SELinux: Enable dynamic enable/disable of the network access checks

This patch introduces a mechanism for checking when labeled IPsec or SECMARK are in use by keeping introducing a configuration reference counter for each subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry is created the labeled IPsec/XFRM reference count is increased and when the entry is removed it is decreased. In the case of SECMARK, when a SECMARK target is created the reference count is increased and later decreased when the target is removed. These reference counters allow SELinux to quickly determine if either of these subsystems are enabled. NetLabel already has a similar mechanism which provides the netlbl_enabled() function. This patch also renames the selinux_relabel_packet_permission() function to selinux_secmark_relabel_packet_permission() as the original name and description were misleading in that they referenced a single packet label which is not the case. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2008-01-29 08:43:36 -0500
committer: James Morris <jmorris@namei.org> 2008-01-29 16:17:26 -0500
commit: d621d35e576aa20a0ddae8022c3810f38357c8ff (patch)
tree: 318e8aa890dbe715b901b11b019ebac3badb693d /security
parent: 220deb966ea51e0dedb6a187c0763120809f3e64 (diff)
4 files changed, 83 insertions, 13 deletions
diff --git a/security/selinux/exports.c b/security/selinux/exports.c
index b6f96943be1f..87d2bb3ea355 100644
--- a/security/selinux/exports.c
+++ b/security/selinux/exports.c
@@ -17,10 +17,14 @@
 #include <linux/selinux.h>
 #include <linux/fs.h>
 #include <linux/ipc.h>
+#include <asm/atomic.h>
 #include "security.h"
 #include "objsec.h"
+/* SECMARK reference count */
+extern atomic_t selinux_secmark_refcount;
 int selinux_sid_to_string(u32 sid, char **ctx, u32 *ctxlen)
 {
        if (selinux_enabled)
@@ -74,7 +78,7 @@ int selinux_string_to_sid(char *str, u32 *sid)
 }
 EXPORT_SYMBOL_GPL(selinux_string_to_sid);
-int selinux_relabel_packet_permission(u32 sid)
+int selinux_secmark_relabel_packet_permission(u32 sid)
 {
        if (selinux_enabled) {
                struct task_security_struct *tsec = current->security;
@@ -84,4 +88,16 @@ int selinux_relabel_packet_permission(u32 sid)
        }
        return 0;
 }
-EXPORT_SYMBOL_GPL(selinux_relabel_packet_permission);
+EXPORT_SYMBOL_GPL(selinux_secmark_relabel_packet_permission);
+void selinux_secmark_refcount_inc(void)
+{
+        atomic_inc(&selinux_secmark_refcount);
+}
+EXPORT_SYMBOL_GPL(selinux_secmark_refcount_inc);
+void selinux_secmark_refcount_dec(void)
+{
+        atomic_dec(&selinux_secmark_refcount);
+}
+EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bfe9a05db3a2..6156241c8770 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -51,8 +51,10 @@
 #include <net/ip.h>             /* for local_port_range[] */
 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 #include <net/net_namespace.h>
+#include <net/netlabel.h>
 #include <asm/uaccess.h>
 #include <asm/ioctls.h>
+#include <asm/atomic.h>
 #include <linux/bitops.h>
 #include <linux/interrupt.h>
 #include <linux/netdevice.h>    /* for network interface checks */
@@ -91,6 +93,9 @@ extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
 extern int selinux_compat_net;
 extern struct security_operations *security_ops;
+/* SECMARK reference count */
+atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 int selinux_enforcing = 0;
@@ -157,6 +162,21 @@ getsecurity_exit:
        return len;
 }
+/**
+ * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
+ *
+ * Description:
+ * This function checks the SECMARK reference counter to see if any SECMARK
+ * targets are currently configured, if the reference counter is greater than
+ * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
+ * enabled, false (0) if SECMARK is disabled.
+ *
+ */
+static int selinux_secmark_enabled(void)
+{
+        return (atomic_read(&selinux_secmark_refcount) > 0);
+}
 /* Allocate and free functions for each kind of security blob. */
 static int task_alloc_security(struct task_struct *task)
@@ -3931,7 +3951,6 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
        struct sk_security_struct *sksec = sk->sk_security;
        u16 family = sk->sk_family;
        u32 sk_sid = sksec->sid;
-        u32 peer_sid;
        struct avc_audit_data ad;
        char *addrp;
@@ -3957,15 +3976,24 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
                return selinux_sock_rcv_skb_compat(sk, skb, &ad,
                                                   family, addrp);
-        err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+        if (selinux_secmark_enabled()) {
-                           PACKET__RECV, &ad);
+                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
-        if (err)
+                                   PACKET__RECV, &ad);
-                return err;
+                if (err)
+                        return err;
+        }
-        err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
+        if (netlbl_enabled() || selinux_xfrm_enabled()) {
-        if (err)
+                u32 peer_sid;
-                return err;
-        return avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, PEER__RECV, &ad);
+                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
+                if (err)
+                        return err;
+                err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
+                                   PEER__RECV, &ad);
+        }
+        return err;
 }
 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 31929e39f5ca..36b0510efa7b 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -32,6 +32,13 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
 }
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
+extern atomic_t selinux_xfrm_refcount;
+static inline int selinux_xfrm_enabled(void)
+{
+        return (atomic_read(&selinux_xfrm_refcount) > 0);
+}
 int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
                        struct avc_audit_data *ad);
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
@@ -43,6 +50,11 @@ static inline void selinux_xfrm_notify_policyload(void)
        atomic_inc(&flow_cache_genid);
 }
 #else
+static inline int selinux_xfrm_enabled(void)
+{
+        return 0;
+}
 static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
                        struct avc_audit_data *ad)
 {
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index e07603969033..7e158205d081 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -46,11 +46,14 @@
 #include <net/checksum.h>
 #include <net/udp.h>
 #include <asm/semaphore.h>
+#include <asm/atomic.h>
 #include "avc.h"
 #include "objsec.h"
 #include "xfrm.h"
+/* Labeled XFRM instance counter */
+atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);
 /*
 * Returns true if an LSM/SELinux context
@@ -293,6 +296,9 @@ int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
        BUG_ON(!uctx);
        err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0);
+        if (err == 0)
+                atomic_inc(&selinux_xfrm_refcount);
        return err;
 }
@@ -340,10 +346,13 @@ int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
        struct xfrm_sec_ctx *ctx = xp->security;
        int rc = 0;
-        if (ctx)
+        if (ctx) {
                rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
                                  SECCLASS_ASSOCIATION,
                                  ASSOCIATION__SETCONTEXT, NULL);
+                if (rc == 0)
+                        atomic_dec(&selinux_xfrm_refcount);
+        }
        return rc;
 }
@@ -360,6 +369,8 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
        BUG_ON(!x);
        err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
+        if (err == 0)
+                atomic_inc(&selinux_xfrm_refcount);
        return err;
 }
@@ -382,10 +393,13 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
        struct xfrm_sec_ctx *ctx = x->security;
        int rc = 0;
-        if (ctx)
+        if (ctx) {
                rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
                                  SECCLASS_ASSOCIATION,
                                  ASSOCIATION__SETCONTEXT, NULL);
+                if (rc == 0)
+                        atomic_dec(&selinux_xfrm_refcount);
+        }
        return rc;
 }
author	Paul Moore <paul.moore@hp.com>	2008-01-29 08:43:36 -0500
committer	James Morris <jmorris@namei.org>	2008-01-29 16:17:26 -0500
commit	d621d35e576aa20a0ddae8022c3810f38357c8ff (patch)
tree	318e8aa890dbe715b901b11b019ebac3badb693d /security
parent	220deb966ea51e0dedb6a187c0763120809f3e64 (diff)

diff --git a/security/selinux/exports.c b/security/selinux/exports.c index b6f96943be1f..87d2bb3ea355 100644 --- a/security/selinux/exports.c +++ b/security/selinux/exports.c
@@ -17,10 +17,14 @@
17	#include <linux/selinux.h>	17	#include <linux/selinux.h>
18	#include <linux/fs.h>	18	#include <linux/fs.h>
19	#include <linux/ipc.h>	19	#include <linux/ipc.h>
		20	#include <asm/atomic.h>
20		21
21	#include "security.h"	22	#include "security.h"
22	#include "objsec.h"	23	#include "objsec.h"
23		24
		25	/* SECMARK reference count */
		26	extern atomic_t selinux_secmark_refcount;
		27
24	int selinux_sid_to_string(u32 sid, char *ctx, u32 ctxlen)	28	int selinux_sid_to_string(u32 sid, char *ctx, u32 ctxlen)
25	{	29	{
26	if (selinux_enabled)	30	if (selinux_enabled)
@@ -74,7 +78,7 @@ int selinux_string_to_sid(char str, u32 sid)
74	}	78	}
75	EXPORT_SYMBOL_GPL(selinux_string_to_sid);	79	EXPORT_SYMBOL_GPL(selinux_string_to_sid);
76		80
77	int selinux_relabel_packet_permission(u32 sid)	81	int selinux_secmark_relabel_packet_permission(u32 sid)
78	{	82	{
79	if (selinux_enabled) {	83	if (selinux_enabled) {
80	struct task_security_struct *tsec = current->security;	84	struct task_security_struct *tsec = current->security;
@@ -84,4 +88,16 @@ int selinux_relabel_packet_permission(u32 sid)
84	}	88	}
85	return 0;	89	return 0;
86	}	90	}
87	EXPORT_SYMBOL_GPL(selinux_relabel_packet_permission);	91	EXPORT_SYMBOL_GPL(selinux_secmark_relabel_packet_permission);
		92
		93	void selinux_secmark_refcount_inc(void)
		94	{
		95	atomic_inc(&selinux_secmark_refcount);
		96	}
		97	EXPORT_SYMBOL_GPL(selinux_secmark_refcount_inc);
		98
		99	void selinux_secmark_refcount_dec(void)
		100	{
		101	atomic_dec(&selinux_secmark_refcount);
		102	}
		103	EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec);


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index bfe9a05db3a2..6156241c8770 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -51,8 +51,10 @@
51	#include <net/ip.h> /* for local_port_range[] */	51	#include <net/ip.h> /* for local_port_range[] */
52	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */	52	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53	#include <net/net_namespace.h>	53	#include <net/net_namespace.h>
		54	#include <net/netlabel.h>
54	#include <asm/uaccess.h>	55	#include <asm/uaccess.h>
55	#include <asm/ioctls.h>	56	#include <asm/ioctls.h>
		57	#include <asm/atomic.h>
56	#include <linux/bitops.h>	58	#include <linux/bitops.h>
57	#include <linux/interrupt.h>	59	#include <linux/interrupt.h>
58	#include <linux/netdevice.h> /* for network interface checks */	60	#include <linux/netdevice.h> /* for network interface checks */
@@ -91,6 +93,9 @@ extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
91	extern int selinux_compat_net;	93	extern int selinux_compat_net;
92	extern struct security_operations *security_ops;	94	extern struct security_operations *security_ops;
93		95
		96	/* SECMARK reference count */
		97	atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
		98
94	#ifdef CONFIG_SECURITY_SELINUX_DEVELOP	99	#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
95	int selinux_enforcing = 0;	100	int selinux_enforcing = 0;
96		101
@@ -157,6 +162,21 @@ getsecurity_exit:
157	return len;	162	return len;
158	}	163	}
159		164
		165	/**
		166	* selinux_secmark_enabled - Check to see if SECMARK is currently enabled
		167	*
		168	* Description:
		169	* This function checks the SECMARK reference counter to see if any SECMARK
		170	* targets are currently configured, if the reference counter is greater than
		171	* zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
		172	* enabled, false (0) if SECMARK is disabled.
		173	*
		174	*/
		175	static int selinux_secmark_enabled(void)
		176	{
		177	return (atomic_read(&selinux_secmark_refcount) > 0);
		178	}
		179
160	/* Allocate and free functions for each kind of security blob. */	180	/* Allocate and free functions for each kind of security blob. */
161		181
162	static int task_alloc_security(struct task_struct *task)	182	static int task_alloc_security(struct task_struct *task)
@@ -3931,7 +3951,6 @@ static int selinux_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
3931	struct sk_security_struct *sksec = sk->sk_security;	3951	struct sk_security_struct *sksec = sk->sk_security;
3932	u16 family = sk->sk_family;	3952	u16 family = sk->sk_family;
3933	u32 sk_sid = sksec->sid;	3953	u32 sk_sid = sksec->sid;
3934	u32 peer_sid;
3935	struct avc_audit_data ad;	3954	struct avc_audit_data ad;
3936	char *addrp;	3955	char *addrp;
3937		3956
@@ -3957,15 +3976,24 @@ static int selinux_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
3957	return selinux_sock_rcv_skb_compat(sk, skb, &ad,	3976	return selinux_sock_rcv_skb_compat(sk, skb, &ad,
3958	family, addrp);	3977	family, addrp);
3959		3978
3960	err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,	3979	if (selinux_secmark_enabled()) {
3961	PACKET__RECV, &ad);	3980	err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3962	if (err)	3981	PACKET__RECV, &ad);
3963	return err;	3982	if (err)
		3983	return err;
		3984	}
3964		3985
3965	err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);	3986	if (netlbl_enabled() \|\| selinux_xfrm_enabled()) {
3966	if (err)	3987	u32 peer_sid;
3967	return err;	3988
3968	return avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, PEER__RECV, &ad);	3989	err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
		3990	if (err)
		3991	return err;
		3992	err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
		3993	PEER__RECV, &ad);
		3994	}
		3995
		3996	return err;
3969	}	3997	}
3970		3998
3971	static int selinux_socket_getpeersec_stream(struct socket sock, char __user optval,	3999	static int selinux_socket_getpeersec_stream(struct socket sock, char __user optval,


diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index 31929e39f5ca..36b0510efa7b 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h
@@ -32,6 +32,13 @@ static inline struct inode_security_struct get_sock_isec(struct sock sk)
32	}	32	}
33		33
34	#ifdef CONFIG_SECURITY_NETWORK_XFRM	34	#ifdef CONFIG_SECURITY_NETWORK_XFRM
		35	extern atomic_t selinux_xfrm_refcount;
		36
		37	static inline int selinux_xfrm_enabled(void)
		38	{
		39	return (atomic_read(&selinux_xfrm_refcount) > 0);
		40	}
		41
35	int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,	42	int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
36	struct avc_audit_data *ad);	43	struct avc_audit_data *ad);
37	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,	44	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
@@ -43,6 +50,11 @@ static inline void selinux_xfrm_notify_policyload(void)
43	atomic_inc(&flow_cache_genid);	50	atomic_inc(&flow_cache_genid);
44	}	51	}
45	#else	52	#else
		53	static inline int selinux_xfrm_enabled(void)
		54	{
		55	return 0;
		56	}
		57
46	static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,	58	static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
47	struct avc_audit_data *ad)	59	struct avc_audit_data *ad)
48	{	60	{


diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index e07603969033..7e158205d081 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c
@@ -46,11 +46,14 @@
46	#include <net/checksum.h>	46	#include <net/checksum.h>
47	#include <net/udp.h>	47	#include <net/udp.h>
48	#include <asm/semaphore.h>	48	#include <asm/semaphore.h>
		49	#include <asm/atomic.h>
49		50
50	#include "avc.h"	51	#include "avc.h"
51	#include "objsec.h"	52	#include "objsec.h"
52	#include "xfrm.h"	53	#include "xfrm.h"
53		54
		55	/* Labeled XFRM instance counter */
		56	atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);
54		57
55	/*	58	/*
56	* Returns true if an LSM/SELinux context	59	* Returns true if an LSM/SELinux context
@@ -293,6 +296,9 @@ int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
293	BUG_ON(!uctx);	296	BUG_ON(!uctx);
294		297
295	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0);	298	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0);
		299	if (err == 0)
		300	atomic_inc(&selinux_xfrm_refcount);
		301
296	return err;	302	return err;
297	}	303	}
298		304
@@ -340,10 +346,13 @@ int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
340	struct xfrm_sec_ctx *ctx = xp->security;	346	struct xfrm_sec_ctx *ctx = xp->security;
341	int rc = 0;	347	int rc = 0;
342		348
343	if (ctx)	349	if (ctx) {
344	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,	350	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
345	SECCLASS_ASSOCIATION,	351	SECCLASS_ASSOCIATION,
346	ASSOCIATION__SETCONTEXT, NULL);	352	ASSOCIATION__SETCONTEXT, NULL);
		353	if (rc == 0)
		354	atomic_dec(&selinux_xfrm_refcount);
		355	}
347		356
348	return rc;	357	return rc;
349	}	358	}
@@ -360,6 +369,8 @@ int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx uct
360	BUG_ON(!x);	369	BUG_ON(!x);
361		370
362	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);	371	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
		372	if (err == 0)
		373	atomic_inc(&selinux_xfrm_refcount);
363	return err;	374	return err;
364	}	375	}
365		376
@@ -382,10 +393,13 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
382	struct xfrm_sec_ctx *ctx = x->security;	393	struct xfrm_sec_ctx *ctx = x->security;
383	int rc = 0;	394	int rc = 0;
384		395
385	if (ctx)	396	if (ctx) {
386	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,	397	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
387	SECCLASS_ASSOCIATION,	398	SECCLASS_ASSOCIATION,
388	ASSOCIATION__SETCONTEXT, NULL);	399	ASSOCIATION__SETCONTEXT, NULL);
		400	if (rc == 0)
		401	atomic_dec(&selinux_xfrm_refcount);
		402	}
389		403
390	return rc;	404	return rc;
391	}	405	}