Commit 9faf65fb authored by Paul Moore's avatar Paul Moore Committed by James Morris

SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel

These changes will make NetLabel behave like labeled IPsec where there is an
access check for both labeled and unlabeled packets as well as providing the
ability to restrict domains to receiving only labeled packets when NetLabel
is in use.  The changes to the policy are straight forward with the
following necessary to receive labeled traffic (with SECINITSID_NETMSG
defined as "netlabel_peer_t"):

 allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;

The policy for unlabeled traffic would be:

 allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;

These policy changes, as well as more general NetLabel support, are included
in the SELinux Reference Policy SVN tree, r2352 or later.  Users who enable
NetLabel support in the kernel are strongly encouraged to upgrade their
policy to avoid network problems.
Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent ed032189
...@@ -3129,17 +3129,19 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, ...@@ -3129,17 +3129,19 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
/** /**
* selinux_skb_extlbl_sid - Determine the external label of a packet * selinux_skb_extlbl_sid - Determine the external label of a packet
* @skb: the packet * @skb: the packet
* @base_sid: the SELinux SID to use as a context for MLS only external labels
* @sid: the packet's SID * @sid: the packet's SID
* *
* Description: * Description:
* Check the various different forms of external packet labeling and determine * Check the various different forms of external packet labeling and determine
* the external SID for the packet. * the external SID for the packet. If only one form of external labeling is
* present then it is used, if both labeled IPsec and NetLabel labels are
* present then the SELinux type information is taken from the labeled IPsec
* SA and the MLS sensitivity label information is taken from the NetLabel
* security attributes. This bit of "magic" is done in the call to
* selinux_netlbl_skbuff_getsid().
* *
*/ */
static void selinux_skb_extlbl_sid(struct sk_buff *skb, static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
u32 base_sid,
u32 *sid)
{ {
u32 xfrm_sid; u32 xfrm_sid;
u32 nlbl_sid; u32 nlbl_sid;
...@@ -3147,10 +3149,9 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb, ...@@ -3147,10 +3149,9 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb,
selinux_skb_xfrm_sid(skb, &xfrm_sid); selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (selinux_netlbl_skbuff_getsid(skb, if (selinux_netlbl_skbuff_getsid(skb,
(xfrm_sid == SECSID_NULL ? (xfrm_sid == SECSID_NULL ?
base_sid : xfrm_sid), SECINITSID_NETMSG : xfrm_sid),
&nlbl_sid) != 0) &nlbl_sid) != 0)
nlbl_sid = SECSID_NULL; nlbl_sid = SECSID_NULL;
*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
} }
...@@ -3695,7 +3696,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * ...@@ -3695,7 +3696,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
if (sock && sock->sk->sk_family == PF_UNIX) if (sock && sock->sk->sk_family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb) else if (skb)
selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid); selinux_skb_extlbl_sid(skb, &peer_secid);
if (peer_secid == SECSID_NULL) if (peer_secid == SECSID_NULL)
err = -EINVAL; err = -EINVAL;
...@@ -3756,7 +3757,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, ...@@ -3756,7 +3757,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
u32 newsid; u32 newsid;
u32 peersid; u32 peersid;
selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); selinux_skb_extlbl_sid(skb, &peersid);
if (peersid == SECSID_NULL) { if (peersid == SECSID_NULL) {
req->secid = sksec->sid; req->secid = sksec->sid;
req->peer_secid = SECSID_NULL; req->peer_secid = SECSID_NULL;
...@@ -3794,7 +3795,7 @@ static void selinux_inet_conn_established(struct sock *sk, ...@@ -3794,7 +3795,7 @@ static void selinux_inet_conn_established(struct sock *sk,
{ {
struct sk_security_struct *sksec = sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
} }
static void selinux_req_classify_flow(const struct request_sock *req, static void selinux_req_classify_flow(const struct request_sock *req,
......
...@@ -158,9 +158,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) ...@@ -158,9 +158,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
netlbl_secattr_init(&secattr); netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, &secattr); rc = netlbl_skbuff_getattr(skb, &secattr);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
rc = security_netlbl_secattr_to_sid(&secattr, rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
base_sid,
sid);
else else
*sid = SECSID_NULL; *sid = SECSID_NULL;
netlbl_secattr_destroy(&secattr); netlbl_secattr_destroy(&secattr);
...@@ -198,7 +196,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) ...@@ -198,7 +196,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
if (netlbl_sock_getattr(sk, &secattr) == 0 && if (netlbl_sock_getattr(sk, &secattr) == 0 &&
secattr.flags != NETLBL_SECATTR_NONE && secattr.flags != NETLBL_SECATTR_NONE &&
security_netlbl_secattr_to_sid(&secattr, security_netlbl_secattr_to_sid(&secattr,
SECINITSID_UNLABELED, SECINITSID_NETMSG,
&nlbl_peer_sid) == 0) &nlbl_peer_sid) == 0)
sksec->peer_sid = nlbl_peer_sid; sksec->peer_sid = nlbl_peer_sid;
netlbl_secattr_destroy(&secattr); netlbl_secattr_destroy(&secattr);
...@@ -295,37 +293,31 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, ...@@ -295,37 +293,31 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
struct avc_audit_data *ad) struct avc_audit_data *ad)
{ {
int rc; int rc;
u32 netlbl_sid; u32 nlbl_sid;
u32 recv_perm; u32 perm;
rc = selinux_netlbl_skbuff_getsid(skb, rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid);
SECINITSID_UNLABELED,
&netlbl_sid);
if (rc != 0) if (rc != 0)
return rc; return rc;
if (nlbl_sid == SECSID_NULL)
if (netlbl_sid == SECSID_NULL) nlbl_sid = SECINITSID_UNLABELED;
return 0;
switch (sksec->sclass) { switch (sksec->sclass) {
case SECCLASS_UDP_SOCKET: case SECCLASS_UDP_SOCKET:
recv_perm = UDP_SOCKET__RECVFROM; perm = UDP_SOCKET__RECVFROM;
break; break;
case SECCLASS_TCP_SOCKET: case SECCLASS_TCP_SOCKET:
recv_perm = TCP_SOCKET__RECVFROM; perm = TCP_SOCKET__RECVFROM;
break; break;
default: default:
recv_perm = RAWIP_SOCKET__RECVFROM; perm = RAWIP_SOCKET__RECVFROM;
} }
rc = avc_has_perm(sksec->sid, rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
netlbl_sid,
sksec->sclass,
recv_perm,
ad);
if (rc == 0) if (rc == 0)
return 0; return 0;
if (nlbl_sid != SECINITSID_UNLABELED)
netlbl_skbuff_err(skb, rc); netlbl_skbuff_err(skb, rc);
return rc; return rc;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment