summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2006-11-17 17:38:54 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-02 21:24:14 -0800
commit3de4bab5b9f8848a0c16a4b1ffe0452f0d670237 (patch)
treef65c12b53bf2ad02645ea31522f67e7318019498 /security
parent9f2ad66509b182b399a5b03de487f45bde623524 (diff)
downloadlwn-3de4bab5b9f8848a0c16a4b1ffe0452f0d670237.tar.gz
lwn-3de4bab5b9f8848a0c16a4b1ffe0452f0d670237.zip
SELinux: peer secid consolidation for external network labeling
Now that labeled IPsec makes use of the peer_sid field in the sk_security_struct we can remove a lot of the special cases between labeled IPsec and NetLabel. In addition, create a new function, security_skb_extlbl_sid(), which we can use in several places to get the security context of the packet's external label which allows us to further simplify the code in a few places. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c43
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/include/selinux_netlabel.h28
-rw-r--r--security/selinux/include/xfrm.h5
-rw-r--r--security/selinux/ss/services.c90
-rw-r--r--security/selinux/xfrm.c33
6 files changed, 52 insertions, 150 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 975c0dfb5a11..a29d78d3f44c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3574,27 +3574,16 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
u32 scontext_len;
struct sk_security_struct *ssec;
struct inode_security_struct *isec;
- u32 peer_sid = 0;
+ u32 peer_sid = SECSID_NULL;
isec = SOCK_INODE(sock)->i_security;
- /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
- if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
+ if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
+ isec->sclass == SECCLASS_TCP_SOCKET) {
ssec = sock->sk->sk_security;
peer_sid = ssec->peer_sid;
}
- else if (isec->sclass == SECCLASS_TCP_SOCKET) {
- peer_sid = selinux_netlbl_socket_getpeersec_stream(sock);
- if (peer_sid == SECSID_NULL) {
- ssec = sock->sk->sk_security;
- peer_sid = ssec->peer_sid;
- }
- if (peer_sid == SECSID_NULL) {
- err = -ENOPROTOOPT;
- goto out;
- }
- }
- else {
+ if (peer_sid == SECSID_NULL) {
err = -ENOPROTOOPT;
goto out;
}
@@ -3626,13 +3615,12 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
u32 peer_secid = SECSID_NULL;
int err = 0;
- if (sock && (sock->sk->sk_family == PF_UNIX))
+ if (sock && sock->sk->sk_family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
- else if (skb) {
- peer_secid = selinux_netlbl_socket_getpeersec_dgram(skb);
- if (peer_secid == SECSID_NULL)
- peer_secid = selinux_socket_getpeer_dgram(skb);
- }
+ else if (skb)
+ security_skb_extlbl_sid(skb,
+ SECINITSID_UNLABELED,
+ &peer_secid);
if (peer_secid == SECSID_NULL)
err = -EINVAL;
@@ -3693,17 +3681,10 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
u32 newsid;
u32 peersid;
- newsid = selinux_netlbl_inet_conn_request(skb, sksec->sid);
- if (newsid != SECSID_NULL) {
- req->secid = newsid;
- return 0;
- }
-
- selinux_skb_xfrm_sid(skb, &peersid);
-
+ security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
if (peersid == SECSID_NULL) {
req->secid = sksec->sid;
- req->peer_secid = 0;
+ req->peer_secid = SECSID_NULL;
return 0;
}
@@ -3738,7 +3719,7 @@ static void selinux_inet_conn_established(struct sock *sk,
{
struct sk_security_struct *sksec = sk->sk_security;
- selinux_skb_xfrm_sid(skb, &sksec->peer_sid);
+ security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
}
static void selinux_req_classify_flow(const struct request_sock *req,
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 1ef79172cc8c..015f697e925f 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -8,6 +8,7 @@
#ifndef _SELINUX_SECURITY_H_
#define _SELINUX_SECURITY_H_
+#include <linux/skbuff.h>
#include "flask.h"
#define SECSID_NULL 0x00000000 /* unspecified SID */
@@ -80,6 +81,8 @@ int security_netif_sid(char *name, u32 *if_sid,
int security_node_sid(u16 domain, void *addr, u32 addrlen,
u32 *out_sid);
+void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);
+
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
u16 tclass);
diff --git a/security/selinux/include/selinux_netlabel.h b/security/selinux/include/selinux_netlabel.h
index 57943f4a8f90..2a732c9033e3 100644
--- a/security/selinux/include/selinux_netlabel.h
+++ b/security/selinux/include/selinux_netlabel.h
@@ -38,14 +38,12 @@
#ifdef CONFIG_NETLABEL
void selinux_netlbl_cache_invalidate(void);
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
int selinux_netlbl_socket_post_create(struct socket *sock);
void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
-u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid);
int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
struct sk_buff *skb,
struct avc_audit_data *ad);
-u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);
-u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);
void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
int family);
void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
@@ -62,6 +60,14 @@ static inline void selinux_netlbl_cache_invalidate(void)
return;
}
+static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+ u32 base_sid,
+ u32 *sid)
+{
+ *sid = SECSID_NULL;
+ return 0;
+}
+
static inline int selinux_netlbl_socket_post_create(struct socket *sock)
{
return 0;
@@ -73,12 +79,6 @@ static inline void selinux_netlbl_sock_graft(struct sock *sk,
return;
}
-static inline u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb,
- u32 sock_sid)
-{
- return SECSID_NULL;
-}
-
static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
struct sk_buff *skb,
struct avc_audit_data *ad)
@@ -86,16 +86,6 @@ static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
return 0;
}
-static inline u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
-{
- return SECSID_NULL;
-}
-
-static inline u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
-{
- return SECSID_NULL;
-}
-
static inline void selinux_netlbl_sk_security_reset(
struct sk_security_struct *ssec,
int family)
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index ebd7246a4be5..161eb571c82d 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -36,7 +36,6 @@ int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
struct avc_audit_data *ad);
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
struct avc_audit_data *ad, u8 proto);
-u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
#else
static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
@@ -51,10 +50,6 @@ static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
return 0;
}
-static inline int selinux_socket_getpeer_dgram(struct sk_buff *skb)
-{
- return SECSID_NULL;
-}
static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
{
*sid = SECSID_NULL;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b66b454fe72b..b43dd803fd5e 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -54,6 +54,7 @@
#include "mls.h"
#include "objsec.h"
#include "selinux_netlabel.h"
+#include "xfrm.h"
extern void selnl_notify_policyload(u32 seqno);
unsigned int policydb_loaded_version;
@@ -2191,6 +2192,32 @@ void selinux_audit_set_callback(int (*callback)(void))
aurule_callback = callback;
}
+/**
+ * security_skb_extlbl_sid - Determine the external label of a packet
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
+ * @sid: the packet's SID
+ *
+ * Description:
+ * Check the various different forms of external packet labeling and determine
+ * the external SID for the packet.
+ *
+ */
+void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
+{
+ u32 xfrm_sid;
+ u32 nlbl_sid;
+
+ selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ if (selinux_netlbl_skbuff_getsid(skb,
+ (xfrm_sid == SECSID_NULL ?
+ base_sid : xfrm_sid),
+ &nlbl_sid) != 0)
+ nlbl_sid = SECSID_NULL;
+
+ *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+}
+
#ifdef CONFIG_NETLABEL
/*
* This is the structure we store inside the NetLabel cache block.
@@ -2408,9 +2435,7 @@ netlbl_secattr_to_sid_return_cleanup:
* assign to the packet. Returns zero on success, negative values on failure.
*
*/
-static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
- u32 base_sid,
- u32 *sid)
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
{
int rc;
struct netlbl_lsm_secattr secattr;
@@ -2616,29 +2641,6 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
}
/**
- * selinux_netlbl_inet_conn_request - Handle a new connection request
- * @skb: the packet
- * @sock_sid: the SID of the parent socket
- *
- * Description:
- * If present, use the security attributes of the packet in @skb and the
- * parent sock's SID to arrive at a SID for the new child sock. Returns the
- * SID of the connection or SECSID_NULL on failure.
- *
- */
-u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
-{
- int rc;
- u32 peer_sid;
-
- rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);
- if (rc != 0)
- return SECSID_NULL;
-
- return peer_sid;
-}
-
-/**
* selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
* @inode: the file descriptor's inode
* @mask: the permission mask
@@ -2728,42 +2730,6 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
}
/**
- * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
- * @sock: the socket
- *
- * Description:
- * Examine @sock to find the connected peer's SID. Returns the SID on success
- * or SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
-{
- struct sk_security_struct *sksec = sock->sk->sk_security;
- return sksec->peer_sid;
-}
-
-/**
- * selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet
- * @skb: the packet
- *
- * Description:
- * Examine @skb to find the SID assigned to it by NetLabel. Returns the SID on
- * success, SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
-{
- int peer_sid;
-
- if (selinux_netlbl_skbuff_getsid(skb,
- SECINITSID_UNLABELED,
- &peer_sid) != 0)
- return SECSID_NULL;
-
- return peer_sid;
-}
-
-/**
* selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
* @sock: the socket
* @level: the socket level or protocol
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 9b777140068f..bd8d1ef40a90 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -372,39 +372,6 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
kfree(ctx);
}
-/*
- * SELinux internal function to retrieve the context of a UDP packet
- * based on its security association.
- *
- * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
- * type SCM_SECURITY.
- */
-u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
-{
- struct sec_path *sp;
-
- if (skb == NULL)
- return SECSID_NULL;
-
- if (skb->sk->sk_protocol != IPPROTO_UDP)
- return SECSID_NULL;
-
- sp = skb->sp;
- if (sp) {
- int i;
-
- for (i = sp->len-1; i >= 0; i--) {
- struct xfrm_state *x = sp->xvec[i];
- if (selinux_authorizable_xfrm(x)) {
- struct xfrm_sec_ctx *ctx = x->security;
- return ctx->ctx_sid;
- }
- }
- }
-
- return SECSID_NULL;
-}
-
/*
* LSM hook implementation that authorizes deletion of labeled SAs.
*/