diff options
| author | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:33 -0400 |
|---|---|---|
| committer | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:33 -0400 |
| commit | 014ab19a69c325f52d7bae54ceeda73d6307ae0c (patch) | |
| tree | 8a69c490accb7d5454bdfeb8c078d846729aeb60 /net/netlabel | |
| parent | 948bf85c1bc9a84754786a9d5dd99b7ecc46451e (diff) | |
selinux: Set socket NetLabel based on connection endpoint
Previous work enabled the use of address based NetLabel selectors, which while
highly useful, brought the potential for additional per-packet overhead when
used. This patch attempts to solve that by applying NetLabel socket labels
when sockets are connect()'d. This should alleviate the per-packet NetLabel
labeling for all connected sockets (yes, it even works for connected DGRAM
sockets).
Signed-off-by: Paul Moore <paul.moore@hp.com>
Reviewed-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/netlabel')
| -rw-r--r-- | net/netlabel/netlabel_kapi.c | 78 |
1 files changed, 77 insertions, 1 deletions
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index cc8047d1f505..78fc557689b2 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c | |||
| @@ -10,7 +10,7 @@ | |||
| 10 | */ | 10 | */ |
| 11 | 11 | ||
| 12 | /* | 12 | /* |
| 13 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 | 13 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008 |
| 14 | * | 14 | * |
| 15 | * This program is free software; you can redistribute it and/or modify | 15 | * This program is free software; you can redistribute it and/or modify |
| 16 | * it under the terms of the GNU General Public License as published by | 16 | * it under the terms of the GNU General Public License as published by |
| @@ -456,6 +456,20 @@ socket_setattr_return: | |||
| 456 | } | 456 | } |
| 457 | 457 | ||
| 458 | /** | 458 | /** |
| 459 | * netlbl_sock_delattr - Delete all the NetLabel labels on a socket | ||
| 460 | * @sk: the socket | ||
| 461 | * | ||
| 462 | * Description: | ||
| 463 | * Remove all the NetLabel labeling from @sk. The caller is responsible for | ||
| 464 | * ensuring that @sk is locked. | ||
| 465 | * | ||
| 466 | */ | ||
| 467 | void netlbl_sock_delattr(struct sock *sk) | ||
| 468 | { | ||
| 469 | cipso_v4_sock_delattr(sk); | ||
| 470 | } | ||
| 471 | |||
| 472 | /** | ||
| 459 | * netlbl_sock_getattr - Determine the security attributes of a sock | 473 | * netlbl_sock_getattr - Determine the security attributes of a sock |
| 460 | * @sk: the sock | 474 | * @sk: the sock |
| 461 | * @secattr: the security attributes | 475 | * @secattr: the security attributes |
| @@ -473,6 +487,68 @@ int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) | |||
| 473 | } | 487 | } |
| 474 | 488 | ||
| 475 | /** | 489 | /** |
| 490 | * netlbl_conn_setattr - Label a connected socket using the correct protocol | ||
| 491 | * @sk: the socket to label | ||
| 492 | * @addr: the destination address | ||
| 493 | * @secattr: the security attributes | ||
| 494 | * | ||
| 495 | * Description: | ||
| 496 | * Attach the correct label to the given connected socket using the security | ||
| 497 | * attributes specified in @secattr. The caller is responsible for ensuring | ||
| 498 | * that @sk is locked. Returns zero on success, negative values on failure. | ||
| 499 | * | ||
| 500 | */ | ||
| 501 | int netlbl_conn_setattr(struct sock *sk, | ||
| 502 | struct sockaddr *addr, | ||
| 503 | const struct netlbl_lsm_secattr *secattr) | ||
| 504 | { | ||
| 505 | int ret_val; | ||
| 506 | struct sockaddr_in *addr4; | ||
| 507 | struct netlbl_domaddr4_map *af4_entry; | ||
| 508 | |||
| 509 | rcu_read_lock(); | ||
| 510 | switch (addr->sa_family) { | ||
| 511 | case AF_INET: | ||
| 512 | addr4 = (struct sockaddr_in *)addr; | ||
| 513 | af4_entry = netlbl_domhsh_getentry_af4(secattr->domain, | ||
| 514 | addr4->sin_addr.s_addr); | ||
| 515 | if (af4_entry == NULL) { | ||
| 516 | ret_val = -ENOENT; | ||
| 517 | goto conn_setattr_return; | ||
| 518 | } | ||
| 519 | switch (af4_entry->type) { | ||
| 520 | case NETLBL_NLTYPE_CIPSOV4: | ||
| 521 | ret_val = cipso_v4_sock_setattr(sk, | ||
| 522 | af4_entry->type_def.cipsov4, | ||
| 523 | secattr); | ||
| 524 | break; | ||
| 525 | case NETLBL_NLTYPE_UNLABELED: | ||
| 526 | /* just delete the protocols we support for right now | ||
| 527 | * but we could remove other protocols if needed */ | ||
| 528 | cipso_v4_sock_delattr(sk); | ||
| 529 | ret_val = 0; | ||
| 530 | break; | ||
| 531 | default: | ||
| 532 | ret_val = -ENOENT; | ||
| 533 | } | ||
| 534 | break; | ||
| 535 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | ||
| 536 | case AF_INET6: | ||
| 537 | /* since we don't support any IPv6 labeling protocols right | ||
| 538 | * now we can optimize everything away until we do */ | ||
| 539 | ret_val = 0; | ||
| 540 | break; | ||
| 541 | #endif /* IPv6 */ | ||
| 542 | default: | ||
| 543 | ret_val = 0; | ||
| 544 | } | ||
| 545 | |||
| 546 | conn_setattr_return: | ||
| 547 | rcu_read_unlock(); | ||
| 548 | return ret_val; | ||
| 549 | } | ||
| 550 | |||
| 551 | /** | ||
| 476 | * netlbl_skbuff_setattr - Label a packet using the correct protocol | 552 | * netlbl_skbuff_setattr - Label a packet using the correct protocol |
| 477 | * @skb: the packet | 553 | * @skb: the packet |
| 478 | * @family: protocol family | 554 | * @family: protocol family |