Commit effad8df authored by Paul Moore's avatar Paul Moore Committed by James Morris

SELinux: Add network ingress and egress control permission checks

This patch implements packet ingress/egress controls for SELinux which allow
SELinux security policy to control the flow of all IPv4 and IPv6 packets into
and out of the system.  Currently SELinux does not have proper control over
forwarded packets and this patch corrects this problem.

Special thanks to Venkat Yekkirala <vyekkirala@trustedcs.com> whose earlier
work on this topic eventually led to this patch.
Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 13541b3a
...@@ -12,8 +12,8 @@ ...@@ -12,8 +12,8 @@
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
* <dgoeddel@trustedcs.com> * <dgoeddel@trustedcs.com>
* Copyright (C) 2006 Hewlett-Packard Development Company, L.P. * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
* Paul Moore, <paul.moore@hp.com> * Paul Moore <paul.moore@hp.com>
* Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
* Yuichi Nakamura <ynakam@hitachisoft.jp> * Yuichi Nakamura <ynakam@hitachisoft.jp>
* *
...@@ -3845,6 +3845,29 @@ static int selinux_socket_unix_may_send(struct socket *sock, ...@@ -3845,6 +3845,29 @@ static int selinux_socket_unix_may_send(struct socket *sock,
return 0; return 0;
} }
static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
u32 peer_sid,
struct avc_audit_data *ad)
{
int err;
u32 if_sid;
u32 node_sid;
err = sel_netif_sid(ifindex, &if_sid);
if (err)
return err;
err = avc_has_perm(peer_sid, if_sid,
SECCLASS_NETIF, NETIF__INGRESS, ad);
if (err)
return err;
err = sel_netnode_sid(addrp, family, &node_sid);
if (err)
return err;
return avc_has_perm(peer_sid, node_sid,
SECCLASS_NODE, NODE__RECVFROM, ad);
}
static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
struct sk_buff *skb, struct sk_buff *skb,
struct avc_audit_data *ad, struct avc_audit_data *ad,
...@@ -3972,23 +3995,27 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) ...@@ -3972,23 +3995,27 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
return selinux_sock_rcv_skb_compat(sk, skb, &ad, return selinux_sock_rcv_skb_compat(sk, skb, &ad,
family, addrp); family, addrp);
if (selinux_secmark_enabled()) {
err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
return err;
}
if (netlbl_enabled() || selinux_xfrm_enabled()) { if (netlbl_enabled() || selinux_xfrm_enabled()) {
u32 peer_sid; u32 peer_sid;
err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
if (err)
return err;
err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
peer_sid, &ad);
if (err) if (err)
return err; return err;
err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
PEER__RECV, &ad); PEER__RECV, &ad);
} }
if (selinux_secmark_enabled()) {
err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
return err;
}
return err; return err;
} }
...@@ -4201,151 +4228,255 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) ...@@ -4201,151 +4228,255 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
#ifdef CONFIG_NETFILTER #ifdef CONFIG_NETFILTER
static int selinux_ip_postroute_last_compat(struct sock *sk, static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
struct net_device *dev, u16 family)
struct avc_audit_data *ad,
u16 family,
char *addrp)
{ {
int err = 0; char *addrp;
u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0; u32 peer_sid;
struct socket *sock; struct avc_audit_data ad;
struct inode *inode; u8 secmark_active;
struct inode_security_struct *isec; u8 peerlbl_active;
sock = sk->sk_socket; if (!selinux_policycap_netpeer)
if (!sock) return NF_ACCEPT;
goto out;
inode = SOCK_INODE(sock); secmark_active = selinux_secmark_enabled();
if (!inode) peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
goto out; if (!secmark_active && !peerlbl_active)
return NF_ACCEPT;
isec = inode->i_security; AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.netif = ifindex;
ad.u.net.family = family;
if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
return NF_DROP;
err = sel_netif_sid(dev->ifindex, &if_sid); if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
if (err) return NF_DROP;
goto out;
if (peerlbl_active)
if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
peer_sid, &ad) != 0)
return NF_DROP;
if (secmark_active)
if (avc_has_perm(peer_sid, skb->secmark,
SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
return NF_DROP;
return NF_ACCEPT;
}
static unsigned int selinux_ipv4_forward(unsigned int hooknum,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
return selinux_ip_forward(skb, in->ifindex, PF_INET);
}
switch (isec->sclass) { #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
static unsigned int selinux_ipv6_forward(unsigned int hooknum,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
return selinux_ip_forward(skb, in->ifindex, PF_INET6);
}
#endif /* IPV6 */
static int selinux_ip_postroute_iptables_compat(struct sock *sk,
int ifindex,
struct avc_audit_data *ad,
u16 family, char *addrp)
{
int err;
struct sk_security_struct *sksec = sk->sk_security;
u16 sk_class;
u32 netif_perm, node_perm, send_perm;
u32 port_sid, node_sid, if_sid, sk_sid;
sk_sid = sksec->sid;
sk_class = sksec->sclass;
switch (sk_class) {
case SECCLASS_UDP_SOCKET: case SECCLASS_UDP_SOCKET:
netif_perm = NETIF__UDP_SEND; netif_perm = NETIF__UDP_SEND;
node_perm = NODE__UDP_SEND; node_perm = NODE__UDP_SEND;
send_perm = UDP_SOCKET__SEND_MSG; send_perm = UDP_SOCKET__SEND_MSG;
break; break;
case SECCLASS_TCP_SOCKET: case SECCLASS_TCP_SOCKET:
netif_perm = NETIF__TCP_SEND; netif_perm = NETIF__TCP_SEND;
node_perm = NODE__TCP_SEND; node_perm = NODE__TCP_SEND;
send_perm = TCP_SOCKET__SEND_MSG; send_perm = TCP_SOCKET__SEND_MSG;
break; break;
case SECCLASS_DCCP_SOCKET: case SECCLASS_DCCP_SOCKET:
netif_perm = NETIF__DCCP_SEND; netif_perm = NETIF__DCCP_SEND;
node_perm = NODE__DCCP_SEND; node_perm = NODE__DCCP_SEND;
send_perm = DCCP_SOCKET__SEND_MSG; send_perm = DCCP_SOCKET__SEND_MSG;
break; break;
default: default:
netif_perm = NETIF__RAWIP_SEND; netif_perm = NETIF__RAWIP_SEND;
node_perm = NODE__RAWIP_SEND; node_perm = NODE__RAWIP_SEND;
send_perm = 0;
break; break;
} }
err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad); err = sel_netif_sid(ifindex, &if_sid);
if (err) if (err)
goto out; return err;
err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
return err;
err = sel_netnode_sid(addrp, family, &node_sid); err = sel_netnode_sid(addrp, family, &node_sid);
if (err) if (err)
goto out; return err;
err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
if (err) if (err)
goto out; return err;
if (send_perm) { if (send_perm != 0)
u32 port_sid; return 0;
err = security_port_sid(sk->sk_family, err = security_port_sid(sk->sk_family, sk->sk_type,
sk->sk_type, sk->sk_protocol, ntohs(ad->u.net.dport),
sk->sk_protocol,
ntohs(ad->u.net.dport),
&port_sid); &port_sid);
if (err) if (err)
goto out; return err;
return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
}
err = avc_has_perm(isec->sid, port_sid, isec->sclass, static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
send_perm, ad); int ifindex,
struct avc_audit_data *ad,
u16 family,
char *addrp,
u8 proto)
{
struct sock *sk = skb->sk;
struct sk_security_struct *sksec;
if (sk == NULL)
return NF_ACCEPT;
sksec = sk->sk_security;
if (selinux_compat_net) {
if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
ad, family, addrp))
return NF_DROP;
} else {
if (avc_has_perm(sksec->sid, skb->secmark,
SECCLASS_PACKET, PACKET__SEND, ad))
return NF_DROP;
} }
out:
return err; if (selinux_policycap_netpeer)
if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
return NF_DROP;
return NF_ACCEPT;
} }
static unsigned int selinux_ip_postroute_last(unsigned int hooknum, static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *),
u16 family) u16 family)
{ {
char *addrp; u32 secmark_perm;
int err = 0; u32 peer_sid;
struct sock *sk; struct sock *sk;
struct avc_audit_data ad; struct avc_audit_data ad;
struct net_device *dev = (struct net_device *)out; char *addrp;
struct sk_security_struct *sksec;
u8 proto; u8 proto;
u8 secmark_active;
sk = skb->sk; u8 peerlbl_active;
if (!sk)
goto out;
sksec = sk->sk_security;
AVC_AUDIT_DATA_INIT(&ad, NET); AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.netif = dev->ifindex; ad.u.net.netif = ifindex;
ad.u.net.family = family; ad.u.net.family = family;
if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
return NF_DROP;
err = selinux_parse_skb(skb, &ad, &addrp, 0, &proto); /* If any sort of compatibility mode is enabled then handoff processing
if (err) * to the selinux_ip_postroute_compat() function to deal with the
goto out; * special handling. We do this in an attempt to keep this function
* as fast and as clean as possible. */
if (selinux_compat_net || !selinux_policycap_netpeer)
return selinux_ip_postroute_compat(skb, ifindex, &ad,
family, addrp, proto);
/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
* packet transformation so allow the packet to pass without any checks
* since we'll have another chance to perform access control checks
* when the packet is on it's final way out.
* NOTE: there appear to be some IPv6 multicast cases where skb->dst
* is NULL, in this case go ahead and apply access control. */
if (skb->dst != NULL && skb->dst->xfrm != NULL)
return NF_ACCEPT;
secmark_active = selinux_secmark_enabled();
peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
if (!secmark_active && !peerlbl_active)
return NF_ACCEPT;
/* if the packet is locally generated (skb->sk != NULL) then use the
* socket's label as the peer label, otherwise the packet is being
* forwarded through this system and we need to fetch the peer label
* directly from the packet */
sk = skb->sk;
if (sk) {
struct sk_security_struct *sksec = sk->sk_security;
peer_sid = sksec->sid;
secmark_perm = PACKET__SEND;
} else {
if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
return NF_DROP;
secmark_perm = PACKET__FORWARD_OUT;
}
if (selinux_compat_net) if (secmark_active)
err = selinux_ip_postroute_last_compat(sk, dev, &ad, if (avc_has_perm(peer_sid, skb->secmark,
family, addrp); SECCLASS_PACKET, secmark_perm, &ad))
else return NF_DROP;
err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
PACKET__SEND, &ad);
if (err) if (peerlbl_active) {
goto out; u32 if_sid;
u32 node_sid;
err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto); if (sel_netif_sid(ifindex, &if_sid))
out: return NF_DROP;
return err ? NF_DROP : NF_ACCEPT; if (avc_has_perm(peer_sid, if_sid,
SECCLASS_NETIF, NETIF__EGRESS, &ad))
return NF_DROP;
if (sel_netnode_sid(addrp, family, &node_sid))
return NF_DROP;
if (avc_has_perm(peer_sid, node_sid,
SECCLASS_NODE, NODE__SENDTO, &ad))
return NF_DROP;
}
return NF_ACCEPT;
} }
static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum, static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
struct sk_buff *skb, struct sk_buff *skb,
const struct net_device *in, const struct net_device *in,
const struct net_device *out, const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET); return selinux_ip_postroute(skb, out->ifindex, PF_INET);
} }
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
struct sk_buff *skb, struct sk_buff *skb,
const struct net_device *in, const struct net_device *in,
const struct net_device *out, const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET6); return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
} }
#endif /* IPV6 */ #endif /* IPV6 */
#endif /* CONFIG_NETFILTER */ #endif /* CONFIG_NETFILTER */
...@@ -5333,22 +5464,40 @@ security_initcall(selinux_init); ...@@ -5333,22 +5464,40 @@ security_initcall(selinux_init);
#if defined(CONFIG_NETFILTER) #if defined(CONFIG_NETFILTER)
static struct nf_hook_ops selinux_ipv4_op = { static struct nf_hook_ops selinux_ipv4_ops[] = {
.hook = selinux_ipv4_postroute_last, {
.hook = selinux_ipv4_postroute,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.pf = PF_INET, .pf = PF_INET,
.hooknum = NF_INET_POST_ROUTING, .hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_SELINUX_LAST, .priority = NF_IP_PRI_SELINUX_LAST,
},
{
.hook = selinux_ipv4_forward,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_SELINUX_FIRST,
}
}; };
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
static struct nf_hook_ops selinux_ipv6_op = { static struct nf_hook_ops selinux_ipv6_ops[] = {
.hook = selinux_ipv6_postroute_last, {
.hook = selinux_ipv6_postroute,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.pf = PF_INET6, .pf = PF_INET6,
.hooknum = NF_INET_POST_ROUTING, .hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP6_PRI_SELINUX_LAST, .priority = NF_IP6_PRI_SELINUX_LAST,
},
{
.hook = selinux_ipv6_forward,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_SELINUX_FIRST,
}
}; };
#endif /* IPV6 */ #endif /* IPV6 */
...@@ -5356,22 +5505,27 @@ static struct nf_hook_ops selinux_ipv6_op = { ...@@ -5356,22 +5505,27 @@ static struct nf_hook_ops selinux_ipv6_op = {
static int __init selinux_nf_ip_init(void) static int __init selinux_nf_ip_init(void)
{ {
int err = 0; int err = 0;
u32 iter;
if (!selinux_enabled) if (!selinux_enabled)
goto out; goto out;
printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
err = nf_register_hook(&selinux_ipv4_op); for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
err = nf_register_hook(&selinux_ipv4_ops[iter]);
if (err) if (err)
panic("SELinux: nf_register_hook for IPv4: error %d\n", err); panic("SELinux: nf_register_hook for IPv4: error %d\n",
err);
}
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
err = nf_register_hook(&selinux_ipv6_op); err = nf_register_hook(&selinux_ipv6_ops[iter]);
if (err) if (err)
panic("SELinux: nf_register_hook for IPv6: error %d\n", err); panic("SELinux: nf_register_hook for IPv6: error %d\n",
err);
}
#endif /* IPV6 */ #endif /* IPV6 */
out: out:
...@@ -5383,11 +5537,15 @@ __initcall(selinux_nf_ip_init); ...@@ -5383,11 +5537,15 @@ __initcall(selinux_nf_ip_init);
#ifdef CONFIG_SECURITY_SELINUX_DISABLE #ifdef CONFIG_SECURITY_SELINUX_DISABLE
static void selinux_nf_ip_exit(void) static void selinux_nf_ip_exit(void)
{ {
u32 iter;
printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
nf_unregister_hook(&selinux_ipv4_op); for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
nf_unregister_hook(&selinux_ipv4_ops[iter]);
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
nf_unregister_hook(&selinux_ipv6_op); for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
nf_unregister_hook(&selinux_ipv6_ops[iter]);
#endif /* IPV6 */ #endif /* IPV6 */
} }
#endif #endif
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment