SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement

Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the current runtime status of NetLabel based on the existing configuration. LSMs that make use of NetLabel, i.e. SELinux, can use this new function to determine if they should perform NetLabel access checks. This patch changes the NetLabel/SELinux glue code such that SELinux only enforces NetLabel related access checks when netlbl_enabled() returns true. At present NetLabel is considered to be enabled when there is at least one labeled protocol configuration present. The result is that by default NetLabel is considered to be disabled, however, as soon as an administrator configured a CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing NetLabel related access controls - including unlabeled packet controls. This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL" blocks into a single block to ease future review as recommended by Linus. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2007-07-18 12:28:45 -0400
committer: James Morris <jmorris@namei.org> 2007-07-19 10:21:11 -0400
commit: 23bcdc1adebd3cb47d5666f2e9ecada95c0134e4 (patch)
tree: 71caf0ac9fa86e4a9cf423d968a2486656c2e196 /net/netlabel
parent: 589f1e81bde732dd0b1bc5d01b6bddd4bcb4527b (diff)
4 files changed, 96 insertions, 0 deletions
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index 24b660f16ce3..c060e3f991f1 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -41,6 +41,7 @@
 #include "netlabel_user.h"
 #include "netlabel_cipso_v4.h"
+#include "netlabel_mgmt.h"
 /* Argument struct for cipso_v4_doi_walk() */
 struct netlbl_cipsov4_doiwalk_arg {
@@ -419,6 +420,8 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
                ret_val = netlbl_cipsov4_add_pass(info);
                break;
        }
+        if (ret_val == 0)
+                netlbl_mgmt_protocount_inc();
        audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
                                              &audit_info);
@@ -694,6 +697,8 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
        ret_val = cipso_v4_doi_remove(doi,
                                      &audit_info,
                                      netlbl_cipsov4_doi_free);
+        if (ret_val == 0)
+                netlbl_mgmt_protocount_dec();
        audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
                                              &audit_info);
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index b165712aaa70..4f50949722a9 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -38,6 +38,7 @@
 #include "netlabel_domainhash.h"
 #include "netlabel_unlabeled.h"
 #include "netlabel_user.h"
+#include "netlabel_mgmt.h"
 /*
 * Security Attribute Functions
@@ -245,6 +246,26 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
 */
 /**
+ * netlbl_enabled - Determine if the NetLabel subsystem is enabled
+ *
+ * Description:
+ * The LSM can use this function to determine if it should use NetLabel
+ * security attributes in it's enforcement mechanism.  Currently, NetLabel is
+ * considered to be enabled when it's configuration contains a valid setup for
+ * at least one labeled protocol (i.e. NetLabel can understand incoming
+ * labeled packets of at least one type); otherwise NetLabel is considered to
+ * be disabled.
+ *
+ */
+int netlbl_enabled(void)
+{
+        /* At some point we probably want to expose this mechanism to the user
+         * as well so that admins can toggle NetLabel regardless of the
+         * configuration */
+        return (netlbl_mgmt_protocount_value() > 0 ? 1 : 0);
+}
+/**
 * netlbl_socket_setattr - Label a socket using the correct protocol
 * @sk: the socket to label
 * @secattr: the security attributes
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
index e00fc219c72b..5315dacc5222 100644
--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -42,6 +42,10 @@
 #include "netlabel_user.h"
 #include "netlabel_mgmt.h"
+/* NetLabel configured protocol count */
+static DEFINE_SPINLOCK(netlabel_mgmt_protocount_lock);
+static u32 netlabel_mgmt_protocount = 0;
 /* Argument struct for netlbl_domhsh_walk() */
 struct netlbl_domhsh_walk_arg {
        struct netlink_callback *nl_cb;
@@ -67,6 +71,67 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
 };
 /*
+ * NetLabel Misc Managment Functions
+ */
+/**
+ * netlbl_mgmt_protocount_inc - Increment the configured labeled protocol count
+ *
+ * Description:
+ * Increment the number of labeled protocol configurations in the current
+ * NetLabel configuration.  Keep track of this for use in determining if
+ * NetLabel label enforcement should be active/enabled or not in the LSM.
+ *
+ */
+void netlbl_mgmt_protocount_inc(void)
+{
+        rcu_read_lock();
+        spin_lock(&netlabel_mgmt_protocount_lock);
+        netlabel_mgmt_protocount++;
+        spin_unlock(&netlabel_mgmt_protocount_lock);
+        rcu_read_unlock();
+}
+/**
+ * netlbl_mgmt_protocount_dec - Decrement the configured labeled protocol count
+ *
+ * Description:
+ * Decrement the number of labeled protocol configurations in the current
+ * NetLabel configuration.  Keep track of this for use in determining if
+ * NetLabel label enforcement should be active/enabled or not in the LSM.
+ *
+ */
+void netlbl_mgmt_protocount_dec(void)
+{
+        rcu_read_lock();
+        spin_lock(&netlabel_mgmt_protocount_lock);
+        if (netlabel_mgmt_protocount > 0)
+                netlabel_mgmt_protocount--;
+        spin_unlock(&netlabel_mgmt_protocount_lock);
+        rcu_read_unlock();
+}
+/**
+ * netlbl_mgmt_protocount_value - Return the number of configured protocols
+ *
+ * Description:
+ * Return the number of labeled protocols in the current NetLabel
+ * configuration.  This value is useful in  determining if NetLabel label
+ * enforcement should be active/enabled or not in the LSM.
+ *
+ */
+u32 netlbl_mgmt_protocount_value(void)
+{
+        u32 val;
+        rcu_read_lock();
+        val = netlabel_mgmt_protocount;
+        rcu_read_unlock();
+        return val;
+}
+/*
 * NetLabel Command Handlers
 */
diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h
index 3642d3bfc8eb..ccb2b3923591 100644
--- a/net/netlabel/netlabel_mgmt.h
+++ b/net/netlabel/netlabel_mgmt.h
@@ -168,4 +168,9 @@ enum {
 /* NetLabel protocol functions */
 int netlbl_mgmt_genl_init(void);
+/* NetLabel misc management functions */
+void netlbl_mgmt_protocount_inc(void);
+void netlbl_mgmt_protocount_dec(void);
+u32 netlbl_mgmt_protocount_value(void);
 #endif
author	Paul Moore <paul.moore@hp.com>	2007-07-18 12:28:45 -0400
committer	James Morris <jmorris@namei.org>	2007-07-19 10:21:11 -0400
commit	23bcdc1adebd3cb47d5666f2e9ecada95c0134e4 (patch)
tree	71caf0ac9fa86e4a9cf423d968a2486656c2e196 /net/netlabel
parent	589f1e81bde732dd0b1bc5d01b6bddd4bcb4527b (diff)

diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index 24b660f16ce3..c060e3f991f1 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c
@@ -41,6 +41,7 @@
41		41
42	#include "netlabel_user.h"	42	#include "netlabel_user.h"
43	#include "netlabel_cipso_v4.h"	43	#include "netlabel_cipso_v4.h"
		44	#include "netlabel_mgmt.h"
44		45
45	/* Argument struct for cipso_v4_doi_walk() */	46	/* Argument struct for cipso_v4_doi_walk() */
46	struct netlbl_cipsov4_doiwalk_arg {	47	struct netlbl_cipsov4_doiwalk_arg {
@@ -419,6 +420,8 @@ static int netlbl_cipsov4_add(struct sk_buff skb, struct genl_info info)
419	ret_val = netlbl_cipsov4_add_pass(info);	420	ret_val = netlbl_cipsov4_add_pass(info);
420	break;	421	break;
421	}	422	}
		423	if (ret_val == 0)
		424	netlbl_mgmt_protocount_inc();
422		425
423	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,	426	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
424	&audit_info);	427	&audit_info);
@@ -694,6 +697,8 @@ static int netlbl_cipsov4_remove(struct sk_buff skb, struct genl_info info)
694	ret_val = cipso_v4_doi_remove(doi,	697	ret_val = cipso_v4_doi_remove(doi,
695	&audit_info,	698	&audit_info,
696	netlbl_cipsov4_doi_free);	699	netlbl_cipsov4_doi_free);
		700	if (ret_val == 0)
		701	netlbl_mgmt_protocount_dec();
697		702
698	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,	703	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
699	&audit_info);	704	&audit_info);


diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index b165712aaa70..4f50949722a9 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c
@@ -38,6 +38,7 @@
38	#include "netlabel_domainhash.h"	38	#include "netlabel_domainhash.h"
39	#include "netlabel_unlabeled.h"	39	#include "netlabel_unlabeled.h"
40	#include "netlabel_user.h"	40	#include "netlabel_user.h"
		41	#include "netlabel_mgmt.h"
41		42
42	/*	43	/*
43	* Security Attribute Functions	44	* Security Attribute Functions
@@ -245,6 +246,26 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
245	*/	246	*/
246		247
247	/**	248	/**
		249	* netlbl_enabled - Determine if the NetLabel subsystem is enabled
		250	*
		251	* Description:
		252	* The LSM can use this function to determine if it should use NetLabel
		253	* security attributes in it's enforcement mechanism. Currently, NetLabel is
		254	* considered to be enabled when it's configuration contains a valid setup for
		255	* at least one labeled protocol (i.e. NetLabel can understand incoming
		256	* labeled packets of at least one type); otherwise NetLabel is considered to
		257	* be disabled.
		258	*
		259	*/
		260	int netlbl_enabled(void)
		261	{
		262	/* At some point we probably want to expose this mechanism to the user
		263	* as well so that admins can toggle NetLabel regardless of the
		264	* configuration */
		265	return (netlbl_mgmt_protocount_value() > 0 ? 1 : 0);
		266	}
		267
		268	/**
248	* netlbl_socket_setattr - Label a socket using the correct protocol	269	* netlbl_socket_setattr - Label a socket using the correct protocol
249	* @sk: the socket to label	270	* @sk: the socket to label
250	* @secattr: the security attributes	271	* @secattr: the security attributes


diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c index e00fc219c72b..5315dacc5222 100644 --- a/net/netlabel/netlabel_mgmt.c +++ b/net/netlabel/netlabel_mgmt.c
@@ -42,6 +42,10 @@
42	#include "netlabel_user.h"	42	#include "netlabel_user.h"
43	#include "netlabel_mgmt.h"	43	#include "netlabel_mgmt.h"
44		44
		45	/* NetLabel configured protocol count */
		46	static DEFINE_SPINLOCK(netlabel_mgmt_protocount_lock);
		47	static u32 netlabel_mgmt_protocount = 0;
		48
45	/* Argument struct for netlbl_domhsh_walk() */	49	/* Argument struct for netlbl_domhsh_walk() */
46	struct netlbl_domhsh_walk_arg {	50	struct netlbl_domhsh_walk_arg {
47	struct netlink_callback *nl_cb;	51	struct netlink_callback *nl_cb;
@@ -67,6 +71,67 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
67	};	71	};
68		72
69	/*	73	/*
		74	* NetLabel Misc Managment Functions
		75	*/
		76
		77	/**
		78	* netlbl_mgmt_protocount_inc - Increment the configured labeled protocol count
		79	*
		80	* Description:
		81	* Increment the number of labeled protocol configurations in the current
		82	* NetLabel configuration. Keep track of this for use in determining if
		83	* NetLabel label enforcement should be active/enabled or not in the LSM.
		84	*
		85	*/
		86	void netlbl_mgmt_protocount_inc(void)
		87	{
		88	rcu_read_lock();
		89	spin_lock(&netlabel_mgmt_protocount_lock);
		90	netlabel_mgmt_protocount++;
		91	spin_unlock(&netlabel_mgmt_protocount_lock);
		92	rcu_read_unlock();
		93	}
		94
		95	/**
		96	* netlbl_mgmt_protocount_dec - Decrement the configured labeled protocol count
		97	*
		98	* Description:
		99	* Decrement the number of labeled protocol configurations in the current
		100	* NetLabel configuration. Keep track of this for use in determining if
		101	* NetLabel label enforcement should be active/enabled or not in the LSM.
		102	*
		103	*/
		104	void netlbl_mgmt_protocount_dec(void)
		105	{
		106	rcu_read_lock();
		107	spin_lock(&netlabel_mgmt_protocount_lock);
		108	if (netlabel_mgmt_protocount > 0)
		109	netlabel_mgmt_protocount--;
		110	spin_unlock(&netlabel_mgmt_protocount_lock);
		111	rcu_read_unlock();
		112	}
		113
		114	/**
		115	* netlbl_mgmt_protocount_value - Return the number of configured protocols
		116	*
		117	* Description:
		118	* Return the number of labeled protocols in the current NetLabel
		119	* configuration. This value is useful in determining if NetLabel label
		120	* enforcement should be active/enabled or not in the LSM.
		121	*
		122	*/
		123	u32 netlbl_mgmt_protocount_value(void)
		124	{
		125	u32 val;
		126
		127	rcu_read_lock();
		128	val = netlabel_mgmt_protocount;
		129	rcu_read_unlock();
		130
		131	return val;
		132	}
		133
		134	/*
70	* NetLabel Command Handlers	135	* NetLabel Command Handlers
71	*/	136	*/
72		137


diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h index 3642d3bfc8eb..ccb2b3923591 100644 --- a/net/netlabel/netlabel_mgmt.h +++ b/net/netlabel/netlabel_mgmt.h
@@ -168,4 +168,9 @@ enum {
168	/* NetLabel protocol functions */	168	/* NetLabel protocol functions */
169	int netlbl_mgmt_genl_init(void);	169	int netlbl_mgmt_genl_init(void);
170		170
		171	/* NetLabel misc management functions */
		172	void netlbl_mgmt_protocount_inc(void);
		173	void netlbl_mgmt_protocount_dec(void);
		174	u32 netlbl_mgmt_protocount_value(void);
		175
171	#endif	176	#endif