diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/hooks.c | 33 | ||||
| -rw-r--r-- | security/selinux/include/netif.h | 4 | ||||
| -rw-r--r-- | security/selinux/include/objsec.h | 2 | ||||
| -rw-r--r-- | security/selinux/netif.c | 43 |
4 files changed, 46 insertions, 36 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 50978d3183ea..5eb512b7ac31 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -4307,15 +4307,15 @@ static int selinux_socket_unix_may_send(struct socket *sock, | |||
| 4307 | &ad); | 4307 | &ad); |
| 4308 | } | 4308 | } |
| 4309 | 4309 | ||
| 4310 | static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, | 4310 | static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, |
| 4311 | u32 peer_sid, | 4311 | char *addrp, u16 family, u32 peer_sid, |
| 4312 | struct common_audit_data *ad) | 4312 | struct common_audit_data *ad) |
| 4313 | { | 4313 | { |
| 4314 | int err; | 4314 | int err; |
| 4315 | u32 if_sid; | 4315 | u32 if_sid; |
| 4316 | u32 node_sid; | 4316 | u32 node_sid; |
| 4317 | 4317 | ||
| 4318 | err = sel_netif_sid(ifindex, &if_sid); | 4318 | err = sel_netif_sid(ns, ifindex, &if_sid); |
| 4319 | if (err) | 4319 | if (err) |
| 4320 | return err; | 4320 | return err; |
| 4321 | err = avc_has_perm(peer_sid, if_sid, | 4321 | err = avc_has_perm(peer_sid, if_sid, |
| @@ -4408,8 +4408,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
| 4408 | err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); | 4408 | err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); |
| 4409 | if (err) | 4409 | if (err) |
| 4410 | return err; | 4410 | return err; |
| 4411 | err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family, | 4411 | err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, |
| 4412 | peer_sid, &ad); | 4412 | addrp, family, peer_sid, &ad); |
| 4413 | if (err) { | 4413 | if (err) { |
| 4414 | selinux_netlbl_err(skb, err, 0); | 4414 | selinux_netlbl_err(skb, err, 0); |
| 4415 | return err; | 4415 | return err; |
| @@ -4748,7 +4748,8 @@ out: | |||
| 4748 | 4748 | ||
| 4749 | #ifdef CONFIG_NETFILTER | 4749 | #ifdef CONFIG_NETFILTER |
| 4750 | 4750 | ||
| 4751 | static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, | 4751 | static unsigned int selinux_ip_forward(struct sk_buff *skb, |
| 4752 | const struct net_device *indev, | ||
| 4752 | u16 family) | 4753 | u16 family) |
| 4753 | { | 4754 | { |
| 4754 | int err; | 4755 | int err; |
| @@ -4774,14 +4775,14 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, | |||
| 4774 | 4775 | ||
| 4775 | ad.type = LSM_AUDIT_DATA_NET; | 4776 | ad.type = LSM_AUDIT_DATA_NET; |
| 4776 | ad.u.net = &net; | 4777 | ad.u.net = &net; |
| 4777 | ad.u.net->netif = ifindex; | 4778 | ad.u.net->netif = indev->ifindex; |
| 4778 | ad.u.net->family = family; | 4779 | ad.u.net->family = family; |
| 4779 | if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) | 4780 | if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) |
| 4780 | return NF_DROP; | 4781 | return NF_DROP; |
| 4781 | 4782 | ||
| 4782 | if (peerlbl_active) { | 4783 | if (peerlbl_active) { |
| 4783 | err = selinux_inet_sys_rcv_skb(ifindex, addrp, family, | 4784 | err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, |
| 4784 | peer_sid, &ad); | 4785 | addrp, family, peer_sid, &ad); |
| 4785 | if (err) { | 4786 | if (err) { |
| 4786 | selinux_netlbl_err(skb, err, 1); | 4787 | selinux_netlbl_err(skb, err, 1); |
| 4787 | return NF_DROP; | 4788 | return NF_DROP; |
| @@ -4810,7 +4811,7 @@ static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops, | |||
| 4810 | const struct net_device *out, | 4811 | const struct net_device *out, |
| 4811 | int (*okfn)(struct sk_buff *)) | 4812 | int (*okfn)(struct sk_buff *)) |
| 4812 | { | 4813 | { |
| 4813 | return selinux_ip_forward(skb, in->ifindex, PF_INET); | 4814 | return selinux_ip_forward(skb, in, PF_INET); |
| 4814 | } | 4815 | } |
| 4815 | 4816 | ||
| 4816 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 4817 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| @@ -4820,7 +4821,7 @@ static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops, | |||
| 4820 | const struct net_device *out, | 4821 | const struct net_device *out, |
| 4821 | int (*okfn)(struct sk_buff *)) | 4822 | int (*okfn)(struct sk_buff *)) |
| 4822 | { | 4823 | { |
| 4823 | return selinux_ip_forward(skb, in->ifindex, PF_INET6); | 4824 | return selinux_ip_forward(skb, in, PF_INET6); |
| 4824 | } | 4825 | } |
| 4825 | #endif /* IPV6 */ | 4826 | #endif /* IPV6 */ |
| 4826 | 4827 | ||
| @@ -4908,11 +4909,13 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
| 4908 | return NF_ACCEPT; | 4909 | return NF_ACCEPT; |
| 4909 | } | 4910 | } |
| 4910 | 4911 | ||
| 4911 | static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | 4912 | static unsigned int selinux_ip_postroute(struct sk_buff *skb, |
| 4913 | const struct net_device *outdev, | ||
| 4912 | u16 family) | 4914 | u16 family) |
| 4913 | { | 4915 | { |
| 4914 | u32 secmark_perm; | 4916 | u32 secmark_perm; |
| 4915 | u32 peer_sid; | 4917 | u32 peer_sid; |
| 4918 | int ifindex = outdev->ifindex; | ||
| 4916 | struct sock *sk; | 4919 | struct sock *sk; |
| 4917 | struct common_audit_data ad; | 4920 | struct common_audit_data ad; |
| 4918 | struct lsm_network_audit net = {0,}; | 4921 | struct lsm_network_audit net = {0,}; |
| @@ -5025,7 +5028,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 5025 | u32 if_sid; | 5028 | u32 if_sid; |
| 5026 | u32 node_sid; | 5029 | u32 node_sid; |
| 5027 | 5030 | ||
| 5028 | if (sel_netif_sid(ifindex, &if_sid)) | 5031 | if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) |
| 5029 | return NF_DROP; | 5032 | return NF_DROP; |
| 5030 | if (avc_has_perm(peer_sid, if_sid, | 5033 | if (avc_has_perm(peer_sid, if_sid, |
| 5031 | SECCLASS_NETIF, NETIF__EGRESS, &ad)) | 5034 | SECCLASS_NETIF, NETIF__EGRESS, &ad)) |
| @@ -5047,7 +5050,7 @@ static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops, | |||
| 5047 | const struct net_device *out, | 5050 | const struct net_device *out, |
| 5048 | int (*okfn)(struct sk_buff *)) | 5051 | int (*okfn)(struct sk_buff *)) |
| 5049 | { | 5052 | { |
| 5050 | return selinux_ip_postroute(skb, out->ifindex, PF_INET); | 5053 | return selinux_ip_postroute(skb, out, PF_INET); |
| 5051 | } | 5054 | } |
| 5052 | 5055 | ||
| 5053 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 5056 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| @@ -5057,7 +5060,7 @@ static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops, | |||
| 5057 | const struct net_device *out, | 5060 | const struct net_device *out, |
| 5058 | int (*okfn)(struct sk_buff *)) | 5061 | int (*okfn)(struct sk_buff *)) |
| 5059 | { | 5062 | { |
| 5060 | return selinux_ip_postroute(skb, out->ifindex, PF_INET6); | 5063 | return selinux_ip_postroute(skb, out, PF_INET6); |
| 5061 | } | 5064 | } |
| 5062 | #endif /* IPV6 */ | 5065 | #endif /* IPV6 */ |
| 5063 | 5066 | ||
diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h index 57c6eae81eac..c72145444090 100644 --- a/security/selinux/include/netif.h +++ b/security/selinux/include/netif.h | |||
| @@ -17,9 +17,11 @@ | |||
| 17 | #ifndef _SELINUX_NETIF_H_ | 17 | #ifndef _SELINUX_NETIF_H_ |
| 18 | #define _SELINUX_NETIF_H_ | 18 | #define _SELINUX_NETIF_H_ |
| 19 | 19 | ||
| 20 | #include <net/net_namespace.h> | ||
| 21 | |||
| 20 | void sel_netif_flush(void); | 22 | void sel_netif_flush(void); |
| 21 | 23 | ||
| 22 | int sel_netif_sid(int ifindex, u32 *sid); | 24 | int sel_netif_sid(struct net *ns, int ifindex, u32 *sid); |
| 23 | 25 | ||
| 24 | #endif /* _SELINUX_NETIF_H_ */ | 26 | #endif /* _SELINUX_NETIF_H_ */ |
| 25 | 27 | ||
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 078e553f52f2..81fa718d5cb3 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h | |||
| @@ -24,6 +24,7 @@ | |||
| 24 | #include <linux/binfmts.h> | 24 | #include <linux/binfmts.h> |
| 25 | #include <linux/in.h> | 25 | #include <linux/in.h> |
| 26 | #include <linux/spinlock.h> | 26 | #include <linux/spinlock.h> |
| 27 | #include <net/net_namespace.h> | ||
| 27 | #include "flask.h" | 28 | #include "flask.h" |
| 28 | #include "avc.h" | 29 | #include "avc.h" |
| 29 | 30 | ||
| @@ -78,6 +79,7 @@ struct ipc_security_struct { | |||
| 78 | }; | 79 | }; |
| 79 | 80 | ||
| 80 | struct netif_security_struct { | 81 | struct netif_security_struct { |
| 82 | struct net *ns; /* network namespace */ | ||
| 81 | int ifindex; /* device index */ | 83 | int ifindex; /* device index */ |
| 82 | u32 sid; /* SID for this interface */ | 84 | u32 sid; /* SID for this interface */ |
| 83 | }; | 85 | }; |
diff --git a/security/selinux/netif.c b/security/selinux/netif.c index 3c3de4ca0ebc..485524c477a4 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c | |||
| @@ -45,6 +45,7 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE]; | |||
| 45 | 45 | ||
| 46 | /** | 46 | /** |
| 47 | * sel_netif_hashfn - Hashing function for the interface table | 47 | * sel_netif_hashfn - Hashing function for the interface table |
| 48 | * @ns: the network namespace | ||
| 48 | * @ifindex: the network interface | 49 | * @ifindex: the network interface |
| 49 | * | 50 | * |
| 50 | * Description: | 51 | * Description: |
| @@ -52,13 +53,14 @@ static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE]; | |||
| 52 | * bucket number for the given interface. | 53 | * bucket number for the given interface. |
| 53 | * | 54 | * |
| 54 | */ | 55 | */ |
| 55 | static inline u32 sel_netif_hashfn(int ifindex) | 56 | static inline u32 sel_netif_hashfn(const struct net *ns, int ifindex) |
| 56 | { | 57 | { |
| 57 | return (ifindex & (SEL_NETIF_HASH_SIZE - 1)); | 58 | return (((uintptr_t)ns + ifindex) & (SEL_NETIF_HASH_SIZE - 1)); |
| 58 | } | 59 | } |
| 59 | 60 | ||
| 60 | /** | 61 | /** |
| 61 | * sel_netif_find - Search for an interface record | 62 | * sel_netif_find - Search for an interface record |
| 63 | * @ns: the network namespace | ||
| 62 | * @ifindex: the network interface | 64 | * @ifindex: the network interface |
| 63 | * | 65 | * |
| 64 | * Description: | 66 | * Description: |
| @@ -66,15 +68,15 @@ static inline u32 sel_netif_hashfn(int ifindex) | |||
| 66 | * If an entry can not be found in the table return NULL. | 68 | * If an entry can not be found in the table return NULL. |
| 67 | * | 69 | * |
| 68 | */ | 70 | */ |
| 69 | static inline struct sel_netif *sel_netif_find(int ifindex) | 71 | static inline struct sel_netif *sel_netif_find(const struct net *ns, |
| 72 | int ifindex) | ||
| 70 | { | 73 | { |
| 71 | int idx = sel_netif_hashfn(ifindex); | 74 | int idx = sel_netif_hashfn(ns, ifindex); |
| 72 | struct sel_netif *netif; | 75 | struct sel_netif *netif; |
| 73 | 76 | ||
| 74 | list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list) | 77 | list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list) |
| 75 | /* all of the devices should normally fit in the hash, so we | 78 | if (net_eq(netif->nsec.ns, ns) && |
| 76 | * optimize for that case */ | 79 | netif->nsec.ifindex == ifindex) |
| 77 | if (likely(netif->nsec.ifindex == ifindex)) | ||
| 78 | return netif; | 80 | return netif; |
| 79 | 81 | ||
| 80 | return NULL; | 82 | return NULL; |
| @@ -96,7 +98,7 @@ static int sel_netif_insert(struct sel_netif *netif) | |||
| 96 | if (sel_netif_total >= SEL_NETIF_HASH_MAX) | 98 | if (sel_netif_total >= SEL_NETIF_HASH_MAX) |
| 97 | return -ENOSPC; | 99 | return -ENOSPC; |
| 98 | 100 | ||
| 99 | idx = sel_netif_hashfn(netif->nsec.ifindex); | 101 | idx = sel_netif_hashfn(netif->nsec.ns, netif->nsec.ifindex); |
| 100 | list_add_rcu(&netif->list, &sel_netif_hash[idx]); | 102 | list_add_rcu(&netif->list, &sel_netif_hash[idx]); |
| 101 | sel_netif_total++; | 103 | sel_netif_total++; |
| 102 | 104 | ||
| @@ -120,6 +122,7 @@ static void sel_netif_destroy(struct sel_netif *netif) | |||
| 120 | 122 | ||
| 121 | /** | 123 | /** |
| 122 | * sel_netif_sid_slow - Lookup the SID of a network interface using the policy | 124 | * sel_netif_sid_slow - Lookup the SID of a network interface using the policy |
| 125 | * @ns: the network namespace | ||
| 123 | * @ifindex: the network interface | 126 | * @ifindex: the network interface |
| 124 | * @sid: interface SID | 127 | * @sid: interface SID |
| 125 | * | 128 | * |
| @@ -130,7 +133,7 @@ static void sel_netif_destroy(struct sel_netif *netif) | |||
| 130 | * failure. | 133 | * failure. |
| 131 | * | 134 | * |
| 132 | */ | 135 | */ |
| 133 | static int sel_netif_sid_slow(int ifindex, u32 *sid) | 136 | static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid) |
| 134 | { | 137 | { |
| 135 | int ret; | 138 | int ret; |
| 136 | struct sel_netif *netif; | 139 | struct sel_netif *netif; |
| @@ -140,7 +143,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid) | |||
| 140 | /* NOTE: we always use init's network namespace since we don't | 143 | /* NOTE: we always use init's network namespace since we don't |
| 141 | * currently support containers */ | 144 | * currently support containers */ |
| 142 | 145 | ||
| 143 | dev = dev_get_by_index(&init_net, ifindex); | 146 | dev = dev_get_by_index(ns, ifindex); |
| 144 | if (unlikely(dev == NULL)) { | 147 | if (unlikely(dev == NULL)) { |
| 145 | printk(KERN_WARNING | 148 | printk(KERN_WARNING |
| 146 | "SELinux: failure in sel_netif_sid_slow()," | 149 | "SELinux: failure in sel_netif_sid_slow()," |
| @@ -149,7 +152,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid) | |||
| 149 | } | 152 | } |
| 150 | 153 | ||
| 151 | spin_lock_bh(&sel_netif_lock); | 154 | spin_lock_bh(&sel_netif_lock); |
| 152 | netif = sel_netif_find(ifindex); | 155 | netif = sel_netif_find(ns, ifindex); |
| 153 | if (netif != NULL) { | 156 | if (netif != NULL) { |
| 154 | *sid = netif->nsec.sid; | 157 | *sid = netif->nsec.sid; |
| 155 | ret = 0; | 158 | ret = 0; |
| @@ -163,6 +166,7 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid) | |||
| 163 | ret = security_netif_sid(dev->name, &new->nsec.sid); | 166 | ret = security_netif_sid(dev->name, &new->nsec.sid); |
| 164 | if (ret != 0) | 167 | if (ret != 0) |
| 165 | goto out; | 168 | goto out; |
| 169 | new->nsec.ns = ns; | ||
| 166 | new->nsec.ifindex = ifindex; | 170 | new->nsec.ifindex = ifindex; |
| 167 | ret = sel_netif_insert(new); | 171 | ret = sel_netif_insert(new); |
| 168 | if (ret != 0) | 172 | if (ret != 0) |
| @@ -184,6 +188,7 @@ out: | |||
| 184 | 188 | ||
| 185 | /** | 189 | /** |
| 186 | * sel_netif_sid - Lookup the SID of a network interface | 190 | * sel_netif_sid - Lookup the SID of a network interface |
| 191 | * @ns: the network namespace | ||
| 187 | * @ifindex: the network interface | 192 | * @ifindex: the network interface |
| 188 | * @sid: interface SID | 193 | * @sid: interface SID |
| 189 | * | 194 | * |
| @@ -195,12 +200,12 @@ out: | |||
| 195 | * on failure. | 200 | * on failure. |
| 196 | * | 201 | * |
| 197 | */ | 202 | */ |
| 198 | int sel_netif_sid(int ifindex, u32 *sid) | 203 | int sel_netif_sid(struct net *ns, int ifindex, u32 *sid) |
| 199 | { | 204 | { |
| 200 | struct sel_netif *netif; | 205 | struct sel_netif *netif; |
| 201 | 206 | ||
| 202 | rcu_read_lock(); | 207 | rcu_read_lock(); |
| 203 | netif = sel_netif_find(ifindex); | 208 | netif = sel_netif_find(ns, ifindex); |
| 204 | if (likely(netif != NULL)) { | 209 | if (likely(netif != NULL)) { |
| 205 | *sid = netif->nsec.sid; | 210 | *sid = netif->nsec.sid; |
| 206 | rcu_read_unlock(); | 211 | rcu_read_unlock(); |
| @@ -208,11 +213,12 @@ int sel_netif_sid(int ifindex, u32 *sid) | |||
| 208 | } | 213 | } |
| 209 | rcu_read_unlock(); | 214 | rcu_read_unlock(); |
| 210 | 215 | ||
| 211 | return sel_netif_sid_slow(ifindex, sid); | 216 | return sel_netif_sid_slow(ns, ifindex, sid); |
| 212 | } | 217 | } |
| 213 | 218 | ||
| 214 | /** | 219 | /** |
| 215 | * sel_netif_kill - Remove an entry from the network interface table | 220 | * sel_netif_kill - Remove an entry from the network interface table |
| 221 | * @ns: the network namespace | ||
| 216 | * @ifindex: the network interface | 222 | * @ifindex: the network interface |
| 217 | * | 223 | * |
| 218 | * Description: | 224 | * Description: |
| @@ -220,13 +226,13 @@ int sel_netif_sid(int ifindex, u32 *sid) | |||
| 220 | * table if it exists. | 226 | * table if it exists. |
| 221 | * | 227 | * |
| 222 | */ | 228 | */ |
| 223 | static void sel_netif_kill(int ifindex) | 229 | static void sel_netif_kill(const struct net *ns, int ifindex) |
| 224 | { | 230 | { |
| 225 | struct sel_netif *netif; | 231 | struct sel_netif *netif; |
| 226 | 232 | ||
| 227 | rcu_read_lock(); | 233 | rcu_read_lock(); |
| 228 | spin_lock_bh(&sel_netif_lock); | 234 | spin_lock_bh(&sel_netif_lock); |
| 229 | netif = sel_netif_find(ifindex); | 235 | netif = sel_netif_find(ns, ifindex); |
| 230 | if (netif) | 236 | if (netif) |
| 231 | sel_netif_destroy(netif); | 237 | sel_netif_destroy(netif); |
| 232 | spin_unlock_bh(&sel_netif_lock); | 238 | spin_unlock_bh(&sel_netif_lock); |
| @@ -257,11 +263,8 @@ static int sel_netif_netdev_notifier_handler(struct notifier_block *this, | |||
| 257 | { | 263 | { |
| 258 | struct net_device *dev = netdev_notifier_info_to_dev(ptr); | 264 | struct net_device *dev = netdev_notifier_info_to_dev(ptr); |
| 259 | 265 | ||
| 260 | if (dev_net(dev) != &init_net) | ||
| 261 | return NOTIFY_DONE; | ||
| 262 | |||
| 263 | if (event == NETDEV_DOWN) | 266 | if (event == NETDEV_DOWN) |
| 264 | sel_netif_kill(dev->ifindex); | 267 | sel_netif_kill(dev_net(dev), dev->ifindex); |
| 265 | 268 | ||
| 266 | return NOTIFY_DONE; | 269 | return NOTIFY_DONE; |
| 267 | } | 270 | } |