aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul Moore <pmoore@redhat.com>2013-12-03 11:14:04 -0500
committerPaul Moore <pmoore@redhat.com>2013-12-04 16:06:47 -0500
commitda2ea0d05671f878196cc949906aa89d15c567db (patch)
treea9067db90c8d2da60f1a38ba649f793a09620f8d
parent8e645c345a4cf6b8b13054b4ec2f6371f05876a9 (diff)
selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()
In selinux_ip_output() we always label packets based on the parent socket. While this approach works in almost all cases, it doesn't work in the case of TCP SYN-ACK packets when the correct label is not the label of the parent socket, but rather the label of the larval socket represented by the request_sock struct. Unfortunately, since the request_sock isn't queued on the parent socket until *after* the SYN-ACK packet is sent, we can't lookup the request_sock to determine the correct label for the packet; at this point in time the best we can do is simply pass/NF_ACCEPT the packet. It must be said that simply passing the packet without any explicit labeling action, while far from ideal, is not terrible as the SYN-ACK packet will inherit any IP option based labeling from the initial connection request so the label *should* be correct and all our access controls remain in place so we shouldn't have to worry about information leaks. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
-rw-r--r--security/selinux/hooks.c25
1 files changed, 23 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 777ee98273d1..877bab748c87 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -53,6 +53,7 @@
53#include <net/ip.h> /* for local_port_range[] */ 53#include <net/ip.h> /* for local_port_range[] */
54#include <net/sock.h> 54#include <net/sock.h>
55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56#include <net/inet_connection_sock.h>
56#include <net/net_namespace.h> 57#include <net/net_namespace.h>
57#include <net/netlabel.h> 58#include <net/netlabel.h>
58#include <linux/uaccess.h> 59#include <linux/uaccess.h>
@@ -4731,6 +4732,7 @@ static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4731static unsigned int selinux_ip_output(struct sk_buff *skb, 4732static unsigned int selinux_ip_output(struct sk_buff *skb,
4732 u16 family) 4733 u16 family)
4733{ 4734{
4735 struct sock *sk;
4734 u32 sid; 4736 u32 sid;
4735 4737
4736 if (!netlbl_enabled()) 4738 if (!netlbl_enabled())
@@ -4739,8 +4741,27 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
4739 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 4741 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4740 * because we want to make sure we apply the necessary labeling 4742 * because we want to make sure we apply the necessary labeling
4741 * before IPsec is applied so we can leverage AH protection */ 4743 * before IPsec is applied so we can leverage AH protection */
4742 if (skb->sk) { 4744 sk = skb->sk;
4743 struct sk_security_struct *sksec = skb->sk->sk_security; 4745 if (sk) {
4746 struct sk_security_struct *sksec;
4747
4748 if (sk->sk_state == TCP_LISTEN)
4749 /* if the socket is the listening state then this
4750 * packet is a SYN-ACK packet which means it needs to
4751 * be labeled based on the connection/request_sock and
4752 * not the parent socket. unfortunately, we can't
4753 * lookup the request_sock yet as it isn't queued on
4754 * the parent socket until after the SYN-ACK is sent.
4755 * the "solution" is to simply pass the packet as-is
4756 * as any IP option based labeling should be copied
4757 * from the initial connection request (in the IP
4758 * layer). it is far from ideal, but until we get a
4759 * security label in the packet itself this is the
4760 * best we can do. */
4761 return NF_ACCEPT;
4762
4763 /* standard practice, label using the parent socket */
4764 sksec = sk->sk_security;
4744 sid = sksec->sid; 4765 sid = sksec->sid;
4745 } else 4766 } else
4746 sid = SECINITSID_KERNEL; 4767 sid = SECINITSID_KERNEL;