authorSteffen Klassert <steffen.klassert@secunet.com>2011-02-23 06:56:23 -0500
committerEric Paris <eparis@redhat.com>2011-02-25 15:00:51 -0500
commit4a7ab3dcad0b66a486c468ccf0d6197c5dbe3326 (patch)
treeb88badda1de339ed01149caf05601400d2e2a9dd
parentb9679a76187694138099e09d7f5091b73086e6d7 (diff)
selinux: Fix packet forwarding checks on postrouting
The IPSKB_FORWARDED and IP6SKB_FORWARDED flags are used only in the multicast forwarding case to indicate that a packet looped back after forward. So these flags are not a good indicator for packet forwarding. A better indicator is the incoming interface. If we have no socket context, but an incoming interface and we see the packet in the ip postroute hook, the packet is going to be forwarded. With this patch we use the incoming interface as an indicator on packet forwarding. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Eric Paris <eparis@redhat.com>
-rw-r--r--security/selinux/hooks.c23
1 files changed, 5 insertions, 18 deletions
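--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4475,27 +4475,14 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 * from the sending socket, otherwise use the kernel's sid */
 sk = skb->sk;
 if (sk == NULL) {
-switch (family) {
-case PF_INET:
-if (IPCB(skb)->flags & IPSKB_FORWARDED)
-secmark_perm = PACKET__FORWARD_OUT;
-else
-secmark_perm = PACKET__SEND;
-break;
-case PF_INET6:
-if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
-secmark_perm = PACKET__FORWARD_OUT;
-else
-secmark_perm = PACKET__SEND;
-break;
-default:
-return NF_DROP_ERR(-ECONNREFUSED);
-}
-if (secmark_perm == PACKET__FORWARD_OUT) {
+if (skb->skb_iif) {
+secmark_perm = PACKET__FORWARD_OUT;
 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
 return NF_DROP;
-} else
+} else {
+secmark_perm = PACKET__SEND;
 peer_sid = SECINITSID_KERNEL;
+}
 } else {
 struct sk_security_struct *sksec = sk->sk_security;
 peer_sid = sksec->sid;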
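Review bot: The no-socket branch no longer rejects an unsupported address family: the removed `default: return NF_DROP_ERR(-ECONNREFUSED);` meant a family other than PF_INET/PF_INET6 was dropped, whereas the new code passes such a family straight to selinux_skb_peerlbl_sid() or falls into the PACKET__SEND path. Unless family is validated earlier in selinux_ip_postroute (not visible in the hunk), that is a behaviour change worth guarding against or at least documenting. The comment ending at line 4475 still describes only the socket-versus-kernel sid choice, so the new test deserves its own why-comment, e.g. `/* no socket: an skb with an incoming interface is being forwarded, otherwise treat it as a local send */`, recording why skb_iif replaces the FORWARDED flags. selinux_ip_postroute starts before and continues after the hunk.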