diff options
| author | Paul Moore <pmoore@redhat.com> | 2013-08-02 14:45:08 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2013-08-02 19:57:01 -0400 |
| commit | 6a8b7f0c85f1f42eb8b6e68ef3d5ba8020d8e272 (patch) | |
| tree | 2097e9baf7e2af21a6cc80206df4f3c58c8a4840 /net/netlabel/netlabel_kapi.c | |
| parent | 5f671d6b4ec3e6d66c2a868738af2cdea09e7509 (diff) | |
netlabel: use domain based selectors when address based selectors are not available
NetLabel has the ability to selectively assign network security labels
to outbound traffic based on either the LSM's "domain" (different for
each LSM), the network destination, or a combination of both. Depending
on the type of traffic, local or forwarded, and the type of traffic
selector, domain or address based, different hooks are used to label the
traffic; the goal being minimal overhead.
Unfortunately, there is a bug such that a system using NetLabel domain
based traffic selectors does not correctly label outbound local traffic
that is not assigned to a socket. The issue is that in these cases
the associated NetLabel hook only looks at the address based selectors
and not the domain based selectors. This patch corrects this by
checking both the domain and address based selectors so that the correct
labeling is applied, regardless of the configuration type.
In order to acomplish this fix, this patch also simplifies some of the
NetLabel domainhash structures to use a more common outbound traffic
mapping type: struct netlbl_dommap_def. This simplifies some of the code
in this patch and paves the way for further simplifications in the
future.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netlabel/netlabel_kapi.c')
| -rw-r--r-- | net/netlabel/netlabel_kapi.c | 88 |
1 files changed, 35 insertions, 53 deletions
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index 7c94aedd0912..96a458e12f60 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c | |||
| @@ -122,7 +122,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain, | |||
| 122 | } | 122 | } |
| 123 | 123 | ||
| 124 | if (addr == NULL && mask == NULL) | 124 | if (addr == NULL && mask == NULL) |
| 125 | entry->type = NETLBL_NLTYPE_UNLABELED; | 125 | entry->def.type = NETLBL_NLTYPE_UNLABELED; |
| 126 | else if (addr != NULL && mask != NULL) { | 126 | else if (addr != NULL && mask != NULL) { |
| 127 | addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC); | 127 | addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC); |
| 128 | if (addrmap == NULL) | 128 | if (addrmap == NULL) |
| @@ -137,7 +137,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain, | |||
| 137 | map4 = kzalloc(sizeof(*map4), GFP_ATOMIC); | 137 | map4 = kzalloc(sizeof(*map4), GFP_ATOMIC); |
| 138 | if (map4 == NULL) | 138 | if (map4 == NULL) |
| 139 | goto cfg_unlbl_map_add_failure; | 139 | goto cfg_unlbl_map_add_failure; |
| 140 | map4->type = NETLBL_NLTYPE_UNLABELED; | 140 | map4->def.type = NETLBL_NLTYPE_UNLABELED; |
| 141 | map4->list.addr = addr4->s_addr & mask4->s_addr; | 141 | map4->list.addr = addr4->s_addr & mask4->s_addr; |
| 142 | map4->list.mask = mask4->s_addr; | 142 | map4->list.mask = mask4->s_addr; |
| 143 | map4->list.valid = 1; | 143 | map4->list.valid = 1; |
| @@ -154,7 +154,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain, | |||
| 154 | map6 = kzalloc(sizeof(*map6), GFP_ATOMIC); | 154 | map6 = kzalloc(sizeof(*map6), GFP_ATOMIC); |
| 155 | if (map6 == NULL) | 155 | if (map6 == NULL) |
| 156 | goto cfg_unlbl_map_add_failure; | 156 | goto cfg_unlbl_map_add_failure; |
| 157 | map6->type = NETLBL_NLTYPE_UNLABELED; | 157 | map6->def.type = NETLBL_NLTYPE_UNLABELED; |
| 158 | map6->list.addr = *addr6; | 158 | map6->list.addr = *addr6; |
| 159 | map6->list.addr.s6_addr32[0] &= mask6->s6_addr32[0]; | 159 | map6->list.addr.s6_addr32[0] &= mask6->s6_addr32[0]; |
| 160 | map6->list.addr.s6_addr32[1] &= mask6->s6_addr32[1]; | 160 | map6->list.addr.s6_addr32[1] &= mask6->s6_addr32[1]; |
| @@ -174,8 +174,8 @@ int netlbl_cfg_unlbl_map_add(const char *domain, | |||
| 174 | break; | 174 | break; |
| 175 | } | 175 | } |
| 176 | 176 | ||
| 177 | entry->type_def.addrsel = addrmap; | 177 | entry->def.addrsel = addrmap; |
| 178 | entry->type = NETLBL_NLTYPE_ADDRSELECT; | 178 | entry->def.type = NETLBL_NLTYPE_ADDRSELECT; |
| 179 | } else { | 179 | } else { |
| 180 | ret_val = -EINVAL; | 180 | ret_val = -EINVAL; |
| 181 | goto cfg_unlbl_map_add_failure; | 181 | goto cfg_unlbl_map_add_failure; |
| @@ -355,8 +355,8 @@ int netlbl_cfg_cipsov4_map_add(u32 doi, | |||
| 355 | } | 355 | } |
| 356 | 356 | ||
| 357 | if (addr == NULL && mask == NULL) { | 357 | if (addr == NULL && mask == NULL) { |
| 358 | entry->type_def.cipsov4 = doi_def; | 358 | entry->def.cipso = doi_def; |
| 359 | entry->type = NETLBL_NLTYPE_CIPSOV4; | 359 | entry->def.type = NETLBL_NLTYPE_CIPSOV4; |
| 360 | } else if (addr != NULL && mask != NULL) { | 360 | } else if (addr != NULL && mask != NULL) { |
| 361 | addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC); | 361 | addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC); |
| 362 | if (addrmap == NULL) | 362 | if (addrmap == NULL) |
| @@ -367,8 +367,8 @@ int netlbl_cfg_cipsov4_map_add(u32 doi, | |||
| 367 | addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC); | 367 | addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC); |
| 368 | if (addrinfo == NULL) | 368 | if (addrinfo == NULL) |
| 369 | goto out_addrinfo; | 369 | goto out_addrinfo; |
| 370 | addrinfo->type_def.cipsov4 = doi_def; | 370 | addrinfo->def.cipso = doi_def; |
| 371 | addrinfo->type = NETLBL_NLTYPE_CIPSOV4; | 371 | addrinfo->def.type = NETLBL_NLTYPE_CIPSOV4; |
| 372 | addrinfo->list.addr = addr->s_addr & mask->s_addr; | 372 | addrinfo->list.addr = addr->s_addr & mask->s_addr; |
| 373 | addrinfo->list.mask = mask->s_addr; | 373 | addrinfo->list.mask = mask->s_addr; |
| 374 | addrinfo->list.valid = 1; | 374 | addrinfo->list.valid = 1; |
| @@ -376,8 +376,8 @@ int netlbl_cfg_cipsov4_map_add(u32 doi, | |||
| 376 | if (ret_val != 0) | 376 | if (ret_val != 0) |
| 377 | goto cfg_cipsov4_map_add_failure; | 377 | goto cfg_cipsov4_map_add_failure; |
| 378 | 378 | ||
| 379 | entry->type_def.addrsel = addrmap; | 379 | entry->def.addrsel = addrmap; |
| 380 | entry->type = NETLBL_NLTYPE_ADDRSELECT; | 380 | entry->def.type = NETLBL_NLTYPE_ADDRSELECT; |
| 381 | } else { | 381 | } else { |
| 382 | ret_val = -EINVAL; | 382 | ret_val = -EINVAL; |
| 383 | goto out_addrmap; | 383 | goto out_addrmap; |
| @@ -657,14 +657,14 @@ int netlbl_sock_setattr(struct sock *sk, | |||
| 657 | } | 657 | } |
| 658 | switch (family) { | 658 | switch (family) { |
| 659 | case AF_INET: | 659 | case AF_INET: |
| 660 | switch (dom_entry->type) { | 660 | switch (dom_entry->def.type) { |
| 661 | case NETLBL_NLTYPE_ADDRSELECT: | 661 | case NETLBL_NLTYPE_ADDRSELECT: |
| 662 | ret_val = -EDESTADDRREQ; | 662 | ret_val = -EDESTADDRREQ; |
| 663 | break; | 663 | break; |
| 664 | case NETLBL_NLTYPE_CIPSOV4: | 664 | case NETLBL_NLTYPE_CIPSOV4: |
| 665 | ret_val = cipso_v4_sock_setattr(sk, | 665 | ret_val = cipso_v4_sock_setattr(sk, |
| 666 | dom_entry->type_def.cipsov4, | 666 | dom_entry->def.cipso, |
| 667 | secattr); | 667 | secattr); |
| 668 | break; | 668 | break; |
| 669 | case NETLBL_NLTYPE_UNLABELED: | 669 | case NETLBL_NLTYPE_UNLABELED: |
| 670 | ret_val = 0; | 670 | ret_val = 0; |
| @@ -754,23 +754,22 @@ int netlbl_conn_setattr(struct sock *sk, | |||
| 754 | { | 754 | { |
| 755 | int ret_val; | 755 | int ret_val; |
| 756 | struct sockaddr_in *addr4; | 756 | struct sockaddr_in *addr4; |
| 757 | struct netlbl_domaddr4_map *af4_entry; | 757 | struct netlbl_dommap_def *entry; |
| 758 | 758 | ||
| 759 | rcu_read_lock(); | 759 | rcu_read_lock(); |
| 760 | switch (addr->sa_family) { | 760 | switch (addr->sa_family) { |
| 761 | case AF_INET: | 761 | case AF_INET: |
| 762 | addr4 = (struct sockaddr_in *)addr; | 762 | addr4 = (struct sockaddr_in *)addr; |
| 763 | af4_entry = netlbl_domhsh_getentry_af4(secattr->domain, | 763 | entry = netlbl_domhsh_getentry_af4(secattr->domain, |
| 764 | addr4->sin_addr.s_addr); | 764 | addr4->sin_addr.s_addr); |
| 765 | if (af4_entry == NULL) { | 765 | if (entry == NULL) { |
| 766 | ret_val = -ENOENT; | 766 | ret_val = -ENOENT; |
| 767 | goto conn_setattr_return; | 767 | goto conn_setattr_return; |
| 768 | } | 768 | } |
| 769 | switch (af4_entry->type) { | 769 | switch (entry->type) { |
| 770 | case NETLBL_NLTYPE_CIPSOV4: | 770 | case NETLBL_NLTYPE_CIPSOV4: |
| 771 | ret_val = cipso_v4_sock_setattr(sk, | 771 | ret_val = cipso_v4_sock_setattr(sk, |
| 772 | af4_entry->type_def.cipsov4, | 772 | entry->cipso, secattr); |
| 773 | secattr); | ||
| 774 | break; | 773 | break; |
| 775 | case NETLBL_NLTYPE_UNLABELED: | 774 | case NETLBL_NLTYPE_UNLABELED: |
| 776 | /* just delete the protocols we support for right now | 775 | /* just delete the protocols we support for right now |
| @@ -812,36 +811,21 @@ int netlbl_req_setattr(struct request_sock *req, | |||
| 812 | const struct netlbl_lsm_secattr *secattr) | 811 | const struct netlbl_lsm_secattr *secattr) |
| 813 | { | 812 | { |
| 814 | int ret_val; | 813 | int ret_val; |
| 815 | struct netlbl_dom_map *dom_entry; | 814 | struct netlbl_dommap_def *entry; |
| 816 | struct netlbl_domaddr4_map *af4_entry; | ||
| 817 | u32 proto_type; | ||
| 818 | struct cipso_v4_doi *proto_cv4; | ||
| 819 | 815 | ||
| 820 | rcu_read_lock(); | 816 | rcu_read_lock(); |
| 821 | dom_entry = netlbl_domhsh_getentry(secattr->domain); | ||
| 822 | if (dom_entry == NULL) { | ||
| 823 | ret_val = -ENOENT; | ||
| 824 | goto req_setattr_return; | ||
| 825 | } | ||
| 826 | switch (req->rsk_ops->family) { | 817 | switch (req->rsk_ops->family) { |
| 827 | case AF_INET: | 818 | case AF_INET: |
| 828 | if (dom_entry->type == NETLBL_NLTYPE_ADDRSELECT) { | 819 | entry = netlbl_domhsh_getentry_af4(secattr->domain, |
| 829 | struct inet_request_sock *req_inet = inet_rsk(req); | 820 | inet_rsk(req)->rmt_addr); |
| 830 | af4_entry = netlbl_domhsh_getentry_af4(secattr->domain, | 821 | if (entry == NULL) { |
| 831 | req_inet->rmt_addr); | 822 | ret_val = -ENOENT; |
| 832 | if (af4_entry == NULL) { | 823 | goto req_setattr_return; |
| 833 | ret_val = -ENOENT; | ||
| 834 | goto req_setattr_return; | ||
| 835 | } | ||
| 836 | proto_type = af4_entry->type; | ||
| 837 | proto_cv4 = af4_entry->type_def.cipsov4; | ||
| 838 | } else { | ||
| 839 | proto_type = dom_entry->type; | ||
| 840 | proto_cv4 = dom_entry->type_def.cipsov4; | ||
| 841 | } | 824 | } |
| 842 | switch (proto_type) { | 825 | switch (entry->type) { |
| 843 | case NETLBL_NLTYPE_CIPSOV4: | 826 | case NETLBL_NLTYPE_CIPSOV4: |
| 844 | ret_val = cipso_v4_req_setattr(req, proto_cv4, secattr); | 827 | ret_val = cipso_v4_req_setattr(req, |
| 828 | entry->cipso, secattr); | ||
| 845 | break; | 829 | break; |
| 846 | case NETLBL_NLTYPE_UNLABELED: | 830 | case NETLBL_NLTYPE_UNLABELED: |
| 847 | /* just delete the protocols we support for right now | 831 | /* just delete the protocols we support for right now |
| @@ -899,23 +883,21 @@ int netlbl_skbuff_setattr(struct sk_buff *skb, | |||
| 899 | { | 883 | { |
| 900 | int ret_val; | 884 | int ret_val; |
| 901 | struct iphdr *hdr4; | 885 | struct iphdr *hdr4; |
| 902 | struct netlbl_domaddr4_map *af4_entry; | 886 | struct netlbl_dommap_def *entry; |
| 903 | 887 | ||
| 904 | rcu_read_lock(); | 888 | rcu_read_lock(); |
| 905 | switch (family) { | 889 | switch (family) { |
| 906 | case AF_INET: | 890 | case AF_INET: |
| 907 | hdr4 = ip_hdr(skb); | 891 | hdr4 = ip_hdr(skb); |
| 908 | af4_entry = netlbl_domhsh_getentry_af4(secattr->domain, | 892 | entry = netlbl_domhsh_getentry_af4(secattr->domain,hdr4->daddr); |
| 909 | hdr4->daddr); | 893 | if (entry == NULL) { |
| 910 | if (af4_entry == NULL) { | ||
| 911 | ret_val = -ENOENT; | 894 | ret_val = -ENOENT; |
| 912 | goto skbuff_setattr_return; | 895 | goto skbuff_setattr_return; |
| 913 | } | 896 | } |
| 914 | switch (af4_entry->type) { | 897 | switch (entry->type) { |
| 915 | case NETLBL_NLTYPE_CIPSOV4: | 898 | case NETLBL_NLTYPE_CIPSOV4: |
| 916 | ret_val = cipso_v4_skbuff_setattr(skb, | 899 | ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso, |
| 917 | af4_entry->type_def.cipsov4, | 900 | secattr); |
| 918 | secattr); | ||
| 919 | break; | 901 | break; |
| 920 | case NETLBL_NLTYPE_UNLABELED: | 902 | case NETLBL_NLTYPE_UNLABELED: |
| 921 | /* just delete the protocols we support for right now | 903 | /* just delete the protocols we support for right now |