Revert "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel"

This reverts commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0. It bit people like Michal Piotrowski: "My system is too secure, I can not login :)" because it changed how CONFIG_NETLABEL worked, and broke older SElinux policies. As a result, quoth James Morris: "Can you please revert this patch? We thought it only affected people running MLS, but it will affect others. Sorry for the hassle." Cc: James Morris <jmorris@namei.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com> Cc: Paul Moore <paul.moore@hp.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Linus Torvalds <torvalds@woody.linux-foundation.org> 2007-07-13 19:53:18 -0400
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> 2007-07-13 19:53:18 -0400
commit: 8d9107e8c50e1c4ff43c91c8841805833f3ecfb9 (patch)
tree: abc57f38cf659d4031d5a9915a088f2c47b2cc7e /security
parent: 16cefa8c3863721fd40445a1b34dea18cd16ccfe (diff)
2 files changed, 31 insertions, 24 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index aff8f46c2aa2..78c3f98fcdcf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3129,19 +3129,17 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 /**
 * selinux_skb_extlbl_sid - Determine the external label of a packet
 * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
 * @sid: the packet's SID
 *
 * Description:
 * Check the various different forms of external packet labeling and determine
- * the external SID for the packet.  If only one form of external labeling is
+ * the external SID for the packet.
- * present then it is used, if both labeled IPsec and NetLabel labels are
- * present then the SELinux type information is taken from the labeled IPsec
- * SA and the MLS sensitivity label information is taken from the NetLabel
- * security attributes.  This bit of "magic" is done in the call to
- * selinux_netlbl_skbuff_getsid().
 *
 */
-static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+                                   u32 base_sid,
+                                   u32 *sid)
 {
        u32 xfrm_sid;
        u32 nlbl_sid;
@@ -3149,9 +3147,10 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
        selinux_skb_xfrm_sid(skb, &xfrm_sid);
        if (selinux_netlbl_skbuff_getsid(skb,
                                         (xfrm_sid == SECSID_NULL ?
-                                          SECINITSID_NETMSG : xfrm_sid),
+                                          base_sid : xfrm_sid),
                                         &nlbl_sid) != 0)
                nlbl_sid = SECSID_NULL;
        *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
 }
@@ -3696,7 +3695,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
        if (sock && sock->sk->sk_family == PF_UNIX)
                selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
        else if (skb)
-                selinux_skb_extlbl_sid(skb, &peer_secid);
+                selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
        if (peer_secid == SECSID_NULL)
                err = -EINVAL;
@@ -3757,7 +3756,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
        u32 newsid;
        u32 peersid;
-        selinux_skb_extlbl_sid(skb, &peersid);
+        selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
        if (peersid == SECSID_NULL) {
                req->secid = sksec->sid;
                req->peer_secid = SECSID_NULL;
@@ -3795,7 +3794,7 @@ static void selinux_inet_conn_established(struct sock *sk,
 {
        struct sk_security_struct *sksec = sk->sk_security;
-        selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
+        selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
 }
 static void selinux_req_classify_flow(const struct request_sock *req,
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 8192e8bc9f5a..e64eca246f1a 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -158,7 +158,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
        netlbl_secattr_init(&secattr);
        rc = netlbl_skbuff_getattr(skb, &secattr);
        if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-                rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
+                rc = security_netlbl_secattr_to_sid(&secattr,
+                                                    base_sid,
+                                                    sid);
        else
                *sid = SECSID_NULL;
        netlbl_secattr_destroy(&secattr);
@@ -196,7 +198,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
        if (netlbl_sock_getattr(sk, &secattr) == 0 &&
            secattr.flags != NETLBL_SECATTR_NONE &&
            security_netlbl_secattr_to_sid(&secattr,
-                                           SECINITSID_NETMSG,
+                                           SECINITSID_UNLABELED,
                                           &nlbl_peer_sid) == 0)
                sksec->peer_sid = nlbl_peer_sid;
        netlbl_secattr_destroy(&secattr);
@@ -293,32 +295,38 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
                                struct avc_audit_data *ad)
 {
        int rc;
-        u32 nlbl_sid;
+        u32 netlbl_sid;
-        u32 perm;
+        u32 recv_perm;
-        rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid);
+        rc = selinux_netlbl_skbuff_getsid(skb,
+                                          SECINITSID_UNLABELED,
+                                          &netlbl_sid);
        if (rc != 0)
                return rc;
-        if (nlbl_sid == SECSID_NULL)
-                nlbl_sid = SECINITSID_UNLABELED;
+        if (netlbl_sid == SECSID_NULL)
+                return 0;
        switch (sksec->sclass) {
        case SECCLASS_UDP_SOCKET:
-                perm = UDP_SOCKET__RECVFROM;
+                recv_perm = UDP_SOCKET__RECVFROM;
                break;
        case SECCLASS_TCP_SOCKET:
-                perm = TCP_SOCKET__RECVFROM;
+                recv_perm = TCP_SOCKET__RECVFROM;
                break;
        default:
-                perm = RAWIP_SOCKET__RECVFROM;
+                recv_perm = RAWIP_SOCKET__RECVFROM;
        }
-        rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
+        rc = avc_has_perm(sksec->sid,
+                          netlbl_sid,
+                          sksec->sclass,
+                          recv_perm,
+                          ad);
        if (rc == 0)
                return 0;
-        if (nlbl_sid != SECINITSID_UNLABELED)
+        netlbl_skbuff_err(skb, rc);
-                netlbl_skbuff_err(skb, rc);
        return rc;
 }
author	Linus Torvalds <torvalds@woody.linux-foundation.org>	2007-07-13 19:53:18 -0400
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	2007-07-13 19:53:18 -0400
commit	8d9107e8c50e1c4ff43c91c8841805833f3ecfb9 (patch)
tree	abc57f38cf659d4031d5a9915a088f2c47b2cc7e /security
parent	16cefa8c3863721fd40445a1b34dea18cd16ccfe (diff)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index aff8f46c2aa2..78c3f98fcdcf 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3129,19 +3129,17 @@ static int selinux_parse_skb(struct sk_buff skb, struct avc_audit_data ad,
3129	/**	3129	/**
3130	* selinux_skb_extlbl_sid - Determine the external label of a packet	3130	* selinux_skb_extlbl_sid - Determine the external label of a packet
3131	* @skb: the packet	3131	* @skb: the packet
		3132	* @base_sid: the SELinux SID to use as a context for MLS only external labels
3132	* @sid: the packet's SID	3133	* @sid: the packet's SID
3133	*	3134	*
3134	* Description:	3135	* Description:
3135	* Check the various different forms of external packet labeling and determine	3136	* Check the various different forms of external packet labeling and determine
3136	* the external SID for the packet. If only one form of external labeling is	3137	* the external SID for the packet.
3137	* present then it is used, if both labeled IPsec and NetLabel labels are
3138	* present then the SELinux type information is taken from the labeled IPsec
3139	* SA and the MLS sensitivity label information is taken from the NetLabel
3140	* security attributes. This bit of "magic" is done in the call to
3141	* selinux_netlbl_skbuff_getsid().
3142	*	3138	*
3143	*/	3139	*/
3144	static void selinux_skb_extlbl_sid(struct sk_buff skb, u32 sid)	3140	static void selinux_skb_extlbl_sid(struct sk_buff *skb,
		3141	u32 base_sid,
		3142	u32 *sid)
3145	{	3143	{
3146	u32 xfrm_sid;	3144	u32 xfrm_sid;
3147	u32 nlbl_sid;	3145	u32 nlbl_sid;
@@ -3149,9 +3147,10 @@ static void selinux_skb_extlbl_sid(struct sk_buff skb, u32 sid)
3149	selinux_skb_xfrm_sid(skb, &xfrm_sid);	3147	selinux_skb_xfrm_sid(skb, &xfrm_sid);
3150	if (selinux_netlbl_skbuff_getsid(skb,	3148	if (selinux_netlbl_skbuff_getsid(skb,
3151	(xfrm_sid == SECSID_NULL ?	3149	(xfrm_sid == SECSID_NULL ?
3152	SECINITSID_NETMSG : xfrm_sid),	3150	base_sid : xfrm_sid),
3153	&nlbl_sid) != 0)	3151	&nlbl_sid) != 0)
3154	nlbl_sid = SECSID_NULL;	3152	nlbl_sid = SECSID_NULL;
		3153
3155	*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);	3154	*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
3156	}	3155	}
3157		3156
@@ -3696,7 +3695,7 @@ static int selinux_socket_getpeersec_dgram(struct socket sock, struct sk_buff
3696	if (sock && sock->sk->sk_family == PF_UNIX)	3695	if (sock && sock->sk->sk_family == PF_UNIX)
3697	selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);	3696	selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3698	else if (skb)	3697	else if (skb)
3699	selinux_skb_extlbl_sid(skb, &peer_secid);	3698	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
3700		3699
3701	if (peer_secid == SECSID_NULL)	3700	if (peer_secid == SECSID_NULL)
3702	err = -EINVAL;	3701	err = -EINVAL;
@@ -3757,7 +3756,7 @@ static int selinux_inet_conn_request(struct sock sk, struct sk_buff skb,
3757	u32 newsid;	3756	u32 newsid;
3758	u32 peersid;	3757	u32 peersid;
3759		3758
3760	selinux_skb_extlbl_sid(skb, &peersid);	3759	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
3761	if (peersid == SECSID_NULL) {	3760	if (peersid == SECSID_NULL) {
3762	req->secid = sksec->sid;	3761	req->secid = sksec->sid;
3763	req->peer_secid = SECSID_NULL;	3762	req->peer_secid = SECSID_NULL;
@@ -3795,7 +3794,7 @@ static void selinux_inet_conn_established(struct sock *sk,
3795	{	3794	{
3796	struct sk_security_struct *sksec = sk->sk_security;	3795	struct sk_security_struct *sksec = sk->sk_security;
3797		3796
3798	selinux_skb_extlbl_sid(skb, &sksec->peer_sid);	3797	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
3799	}	3798	}
3800		3799
3801	static void selinux_req_classify_flow(const struct request_sock *req,	3800	static void selinux_req_classify_flow(const struct request_sock *req,


diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 8192e8bc9f5a..e64eca246f1a 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c
@@ -158,7 +158,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff skb, u32 base_sid, u32 sid)
158	netlbl_secattr_init(&secattr);	158	netlbl_secattr_init(&secattr);
159	rc = netlbl_skbuff_getattr(skb, &secattr);	159	rc = netlbl_skbuff_getattr(skb, &secattr);
160	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)	160	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
161	rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);	161	rc = security_netlbl_secattr_to_sid(&secattr,
		162	base_sid,
		163	sid);
162	else	164	else
163	*sid = SECSID_NULL;	165	*sid = SECSID_NULL;
164	netlbl_secattr_destroy(&secattr);	166	netlbl_secattr_destroy(&secattr);
@@ -196,7 +198,7 @@ void selinux_netlbl_sock_graft(struct sock sk, struct socket sock)
196	if (netlbl_sock_getattr(sk, &secattr) == 0 &&	198	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
197	secattr.flags != NETLBL_SECATTR_NONE &&	199	secattr.flags != NETLBL_SECATTR_NONE &&
198	security_netlbl_secattr_to_sid(&secattr,	200	security_netlbl_secattr_to_sid(&secattr,
199	SECINITSID_NETMSG,	201	SECINITSID_UNLABELED,
200	&nlbl_peer_sid) == 0)	202	&nlbl_peer_sid) == 0)
201	sksec->peer_sid = nlbl_peer_sid;	203	sksec->peer_sid = nlbl_peer_sid;
202	netlbl_secattr_destroy(&secattr);	204	netlbl_secattr_destroy(&secattr);
@@ -293,32 +295,38 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
293	struct avc_audit_data *ad)	295	struct avc_audit_data *ad)
294	{	296	{
295	int rc;	297	int rc;
296	u32 nlbl_sid;	298	u32 netlbl_sid;
297	u32 perm;	299	u32 recv_perm;
298		300
299	rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid);	301	rc = selinux_netlbl_skbuff_getsid(skb,
		302	SECINITSID_UNLABELED,
		303	&netlbl_sid);
300	if (rc != 0)	304	if (rc != 0)
301	return rc;	305	return rc;
302	if (nlbl_sid == SECSID_NULL)	306
303	nlbl_sid = SECINITSID_UNLABELED;	307	if (netlbl_sid == SECSID_NULL)
		308	return 0;
304		309
305	switch (sksec->sclass) {	310	switch (sksec->sclass) {
306	case SECCLASS_UDP_SOCKET:	311	case SECCLASS_UDP_SOCKET:
307	perm = UDP_SOCKET__RECVFROM;	312	recv_perm = UDP_SOCKET__RECVFROM;
308	break;	313	break;
309	case SECCLASS_TCP_SOCKET:	314	case SECCLASS_TCP_SOCKET:
310	perm = TCP_SOCKET__RECVFROM;	315	recv_perm = TCP_SOCKET__RECVFROM;
311	break;	316	break;
312	default:	317	default:
313	perm = RAWIP_SOCKET__RECVFROM;	318	recv_perm = RAWIP_SOCKET__RECVFROM;
314	}	319	}
315		320
316	rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);	321	rc = avc_has_perm(sksec->sid,
		322	netlbl_sid,
		323	sksec->sclass,
		324	recv_perm,
		325	ad);
317	if (rc == 0)	326	if (rc == 0)
318	return 0;	327	return 0;
319		328
320	if (nlbl_sid != SECINITSID_UNLABELED)	329	netlbl_skbuff_err(skb, rc);
321	netlbl_skbuff_err(skb, rc);
322	return rc;	330	return rc;
323	}	331	}
324		332