From: "Paul Moore" <paul.moore@hp.com>
To: selinux@tycho.nsa.gov
Cc: kaigai@ak.jp.nec.com, joe@nall.com
Subject: [RFC 3/5] NetLabel: add IP address family information to the netlbl_skbuff_getattr() function
Date: Tue, 07 Aug 2007 10:14:18 -0400 [thread overview]
Message-ID: <20070807141537.121835132@hp.com> (raw)
In-Reply-To: 20070807141415.525577324@hp.com
In order to do any sort of IP header inspection of incoming packets we need to
know which address family, AF_INET/AF_INET6/etc., it belongs to and since the
sk_buff structure does not store this information we need to pass along the
address family separate from the packet itself.
---
include/net/netlabel.h | 2 ++
net/netlabel/netlabel_kapi.c | 2 ++
security/selinux/hooks.c | 24 ++++++++++++++++++------
security/selinux/include/netlabel.h | 8 +++++++-
security/selinux/netlabel.c | 12 +++++++++---
5 files changed, 38 insertions(+), 10 deletions(-)
Index: linux-2.6_staticlbl/include/net/netlabel.h
===================================================================
--- linux-2.6_staticlbl.orig/include/net/netlabel.h
+++ linux-2.6_staticlbl/include/net/netlabel.h
@@ -366,6 +366,7 @@ int netlbl_sock_setattr(struct sock *sk,
int netlbl_sock_getattr(struct sock *sk,
struct netlbl_lsm_secattr *secattr);
int netlbl_skbuff_getattr(const struct sk_buff *skb,
+ u16 family,
struct netlbl_lsm_secattr *secattr);
void netlbl_skbuff_err(struct sk_buff *skb, int error);
@@ -418,6 +419,7 @@ static inline int netlbl_sock_getattr(st
return -ENOSYS;
}
static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
+ u16 family,
struct netlbl_lsm_secattr *secattr)
{
return -ENOSYS;
Index: linux-2.6_staticlbl/net/netlabel/netlabel_kapi.c
===================================================================
--- linux-2.6_staticlbl.orig/net/netlabel/netlabel_kapi.c
+++ linux-2.6_staticlbl/net/netlabel/netlabel_kapi.c
@@ -331,6 +331,7 @@ int netlbl_sock_getattr(struct sock *sk,
/**
* netlbl_skbuff_getattr - Determine the security attributes of a packet
* @skb: the packet
+ * @family: protocol family
* @secattr: the security attributes
*
* Description:
@@ -341,6 +342,7 @@ int netlbl_sock_getattr(struct sock *sk,
*
*/
int netlbl_skbuff_getattr(const struct sk_buff *skb,
+ u16 family,
struct netlbl_lsm_secattr *secattr)
{
if (CIPSO_V4_OPTEXIST(skb) &&
Index: linux-2.6_staticlbl/security/selinux/hooks.c
===================================================================
--- linux-2.6_staticlbl.orig/security/selinux/hooks.c
+++ linux-2.6_staticlbl/security/selinux/hooks.c
@@ -3129,6 +3129,7 @@ static int selinux_parse_skb(struct sk_b
/**
* selinux_skb_extlbl_sid - Determine the external label of a packet
* @skb: the packet
+ * @family: protocol family
* @sid: the packet's SID
*
* Description:
@@ -3141,13 +3142,16 @@ static int selinux_parse_skb(struct sk_b
* selinux_netlbl_skbuff_getsid().
*
*/
-static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+ u16 family,
+ u32 *sid)
{
u32 xfrm_sid;
u32 nlbl_sid;
selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (selinux_netlbl_skbuff_getsid(skb,
+ family,
(xfrm_sid == SECSID_NULL ?
SECINITSID_NETMSG : xfrm_sid),
&nlbl_sid) != 0)
@@ -3635,7 +3639,7 @@ static int selinux_socket_sock_rcv_skb(s
if (err)
goto out;
- err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
+ err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
if (err)
goto out;
@@ -3692,11 +3696,19 @@ static int selinux_socket_getpeersec_dgr
{
u32 peer_secid = SECSID_NULL;
int err = 0;
+ u16 family;
+
+ if (sock)
+ family = sock->sk->sk_family;
+ else if (skb->sk)
+ family = skb->sk->sk_family;
+ else
+ family = PF_UNSPEC;
- if (sock && sock->sk->sk_family == PF_UNIX)
+ if (sock && family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb)
- selinux_skb_extlbl_sid(skb, &peer_secid);
+ selinux_skb_extlbl_sid(skb, family, &peer_secid);
if (peer_secid == SECSID_NULL)
err = -EINVAL;
@@ -3757,7 +3769,7 @@ static int selinux_inet_conn_request(str
u32 newsid;
u32 peersid;
- selinux_skb_extlbl_sid(skb, &peersid);
+ selinux_skb_extlbl_sid(skb, sk->sk_family, &peersid);
if (peersid == SECSID_NULL) {
req->secid = sksec->sid;
req->peer_secid = SECSID_NULL;
@@ -3795,7 +3807,7 @@ static void selinux_inet_conn_establishe
{
struct sk_security_struct *sksec = sk->sk_security;
- selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
+ selinux_skb_extlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
}
static void selinux_req_classify_flow(const struct request_sock *req,
Index: linux-2.6_staticlbl/security/selinux/include/netlabel.h
===================================================================
--- linux-2.6_staticlbl.orig/security/selinux/include/netlabel.h
+++ linux-2.6_staticlbl/security/selinux/include/netlabel.h
@@ -46,13 +46,17 @@ void selinux_netlbl_sk_security_init(str
void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
struct sk_security_struct *newssec);
-int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+ u16 family,
+ u32 base_sid,
+ u32 *sid);
void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
int selinux_netlbl_socket_post_create(struct socket *sock);
int selinux_netlbl_inode_permission(struct inode *inode, int mask);
int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
struct sk_buff *skb,
+ u16 family,
struct avc_audit_data *ad);
int selinux_netlbl_socket_setsockopt(struct socket *sock,
int level,
@@ -83,6 +87,7 @@ static inline void selinux_netlbl_sk_sec
}
static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+ u16 family,
u32 base_sid,
u32 *sid)
{
@@ -106,6 +111,7 @@ static inline int selinux_netlbl_inode_p
}
static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
struct sk_buff *skb,
+ u16 family,
struct avc_audit_data *ad)
{
return 0;
Index: linux-2.6_staticlbl/security/selinux/netlabel.c
===================================================================
--- linux-2.6_staticlbl.orig/security/selinux/netlabel.c
+++ linux-2.6_staticlbl/security/selinux/netlabel.c
@@ -141,6 +141,7 @@ void selinux_netlbl_sk_security_clone(st
/**
* selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
* @skb: the packet
+ * @family: protocol family
* @base_sid: the SELinux SID to use as a context for MLS only attributes
* @sid: the SID
*
@@ -150,7 +151,10 @@ void selinux_netlbl_sk_security_clone(st
* assign to the packet. Returns zero on success, negative values on failure.
*
*/
-int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+ u16 family,
+ u32 base_sid,
+ u32 *sid)
{
int rc;
struct netlbl_lsm_secattr secattr;
@@ -161,7 +165,7 @@ int selinux_netlbl_skbuff_getsid(struct
}
netlbl_secattr_init(&secattr);
- rc = netlbl_skbuff_getattr(skb, &secattr);
+ rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
if (rc == 0 &&
@@ -289,6 +293,7 @@ int selinux_netlbl_inode_permission(stru
* selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
* @sksec: the sock's sk_security_struct
* @skb: the packet
+ * @family: protocol family
* @ad: the audit data
*
* Description:
@@ -299,6 +304,7 @@ int selinux_netlbl_inode_permission(stru
*/
int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
struct sk_buff *skb,
+ u16 family,
struct avc_audit_data *ad)
{
int rc;
@@ -310,7 +316,7 @@ int selinux_netlbl_sock_rcv_skb(struct s
return 0;
netlbl_secattr_init(&secattr);
- rc = netlbl_skbuff_getattr(skb, &secattr);
+ rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
rc = security_netlbl_secattr_to_sid(&secattr,
SECINITSID_NETMSG,
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-08-07 14:16 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-07 14:14 [RFC 0/5] Static/fallback external labels for NetLabel Paul Moore
2007-08-07 14:14 ` [RFC 1/5] SELinux: add secctx_to_secid() LSM hook Paul Moore
2007-08-07 14:14 ` [RFC 2/5] NetLabel: Add secid token support to the NetLabel secattr struct Paul Moore
2007-08-07 14:14 ` Paul Moore [this message]
2007-08-07 14:14 ` [RFC 4/5] NetLabel: introduce static network labels for unlabeled connections Paul Moore
2007-08-07 14:14 ` [RFC 5/5] NetLabel: add auditing to the static labeling mechanism Paul Moore
2007-08-09 10:57 ` [RFC 0/5] Static/fallback external labels for NetLabel KaiGai Kohei
2007-08-09 11:48 ` Paul Moore
2007-08-09 12:42 ` Stephen Smalley
2007-08-09 13:29 ` Paul Moore
2007-08-09 13:54 ` Stephen Smalley
2007-08-09 14:48 ` Paul Moore
2007-08-09 15:49 ` James Morris
2007-08-09 16:01 ` Stephen Smalley
2007-08-09 22:35 ` Paul Moore
2007-08-09 13:59 ` James Morris
2007-08-09 14:50 ` Paul Moore
2007-08-09 15:13 ` Stephen Smalley
2007-08-09 14:41 ` Darrel Goeddel
2007-08-09 14:57 ` Paul Moore
2007-08-09 15:07 ` Darrel Goeddel
2007-08-09 15:32 ` Casey Schaufler
2007-08-09 15:39 ` Stephen Smalley
2007-08-09 16:16 ` Casey Schaufler
2007-08-09 14:09 ` Darrel Goeddel
2007-08-09 14:24 ` James Morris
2007-08-09 16:42 ` Darrel Goeddel
2007-08-09 19:20 ` Joe Nall
2007-08-09 19:47 ` Darrel Goeddel
2007-08-09 20:12 ` Joe Nall
2007-08-09 21:15 ` Stephen Smalley
2007-08-09 21:18 ` Darrel Goeddel
2007-08-09 22:48 ` Paul Moore
2007-08-09 20:17 ` Paul Moore
2007-08-09 14:53 ` Paul Moore
2007-08-09 16:08 ` Darrel Goeddel
2007-08-09 22:55 ` Darrel Goeddel
2007-08-10 16:49 ` James Morris
2007-08-14 14:47 ` Darrel Goeddel
2007-08-15 4:24 ` James Morris
2007-08-15 22:35 ` Darrel Goeddel
2007-08-16 15:04 ` James Morris
2007-08-24 16:31 ` Paul Moore
2007-08-24 18:34 ` James Morris
2007-08-24 19:02 ` Casey Schaufler
2007-08-24 19:49 ` Paul Moore
2007-08-24 20:17 ` James Morris
2007-08-24 20:24 ` Paul Moore
2007-08-24 20:47 ` Joshua Brindle
2007-08-24 20:42 ` Casey Schaufler
2007-08-24 21:10 ` Paul Moore
2007-08-24 21:37 ` Casey Schaufler
2007-08-24 20:29 ` Joshua Brindle
2007-08-28 14:03 ` Darrel Goeddel
2007-08-28 15:16 ` Paul Moore
2007-08-09 15:48 ` Casey Schaufler
2007-08-09 19:38 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070807141537.121835132@hp.com \
--to=paul.moore@hp.com \
--cc=joe@nall.com \
--cc=kaigai@ak.jp.nec.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.