[MLSXFRM]: Auto-labeling of child sockets

This automatically labels the TCP, Unix stream, and dccp child sockets
as well as openreqs to be at the same MLS level as the peer. This will
result in the selection of appropriately labeled IPSec Security
Associations.

This also uses the sock's sid (as opposed to the isec sid) in SELinux
enforcement of secmark in rcv_skb and postroute_last hooks.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

6 files changed, 23 insertions, 6 deletions

diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 386498053b1c..171d363876ee 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -501,6 +501,9 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 
         dccp_openreq_init(req, &dp, skb);
 
+        if (security_inet_conn_request(sk, skb, req))
+                goto drop_and_free;
+
         ireq = inet_rsk(req);
         ireq->loc_addr = daddr;
         ireq->rmt_addr = saddr;
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 53d255c01431..231bc7c7e749 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -424,7 +424,7 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req,
         fl.oif = ireq6->iif;
         fl.fl_ip_dport = inet_rsk(req)->rmt_port;
         fl.fl_ip_sport = inet_sk(sk)->sport;
-        security_sk_classify_flow(sk, &fl);
+        security_req_classify_flow(req, &fl);
 
         if (dst == NULL) {
                 opt = np->opt;
@@ -626,7 +626,7 @@ static void dccp_v6_reqsk_send_ack(struct sk_buff *rxskb,
         fl.oif = inet6_iif(rxskb);
         fl.fl_ip_dport = dh->dccph_dport;
         fl.fl_ip_sport = dh->dccph_sport;
-        security_skb_classify_flow(rxskb, &fl);
+        security_req_classify_flow(req, &fl);
 
         if (!ip6_dst_lookup(NULL, &skb->dst, &fl)) {
                 if (xfrm_lookup(&skb->dst, &fl, NULL, 0) >= 0) {
@@ -709,6 +709,9 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 
         dccp_openreq_init(req, &dp, skb);
 
+        if (security_inet_conn_request(sk, skb, req))
+                goto drop_and_free;
+
         ireq6 = inet6_rsk(req);
         ireq = inet_rsk(req);
         ipv6_addr_copy(&ireq6->rmt_addr, &skb->nh.ipv6h->saddr);
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 772b4eac78bc..07204391d083 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -327,7 +327,7 @@ struct dst_entry* inet_csk_route_req(struct sock *sk,
                                        { .sport = inet_sk(sk)->sport,
                                          .dport = ireq->rmt_port } } };
 
-        security_sk_classify_flow(sk, &fl);
+        security_req_classify_flow(req, &fl);
         if (ip_route_output_flow(&rt, &fl, sk, 0)) {
                 IP_INC_STATS_BH(IPSTATS_MIB_OUTNOROUTES);
                 return NULL;
@@ -510,6 +510,8 @@ struct sock *inet_csk_clone(struct sock *sk, const struct request_sock *req,
 
                 /* Deinitialize accept_queue to trap illegal accesses. */
                 memset(&newicsk->icsk_accept_queue, 0, sizeof(newicsk->icsk_accept_queue));
+
+                security_inet_csk_clone(newsk, req);
         }
         return newsk;
 }
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 307dc3c0d635..661e0a4bca72 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -214,6 +214,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
         if (!req)
                 goto out;
 
+        if (security_inet_conn_request(sk, skb, req)) {
+                reqsk_free(req);
+                goto out;
+        }
         ireq = inet_rsk(req);
         treq = tcp_rsk(req);
         treq->rcv_isn           = htonl(skb->h.th->seq) - 1;
@@ -259,7 +263,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
                                     .uli_u = { .ports =
                                                { .sport = skb->h.th->dest,
                                                  .dport = skb->h.th->source } } };
-                security_sk_classify_flow(sk, &fl);
+                security_req_classify_flow(req, &fl);
                 if (ip_route_output_key(&rt, &fl)) {
                         reqsk_free(req);
                         goto out; 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 4b04c3edd4a9..43f6740244f8 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -798,6 +798,9 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 
         tcp_openreq_init(req, &tmp_opt, skb);
 
+        if (security_inet_conn_request(sk, skb, req))
+                goto drop_and_free;
+
         ireq = inet_rsk(req);
         ireq->loc_addr = daddr;
         ireq->rmt_addr = saddr;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 46922e57e311..302786a11cd6 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -470,7 +470,7 @@ static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req,
         fl.oif = treq->iif;
         fl.fl_ip_dport = inet_rsk(req)->rmt_port;
         fl.fl_ip_sport = inet_sk(sk)->sport;
-        security_sk_classify_flow(sk, &fl);
+        security_req_classify_flow(req, &fl);
 
         if (dst == NULL) {
                 opt = np->opt;
@@ -826,6 +826,8 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 
         tcp_rsk(req)->snt_isn = isn;
 
+        security_inet_conn_request(sk, skb, req);
+
         if (tcp_v6_send_synack(sk, req, NULL))
                 goto drop;
 
@@ -929,7 +931,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
                 fl.oif = sk->sk_bound_dev_if;
                 fl.fl_ip_dport = inet_rsk(req)->rmt_port;
                 fl.fl_ip_sport = inet_sk(sk)->sport;
-                security_sk_classify_flow(sk, &fl);
+                security_req_classify_flow(req, &fl);
 
                 if (ip6_dst_lookup(sk, &dst, &fl))
                         goto out;