1 files changed, 76 insertions, 43 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 0c219a1b3243..bfe122764c98 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2172,7 +2172,12 @@ struct netlbl_cache {
 */
 static void selinux_netlbl_cache_free(const void *data)
 {
-        struct netlbl_cache *cache = NETLBL_CACHE(data);
+        struct netlbl_cache *cache;
+        if (data == NULL)
+                return;
+        cache = NETLBL_CACHE(data);
        switch (cache->type) {
        case NETLBL_CACHE_T_MLS:
                ebitmap_destroy(&cache->data.mls_label.level[0].cat);
@@ -2197,17 +2202,20 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
        struct netlbl_lsm_secattr secattr;
        netlbl_secattr_init(&secattr);
+        secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
+        if (secattr.cache == NULL)
+                goto netlbl_cache_add_return;
        cache = kzalloc(sizeof(*cache), GFP_ATOMIC);
        if (cache == NULL)
-                goto netlbl_cache_add_failure;
+                goto netlbl_cache_add_return;
-        secattr.cache.free = selinux_netlbl_cache_free;
+        secattr.cache->free = selinux_netlbl_cache_free;
-        secattr.cache.data = (void *)cache;
+        secattr.cache->data = (void *)cache;
        cache->type = NETLBL_CACHE_T_MLS;
        if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
                        &ctx->range.level[0].cat) != 0)
-                goto netlbl_cache_add_failure;
+                goto netlbl_cache_add_return;
        cache->data.mls_label.level[1].cat.highbit =
                cache->data.mls_label.level[0].cat.highbit;
        cache->data.mls_label.level[1].cat.node =
@@ -2215,13 +2223,10 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
        cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
        cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
-        if (netlbl_cache_add(skb, &secattr) != 0)
+        netlbl_cache_add(skb, &secattr);
-                goto netlbl_cache_add_failure;
-        return;
-netlbl_cache_add_failure:
+netlbl_cache_add_return:
-        netlbl_secattr_destroy(&secattr, 1);
+        netlbl_secattr_destroy(&secattr);
 }
 /**
@@ -2263,8 +2268,8 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
        POLICY_RDLOCK;
-        if (secattr->cache.data) {
+        if (secattr->cache) {
-                cache = NETLBL_CACHE(secattr->cache.data);
+                cache = NETLBL_CACHE(secattr->cache->data);
                switch (cache->type) {
                case NETLBL_CACHE_T_SID:
                        *sid = cache->data.sid;
@@ -2331,7 +2336,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
                        selinux_netlbl_cache_add(skb, &ctx_new);
                ebitmap_destroy(&ctx_new.range.level[0].cat);
        } else {
-                *sid = SECINITSID_UNLABELED;
+                *sid = SECSID_NULL;
                rc = 0;
        }
@@ -2369,7 +2374,7 @@ static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
                                                   &secattr,
                                                   base_sid,
                                                   sid);
-        netlbl_secattr_destroy(&secattr, 0);
+        netlbl_secattr_destroy(&secattr);
        return rc;
 }
@@ -2394,31 +2399,33 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
        if (!ss_initialized)
                return 0;
+        netlbl_secattr_init(&secattr);
        POLICY_RDLOCK;
        ctx = sidtab_search(&sidtab, sid);
        if (ctx == NULL)
                goto netlbl_socket_setsid_return;
-        netlbl_secattr_init(&secattr);
        secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
                                 GFP_ATOMIC);
        mls_export_lvl(ctx, &secattr.mls_lvl, NULL);
        secattr.mls_lvl_vld = 1;
-        mls_export_cat(ctx,
+        rc = mls_export_cat(ctx,
-                       &secattr.mls_cat,
+                            &secattr.mls_cat,
-                       &secattr.mls_cat_len,
+                            &secattr.mls_cat_len,
-                       NULL,
+                            NULL,
-                       NULL);
+                            NULL);
+        if (rc != 0)
+                goto netlbl_socket_setsid_return;
        rc = netlbl_socket_setattr(sock, &secattr);
        if (rc == 0)
                sksec->nlbl_state = NLBL_LABELED;
-        netlbl_secattr_destroy(&secattr, 0);
 netlbl_socket_setsid_return:
        POLICY_RDUNLOCK;
+        netlbl_secattr_destroy(&secattr);
        return rc;
 }
@@ -2514,10 +2521,10 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
        if (netlbl_sock_getattr(sk, &secattr) == 0 &&
            selinux_netlbl_secattr_to_sid(NULL,
                                          &secattr,
-                                          sksec->sid,
+                                          SECINITSID_UNLABELED,
                                          &nlbl_peer_sid) == 0)
                sksec->peer_sid = nlbl_peer_sid;
-        netlbl_secattr_destroy(&secattr, 0);
+        netlbl_secattr_destroy(&secattr);
        sksec->nlbl_state = NLBL_REQUIRE;
@@ -2547,9 +2554,6 @@ u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
        if (rc != 0)
                return SECSID_NULL;
-        if (peer_sid == SECINITSID_UNLABELED)
-                return SECSID_NULL;
        return peer_sid;
 }
@@ -2611,11 +2615,13 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
        u32 netlbl_sid;
        u32 recv_perm;
-        rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &netlbl_sid);
+        rc = selinux_netlbl_skbuff_getsid(skb,
+                                          SECINITSID_UNLABELED,
+                                          &netlbl_sid);
        if (rc != 0)
                return rc;
-        if (netlbl_sid == SECINITSID_UNLABELED)
+        if (netlbl_sid == SECSID_NULL)
                return 0;
        switch (sksec->sclass) {
@@ -2653,10 +2659,6 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
 {
        struct sk_security_struct *sksec = sock->sk->sk_security;
-        if (sksec->peer_sid == SECINITSID_UNLABELED)
-                return SECSID_NULL;
        return sksec->peer_sid;
 }
@@ -2672,18 +2674,49 @@ u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
 u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
 {
        int peer_sid;
-        struct sock *sk = skb->sk;
-        struct inode_security_struct *isec;
-        if (sk == NULL || sk->sk_socket == NULL)
+        if (selinux_netlbl_skbuff_getsid(skb,
-                return SECSID_NULL;
+                                         SECINITSID_UNLABELED,
+                                         &peer_sid) != 0)
-        isec = SOCK_INODE(sk->sk_socket)->i_security;
-        if (selinux_netlbl_skbuff_getsid(skb, isec->sid, &peer_sid) != 0)
-                return SECSID_NULL;
-        if (peer_sid == SECINITSID_UNLABELED)
                return SECSID_NULL;
        return peer_sid;
 }
+/**
+ * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
+ * @sock: the socket
+ * @level: the socket level or protocol
+ * @optname: the socket option name
+ *
+ * Description:
+ * Check the setsockopt() call and if the user is trying to replace the IP
+ * options on a socket and a NetLabel is in place for the socket deny the
+ * access; otherwise allow the access.  Returns zero when the access is
+ * allowed, -EACCES when denied, and other negative values on error.
+ *
+ */
+int selinux_netlbl_socket_setsockopt(struct socket *sock,
+                                     int level,
+                                     int optname)
+{
+        int rc = 0;
+        struct inode *inode = SOCK_INODE(sock);
+        struct sk_security_struct *sksec = sock->sk->sk_security;
+        struct inode_security_struct *isec = inode->i_security;
+        struct netlbl_lsm_secattr secattr;
+        mutex_lock(&isec->lock);
+        if (level == IPPROTO_IP && optname == IP_OPTIONS &&
+            sksec->nlbl_state == NLBL_LABELED) {
+                netlbl_secattr_init(&secattr);
+                rc = netlbl_socket_getattr(sock, &secattr);
+                if (rc == 0 && (secattr.cache || secattr.mls_lvl_vld))
+                        rc = -EACCES;
+                netlbl_secattr_destroy(&secattr);
+        }
+        mutex_unlock(&isec->lock);
+        return rc;
+}
 #endif /* CONFIG_NETLABEL */

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 0c219a1b3243..bfe122764c98 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -2172,7 +2172,12 @@ struct netlbl_cache {
2172	*/	2172	*/
2173	static void selinux_netlbl_cache_free(const void *data)	2173	static void selinux_netlbl_cache_free(const void *data)
2174	{	2174	{
2175	struct netlbl_cache *cache = NETLBL_CACHE(data);	2175	struct netlbl_cache *cache;
		2176
		2177	if (data == NULL)
		2178	return;
		2179
		2180	cache = NETLBL_CACHE(data);
2176	switch (cache->type) {	2181	switch (cache->type) {
2177	case NETLBL_CACHE_T_MLS:	2182	case NETLBL_CACHE_T_MLS:
2178	ebitmap_destroy(&cache->data.mls_label.level[0].cat);	2183	ebitmap_destroy(&cache->data.mls_label.level[0].cat);
@@ -2197,17 +2202,20 @@ static void selinux_netlbl_cache_add(struct sk_buff skb, struct context ctx)
2197	struct netlbl_lsm_secattr secattr;	2202	struct netlbl_lsm_secattr secattr;
2198		2203
2199	netlbl_secattr_init(&secattr);	2204	netlbl_secattr_init(&secattr);
		2205	secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
		2206	if (secattr.cache == NULL)
		2207	goto netlbl_cache_add_return;
2200		2208
2201	cache = kzalloc(sizeof(*cache), GFP_ATOMIC);	2209	cache = kzalloc(sizeof(*cache), GFP_ATOMIC);
2202	if (cache == NULL)	2210	if (cache == NULL)
2203	goto netlbl_cache_add_failure;	2211	goto netlbl_cache_add_return;
2204	secattr.cache.free = selinux_netlbl_cache_free;	2212	secattr.cache->free = selinux_netlbl_cache_free;
2205	secattr.cache.data = (void *)cache;	2213	secattr.cache->data = (void *)cache;
2206		2214
2207	cache->type = NETLBL_CACHE_T_MLS;	2215	cache->type = NETLBL_CACHE_T_MLS;
2208	if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,	2216	if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
2209	&ctx->range.level[0].cat) != 0)	2217	&ctx->range.level[0].cat) != 0)
2210	goto netlbl_cache_add_failure;	2218	goto netlbl_cache_add_return;
2211	cache->data.mls_label.level[1].cat.highbit =	2219	cache->data.mls_label.level[1].cat.highbit =
2212	cache->data.mls_label.level[0].cat.highbit;	2220	cache->data.mls_label.level[0].cat.highbit;
2213	cache->data.mls_label.level[1].cat.node =	2221	cache->data.mls_label.level[1].cat.node =
@@ -2215,13 +2223,10 @@ static void selinux_netlbl_cache_add(struct sk_buff skb, struct context ctx)
2215	cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;	2223	cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
2216	cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;	2224	cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
2217		2225
2218	if (netlbl_cache_add(skb, &secattr) != 0)	2226	netlbl_cache_add(skb, &secattr);
2219	goto netlbl_cache_add_failure;
2220
2221	return;
2222		2227
2223	netlbl_cache_add_failure:	2228	netlbl_cache_add_return:
2224	netlbl_secattr_destroy(&secattr, 1);	2229	netlbl_secattr_destroy(&secattr);
2225	}	2230	}
2226		2231
2227	/**	2232	/**
@@ -2263,8 +2268,8 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
2263		2268
2264	POLICY_RDLOCK;	2269	POLICY_RDLOCK;
2265		2270
2266	if (secattr->cache.data) {	2271	if (secattr->cache) {
2267	cache = NETLBL_CACHE(secattr->cache.data);	2272	cache = NETLBL_CACHE(secattr->cache->data);
2268	switch (cache->type) {	2273	switch (cache->type) {
2269	case NETLBL_CACHE_T_SID:	2274	case NETLBL_CACHE_T_SID:
2270	*sid = cache->data.sid;	2275	*sid = cache->data.sid;
@@ -2331,7 +2336,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
2331	selinux_netlbl_cache_add(skb, &ctx_new);	2336	selinux_netlbl_cache_add(skb, &ctx_new);
2332	ebitmap_destroy(&ctx_new.range.level[0].cat);	2337	ebitmap_destroy(&ctx_new.range.level[0].cat);
2333	} else {	2338	} else {
2334	*sid = SECINITSID_UNLABELED;	2339	*sid = SECSID_NULL;
2335	rc = 0;	2340	rc = 0;
2336	}	2341	}
2337		2342
@@ -2369,7 +2374,7 @@ static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
2369	&secattr,	2374	&secattr,
2370	base_sid,	2375	base_sid,
2371	sid);	2376	sid);
2372	netlbl_secattr_destroy(&secattr, 0);	2377	netlbl_secattr_destroy(&secattr);
2373		2378
2374	return rc;	2379	return rc;
2375	}	2380	}
@@ -2394,31 +2399,33 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
2394	if (!ss_initialized)	2399	if (!ss_initialized)
2395	return 0;	2400	return 0;
2396		2401
		2402	netlbl_secattr_init(&secattr);
		2403
2397	POLICY_RDLOCK;	2404	POLICY_RDLOCK;
2398		2405
2399	ctx = sidtab_search(&sidtab, sid);	2406	ctx = sidtab_search(&sidtab, sid);
2400	if (ctx == NULL)	2407	if (ctx == NULL)
2401	goto netlbl_socket_setsid_return;	2408	goto netlbl_socket_setsid_return;
2402		2409
2403	netlbl_secattr_init(&secattr);
2404	secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],	2410	secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
2405	GFP_ATOMIC);	2411	GFP_ATOMIC);
2406	mls_export_lvl(ctx, &secattr.mls_lvl, NULL);	2412	mls_export_lvl(ctx, &secattr.mls_lvl, NULL);
2407	secattr.mls_lvl_vld = 1;	2413	secattr.mls_lvl_vld = 1;
2408	mls_export_cat(ctx,	2414	rc = mls_export_cat(ctx,
2409	&secattr.mls_cat,	2415	&secattr.mls_cat,
2410	&secattr.mls_cat_len,	2416	&secattr.mls_cat_len,
2411	NULL,	2417	NULL,
2412	NULL);	2418	NULL);
		2419	if (rc != 0)
		2420	goto netlbl_socket_setsid_return;
2413		2421
2414	rc = netlbl_socket_setattr(sock, &secattr);	2422	rc = netlbl_socket_setattr(sock, &secattr);
2415	if (rc == 0)	2423	if (rc == 0)
2416	sksec->nlbl_state = NLBL_LABELED;	2424	sksec->nlbl_state = NLBL_LABELED;
2417		2425
2418	netlbl_secattr_destroy(&secattr, 0);
2419
2420	netlbl_socket_setsid_return:	2426	netlbl_socket_setsid_return:
2421	POLICY_RDUNLOCK;	2427	POLICY_RDUNLOCK;
		2428	netlbl_secattr_destroy(&secattr);
2422	return rc;	2429	return rc;
2423	}	2430	}
2424		2431
@@ -2514,10 +2521,10 @@ void selinux_netlbl_sock_graft(struct sock sk, struct socket sock)
2514	if (netlbl_sock_getattr(sk, &secattr) == 0 &&	2521	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
2515	selinux_netlbl_secattr_to_sid(NULL,	2522	selinux_netlbl_secattr_to_sid(NULL,
2516	&secattr,	2523	&secattr,
2517	sksec->sid,	2524	SECINITSID_UNLABELED,
2518	&nlbl_peer_sid) == 0)	2525	&nlbl_peer_sid) == 0)
2519	sksec->peer_sid = nlbl_peer_sid;	2526	sksec->peer_sid = nlbl_peer_sid;
2520	netlbl_secattr_destroy(&secattr, 0);	2527	netlbl_secattr_destroy(&secattr);
2521		2528
2522	sksec->nlbl_state = NLBL_REQUIRE;	2529	sksec->nlbl_state = NLBL_REQUIRE;
2523		2530
@@ -2547,9 +2554,6 @@ u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
2547	if (rc != 0)	2554	if (rc != 0)
2548	return SECSID_NULL;	2555	return SECSID_NULL;
2549		2556
2550	if (peer_sid == SECINITSID_UNLABELED)
2551	return SECSID_NULL;
2552
2553	return peer_sid;	2557	return peer_sid;
2554	}	2558	}
2555		2559
@@ -2611,11 +2615,13 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
2611	u32 netlbl_sid;	2615	u32 netlbl_sid;
2612	u32 recv_perm;	2616	u32 recv_perm;
2613		2617
2614	rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &netlbl_sid);	2618	rc = selinux_netlbl_skbuff_getsid(skb,
		2619	SECINITSID_UNLABELED,
		2620	&netlbl_sid);
2615	if (rc != 0)	2621	if (rc != 0)
2616	return rc;	2622	return rc;
2617		2623
2618	if (netlbl_sid == SECINITSID_UNLABELED)	2624	if (netlbl_sid == SECSID_NULL)
2619	return 0;	2625	return 0;
2620		2626
2621	switch (sksec->sclass) {	2627	switch (sksec->sclass) {
@@ -2653,10 +2659,6 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
2653	u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)	2659	u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
2654	{	2660	{
2655	struct sk_security_struct *sksec = sock->sk->sk_security;	2661	struct sk_security_struct *sksec = sock->sk->sk_security;
2656
2657	if (sksec->peer_sid == SECINITSID_UNLABELED)
2658	return SECSID_NULL;
2659
2660	return sksec->peer_sid;	2662	return sksec->peer_sid;
2661	}	2663	}
2662		2664
@@ -2672,18 +2674,49 @@ u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
2672	u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)	2674	u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
2673	{	2675	{
2674	int peer_sid;	2676	int peer_sid;
2675	struct sock *sk = skb->sk;
2676	struct inode_security_struct *isec;
2677		2677
2678	if (sk == NULL \|\| sk->sk_socket == NULL)	2678	if (selinux_netlbl_skbuff_getsid(skb,
2679	return SECSID_NULL;	2679	SECINITSID_UNLABELED,
2680		2680	&peer_sid) != 0)
2681	isec = SOCK_INODE(sk->sk_socket)->i_security;
2682	if (selinux_netlbl_skbuff_getsid(skb, isec->sid, &peer_sid) != 0)
2683	return SECSID_NULL;
2684	if (peer_sid == SECINITSID_UNLABELED)
2685	return SECSID_NULL;	2681	return SECSID_NULL;
2686		2682
2687	return peer_sid;	2683	return peer_sid;
2688	}	2684	}
		2685
		2686	/**
		2687	* selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
		2688	* @sock: the socket
		2689	* @level: the socket level or protocol
		2690	* @optname: the socket option name
		2691	*
		2692	* Description:
		2693	* Check the setsockopt() call and if the user is trying to replace the IP
		2694	* options on a socket and a NetLabel is in place for the socket deny the
		2695	* access; otherwise allow the access. Returns zero when the access is
		2696	* allowed, -EACCES when denied, and other negative values on error.
		2697	*
		2698	*/
		2699	int selinux_netlbl_socket_setsockopt(struct socket *sock,
		2700	int level,
		2701	int optname)
		2702	{
		2703	int rc = 0;
		2704	struct inode *inode = SOCK_INODE(sock);
		2705	struct sk_security_struct *sksec = sock->sk->sk_security;
		2706	struct inode_security_struct *isec = inode->i_security;
		2707	struct netlbl_lsm_secattr secattr;
		2708
		2709	mutex_lock(&isec->lock);
		2710	if (level == IPPROTO_IP && optname == IP_OPTIONS &&
		2711	sksec->nlbl_state == NLBL_LABELED) {
		2712	netlbl_secattr_init(&secattr);
		2713	rc = netlbl_socket_getattr(sock, &secattr);
		2714	if (rc == 0 && (secattr.cache \|\| secattr.mls_lvl_vld))
		2715	rc = -EACCES;
		2716	netlbl_secattr_destroy(&secattr);
		2717	}
		2718	mutex_unlock(&isec->lock);
		2719
		2720	return rc;
		2721	}
2689	#endif /* CONFIG_NETLABEL */	2722	#endif /* CONFIG_NETLABEL */