Linux kernel documentation tree maintained by Jonathan Corbet http://mirrors.hust.edu.cn/git/lwn.git/atom?h=v2.6.30.1 2009-03-28T04:01:36+00:00 2009-03-28T04:01:36+00:00 Paul Moore paul.moore@hp.com 2009-03-27T21:10:34+00:00 urn:sha1:389fb800ac8be2832efedd19978a2b8ced37eb61 The current NetLabel/SELinux behavior for incoming TCP connections works but only through a series of happy coincidences that rely on the limited nature of standard CIPSO (only able to convey MLS attributes) and the write equality imposed by the SELinux MLS constraints. The problem is that network sockets created as the result of an incoming TCP connection were not on-the-wire labeled based on the security attributes of the parent socket but rather based on the wire label of the remote peer. The issue had to do with how IP options were managed as part of the network stack and where the LSM hooks were in relation to the code which set the IP options on these newly created child sockets. While NetLabel/SELinux did correctly set the socket's on-the-wire label it was promptly cleared by the network stack and reset based on the IP options of the remote peer. This patch, in conjunction with a prior patch that adjusted the LSM hook locations, works to set the correct on-the-wire label format for new incoming connections through the security_inet_conn_request() hook. Besides the correct behavior there are many advantages to this change, the most significant is that all of the NetLabel socket labeling code in SELinux now lives in hooks which can return error codes to the core stack which allows us to finally get ride of the selinux_netlbl_inode_permission() logic which greatly simplfies the NetLabel/SELinux glue code. In the process of developing this patch I also ran into a small handful of AF_INET6 cleanliness issues that have been fixed which should make the code safer and easier to extend in the future. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <jmorris@namei.org> 2009-03-01T22:30:04+00:00 Paul Moore paul.moore@hp.com 2009-02-27T20:00:03+00:00 urn:sha1:d7f59dc4642ce2fc7b79fcd4ec02ffce7f21eb02 Rick McNeal from LSI identified a panic in selinux_netlbl_inode_permission() caused by a certain sequence of SUNRPC operations. The problem appears to be due to the lack of NULL pointer checking in the function; this patch adds the pointer checks so the function will exit safely in the cases where the socket is not completely initialized. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 2009-02-22T23:05:55+00:00 Paul Moore paul.moore@hp.com 2009-02-20T21:33:02+00:00 urn:sha1:09c50b4a52c01a1f450b8eec819089e228655bfb At some point we (okay, I) managed to break the ability for users to use the setsockopt() syscall to set IPv4 options when NetLabel was not active on the socket in question. The problem was noticed by someone trying to use the "-R" (record route) option of ping: # ping -R 10.0.0.1 ping: record route: No message of desired type The solution is relatively simple, we catch the unlabeled socket case and clear the error code, allowing the operation to succeed. Please note that we still deny users the ability to override IPv4 options on socket's which have NetLabel labeling active; this is done to ensure the labeling remains intact. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 2008-10-10T14:16:33+00:00 Paul Moore paul.moore@hp.com 2008-10-10T14:16:33+00:00 urn:sha1:6c5b3fc0147f79d714d2fe748b5869d7892ef2e7 Previous work enabled the use of address based NetLabel selectors, which while highly useful, brought the potential for additional per-packet overhead when used. This patch attempts to mitigate some of that overhead by caching the NetLabel security attribute struct within the SELinux socket security structure. This should help eliminate the need to recreate the NetLabel secattr structure for each packet resulting in less overhead. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> 2008-10-10T14:16:33+00:00 Paul Moore paul.moore@hp.com 2008-10-10T14:16:33+00:00 urn:sha1:014ab19a69c325f52d7bae54ceeda73d6307ae0c Previous work enabled the use of address based NetLabel selectors, which while highly useful, brought the potential for additional per-packet overhead when used. This patch attempts to solve that by applying NetLabel socket labels when sockets are connect()'d. This should alleviate the per-packet NetLabel labeling for all connected sockets (yes, it even works for connected DGRAM sockets). Signed-off-by: Paul Moore <paul.moore@hp.com> Reviewed-by: James Morris <jmorris@namei.org> 2008-10-10T14:16:32+00:00 Paul Moore paul.moore@hp.com 2008-10-10T14:16:32+00:00 urn:sha1:948bf85c1bc9a84754786a9d5dd99b7ecc46451e This patch builds upon the new NetLabel address selector functionality by providing the NetLabel KAPI and CIPSO engine support needed to enable the new packet-based labeling. The only new addition to the NetLabel KAPI at this point is shown below: * int netlbl_skbuff_setattr(skb, family, secattr) ... and is designed to be called from a Netfilter hook after the packet's IP header has been populated such as in the FORWARD or LOCAL_OUT hooks. This patch also provides the necessary SELinux hooks to support this new functionality. Smack support is not currently included due to uncertainty regarding the permissions needed to expand the Smack network access controls. Signed-off-by: Paul Moore <paul.moore@hp.com> Reviewed-by: James Morris <jmorris@namei.org> 2008-10-10T14:16:31+00:00 Paul Moore paul.moore@hp.com 2008-10-10T14:16:31+00:00 urn:sha1:dfaebe9825ff34983778f287101bc5f3bce00640 At some point I think I messed up and dropped the calls to netlbl_skbuff_err() which are necessary for CIPSO to send error notifications to remote systems. This patch re-introduces the error handling calls into the SELinux code. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> 2008-10-10T14:16:29+00:00 Paul Moore paul.moore@hp.com 2008-10-10T14:16:29+00:00 urn:sha1:accc609322ef5ed44cba6d2d70c741afc76385fb We were doing a lot of extra work in selinux_netlbl_sock_graft() what wasn't necessary so this patch removes that code. It also removes the redundant second argument to selinux_netlbl_sock_setsid() which allows us to simplify a few other functions. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> 2008-04-21T09:05:04+00:00 Eric Paris eparis@redhat.com 2008-04-18T21:38:23+00:00 urn:sha1:a6aaafeecca7ea1ddb5d7dac09e468ae14751fcd This patch changes netlabel.c to fix whitespace and syntax issues. Things that are fixed may include (does not not have to include) whitespace at end of lines spaces followed by tabs spaces used instead of tabs spacing around parenthesis locateion of { around struct and else clauses location of * in pointer declarations removal of initialization of static data to keep it in the right section useless {} in if statemetns useless checking for NULL before kfree fixing of the indentation depth of switch statements and any number of other things I forgot to mention Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org> 2008-04-18T10:26:06+00:00 Adrian Bunk bunk@kernel.org 2008-02-27T21:20:42+00:00 urn:sha1:d4ee4231a3a8731576ef0e0a7e1225e4fde1e659 Every file should include the headers containing the externs for its global code. Signed-off-by: Adrian Bunk <bunk@kernel.org> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>