From: Venkat Yekkirala <vyekkirala@trustedcs.com>
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: jmorris@namei.org, sds@tycho.nsa.gov, chanson@trustedcs.com
Subject: [RFC 2/3] secid reconciliation on inbound: add LSM hooks
Date: Tue, 01 Aug 2006 17:08:34 -0500 [thread overview]
Message-ID: <44CFD0E2.9070709@trustedcs.com> (raw)
Add skb_policy_check hook to LSM to enable reconciliation of the
various security identifiers as well as enforce flow control on
inbound (INPUT/FORWARD) traffic.
Also defines reconciliation for SELinux.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
---
dummy.c | 7 ++
hooks.c | 30 ++++++++--
security.h | 16 +++++
3 files changed, 49 insertions(+), 4 deletions(-)
--- linux-2.6.17.child_sock/include/linux/security.h 2006-07-31 10:03:26.000000000 -0500
+++ linux-2.6.17/include/linux/security.h 2006-08-01 10:57:15.000000000 -0500
@@ -828,6 +828,9 @@ struct request_sock;
* Sets the new child socket's sid to the openreq sid.
* @req_classify_flow:
* Sets the flow's sid to the openreq sid.
+ * @skb_policy_check:
+ * Checks to see if security policy would allow skb into the system.
+ * Returns 1 if skb is allowed, 0 otherwise.
*
* Security hooks for XFRM operations.
*
@@ -1360,6 +1363,7 @@ struct security_operations {
struct request_sock *req);
void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
+ int (*skb_policy_check)(struct sk_buff *skb, unsigned short family);
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2917,6 +2921,12 @@ static inline void security_req_classify
security_ops->req_classify_flow(req, fl);
}
+static inline int security_skb_policy_check(struct sk_buff *skb,
+ unsigned short family)
+{
+ return security_ops->skb_policy_check(skb, family);
+}
+
static inline void security_sock_graft(struct sock* sk, struct socket *parent)
{
security_ops->sock_graft(sk, parent);
@@ -3068,6 +3078,12 @@ static inline void security_req_classify
{
}
+static inline int security_skb_policy_check(struct sk_buff *skb,
+ unsigned short family)
+{
+ return 1;
+}
+
static inline void security_sock_graft(struct sock* sk, struct socket *parent)
{
}
--- linux-2.6.17.child_sock/security/dummy.c 2006-07-31 10:03:26.000000000 -0500
+++ linux-2.6.17/security/dummy.c 2006-08-01 10:57:37.000000000 -0500
@@ -833,6 +833,12 @@ static inline void dummy_req_classify_fl
struct flowi *fl)
{
}
+
+static inline int dummy_skb_policy_check(struct sk_buff *skb,
+ unsigned short family)
+{
+ return 1;
+}
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1098,6 +1104,7 @@ void security_fixup_ops (struct security
set_to_dummy_if_null(ops, inet_conn_request);
set_to_dummy_if_null(ops, inet_csk_clone);
set_to_dummy_if_null(ops, req_classify_flow);
+ set_to_dummy_if_null(ops, skb_policy_check);
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
set_to_dummy_if_null(ops, xfrm_policy_alloc_security);
--- linux-2.6.17.child_sock/security/selinux/hooks.c 2006-07-31 10:04:31.000000000 -0500
+++ linux-2.6.17/security/selinux/hooks.c 2006-08-01 10:33:43.000000000 -0500
@@ -3465,11 +3465,11 @@ static int selinux_socket_sock_rcv_skb(s
else
err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
PACKET__RECV, &ad);
- if (err)
- goto out;
+ /* if (err) */
+ /* goto out; */
- err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
-out:
+ /* err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); */
+out:
return err;
}
@@ -3624,6 +3624,27 @@ void selinux_req_classify_flow(const str
fl->secid = req->secid;
}
+static int selinux_skb_policy_check(struct sk_buff *skb, unsigned short family)
+{
+ u32 xfrm_sid;
+ int err;
+
+ err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0);
+ BUG_ON(err);
+
+ err = avc_has_perm(xfrm_sid, skb->secmark, SECCLASS_PACKET,
+ PACKET__COME_THRU, NULL);
+ if (err)
+ goto out;
+
+ skb->secmark = xfrm_sid;
+
+ /* See if CIPSO can COME_THRU the current secmark here */
+
+out:
+ return err ? 0 : 1;
+}
+
static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
{
int err = 0;
@@ -4667,6 +4688,7 @@ static struct security_operations selinu
.inet_conn_request = selinux_inet_conn_request,
.inet_csk_clone = selinux_inet_csk_clone,
.req_classify_flow = selinux_req_classify_flow,
+ .skb_policy_check = selinux_skb_policy_check,
#ifdef CONFIG_SECURITY_NETWORK_XFRM
.xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
next reply other threads:[~2006-08-01 22:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-01 22:08 Venkat Yekkirala [this message]
2006-08-01 23:09 ` [RFC 2/3] secid reconciliation on inbound: add LSM hooks James Morris
-- strict thread matches above, loose matches on Subject: below --
2006-08-02 12:49 Venkat Yekkirala
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44CFD0E2.9070709@trustedcs.com \
--to=vyekkirala@trustedcs.com \
--cc=chanson@trustedcs.com \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).