netdev.vger.kernel.org archive mirror
* [PATCHSET 0/7] SECMARK 2.0
@ 2006-05-18  9:20 James Morris
From: James Morris @ 2006-05-18  9:20 UTC (permalink / raw)
  To: David S. Miller, Andrew Morton
  Cc: Patrick McHardy, Stephen Smalley, netdev, Karl MacMillan

The following patchset is an updated version of secmark, which I'd like to 
propose for inclusion in either Dave or Andrew's tree for subsequent merge 
into mainline during the 2.6.18 merge window.

Secmark implements a new scheme for adding security markings to packets 
via iptables, as well as changes to SELinux to use these markings for 
security policy enforcement.  The rationale for this scheme is explained 
and discussed in detail in the original threads: 
http://thread.gmane.org/gmane.linux.network/34927/ 
http://thread.gmane.org/gmane.linux.network/35244/

Since the last posting, I've fully separated the conntrack-related 
functionality of SECMARK into the CONNSECMARK target, following the 
original suggestion by Patrick McHardy.  This indeed keeps the code 
cleaner and only requires one extra rule per service.  I've also added a 
boot param for SELinux to control whether the new packet controls are used 
or not.

Examples of policy and rulesets, as well as a full archive of patches for 
iptables and SELinux userland, may be found at:
http://people.redhat.com/jmorris/selinux/secmark/

The code has been tested with various compilation options and in several 
scenarios, including with 'complicated' protocols such as FTP and also 
with the new generic conntrack code with IPv6 connection tracking.

I'm not sure if this would be better in Dave or Andrew's tree.  It touches 
a lot of the core networking, although not very heavily, and most of the 
Netfilter stuff is new targets.  There's already an SELinux patch in -mm 
which affects the SELinux components in this patchset (I rebased against 
current -mm because of this).

I'll send the Netfilter userland patches separately to the netfilter 
developers.

Cumulative diffstat:

 Documentation/kernel-parameters.txt          |    9 +
 include/linux/netfilter/xt_CONNSECMARK.h     |   13 +
 include/linux/netfilter/xt_SECMARK.h         |   26 ++
 include/linux/netfilter_ipv4/ip_conntrack.h  |    4 
 include/linux/selinux.h                      |   32 +++
 include/linux/skbuff.h                       |   22 ++
 include/net/netfilter/nf_conntrack.h         |    4 
 include/net/netfilter/nf_conntrack_compat.h  |   26 ++
 net/Kconfig                                  |    7 
 net/core/skbuff.c                            |    3 
 net/ipv4/ip_output.c                         |    1 
 net/ipv4/netfilter/Kconfig                   |   12 +
 net/ipv4/netfilter/ip_conntrack_core.c       |    3 
 net/ipv4/netfilter/ip_conntrack_standalone.c |    5 
 net/ipv4/netfilter/ipt_REJECT.c              |    1 
 net/ipv6/ip6_output.c                        |    1 
 net/netfilter/Kconfig                        |   32 +++
 net/netfilter/Makefile                       |    2 
 net/netfilter/nf_conntrack_core.c            |    3 
 net/netfilter/nf_conntrack_standalone.c      |    5 
 net/netfilter/xt_CONNSECMARK.c               |  155 +++++++++++++++++
 net/netfilter/xt_SECMARK.c                   |  156 +++++++++++++++++
 security/selinux/Kconfig                     |    2 
 security/selinux/exports.c                   |   22 ++
 security/selinux/hooks.c                     |  241 ++++++++++++++-------------
 security/selinux/include/av_perm_to_string.h |    3 
 security/selinux/include/av_permissions.h    |    3 
 security/selinux/include/class_to_string.h   |    1 
 security/selinux/include/flask.h             |    1 
 security/selinux/include/xfrm.h              |    2 
 security/selinux/selinuxfs.c                 |   59 ++++++
 security/selinux/xfrm.c                      |   12 -
 32 files changed, 747 insertions(+), 121 deletions(-)


-- 
James Morris
<jmorris@namei.org>
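The ruleset shape the cover letter describes (SECMARK labels a service's packets, CONNSECMARK carries the label into the connection and back onto later packets, one extra rule per service) and the matching policy rules for the new `packet` class, as an added example that is not from the posted patches or from the archive at people.redhat.com. The userland option names `--selctx`, `--save` and `--restore`, the type names `httpd_t`, `httpd_packet_t` and `iptables_t`, and the port are assumptions; the script prints the commands it would run unless `IPTABLES` is set to the real binary, so it can be reviewed without root.

```shell
#!/bin/sh
# Constructed example: mangle-table ruleset labelling one TCP service with
# SECMARK and keeping the label on the connection with CONNSECMARK.
# IPTABLES defaults to "echo iptables" so the rules are printed, not applied;
# set IPTABLES=iptables (as root) to install them.
IPTABLES=${IPTABLES:-"echo iptables"}

# Emit the two rules that label packets for one service.
#   $1  TCP port of the service
#   $2  SELinux context applied to the service's packets (assumed label name)
secmark_service_rules() {
    port=$1
    ctx=$2
    # 1. Label the packet that opens a new connection to the service.
    $IPTABLES -t mangle -A INPUT -p tcp --dport "$port" -m state --state NEW \
        -j SECMARK --selctx "$ctx"
    # 2. Copy that label from the packet into its conntrack entry (the one
    #    extra rule per service mentioned in the cover letter).
    $IPTABLES -t mangle -A INPUT -p tcp --dport "$port" -m state --state NEW \
        -j CONNSECMARK --save
}

# One generic rule per direction restores the saved label onto every later
# packet of an established (or related, e.g. FTP data) connection.
secmark_restore_rules() {
    $IPTABLES -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED \
        -j CONNSECMARK --restore
    $IPTABLES -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED \
        -j CONNSECMARK --restore
}

# Policy side (assumed type names): the daemon domain may send and receive
# packets carrying its label; only the domain that loads the ruleset may
# apply the label, which is what selinux_relabel_packet_permission() checks
# when the rule is inserted.
secmark_policy() {
    cat <<'EOF'
allow httpd_t httpd_packet_t:packet { send recv };
allow iptables_t httpd_packet_t:packet relabelto;
EOF
}

# Usage: review the rules for a web server labelled httpd_packet_t.
secmark_service_rules 80 system_u:object_r:httpd_packet_t:s0
secmark_restore_rules
secmark_policy
```

Without the `relabelto` rule the kernel rejects the SECMARK rule at insertion time, and without the `send`/`recv` rules the daemon's traffic is denied once labelled, so both halves have to be loaded before the ruleset.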


* [PATCH 01/07] secmark: Add new flask definitions to SELinux
From: James Morris @ 2006-05-18  9:22 UTC (permalink / raw)
  To: David S. Miller, Andrew Morton
  Cc: Patrick McHardy, Stephen Smalley, netdev, Karl MacMillan

This patch adds support for a new object class ('packet'), and associated 
permissions ('send', 'recv', 'relabelto').  These are used to enforce 
security policy for network packets labeled with SECMARK, and for adding 
labeling rules.

Please apply.

Signed-off-by: James Morris <jmorris@namei.org>

---

 security/selinux/include/av_perm_to_string.h |    3 +++
 security/selinux/include/av_permissions.h    |    3 +++
 security/selinux/include/class_to_string.h   |    1 +
 security/selinux/include/flask.h             |    1 +
 4 files changed, 8 insertions(+)

diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/include/av_permissions.h linux-2.6.17-rc4-mm1.w/security/selinux/include/av_permissions.h
--- linux-2.6.17-rc4-mm1.p/security/selinux/include/av_permissions.h	2006-05-16 23:35:11.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/include/av_permissions.h	2006-05-17 01:13:15.000000000 -0400
@@ -956,3 +956,6 @@
 #define APPLETALK_SOCKET__SEND_MSG                0x00100000UL
 #define APPLETALK_SOCKET__NAME_BIND               0x00200000UL
 
+#define PACKET__SEND                              0x00000001UL
+#define PACKET__RECV                              0x00000002UL
+#define PACKET__RELABELTO                         0x00000004UL
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/include/av_perm_to_string.h linux-2.6.17-rc4-mm1.w/security/selinux/include/av_perm_to_string.h
--- linux-2.6.17-rc4-mm1.p/security/selinux/include/av_perm_to_string.h	2006-03-20 00:53:29.000000000 -0500
+++ linux-2.6.17-rc4-mm1.w/security/selinux/include/av_perm_to_string.h	2006-05-17 01:13:33.000000000 -0400
@@ -239,3 +239,6 @@
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
+   S_(SECCLASS_PACKET, PACKET__SEND, "send")
+   S_(SECCLASS_PACKET, PACKET__RECV, "recv")
+   S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/include/class_to_string.h linux-2.6.17-rc4-mm1.w/security/selinux/include/class_to_string.h
--- linux-2.6.17-rc4-mm1.p/security/selinux/include/class_to_string.h	2006-05-16 23:35:11.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/include/class_to_string.h	2006-05-17 01:10:46.000000000 -0400
@@ -59,3 +59,4 @@
     S_("association")
     S_("netlink_kobject_uevent_socket")
     S_("appletalk_socket")
+    S_("packet")
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/include/flask.h linux-2.6.17-rc4-mm1.w/security/selinux/include/flask.h
--- linux-2.6.17-rc4-mm1.p/security/selinux/include/flask.h	2006-05-16 23:35:11.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/include/flask.h	2006-05-17 01:09:43.000000000 -0400
@@ -61,6 +61,7 @@
 #define SECCLASS_ASSOCIATION                             54
 #define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET           55
 #define SECCLASS_APPLETALK_SOCKET                        56
+#define SECCLASS_PACKET                                  57
 
 /*
  * Security identifier indices for initial entities


* [PATCH 02/07] secmark: Add SELinux exports
From: James Morris @ 2006-05-18  9:23 UTC (permalink / raw)
  To: David S. Miller, Andrew Morton
  Cc: Patrick McHardy, Stephen Smalley, netdev, Karl MacMillan

This patch adds new functions to the in-kernel SELinux API in 
support of the new secmark-based packet controls.

Please apply.

Signed-off-by: James Morris <jmorris@namei.org>

---

 include/linux/selinux.h    |   32 ++++++++++++++++++++++++++++++++
 security/selinux/exports.c |   22 ++++++++++++++++++++++
 2 files changed, 54 insertions(+)


diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/include/linux/selinux.h linux-2.6.17-rc4-mm1.w/include/linux/selinux.h
--- linux-2.6.17-rc4-mm1.p/include/linux/selinux.h	2006-05-17 01:03:34.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/include/linux/selinux.h	2006-05-17 01:18:57.000000000 -0400
@@ -118,6 +118,27 @@ void selinux_get_ipc_sid(const struct ke
  */
 void selinux_get_task_sid(struct task_struct *tsk, u32 *sid);
 
+/**
+ *     selinux_string_to_sid - map a security context string to a security ID
+ *     @str: the security context string to be mapped
+ *     @sid: ID value returned via this.
+ *
+ *     Returns 0 if successful, with the SID stored in sid.  A value
+ *     of zero for sid indicates no SID could be determined (but no error
+ *     occurred).
+ */
+int selinux_string_to_sid(char *str, u32 *sid);
+
+/**
+ *     selinux_relabel_packet_permission - check permission to relabel a packet
+ *     @sid: ID value to be applied to network packet (via SECMARK, most likely)
+ *
+ *     Returns 0 if the current task is allowed to label packets with the
+ *     supplied security ID.  Note that it is implicit that the packet is always
+ *     being relabeled from the default unlabled value, and that the access
+ *     control decision is made in the AVC.
+ */
+int selinux_relabel_packet_permission(u32 sid);
 
 #else
 
@@ -172,6 +193,17 @@ static inline void selinux_get_task_sid(
 	*sid = 0;
 }
 
+static inline int selinux_string_to_sid(const char *str, u32 *sid)
+{
+       *sid = 0;
+       return 0;
+}
+
+static inline int selinux_relabel_packet_permission(u32 sid)
+{
+	return 0;
+}
+
 #endif	/* CONFIG_SECURITY_SELINUX */
 
 #endif /* _LINUX_SELINUX_H */
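Review bot: the body of the selinux_string_to_sid() stub is indented with spaces while the selinux_relabel_packet_permission() stub below it uses a tab; kernel style is tabs. It is also worth a one-line comment on what these stubs mean for callers: with SELinux compiled out selinux_string_to_sid() succeeds with `*sid == 0`, and xt_SECMARK's checkentry then rejects the rule with "unable to map SELinux context", which is the right outcome but a misleading message.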
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/exports.c linux-2.6.17-rc4-mm1.w/security/selinux/exports.c
--- linux-2.6.17-rc4-mm1.p/security/selinux/exports.c	2006-05-17 01:03:34.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/exports.c	2006-05-17 01:18:57.000000000 -0400
@@ -72,3 +72,25 @@ void selinux_get_task_sid(struct task_st
 	*sid = 0;
 }
 
+int selinux_string_to_sid(char *str, u32 *sid)
+{
+	if (selinux_enabled)
+		return security_context_to_sid(str, strlen(str), sid);
+	else {
+		*sid = 0;
+		return 0;
+	}
+}
+EXPORT_SYMBOL_GPL(selinux_string_to_sid);
+
+int selinux_relabel_packet_permission(u32 sid)
+{
+	if (selinux_enabled) {
+		struct task_security_struct *tsec = current->security;
+		
+		return avc_has_perm(tsec->sid, sid, SECCLASS_PACKET,
+				    PACKET__RELABELTO, NULL);
+	}
+	return 0;
+}
+EXPORT_SYMBOL_GPL(selinux_relabel_packet_permission);
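Review bot: selinux_string_to_sid() calls `strlen(str)` on a caller-supplied buffer, so the requirement that `str` is NUL-terminated belongs in the kerneldoc, and the parameter should be `const char *` to match the header stub (keep any cast security_context_to_sid() needs inside this function). Style: the `else` after `return` is unnecessary; write the !selinux_enabled path as straight-line code. The comment above selinux_relabel_packet_permission() should also say that the check is made against `current`, i.e. the task inserting the rule, so `relabelto` is granted to the ruleset loader (the domain running iptables), not to any task on the data path.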


* [PATCH 03/07] secmark: Add secmark support to core networking.
From: James Morris @ 2006-05-18  9:24 UTC (permalink / raw)
  To: David S. Miller, Andrew Morton
  Cc: Patrick McHardy, Stephen Smalley, netdev, Karl MacMillan

This patch adds a secmark field to the skbuff structure, to allow security 
subsystems to place security markings on network packets.  This is similar 
to the nfmark field, except is intended for implementing security policy, 
rather than networking policy.

This patch was already acked in principle by Dave Miller.

Please apply.

Signed-off-by: James Morris <jmorris@namei.org>

---

 include/linux/skbuff.h          |   22 ++++++++++++++++++++++
 net/Kconfig                     |    7 +++++++
 net/core/skbuff.c               |    3 ++-
 net/ipv4/ip_output.c            |    1 +
 net/ipv4/netfilter/ipt_REJECT.c |    1 +
 net/ipv6/ip6_output.c           |    1 +
 6 files changed, 34 insertions(+), 1 deletion(-)


diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/include/linux/skbuff.h linux-2.6.17-rc4-mm1.w/include/linux/skbuff.h
--- linux-2.6.17-rc4-mm1.p/include/linux/skbuff.h	2006-05-17 01:04:35.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/include/linux/skbuff.h	2006-05-17 01:29:36.000000000 -0400
@@ -208,6 +208,7 @@ enum {
  *	@nf_bridge: Saved data about a bridged frame - see br_netfilter.c
  *	@tc_index: Traffic control index
  *	@tc_verd: traffic control verdict
+ *	@secmark: security marking
  */
 
 struct sk_buff {
@@ -284,6 +285,9 @@ struct sk_buff {
 	__u16			tc_verd;	/* traffic control verdict */
 #endif
 #endif
+#ifdef CONFIG_NETWORK_SECMARK
+	__u32			secmark;
+#endif
 
 
 	/* These elements must be at the end, see alloc_skb() for details.  */
@@ -1395,5 +1399,23 @@ static inline void nf_reset(struct sk_bu
 static inline void nf_reset(struct sk_buff *skb) {}
 #endif /* CONFIG_NETFILTER */
 
+#ifdef CONFIG_NETWORK_SECMARK
+static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff *from)
+{
+	to->secmark = from->secmark;
+}
+
+static inline void skb_init_secmark(struct sk_buff *skb)
+{
+	skb->secmark = 0;
+}
+#else
+static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff *from)
+{ }
+
+static inline void skb_init_secmark(struct sk_buff *skb)
+{ }
+#endif
+
 #endif	/* __KERNEL__ */
 #endif	/* _LINUX_SKBUFF_H */
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/core/skbuff.c linux-2.6.17-rc4-mm1.w/net/core/skbuff.c
--- linux-2.6.17-rc4-mm1.p/net/core/skbuff.c	2006-05-17 01:04:35.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/core/skbuff.c	2006-05-17 01:29:36.000000000 -0400
@@ -464,7 +464,7 @@ struct sk_buff *skb_clone(struct sk_buff
 	n->tc_verd = CLR_TC_MUNGED(n->tc_verd);
 	C(input_dev);
 #endif
-
+	skb_copy_secmark(n, skb);
 #endif
 	C(truesize);
 	atomic_set(&n->users, 1);
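Review bot: the new `skb_copy_secmark(n, skb);` in skb_clone() sits between the `#endif` that closes the CONFIG_NET_CLS_ACT block (after `C(input_dev);`) and the outer `#endif`, so it is only compiled when that outer traffic-control option is enabled; on kernels built without it, cloned skbs silently lose their secmark. Move the call below the outer `#endif`, next to `C(truesize);`, as the copy_skb_header() hunk in this same patch already does by placing `skb_copy_secmark(new, old);` after its closing `#endif`.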
@@ -526,6 +526,7 @@ static void copy_skb_header(struct sk_bu
 #endif
 	new->tc_index	= old->tc_index;
 #endif
+	skb_copy_secmark(new, old);
 	atomic_set(&new->users, 1);
 	skb_shinfo(new)->tso_size = skb_shinfo(old)->tso_size;
 	skb_shinfo(new)->tso_segs = skb_shinfo(old)->tso_segs;
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/ipv4/ip_output.c linux-2.6.17-rc4-mm1.w/net/ipv4/ip_output.c
--- linux-2.6.17-rc4-mm1.p/net/ipv4/ip_output.c	2006-05-17 01:04:35.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/ipv4/ip_output.c	2006-05-17 01:29:36.000000000 -0400
@@ -410,6 +410,7 @@ static void ip_copy_metadata(struct sk_b
 	nf_bridge_get(to->nf_bridge);
 #endif
 #endif
+	skb_copy_secmark(to, from);
 }
 
 /*
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ipt_REJECT.c linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ipt_REJECT.c	2006-05-17 01:04:35.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/ipt_REJECT.c	2006-05-17 01:29:36.000000000 -0400
@@ -147,6 +147,7 @@ static void send_reset(struct sk_buff *o
 	/* This packet will not be the same as the other: clear nf fields */
 	nf_reset(nskb);
 	nskb->nfmark = 0;
+	skb_init_secmark(nskb);
 
 	tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
 
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/ipv6/ip6_output.c linux-2.6.17-rc4-mm1.w/net/ipv6/ip6_output.c
--- linux-2.6.17-rc4-mm1.p/net/ipv6/ip6_output.c	2006-05-17 01:04:35.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/ipv6/ip6_output.c	2006-05-17 01:29:36.000000000 -0400
@@ -458,6 +458,7 @@ static void ip6_copy_metadata(struct sk_
 	nf_bridge_get(to->nf_bridge);
 #endif
 #endif
+	skb_copy_secmark(to, from);
 }
 
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/Kconfig linux-2.6.17-rc4-mm1.w/net/Kconfig
--- linux-2.6.17-rc4-mm1.p/net/Kconfig	2006-05-17 01:04:35.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/Kconfig	2006-05-17 01:29:36.000000000 -0400
@@ -66,6 +66,13 @@ source "net/ipv6/Kconfig"
 
 endif # if INET
 
+config NETWORK_SECMARK
+	bool "Security Marking"
+	help
+	  This enables security marking of network packets, similar
+	  to nfmark, but designated for security purposes.
+	  If you are unsure how to answer this question, answer N.
+
 menuconfig NETFILTER
 	bool "Network packet filtering (replaces ipchains)"
 	---help---


* [PATCH 04/07] secmark: Add xtables SECMARK target
From: James Morris @ 2006-05-18  9:26 UTC (permalink / raw)
  To: David S. Miller, Andrew Morton
  Cc: Patrick McHardy, Stephen Smalley, netdev, Karl MacMillan

This patch adds a SECMARK target to xtables, allowing the admin to apply 
security marks to packets via both iptables and ip6tables.

The target currently handles SELinux security marking, but can be extended 
for other purposes as needed.

Please apply.

Signed-off-by: James Morris <jmorris@namei.org>

---

 include/linux/netfilter/xt_SECMARK.h |   26 +++++
 net/netfilter/Kconfig                |    9 ++
 net/netfilter/Makefile               |    1 
 net/netfilter/xt_SECMARK.c           |  156 +++++++++++++++++++++++++++++++++++
 4 files changed, 192 insertions(+)

diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/include/linux/netfilter/xt_SECMARK.h linux-2.6.17-rc4-mm1.w/include/linux/netfilter/xt_SECMARK.h
--- linux-2.6.17-rc4-mm1.p/include/linux/netfilter/xt_SECMARK.h	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.17-rc4-mm1.w/include/linux/netfilter/xt_SECMARK.h	2006-05-17 01:31:26.000000000 -0400
@@ -0,0 +1,26 @@
+#ifndef _XT_SECMARK_H_target
+#define _XT_SECMARK_H_target
+
+/*
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the 
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL	0x01		/* SELinux */
+#define SECMARK_SELCTX_MAX	256
+
+struct xt_secmark_target_selinux_info {
+	u_int32_t selsid;
+	char selctx[SECMARK_SELCTX_MAX];
+};
+
+struct xt_secmark_target_info {
+	u_int8_t mode;
+	union {
+		struct xt_secmark_target_selinux_info sel;
+	} u;
+};
+
+#endif /*_XT_SECMARK_H_target */
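Review bot: the header comment should document that `selsid` is an output filled in by the kernel at rule-insertion time (userspace passes 0; checkentry resolves `selctx` to a SID) and that `selctx` must be NUL-terminated within SECMARK_SELCTX_MAX, since the kernel side runs strlen() on it. Both fields arrive from userspace, so the target must validate them rather than trust them.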
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/Kconfig linux-2.6.17-rc4-mm1.w/net/netfilter/Kconfig
--- linux-2.6.17-rc4-mm1.p/net/netfilter/Kconfig	2006-05-17 01:03:27.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/Kconfig	2006-05-17 01:31:26.000000000 -0400
@@ -174,6 +174,15 @@ config NETFILTER_XT_TARGET_NOTRACK
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
+config NETFILTER_XT_TARGET_SECMARK
+	tristate '"SECMARK" target support'
+	depends on NETFILTER_XTABLES && NETWORK_SECMARK
+	help
+	  The SECMARK target allows security marking of network
+	  packets, for use with security subsystems.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_COMMENT
 	tristate  '"comment" match support'
 	depends on NETFILTER_XTABLES
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/Makefile linux-2.6.17-rc4-mm1.w/net/netfilter/Makefile
--- linux-2.6.17-rc4-mm1.p/net/netfilter/Makefile	2006-05-17 01:03:27.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/Makefile	2006-05-17 01:31:26.000000000 -0400
@@ -28,6 +28,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMAR
 obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
 
 # matches
 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/xt_SECMARK.c linux-2.6.17-rc4-mm1.w/net/netfilter/xt_SECMARK.c
--- linux-2.6.17-rc4-mm1.p/net/netfilter/xt_SECMARK.c	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/xt_SECMARK.c	2006-05-17 01:31:52.000000000 -0400
@@ -0,0 +1,156 @@
+/*
+ * Module for modifying the secmark field of the skb, for use by
+ * security subsystems.
+ *
+ * Based on the nfmark match by:
+ * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
+ *
+ * (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/selinux.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_SECMARK.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
+MODULE_DESCRIPTION("ip[6]tables SECMARK modification module");
+MODULE_ALIAS("ipt_SECMARK");
+MODULE_ALIAS("ip6t_SECMARK");
+
+#define PFX "SECMARK: "
+
+static u8 mode;
+
+static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
+			   const struct net_device *out, unsigned int hooknum,
+			   const struct xt_target *target,
+			   const void *targinfo, void *userinfo)
+{
+	u32 secmark = 0;
+	const struct xt_secmark_target_info *info = targinfo;
+
+	BUG_ON(info->mode != mode);
+
+	switch (mode) {
+	case SECMARK_MODE_SEL:
+		secmark = info->u.sel.selsid;
+		break;
+	
+	default:
+		BUG();
+	}
+	
+	if ((*pskb)->secmark != secmark)
+		(*pskb)->secmark = secmark;
+	
+	return XT_CONTINUE;
+}
+
+static int checkentry_selinux(struct xt_secmark_target_info *info)
+{
+	int err;
+	struct xt_secmark_target_selinux_info *sel = &info->u.sel;
+
+	err = selinux_string_to_sid(sel->selctx, &sel->selsid);
+	if (err) {
+		if (err == -EINVAL)
+			printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n",
+			       sel->selctx);
+		return 0;
+	}
+	
+	if (!sel->selsid) {
+		printk(KERN_INFO PFX "unable to map SELinux context \'%s\'\n",
+		       sel->selctx);
+		return 0;
+	}
+
+	err = selinux_relabel_packet_permission(sel->selsid);
+	if (err) {
+		printk(KERN_INFO PFX "unable to obtain relabeling permission\n");
+		return 0;
+	}
+
+	return 1;
+}
+
+static int checkentry(const char *tablename, const void *entry,
+		      const struct xt_target *target, void *targinfo,
+		      unsigned int targinfosize, unsigned int hook_mask)
+{
+	struct xt_secmark_target_info *info = targinfo;
+
+	if (mode && mode != info->mode) {
+		printk(KERN_INFO PFX "mode already set to %hu cannot mix with "
+		       "rules for mode %hu\n", mode, info->mode);
+		return 0;
+	}
+
+	switch (info->mode) {
+	case SECMARK_MODE_SEL:
+		if (!checkentry_selinux(info))
+			return 0;
+		break;
+	
+	default:
+		printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);
+		return 0;
+	}
+	
+	if (!mode)
+		mode = info->mode;
+	return 1;
+}
+
+static struct xt_target ipt_secmark_reg = {
+	.name		= "SECMARK",
+	.target		= target,
+	.targetsize	= sizeof(struct xt_secmark_target_info),
+	.table		= "mangle",
+	.checkentry	= checkentry,
+	.me		= THIS_MODULE,
+	.family		= AF_INET,
+	.revision	= 0,
+};
+
+static struct xt_target ip6t_secmark_reg = {
+	.name		= "SECMARK",
+	.target		= target,
+	.targetsize	= sizeof(struct xt_secmark_target_info),
+	.table		= "mangle",
+	.checkentry	= checkentry,
+	.me		= THIS_MODULE,
+	.family		= AF_INET6,
+	.revision	= 0,
+};
+
+static int __init xt_secmark_init(void)
+{
+	int err;
+
+	err = xt_register_target(&ipt_secmark_reg);
+	if (err)
+		return err;
+
+	err = xt_register_target(&ip6t_secmark_reg);
+	if (err)
+		xt_unregister_target(&ipt_secmark_reg);
+
+	return err;
+}
+
+static void __exit xt_secmark_fini(void)
+{
+	xt_unregister_target(&ip6t_secmark_reg);
+	xt_unregister_target(&ipt_secmark_reg);
+}
+
+module_init(xt_secmark_init);
+module_exit(xt_secmark_fini);
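Review bot: checkentry_selinux() passes `sel->selctx` straight to selinux_string_to_sid(), which calls strlen() on it, so a rule whose selctx is not NUL-terminated within SECMARK_SELCTX_MAX makes the kernel read past the 256-byte array. Reject or terminate it first, e.g. `if (strnlen(sel->selctx, SECMARK_SELCTX_MAX) == SECMARK_SELCTX_MAX) return 0;`. Second, the module-global `mode` is latched by the first accepted rule and never cleared, and there is no `.destroy` hook, so after every SECMARK rule has been deleted the module still refuses rules for any other mode until it is reloaded; either document that or keep a rule count and reset `mode` when it drops to zero.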


* [PATCH 05/07] secmark: Add secmark support to conntrack
From: James Morris @ 2006-05-18  9:27 UTC (permalink / raw)
  To: David S. Miller, Andrew Morton
  Cc: Patrick McHardy, Stephen Smalley, netdev, Karl MacMillan

This patch adds a secmark field to IP and NF conntracks, so that security 
markings on packets can be copied to their associated connections, and 
also copied back to packets as required.  This is similar to the network 
mark field currently used with conntrack, although it is intended for 
enforcement of security policy rather than network policy.

Please apply.

Signed-off-by: James Morris <jmorris@namei.org>

---

 include/linux/netfilter_ipv4/ip_conntrack.h  |    4 ++++
 include/net/netfilter/nf_conntrack.h         |    4 ++++
 include/net/netfilter/nf_conntrack_compat.h  |   26 ++++++++++++++++++++++++++
 net/ipv4/netfilter/Kconfig                   |   12 ++++++++++++
 net/ipv4/netfilter/ip_conntrack_core.c       |    3 +++
 net/ipv4/netfilter/ip_conntrack_standalone.c |    5 +++++
 net/netfilter/Kconfig                        |   12 ++++++++++++
 net/netfilter/nf_conntrack_core.c            |    3 +++
 net/netfilter/nf_conntrack_standalone.c      |    5 +++++
 9 files changed, 74 insertions(+)

diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.17-rc4-mm1.w/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.6.17-rc4-mm1.p/include/linux/netfilter_ipv4/ip_conntrack.h	2006-05-16 23:35:11.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/include/linux/netfilter_ipv4/ip_conntrack.h	2006-05-17 01:39:42.000000000 -0400
@@ -120,6 +120,10 @@ struct ip_conntrack
 	u_int32_t mark;
 #endif
 
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+	u_int32_t secmark;
+#endif
+
 	/* Traversed often, so hopefully in different cacheline to top */
 	/* These are my tuples; original and reply */
 	struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/include/net/netfilter/nf_conntrack_compat.h linux-2.6.17-rc4-mm1.w/include/net/netfilter/nf_conntrack_compat.h
--- linux-2.6.17-rc4-mm1.p/include/net/netfilter/nf_conntrack_compat.h	2006-03-20 00:53:29.000000000 -0500
+++ linux-2.6.17-rc4-mm1.w/include/net/netfilter/nf_conntrack_compat.h	2006-05-17 01:39:42.000000000 -0400
@@ -20,6 +20,19 @@ static inline u_int32_t *nf_ct_get_mark(
 }
 #endif /* CONFIG_IP_NF_CONNTRACK_MARK */
 
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
+					   u_int32_t *ctinfo)
+{
+	struct ip_conntrack *ct = ip_conntrack_get(skb, ctinfo);
+
+	if (ct)
+		return &ct->secmark;
+	else
+		return NULL;
+}
+#endif /* CONFIG_IP_NF_CONNTRACK_SECMARK */
+
 #ifdef CONFIG_IP_NF_CT_ACCT
 static inline struct ip_conntrack_counter *
 nf_ct_get_counters(const struct sk_buff *skb)
@@ -70,6 +83,19 @@ static inline u_int32_t *nf_ct_get_mark(
 }
 #endif /* CONFIG_NF_CONNTRACK_MARK */
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
+					   u_int32_t *ctinfo)
+{
+	struct nf_conn *ct = nf_ct_get(skb, ctinfo);
+
+	if (ct)
+		return &ct->secmark;
+	else
+		return NULL;
+}
+#endif /* CONFIG_NF_CONNTRACK_MARK */
+
 #ifdef CONFIG_NF_CT_ACCT
 static inline struct ip_conntrack_counter *
 nf_ct_get_counters(const struct sk_buff *skb)
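Review bot: the closing comment on the new nf_conn block reads `#endif /* CONFIG_NF_CONNTRACK_MARK */` but the block is opened with `#ifdef CONFIG_NF_CONNTRACK_SECMARK`; change it to `/* CONFIG_NF_CONNTRACK_SECMARK */` (the ip_conntrack variant in the previous hunk has it right).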
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/include/net/netfilter/nf_conntrack.h linux-2.6.17-rc4-mm1.w/include/net/netfilter/nf_conntrack.h
--- linux-2.6.17-rc4-mm1.p/include/net/netfilter/nf_conntrack.h	2006-05-16 23:35:11.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/include/net/netfilter/nf_conntrack.h	2006-05-17 01:39:42.000000000 -0400
@@ -113,6 +113,10 @@ struct nf_conn
 	u_int32_t mark;
 #endif
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+	u_int32_t secmark;
+#endif
+
 	/* Storage reserved for other modules: */
 	union nf_conntrack_proto proto;
 
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ip_conntrack_core.c	2006-05-16 23:34:59.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/ip_conntrack_core.c	2006-05-17 01:39:42.000000000 -0400
@@ -724,6 +724,9 @@ init_conntrack(struct ip_conntrack_tuple
 		/* this is ugly, but there is no other place where to put it */
 		conntrack->nat.masq_index = exp->master->nat.masq_index;
 #endif
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+		conntrack->secmark = exp->master->secmark;
+#endif
 		nf_conntrack_get(&conntrack->master->ct_general);
 		CONNTRACK_STAT_INC(expect_new);
 	} else {
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/ip_conntrack_standalone.c
--- linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ip_conntrack_standalone.c	2006-05-16 23:34:59.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/ip_conntrack_standalone.c	2006-05-17 01:39:42.000000000 -0400
@@ -189,6 +189,11 @@ static int ct_seq_show(struct seq_file *
 		return -ENOSPC;
 #endif
 
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+	if (seq_printf(s, "secmark=%u ", conntrack->secmark))
+		return -ENOSPC;
+#endif
+
 	if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
 		return -ENOSPC;
 
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/Kconfig linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/Kconfig
--- linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/Kconfig	2006-05-16 23:34:59.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/Kconfig	2006-05-17 01:48:41.000000000 -0400
@@ -55,6 +55,18 @@ config IP_NF_CONNTRACK_MARK
 	  of packets, but this mark value is kept in the conntrack session
 	  instead of the individual packets.
 	
+config IP_NF_CONNTRACK_SECMARK
+	bool  'Connection tracking security mark support'
+	depends on IP_NF_CONNTRACK && NETWORK_SECMARK
+	help
+	  This option enables security markings to be applied to
+	  connections.  Typically they are copied to connections from
+	  packets using the CONNSECMARK target and copied back from
+	  connections to packets with the same target, with the packets
+	  being originally labeled via SECMARK.
+	  
+	  If unsure, say 'N'.
+
 config IP_NF_CONNTRACK_EVENTS
 	bool "Connection tracking events (EXPERIMENTAL)"
 	depends on EXPERIMENTAL && IP_NF_CONNTRACK
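Review bot: `bool  'Connection tracking security mark support'` has a double space and single quotes where the neighbouring entries (`bool "Connection tracking events (EXPERIMENTAL)"`) use one space and double quotes, and the blank line before `If unsure, say 'N'.` carries trailing whitespace; the same applies to the NF_CONNTRACK_SECMARK entry in net/netfilter/Kconfig.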
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/Kconfig linux-2.6.17-rc4-mm1.w/net/netfilter/Kconfig
--- linux-2.6.17-rc4-mm1.p/net/netfilter/Kconfig	2006-05-17 01:35:52.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/Kconfig	2006-05-17 01:48:42.000000000 -0400
@@ -60,6 +60,18 @@ config NF_CONNTRACK_MARK
 	  of packets, but this mark value is kept in the conntrack session
 	  instead of the individual packets.
 
+config NF_CONNTRACK_SECMARK
+	bool  'Connection tracking security mark support'
+	depends on NF_CONNTRACK && NETWORK_SECMARK
+	help
+	  This option enables security markings to be applied to
+	  connections.  Typically they are copied to connections from
+	  packets using the CONNSECMARK target and copied back from
+	  connections to packets with the same target, with the packets
+	  being originally labeled via SECMARK.
+
+	  If unsure, say 'N'.
+
 config NF_CONNTRACK_EVENTS
 	bool "Connection tracking events (EXPERIMENTAL)"
 	depends on EXPERIMENTAL && NF_CONNTRACK
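Review bot: same style point as the IPv4 entry, `bool  '...'` with a double space and single quotes differs from the surrounding `bool "..."` prompts. Since the two help texts are word for word identical, one of them should say that IP_NF_CONNTRACK_SECMARK and NF_CONNTRACK_SECMARK are the legacy-IPv4 and generic-conntrack variants of the same feature, so a user who sees both knows which to pick.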
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/nf_conntrack_core.c linux-2.6.17-rc4-mm1.w/net/netfilter/nf_conntrack_core.c
--- linux-2.6.17-rc4-mm1.p/net/netfilter/nf_conntrack_core.c	2006-05-16 23:34:59.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/nf_conntrack_core.c	2006-05-17 01:39:42.000000000 -0400
@@ -990,6 +990,9 @@ init_conntrack(const struct nf_conntrack
 #ifdef CONFIG_NF_CONNTRACK_MARK
 		conntrack->mark = exp->master->mark;
 #endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+		conntrack->secmark = exp->master->secmark;
+#endif
 		nf_conntrack_get(&conntrack->master->ct_general);
 		NF_CT_STAT_INC(expect_new);
 	} else
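Review bot: copying exp->master->secmark here covers the expectation path of the generic conntrack only; the legacy ip_conntrack_core.c init_conntrack is not part of this hunk, so check that it receives the same three lines, otherwise RELATED connections (for example FTP data) under IP_NF_CONNTRACK start with secmark 0 and the restore mode of CONNSECMARK hands back an unlabeled packet. The non-expected path relies on the fresh conntrack being zero-filled so that secmark starts at 0; a one-line comment on that would help.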
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/nf_conntrack_standalone.c linux-2.6.17-rc4-mm1.w/net/netfilter/nf_conntrack_standalone.c
--- linux-2.6.17-rc4-mm1.p/net/netfilter/nf_conntrack_standalone.c	2006-05-16 23:34:59.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/nf_conntrack_standalone.c	2006-05-17 01:39:42.000000000 -0400
@@ -213,6 +213,11 @@ static int ct_seq_show(struct seq_file *
 		return -ENOSPC;
 #endif
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+	if (seq_printf(s, "secmark=%u ", conntrack->secmark))
+		return -ENOSPC;
+#endif
+
 	if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
 		return -ENOSPC;
 	
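Review bot: this duplicates the IPv4 ct_seq_show change and is fine as such; one point worth recording is that the field appears only when CONFIG_NF_CONNTRACK_SECMARK is set, so anything parsing /proc/net/nf_conntrack must treat secmark= as optional, exactly as it must for mark=.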

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH 06/07] secmark: Add CONNSECMARK xtables target
  2006-05-18  9:20 [PATCHSET 0/7] SECMARK 2.0 James Morris
                   ` (4 preceding siblings ...)
  2006-05-18  9:27 ` [PATCH 05/07] secmark: Add secmark support to conntrack James Morris
@ 2006-05-18  9:28 ` James Morris
  2006-05-18  9:29 ` [PATCH 07/07] secmark: Add new packet controls to SELinux James Morris
  2006-05-21 23:54 ` [PATCHSET 0/7] SECMARK 2.0 Andrew Morton
  7 siblings, 0 replies; 12+ messages in thread
From: James Morris @ 2006-05-18  9:28 UTC (permalink / raw)
  To: David S. Miller, Andrew Morton
  Cc: Patrick McHardy, Stephen Smalley, netdev, Karl MacMillan

This patch adds a new xtables target, CONNSECMARK, which is used to 
specify rules for copying security marks from packets to connections, and 
for copying security marks back from connections to packets.  This is 
similar to the CONNMARK target, but is more limited in scope in that it 
only allows copying of security marks to and from packets, as this is all 
it needs to do.

A typical scenario would be to apply a security mark to a 'new' packet 
with SECMARK, then copy that to its conntrack via CONNMARK, and then 
restore the security mark from the connection to established and related 
packets on that connection.

Please apply.

Signed-off-by: James Morris <jmorris@namei.org>

---

 include/linux/netfilter/xt_CONNSECMARK.h |   13 ++
 net/netfilter/Kconfig                    |   11 ++
 net/netfilter/Makefile                   |    1 
 net/netfilter/xt_CONNSECMARK.c           |  155 +++++++++++++++++++++++++++++++
 4 files changed, 180 insertions(+)


diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/include/linux/netfilter/xt_CONNSECMARK.h linux-2.6.17-rc4-mm1.w/include/linux/netfilter/xt_CONNSECMARK.h
--- linux-2.6.17-rc4-mm1.p/include/linux/netfilter/xt_CONNSECMARK.h	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.17-rc4-mm1.w/include/linux/netfilter/xt_CONNSECMARK.h	2006-05-17 19:54:52.000000000 -0400
@@ -0,0 +1,13 @@
+#ifndef _XT_CONNSECMARK_H_target
+#define _XT_CONNSECMARK_H_target
+
+enum {
+	CONNSECMARK_SAVE = 1,
+	CONNSECMARK_RESTORE,
+};
+
+struct xt_connsecmark_target_info {
+	u_int8_t mode;
+};
+
+#endif /*_XT_CONNSECMARK_H_target */
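Review bot: the enum deliberately starts at 1, so a zero-filled xt_connsecmark_target_info coming from userspace is rejected by checkentry instead of being treated as a mode; add a comment saying so, as later revisions must preserve it. With mode as a u_int8_t the whole structure is one byte, which is fine because x_tables compares targetsize with sizeof().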
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/Kconfig linux-2.6.17-rc4-mm1.w/net/netfilter/Kconfig
--- linux-2.6.17-rc4-mm1.p/net/netfilter/Kconfig	2006-05-17 19:54:43.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/Kconfig	2006-05-17 19:54:52.000000000 -0400
@@ -195,6 +195,17 @@ config NETFILTER_XT_TARGET_SECMARK
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_TARGET_CONNSECMARK
+	tristate '"CONNSECMARK" target support'
+	depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK || IP_NF_CONNTRACK_SECMARK)
+	help
+	  The CONNSECMARK target copies security markings from packets
+	  to connections, and restores security markings from connections
+	  to packets (if the packets are not already marked).  This would
+	  normally be used in conjunction with the SECMARK target.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_COMMENT
 	tristate  '"comment" match support'
 	depends on NETFILTER_XTABLES
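Review bot: the help text says restoring happens "if the packets are not already marked" but omits the other half of the same rule, that saving only happens while the connection is still unmarked; that is the half with security consequences (a connection keeps the first label it is given and cannot be relabelled through this target), so describe both modes symmetrically here.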
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/Makefile linux-2.6.17-rc4-mm1.w/net/netfilter/Makefile
--- linux-2.6.17-rc4-mm1.p/net/netfilter/Makefile	2006-05-17 19:53:39.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/Makefile	2006-05-17 19:54:52.000000000 -0400
@@ -29,6 +29,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) +
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
 
 # matches
 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/xt_CONNSECMARK.c linux-2.6.17-rc4-mm1.w/net/netfilter/xt_CONNSECMARK.c
--- linux-2.6.17-rc4-mm1.p/net/netfilter/xt_CONNSECMARK.c	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/xt_CONNSECMARK.c	2006-05-17 19:55:25.000000000 -0400
@@ -0,0 +1,155 @@
+/*
+ * This module is used to copy security markings from packets
+ * to connections, and restore security markings from connections
+ * back to packets.  This would normally be performed in conjunction
+ * with the SECMARK target and state match.
+ *
+ * Based somewhat on CONNMARK: 
+ *   Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ *    by Henrik Nordstrom <hno@marasystems.com>
+ * 
+ * (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_CONNSECMARK.h>
+#include <net/netfilter/nf_conntrack_compat.h>
+
+#define PFX "CONNSECMARK: "
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
+MODULE_DESCRIPTION("ip[6]tables CONNSECMARK module");
+MODULE_ALIAS("ipt_CONNSECMARK");
+MODULE_ALIAS("ip6t_CONNSECMARK");
+
+/*
+ * If the packet has a security mark and the connection does not, copy
+ * the security mark from the packet to the connection.
+ */
+static void secmark_save(struct sk_buff *skb)
+{
+	if (skb->secmark) {
+		u32 *connsecmark;
+		enum ip_conntrack_info ctinfo;
+		
+		connsecmark = nf_ct_get_secmark(skb, &ctinfo);
+		if (connsecmark && !*connsecmark)
+			if (*connsecmark != skb->secmark)
+				*connsecmark = skb->secmark;
+	}
+}
+
+/*
+ * If packet has no security mark, and the connection does, restore the
+ * security mark from the connection to the packet.
+ */
+static void secmark_restore(struct sk_buff *skb)
+{
+	if (!skb->secmark) {
+		u32 *connsecmark;
+		enum ip_conntrack_info ctinfo;
+		
+		connsecmark = nf_ct_get_secmark(skb, &ctinfo);
+		if (connsecmark && *connsecmark)
+			if (skb->secmark != *connsecmark)
+				skb->secmark = *connsecmark;
+	}
+}
+
+static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
+			   const struct net_device *out, unsigned int hooknum,
+			   const struct xt_target *target,
+			   const void *targinfo, void *userinfo)
+{
+	struct sk_buff *skb = *pskb;
+	const struct xt_connsecmark_target_info *info = targinfo;
+
+	switch (info->mode) {
+	case CONNSECMARK_SAVE:
+		secmark_save(skb);
+		break;
+		
+	case CONNSECMARK_RESTORE:
+		secmark_restore(skb);
+		break;
+	
+	default:
+		BUG();
+	}
+
+	return XT_CONTINUE;
+}
+
+static int checkentry(const char *tablename, const void *entry,
+		      const struct xt_target *target, void *targinfo,
+		      unsigned int targinfosize, unsigned int hook_mask)
+{
+	struct xt_connsecmark_target_info *info = targinfo;
+
+	switch (info->mode) {
+	case CONNSECMARK_SAVE:
+	case CONNSECMARK_RESTORE:
+		break;
+	
+	default:
+		printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);
+		return 0;
+	}
+	
+	return 1;
+}
+
+static struct xt_target ipt_connsecmark_reg = {
+	.name		= "CONNSECMARK",
+	.target		= target,
+	.targetsize	= sizeof(struct xt_connsecmark_target_info),
+	.table		= "mangle",
+	.checkentry	= checkentry,
+	.me		= THIS_MODULE,
+	.family		= AF_INET,
+	.revision	= 0,
+};
+
+static struct xt_target ip6t_connsecmark_reg = {
+	.name		= "CONNSECMARK",
+	.target		= target,
+	.targetsize	= sizeof(struct xt_connsecmark_target_info),
+	.table		= "mangle",
+	.checkentry	= checkentry,
+	.me		= THIS_MODULE,
+	.family		= AF_INET6,
+	.revision	= 0,
+};
+
+static int __init xt_connsecmark_init(void)
+{
+	int err;
+
+	need_conntrack();
+
+	err = xt_register_target(&ipt_connsecmark_reg);
+	if (err)
+		return err;
+
+	err = xt_register_target(&ip6t_connsecmark_reg);
+	if (err)
+		xt_unregister_target(&ipt_connsecmark_reg);
+
+	return err;
+}
+
+static void __exit xt_connsecmark_fini(void)
+{
+	xt_unregister_target(&ip6t_connsecmark_reg);
+	xt_unregister_target(&ipt_connsecmark_reg);
+}
+
+module_init(xt_connsecmark_init);
+module_exit(xt_connsecmark_fini);
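Review bot: in secmark_save the inner `if (*connsecmark != skb->secmark)` is redundant: the outer test has already established `*connsecmark == 0` and `skb->secmark != 0`, so the two can never be equal. The same holds in secmark_restore, where `!skb->secmark` and `*connsecmark` already imply inequality; collapse each pair into a single condition. The consequence of that save-only-when-unmarked rule deserves a comment at the top of the file: a connection keeps the first secmark it receives, and a later SECMARK rule with a different context cannot relabel it via this target. Two smaller points: checkentry prints a u_int8_t with `%hu`, where `%hhu` (or a cast) is the accurate specifier; and the patch description says "copy that to its conntrack via CONNMARK" where CONNSECMARK is meant.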

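
The labelling sequence the CONNSECMARK description sketches (SECMARK on the NEW packet, save to the conntrack, restore onto later packets of the connection), as an added example that is not part of this patchset or of the ruleset archive it links to: a shell script that prints, or with APPLY=1 installs, the mangle-table rules for one service together with the SELinux policy lines those packets need. The option names --selctx, --save and --restore are assumed from the iptables userland extensions rather than taken from this page, and sshd_t / ssh_server_packet_t are placeholder type names standing in for whatever the local policy defines.

```sh
#!/bin/sh
# Added example, not code from the SECMARK patchset: build the
# SECMARK/CONNSECMARK ruleset for one TCP service and the SELinux
# policy lines its packets need.
#
# Assumptions not on the page: the userland option names --selctx,
# --save and --restore, and the type names sshd_t and
# ssh_server_packet_t, which are placeholders for a local policy module.
#
# Dry run by default: commands are printed, not executed.  Set APPLY=1
# (as root, with the secmark kernel options and a matching policy
# loaded) to install them.

IPT=${IPT:-iptables}

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Generic restore rules, installed once.  CONNSECMARK is registered for
# the mangle table only (.table = "mangle"), so every rule lives there.
# Packets of tracked connections, including RELATED ones such as FTP
# data whose conntrack inherited the master's secmark, get the
# connection's mark copied back onto the skb.
install_restore_rules() {
    run "$IPT" -t mangle -A INPUT -m state --state ESTABLISHED,RELATED \
        -j CONNSECMARK --restore
    run "$IPT" -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED \
        -j CONNSECMARK --restore
}

# label_service PROTO PORT CONTEXT: two rules per service.  SECMARK
# labels the first (NEW) packet; CONNSECMARK --save copies that label
# into the conntrack entry, but only while the entry is still unmarked,
# so a connection keeps the first label it was given.
label_service() {
    proto=$1 port=$2 ctx=$3
    run "$IPT" -t mangle -A INPUT -p "$proto" --dport "$port" \
        -m state --state NEW -j SECMARK --selctx "$ctx"
    run "$IPT" -t mangle -A INPUT -p "$proto" --dport "$port" \
        -m state --state NEW -j CONNSECMARK --save
}

# policy_fragment DOMAIN PACKET_TYPE: the TE rules the labelled packets
# need.  The loaded policy must also declare class packet { send recv }
# to match the kernel's class definitions; without it every check on the
# new path fails closed, which is the "unrecognized class" failure
# reported later in this thread.
policy_fragment() {
    domain=$1 ptype=$2
    cat <<EOF
type $ptype;
allow $domain $ptype:packet { send recv };
# Traffic no SECMARK rule matches carries secmark 0, treated as
# unlabeled_t; grant or deny it explicitly, e.g.:
# allow $domain unlabeled_t:packet { send recv };
EOF
}

# Demonstration for one service, sshd on tcp/22 (dry run unless APPLY=1).
install_restore_rules
label_service tcp 22 "system_u:object_r:ssh_server_packet_t:s0"
policy_fragment sshd_t ssh_server_packet_t
```

Run as-is it only prints what it would do. The two restore rules go in once; each further service adds only its two NEW-packet rules, and rule order matters because SECMARK and CONNSECMARK both continue down the chain rather than terminating it.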

* [PATCH 07/07] secmark: Add new packet controls to SELinux
  2006-05-18  9:20 [PATCHSET 0/7] SECMARK 2.0 James Morris
                   ` (5 preceding siblings ...)
  2006-05-18  9:28 ` [PATCH 06/07] secmark: Add CONNSECMARK xtables target James Morris
@ 2006-05-18  9:29 ` James Morris
  2006-05-21 23:54 ` [PATCHSET 0/7] SECMARK 2.0 Andrew Morton
  7 siblings, 0 replies; 12+ messages in thread
From: James Morris @ 2006-05-18  9:29 UTC (permalink / raw)
  To: David S. Miller, Andrew Morton
  Cc: Patrick McHardy, Stephen Smalley, netdev, Karl MacMillan

This patch adds new per-packet access controls to SELinux, replacing the 
old packet controls.

Packets are labeled with the iptables SECMARK and CONNSECMARK targets, 
then security policy for the packets is enforced with these controls.

To allow for a smooth transition to the new controls, the old code is 
still present, but not active by default.  To restore previous behavior, 
the old controls may be activated at runtime by writing a '1' to 
/selinux/compat_net, and also via the kernel boot parameter 
selinux_compat_net.  Switching between the network control models requires 
the security load_policy permission.  The old controls will probably 
eventually be removed and any continued use is discouraged.

Please apply.

Signed-off-by: James Morris <jmorris@namei.org>

---

 Documentation/kernel-parameters.txt |    9 +
 security/selinux/Kconfig            |    2 
 security/selinux/hooks.c            |  241 +++++++++++++++++++-----------------
 security/selinux/include/xfrm.h     |    2 
 security/selinux/selinuxfs.c        |   59 ++++++++
 security/selinux/xfrm.c             |   12 -
 6 files changed, 205 insertions(+), 120 deletions(-)


diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/Documentation/kernel-parameters.txt linux-2.6.17-rc4-mm1.w/Documentation/kernel-parameters.txt
--- linux-2.6.17-rc4-mm1.p/Documentation/kernel-parameters.txt	2006-05-18 03:07:47.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/Documentation/kernel-parameters.txt	2006-05-17 23:45:13.000000000 -0400
@@ -1414,6 +1414,15 @@ running once the system is up.
 			If enabled at boot time, /selinux/disable can be used
 			later to disable prior to initial policy load.
 
+	selinux_compat_net =
+			[SELINUX] Set initial selinux_compat_net flag value.
+                        Format: { "0" | "1" }
+                        0 -- use new secmark-based packet controls
+                        1 -- use legacy packet controls
+                        Default value is 0 (preferred).
+                        Value can be changed at runtime via
+                        /selinux/compat_net.
+                                                                                                                                                                                                                
 	serialnumber	[BUGS=IA-32]
 
 	sg_def_reserved_size=	[SCSI]
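Review bot: the blank line after "/selinux/compat_net." is a + line made up of a very long run of spaces; make it an empty line. The entry also mixes a tab-indented first line with space-indented continuation lines, whereas the neighbouring entries use tabs throughout. It should additionally say that changing the value at runtime requires the security load_policy permission, as the patch description states.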
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/hooks.c linux-2.6.17-rc4-mm1.w/security/selinux/hooks.c
--- linux-2.6.17-rc4-mm1.p/security/selinux/hooks.c	2006-05-18 03:07:47.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/hooks.c	2006-05-17 21:01:07.000000000 -0400
@@ -80,6 +80,7 @@
 
 extern unsigned int policydb_loaded_version;
 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
+extern int selinux_compat_net;
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 int selinux_enforcing = 0;
@@ -3216,47 +3217,16 @@ static int selinux_socket_unix_may_send(
 	return 0;
 }
 
-static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, struct avc_audit_data *ad,
+				       u32 sock_sid, u16 sock_class, u16 family, char *addrp, int len)
 {
-	u16 family;
-	char *addrp;
-	int len, err = 0;
+	int err = 0;
 	u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
-	u32 sock_sid = 0;
-	u16 sock_class = 0;
-	struct socket *sock;
-	struct net_device *dev;
-	struct avc_audit_data ad;
 
-	family = sk->sk_family;
-	if (family != PF_INET && family != PF_INET6)
+	if (!skb->dev)
 		goto out;
 
-	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
-	if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
-		family = PF_INET;
-
- 	read_lock_bh(&sk->sk_callback_lock);
- 	sock = sk->sk_socket;
- 	if (sock) {
- 		struct inode *inode;
- 		inode = SOCK_INODE(sock);
- 		if (inode) {
- 			struct inode_security_struct *isec;
- 			isec = inode->i_security;
- 			sock_sid = isec->sid;
- 			sock_class = isec->sclass;
- 		}
- 	}
- 	read_unlock_bh(&sk->sk_callback_lock);
- 	if (!sock_sid)
-  		goto out;
-
-	dev = skb->dev;
-	if (!dev)
-		goto out;
-
-	err = sel_netif_sids(dev, &if_sid, NULL);
+	err = sel_netif_sids(skb->dev, &if_sid, NULL);
 	if (err)
 		goto out;
 
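Review bot: the early `if (!skb->dev) goto out;` returns err == 0, so in compat mode a packet that carries no device skips the netif, node and port checks entirely. This preserves the pre-patch behaviour (the removed `dev = skb->dev; if (!dev) goto out;`) but is easier to overlook now that it sits in a helper; a comment marking the bypass as intentional would help. The helper also receives `family` only for security_node_sid while security_port_sid still uses sk->sk_family, again as before, but worth a second look since the caller has already mapped PF_INET6 to PF_INET for mapped IPv4 packets.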
@@ -3279,44 +3249,88 @@ static int selinux_socket_sock_rcv_skb(s
 		break;
 	}
 
-	AVC_AUDIT_DATA_INIT(&ad, NET);
-	ad.u.net.netif = dev->name;
-	ad.u.net.family = family;
-
-	err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
-	if (err)
-		goto out;
-
-	err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
+	err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
 	if (err)
 		goto out;
 	
-	/* Fixme: this lookup is inefficient */
 	err = security_node_sid(family, addrp, len, &node_sid);
 	if (err)
 		goto out;
 	
-	err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
+	err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
 	if (err)
 		goto out;
 
 	if (recv_perm) {
 		u32 port_sid;
 
-		/* Fixme: make this more efficient */
 		err = security_port_sid(sk->sk_family, sk->sk_type,
-		                        sk->sk_protocol, ntohs(ad.u.net.sport),
+		                        sk->sk_protocol, ntohs(ad->u.net.sport),
 		                        &port_sid);
 		if (err)
 			goto out;
 
 		err = avc_has_perm(sock_sid, port_sid,
-				   sock_class, recv_perm, &ad);
+				   sock_class, recv_perm, ad);
 	}
 
-	if (!err)
-		err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
+out:
+	return err;
+}
+
+static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+{
+	u16 family;
+	u16 sock_class = 0;
+	char *addrp;
+	int len, err = 0;
+	u32 sock_sid = 0;
+	struct socket *sock;
+	struct avc_audit_data ad;
+
+	family = sk->sk_family;
+	if (family != PF_INET && family != PF_INET6)
+		goto out;
+
+	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
+	if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
+		family = PF_INET;
+
+ 	read_lock_bh(&sk->sk_callback_lock);
+ 	sock = sk->sk_socket;
+ 	if (sock) {
+ 		struct inode *inode;
+ 		inode = SOCK_INODE(sock);
+ 		if (inode) {
+ 			struct inode_security_struct *isec;
+ 			isec = inode->i_security;
+ 			sock_sid = isec->sid;
+ 			sock_class = isec->sclass;
+ 		}
+ 	}
+ 	read_unlock_bh(&sk->sk_callback_lock);
+ 	if (!sock_sid)
+  		goto out;
+
+	AVC_AUDIT_DATA_INIT(&ad, NET);
+	ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
+	ad.u.net.family = family;
+
+	err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
+	if (err)
+		goto out;
+
+	if (selinux_compat_net)
+		err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
+						  sock_class, family,
+						  addrp, len);
+	else
+		err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
+				   PACKET__RECV, &ad);
+	if (err)
+		goto out;
 
+	err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
 out:	
 	return err;
 }
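Review bot: on the new path avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET, PACKET__RECV, &ad) runs for every packet, including those with secmark 0, so the loaded policy must define the packet class and grant recv on the default label or every receive fails closed; the "unrecognized class" failure reported later in this thread is exactly this check against a policy that does not know the class. The patch description should state that requirement. The xfrm check now runs after either mode instead of under `if (!err)` as before; the outcome is the same because the error path jumps to out first.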
@@ -3456,42 +3470,18 @@ out:
 
 #ifdef CONFIG_NETFILTER
 
-static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
-                                              struct sk_buff **pskb,
-                                              const struct net_device *in,
-                                              const struct net_device *out,
-                                              int (*okfn)(struct sk_buff *),
-                                              u16 family)
+static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
+					    struct inode_security_struct *isec,
+					    struct avc_audit_data *ad,
+					    u16 family, char *addrp, int len)
 {
-	char *addrp;
-	int len, err = NF_ACCEPT;
+	int err;
 	u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
-	struct sock *sk;
-	struct socket *sock;
-	struct inode *inode;
-	struct sk_buff *skb = *pskb;
-	struct inode_security_struct *isec;
-	struct avc_audit_data ad;
-	struct net_device *dev = (struct net_device *)out;
 	
-	sk = skb->sk;
-	if (!sk)
-		goto out;
-		
-	sock = sk->sk_socket;
-	if (!sock)
-		goto out;
-		
-	inode = SOCK_INODE(sock);
-	if (!inode)
-		goto out;
-
 	err = sel_netif_sids(dev, &if_sid, NULL);
 	if (err)
 		goto out;
 
-	isec = inode->i_security;
-	
 	switch (isec->sclass) {
 	case SECCLASS_UDP_SOCKET:
 		netif_perm = NETIF__UDP_SEND;
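Review bot: `int err;` in selinux_ip_postroute_last_compat is no longer initialised, but every path to `goto out` in the visible lines assigns it first (sel_netif_sids is the first call), so that is fine. Note for readers that the helper returns 0/-errno rather than NF_ACCEPT/NF_DROP; only the caller translates to a verdict.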
@@ -3511,55 +3501,88 @@ static unsigned int selinux_ip_postroute
 		break;
 	}
 
-
-	AVC_AUDIT_DATA_INIT(&ad, NET);
-	ad.u.net.netif = dev->name;
-	ad.u.net.family = family;
-
-	err = selinux_parse_skb(skb, &ad, &addrp,
-				&len, 0) ? NF_DROP : NF_ACCEPT;
-	if (err != NF_ACCEPT)
-		goto out;
-
-	err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
-	                   netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
-	if (err != NF_ACCEPT)
+	err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
+	if (err)
 		goto out;
 		
-	/* Fixme: this lookup is inefficient */
-	err = security_node_sid(family, addrp, len,
-				&node_sid) ? NF_DROP : NF_ACCEPT;
-	if (err != NF_ACCEPT)
+	err = security_node_sid(family, addrp, len, &node_sid);
+	if (err)
 		goto out;
 	
-	err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
-	                   node_perm, &ad) ? NF_DROP : NF_ACCEPT;
-	if (err != NF_ACCEPT)
+	err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
+	if (err)
 		goto out;
 
 	if (send_perm) {
 		u32 port_sid;
 		
-		/* Fixme: make this more efficient */
 		err = security_port_sid(sk->sk_family,
 		                        sk->sk_type,
 		                        sk->sk_protocol,
-		                        ntohs(ad.u.net.dport),
-		                        &port_sid) ? NF_DROP : NF_ACCEPT;
-		if (err != NF_ACCEPT)
+		                        ntohs(ad->u.net.dport),
+		                        &port_sid);
+		if (err)
 			goto out;
 
 		err = avc_has_perm(isec->sid, port_sid, isec->sclass,
-		                   send_perm, &ad) ? NF_DROP : NF_ACCEPT;
+				   send_perm, ad);
 	}
+out:
+	return err;
+}
+
+static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
+                                              struct sk_buff **pskb,
+                                              const struct net_device *in,
+                                              const struct net_device *out,
+                                              int (*okfn)(struct sk_buff *),
+                                              u16 family)
+{
+	char *addrp;
+	int len, err = 0;
+	struct sock *sk;
+	struct socket *sock;
+	struct inode *inode;
+	struct sk_buff *skb = *pskb;
+	struct inode_security_struct *isec;
+	struct avc_audit_data ad;
+	struct net_device *dev = (struct net_device *)out;
+	
+	sk = skb->sk;
+	if (!sk)
+		goto out;
+		
+	sock = sk->sk_socket;
+	if (!sock)
+		goto out;
+		
+	inode = SOCK_INODE(sock);
+	if (!inode)
+		goto out;
+
+	isec = inode->i_security;
+	
+	AVC_AUDIT_DATA_INIT(&ad, NET);
+	ad.u.net.netif = dev->name;
+	ad.u.net.family = family;
 
-	if (err != NF_ACCEPT)
+	err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
+	if (err)
 		goto out;
 
-	err = selinux_xfrm_postroute_last(isec->sid, skb);
+	if (selinux_compat_net)
+		err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
+						       family, addrp, len);
+	else
+		err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET, 
+				   PACKET__SEND, &ad);
+	
+	if (err)
+		goto out;
 
+	err = selinux_xfrm_postroute_last(isec->sid, skb);
 out:
-	return err;
+	return err ? NF_DROP : NF_ACCEPT;
 }
 
 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
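Review bot: all three early exits (`!sk`, `!sock`, `!inode`) leave err at 0 and so return NF_ACCEPT, which means forwarded packets and kernel-generated packets that have no socket attached are never subjected to the packet send check in either mode. That matches the old function, but since these controls are presented as the replacement for the old packet controls, the limitation (send is a control on locally originated socket traffic only) belongs in the patch description. `dev->name` is dereferenced unconditionally; `out` is always set in POST_ROUTING, so that is fine.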
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/include/xfrm.h linux-2.6.17-rc4-mm1.w/security/selinux/include/xfrm.h
--- linux-2.6.17-rc4-mm1.p/security/selinux/include/xfrm.h	2006-05-18 03:07:47.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/include/xfrm.h	2006-05-17 21:01:07.000000000 -0400
@@ -49,7 +49,7 @@ static inline int selinux_xfrm_sock_rcv_
 
 static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
 {
-	return NF_ACCEPT;
+	return 0;
 }
 
 static inline int selinux_socket_getpeer_stream(struct sock *sk)
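Review bot: changing the stub from NF_ACCEPT to 0 is required because the caller now does `return err ? NF_DROP : NF_ACCEPT` and NF_ACCEPT (1) would have become a drop; it must land together with the xfrm.c hunk of this patch, which makes the same switch in the real function.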
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/Kconfig linux-2.6.17-rc4-mm1.w/security/selinux/Kconfig
--- linux-2.6.17-rc4-mm1.p/security/selinux/Kconfig	2006-03-20 00:53:29.000000000 -0500
+++ linux-2.6.17-rc4-mm1.w/security/selinux/Kconfig	2006-05-18 03:10:02.000000000 -0400
@@ -1,6 +1,6 @@
 config SECURITY_SELINUX
 	bool "NSA SELinux Support"
-	depends on SECURITY_NETWORK && AUDIT && NET && INET
+	depends on SECURITY_NETWORK && AUDIT && NET && INET && NETWORK_SECMARK
 	default n
 	help
 	  This selects NSA Security-Enhanced Linux (SELinux).
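Review bot: adding NETWORK_SECMARK to `depends on` makes SELinux disappear from the configuration menu until the user finds and enables the netfilter option, which is the usability complaint raised later in this thread. If NETWORK_SECMARK is a plain bool, `select NETWORK_SECMARK` expresses the relationship better, since it is a prerequisite rather than an optional feature; the SECMARK and CONNSECMARK targets themselves can stay user-selectable.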
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/selinuxfs.c linux-2.6.17-rc4-mm1.w/security/selinux/selinuxfs.c
--- linux-2.6.17-rc4-mm1.p/security/selinux/selinuxfs.c	2006-05-18 03:07:47.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/selinuxfs.c	2006-05-17 21:01:07.000000000 -0400
@@ -37,6 +37,7 @@
 #include "conditional.h"
 
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+int selinux_compat_net;
 
 static int __init checkreqprot_setup(char *str)
 {
@@ -45,6 +46,13 @@ static int __init checkreqprot_setup(cha
 }
 __setup("checkreqprot=", checkreqprot_setup);
 
+static int __init selinux_compat_net_setup(char *str)
+{
+	selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0;
+	return 1;
+}
+__setup("selinux_compat_net=", selinux_compat_net_setup);
+
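Review bot: `simple_strtoul(str,NULL,0)` is missing the spaces after the commas; otherwise fine, and normalising to 0/1 matches what the selinuxfs write handler does.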
 
 static DEFINE_MUTEX(sel_mutex);
 
@@ -85,6 +93,7 @@ enum sel_inos {
 	SEL_AVC,	/* AVC management directory */
 	SEL_MEMBER,	/* compute polyinstantiation membership decision */
 	SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
+	SEL_COMPAT_NET,	/* whether to use old compat network packet controls */
 };
 
 #define TMPBUFLEN	12
@@ -364,6 +373,55 @@ static struct file_operations sel_checkr
 	.write		= sel_write_checkreqprot,
 };
 
+static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
+				   size_t count, loff_t *ppos)
+{
+	char tmpbuf[TMPBUFLEN];
+	ssize_t length;
+
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net);
+	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
+}
+
+static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
+				    size_t count, loff_t *ppos)
+{
+	char *page;
+	ssize_t length;
+	int new_value;
+
+	length = task_has_security(current, SECURITY__LOAD_POLICY);
+	if (length)
+		return length;
+
+	if (count >= PAGE_SIZE)
+		return -ENOMEM;
+	if (*ppos != 0) {
+		/* No partial writes. */
+		return -EINVAL;
+	}
+	page = (char*)get_zeroed_page(GFP_KERNEL);
+	if (!page)
+		return -ENOMEM;
+	length = -EFAULT;
+	if (copy_from_user(page, buf, count))
+		goto out;
+
+	length = -EINVAL;
+	if (sscanf(page, "%d", &new_value) != 1)
+		goto out;
+
+	selinux_compat_net = new_value ? 1 : 0;
+	length = count;
+out:
+	free_page((unsigned long) page);
+	return length;
+}
+static struct file_operations sel_compat_net_ops = {
+	.read		= sel_read_compat_net,
+	.write		= sel_write_compat_net,
+};
+
 /*
  * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
  */
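Review bot: `if (count >= PAGE_SIZE) return -ENOMEM;` reports an over-long write as an out-of-memory condition; -EINVAL is the accurate code (this mirrors the checkreqprot handler, so fix both or neither). Gating the write on SECURITY__LOAD_POLICY is right, since flipping the flag changes which access checks apply to every packet; the read side has no check, consistent with the S_IRUGO mode.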
@@ -1219,6 +1277,7 @@ static int sel_fill_super(struct super_b
 		[SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
 		[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
 		[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
+		[SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
 		/* last one */ {""}
 	};
 	ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/xfrm.c linux-2.6.17-rc4-mm1.w/security/selinux/xfrm.c
--- linux-2.6.17-rc4-mm1.p/security/selinux/xfrm.c	2006-05-18 03:07:47.000000000 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/xfrm.c	2006-05-17 21:01:07.000000000 -0400
@@ -356,18 +356,12 @@ int selinux_xfrm_postroute_last(u32 isec
 			struct xfrm_state *x = dst_test->xfrm;
 
 			if (x && selinux_authorizable_xfrm(x))
-				goto accept;
+				goto out;
 		}
 	}
 
 	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
 			  ASSOCIATION__SENDTO, NULL);
-	if (rc)
-		goto drop;
-
-accept:
-	return NF_ACCEPT;
-
-drop:
-	return NF_DROP;
+out:
+	return rc;
 }
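Review bot: the `goto out` in the authorizable-xfrm branch now returns rc instead of NF_ACCEPT, so the result depends on rc holding 0 at that point, and its initialisation is outside this hunk; confirm it, otherwise an authorized association could be dropped or an earlier error accepted. With rc starting at 0 this is correct and consistent with the 0/-errno convention the hooks.c hunk introduces.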


* Re: [PATCHSET 0/7] SECMARK 2.0
  2006-05-18  9:20 [PATCHSET 0/7] SECMARK 2.0 James Morris
                   ` (6 preceding siblings ...)
  2006-05-18  9:29 ` [PATCH 07/07] secmark: Add new packet controls to SELinux James Morris
@ 2006-05-21 23:54 ` Andrew Morton
  2006-05-22  2:46   ` James Morris
  7 siblings, 1 reply; 12+ messages in thread
From: Andrew Morton @ 2006-05-21 23:54 UTC (permalink / raw)
  To: James Morris; +Cc: davem, kaber, sds, netdev, kmacmillan

James Morris <jmorris@namei.org> wrote:
>
> The following patchset is an updated version of secmark, which I'd like to 
>  propose for inclusion in either Dave or Andrew's tree for subsequent merge 
>  into mainline during the 2.6.18 merge window.

Well as discussed off-list, I'm not able to get this stuff to work.  I get
a pile of these:

security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57
security_compute_av:  unrecognized class 57

coming out and networking is dead.

And I'd agree with the other commenters: if these features are compulsory
for SELinux then we might as well just `select' them.  Right now it's way
too hard.

Even if we do that, the chances of people actually going off and finding
all the other random secmark Kconfig options and turning on the appropriate
ones seem pretty small.  Needs a rethink.  Perhaps a standalone secmark
menu, or just selecting everything..

And maybe just remove all the various netfilter secmark CONFIG options
altogether and make all the new code dependent upon the top-level
CONFIG_SECMARK.


* Re: [PATCHSET 0/7] SECMARK 2.0
  2006-05-21 23:54 ` [PATCHSET 0/7] SECMARK 2.0 Andrew Morton
@ 2006-05-22  2:46   ` James Morris
  2006-05-22  3:21     ` James Morris
  0 siblings, 1 reply; 12+ messages in thread
From: James Morris @ 2006-05-22  2:46 UTC (permalink / raw)
  To: Andrew Morton; +Cc: davem, kaber, sds, netdev, kmacmillan

On Sun, 21 May 2006, Andrew Morton wrote:

> Well as discussed off-list, I'm not able to get this stuff to work.  I get
> a pile of these:
> 
> security_compute_av:  unrecognized class 57

This is because the userspace components have not been updated yet -- the 
patch just went into -mm.

The workaround is to enable the old networking controls via the kernel 
parameter selinux_compat_net=1.  Once the distro packages have been 
updated, this will not be necessary.  All that's needed to start with in 
fact is a change to the startup scripts to do this at boot, depending on 
the package version.  This is a brief temporary issue in -mm.

> And I'd agree with the other commenters: if these features are compulsory
> for SELinux then we might as well just `select' them.  Right now it's way
> too hard.

Ok, I'll look into selecting them.

> Even if we do that, the chances of people actually going off and finding
> all the other random secmark Kconfig options and turning on the appropriate
> ones seem pretty small.  Needs a rethink.  Perhaps a standalone secmark
> menu, or just selecting everything..
> 
> And maybe just remove all the various netfilter secmark CONFIG options
> altogether and make all the new code dependent upon the top-level
> CONFIG_SECMARK.

I'm not sure what you mean here.  The top level secmark just enables the 
skb->secmark field without adding any mechanism to use it.  Then, two 
mechanisms which have been provided (the SECMARK and CONNSECMARK) targets 
can be independently enabled.  These are not the only possible ways of 
utilizing skb->secmark, so these components are configurable separately.



- James
-- 
James Morris
<jmorris@namei.org>


* Re: [PATCHSET 0/7] SECMARK 2.0
  2006-05-22  2:46   ` James Morris
@ 2006-05-22  3:21     ` James Morris
  2006-05-22  4:45       ` [PATCH] secmark: disable new controls for SELinux by default James Morris
  0 siblings, 1 reply; 12+ messages in thread
From: James Morris @ 2006-05-22  3:21 UTC (permalink / raw)
  To: Andrew Morton; +Cc: davem, kaber, sds, netdev, kmacmillan

On Sun, 21 May 2006, James Morris wrote:

> > And I'd agree with the other commenters: if these features are compulsory
> > for SELinux then we might as well just `select' them.  Right now it's way
> > too hard.
> 
> Ok, I'll look into selecting them.

There are several problems with this.  Because SELinux can only be 
selected as Y, using select for the secmark modules would force them also 
to be built statically into the kernel.  Another issue is the presence of 
new and old Netfilter infrastructure, and there's no way the SELinux 
config can know whether to enable the new generic NF conntrack system or 
the old IP conntrack one.  Then, there's the issue of forcing a specific 
configuration on the user: perhaps they don't want connection tracking at 
all and just want static controls (i.e. only use the SECMARK target, not 
CONNSECMARK).  And how far do you go?  Force the selection of FTP 
connection tracking?  What about new conntrack targets?

The only reasonable solution is to allow the user to configure what they 
need, with the simplest case being that only NETWORK_SECMARK is enabled as 
a minimum requirement for SELinux, which will result in all traffic 
carrying the default 'unlabeled_t' marking, which the user then needs to 
have an appropriate policy for.

I was planning on posting detailed documentation on the new secmark scheme 
once it was in -mm, and having selinux_compat_net=1 as a stopgap until 
people either know what to configure or their distro userland is updated.  
(Support for secmark controls cannot be rolled out into distros until the 
kernel infrastructure is in an upstream kernel such as -mm).


- James
-- 
James Morris
<jmorris@namei.org>


* [PATCH] secmark: disable new controls for SELinux by default
  2006-05-22  3:21     ` James Morris
@ 2006-05-22  4:45       ` James Morris
  0 siblings, 0 replies; 12+ messages in thread
From: James Morris @ 2006-05-22  4:45 UTC (permalink / raw)
  To: Andrew Morton
  Cc: David S. Miller, Patrick McHardy, Stephen Smalley, netdev,
	Karl MacMillan

This should address the issue of people tripping over the new secmark 
controls when upgrading their kernel before the userland components are 
available.

With this patch, the new secmark controls for SELinux are now disabled by 
default, so existing behavior is entirely preserved, and the user is not 
affected at all.

It also provides a config option to enable the secmark controls by default 
(which can always be overridden at boot and runtime).  It is also noted in 
the kconfig help that the user will need updated userspace if enabling 
secmark controls for SELinux and that they'll probably need the SECMARK 
and CONNMARK targets, and conntrack protocol helpers, although such 
decisions are beyond the scope of kernel configuration.

Please review and apply if ok.

Signed-off-by: James Morris <jmorris@namei.org>

---

 security/selinux/Kconfig     |   31 ++++++++++++++++++++++++++++++-
 security/selinux/selinuxfs.c |    9 ++++++++-
 2 files changed, 38 insertions(+), 2 deletions(-)

diff -purN -X dontdiff linux-2.6.17-rc4-mm2.p/security/selinux/Kconfig linux-2.6.17-rc4-mm2.w/security/selinux/Kconfig
--- linux-2.6.17-rc4-mm2.p/security/selinux/Kconfig	2006-05-20 19:46:38.000000000 -0400
+++ linux-2.6.17-rc4-mm2.w/security/selinux/Kconfig	2006-05-22 00:06:23.000000000 -0400
@@ -1,6 +1,7 @@
 config SECURITY_SELINUX
 	bool "NSA SELinux Support"
-	depends on SECURITY_NETWORK && AUDIT && NET && INET && NETWORK_SECMARK
+	depends on SECURITY_NETWORK && AUDIT && NET && INET
+	select NETWORK_SECMARK
 	default n
 	help
 	  This selects NSA Security-Enhanced Linux (SELinux).
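Review bot: replacing `depends on NETWORK_SECMARK` with `select NETWORK_SECMARK` means kconfig will stop checking NETWORK_SECMARK's own dependencies whenever SECURITY_SELINUX is enabled, since select forces the symbol on regardless of what it depends on. That is only safe if NETWORK_SECMARK has no requirements beyond those already on the remaining `depends on SECURITY_NETWORK && AUDIT && NET && INET` line; please confirm that where NETWORK_SECMARK is defined before applying, or keep a `depends on` for anything it needs so an unbuildable .config cannot be produced.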
@@ -95,3 +96,31 @@ config SECURITY_SELINUX_CHECKREQPROT_VAL
 	  via /selinux/checkreqprot if authorized by policy.
 
 	  If you are unsure how to answer this question, answer 1.
+
+config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
+	bool "NSA SELinux enable new secmark network controls by default"
+	depends on SECURITY_SELINUX
+	default n
+	help
+	  This option determines whether the new secmark-based network
+	  controls will be enabled by default.  If not, the old internal
+	  per-packet controls will be enabled by default, preserving
+	  old behavior.
+	  
+	  If you enable the new controls, you will need updated 
+	  SELinux userspace libraries, tools and policy.  Typically,
+	  your distribution will provide these and enable the new controls
+	  in the kernel they also distribute.
+	  
+	  Note that this option can be overriden at boot with the
+	  selinux_compat_net parameter, and after boot via
+	  /selinux/compat_net.  See Documentation/kernel-parameters.txt
+	  for details on this parameter.
+	  
+	  If you enable the new network controls, you will likely
+	  also require the SECMARK and CONNSECMARK targets, as
+	  well as any conntrack helpers for protocols which you 
+	  wish to control.
+
+	  If you are unsure what do do here, select N.
+
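Review bot: two typos in the new help text: "can be overriden at boot" should read "overridden", and "If you are unsure what do do here" should read "what to do here". Several added lines also carry trailing whitespace (the "+	  " separator lines and the lines ending "updated " and "which you "), which is normally flagged in review. Separately, the help text correctly names the SECMARK and CONNSECMARK targets while the cover text for this patch says "SECMARK and CONNMARK targets"; CONNSECMARK appears to be the intended one, so the description should be made consistent.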
diff -purN -X dontdiff linux-2.6.17-rc4-mm2.p/security/selinux/selinuxfs.c linux-2.6.17-rc4-mm2.w/security/selinux/selinuxfs.c
--- linux-2.6.17-rc4-mm2.p/security/selinux/selinuxfs.c	2006-05-20 19:46:38.000000000 -0400
+++ linux-2.6.17-rc4-mm2.w/security/selinux/selinuxfs.c	2006-05-22 00:23:00.000000000 -0400
@@ -37,7 +37,14 @@
 #include "conditional.h"
 
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
-int selinux_compat_net;
+
+#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
+#define SELINUX_COMPAT_NET_VALUE 0
+#else
+#define SELINUX_COMPAT_NET_VALUE 1
+#endif
+
+int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
 
 static int __init checkreqprot_setup(char *str)
 {
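Review bot: SELINUX_COMPAT_NET_VALUE is defined in selinuxfs.c solely to initialise selinux_compat_net on the next line, so the #ifdef could assign 0 or 1 directly, or the macro could move to the header that declares selinux_compat_net so code that tests the flag can see how the default is derived. A one-line comment noting that a non-zero value selects the old per-packet controls would also help, since the inverted sense (CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT => compat_net = 0) is easy to misread against the Kconfig option's name.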

