netlabel: Add functionality to set the security attributes of a packet

This patch builds upon the new NetLabel address selector functionality by providing the NetLabel KAPI and CIPSO engine support needed to enable the new packet-based labeling. The only new addition to the NetLabel KAPI at this point is shown below: * int netlbl_skbuff_setattr(skb, family, secattr) ... and is designed to be called from a Netfilter hook after the packet's IP header has been populated such as in the FORWARD or LOCAL_OUT hooks. This patch also provides the necessary SELinux hooks to support this new functionality. Smack support is not currently included due to uncertainty regarding the permissions needed to expand the Smack network access controls. Signed-off-by: Paul Moore <paul.moore@hp.com> Reviewed-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2008-10-10 10:16:32 -0400
committer: Paul Moore <paul.moore@hp.com> 2008-10-10 10:16:32 -0400
commit: 948bf85c1bc9a84754786a9d5dd99b7ecc46451e (patch)
tree: a4706be1f4a5a37408774ef3c4cab8cf2e7775b5 /security/selinux/netlabel.c
parent: 63c41688743760631188cf0f4ae986a6793ccb0a (diff)
1 files changed, 66 insertions, 2 deletions
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 4053f7fc95fb..090404d6e512 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -9,7 +9,7 @@
 */
 /*
- * (c) Copyright Hewlett-Packard Development Company, L.P., 2007
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2007, 2008
 *
 * This program is free software;  you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -31,6 +31,8 @@
 #include <linux/rcupdate.h>
 #include <net/sock.h>
 #include <net/netlabel.h>
+#include <net/inet_sock.h>
+#include <net/inet_connection_sock.h>
 #include "objsec.h"
 #include "security.h"
@@ -77,6 +79,8 @@ static int selinux_netlbl_sock_setsid(struct sock *sk)
        int rc;
        struct sk_security_struct *sksec = sk->sk_security;
        struct netlbl_lsm_secattr secattr;
+        struct inet_sock *sk_inet;
+        struct inet_connection_sock *sk_conn;
        if (sksec->nlbl_state != NLBL_REQUIRE)
                return 0;
@@ -87,8 +91,29 @@ static int selinux_netlbl_sock_setsid(struct sock *sk)
        if (rc != 0)
                goto sock_setsid_return;
        rc = netlbl_sock_setattr(sk, &secattr);
-        if (rc == 0)
+        switch (rc) {
+        case 0:
                sksec->nlbl_state = NLBL_LABELED;
+                break;
+        case -EDESTADDRREQ:
+                /* we are going to possibly end up labeling the individual
+                 * packets later which is problematic for stream sockets
+                 * because of the additional IP header size, our solution is to
+                 * allow for the maximum IP header length (40 bytes for IPv4,
+                 * we don't have to worry about IPv6 yet) just in case */
+                sk_inet = inet_sk(sk);
+                if (sk_inet->is_icsk) {
+                        sk_conn = inet_csk(sk);
+                        if (sk_inet->opt)
+                                sk_conn->icsk_ext_hdr_len -=
+                                                           sk_inet->opt->optlen;
+                        sk_conn->icsk_ext_hdr_len += 40;
+                        sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
+                }
+                sksec->nlbl_state = NLBL_REQSKB;
+                rc = 0;
+                break;
+        }
 sock_setsid_return:
        netlbl_secattr_destroy(&secattr);
@@ -183,6 +208,45 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 }
 /**
+ * selinux_netlbl_skbuff_setsid - Set the NetLabel on a packet given a sid
+ * @skb: the packet
+ * @family: protocol family
+ * @sid: the SID
+ *
+ * Description
+ * Call the NetLabel mechanism to set the label of a packet using @sid.
+ * Returns zero on auccess, negative values on failure.
+ *
+ */
+int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
+                                 u16 family,
+                                 u32 sid)
+{
+        int rc;
+        struct netlbl_lsm_secattr secattr;
+        struct sock *sk;
+        /* if this is a locally generated packet check to see if it is already
+         * being labeled by it's parent socket, if it is just exit */
+        sk = skb->sk;
+        if (sk != NULL) {
+                struct sk_security_struct *sksec = sk->sk_security;
+                if (sksec->nlbl_state != NLBL_REQSKB)
+                        return 0;
+        }
+        netlbl_secattr_init(&secattr);
+        rc = security_netlbl_sid_to_secattr(sid, &secattr);
+        if (rc != 0)
+                goto skbuff_setsid_return;
+        rc = netlbl_skbuff_setattr(skb, family, &secattr);
+skbuff_setsid_return:
+        netlbl_secattr_destroy(&secattr);
+        return rc;
+}
+/**
 * selinux_netlbl_sock_graft - Netlabel the new socket
 * @sk: the new connection
 * @sock: the new socket
author	Paul Moore <paul.moore@hp.com>	2008-10-10 10:16:32 -0400
committer	Paul Moore <paul.moore@hp.com>	2008-10-10 10:16:32 -0400
commit	948bf85c1bc9a84754786a9d5dd99b7ecc46451e (patch)
tree	a4706be1f4a5a37408774ef3c4cab8cf2e7775b5 /security/selinux/netlabel.c
parent	63c41688743760631188cf0f4ae986a6793ccb0a (diff)

diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 4053f7fc95fb..090404d6e512 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c
@@ -9,7 +9,7 @@
9	*/	9	*/
10		10
11	/*	11	/*
12	* (c) Copyright Hewlett-Packard Development Company, L.P., 2007	12	* (c) Copyright Hewlett-Packard Development Company, L.P., 2007, 2008
13	*	13	*
14	* This program is free software; you can redistribute it and/or modify	14	* This program is free software; you can redistribute it and/or modify
15	* it under the terms of the GNU General Public License as published by	15	* it under the terms of the GNU General Public License as published by
@@ -31,6 +31,8 @@
31	#include <linux/rcupdate.h>	31	#include <linux/rcupdate.h>
32	#include <net/sock.h>	32	#include <net/sock.h>
33	#include <net/netlabel.h>	33	#include <net/netlabel.h>
		34	#include <net/inet_sock.h>
		35	#include <net/inet_connection_sock.h>
34		36
35	#include "objsec.h"	37	#include "objsec.h"
36	#include "security.h"	38	#include "security.h"
@@ -77,6 +79,8 @@ static int selinux_netlbl_sock_setsid(struct sock *sk)
77	int rc;	79	int rc;
78	struct sk_security_struct *sksec = sk->sk_security;	80	struct sk_security_struct *sksec = sk->sk_security;
79	struct netlbl_lsm_secattr secattr;	81	struct netlbl_lsm_secattr secattr;
		82	struct inet_sock *sk_inet;
		83	struct inet_connection_sock *sk_conn;
80		84
81	if (sksec->nlbl_state != NLBL_REQUIRE)	85	if (sksec->nlbl_state != NLBL_REQUIRE)
82	return 0;	86	return 0;
@@ -87,8 +91,29 @@ static int selinux_netlbl_sock_setsid(struct sock *sk)
87	if (rc != 0)	91	if (rc != 0)
88	goto sock_setsid_return;	92	goto sock_setsid_return;
89	rc = netlbl_sock_setattr(sk, &secattr);	93	rc = netlbl_sock_setattr(sk, &secattr);
90	if (rc == 0)	94	switch (rc) {
		95	case 0:
91	sksec->nlbl_state = NLBL_LABELED;	96	sksec->nlbl_state = NLBL_LABELED;
		97	break;
		98	case -EDESTADDRREQ:
		99	/* we are going to possibly end up labeling the individual
		100	* packets later which is problematic for stream sockets
		101	* because of the additional IP header size, our solution is to
		102	* allow for the maximum IP header length (40 bytes for IPv4,
		103	* we don't have to worry about IPv6 yet) just in case */
		104	sk_inet = inet_sk(sk);
		105	if (sk_inet->is_icsk) {
		106	sk_conn = inet_csk(sk);
		107	if (sk_inet->opt)
		108	sk_conn->icsk_ext_hdr_len -=
		109	sk_inet->opt->optlen;
		110	sk_conn->icsk_ext_hdr_len += 40;
		111	sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
		112	}
		113	sksec->nlbl_state = NLBL_REQSKB;
		114	rc = 0;
		115	break;
		116	}
92		117
93	sock_setsid_return:	118	sock_setsid_return:
94	netlbl_secattr_destroy(&secattr);	119	netlbl_secattr_destroy(&secattr);
@@ -183,6 +208,45 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
183	}	208	}
184		209
185	/**	210	/**
		211	* selinux_netlbl_skbuff_setsid - Set the NetLabel on a packet given a sid
		212	* @skb: the packet
		213	* @family: protocol family
		214	* @sid: the SID
		215	*
		216	* Description
		217	* Call the NetLabel mechanism to set the label of a packet using @sid.
		218	* Returns zero on auccess, negative values on failure.
		219	*
		220	*/
		221	int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
		222	u16 family,
		223	u32 sid)
		224	{
		225	int rc;
		226	struct netlbl_lsm_secattr secattr;
		227	struct sock *sk;
		228
		229	/* if this is a locally generated packet check to see if it is already
		230	* being labeled by it's parent socket, if it is just exit */
		231	sk = skb->sk;
		232	if (sk != NULL) {
		233	struct sk_security_struct *sksec = sk->sk_security;
		234	if (sksec->nlbl_state != NLBL_REQSKB)
		235	return 0;
		236	}
		237
		238	netlbl_secattr_init(&secattr);
		239	rc = security_netlbl_sid_to_secattr(sid, &secattr);
		240	if (rc != 0)
		241	goto skbuff_setsid_return;
		242	rc = netlbl_skbuff_setattr(skb, family, &secattr);
		243
		244	skbuff_setsid_return:
		245	netlbl_secattr_destroy(&secattr);
		246	return rc;
		247	}
		248
		249	/**
186	* selinux_netlbl_sock_graft - Netlabel the new socket	250	* selinux_netlbl_sock_graft - Netlabel the new socket
187	* @sk: the new connection	251	* @sk: the new connection
188	* @sock: the new socket	252	* @sock: the new socket