diff options
| author | Paul Moore <pmoore@redhat.com> | 2013-12-10 14:57:54 -0500 |
|---|---|---|
| committer | Paul Moore <pmoore@redhat.com> | 2013-12-12 17:21:31 -0500 |
| commit | 817eff718dca4e54d5721211ddde0914428fbb7c (patch) | |
| tree | af7ee8d6ca454532624c7148e9f96bd1a67c0cb3 /security | |
| parent | 446b802437f285de68ffb8d6fac3c44c3cab5b04 (diff) | |
selinux: look for IPsec labels on both inbound and outbound packets
Previously selinux_skb_peerlbl_sid() would only check for labeled
IPsec security labels on inbound packets, this patch enables it to
check both inbound and outbound traffic for labeled IPsec security
labels.
Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/hooks.c | 2 | ||||
| -rw-r--r-- | security/selinux/include/xfrm.h | 8 | ||||
| -rw-r--r-- | security/selinux/xfrm.c | 51 |
3 files changed, 47 insertions, 14 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index cc076a9b0344..8b2812312ae4 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -3829,7 +3829,7 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) | |||
| 3829 | u32 nlbl_sid; | 3829 | u32 nlbl_sid; |
| 3830 | u32 nlbl_type; | 3830 | u32 nlbl_type; |
| 3831 | 3831 | ||
| 3832 | err = selinux_skb_xfrm_sid(skb, &xfrm_sid); | 3832 | err = selinux_xfrm_skb_sid(skb, &xfrm_sid); |
| 3833 | if (unlikely(err)) | 3833 | if (unlikely(err)) |
| 3834 | return -EACCES; | 3834 | return -EACCES; |
| 3835 | err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); | 3835 | err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); |
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index 0dec76c64cf5..48c3cc94c168 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h | |||
| @@ -39,6 +39,7 @@ int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb, | |||
| 39 | int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, | 39 | int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, |
| 40 | struct common_audit_data *ad, u8 proto); | 40 | struct common_audit_data *ad, u8 proto); |
| 41 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); | 41 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); |
| 42 | int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid); | ||
| 42 | 43 | ||
| 43 | static inline void selinux_xfrm_notify_policyload(void) | 44 | static inline void selinux_xfrm_notify_policyload(void) |
| 44 | { | 45 | { |
| @@ -79,11 +80,12 @@ static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, | |||
| 79 | static inline void selinux_xfrm_notify_policyload(void) | 80 | static inline void selinux_xfrm_notify_policyload(void) |
| 80 | { | 81 | { |
| 81 | } | 82 | } |
| 82 | #endif | ||
| 83 | 83 | ||
| 84 | static inline int selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid) | 84 | static inline int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid) |
| 85 | { | 85 | { |
| 86 | return selinux_xfrm_decode_session(skb, sid, 0); | 86 | *sid = SECSID_NULL; |
| 87 | return 0; | ||
| 87 | } | 88 | } |
| 89 | #endif | ||
| 88 | 90 | ||
| 89 | #endif /* _SELINUX_XFRM_H_ */ | 91 | #endif /* _SELINUX_XFRM_H_ */ |
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index cf79a4564e38..0462cb3ff0a7 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
| @@ -209,19 +209,26 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, | |||
| 209 | NULL) ? 0 : 1); | 209 | NULL) ? 0 : 1); |
| 210 | } | 210 | } |
| 211 | 211 | ||
| 212 | /* | 212 | static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb) |
| 213 | * LSM hook implementation that checks and/or returns the xfrm sid for the | ||
| 214 | * incoming packet. | ||
| 215 | */ | ||
| 216 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) | ||
| 217 | { | 213 | { |
| 218 | u32 sid_session = SECSID_NULL; | 214 | struct dst_entry *dst = skb_dst(skb); |
| 219 | struct sec_path *sp; | 215 | struct xfrm_state *x; |
| 220 | 216 | ||
| 221 | if (skb == NULL) | 217 | if (dst == NULL) |
| 222 | goto out; | 218 | return SECSID_NULL; |
| 219 | x = dst->xfrm; | ||
| 220 | if (x == NULL || !selinux_authorizable_xfrm(x)) | ||
| 221 | return SECSID_NULL; | ||
| 222 | |||
| 223 | return x->security->ctx_sid; | ||
| 224 | } | ||
| 225 | |||
| 226 | static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb, | ||
| 227 | u32 *sid, int ckall) | ||
| 228 | { | ||
| 229 | u32 sid_session = SECSID_NULL; | ||
| 230 | struct sec_path *sp = skb->sp; | ||
| 223 | 231 | ||
| 224 | sp = skb->sp; | ||
| 225 | if (sp) { | 232 | if (sp) { |
| 226 | int i; | 233 | int i; |
| 227 | 234 | ||
| @@ -248,6 +255,30 @@ out: | |||
| 248 | } | 255 | } |
| 249 | 256 | ||
| 250 | /* | 257 | /* |
| 258 | * LSM hook implementation that checks and/or returns the xfrm sid for the | ||
| 259 | * incoming packet. | ||
| 260 | */ | ||
| 261 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) | ||
| 262 | { | ||
| 263 | if (skb == NULL) { | ||
| 264 | *sid = SECSID_NULL; | ||
| 265 | return 0; | ||
| 266 | } | ||
| 267 | return selinux_xfrm_skb_sid_ingress(skb, sid, ckall); | ||
| 268 | } | ||
| 269 | |||
| 270 | int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid) | ||
| 271 | { | ||
| 272 | int rc; | ||
| 273 | |||
| 274 | rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0); | ||
| 275 | if (rc == 0 && *sid == SECSID_NULL) | ||
| 276 | *sid = selinux_xfrm_skb_sid_egress(skb); | ||
| 277 | |||
| 278 | return rc; | ||
| 279 | } | ||
| 280 | |||
| 281 | /* | ||
| 251 | * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy. | 282 | * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy. |
| 252 | */ | 283 | */ |
| 253 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, | 284 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, |