aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
Commit message (Collapse)AuthorAge
* SELinux: peer secid consolidation for external network labelingPaul Moore2006-12-03
| | | | | | | | | | | | Now that labeled IPsec makes use of the peer_sid field in the sk_security_struct we can remove a lot of the special cases between labeled IPsec and NetLabel. In addition, create a new function, security_skb_extlbl_sid(), which we can use in several places to get the security context of the packet's external label which allows us to further simplify the code in a few places. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: SELinux cleanupsPaul Moore2006-12-03
| | | | | | | | | | | | | | | | | This patch does a lot of cleanup in the SELinux NetLabel support code. A summary of the changes include: * Use RCU locking for the NetLabel state variable in the skk_security_struct instead of using the inode_security_struct mutex. * Remove unnecessary parameters in selinux_netlbl_socket_post_create(). * Rename selinux_netlbl_sk_clone_security() to selinux_netlbl_sk_security_clone() to better fit the other NetLabel sk_security functions. * Improvements to selinux_netlbl_inode_permission() to help reduce the cost of the common case. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: make netlbl_lsm_secattr struct easier/quicker to understandPaul Moore2006-12-03
| | | | | | | | | | | | | | | | | | | The existing netlbl_lsm_secattr struct required the LSM to check all of the fields to determine if any security attributes were present resulting in a lot of work in the common case of no attributes. This patch adds a 'flags' field which is used to indicate which attributes are present in the structure; this should allow the LSM to do a quick comparison to determine if the structure holds any security attributes. Example: if (netlbl_lsm_secattr->flags) /* security attributes present */ else /* NO security attributes present */ Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* [IPv6] prefix: Convert RTM_NEWPREFIX notifications to use the new netlink apiThomas Graf2006-12-03
| | | | | | | RTM_GETPREFIX is completely unused and is thus removed. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
* [SELinux]: Add support for DCCPJames Morris2006-12-03
| | | | | | | | | | | | | | | | | | | | | | | | | | This patch implements SELinux kernel support for DCCP (http://linux-net.osdl.org/index.php/DCCP), which is similar in operation to TCP in terms of connected state between peers. The SELinux support for DCCP is thus modeled on existing handling of TCP. A new DCCP socket class is introduced, to allow protocol differentation. The permissions for this class inherit all of the socket permissions, as well as the current TCP permissions (node_bind, name_bind etc). IPv4 and IPv6 are supported, although labeled networking is not, at this stage. Patches for SELinux userspace are at: http://people.redhat.com/jmorris/selinux/dccp/user/ I've performed some basic testing, and it seems to be working as expected. Adding policy support is similar to TCP, the only real difference being that it's a different protocol. Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* SELinux: Fix SA selection semanticsVenkat Yekkirala2006-12-03
| | | | | | | | | | | | | | | | | | | | | Fix the selection of an SA for an outgoing packet to be at the same context as the originating socket/flow. This eliminates the SELinux policy's ability to use/sendto SAs with contexts other than the socket's. With this patch applied, the SELinux policy will require one or more of the following for a socket to be able to communicate with/without SAs: 1. To enable a socket to communicate without using labeled-IPSec SAs: allow socket_t unlabeled_t:association { sendto recvfrom } 2. To enable a socket to communicate with labeled-IPSec SAs: allow socket_t self:association { sendto }; allow socket_t peer_sa_t:association { recvfrom }; Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Return correct context for SO_PEERSECVenkat Yekkirala2006-12-03
| | | | | | | | | Fix SO_PEERSEC for tcp sockets to return the security context of the peer (as represented by the SA from the peer) as opposed to the SA used by the local/source socket. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Various xfrm labeling fixesVenkat Yekkirala2006-12-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since the upstreaming of the mlsxfrm modification a few months back, testing has resulted in the identification of the following issues/bugs that are resolved in this patch set. 1. Fix the security context used in the IKE negotiation to be the context of the socket as opposed to the context of the SPD rule. 2. Fix SO_PEERSEC for tcp sockets to return the security context of the peer as opposed to the source. 3. Fix the selection of an SA for an outgoing packet to be at the same context as the originating socket/flow. The following would be the result of applying this patchset: - SO_PEERSEC will now correctly return the peer's context. - IKE deamons will receive the context of the source socket/flow as opposed to the SPD rule's context so that the negotiated SA will be at the same context as the source socket/flow. - The SELinux policy will require one or more of the following for a socket to be able to communicate with/without SAs: 1. To enable a socket to communicate without using labeled-IPSec SAs: allow socket_t unlabeled_t:association { sendto recvfrom } 2. To enable a socket to communicate with labeled-IPSec SAs: allow socket_t self:association { sendto }; allow socket_t peer_sa_t:association { recvfrom }; This Patch: Pass correct security context to IKE for use in negotiation Fix the security context passed to IKE for use in negotiation to be the context of the socket as opposed to the context of the SPD rule so that the SA carries the label of the originating socket/flow. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: James Morris <jmorris@namei.org>
* Merge branch 'for-2.6.20' of ↵Linus Torvalds2006-12-01
|\ | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6 * 'for-2.6.20' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6: SELinux: validate kernel object classes and permissions SELinux: ensure keys constant in hashtab_search SELinux: export object class and permission definitions SELinux: remove current object class and permission validation mechanism
| * SELinux: validate kernel object classes and permissionsChad Sellers2006-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a new object class and permission validation scheme that validates against the defined kernel headers. This scheme allows extra classes and permissions that do not conflict with the kernel definitions to be added to the policy. This validation is now done for all policy loads, not just subsequent loads after the first policy load. The implementation walks the three structrures containing the defined object class and permission values and ensures their values are the same in the policy being loaded. This includes verifying the object classes themselves, the permissions they contain, and the permissions they inherit from commons. Classes or permissions that are present in the kernel but missing from the policy cause a warning (printed to KERN_INFO) to be printed, but do not stop the policy from loading, emulating current behavior. Any other inconsistencies cause the load to fail. Signed-off-by: Chad Sellers <csellers@tresys.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * SELinux: ensure keys constant in hashtab_searchChad Sellers2006-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Makes the key argument passed into hashtab_search and all the functions it calls constant. These functions include hash table function pointers hash_value and keycmp. The only implementations of these currently are symhash and symcmp, which do not modify the key. The key parameter should never be changed by any of these, so it should be const. This is necessary to allow calling these functions with keys found in kernel object class and permission definitions. Signed-off-by: Chad Sellers <csellers@tresys.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * SELinux: export object class and permission definitionsChad Sellers2006-11-28
| | | | | | | | | | | | | | | | | | | | | | | | Moves the definition of the 3 structs containing object class and permission definitions from avc.c to avc_ss.h so that the security server can access them for validation on policy load. This also adds a new struct type, defined_classes_perms_t, suitable for allowing the security server to access these data structures from the avc. Signed-off-by: Chad Sellers <csellers@tresys.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * SELinux: remove current object class and permission validation mechanismChad Sellers2006-11-28
| | | | | | | | | | | | | | | | | | | | | | | | Removes the current SELinux object class and permission validation code, as the current code makes it impossible to change or remove object classes and permissions on a running system. Additionally, the current code does not actually validate that the classes and permissions are correct, but instead merely validates that they do not change between policy reloads. Signed-off-by: Chad Sellers <csellers@tresys.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* | selinux: fix dentry_open() error checkAkinobu Mita2006-11-27
|/ | | | | | | | | The return value of dentry_open() shoud be checked by IS_ERR(). Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: James Morris <jmorris@namei.org> Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com> Signed-off-by: James Morris <jmorris@namei.org>
* [NetLabel]: protect the CIPSOv4 socket option from setsockopt()Paul Moore2006-10-30
| | | | | | | | | | | | | | | | This patch makes two changes to protect applications from either removing or tampering with the CIPSOv4 IP option on a socket. The first is the requirement that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option on a socket; this prevents untrusted applications from setting their own CIPSOv4 security attributes on the packets they send. The second change is to SELinux and it prevents applications from setting any IPv4 options when there is an IPOPT_CIPSO option already present on the socket; this prevents applications from removing CIPSOv4 security attributes from the packets they send. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* NetLabel: better error handling involving mls_export_cat()Paul Moore2006-10-16
| | | | | | | | | | Upon inspection it looked like the error handling for mls_export_cat() was rather poor. This patch addresses this by NULL'ing out kfree()'d pointers before returning and checking the return value of the function everywhere it is called. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Bug fix in polidydb_destroyChad Sellers2006-10-12
| | | | | | | | | | | | | | | This patch fixes two bugs in policydb_destroy. Two list pointers (policydb.ocontexts[i] and policydb.genfs) were not being reset to NULL when the lists they pointed to were being freed. This caused a problem when the initial policy load failed, as the policydb being destroyed was not a temporary new policydb that was thrown away, but rather was the global (active) policydb. Consequently, later functions, particularly sys_bind->selinux_socket_bind->security_node_sid and do_rw_proc->selinux_sysctl->selinux_proc_get_sid->security_genfs_sid tried to dereference memory that had previously been freed. Signed-off-by: Chad Sellers <csellers@tresys.com> Signed-off-by: James Morris <jmorris@namei.org>
* IPsec: correct semantics for SELinux policy matchingVenkat Yekkirala2006-10-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently when an IPSec policy rule doesn't specify a security context, it is assumed to be "unlabeled" by SELinux, and so the IPSec policy rule fails to match to a flow that it would otherwise match to, unless one has explicitly added an SELinux policy rule allowing the flow to "polmatch" to the "unlabeled" IPSec policy rules. In the absence of such an explicitly added SELinux policy rule, the IPSec policy rule fails to match and so the packet(s) flow in clear text without the otherwise applicable xfrm(s) applied. The above SELinux behavior violates the SELinux security notion of "deny by default" which should actually translate to "encrypt by default" in the above case. This was first reported by Evgeniy Polyakov and the way James Morris was seeing the problem was when connecting via IPsec to a confined service on an SELinux box (vsftpd), which did not have the appropriate SELinux policy permissions to send packets via IPsec. With this patch applied, SELinux "polmatching" of flows Vs. IPSec policy rules will only come into play when there's a explicit context specified for the IPSec policy rule (which also means there's corresponding SELinux policy allowing appropriate domains/flows to polmatch to this context). Secondly, when a security module is loaded (in this case, SELinux), the security_xfrm_policy_lookup() hook can return errors other than access denied, such as -EINVAL. We were not handling that correctly, and in fact inverting the return logic and propagating a false "ok" back up to xfrm_lookup(), which then allowed packets to pass as if they were not associated with an xfrm policy. The solution for this is to first ensure that errno values are correctly propagated all the way back up through the various call chains from security_xfrm_policy_lookup(), and handled correctly. Then, flow_cache_lookup() is modified, so that if the policy resolver fails (typically a permission denied via the security module), the flow cache entry is killed rather than having a null policy assigned (which indicates that the packet can pass freely). This also forces any future lookups for the same flow to consult the security module (e.g. SELinux) for current security policy (rather than, say, caching the error on the flow cache entry). This patch: Fix the selinux side of things. This makes sure SELinux polmatching of flow contexts to IPSec policy rules comes into play only when an explicit context is associated with the IPSec policy rule. Also, this no longer defaults the context of a socket policy to the context of the socket since the "no explicit context" case is now handled properly. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: use SECINITSID_UNLABELED for a base SIDpaul.moore@hp.com2006-10-12
| | | | | | | | This patch changes NetLabel to use SECINITSID_UNLABLELED as it's source of SELinux type information when generating a NetLabel context. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: fix a cache race conditionpaul.moore@hp.com2006-10-12
| | | | | | | | | | Testing revealed a problem with the NetLabel cache where a cached entry could be freed while in use by the LSM layer causing an oops and other problems. This patch fixes that problem by introducing a reference counter to the cache entry so that it is only freed when it is no longer in use. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* Still more typo fixesMatt LaPlante2006-10-03
| | | | Signed-off-by: Adrian Bunk <bunk@stusta.de>
* more misc typo fixesMatt LaPlante2006-10-03
| | | | Signed-off-by: Adrian Bunk <bunk@stusta.de>
* [PATCH] r/o bind mount prepwork: inc_nlink() helperDave Hansen2006-10-01
| | | | | | | | | | | This is mostly included for parity with dec_nlink(), where we will have some more hooks. This one should stay pretty darn straightforward for now. Signed-off-by: Dave Hansen <haveblue@us.ibm.com> Acked-by: Christoph Hellwig <hch@lst.de> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] MLSXFRM: fix mis-labelling of child socketsDavid Woodhouse2006-09-29
| | | | | | | | | | | | Accepted connections of types other than AF_INET, AF_INET6, AF_UNIX won't have an appropriate label derived from the peer, so don't use it. Signed-off-by: David Woodhouse <dwmw2@infradead.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] SELinux: support mls categories for context mountsCory Olmo2006-09-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allows commas to be embedded into context mount options (i.e. "-o context=some_selinux_context_t"), to better support multiple categories, which are separated by commas and confuse mount. For example, with the current code: mount -t iso9660 /dev/cdrom /media/cdrom -o \ ro,context=system_u:object_r:iso9660_t:s0:c1,c3,c4,exec The context option that will be interpreted by SELinux is context=system_u:object_r:iso9660_t:s0:c1 instead of context=system_u:object_r:iso9660_t:s0:c1,c3,c4 The options that will be passed on to the file system will be ro,c3,c4,exec. The proposed solution is to allow/require the SELinux context option specified to mount to use quotes when the context contains a comma. This patch modifies the option parsing in parse_opts(), contained in mount.c, to take options after finding a comma only if it hasn't seen a quote or if the quotes are matched. It also introduces a new function that will strip the quotes from the context option prior to translation. The quotes are replaced after the translation is completed to insure that in the event the raw context contains commas the kernel will be able to interpret the correct context. Signed-off-by: Cory Olmo <colmo@TrustedCS.com> Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] inode-diet: Eliminate i_blksize from the inode structureTheodore Ts'o2006-09-27
| | | | | | | | | | | | | | | | This eliminates the i_blksize field from struct inode. Filesystems that want to provide a per-inode st_blksize can do so by providing their own getattr routine instead of using the generic_fillattr() function. Note that some filesystems were providing pretty much random (and incorrect) values for i_blksize. [bunk@stusta.de: cleanup] [akpm@osdl.org: generic_fillattr() fix] Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] selinux: fix tty lockingStephen Smalley2006-09-26
| | | | | | | | | | | | | Take tty_mutex when accessing ->signal->tty in selinux code. Noted by Alan Cox. Longer term, we are looking at refactoring the code to provide better encapsulation of the tty layer, but this is a simple fix that addresses the immediate bug. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Alan Cox <alan@redhat.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] SELinux: convert sbsec semaphore to a mutexEric Paris2006-09-26
| | | | | | | | | | | This patch converts the semaphore in the superblock security struct to a mutex. No locking changes or other code changes are done. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] SELinux: change isec semaphore to a mutexEric Paris2006-09-26
| | | | | | | | | | | | | This patch converts the remaining isec->sem into a mutex. Very similar locking is provided as before only in the faster smaller mutex rather than a semaphore. An out_unlock path is introduced rather than the conditional unlocking found in the original code. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] SELinux: eliminate inode_security_set_securityEric Paris2006-09-26
| | | | | | | | | | | | | | | | inode_security_set_sid is only called by security_inode_init_security, which is called when a new file is being created and needs to have its incore security state initialized and its security xattr set. This helper used to be called in other places in the past, but now only has the one. So this patch rolls inode_security_set_sid directly back into security_inode_init_security. There also is no need to hold the isec->sem while doing this, as the inode is not available to other threads at this point in time. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] selinux: add support for range transitions on object classesDarrel Goeddel2006-09-26
| | | | | | | | | | | | | | | | Introduces support for policy version 21. This version of the binary kernel policy allows for defining range transitions on security classes other than the process security class. As always, backwards compatibility for older formats is retained. The security class is read in as specified when using the new format, while the "process" security class is assumed when using an older policy format. Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] selinux: enable configuration of max policy versionStephen Smalley2006-09-26
| | | | | | | | | | | | | | | Enable configuration of SELinux maximum supported policy version to support legacy userland (init) that does not gracefully handle kernels that support newer policy versions two or more beyond the installed policy, as in FC3 and FC4. [bunk@stusta.de: improve Kconfig help text] Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] selinux: replace ctxid with sid in selinux_audit_rule_match interfaceStephen Smalley2006-09-26
| | | | | | | | | | Replace ctxid with sid in selinux_audit_rule_match interface for consistency with other interfaces. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] selinux: rename selinux_ctxid_to_stringStephen Smalley2006-09-26
| | | | | | | | | | Rename selinux_ctxid_to_string to selinux_sid_to_string to be consistent with other interfaces. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PATCH] selinux: eliminate selinux_task_ctxidStephen Smalley2006-09-26
| | | | | | | | | Eliminate selinux_task_ctxid since it duplicates selinux_task_get_sid. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [NetLabel]: change the SELinux permissionsPaul Moore2006-09-25
| | | | | | | | | | Change NetLabel to use the 'recvfrom' socket permission and the SECINITSID_NETMSG SELinux SID as the NetLabel base SID for incoming packets. This patch effectively makes the old, and currently unused, SELinux NETMSG permissions NetLabel permissions. Signed-of-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: correct improper handling of non-NetLabel peer contextsPaul Moore2006-09-25
| | | | | | | | | | | | Fix a problem where NetLabel would always set the value of sk_security_struct->peer_sid in selinux_netlbl_sock_graft() to the context of the socket, causing problems when users would query the context of the connection. This patch fixes this so that the value in sk_security_struct->peer_sid is only set when the connection is NetLabel based, otherwise the value is untouched. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [SELINUX]: Fix bug in security_sid_mls_copyVenkat Yekkirala2006-09-22
| | | | | | | | | The following fixes a bug where random mem is being tampered with in the non-mls case; encountered by Jashua Brindle on a gentoo box. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* [NetLabel]: add some missing #includes to various header filesPaul Moore2006-09-22
| | | | | | | Add some missing include files to the NetLabel related header files. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: uninline selinux_netlbl_inode_permission()Paul Moore2006-09-22
| | | | | | | | Uninline the selinux_netlbl_inode_permission() at the request of Andrew Morton. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: Cleanup ebitmap_import()Paul Moore2006-09-22
| | | | | | | Rewrite ebitmap_import() so it is a bit cleaner and easier to read. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: Comment corrections.Paul Moore2006-09-22
| | | | | | | Fix some incorrect comments. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: Correctly initialize the NetLabel fields.Paul Moore2006-09-22
| | | | | | | | Fix a problem where the NetLabel specific fields of the sk_security_struct structure were not being initialized early enough in some cases. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [SELINUX]: security/selinux/hooks.c: Make 4 functions static.Adrian Bunk2006-09-22
| | | | | | | | | This patch makes four needlessly global functions static. Signed-off-by: Adrian Bunk <bunk@stusta.de> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: SELinux supportVenkat Yekkirala2006-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add NetLabel support to the SELinux LSM and modify the socket_post_create() LSM hook to return an error code. The most significant part of this patch is the addition of NetLabel hooks into the following SELinux LSM hooks: * selinux_file_permission() * selinux_socket_sendmsg() * selinux_socket_post_create() * selinux_socket_sock_rcv_skb() * selinux_socket_getpeersec_stream() * selinux_socket_getpeersec_dgram() * selinux_sock_graft() * selinux_inet_conn_request() The basic reasoning behind this patch is that outgoing packets are "NetLabel'd" by labeling their socket and the NetLabel security attributes are checked via the additional hook in selinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling mechanism, similar to filesystem extended attributes, it is up to the SELinux enforcement mechanism to perform the actual access checks. In addition to the changes outlined above this patch also includes some changes to the extended bitmap (ebitmap) and multi-level security (mls) code to import and export SELinux TE/MLS attributes into and out of NetLabel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Fix build with SECURITY_NETWORK_XFRM disabled.Venkat Yekkirala2006-09-22
| | | | | | | | | | | | | | The following patch will fix the build problem (encountered by Andrew Morton) when SECURITY_NETWORK_XFRM is not enabled. As compared to git-net-selinux_xfrm_decode_session-build-fix.patch in -mm, this patch sets the return parameter sid to SECSID_NULL in selinux_xfrm_decode_session() and handles this value in the caller selinux_inet_conn_request() appropriately. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Auto-labeling of child socketsVenkat Yekkirala2006-09-22
| | | | | | | | | | | | | This automatically labels the TCP, Unix stream, and dccp child sockets as well as openreqs to be at the same MLS level as the peer. This will result in the selection of appropriately labeled IPSec Security Associations. This also uses the sock's sid (as opposed to the isec sid) in SELinux enforcement of secmark in rcv_skb and postroute_last hooks. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Default labeling of socket specific IPSec policiesVenkat Yekkirala2006-09-22
| | | | | | | | This defaults the label of socket-specific IPSec policies to be the same as the socket they are set on. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Add flow labelingVenkat Yekkirala2006-09-22
| | | | | | | | | | | | | | | | | | | | | | This labels the flows that could utilize IPSec xfrms at the points the flows are defined so that IPSec policy and SAs at the right label can be used. The following protos are currently not handled, but they should continue to be able to use single-labeled IPSec like they currently do. ipmr ip_gre ipip igmp sit sctp ip6_tunnel (IPv6 over IPv6 tunnel device) decnet Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Flow based matching of xfrm policy and stateVenkat Yekkirala2006-09-22
| | | | | | | | | This implements a seemless mechanism for xfrm policy selection and state matching based on the flow sid. This also includes the necessary SELinux enforcement pieces. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>