1. 10 Oct, 2008 14 commits
    • Paul Moore's avatar
      selinux: Cache NetLabel secattrs in the socket's security struct · 6c5b3fc0
      Paul Moore authored
      Previous work enabled the use of address based NetLabel selectors, which
      while highly useful, brought the potential for additional per-packet overhead
      when used.  This patch attempts to mitigate some of that overhead by caching
      the NetLabel security attribute struct within the SELinux socket security
      structure.  This should help eliminate the need to recreate the NetLabel
      secattr structure for each packet resulting in less overhead.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      6c5b3fc0
    • Paul Moore's avatar
      selinux: Set socket NetLabel based on connection endpoint · 014ab19a
      Paul Moore authored
      Previous work enabled the use of address based NetLabel selectors, which while
      highly useful, brought the potential for additional per-packet overhead when
      used.  This patch attempts to solve that by applying NetLabel socket labels
      when sockets are connect()'d.  This should alleviate the per-packet NetLabel
      labeling for all connected sockets (yes, it even works for connected DGRAM
      sockets).
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Reviewed-by: default avatarJames Morris <jmorris@namei.org>
      014ab19a
    • Paul Moore's avatar
      netlabel: Add functionality to set the security attributes of a packet · 948bf85c
      Paul Moore authored
      This patch builds upon the new NetLabel address selector functionality by
      providing the NetLabel KAPI and CIPSO engine support needed to enable the
      new packet-based labeling.  The only new addition to the NetLabel KAPI at
      this point is shown below:
      
       * int netlbl_skbuff_setattr(skb, family, secattr)
      
      ... and is designed to be called from a Netfilter hook after the packet's
      IP header has been populated such as in the FORWARD or LOCAL_OUT hooks.
      
      This patch also provides the necessary SELinux hooks to support this new
      functionality.  Smack support is not currently included due to uncertainty
      regarding the permissions needed to expand the Smack network access controls.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Reviewed-by: default avatarJames Morris <jmorris@namei.org>
      948bf85c
    • Paul Moore's avatar
      netlabel: Add network address selectors to the NetLabel/LSM domain mapping · 63c41688
      Paul Moore authored
      This patch extends the NetLabel traffic labeling capabilities to individual
      packets based not only on the LSM domain but the by the destination address
      as well.  The changes here only affect the core NetLabel infrastructre,
      changes to the NetLabel KAPI and individial protocol engines are also
      required but are split out into a different patch to ease review.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Reviewed-by: default avatarJames Morris <jmorris@namei.org>
      63c41688
    • Paul Moore's avatar
      netlabel: Add a generic way to create ordered linked lists of network addrs · 61e10682
      Paul Moore authored
      Create an ordered IP address linked list mechanism similar to the core
      kernel's linked list construct.  The idea behind this list functionality
      is to create an extensibile linked list ordered by IP address mask to
      ease the matching of network addresses.  The linked list is ordered with
      larger address masks at the front of the list and shorter address masks
      at the end to facilitate overriding network entries with individual host
      or subnet entries.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Reviewed-by: default avatarJames Morris <jmorris@namei.org>
      61e10682
    • Paul Moore's avatar
      netlabel: Replace protocol/NetLabel linking with refrerence counts · b1edeb10
      Paul Moore authored
      NetLabel has always had a list of backpointers in the CIPSO DOI definition
      structure which pointed to the NetLabel LSM domain mapping structures which
      referenced the CIPSO DOI struct.  The rationale for this was that when an
      administrator removed a CIPSO DOI from the system all of the associated
      NetLabel LSM domain mappings should be removed as well; a list of
      backpointers made this a simple operation.
      
      Unfortunately, while the backpointers did make the removal easier they were
      a bit of a mess from an implementation point of view which was making
      further development difficult.  Since the removal of a CIPSO DOI is a
      realtively rare event it seems to make sense to remove this backpointer
      list as the optimization was hurting us more then it was helping.  However,
      we still need to be able to track when a CIPSO DOI definition is being used
      so replace the backpointer list with a reference count.  In order to
      preserve the current functionality of removing the associated LSM domain
      mappings when a CIPSO DOI is removed we walk the LSM domain mapping table,
      removing the relevant entries.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Reviewed-by: default avatarJames Morris <jmorris@namei.org>
      b1edeb10
    • Paul Moore's avatar
      smack: Fix missing calls to netlbl_skbuff_err() · a8134296
      Paul Moore authored
      Smack needs to call netlbl_skbuff_err() to let NetLabel do the necessary
      protocol specific error handling.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      a8134296
    • Paul Moore's avatar
      selinux: Fix missing calls to netlbl_skbuff_err() · dfaebe98
      Paul Moore authored
      At some point I think I messed up and dropped the calls to netlbl_skbuff_err()
      which are necessary for CIPSO to send error notifications to remote systems.
      This patch re-introduces the error handling calls into the SELinux code.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      dfaebe98
    • Paul Moore's avatar
      selinux: Fix a problem in security_netlbl_sid_to_secattr() · 99d854d2
      Paul Moore authored
      Currently when SELinux fails to allocate memory in
      security_netlbl_sid_to_secattr() the NetLabel LSM domain field is set to
      NULL which triggers the default NetLabel LSM domain mapping which may not
      always be the desired mapping.  This patch fixes this by returning an error
      when the kernel is unable to allocate memory.  This could result in more
      failures on a system with heavy memory pressure but it is the "correct"
      thing to do.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      99d854d2
    • Paul Moore's avatar
      selinux: Better local/forward check in selinux_ip_postroute() · d8395c87
      Paul Moore authored
      It turns out that checking to see if skb->sk is NULL is not a very good
      indicator of a forwarded packet as some locally generated packets also have
      skb->sk set to NULL.  Fix this by not only checking the skb->sk field but also
      the IP[6]CB(skb)->flags field for the IP[6]SKB_FORWARDED flag.  While we are
      at it, we are calling selinux_parse_skb() much earlier than we really should
      resulting in potentially wasted cycles parsing packets for information we
      might no use; so shuffle the code around a bit to fix this.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      d8395c87
    • Paul Moore's avatar
      netlabel: Remove unneeded in-kernel API functions · 948a7243
      Paul Moore authored
      After some discussions with the Smack folks, well just Casey, I now have a
      better idea of what Smack wants out of NetLabel in the future so I think it
      is now safe to do some API "pruning".  If another LSM comes along that
      needs this functionality we can always add it back in, but I don't see any
      LSMs on the horizon which might make use of these functions.
      
      Thanks to Rami Rosen who suggested removing netlbl_cfg_cipsov4_del() back
      in February 2008.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Reviewed-by: default avatarJames Morris <jmorris@namei.org>
      948a7243
    • Paul Moore's avatar
      selinux: Correctly handle IPv4 packets on IPv6 sockets in all cases · aa862900
      Paul Moore authored
      We did the right thing in a few cases but there were several areas where we
      determined a packet's address family based on the socket's address family which
      is not the right thing to do since we can get IPv4 packets on IPv6 sockets.
      This patch fixes these problems by either taking the address family directly
      from the packet.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      aa862900
    • Paul Moore's avatar
      selinux: Cleanup the NetLabel glue code · accc6093
      Paul Moore authored
      We were doing a lot of extra work in selinux_netlbl_sock_graft() what wasn't
      necessary so this patch removes that code.  It also removes the redundant
      second argument to selinux_netlbl_sock_setsid() which allows us to simplify a
      few other functions.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      accc6093
    • Paul Moore's avatar
      netlabel: Fix some sparse warnings · 56196701
      Paul Moore authored
      Fix a few sparse warnings.  One dealt with a RCU lock being held on error,
      another dealt with an improper type caused by a signed/unsigned mixup while
      the rest appeared to be caused by using rcu_dereference() in a
      list_for_each_entry_rcu() call.  The latter probably isn't a big deal, but
      I derive a certain pleasure from knowing that the net/netlabel is nice and
      clean.
      
      Thanks to James Morris for pointing out the issues and demonstrating how
      to run sparse.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      56196701
  2. 09 Oct, 2008 12 commits
  3. 08 Oct, 2008 3 commits
  4. 07 Oct, 2008 7 commits
  5. 06 Oct, 2008 4 commits