:
>   * Attempt to cache the context in @ctx, which was derived from the packet in
> - * @skb, in the NetLabel subsystem cache.
> + * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
> + * already been initialized.
>   *
>   */
> -static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
> +static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
> +				      struct context *ctx)
>  {
> -	struct netlbl_cache *cache = NULL;
> -	struct netlbl_lsm_secattr secattr;
> +	struct selinux_netlbl_cache *cache = NULL;
>  
> -	netlbl_secattr_init(&secattr);
> -	secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
> -	if (secattr.cache == NULL)
> -		goto netlbl_cache_add_return;
> +	secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
> +	if (secattr->cache == NULL)
> +		return;
>  
>  	cache = kzalloc(sizeof(*cache),	GFP_ATOMIC);
>  	if (cache == NULL)
> -		goto netlbl_cache_add_return;
> +		return;
>  
>  	cache->type = NETLBL_CACHE_T_MLS;
>  	if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
>  			&ctx->range.level[0].cat) != 0)
> -		goto netlbl_cache_add_return;
> +		return;
>  	cache->data.mls_label.level[1].cat.highbit =
>  		cache->data.mls_label.level[0].cat.highbit;
>  	cache->data.mls_label.level[1].cat.node =
> @@ -2300,52 +2300,40 @@ static void selinux_netlbl_cache_add(str
>  	cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
>  	cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
>  
> -	secattr.cache->free = selinux_netlbl_cache_free;
> -	secattr.cache->data = (void *)cache;
> -	secattr.flags = NETLBL_SECATTR_CACHE;
> -
> -	netlbl_cache_add(skb, &secattr);
> -
> -netlbl_cache_add_return:
> -	netlbl_secattr_destroy(&secattr);
> +	secattr->cache->free = security_netlbl_cache_free;
> +	secattr->cache->data = (void *)cache;
> +	secattr->flags |= NETLBL_SECATTR_CACHE;
>  }
>  
>  /**
> - * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
> - *
> - * Description:
> - * Invalidate the NetLabel security attribute mapping cache.
> - *
> - */
> -void selinux_netlbl_cache_invalidate(void)
> -{
> -	netlbl_cache_invalidate();
> -}
> -
> -/**
> - * selinux_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
> - * @skb: the network packet
> + * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
>   * @secattr: the NetLabel packet security attributes
>   * @base_sid: the SELinux SID to use as a context for MLS only attributes
>   * @sid: the SELinux SID
>   *
>   * Description:
> - * Convert the given NetLabel packet security attributes in @secattr into a
> + * Convert the given NetLabel security attributes in @secattr into a
>   * SELinux SID.  If the @secattr field does not contain a full SELinux
> - * SID/context then use the context in @base_sid as the foundation.  If @skb
> - * is not NULL attempt to cache as much data as possibile.  Returns zero on
> - * success, negative values on failure.
> + * SID/context then use the context in @base_sid as the foundation.  If
> + * possibile the 'cache' field of @secattr is set and the CACHE flag is set;
> + * this is to allow the @secattr to be used by NetLabel to cache the secattr to
> + * SID conversion for future lookups.  Returns zero on success, negative
> + * values on failure.
>   *
>   */
> -static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
> -					 struct netlbl_lsm_secattr *secattr,
> -					 u32 base_sid,
> -					 u32 *sid)
> +int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
> +				   u32 base_sid,
> +				   u32 *sid)
>  {
>  	int rc = -EIDRM;
>  	struct context *ctx;
>  	struct context ctx_new;
> -	struct netlbl_cache *cache;
> +	struct selinux_netlbl_cache *cache;
> +
> +	if (!ss_initialized) {
> +		*sid = SECSID_NULL;
> +		return 0;
> +	}
>  
>  	POLICY_RDLOCK;
>  
> @@ -2410,8 +2398,8 @@ static int selinux_netlbl_secattr_to_sid
>  		if (rc != 0)
>  			goto netlbl_secattr_to_sid_return_cleanup;
>  
> -		if (skb != NULL)
> -			selinux_netlbl_cache_add(skb, &ctx_new);
> +		security_netlbl_cache_add(secattr, &ctx_new);
> +
>  		ebitmap_destroy(&ctx_new.range.level[0].cat);
>  	} else {
>  		*sid = SECSID_NULL;
> @@ -2427,338 +2415,43 @@ netlbl_secattr_to_sid_return_cleanup:
>  }
>  
>  /**
> - * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
> - * @skb: the packet
> - * @base_sid: the SELinux SID to use as a context for MLS only attributes
> - * @sid: the SID
> - *
> - * Description:
> - * Call the NetLabel mechanism to get the security attributes of the given
> - * packet and use those attributes to determine the correct context/SID to
> - * assign to the packet.  Returns zero on success, negative values on failure.
> - *
> - */
> -int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
> -{
> -	int rc;
> -	struct netlbl_lsm_secattr secattr;
> -
> -	netlbl_secattr_init(&secattr);
> -	rc = netlbl_skbuff_getattr(skb, &secattr);
> -	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
> -		rc = selinux_netlbl_secattr_to_sid(skb,
> -						   &secattr,
> -						   base_sid,
> -						   sid);
> -	else
> -		*sid = SECSID_NULL;
> -	netlbl_secattr_destroy(&secattr);
> -
> -	return rc;
> -}
> -
> -/**
> - * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
> - * @sock: the socket to label
> - * @sid: the SID to use
> + * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
> + * @sid: the SELinux SID
> + * @secattr: the NetLabel packet security attributes
>   *
>   * Description:
> - * Attempt to label a socket using the NetLabel mechanism using the given
> - * SID.  Returns zero values on success, negative values on failure.  The
> - * caller is responsibile for calling rcu_read_lock() before calling this
> - * this function and rcu_read_unlock() after this function returns.
> + * Convert the given SELinux SID in @sid into a NetLabel security attribute.
> + * Returns zero on success, negative values on failure.
>   *
>   */
> -static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
> +int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
>  {
>  	int rc = -ENOENT;
> -	struct sk_security_struct *sksec = sock->sk->sk_security;
> -	struct netlbl_lsm_secattr secattr;
>  	struct context *ctx;
>  
> +	netlbl_secattr_init(secattr);
> +
>  	if (!ss_initialized)
>  		return 0;
>  
> -	netlbl_secattr_init(&secattr);
> -
>  	POLICY_RDLOCK;
> -
>  	ctx = sidtab_search(&sidtab, sid);
>  	if (ctx == NULL)
> -		goto netlbl_socket_setsid_return;
> -
> -	secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
> -				 GFP_ATOMIC);
> -	secattr.flags |= NETLBL_SECATTR_DOMAIN;
> -	mls_export_netlbl_lvl(ctx, &secattr);
> -	rc = mls_export_netlbl_cat(ctx, &secattr);
> +		goto netlbl_sid_to_secattr_failure;
> +	secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
> +				  GFP_ATOMIC);
> +	secattr->flags |= NETLBL_SECATTR_DOMAIN;
> +	mls_export_netlbl_lvl(ctx, secattr);
> +	rc = mls_export_netlbl_cat(ctx, secattr);
>  	if (rc != 0)
> -		goto netlbl_socket_setsid_return;
> -
> -	rc = netlbl_socket_setattr(sock, &secattr);
> -	if (rc == 0) {
> -		spin_lock_bh(&sksec->nlbl_lock);
> -		sksec->nlbl_state = NLBL_LABELED;
> -		spin_unlock_bh(&sksec->nlbl_lock);
> -	}
> -
> -netlbl_socket_setsid_return:
> +		goto netlbl_sid_to_secattr_failure;
>  	POLICY_RDUNLOCK;
> -	netlbl_secattr_destroy(&secattr);
> -	return rc;
> -}
> -
> -/**
> - * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
> - * @ssec: the sk_security_struct
> - * @family: the socket family
> - *
> - * Description:
> - * Called when the NetLabel state of a sk_security_struct needs to be reset.
> - * The caller is responsibile for all the NetLabel sk_security_struct locking.
> - *
> - */
> -void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
> -				      int family)
> -{
> -        if (family == PF_INET)
> -		ssec->nlbl_state = NLBL_REQUIRE;
> -	else
> -		ssec->nlbl_state = NLBL_UNSET;
> -}
> -
> -/**
> - * selinux_netlbl_sk_security_init - Setup the NetLabel fields
> - * @ssec: the sk_security_struct
> - * @family: the socket family
> - *
> - * Description:
> - * Called when a new sk_security_struct is allocated to initialize the NetLabel
> - * fields.
> - *
> - */
> -void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
> -				     int family)
> -{
> -	/* No locking needed, we are the only one who has access to ssec */
> -	selinux_netlbl_sk_security_reset(ssec, family);
> -	spin_lock_init(&ssec->nlbl_lock);
> -}
> -
> -/**
> - * selinux_netlbl_sk_security_clone - Copy the NetLabel fields
> - * @ssec: the original sk_security_struct
> - * @newssec: the cloned sk_security_struct
> - *
> - * Description:
> - * Clone the NetLabel specific sk_security_struct fields from @ssec to
> - * @newssec.
> - *
> - */
> -void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
> -				      struct sk_security_struct *newssec)
> -{
> -	/* We don't need to take newssec->nlbl_lock because we are the only
> -	 * thread with access to newssec, but we do need to take the RCU read
> -	 * lock as other threads could have access to ssec */
> -	rcu_read_lock();
> -	selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family);
> -	newssec->sclass = ssec->sclass;
> -	rcu_read_unlock();
> -}
>  
> -/**
> - * selinux_netlbl_socket_post_create - Label a socket using NetLabel
> - * @sock: the socket to label
> - *
> - * Description:
> - * Attempt to label a socket using the NetLabel mechanism using the given
> - * SID.  Returns zero values on success, negative values on failure.
> - *
> - */
> -int selinux_netlbl_socket_post_create(struct socket *sock)
> -{
> -	int rc = 0;
> -	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
> -	struct sk_security_struct *sksec = sock->sk->sk_security;
> -
> -	sksec->sclass = isec->sclass;
> -
> -	rcu_read_lock();
> -	if (sksec->nlbl_state == NLBL_REQUIRE)
> -		rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
> -	rcu_read_unlock();
> -
> -	return rc;
> -}
> -
> -/**
> - * selinux_netlbl_sock_graft - Netlabel the new socket
> - * @sk: the new connection
> - * @sock: the new socket
> - *
> - * Description:
> - * The connection represented by @sk is being grafted onto @sock so set the
> - * socket's NetLabel to match the SID of @sk.
> - *
> - */
> -void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
> -{
> -	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
> -	struct sk_security_struct *sksec = sk->sk_security;
> -	struct netlbl_lsm_secattr secattr;
> -	u32 nlbl_peer_sid;
> -
> -	sksec->sclass = isec->sclass;
> -
> -	rcu_read_lock();
> -
> -	if (sksec->nlbl_state != NLBL_REQUIRE) {
> -		rcu_read_unlock();
> -		return;
> -	}
> -
> -	netlbl_secattr_init(&secattr);
> -	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
> -	    secattr.flags != NETLBL_SECATTR_NONE &&
> -	    selinux_netlbl_secattr_to_sid(NULL,
> -					  &secattr,
> -					  SECINITSID_UNLABELED,
> -					  &nlbl_peer_sid) == 0)
> -		sksec->peer_sid = nlbl_peer_sid;
> -	netlbl_secattr_destroy(&secattr);
> -
> -	/* Try to set the NetLabel on the socket to save time later, if we fail
> -	 * here we will pick up the pieces in later calls to
> -	 * selinux_netlbl_inode_permission(). */
> -	selinux_netlbl_socket_setsid(sock, sksec->sid);
> -
> -	rcu_read_unlock();
> -}
> -
> -/**
> - * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
> - * @inode: the file descriptor's inode
> - * @mask: the permission mask
> - *
> - * Description:
> - * Looks at a file's inode and if it is marked as a socket protected by
> - * NetLabel then verify that the socket has been labeled, if not try to label
> - * the socket now with the inode's SID.  Returns zero on success, negative
> - * values on failure.
> - *
> - */
> -int selinux_netlbl_inode_permission(struct inode *inode, int mask)
> -{
> -	int rc;
> -	struct sk_security_struct *sksec;
> -	struct socket *sock;
> -
> -	if (!S_ISSOCK(inode->i_mode) ||
> -	    ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
> -		return 0;
> -	sock = SOCKET_I(inode);
> -	sksec = sock->sk->sk_security;
> -
> -	rcu_read_lock();
> -	if (sksec->nlbl_state != NLBL_REQUIRE) {
> -		rcu_read_unlock();
> -		return 0;
> -	}
> -	local_bh_disable();
> -	bh_lock_sock_nested(sock->sk);
> -	rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
> -	bh_unlock_sock(sock->sk);
> -	local_bh_enable();
> -	rcu_read_unlock();
> -
> -	return rc;
> -}
> -
> -/**
> - * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
> - * @sksec: the sock's sk_security_struct
> - * @skb: the packet
> - * @ad: the audit data
> - *
> - * Description:
> - * Fetch the NetLabel security attributes from @skb and perform an access check
> - * against the receiving socket.  Returns zero on success, negative values on
> - * error.
> - *
> - */
> -int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> -				struct sk_buff *skb,
> -				struct avc_audit_data *ad)
> -{
> -	int rc;
> -	u32 netlbl_sid;
> -	u32 recv_perm;
> -
> -	rc = selinux_netlbl_skbuff_getsid(skb,
> -					  SECINITSID_UNLABELED,
> -					  &netlbl_sid);
> -	if (rc != 0)
> -		return rc;
> -
> -	if (netlbl_sid == SECSID_NULL)
> -		return 0;
> -
> -	switch (sksec->sclass) {
> -	case SECCLASS_UDP_SOCKET:
> -		recv_perm = UDP_SOCKET__RECVFROM;
> -		break;
> -	case SECCLASS_TCP_SOCKET:
> -		recv_perm = TCP_SOCKET__RECVFROM;
> -		break;
> -	default:
> -		recv_perm = RAWIP_SOCKET__RECVFROM;
> -	}
> -
> -	rc = avc_has_perm(sksec->sid,
> -			  netlbl_sid,
> -			  sksec->sclass,
> -			  recv_perm,
> -			  ad);
> -	if (rc == 0)
> -		return 0;
> -
> -	netlbl_skbuff_err(skb, rc);
> -	return rc;
> -}
> -
> -/**
> - * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
> - * @sock: the socket
> - * @level: the socket level or protocol
> - * @optname: the socket option name
> - *
> - * Description:
> - * Check the setsockopt() call and if the user is trying to replace the IP
> - * options on a socket and a NetLabel is in place for the socket deny the
> - * access; otherwise allow the access.  Returns zero when the access is
> - * allowed, -EACCES when denied, and other negative values on error.
> - *
> - */
> -int selinux_netlbl_socket_setsockopt(struct socket *sock,
> -				     int level,
> -				     int optname)
> -{
> -	int rc = 0;
> -	struct sk_security_struct *sksec = sock->sk->sk_security;
> -	struct netlbl_lsm_secattr secattr;
> -
> -	rcu_read_lock();
> -	if (level == IPPROTO_IP && optname == IP_OPTIONS &&
> -	    sksec->nlbl_state == NLBL_LABELED) {
> -		netlbl_secattr_init(&secattr);
> -		rc = netlbl_socket_getattr(sock, &secattr);
> -		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
> -			rc = -EACCES;
> -		netlbl_secattr_destroy(&secattr);
> -	}
> -	rcu_read_unlock();
> +	return 0;
>  
> +netlbl_sid_to_secattr_failure:
> +	POLICY_RDUNLOCK;
> +	netlbl_secattr_destroy(secattr);
>  	return rc;
>  }
>  #endif /* CONFIG_NETLABEL */
> 
> --
> paul moore
> linux security @ hp
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC 3/4] SELinux: extract the NetLabel SELinux support from the security server

[Stephen Smalley]

On Thu, 2007-03-01 at 07:40 -0500, Stephen Smalley wrote:
> On Wed, 2007-02-28 at 15:14 -0500, Paul Moore wrote:
> > plain text document attachment (selinux-isolate_netlabel)
> > Up until this patch the functions which have provided NetLabel support to
> > SELinux have been integrated into the SELinux security server, which for
> > various reasons is not really ideal.  This patch makes an effort to extract as
> > much of the NetLabel support from the security server as possibile and move it
> > into it's own file within the SELinux directory structure.
> 
> Thanks, this looks much better, and helps keep the security server
> interface as an abstract security interface.  Is there any reason you
> didn't also move security_skb_extlbl_sid() out from the security server?
> It seems to be a lingering case where the security server directly acts
> on a kernel object rather than a security abstraction.

It isn't NetLabel-specific, but appears that it could easily just be a
helper function in hooks.c itself.

> 
> > 
> > Signed-off-by: Paul Moore <paul.moore@hp.com>
> > ---
> >  net/netlabel/netlabel_kapi.c                |    3 
> >  security/selinux/Makefile                   |    2 
> >  security/selinux/include/security.h         |   24 +
> >  security/selinux/include/selinux_netlabel.h |   71 ++--
> >  security/selinux/netlabel.c                 |  363 ++++++++++++++++++++++++
> >  security/selinux/ss/services.c              |  423 +++-------------------------
> >  6 files changed, 481 insertions(+), 405 deletions(-)
> > 
> > Index: net-2.6_future/net/netlabel/netlabel_kapi.c
> > ===================================================================
> > --- net-2.6_future.orig/net/netlabel/netlabel_kapi.c
> > +++ net-2.6_future/net/netlabel/netlabel_kapi.c
> > @@ -263,9 +263,6 @@ int netlbl_socket_setattr(const struct s
> >  	int ret_val = -ENOENT;
> >  	struct netlbl_dom_map *dom_entry;
> >  
> > -	if ((secattr->flags & NETLBL_SECATTR_DOMAIN) == 0)
> > -		return -ENOENT;
> > -
> >  	rcu_read_lock();
> >  	dom_entry = netlbl_domhsh_getentry(secattr->domain);
> >  	if (dom_entry == NULL)
> > Index: net-2.6_future/security/selinux/Makefile
> > ===================================================================
> > --- net-2.6_future.orig/security/selinux/Makefile
> > +++ net-2.6_future/security/selinux/Makefile
> > @@ -8,5 +8,7 @@ selinux-y := avc.o hooks.o selinuxfs.o n
> >  
> >  selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
> >  
> > +selinux-$(CONFIG_NETLABEL) += netlabel.o
> > +
> >  EXTRA_CFLAGS += -Isecurity/selinux/include
> >  
> > Index: net-2.6_future/security/selinux/include/security.h
> > ===================================================================
> > --- net-2.6_future.orig/security/selinux/include/security.h
> > +++ net-2.6_future/security/selinux/include/security.h
> > @@ -35,6 +35,7 @@
> >  #endif
> >  
> >  struct sk_buff;
> > +struct netlbl_lsm_secattr;
> >  
> >  extern int selinux_enabled;
> >  extern int selinux_mls_enabled;
> > @@ -102,5 +103,28 @@ int security_fs_use(const char *fstype, 
> >  int security_genfs_sid(const char *fstype, char *name, u16 sclass,
> >  	u32 *sid);
> >  
> > +#ifdef CONFIG_NETLABEL
> > +int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
> > +				   u32 base_sid,
> > +				   u32 *sid);
> > +
> > +int security_netlbl_sid_to_secattr(u32 sid,
> > +				   struct netlbl_lsm_secattr *secattr);
> > +#else
> > +static inline int security_netlbl_secattr_to_sid(
> > +					    struct netlbl_lsm_secattr *secattr,
> > +					    u32 base_sid,
> > +					    u32 *sid)
> > +{
> > +	return -EIDRM;
> > +}
> > +
> > +static inline int security_netlbl_sid_to_secattr(u32 sid,
> > +					   struct netlbl_lsm_secattr *secattr)
> > +{
> > +	return -ENOENT;
> > +}
> > +#endif /* CONFIG_NETLABEL */
> > +
> >  #endif /* _SELINUX_SECURITY_H_ */
> >  
> > Index: net-2.6_future/security/selinux/include/selinux_netlabel.h
> > ===================================================================
> > --- net-2.6_future.orig/security/selinux/include/selinux_netlabel.h
> > +++ net-2.6_future/security/selinux/include/selinux_netlabel.h
> > @@ -38,19 +38,22 @@
> >  
> >  #ifdef CONFIG_NETLABEL
> >  void selinux_netlbl_cache_invalidate(void);
> > -int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
> > -int selinux_netlbl_socket_post_create(struct socket *sock);
> > -void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
> > -int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> > -				struct sk_buff *skb,
> > -				struct avc_audit_data *ad);
> > +
> >  void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
> >  				      int family);
> >  void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
> >  				     int family);
> >  void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
> >  				      struct sk_security_struct *newssec);
> > +
> > +int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
> > +
> > +void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
> > +int selinux_netlbl_socket_post_create(struct socket *sock);
> >  int selinux_netlbl_inode_permission(struct inode *inode, int mask);
> > +int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> > +				struct sk_buff *skb,
> > +				struct avc_audit_data *ad);
> >  int selinux_netlbl_socket_setsockopt(struct socket *sock,
> >  				     int level,
> >  				     int optname);
> > @@ -60,59 +63,53 @@ static inline void selinux_netlbl_cache_
> >  	return;
> >  }
> >  
> > -static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
> > -					       u32 base_sid,
> > -					       u32 *sid)
> > +static inline void selinux_netlbl_sk_security_reset(
> > +	                                       struct sk_security_struct *ssec,
> > +					       int family)
> >  {
> > -	*sid = SECSID_NULL;
> > -	return 0;
> > +	return;
> >  }
> > -
> > -static inline int selinux_netlbl_socket_post_create(struct socket *sock)
> > +static inline void selinux_netlbl_sk_security_init(
> > +	                                       struct sk_security_struct *ssec,
> > +					       int family)
> >  {
> > -	return 0;
> > +	return;
> >  }
> > -
> > -static inline void selinux_netlbl_sock_graft(struct sock *sk,
> > -					     struct socket *sock)
> > +static inline void selinux_netlbl_sk_security_clone(
> > +	                                    struct sk_security_struct *ssec,
> > +					    struct sk_security_struct *newssec)
> >  {
> >  	return;
> >  }
> >  
> > -static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> > -					      struct sk_buff *skb,
> > -					      struct avc_audit_data *ad)
> > +static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
> > +					       u32 base_sid,
> > +					       u32 *sid)
> >  {
> > +	*sid = SECSID_NULL;
> >  	return 0;
> >  }
> >  
> > -static inline void selinux_netlbl_sk_security_reset(
> > -					       struct sk_security_struct *ssec,
> > -					       int family)
> > -{
> > -	return;
> > -}
> > -
> > -static inline void selinux_netlbl_sk_security_init(
> > -	                                       struct sk_security_struct *ssec,
> > -					       int family)
> > +static inline void selinux_netlbl_sock_graft(struct sock *sk,
> > +					     struct socket *sock)
> >  {
> >  	return;
> >  }
> > -
> > -static inline void selinux_netlbl_sk_security_clone(
> > -	                                   struct sk_security_struct *ssec,
> > -					   struct sk_security_struct *newssec)
> > +static inline int selinux_netlbl_socket_post_create(struct socket *sock)
> >  {
> > -	return;
> > +	return 0;
> >  }
> > -
> >  static inline int selinux_netlbl_inode_permission(struct inode *inode,
> >  						  int mask)
> >  {
> >  	return 0;
> >  }
> > -
> > +static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> > +					      struct sk_buff *skb,
> > +					      struct avc_audit_data *ad)
> > +{
> > +	return 0;
> > +}
> >  static inline int selinux_netlbl_socket_setsockopt(struct socket *sock,
> >  						   int level,
> >  						   int optname)
> > Index: net-2.6_future/security/selinux/netlabel.c
> > ===================================================================
> > --- /dev/null
> > +++ net-2.6_future/security/selinux/netlabel.c
> > @@ -0,0 +1,363 @@
> > +/*
> > + * SELinux NetLabel Support
> > + *
> > + * This file provides the necessary glue to tie NetLabel into the SELinux
> > + * subsystem.
> > + *
> > + * Author: Paul Moore <paul.moore@hp.com>
> > + *
> > + */
> > +
> > +/*
> > + * (c) Copyright Hewlett-Packard Development Company, L.P., 2007
> > + *
> > + * This program is free software;  you can redistribute it and/or modify
> > + * it under the terms of the GNU General Public License as published by
> > + * the Free Software Foundation; either version 2 of the License, or
> > + * (at your option) any later version.
> > + *
> > + * This program is distributed in the hope that it will be useful,
> > + * but WITHOUT ANY WARRANTY;  without even the implied warranty of
> > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
> > + * the GNU General Public License for more details.
> > + *
> > + * You should have received a copy of the GNU General Public License
> > + * along with this program;  if not, write to the Free Software
> > + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> > + *
> > + */
> > +
> > +#include <linux/spinlock.h>
> > +#include <linux/rcupdate.h>
> > +#include <net/sock.h>
> > +#include <net/netlabel.h>
> > +
> > +#include "objsec.h"
> > +#include "security.h"
> > +
> > +/**
> > + * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
> > + * @sock: the socket to label
> > + * @sid: the SID to use
> > + *
> > + * Description:
> > + * Attempt to label a socket using the NetLabel mechanism using the given
> > + * SID.  Returns zero values on success, negative values on failure.  The
> > + * caller is responsibile for calling rcu_read_lock() before calling this
> > + * this function and rcu_read_unlock() after this function returns.
> > + *
> > + */
> > +static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
> > +{
> > +	int rc;
> > +	struct sk_security_struct *sksec = sock->sk->sk_security;
> > +	struct netlbl_lsm_secattr secattr;
> > +
> > +	rc = security_netlbl_sid_to_secattr(sid, &secattr);
> > +	if (rc != 0)
> > +		return rc;
> > +
> > +	rc = netlbl_socket_setattr(sock, &secattr);
> > +	if (rc == 0) {
> > +		spin_lock_bh(&sksec->nlbl_lock);
> > +		sksec->nlbl_state = NLBL_LABELED;
> > +		spin_unlock_bh(&sksec->nlbl_lock);
> > +	}
> > +
> > +	return rc;
> > +}
> > +
> > +/**
> > + * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
> > + *
> > + * Description:
> > + * Invalidate the NetLabel security attribute mapping cache.
> > + *
> > + */
> > +void selinux_netlbl_cache_invalidate(void)
> > +{
> > +	netlbl_cache_invalidate();
> > +}
> > +
> > +/**
> > + * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
> > + * @ssec: the sk_security_struct
> > + * @family: the socket family
> > + *
> > + * Description:
> > + * Called when the NetLabel state of a sk_security_struct needs to be reset.
> > + * The caller is responsibile for all the NetLabel sk_security_struct locking.
> > + *
> > + */
> > +void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
> > +				      int family)
> > +{
> > +        if (family == PF_INET)
> > +		ssec->nlbl_state = NLBL_REQUIRE;
> > +	else
> > +		ssec->nlbl_state = NLBL_UNSET;
> > +}
> > +
> > +/**
> > + * selinux_netlbl_sk_security_init - Setup the NetLabel fields
> > + * @ssec: the sk_security_struct
> > + * @family: the socket family
> > + *
> > + * Description:
> > + * Called when a new sk_security_struct is allocated to initialize the NetLabel
> > + * fields.
> > + *
> > + */
> > +void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
> > +				     int family)
> > +{
> > +	/* No locking needed, we are the only one who has access to ssec */
> > +	selinux_netlbl_sk_security_reset(ssec, family);
> > +	spin_lock_init(&ssec->nlbl_lock);
> > +}
> > +
> > +/**
> > + * selinux_netlbl_sk_security_clone - Copy the NetLabel fields
> > + * @ssec: the original sk_security_struct
> > + * @newssec: the cloned sk_security_struct
> > + *
> > + * Description:
> > + * Clone the NetLabel specific sk_security_struct fields from @ssec to
> > + * @newssec.
> > + *
> > + */
> > +void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
> > +				      struct sk_security_struct *newssec)
> > +{
> > +	/* We don't need to take newssec->nlbl_lock because we are the only
> > +	 * thread with access to newssec, but we do need to take the RCU read
> > +	 * lock as other threads could have access to ssec */
> > +	rcu_read_lock();
> > +	selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family);
> > +	newssec->sclass = ssec->sclass;
> > +	rcu_read_unlock();
> > +}
> > +
> > +/**
> > + * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
> > + * @skb: the packet
> > + * @base_sid: the SELinux SID to use as a context for MLS only attributes
> > + * @sid: the SID
> > + *
> > + * Description:
> > + * Call the NetLabel mechanism to get the security attributes of the given
> > + * packet and use those attributes to determine the correct context/SID to
> > + * assign to the packet.  Returns zero on success, negative values on failure.
> > + *
> > + */
> > +int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
> > +{
> > +	int rc;
> > +	struct netlbl_lsm_secattr secattr;
> > +
> > +	netlbl_secattr_init(&secattr);
> > +	rc = netlbl_skbuff_getattr(skb, &secattr);
> > +	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
> > +		rc = security_netlbl_secattr_to_sid(&secattr,
> > +						    base_sid,
> > +						    sid);
> > +	else
> > +		*sid = SECSID_NULL;
> > +	netlbl_secattr_destroy(&secattr);
> > +
> > +	return rc;
> > +}
> > +
> > +/**
> > + * selinux_netlbl_sock_graft - Netlabel the new socket
> > + * @sk: the new connection
> > + * @sock: the new socket
> > + *
> > + * Description:
> > + * The connection represented by @sk is being grafted onto @sock so set the
> > + * socket's NetLabel to match the SID of @sk.
> > + *
> > + */
> > +void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
> > +{
> > +	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
> > +	struct sk_security_struct *sksec = sk->sk_security;
> > +	struct netlbl_lsm_secattr secattr;
> > +	u32 nlbl_peer_sid;
> > +
> > +	sksec->sclass = isec->sclass;
> > +
> > +	rcu_read_lock();
> > +
> > +	if (sksec->nlbl_state != NLBL_REQUIRE) {
> > +		rcu_read_unlock();
> > +		return;
> > +	}
> > +
> > +	netlbl_secattr_init(&secattr);
> > +	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
> > +	    secattr.flags != NETLBL_SECATTR_NONE &&
> > +	    security_netlbl_secattr_to_sid(&secattr,
> > +					   SECINITSID_UNLABELED,
> > +					   &nlbl_peer_sid) == 0)
> > +		sksec->peer_sid = nlbl_peer_sid;
> > +	netlbl_secattr_destroy(&secattr);
> > +
> > +	/* Try to set the NetLabel on the socket to save time later, if we fail
> > +	 * here we will pick up the pieces in later calls to
> > +	 * selinux_netlbl_inode_permission(). */
> > +	selinux_netlbl_socket_setsid(sock, sksec->sid);
> > +
> > +	rcu_read_unlock();
> > +}
> > +
> > +/**
> > + * selinux_netlbl_socket_post_create - Label a socket using NetLabel
> > + * @sock: the socket to label
> > + *
> > + * Description:
> > + * Attempt to label a socket using the NetLabel mechanism using the given
> > + * SID.  Returns zero values on success, negative values on failure.
> > + *
> > + */
> > +int selinux_netlbl_socket_post_create(struct socket *sock)
> > +{
> > +	int rc = 0;
> > +	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
> > +	struct sk_security_struct *sksec = sock->sk->sk_security;
> > +
> > +	sksec->sclass = isec->sclass;
> > +
> > +	rcu_read_lock();
> > +	if (sksec->nlbl_state == NLBL_REQUIRE)
> > +		rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
> > +	rcu_read_unlock();
> > +
> > +	return rc;
> > +}
> > +
> > +/**
> > + * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
> > + * @inode: the file descriptor's inode
> > + * @mask: the permission mask
> > + *
> > + * Description:
> > + * Looks at a file's inode and if it is marked as a socket protected by
> > + * NetLabel then verify that the socket has been labeled, if not try to label
> > + * the socket now with the inode's SID.  Returns zero on success, negative
> > + * values on failure.
> > + *
> > + */
> > +int selinux_netlbl_inode_permission(struct inode *inode, int mask)
> > +{
> > +	int rc;
> > +	struct sk_security_struct *sksec;
> > +	struct socket *sock;
> > +
> > +	if (!S_ISSOCK(inode->i_mode) ||
> > +	    ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
> > +		return 0;
> > +	sock = SOCKET_I(inode);
> > +	sksec = sock->sk->sk_security;
> > +
> > +	rcu_read_lock();
> > +	if (sksec->nlbl_state != NLBL_REQUIRE) {
> > +		rcu_read_unlock();
> > +		return 0;
> > +	}
> > +	local_bh_disable();
> > +	bh_lock_sock_nested(sock->sk);
> > +	rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
> > +	bh_unlock_sock(sock->sk);
> > +	local_bh_enable();
> > +	rcu_read_unlock();
> > +
> > +	return rc;
> > +}
> > +
> > +/**
> > + * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
> > + * @sksec: the sock's sk_security_struct
> > + * @skb: the packet
> > + * @ad: the audit data
> > + *
> > + * Description:
> > + * Fetch the NetLabel security attributes from @skb and perform an access check
> > + * against the receiving socket.  Returns zero on success, negative values on
> > + * error.
> > + *
> > + */
> > +int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> > +				struct sk_buff *skb,
> > +				struct avc_audit_data *ad)
> > +{
> > +	int rc;
> > +	u32 netlbl_sid;
> > +	u32 recv_perm;
> > +
> > +	rc = selinux_netlbl_skbuff_getsid(skb,
> > +					  SECINITSID_UNLABELED,
> > +					  &netlbl_sid);
> > +	if (rc != 0)
> > +		return rc;
> > +
> > +	if (netlbl_sid == SECSID_NULL)
> > +		return 0;
> > +
> > +	switch (sksec->sclass) {
> > +	case SECCLASS_UDP_SOCKET:
> > +		recv_perm = UDP_SOCKET__RECVFROM;
> > +		break;
> > +	case SECCLASS_TCP_SOCKET:
> > +		recv_perm = TCP_SOCKET__RECVFROM;
> > +		break;
> > +	default:
> > +		recv_perm = RAWIP_SOCKET__RECVFROM;
> > +	}
> > +
> > +	rc = avc_has_perm(sksec->sid,
> > +			  netlbl_sid,
> > +			  sksec->sclass,
> > +			  recv_perm,
> > +			  ad);
> > +	if (rc == 0)
> > +		return 0;
> > +
> > +	netlbl_skbuff_err(skb, rc);
> > +	return rc;
> > +}
> > +
> > +/**
> > + * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
> > + * @sock: the socket
> > + * @level: the socket level or protocol
> > + * @optname: the socket option name
> > + *
> > + * Description:
> > + * Check the setsockopt() call and if the user is trying to replace the IP
> > + * options on a socket and a NetLabel is in place for the socket deny the
> > + * access; otherwise allow the access.  Returns zero when the access is
> > + * allowed, -EACCES when denied, and other negative values on error.
> > + *
> > + */
> > +int selinux_netlbl_socket_setsockopt(struct socket *sock,
> > +				     int level,
> > +				     int optname)
> > +{
> > +	int rc = 0;
> > +	struct sk_security_struct *sksec = sock->sk->sk_security;
> > +	struct netlbl_lsm_secattr secattr;
> > +
> > +	rcu_read_lock();
> > +	if (level == IPPROTO_IP && optname == IP_OPTIONS &&
> > +	    sksec->nlbl_state == NLBL_LABELED) {
> > +		netlbl_secattr_init(&secattr);
> > +		rc = netlbl_socket_getattr(sock, &secattr);
> > +		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
> > +			rc = -EACCES;
> > +		netlbl_secattr_destroy(&secattr);
> > +	}
> > +	rcu_read_unlock();
> > +
> > +	return rc;
> > +}
> > Index: net-2.6_future/security/selinux/ss/services.c
> > ===================================================================
> > --- net-2.6_future.orig/security/selinux/ss/services.c
> > +++ net-2.6_future/security/selinux/ss/services.c
> > @@ -2226,13 +2226,13 @@ void security_skb_extlbl_sid(struct sk_b
> >  
> >  #ifdef CONFIG_NETLABEL
> >  /*
> > - * This is the structure we store inside the NetLabel cache block.
> > + * NetLabel cache structure
> >   */
> > -#define NETLBL_CACHE(x)           ((struct netlbl_cache *)(x))
> > +#define NETLBL_CACHE(x)           ((struct selinux_netlbl_cache *)(x))
> >  #define NETLBL_CACHE_T_NONE       0
> >  #define NETLBL_CACHE_T_SID        1
> >  #define NETLBL_CACHE_T_MLS        2
> > -struct netlbl_cache {
> > +struct selinux_netlbl_cache {
> >  	u32 type;
> >  	union {
> >  		u32 sid;
> > @@ -2241,7 +2241,7 @@ struct netlbl_cache {
> >  };
> >  
> >  /**
> > - * selinux_netlbl_cache_free - Free the NetLabel cached data
> > + * security_netlbl_cache_free - Free the NetLabel cached data
> >   * @data: the data to free
> >   *
> >   * Description:
> > @@ -2249,9 +2249,9 @@ struct netlbl_cache {
> >   * netlbl_lsm_cache structure.
> >   *
> >   */
> > -static void selinux_netlbl_cache_free(const void *data)
> > +static void security_netlbl_cache_free(const void *data)
> >  {
> > -	struct netlbl_cache *cache;
> > +	struct selinux_netlbl_cache *cache;
> >  
> >  	if (data == NULL)
> >  		return;
> > @@ -2266,33 +2266,33 @@ static void selinux_netlbl_cache_free(co
> >  }
> >  
> >  /**
> > - * selinux_netlbl_cache_add - Add an entry to the NetLabel cache
> > - * @skb: the packet
> > + * security_netlbl_cache_add - Add an entry to the NetLabel cache
> > + * @secattr: the NetLabel packet security attributes
> >   * @ctx: the SELinux context
> >   *
> >   * Description:
> >   * Attempt to cache the context in @ctx, which was derived from the packet in
> > - * @skb, in the NetLabel subsystem cache.
> > + * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
> > + * already been initialized.
> >   *
> >   */
> > -static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
> > +static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
> > +				      struct context *ctx)
> >  {
> > -	struct netlbl_cache *cache = NULL;
> > -	struct netlbl_lsm_secattr secattr;
> > +	struct selinux_netlbl_cache *cache = NULL;
> >  
> > -	netlbl_secattr_init(&secattr);
> > -	secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
> > -	if (secattr.cache == NULL)
> > -		goto netlbl_cache_add_return;
> > +	secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
> > +	if (secattr->cache == NULL)
> > +		return;
> >  
> >  	cache = kzalloc(sizeof(*cache),	GFP_ATOMIC);
> >  	if (cache == NULL)
> > -		goto netlbl_cache_add_return;
> > +		return;
> >  
> >  	cache->type = NETLBL_CACHE_T_MLS;
> >  	if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
> >  			&ctx->range.level[0].cat) != 0)
> > -		goto netlbl_cache_add_return;
> > +		return;
> >  	cache->data.mls_label.level[1].cat.highbit =
> >  		cache->data.mls_label.level[0].cat.highbit;
> >  	cache->data.mls_label.level[1].cat.node =
> > @@ -2300,52 +2300,40 @@ static void selinux_netlbl_cache_add(str
> >  	cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
> >  	cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
> >  
> > -	secattr.cache->free = selinux_netlbl_cache_free;
> > -	secattr.cache->data = (void *)cache;
> > -	secattr.flags = NETLBL_SECATTR_CACHE;
> > -
> > -	netlbl_cache_add(skb, &secattr);
> > -
> > -netlbl_cache_add_return:
> > -	netlbl_secattr_destroy(&secattr);
> > +	secattr->cache->free = security_netlbl_cache_free;
> > +	secattr->cache->data = (void *)cache;
> > +	secattr->flags |= NETLBL_SECATTR_CACHE;
> >  }
> >  
> >  /**
> > - * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
> > - *
> > - * Description:
> > - * Invalidate the NetLabel security attribute mapping cache.
> > - *
> > - */
> > -void selinux_netlbl_cache_invalidate(void)
> > -{
> > -	netlbl_cache_invalidate();
> > -}
> > -
> > -/**
> > - * selinux_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
> > - * @skb: the network packet
> > + * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
> >   * @secattr: the NetLabel packet security attributes
> >   * @base_sid: the SELinux SID to use as a context for MLS only attributes
> >   * @sid: the SELinux SID
> >   *
> >   * Description:
> > - * Convert the given NetLabel packet security attributes in @secattr into a
> > + * Convert the given NetLabel security attributes in @secattr into a
> >   * SELinux SID.  If the @secattr field does not contain a full SELinux
> > - * SID/context then use the context in @base_sid as the foundation.  If @skb
> > - * is not NULL attempt to cache as much data as possibile.  Returns zero on
> > - * success, negative values on failure.
> > + * SID/context then use the context in @base_sid as the foundation.  If
> > + * possibile the 'cache' field of @secattr is set and the CACHE flag is set;
> > + * this is to allow the @secattr to be used by NetLabel to cache the secattr to
> > + * SID conversion for future lookups.  Returns zero on success, negative
> > + * values on failure.
> >   *
> >   */
> > -static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
> > -					 struct netlbl_lsm_secattr *secattr,
> > -					 u32 base_sid,
> > -					 u32 *sid)
> > +int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
> > +				   u32 base_sid,
> > +				   u32 *sid)
> >  {
> >  	int rc = -EIDRM;
> >  	struct context *ctx;
> >  	struct context ctx_new;
> > -	struct netlbl_cache *cache;
> > +	struct selinux_netlbl_cache *cache;
> > +
> > +	if (!ss_initialized) {
> > +		*sid = SECSID_NULL;
> > +		return 0;
> > +	}
> >  
> >  	POLICY_RDLOCK;
> >  
> > @@ -2410,8 +2398,8 @@ static int selinux_netlbl_secattr_to_sid
> >  		if (rc != 0)
> >  			goto netlbl_secattr_to_sid_return_cleanup;
> >  
> > -		if (skb != NULL)
> > -			selinux_netlbl_cache_add(skb, &ctx_new);
> > +		security_netlbl_cache_add(secattr, &ctx_new);
> > +
> >  		ebitmap_destroy(&ctx_new.range.level[0].cat);
> >  	} else {
> >  		*sid = SECSID_NULL;
> > @@ -2427,338 +2415,43 @@ netlbl_secattr_to_sid_return_cleanup:
> >  }
> >  
> >  /**
> > - * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
> > - * @skb: the packet
> > - * @base_sid: the SELinux SID to use as a context for MLS only attributes
> > - * @sid: the SID
> > - *
> > - * Description:
> > - * Call the NetLabel mechanism to get the security attributes of the given
> > - * packet and use those attributes to determine the correct context/SID to
> > - * assign to the packet.  Returns zero on success, negative values on failure.
> > - *
> > - */
> > -int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
> > -{
> > -	int rc;
> > -	struct netlbl_lsm_secattr secattr;
> > -
> > -	netlbl_secattr_init(&secattr);
> > -	rc = netlbl_skbuff_getattr(skb, &secattr);
> > -	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
> > -		rc = selinux_netlbl_secattr_to_sid(skb,
> > -						   &secattr,
> > -						   base_sid,
> > -						   sid);
> > -	else
> > -		*sid = SECSID_NULL;
> > -	netlbl_secattr_destroy(&secattr);
> > -
> > -	return rc;
> > -}
> > -
> > -/**
> > - * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
> > - * @sock: the socket to label
> > - * @sid: the SID to use
> > + * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
> > + * @sid: the SELinux SID
> > + * @secattr: the NetLabel packet security attributes
> >   *
> >   * Description:
> > - * Attempt to label a socket using the NetLabel mechanism using the given
> > - * SID.  Returns zero values on success, negative values on failure.  The
> > - * caller is responsibile for calling rcu_read_lock() before calling this
> > - * this function and rcu_read_unlock() after this function returns.
> > + * Convert the given SELinux SID in @sid into a NetLabel security attribute.
> > + * Returns zero on success, negative values on failure.
> >   *
> >   */
> > -static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
> > +int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
> >  {
> >  	int rc = -ENOENT;
> > -	struct sk_security_struct *sksec = sock->sk->sk_security;
> > -	struct netlbl_lsm_secattr secattr;
> >  	struct context *ctx;
> >  
> > +	netlbl_secattr_init(secattr);
> > +
> >  	if (!ss_initialized)
> >  		return 0;
> >  
> > -	netlbl_secattr_init(&secattr);
> > -
> >  	POLICY_RDLOCK;
> > -
> >  	ctx = sidtab_search(&sidtab, sid);
> >  	if (ctx == NULL)
> > -		goto netlbl_socket_setsid_return;
> > -
> > -	secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
> > -				 GFP_ATOMIC);
> > -	secattr.flags |= NETLBL_SECATTR_DOMAIN;
> > -	mls_export_netlbl_lvl(ctx, &secattr);
> > -	rc = mls_export_netlbl_cat(ctx, &secattr);
> > +		goto netlbl_sid_to_secattr_failure;
> > +	secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
> > +				  GFP_ATOMIC);
> > +	secattr->flags |= NETLBL_SECATTR_DOMAIN;
> > +	mls_export_netlbl_lvl(ctx, secattr);
> > +	rc = mls_export_netlbl_cat(ctx, secattr);
> >  	if (rc != 0)
> > -		goto netlbl_socket_setsid_return;
> > -
> > -	rc = netlbl_socket_setattr(sock, &secattr);
> > -	if (rc == 0) {
> > -		spin_lock_bh(&sksec->nlbl_lock);
> > -		sksec->nlbl_state = NLBL_LABELED;
> > -		spin_unlock_bh(&sksec->nlbl_lock);
> > -	}
> > -
> > -netlbl_socket_setsid_return:
> > +		goto netlbl_sid_to_secattr_failure;
> >  	POLICY_RDUNLOCK;
> > -	netlbl_secattr_destroy(&secattr);
> > -	return rc;
> > -}
> > -
> > -/**
> > - * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
> > - * @ssec: the sk_security_struct
> > - * @family: the socket family
> > - *
> > - * Description:
> > - * Called when the NetLabel state of a sk_security_struct needs to be reset.
> > - * The caller is responsibile for all the NetLabel sk_security_struct locking.
> > - *
> > - */
> > -void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
> > -				      int family)
> > -{
> > -        if (family == PF_INET)
> > -		ssec->nlbl_state = NLBL_REQUIRE;
> > -	else
> > -		ssec->nlbl_state = NLBL_UNSET;
> > -}
> > -
> > -/**
> > - * selinux_netlbl_sk_security_init - Setup the NetLabel fields
> > - * @ssec: the sk_security_struct
> > - * @family: the socket family
> > - *
> > - * Description:
> > - * Called when a new sk_security_struct is allocated to initialize the NetLabel
> > - * fields.
> > - *
> > - */
> > -void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
> > -				     int family)
> > -{
> > -	/* No locking needed, we are the only one who has access to ssec */
> > -	selinux_netlbl_sk_security_reset(ssec, family);
> > -	spin_lock_init(&ssec->nlbl_lock);
> > -}
> > -
> > -/**
> > - * selinux_netlbl_sk_security_clone - Copy the NetLabel fields
> > - * @ssec: the original sk_security_struct
> > - * @newssec: the cloned sk_security_struct
> > - *
> > - * Description:
> > - * Clone the NetLabel specific sk_security_struct fields from @ssec to
> > - * @newssec.
> > - *
> > - */
> > -void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
> > -				      struct sk_security_struct *newssec)
> > -{
> > -	/* We don't need to take newssec->nlbl_lock because we are the only
> > -	 * thread with access to newssec, but we do need to take the RCU read
> > -	 * lock as other threads could have access to ssec */
> > -	rcu_read_lock();
> > -	selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family);
> > -	newssec->sclass = ssec->sclass;
> > -	rcu_read_unlock();
> > -}
> >  
> > -/**
> > - * selinux_netlbl_socket_post_create - Label a socket using NetLabel
> > - * @sock: the socket to label
> > - *
> > - * Description:
> > - * Attempt to label a socket using the NetLabel mechanism using the given
> > - * SID.  Returns zero values on success, negative values on failure.
> > - *
> > - */
> > -int selinux_netlbl_socket_post_create(struct socket *sock)
> > -{
> > -	int rc = 0;
> > -	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
> > -	struct sk_security_struct *sksec = sock->sk->sk_security;
> > -
> > -	sksec->sclass = isec->sclass;
> > -
> > -	rcu_read_lock();
> > -	if (sksec->nlbl_state == NLBL_REQUIRE)
> > -		rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
> > -	rcu_read_unlock();
> > -
> > -	return rc;
> > -}
> > -
> > -/**
> > - * selinux_netlbl_sock_graft - Netlabel the new socket
> > - * @sk: the new connection
> > - * @sock: the new socket
> > - *
> > - * Description:
> > - * The connection represented by @sk is being grafted onto @sock so set the
> > - * socket's NetLabel to match the SID of @sk.
> > - *
> > - */
> > -void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
> > -{
> > -	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
> > -	struct sk_security_struct *sksec = sk->sk_security;
> > -	struct netlbl_lsm_secattr secattr;
> > -	u32 nlbl_peer_sid;
> > -
> > -	sksec->sclass = isec->sclass;
> > -
> > -	rcu_read_lock();
> > -
> > -	if (sksec->nlbl_state != NLBL_REQUIRE) {
> > -		rcu_read_unlock();
> > -		return;
> > -	}
> > -
> > -	netlbl_secattr_init(&secattr);
> > -	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
> > -	    secattr.flags != NETLBL_SECATTR_NONE &&
> > -	    selinux_netlbl_secattr_to_sid(NULL,
> > -					  &secattr,
> > -					  SECINITSID_UNLABELED,
> > -					  &nlbl_peer_sid) == 0)
> > -		sksec->peer_sid = nlbl_peer_sid;
> > -	netlbl_secattr_destroy(&secattr);
> > -
> > -	/* Try to set the NetLabel on the socket to save time later, if we fail
> > -	 * here we will pick up the pieces in later calls to
> > -	 * selinux_netlbl_inode_permission(). */
> > -	selinux_netlbl_socket_setsid(sock, sksec->sid);
> > -
> > -	rcu_read_unlock();
> > -}
> > -
> > -/**
> > - * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
> > - * @inode: the file descriptor's inode
> > - * @mask: the permission mask
> > - *
> > - * Description:
> > - * Looks at a file's inode and if it is marked as a socket protected by
> > - * NetLabel then verify that the socket has been labeled, if not try to label
> > - * the socket now with the inode's SID.  Returns zero on success, negative
> > - * values on failure.
> > - *
> > - */
> > -int selinux_netlbl_inode_permission(struct inode *inode, int mask)
> > -{
> > -	int rc;
> > -	struct sk_security_struct *sksec;
> > -	struct socket *sock;
> > -
> > -	if (!S_ISSOCK(inode->i_mode) ||
> > -	    ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
> > -		return 0;
> > -	sock = SOCKET_I(inode);
> > -	sksec = sock->sk->sk_security;
> > -
> > -	rcu_read_lock();
> > -	if (sksec->nlbl_state != NLBL_REQUIRE) {
> > -		rcu_read_unlock();
> > -		return 0;
> > -	}
> > -	local_bh_disable();
> > -	bh_lock_sock_nested(sock->sk);
> > -	rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
> > -	bh_unlock_sock(sock->sk);
> > -	local_bh_enable();
> > -	rcu_read_unlock();
> > -
> > -	return rc;
> > -}
> > -
> > -/**
> > - * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
> > - * @sksec: the sock's sk_security_struct
> > - * @skb: the packet
> > - * @ad: the audit data
> > - *
> > - * Description:
> > - * Fetch the NetLabel security attributes from @skb and perform an access check
> > - * against the receiving socket.  Returns zero on success, negative values on
> > - * error.
> > - *
> > - */
> > -int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
> > -				struct sk_buff *skb,
> > -				struct avc_audit_data *ad)
> > -{
> > -	int rc;
> > -	u32 netlbl_sid;
> > -	u32 recv_perm;
> > -
> > -	rc = selinux_netlbl_skbuff_getsid(skb,
> > -					  SECINITSID_UNLABELED,
> > -					  &netlbl_sid);
> > -	if (rc != 0)
> > -		return rc;
> > -
> > -	if (netlbl_sid == SECSID_NULL)
> > -		return 0;
> > -
> > -	switch (sksec->sclass) {
> > -	case SECCLASS_UDP_SOCKET:
> > -		recv_perm = UDP_SOCKET__RECVFROM;
> > -		break;
> > -	case SECCLASS_TCP_SOCKET:
> > -		recv_perm = TCP_SOCKET__RECVFROM;
> > -		break;
> > -	default:
> > -		recv_perm = RAWIP_SOCKET__RECVFROM;
> > -	}
> > -
> > -	rc = avc_has_perm(sksec->sid,
> > -			  netlbl_sid,
> > -			  sksec->sclass,
> > -			  recv_perm,
> > -			  ad);
> > -	if (rc == 0)
> > -		return 0;
> > -
> > -	netlbl_skbuff_err(skb, rc);
> > -	return rc;
> > -}
> > -
> > -/**
> > - * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
> > - * @sock: the socket
> > - * @level: the socket level or protocol
> > - * @optname: the socket option name
> > - *
> > - * Description:
> > - * Check the setsockopt() call and if the user is trying to replace the IP
> > - * options on a socket and a NetLabel is in place for the socket deny the
> > - * access; otherwise allow the access.  Returns zero when the access is
> > - * allowed, -EACCES when denied, and other negative values on error.
> > - *
> > - */
> > -int selinux_netlbl_socket_setsockopt(struct socket *sock,
> > -				     int level,
> > -				     int optname)
> > -{
> > -	int rc = 0;
> > -	struct sk_security_struct *sksec = sock->sk->sk_security;
> > -	struct netlbl_lsm_secattr secattr;
> > -
> > -	rcu_read_lock();
> > -	if (level == IPPROTO_IP && optname == IP_OPTIONS &&
> > -	    sksec->nlbl_state == NLBL_LABELED) {
> > -		netlbl_secattr_init(&secattr);
> > -		rc = netlbl_socket_getattr(sock, &secattr);
> > -		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
> > -			rc = -EACCES;
> > -		netlbl_secattr_destroy(&secattr);
> > -	}
> > -	rcu_read_unlock();
> > +	return 0;
> >  
> > +netlbl_sid_to_secattr_failure:
> > +	POLICY_RDUNLOCK;
> > +	netlbl_secattr_destroy(secattr);
> >  	return rc;
> >  }
> >  #endif /* CONFIG_NETLABEL */
> > 
> > --
> > paul moore
> > linux security @ hp
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC 3/4] SELinux: extract the NetLabel SELinux support from the security server

[Paul Moore]

On Thursday 01 March 2007 7:52:36 am Stephen Smalley wrote:
> On Thu, 2007-03-01 at 07:40 -0500, Stephen Smalley wrote:
> > On Wed, 2007-02-28 at 15:14 -0500, Paul Moore wrote:
> > > plain text document attachment (selinux-isolate_netlabel)
> > > Up until this patch the functions which have provided NetLabel support
> > > to SELinux have been integrated into the SELinux security server, which
> > > for various reasons is not really ideal.  This patch makes an effort to
> > > extract as much of the NetLabel support from the security server as
> > > possibile and move it into it's own file within the SELinux directory
> > > structure.
> >
> > Thanks, this looks much better, and helps keep the security server
> > interface as an abstract security interface.  Is there any reason you
> > didn't also move security_skb_extlbl_sid() out from the security server?
> > It seems to be a lingering case where the security server directly acts
> > on a kernel object rather than a security abstraction.
>
> It isn't NetLabel-specific, but appears that it could easily just be a
> helper function in hooks.c itself.

That is why I didn't move it, I was focusing on the NetLabel specific bits.  
However, I agree, it probably would make more sense to move that out to 
hooks.c.

I'll throw together another patch and send it out later today.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.