RE: [PATCH] Fix for IPsec leakage with SELinux enabled

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: James Morris <jmorris@namei.org>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	netdev@vger.kernel.org, Stephen Smalley <sds@tycho.nsa.gov>,
	Evgeniy Polyakov <johnpol@2ka.mipt.ru>,
	Paul Moore <paul.moore@hp.com>,
	Chad Hanson <chanson@TrustedCS.com>
Subject: RE: [PATCH] Fix for IPsec leakage with SELinux enabled
Date: Sun, 1 Oct 2006 21:44:03 -0400 (EDT)	[thread overview]
Message-ID: <Pine.LNX.4.64.0610012117110.4789@d.namei> (raw)
In-Reply-To: <36282A1733C57546BE392885C0618592015CF3C7@chaos.tcs.tcs-sec.com>

On Sun, 1 Oct 2006, Venkat Yekkirala wrote:

> > The way I was seeing the problem was when connecting via IPsec to a 
> > confined service on an SELinux box (vsftpd), which did not have the 
> > appropriate SELinux policy permissions to send packets via IPsec.
> > 
> > The first SYNACK would be blocked,
> 
> Given that the resolver fails to find a policy here, I am trying to
> understand what exactly is blocking it (the first SYNACK) from
> proceeding without IPSec.

You're right.  My explanation there was for the case where I'd modified 
the code to propagate the SELinux denial back to xfrm_lookup(), and not 
for the original issue (sorry, it's been a long week).

In the original case, all packets originating from a confined domain will 
bypass ipsec.  During xfrm_lookup, flow_cache_lookup() returns NULL 
policy:

xfrm_lookup()
{
	...

	if (!policy) {
                /* To accelerate a bit...  */
                if ((dst_orig->flags & DST_NOXFRM) ||
                    !xfrm_policy_count[XFRM_POLICY_OUT])
                        return 0;

                policy = flow_cache_lookup(fl, dst_orig->ops->family,
                                           dir, xfrm_policy_lookup);
        }

        if (!policy)
                return 0;  <- bad
	...
}

The call chain is:

flow_cache_lookup()
  xfrm_policy_lookup()
   xfrm_policy_lookup_bytype()
     xfrm_policy_match() {
       xfrm_selector_match => returns true, then
         security_xfrm_policy_lookup => returns -EACCESS
     }

then

xfrm_policy_match() => returns 0
xfrm_policy_lookup_bytype => returns 0
xfrm_policy_lookup() => sets obj to NULL w/ void return
flow_cache_lookup() => returns NULL
xfrm_lookup => returns 0

and the packet proceeds without error and with no transform applied (i.e. 
leaked as cleartext).

The first component of the fix is to propagate errors back up to callers 
via the flow cache resolver, and handle them correctly, as this is where 
we can experience security module denials.

The second component is to then ensure that, on failure, we kill the new 
flow cache entry created during lookup, so that it is not subsequently 
looked up with a null policy (i.e. allowing future packets to leak) and to 
force the security hook to be called again in case the policy has changed.  

Hope that clarifies.

- James
-- 
James Morris
<jmorris@namei.org>

next prev parent reply	other threads:[~2006-10-02  1:44 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-10-01 20:55 [PATCH] Fix for IPsec leakage with SELinux enabled Venkat Yekkirala
2006-10-02  1:44 ` James Morris [this message]
  -- strict thread matches above, loose matches on Subject: below --
2006-10-02 18:59 Venkat Yekkirala
2006-10-02 17:09 Venkat Yekkirala
2006-10-02 18:39 ` James Morris
2006-09-24 14:33 Is TCP over IPsec broken in 2.6.18? James Morris
2006-09-24 23:54 ` Herbert Xu
     [not found]   ` <20060925103836.GA13966@2ka.mipt.ru>
2006-09-25 11:27     ` Herbert Xu
2006-09-25 12:05       ` Evgeniy Polyakov
2006-09-30  5:06         ` James Morris
2006-09-30  5:14           ` James Morris
2006-09-30 11:15             ` Evgeniy Polyakov
2006-09-30 14:36               ` James Morris
2006-09-30 14:40                 ` Evgeniy Polyakov
2006-09-30 14:44                   ` James Morris
2006-10-01  6:27                     ` [PATCH] Fix for IPsec leakage with SELinux enabled James Morris
2006-10-02 11:20                       ` Evgeniy Polyakov
2006-10-02 13:31                         ` James Morris
2006-10-02 13:42                           ` Evgeniy Polyakov
2006-10-02 14:05                             ` James Morris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Pine.LNX.4.64.0610012117110.4789@d.namei \
    --to=jmorris@namei.org \
    --cc=chanson@TrustedCS.com \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=johnpol@2ka.mipt.ru \
    --cc=netdev@vger.kernel.org \
    --cc=paul.moore@hp.com \
    --cc=sds@tycho.nsa.gov \
    --cc=vyekkirala@TrustedCS.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).