1 files changed, 49 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a91146a6b37d..7432bdd5d367 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4407,13 +4407,15 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
        u32 peer_sid;
        struct avc_audit_data ad;
        u8 secmark_active;
+        u8 netlbl_active;
        u8 peerlbl_active;
        if (!selinux_policycap_netpeer)
                return NF_ACCEPT;
        secmark_active = selinux_secmark_enabled();
-        peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
+        netlbl_active = netlbl_enabled();
+        peerlbl_active = netlbl_active || selinux_xfrm_enabled();
        if (!secmark_active && !peerlbl_active)
                return NF_ACCEPT;
@@ -4440,6 +4442,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
                                 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
                        return NF_DROP;
+        if (netlbl_active)
+                /* we do this in the FORWARD path and not the POST_ROUTING
+                 * path because we want to make sure we apply the necessary
+                 * labeling before IPsec is applied so we can leverage AH
+                 * protection */
+                if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
+                        return NF_DROP;
        return NF_ACCEPT;
 }
@@ -4463,6 +4473,37 @@ static unsigned int selinux_ipv6_forward(unsigned int hooknum,
 }
 #endif  /* IPV6 */
+static unsigned int selinux_ip_output(struct sk_buff *skb,
+                                      u16 family)
+{
+        u32 sid;
+        if (!netlbl_enabled())
+                return NF_ACCEPT;
+        /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
+         * because we want to make sure we apply the necessary labeling
+         * before IPsec is applied so we can leverage AH protection */
+        if (skb->sk) {
+                struct sk_security_struct *sksec = skb->sk->sk_security;
+                sid = sksec->sid;
+        } else
+                sid = SECINITSID_KERNEL;
+        if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
+                return NF_DROP;
+        return NF_ACCEPT;
+}
+static unsigned int selinux_ipv4_output(unsigned int hooknum,
+                                        struct sk_buff *skb,
+                                        const struct net_device *in,
+                                        const struct net_device *out,
+                                        int (*okfn)(struct sk_buff *))
+{
+        return selinux_ip_output(skb, PF_INET);
+}
 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
                                                int ifindex,
                                                struct avc_audit_data *ad,
@@ -5700,6 +5741,13 @@ static struct nf_hook_ops selinux_ipv4_ops[] = {
                .pf =           PF_INET,
                .hooknum =      NF_INET_FORWARD,
                .priority =     NF_IP_PRI_SELINUX_FIRST,
+        },
+        {
+                .hook =         selinux_ipv4_output,
+                .owner =        THIS_MODULE,
+                .pf =           PF_INET,
+                .hooknum =      NF_INET_LOCAL_OUT,
+                .priority =     NF_IP_PRI_SELINUX_FIRST,
        }
 };

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a91146a6b37d..7432bdd5d367 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -4407,13 +4407,15 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4407	u32 peer_sid;	4407	u32 peer_sid;
4408	struct avc_audit_data ad;	4408	struct avc_audit_data ad;
4409	u8 secmark_active;	4409	u8 secmark_active;
		4410	u8 netlbl_active;
4410	u8 peerlbl_active;	4411	u8 peerlbl_active;
4411		4412
4412	if (!selinux_policycap_netpeer)	4413	if (!selinux_policycap_netpeer)
4413	return NF_ACCEPT;	4414	return NF_ACCEPT;
4414		4415
4415	secmark_active = selinux_secmark_enabled();	4416	secmark_active = selinux_secmark_enabled();
4416	peerlbl_active = netlbl_enabled() \|\| selinux_xfrm_enabled();	4417	netlbl_active = netlbl_enabled();
		4418	peerlbl_active = netlbl_active \|\| selinux_xfrm_enabled();
4417	if (!secmark_active && !peerlbl_active)	4419	if (!secmark_active && !peerlbl_active)
4418	return NF_ACCEPT;	4420	return NF_ACCEPT;
4419		4421
@@ -4440,6 +4442,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4440	SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))	4442	SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4441	return NF_DROP;	4443	return NF_DROP;
4442		4444
		4445	if (netlbl_active)
		4446	/* we do this in the FORWARD path and not the POST_ROUTING
		4447	* path because we want to make sure we apply the necessary
		4448	* labeling before IPsec is applied so we can leverage AH
		4449	* protection */
		4450	if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
		4451	return NF_DROP;
		4452
4443	return NF_ACCEPT;	4453	return NF_ACCEPT;
4444	}	4454	}
4445		4455
@@ -4463,6 +4473,37 @@ static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4463	}	4473	}
4464	#endif /* IPV6 */	4474	#endif /* IPV6 */
4465		4475
		4476	static unsigned int selinux_ip_output(struct sk_buff *skb,
		4477	u16 family)
		4478	{
		4479	u32 sid;
		4480
		4481	if (!netlbl_enabled())
		4482	return NF_ACCEPT;
		4483
		4484	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
		4485	* because we want to make sure we apply the necessary labeling
		4486	* before IPsec is applied so we can leverage AH protection */
		4487	if (skb->sk) {
		4488	struct sk_security_struct *sksec = skb->sk->sk_security;
		4489	sid = sksec->sid;
		4490	} else
		4491	sid = SECINITSID_KERNEL;
		4492	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
		4493	return NF_DROP;
		4494
		4495	return NF_ACCEPT;
		4496	}
		4497
		4498	static unsigned int selinux_ipv4_output(unsigned int hooknum,
		4499	struct sk_buff *skb,
		4500	const struct net_device *in,
		4501	const struct net_device *out,
		4502	int (okfn)(struct sk_buff ))
		4503	{
		4504	return selinux_ip_output(skb, PF_INET);
		4505	}
		4506
4466	static int selinux_ip_postroute_iptables_compat(struct sock *sk,	4507	static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4467	int ifindex,	4508	int ifindex,
4468	struct avc_audit_data *ad,	4509	struct avc_audit_data *ad,
@@ -5700,6 +5741,13 @@ static struct nf_hook_ops selinux_ipv4_ops[] = {
5700	.pf = PF_INET,	5741	.pf = PF_INET,
5701	.hooknum = NF_INET_FORWARD,	5742	.hooknum = NF_INET_FORWARD,
5702	.priority = NF_IP_PRI_SELINUX_FIRST,	5743	.priority = NF_IP_PRI_SELINUX_FIRST,
		5744	},
		5745	{
		5746	.hook = selinux_ipv4_output,
		5747	.owner = THIS_MODULE,
		5748	.pf = PF_INET,
		5749	.hooknum = NF_INET_LOCAL_OUT,
		5750	.priority = NF_IP_PRI_SELINUX_FIRST,
5703	}	5751	}
5704	};	5752	};
5705		5753