diff options
author | Paul Moore <pmoore@redhat.com> | 2013-12-03 11:14:04 -0500 |
---|---|---|
committer | Paul Moore <pmoore@redhat.com> | 2013-12-04 16:06:47 -0500 |
commit | da2ea0d05671f878196cc949906aa89d15c567db (patch) | |
tree | a9067db90c8d2da60f1a38ba649f793a09620f8d | |
parent | 8e645c345a4cf6b8b13054b4ec2f6371f05876a9 (diff) |
selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()
In selinux_ip_output() we always label packets based on the parent
socket. While this approach works in almost all cases, it doesn't
work in the case of TCP SYN-ACK packets when the correct label is not
the label of the parent socket, but rather the label of the larval
socket represented by the request_sock struct.
Unfortunately, since the request_sock isn't queued on the parent
socket until *after* the SYN-ACK packet is sent, we can't lookup the
request_sock to determine the correct label for the packet; at this
point in time the best we can do is simply pass/NF_ACCEPT the packet.
It must be said that simply passing the packet without any explicit
labeling action, while far from ideal, is not terrible as the SYN-ACK
packet will inherit any IP option based labeling from the initial
connection request so the label *should* be correct and all our
access controls remain in place so we shouldn't have to worry about
information leaks.
Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <pmoore@redhat.com>
-rw-r--r-- | security/selinux/hooks.c | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 777ee98273d1..877bab748c87 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -53,6 +53,7 @@ | |||
53 | #include <net/ip.h> /* for local_port_range[] */ | 53 | #include <net/ip.h> /* for local_port_range[] */ |
54 | #include <net/sock.h> | 54 | #include <net/sock.h> |
55 | #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ | 55 | #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ |
56 | #include <net/inet_connection_sock.h> | ||
56 | #include <net/net_namespace.h> | 57 | #include <net/net_namespace.h> |
57 | #include <net/netlabel.h> | 58 | #include <net/netlabel.h> |
58 | #include <linux/uaccess.h> | 59 | #include <linux/uaccess.h> |
@@ -4731,6 +4732,7 @@ static unsigned int selinux_ipv6_forward(unsigned int hooknum, | |||
4731 | static unsigned int selinux_ip_output(struct sk_buff *skb, | 4732 | static unsigned int selinux_ip_output(struct sk_buff *skb, |
4732 | u16 family) | 4733 | u16 family) |
4733 | { | 4734 | { |
4735 | struct sock *sk; | ||
4734 | u32 sid; | 4736 | u32 sid; |
4735 | 4737 | ||
4736 | if (!netlbl_enabled()) | 4738 | if (!netlbl_enabled()) |
@@ -4739,8 +4741,27 @@ static unsigned int selinux_ip_output(struct sk_buff *skb, | |||
4739 | /* we do this in the LOCAL_OUT path and not the POST_ROUTING path | 4741 | /* we do this in the LOCAL_OUT path and not the POST_ROUTING path |
4740 | * because we want to make sure we apply the necessary labeling | 4742 | * because we want to make sure we apply the necessary labeling |
4741 | * before IPsec is applied so we can leverage AH protection */ | 4743 | * before IPsec is applied so we can leverage AH protection */ |
4742 | if (skb->sk) { | 4744 | sk = skb->sk; |
4743 | struct sk_security_struct *sksec = skb->sk->sk_security; | 4745 | if (sk) { |
4746 | struct sk_security_struct *sksec; | ||
4747 | |||
4748 | if (sk->sk_state == TCP_LISTEN) | ||
4749 | /* if the socket is the listening state then this | ||
4750 | * packet is a SYN-ACK packet which means it needs to | ||
4751 | * be labeled based on the connection/request_sock and | ||
4752 | * not the parent socket. unfortunately, we can't | ||
4753 | * lookup the request_sock yet as it isn't queued on | ||
4754 | * the parent socket until after the SYN-ACK is sent. | ||
4755 | * the "solution" is to simply pass the packet as-is | ||
4756 | * as any IP option based labeling should be copied | ||
4757 | * from the initial connection request (in the IP | ||
4758 | * layer). it is far from ideal, but until we get a | ||
4759 | * security label in the packet itself this is the | ||
4760 | * best we can do. */ | ||
4761 | return NF_ACCEPT; | ||
4762 | |||
4763 | /* standard practice, label using the parent socket */ | ||
4764 | sksec = sk->sk_security; | ||
4744 | sid = sksec->sid; | 4765 | sid = sksec->sid; |
4745 | } else | 4766 | } else |
4746 | sid = SECINITSID_KERNEL; | 4767 | sid = SECINITSID_KERNEL; |