From: Venkat Yekkirala <vyekkirala@TrustedCS.com>
To: selinux@tycho.nsa.gov, paul.moore@hp.com, sds@tycho.nsa.gov,
	jmorris@namei.org
Subject: [RFC] [PATCH 2/4] Define new LSM hooks
Date: Tue, 18 Sep 2007 12:31:46 -0500	[thread overview]
Message-ID: <46F00B82.3030901@trustedcs.com> (raw)

This defines an LSM hook for flow_out checks. It also
marks the places where NetLabel integration would label
the outgoing flow, when a packet being forwarded has used
NetLabel or has to use a fallback label, so that the
appropriate xfrms are selected.

diff --git a/include/linux/security.h b/include/linux/security.h
index 1a15526..f0b5ee5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -831,6 +831,8 @@ struct request_sock;
  *     Sets the connection's peersid to the secmark on skb.
  * @req_classify_flow:
  *	Sets the flow's sid to the openreq sid.
+ * @skb_flow_out:
+ *	Determines if an skb can flow out per LSM policy.
  *
  * Security hooks for XFRM operations.
  *
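Review bot: The new @skb_flow_out entry states neither what its arguments mean nor what its return value signals, although the hook is declared `int (*skb_flow_out)(struct sk_buff *skb, int family)` further down and both stub implementations in this patch return 0. A reader of this header cannot tell whether 0 means "permitted" or what @family denotes, which is the information an LSM author needs when implementing the hook. Suggest extending the entry with `@skb contains the packet about to leave the host.`, `@family contains the protocol family of the packet.` and `Return 0 if the flow is permitted, a negative error otherwise.`, in the style the surrounding hook descriptions appear to use for multi-line entries. The hook's position in the output or forwarding path is not visible in this patch, so the description should also say where it is invoked once that is settled.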
@@ -1370,6 +1372,7 @@ struct security_operations {
 	void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
 	void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb);
 	void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
+	int (*skb_flow_out)(struct sk_buff *skb, int family);
 #endif	/* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
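Review bot: The hook takes `int family`, but the forwarding routine this series is targeting, `__xfrm_route_forward` in the net/xfrm/xfrm_policy.c hunk, carries `unsigned short family`; the implicit widening is harmless, but the same mismatch is repeated by the `security_skb_flow_out` wrappers and by `dummy_skb_flow_out` in security/dummy.c. Either width is defensible (other socket-level hooks in this file seem to use `int`, but I have not checked them all), so pick one and use it consistently in all four definitions. Nothing in this patch actually calls `security_skb_flow_out`; presumably a later patch in the series wires it in, and that is where the return-value convention will be fixed for good.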
@@ -2958,6 +2961,11 @@ static inline void security_req_classify_flow(const struct request_sock *req, st
 	security_ops->req_classify_flow(req, fl);
 }
 
+static inline int security_skb_flow_out(struct sk_buff *skb, int family)
+{
+	return security_ops->skb_flow_out(skb, family);
+}
+
 static inline void security_sock_graft(struct sock* sk, struct socket *parent)
 {
 	security_ops->sock_graft(sk, parent);
@@ -3115,6 +3123,11 @@ static inline void security_req_classify_flow(const struct request_sock *req, st
 {
 }
 
+static inline int security_skb_flow_out(struct sk_buff *skb, int family)
+{
+	return 0;
+}
+
 static inline void security_sock_graft(struct sock* sk, struct socket *parent)
 {
 }
@@ -3203,6 +3216,7 @@ static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
 
 static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
 {
+	/* TODO: Use NetLabel here to label flow if no labeled-ipsec in use. */
 	int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
 
 	BUG_ON(rc);
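Review bot: The TODO is placed above `xfrm_decode_session(skb, &fl->secid, 0)`, but that call writes `fl->secid`, so a NetLabel-derived label assigned at the marked spot would be overwritten immediately; the fallback labelling has to run after the call returns and only when it reports no labeled-IPsec context. Suggest moving the comment below the `BUG_ON(rc)` and stating the condition explicitly, e.g. `/* TODO: if xfrm_decode_session() found no labeled-IPsec SA, derive fl->secid from NetLabel or the fallback label here. */`. The body of `security_skb_classify_flow` continues past the end of the hunk.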
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 7012891..3755e6b 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1912,6 +1912,9 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
 	if (xfrm_decode_session(skb, &fl, family) < 0)
 		return 0;
 
+	/* TODO: In case packet didn't use labeled-ipsec coming in
+	  set fl.secid here to the NetLabel/Fallback label */
+
 	return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
 }
 EXPORT_SYMBOL(__xfrm_route_forward);
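Review bot: The added comment breaks the kernel's multi-line comment layout — the second line `set fl.secid here ...` lacks the leading ` *` — and since it is the only record of what is still missing on the forwarding path it should also be precise. The placement itself is right here, in contrast with the security.h TODO, because `xfrm_decode_session` at the top of the hunk has already filled `fl` before the marked spot. Suggest `/* TODO: if the inbound packet carried no labeled-IPsec context,` followed by ` * set fl.secid from the NetLabel or fallback label before xfrm_lookup(). */`. Until that is done, forwarded packets that arrived unlabeled are looked up with whatever secid `xfrm_decode_session` left behind — presumably 0 — so it is worth confirming that this selects the intended policy rather than silently matching a broader one.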
diff --git a/security/dummy.c b/security/dummy.c
index 853ec22..46a7fa7 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -841,6 +841,12 @@ static inline void dummy_req_classify_flow(const struct request_sock *req,
 			struct flowi *fl)
 {
 }
+
+static inline int dummy_skb_flow_out(struct sk_buff *skb, int family)
+{
+	return 0;
+}
+
 #endif	/* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1113,6 +1119,7 @@ void security_fixup_ops (struct security_operations *ops)
 	set_to_dummy_if_null(ops, inet_csk_clone);
 	set_to_dummy_if_null(ops, inet_conn_established);
 	set_to_dummy_if_null(ops, req_classify_flow);
+	set_to_dummy_if_null(ops, skb_flow_out);
  #endif	/* CONFIG_SECURITY_NETWORK */
 #ifdef  CONFIG_SECURITY_NETWORK_XFRM
 	set_to_dummy_if_null(ops, xfrm_policy_alloc_security);

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
