aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2007-07-18 12:28:46 -0400
committerJames Morris <jmorris@namei.org>2007-07-19 10:21:13 -0400
commitf36158c410651fe66f438c17b2ab3ae813f8c060 (patch)
tree644e57a36d918fe2b2fcdd2f59daffb847cd8d36 /security
parent23bcdc1adebd3cb47d5666f2e9ecada95c0134e4 (diff)
SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
These changes will make NetLabel behave like labeled IPsec where there is an access check for both labeled and unlabeled packets as well as providing the ability to restrict domains to receiving only labeled packets when NetLabel is in use. The changes to the policy are straight forward with the following necessary to receive labeled traffic (with SECINITSID_NETMSG defined as "netlabel_peer_t"): allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; The policy for unlabeled traffic would be: allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom; These policy changes, as well as more general NetLabel support, are included in the latest SELinux Reference Policy release 20070629 or later. Users who make use of NetLabel are strongly encouraged to upgrade their policy to avoid network problems. Users who do not make use of NetLabel will not notice any difference. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c21
-rw-r--r--security/selinux/netlabel.c41
2 files changed, 31 insertions, 31 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 520b9998123e..26356e67108e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3129,17 +3129,19 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3129/** 3129/**
3130 * selinux_skb_extlbl_sid - Determine the external label of a packet 3130 * selinux_skb_extlbl_sid - Determine the external label of a packet
3131 * @skb: the packet 3131 * @skb: the packet
3132 * @base_sid: the SELinux SID to use as a context for MLS only external labels
3133 * @sid: the packet's SID 3132 * @sid: the packet's SID
3134 * 3133 *
3135 * Description: 3134 * Description:
3136 * Check the various different forms of external packet labeling and determine 3135 * Check the various different forms of external packet labeling and determine
3137 * the external SID for the packet. 3136 * the external SID for the packet. If only one form of external labeling is
3137 * present then it is used, if both labeled IPsec and NetLabel labels are
3138 * present then the SELinux type information is taken from the labeled IPsec
3139 * SA and the MLS sensitivity label information is taken from the NetLabel
3140 * security attributes. This bit of "magic" is done in the call to
3141 * selinux_netlbl_skbuff_getsid().
3138 * 3142 *
3139 */ 3143 */
3140static void selinux_skb_extlbl_sid(struct sk_buff *skb, 3144static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
3141 u32 base_sid,
3142 u32 *sid)
3143{ 3145{
3144 u32 xfrm_sid; 3146 u32 xfrm_sid;
3145 u32 nlbl_sid; 3147 u32 nlbl_sid;
@@ -3147,10 +3149,9 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb,
3147 selinux_skb_xfrm_sid(skb, &xfrm_sid); 3149 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3148 if (selinux_netlbl_skbuff_getsid(skb, 3150 if (selinux_netlbl_skbuff_getsid(skb,
3149 (xfrm_sid == SECSID_NULL ? 3151 (xfrm_sid == SECSID_NULL ?
3150 base_sid : xfrm_sid), 3152 SECINITSID_NETMSG : xfrm_sid),
3151 &nlbl_sid) != 0) 3153 &nlbl_sid) != 0)
3152 nlbl_sid = SECSID_NULL; 3154 nlbl_sid = SECSID_NULL;
3153
3154 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); 3155 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
3155} 3156}
3156 3157
@@ -3695,7 +3696,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
3695 if (sock && sock->sk->sk_family == PF_UNIX) 3696 if (sock && sock->sk->sk_family == PF_UNIX)
3696 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); 3697 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3697 else if (skb) 3698 else if (skb)
3698 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid); 3699 selinux_skb_extlbl_sid(skb, &peer_secid);
3699 3700
3700 if (peer_secid == SECSID_NULL) 3701 if (peer_secid == SECSID_NULL)
3701 err = -EINVAL; 3702 err = -EINVAL;
@@ -3756,7 +3757,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3756 u32 newsid; 3757 u32 newsid;
3757 u32 peersid; 3758 u32 peersid;
3758 3759
3759 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); 3760 selinux_skb_extlbl_sid(skb, &peersid);
3760 if (peersid == SECSID_NULL) { 3761 if (peersid == SECSID_NULL) {
3761 req->secid = sksec->sid; 3762 req->secid = sksec->sid;
3762 req->peer_secid = SECSID_NULL; 3763 req->peer_secid = SECSID_NULL;
@@ -3794,7 +3795,7 @@ static void selinux_inet_conn_established(struct sock *sk,
3794{ 3795{
3795 struct sk_security_struct *sksec = sk->sk_security; 3796 struct sk_security_struct *sksec = sk->sk_security;
3796 3797
3797 selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); 3798 selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
3798} 3799}
3799 3800
3800static void selinux_req_classify_flow(const struct request_sock *req, 3801static void selinux_req_classify_flow(const struct request_sock *req,
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index ed9155b29c1a..051b14c88e2d 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -163,9 +163,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
163 netlbl_secattr_init(&secattr); 163 netlbl_secattr_init(&secattr);
164 rc = netlbl_skbuff_getattr(skb, &secattr); 164 rc = netlbl_skbuff_getattr(skb, &secattr);
165 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 165 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
166 rc = security_netlbl_secattr_to_sid(&secattr, 166 rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
167 base_sid,
168 sid);
169 else 167 else
170 *sid = SECSID_NULL; 168 *sid = SECSID_NULL;
171 netlbl_secattr_destroy(&secattr); 169 netlbl_secattr_destroy(&secattr);
@@ -203,7 +201,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
203 if (netlbl_sock_getattr(sk, &secattr) == 0 && 201 if (netlbl_sock_getattr(sk, &secattr) == 0 &&
204 secattr.flags != NETLBL_SECATTR_NONE && 202 secattr.flags != NETLBL_SECATTR_NONE &&
205 security_netlbl_secattr_to_sid(&secattr, 203 security_netlbl_secattr_to_sid(&secattr,
206 SECINITSID_UNLABELED, 204 SECINITSID_NETMSG,
207 &nlbl_peer_sid) == 0) 205 &nlbl_peer_sid) == 0)
208 sksec->peer_sid = nlbl_peer_sid; 206 sksec->peer_sid = nlbl_peer_sid;
209 netlbl_secattr_destroy(&secattr); 207 netlbl_secattr_destroy(&secattr);
@@ -300,41 +298,42 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
300 struct avc_audit_data *ad) 298 struct avc_audit_data *ad)
301{ 299{
302 int rc; 300 int rc;
303 u32 netlbl_sid; 301 u32 nlbl_sid;
304 u32 recv_perm; 302 u32 perm;
303 struct netlbl_lsm_secattr secattr;
305 304
306 if (!netlbl_enabled()) 305 if (!netlbl_enabled())
307 return 0; 306 return 0;
308 307
309 rc = selinux_netlbl_skbuff_getsid(skb, 308 netlbl_secattr_init(&secattr);
310 SECINITSID_UNLABELED, 309 rc = netlbl_skbuff_getattr(skb, &secattr);
311 &netlbl_sid); 310 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
311 rc = security_netlbl_secattr_to_sid(&secattr,
312 SECINITSID_NETMSG,
313 &nlbl_sid);
314 else
315 nlbl_sid = SECINITSID_UNLABELED;
316 netlbl_secattr_destroy(&secattr);
312 if (rc != 0) 317 if (rc != 0)
313 return rc; 318 return rc;
314 319
315 if (netlbl_sid == SECSID_NULL)
316 return 0;
317
318 switch (sksec->sclass) { 320 switch (sksec->sclass) {
319 case SECCLASS_UDP_SOCKET: 321 case SECCLASS_UDP_SOCKET:
320 recv_perm = UDP_SOCKET__RECVFROM; 322 perm = UDP_SOCKET__RECVFROM;
321 break; 323 break;
322 case SECCLASS_TCP_SOCKET: 324 case SECCLASS_TCP_SOCKET:
323 recv_perm = TCP_SOCKET__RECVFROM; 325 perm = TCP_SOCKET__RECVFROM;
324 break; 326 break;
325 default: 327 default:
326 recv_perm = RAWIP_SOCKET__RECVFROM; 328 perm = RAWIP_SOCKET__RECVFROM;
327 } 329 }
328 330
329 rc = avc_has_perm(sksec->sid, 331 rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
330 netlbl_sid,
331 sksec->sclass,
332 recv_perm,
333 ad);
334 if (rc == 0) 332 if (rc == 0)
335 return 0; 333 return 0;
336 334
337 netlbl_skbuff_err(skb, rc); 335 if (nlbl_sid != SECINITSID_UNLABELED)
336 netlbl_skbuff_err(skb, rc);
338 return rc; 337 return rc;
339} 338}
340 339