From: Paul Moore <paul.moore@hp.com>
To: selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org,
netdev@vger.kernel.org
Subject: [RFC PATCH v6 06/16] selinux: Fix missing calls to netlbl_skbuff_err()
Date: Tue, 16 Sep 2008 08:56:26 -0400 [thread overview]
Message-ID: <20080916125626.17132.28675.stgit@flek.lan> (raw)
In-Reply-To: <20080916124722.17132.38741.stgit@flek.lan>
At some point I think I messed up and dropped the calls to netlbl_skbuff_err()
which are necessary for CIPSO to send error notifications to remote systems.
This patch re-introduces the error handling calls into the SELinux code.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
---
include/net/netlabel.h | 6 ++++--
net/netlabel/netlabel_kapi.c | 5 +++--
security/selinux/hooks.c | 19 +++++++++++++++----
security/selinux/include/netlabel.h | 9 +++++++++
security/selinux/netlabel.c | 20 +++++++++++++++++++-
5 files changed, 50 insertions(+), 9 deletions(-)
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 5303749..e16db09 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -382,7 +382,7 @@ int netlbl_sock_getattr(struct sock *sk,
int netlbl_skbuff_getattr(const struct sk_buff *skb,
u16 family,
struct netlbl_lsm_secattr *secattr);
-void netlbl_skbuff_err(struct sk_buff *skb, int error);
+void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway);
/*
* LSM label mapping cache operations
@@ -454,7 +454,9 @@ static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
{
return -ENOSYS;
}
-static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)
+static inline void netlbl_skbuff_err(struct sk_buff *skb,
+ int error,
+ int gateway)
{
return;
}
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 6c211fe..22faba6 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -490,6 +490,7 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb,
* netlbl_skbuff_err - Handle a LSM error on a sk_buff
* @skb: the packet
* @error: the error code
+ * @gateway: true if host is acting as a gateway, false otherwise
*
* Description:
* Deal with a LSM problem when handling the packet in @skb, typically this is
@@ -497,10 +498,10 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb,
* according to the packet's labeling protocol.
*
*/
-void netlbl_skbuff_err(struct sk_buff *skb, int error)
+void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway)
{
if (CIPSO_V4_OPTEXIST(skb))
- cipso_v4_error(skb, error, 0);
+ cipso_v4_error(skb, error, gateway);
}
/**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b520667..a91146a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4101,6 +4101,8 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
return err;
err = avc_has_perm(sk_sid, peer_sid,
SECCLASS_PEER, PEER__RECV, &ad);
+ if (err)
+ selinux_netlbl_err(skb, err, 0);
} else {
err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
if (err)
@@ -4156,10 +4158,14 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
return err;
err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
peer_sid, &ad);
- if (err)
+ if (err) {
+ selinux_netlbl_err(skb, err, 0);
return err;
+ }
err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
PEER__RECV, &ad);
+ if (err)
+ selinux_netlbl_err(skb, err, 0);
}
if (secmark_active) {
@@ -4396,6 +4402,7 @@ out:
static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
u16 family)
{
+ int err;
char *addrp;
u32 peer_sid;
struct avc_audit_data ad;
@@ -4419,10 +4426,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
return NF_DROP;
- if (peerlbl_active)
- if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
- peer_sid, &ad) != 0)
+ if (peerlbl_active) {
+ err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
+ peer_sid, &ad);
+ if (err) {
+ selinux_netlbl_err(skb, err, 1);
return NF_DROP;
+ }
+ }
if (secmark_active)
if (avc_has_perm(peer_sid, skb->secmark,
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 487a7d8..d4e3ac8 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -39,6 +39,8 @@
#ifdef CONFIG_NETLABEL
void selinux_netlbl_cache_invalidate(void);
+void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway);
+
void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
int family);
@@ -63,6 +65,13 @@ static inline void selinux_netlbl_cache_invalidate(void)
return;
}
+static inline void selinux_netlbl_err(struct sk_buff *skb,
+ int error,
+ int gateway)
+{
+ return;
+}
+
static inline void selinux_netlbl_sk_security_reset(
struct sk_security_struct *ssec,
int family)
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index b9ce5fc..4053f7f 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -108,6 +108,24 @@ void selinux_netlbl_cache_invalidate(void)
}
/**
+ * selinux_netlbl_err - Handle a NetLabel packet error
+ * @skb: the packet
+ * @error: the error code
+ * @gateway: true if host is acting as a gateway, false otherwise
+ *
+ * Description:
+ * When a packet is dropped due to a call to avc_has_perm() pass the error
+ * code to the NetLabel subsystem so any protocol specific processing can be
+ * done. This is safe to call even if you are unsure if NetLabel labeling is
+ * present on the packet, NetLabel is smart enough to only act when it should.
+ *
+ */
+void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway)
+{
+ netlbl_skbuff_err(skb, error, gateway);
+}
+
+/**
* selinux_netlbl_sk_security_reset - Reset the NetLabel fields
* @ssec: the sk_security_struct
* @family: the socket family
@@ -289,7 +307,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
return 0;
if (nlbl_sid != SECINITSID_UNLABELED)
- netlbl_skbuff_err(skb, rc);
+ netlbl_skbuff_err(skb, rc, 0);
return rc;
}
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2008-09-16 12:56 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-16 12:55 [RFC PATCH v6 00/16] Labeled networking patches for 2.6.28 Paul Moore
2008-09-16 12:55 ` [RFC PATCH v6 01/16] selinux: Cleanup the NetLabel glue code Paul Moore
2008-10-01 1:35 ` James Morris
2008-10-01 16:34 ` Paul Moore
2008-09-16 12:56 ` [RFC PATCH v6 02/16] selinux: Correctly handle IPv4 packets on IPv6 sockets in all cases Paul Moore
2008-10-01 1:36 ` James Morris
2008-10-01 16:37 ` Paul Moore
2008-09-16 12:56 ` [RFC PATCH v6 03/16] netlabel: Remove unneeded in-kernel API functions Paul Moore
2008-10-01 1:38 ` James Morris
2008-09-16 12:56 ` [RFC PATCH v6 04/16] selinux: Better local/forward check in selinux_ip_postroute() Paul Moore
2008-10-01 1:43 ` James Morris
2008-10-01 16:41 ` Paul Moore
2008-09-16 12:56 ` [RFC PATCH v6 05/16] selinux: Fix a problem in security_netlbl_sid_to_secattr() Paul Moore
2008-09-16 12:56 ` Paul Moore [this message]
2008-09-16 12:56 ` [RFC PATCH v6 07/16] smack: Fix missing calls to netlbl_skbuff_err() Paul Moore
2008-09-16 12:56 ` [RFC PATCH v6 08/16] netlabel: Replace protocol/NetLabel linking with refrerence counts Paul Moore
2008-10-01 9:01 ` James Morris
2008-09-16 12:56 ` [RFC PATCH v6 09/16] netlabel: Add a generic way to create ordered linked lists of network addrs Paul Moore
2008-10-01 9:09 ` James Morris
2008-09-16 12:56 ` [RFC PATCH v6 10/16] netlabel: Add network address selectors to the NetLabel/LSM domain mapping Paul Moore
2008-10-01 9:14 ` James Morris
2008-09-16 12:57 ` [RFC PATCH v6 11/16] netlabel: Add functionality to set the security attributes of a packet Paul Moore
2008-10-01 9:55 ` James Morris
2008-10-01 16:51 ` Paul Moore
2008-09-16 12:57 ` [RFC PATCH v6 12/16] selinux: Set socket NetLabel based on connection endpoint Paul Moore
2008-10-01 10:00 ` James Morris
2008-10-01 14:51 ` Joe Nall
2008-10-01 15:09 ` Paul Moore
2008-09-16 12:57 ` [RFC PATCH v6 13/16] selinux: Cache NetLabel secattrs in the socket's security struct Paul Moore
2008-09-16 12:57 ` [RFC PATCH v6 14/16] netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts Paul Moore
2008-09-16 12:57 ` [RFC PATCH v6 15/16] cipso: Add support for native local labeling and fixup mapping names Paul Moore
2008-10-01 10:09 ` James Morris
2008-10-01 17:05 ` Paul Moore
2008-10-01 22:12 ` James Morris
2008-10-02 2:13 ` Paul Moore
2008-09-16 12:57 ` [RFC PATCH v6 16/16] netlabel: Add configuration support for local labeling Paul Moore
2008-10-01 10:13 ` James Morris
2008-10-01 16:54 ` Paul Moore
2008-09-16 13:15 ` [RFC PATCH v6 00/16] Labeled networking patches for 2.6.28 Paul Moore
2008-09-17 4:01 ` Casey Schaufler
2008-10-01 1:34 ` James Morris
2008-10-01 16:24 ` Paul Moore
2008-10-01 22:14 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080916125626.17132.28675.stgit@flek.lan \
--to=paul.moore@hp.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.