aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c4
-rw-r--r--security/selinux/include/netif.h4
-rw-r--r--security/selinux/include/objsec.h5
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/netif.c254
-rw-r--r--security/selinux/ss/services.c10
6 files changed, 155 insertions, 125 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5df12072c8d5..be544332214c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3853,7 +3853,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3853 if (!skb->dev) 3853 if (!skb->dev)
3854 goto out; 3854 goto out;
3855 3855
3856 err = sel_netif_sids(skb->dev, &if_sid, NULL); 3856 err = sel_netif_sid(skb->iif, &if_sid);
3857 if (err) 3857 if (err)
3858 goto out; 3858 goto out;
3859 3859
@@ -4178,7 +4178,7 @@ static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *
4178 4178
4179 isec = inode->i_security; 4179 isec = inode->i_security;
4180 4180
4181 err = sel_netif_sids(dev, &if_sid, NULL); 4181 err = sel_netif_sid(dev->ifindex, &if_sid);
4182 if (err) 4182 if (err)
4183 goto out; 4183 goto out;
4184 4184
diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h
index 8bd6f9992d2b..ce23edd128b3 100644
--- a/security/selinux/include/netif.h
+++ b/security/selinux/include/netif.h
@@ -7,6 +7,8 @@
7 * Author: James Morris <jmorris@redhat.com> 7 * Author: James Morris <jmorris@redhat.com>
8 * 8 *
9 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 9 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
10 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
11 * Paul Moore, <paul.moore@hp.com>
10 * 12 *
11 * This program is free software; you can redistribute it and/or modify 13 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2, 14 * it under the terms of the GNU General Public License version 2,
@@ -15,7 +17,7 @@
15#ifndef _SELINUX_NETIF_H_ 17#ifndef _SELINUX_NETIF_H_
16#define _SELINUX_NETIF_H_ 18#define _SELINUX_NETIF_H_
17 19
18int sel_netif_sids(struct net_device *dev, u32 *if_sid, u32 *msg_sid); 20int sel_netif_sid(int ifindex, u32 *sid);
19 21
20#endif /* _SELINUX_NETIF_H_ */ 22#endif /* _SELINUX_NETIF_H_ */
21 23
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 4138a80f8e27..2d0a92e97d5a 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -96,9 +96,8 @@ struct bprm_security_struct {
96}; 96};
97 97
98struct netif_security_struct { 98struct netif_security_struct {
99 struct net_device *dev; /* back pointer */ 99 int ifindex; /* device index */
100 u32 if_sid; /* SID for this interface */ 100 u32 sid; /* SID for this interface */
101 u32 msg_sid; /* default SID for messages received on this interface */
102}; 101};
103 102
104struct sk_security_struct { 103struct sk_security_struct {
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 39337afffec2..a33437bba932 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -77,8 +77,7 @@ int security_get_user_sids(u32 callsid, char *username,
77int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port, 77int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port,
78 u32 *out_sid); 78 u32 *out_sid);
79 79
80int security_netif_sid(char *name, u32 *if_sid, 80int security_netif_sid(char *name, u32 *if_sid);
81 u32 *msg_sid);
82 81
83int security_node_sid(u16 domain, void *addr, u32 addrlen, 82int security_node_sid(u16 domain, void *addr, u32 addrlen,
84 u32 *out_sid); 83 u32 *out_sid);
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index e87ab948104c..ee49a7382875 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -7,6 +7,8 @@
7 * Author: James Morris <jmorris@redhat.com> 7 * Author: James Morris <jmorris@redhat.com>
8 * 8 *
9 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 9 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
10 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
11 * Paul Moore <paul.moore@hp.com>
10 * 12 *
11 * This program is free software; you can redistribute it and/or modify 13 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2, 14 * it under the terms of the GNU General Public License version 2,
@@ -29,14 +31,6 @@
29#define SEL_NETIF_HASH_SIZE 64 31#define SEL_NETIF_HASH_SIZE 64
30#define SEL_NETIF_HASH_MAX 1024 32#define SEL_NETIF_HASH_MAX 1024
31 33
32#undef DEBUG
33
34#ifdef DEBUG
35#define DEBUGP printk
36#else
37#define DEBUGP(format, args...)
38#endif
39
40struct sel_netif 34struct sel_netif
41{ 35{
42 struct list_head list; 36 struct list_head list;
@@ -49,174 +43,217 @@ static LIST_HEAD(sel_netif_list);
49static DEFINE_SPINLOCK(sel_netif_lock); 43static DEFINE_SPINLOCK(sel_netif_lock);
50static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE]; 44static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
51 45
52static inline u32 sel_netif_hasfn(struct net_device *dev) 46/**
47 * sel_netif_hashfn - Hashing function for the interface table
48 * @ifindex: the network interface
49 *
50 * Description:
51 * This is the hashing function for the network interface table, it returns the
52 * bucket number for the given interface.
53 *
54 */
55static inline u32 sel_netif_hashfn(int ifindex)
53{ 56{
54 return (dev->ifindex & (SEL_NETIF_HASH_SIZE - 1)); 57 return (ifindex & (SEL_NETIF_HASH_SIZE - 1));
55} 58}
56 59
57/* 60/**
58 * All of the devices should normally fit in the hash, so we optimize 61 * sel_netif_find - Search for an interface record
59 * for that case. 62 * @ifindex: the network interface
63 *
64 * Description:
65 * Search the network interface table and return the record matching @ifindex.
66 * If an entry can not be found in the table return NULL.
67 *
60 */ 68 */
61static inline struct sel_netif *sel_netif_find(struct net_device *dev) 69static inline struct sel_netif *sel_netif_find(int ifindex)
62{ 70{
63 struct list_head *pos; 71 int idx = sel_netif_hashfn(ifindex);
64 int idx = sel_netif_hasfn(dev); 72 struct sel_netif *netif;
65 73
66 __list_for_each_rcu(pos, &sel_netif_hash[idx]) { 74 list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list)
67 struct sel_netif *netif = list_entry(pos, 75 /* all of the devices should normally fit in the hash, so we
68 struct sel_netif, list); 76 * optimize for that case */
69 if (likely(netif->nsec.dev == dev)) 77 if (likely(netif->nsec.ifindex == ifindex))
70 return netif; 78 return netif;
71 } 79
72 return NULL; 80 return NULL;
73} 81}
74 82
83/**
84 * sel_netif_insert - Insert a new interface into the table
85 * @netif: the new interface record
86 *
87 * Description:
88 * Add a new interface record to the network interface hash table. Returns
89 * zero on success, negative values on failure.
90 *
91 */
75static int sel_netif_insert(struct sel_netif *netif) 92static int sel_netif_insert(struct sel_netif *netif)
76{ 93{
77 int idx, ret = 0; 94 int idx;
78 95
79 if (sel_netif_total >= SEL_NETIF_HASH_MAX) { 96 if (sel_netif_total >= SEL_NETIF_HASH_MAX)
80 ret = -ENOSPC; 97 return -ENOSPC;
81 goto out;
82 }
83 98
84 idx = sel_netif_hasfn(netif->nsec.dev); 99 idx = sel_netif_hashfn(netif->nsec.ifindex);
85 list_add_rcu(&netif->list, &sel_netif_hash[idx]); 100 list_add_rcu(&netif->list, &sel_netif_hash[idx]);
86 sel_netif_total++; 101 sel_netif_total++;
87out: 102
88 return ret; 103 return 0;
89} 104}
90 105
106/**
107 * sel_netif_free - Frees an interface entry
108 * @p: the entry's RCU field
109 *
110 * Description:
111 * This function is designed to be used as a callback to the call_rcu()
112 * function so that memory allocated to a hash table interface entry can be
113 * released safely.
114 *
115 */
91static void sel_netif_free(struct rcu_head *p) 116static void sel_netif_free(struct rcu_head *p)
92{ 117{
93 struct sel_netif *netif = container_of(p, struct sel_netif, rcu_head); 118 struct sel_netif *netif = container_of(p, struct sel_netif, rcu_head);
94
95 DEBUGP("%s: %s\n", __FUNCTION__, netif->nsec.dev->name);
96 kfree(netif); 119 kfree(netif);
97} 120}
98 121
122/**
123 * sel_netif_destroy - Remove an interface record from the table
124 * @netif: the existing interface record
125 *
126 * Description:
127 * Remove an existing interface record from the network interface table.
128 *
129 */
99static void sel_netif_destroy(struct sel_netif *netif) 130static void sel_netif_destroy(struct sel_netif *netif)
100{ 131{
101 DEBUGP("%s: %s\n", __FUNCTION__, netif->nsec.dev->name);
102
103 list_del_rcu(&netif->list); 132 list_del_rcu(&netif->list);
104 sel_netif_total--; 133 sel_netif_total--;
105 call_rcu(&netif->rcu_head, sel_netif_free); 134 call_rcu(&netif->rcu_head, sel_netif_free);
106} 135}
107 136
108static struct sel_netif *sel_netif_lookup(struct net_device *dev) 137/**
138 * sel_netif_sid_slow - Lookup the SID of a network interface using the policy
139 * @ifindex: the network interface
140 * @sid: interface SID
141 *
142 * Description:
143 * This function determines the SID of a network interface by quering the
144 * security policy. The result is added to the network interface table to
145 * speedup future queries. Returns zero on success, negative values on
146 * failure.
147 *
148 */
149static int sel_netif_sid_slow(int ifindex, u32 *sid)
109{ 150{
110 int ret; 151 int ret;
111 struct sel_netif *netif, *new; 152 struct sel_netif *netif;
112 struct netif_security_struct *nsec; 153 struct sel_netif *new = NULL;
154 struct net_device *dev;
113 155
114 netif = sel_netif_find(dev); 156 /* NOTE: we always use init's network namespace since we don't
115 if (likely(netif != NULL)) 157 * currently support containers */
116 goto out;
117
118 new = kzalloc(sizeof(*new), GFP_ATOMIC);
119 if (!new) {
120 netif = ERR_PTR(-ENOMEM);
121 goto out;
122 }
123
124 nsec = &new->nsec;
125 158
126 ret = security_netif_sid(dev->name, &nsec->if_sid, &nsec->msg_sid); 159 dev = dev_get_by_index(&init_net, ifindex);
127 if (ret < 0) { 160 if (dev == NULL)
128 kfree(new); 161 return -ENOENT;
129 netif = ERR_PTR(ret);
130 goto out;
131 }
132 162
133 nsec->dev = dev;
134
135 spin_lock_bh(&sel_netif_lock); 163 spin_lock_bh(&sel_netif_lock);
136 164 netif = sel_netif_find(ifindex);
137 netif = sel_netif_find(dev); 165 if (netif != NULL) {
138 if (netif) { 166 *sid = netif->nsec.sid;
139 spin_unlock_bh(&sel_netif_lock); 167 ret = 0;
140 kfree(new);
141 goto out; 168 goto out;
142 } 169 }
143 170 new = kzalloc(sizeof(*new), GFP_ATOMIC);
144 ret = sel_netif_insert(new); 171 if (new == NULL) {
145 spin_unlock_bh(&sel_netif_lock); 172 ret = -ENOMEM;
146
147 if (ret) {
148 kfree(new);
149 netif = ERR_PTR(ret);
150 goto out; 173 goto out;
151 } 174 }
175 ret = security_netif_sid(dev->name, &new->nsec.sid);
176 if (ret != 0)
177 goto out;
178 new->nsec.ifindex = ifindex;
179 ret = sel_netif_insert(new);
180 if (ret != 0)
181 goto out;
182 *sid = new->nsec.sid;
152 183
153 netif = new;
154
155 DEBUGP("new: ifindex=%u name=%s if_sid=%u msg_sid=%u\n", dev->ifindex, dev->name,
156 nsec->if_sid, nsec->msg_sid);
157out: 184out:
158 return netif; 185 spin_unlock_bh(&sel_netif_lock);
159} 186 dev_put(dev);
160 187 if (ret != 0)
161static void sel_netif_assign_sids(u32 if_sid_in, u32 msg_sid_in, u32 *if_sid_out, u32 *msg_sid_out) 188 kfree(new);
162{
163 if (if_sid_out)
164 *if_sid_out = if_sid_in;
165 if (msg_sid_out)
166 *msg_sid_out = msg_sid_in;
167}
168
169static int sel_netif_sids_slow(struct net_device *dev, u32 *if_sid, u32 *msg_sid)
170{
171 int ret = 0;
172 u32 tmp_if_sid, tmp_msg_sid;
173
174 ret = security_netif_sid(dev->name, &tmp_if_sid, &tmp_msg_sid);
175 if (!ret)
176 sel_netif_assign_sids(tmp_if_sid, tmp_msg_sid, if_sid, msg_sid);
177 return ret; 189 return ret;
178} 190}
179 191
180int sel_netif_sids(struct net_device *dev, u32 *if_sid, u32 *msg_sid) 192/**
193 * sel_netif_sid - Lookup the SID of a network interface
194 * @ifindex: the network interface
195 * @sid: interface SID
196 *
197 * Description:
198 * This function determines the SID of a network interface using the fastest
199 * method possible. First the interface table is queried, but if an entry
200 * can't be found then the policy is queried and the result is added to the
201 * table to speedup future queries. Returns zero on success, negative values
202 * on failure.
203 *
204 */
205int sel_netif_sid(int ifindex, u32 *sid)
181{ 206{
182 int ret = 0;
183 struct sel_netif *netif; 207 struct sel_netif *netif;
184 208
185 rcu_read_lock(); 209 rcu_read_lock();
186 netif = sel_netif_lookup(dev); 210 netif = sel_netif_find(ifindex);
187 if (IS_ERR(netif)) { 211 if (likely(netif != NULL)) {
212 *sid = netif->nsec.sid;
188 rcu_read_unlock(); 213 rcu_read_unlock();
189 ret = sel_netif_sids_slow(dev, if_sid, msg_sid); 214 return 0;
190 goto out;
191 } 215 }
192 sel_netif_assign_sids(netif->nsec.if_sid, netif->nsec.msg_sid, if_sid, msg_sid);
193 rcu_read_unlock(); 216 rcu_read_unlock();
194out: 217
195 return ret; 218 return sel_netif_sid_slow(ifindex, sid);
196} 219}
197 220
198static void sel_netif_kill(struct net_device *dev) 221/**
222 * sel_netif_kill - Remove an entry from the network interface table
223 * @ifindex: the network interface
224 *
225 * Description:
226 * This function removes the entry matching @ifindex from the network interface
227 * table if it exists.
228 *
229 */
230static void sel_netif_kill(int ifindex)
199{ 231{
200 struct sel_netif *netif; 232 struct sel_netif *netif;
201 233
202 spin_lock_bh(&sel_netif_lock); 234 spin_lock_bh(&sel_netif_lock);
203 netif = sel_netif_find(dev); 235 netif = sel_netif_find(ifindex);
204 if (netif) 236 if (netif)
205 sel_netif_destroy(netif); 237 sel_netif_destroy(netif);
206 spin_unlock_bh(&sel_netif_lock); 238 spin_unlock_bh(&sel_netif_lock);
207} 239}
208 240
241/**
242 * sel_netif_flush - Flush the entire network interface table
243 *
244 * Description:
245 * Remove all entries from the network interface table.
246 *
247 */
209static void sel_netif_flush(void) 248static void sel_netif_flush(void)
210{ 249{
211 int idx; 250 int idx;
251 struct sel_netif *netif;
212 252
213 spin_lock_bh(&sel_netif_lock); 253 spin_lock_bh(&sel_netif_lock);
214 for (idx = 0; idx < SEL_NETIF_HASH_SIZE; idx++) { 254 for (idx = 0; idx < SEL_NETIF_HASH_SIZE; idx++)
215 struct sel_netif *netif;
216
217 list_for_each_entry(netif, &sel_netif_hash[idx], list) 255 list_for_each_entry(netif, &sel_netif_hash[idx], list)
218 sel_netif_destroy(netif); 256 sel_netif_destroy(netif);
219 }
220 spin_unlock_bh(&sel_netif_lock); 257 spin_unlock_bh(&sel_netif_lock);
221} 258}
222 259
@@ -239,7 +276,7 @@ static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
239 return NOTIFY_DONE; 276 return NOTIFY_DONE;
240 277
241 if (event == NETDEV_DOWN) 278 if (event == NETDEV_DOWN)
242 sel_netif_kill(dev); 279 sel_netif_kill(dev->ifindex);
243 280
244 return NOTIFY_DONE; 281 return NOTIFY_DONE;
245} 282}
@@ -250,10 +287,10 @@ static struct notifier_block sel_netif_netdev_notifier = {
250 287
251static __init int sel_netif_init(void) 288static __init int sel_netif_init(void)
252{ 289{
253 int i, err = 0; 290 int i, err;
254 291
255 if (!selinux_enabled) 292 if (!selinux_enabled)
256 goto out; 293 return 0;
257 294
258 for (i = 0; i < SEL_NETIF_HASH_SIZE; i++) 295 for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)
259 INIT_LIST_HEAD(&sel_netif_hash[i]); 296 INIT_LIST_HEAD(&sel_netif_hash[i]);
@@ -265,7 +302,6 @@ static __init int sel_netif_init(void)
265 if (err) 302 if (err)
266 panic("avc_add_callback() failed, error %d\n", err); 303 panic("avc_add_callback() failed, error %d\n", err);
267 304
268out:
269 return err; 305 return err;
270} 306}
271 307
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 0f97ef578370..8dfaa3e7c26d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1478,11 +1478,8 @@ out:
1478 * security_netif_sid - Obtain the SID for a network interface. 1478 * security_netif_sid - Obtain the SID for a network interface.
1479 * @name: interface name 1479 * @name: interface name
1480 * @if_sid: interface SID 1480 * @if_sid: interface SID
1481 * @msg_sid: default SID for received packets
1482 */ 1481 */
1483int security_netif_sid(char *name, 1482int security_netif_sid(char *name, u32 *if_sid)
1484 u32 *if_sid,
1485 u32 *msg_sid)
1486{ 1483{
1487 int rc = 0; 1484 int rc = 0;
1488 struct ocontext *c; 1485 struct ocontext *c;
@@ -1510,11 +1507,8 @@ int security_netif_sid(char *name,
1510 goto out; 1507 goto out;
1511 } 1508 }
1512 *if_sid = c->sid[0]; 1509 *if_sid = c->sid[0];
1513 *msg_sid = c->sid[1]; 1510 } else
1514 } else {
1515 *if_sid = SECINITSID_NETIF; 1511 *if_sid = SECINITSID_NETIF;
1516 *msg_sid = SECINITSID_NETMSG;
1517 }
1518 1512
1519out: 1513out:
1520 POLICY_RDUNLOCK; 1514 POLICY_RDUNLOCK;