From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Paul Moore <paul.moore@hp.com>
Cc: linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH v2 2/2] selinux: Support for the new TUN LSM hooks
Date: Wed, 12 Aug 2009 17:14:40 -0500 [thread overview]
Message-ID: <20090812221440.GA8524@us.ibm.com> (raw)
In-Reply-To: <20090810172850.7946.25175.stgit@flek.lan>
Quoting Paul Moore (paul.moore@hp.com):
> Add support for the new TUN LSM hooks: security_tun_dev_create(),
> security_tun_dev_post_create() and security_tun_dev_attach(). This includes
> the addition of a new object class, tun_socket, which represents the socks
> associated with TUN devices. The _tun_dev_create() and _tun_dev_post_create()
> hooks are fairly similar to the standard socket functions but _tun_dev_attach()
> is a bit special. The _tun_dev_attach() is unique because it involves a
> domain attaching to an existing TUN device and its associated tun_socket
> object, an operation which does not exist with standard sockets and most
> closely resembles a relabel operation.
>
> --
>
> NOTE: This relies on some changes to the policy to add the new object class
> and its associated permissions, I will ensure that the policy is sorted
> and merged before pushing this patch upstream. Also, you will notice
> that the new tun_socket object class simply inherits the base socket
> object class, thoughts?
> ---
>
> security/selinux/hooks.c | 60 +++++++++++++++++++++++++++-
> security/selinux/include/av_inherit.h | 1
> security/selinux/include/av_permissions.h | 22 ++++++++++
> security/selinux/include/class_to_string.h | 1
> security/selinux/include/flask.h | 1
> 5 files changed, 83 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 15c2a08..fc7caa0 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -13,8 +13,8 @@
> * Eric Paris <eparis@redhat.com>
> * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
> * <dgoeddel@trustedcs.com>
> - * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
> - * Paul Moore <paul.moore@hp.com>
> + * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
> + * Paul Moore <paul.moore@hp.com>
> * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
> * Yuichi Nakamura <ynakam@hitachisoft.jp>
> *
> @@ -4296,6 +4296,59 @@ static void selinux_req_classify_flow(const struct request_sock *req,
> fl->secid = req->secid;
> }
>
> +static int selinux_tun_dev_create(void)
> +{
> + u32 sid = current_sid();
> +
> + /* we aren't taking into account the "sockcreate" SID since the socket
> + * that is being created here is not a socket in the traditional sense,
> + * instead it is a private sock, accessible only to the kernel, and
> + * representing a wide range of network traffic spanning multiple
> + * connections unlike traditional sockets - check the TUN driver to
> + * get a better understanding of why this socket is special */
> +
> + return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
> + NULL);
> +}
> +
> +static void selinux_tun_dev_post_create(struct sock *sk)
> +{
> + struct sk_security_struct *sksec = sk->sk_security;
> +
> + /* we don't currently perform any NetLabel based labeling here and it
> + * isn't clear that we would want to do so anyway; while we could apply
> + * labeling without the support of the TUN user the resulting labeled
> + * traffic from the other end of the connection would almost certainly
> + * cause confusion to the TUN user that had no idea network labeling
> + * protocols were being used */
> +
> + /* see the comments in selinux_tun_dev_create() about why we don't use
> + * the sockcreate SID here */
> +
> + sksec->sid = current_sid();
> + sksec->sclass = SECCLASS_TUN_SOCKET;
> +}
> +
> +static int selinux_tun_dev_attach(struct sock *sk)
> +{
> + struct sk_security_struct *sksec = sk->sk_security;
> + u32 sid = current_sid();
> + int err;
> +
> + err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
> + TUN_SOCKET__RELABELFROM, NULL);
> + if (err)
> + return err;
> + err = avc_has_perm(sid, sid, SECCLASS_RAWIP_SOCKET,
Was RAWIP on purpose here?
> + TUN_SOCKET__RELABELTO, NULL);
> + if (err)
> + return err;
> +
> + sksec->sid = sid;
> +
> + return 0;
> +}
IIUC it is possible for multiple processes to attach to the same
tun device. Will it get confusing/incorrect to have each attach
potentially (if tasks have different sids) relabel?
> static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
> {
> int err = 0;
> @@ -5464,6 +5517,9 @@ static struct security_operations selinux_ops = {
> .inet_csk_clone = selinux_inet_csk_clone,
> .inet_conn_established = selinux_inet_conn_established,
> .req_classify_flow = selinux_req_classify_flow,
> + .tun_dev_create = selinux_tun_dev_create,
> + .tun_dev_post_create = selinux_tun_dev_post_create,
> + .tun_dev_attach = selinux_tun_dev_attach,
>
> #ifdef CONFIG_SECURITY_NETWORK_XFRM
> .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
> diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
> index 8377a4b..abedcd7 100644
> --- a/security/selinux/include/av_inherit.h
> +++ b/security/selinux/include/av_inherit.h
> @@ -15,6 +15,7 @@
> S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
> S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
> S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
> + S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL)
> S_(SECCLASS_IPC, ipc, 0x00000200UL)
> S_(SECCLASS_SEM, ipc, 0x00000200UL)
> S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
> diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
> index d645192..0b41ad5 100644
> --- a/security/selinux/include/av_permissions.h
> +++ b/security/selinux/include/av_permissions.h
> @@ -423,6 +423,28 @@
> #define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL
> #define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL
> #define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL
> +#define TUN_SOCKET__IOCTL 0x00000001UL
> +#define TUN_SOCKET__READ 0x00000002UL
> +#define TUN_SOCKET__WRITE 0x00000004UL
> +#define TUN_SOCKET__CREATE 0x00000008UL
> +#define TUN_SOCKET__GETATTR 0x00000010UL
> +#define TUN_SOCKET__SETATTR 0x00000020UL
> +#define TUN_SOCKET__LOCK 0x00000040UL
> +#define TUN_SOCKET__RELABELFROM 0x00000080UL
> +#define TUN_SOCKET__RELABELTO 0x00000100UL
> +#define TUN_SOCKET__APPEND 0x00000200UL
> +#define TUN_SOCKET__BIND 0x00000400UL
> +#define TUN_SOCKET__CONNECT 0x00000800UL
> +#define TUN_SOCKET__LISTEN 0x00001000UL
> +#define TUN_SOCKET__ACCEPT 0x00002000UL
> +#define TUN_SOCKET__GETOPT 0x00004000UL
> +#define TUN_SOCKET__SETOPT 0x00008000UL
> +#define TUN_SOCKET__SHUTDOWN 0x00010000UL
> +#define TUN_SOCKET__RECVFROM 0x00020000UL
> +#define TUN_SOCKET__SENDTO 0x00040000UL
> +#define TUN_SOCKET__RECV_MSG 0x00080000UL
> +#define TUN_SOCKET__SEND_MSG 0x00100000UL
> +#define TUN_SOCKET__NAME_BIND 0x00200000UL
> #define PROCESS__FORK 0x00000001UL
> #define PROCESS__TRANSITION 0x00000002UL
> #define PROCESS__SIGCHLD 0x00000004UL
> diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
> index 21ec786..7ab9299 100644
> --- a/security/selinux/include/class_to_string.h
> +++ b/security/selinux/include/class_to_string.h
> @@ -77,3 +77,4 @@
> S_(NULL)
> S_(NULL)
> S_("kernel_service")
> + S_("tun_socket")
> diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
> index 882f27d..f248500 100644
> --- a/security/selinux/include/flask.h
> +++ b/security/selinux/include/flask.h
> @@ -53,6 +53,7 @@
> #define SECCLASS_PEER 68
> #define SECCLASS_CAPABILITY2 69
> #define SECCLASS_KERNEL_SERVICE 74
> +#define SECCLASS_TUN_SOCKET 75
>
> /*
> * Security identifier indices for initial entities
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2009-08-12 22:14 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-10 17:28 [RFC PATCH v2 0/2] New LSM hooks for the TUN driver Paul Moore
2009-08-10 17:28 ` [RFC PATCH v2 1/2] lsm: Add hooks to " Paul Moore
2009-08-11 20:34 ` Eric Paris
2009-08-12 19:28 ` Serge E. Hallyn
2009-08-12 19:43 ` Paul Moore
2009-08-10 17:28 ` [RFC PATCH v2 2/2] selinux: Support for the new TUN LSM hooks Paul Moore
2009-08-11 20:36 ` Eric Paris
2009-08-12 14:59 ` Paul Moore
2009-08-12 22:14 ` Serge E. Hallyn [this message]
2009-08-12 22:55 ` Paul Moore
2009-08-12 23:07 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090812221440.GA8524@us.ibm.com \
--to=serue@us.ibm.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paul.moore@hp.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).