authorPaul Moore <paul.moore@hp.com>2008-01-29 08:38:04 -0500
committerJames Morris <jmorris@namei.org>2008-01-29 16:17:20 -0500
commit75e22910cf0c26802b09dac2e34c13e648d3ed02 (patch)
treebf5f5c62f6db8a3057a0265dc7748bf310d26d4a /security
parent16efd45435fa695b501b7f73c3259bd7c77cc12c (diff)
NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function
In order to do any sort of IP header inspection of incoming packets we need to know which address family, AF_INET/AF_INET6/etc., it belongs to, and since the sk_buff structure does not store this information we need to pass the address family along separately from the packet itself.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c33
-rw-r--r--security/selinux/include/netlabel.h8
-rw-r--r--security/selinux/netlabel.c12
3 files changed, 38 insertions, 15 deletions
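--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3429,6 +3429,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 /**
  * selinux_skb_extlbl_sid - Determine the external label of a packet
  * @skb: the packet
+ * @family: protocol family
  * @sid: the packet's SID
  *
  * Description:
@@ -3441,13 +3442,16 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
  * selinux_netlbl_skbuff_getsid().
  *
  */
-static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+				   u16 family,
+				   u32 *sid)
 {
 	u32 xfrm_sid;
 	u32 nlbl_sid;
 
 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
 	if (selinux_netlbl_skbuff_getsid(skb,
+					 family,
 					 (xfrm_sid == SECSID_NULL ?
 					  SECINITSID_NETMSG : xfrm_sid),
 					 &nlbl_sid) != 0)
@@ -3940,7 +3944,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 	if (err)
 		goto out;
 
-	err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
+	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
 	if (err)
 		goto out;
 
@@ -3996,18 +4000,25 @@ out:
 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
 {
 	u32 peer_secid = SECSID_NULL;
-	int err = 0;
+	u16 family;
 
-	if (sock && sock->sk->sk_family == PF_UNIX)
+	if (sock)
+		family = sock->sk->sk_family;
+	else if (skb && skb->sk)
+		family = skb->sk->sk_family;
+	else
+		goto out;
+
+	if (sock && family == PF_UNIX)
 		selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
 	else if (skb)
-		selinux_skb_extlbl_sid(skb, &peer_secid);
+		selinux_skb_extlbl_sid(skb, family, &peer_secid);
 
-	if (peer_secid == SECSID_NULL)
-		err = -EINVAL;
+out:
 	*secid = peer_secid;
-
-	return err;
+	if (peer_secid == SECSID_NULL)
+		return -EINVAL;
+	return 0;
 }
 
 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
@@ -4062,7 +4073,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
 	u32 newsid;
 	u32 peersid;
 
-	selinux_skb_extlbl_sid(skb, &peersid);
+	selinux_skb_extlbl_sid(skb, sk->sk_family, &peersid);
 	if (peersid == SECSID_NULL) {
 		req->secid = sksec->sid;
 		req->peer_secid = SECSID_NULL;
@@ -4100,7 +4111,7 @@ static void selinux_inet_conn_established(struct sock *sk,
 {
 	struct sk_security_struct *sksec = sk->sk_security;
 
-	selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
+	selinux_skb_extlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
 }
 
 static void selinux_req_classify_flow(const struct request_sock *req,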
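Review bot: The family handed to selinux_skb_extlbl_sid() in the selinux_inet_conn_request and selinux_inet_conn_established hunks (and to selinux_netlbl_sock_rcv_skb() in the selinux_socket_sock_rcv_skb hunk) is the socket's sk_family, which is not always the address family of the packet's IP header: an AF_INET6 socket can receive v4-mapped traffic that carries an IPv4 header. If netlbl_skbuff_getattr() uses family to decide which header to parse, those packets would be inspected as IPv6; consider normalizing at the call sites, `if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) family = PF_INET;`. Separately, selinux_socket_getpeersec_dgram() now jumps to out and returns -EINVAL when neither sock nor skb->sk is set, whereas before an skb without an owning sock was still labelled through selinux_skb_extlbl_sid(); if that path is reachable it is a behaviour change worth a comment on the `else goto out;` branch. The bodies of selinux_socket_sock_rcv_skb, selinux_inet_conn_request and selinux_inet_conn_established extend outside their hunks.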
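--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -46,13 +46,17 @@ void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
 void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
 				      struct sk_security_struct *newssec);
 
-int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+				 u16 family,
+				 u32 base_sid,
+				 u32 *sid);
 
 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
 int selinux_netlbl_socket_post_create(struct socket *sock);
 int selinux_netlbl_inode_permission(struct inode *inode, int mask);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 				struct sk_buff *skb,
+				u16 family,
 				struct avc_audit_data *ad);
 int selinux_netlbl_socket_setsockopt(struct socket *sock,
 				     int level,
@@ -83,6 +87,7 @@ static inline void selinux_netlbl_sk_security_clone(
 }
 
 static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+					       u16 family,
 					       u32 base_sid,
 					       u32 *sid)
 {
@@ -106,6 +111,7 @@ static inline int selinux_netlbl_inode_permission(struct inode *inode,
 }
 static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 					      struct sk_buff *skb,
+					      u16 family,
 					      struct avc_audit_data *ad)
 {
 	return 0;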
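--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -144,6 +144,7 @@ void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
 /**
  * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
  * @skb: the packet
+ * @family: protocol family
  * @base_sid: the SELinux SID to use as a context for MLS only attributes
  * @sid: the SID
  *
@@ -153,7 +154,10 @@ void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
  * assign to the packet. Returns zero on success, negative values on failure.
  *
  */
-int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+				 u16 family,
+				 u32 base_sid,
+				 u32 *sid)
 {
 	int rc;
 	struct netlbl_lsm_secattr secattr;
@@ -164,7 +168,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
 	}
 
 	netlbl_secattr_init(&secattr);
-	rc = netlbl_skbuff_getattr(skb, &secattr);
+	rc = netlbl_skbuff_getattr(skb, family, &secattr);
 	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
 		rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
 		if (rc == 0 &&
@@ -292,6 +296,7 @@ int selinux_netlbl_inode_permission(struct inode *inode, int mask)
  * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
  * @sksec: the sock's sk_security_struct
  * @skb: the packet
+ * @family: protocol family
  * @ad: the audit data
  *
  * Description:
@@ -302,6 +307,7 @@ int selinux_netlbl_inode_permission(struct inode *inode, int mask)
  */
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 				struct sk_buff *skb,
+				u16 family,
 				struct avc_audit_data *ad)
 {
 	int rc;
@@ -313,7 +319,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 		return 0;
 
 	netlbl_secattr_init(&secattr);
-	rc = netlbl_skbuff_getattr(skb, &secattr);
+	rc = netlbl_skbuff_getattr(skb, family, &secattr);
 	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) {
 		rc = security_netlbl_secattr_to_sid(&secattr,
 						    SECINITSID_NETMSG,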
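Review bot: The new @family kerneldoc entries in the selinux_netlbl_skbuff_getsid and selinux_netlbl_sock_rcv_skb hunks say only "protocol family", which does not tell a caller whether the owning socket's family or the packet's on-the-wire family is meant, and the callers in security/selinux/hooks.c pass sk->sk_family for both. Since the commit message says the value exists to drive IP header inspection, the comment should state that contract: `@family: the address family (AF_INET/AF_INET6) of the packet's IP header`. The same wording belongs on the non-stub prototype in security/selinux/include/netlabel.h, which currently documents nothing. Both functions' bodies continue beyond their hunks.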