author | Venkat Yekkirala <vyekkirala@TrustedCS.com> | 2006-07-25 02:32:50 -0400 |
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:29 -0400 |
commit | 4237c75c0a35535d7f9f2bfeeb4b4df1e068a0bf (patch) | |
tree | 02adcb6fe6c346a8b99cf161ba5233ed1e572727 /include | |
parent | cb969f072b6d67770b559617f14e767f47e77ece (diff) |
[MLSXFRM]: Auto-labeling of child sockets
This automatically labels the TCP, Unix stream, and dccp child sockets
as well as openreqs to be at the same MLS level as the peer. This will
result in the selection of appropriately labeled IPSec Security
Associations.
This also uses the sock's sid (as opposed to the isec sid) in SELinux
enforcement of secmark in rcv_skb and postroute_last hooks.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/security.h | 55 | ||||
-rw-r--r-- | include/net/request_sock.h | 1 | ||||
-rw-r--r-- | include/net/sock.h | 1 |
3 files changed, 57 insertions, 0 deletions
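--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -90,6 +90,7 @@ extern int cap_netlink_recv(struct sk_buff *skb, int cap);
 struct nfsctl_arg;
 struct sched_param;
 struct swap_info_struct;
+struct request_sock;
 
 /* bprm_apply_creds unsafe reasons */
 #define LSM_UNSAFE_SHARE 1
@@ -819,6 +820,14 @@ struct swap_info_struct;
 * @sk_getsecid:
 * Retrieve the LSM-specific secid for the sock to enable caching of network
 * authorizations.
+* @sock_graft:
+* Sets the socket's isec sid to the sock's sid.
+* @inet_conn_request:
+* Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
+* @inet_csk_clone:
+* Sets the new child socket's sid to the openreq sid.
+* @req_classify_flow:
+* Sets the flow's sid to the openreq sid.
 *
 * Security hooks for XFRM operations.
 *
@@ -1358,6 +1367,11 @@ struct security_operations {
 void (*sk_free_security) (struct sock *sk);
 void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
 void (*sk_getsecid) (struct sock *sk, u32 *secid);
+void (*sock_graft)(struct sock* sk, struct socket *parent);
+int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
+struct request_sock *req);
+void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
+void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2926,6 +2940,28 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
 security_ops->sk_getsecid(sk, &fl->secid);
 }
+
+static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+{
+security_ops->req_classify_flow(req, fl);
+}
+
+static inline void security_sock_graft(struct sock* sk, struct socket *parent)
+{
+security_ops->sock_graft(sk, parent);
+}
+
+static inline int security_inet_conn_request(struct sock *sk,
+struct sk_buff *skb, struct request_sock *req)
+{
+return security_ops->inet_conn_request(sk, skb, req);
+}
+
+static inline void security_inet_csk_clone(struct sock *newsk,
+const struct request_sock *req)
+{
+security_ops->inet_csk_clone(newsk, req);
+}
 #else /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct socket * sock,
 struct socket * other,
@@ -3055,6 +3091,25 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
 static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
 }
+
+static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+{
+}
+
+static inline void security_sock_graft(struct sock* sk, struct socket *parent)
+{
+}
+
+static inline int security_inet_conn_request(struct sock *sk,
+struct sk_buff *skb, struct request_sock *req)
+{
+return 0;
+}
+
+static inline void security_inet_csk_clone(struct sock *newsk,
+const struct request_sock *req)
+{
+}
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM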
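Review bot: The @inet_conn_request entry added at new lines 825-826 documents what the hook sets but not what its int return means, even though security_inet_conn_request() at lines 2954-2958 propagates that value to the caller and the CONFIG_SECURITY_NETWORK=n stub at lines 3103-3107 returns 0; a reader of this header cannot tell whether non-zero is a permission denial or only an allocation failure. Suggest appending to that entry the phrasing the other permission hooks in this header use, `Return 0 if permission is granted.`, or stating explicitly that the hook fails only on resource exhaustion if that is the intent. Separately, the three new declarations of sock_graft at new lines 1370, 2949 and 3099 write `struct sock* sk`, while every neighbouring declaration in these hunks binds the star to the name (`struct sock *sk`); worth aligning before this lands. The security_operations struct and the #ifdef regions these hunks sit in begin outside the hunks.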
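--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -53,6 +53,7 @@ struct request_sock {
 unsigned long expires;
 struct request_sock_ops *rsk_ops;
 struct sock *sk;
+u32 secid;
 };
 
 static inline struct request_sock *reqsk_alloc(struct request_sock_ops *ops)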
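Review bot: The new `secid` member at new line 56 carries no comment, and nothing in this hunk shows where it is initialized; if reqsk_alloc() (line 58, body outside the hunk) does not zero the allocation, the field presumably holds slab garbage until an LSM hook assigns it, and on a CONFIG_SECURITY_NETWORK=n build nothing assigns it at all. Suggest `u32 secid; /* LSM label for the openreq, set by security_inet_conn_request() */` so the ownership of the field is visible in the header, and confirming that req_classify_flow and inet_csk_clone are only ever reached after that hook has run. The struct request_sock definition begins outside the hunk.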
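--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -969,6 +969,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
 sk->sk_sleep = &parent->wait;
 parent->sk = sk;
 sk->sk_socket = parent;
+security_sock_graft(sk, parent);
 write_unlock_bh(&sk->sk_callback_lock);
 }
 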
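Review bot: security_sock_graft() at new line 972 is invoked inside the sk_callback_lock critical section — the write_unlock_bh() on line 973 closes it, and the matching write_lock_bh() is presumably above the hunk — so with BHs disabled any LSM sock_graft implementation must be non-blocking and must not take a lock that can be held while waiting on sk_callback_lock. The @sock_graft description added to security.h in this commit says only that the hook copies the sid and does not state that calling context. Suggest a comment above the call, `/* called with sk_callback_lock write-held and BHs off: hook must not sleep */`, and mirroring the constraint in the @sock_graft hook documentation. sock_graft() starts outside the hunk.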