All of lore.kernel.org
 help / color / mirror / Atom feed
* [RFC] NetLabel: shift to using SECINITSID_UNLABLED as a base
@ 2006-10-05 13:38 Paul Moore
  2006-10-05 15:33 ` Paul Moore
  0 siblings, 1 reply; 3+ messages in thread
From: Paul Moore @ 2006-10-05 13:38 UTC (permalink / raw)
  To: selinux list, Stephen Smalley; +Cc: Venkat Yekkirala, James Morris, Eric Paris

This patch changes NetLabel from using SECINITSID_NETMSG and the parent socket's
SID as the for the TE portion of the NetLabel context to now use
SECINITSID_UNLABELED.  This should address the issues brought up yesterday.
Please take a look and let me know if this what you had in mind; if it is
acceptable I'll repost this for inclusion.

This patch is independent of the secid patches and should be treated as a bugfix
for 2.6.19.  A similar patch to deal with the secid case will be coming later today.

Index: net-2.6_bugfix/security/selinux/ss/services.c
===================================================================
--- net-2.6_bugfix.orig/security/selinux/ss/services.c
+++ net-2.6_bugfix/security/selinux/ss/services.c
@@ -2331,7 +2331,7 @@ static int selinux_netlbl_secattr_to_sid
                        selinux_netlbl_cache_add(skb, &ctx_new);
                ebitmap_destroy(&ctx_new.range.level[0].cat);
        } else {
-               *sid = SECINITSID_UNLABELED;
+               *sid = SECSID_NULL;
                rc = 0;
        }

@@ -2514,7 +2514,7 @@ void selinux_netlbl_sock_graft(struct so
        if (netlbl_sock_getattr(sk, &secattr) == 0 &&
            selinux_netlbl_secattr_to_sid(NULL,
                                          &secattr,
-                                         sksec->sid,
+                                         SECINITSID_UNLABELED,
                                          &nlbl_peer_sid) == 0)
                sksec->peer_sid = nlbl_peer_sid;
        netlbl_secattr_destroy(&secattr, 0);
@@ -2547,9 +2547,6 @@ u32 selinux_netlbl_inet_conn_request(str
        if (rc != 0)
                return SECSID_NULL;

-       if (peer_sid == SECINITSID_UNLABELED)
-               return SECSID_NULL;
-
        return peer_sid;
 }

@@ -2611,11 +2608,13 @@ int selinux_netlbl_sock_rcv_skb(struct s
        u32 netlbl_sid;
        u32 recv_perm;

-       rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &netlbl_sid);
+       rc = selinux_netlbl_skbuff_getsid(skb,
+                                         SECINITSID_UNLABELED,
+                                         &netlbl_sid);
        if (rc != 0)
                return rc;

-       if (netlbl_sid == SECINITSID_UNLABELED)
+       if (netlbl_sid == SECSID_NULL)
                return 0;

        switch (sksec->sclass) {
@@ -2653,10 +2652,6 @@ int selinux_netlbl_sock_rcv_skb(struct s
 u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
 {
        struct sk_security_struct *sksec = sock->sk->sk_security;
-
-       if (sksec->peer_sid == SECINITSID_UNLABELED)
-               return SECSID_NULL;
-
        return sksec->peer_sid;
 }

@@ -2681,8 +2676,6 @@ u32 selinux_netlbl_socket_getpeersec_dgr
        isec = SOCK_INODE(sk->sk_socket)->i_security;
        if (selinux_netlbl_skbuff_getsid(skb, isec->sid, &peer_sid) != 0)
                return SECSID_NULL;
-       if (peer_sid == SECINITSID_UNLABELED)
-               return SECSID_NULL;

        return peer_sid;
 }

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [RFC] NetLabel: shift to using SECINITSID_UNLABLED as a base
  2006-10-05 13:38 [RFC] NetLabel: shift to using SECINITSID_UNLABLED as a base Paul Moore
@ 2006-10-05 15:33 ` Paul Moore
  2006-10-05 16:38   ` Paul Moore
  0 siblings, 1 reply; 3+ messages in thread
From: Paul Moore @ 2006-10-05 15:33 UTC (permalink / raw)
  To: selinux list, Stephen Smalley; +Cc: Venkat Yekkirala, James Morris, Eric Paris

Paul Moore wrote:
> This patch changes NetLabel from using SECINITSID_NETMSG and the parent socket's
> SID as the for the TE portion of the NetLabel context to now use
> SECINITSID_UNLABELED.  This should address the issues brought up yesterday.
> Please take a look and let me know if this what you had in mind; if it is
> acceptable I'll repost this for inclusion.
> 
> This patch is independent of the secid patches and should be treated as a bugfix
> for 2.6.19.  A similar patch to deal with the secid case will be coming later today.

Testing has shown that this patch is still missing a few pieces.  I'll have an
updated version later.  Sorry about that.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [RFC] NetLabel: shift to using SECINITSID_UNLABLED as a base
  2006-10-05 15:33 ` Paul Moore
@ 2006-10-05 16:38   ` Paul Moore
  0 siblings, 0 replies; 3+ messages in thread
From: Paul Moore @ 2006-10-05 16:38 UTC (permalink / raw)
  To: selinux list, Stephen Smalley; +Cc: Venkat Yekkirala, James Morris, Eric Paris

Paul Moore wrote:
> Paul Moore wrote:
> 
>>This patch changes NetLabel from using SECINITSID_NETMSG and the parent socket's
>>SID as the for the TE portion of the NetLabel context to now use
>>SECINITSID_UNLABELED.  This should address the issues brought up yesterday.
>>Please take a look and let me know if this what you had in mind; if it is
>>acceptable I'll repost this for inclusion.
>>
>>This patch is independent of the secid patches and should be treated as a bugfix
>>for 2.6.19.  A similar patch to deal with the secid case will be coming later today.
> 
> Testing has shown that this patch is still missing a few pieces.  I'll have an
> updated version later.  Sorry about that.
> 

Below is the corrected patch, note the additional changes to
selinux_netlbl_socket_getpeersec_dgram().

Index: net-2.6_bugfix/security/selinux/ss/services.c
===================================================================
--- net-2.6_bugfix.orig/security/selinux/ss/services.c
+++ net-2.6_bugfix/security/selinux/ss/services.c
@@ -2331,7 +2331,7 @@ static int selinux_netlbl_secattr_to_sid
                        selinux_netlbl_cache_add(skb, &ctx_new);
                ebitmap_destroy(&ctx_new.range.level[0].cat);
        } else {
-               *sid = SECINITSID_UNLABELED;
+               *sid = SECSID_NULL;
                rc = 0;
        }

@@ -2514,7 +2514,7 @@ void selinux_netlbl_sock_graft(struct so
        if (netlbl_sock_getattr(sk, &secattr) == 0 &&
            selinux_netlbl_secattr_to_sid(NULL,
                                          &secattr,
-                                         sksec->sid,
+                                         SECINITSID_UNLABELED,
                                          &nlbl_peer_sid) == 0)
                sksec->peer_sid = nlbl_peer_sid;
        netlbl_secattr_destroy(&secattr, 0);
@@ -2547,9 +2547,6 @@ u32 selinux_netlbl_inet_conn_request(str
        if (rc != 0)
                return SECSID_NULL;

-       if (peer_sid == SECINITSID_UNLABELED)
-               return SECSID_NULL;
-
        return peer_sid;
 }

@@ -2611,11 +2608,13 @@ int selinux_netlbl_sock_rcv_skb(struct s
        u32 netlbl_sid;
        u32 recv_perm;

-       rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &netlbl_sid);
+       rc = selinux_netlbl_skbuff_getsid(skb,
+                                         SECINITSID_UNLABELED,
+                                         &netlbl_sid);
        if (rc != 0)
                return rc;

-       if (netlbl_sid == SECINITSID_UNLABELED)
+       if (netlbl_sid == SECSID_NULL)
                return 0;

        switch (sksec->sclass) {
@@ -2653,10 +2652,6 @@ int selinux_netlbl_sock_rcv_skb(struct s
 u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
 {
        struct sk_security_struct *sksec = sock->sk->sk_security;
-
-       if (sksec->peer_sid == SECINITSID_UNLABELED)
-               return SECSID_NULL;
-
        return sksec->peer_sid;
 }

@@ -2672,16 +2667,10 @@ u32 selinux_netlbl_socket_getpeersec_str
 u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
 {
        int peer_sid;
-       struct sock *sk = skb->sk;
-       struct inode_security_struct *isec;
-
-       if (sk == NULL || sk->sk_socket == NULL)
-               return SECSID_NULL;

-       isec = SOCK_INODE(sk->sk_socket)->i_security;
-       if (selinux_netlbl_skbuff_getsid(skb, isec->sid, &peer_sid) != 0)
-               return SECSID_NULL;
-       if (peer_sid == SECINITSID_UNLABELED)
+       if (selinux_netlbl_skbuff_getsid(skb,
+                                        SECINITSID_UNLABELED,
+                                        &peer_sid) != 0)
                return SECSID_NULL;

        return peer_sid;

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-10-05 16:38 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-10-05 13:38 [RFC] NetLabel: shift to using SECINITSID_UNLABLED as a base Paul Moore
2006-10-05 15:33 ` Paul Moore
2006-10-05 16:38   ` Paul Moore

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.