aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2006-09-25 18:52:01 -0400
committerDavid S. Miller <davem@davemloft.net>2006-09-25 18:52:01 -0400
commit14a72f53fb1bb5d5c2bdd8cf172219519664729a (patch)
tree95a077fb9289a95c352af77f18f12e5aba3313c6
parent597811ec167fa01c926a0957a91d9e39baa30e64 (diff)
[NetLabel]: correct improper handling of non-NetLabel peer contexts
Fix a problem where NetLabel would always set the value of sk_security_struct->peer_sid in selinux_netlbl_sock_graft() to the context of the socket, causing problems when users would query the context of the connection. This patch fixes this so that the value in sk_security_struct->peer_sid is only set when the connection is NetLabel based, otherwise the value is untouched. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/cipso_ipv4.h7
-rw-r--r--include/net/netlabel.h8
-rw-r--r--net/ipv4/cipso_ipv4.c48
-rw-r--r--net/netlabel/netlabel_kapi.c23
-rw-r--r--security/selinux/ss/services.c12
5 files changed, 82 insertions, 16 deletions
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h
index 59406e0dc5b2..6718452a5cd0 100644
--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -205,6 +205,7 @@ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
205int cipso_v4_socket_setattr(const struct socket *sock, 205int cipso_v4_socket_setattr(const struct socket *sock,
206 const struct cipso_v4_doi *doi_def, 206 const struct cipso_v4_doi *doi_def,
207 const struct netlbl_lsm_secattr *secattr); 207 const struct netlbl_lsm_secattr *secattr);
208int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
208int cipso_v4_socket_getattr(const struct socket *sock, 209int cipso_v4_socket_getattr(const struct socket *sock,
209 struct netlbl_lsm_secattr *secattr); 210 struct netlbl_lsm_secattr *secattr);
210int cipso_v4_skbuff_getattr(const struct sk_buff *skb, 211int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
@@ -225,6 +226,12 @@ static inline int cipso_v4_socket_setattr(const struct socket *sock,
225 return -ENOSYS; 226 return -ENOSYS;
226} 227}
227 228
229static inline int cipso_v4_sock_getattr(struct sock *sk,
230 struct netlbl_lsm_secattr *secattr)
231{
232 return -ENOSYS;
233}
234
228static inline int cipso_v4_socket_getattr(const struct socket *sock, 235static inline int cipso_v4_socket_getattr(const struct socket *sock,
229 struct netlbl_lsm_secattr *secattr) 236 struct netlbl_lsm_secattr *secattr)
230{ 237{
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index dd5780b36919..bf7b564e3540 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -238,6 +238,8 @@ static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr,
238#ifdef CONFIG_NETLABEL 238#ifdef CONFIG_NETLABEL
239int netlbl_socket_setattr(const struct socket *sock, 239int netlbl_socket_setattr(const struct socket *sock,
240 const struct netlbl_lsm_secattr *secattr); 240 const struct netlbl_lsm_secattr *secattr);
241int netlbl_sock_getattr(struct sock *sk,
242 struct netlbl_lsm_secattr *secattr);
241int netlbl_socket_getattr(const struct socket *sock, 243int netlbl_socket_getattr(const struct socket *sock,
242 struct netlbl_lsm_secattr *secattr); 244 struct netlbl_lsm_secattr *secattr);
243int netlbl_skbuff_getattr(const struct sk_buff *skb, 245int netlbl_skbuff_getattr(const struct sk_buff *skb,
@@ -250,6 +252,12 @@ static inline int netlbl_socket_setattr(const struct socket *sock,
250 return -ENOSYS; 252 return -ENOSYS;
251} 253}
252 254
255static inline int netlbl_sock_getattr(struct sock *sk,
256 struct netlbl_lsm_secattr *secattr)
257{
258 return -ENOSYS;
259}
260
253static inline int netlbl_socket_getattr(const struct socket *sock, 261static inline int netlbl_socket_getattr(const struct socket *sock,
254 struct netlbl_lsm_secattr *secattr) 262 struct netlbl_lsm_secattr *secattr)
255{ 263{
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 80a2a0911b49..a3bae2ca8acc 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1486,43 +1486,40 @@ socket_setattr_failure:
1486} 1486}
1487 1487
1488/** 1488/**
1489 * cipso_v4_socket_getattr - Get the security attributes from a socket 1489 * cipso_v4_sock_getattr - Get the security attributes from a sock
1490 * @sock: the socket 1490 * @sk: the sock
1491 * @secattr: the security attributes 1491 * @secattr: the security attributes
1492 * 1492 *
1493 * Description: 1493 * Description:
1494 * Query @sock to see if there is a CIPSO option attached to the socket and if 1494 * Query @sk to see if there is a CIPSO option attached to the sock and if
1495 * there is return the CIPSO security attributes in @secattr. Returns zero on 1495 * there is return the CIPSO security attributes in @secattr. This function
1496 * success and negative values on failure. 1496 * requires that @sk be locked, or privately held, but it does not do any
1497 * locking itself. Returns zero on success and negative values on failure.
1497 * 1498 *
1498 */ 1499 */
1499int cipso_v4_socket_getattr(const struct socket *sock, 1500int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
1500 struct netlbl_lsm_secattr *secattr)
1501{ 1501{
1502 int ret_val = -ENOMSG; 1502 int ret_val = -ENOMSG;
1503 struct sock *sk;
1504 struct inet_sock *sk_inet; 1503 struct inet_sock *sk_inet;
1505 unsigned char *cipso_ptr; 1504 unsigned char *cipso_ptr;
1506 u32 doi; 1505 u32 doi;
1507 struct cipso_v4_doi *doi_def; 1506 struct cipso_v4_doi *doi_def;
1508 1507
1509 sk = sock->sk;
1510 lock_sock(sk);
1511 sk_inet = inet_sk(sk); 1508 sk_inet = inet_sk(sk);
1512 if (sk_inet->opt == NULL || sk_inet->opt->cipso == 0) 1509 if (sk_inet->opt == NULL || sk_inet->opt->cipso == 0)
1513 goto socket_getattr_return; 1510 return -ENOMSG;
1514 cipso_ptr = sk_inet->opt->__data + sk_inet->opt->cipso - 1511 cipso_ptr = sk_inet->opt->__data + sk_inet->opt->cipso -
1515 sizeof(struct iphdr); 1512 sizeof(struct iphdr);
1516 ret_val = cipso_v4_cache_check(cipso_ptr, cipso_ptr[1], secattr); 1513 ret_val = cipso_v4_cache_check(cipso_ptr, cipso_ptr[1], secattr);
1517 if (ret_val == 0) 1514 if (ret_val == 0)
1518 goto socket_getattr_return; 1515 return ret_val;
1519 1516
1520 doi = ntohl(*(u32 *)&cipso_ptr[2]); 1517 doi = ntohl(*(u32 *)&cipso_ptr[2]);
1521 rcu_read_lock(); 1518 rcu_read_lock();
1522 doi_def = cipso_v4_doi_getdef(doi); 1519 doi_def = cipso_v4_doi_getdef(doi);
1523 if (doi_def == NULL) { 1520 if (doi_def == NULL) {
1524 rcu_read_unlock(); 1521 rcu_read_unlock();
1525 goto socket_getattr_return; 1522 return -ENOMSG;
1526 } 1523 }
1527 switch (cipso_ptr[6]) { 1524 switch (cipso_ptr[6]) {
1528 case CIPSO_V4_TAG_RBITMAP: 1525 case CIPSO_V4_TAG_RBITMAP:
@@ -1533,8 +1530,29 @@ int cipso_v4_socket_getattr(const struct socket *sock,
1533 } 1530 }
1534 rcu_read_unlock(); 1531 rcu_read_unlock();
1535 1532
1536socket_getattr_return: 1533 return ret_val;
1537 release_sock(sk); 1534}
1535
1536/**
1537 * cipso_v4_socket_getattr - Get the security attributes from a socket
1538 * @sock: the socket
1539 * @secattr: the security attributes
1540 *
1541 * Description:
1542 * Query @sock to see if there is a CIPSO option attached to the socket and if
1543 * there is return the CIPSO security attributes in @secattr. Returns zero on
1544 * success and negative values on failure.
1545 *
1546 */
1547int cipso_v4_socket_getattr(const struct socket *sock,
1548 struct netlbl_lsm_secattr *secattr)
1549{
1550 int ret_val;
1551
1552 lock_sock(sock->sk);
1553 ret_val = cipso_v4_sock_getattr(sock->sk, secattr);
1554 release_sock(sock->sk);
1555
1538 return ret_val; 1556 return ret_val;
1539} 1557}
1540 1558
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 0fd8aaafe23f..54fb7de3c2b1 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -85,6 +85,29 @@ socket_setattr_return:
85} 85}
86 86
87/** 87/**
88 * netlbl_sock_getattr - Determine the security attributes of a sock
89 * @sk: the sock
90 * @secattr: the security attributes
91 *
92 * Description:
93 * Examines the given sock to see any NetLabel style labeling has been
94 * applied to the sock, if so it parses the socket label and returns the
95 * security attributes in @secattr. Returns zero on success, negative values
96 * on failure.
97 *
98 */
99int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
100{
101 int ret_val;
102
103 ret_val = cipso_v4_sock_getattr(sk, secattr);
104 if (ret_val == 0)
105 return 0;
106
107 return netlbl_unlabel_getattr(secattr);
108}
109
110/**
88 * netlbl_socket_getattr - Determine the security attributes of a socket 111 * netlbl_socket_getattr - Determine the security attributes of a socket
89 * @sock: the socket 112 * @sock: the socket
90 * @secattr: the security attributes 113 * @secattr: the security attributes
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 7eb69a602d8f..d67f7e658529 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2502,14 +2502,24 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
2502{ 2502{
2503 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 2503 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
2504 struct sk_security_struct *sksec = sk->sk_security; 2504 struct sk_security_struct *sksec = sk->sk_security;
2505 struct netlbl_lsm_secattr secattr;
2506 u32 nlbl_peer_sid;
2505 2507
2506 sksec->sclass = isec->sclass; 2508 sksec->sclass = isec->sclass;
2507 2509
2508 if (sk->sk_family != PF_INET) 2510 if (sk->sk_family != PF_INET)
2509 return; 2511 return;
2510 2512
2513 netlbl_secattr_init(&secattr);
2514 if (netlbl_sock_getattr(sk, &secattr) == 0 &&
2515 selinux_netlbl_secattr_to_sid(NULL,
2516 &secattr,
2517 sksec->sid,
2518 &nlbl_peer_sid) == 0)
2519 sksec->peer_sid = nlbl_peer_sid;
2520 netlbl_secattr_destroy(&secattr, 0);
2521
2511 sksec->nlbl_state = NLBL_REQUIRE; 2522 sksec->nlbl_state = NLBL_REQUIRE;
2512 sksec->peer_sid = sksec->sid;
2513 2523
2514 /* Try to set the NetLabel on the socket to save time later, if we fail 2524 /* Try to set the NetLabel on the socket to save time later, if we fail
2515 * here we will pick up the pieces in later calls to 2525 * here we will pick up the pieces in later calls to