On Tue, 2006-06-13 at 17:09 -0500, Venkat Yekkirala wrote:
> This patch adds enforcement of controls added to the xfrm subsystem. Three
> new hooks are added to help with this. Security for IP sockets at the sock
> level is also added. A polmatch permission is also added to the association
> access vector to enable arbitration of flow/state access to a policy rule.

> --- linux-2.6.16.vanilla/security/selinux/xfrm.c      2006-06-12 
> 17:49:44.000000000 -0500
> +++ linux-2.6.16/security/selinux/xfrm.c      2006-06-13 08:40:48.000000000 
> -0500
> @@ -334,34 +472,25 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_s
>  {
>       int i, rc = 0;
>       struct sec_path *sp;
> +     u32 sel_sid = SECINITSID_UNLABELED;
>  
>       sp = skb->sp;
>  
>       if (sp) {
> -             /*
> -              * __xfrm_policy_check does not approve unless xfrm_policy_ok
> -              * says that spi's match for policy and the socket.
> -              *
> -              *  Only need to verify the existence of an authorizable sp.
> -              */
>               for (i = 0; i < sp->len; i++) {
>                       struct xfrm_state *x = sp->xvec[i];
>  
> -                     if (x && selinux_authorizable_xfrm(x))
> -                             goto accept;
> +                     if (x && selinux_authorizable_xfrm(x)) {
> +                             struct xfrm_sec_ctx *ctx = x->security;
> +                             sel_sid = ctx->ctx_sid;
> +                             break;
> +                     }
>               }
>       }
>  
> -     /* check SELinux sock for unlabelled access */
> -     rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
> +     rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
>                         ASSOCIATION__RECVFROM, NULL);
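Review bot: the loop breaks at the first authorizable xfrm_state in sp->xvec, so when the sec_path carries more than one labeled SA only that SA's ctx_sid is checked for ASSOCIATION__RECVFROM against isec_sid and the remaining SAs are never arbitrated; either run the recvfrom check for every authorizable state in the loop, or add a comment recording why the first one is sufficient. The dereference `sel_sid = ctx->ctx_sid;` also relies on selinux_authorizable_xfrm() guaranteeing that x->security is non-NULL, and the old comment block explaining the __xfrm_policy_check assumption was removed without a replacement; a short comment stating both that dependency and that sel_sid falls back to SECINITSID_UNLABELED when no authorizable state is present would keep the intent readable.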

BTW, I think it would be useful to have the caller
(selinux_sock_rcv_skb) pass in the &ad (avc_audit_data) it constructs
for its own permission checks and propagate that to this avc_has_perm()
call as well.  That way you'll get the network device and packet address
information included in the AVC messages for the association recvfrom
denials as well.  Likewise for postroute_last and the sendto checks.

-- 
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
