netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Paul Moore <paul.moore@hp.com>
To: selinux@tycho.nsa.gov, netdev@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [RFC PATCH v4 04/14] selinux: Fix missing calls to netlbl_skbuff_err()
Date: Tue, 02 Sep 2008 20:49:08 -0400	[thread overview]
Message-ID: <20080903004908.15669.36176.stgit@flek.lan> (raw)
In-Reply-To: <20080903003647.15669.45349.stgit@flek.lan>

At some point I think I messed up and dropped the calls to netlbl_skbuff_err()
which are necessary for CIPSO to send error notifications to remote systems.
This patch re-introduces the error handling calls into the SELinux code.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---

 include/net/netlabel.h              |    6 ++++--
 net/netlabel/netlabel_kapi.c        |    5 +++--
 security/selinux/hooks.c            |   19 +++++++++++++++----
 security/selinux/include/netlabel.h |    9 +++++++++
 security/selinux/netlabel.c         |   20 +++++++++++++++++++-
 5 files changed, 50 insertions(+), 9 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 5303749..e16db09 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -382,7 +382,7 @@ int netlbl_sock_getattr(struct sock *sk,
 int netlbl_skbuff_getattr(const struct sk_buff *skb,
 			  u16 family,
 			  struct netlbl_lsm_secattr *secattr);
-void netlbl_skbuff_err(struct sk_buff *skb, int error);
+void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway);
 
 /*
  * LSM label mapping cache operations
@@ -454,7 +454,9 @@ static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
 {
 	return -ENOSYS;
 }
-static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)
+static inline void netlbl_skbuff_err(struct sk_buff *skb,
+				     int error,
+				     int gateway)
 {
 	return;
 }
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 2a2b8fa..38ee891 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -490,6 +490,7 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb,
  * netlbl_skbuff_err - Handle a LSM error on a sk_buff
  * @skb: the packet
  * @error: the error code
+ * @gateway: true if host is acting as a gateway, false otherwise
  *
  * Description:
  * Deal with a LSM problem when handling the packet in @skb, typically this is
@@ -497,10 +498,10 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb,
  * according to the packet's labeling protocol.
  *
  */
-void netlbl_skbuff_err(struct sk_buff *skb, int error)
+void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway)
 {
 	if (CIPSO_V4_OPTEXIST(skb))
-		cipso_v4_error(skb, error, 0);
+		cipso_v4_error(skb, error, gateway);
 }
 
 /**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 995488d..35a577c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4093,6 +4093,8 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 			return err;
 		err = avc_has_perm(sk_sid, peer_sid,
 				   SECCLASS_PEER, PEER__RECV, ad);
+		if (err)
+			selinux_netlbl_err(skb, err, 0);
 	} else {
 		err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
 		if (err)
@@ -4142,10 +4144,14 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 			return err;
 		err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
 					       peer_sid, &ad);
-		if (err)
+		if (err) {
+			selinux_netlbl_err(skb, err, 0);
 			return err;
+		}
 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
 				   PEER__RECV, &ad);
+		if (err)
+			selinux_netlbl_err(skb, err, 0);
 	}
 
 	if (selinux_secmark_enabled()) {
@@ -4370,6 +4376,7 @@ out:
 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
 				       u16 family)
 {
+	int err;
 	char *addrp;
 	u32 peer_sid;
 	struct avc_audit_data ad;
@@ -4393,10 +4400,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
 		return NF_DROP;
 
-	if (peerlbl_active)
-		if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
-					     peer_sid, &ad) != 0)
+	if (peerlbl_active) {
+		err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
+					       peer_sid, &ad);
+		if (err) {
+			selinux_netlbl_err(skb, err, 1);
 			return NF_DROP;
+		}
+	}
 
 	if (secmark_active)
 		if (avc_has_perm(peer_sid, skb->secmark,
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 487a7d8..e034d25 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -39,6 +39,8 @@
 #ifdef CONFIG_NETLABEL
 void selinux_netlbl_cache_invalidate(void);
 
+void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway);
+
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
 				      int family);
 
@@ -63,6 +65,13 @@ static inline void selinux_netlbl_cache_invalidate(void)
 	return;
 }
 
+static inline void void selinux_netlbl_err(struct sk_buff *skb,
+					   int error,
+					   int gateway)
+{
+	return;
+}
+
 static inline void selinux_netlbl_sk_security_reset(
 					       struct sk_security_struct *ssec,
 					       int family)
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 89b4183..0207bd2 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -106,6 +106,24 @@ void selinux_netlbl_cache_invalidate(void)
 }
 
 /**
+ * selinux_netlbl_err - Handle a NetLabel packet error
+ * @skb: the packet
+ * @error: the error code
+ * @gateway: true if host is acting as a gateway, false otherwise
+ *
+ * Description:
+ * When a packet is dropped due to a call to avc_has_perm() pass the error
+ * code to the NetLabel subsystem so any protocol specific processing can be
+ * done.  This is safe to call even if you are unsure if NetLabel labeling is
+ * present on the packet, NetLabel is smart enough to only act when it should.
+ *
+ */
+void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway)
+{
+	netlbl_skbuff_err(skb, error, gateway);
+}
+
+/**
  * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
  * @ssec: the sk_security_struct
  * @family: the socket family
@@ -307,7 +325,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 		return 0;
 
 	if (nlbl_sid != SECINITSID_UNLABELED)
-		netlbl_skbuff_err(skb, rc);
+		netlbl_skbuff_err(skb, rc, 0);
 	return rc;
 }
 


  parent reply	other threads:[~2008-09-03  0:49 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-09-03  0:48 [RFC PATCH v4 00/14] Labeled networking patches for 2.6.28 Paul Moore
2008-09-03  0:48 ` [RFC PATCH v4 01/14] netlabel: Remove unneeded in-kernel API functions Paul Moore
2008-09-03  0:48 ` [RFC PATCH v4 02/14] selinux: Better local/forward check in selinux_ip_postroute() Paul Moore
2008-09-05  8:51   ` James Morris
2008-09-05 21:58     ` Paul Moore
2008-09-03  0:49 ` [RFC PATCH v4 03/14] selinux: Fix a problem in security_netlbl_sid_to_secattr() Paul Moore
2008-09-05  8:53   ` James Morris
2008-09-03  0:49 ` Paul Moore [this message]
2008-09-05  8:55   ` [RFC PATCH v4 04/14] selinux: Fix missing calls to netlbl_skbuff_err() James Morris
2008-09-03  0:49 ` [RFC PATCH v4 05/14] smack: " Paul Moore
2008-09-03  0:49 ` [RFC PATCH v4 06/14] netlabel: Replace protocol/NetLabel linking with refrerence counts Paul Moore
2008-09-03  0:49 ` [RFC PATCH v4 07/14] netlabel: Add a generic way to create ordered linked lists of network addrs Paul Moore
2008-09-03  0:49 ` [RFC PATCH v4 08/14] netlabel: Add network address selectors to the NetLabel/LSM domain mapping Paul Moore
2008-09-03  0:49 ` [RFC PATCH v4 09/14] netlabel: Add functionality to set the security attributes of a packet Paul Moore
2008-09-05  9:03   ` James Morris
2008-09-03  0:49 ` [RFC PATCH v4 10/14] selinux: Set socket NetLabel based on connection endpoint Paul Moore
2008-09-05  9:08   ` James Morris
2008-09-03  0:50 ` [RFC PATCH v4 11/14] selinux: Cache NetLabel secattrs in the socket's security struct Paul Moore
2008-09-05  9:12   ` James Morris
2008-09-03  0:50 ` [RFC PATCH v4 12/14] netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts Paul Moore
2008-09-05  9:12   ` James Morris
2008-09-03  0:50 ` [RFC PATCH v4 13/14] cipso: Add support for native local labeling and fixup mapping names Paul Moore
2008-09-03  0:50 ` [RFC PATCH v4 14/14] netlabel: Add configuration support for local labeling Paul Moore
2008-09-03  3:48 ` [RFC PATCH v4 00/14] Labeled networking patches for 2.6.28 Casey Schaufler
2008-09-03 14:05 ` Paul Moore
2008-09-04 11:44   ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080903004908.15669.36176.stgit@flek.lan \
    --to=paul.moore@hp.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).