diff options
author | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-07-13 19:53:18 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-07-13 19:53:18 -0400 |
commit | 8d9107e8c50e1c4ff43c91c8841805833f3ecfb9 (patch) | |
tree | abc57f38cf659d4031d5a9915a088f2c47b2cc7e | |
parent | 16cefa8c3863721fd40445a1b34dea18cd16ccfe (diff) |
Revert "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel"
This reverts commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0.
It bit people like Michal Piotrowski:
"My system is too secure, I can not login :)"
because it changed how CONFIG_NETLABEL worked, and broke older SElinux
policies.
As a result, quoth James Morris:
"Can you please revert this patch?
We thought it only affected people running MLS, but it will affect others.
Sorry for the hassle."
Cc: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
Cc: Paul Moore <paul.moore@hp.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | security/selinux/hooks.c | 21 | ||||
-rw-r--r-- | security/selinux/netlabel.c | 34 |
2 files changed, 31 insertions, 24 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index aff8f46c2aa2..78c3f98fcdcf 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -3129,19 +3129,17 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, | |||
3129 | /** | 3129 | /** |
3130 | * selinux_skb_extlbl_sid - Determine the external label of a packet | 3130 | * selinux_skb_extlbl_sid - Determine the external label of a packet |
3131 | * @skb: the packet | 3131 | * @skb: the packet |
3132 | * @base_sid: the SELinux SID to use as a context for MLS only external labels | ||
3132 | * @sid: the packet's SID | 3133 | * @sid: the packet's SID |
3133 | * | 3134 | * |
3134 | * Description: | 3135 | * Description: |
3135 | * Check the various different forms of external packet labeling and determine | 3136 | * Check the various different forms of external packet labeling and determine |
3136 | * the external SID for the packet. If only one form of external labeling is | 3137 | * the external SID for the packet. |
3137 | * present then it is used, if both labeled IPsec and NetLabel labels are | ||
3138 | * present then the SELinux type information is taken from the labeled IPsec | ||
3139 | * SA and the MLS sensitivity label information is taken from the NetLabel | ||
3140 | * security attributes. This bit of "magic" is done in the call to | ||
3141 | * selinux_netlbl_skbuff_getsid(). | ||
3142 | * | 3138 | * |
3143 | */ | 3139 | */ |
3144 | static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid) | 3140 | static void selinux_skb_extlbl_sid(struct sk_buff *skb, |
3141 | u32 base_sid, | ||
3142 | u32 *sid) | ||
3145 | { | 3143 | { |
3146 | u32 xfrm_sid; | 3144 | u32 xfrm_sid; |
3147 | u32 nlbl_sid; | 3145 | u32 nlbl_sid; |
@@ -3149,9 +3147,10 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid) | |||
3149 | selinux_skb_xfrm_sid(skb, &xfrm_sid); | 3147 | selinux_skb_xfrm_sid(skb, &xfrm_sid); |
3150 | if (selinux_netlbl_skbuff_getsid(skb, | 3148 | if (selinux_netlbl_skbuff_getsid(skb, |
3151 | (xfrm_sid == SECSID_NULL ? | 3149 | (xfrm_sid == SECSID_NULL ? |
3152 | SECINITSID_NETMSG : xfrm_sid), | 3150 | base_sid : xfrm_sid), |
3153 | &nlbl_sid) != 0) | 3151 | &nlbl_sid) != 0) |
3154 | nlbl_sid = SECSID_NULL; | 3152 | nlbl_sid = SECSID_NULL; |
3153 | |||
3155 | *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); | 3154 | *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); |
3156 | } | 3155 | } |
3157 | 3156 | ||
@@ -3696,7 +3695,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * | |||
3696 | if (sock && sock->sk->sk_family == PF_UNIX) | 3695 | if (sock && sock->sk->sk_family == PF_UNIX) |
3697 | selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); | 3696 | selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); |
3698 | else if (skb) | 3697 | else if (skb) |
3699 | selinux_skb_extlbl_sid(skb, &peer_secid); | 3698 | selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid); |
3700 | 3699 | ||
3701 | if (peer_secid == SECSID_NULL) | 3700 | if (peer_secid == SECSID_NULL) |
3702 | err = -EINVAL; | 3701 | err = -EINVAL; |
@@ -3757,7 +3756,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, | |||
3757 | u32 newsid; | 3756 | u32 newsid; |
3758 | u32 peersid; | 3757 | u32 peersid; |
3759 | 3758 | ||
3760 | selinux_skb_extlbl_sid(skb, &peersid); | 3759 | selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); |
3761 | if (peersid == SECSID_NULL) { | 3760 | if (peersid == SECSID_NULL) { |
3762 | req->secid = sksec->sid; | 3761 | req->secid = sksec->sid; |
3763 | req->peer_secid = SECSID_NULL; | 3762 | req->peer_secid = SECSID_NULL; |
@@ -3795,7 +3794,7 @@ static void selinux_inet_conn_established(struct sock *sk, | |||
3795 | { | 3794 | { |
3796 | struct sk_security_struct *sksec = sk->sk_security; | 3795 | struct sk_security_struct *sksec = sk->sk_security; |
3797 | 3796 | ||
3798 | selinux_skb_extlbl_sid(skb, &sksec->peer_sid); | 3797 | selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); |
3799 | } | 3798 | } |
3800 | 3799 | ||
3801 | static void selinux_req_classify_flow(const struct request_sock *req, | 3800 | static void selinux_req_classify_flow(const struct request_sock *req, |
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 8192e8bc9f5a..e64eca246f1a 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c | |||
@@ -158,7 +158,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) | |||
158 | netlbl_secattr_init(&secattr); | 158 | netlbl_secattr_init(&secattr); |
159 | rc = netlbl_skbuff_getattr(skb, &secattr); | 159 | rc = netlbl_skbuff_getattr(skb, &secattr); |
160 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) | 160 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
161 | rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid); | 161 | rc = security_netlbl_secattr_to_sid(&secattr, |
162 | base_sid, | ||
163 | sid); | ||
162 | else | 164 | else |
163 | *sid = SECSID_NULL; | 165 | *sid = SECSID_NULL; |
164 | netlbl_secattr_destroy(&secattr); | 166 | netlbl_secattr_destroy(&secattr); |
@@ -196,7 +198,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) | |||
196 | if (netlbl_sock_getattr(sk, &secattr) == 0 && | 198 | if (netlbl_sock_getattr(sk, &secattr) == 0 && |
197 | secattr.flags != NETLBL_SECATTR_NONE && | 199 | secattr.flags != NETLBL_SECATTR_NONE && |
198 | security_netlbl_secattr_to_sid(&secattr, | 200 | security_netlbl_secattr_to_sid(&secattr, |
199 | SECINITSID_NETMSG, | 201 | SECINITSID_UNLABELED, |
200 | &nlbl_peer_sid) == 0) | 202 | &nlbl_peer_sid) == 0) |
201 | sksec->peer_sid = nlbl_peer_sid; | 203 | sksec->peer_sid = nlbl_peer_sid; |
202 | netlbl_secattr_destroy(&secattr); | 204 | netlbl_secattr_destroy(&secattr); |
@@ -293,32 +295,38 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, | |||
293 | struct avc_audit_data *ad) | 295 | struct avc_audit_data *ad) |
294 | { | 296 | { |
295 | int rc; | 297 | int rc; |
296 | u32 nlbl_sid; | 298 | u32 netlbl_sid; |
297 | u32 perm; | 299 | u32 recv_perm; |
298 | 300 | ||
299 | rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid); | 301 | rc = selinux_netlbl_skbuff_getsid(skb, |
302 | SECINITSID_UNLABELED, | ||
303 | &netlbl_sid); | ||
300 | if (rc != 0) | 304 | if (rc != 0) |
301 | return rc; | 305 | return rc; |
302 | if (nlbl_sid == SECSID_NULL) | 306 | |
303 | nlbl_sid = SECINITSID_UNLABELED; | 307 | if (netlbl_sid == SECSID_NULL) |
308 | return 0; | ||
304 | 309 | ||
305 | switch (sksec->sclass) { | 310 | switch (sksec->sclass) { |
306 | case SECCLASS_UDP_SOCKET: | 311 | case SECCLASS_UDP_SOCKET: |
307 | perm = UDP_SOCKET__RECVFROM; | 312 | recv_perm = UDP_SOCKET__RECVFROM; |
308 | break; | 313 | break; |
309 | case SECCLASS_TCP_SOCKET: | 314 | case SECCLASS_TCP_SOCKET: |
310 | perm = TCP_SOCKET__RECVFROM; | 315 | recv_perm = TCP_SOCKET__RECVFROM; |
311 | break; | 316 | break; |
312 | default: | 317 | default: |
313 | perm = RAWIP_SOCKET__RECVFROM; | 318 | recv_perm = RAWIP_SOCKET__RECVFROM; |
314 | } | 319 | } |
315 | 320 | ||
316 | rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad); | 321 | rc = avc_has_perm(sksec->sid, |
322 | netlbl_sid, | ||
323 | sksec->sclass, | ||
324 | recv_perm, | ||
325 | ad); | ||
317 | if (rc == 0) | 326 | if (rc == 0) |
318 | return 0; | 327 | return 0; |
319 | 328 | ||
320 | if (nlbl_sid != SECINITSID_UNLABELED) | 329 | netlbl_skbuff_err(skb, rc); |
321 | netlbl_skbuff_err(skb, rc); | ||
322 | return rc; | 330 | return rc; |
323 | } | 331 | } |
324 | 332 | ||