* [PATCH 0/1] NetLabel changes from yesterday's discussion
From: paul.moore @ 2006-10-05 22:28 UTC (permalink / raw)
To: netdev, selinux; +Cc: jmorris
In case you missed it (har har) there was a pretty good discussion about
labeled networking yesterday. One of the results of the discussion was the
realization that the way NetLabel determines what to use for the SELinux TE
portion of the packet's label was not the best choice. This patch should
address the issue.
This patch does not rely on the secid patches currently in progress and should
be considered a bugfix against the current net-2.6 tree.
--
paul moore
linux security @ hp
* [PATCH 1/1] NetLabel: use SECINITSID_UNLABELED for a base SID
From: paul.moore @ 2006-10-05 22:28 UTC (permalink / raw)
To: netdev, selinux; +Cc: jmorris, Paul Moore
[-- Attachment #1: netlabel-permchange_unlbl --]
[-- Type: text/plain, Size: 2641 bytes --]
This patch changes NetLabel to use SECINITSID_UNLABELED as its source of
SELinux type information when generating a NetLabel context.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
security/selinux/ss/services.c | 29 +++++++++--------------------
1 files changed, 9 insertions(+), 20 deletions(-)
Index: net-2.6_bugfix/security/selinux/ss/services.c
===================================================================
--- net-2.6_bugfix.orig/security/selinux/ss/services.c
+++ net-2.6_bugfix/security/selinux/ss/services.c
@@ -2336,7 +2336,7 @@ static int selinux_netlbl_secattr_to_sid
selinux_netlbl_cache_add(skb, &ctx_new);
ebitmap_destroy(&ctx_new.range.level[0].cat);
} else {
- *sid = SECINITSID_UNLABELED;
+ *sid = SECSID_NULL;
rc = 0;
}
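Review bot: the else branch now stores SECSID_NULL in *sid while still returning rc = 0, so "packet carried no usable NetLabel attribute" is signalled through the SID value rather than the return code. Every caller of selinux_netlbl_secattr_to_sid() therefore has to test for SECSID_NULL instead of SECINITSID_UNLABELED, and the two-valued contract (rc != 0 means failure, rc == 0 with *sid == SECSID_NULL means unlabeled) should be spelled out in the comment above the function so later callers do not treat SECSID_NULL as an error.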
@@ -2519,7 +2519,7 @@ void selinux_netlbl_sock_graft(struct so
if (netlbl_sock_getattr(sk, &secattr) == 0 &&
selinux_netlbl_secattr_to_sid(NULL,
&secattr,
- sksec->sid,
+ SECINITSID_UNLABELED,
&nlbl_peer_sid) == 0)
sksec->peer_sid = nlbl_peer_sid;
netlbl_secattr_destroy(&secattr);
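Review bot: with SECINITSID_UNLABELED as the base SID, the user/role/type part of the peer SID computed here no longer depends on the socket's own SID (sksec->sid), which is the point of the change; note, however, that after the first hunk a successful call can now yield nlbl_peer_sid == SECSID_NULL, and that value is written straight into sksec->peer_sid. That is consistent with the later removal of the SECINITSID_UNLABELED test in selinux_netlbl_socket_getpeersec_stream(), but it changes what peer_sid means and deserves a one-line comment at the assignment ("SECSID_NULL here means no labeled peer").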
@@ -2552,9 +2552,6 @@ u32 selinux_netlbl_inet_conn_request(str
if (rc != 0)
return SECSID_NULL;
- if (peer_sid == SECINITSID_UNLABELED)
- return SECSID_NULL;
-
return peer_sid;
}
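Review bot: dropping the "peer_sid == SECINITSID_UNLABELED -> SECSID_NULL" translation is only correct if the lookup above this hunk (not visible here) now goes through selinux_netlbl_secattr_to_sid() with SECINITSID_UNLABELED as its base and so already returns SECSID_NULL for unlabeled traffic. Worth confirming that the earlier part of selinux_netlbl_inet_conn_request() was updated in the same way as the other call sites in this patch; otherwise an unlabeled connection request would now hand back a real SID where it previously handed back SECSID_NULL.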
@@ -2616,11 +2613,13 @@ int selinux_netlbl_sock_rcv_skb(struct s
u32 netlbl_sid;
u32 recv_perm;
- rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &netlbl_sid);
+ rc = selinux_netlbl_skbuff_getsid(skb,
+ SECINITSID_UNLABELED,
+ &netlbl_sid);
if (rc != 0)
return rc;
- if (netlbl_sid == SECINITSID_UNLABELED)
+ if (netlbl_sid == SECSID_NULL)
return 0;
switch (sksec->sclass) {
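Review bot: replacing SECINITSID_NETMSG with SECINITSID_UNLABELED as the base SID changes which initial SID supplies the non-MLS components of a NetLabel-derived packet SID, so any policy written against the netmsg initial SID for these packets will stop matching; that is a visible behaviour change and should be stated in the changelog rather than only in the cover letter. The early "return 0" on SECSID_NULL preserves the existing "unlabeled packets skip the NetLabel permission check" behaviour, which is fine, but the reason belongs in a comment next to the test now that the sentinel value has changed.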
@@ -2658,10 +2657,6 @@ int selinux_netlbl_sock_rcv_skb(struct s
u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
{
struct sk_security_struct *sksec = sock->sk->sk_security;
-
- if (sksec->peer_sid == SECINITSID_UNLABELED)
- return SECSID_NULL;
-
return sksec->peer_sid;
}
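Review bot: removing the SECINITSID_UNLABELED check means this function now returns whatever is in sksec->peer_sid unmodified, so it is only correct if no remaining code path still initialises or assigns SECINITSID_UNLABELED to peer_sid (the sock_graft hunk above now stores SECSID_NULL for the unlabeled case, but the socket allocation and other assignments are outside this patch). Please audit those sites; if one still uses SECINITSID_UNLABELED, getpeercon() on a stream socket would start returning an "unlabeled" context where it previously reported no peer label.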
@@ -2677,16 +2672,10 @@ u32 selinux_netlbl_socket_getpeersec_str
u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
{
int peer_sid;
- struct sock *sk = skb->sk;
- struct inode_security_struct *isec;
-
- if (sk == NULL || sk->sk_socket == NULL)
- return SECSID_NULL;
- isec = SOCK_INODE(sk->sk_socket)->i_security;
- if (selinux_netlbl_skbuff_getsid(skb, isec->sid, &peer_sid) != 0)
- return SECSID_NULL;
- if (peer_sid == SECINITSID_UNLABELED)
+ if (selinux_netlbl_skbuff_getsid(skb,
+ SECINITSID_UNLABELED,
+ &peer_sid) != 0)
return SECSID_NULL;
return peer_sid;
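Review bot: peer_sid is declared as int but is passed as &peer_sid to selinux_netlbl_skbuff_getsid(), whose out-parameter is u32 * (see the u32 netlbl_sid used with the same function in the selinux_netlbl_sock_rcv_skb hunk), and the function itself returns u32; this produces a pointer-signedness warning and a sign conversion on return. Since the declaration block is being rewritten anyway, change it to "u32 peer_sid;". Dropping the skb->sk / SOCK_INODE lookup is a good simplification, as the function no longer needs a socket to derive the base SID.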
--
paul moore
linux security @ hp
* Re: [PATCH 1/1] NetLabel: use SECINITSID_UNLABELED for a base SID
From: James Morris @ 2006-10-06 1:46 UTC (permalink / raw)
To: Paul Moore; +Cc: netdev, selinux
On Thu, 5 Oct 2006, paul.moore@hp.com wrote:
> This patch changes NetLabel to use SECINITSID_UNLABELED as its source of
> SELinux type information when generating a NetLabel context.
Applied.
Git:
git://git.infradead.org/~jmorris/selinux-2.6.git
Web:
http://git.infradead.org/?p=users/jmorris/selinux-2.6.git;a=summary
--
James Morris
<jmorris@namei.org>