Commit 3de4bab5 authored by Paul Moore's avatar Paul Moore Committed by David S. Miller

SELinux: peer secid consolidation for external network labeling

Now that labeled IPsec makes use of the peer_sid field in the
sk_security_struct we can remove a lot of the special cases between labeled
IPsec and NetLabel.  In addition, create a new function,
security_skb_extlbl_sid(), which we can use in several places to get the
security context of the packet's external label which allows us to further
simplify the code in a few places.
Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 9f2ad665
...@@ -3574,27 +3574,16 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op ...@@ -3574,27 +3574,16 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
u32 scontext_len; u32 scontext_len;
struct sk_security_struct *ssec; struct sk_security_struct *ssec;
struct inode_security_struct *isec; struct inode_security_struct *isec;
u32 peer_sid = 0; u32 peer_sid = SECSID_NULL;
isec = SOCK_INODE(sock)->i_security; isec = SOCK_INODE(sock)->i_security;
/* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */ if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) { isec->sclass == SECCLASS_TCP_SOCKET) {
ssec = sock->sk->sk_security; ssec = sock->sk->sk_security;
peer_sid = ssec->peer_sid; peer_sid = ssec->peer_sid;
} }
else if (isec->sclass == SECCLASS_TCP_SOCKET) { if (peer_sid == SECSID_NULL) {
peer_sid = selinux_netlbl_socket_getpeersec_stream(sock);
if (peer_sid == SECSID_NULL) {
ssec = sock->sk->sk_security;
peer_sid = ssec->peer_sid;
}
if (peer_sid == SECSID_NULL) {
err = -ENOPROTOOPT;
goto out;
}
}
else {
err = -ENOPROTOOPT; err = -ENOPROTOOPT;
goto out; goto out;
} }
...@@ -3626,13 +3615,12 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * ...@@ -3626,13 +3615,12 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
u32 peer_secid = SECSID_NULL; u32 peer_secid = SECSID_NULL;
int err = 0; int err = 0;
if (sock && (sock->sk->sk_family == PF_UNIX)) if (sock && sock->sk->sk_family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb) { else if (skb)
peer_secid = selinux_netlbl_socket_getpeersec_dgram(skb); security_skb_extlbl_sid(skb,
if (peer_secid == SECSID_NULL) SECINITSID_UNLABELED,
peer_secid = selinux_socket_getpeer_dgram(skb); &peer_secid);
}
if (peer_secid == SECSID_NULL) if (peer_secid == SECSID_NULL)
err = -EINVAL; err = -EINVAL;
...@@ -3693,17 +3681,10 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, ...@@ -3693,17 +3681,10 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
u32 newsid; u32 newsid;
u32 peersid; u32 peersid;
newsid = selinux_netlbl_inet_conn_request(skb, sksec->sid); security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
if (newsid != SECSID_NULL) {
req->secid = newsid;
return 0;
}
selinux_skb_xfrm_sid(skb, &peersid);
if (peersid == SECSID_NULL) { if (peersid == SECSID_NULL) {
req->secid = sksec->sid; req->secid = sksec->sid;
req->peer_secid = 0; req->peer_secid = SECSID_NULL;
return 0; return 0;
} }
...@@ -3738,7 +3719,7 @@ static void selinux_inet_conn_established(struct sock *sk, ...@@ -3738,7 +3719,7 @@ static void selinux_inet_conn_established(struct sock *sk,
{ {
struct sk_security_struct *sksec = sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
selinux_skb_xfrm_sid(skb, &sksec->peer_sid); security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
} }
static void selinux_req_classify_flow(const struct request_sock *req, static void selinux_req_classify_flow(const struct request_sock *req,
......
...@@ -8,6 +8,7 @@ ...@@ -8,6 +8,7 @@
#ifndef _SELINUX_SECURITY_H_ #ifndef _SELINUX_SECURITY_H_
#define _SELINUX_SECURITY_H_ #define _SELINUX_SECURITY_H_
#include <linux/skbuff.h>
#include "flask.h" #include "flask.h"
#define SECSID_NULL 0x00000000 /* unspecified SID */ #define SECSID_NULL 0x00000000 /* unspecified SID */
...@@ -80,6 +81,8 @@ int security_netif_sid(char *name, u32 *if_sid, ...@@ -80,6 +81,8 @@ int security_netif_sid(char *name, u32 *if_sid,
int security_node_sid(u16 domain, void *addr, u32 addrlen, int security_node_sid(u16 domain, void *addr, u32 addrlen,
u32 *out_sid); u32 *out_sid);
void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
u16 tclass); u16 tclass);
......
...@@ -38,14 +38,12 @@ ...@@ -38,14 +38,12 @@
#ifdef CONFIG_NETLABEL #ifdef CONFIG_NETLABEL
void selinux_netlbl_cache_invalidate(void); void selinux_netlbl_cache_invalidate(void);
int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
int selinux_netlbl_socket_post_create(struct socket *sock); int selinux_netlbl_socket_post_create(struct socket *sock);
void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock); void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid);
int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
struct sk_buff *skb, struct sk_buff *skb,
struct avc_audit_data *ad); struct avc_audit_data *ad);
u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);
u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);
void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
int family); int family);
void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec, void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
...@@ -62,6 +60,14 @@ static inline void selinux_netlbl_cache_invalidate(void) ...@@ -62,6 +60,14 @@ static inline void selinux_netlbl_cache_invalidate(void)
return; return;
} }
static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
u32 base_sid,
u32 *sid)
{
*sid = SECSID_NULL;
return 0;
}
static inline int selinux_netlbl_socket_post_create(struct socket *sock) static inline int selinux_netlbl_socket_post_create(struct socket *sock)
{ {
return 0; return 0;
...@@ -73,12 +79,6 @@ static inline void selinux_netlbl_sock_graft(struct sock *sk, ...@@ -73,12 +79,6 @@ static inline void selinux_netlbl_sock_graft(struct sock *sk,
return; return;
} }
static inline u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb,
u32 sock_sid)
{
return SECSID_NULL;
}
static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
struct sk_buff *skb, struct sk_buff *skb,
struct avc_audit_data *ad) struct avc_audit_data *ad)
...@@ -86,16 +86,6 @@ static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, ...@@ -86,16 +86,6 @@ static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
return 0; return 0;
} }
static inline u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
{
return SECSID_NULL;
}
static inline u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
{
return SECSID_NULL;
}
static inline void selinux_netlbl_sk_security_reset( static inline void selinux_netlbl_sk_security_reset(
struct sk_security_struct *ssec, struct sk_security_struct *ssec,
int family) int family)
......
...@@ -36,7 +36,6 @@ int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, ...@@ -36,7 +36,6 @@ int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
struct avc_audit_data *ad); struct avc_audit_data *ad);
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
struct avc_audit_data *ad, u8 proto); struct avc_audit_data *ad, u8 proto);
u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
#else #else
static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
...@@ -51,10 +50,6 @@ static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, ...@@ -51,10 +50,6 @@ static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
return 0; return 0;
} }
static inline int selinux_socket_getpeer_dgram(struct sk_buff *skb)
{
return SECSID_NULL;
}
static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
{ {
*sid = SECSID_NULL; *sid = SECSID_NULL;
......
...@@ -54,6 +54,7 @@ ...@@ -54,6 +54,7 @@
#include "mls.h" #include "mls.h"
#include "objsec.h" #include "objsec.h"
#include "selinux_netlabel.h" #include "selinux_netlabel.h"
#include "xfrm.h"
extern void selnl_notify_policyload(u32 seqno); extern void selnl_notify_policyload(u32 seqno);
unsigned int policydb_loaded_version; unsigned int policydb_loaded_version;
...@@ -2191,6 +2192,32 @@ void selinux_audit_set_callback(int (*callback)(void)) ...@@ -2191,6 +2192,32 @@ void selinux_audit_set_callback(int (*callback)(void))
aurule_callback = callback; aurule_callback = callback;
} }
/**
* security_skb_extlbl_sid - Determine the external label of a packet
* @skb: the packet
* @base_sid: the SELinux SID to use as a context for MLS only external labels
* @sid: the packet's SID
*
* Description:
* Check the various different forms of external packet labeling and determine
* the external SID for the packet.
*
*/
void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
{
u32 xfrm_sid;
u32 nlbl_sid;
selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (selinux_netlbl_skbuff_getsid(skb,
(xfrm_sid == SECSID_NULL ?
base_sid : xfrm_sid),
&nlbl_sid) != 0)
nlbl_sid = SECSID_NULL;
*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
}
#ifdef CONFIG_NETLABEL #ifdef CONFIG_NETLABEL
/* /*
* This is the structure we store inside the NetLabel cache block. * This is the structure we store inside the NetLabel cache block.
...@@ -2408,9 +2435,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb, ...@@ -2408,9 +2435,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
* assign to the packet. Returns zero on success, negative values on failure. * assign to the packet. Returns zero on success, negative values on failure.
* *
*/ */
static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
u32 base_sid,
u32 *sid)
{ {
int rc; int rc;
struct netlbl_lsm_secattr secattr; struct netlbl_lsm_secattr secattr;
...@@ -2615,29 +2640,6 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) ...@@ -2615,29 +2640,6 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
rcu_read_unlock(); rcu_read_unlock();
} }
/**
* selinux_netlbl_inet_conn_request - Handle a new connection request
* @skb: the packet
* @sock_sid: the SID of the parent socket
*
* Description:
* If present, use the security attributes of the packet in @skb and the
* parent sock's SID to arrive at a SID for the new child sock. Returns the
* SID of the connection or SECSID_NULL on failure.
*
*/
u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
{
int rc;
u32 peer_sid;
rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);
if (rc != 0)
return SECSID_NULL;
return peer_sid;
}
/** /**
* selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
* @inode: the file descriptor's inode * @inode: the file descriptor's inode
...@@ -2727,42 +2729,6 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, ...@@ -2727,42 +2729,6 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
return rc; return rc;
} }
/**
* selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
* @sock: the socket
*
* Description:
* Examine @sock to find the connected peer's SID. Returns the SID on success
* or SECSID_NULL on error.
*
*/
u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
{
struct sk_security_struct *sksec = sock->sk->sk_security;
return sksec->peer_sid;
}
/**
* selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet
* @skb: the packet
*
* Description:
* Examine @skb to find the SID assigned to it by NetLabel. Returns the SID on
* success, SECSID_NULL on error.
*
*/
u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
{
int peer_sid;
if (selinux_netlbl_skbuff_getsid(skb,
SECINITSID_UNLABELED,
&peer_sid) != 0)
return SECSID_NULL;
return peer_sid;
}
/** /**
* selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
* @sock: the socket * @sock: the socket
......
...@@ -372,39 +372,6 @@ void selinux_xfrm_state_free(struct xfrm_state *x) ...@@ -372,39 +372,6 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
kfree(ctx); kfree(ctx);
} }
/*
* SELinux internal function to retrieve the context of a UDP packet
* based on its security association.
*
* Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
* type SCM_SECURITY.
*/
u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
{
struct sec_path *sp;
if (skb == NULL)
return SECSID_NULL;
if (skb->sk->sk_protocol != IPPROTO_UDP)
return SECSID_NULL;
sp = skb->sp;
if (sp) {
int i;
for (i = sp->len-1; i >= 0; i--) {
struct xfrm_state *x = sp->xvec[i];
if (selinux_authorizable_xfrm(x)) {
struct xfrm_sec_ctx *ctx = x->security;
return ctx->ctx_sid;
}
}
}
return SECSID_NULL;
}
/* /*
* LSM hook implementation that authorizes deletion of labeled SAs. * LSM hook implementation that authorizes deletion of labeled SAs.
*/ */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment