[NetLabel]: SELinux support

Add NetLabel support to the SELinux LSM and modify the socket_post_create() LSM hook to return an error code. The most significant part of this patch is the addition of NetLabel hooks into the following SELinux LSM hooks: * selinux_file_permission() * selinux_socket_sendmsg() * selinux_socket_post_create() * selinux_socket_sock_rcv_skb() * selinux_socket_getpeersec_stream() * selinux_socket_getpeersec_dgram() * selinux_sock_graft() * selinux_inet_conn_request() The basic reasoning behind this patch is that outgoing packets are "NetLabel'd" by labeling their socket and the NetLabel security attributes are checked via the additional hook in selinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling mechanism, similar to filesystem extended attributes, it is up to the SELinux enforcement mechanism to perform the actual access checks. In addition to the changes outlined above this patch also includes some changes to the extended bitmap (ebitmap) and multi-level security (mls) code to import and export SELinux TE/MLS attributes into and out of NetLabel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Venkat Yekkirala <vyekkirala@TrustedCS.com> 2006-08-05 02:17:57 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-09-22 17:53:36 -0400
commit: 7420ed23a4f77480b5b7b3245e5da30dd24b7575 (patch)
tree: 016f5bb996c5eae66754b10243c5be6226d773f2 /security/selinux/include
parent: 96cb8e3313c7a12e026c1ed510522ae6f6023875 (diff)
2 files changed, 133 insertions, 0 deletions
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 79b9e0af19a0..0a39bfd1319f 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -101,6 +101,14 @@ struct sk_security_struct {
        struct sock *sk;                /* back pointer to sk object */
        u32 sid;                        /* SID of this object */
        u32 peer_sid;                   /* SID of peer */
+#ifdef CONFIG_NETLABEL
+        u16 sclass;                     /* sock security class */
+        enum {                          /* NetLabel state */
+                NLBL_UNSET = 0,
+                NLBL_REQUIRE,
+                NLBL_LABELED,
+        } nlbl_state;
+#endif
 };
 struct key_security_struct {
diff --git a/security/selinux/include/selinux_netlabel.h b/security/selinux/include/selinux_netlabel.h
new file mode 100644
index 000000000000..88c463eef1e1
--- /dev/null
+++ b/security/selinux/include/selinux_netlabel.h
@@ -0,0 +1,125 @@
+/*
+ * SELinux interface to the NetLabel subsystem
+ *
+ * Author : Paul Moore <paul.moore@hp.com>
+ *
+ */
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ *
+ * This program is free software;  you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program;  if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+#ifndef _SELINUX_NETLABEL_H_
+#define _SELINUX_NETLABEL_H_
+#ifdef CONFIG_NETLABEL
+void selinux_netlbl_cache_invalidate(void);
+int selinux_netlbl_socket_post_create(struct socket *sock,
+                                      int sock_family,
+                                      u32 sid);
+void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
+u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid);
+int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+                                struct sk_buff *skb,
+                                struct avc_audit_data *ad);
+u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);
+u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);
+int __selinux_netlbl_inode_permission(struct inode *inode, int mask);
+/**
+ * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
+ * @inode: the file descriptor's inode
+ * @mask: the permission mask
+ *
+ * Description:
+ * Looks at a file's inode and if it is marked as a socket protected by
+ * NetLabel then verify that the socket has been labeled, if not try to label
+ * the socket now with the inode's SID.  Returns zero on success, negative
+ * values on failure.
+ *
+ */
+static inline int selinux_netlbl_inode_permission(struct inode *inode,
+                                                  int mask)
+{
+        int rc = 0;
+        struct inode_security_struct *isec;
+        struct sk_security_struct *sksec;
+        if (!S_ISSOCK(inode->i_mode))
+                return 0;
+        isec = inode->i_security;
+        sksec = SOCKET_I(inode)->sk->sk_security;
+        down(&isec->sem);
+        if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
+                     (mask & (MAY_WRITE | MAY_APPEND))))
+                rc = __selinux_netlbl_inode_permission(inode, mask);
+        up(&isec->sem);
+        return rc;
+}
+#else
+static inline void selinux_netlbl_cache_invalidate(void)
+{
+        return;
+}
+static inline int selinux_netlbl_socket_post_create(struct socket *sock,
+                                                    int sock_family,
+                                                    u32 sid)
+{
+        return 0;
+}
+static inline void selinux_netlbl_sock_graft(struct sock *sk,
+                                             struct socket *sock)
+{
+        return;
+}
+static inline u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb,
+                                                   u32 sock_sid)
+{
+        return SECSID_NULL;
+}
+static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+                                              struct sk_buff *skb,
+                                              struct avc_audit_data *ad)
+{
+        return 0;
+}
+static inline u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
+{
+        return SECSID_NULL;
+}
+static inline u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
+{
+        return SECSID_NULL;
+}
+static inline int selinux_netlbl_inode_permission(struct inode *inode,
+                                                  int mask)
+{
+        return 0;
+}
+#endif /* CONFIG_NETLABEL */
+#endif
author	Venkat Yekkirala <vyekkirala@TrustedCS.com>	2006-08-05 02:17:57 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-09-22 17:53:36 -0400
commit	7420ed23a4f77480b5b7b3245e5da30dd24b7575 (patch)
tree	016f5bb996c5eae66754b10243c5be6226d773f2 /security/selinux/include
parent	96cb8e3313c7a12e026c1ed510522ae6f6023875 (diff)

diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 79b9e0af19a0..0a39bfd1319f 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h
@@ -101,6 +101,14 @@ struct sk_security_struct {
101	struct sock sk; / back pointer to sk object */	101	struct sock sk; / back pointer to sk object */
102	u32 sid; /* SID of this object */	102	u32 sid; /* SID of this object */
103	u32 peer_sid; /* SID of peer */	103	u32 peer_sid; /* SID of peer */
		104	#ifdef CONFIG_NETLABEL
		105	u16 sclass; /* sock security class */
		106	enum { /* NetLabel state */
		107	NLBL_UNSET = 0,
		108	NLBL_REQUIRE,
		109	NLBL_LABELED,
		110	} nlbl_state;
		111	#endif
104	};	112	};
105		113
106	struct key_security_struct {	114	struct key_security_struct {


diff --git a/security/selinux/include/selinux_netlabel.h b/security/selinux/include/selinux_netlabel.h new file mode 100644 index 000000000000..88c463eef1e1 --- /dev/null +++ b/security/selinux/include/selinux_netlabel.h
@@ -0,0 +1,125 @@
		1	/*
		2	* SELinux interface to the NetLabel subsystem
		3	*
		4	* Author : Paul Moore <paul.moore@hp.com>
		5	*
		6	*/
		7
		8	/*
		9	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
		10	*
		11	* This program is free software; you can redistribute it and/or modify
		12	* it under the terms of the GNU General Public License as published by
		13	* the Free Software Foundation; either version 2 of the License, or
		14	* (at your option) any later version.
		15	*
		16	* This program is distributed in the hope that it will be useful,
		17	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		18	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
		19	* the GNU General Public License for more details.
		20	*
		21	* You should have received a copy of the GNU General Public License
		22	* along with this program; if not, write to the Free Software
		23	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
		24	*
		25	*/
		26
		27	#ifndef _SELINUX_NETLABEL_H_
		28	#define _SELINUX_NETLABEL_H_
		29
		30	#ifdef CONFIG_NETLABEL
		31	void selinux_netlbl_cache_invalidate(void);
		32	int selinux_netlbl_socket_post_create(struct socket *sock,
		33	int sock_family,
		34	u32 sid);
		35	void selinux_netlbl_sock_graft(struct sock sk, struct socket sock);
		36	u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid);
		37	int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
		38	struct sk_buff *skb,
		39	struct avc_audit_data *ad);
		40	u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);
		41	u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);
		42
		43	int __selinux_netlbl_inode_permission(struct inode *inode, int mask);
		44	/**
		45	* selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
		46	* @inode: the file descriptor's inode
		47	* @mask: the permission mask
		48	*
		49	* Description:
		50	* Looks at a file's inode and if it is marked as a socket protected by
		51	* NetLabel then verify that the socket has been labeled, if not try to label
		52	* the socket now with the inode's SID. Returns zero on success, negative
		53	* values on failure.
		54	*
		55	*/
		56	static inline int selinux_netlbl_inode_permission(struct inode *inode,
		57	int mask)
		58	{
		59	int rc = 0;
		60	struct inode_security_struct *isec;
		61	struct sk_security_struct *sksec;
		62
		63	if (!S_ISSOCK(inode->i_mode))
		64	return 0;
		65
		66	isec = inode->i_security;
		67	sksec = SOCKET_I(inode)->sk->sk_security;
		68	down(&isec->sem);
		69	if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
		70	(mask & (MAY_WRITE \| MAY_APPEND))))
		71	rc = __selinux_netlbl_inode_permission(inode, mask);
		72	up(&isec->sem);
		73
		74	return rc;
		75	}
		76	#else
		77	static inline void selinux_netlbl_cache_invalidate(void)
		78	{
		79	return;
		80	}
		81
		82	static inline int selinux_netlbl_socket_post_create(struct socket *sock,
		83	int sock_family,
		84	u32 sid)
		85	{
		86	return 0;
		87	}
		88
		89	static inline void selinux_netlbl_sock_graft(struct sock *sk,
		90	struct socket *sock)
		91	{
		92	return;
		93	}
		94
		95	static inline u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb,
		96	u32 sock_sid)
		97	{
		98	return SECSID_NULL;
		99	}
		100
		101	static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
		102	struct sk_buff *skb,
		103	struct avc_audit_data *ad)
		104	{
		105	return 0;
		106	}
		107
		108	static inline u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
		109	{
		110	return SECSID_NULL;
		111	}
		112
		113	static inline u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
		114	{
		115	return SECSID_NULL;
		116	}
		117
		118	static inline int selinux_netlbl_inode_permission(struct inode *inode,
		119	int mask)
		120	{
		121	return 0;
		122	}
		123	#endif /* CONFIG_NETLABEL */
		124
		125	#endif