authorPaul Moore <paul.moore@hp.com>2007-06-29 11:48:16 -0400
committerJames Morris <jmorris@namei.org>2007-07-11 22:52:31 -0400
commit9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0 (patch)
treeee167dc8c575dee062cdaf91d0b60a5997bba0c3
parented0321895182ffb6ecf210e066d87911b270d587 (diff)
SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
These changes will make NetLabel behave like labeled IPsec where there is an access check for both labeled and unlabeled packets as well as providing the ability to restrict domains to receiving only labeled packets when NetLabel is in use. The changes to the policy are straightforward with the following necessary to receive labeled traffic (with SECINITSID_NETMSG defined as "netlabel_peer_t"): allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; The policy for unlabeled traffic would be: allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom; These policy changes, as well as more general NetLabel support, are included in the SELinux Reference Policy SVN tree, r2352 or later. Users who enable NetLabel support in the kernel are strongly encouraged to upgrade their policy to avoid network problems. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/hooks.c21
-rw-r--r--security/selinux/netlabel.c34
2 files changed, 24 insertions, 31 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 78c3f98fcdcf..aff8f46c2aa2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3129,17 +3129,19 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3129/** 3129/**
3130 * selinux_skb_extlbl_sid - Determine the external label of a packet 3130 * selinux_skb_extlbl_sid - Determine the external label of a packet
3131 * @skb: the packet 3131 * @skb: the packet
3132 * @base_sid: the SELinux SID to use as a context for MLS only external labels
3133 * @sid: the packet's SID 3132 * @sid: the packet's SID
3134 * 3133 *
3135 * Description: 3134 * Description:
3136 * Check the various different forms of external packet labeling and determine 3135 * Check the various different forms of external packet labeling and determine
3137 * the external SID for the packet. 3136 * the external SID for the packet. If only one form of external labeling is
3137 * present then it is used, if both labeled IPsec and NetLabel labels are
3138 * present then the SELinux type information is taken from the labeled IPsec
3139 * SA and the MLS sensitivity label information is taken from the NetLabel
3140 * security attributes. This bit of "magic" is done in the call to
3141 * selinux_netlbl_skbuff_getsid().
3138 * 3142 *
3139 */ 3143 */
3140static void selinux_skb_extlbl_sid(struct sk_buff *skb, 3144static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
3141 u32 base_sid,
3142 u32 *sid)
3143{ 3145{
3144 u32 xfrm_sid; 3146 u32 xfrm_sid;
3145 u32 nlbl_sid; 3147 u32 nlbl_sid;
@@ -3147,10 +3149,9 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb,
3147 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3149 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3148 if (selinux_netlbl_skbuff_getsid(skb, 3150 if (selinux_netlbl_skbuff_getsid(skb,
3149 (xfrm_sid == SECSID_NULL ? 3151 (xfrm_sid == SECSID_NULL ?
3150 base_sid : xfrm_sid), 3152 SECINITSID_NETMSG : xfrm_sid),
3151 &nlbl_sid) != 0) 3153 &nlbl_sid) != 0)
3152 nlbl_sid = SECSID_NULL; 3154 nlbl_sid = SECSID_NULL;
3153
3154 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); 3155 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
3155} 3156}
3156 3157
@@ -3695,7 +3696,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
3695 if (sock && sock->sk->sk_family == PF_UNIX) 3696 if (sock && sock->sk->sk_family == PF_UNIX)
3696 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); 3697 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3697 else if (skb) 3698 else if (skb)
3698 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid); 3699 selinux_skb_extlbl_sid(skb, &peer_secid);
3699 3700
3700 if (peer_secid == SECSID_NULL) 3701 if (peer_secid == SECSID_NULL)
3701 err = -EINVAL; 3702 err = -EINVAL;
@@ -3756,7 +3757,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3756 u32 newsid; 3757 u32 newsid;
3757 u32 peersid; 3758 u32 peersid;
3758 3759
3759 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); 3760 selinux_skb_extlbl_sid(skb, &peersid);
3760 if (peersid == SECSID_NULL) { 3761 if (peersid == SECSID_NULL) {
3761 req->secid = sksec->sid; 3762 req->secid = sksec->sid;
3762 req->peer_secid = SECSID_NULL; 3763 req->peer_secid = SECSID_NULL;
@@ -3794,7 +3795,7 @@ static void selinux_inet_conn_established(struct sock *sk,
3794{ 3795{
3795 struct sk_security_struct *sksec = sk->sk_security; 3796 struct sk_security_struct *sksec = sk->sk_security;
3796 3797
3797 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); 3798 selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
3798} 3799}
3799 3800
3800static void selinux_req_classify_flow(const struct request_sock *req, 3801static void selinux_req_classify_flow(const struct request_sock *req,
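Review bot: The new kernel-doc for selinux_skb_extlbl_sid() (the lines ending at 3141 in the first hunk) explains how the IPsec and NetLabel labels are merged but does not say what @sid holds when neither label is present or when the NetLabel lookup fails, which is exactly the case the callers at 3699, 3760 and 3798 branch on. From the body, a non-zero return from selinux_netlbl_skbuff_getsid() is folded into `nlbl_sid = SECSID_NULL`, so a packet whose NetLabel attributes cannot be mapped to a SID ends up with the IPsec SID or, presumably, SECSID_NULL when there is no SA either, and is then indistinguishable from an unlabeled packet at those call sites. I would add to the kernel-doc: ` * Sets @sid to SECSID_NULL when the packet carries neither label; a failed NetLabel lookup is treated as "no NetLabel label", so the IPsec SID (if any) is used.` The function's body continues into the second hunk, and the callers shown are only partially within their hunks.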
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index e64eca246f1a..8192e8bc9f5a 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -158,9 +158,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
158 netlbl_secattr_init(&secattr); 158 netlbl_secattr_init(&secattr);
159 rc = netlbl_skbuff_getattr(skb, &secattr); 159 rc = netlbl_skbuff_getattr(skb, &secattr);
160 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 160 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
161 rc = security_netlbl_secattr_to_sid(&secattr, 161 rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
162 base_sid,
163 sid);
164 else 162 else
165 *sid = SECSID_NULL; 163 *sid = SECSID_NULL;
166 netlbl_secattr_destroy(&secattr); 164 netlbl_secattr_destroy(&secattr);
@@ -198,7 +196,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
198 if (netlbl_sock_getattr(sk, &secattr) == 0 && 196 if (netlbl_sock_getattr(sk, &secattr) == 0 &&
199 secattr.flags != NETLBL_SECATTR_NONE && 197 secattr.flags != NETLBL_SECATTR_NONE &&
200 security_netlbl_secattr_to_sid(&secattr, 198 security_netlbl_secattr_to_sid(&secattr,
201 SECINITSID_UNLABELED, 199 SECINITSID_NETMSG,
202 &nlbl_peer_sid) == 0) 200 &nlbl_peer_sid) == 0)
203 sksec->peer_sid = nlbl_peer_sid; 201 sksec->peer_sid = nlbl_peer_sid;
204 netlbl_secattr_destroy(&secattr); 202 netlbl_secattr_destroy(&secattr);
@@ -295,38 +293,32 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
295 struct avc_audit_data *ad) 293 struct avc_audit_data *ad)
296{ 294{
297 int rc; 295 int rc;
298 u32 netlbl_sid; 296 u32 nlbl_sid;
299 u32 recv_perm; 297 u32 perm;
300 298
301 rc = selinux_netlbl_skbuff_getsid(skb, 299 rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid);
302 SECINITSID_UNLABELED,
303 &netlbl_sid);
304 if (rc != 0) 300 if (rc != 0)
305 return rc; 301 return rc;
306 302 if (nlbl_sid == SECSID_NULL)
307 if (netlbl_sid == SECSID_NULL) 303 nlbl_sid = SECINITSID_UNLABELED;
308 return 0;
309 304
310 switch (sksec->sclass) { 305 switch (sksec->sclass) {
311 case SECCLASS_UDP_SOCKET: 306 case SECCLASS_UDP_SOCKET:
312 recv_perm = UDP_SOCKET__RECVFROM; 307 perm = UDP_SOCKET__RECVFROM;
313 break; 308 break;
314 case SECCLASS_TCP_SOCKET: 309 case SECCLASS_TCP_SOCKET:
315 recv_perm = TCP_SOCKET__RECVFROM; 310 perm = TCP_SOCKET__RECVFROM;
316 break; 311 break;
317 default: 312 default:
318 recv_perm = RAWIP_SOCKET__RECVFROM; 313 perm = RAWIP_SOCKET__RECVFROM;
319 } 314 }
320 315
321 rc = avc_has_perm(sksec->sid, 316 rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
322 netlbl_sid,
323 sksec->sclass,
324 recv_perm,
325 ad);
326 if (rc == 0) 317 if (rc == 0)
327 return 0; 318 return 0;
328 319
329 netlbl_skbuff_err(skb, rc); 320 if (nlbl_sid != SECINITSID_UNLABELED)
321 netlbl_skbuff_err(skb, rc);
330 return rc; 322 return rc;
331} 323}
332 324
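Review bot: In selinux_netlbl_sock_rcv_skb() the test at line 320, `if (nlbl_sid != SECINITSID_UNLABELED)`, reuses the SID value to decide whether the packet carried a NetLabel label, after line 303 has already overwritten a SECSID_NULL result with SECINITSID_UNLABELED. If security_netlbl_secattr_to_sid() can ever map a labeled packet's attributes to the unlabeled SID (I cannot tell from this hunk), the access check at line 316 would still run, but on a deny netlbl_skbuff_err() would be skipped and the peer would get no error notification. Keeping the "was it labeled" fact separate from the SID avoids the ambiguity: `int labeled = (nlbl_sid != SECSID_NULL);` and `if (!labeled) nlbl_sid = SECINITSID_UNLABELED;` in place of lines 302-303, and `if (labeled) netlbl_skbuff_err(skb, rc);` at line 320. The function's signature begins in the hunk header, outside the visible lines.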