smack: Add support for unlabeled network hosts and networks

Add support for unlabeled network hosts and networks. Relies heavily on Paul Moore's netlabel support. Creates a new entry in /smack called netlabel. Writes to /smack/netlabel take the form: A.B.C.D LABEL or A.B.C.D/N LABEL where A.B.C.D is a network address, N is an integer between 0-32, and LABEL is the Smack label to be used. If /N is omitted /32 is assumed. N designates the netmask for the address. Entries are matched by the most specific address/mask pair. 0.0.0.0/0 will match everything, while 192.168.1.117/32 will match exactly one host. A new system label "@", pronounced "web", is defined. Processes can not be assigned the web label. An address assigned the web label can be written to by any process, and packets coming from a web address can be written to any socket. Use of the web label is a violation of any strict MAC policy, but the web label has been requested many times. The nltype entry has been removed from /smack. It did not work right and the netlabel interface can be used to specify that all hosts be treated as unlabeled. CIPSO labels on incoming packets will be honored, even from designated single label hosts. Single label hosts can only be written to by processes with labels that can write to the label of the host. Packets sent to single label hosts will always be unlabeled. Once added a single label designation cannot be removed, however the label may be changed. The behavior of the ambient label remains unchanged. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Paul Moore <paul.moore@hp.com>
author: Casey Schaufler <casey@schaufler-ca.com> 2008-12-31 12:54:12 -0500
committer: Paul Moore <paul.moore@hp.com> 2008-12-31 12:54:12 -0500
commit: 6d3dc07cbb1e88deed2e8710e215f232a56b1dce (patch)
tree: 4c294d1ddac8c9f417bcd406771993aa58106f6d /security/smack/smack.h
parent: 277d342fc423fca5e66e677fe629d1b2f8f1b9e2 (diff)
1 files changed, 29 insertions, 2 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 31dce559595a..b79582e4fbfd 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -16,6 +16,7 @@
 #include <linux/capability.h>
 #include <linux/spinlock.h>
 #include <linux/security.h>
+#include <linux/in.h>
 #include <net/netlabel.h>
 /*
@@ -39,6 +40,7 @@ struct superblock_smack {
 struct socket_smack {
        char            *smk_out;                       /* outbound label */
        char            *smk_in;                        /* inbound label */
+        int             smk_labeled;                    /* label scheme */
        char            smk_packet[SMK_LABELLEN];       /* TCP peer label */
 };
@@ -80,6 +82,16 @@ struct smack_cipso {
 };
 /*
+ * An entry in the table identifying hosts.
+ */
+struct smk_netlbladdr {
+        struct smk_netlbladdr   *smk_next;
+        struct sockaddr_in      smk_host;       /* network address */
+        struct in_addr          smk_mask;       /* network mask */
+        char                    *smk_label;     /* label */
+};
+/*
 * This is the repository for labels seen so that it is
 * not necessary to keep allocating tiny chuncks of memory
 * and so that they can be shared.
@@ -127,6 +139,20 @@ struct smack_known {
 #define XATTR_NAME_SMACKIPOUT   XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT
 /*
+ * How communications on this socket are treated.
+ * Usually it's determined by the underlying netlabel code
+ * but there are certain cases, including single label hosts
+ * and potentially single label interfaces for which the
+ * treatment can not be known in advance.
+ *
+ * The possibility of additional labeling schemes being
+ * introduced in the future exists as well.
+ */
+#define SMACK_UNLABELED_SOCKET  0
+#define SMACK_CIPSO_SOCKET      1
+/*
+ * smackfs magic number
 * smackfs macic number
 */
 #define SMACK_MAGIC     0x43415d53 /* "SMAC" */
@@ -141,6 +167,7 @@ struct smack_known {
 * CIPSO defaults.
 */
 #define SMACK_CIPSO_DOI_DEFAULT         3       /* Historical */
+#define SMACK_CIPSO_DOI_INVALID         -1      /* Not a DOI */
 #define SMACK_CIPSO_DIRECT_DEFAULT      250     /* Arbitrary */
 #define SMACK_CIPSO_MAXCATVAL           63      /* Bigger gets harder */
 #define SMACK_CIPSO_MAXLEVEL            255     /* CIPSO 2.2 standard */
@@ -176,7 +203,6 @@ u32 smack_to_secid(const char *);
 * Shared data.
 */
 extern int smack_cipso_direct;
-extern int smack_net_nltype;
 extern char *smack_net_ambient;
 extern char *smack_onlycap;
@@ -186,9 +212,10 @@ extern struct smack_known smack_known_hat;
 extern struct smack_known smack_known_huh;
 extern struct smack_known smack_known_invalid;
 extern struct smack_known smack_known_star;
-extern struct smack_known smack_known_unset;
+extern struct smack_known smack_known_web;
 extern struct smk_list_entry *smack_list;
+extern struct smk_netlbladdr *smack_netlbladdrs;
 extern struct security_operations smack_ops;
 /*
author	Casey Schaufler <casey@schaufler-ca.com>	2008-12-31 12:54:12 -0500
committer	Paul Moore <paul.moore@hp.com>	2008-12-31 12:54:12 -0500
commit	6d3dc07cbb1e88deed2e8710e215f232a56b1dce (patch)
tree	4c294d1ddac8c9f417bcd406771993aa58106f6d /security/smack/smack.h
parent	277d342fc423fca5e66e677fe629d1b2f8f1b9e2 (diff)