aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@woody.linux-foundation.org>2007-07-13 19:53:18 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-07-13 19:53:18 -0400
commit8d9107e8c50e1c4ff43c91c8841805833f3ecfb9 (patch)
treeabc57f38cf659d4031d5a9915a088f2c47b2cc7e
parent16cefa8c3863721fd40445a1b34dea18cd16ccfe (diff)
Revert "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel"
This reverts commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0. It bit people like Michal Piotrowski: "My system is too secure, I can not login :)" because it changed how CONFIG_NETLABEL worked, and broke older SElinux policies. As a result, quoth James Morris: "Can you please revert this patch? We thought it only affected people running MLS, but it will affect others. Sorry for the hassle." Cc: James Morris <jmorris@namei.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com> Cc: Paul Moore <paul.moore@hp.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--security/selinux/hooks.c21
-rw-r--r--security/selinux/netlabel.c34
2 files changed, 31 insertions, 24 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index aff8f46c2aa2..78c3f98fcdcf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3129,19 +3129,17 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3129/** 3129/**
3130 * selinux_skb_extlbl_sid - Determine the external label of a packet 3130 * selinux_skb_extlbl_sid - Determine the external label of a packet
3131 * @skb: the packet 3131 * @skb: the packet
3132 * @base_sid: the SELinux SID to use as a context for MLS only external labels
3132 * @sid: the packet's SID 3133 * @sid: the packet's SID
3133 * 3134 *
3134 * Description: 3135 * Description:
3135 * Check the various different forms of external packet labeling and determine 3136 * Check the various different forms of external packet labeling and determine
3136 * the external SID for the packet. If only one form of external labeling is 3137 * the external SID for the packet.
3137 * present then it is used, if both labeled IPsec and NetLabel labels are
3138 * present then the SELinux type information is taken from the labeled IPsec
3139 * SA and the MLS sensitivity label information is taken from the NetLabel
3140 * security attributes. This bit of "magic" is done in the call to
3141 * selinux_netlbl_skbuff_getsid().
3142 * 3138 *
3143 */ 3139 */
3144static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid) 3140static void selinux_skb_extlbl_sid(struct sk_buff *skb,
3141 u32 base_sid,
3142 u32 *sid)
3145{ 3143{
3146 u32 xfrm_sid; 3144 u32 xfrm_sid;
3147 u32 nlbl_sid; 3145 u32 nlbl_sid;
@@ -3149,9 +3147,10 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
3149 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3147 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3150 if (selinux_netlbl_skbuff_getsid(skb, 3148 if (selinux_netlbl_skbuff_getsid(skb,
3151 (xfrm_sid == SECSID_NULL ? 3149 (xfrm_sid == SECSID_NULL ?
3152 SECINITSID_NETMSG : xfrm_sid), 3150 base_sid : xfrm_sid),
3153 &nlbl_sid) != 0) 3151 &nlbl_sid) != 0)
3154 nlbl_sid = SECSID_NULL; 3152 nlbl_sid = SECSID_NULL;
3153
3155 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); 3154 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
3156} 3155}
3157 3156
@@ -3696,7 +3695,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
3696 if (sock && sock->sk->sk_family == PF_UNIX) 3695 if (sock && sock->sk->sk_family == PF_UNIX)
3697 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); 3696 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3698 else if (skb) 3697 else if (skb)
3699 selinux_skb_extlbl_sid(skb, &peer_secid); 3698 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
3700 3699
3701 if (peer_secid == SECSID_NULL) 3700 if (peer_secid == SECSID_NULL)
3702 err = -EINVAL; 3701 err = -EINVAL;
@@ -3757,7 +3756,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3757 u32 newsid; 3756 u32 newsid;
3758 u32 peersid; 3757 u32 peersid;
3759 3758
3760 selinux_skb_extlbl_sid(skb, &peersid); 3759 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
3761 if (peersid == SECSID_NULL) { 3760 if (peersid == SECSID_NULL) {
3762 req->secid = sksec->sid; 3761 req->secid = sksec->sid;
3763 req->peer_secid = SECSID_NULL; 3762 req->peer_secid = SECSID_NULL;
@@ -3795,7 +3794,7 @@ static void selinux_inet_conn_established(struct sock *sk,
3795{ 3794{
3796 struct sk_security_struct *sksec = sk->sk_security; 3795 struct sk_security_struct *sksec = sk->sk_security;
3797 3796
3798 selinux_skb_extlbl_sid(skb, &sksec->peer_sid); 3797 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
3799} 3798}
3800 3799
3801static void selinux_req_classify_flow(const struct request_sock *req, 3800static void selinux_req_classify_flow(const struct request_sock *req,
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 8192e8bc9f5a..e64eca246f1a 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -158,7 +158,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
158 netlbl_secattr_init(&secattr); 158 netlbl_secattr_init(&secattr);
159 rc = netlbl_skbuff_getattr(skb, &secattr); 159 rc = netlbl_skbuff_getattr(skb, &secattr);
160 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 160 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
161 rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid); 161 rc = security_netlbl_secattr_to_sid(&secattr,
162 base_sid,
163 sid);
162 else 164 else
163 *sid = SECSID_NULL; 165 *sid = SECSID_NULL;
164 netlbl_secattr_destroy(&secattr); 166 netlbl_secattr_destroy(&secattr);
@@ -196,7 +198,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
196 if (netlbl_sock_getattr(sk, &secattr) == 0 && 198 if (netlbl_sock_getattr(sk, &secattr) == 0 &&
197 secattr.flags != NETLBL_SECATTR_NONE && 199 secattr.flags != NETLBL_SECATTR_NONE &&
198 security_netlbl_secattr_to_sid(&secattr, 200 security_netlbl_secattr_to_sid(&secattr,
199 SECINITSID_NETMSG, 201 SECINITSID_UNLABELED,
200 &nlbl_peer_sid) == 0) 202 &nlbl_peer_sid) == 0)
201 sksec->peer_sid = nlbl_peer_sid; 203 sksec->peer_sid = nlbl_peer_sid;
202 netlbl_secattr_destroy(&secattr); 204 netlbl_secattr_destroy(&secattr);
@@ -293,32 +295,38 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
293 struct avc_audit_data *ad) 295 struct avc_audit_data *ad)
294{ 296{
295 int rc; 297 int rc;
296 u32 nlbl_sid; 298 u32 netlbl_sid;
297 u32 perm; 299 u32 recv_perm;
298 300
299 rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid); 301 rc = selinux_netlbl_skbuff_getsid(skb,
302 SECINITSID_UNLABELED,
303 &netlbl_sid);
300 if (rc != 0) 304 if (rc != 0)
301 return rc; 305 return rc;
302 if (nlbl_sid == SECSID_NULL) 306
303 nlbl_sid = SECINITSID_UNLABELED; 307 if (netlbl_sid == SECSID_NULL)
308 return 0;
304 309
305 switch (sksec->sclass) { 310 switch (sksec->sclass) {
306 case SECCLASS_UDP_SOCKET: 311 case SECCLASS_UDP_SOCKET:
307 perm = UDP_SOCKET__RECVFROM; 312 recv_perm = UDP_SOCKET__RECVFROM;
308 break; 313 break;
309 case SECCLASS_TCP_SOCKET: 314 case SECCLASS_TCP_SOCKET:
310 perm = TCP_SOCKET__RECVFROM; 315 recv_perm = TCP_SOCKET__RECVFROM;
311 break; 316 break;
312 default: 317 default:
313 perm = RAWIP_SOCKET__RECVFROM; 318 recv_perm = RAWIP_SOCKET__RECVFROM;
314 } 319 }
315 320
316 rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad); 321 rc = avc_has_perm(sksec->sid,
322 netlbl_sid,
323 sksec->sclass,
324 recv_perm,
325 ad);
317 if (rc == 0) 326 if (rc == 0)
318 return 0; 327 return 0;
319 328
320 if (nlbl_sid != SECINITSID_UNLABELED) 329 netlbl_skbuff_err(skb, rc);
321 netlbl_skbuff_err(skb, rc);
322 return rc; 330 return rc;
323} 331}
324 332