security/selinux/netlabel.c
/*
 * SELinux NetLabel Support
 *
 * This file provides the necessary glue to tie NetLabel into the SELinux
 * subsystem.
 *
 * Author: Paul Moore <paul.moore@hp.com>
 *
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2007
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 */

#include <linux/spinlock.h>
#include <linux/rcupdate.h>
#include <net/sock.h>
#include <net/netlabel.h>

#include "objsec.h"
#include "security.h"
#include "netlabel.h"
/**
 * selinux_netlbl_sidlookup_cached - Cache a SID lookup
 * @skb: the packet
 * @secattr: the NetLabel security attributes
 * @sid: the SID
 *
 * Description:
 * Query the SELinux security server to lookup the correct SID for the given
 * security attributes.  If the query is successful, cache the result to speed
 * up future lookups.  Returns zero on success, negative values on failure.
 *
 * The cache is only primed when NetLabel flags the attributes as both
 * cacheable (NETLBL_SECATTR_CACHEABLE) and carrying cache data
 * (NETLBL_SECATTR_CACHE); a failed SID lookup is never cached.
 *
 */
static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
					   struct netlbl_lsm_secattr *secattr,
					   u32 *sid)
{
	int rc;

	rc = security_netlbl_secattr_to_sid(secattr, sid);
	/* Only a successful mapping of cacheable attributes goes in the cache. */
	if (rc == 0 &&
	    (secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
	    (secattr->flags & NETLBL_SECATTR_CACHE))
		netlbl_cache_add(skb, secattr);

	return rc;
}

/**
 * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
 * @sk: the socket to label
 * @sid: the SID to use
 *
 * Description:
 * Attempt to label a socket using the NetLabel mechanism using the given
 * SID.  Returns zero values on success, negative values on failure.
 *
 * The SID is translated into NetLabel security attributes and applied to @sk;
 * the socket's nlbl_state only advances to NLBL_LABELED once
 * netlbl_sock_setattr() has succeeded, so a failed attempt leaves the socket
 * eligible for a later retry.  The secattr is destroyed on every path.
 *
 * NOTE(review): sksec->nlbl_state is written here without taking a lock.
 * selinux_netlbl_inode_permission() calls this under bh_lock_sock(); the
 * other callers in this file do not - confirm they are serialised by their
 * callers.
 *
 */
static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid)
{
	int rc;
	struct sk_security_struct *sksec = sk->sk_security;
	struct netlbl_lsm_secattr secattr;

	netlbl_secattr_init(&secattr);

	rc = security_netlbl_sid_to_secattr(sid, &secattr);
	if (rc != 0)
		goto sock_setsid_return;
	rc = netlbl_sock_setattr(sk, &secattr);
	/* Mark the socket labeled only after NetLabel accepted the attributes. */
	if (rc == 0)
		sksec->nlbl_state = NLBL_LABELED;

sock_setsid_return:
	netlbl_secattr_destroy(&secattr);
	return rc;
}

/**
 * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
 *
 * Description:
 * Invalidate the NetLabel security attribute mapping cache.  This is a thin
 * wrapper around netlbl_cache_invalidate().
 *
 */
void selinux_netlbl_cache_invalidate(void)
{
	netlbl_cache_invalidate();
}

/**
 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
 * @ssec: the sk_security_struct
 * @family: the socket family
 *
 * Description:
 * Called when the NetLabel state of a sk_security_struct needs to be reset.
 * The caller is responsible for all the NetLabel sk_security_struct locking.
 *
 * Only PF_INET sockets are marked NLBL_REQUIRE, i.e. eligible for NetLabel
 * labeling; every other family is left NLBL_UNSET, which makes the labeling
 * hooks below return early for it.
 *
 */
void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
				      int family)
{
	if (family == PF_INET)
		ssec->nlbl_state = NLBL_REQUIRE;
	else
		ssec->nlbl_state = NLBL_UNSET;
}

/**
 * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
 * @skb: the packet
 * @family: protocol family
 * @type: NetLabel labeling protocol type
 * @sid: the SID
 *
 * Description:
 * Call the NetLabel mechanism to get the security attributes of the given
 * packet and use those attributes to determine the correct context/SID to
 * assign to the packet.  Returns zero on success, negative values on failure.
 *
 * @sid is SECSID_NULL when NetLabel is disabled, when the packet carries no
 * NetLabel attributes, or when fetching the attributes fails; in the last
 * case the fetch error is returned.
 *
 * NOTE(review): on the !netlbl_enabled() path @type is not written, so
 * callers should only consult @type when @sid is not SECSID_NULL - confirm
 * against the callers.
 *
 */
int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
				 u16 family,
				 u32 *type,
				 u32 *sid)
{
	int rc;
	struct netlbl_lsm_secattr secattr;

	/* NetLabel disabled: no label, and no error either. */
	if (!netlbl_enabled()) {
		*sid = SECSID_NULL;
		return 0;
	}

	netlbl_secattr_init(&secattr);
	rc = netlbl_skbuff_getattr(skb, family, &secattr);
	/* A SID is only looked up when the packet actually carried attributes. */
	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
		rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid);
	else
		*sid = SECSID_NULL;
	*type = secattr.type;
	netlbl_secattr_destroy(&secattr);

	return rc;
}

/**
 * selinux_netlbl_sock_graft - Netlabel the new socket
 * @sk: the new connection
 * @sock: the new socket
 *
 * Description:
 * The connection represented by @sk is being grafted onto @sock so set the
 * socket's NetLabel to match the SID of @sk.
 *
 * Only sockets still in NLBL_REQUIRE are handled.  The peer SID is updated
 * only when the attributes can be read from @sk, are non-empty, and map to a
 * SID; otherwise the existing peer_sid is left untouched.  The result of
 * the final labeling attempt is deliberately ignored (see the comment below).
 *
 */
void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
{
	struct sk_security_struct *sksec = sk->sk_security;
	struct netlbl_lsm_secattr secattr;
	u32 nlbl_peer_sid;

	if (sksec->nlbl_state != NLBL_REQUIRE)
		return;

	netlbl_secattr_init(&secattr);
	/* All three steps must succeed before peer_sid is overwritten. */
	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
	    secattr.flags != NETLBL_SECATTR_NONE &&
	    security_netlbl_secattr_to_sid(&secattr, &nlbl_peer_sid) == 0)
		sksec->peer_sid = nlbl_peer_sid;
	netlbl_secattr_destroy(&secattr);

	/* Try to set the NetLabel on the socket to save time later, if we fail
	 * here we will pick up the pieces in later calls to
	 * selinux_netlbl_inode_permission(). */
	selinux_netlbl_sock_setsid(sk, sksec->sid);
}

/**
 * selinux_netlbl_socket_post_create - Label a socket using NetLabel
 * @sock: the socket to label
 *
 * Description:
 * Attempt to label a socket using the NetLabel mechanism using the given
 * SID.  Returns zero values on success, negative values on failure.
 *
 * Sockets not in NLBL_REQUIRE (non-PF_INET, or already labeled) are left
 * alone and zero is returned; otherwise the socket's own SID is applied via
 * selinux_netlbl_sock_setsid().
 *
 */
int selinux_netlbl_socket_post_create(struct socket *sock)
{
	struct sock *sk = sock->sk;
	struct sk_security_struct *sksec = sk->sk_security;

	if (sksec->nlbl_state != NLBL_REQUIRE)
		return 0;

	return selinux_netlbl_sock_setsid(sk, sksec->sid);
}

/**
 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
 * @inode: the file descriptor's inode
 * @mask: the permission mask
 *
 * Description:
 * Looks at a file's inode and if it is marked as a socket protected by
 * NetLabel then verify that the socket has been labeled, if not try to label
 * the socket now with the inode's SID.  Returns zero on success, negative
 * values on failure.
 *
 * Labeling is lazy: only a write-type access (MAY_WRITE or MAY_APPEND) to a
 * socket inode whose sock is still NLBL_REQUIRE triggers it.  The first
 * nlbl_state check is an unlocked fast path; the state is checked again
 * under bh_lock_sock_nested() with bottom halves disabled before the label
 * is applied, presumably so that concurrent writers do not each label the
 * socket.
 *
 */
int selinux_netlbl_inode_permission(struct inode *inode, int mask)
{
	int rc;
	struct sock *sk;
	struct socket *sock;
	struct sk_security_struct *sksec;

	/* Only socket inodes, and only on a write-type access. */
	if (!S_ISSOCK(inode->i_mode) ||
	    ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
		return 0;

	sock = SOCKET_I(inode);
	sk = sock->sk;
	sksec = sk->sk_security;
	/* Unlocked fast path; re-checked below under the socket lock. */
	if (sksec->nlbl_state != NLBL_REQUIRE)
		return 0;

	local_bh_disable();
	bh_lock_sock_nested(sk);
	/* Another context may have labeled the socket since the check above. */
	if (likely(sksec->nlbl_state == NLBL_REQUIRE))
		rc = selinux_netlbl_sock_setsid(sk, sksec->sid);
	else
		rc = 0;
	bh_unlock_sock(sk);
	local_bh_enable();

	return rc;
}

/**
 * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
 * @sksec: the sock's sk_security_struct
 * @skb: the packet
 * @family: protocol family
 * @ad: the audit data
 *
 * Description:
 * Fetch the NetLabel security attributes from @skb and perform an access check
 * against the receiving socket.  Returns zero on success, negative values on
 * error.
 *
 * When NetLabel is disabled the check is skipped entirely.  Packets that
 * carry no NetLabel attributes are checked as SECINITSID_UNLABELED; packets
 * whose attributes cannot be fetched or mapped to a SID fail with that error
 * before any permission check.  The permission checked is the recvfrom
 * permission of the socket's class (UDP, TCP, else raw IP).  On denial the
 * failure is also reported to NetLabel via netlbl_skbuff_err(), but only for
 * packets that actually carried a label.
 *
 */
int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
				struct sk_buff *skb,
				u16 family,
				struct avc_audit_data *ad)
{
	int rc;
	u32 nlbl_sid;
	u32 perm;
	struct netlbl_lsm_secattr secattr;

	if (!netlbl_enabled())
		return 0;

	netlbl_secattr_init(&secattr);
	rc = netlbl_skbuff_getattr(skb, family, &secattr);
	/* Unlabeled traffic is checked against the unlabeled initial SID. */
	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
		rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid);
	else
		nlbl_sid = SECINITSID_UNLABELED;
	netlbl_secattr_destroy(&secattr);
	if (rc != 0)
		return rc;

	/* Pick the recvfrom permission matching the receiving socket's class. */
	switch (sksec->sclass) {
	case SECCLASS_UDP_SOCKET:
		perm = UDP_SOCKET__RECVFROM;
		break;
	case SECCLASS_TCP_SOCKET:
		perm = TCP_SOCKET__RECVFROM;
		break;
	default:
		perm = RAWIP_SOCKET__RECVFROM;
	}

	rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
	if (rc == 0)
		return 0;

	/* Only labeled packets have a NetLabel error path to report to. */
	if (nlbl_sid != SECINITSID_UNLABELED)
		netlbl_skbuff_err(skb, rc);
	return rc;
}

/**
 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
 * @sock: the socket
 * @level: the socket level or protocol
 * @optname: the socket option name
 *
 * Description:
 * Check the setsockopt() call and if the user is trying to replace the IP
 * options on a socket and a NetLabel is in place for the socket deny the
 * access; otherwise allow the access.  Returns zero when the access is
 * allowed, -EACCES when denied, and other negative values on error.
 *
 * Only IPPROTO_IP/IP_OPTIONS on a socket already in NLBL_LABELED state is
 * examined.  The socket's current NetLabel attributes are read under
 * lock_sock(); if NetLabel reports attributes present, replacing the IP
 * options is denied since that would strip the label.  A failure from
 * netlbl_sock_getattr() is returned as-is.
 *
 */
int selinux_netlbl_socket_setsockopt(struct socket *sock,
				     int level,
				     int optname)
{
	int rc = 0;
	struct sock *sk = sock->sk;
	struct sk_security_struct *sksec = sk->sk_security;
	struct netlbl_lsm_secattr secattr;

	if (level == IPPROTO_IP && optname == IP_OPTIONS &&
	    sksec->nlbl_state == NLBL_LABELED) {
		netlbl_secattr_init(&secattr);
		lock_sock(sk);
		rc = netlbl_sock_getattr(sk, &secattr);
		release_sock(sk);
		/* A label is actually present on the socket: refuse to replace it. */
		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
			rc = -EACCES;
		netlbl_secattr_destroy(&secattr);
	}

	return rc;
}