authorPaul Moore <paul.moore@hp.com>2007-07-18 12:28:46 -0400
committerJames Morris <jmorris@namei.org>2007-07-19 10:21:13 -0400
commitf36158c410651fe66f438c17b2ab3ae813f8c060 (patch)
tree644e57a36d918fe2b2fcdd2f59daffb847cd8d36 /security/selinux/netlabel.c
parent23bcdc1adebd3cb47d5666f2e9ecada95c0134e4 (diff)
SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
These changes will make NetLabel behave like labeled IPsec where there is an access check for both labeled and unlabeled packets as well as providing the ability to restrict domains to receiving only labeled packets when NetLabel is in use. The changes to the policy are straightforward, with the following necessary to receive labeled traffic (with SECINITSID_NETMSG defined as "netlabel_peer_t"): allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; The policy for unlabeled traffic would be: allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom; These policy changes, as well as more general NetLabel support, are included in the latest SELinux Reference Policy release 20070629 or later. Users who make use of NetLabel are strongly encouraged to upgrade their policy to avoid network problems. Users who do not make use of NetLabel will not notice any difference. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/netlabel.c')
-rw-r--r--security/selinux/netlabel.c41
1 files changed, 20 insertions, 21 deletions
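diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index ed9155b29c1a..051b14c88e2d 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -163,9 +163,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
 netlbl_secattr_init(&secattr);
 rc = netlbl_skbuff_getattr(skb, &secattr);
 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-rc = security_netlbl_secattr_to_sid(&secattr,
-base_sid,
-sid);
+rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
 else
 *sid = SECSID_NULL;
 netlbl_secattr_destroy(&secattr);
@@ -203,7 +201,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
 if (netlbl_sock_getattr(sk, &secattr) == 0 &&
 secattr.flags != NETLBL_SECATTR_NONE &&
 security_netlbl_secattr_to_sid(&secattr,
-SECINITSID_UNLABELED,
+SECINITSID_NETMSG,
 &nlbl_peer_sid) == 0)
 sksec->peer_sid = nlbl_peer_sid;
 netlbl_secattr_destroy(&secattr);
@@ -300,41 +298,42 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 struct avc_audit_data *ad)
 {
 int rc;
-u32 netlbl_sid;
-u32 recv_perm;
+u32 nlbl_sid;
+u32 perm;
+struct netlbl_lsm_secattr secattr;
 
 if (!netlbl_enabled())
 return 0;
 
-rc = selinux_netlbl_skbuff_getsid(skb,
-SECINITSID_UNLABELED,
-&netlbl_sid);
+netlbl_secattr_init(&secattr);
+rc = netlbl_skbuff_getattr(skb, &secattr);
+if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+rc = security_netlbl_secattr_to_sid(&secattr,
+SECINITSID_NETMSG,
+&nlbl_sid);
+else
+nlbl_sid = SECINITSID_UNLABELED;
+netlbl_secattr_destroy(&secattr);
 if (rc != 0)
 return rc;
 
-if (netlbl_sid == SECSID_NULL)
-return 0;
-
 switch (sksec->sclass) {
 case SECCLASS_UDP_SOCKET:
-recv_perm = UDP_SOCKET__RECVFROM;
+perm = UDP_SOCKET__RECVFROM;
 break;
 case SECCLASS_TCP_SOCKET:
-recv_perm = TCP_SOCKET__RECVFROM;
+perm = TCP_SOCKET__RECVFROM;
 break;
 default:
-recv_perm = RAWIP_SOCKET__RECVFROM;
+perm = RAWIP_SOCKET__RECVFROM;
 }
 
-rc = avc_has_perm(sksec->sid,
-netlbl_sid,
-sksec->sclass,
-recv_perm,
-ad);
+rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
 if (rc == 0)
 return 0;
 
-netlbl_skbuff_err(skb, rc);
+if (nlbl_sid != SECINITSID_UNLABELED)
+netlbl_skbuff_err(skb, rc);
 return rc;
 }
 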
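Review bot: In the third hunk the `else` branch assigns `nlbl_sid = SECINITSID_UNLABELED` both when `netlbl_skbuff_getattr()` succeeded with no attributes and when it failed outright, and the failure is only caught two lines later by `if (rc != 0) return rc;`, so the assignment is dead on that path and a reader has to work out that a getattr error is a hard deny rather than "treat as unlabeled". A comment on the `else` would make that explicit, e.g. `/* no NetLabel attributes (a getattr error is rejected below): check against the unlabeled SID */`. Note also that a labeled packet whose attributes cannot be mapped by `security_netlbl_secattr_to_sid()` returns `rc` without the `netlbl_skbuff_err()` call that an AVC denial on the same packet triggers; if that asymmetry is intentional it deserves a one-line comment, since the new `nlbl_sid != SECINITSID_UNLABELED` guard presumably exists to avoid sending a NetLabel error for traffic that never carried a label. The signature of `selinux_netlbl_sock_rcv_skb` begins outside the hunk.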