aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--net/ipv4/cipso_ipv4.c7
-rw-r--r--net/ipv4/ip_options.c2
-rw-r--r--security/selinux/hooks.c8
-rw-r--r--security/selinux/include/selinux_netlabel.h10
-rw-r--r--security/selinux/ss/services.c37
5 files changed, 58 insertions, 6 deletions
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index e2077a3aa8c..6460233407c 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1307,7 +1307,8 @@ int cipso_v4_socket_setattr(const struct socket *sock,
1307 1307
1308 /* We can't use ip_options_get() directly because it makes a call to 1308 /* We can't use ip_options_get() directly because it makes a call to
1309 * ip_options_get_alloc() which allocates memory with GFP_KERNEL and 1309 * ip_options_get_alloc() which allocates memory with GFP_KERNEL and
1310 * we can't block here. */ 1310 * we won't always have CAP_NET_RAW even though we _always_ want to
1311 * set the IPOPT_CIPSO option. */
1311 opt_len = (buf_len + 3) & ~3; 1312 opt_len = (buf_len + 3) & ~3;
1312 opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC); 1313 opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC);
1313 if (opt == NULL) { 1314 if (opt == NULL) {
@@ -1317,11 +1318,9 @@ int cipso_v4_socket_setattr(const struct socket *sock,
1317 memcpy(opt->__data, buf, buf_len); 1318 memcpy(opt->__data, buf, buf_len);
1318 opt->optlen = opt_len; 1319 opt->optlen = opt_len;
1319 opt->is_data = 1; 1320 opt->is_data = 1;
1321 opt->cipso = sizeof(struct iphdr);
1320 kfree(buf); 1322 kfree(buf);
1321 buf = NULL; 1323 buf = NULL;
1322 ret_val = ip_options_compile(opt, NULL);
1323 if (ret_val != 0)
1324 goto socket_setattr_failure;
1325 1324
1326 sk_inet = inet_sk(sk); 1325 sk_inet = inet_sk(sk);
1327 if (sk_inet->is_icsk) { 1326 if (sk_inet->is_icsk) {
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 8dabbfc3126..9f02917d6f4 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -443,7 +443,7 @@ int ip_options_compile(struct ip_options * opt, struct sk_buff * skb)
443 opt->router_alert = optptr - iph; 443 opt->router_alert = optptr - iph;
444 break; 444 break;
445 case IPOPT_CIPSO: 445 case IPOPT_CIPSO:
446 if (opt->cipso) { 446 if ((!skb && !capable(CAP_NET_RAW)) || opt->cipso) {
447 pp_ptr = optptr; 447 pp_ptr = optptr;
448 goto error; 448 goto error;
449 } 449 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e9969a2fc84..8ab5679a37a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3313,7 +3313,13 @@ static int selinux_socket_getpeername(struct socket *sock)
3313 3313
3314static int selinux_socket_setsockopt(struct socket *sock,int level,int optname) 3314static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3315{ 3315{
3316 return socket_has_perm(current, sock, SOCKET__SETOPT); 3316 int err;
3317
3318 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3319 if (err)
3320 return err;
3321
3322 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3317} 3323}
3318 3324
3319static int selinux_socket_getsockopt(struct socket *sock, int level, 3325static int selinux_socket_getsockopt(struct socket *sock, int level,
diff --git a/security/selinux/include/selinux_netlabel.h b/security/selinux/include/selinux_netlabel.h
index ecab4bddaaf..9de10cc2cef 100644
--- a/security/selinux/include/selinux_netlabel.h
+++ b/security/selinux/include/selinux_netlabel.h
@@ -53,6 +53,9 @@ void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
53void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec, 53void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
54 struct sk_security_struct *newssec); 54 struct sk_security_struct *newssec);
55int selinux_netlbl_inode_permission(struct inode *inode, int mask); 55int selinux_netlbl_inode_permission(struct inode *inode, int mask);
56int selinux_netlbl_socket_setsockopt(struct socket *sock,
57 int level,
58 int optname);
56#else 59#else
57static inline void selinux_netlbl_cache_invalidate(void) 60static inline void selinux_netlbl_cache_invalidate(void)
58{ 61{
@@ -114,6 +117,13 @@ static inline int selinux_netlbl_inode_permission(struct inode *inode,
114{ 117{
115 return 0; 118 return 0;
116} 119}
120
121static inline int selinux_netlbl_socket_setsockopt(struct socket *sock,
122 int level,
123 int optname)
124{
125 return 0;
126}
117#endif /* CONFIG_NETLABEL */ 127#endif /* CONFIG_NETLABEL */
118 128
119#endif 129#endif
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b1f6fb36c69..bfe122764c9 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2682,4 +2682,41 @@ u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
2682 2682
2683 return peer_sid; 2683 return peer_sid;
2684} 2684}
2685
2686/**
2687 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
2688 * @sock: the socket
2689 * @level: the socket level or protocol
2690 * @optname: the socket option name
2691 *
2692 * Description:
2693 * Check the setsockopt() call and if the user is trying to replace the IP
2694 * options on a socket and a NetLabel is in place for the socket deny the
2695 * access; otherwise allow the access. Returns zero when the access is
2696 * allowed, -EACCES when denied, and other negative values on error.
2697 *
2698 */
2699int selinux_netlbl_socket_setsockopt(struct socket *sock,
2700 int level,
2701 int optname)
2702{
2703 int rc = 0;
2704 struct inode *inode = SOCK_INODE(sock);
2705 struct sk_security_struct *sksec = sock->sk->sk_security;
2706 struct inode_security_struct *isec = inode->i_security;
2707 struct netlbl_lsm_secattr secattr;
2708
2709 mutex_lock(&isec->lock);
2710 if (level == IPPROTO_IP && optname == IP_OPTIONS &&
2711 sksec->nlbl_state == NLBL_LABELED) {
2712 netlbl_secattr_init(&secattr);
2713 rc = netlbl_socket_getattr(sock, &secattr);
2714 if (rc == 0 && (secattr.cache || secattr.mls_lvl_vld))
2715 rc = -EACCES;
2716 netlbl_secattr_destroy(&secattr);
2717 }
2718 mutex_unlock(&isec->lock);
2719
2720 return rc;
2721}
2685#endif /* CONFIG_NETLABEL */ 2722#endif /* CONFIG_NETLABEL */