Commit 2b980dbd77d229eb60588802162c9659726b11f4
Committed by
James Morris
1 parent
d8e180dcd5
Exists in
master
and in
20 other branches
lsm: Add hooks to the TUN driver
The TUN driver lacks any LSM hooks which makes it difficult for LSM modules, such as SELinux, to enforce access controls on network traffic generated by TUN users; this is particularly problematic for virtualization apps such as QEMU and KVM. This patch adds three new LSM hooks designed to control the creation and attachment of TUN devices, the hooks are: * security_tun_dev_create() Provides access control for the creation of new TUN devices * security_tun_dev_post_create() Provides the ability to create the necessary socket LSM state for newly created TUN devices * security_tun_dev_attach() Provides access control for attaching to existing, persistent TUN devices and the ability to update the TUN device's socket LSM state as necessary Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@parisplace.org> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: James Morris <jmorris@namei.org>
Showing 4 changed files with 83 additions and 7 deletions Side-by-side Diff
drivers/net/tun.c
... | ... | @@ -130,17 +130,10 @@ |
130 | 130 | static int tun_attach(struct tun_struct *tun, struct file *file) |
131 | 131 | { |
132 | 132 | struct tun_file *tfile = file->private_data; |
133 | - const struct cred *cred = current_cred(); | |
134 | 133 | int err; |
135 | 134 | |
136 | 135 | ASSERT_RTNL(); |
137 | 136 | |
138 | - /* Check permissions */ | |
139 | - if (((tun->owner != -1 && cred->euid != tun->owner) || | |
140 | - (tun->group != -1 && !in_egroup_p(tun->group))) && | |
141 | - !capable(CAP_NET_ADMIN)) | |
142 | - return -EPERM; | |
143 | - | |
144 | 137 | netif_tx_lock_bh(tun->dev); |
145 | 138 | |
146 | 139 | err = -EINVAL; |
... | ... | @@ -926,6 +919,8 @@ |
926 | 919 | |
927 | 920 | dev = __dev_get_by_name(net, ifr->ifr_name); |
928 | 921 | if (dev) { |
922 | + const struct cred *cred = current_cred(); | |
923 | + | |
929 | 924 | if (ifr->ifr_flags & IFF_TUN_EXCL) |
930 | 925 | return -EBUSY; |
931 | 926 | if ((ifr->ifr_flags & IFF_TUN) && dev->netdev_ops == &tun_netdev_ops) |
... | ... | @@ -935,6 +930,14 @@ |
935 | 930 | else |
936 | 931 | return -EINVAL; |
937 | 932 | |
933 | + if (((tun->owner != -1 && cred->euid != tun->owner) || | |
934 | + (tun->group != -1 && !in_egroup_p(tun->group))) && | |
935 | + !capable(CAP_NET_ADMIN)) | |
936 | + return -EPERM; | |
937 | + err = security_tun_dev_attach(tun->sk); | |
938 | + if (err < 0) | |
939 | + return err; | |
940 | + | |
938 | 941 | err = tun_attach(tun, file); |
939 | 942 | if (err < 0) |
940 | 943 | return err; |
... | ... | @@ -947,6 +950,9 @@ |
947 | 950 | |
948 | 951 | if (!capable(CAP_NET_ADMIN)) |
949 | 952 | return -EPERM; |
953 | + err = security_tun_dev_create(); | |
954 | + if (err < 0) | |
955 | + return err; | |
950 | 956 | |
951 | 957 | /* Set dev type */ |
952 | 958 | if (ifr->ifr_flags & IFF_TUN) { |
... | ... | @@ -988,6 +994,8 @@ |
988 | 994 | |
989 | 995 | tun->sk = sk; |
990 | 996 | container_of(sk, struct tun_sock, sk)->tun = tun; |
997 | + | |
998 | + security_tun_dev_post_create(sk); | |
991 | 999 | |
992 | 1000 | tun_net_init(dev); |
993 | 1001 |
include/linux/security.h
... | ... | @@ -998,6 +998,17 @@ |
998 | 998 | * Sets the connection's peersid to the secmark on skb. |
999 | 999 | * @req_classify_flow: |
1000 | 1000 | * Sets the flow's sid to the openreq sid. |
1001 | + * @tun_dev_create: | |
1002 | + * Check permissions prior to creating a new TUN device. | |
1003 | + * @tun_dev_post_create: | |
1004 | + * This hook allows a module to update or allocate a per-socket security | |
1005 | + * structure. | |
1006 | + * @sk contains the newly created sock structure. | |
1007 | + * @tun_dev_attach: | |
1008 | + * Check permissions prior to attaching to a persistent TUN device. This | |
1009 | + * hook can also be used by the module to update any security state | |
1010 | + * associated with the TUN device's sock structure. | |
1011 | + * @sk contains the existing sock structure. | |
1001 | 1012 | * |
1002 | 1013 | * Security hooks for XFRM operations. |
1003 | 1014 | * |
... | ... | @@ -1597,6 +1608,9 @@ |
1597 | 1608 | void (*inet_csk_clone) (struct sock *newsk, const struct request_sock *req); |
1598 | 1609 | void (*inet_conn_established) (struct sock *sk, struct sk_buff *skb); |
1599 | 1610 | void (*req_classify_flow) (const struct request_sock *req, struct flowi *fl); |
1611 | + int (*tun_dev_create)(void); | |
1612 | + void (*tun_dev_post_create)(struct sock *sk); | |
1613 | + int (*tun_dev_attach)(struct sock *sk); | |
1600 | 1614 | #endif /* CONFIG_SECURITY_NETWORK */ |
1601 | 1615 | |
1602 | 1616 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
... | ... | @@ -2586,6 +2600,9 @@ |
2586 | 2600 | const struct request_sock *req); |
2587 | 2601 | void security_inet_conn_established(struct sock *sk, |
2588 | 2602 | struct sk_buff *skb); |
2603 | +int security_tun_dev_create(void); | |
2604 | +void security_tun_dev_post_create(struct sock *sk); | |
2605 | +int security_tun_dev_attach(struct sock *sk); | |
2589 | 2606 | |
2590 | 2607 | #else /* CONFIG_SECURITY_NETWORK */ |
2591 | 2608 | static inline int security_unix_stream_connect(struct socket *sock, |
... | ... | @@ -2735,6 +2752,20 @@ |
2735 | 2752 | static inline void security_inet_conn_established(struct sock *sk, |
2736 | 2753 | struct sk_buff *skb) |
2737 | 2754 | { |
2755 | +} | |
2756 | + | |
2757 | +static inline int security_tun_dev_create(void) | |
2758 | +{ | |
2759 | + return 0; | |
2760 | +} | |
2761 | + | |
2762 | +static inline void security_tun_dev_post_create(struct sock *sk) | |
2763 | +{ | |
2764 | +} | |
2765 | + | |
2766 | +static inline int security_tun_dev_attach(struct sock *sk) | |
2767 | +{ | |
2768 | + return 0; | |
2738 | 2769 | } |
2739 | 2770 | #endif /* CONFIG_SECURITY_NETWORK */ |
2740 | 2771 |
security/capability.c
... | ... | @@ -706,10 +706,26 @@ |
706 | 706 | { |
707 | 707 | } |
708 | 708 | |
709 | + | |
710 | + | |
709 | 711 | static void cap_req_classify_flow(const struct request_sock *req, |
710 | 712 | struct flowi *fl) |
711 | 713 | { |
712 | 714 | } |
715 | + | |
716 | +static int cap_tun_dev_create(void) | |
717 | +{ | |
718 | + return 0; | |
719 | +} | |
720 | + | |
721 | +static void cap_tun_dev_post_create(struct sock *sk) | |
722 | +{ | |
723 | +} | |
724 | + | |
725 | +static int cap_tun_dev_attach(struct sock *sk) | |
726 | +{ | |
727 | + return 0; | |
728 | +} | |
713 | 729 | #endif /* CONFIG_SECURITY_NETWORK */ |
714 | 730 | |
715 | 731 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
... | ... | @@ -1026,6 +1042,9 @@ |
1026 | 1042 | set_to_cap_if_null(ops, inet_csk_clone); |
1027 | 1043 | set_to_cap_if_null(ops, inet_conn_established); |
1028 | 1044 | set_to_cap_if_null(ops, req_classify_flow); |
1045 | + set_to_cap_if_null(ops, tun_dev_create); | |
1046 | + set_to_cap_if_null(ops, tun_dev_post_create); | |
1047 | + set_to_cap_if_null(ops, tun_dev_attach); | |
1029 | 1048 | #endif /* CONFIG_SECURITY_NETWORK */ |
1030 | 1049 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
1031 | 1050 | set_to_cap_if_null(ops, xfrm_policy_alloc_security); |
security/security.c
... | ... | @@ -1117,6 +1117,24 @@ |
1117 | 1117 | security_ops->inet_conn_established(sk, skb); |
1118 | 1118 | } |
1119 | 1119 | |
1120 | +int security_tun_dev_create(void) | |
1121 | +{ | |
1122 | + return security_ops->tun_dev_create(); | |
1123 | +} | |
1124 | +EXPORT_SYMBOL(security_tun_dev_create); | |
1125 | + | |
1126 | +void security_tun_dev_post_create(struct sock *sk) | |
1127 | +{ | |
1128 | + return security_ops->tun_dev_post_create(sk); | |
1129 | +} | |
1130 | +EXPORT_SYMBOL(security_tun_dev_post_create); | |
1131 | + | |
1132 | +int security_tun_dev_attach(struct sock *sk) | |
1133 | +{ | |
1134 | + return security_ops->tun_dev_attach(sk); | |
1135 | +} | |
1136 | +EXPORT_SYMBOL(security_tun_dev_attach); | |
1137 | + | |
1120 | 1138 | #endif /* CONFIG_SECURITY_NETWORK */ |
1121 | 1139 | |
1122 | 1140 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |