On Wed, 2006-05-03 at 15:53 -0400, Paul Moore wrote:
diff -purN kernel-2.6.16/security/selinux/hooks.c 
kernel-2.6.16-cipso_05032006/security/selinux/hooks.c
--- kernel-2.6.16/security/selinux/hooks.c      2006-05-02 10:41:02.000000000 
-0400
+++ kernel-2.6.16-cipso_05032006/security/selinux/hooks.c       2006-05-02 
14:19:13.000000000 -0400
@@ -3304,10 +3317,26 @@ static int selinux_socket_sock_rcv_skb(s
 
                err = avc_has_perm(sock_sid, port_sid,
                                   sock_class, recv_perm, &ad);
+                if (err)
+                        goto out;
        }
 
-       if (!err)
-               err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
+        /* PM - discuss these changes on the list */
+        err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
+        if (err == 0)
+                goto out;
+
+        err = security_netlbl_sid(skb, &netlbl_sid);
+        if (err)
+                goto out;
+        
+        err = avc_has_perm(sock_sid, 
+                           netlbl_sid, 
+                           SECCLASS_SOCKET, 
+                           SOCKET__RECV_MSG,
+                           &ad);
+        if (err)
+                netlbl_skbuff_err(skb, err);
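Review bot: The `if (err == 0) goto out;` test after selinux_xfrm_sock_rcv_skb() treats every non-zero return alike, so the `-EPERM` that the xfrm.c hunk returns for a security path with no authorizable state is overwritten by the next assignment to `err`. Such a packet is then judged on its NetLabel SID alone rather than being dropped. If `-EIDRM` is meant to signal "no IPsec label present" (inferred from the xfrm.c hunk, not stated on the page), only that value should continue to the NetLabel check: `if (err != -EIDRM) goto out;`. The `out:` label and the declaration of `netlbl_sid` lie outside the quoted hunk.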

We'll need to resolve how this should interact with the security marking
patches under development by James, see the RFC at:
http://marc.theaimsgroup.com/?l=linux-netdev&m=114516429530333&w=2
Patches should be forthcoming soon.

Those are intended to replace the existing SELinux netif/node/port
per-packet checks with a single per-packet check on each send/receive
based on the secmark assigned via iptables rules.  Exactly how that
should interact with both the implicit packet labeling via IPSEC and
with your NetLabel code isn't entirely clear to me; ideally, they could
all leverage the secmark functionality and everything could devolve to a
single check on send/recv based on the secmark.
 
diff -purN kernel-2.6.16/security/selinux/ss/services.c 
kernel-2.6.16-cipso_05032006/security/selinux/ss/services.c
--- kernel-2.6.16/security/selinux/ss/services.c        2006-05-02 
10:41:02.000000000 -0400
+++ kernel-2.6.16-cipso_05032006/security/selinux/ss/services.c 2006-05-02 
13:22:45.000000000 -0400
+int security_netlbl_sid(struct sk_buff *skb, u32 *sid)
+{
+        int ret_val = -EIDRM;
+        struct netlbl_lsm_secattr secattr;
+        struct context *ctx;
+        struct context ctx_new;
+
+        if (!ss_initialized)
+                return 0;
+
+        context_init(&ctx_new);
+        netlbl_secattr_init(&secattr);
+        secattr.lsm_type = NETLBL_LSM_SELINUX;
+        ret_val = netlbl_skbuff_read(skb, &secattr);
+        if (ret_val != 0)
+                goto netlbl_sid_failure;
+
+        if (secattr.set_selinux_sid)
+                *sid = secattr.lsm.selinux.sid;

Where do you check that the SID is defined/valid?

+        } else if (secattr.set_mls_lvl) {
+                ctx = sidtab_search(&sidtab, SECINITSID_NETMSG);
+                if (ctx == NULL)
+                        goto netlbl_sid_failure;
+
+                ret_val = context_cpy(&ctx_new, ctx);
+                if (ret_val != 0)
+                        goto netlbl_sid_failure;
+                mls_context_destroy(&ctx_new);
+
+                if (mls_import_lvl(&ctx_new, 
+                                   secattr.mls_lvl, 
+                                   secattr.mls_lvl) != 0)
+                        goto netlbl_sid_failure;
+                if (secattr.set_mls_cat) {
+                        if (mls_import_cat(&ctx_new,
+                                           secattr.mls_cat,
+                                           secattr.mls_cat_len,
+                                           secattr.mls_cat,
+                                           secattr.mls_cat_len) != 0)
+                                goto netlbl_sid_failure;
+                }
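Review bot: Several exits of security_netlbl_sid() as quoted can report success without producing a usable SID. The `if (!ss_initialized) return 0;` path never writes `*sid`, and the `ctx == NULL`, `mls_import_lvl` and `mls_import_cat` failures jump to `netlbl_sid_failure` while `ret_val` still holds the 0 left by the preceding successful call. The hooks.c hunk passes `netlbl_sid` to avc_has_perm() whenever this function returns 0, so the access check may run against an unset value unless the failure label, which is outside the quoted text, overrides `ret_val`. I would assign a negative errno before each jump, for example `ret_val = -ENOENT;` ahead of the `ctx == NULL` goto, and capture the import results with `ret_val = mls_import_lvl(...)`. The early return should either store a defined initial SID in `*sid` or return a value the caller can tell apart from success.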

Where do you check that the MLS field values are defined and form a
legal combination under the policy, e.g. mls_context_isvalid?

diff -purN kernel-2.6.16/security/selinux/xfrm.c 
kernel-2.6.16-cipso_05032006/security/selinux/xfrm.c
--- kernel-2.6.16/security/selinux/xfrm.c       2006-05-02 10:40:28.000000000 
-0400
+++ kernel-2.6.16-cipso_05032006/security/selinux/xfrm.c        2006-05-02 
14:20:51.000000000 -0400
@@ -317,21 +317,12 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_s
                        struct xfrm_state *x = sp->xvec[i];
 
                        if (x && selinux_authorizable_xfrm(x))
-                               goto accept;
+                                return 0;
                }
+                return -EPERM;
        }
 
-       /* check SELinux sock for unlabelled access */
-       rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
-                         ASSOCIATION__RECVFROM, NULL);
-       if (rc)
-               goto drop;
-
-accept:
-       return 0;
-
-drop:
-       return rc;
+       return -EIDRM;
 }
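Review bot: Dropping the `avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, NULL)` call means a packet with no security path is no longer checked against the unlabeled-association permission in this function; it now returns `-EIDRM` and leaves the decision to the caller. In the hooks.c hunk that caller decides only on the NetLabel lookup, so policy that relied on `ASSOCIATION__RECVFROM` for unlabeled traffic appears to lose enforcement for packets carrying neither label. What security_netlbl_sid() returns for such a packet is not visible here and should be confirmed. At minimum the new return should carry a comment such as `/* no sec path: caller must still apply an unlabeled-traffic check */`. The start of the function is outside the hunk.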

Not clear what you are doing here with these different error codes.  I
do agree that we want to unify the different per-packet checks.

-- 
Stephen Smalley
National Security Agency
