Root/
1 | /* |
2 | * SELinux NetLabel Support |
3 | * |
4 | * This file provides the necessary glue to tie NetLabel into the SELinux |
5 | * subsystem. |
6 | * |
7 | * Author: Paul Moore <paul.moore@hp.com> |
8 | * |
9 | */ |
10 | |
11 | /* |
12 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2007, 2008 |
13 | * |
14 | * This program is free software; you can redistribute it and/or modify |
15 | * it under the terms of the GNU General Public License as published by |
16 | * the Free Software Foundation; either version 2 of the License, or |
17 | * (at your option) any later version. |
18 | * |
19 | * This program is distributed in the hope that it will be useful, |
20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See |
22 | * the GNU General Public License for more details. |
23 | * |
24 | * You should have received a copy of the GNU General Public License |
25 | * along with this program; if not, write to the Free Software |
26 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
27 | * |
28 | */ |
29 | |
30 | #include <linux/spinlock.h> |
31 | #include <linux/rcupdate.h> |
32 | #include <linux/gfp.h> |
33 | #include <linux/ip.h> |
34 | #include <linux/ipv6.h> |
35 | #include <net/sock.h> |
36 | #include <net/netlabel.h> |
37 | #include <net/ip.h> |
38 | #include <net/ipv6.h> |
39 | |
40 | #include "objsec.h" |
41 | #include "security.h" |
42 | #include "netlabel.h" |
43 | |
44 | /** |
45 | * selinux_netlbl_sidlookup_cached - Cache a SID lookup |
46 | * @skb: the packet |
47 | * @secattr: the NetLabel security attributes |
48 | * @sid: the SID |
49 | * |
50 | * Description: |
51 | * Query the SELinux security server to lookup the correct SID for the given |
52 | * security attributes. If the query is successful, cache the result to speed |
53 | * up future lookups. Returns zero on success, negative values on failure. |
54 | * |
55 | */ |
56 | static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, |
57 | struct netlbl_lsm_secattr *secattr, |
58 | u32 *sid) |
59 | { |
60 | int rc; |
61 | |
62 | rc = security_netlbl_secattr_to_sid(secattr, sid); |
63 | if (rc == 0 && |
64 | (secattr->flags & NETLBL_SECATTR_CACHEABLE) && |
65 | (secattr->flags & NETLBL_SECATTR_CACHE)) |
66 | netlbl_cache_add(skb, secattr); |
67 | |
68 | return rc; |
69 | } |
70 | |
71 | /** |
72 | * selinux_netlbl_sock_genattr - Generate the NetLabel socket secattr |
73 | * @sk: the socket |
74 | * |
75 | * Description: |
76 | * Generate the NetLabel security attributes for a socket, making full use of |
77 | * the socket's attribute cache. Returns a pointer to the security attributes |
78 | * on success, NULL on failure. |
79 | * |
80 | */ |
81 | static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) |
82 | { |
83 | int rc; |
84 | struct sk_security_struct *sksec = sk->sk_security; |
85 | struct netlbl_lsm_secattr *secattr; |
86 | |
87 | if (sksec->nlbl_secattr != NULL) |
88 | return sksec->nlbl_secattr; |
89 | |
90 | secattr = netlbl_secattr_alloc(GFP_ATOMIC); |
91 | if (secattr == NULL) |
92 | return NULL; |
93 | rc = security_netlbl_sid_to_secattr(sksec->sid, secattr); |
94 | if (rc != 0) { |
95 | netlbl_secattr_free(secattr); |
96 | return NULL; |
97 | } |
98 | sksec->nlbl_secattr = secattr; |
99 | |
100 | return secattr; |
101 | } |
102 | |
103 | /** |
104 | * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache |
105 | * |
106 | * Description: |
107 | * Invalidate the NetLabel security attribute mapping cache. |
108 | * |
109 | */ |
110 | void selinux_netlbl_cache_invalidate(void) |
111 | { |
112 | netlbl_cache_invalidate(); |
113 | } |
114 | |
115 | /** |
116 | * selinux_netlbl_err - Handle a NetLabel packet error |
117 | * @skb: the packet |
118 | * @error: the error code |
119 | * @gateway: true if host is acting as a gateway, false otherwise |
120 | * |
121 | * Description: |
122 | * When a packet is dropped due to a call to avc_has_perm() pass the error |
123 | * code to the NetLabel subsystem so any protocol specific processing can be |
124 | * done. This is safe to call even if you are unsure if NetLabel labeling is |
125 | * present on the packet, NetLabel is smart enough to only act when it should. |
126 | * |
127 | */ |
128 | void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway) |
129 | { |
130 | netlbl_skbuff_err(skb, error, gateway); |
131 | } |
132 | |
133 | /** |
134 | * selinux_netlbl_sk_security_free - Free the NetLabel fields |
135 | * @sksec: the sk_security_struct |
136 | * |
137 | * Description: |
138 | * Free all of the memory in the NetLabel fields of a sk_security_struct. |
139 | * |
140 | */ |
141 | void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec) |
142 | { |
143 | if (sksec->nlbl_secattr != NULL) |
144 | netlbl_secattr_free(sksec->nlbl_secattr); |
145 | } |
146 | |
147 | /** |
148 | * selinux_netlbl_sk_security_reset - Reset the NetLabel fields |
149 | * @sksec: the sk_security_struct |
150 | * @family: the socket family |
151 | * |
152 | * Description: |
153 | * Called when the NetLabel state of a sk_security_struct needs to be reset. |
154 | * The caller is responsibile for all the NetLabel sk_security_struct locking. |
155 | * |
156 | */ |
157 | void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec) |
158 | { |
159 | sksec->nlbl_state = NLBL_UNSET; |
160 | } |
161 | |
162 | /** |
163 | * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel |
164 | * @skb: the packet |
165 | * @family: protocol family |
166 | * @type: NetLabel labeling protocol type |
167 | * @sid: the SID |
168 | * |
169 | * Description: |
170 | * Call the NetLabel mechanism to get the security attributes of the given |
171 | * packet and use those attributes to determine the correct context/SID to |
172 | * assign to the packet. Returns zero on success, negative values on failure. |
173 | * |
174 | */ |
175 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, |
176 | u16 family, |
177 | u32 *type, |
178 | u32 *sid) |
179 | { |
180 | int rc; |
181 | struct netlbl_lsm_secattr secattr; |
182 | |
183 | if (!netlbl_enabled()) { |
184 | *sid = SECSID_NULL; |
185 | return 0; |
186 | } |
187 | |
188 | netlbl_secattr_init(&secattr); |
189 | rc = netlbl_skbuff_getattr(skb, family, &secattr); |
190 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
191 | rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid); |
192 | else |
193 | *sid = SECSID_NULL; |
194 | *type = secattr.type; |
195 | netlbl_secattr_destroy(&secattr); |
196 | |
197 | return rc; |
198 | } |
199 | |
200 | /** |
201 | * selinux_netlbl_skbuff_setsid - Set the NetLabel on a packet given a sid |
202 | * @skb: the packet |
203 | * @family: protocol family |
204 | * @sid: the SID |
205 | * |
206 | * Description |
207 | * Call the NetLabel mechanism to set the label of a packet using @sid. |
208 | * Returns zero on success, negative values on failure. |
209 | * |
210 | */ |
211 | int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, |
212 | u16 family, |
213 | u32 sid) |
214 | { |
215 | int rc; |
216 | struct netlbl_lsm_secattr secattr_storage; |
217 | struct netlbl_lsm_secattr *secattr = NULL; |
218 | struct sock *sk; |
219 | |
220 | /* if this is a locally generated packet check to see if it is already |
221 | * being labeled by it's parent socket, if it is just exit */ |
222 | sk = skb->sk; |
223 | if (sk != NULL) { |
224 | struct sk_security_struct *sksec = sk->sk_security; |
225 | if (sksec->nlbl_state != NLBL_REQSKB) |
226 | return 0; |
227 | secattr = sksec->nlbl_secattr; |
228 | } |
229 | if (secattr == NULL) { |
230 | secattr = &secattr_storage; |
231 | netlbl_secattr_init(secattr); |
232 | rc = security_netlbl_sid_to_secattr(sid, secattr); |
233 | if (rc != 0) |
234 | goto skbuff_setsid_return; |
235 | } |
236 | |
237 | rc = netlbl_skbuff_setattr(skb, family, secattr); |
238 | |
239 | skbuff_setsid_return: |
240 | if (secattr == &secattr_storage) |
241 | netlbl_secattr_destroy(secattr); |
242 | return rc; |
243 | } |
244 | |
245 | /** |
246 | * selinux_netlbl_inet_conn_request - Label an incoming stream connection |
247 | * @req: incoming connection request socket |
248 | * |
249 | * Description: |
250 | * A new incoming connection request is represented by @req, we need to label |
251 | * the new request_sock here and the stack will ensure the on-the-wire label |
252 | * will get preserved when a full sock is created once the connection handshake |
253 | * is complete. Returns zero on success, negative values on failure. |
254 | * |
255 | */ |
256 | int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family) |
257 | { |
258 | int rc; |
259 | struct netlbl_lsm_secattr secattr; |
260 | |
261 | if (family != PF_INET) |
262 | return 0; |
263 | |
264 | netlbl_secattr_init(&secattr); |
265 | rc = security_netlbl_sid_to_secattr(req->secid, &secattr); |
266 | if (rc != 0) |
267 | goto inet_conn_request_return; |
268 | rc = netlbl_req_setattr(req, &secattr); |
269 | inet_conn_request_return: |
270 | netlbl_secattr_destroy(&secattr); |
271 | return rc; |
272 | } |
273 | |
274 | /** |
275 | * selinux_netlbl_inet_csk_clone - Initialize the newly created sock |
276 | * @sk: the new sock |
277 | * |
278 | * Description: |
279 | * A new connection has been established using @sk, we've already labeled the |
280 | * socket via the request_sock struct in selinux_netlbl_inet_conn_request() but |
281 | * we need to set the NetLabel state here since we now have a sock structure. |
282 | * |
283 | */ |
284 | void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) |
285 | { |
286 | struct sk_security_struct *sksec = sk->sk_security; |
287 | |
288 | if (family == PF_INET) |
289 | sksec->nlbl_state = NLBL_LABELED; |
290 | else |
291 | sksec->nlbl_state = NLBL_UNSET; |
292 | } |
293 | |
294 | /** |
295 | * selinux_netlbl_socket_post_create - Label a socket using NetLabel |
296 | * @sock: the socket to label |
297 | * @family: protocol family |
298 | * |
299 | * Description: |
300 | * Attempt to label a socket using the NetLabel mechanism using the given |
301 | * SID. Returns zero values on success, negative values on failure. |
302 | * |
303 | */ |
304 | int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) |
305 | { |
306 | int rc; |
307 | struct sk_security_struct *sksec = sk->sk_security; |
308 | struct netlbl_lsm_secattr *secattr; |
309 | |
310 | if (family != PF_INET) |
311 | return 0; |
312 | |
313 | secattr = selinux_netlbl_sock_genattr(sk); |
314 | if (secattr == NULL) |
315 | return -ENOMEM; |
316 | rc = netlbl_sock_setattr(sk, family, secattr); |
317 | switch (rc) { |
318 | case 0: |
319 | sksec->nlbl_state = NLBL_LABELED; |
320 | break; |
321 | case -EDESTADDRREQ: |
322 | sksec->nlbl_state = NLBL_REQSKB; |
323 | rc = 0; |
324 | break; |
325 | } |
326 | |
327 | return rc; |
328 | } |
329 | |
330 | /** |
331 | * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel |
332 | * @sksec: the sock's sk_security_struct |
333 | * @skb: the packet |
334 | * @family: protocol family |
335 | * @ad: the audit data |
336 | * |
337 | * Description: |
338 | * Fetch the NetLabel security attributes from @skb and perform an access check |
339 | * against the receiving socket. Returns zero on success, negative values on |
340 | * error. |
341 | * |
342 | */ |
343 | int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, |
344 | struct sk_buff *skb, |
345 | u16 family, |
346 | struct common_audit_data *ad) |
347 | { |
348 | int rc; |
349 | u32 nlbl_sid; |
350 | u32 perm; |
351 | struct netlbl_lsm_secattr secattr; |
352 | |
353 | if (!netlbl_enabled()) |
354 | return 0; |
355 | |
356 | netlbl_secattr_init(&secattr); |
357 | rc = netlbl_skbuff_getattr(skb, family, &secattr); |
358 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
359 | rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid); |
360 | else |
361 | nlbl_sid = SECINITSID_UNLABELED; |
362 | netlbl_secattr_destroy(&secattr); |
363 | if (rc != 0) |
364 | return rc; |
365 | |
366 | switch (sksec->sclass) { |
367 | case SECCLASS_UDP_SOCKET: |
368 | perm = UDP_SOCKET__RECVFROM; |
369 | break; |
370 | case SECCLASS_TCP_SOCKET: |
371 | perm = TCP_SOCKET__RECVFROM; |
372 | break; |
373 | default: |
374 | perm = RAWIP_SOCKET__RECVFROM; |
375 | } |
376 | |
377 | rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad); |
378 | if (rc == 0) |
379 | return 0; |
380 | |
381 | if (nlbl_sid != SECINITSID_UNLABELED) |
382 | netlbl_skbuff_err(skb, rc, 0); |
383 | return rc; |
384 | } |
385 | |
386 | /** |
387 | * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel |
388 | * @sock: the socket |
389 | * @level: the socket level or protocol |
390 | * @optname: the socket option name |
391 | * |
392 | * Description: |
393 | * Check the setsockopt() call and if the user is trying to replace the IP |
394 | * options on a socket and a NetLabel is in place for the socket deny the |
395 | * access; otherwise allow the access. Returns zero when the access is |
396 | * allowed, -EACCES when denied, and other negative values on error. |
397 | * |
398 | */ |
399 | int selinux_netlbl_socket_setsockopt(struct socket *sock, |
400 | int level, |
401 | int optname) |
402 | { |
403 | int rc = 0; |
404 | struct sock *sk = sock->sk; |
405 | struct sk_security_struct *sksec = sk->sk_security; |
406 | struct netlbl_lsm_secattr secattr; |
407 | |
408 | if (level == IPPROTO_IP && optname == IP_OPTIONS && |
409 | (sksec->nlbl_state == NLBL_LABELED || |
410 | sksec->nlbl_state == NLBL_CONNLABELED)) { |
411 | netlbl_secattr_init(&secattr); |
412 | lock_sock(sk); |
413 | rc = netlbl_sock_getattr(sk, &secattr); |
414 | release_sock(sk); |
415 | if (rc == 0) |
416 | rc = -EACCES; |
417 | else if (rc == -ENOMSG) |
418 | rc = 0; |
419 | netlbl_secattr_destroy(&secattr); |
420 | } |
421 | |
422 | return rc; |
423 | } |
424 | |
425 | /** |
426 | * selinux_netlbl_socket_connect - Label a client-side socket on connect |
427 | * @sk: the socket to label |
428 | * @addr: the destination address |
429 | * |
430 | * Description: |
431 | * Attempt to label a connected socket with NetLabel using the given address. |
432 | * Returns zero values on success, negative values on failure. |
433 | * |
434 | */ |
435 | int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr) |
436 | { |
437 | int rc; |
438 | struct sk_security_struct *sksec = sk->sk_security; |
439 | struct netlbl_lsm_secattr *secattr; |
440 | |
441 | if (sksec->nlbl_state != NLBL_REQSKB && |
442 | sksec->nlbl_state != NLBL_CONNLABELED) |
443 | return 0; |
444 | |
445 | local_bh_disable(); |
446 | bh_lock_sock_nested(sk); |
447 | |
448 | /* connected sockets are allowed to disconnect when the address family |
449 | * is set to AF_UNSPEC, if that is what is happening we want to reset |
450 | * the socket */ |
451 | if (addr->sa_family == AF_UNSPEC) { |
452 | netlbl_sock_delattr(sk); |
453 | sksec->nlbl_state = NLBL_REQSKB; |
454 | rc = 0; |
455 | goto socket_connect_return; |
456 | } |
457 | secattr = selinux_netlbl_sock_genattr(sk); |
458 | if (secattr == NULL) { |
459 | rc = -ENOMEM; |
460 | goto socket_connect_return; |
461 | } |
462 | rc = netlbl_conn_setattr(sk, addr, secattr); |
463 | if (rc == 0) |
464 | sksec->nlbl_state = NLBL_CONNLABELED; |
465 | |
466 | socket_connect_return: |
467 | bh_unlock_sock(sk); |
468 | local_bh_enable(); |
469 | return rc; |
470 | } |
471 |
Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master
Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9