This patch is to include Venkat's changes to racoon for
negotiating the security context with MLS.
This patch is against the ipsec-tools-0.6.5-3.1 rpm in rawhide.
I have not yet had a chance to test it, so if you have problems, please
let me know.
Regards,
Joy Latten
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/isakmp_quick.c
ipsec-tools-0.6.5.patch/src/racoon/isakmp_quick.c
--- ipsec-tools-0.6.5.orig/src/racoon/isakmp_quick.c 2006-08-22
00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.patch/src/racoon/isakmp_quick.c 2006-08-22
02:22:57.000000000 -0500
@@ -2128,5 +2128,11 @@ get_proposal_r(iph2)
return ISAKMP_INTERNAL_ERROR;
}
+#ifdef HAVE_SECCTX
+ if (spidx.sec_ctx.ctx_str) {
+ set_secctx_in_proposal(iph2, spidx);
+ }
+#endif /* HAVE_SECCTX */
+
return 0;
}
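Review bot: The new guard `if (spidx.sec_ctx.ctx_str)` is always true if `ctx_str` is the fixed-size array that `MAX_CTXSTR_SIZE` in policy.h and the `memcpy` into it in pfkey.c suggest, so `set_secctx_in_proposal()` runs even when no context was supplied and copies `ctx_strlen` bytes of whatever the array holds. The test this patch removes from proposal.c used `*sp_main->spidx.sec_ctx.ctx_str`; the same form, or the length, is what is meant here: `if (spidx.sec_ctx.ctx_strlen != 0) set_secctx_in_proposal(iph2, spidx);`. Whether `iph2->proposal` is already allocated at this point is not visible in the hunk and should be confirmed, since `set_secctx_in_proposal()` dereferences it without a check. `get_proposal_r()` begins outside the hunk.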
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/pfkey.c
ipsec-tools-0.6.5.patch/src/racoon/pfkey.c
--- ipsec-tools-0.6.5.orig/src/racoon/pfkey.c 2006-08-22 00:49:53.000000000
-0500
+++ ipsec-tools-0.6.5.patch/src/racoon/pfkey.c 2006-08-22 02:27:21.000000000
-0500
@@ -1672,6 +1672,9 @@ pk_recvacquire(mhp)
struct ph2handle *iph2[MAXNESTEDSA];
struct sockaddr *src, *dst;
int n; /* # of phase 2 handler */
+#ifdef HAVE_SECCTX
+ struct sadb_x_sec_ctx *m_sec_ctx;
+#endif /* HAVE_SECCTX */
/* ignore this message because of local test mode. */
if (f_local)
@@ -1691,6 +1694,24 @@ pk_recvacquire(mhp)
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+#ifdef HAVE_SECCTX
+ m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
+
+ if (m_sec_ctx != NULL) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context algorithm: %u\n",
+ m_sec_ctx->sadb_x_ctx_alg);
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context length: %u\n",
+ m_sec_ctx->sadb_x_ctx_len);
+ plog(LLV_INFO, LOCATION, NULL, "security context: %s\n",
+ ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)));
+ }
+#endif /* HAVE_SECCTX */
+
/* ignore if type is not IPSEC_POLICY_IPSEC */
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
plog(LLV_DEBUG, LOCATION, NULL,
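Review bot: `m_sec_ctx->sadb_x_ctx_len` is taken from the PF_KEY message and used unchecked: the last `plog` prints the context with `%s`, which assumes a NUL terminator inside the extension, and the third hunk of this file (`memcpy(spidx.sec_ctx.ctx_str, ..., spidx.sec_ctx.ctx_strlen)`) copies that many bytes into the fixed `ctx_str` array sized by `MAX_CTXSTR_SIZE`. Even though the message comes from the kernel, the daemon should bound the length against its own buffer before either use, e.g. right after the NULL test: `if (m_sec_ctx->sadb_x_ctx_len > sizeof(spidx.sec_ctx.ctx_str)) { plog(LLV_ERROR, LOCATION, NULL, "security context too long\n"); return -1; }` (assuming `spidx` is the local used later in `pk_recvacquire()`). The log line is safer as `"security context: %.*s\n", (int)m_sec_ctx->sadb_x_ctx_len, ...` so it cannot read past the extension. Whether `sadb_x_ctx_len` counts the terminating NUL should also be confirmed, since `ctx_str` is printed with `%s` elsewhere in this patch. `pk_recvacquire()` starts and ends outside the hunk.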
@@ -1786,10 +1807,16 @@ pk_recvacquire(mhp)
spidx.prefs = sp_out->spidx.prefd;
spidx.prefd = sp_out->spidx.prefs;
spidx.ul_proto = sp_out->spidx.ul_proto;
+
#ifdef HAVE_SECCTX
- if (*sp_out->spidx.sec_ctx.ctx_str)
- memcpy(&spidx.sec_ctx, &sp_out->spidx.sec_ctx,
- sizeof(spidx.sec_ctx));
+ if (m_sec_ctx) {
+ spidx.sec_ctx.ctx_doi = m_sec_ctx->sadb_x_ctx_doi;
+ spidx.sec_ctx.ctx_alg = m_sec_ctx->sadb_x_ctx_alg;
+ spidx.sec_ctx.ctx_strlen = m_sec_ctx->sadb_x_ctx_len;
+ memcpy(spidx.sec_ctx.ctx_str,
+ ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)),
+ spidx.sec_ctx.ctx_strlen);
+ }
#endif
sp_in = getsp(&spidx);
@@ -1877,6 +1904,12 @@ pk_recvacquire(mhp)
delph2(iph2[n]);
return -1;
}
+#ifdef HAVE_SECCTX
+ if (m_sec_ctx) {
+ set_secctx_in_proposal(iph2[n], spidx);
+ }
+#endif /* HAVE_SECCTX */
+
insph2(iph2[n]);
/* start isakmp initiation by using ident exchange */
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/policy.c
ipsec-tools-0.6.5.patch/src/racoon/policy.c
--- ipsec-tools-0.6.5.orig/src/racoon/policy.c 2006-08-22 00:49:53.000000000
-0500
+++ ipsec-tools-0.6.5.patch/src/racoon/policy.c 2006-08-22 02:32:10.000000000
-0500
@@ -206,9 +206,13 @@ cmpspidxstrict(a, b)
#ifdef HAVE_SECCTX
if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg
|| a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
+#if 1
+ || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
+#else
|| a->sec_ctx.ctx_strlen != b->sec_ctx.ctx_strlen
|| (memcmp(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str,
a->sec_ctx.ctx_strlen) != 0))
+#endif
return 1;
#endif
return 0;
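Review bot: Replacing the length/`memcmp` equality test with `!within_range()` changes the result for policies that carry no security context: if both `ctx_str` are empty, `avc_context_to_sid("")` fails, `within_range()` returns 0 and the comparison now reports a mismatch where the old code reported a match, so unlabeled policies may no longer be found — it is not visible here whether both strings are guaranteed non-empty at this point. The same applies to the `cmpspidxwild()` hunk below. Consider keeping the old equality test when either context is empty and consulting `within_range()` only when both are set; note also that `within_range(a, b)` is asymmetric (sl vs. range), so callers must agree on which operand is the policy side. The `#if 1` / `#else` / `#endif` leaves the superseded test as dead code — drop the `#else` branch rather than commit it. Each call additionally re-runs `init_avc()` (see security.c), so every policy comparison pays an AVC initialization.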
@@ -284,9 +288,13 @@ cmpspidxwild(a, b)
#ifdef HAVE_SECCTX
if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg
|| a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
+#if 1
+ || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
+#else
|| a->sec_ctx.ctx_strlen != b->sec_ctx.ctx_strlen
|| (memcmp(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str,
a->sec_ctx.ctx_strlen) != 0))
+#endif
return 1;
#endif
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/policy.h
ipsec-tools-0.6.5.patch/src/racoon/policy.h
--- ipsec-tools-0.6.5.orig/src/racoon/policy.h 2006-08-22 00:49:53.000000000
-0500
+++ ipsec-tools-0.6.5.patch/src/racoon/policy.h 2006-08-22 02:20:28.000000000
-0500
@@ -35,6 +35,8 @@
#include <sys/queue.h>
#ifdef HAVE_SECCTX
+#include <selinux/selinux.h>
+
#define MAX_CTXSTR_SIZE 50
struct security_ctx {
u_int8_t ctx_doi; /* Security Context DOI */
@@ -146,6 +148,10 @@ extern void initsp __P((void));
extern struct ipsecrequest *newipsecreq __P((void));
extern const char *spidx2str __P((const struct policyindex *));
+#ifdef HAVE_SECCTX
extern int get_security_context __P((vchar_t *, struct policyindex *));
+extern int within_range __P((security_context_t, security_context_t));
+extern void set_secctx_in_proposal __P((struct *ph2handle, struct
policyindex));
+#endif
#endif /* _POLICY_H */
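Review bot: The new prototype `struct *ph2handle` is not valid C; it should read `extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));` to match the definition in security.c. Passing `struct policyindex` by value copies the whole index, including the `MAX_CTXSTR_SIZE` context buffer, on each call; `const struct policyindex *` would be the usual choice, changed in the definition and both callers as well. The prototype is also split across two lines in the mail, which looks like a wrapping artifact rather than the intended source.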
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/proposal.c
ipsec-tools-0.6.5.patch/src/racoon/proposal.c
--- ipsec-tools-0.6.5.orig/src/racoon/proposal.c 2006-08-22
00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.patch/src/racoon/proposal.c 2006-08-22
02:34:25.000000000 -0500
@@ -1025,15 +1025,6 @@ set_proposal_from_policy(iph2, sp_main,
newpp->lifetime = iph2->sainfo->lifetime;
newpp->lifebyte = iph2->sainfo->lifebyte;
newpp->pfs_group = iph2->sainfo->pfs_group;
-#ifdef HAVE_SECCTX
- if (*sp_main->spidx.sec_ctx.ctx_str) {
- newpp->sctx.ctx_doi = sp_main->spidx.sec_ctx.ctx_doi;
- newpp->sctx.ctx_alg = sp_main->spidx.sec_ctx.ctx_alg;
- newpp->sctx.ctx_strlen = sp_main->spidx.sec_ctx.ctx_strlen;
- memcpy(newpp->sctx.ctx_str, sp_main->spidx.sec_ctx.ctx_str,
- sp_main->spidx.sec_ctx.ctx_strlen);
- }
-#endif /* HAVE_SECCTX */
if (lcconf->complex_bundle)
goto skip1;
@@ -1196,7 +1187,11 @@ set_proposal_from_proposal(iph2)
pp0->sctx.ctx_strlen = pp_peer->sctx.ctx_strlen;
memcpy(pp0->sctx.ctx_str, pp_peer->sctx.ctx_str,
pp_peer->sctx.ctx_strlen);
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "RESPONDING with (%s).\n", pp_peer->sctx.ctx_str);
}
+
#endif /* HAVE_SECCTX */
if (pp_peer->next != NULL) {
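Review bot: The added `plog` prints `pp_peer->sctx.ctx_str` with `%s`, but the string is copied from the peer's payload with `memcpy(..., pp_peer->sctx.ctx_strlen)` just above, so its termination depends on the parser that filled `pp_peer->sctx`, which is not visible here. Bounding the output, `"RESPONDING with (%.*s).\n", (int)pp_peer->sctx.ctx_strlen, pp_peer->sctx.ctx_str`, keeps the log safe regardless. `LLV_INFO` emits the peer's label on every responder negotiation; `LLV_DEBUG` is worth considering for this and the pfkey.c context logs so the choice is consistent across the patch. `set_proposal_from_proposal()` begins and ends outside the hunk.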
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/security.c
ipsec-tools-0.6.5.patch/src/racoon/security.c
--- ipsec-tools-0.6.5.orig/src/racoon/security.c 2006-08-22
00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.patch/src/racoon/security.c 2006-08-22
02:46:01.000000000 -0500
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2005 International Business Machines Corporation
+ * Copyright (c) 2005 by Trusted Computer Solutions, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -36,6 +37,12 @@
#include <stdio.h>
#include <string.h>
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#include <selinux/avc.h>
+#include <selinux/context.h>
+
#include "var.h"
#include "vmbuf.h"
#include "misc.h"
@@ -150,3 +157,109 @@ get_security_context(sa, p)
}
return 0;
}
+
+void
+set_secctx_in_proposal(iph2, spidx)
+ struct ph2handle *iph2;
+ struct policyindex spidx;
+{
+ iph2->proposal->sctx.ctx_doi = spidx.sec_ctx.ctx_doi;
+ iph2->proposal->sctx.ctx_alg = spidx.sec_ctx.ctx_alg;
+ iph2->proposal->sctx.ctx_strlen = spidx.sec_ctx.ctx_strlen;
+ memcpy(iph2->proposal->sctx.ctx_str, spidx.sec_ctx.ctx_str,
+ spidx.sec_ctx.ctx_strlen);
+}
+
+
+/*
+ * function: init_avc
+ * description: function performs the steps necessary to initialize the
+ * userspace avc.
+ * input: void
+ * return: 0 if avc was successfully initialized
+ * 1 if the avc could not be initialized
+ */
+
+static int
+init_avc(void)
+{
+ int rtn = 0;
+
+ if (!is_selinux_mls_enabled()) {
+ plog(LLV_ERROR, LOCATION, NULL, "racoon: MLS support is not"
+ " enabled.\n");
+ return 1;
+ }
+
+ rtn = avc_init("racoon", NULL, NULL, NULL, NULL);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL, "racoon: could not initialize
avc.\n");
+ rtn = 1;
+ }
+ return rtn;
+}
+
+/*
+ * function: within_range
+ * description: function determines if the specified sl is within the
+ * configured range for a policy rule.
+ * input: security_context *sl SL
+ * char *range Range
+ * return: 1 if the sl is within the range
+ * 0 if the sl is not within the range or an error
+ * occurred which prevented the determination
+ */
+
+int
+within_range(security_context_t sl, security_context_t range)
+{
+ int rtn = 1;
+ security_id_t slsid;
+ security_id_t rangesid;
+ struct av_decision avd;
+ security_class_t tclass;
+ access_vector_t av;
+
+ rtn = init_avc();
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: couldn't initialize the AVC\n");
+ return 0;
+ }
+
+ /*
+ * Get the sids for the sl and range contexts
+ */
+ rtn = avc_context_to_sid(sl, &slsid);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: Unable to retrieve "
+ "sid for sl context (%s).\n", sl);
+ return 0;
+ }
+ rtn = avc_context_to_sid(range, &rangesid);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: Unable to retrieve "
+ "sid for range context (%s).\n", range);
+ sidput(slsid);
+ return 0;
+ }
+
+ /*
+ * Straight up test between sl and range
+ */
+ tclass = SECCLASS_ASSOCIATION;
+ av = ASSOCIATION__POLMATCH;
+ rtn = avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd);
+ if (rtn != 0) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "within_range: The sl is not within range\n");
+ sidput(slsid);
+ sidput(rangesid);
+ return 0;
+ }
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "within_range: The sl (%s) is within range (%s)\n", sl, range);
+ return 1;
+}
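Review bot: `within_range()` calls `init_avc()`, and thus `avc_init()`, on every invocation — once per policy comparison after this patch — with no `avc_destroy()` anywhere; the AVC should be initialized once and the outcome remembered. The success path also returns without `sidput()` on `slsid` and `rangesid`, while both error paths release them, so the references obtained from `avc_context_to_sid()` are leaked exactly when the check passes. The rewritten parts are below; the `is_selinux_mls_enabled()` check and the SID/permission calls are unchanged. Separately, `set_secctx_in_proposal()` dereferences `iph2->proposal` without a NULL check, and the `within_range` header comment names its inputs `security_context *sl` / `char *range`, which does not match the `security_context_t` signature. The literal `"racoon: could not initialize avc.\n"` appears broken across two lines in the mail and will not compile as shown.
```c
static int
init_avc(void)
{
	static int avc_ready = 0;	/* avc_init() must run once per process */

	if (avc_ready)
		return 0;
	/* ... unchanged: is_selinux_mls_enabled() check ... */
	if (avc_init("racoon", NULL, NULL, NULL, NULL) != 0) {
		plog(LLV_ERROR, LOCATION, NULL, "racoon: could not initialize avc.\n");
		return 1;
	}
	avc_ready = 1;
	return 0;
}

int
within_range(security_context_t sl, security_context_t range)
{
	/* ... unchanged: declarations, init_avc(), SID lookups, avc_has_perm() ... */
	plog(LLV_DEBUG, LOCATION, NULL,
	    "within_range: The sl (%s) is within range (%s)\n", sl, range);
	sidput(slsid);
	sidput(rangesid);
	return 1;
}
```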