[GIT PULL] SELinux patches for 4.5

2015-12-24 Thread Paul Moore
Hi James,

Nine patches for v4.5; there are a handful of minor fixes (constify 
parameters, warning rate-limits, etc.) but there are a couple of significant 
patches that invalidate/revalidate inode labels (needed for gfs2) and make 
validate_trans decisions visible via selinuxfs.  All the patches pass the 
selinux-testsuite and have been included in the pcmoore/kernel-secnext Fedora 
COPR repository[1] for some time now, all looks good.

As of about five minutes ago, selinux#upstream applied cleanly on top of 
linux-security#next so I don't expect you should have any problems merging the 
code.

Happy holidays and merry merging,
-Paul

[1] https://copr.fedoraproject.org/coprs/pcmoore/kernel-secnext

---
The following changes since commit ebd68df3f24b318d391d15c458d6f43f340ba36a:

  Sync to Linus v4.4-rc2 for LSM developers. (2015-11-23 22:46:28 +1100)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/selinux upstream

for you to fetch changes up to 76319946f321e30872dd72af7de867cb26e7a373:

  selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() 
(2015-12-24 11:09:41 -0500)


Andreas Gruenbacher (7):
  selinux: Remove unused variable in selinux_inode_init_security
  security: Make inode argument of inode_getsecurity non-const
  security: Make inode argument of inode_getsecid non-const
  selinux: Add accessor functions for inode->i_security
  security: Add hook to invalidate inode security labels
  selinux: Revalidate invalid inode security labels
  gfs2: Invalid security labels of inodes when they go invalid

Andrew Perepechko (1):
  selinux: export validatetrans decisions

Vladis Dronov (1):
  selinux: rate-limit netlink message warnings in selinux_nlmsg_perm()

 fs/gfs2/glops.c |   2 +
 include/linux/audit.h   |   8 +-
 include/linux/lsm_hooks.h   |  10 +-
 include/linux/security.h|  13 ++-
 kernel/audit.c  |   2 +-
 kernel/audit.h  |   2 +-
 kernel/auditsc.c|   6 +-
 security/security.c |  12 ++-
 security/selinux/hooks.c| 206 --
 security/selinux/include/classmap.h |   2 +-
 security/selinux/include/objsec.h   |   6 ++
 security/selinux/include/security.h |   3 +
 security/selinux/selinuxfs.c|  80 ++
 security/selinux/ss/services.c  |  34 --
 security/smack/smack_lsm.c  |   4 +-
 15 files changed, 302 insertions(+), 88 deletions(-)

-- 
paul moore
security @ redhat

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH net] sctp: label accepted/peeled off sockets

2015-12-23 Thread Paul Moore
On Wednesday, December 23, 2015 04:44:09 PM Marcelo Ricardo Leitner wrote:
> From: Marcelo Ricardo Leitner 
> 
> Accepted or peeled off sockets were missing a security label (e.g.
> SELinux) which means that socket was in "unlabeled" state.
> 
> This patch clones the sock's label from the parent sock and resolves the
> issue (similar to AF_BLUETOOTH protocol family).
> 
> Cc: Paul Moore 
> Cc: David Teigland 
> Signed-off-by: Marcelo Ricardo Leitner 
> ---
>  net/sctp/socket.c | 2 ++
>  1 file changed, 2 insertions(+)

[NOTE: added the LSM and SELinux lists to the CC line as a FYI]

Proper SCTP support is on the SELinux todo list, but in the meantime it looks 
like the patch below should at least ensure that SCTP sockets inherit their 
parent's label which is probably the best we can hope for right now.

Acked-by: Paul Moore 

> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index
> 400a14d744834c7a503b338bc68f5f8b5b5dae8e..b67162767b7957b3e9f4f7bf52ab51fc1
> a3499c8 100644 --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -7202,6 +7202,8 @@ void sctp_copy_sock(struct sock *newsk, struct sock
> *sk,
> 
>   if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
>   net_enable_timestamp();
> +
> + security_sk_clone(sk, newsk);
>  }
> 
>  static inline void sctp_copy_descendant(struct sock *sk_to,
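Review bot: security_sk_clone() returns void, so the call appended to the end of sctp_copy_sock() needs no error handling, but it deserves a one-line comment such as `/* inherit the parent socket's LSM label */` so that the reason for the call survives next to the timestamp bookkeeping it follows; the hunk shows only sctp_copy_sock(), so the description's claim that peeled-off sockets are covered rests on that function being on the peel-off path as well.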

-- 
paul moore
www.paul-moore.com



Re: [RFC PATCH 00/17] CALIPSO implementation

2015-12-23 Thread Paul Moore
On Tue, Dec 22, 2015 at 12:28 PM, Casey Schaufler
 wrote:
> On 12/22/2015 3:46 AM, Huw Davies wrote:
>> This patch series implements RFC 5570 - Common Architecture Label IPv6
>> Security Option (CALIPSO).  Its goal is to set MLS sensitivity labels
>> on IPv6 packets using a hop-by-hop option.  CALIPSO is very similar to
>> its IPv4 cousin CIPSO and much of this series is based on that code.
>
> There's a one line change to the Smack code in 15/17 due to
> a change in the api, but I assume that there has been no
> attempt to verify that this works with Smack. It's not 100%
> clear that this won't break a Smack kernel, but I haven't
> tried it.
>
> You'll need to provide sufficient information (or code!) so
> that security modules other than SELinux can use this. If
> you look at how Smack uses netlabel for IPv4 you will see
> that it differs substantially from the way SELinux uses it.

Smack is going to have some difficulties implementing CALIPSO due to
some previous design decisions and inconsistencies between how Smack
handles both IPv4 and IPv6 packet labeling today.  I think we can all
agree that asking Huw to resolve these problems isn't quite fair,
although asking Huw to make sure he doesn't break existing
functionality *is* fair, and a requirement for patch acceptance.

Huw, I would suggest you ensure that the NetLabel/CALIPSO changes
don't break the existing Smack code, and that everything is commented
appropriately.  Adding CALIPSO support to the netlbl_cfg_*() functions
in netlabel_kapi.c would also be a good idea, and shouldn't be too
difficult (I should have commented on this earlier, my mistake).
However, I think resolving the Smack IPv6 design issues is something
best left to Casey and the rest of the Smack developers.

> Thank you for tackling RFC 5570. The lack of something like
> this has put IPv6 at a real disadvantage.

Agreed, thanks Huw for all the hard work you put into this
implementation.  I started a similar effort on two separate occasions
but never had the time to see it through to the end; I'm happy that
someone was finally able to get it finished.

-- 
paul moore
www.paul-moore.com


Re: Exposing secid to secctx mapping to user-space

2015-12-18 Thread Paul Moore
On Tue, Dec 15, 2015 at 2:09 PM, Joe Nall  wrote:
>> On Dec 15, 2015, at 12:03 PM, Stephen Smalley  wrote:
>> Are you patching the kernel to support > 4K contexts?
>> Otherwise, I'd expect you run up against the proc and selinuxfs API 
>> limitations (page size) and/or the filesystem xattr storage limitations 
>> (block size).
>
> No. The example was a contrived example of what is possible within the 
> format. We use a couple of 2500 byte labels in formal test these days to make 
> sure that we don't have an OS regression. I just get tired of code like this 
> in openswan:
>
> #ifdef HAVE_LABELED_IPSEC
> /* security label length should not exceed 256 in most cases,
>  * (discussed with kernel and selinux people).
>  */
> #define MAX_SECCTX_LEN257 /* including '\0'*/

So let's just get rid of labeled IPsec ... show of hands? ;)

-- 
paul moore
www.paul-moore.com


Re: Exposing secid to secctx mapping to user-space

2015-12-18 Thread Paul Moore
On Tue, Dec 15, 2015 at 3:58 PM, Daniel Cashman  wrote:
> On 12/15/2015 07:00 AM, Stephen Smalley wrote:
>> 1. I don't think it is the size of the context that is the concern but
>> rather the fact that it is a variable-length string, whereas current
>> binder commands use fixed-size arguments and encode the size in the
>> command value (common for ioctls).  Supporting passing a variable-length
>> string would be a change to the protocol and would complicate the code.
>>  On the performance side, it means generating a context string from the
>> secid and then copying it to userspace on each IPC (versus just getting
>> the secid and putting that in the existing binder_transaction_data that
>> is already copied to userspace).
>
> This is precisely the motivation for the original enquiry. Issue has
> been brought up about changing the protocol, and concern has also been
> strongly expressed about the overhead introduced by the string
> operations, although this has not been measured.  User-space would still
> need to do something intelligent with the secid, which would involve its
> own lookup and caching, but the idea is that this wouldn't be done with
> the binder lock held.
>
>> 2. Don't know; deferring to Daniel to run whatever binder IPC benchmarks
>> might exist with and without the current patch that copies the context
>> string.
>
> Yes, this needs to be done.  This issue was brought up as part of
> discussion regarding a proposed change to the binder driver to add the
> context string to each transaction.  An outcome of that discussion was,
> "before we go too far into this, let's see the reaction upstream to
> exposing the secid."  Based on the reaction here (upstream), I think
> it's my responsibility to push forward the string-based change and get
> the appropriate perf numbers so that a meaningful comparison can be made.

The existing, variable length string based approach is going to be
your easiest path forward with respect to the kernel, although it may
turn out to be a non-starter from a binder point of view.  I just want
to reiterate that I'm not against the idea of exposing the secid
tokens, but not necessarily in their current form; we will probably
want to revisit the idea of a persistent secid and consider the impact
to any future stacking work.

-- 
paul moore
www.paul-moore.com


SELinux/audit kernel repo process changes

2015-12-13 Thread Paul Moore
In an effort to make it a bit easier to maintain the kernel-secnext COPR I'm 
making some slight changes to how I manage the SELinux and audit kernel 
repositories.  The downside is that there is now going to be a regular rebase 
as part of the release cycle, but at least it will be well defined and part of 
the process, unlike the current reactionary rebases.

Starting with the next merge window, I'll be following the process below:

1. When a new kernel is released, rebase the repository's upstream branch to 
the tagged kernel release (or the latest LSM upstream branch in the case of 
SELinux) and apply the next branch on top of the upstream branch.  Send a pull 
request for the upstream branch to the next level maintainer.

2. Create a new branch, stable-X.XX, a copy of the upstream branch that was 
sent during the merge window.

3. Reset the next branch to the upstream branch that was sent during the merge 
window.  At this point the upstream, next, and latest stable-X.XX branch 
should be identical.

4. Accept patches into both the stable-X.XX and next branches; as necessary, 
send pull requests for stable-X.XX to the next level maintainer.  Continue 
until the next kernel is released and the process repeats.

As in the past, this process is subject to change, but I'm hopeful that this 
approach should work for the foreseeable future.

-- 
paul moore
www.paul-moore.com



Re: Exposing secid to secctx mapping to user-space

2015-12-13 Thread Paul Moore
On Friday, December 11, 2015 05:14:38 PM Stephen Smalley wrote:
> Perhaps we could provide a new fixed-size tokenized version of the
> security context string for export to userspace that could be embedded
> in the binder transaction structure?  This could avoid both the
> limitations of the current secid (e.g. limited to 32 bits, no
> stackability) and the overhead of copying context strings on every IPC.

On Friday, December 11, 2015 04:24:48 PM Casey Schaufler wrote:
> How about this: Provide an alias mechanism for secctx. There would then
> be a secid (32bits) a secctx (arbitrary text string) and a secalias which
> could be a limited string of some length. You could use the alias in place
> of the secctx anywhere you liked.

My initial reaction to the secalias idea isn't overly positive.  It seems like 
a kludge with a lot of duplication, both in terms of code and concept, and a 
lot of risk for confusion both by users and policy writers.  I think if we 
really wanted to limit the security label string format to a small size we 
should have done that from the start, it's too late now. 

Assuming we see some binder performance numbers, and the numbers are bad, I'm 
a little more open to doing something with the secid token.  Up to this point 
we haven't made any guarantees about the token and we haven't exported it 
outside the kernel so there is some ability to change it to fit our needs.  
Granted, this isn't a perfect solution either, and perhaps ultimately we would 
need something else, but I think it is worth looking into this first before we 
introduce another string label.

-- 
paul moore
www.paul-moore.com



Re: Exposing secid to secctx mapping to user-space

2015-12-11 Thread Paul Moore
On Fri, Dec 11, 2015 at 1:37 PM, Daniel Cashman  wrote:
> Hello,
>
> I would like to write a patch that would expose, via selinuxfs, the
> mapping between secids in the kernel and security contexts to
> user-space, but before doing so wanted to get some feedback as to
> whether or not such an endeavor could have any support upstream.  The
> direct motivation for this is the desire to communicate calling security
> ids/contexts over binder IPC on android for use in a user-space object
> manager.  Passing the security ids themselves would be simpler and more
> efficient in the critical kernel path, but they currently have no
> user-space meaning.

In general we try to avoid exposing the secid tokens outside the
kernel, I view them as an implementation hack designed to make it
easier to manage and operate on the security labels in the kernel.  I
suspect you will hear something very similar from Casey and the other
Smack developers.  Another consideration is the long standing LSM
stacking effort, they have several good reasons for wanting to abolish
the secid token, propagating it to userspace would make that all but
impossible.

While I'm sympathetic to your desire for less complexity and better
performance in passing security labels, from a kernel perspective I
think we lose too much in exporting the secid tokens outside the LSM.

-- 
paul moore
www.paul-moore.com


[GIT PULL] SELinux fixes for 4.4 (#1)

2015-11-25 Thread Paul Moore
Hi James,

A single SELinux fix for 4.4 that corrects a problem with SELinux's 
conditional rules handling.  The fix is small, easily understood, and passes 
the SELinux testsuite.  Please pull and send to Linus.

As of a few minutes ago, selinux#upstream applied cleanly on top of linux-
security#next.

Thanks,
-Paul

---
The following changes since commit 63205654c0e05e5ffa1c6eef2fbef21dcabd2185:

  selinux: Use a kmem_cache for allocation struct file_security_struct
  (2015-10-21 17:44:30 -0400)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/selinux upstream

for you to fetch changes up to f3bef67992e8698897b584616535803887c4a73e:

  selinux: fix bug in conditional rules handling (2015-11-24 13:44:32 -0500)


Stephen Smalley (1):
  selinux: fix bug in conditional rules handling

 security/selinux/ss/conditional.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
paul moore
security @ redhat



Re: [RFC PATCH] audit: force seccomp event logging to honor the audit_enabled flag

2015-11-24 Thread Paul Moore
On Monday, November 23, 2015 05:35:58 PM Paul Moore wrote:
> On Mon, Nov 23, 2015 at 5:20 PM, Tony Jones  wrote:
> > On 11/23/2015 02:20 PM, Paul Moore wrote:
> >> Previously we were emitting seccomp audit records regardless of the
> >> audit_enabled setting, a departure from the rest of audit.  This
> >> patch makes seccomp auditing consistent with the rest of the audit
> >> record generation code in that when audit_enabled=0 nothing is logged
> >> by the audit subsystem.
> >> 
> >> The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
> >> CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
> >> code change was in the audit_seccomp() definition.
> >> 
> >> Reported-by: Tony Jones 
> >> Signed-off-by: Paul Moore 
> > 
> > Seems pretty much the same (functionally) as the patch I posted to audit
> > list on 10/12/2015 except that didn't hoist the entire block.
> 
> Yep, I preferred to move the block as I think it should have been that
> way anyway from the start.  IMHO we got too many audit Kconfig knobs
> as-is and splitting that block for just the audit_enabled flag made
> things worse.
> 
> > Signed-off-by: Tony Jones 

I just merged this patch into audit#next, the only change is I replaced the 
"Reported-by" for Tony with his sign-off.

-- 
paul moore
security @ redhat



Re: [RFC PATCH] audit: force seccomp event logging to honor the audit_enabled flag

2015-11-23 Thread Paul Moore
On Mon, Nov 23, 2015 at 5:20 PM, Tony Jones  wrote:
> On 11/23/2015 02:20 PM, Paul Moore wrote:
>> Previously we were emitting seccomp audit records regardless of the
>> audit_enabled setting, a departure from the rest of audit.  This
>> patch makes seccomp auditing consistent with the rest of the audit
>> record generation code in that when audit_enabled=0 nothing is logged
>> by the audit subsystem.
>>
>> The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
>> CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
>> code change was in the audit_seccomp() definition.
>>
>> Reported-by: Tony Jones 
>> Signed-off-by: Paul Moore 
>
> Seems pretty much the same (functionally) as the patch I posted to audit
> list on 10/12/2015 except that didn't hoist the entire block.

Yep, I preferred to move the block as I think it should have been that
way anyway from the start.  IMHO we got too many audit Kconfig knobs
as-is and splitting that block for just the audit_enabled flag made
things worse.

> Signed-off-by: Tony Jones 

-- 
paul moore
www.paul-moore.com


[RFC PATCH] audit: force seccomp event logging to honor the audit_enabled flag

2015-11-23 Thread Paul Moore
Previously we were emitting seccomp audit records regardless of the
audit_enabled setting, a departure from the rest of audit.  This
patch makes seccomp auditing consistent with the rest of the audit
record generation code in that when audit_enabled=0 nothing is logged
by the audit subsystem.

The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
code change was in the audit_seccomp() definition.

Reported-by: Tony Jones 
Signed-off-by: Paul Moore 
---
 include/linux/audit.h |  204 +
 1 file changed, 104 insertions(+), 100 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 20eba1e..476bc12 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -113,6 +113,107 @@ struct filename;
 
 extern void audit_log_session_info(struct audit_buffer *ab);
 
+#ifdef CONFIG_AUDIT
+/* These are defined in audit.c */
+   /* Public API */
+extern __printf(4, 5)
+void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
+  const char *fmt, ...);
+
+extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t 
gfp_mask, int type);
+extern __printf(2, 3)
+void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
+extern voidaudit_log_end(struct audit_buffer *ab);
+extern boolaudit_string_contains_control(const char *string,
+ size_t len);
+extern voidaudit_log_n_hex(struct audit_buffer *ab,
+ const unsigned char *buf,
+ size_t len);
+extern voidaudit_log_n_string(struct audit_buffer *ab,
+  const char *buf,
+  size_t n);
+extern voidaudit_log_n_untrustedstring(struct audit_buffer *ab,
+   const char *string,
+   size_t n);
+extern voidaudit_log_untrustedstring(struct audit_buffer *ab,
+ const char *string);
+extern voidaudit_log_d_path(struct audit_buffer *ab,
+const char *prefix,
+const struct path *path);
+extern voidaudit_log_key(struct audit_buffer *ab,
+ char *key);
+extern voidaudit_log_link_denied(const char *operation,
+ struct path *link);
+extern voidaudit_log_lost(const char *message);
+#ifdef CONFIG_SECURITY
+extern voidaudit_log_secctx(struct audit_buffer *ab, u32 
secid);
+#else
+static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
+{ }
+#endif
+
+extern int audit_log_task_context(struct audit_buffer *ab);
+extern void audit_log_task_info(struct audit_buffer *ab,
+   struct task_struct *tsk);
+
+extern int audit_update_lsm_rules(void);
+
+   /* Private API (for audit.c only) */
+extern int audit_filter_user(int type);
+extern int audit_filter_type(int type);
+extern int audit_rule_change(int type, __u32 portid, int seq,
+   void *data, size_t datasz);
+extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
+
+extern u32 audit_enabled;
+#else /* CONFIG_AUDIT */
+static inline __printf(4, 5)
+void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
+  const char *fmt, ...)
+{ }
+static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
+  gfp_t gfp_mask, int type)
+{
+   return NULL;
+}
+static inline __printf(2, 3)
+void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
+{ }
+static inline void audit_log_end(struct audit_buffer *ab)
+{ }
+static inline void audit_log_n_hex(struct audit_buffer *ab,
+  const unsigned char *buf, size_t len)
+{ }
+static inline void audit_log_n_string(struct audit_buffer *ab,
+ const char *buf, size_t n)
+{ }
+static inline void  audit_log_n_untrustedstring(struct audit_buffer *ab,
+   const char *string, size_t n)
+{ }
+static inline void audit_log_untrustedstring(struct audit_buffer *ab,
+const char *string)
+{ }
+static inline void audit_log_d_path(struct audit_buffer *ab,
+   const char *prefix,
+   const struct path *path)
+{ }
+static inline void
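Review bot: `extern u32 audit_enabled;` is declared only in the CONFIG_AUDIT branch of the moved block, and the `#else /* CONFIG_AUDIT */` branch shown here is cut off before its end; confirm that branch provides a stub (e.g. `#define audit_enabled 0`) so the audit_seccomp() check the description mentions still compiles when CONFIG_AUDIT is off, and say in the description that the moved block is otherwise unchanged, since the 104/100 diffstat makes the four-line net change hard to spot in a 200-line move.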

ANN: Experimental Fedora Rawhide kernels (selinux-next and audit-next)

2015-11-20 Thread Paul Moore
For the past few weeks I've been building experimental Fedora Rawhide kernels 
with all of the SELinux and audit kernel patches targeted for linux-next 
included. It has worked out reasonably well, and with the exception of getting 
a working Linux 4.4-rc1 build this week, it has proven to be relatively easy 
to manage. If you would like to help with testing and don't mind the 
instability that comes with development kernels, the Fedora COPR repository 
link is below.

I've been doing at least one build each week, sometimes more, and I expect to 
continue with that frequency. I also perform a quick sanity check on each 
successful build, including running the SELinux and audit testsuites; however, 
there may be times when the kernel is simply broken, so exercise caution and 
please don't run these kernels on anything critical.

 * https://copr.fedoraproject.org/coprs/pcmoore/kernel-secnext

-- 
paul moore
www.paul-moore.com



Re: seccomp and audit_enabled

2015-11-20 Thread Paul Moore
On Fri, Nov 20, 2015 at 12:51 PM, Tony Jones  wrote:
> Any comments on this?  Current interaction between audit_enabled and dummy 
> flag seems wrong to me.   I can code up
> a patch.

It's on my todo list for this development cycle, I've just been a
little busy lately with the merge window and now some -rc1 testing.

-- 
paul moore
www.paul-moore.com


Re: [PATCH v3] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm()

2015-11-13 Thread Paul Moore
On Friday, November 13, 2015 03:14:19 PM Vladis Dronov wrote:
> Any process is able to send netlink messages with invalid types.
> Make the warning rate-limited to prevent too much log spam.
> 
> The warning is supposed to help to find misbehaving programs, so
> print the triggering command name and pid.
> 
> Reported-by: Florian Weimer 
> Signed-off-by: Vladis Dronov 
> ---
>  security/selinux/hooks.c | 9 +
>  1 file changed, 5 insertions(+), 4 deletions(-)

Applied to my selinux@next queue, with the merge window expected to close this 
weekend, this patch should appear in linux-next sometime next week.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index d0cfaa9..791fc46 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4785,11 +4785,12 @@ static int selinux_nlmsg_perm(struct sock *sk,
> struct sk_buff *skb) err = selinux_nlmsg_lookup(sksec->sclass,
> nlh->nlmsg_type, &perm); if (err) {
>   if (err == -EINVAL) {
> - printk(KERN_WARNING
> -"SELinux: unrecognized netlink message:"
> -" protocol=%hu nlmsg_type=%hu sclass=%s\n",
> + pr_warn_ratelimited("SELinux: unrecognized netlink"
> +" message: protocol=%hu nlmsg_type=%hu sclass=%s"
> +" pig=%d comm=%s\n",
>  sk->sk_protocol, nlh->nlmsg_type,
> -secclass_map[sksec->sclass - 1].name);
> +secclass_map[sksec->sclass - 1].name,
> +task_pid_nr(current), current->comm);
>   if (!selinux_enforcing || security_get_allow_unknown())
>   err = 0;
>   }
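Review bot: the format string in the pr_warn_ratelimited() call prints `pig=%d`, which looks like a typo for `pid=%d`; since the point of the change is a parseable name=value line for finding the offending program, the key should be spelled pid before this is merged. The argument order (task_pid_nr(current) before current->comm) already matches the string, so only the key name needs changing.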

-- 
paul moore
www.paul-moore.com



Re: [PATCH v2] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm()

2015-11-10 Thread Paul Moore
On Wednesday, November 04, 2015 11:35:51 AM Vladis Dronov wrote:
> Any process is able to send netlink messages with invalid types.
> Make the warning rate-limited to prevent too much log spam.
> 
> The warning is supposed to help to find misbehaving programs, so
> print the triggering command name and pid.
> 
> Reported-by: Florian Weimer 
> Signed-off-by: Vladis Dronov 
> ---
>  security/selinux/hooks.c | 9 +
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index e4369d8..3d8087d 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4787,11 +4787,12 @@ static int selinux_nlmsg_perm(struct sock *sk,
> struct sk_buff *skb) err = selinux_nlmsg_lookup(sksec->sclass,
> nlh->nlmsg_type, &perm); if (err) {
>   if (err == -EINVAL) {
> - printk(KERN_WARNING
> -"SELinux: unrecognized netlink message:"
> -" protocol=%hu nlmsg_type=%hu sclass=%s\n",
> + pr_warn_ratelimited("SELinux: unrecognized netlink"
> +" message: protocol=%hu nlmsg_type=%hu sclass=%s"
> +" from %s[%d]\n",
>  sk->sk_protocol, nlh->nlmsg_type,
> -secclass_map[sksec->sclass - 1].name);
> +secclass_map[sksec->sclass - 1].name,
> +current->comm, current->pid);

I should have looked more closely at the actual changes earlier, but the 
other issues with your posting distracted me ... while this isn't an audit 
message, it tends to follow the audit-ish name=value format so let's stick 
with that in this message, I would also suggest using task_pid_nr() so the 
line should look something like this:

  pr_warn_ratelimited("SELinux: unrecognized netlink"
  " message: protocol=%hu nlmsg_type=%hu sclass=%s"
  " pid=%d comm=%s\n",
  sk->sk_protocol, nlh->nlmsg_type,
  secclass_map[sksec->sclass - 1].name,
  task_pid_nr(current), current->comm);

-- 
paul moore
www.paul-moore.com
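The warning discussed in this thread and in the v3 patch above exists to point at misbehaving programs, so here is an added example (my own code, not part of either patch or the kernel) that parses the name=value line the patch emits out of dmesg output and aggregates the offenders; it accepts both the `pid=` key and the `pig=` spelling the v3 patch actually prints, and the sample log lines are constructed.

```python
"""Summarise SELinux "unrecognized netlink message" warnings from dmesg.

Added example, not code from the patches quoted above.  The line format
follows the pr_warn_ratelimited() call in the v3 patch:
    SELinux: unrecognized netlink message: protocol=%hu nlmsg_type=%hu
    sclass=%s pig=%d comm=%s
"pig" is that patch's spelling of "pid"; both keys are accepted here.
"""
import re
from collections import Counter, defaultdict

# Anything before "SELinux:" (dmesg timestamps, journal prefixes) is ignored.
_WARN_RE = re.compile(
    r"SELinux: unrecognized netlink message: "
    r"protocol=(?P<protocol>\d+) nlmsg_type=(?P<nlmsg_type>\d+) "
    r"sclass=(?P<sclass>\S+) (?:pid|pig)=(?P<pid>\d+) comm=(?P<comm>.*)$"
)


def parse_warning(line):
    """Return the fields of one warning line, or None if it is not one."""
    m = _WARN_RE.search(line.rstrip("\n"))
    if not m:
        return None
    return {
        "protocol": int(m.group("protocol")),
        "nlmsg_type": int(m.group("nlmsg_type")),
        "sclass": m.group("sclass"),
        "pid": int(m.group("pid")),
        "comm": m.group("comm"),
    }


def summarise(lines):
    """Group warnings by (comm, sclass, nlmsg_type).

    Returns {key: {"count": n, "pids": [...]}}.  Because the kernel
    rate-limits the message, every count is a lower bound.
    """
    counts = Counter()
    pids = defaultdict(set)
    for line in lines:
        rec = parse_warning(line)
        if rec is None:
            continue
        key = (rec["comm"], rec["sclass"], rec["nlmsg_type"])
        counts[key] += 1
        pids[key].add(rec["pid"])
    return {key: {"count": n, "pids": sorted(pids[key])}
            for key, n in counts.items()}


# Constructed sample dmesg output; the processes and pids are made up.
SAMPLE_LOG = """\
[  123.456789] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=99 sclass=netlink_route_socket pig=1234 comm=badtool
[  123.457000] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=99 sclass=netlink_route_socket pig=1235 comm=badtool
[  124.000000] SELinux: unrecognized netlink message: protocol=16 nlmsg_type=4096 sclass=netlink_generic_socket pid=777 comm=other
[  125.000000] audit: type=1400 audit(0.0:1): avc:  denied  { read } for  pid=1 comm="init"
"""

if __name__ == "__main__":
    for (comm, sclass, nlmsg_type), info in summarise(SAMPLE_LOG.splitlines()).items():
        print(f"{comm}: {info['count']} warning(s), class {sclass}, "
              f"nlmsg_type {nlmsg_type}, pids {info['pids']}")
```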



Re: [PATCH v3] selinux: export validatetrans decisions

2015-11-06 Thread Paul Moore
)
> + goto out;
> +
> + rc = security_validate_transition_user(osid, nsid, tsid, tclass);
> + if (!rc)
> + rc = count;
> +out:
> + kfree(req);
> + kfree(oldcon);
> + kfree(newcon);
> + kfree(taskcon);
> + return rc;
> +}
> +
> +static const struct file_operations sel_transition_ops = {
> + .write  = sel_write_validatetrans,
> + .llseek = generic_file_llseek,
> +};
> +
>  /*
>   * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
>   */
> @@ -1759,6 +1837,8 @@ static int sel_fill_super(struct super_block *sb, void
> *data, int silent) [SEL_DENY_UNKNOWN] = {"deny_unknown",
> &sel_handle_unknown_ops, S_IRUGO}, [SEL_STATUS] = {"status",
> &sel_handle_status_ops, S_IRUGO},
>   [SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUGO},
> + [SEL_VALIDATE_TRANS] = {"validatetrans", &sel_transition_ops,
> + S_IWUGO},
>   /* last one */ {""}
>   };
>   ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);
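Review bot: the new `validatetrans` node is registered with S_IWUGO, so any process can write to it; the part of sel_write_validatetrans() cut off above the visible fragment should gate the request with a permission check (an avc_has_perm() call on the security class) before computing the decision, and the handler deserves a comment stating the expected input format, since the fragment shows only the cleanup path.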
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index ebb5eb3..ebda973 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -778,8 +778,8 @@ out:
>   return -EPERM;
>  }
> 
> -int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
> -  u16 orig_tclass)
> +static int security_compute_validatetrans(u32 oldsid, u32 newsid, u32
> tasksid, +  u16 orig_tclass, bool user)
>  {
>   struct context *ocontext;
>   struct context *ncontext;
> @@ -794,11 +794,12 @@ int security_validate_transition(u32 oldsid, u32
> newsid, u32 tasksid,
> 
>   read_lock(&policy_rwlock);
> 
> - tclass = unmap_class(orig_tclass);
> + if (!user)
> + tclass = unmap_class(orig_tclass);
> + else
> + tclass = orig_tclass;
> 
>   if (!tclass || tclass > policydb.p_classes.nprim) {
> - printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
> - __func__, tclass);
>   rc = -EINVAL;
>   goto out;
>   }
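Review bot: dropping the `printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n", ...)` silences the diagnostic for the in-kernel path as well as for userspace callers; keeping it under `if (!user)` would stop untrusted writers of the new selinuxfs node from spamming the log while still reporting a bad class from kernel-side callers, which is the case the message was meant to catch.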
> @@ -832,8 +833,13 @@ int security_validate_transition(u32 oldsid, u32
> newsid, u32 tasksid, while (constraint) {
>   if (!constraint_expr_eval(ocontext, ncontext, tcontext,
> constraint->expr)) {
> - rc = security_validtrans_handle_fail(ocontext, ncontext,
> -  tcontext, tclass);
> + if (user)
> + rc = -EPERM;
> + else
> + rc = security_validtrans_handle_fail(ocontext,
> +  ncontext,
> +      tcontext,
> +  tclass);
>   goto out;
>   }
>   constraint = constraint->next;
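Review bot: the `if (user) rc = -EPERM;` branch means a userspace query that hits a failing constraint is neither audited nor routed through security_validtrans_handle_fail(), while the kernel path keeps its behaviour. That is a reasonable split for a query-only interface, but it should be stated in the commit message, since an administrator searching the audit log for constraint violations will see nothing from this path.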
> @@ -844,6 +850,20 @@ out:
>   return rc;
>  }
> 
> +int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid,
> + u16 tclass)
> +{
> + return security_compute_validatetrans(oldsid, newsid, tasksid,
> + tclass, true);
> +}
> +
> +int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
> +  u16 orig_tclass)
> +{
> + return security_compute_validatetrans(oldsid, newsid, tasksid,
> + orig_tclass, false);
> +}
> +
>  /*
>   * security_bounded_transition - check whether the given
>   * transition is directed to bounded, or not.
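Review bot: security_validate_transition_user() is non-static and is called from sel_write_validatetrans() in selinuxfs.c, so it needs a prototype in security/selinux/include/security.h next to security_validate_transition(); that header is not in this excerpt, so confirm the declaration is part of the series. The two wrappers are also the natural place for one comment each: the kernel one takes a mapped class (`orig_tclass`, unmapped inside), the user one takes the raw policy class as written to selinuxfs.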

-- 
paul moore
www.paul-moore.com

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH v2] selinux: rate-limit unrecognized netlink message warnings in selinux_nlmsg_perm()

2015-11-06 Thread Paul Moore
On Wednesday, November 04, 2015 04:02:36 PM Vladis Dronov wrote:
> Any process is able to send netlink messages with invalid types.
> Make the warning rate-limited to prevent too much log spam.
> 
> The warning is supposed to help to find misbehaving programs, so
> print the triggering command name and pid.
> 
> Signed-off-by: Vladis Dronov 
> ---
>  security/selinux/hooks.c | 9 +
>  1 file changed, 5 insertions(+), 4 deletions(-)

Did you want the "Reported-by" tag included?  I'm also adding the SELinux list 
back to the CC line.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index e4369d8..3d8087d 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4787,11 +4787,12 @@ static int selinux_nlmsg_perm(struct sock *sk,
> struct sk_buff *skb) err = selinux_nlmsg_lookup(sksec->sclass,
> nlh->nlmsg_type, &perm); if (err) {
>   if (err == -EINVAL) {
> - printk(KERN_WARNING
> -"SELinux: unrecognized netlink message:"
> -" protocol=%hu nlmsg_type=%hu sclass=%s\n",
> + pr_warn_ratelimited("SELinux: unrecognized netlink"
> +" message: protocol=%hu nlmsg_type=%hu sclass=%s"
> +" from %s[%d]\n",
>  sk->sk_protocol, nlh->nlmsg_type,
> -secclass_map[sksec->sclass - 1].name);
> +secclass_map[sksec->sclass - 1].name,
> +current->comm, current->pid);
>   if (!selinux_enforcing || security_get_allow_unknown())
>   err = 0;
>   }
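Review bot: pr_warn_ratelimited() keeps one rate-limit state per call site, so a burst of bad messages from one process also suppresses warnings about any other sender for the rest of the interval; since the commit message says the warning exists to find misbehaving programs, that shared limit deserves a sentence in the commit message. Adding current->comm and current->pid is the right call: it turns an anonymous warning into something an operator can act on.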

-- 
paul moore
www.paul-moore.com



Re: [PATCH v5 0/7] Inode security label invalidation

2015-11-02 Thread Paul Moore
On Sunday, November 01, 2015 06:24:26 PM Andreas Gruenbacher wrote:
> Here is another version of the patch queue to make gfs2 and similar file
> systems work with SELinux.  Previous posting:
> 
>   http://www.spinics.net/lists/selinux/msg17969.html
> 
> Changes since the previous version:
> 
>  * Use inode_security_novalidate instead of inode_security on all the
>SOCK_INODE(sock) inodes.
> 
> This patch queue is also available here:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/agruen/linux.git selinux-wip
> 
> Thanks,
> Andreas
> 
> Andreas Gruenbacher (7):
>   selinux: Remove unused variable in selinux_inode_init_security
>   security: Make inode argument of inode_getsecurity non-const
>   security: Make inode argument of inode_getsecid non-const
>   selinux: Add accessor functions for inode->i_security
>   security: Add hook to invalidate inode security labels
>   selinux: Revalidate invalid inode security labels
>   gfs2: Invalidate security labels of inodes when they go invalid

Thanks for your time and effort on this patchset.

I've accepted all of the patches into my selinux#next queue, these should 
reach linux-next as soon as the merge window closes.

-- 
paul moore
www.paul-moore.com



Re: [PATCH v5 6/7] selinux: Revalidate invalid inode security labels

2015-11-02 Thread Paul Moore
cu(inode, rcu);
> + if (IS_ERR(isec))
> + return PTR_ERR(isec);
> 
>   return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
> rcu ? MAY_NOT_BLOCK : 0);
> @@ -2926,7 +2981,9 @@ static int selinux_inode_permission(struct inode
> *inode, int mask) perms = file_mask_to_av(inode->i_mode, mask);
> 
>   sid = cred_sid(cred);
> - isec = inode_security(inode);
> + isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
> + if (IS_ERR(isec))
> + return PTR_ERR(isec);
> 
>   rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
>   audited = avc_audit_required(perms, &avd, rc,
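Review bot: `return PTR_ERR(isec)` in selinux_inode_permission() turns a failed label revalidation into the result of the permission check itself. For the `flags & MAY_NOT_BLOCK` case that is only correct if inode_security_rcu() returns an error the path-walk code treats as "retry without RCU" rather than as a denial; please state in the commit message which errno it returns there and why callers handle it, since a generic failure at this point would make a stale label on gfs2 look like a policy denial.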
> @@ -3234,6 +3291,7 @@ static int selinux_file_permission(struct file *file,
> int mask) /* No change since file_open check. */
>   return 0;
> 
> + inode_security_revalidate(inode);
>   return selinux_revalidate_file_permission(file, mask);
>  }
> 
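Review bot: inode_security_revalidate(inode) is called for its side effect and its outcome is not checked before selinux_revalidate_file_permission() runs; the same pattern appears in the selinux_file_open() hunk. The description says reloading can fail (RCU context, no dentry) and the old label is then used, so a one-line comment at each call site, "best effort: on failure the previous label stays in use", would stop a reader from assuming the permission check that follows is guaranteed a fresh label.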
> @@ -3539,6 +3597,7 @@ static int selinux_file_open(struct file *file, const
> struct cred *cred) * new inode label or new policy.
>* This check is not redundant - do not remove.
>*/
> + inode_security_revalidate(file_inode(file));
>   return file_path_has_perm(cred, file, open_file_to_av(file));
>  }
> 
> @@ -4080,7 +4139,7 @@ static int selinux_socket_post_create(struct socket
> *sock, int family, int type, int protocol, int kern)
>  {
>   const struct task_security_struct *tsec = current_security();
> - struct inode_security_struct *isec = inode_security(SOCK_INODE(sock));
> + struct inode_security_struct *isec =
> inode_security_novalidate(SOCK_INODE(sock)); struct sk_security_struct
> *sksec;
>   int err = 0;
> 
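Review bot: switching the SOCK_INODE() users to inode_security_novalidate() is the right choice, because socket inodes are labeled by SELinux from the creating task (this function fetches current_security() for that purpose) rather than read back from a filesystem that could invalidate them; a short comment on inode_security_novalidate() saying it is for inodes whose label cannot go invalid would document why the accept() and sock_graft() hunks use it as well.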
> @@ -4280,9 +4339,9 @@ static int selinux_socket_accept(struct socket *sock,
> struct socket *newsock) if (err)
>   return err;
> 
> - newisec = inode_security(SOCK_INODE(newsock));
> + newisec = inode_security_novalidate(SOCK_INODE(newsock));
> 
> - isec = inode_security(SOCK_INODE(sock));
> + isec = inode_security_novalidate(SOCK_INODE(sock));
>   newisec->sclass = isec->sclass;
>   newisec->sid = isec->sid;
>   newisec->initialized = LABEL_INITIALIZED;
> @@ -4620,7 +4679,8 @@ static void selinux_sk_getsecid(struct sock *sk, u32
> *secid)
> 
>  static void selinux_sock_graft(struct sock *sk, struct socket *parent)
>  {
> - struct inode_security_struct *isec = inode_security(SOCK_INODE(parent));
> + struct inode_security_struct *isec =
> + inode_security_novalidate(SOCK_INODE(parent));
>   struct sk_security_struct *sksec = sk->sk_security;
> 
>   if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||

-- 
paul moore
www.paul-moore.com



Re: [PATCH v4 6/7] selinux: Revalidate invalid inode security labels

2015-11-01 Thread Paul Moore
On Thu, Oct 29, 2015 at 12:52 PM, Andreas Gruenbacher
 wrote:
> On Thu, Oct 29, 2015 at 4:21 PM, Stephen Smalley  wrote:
>> On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote:
>>>
>>> When fetching an inode's security label, check if it is still valid, and
>>> try reloading it if it is not. Reloading will fail when we are in RCU
>>> context which doesn't allow sleeping, or when we can't find a dentry for
>>> the inode.  (Reloading happens via iop->getxattr which takes a dentry
>>> parameter.)  When reloading fails, continue using the old, invalid
>>> label.
>>>
>>> Signed-off-by: Andreas Gruenbacher 
>>
>>
>> Could probably use inode_security_novalidate() for all of the SOCK_INODE()
>> cases, right?
>
> I guess, yes.

There is no time like the present.  All the patches look fine to me,
but I think it would be good to add the additional
inode_security_novalidate() calls.  If you want, you can just post a
"8/7" patch with the extra calls added and I'll apply that on top of
the v4 patchset.

-- 
paul moore
www.paul-moore.com


Re: [RFC PATCH v3 2/5] lsm: introduce hooks for kdbus

2015-10-29 Thread Paul Moore
On Tuesday, October 20, 2015 04:41:14 PM Stephen Smalley wrote:
> On Mon, Oct 19, 2015 at 6:29 PM, Paul Moore  wrote:
> > On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote:
> >> On 10/07/2015 07:08 PM, Paul Moore wrote:
> >> > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c
> >> > index ef63d65..1cb87b3 100644
> >> > --- a/ipc/kdbus/connection.c
> >> > +++ b/ipc/kdbus/connection.c
> >> > @@ -108,6 +109,14 @@ static struct kdbus_conn *kdbus_conn_new(struct
> >> > kdbus_ep *ep,>
> >> > 
> >> > if (!owner && (creds || pids || seclabel))
> >> > 
> >> > return ERR_PTR(-EPERM);
> >> > 
> >> > +   ret = security_kdbus_conn_new(get_cred(file->f_cred),
> >> 
> >> You only need to use get_cred() if saving a reference; otherwise, you'll
> >> leak one here.
> > 
> > Yes, that was a typo on my part, thanks.
> > 
> >> Also, do we want file->f_cred here or ep->bus->node.creds (the latter is
> >> what is used by their own checks; the former is typically the same as
> >> current cred IIUC).  For that matter, what about ep->node.creds vs
> >> ep->bus->node.creds vs. ep->bus->domain->node.creds?  Can they differ?  Do we
> >> care?
> > 
> > We don't want file->f_cred, per our previous discussions.  I was working
> > on this patchset in small chunks and while I added credential storing in
> > the nodes, I forgot to update the hooks before I hit send, my apologies.
> > 
> > My current thinking is to pass both the endpoint and bus credentials, as I
> > believe they can differ.  Both the bus and the endpoint inherit their
> > security labels from their creator and while I don't have any specifics,
> > I think it is reasonable to imagine those two processes having different
> > security labels. Assuming we pass both credentials down to the LSM, I'm
> > currently thinking of the following SELinux access controls for this hook:
> >   allow  bus_t:kdbus { connect };
> >   allow  ep_t:kdbus { use privileged activator monitor policy };
> 
> I think it would be simpler to apply an associate check when the
> endpoint is created between the endpoint label and the bus label
> (which will typically be the same), and then only check based on
> endpoint label for all subsequent permission checks involving that
> endpoint.  Then you don't have to worry about which label to use for
> all the other permission checks. And you get finer-grained control -
> per-endpoint rather than only per-bus.

After thinking about this for a bit, I agree.

> > ... besides the additional label, I added the kdbus:use permission and
> > dropped the kdbus:owner permission.  Considering that the endpoint label,
> > ep_t, in the examples above, could be different from the current process,
> > it seemed reasonable to want to control that interaction and I felt the
> > fd:use permission was the closest existing control so I reused the
> > permission name. I decided to drop the "owner" permission as it really
> > wasn't useful for anything anymore, it simply indicates that the
> > current task is the DAC owner of the endpoint.
> 
> Can you 'use' an endpoint in any way other than to connect via it?
> If not, I'd just call that connect (won't conflict if you get rid of
> the separate bus check above), or distinguish it via separate classes
> or as connectthrough vs connectto.

I don't believe so; my understanding is that the main point of endpoints is to 
define special kdbus DAC policy.
 
> conn->owner is used to determine whether the caller can fake
> credentials, skip kdbus policy checking, create an activator, monitor,
> or policy holder connection, etc.  Our options are:
>
> 1. Apply a SELinux check when it is set to see if the caller is
> allowed to own the bus based on MAC labels and policy, and if not,
> refuse to create the connection (that's what checking the owner
> permission was doing).
> 
> 2. Separately apply MAC checks over each of those abilities (fake
> creds, override policy, create an activator, monitor, or policy
> holder, etc) when there is an attempt to exercise them (not all during
> connection creation), and selectively deny that ability.  More
> invasive, more potential for breakage for applications that don't
> expect failure if they could create the connection in the first place.
> 
> 3. Treat faking of DAC credentials and skipping of kdbus policy
> checking as not of interest to MAC, lea

Re: [PATCH v3 0/7] Inode security label invalidation

2015-10-28 Thread Paul Moore
On Mon, Oct 26, 2015 at 5:15 PM, Andreas Gruenbacher
 wrote:
> Here is another version of the patch queue to make gfs2 and similar file
> systems work with SELinux.  As suggested by Stephen Smalley [*], the relevant
> uses of inode->security are wrapped in function calls that try to revalidate
> invalid labels.
>
>   [*] http://marc.info/?l=linux-kernel&m=144416710207686&w=2
>
> The patches are looking good from my point of view; is there anything else that
> needs addressing?

Hi Andreas,

I'm largely staying out of the way on this patchset as Stephen has
been providing good review and feedback (I see he identified a few
more things in this latest revision), however, before I accept this
upstream I'd like to see an ACK from one of the GFS developers on the
last patch which touches the code under fs/gfs2.  Yes, it's a minor
change, and probably not strictly necessary, but I would like for us
to be good neighbors when possible.

Thanks.

-- 
paul moore
www.paul-moore.com


[GIT PULL] SELinux patches for 4.4

2015-10-21 Thread Paul Moore
Hi James,

Nine SELinux patches in total for v4.4, although six of those patches are 
either trivial, minor cleanups, or both.  The remaining three patches aren't 
too bad: one changes the CHECKREQPROT default to check the actual memory 
protections, one stops us from checking file:open on ftruncate() calls, and 
one converts the file_security_struct over to kmem_cache.

All pass the SELinux testsuite and should apply cleanly on top of your next 
branch.

Enjoy,
-Paul

---
The following changes since commit 09302fd19efbff9569eaad3f78ead8f411defd87:

  Merge branch 'smack-for-4.4' of https://github.com/cschaufler/smack-next 
into next (2015-10-21 10:49:29 +1100)

are available in the git repository at:

  git://git.infradead.org/users/pcmoore/selinux upstream

for you to fetch changes up to 63205654c0e05e5ffa1c6eef2fbef21dcabd2185:

  selinux: Use a kmem_cache for allocation struct file_security_struct
(2015-10-21 17:44:30 -0400)


Geliang Tang (1):
  selinux: ioctl_has_perm should be static

Jeff Vander Stoep (1):
  selinux: do not check open perm on ftruncate call

Paul Moore (1):
  selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default

Rasmus Villemoes (5):
  selinux: introduce security_context_str_to_sid
  selinux: remove pointless cast in selinux_inode_setsecurity()
  selinux: use kmemdup in security_sid_to_context_core()
  selinux: use kstrdup() in security_get_bools()
  selinux: use sprintf return value

Sangwoo (1):
  selinux: Use a kmem_cache for allocation struct file_security_struct

 security/selinux/Kconfig|  4 ++--
 security/selinux/hooks.c| 27 ++-
 security/selinux/include/security.h |  2 ++
 security/selinux/selinuxfs.c| 26 +-
 security/selinux/ss/services.c  | 22 +-
 5 files changed, 36 insertions(+), 45 deletions(-)

-- 
paul moore
security @ redhat



Re: [RFC PATCH v3 2/5] lsm: introduce hooks for kdbus

2015-10-19 Thread Paul Moore
On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote:
> On 10/07/2015 07:08 PM, Paul Moore wrote:
> > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c
> > index ef63d65..1cb87b3 100644
> > --- a/ipc/kdbus/connection.c
> > +++ b/ipc/kdbus/connection.c
> > @@ -108,6 +109,14 @@ static struct kdbus_conn *kdbus_conn_new(struct
> > kdbus_ep *ep,> 
> > if (!owner && (creds || pids || seclabel))
> > 
> > return ERR_PTR(-EPERM);
> > 
> > +   ret = security_kdbus_conn_new(get_cred(file->f_cred),
> 
> You only need to use get_cred() if saving a reference; otherwise, you'll
> leak one here.

Yes, that was a typo on my part, thanks.

> Also, do we want file->f_cred here or ep->bus->node.creds (the latter is
> what is used by their own checks; the former is typically the same as
> current cred IIUC).  For that matter, what about ep->node.creds vs
> ep->bus->node.creds vs. ep->bus->domain->node.creds?  Can they differ?  Do we care?

We don't want file->f_cred, per our previous discussions.  I was working on 
this patchset in small chunks and while I added credential storing in the 
nodes, I forgot to update the hooks before I hit send, my apologies.

My current thinking is to pass both the endpoint and bus credentials, as I 
believe they can differ.  Both the bus and the endpoint inherit their security 
labels from their creator and while I don't have any specifics, I think it is 
reasonable to imagine those two processes having different security labels.  
Assuming we pass both credentials down to the LSM, I'm currently thinking of 
the following SELinux access controls for this hook:

  allow  bus_t:kdbus { connect };
  allow  ep_t:kdbus { use privileged activator monitor policy };

... besides the additional label, I added the kdbus:use permission and dropped 
the kdbus:owner permission.  Considering that the endpoint label, ep_t, in the 
examples above, could be different from the current process, it seemed 
reasonable to want to control that interaction and I felt the fd:use 
permission was the closest existing control so I reused the permission name.  
I decided to drop the "owner" permission as it really wasn't useful for 
anything anymore, it simply indicates that the current task is the DAC owner 
of the endpoint.

> > @@ -1435,12 +1444,12 @@ bool kdbus_conn_policy_own_name(struct kdbus_conn
> > *conn,> 
> > return false;
> > 
> > }
> > 
> > -   if (conn->owner)
> > -   return true;
> > +   if (!conn->owner &&
> > +   kdbus_policy_query(&conn->ep->bus->policy_db, conn_creds, name,
> > +  hash) < KDBUS_POLICY_OWN)
> > +   return false;
> > 
> > -   res = kdbus_policy_query(&conn->ep->bus->policy_db, conn_creds,
> > -name, hash);
> > -   return res >= KDBUS_POLICY_OWN;
> > +   return (security_kdbus_own_name(conn_creds, name) == 0);
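Review bot: this hunk changes behaviour for the bus owner rather than only adding an LSM call: before, `if (conn->owner) return true;` short-circuited everything, whereas now the owner skips only the kdbus_policy_query() step and is still subject to security_kdbus_own_name(). That is the intended MAC semantics, but it should be called out explicitly in the commit message so the removal of the DAC-owner bypass is not missed. The parentheses around `security_kdbus_own_name(conn_creds, name) == 0` are not needed.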
> 
> Similar question here.  conn_creds is the credentials of the creator of
> the connection, typically the client/sender, right?
> conn->ep->bus->node.creds are the credentials of the bus owner, so don't
> we want to ask "Can I own this name on this bus?".

Yes, I think so.

From a SELinux point of view I imagine we would want access controls along the 
lines of the following:

  allow current name_t:kdbus { own_name };
  allow current bus_t:kdbus { own_name };

... do we want to use different permissions?  I doubt it would matter much 
either way.

> Note that their policy checks are based on conn->ep->policy_db, i.e. the
> policy associated with the endpoint, and conn->owner is only true if the
> connection creator has the same uid as the bus.

I don't think this is significant for us.

> > @@ -1465,14 +1474,13 @@ bool kdbus_conn_policy_talk(struct kdbus_conn
> > *conn,> 
> >  to, KDBUS_POLICY_TALK))
> > 
> > return false;
> > 
> > -   if (conn->owner)
> > -   return true;
> > -   if (uid_eq(conn_creds->euid, to->cred->uid))
> > -   return true;
> > +   if (!conn->owner && !uid_eq(conn_creds->euid, to->cred->uid) &&
> > +   !kdbus_conn_policy_query_all(conn, conn_creds,
> > +&conn->ep->bus->policy_db, to,
> > +KDBUS_POLICY_TALK))
> > +   return false;
> > 
> > -   return kdbus_conn_policy_query_all(conn, conn_creds,
> > -  

Re: seccomp and audit_enabled

2015-10-13 Thread Paul Moore
On Tue, Oct 13, 2015 at 1:18 PM, Tony Jones  wrote:
> On 10/13/2015 09:11 AM, Paul Moore wrote:
>> On Mon, Oct 12, 2015 at 4:45 PM, Kees Cook  wrote:
>>> On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones  wrote:
>>>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>>>> index b2abc99..8f70f3f 100644
>>>> --- a/include/linux/audit.h
>>>> +++ b/include/linux/audit.h
>>>> @@ -113,6 +113,12 @@ struct filename;
>>>>
>>>>  extern void audit_log_session_info(struct audit_buffer *ab);
>>>>
>>>> +#ifdef CONFIG_AUDIT
>>>> +extern u32 audit_enabled;
>>>> +#else
>>>> +#define audit_enabled 0
>>>> +#endif
>>>> +
>>>>  #ifdef CONFIG_AUDIT_COMPAT_GENERIC
>>>>  #define audit_is_compat(arch)  (!((arch) & __AUDIT_ARCH_64BIT))
>>>>  #else
>>>> @@ -213,7 +219,7 @@ void audit_core_dumps(long signr);
>>>>  static inline void audit_seccomp(unsigned long syscall, long signr, int 
>>>> code)
>>>>  {
>>>> /* Force a record to be reported if a signal was delivered. */
>>>> -   if (signr || unlikely(!audit_dummy_context()))
>>>
>>> What is dummy_context part of this actually do? I don't think reports
>>> should be made when signr == 0.
>>
>> The idea behind audit_dummy_context() is to skip auditing when there
>> are no audit rules configured, it's a performance tweak.  My guess is
>> that Tony's system loads some audit configuration at boot which
>> enables audit (the kernel starts with audit_enabled=0 ...) and loads a
>> few syscall filter rules which are enough to make
>> audit_dummy_context() return false.  Can you confirm that Tony?
>
> No, it's the default audit.rules (-D, -b320).   No actual rules loaded.
> Let me add some instrumentation and figure out what's going on.  auditd
> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
> during startup (at least on our systems).

Yes, if systemd is involved it enables audit; we've had some
discussions with the systemd folks about fixing that, but they haven't
gone very far.  I'm still a little curious as to why
audit_dummy_context() is false in this case, but I haven't looked at
how systemd/auditctl start/config the system too closely.

>> As for logging seccomp actions when signr == 0, I personally think
>> that still might be useful as the normal behavior has been altered; I
>> tend to think any action != ALLOW is worth logging.  However, I'm open
>> to discussion on this if others feel strongly.
>>
>>>> +   if (audit_enabled && (signr || unlikely(!audit_dummy_context(
>>>> __audit_seccomp(syscall, signr, code);
>>>>  }
>
> I'm of the opinion that nothing should get output (through the audit system) if
> audit_enabled == 0.  What you advocate calls for more than 2 possible states for
> audit_enabled or logging the information through another mechanism than audit.

I don't really care if it is audit or not (although we will need to
output something via audit if it is enabled to keep the CC crowd
happy); if you feel strongly that it isn't audit, we can just make it
a printk, that would work well with Kees' goals.  To me the important
point here is that we send a message when seccomp alters the behavior
of the syscall (action != ALLOW).

-- 
paul moore
www.paul-moore.com


Re: seccomp and audit_enabled

2015-10-13 Thread Paul Moore
On Mon, Oct 12, 2015 at 4:45 PM, Kees Cook  wrote:
> On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones  wrote:
>> From d6971ec9508244f7a1ab42f9ac4c59b7e1ca6145 Mon Sep 17 00:00:00 2001
>> From: Tony Jones 
>> Date: Sat, 10 Oct 2015 19:30:49 -0700
>> Subject: [PATCH] Don't log seccomp messages when audit is disabled
>>
>> Don't log seccomp messages when audit is disabled.
>
> This is intentional since violation of a seccomp policy ought to
> indicate a misbehaving program, and we want these to always be
> presented to the system log, regardless of audit being enabled. (I'd
> like to even produce system log entries when there is no CONFIG_AUDIT
> too, but that's for the future.)

I agree.  As I mentioned earlier these AUDIT_SECCOMP records are very handy.

>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index b2abc99..8f70f3f 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -113,6 +113,12 @@ struct filename;
>>
>>  extern void audit_log_session_info(struct audit_buffer *ab);
>>
>> +#ifdef CONFIG_AUDIT
>> +extern u32 audit_enabled;
>> +#else
>> +#define audit_enabled 0
>> +#endif
>> +
>>  #ifdef CONFIG_AUDIT_COMPAT_GENERIC
>>  #define audit_is_compat(arch)  (!((arch) & __AUDIT_ARCH_64BIT))
>>  #else
>> @@ -213,7 +219,7 @@ void audit_core_dumps(long signr);
>>  static inline void audit_seccomp(unsigned long syscall, long signr, int 
>> code)
>>  {
>> /* Force a record to be reported if a signal was delivered. */
>> -   if (signr || unlikely(!audit_dummy_context()))
>
> What is dummy_context part of this actually do? I don't think reports
> should be made when signr == 0.

The idea behind audit_dummy_context() is to skip auditing when there
are no audit rules configured, it's a performance tweak.  My guess is
that Tony's system loads some audit configuration at boot which
enables audit (the kernel starts with audit_enabled=0 ...) and loads a
few syscall filter rules which are enough to make
audit_dummy_context() return false.  Can you confirm that Tony?

As for logging seccomp actions when signr == 0, I personally think
that still might be useful as the normal behavior has been altered; I
tend to think any action != ALLOW is worth logging.  However, I'm open
to discussion on this if others feel strongly.

>> +   if (audit_enabled && (signr || unlikely(!audit_dummy_context(
>> __audit_seccomp(syscall, signr, code);
>>  }

-- 
paul moore
www.paul-moore.com


Re: seccomp and audit_enabled

2015-10-12 Thread Paul Moore
My apologies for the resend, I had the wrong email for Kees.

On Monday, October 12, 2015 11:29:43 AM Paul Moore wrote:
> On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote:
> > Hi.
> > 
> > What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0?
> > Opera browser makes use of a sandbox and if audit_enabled == 0 (and no
> > auditd is running) there is a lot of messages dumped to the klog. The fix
> > to __audit_seccomp() is trivial, similar to c2412d91c and I can send a
> > patch, I'm just not sure if seccomp is somehow special?
> 
> I'm adding Kees to this since he looks after the seccomp kernel bits these
> days.  While there isn't anything special about seccomp from an audit
> perspective, the seccomp audit record can be a really nice thing as it is
> the only indication you may get that seccomp has stepped in and done
> "something" other than allow the syscall to progress normally.
> 
> I would be a little more concerned that you are seeing a flood of seccomp
> messages from Opera, that is something that most likely warrants some closer
> inspection.  Are all the records the same/similar?  Can you paste some into
> email?

-- 
paul moore
www.paul-moore.com



Re: seccomp and audit_enabled

2015-10-12 Thread Paul Moore
On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote:
> Hi.
> 
> What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0?  
> Opera browser makes use of a sandbox and if audit_enabled == 0 (and no
> auditd is running) there is a lot of messages dumped to the klog. The fix
> to __audit_seccomp() is trivial, similar to c2412d91c and I can send a
> patch, I'm just not sure if seccomp is somehow special?

I'm adding Kees to this since he looks after the seccomp kernel bits these 
days.  While there isn't anything special about seccomp from an audit 
perspective, the seccomp audit record can be a really nice thing as it is the 
only indication you may get that seccomp has stepped in and done "something" 
other than allow the syscall to progress normally.

I would be a little more concerned that you are seeing a flood of seccomp 
messages from Opera, that is something that most likely warrants some closer 
inspection.  Are all the records the same/similar?  Can you paste some into 
email?

-- 
paul moore
www.paul-moore.com



Re: [RFC PATCH v3 5/5] selinux: introduce kdbus access controls

2015-10-09 Thread Paul Moore
On Friday, October 09, 2015 04:17:17 PM Stephen Smalley wrote:
> On 10/09/2015 11:39 AM, Paul Moore wrote:
> > On Friday, October 09, 2015 11:05:58 AM Stephen Smalley wrote:
> >> On 10/07/2015 07:08 PM, Paul Moore wrote:
> >>> +static int selinux_kdbus_init_inode(struct inode *inode,
> >>> + const struct cred *creds)
> >>> +{
> >>> + struct inode_security_struct *isec = inode->i_security;
> >>> + u32 sid = cred_sid(creds);
> >>> +
> >>> + /* XXX - this is very simple, e.g. no transitions, no special object
> >>> +  *   class, etc. since this inode is basically an IPC socket ...
> >>> +  *   however, is this too simple?  do we want transitions?  if 
we
> >>> +  *   do, we should do the transition in kdbus_node_init() and 
not
> >>> +  *   here so that endpoint is labeled correctly and not just 
this
> >>> +  *   inode */
> >>> +
> >>> + isec->inode = inode;
> >>> + isec->task_sid = sid;
> >>> + isec->sid = sid;
> >>> + isec->sclass = SECCLASS_FILE;
> >>> + isec->initialized = 1;
> >> 
> >> These are used for files exposed in the filesystem namespace, unlike
> >> sockets (sockfs can't be mounted by userspace, and the socket objects
> >> themselves have their own class, so there is no ambiguity).  Currently
> >> the only such files that are labeled with the same SID as the associated
> >> task are /proc files.  So if we label the kdbusfs files with the same
> >> SID, then you can't allow read/write to kdbusfs nodes owned by another
> >> task without also exposing its /proc/pid files in the same manner.
> >> Doubt we want that.  Probably should compute a transition from the task
> >> SID and the kdbusfs SID.
> > 
> > Okay, that was one of my main concerns; your suggestion makes sense to me.
> > 
> > I'm also thinking that if we do a file transition using the task label and
> > the kdbusfs superblock label we should limit it to just the inode label
> > and not the kdbus endpoint as I suggested in the comment above (the bit
> > about kdbus_node_init()), yes?
> 
> Yes, it only needs to be done for the inode, not the endpoint.
> Analogy with sockets:  Can I write to the socket file (kdbus file) bound
> to the socket (endpoint)?  Can I connectto/sendto the socket (endpoint)?

Yep.

I'll make these changes and work to get another draft out next week.

-- 
paul moore
security @ redhat



Re: [RFC PATCH v3 5/5] selinux: introduce kdbus access controls

2015-10-09 Thread Paul Moore
On Friday, October 09, 2015 11:05:58 AM Stephen Smalley wrote:
> On 10/07/2015 07:08 PM, Paul Moore wrote:
> > +static int selinux_kdbus_init_inode(struct inode *inode,
> > +   const struct cred *creds)
> > +{
> > +   struct inode_security_struct *isec = inode->i_security;
> > +   u32 sid = cred_sid(creds);
> > +
> > +   /* XXX - this is very simple, e.g. no transitions, no special object
> > +*   class, etc. since this inode is basically an IPC socket ...
> > +*   however, is this too simple?  do we want transitions?  if we
> > +*   do, we should do the transition in kdbus_node_init() and not
> > +*   here so that endpoint is labeled correctly and not just this
> > +*   inode */
> > +
> > +   isec->inode = inode;
> > +   isec->task_sid = sid;
> > +   isec->sid = sid;
> > +   isec->sclass = SECCLASS_FILE;
> > +   isec->initialized = 1;
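Review bot: the object class is fixed by `isec->sclass = SECCLASS_FILE;` regardless of the inode's mode; if the caller in ipc/kdbus/fs.c ever hands this hook a kdbusfs inode other than an endpoint file (kdbusfs also exposes directories for buses), the class should come from inode_mode_to_security_class(inode->i_mode) as the rest of hooks.c does, otherwise a directory node ends up checked against file permissions.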
> 
> These are used for files exposed in the filesystem namespace, unlike
> sockets (sockfs can't be mounted by userspace, and the socket objects
> themselves have their own class, so there is no ambiguity).  Currently
> the only such files that are labeled with the same SID as the associated
> task are /proc files.  So if we label the kdbusfs files with the same
> SID, then you can't allow read/write to kdbusfs nodes owned by another
> task without also exposing its /proc/pid files in the same manner.
> Doubt we want that.  Probably should compute a transition from the task
> SID and the kdbusfs SID.

Okay, that was one of my main concerns; your suggestion makes sense to me.

I'm also thinking that if we do a file transition using the task label and the 
kdbusfs superblock label we should limit it to just the inode label and not 
the kdbus endpoint as I suggested in the comment above (the bit about 
kdbus_node_init()), yes?

-- 
paul moore
security @ redhat



Re: [RFC PATCH v3 1/5] kdbus: add creator credentials to the endpoints

2015-10-09 Thread Paul Moore
On Friday, October 09, 2015 10:31:07 AM Stephen Smalley wrote:
> mode still remains

Yes it does, it looks like I went a little crazy with the Ctrl-K ... thanks 
for the review, it will be fixed in the next draft.

-- 
paul moore
security @ redhat



Re: [PATCH] security: selinux: Use a kmem_cache for allocation struct file_security_struct

2015-10-08 Thread Paul Moore
On Monday, October 05, 2015 02:45:41 PM Sangwoo wrote:
> The size of struct file_security_struct is 16 bytes on my setup.
> But the real allocation size for each file_security_struct
> is 64 bytes on my setup, because the kmalloc minimum size is 64 bytes
> when ARCH_DMA_MINALIGN is 64.
> 
> This allocation is made every time a file is allocated (alloc_file()).
> So the total slack memory size (allocated size - requested size)
> is increased exponentially.
> 
> E.g.) Min Kmalloc Size : 64 bytes, Unit : bytes
>   Allocated Size | Request Size | Slack Size | Allocation Count
> -----------------+--------------+------------+------------------
>       770048     |    192512    |   577536   |      12032
> 
> As a result, this change reduces memory usage by 42 bytes per
> file_security_struct.
> 
> Signed-off-by: Sangwoo 
> ---
>  security/selinux/hooks.c |8 ++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Applied, thanks for the patch and the data.  Sorry for the delay, it should be 
in linux-next tomorrow.
 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3f8d567..c20e082 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -126,6 +126,7 @@ int selinux_enabled = 1;
>  #endif
> 
>  static struct kmem_cache *sel_inode_cache;
> +static struct kmem_cache *file_security_cache;
> 
>  /**
>   * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
> @@ -287,7 +288,7 @@ static int file_alloc_security(struct file *file)
>   struct file_security_struct *fsec;
>   u32 sid = current_sid();
> 
> - fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
> + fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
>   if (!fsec)
>   return -ENOMEM;
> 
> @@ -302,7 +303,7 @@ static void file_free_security(struct file *file)
>  {
>   struct file_security_struct *fsec = file->f_security;
>   file->f_security = NULL;
> - kfree(fsec);
> + kmem_cache_free(file_security_cache, fsec);
>  }
> 
>  static int superblock_alloc_security(struct super_block *sb)
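Review bot: swapping `kfree(fsec);` for `kmem_cache_free(file_security_cache, fsec);` in file_free_security() drops kfree()'s tolerance of a NULL pointer; kmem_cache_free() has no NULL check and goes looking for the object's slab page. If there is any path on which this hook runs for a file whose f_security was never allocated, add `if (!fsec) return;` ahead of the kmem_cache_free() call so the conversion cannot turn a harmless no-op into an oops.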
> @@ -6086,6 +6087,9 @@ static __init int selinux_init(void)
>   sel_inode_cache = kmem_cache_create("selinux_inode_security",
>   sizeof(struct 
> inode_security_struct),
>   0, SLAB_PANIC, NULL);
> + file_security_cache = kmem_cache_create("selinux_file_security",
> + sizeof(struct file_security_struct),
> + 0, SLAB_PANIC, NULL);
>   avc_init();
> 
>   security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));

-- 
paul moore
www.paul-moore.com



Re: [RFC PATCH v3 5/5] selinux: introduce kdbus access controls

2015-10-08 Thread Paul Moore
On Wednesday, October 07, 2015 07:08:48 PM Paul Moore wrote:
> +static int selinux_kdbus_conn_see_notification(const struct cred *creds)
> +{
> + return avc_has_perm(SECINITSID_KERNEL, cred_sid(creds),
> + SECCLASS_KDBUS, KDBUS__SEE_NOTIFICATION, NULL);
> +}

I'm going to flip the subj/obj ordering here, the passed credentials should be 
the subject.

-- 
paul moore
security @ redhat



[RFC PATCH v3 5/5] selinux: introduce kdbus access controls

2015-10-07 Thread Paul Moore
Add the SELinux access control implementation for the new kdbus LSM
hooks using the new kdbus object class and the following permissions:

 [NOTE: permissions below are based on kdbus code from Aug 2015]

 * kdbus:impersonate
   Send a different security label to kdbus peers.
 * kdbus:fakecreds
   Send different DAC credentials to kdbus peers.
 * kdbus:fakepids
   Send a different PID to kdbus peers.
 * kdbus:owner
   Act as a kdbus bus owner.
 * kdbus:privileged
   Act as a privileged endpoint.
 * kdbus:activator
   Act as a kdbus activator.
 * kdbus:monitor
   Act as a kdbus monitor.
 * kdbus:policy_holder
   Act as a kdbus policy holder.
 * kdbus:connect
   Create a new kdbus connection.
 * kdbus:own
   Own a kdbus service name.
 * kdbus:talk
   Talk between two kdbus endpoints.
 * kdbus:see
   See another kdbus endpoint.
 * kdbus:see_name
   See a kdbus service name.
 * kdbus:see_notification
   See a kdbus notification.

Signed-off-by: Paul Moore 

---
ChangeLog:
- v3
 * Ported to the 4.3-rc4 based kdbus tree
 * Fix the missing NULL terminator in the kdbus obj class definition
- v2
 * Add the selinux_kdbus_init_inode() hook
 * Add some very basic info on the permissions to the description
 * Add kdbus service name auditing in the AVC records
- v1
 * Initial draft
---
 security/selinux/hooks.c|  153 +++
 security/selinux/include/classmap.h |4 +
 2 files changed, 155 insertions(+), 2 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e4369d8..5581990 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -9,8 +9,10 @@
  *   James Morris 
  *
  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
- *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris 
- *Eric Paris 
+ *  Copyright (C) 2003-2008,2015 Red Hat, Inc.
+ * James Morris 
+ * Eric Paris 
+ * Paul Moore 
  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  * 
  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
@@ -2035,6 +2037,143 @@ static int selinux_binder_transfer_file(struct 
task_struct *from,
&ad);
 }
 
+static int selinux_kdbus_conn_new(const struct cred *creds,
+ const struct kdbus_creds *fake_creds,
+ const struct kdbus_pids *fake_pids,
+ const char *fake_seclabel,
+ bool owner, bool privileged,
+ bool is_activator, bool is_monitor,
+ bool is_policy_holder)
+{
+   int rc;
+   u32 tsid = current_sid();
+   u32 av = KDBUS__CONNECT;
+
+   if (fake_creds)
+   av |= KDBUS__FAKECREDS;
+   if (fake_pids)
+   av |= KDBUS__FAKEPIDS;
+   if (owner)
+   av |= KDBUS__OWNER;
+   if (privileged)
+   av |= KDBUS__PRIVILEGED;
+   if (is_activator)
+   av |= KDBUS__ACTIVATOR;
+   if (is_monitor)
+   av |= KDBUS__MONITOR;
+   if (is_policy_holder)
+   av |= KDBUS__POLICY_HOLDER;
+
+   rc = avc_has_perm(tsid, cred_sid(creds), SECCLASS_KDBUS, av, NULL);
+   if (rc)
+   return rc;
+
+   if (fake_seclabel) {
+   u32 sid;
+   if (security_context_to_sid(fake_seclabel,
+   strlen(fake_seclabel),
+   &sid, GFP_KERNEL))
+   return -EINVAL;
+
+   rc = avc_has_perm(tsid, sid,
+ SECCLASS_KDBUS, KDBUS__IMPERSONATE, NULL);
+   }
+
+   return rc;
+}
+
+static int selinux_kdbus_own_name(const struct cred *creds, const char *name)
+{
+   int rc;
+   u32 name_sid;
+   struct common_audit_data ad;
+
+   rc = security_kdbus_sid(name, &name_sid);
+   if (rc)
+   return rc;
+
+   ad.type = LSM_AUDIT_DATA_KDBUS;
+   ad.u.kdbus_name = name;
+
+   return avc_has_perm(cred_sid(creds), name_sid,
+   SECCLASS_KDBUS, KDBUS__OWN, &ad);
+}
+
+static int selinux_kdbus_conn_talk(const struct cred *creds,
+  const struct cred *creds_to)
+{
+   return avc_has_perm(cred_sid(creds), cred_sid(creds_to),
+   SECCLASS_KDBUS, KDBUS__TALK, NULL);
+}
+
+static int selinux_kdbus_conn_see(const struct cred *creds,
+ const struct cred *creds_whom)
+{
+   return avc_has_perm(cred_sid(creds), cred_sid(creds_whom),
+   SECCLASS_KDBUS, KDBUS__SEE, NULL);
+}
+
+static int selinux_kdbus_conn_see_name(const st
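Review bot: in selinux_kdbus_conn_new() the return value of security_context_to_sid() is collapsed to -EINVAL, which hides an -ENOMEM from the context lookup (it allocates with the GFP_KERNEL passed here); keep the real code with `rc = security_context_to_sid(fake_seclabel, strlen(fake_seclabel), &sid, GFP_KERNEL); if (rc) return rc;`, which also matches how the same function already propagates the avc_has_perm() result.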

[RFC PATCH v3 4/5] selinux: introduce kdbus names into the policy

2015-10-07 Thread Paul Moore
SELinux treats kdbus service names as objects and therefore needs a
mechanism to map service names to security labels.  This patch adds
support for loading kdbus name/label matches with the security policy.

The patch supports service name prefix matching to lessen the burden
on the policy developers and reduce the size of the resulting policy.

Signed-off-by: Paul Moore 

---
ChangeLog:
- v3
 * Ported to the 4.3-rc4 based kdbus tree, v2 hacks removed
- v2
 * Porting needed to work with ioctl xperms
- v1
 * Initial draft
---
 security/selinux/include/security.h |5 ++
 security/selinux/ss/policydb.c  |   88 +--
 security/selinux/ss/policydb.h  |3 +
 security/selinux/ss/services.c  |   38 +++
 4 files changed, 116 insertions(+), 18 deletions(-)

diff --git a/security/selinux/include/security.h 
b/security/selinux/include/security.h
index 6a681d2..339b32b 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -36,13 +36,14 @@
 #define POLICYDB_VERSION_DEFAULT_TYPE  28
 #define POLICYDB_VERSION_CONSTRAINT_NAMES  29
 #define POLICYDB_VERSION_XPERMS_IOCTL  30
+#define POLICYDB_VERSION_KDBUS 31
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX   
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_XPERMS_IOCTL
+#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_KDBUS
 #endif
 
 /* Mask for just the mount related flags */
@@ -212,6 +213,8 @@ int security_fs_use(struct super_block *sb);
 int security_genfs_sid(const char *fstype, char *name, u16 sclass,
u32 *sid);
 
+int security_kdbus_sid(const char *name, u32 *sid);
+
 #ifdef CONFIG_NETLABEL
 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
   u32 *sid);
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 992a315..9be2e6d 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -76,81 +76,86 @@ static struct policydb_compat_info policydb_compat[] = {
{
.version= POLICYDB_VERSION_BASE,
.sym_num= SYM_NUM - 3,
-   .ocon_num   = OCON_NUM - 1,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_BOOL,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM - 1,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_IPV6,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_NLCLASS,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_MLS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_AVTAB,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_RANGETRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_POLCAP,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_PERMISSIVE,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_BOUNDARY,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_FILENAME_TRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_ROLETRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
.sym_num= SYM_NUM
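Review bot: every pre-existing policydb_compat[] row has its ocon_num reduced by one (the base and bool rows by two, since they already lacked one ocontext), which is only correct if the new kdbus OCON_* value is the last index so that the ocontext read and write loops stop before it for older policy versions; the truncated hunk does not show the new OCON_* value or the POLICYDB_VERSION_KDBUS row, so confirm both are appended at the end of their tables rather than inserted in the middle, otherwise every older policy would misread its ocontext sections.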
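As an added, user-space illustration of the service-name-to-label mapping that this patch's description outlines (this is example code, not code from the patch or from the kdbus/SELinux trees), the following C models the lookup over a constructed table of name/label entries. It assumes longest-prefix-wins semantics, the rule SELinux applies to genfscon path prefixes; the patch's own ordering rule is not visible on this page, and the type names in the table are placeholders.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the kdbus/SELinux patches: a user-space model of
 * the service-name-to-label mapping described in patch 4/5.  Assumption: when
 * several entries match, the longest one wins (the rule SELinux uses for
 * genfscon path prefixes); the patch's own ordering rule is not shown here.
 */

struct kdbus_name_entry {
	const char *name;     /* service name, or a name prefix */
	int is_prefix;        /* nonzero: match any name starting with @name */
	const char *context;  /* security context to assign to matching names */
};

/* Constructed sample table; the type names are placeholders, not from a real policy. */
static const struct kdbus_name_entry sample_table[] = {
	{ "",                          1, "system_u:object_r:kdbus_name_t:s0" },
	{ "org.freedesktop.",          1, "system_u:object_r:fdo_name_t:s0" },
	{ "org.freedesktop.login1",    0, "system_u:object_r:logind_name_t:s0" },
	{ "org.freedesktop.systemd1.", 1, "system_u:object_r:systemd_name_t:s0" },
};

static const size_t sample_table_len =
	sizeof(sample_table) / sizeof(sample_table[0]);

/*
 * Resolve a service name to a context.  Exact entries match only the whole
 * name, prefix entries match any name that begins with the prefix, and the
 * longest matching entry wins (an exact match beats a prefix of equal length).
 * Returns NULL when nothing matches, which a caller would treat as unlabeled.
 */
const char *kdbus_name_to_context(const struct kdbus_name_entry *table,
				  size_t len, const char *name)
{
	const struct kdbus_name_entry *best = NULL;
	size_t best_len = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		const struct kdbus_name_entry *e = &table[i];
		size_t elen = strlen(e->name);

		if (e->is_prefix) {
			if (strncmp(name, e->name, elen) != 0)
				continue;
		} else if (strcmp(name, e->name) != 0) {
			continue;
		}

		if (!best || elen > best_len ||
		    (elen == best_len && !e->is_prefix && best->is_prefix)) {
			best = e;
			best_len = elen;
		}
	}
	return best ? best->context : NULL;
}

/* Lookup against the constructed table above. */
const char *lookup_sample(const char *name)
{
	return kdbus_name_to_context(sample_table, sample_table_len, name);
}

/* True when @name resolves to exactly @context in the sample table. */
int sample_resolves_to(const char *name, const char *context)
{
	const char *ctx = lookup_sample(name);

	return ctx != NULL && strcmp(ctx, context) == 0;
}

int main(void)
{
	static const char *const names[] = {
		"org.freedesktop.login1",          /* exact entry wins over prefix */
		"org.freedesktop.login1.Manager",  /* falls back to the fdo prefix */
		"org.freedesktop.systemd1.Manager",/* longest prefix wins */
		"com.example.App",                 /* only the "" default matches */
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-36s -> %s\n", names[i], lookup_sample(names[i]));
	return 0;
}
```

The empty-string prefix acts as the catch-all default; dropping it from the table makes the lookup return NULL for unknown names, which is the case a policy author has to decide on explicitly (deny, or a dedicated unlabeled type), since a name with no label cannot be the target of any allow rule.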

[RFC PATCH v3 2/5] lsm: introduce hooks for kdbus

2015-10-07 Thread Paul Moore
Add LSM access control hooks to kdbus; several new hooks are added and
the existing security_file_receive() hook is reused.  The new hooks
are listed below:

 * security_kdbus_conn_new
   Check if the current task is allowed to create a new kdbus
   connection.
 * security_kdbus_own_name
   Check if a connection is allowed to own a kdbus service name.
 * security_kdbus_conn_talk
   Check if a connection is allowed to talk to a kdbus peer.
 * security_kdbus_conn_see
   Check if a connection can see a kdbus peer.
 * security_kdbus_conn_see_name
   Check if a connection can see a kdbus service name.
 * security_kdbus_conn_see_notification
   Check if a connection can receive notifications.
 * security_kdbus_proc_permission
   Check if a connection can access another task's pid namespace info.
 * security_kdbus_init_inode
   Set the security label on a kdbusfs inode

Signed-off-by: Paul Moore 

---
ChangeLog:
- v3
 * Ported to the 4.3-rc4 based kdbus tree
- v2
 * Implemented suggestions by Stephen Smalley
   * call security_kdbus_conn_new() sooner
   * reworked hook inside kdbus_conn_policy_own_name()
   * fixed if-conditional in kdbus_conn_policy_talk()
   * reworked hook inside kdbus_conn_policy_see_name_unlocked()
   * reworked hook inside kdbus_conn_policy_see()
   * reworked hook inside kdbus_conn_policy_see_notification()
   * added the security_kdbus_init_inode() hook
- v1
 * Initial draft
---
 include/linux/lsm_hooks.h |   63 +++
 include/linux/security.h  |   71 
 ipc/kdbus/connection.c|   73 +
 ipc/kdbus/fs.c|6 
 ipc/kdbus/message.c   |   19 +---
 ipc/kdbus/metadata.c  |6 +---
 security/security.c   |   62 ++
 7 files changed, 265 insertions(+), 35 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index ec3a6ba..36d4e5d 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1138,6 +1138,45 @@
  * @file contains the struct file being transferred.
  * @to contains the task_struct for the receiving task.
  *
+ * @kdbus_conn_new
+ * Check if the current task is allowed to create a new kdbus connection.
+ * @creds credentials for the new connection
+ * @fake_creds kdbus faked credentials
+ * @fake_pids kdbus faked pids
+ * @fake_seclabel kdbus faked security label
+ * @owner kdbus owner
+ * @privileged kdbus privileged
+ * @is_activator kdbus activator boolean
+ * @is_monitor kdbus monitor boolean
+ * @is_policy_holder kdbus policy holder boolean
+ * @kdbus_own_name
+ * Check if a connection is allowed to own a kdbus service name.
+ * @creds requestor's credentials
+ * @name service name
+ * @kdbus_conn_talk
+ * Check if a connection is allowed to talk to a kdbus peer.
+ * @creds requestor's credentials
+ * @creds_peer peer credentials
+ * @kdbus_conn_see
+ * Check if a connection can see a kdbus peer.
+ * @creds requestor's credentials
+ * @creds_peer peer credentials
+ * @kdbus_conn_see_name
+ * Check if a connection can see a kdbus service name.
+ * @creds requestor's credentials
+ * @name service name
+ * @kdbus_conn_see_notification
+ * Check if a connection can receive notifications.
+ * @creds requestor's credentials
+ * @kdbus_proc_permission
+ * Check if a connection can access another task's pid namespace info.
+ * @cred requestor's credentials
+ * @pid target task's pid struct
+ * @kdbus_init_inode
+ * Set the security label on a kdbusfs inode
+ * @inode kdbusfs inode
+ * @creds inode owner credentials
+ *
  * @ptrace_access_check:
  * Check permission before allowing the current process to trace the
  * @child process.
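Review bot: the new documentation entries are written as `@kdbus_conn_new` without the trailing colon the neighbouring entries use (`@ptrace_access_check:`), the kdbus_proc_permission parameter is `@cred` while every other new hook says `@creds`, and the `@kdbus_init_inode` text lacks a terminating period; align these with the file's existing style. More importantly, `@kdbus_conn_new` should say who the subject is: the text reads "the current task" but the only credential argument is @creds for the new connection, and the SELinux implementation checks current_sid() against cred_sid(creds), so the hook contract should state explicitly that the caller is the subject and @creds the object for other LSMs to follow.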
@@ -1310,6 +1349,22 @@ union security_list_options {
struct task_struct *to,
struct file *file);
 
+   int (*kdbus_conn_new)(const struct cred *creds,
+ const struct kdbus_creds *fake_creds,
+ const struct kdbus_pids *fake_pids,
+ const char *fake_seclabel,
+ bool owner, bool privileged, bool is_activator,
+ bool is_monitor, bool is_policy_holder);
+   int (*kdbus_own_name)(const struct cred *creds, const char *name);
+   int (*kdbus_conn_talk)(const struct cred *creds,
+  const struct cred *creds_peer);
+   int (*kdbus_conn_see)(const struct cred *creds,
+ const struct cred *creds_peer);
+   int (*kdbus_conn_see_name)(const struct cred *creds, const char *name);
+   int (*kdbus_conn_see_notification)(const struct cred *creds);
+   int (*kdbus_proc

[RFC PATCH v3 3/5] lsm: add support for auditing kdbus service names

2015-10-07 Thread Paul Moore
The kdbus service names will be recorded using 'service', similar to
the existing dbus audit records.

Signed-off-by: Paul Moore 

---
ChangeLog:
- v3
 * Ported to the 4.3-rc4 based kdbus tree
- v2
 * Initial draft
---
 include/linux/lsm_audit.h |2 ++
 security/lsm_audit.c  |4 
 2 files changed, 6 insertions(+)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index ffb9c9d..d6a656f 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -59,6 +59,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_INODE   9
 #define LSM_AUDIT_DATA_DENTRY  10
 #define LSM_AUDIT_DATA_IOCTL_OP11
+#define LSM_AUDIT_DATA_KDBUS   12
union   {
struct path path;
struct dentry *dentry;
@@ -75,6 +76,7 @@ struct common_audit_data {
 #endif
char *kmod_name;
struct lsm_ioctlop_audit *op;
+   const char *kdbus_name;
} u;
/* this union contains LSM specific data */
union {
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index cccbf30..0a3dc1b 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -397,6 +397,10 @@ static void dump_common_audit_data(struct audit_buffer *ab,
audit_log_format(ab, " kmod=");
audit_log_untrustedstring(ab, a->u.kmod_name);
break;
+   case LSM_AUDIT_DATA_KDBUS:
+   audit_log_format(ab, " service=");
+   audit_log_untrustedstring(ab, a->u.kdbus_name);
+   break;
} /* switch (a->type) */
 }
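Review bot: the new `case LSM_AUDIT_DATA_KDBUS:` emits the name as `service=`, the same field name existing user-space dbus audit records use, and audit_log_untrustedstring() is the right call since the name is caller-supplied; because the field list shared with the userspace audit tools currently describes `service` in dbus terms, the change should be mirrored there (or the commit message should note that the field is deliberately reused) so that record parsers interpret the field the same way for kdbus and dbus events.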
 



[RFC PATCH v3 0/5] kdbus LSM/SELinux hooks

2015-10-07 Thread Paul Moore
No real functional improvements since the v2 patchset earlier this
week, the main update is rebasing on GregKH's current kdbus tree
which is now 4.3-rc4 based and as a result brings the LSM stacking
changes and SELinux ioctl/xperm additions.

---

Paul Moore (5):
  kdbus: add creator credentials to the endpoints
  lsm: introduce hooks for kdbus
  lsm: add support for auditing kdbus service names
  selinux: introduce kdbus names into the policy
  selinux: introduce kdbus access controls

 include/linux/lsm_audit.h   |2 
 include/linux/lsm_hooks.h   |   63 ++
 include/linux/security.h|   71 
 ipc/kdbus/bus.c |   13 +--
 ipc/kdbus/connection.c  |   73 +++--
 ipc/kdbus/endpoint.c|   14 +--
 ipc/kdbus/endpoint.h|3 -
 ipc/kdbus/fs.c  |   10 ++
 ipc/kdbus/message.c |   19 +++-
 ipc/kdbus/metadata.c|6 -
 ipc/kdbus/node.c|   11 +--
 ipc/kdbus/node.h|5 +
 security/lsm_audit.c|4 +
 security/security.c |   62 ++
 security/selinux/hooks.c|  153 +++
 security/selinux/include/classmap.h |4 +
 security/selinux/include/security.h |5 +
 security/selinux/ss/policydb.c  |   88 
 security/selinux/ss/policydb.h  |3 -
 security/selinux/ss/services.c  |   38 +
 20 files changed, 561 insertions(+), 86 deletions(-)



[RFC PATCH v3 1/5] kdbus: add creator credentials to the endpoints

2015-10-07 Thread Paul Moore
In order to effectively enforce LSM based access controls we need to
have more information about the kdbus endpoint creator than the
uid/gid currently stored in the kdbus_node_type struct.  This patch
replaces the uid/gid values with a reference to the node creator's
credential struct which serves the needs of both the kdbus DAC access
controls as well as the LSM's access controls.

Two macros have also been created, kdbus_node_[uid,gid](), which can
be used to easily extract the euid/egid information from the new
credential reference.  The effective uid/gid is used as it was used
in all areas of the previous kdbus code except for areas where the
uid/gid was never set beyond the basic initialization to zero/root;
I expect this was a bug that was never caught as the node creator in
these cases was always expected to be root.

Signed-off-by: Paul Moore 

---
ChangeLog:
- v3
 * Ported to the 4.3-rc4 based kdbus tree
- v2
 * Initial draft
---
 ipc/kdbus/bus.c  |   13 +
 ipc/kdbus/endpoint.c |   14 --
 ipc/kdbus/endpoint.h |3 +--
 ipc/kdbus/fs.c   |4 ++--
 ipc/kdbus/node.c |   11 ---
 ipc/kdbus/node.h |5 +++--
 6 files changed, 19 insertions(+), 31 deletions(-)

diff --git a/ipc/kdbus/bus.c b/ipc/kdbus/bus.c
index a67f825..0cb9501 100644
--- a/ipc/kdbus/bus.c
+++ b/ipc/kdbus/bus.c
@@ -65,8 +65,7 @@ static void kdbus_bus_release(struct kdbus_node *node, bool 
was_active)
 static struct kdbus_bus *kdbus_bus_new(struct kdbus_domain *domain,
   const char *name,
   struct kdbus_bloom_parameter *bloom,
-  const u64 *pattach_owner,
-  u64 flags, kuid_t uid, kgid_t gid)
+  const u64 *pattach_owner, u64 flags)
 {
struct kdbus_bus *b;
u64 attach_owner;
@@ -81,7 +80,8 @@ static struct kdbus_bus *kdbus_bus_new(struct kdbus_domain 
*domain,
if (ret < 0)
return ERR_PTR(ret);
 
-   ret = kdbus_verify_uid_prefix(name, domain->user_namespace, uid);
+   ret = kdbus_verify_uid_prefix(name, domain->user_namespace,
+ current_euid());
if (ret < 0)
return ERR_PTR(ret);
 
@@ -93,8 +93,6 @@ static struct kdbus_bus *kdbus_bus_new(struct kdbus_domain 
*domain,
 
b->node.free_cb = kdbus_bus_free;
b->node.release_cb = kdbus_bus_release;
-   b->node.uid = uid;
-   b->node.gid = gid;
b->node.mode = S_IRUSR | S_IXUSR;
 
if (flags & (KDBUS_MAKE_ACCESS_GROUP | KDBUS_MAKE_ACCESS_WORLD))
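Review bot: removing `b->node.uid = uid;` and `b->node.gid = gid;` leaves this hunk setting no ownership information on the node at all; the commit message says a reference to the creator's cred struct replaces them, but that assignment and the matching put_cred() when the node is freed live in ipc/kdbus/node.c, outside what is quoted here. Verify the reference is taken once at node init and dropped exactly once in the node free path, since a missing put would leak the creator's credentials (and any LSM blob attached to them) for every bus and endpoint created.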
@@ -374,7 +372,7 @@ struct kdbus_bus *kdbus_cmd_bus_make(struct kdbus_domain 
*domain,
bus = kdbus_bus_new(domain,
argv[1].item->str, &argv[2].item->bloom_parameter,
argv[3].item ? argv[3].item->data64 : NULL,
-   cmd->flags, current_euid(), current_egid());
+   cmd->flags);
if (IS_ERR(bus)) {
ret = PTR_ERR(bus);
bus = NULL;
@@ -393,8 +391,7 @@ struct kdbus_bus *kdbus_cmd_bus_make(struct kdbus_domain 
*domain,
goto exit;
}
 
-   ep = kdbus_ep_new(bus, "bus", cmd->flags, bus->node.uid, bus->node.gid,
- false);
+   ep = kdbus_ep_new(bus, "bus", cmd->flags, false);
if (IS_ERR(ep)) {
ret = PTR_ERR(ep);
ep = NULL;
diff --git a/ipc/kdbus/endpoint.c b/ipc/kdbus/endpoint.c
index 44e7a20..1ba5d51 100644
--- a/ipc/kdbus/endpoint.c
+++ b/ipc/kdbus/endpoint.c
@@ -74,8 +74,6 @@ static void kdbus_ep_release(struct kdbus_node *node, bool 
was_active)
  * @bus:   The bus this endpoint will be created for
  * @name:  The name of the endpoint
  * @access:The access flags for this node (KDBUS_MAKE_ACCESS_*)
- * @uid:   The uid of the node
- * @gid:   The gid of the node
  * @is_custom: Whether this is a custom endpoint
  *
  * This function will create a new endpoint with the given
@@ -84,8 +82,7 @@ static void kdbus_ep_release(struct kdbus_node *node, bool 
was_active)
  * Return: a new kdbus_ep on success, ERR_PTR on failure.
  */
 struct kdbus_ep *kdbus_ep_new(struct kdbus_bus *bus, const char *name,
- unsigned int access, kuid_t uid, kgid_t gid,
- bool is_custom)
+ unsigned int access, bool is_custom)
 {
struct kdbus_ep *e;
int ret;
@@ -96,7 +93,7 @@ struct kdbus_ep *kdbus_ep_new(struct kdbus_bus *bus, const 
char *name,
 */
if (is_custom) {
ret = kdbus_verify_uid_prefix(name, bus->domain->user_namespace,
-   

Re: [RFC PATCH v2 5/5] selinux: introduce kdbus access controls

2015-10-06 Thread Paul Moore
On Tuesday, October 06, 2015 08:55:33 PM Nicolas Iooss wrote:
> On 10/05/2015 10:41 PM, Paul Moore wrote:
> > Add the SELinux access control implementation for the new kdbus LSM
> 
> > hooks using the new kdbus object class and the following permissions:
> [[SNIP]]
> 
> > diff --git a/security/selinux/include/classmap.h
> > b/security/selinux/include/classmap.h index eccd61b..31e4435 100644
> > --- a/security/selinux/include/classmap.h
> > +++ b/security/selinux/include/classmap.h
> > @@ -153,5 +153,9 @@ struct security_class_mapping secclass_map[] = {
> > 
> >   { COMMON_SOCK_PERMS, "attach_queue", NULL } },
> > 
> > { "binder", { "impersonate", "call", "set_context_mgr", "transfer",
> > 
> >   NULL } },
> > 
> > +   { "kdbus", { "impersonate", "fakecreds", "fakepids", "owner",
> > +"privileged", "activator", "monitor", "policy_holder",
> > +"connect", "own", "talk", "see", "see_name",
> > +"see_notification" } },
> > 
> > { NULL }
> > 
> >};
> 
> Hello,
> Out of curiosity, why is the new list of permissions not
> NULL-terminated?

Honest answer: I forgot :)

These patches are still "RFC quality" which means I'm emphasizing getting the 
patches posted quickly (hardy har har) and not putting the code through as 
much testing and scrutiny as I usually do.  The idea right now is to get 
feedback about the hooks and the individual LSM implementations.

Regardless, thanks for catching the missing terminator, the fix will be in the 
next draft of the patches.

-- 
paul moore
security @ redhat



[RFC PATCH v2 5/5] selinux: introduce kdbus access controls

2015-10-05 Thread Paul Moore
Add the SELinux access control implementation for the new kdbus LSM
hooks using the new kdbus object class and the following permissions:

 [NOTE: permissions below are based on kdbus code from Aug 2015]

 * kdbus:impersonate
   Send a different security label to kdbus peers.
 * kdbus:fakecreds
   Send different DAC credentials to kdbus peers.
 * kdbus:fakepids
   Send a different PID to kdbus peers.
 * kdbus:owner
   Act as a kdbus bus owner.
 * kdbus:privileged
   Act as a privileged endpoint.
 * kdbus:activator
   Act as a kdbus activator.
 * kdbus:monitor
   Act as a kdbus monitor.
 * kdbus:policy_holder
   Act as a kdbus policy holder.
 * kdbus:connect
   Create a new kdbus connection.
 * kdbus:own
   Own a kdbus service name.
 * kdbus:talk
   Talk between two kdbus endpoints.
 * kdbus:see
   See another kdbus endpoint.
 * kdbus:see_name
   See a kdbus service name.
 * kdbus:see_notification
   See a kdbus notification.

Signed-off-by: Paul Moore 

---
ChangeLog:
- v2
 * Add the selinux_kdbus_init_inode() hook
 * Add some very basic info on the permissions to the description
 * Add kdbus service name auditing in the AVC records
- v1
 * Initial draft
---
 security/selinux/hooks.c|  152 +++
 security/selinux/include/classmap.h |4 +
 2 files changed, 154 insertions(+), 2 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4d7e602..29341dd 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -9,8 +9,10 @@
  *   James Morris 
  *
  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
- *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris 
- *Eric Paris 
+ *  Copyright (C) 2003-2008,2015 Red Hat, Inc.
+ * James Morris 
+ * Eric Paris 
+ * Paul Moore 
  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  * 
  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
@@ -1987,6 +1989,143 @@ static int selinux_binder_transfer_file(struct 
task_struct *from,
&ad);
 }
 
+static int selinux_kdbus_conn_new(const struct cred *creds,
+ const struct kdbus_creds *fake_creds,
+ const struct kdbus_pids *fake_pids,
+ const char *fake_seclabel,
+ bool owner, bool privileged,
+ bool is_activator, bool is_monitor,
+ bool is_policy_holder)
+{
+   int rc;
+   u32 tsid = current_sid();
+   u32 av = KDBUS__CONNECT;
+
+   if (fake_creds)
+   av |= KDBUS__FAKECREDS;
+   if (fake_pids)
+   av |= KDBUS__FAKEPIDS;
+   if (owner)
+   av |= KDBUS__OWNER;
+   if (privileged)
+   av |= KDBUS__PRIVILEGED;
+   if (is_activator)
+   av |= KDBUS__ACTIVATOR;
+   if (is_monitor)
+   av |= KDBUS__MONITOR;
+   if (is_policy_holder)
+   av |= KDBUS__POLICY_HOLDER;
+
+   rc = avc_has_perm(tsid, cred_sid(creds), SECCLASS_KDBUS, av, NULL);
+   if (rc)
+   return rc;
+
+   if (fake_seclabel) {
+   u32 sid;
+   if (security_context_to_sid(fake_seclabel,
+   strlen(fake_seclabel),
+   &sid, GFP_KERNEL))
+   return -EINVAL;
+
+   rc = avc_has_perm(tsid, sid,
+ SECCLASS_KDBUS, KDBUS__IMPERSONATE, NULL);
+   }
+
+   return rc;
+}
+
+static int selinux_kdbus_own_name(const struct cred *creds, const char *name)
+{
+   int rc;
+   u32 name_sid;
+   struct common_audit_data ad;
+
+   rc = security_kdbus_sid(name, &name_sid);
+   if (rc)
+   return rc;
+
+   ad.type = LSM_AUDIT_DATA_KDBUS;
+   ad.u.kdbus_name = name;
+
+   return avc_has_perm(cred_sid(creds), name_sid,
+   SECCLASS_KDBUS, KDBUS__OWN, &ad);
+}
+
+static int selinux_kdbus_conn_talk(const struct cred *creds,
+  const struct cred *creds_to)
+{
+   return avc_has_perm(cred_sid(creds), cred_sid(creds_to),
+   SECCLASS_KDBUS, KDBUS__TALK, NULL);
+}
+
+static int selinux_kdbus_conn_see(const struct cred *creds,
+ const struct cred *creds_whom)
+{
+   return avc_has_perm(cred_sid(creds), cred_sid(creds_whom),
+   SECCLASS_KDBUS, KDBUS__SEE, NULL);
+}
+
+static int selinux_kdbus_conn_see_name(const struct cred *creds,
+  const char *name)
+{
+   int rc;
+   u32 name_sid;
+   struct common_audit_data 
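Review bot: the peer-credential parameter is named `creds_to` in selinux_kdbus_conn_talk() and `creds_whom` in selinux_kdbus_conn_see(), while the hook prototypes in lsm_hooks.h call the same argument `creds_peer` in both; using the prototype's name in the implementation keeps the subject/object roles obvious when reading `avc_has_perm(cred_sid(creds), cred_sid(creds_peer), ...)` and avoids a mismatch between the documented contract and the code.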

[RFC PATCH v2 0/5] kdbus LSM/SELinux hooks

2015-10-05 Thread Paul Moore
I got a little distracted with some other tasks so it has taken me a
bit longer than I had hoped to get v2 of this patchset out, but
better late than never they say ...

This revision incorporates all of Stephen's comments and adds support
for auditing kdbus service names; see each patch's changelog for more
details.  Please take a look and comment, I'm especially interested
to hear what people have to say about the kdbusfs labeling, right now
it is very barebones, and I'm not sure if we want to support more
options (transitions, etc.).

Also, Smack folks, it would be great if I heard something from you
guys about the viability of these hooks for Smack.

---

Paul Moore (5):
  kdbus: add creator credentials to the endpoints
  lsm: introduce hooks for kdbus
  lsm: add support for auditing kdbus service names
  selinux: introduce kdbus names into the policy
  selinux: introduce kdbus access controls


 include/linux/lsm_audit.h   |2 
 include/linux/security.h|  126 +
 ipc/kdbus/bus.c |   13 +--
 ipc/kdbus/connection.c  |   73 +++--
 ipc/kdbus/endpoint.c|   14 +--
 ipc/kdbus/endpoint.h|3 -
 ipc/kdbus/fs.c  |   10 ++
 ipc/kdbus/message.c |   19 +++-
 ipc/kdbus/metadata.c|6 -
 ipc/kdbus/node.c|   11 +--
 ipc/kdbus/node.h|5 +
 security/lsm_audit.c|4 +
 security/security.c |   50 
 security/selinux/hooks.c|  152 +++
 security/selinux/include/classmap.h |4 +
 security/selinux/include/security.h |5 +
 security/selinux/ss/policydb.c  |   88 +---
 security/selinux/ss/policydb.h  |3 -
 security/selinux/ss/services.c  |   38 +
 19 files changed, 540 insertions(+), 86 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[RFC PATCH v2 4/5] selinux: introduce kdbus names into the policy

2015-10-05 Thread Paul Moore
SELinux treats kdbus service names as objects and therefore needs a
mechanism to map service names to security labels.  This patch adds
support for loading kdbus name/label matches with the security policy.

The patch supports service name prefix matching to lessen the burden
on the policy developers and reduce the size of the resulting policy.

Signed-off-by: Paul Moore 

---
ChangeLog:
- v2
 * Porting needed to work with ioctl xperms
- v1
 * Initial draft
---
 security/selinux/include/security.h |5 ++
 security/selinux/ss/policydb.c  |   88 +--
 security/selinux/ss/policydb.h  |3 +
 security/selinux/ss/services.c  |   38 +++
 4 files changed, 116 insertions(+), 18 deletions(-)

diff --git a/security/selinux/include/security.h 
b/security/selinux/include/security.h
index eb9a549..3219b5d 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -36,13 +36,14 @@
 #define POLICYDB_VERSION_DEFAULT_TYPE  28
 #define POLICYDB_VERSION_CONSTRAINT_NAMES  29
 #define POLICYDB_VERSION_XPERMS_IOCTL  30
+#define POLICYDB_VERSION_KDBUS 31
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX   
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_XPERMS_IOCTL
+#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_KDBUS
 #endif
 
 /* Mask for just the mount related flags */
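Review bot: the Kconfig override path is untouched: when CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is set, POLICYDB_VERSION_MAX still comes from CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE, whose Kconfig range must also be extended to admit 31 or such kernels will refuse a policy that carries the kdbus object contexts; the diffstat for this patch does not list security/selinux/Kconfig.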
@@ -211,6 +212,8 @@ int security_fs_use(struct super_block *sb);
 int security_genfs_sid(const char *fstype, char *name, u16 sclass,
u32 *sid);
 
+int security_kdbus_sid(const char *name, u32 *sid);
+
 #ifdef CONFIG_NETLABEL
 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
   u32 *sid);
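Review bot: the new security_kdbus_sid() prototype says nothing about what `name` is matched against or what SID is returned when no policy entry matches, while the commit message mentions prefix matching; a short comment here, in the style of the neighbouring security_genfs_sid(), would make the contract explicit for callers such as selinux_kdbus_own_name().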
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 992a315..9be2e6d 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -76,81 +76,86 @@ static struct policydb_compat_info policydb_compat[] = {
{
.version= POLICYDB_VERSION_BASE,
.sym_num= SYM_NUM - 3,
-   .ocon_num   = OCON_NUM - 1,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_BOOL,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM - 1,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_IPV6,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_NLCLASS,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_MLS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_AVTAB,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_RANGETRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_POLCAP,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_PERMISSIVE,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_BOUNDARY,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_FILENAME_TRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_ROLETRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 1,
},
{
.version= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num
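Review bot: every existing compat entry now has its ocon_num reduced by one, which is only correct if OCON_NUM itself grew by exactly one for the new kdbus object context; the entry for POLICYDB_VERSION_KDBUS (the one that should carry the full OCON_NUM) lies past the visible end of this hunk, so confirm it is present and that policydb.h bumps OCON_NUM in the same patch (the diffstat lists policydb.h with 3 lines changed).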

[RFC PATCH v2 2/5] lsm: introduce hooks for kdbus

2015-10-05 Thread Paul Moore
Add LSM access control hooks to kdbus; several new hooks are added and
the existing security_file_receive() hook is reused.  The new hooks
are listed below:

 * security_kdbus_conn_new
   Check if the current task is allowed to create a new kdbus
   connection.
 * security_kdbus_own_name
   Check if a connection is allowed to own a kdbus service name.
 * security_kdbus_conn_talk
   Check if a connection is allowed to talk to a kdbus peer.
 * security_kdbus_conn_see
   Check if a connection can see a kdbus peer.
 * security_kdbus_conn_see_name
   Check if a connection can see a kdbus service name.
 * security_kdbus_conn_see_notification
   Check if a connection can receive notifications.
 * security_kdbus_proc_permission
   Check if a connection can access another task's pid namespace info.
 * security_kdbus_init_inode
   Set the security label on a kdbusfs inode

Signed-off-by: Paul Moore 

---
ChangeLog:
- v2
 * Implemented suggestions by Stephen Smalley
   * call security_kdbus_conn_new() sooner
   * reworked hook inside kdbus_conn_policy_own_name()
   * fixed if-conditional in kdbus_conn_policy_talk()
   * reworked hook inside kdbus_conn_policy_see_name_unlocked()
   * reworked hook inside kdbus_conn_policy_see()
   * reworked hook inside kdbus_conn_policy_see_notification()
   * added the security_kdbus_init_inode() hook
- v1
 * Initial draft
---
 include/linux/security.h |  126 ++
 ipc/kdbus/connection.c   |   73 +--
 ipc/kdbus/fs.c   |6 ++
 ipc/kdbus/message.c  |   19 +--
 ipc/kdbus/metadata.c |6 +-
 security/security.c  |   50 ++
 6 files changed, 245 insertions(+), 35 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index 18264ea..7992663 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -53,6 +53,9 @@ struct msg_queue;
 struct xattr;
 struct xfrm_sec_ctx;
 struct mm_struct;
+struct kdbus_creds;
+struct kdbus_pids;
+struct pid;
 
 /* Maximum number of letters for an LSM name string */
 #define SECURITY_NAME_MAX  10
@@ -1300,6 +1303,45 @@ static inline void security_free_mnt_opts(struct 
security_mnt_opts *opts)
  * @file contains the struct file being transferred.
  * @to contains the task_struct for the receiving task.
  *
+ * @kdbus_conn_new
+ * Check if the current task is allowed to create a new kdbus connection.
+ * @creds credentials for the new connection
+ * @fake_creds kdbus faked credentials
+ * @fake_pids kdbus faked pids
+ * @fake_seclabel kdbus faked security label
+ * @owner kdbus owner
+ * @privileged kdbus privileged
+ * @is_activator kdbus activator boolean
+ * @is_monitor kdbus monitor boolean
+ * @is_policy_holder kdbus policy holder boolean
+ * @kdbus_own_name
+ * Check if a connection is allowed to own a kdbus service name.
+ * @creds requestor's credentials
+ * @name service name
+ * @kdbus_conn_talk
+ * Check if a connection is allowed to talk to a kdbus peer.
+ * @creds requestor's credentials
+ * @creds_peer peer credentials
+ * @kdbus_conn_see
+ * Check if a connection can see a kdbus peer.
+ * @creds requestor's credentials
+ * @creds_peer peer credentials
+ * @kdbus_conn_see_name
+ * Check if a connection can see a kdbus service name.
+ * @creds requestor's credentials
+ * @name service name
+ * @kdbus_conn_see_notification
+ * Check if a connection can receive notifications.
+ * @creds requestor's credentials
+ * @kdbus_proc_permission
+ * Check if a connection can access another task's pid namespace info.
+ * @cred requestor's credentials
+ * @pid target task's pid struct
+ * @kdbus_init_inode
+ * Set the security label on a kdbusfs inode
+ * @inode kdbusfs inode
+ * @creds inode owner credentials
+ *
  * @ptrace_access_check:
  * Check permission before allowing the current process to trace the
  * @child process.
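Review bot: parameter names in this documentation block drift from the rest of the series: @kdbus_conn_talk and @kdbus_conn_see document `@creds_peer` (matching the prototypes below), while the SELinux implementation quoted earlier in this archive uses `creds_to` and `creds_whom`, and @kdbus_proc_permission says `@cred` where every other hook says `@creds`; pick one name per role and use it in the hook table, the prototypes and the implementations.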
@@ -1468,6 +1510,22 @@ struct security_operations {
int (*binder_transfer_file) (struct task_struct *from,
 struct task_struct *to, struct file *file);
 
+   int (*kdbus_conn_new)(const struct cred *creds,
+ const struct kdbus_creds *fake_creds,
+ const struct kdbus_pids *fake_pids,
+ const char *fake_seclabel,
+ bool owner, bool privileged, bool is_activator,
+ bool is_monitor, bool is_policy_holder);
+   int (*kdbus_own_name)(const struct cred *creds, const char *name);
+   int (*kdbus_conn_talk)(const struct cred *creds,
+  const struct cred *creds_peer);
+   int (*kdbus_conn_see)(const struct cred *creds,
+ const struct cred *creds_peer);
+   int (*
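Review bot: kdbus_conn_new takes five positional bools (owner, privileged, is_activator, is_monitor, is_policy_holder) after three pointers; a call site that transposes two of them compiles silently and changes which KDBUS__ permission is checked, since the SELinux implementation maps each bool to one av bit. A single flags word with named bits, or a small struct, would make such mistakes visible at the call site.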

[RFC PATCH v2 1/5] kdbus: add creator credentials to the endpoints

2015-10-05 Thread Paul Moore
In order to effectively enforce LSM based access controls we need to
have more information about the kdbus endpoint creator than the
uid/gid currently stored in the kdbus_node_type struct.  This patch
replaces the uid/gid values with a reference to the node creator's
credential struct which serves the needs of both the kdbus DAC access
controls as well as the LSM's access controls.

Two macros have also been created, kdbus_node_[uid,gid](), which can
be used to easily extract the euid/egid information from the new
credential reference.  The effective uid/gid is used as it was used
in all areas of the previous kdbus code except for areas where the
uid/gid was never set beyond the basic initialization to zero/root;
I expect this was a bug that was never caught as the node creator in
these cases was always expected to be root.


Signed-off-by: Paul Moore 

---
ChangeLog:
- v2
 * Initial draft
---
 ipc/kdbus/bus.c  |   13 +
 ipc/kdbus/endpoint.c |   14 --
 ipc/kdbus/endpoint.h |3 +--
 ipc/kdbus/fs.c   |4 ++--
 ipc/kdbus/node.c |   11 ---
 ipc/kdbus/node.h |5 +++--
 6 files changed, 19 insertions(+), 31 deletions(-)

diff --git a/ipc/kdbus/bus.c b/ipc/kdbus/bus.c
index a67f825..0cb9501 100644
--- a/ipc/kdbus/bus.c
+++ b/ipc/kdbus/bus.c
@@ -65,8 +65,7 @@ static void kdbus_bus_release(struct kdbus_node *node, bool 
was_active)
 static struct kdbus_bus *kdbus_bus_new(struct kdbus_domain *domain,
   const char *name,
   struct kdbus_bloom_parameter *bloom,
-  const u64 *pattach_owner,
-  u64 flags, kuid_t uid, kgid_t gid)
+  const u64 *pattach_owner, u64 flags)
 {
struct kdbus_bus *b;
u64 attach_owner;
@@ -81,7 +80,8 @@ static struct kdbus_bus *kdbus_bus_new(struct kdbus_domain 
*domain,
if (ret < 0)
return ERR_PTR(ret);
 
-   ret = kdbus_verify_uid_prefix(name, domain->user_namespace, uid);
+   ret = kdbus_verify_uid_prefix(name, domain->user_namespace,
+ current_euid());
if (ret < 0)
return ERR_PTR(ret);
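Review bot: replacing the `uid` parameter with current_euid() inside kdbus_bus_new() hides a precondition the old signature made explicit: the function must run in the context of the task creating the bus. The only caller in this patch (kdbus_cmd_bus_make) did pass current_euid(), so behaviour is unchanged, but a comment on kdbus_bus_new() stating that it uses the caller's credentials would stop a future caller in a different context from passing the prefix check with the wrong identity.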
 
@@ -93,8 +93,6 @@ static struct kdbus_bus *kdbus_bus_new(struct kdbus_domain 
*domain,
 
b->node.free_cb = kdbus_bus_free;
b->node.release_cb = kdbus_bus_release;
-   b->node.uid = uid;
-   b->node.gid = gid;
b->node.mode = S_IRUSR | S_IXUSR;
 
if (flags & (KDBUS_MAKE_ACCESS_GROUP | KDBUS_MAKE_ACCESS_WORLD))
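Review bot: this hunk drops the assignments to b->node.uid/gid without the replacement being visible; the credential reference that the commit message says now lives in the node must be taken (get_current_cred() or similar) either here or in the node initialisation and released in the free callback, otherwise the node carries no creator identity at all. Those changes would be in ipc/kdbus/node.c, which the diffstat lists, so please confirm the get/put pairing there.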
@@ -374,7 +372,7 @@ struct kdbus_bus *kdbus_cmd_bus_make(struct kdbus_domain 
*domain,
bus = kdbus_bus_new(domain,
argv[1].item->str, &argv[2].item->bloom_parameter,
argv[3].item ? argv[3].item->data64 : NULL,
-   cmd->flags, current_euid(), current_egid());
+   cmd->flags);
if (IS_ERR(bus)) {
ret = PTR_ERR(bus);
bus = NULL;
@@ -393,8 +391,7 @@ struct kdbus_bus *kdbus_cmd_bus_make(struct kdbus_domain 
*domain,
goto exit;
}
 
-   ep = kdbus_ep_new(bus, "bus", cmd->flags, bus->node.uid, bus->node.gid,
- false);
+   ep = kdbus_ep_new(bus, "bus", cmd->flags, false);
if (IS_ERR(ep)) {
ret = PTR_ERR(ep);
ep = NULL;
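Review bot: before this change the default "bus" endpoint was handed bus->node.uid/gid explicitly; afterwards kdbus_ep_new() has no way to be told whose credentials the endpoint should carry and will presumably use the current task's. That is equivalent here only because the endpoint is created inside the same kdbus_cmd_bus_make() call as the bus, by the same task; a comment at this call site would keep that coupling from being lost if endpoint creation is ever moved.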
diff --git a/ipc/kdbus/endpoint.c b/ipc/kdbus/endpoint.c
index 44e7a20..1ba5d51 100644
--- a/ipc/kdbus/endpoint.c
+++ b/ipc/kdbus/endpoint.c
@@ -74,8 +74,6 @@ static void kdbus_ep_release(struct kdbus_node *node, bool 
was_active)
  * @bus:   The bus this endpoint will be created for
  * @name:  The name of the endpoint
  * @access:The access flags for this node (KDBUS_MAKE_ACCESS_*)
- * @uid:   The uid of the node
- * @gid:   The gid of the node
  * @is_custom: Whether this is a custom endpoint
  *
  * This function will create a new endpoint with the given
@@ -84,8 +82,7 @@ static void kdbus_ep_release(struct kdbus_node *node, bool 
was_active)
  * Return: a new kdbus_ep on success, ERR_PTR on failure.
  */
 struct kdbus_ep *kdbus_ep_new(struct kdbus_bus *bus, const char *name,
- unsigned int access, kuid_t uid, kgid_t gid,
- bool is_custom)
+ unsigned int access, bool is_custom)
 {
struct kdbus_ep *e;
int ret;
@@ -96,7 +93,7 @@ struct kdbus_ep *kdbus_ep_new(struct kdbus_bus *bus, const 
char *name,
 */
if (is_custom) {
ret = kdbus_verify_uid_prefix(name, bus->domain->user_namespace,
- uid);
+   

[RFC PATCH v2 3/5] lsm: add support for auditing kdbus service names

2015-10-05 Thread Paul Moore
The kdbus service names will be recorded using 'service', similar to
the existing dbus audit records.

Signed-off-by: Paul Moore 

---
ChangeLog:
- v2
 * Initial draft
---
 include/linux/lsm_audit.h |2 ++
 security/lsm_audit.c  |4 
 2 files changed, 6 insertions(+)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index ffb9c9d..d6a656f 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -59,6 +59,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_INODE   9
 #define LSM_AUDIT_DATA_DENTRY  10
 #define LSM_AUDIT_DATA_IOCTL_OP11
+#define LSM_AUDIT_DATA_KDBUS   12
union   {
struct path path;
struct dentry *dentry;
@@ -75,6 +76,7 @@ struct common_audit_data {
 #endif
char *kmod_name;
struct lsm_ioctlop_audit *op;
+   const char *kdbus_name;
} u;
/* this union contains LSM specific data */
union {
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 9f6c649..d7af41d 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -397,6 +397,10 @@ static void dump_common_audit_data(struct audit_buffer *ab,
audit_log_format(ab, " kmod=");
audit_log_untrustedstring(ab, a->u.kmod_name);
break;
+   case LSM_AUDIT_DATA_KDBUS:
+   audit_log_format(ab, " service=");
+   audit_log_untrustedstring(ab, a->u.kdbus_name);
+   break;
} /* switch (a->type) */
 }
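Review bot: audit_log_untrustedstring() dereferences its argument unconditionally (it takes strlen() of the string), so every hook that sets ad.type = LSM_AUDIT_DATA_KDBUS must also set ad.u.kdbus_name, exactly as the kmod_name case above requires; the SELinux callers in this series do, but a comment on the new union member stating that it must be non-NULL for this type would make the contract explicit. Using the untrusted variant rather than a plain %s is the right choice here, since the name is chosen by the peer.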
 

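As an added example, not part of the patch above: the escaping rule the audit layer applies to an untrusted, peer-chosen string such as the kdbus service name written by the new " service=" case, and what goes wrong for a key=value consumer when the raw name is embedded instead. The record text and the service names are constructed for this example.

```c
/*
 * Added example (constructed, not the patch's own code): how the kernel
 * audit layer renders an untrusted string.  The rule mirrored here is the
 * one audit_log_untrustedstring() applies: a value containing a double
 * quote, a byte below 0x21 (space and control characters) or a byte above
 * 0x7e is emitted as lowercase hex with no quotes; any other value is
 * wrapped in double quotes.
 */
#include <stdio.h>
#include <string.h>

/* Same test as audit_string_contains_control_chars(). */
static int contains_control_chars(const char *s, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)s[i];

		if (c == '"' || c < 0x21 || c > 0x7e)
			return 1;
	}
	return 0;
}

/*
 * Write " service=<value>" into out (outsz bytes) the way the new
 * LSM_AUDIT_DATA_KDBUS case would have the audit layer do it.
 * Returns the number of bytes written (excluding the NUL), or -1 if
 * out is too small.
 */
int format_service_field(const char *name, char *out, size_t outsz)
{
	size_t len = strlen(name);
	int hex = contains_control_chars(name, len);
	size_t need = hex ? 2 * len : len + 2;	/* hex digits, or quotes + text */
	size_t pos, i;

	/* " service=" is 9 bytes; reserve the value and the NUL terminator. */
	if (outsz < 9 + need + 1)
		return -1;

	pos = (size_t)sprintf(out, " service=");
	if (hex) {
		/* audit_log_n_hex(): lowercase hex, no quotes, no separators */
		for (i = 0; i < len; i++)
			pos += (size_t)sprintf(out + pos, "%02x",
					       (unsigned char)name[i]);
	} else {
		/* audit_log_n_string(): value wrapped in double quotes */
		out[pos++] = '"';
		memcpy(out + pos, name, len);
		pos += len;
		out[pos++] = '"';
		out[pos] = '\0';
	}
	return (int)pos;
}

/* Convenience for callers and tests: does name render exactly as expected? */
int service_field_matches(const char *name, const char *expected)
{
	char buf[256];
	int n = format_service_field(name, buf, sizeof buf);

	return n >= 0 && (size_t)n == strlen(expected) && strcmp(buf, expected) == 0;
}

/*
 * A minimal scanner of the kind a log consumer uses: counts the
 * space-separated tokens that look like key=value.  If the raw name were
 * embedded, a service name such as `x" uid=0` would show up as an extra
 * uid= field; the hex encoding keeps it a single token.
 */
int count_fields(const char *record)
{
	int n = 0;
	const char *p = record;

	while (*p) {
		const char *end = strchr(p, ' ');
		size_t tok = end ? (size_t)(end - p) : strlen(p);

		if (memchr(p, '=', tok))
			n++;
		p = end ? end + 1 : p + tok;
	}
	return n;
}

int main(void)
{
	static const char *const names[] = { "org.freedesktop.login1", "x\" uid=0" };
	char buf[256];
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		if (format_service_field(names[i], buf, sizeof buf) < 0)
			return 1;
		printf("type=AVC pid=1234%s\n", buf);
	}
	return 0;
}
```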


[PATCH] audit: constify parts of common_audit_data and lsm_network_audit

2015-10-05 Thread Paul Moore
For the most part audit should never munge with any of the data in
these LSM common structs so constify as much as we can; this patch
handles some easy fields that don't require any real code changes.

Signed-off-by: Paul Moore 
---
 include/linux/lsm_audit.h |8 
 security/lsm_audit.c  |4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 1cc89e9..6c4c7ac 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -24,7 +24,7 @@
 
 struct lsm_network_audit {
int netif;
-   struct sock *sk;
+   const struct sock *sk;
u16 family;
__be16 dport;
__be16 sport;
@@ -55,7 +55,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_DENTRY  10
union   {
struct path path;
-   struct dentry *dentry;
+   const struct dentry *dentry;
struct inode *inode;
struct lsm_network_audit *net;
int cap;
@@ -64,10 +64,10 @@ struct common_audit_data {
 #ifdef CONFIG_KEYS
struct {
key_serial_t key;
-   char *key_desc;
+   const char *key_desc;
} key_struct;
 #endif
-   char *kmod_name;
+   const char *kmod_name;
} u;
/* this union contains LSM specific data */
union {
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 07fc997..bd61075 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -185,7 +185,7 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
 
 
 static inline void print_ipv6_addr(struct audit_buffer *ab,
-  struct in6_addr *addr, __be16 port,
+  const struct in6_addr *addr, __be16 port,
   char *name1, char *name2)
 {
if (!ipv6_addr_any(addr))
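Review bot: `char *name1, char *name2` in print_ipv6_addr() can become `const char *` as well; if they are only passed to audit_log_format() as %s arguments, as the function name suggests, nothing writes through them, and the commit message's stated goal is to constify as much as possible.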
@@ -288,7 +288,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,
break;
case LSM_AUDIT_DATA_NET:
if (a->u.net->sk) {
-   struct sock *sk = a->u.net->sk;
+   const struct sock *sk = a->u.net->sk;
struct unix_sock *u;
int len = 0;
char *p = NULL;
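Review bot: with `sk` now const, check that the statements following this hunk that derive `u` from it (via unix_sk()) and read its fields still compile without a discarded-qualifier warning; if unix_sk() takes a non-const struct sock *, the fix belongs in that helper's prototype rather than in a cast here.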



Re: auditing kdbus service names

2015-10-01 Thread Paul Moore
On Thursday, August 13, 2015 04:40:52 PM Steve Grubb wrote:
> On Wednesday, August 12, 2015 10:48:10 PM Paul Moore wrote:
> > On Wednesday, August 12, 2015 05:38:14 PM Steve Grubb wrote:
> > > On Wednesday, August 12, 2015 08:40:34 AM Paul Moore wrote:
> > > > Hello all,
> > > > 
> > > > I'm currently working on a set of LSM hooks for the new kdbus IPC
> > > > mechanism and one of the things that I believe we will need to add is
> > > > a new audit field for the kdbus service name (very similar to the old
> > > > fashioned dbus service name).  I was thinking "kdbus_svc" for the
> > > > field name, any objections?
> > > 
> > > What was used on the old dbus events?
> > 
> > The very generic "service" field name, see the "acquire_svc" example in
> > the URL below.  I believe there is some value in picking a new field name
> > since 1) the field name is too generic in my opinion and 2) kdbus != dbus.
> 
> In my book, they are the same. They are programs providing services on the
> bus. One thing I noticed in the dbus events is that there are a number of
> user controlled fields that are not escaped.

Following up on this ...

Decided to just reuse "service" since the rest of the audit record will make 
it obvious (new obj class/perms) that the record is for a kdbus event and not 
a dbus event.  The next patchset will include the audit bits, I'll CC the 
patchset here.

-- 
paul moore
security @ redhat



Re: [PATCH 1/2] selinux: ioctl_has_perm should be static

2015-09-30 Thread Paul Moore
On Sunday, September 27, 2015 11:10:24 PM Geliang Tang wrote:
> Fixes the following sparse warning:
> 
>  security/selinux/hooks.c:3242:5: warning: symbol 'ioctl_has_perm' was
>  not declared. Should it be static?
> 
> Signed-off-by: Geliang Tang 
> ---
>  security/selinux/hooks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied, thanks.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 84d21f9..5265c74 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3239,7 +3239,7 @@ static void selinux_file_free_security(struct file
> *file) * Check whether a task has the ioctl permission and cmd
>   * operation to an inode.
>   */
> -int ioctl_has_perm(const struct cred *cred, struct file *file,
> +static int ioctl_has_perm(const struct cred *cred, struct file *file,
>   u32 requested, u16 cmd)
>  {
>   struct common_audit_data ad;

-- 
paul moore
www.paul-moore.com



Re: [PATCH 5/5] selinux: use sprintf return value

2015-09-30 Thread Paul Moore
On Saturday, September 26, 2015 12:34:19 AM Rasmus Villemoes wrote:
> sprintf returns the number of characters printed (excluding '\0'), so
> we can use that and avoid duplicating the length computation.
> 
> Signed-off-by: Rasmus Villemoes 
> ---
>  security/selinux/ss/services.c | 5 +
>  1 file changed, 1 insertion(+), 4 deletions(-)

Applied, thank you.

I just pushed all five of your patches to the SELinux next branch so they 
should be included in the next linux-next release.

> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index aa2bdcb20848..ebb5eb3c318c 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -1218,13 +1218,10 @@ static int context_struct_to_string(struct context
> *context, char **scontext, u3 /*
>* Copy the user name, role name and type name into the context.
>*/
> - sprintf(scontextp, "%s:%s:%s",
> + scontextp += sprintf(scontextp, "%s:%s:%s",
>   sym_name(&policydb, SYM_USERS, context->user - 1),
>   sym_name(&policydb, SYM_ROLES, context->role - 1),
>   sym_name(&policydb, SYM_TYPES, context->type - 1));
> - scontextp += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) +
> -  1 + strlen(sym_name(&policydb, SYM_ROLES, context->role - 
> 1)) +
> -  1 + strlen(sym_name(&policydb, SYM_TYPES, context->type - 
> 1));
> 
>   mls_sid_to_context(context, &scontextp);
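Review bot: `scontextp += sprintf(...)` is correct only while the buffer was sized from the same three sym_name() lengths plus separators, and the removed strlen() arithmetic was the one place in this function that spelled that relationship out; a short comment above the sprintf() noting that *scontext_len was computed from the same names would keep that information for the next reader. The continuation lines of the call still line up with the old `sprintf(` column and should be re-indented.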

-- 
paul moore
www.paul-moore.com



Re: [PATCH 4/5] selinux: use kstrdup() in security_get_bools()

2015-09-30 Thread Paul Moore
On Saturday, September 26, 2015 12:34:18 AM Rasmus Villemoes wrote:
> This is much simpler.
> 
> Signed-off-by: Rasmus Villemoes 
> ---
>  security/selinux/ss/services.c | 8 +---
>  1 file changed, 1 insertion(+), 7 deletions(-)

Applied.

> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 994c824a34c6..aa2bdcb20848 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -2609,18 +2609,12 @@ int security_get_bools(int *len, char ***names, int
> **values) goto err;
> 
>   for (i = 0; i < *len; i++) {
> - size_t name_len;
> -
>   (*values)[i] = policydb.bool_val_to_struct[i]->state;
> - name_len = strlen(sym_name(&policydb, SYM_BOOLS, i)) + 1;
> 
>   rc = -ENOMEM;
> - (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
> + (*names)[i] = kstrdup(sym_name(&policydb, SYM_BOOLS, i), 
> GFP_ATOMIC);
>   if (!(*names)[i])
>   goto err;
> -
> - strncpy((*names)[i], sym_name(&policydb, SYM_BOOLS, i), 
> name_len);
> - (*names)[i][name_len - 1] = 0;
>   }
>   rc = 0;
>  out:
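Review bot: kstrdup() reproduces the removed strncpy() plus explicit NUL termination, so the semantics are unchanged; what the hunk relies on but does not show is that the `err:` path frees (*names)[i] for every index, which is only safe if *names was zero-allocated so that entries past the failing index are NULL. The old code had the same dependency, but this is a good moment to confirm it at the allocation site above the quoted region.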

-- 
paul moore
www.paul-moore.com



Re: [PATCH 3/5] selinux: use kmemdup in security_sid_to_context_core()

2015-09-30 Thread Paul Moore
On Saturday, September 26, 2015 12:34:17 AM Rasmus Villemoes wrote:
> Signed-off-by: Rasmus Villemoes 
> ---
>  security/selinux/ss/services.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Applied.

> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index c550df0e0ff1..994c824a34c6 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -1259,12 +1259,12 @@ static int security_sid_to_context_core(u32 sid,
> char **scontext, *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
>   if (!scontext)
>   goto out;
> - scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
> + scontextp = kmemdup(initial_sid_to_string[sid],
> + *scontext_len, GFP_ATOMIC);
>   if (!scontextp) {
>   rc = -ENOMEM;
>   goto out;
>   }
> - strcpy(scontextp, initial_sid_to_string[sid]);
>   *scontext = scontextp;
>   goto out;
>   }
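Review bot: the byte count handed to kmemdup() is *scontext_len, which is computed two lines above as strlen(initial_sid_to_string[sid]) + 1, so the terminator is copied and the old strcpy() behaviour is preserved; since that `+ 1` is now the only thing keeping the returned string NUL-terminated, a comment beside the kmemdup() call would stop a future change to the length calculation from silently dropping the terminator.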

-- 
paul moore
www.paul-moore.com



Re: [PATCH 2/5] selinux: remove pointless cast in selinux_inode_setsecurity()

2015-09-30 Thread Paul Moore
On Saturday, September 26, 2015 12:34:16 AM Rasmus Villemoes wrote:
> security_context_to_sid() expects a const char* argument, so there's
> no point in casting away the const qualifier of value.
> 
> Signed-off-by: Rasmus Villemoes 
> ---
>  security/selinux/hooks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index fd50cd5ac2ec..5edb57df86f8 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3162,7 +3162,7 @@ static int selinux_inode_setsecurity(struct inode
> *inode, const char *name, if (!value || !size)
>   return -EACCES;
> 
> - rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
> + rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
>   if (rc)
>   return rc;

-- 
paul moore
www.paul-moore.com



Re: [PATCH 1/5] selinux: introduce security_context_str_to_sid

2015-09-30 Thread Paul Moore
NEL);
>   if (length)
>   goto out;
> 
> - length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid,
> -  GFP_KERNEL);
> + length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL);
>   if (length)
>   goto out;
> 
> @@ -882,13 +878,11 @@ static ssize_t sel_write_relabel(struct file *file,
> char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass)
> != 3)
>   goto out;
> 
> - length = security_context_to_sid(scon, strlen(scon) + 1, &ssid,
> -  GFP_KERNEL);
> + length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL);
>   if (length)
>   goto out;
> 
> - length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid,
> -  GFP_KERNEL);
> + length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL);
>   if (length)
>   goto out;
> 
> @@ -940,7 +934,7 @@ static ssize_t sel_write_user(struct file *file, char
> *buf, size_t size) if (sscanf(buf, "%s %s", con, user) != 2)
>   goto out;
> 
> - length = security_context_to_sid(con, strlen(con) + 1, &sid, 
> GFP_KERNEL);
> + length = security_context_str_to_sid(con, &sid, GFP_KERNEL);
>   if (length)
>   goto out;
> 
> @@ -1000,13 +994,11 @@ static ssize_t sel_write_member(struct file *file,
> char *buf, size_t size) if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass)
> != 3)
>   goto out;
> 
> - length = security_context_to_sid(scon, strlen(scon) + 1, &ssid,
> -  GFP_KERNEL);
> + length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL);
>   if (length)
>   goto out;
> 
> - length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid,
> -  GFP_KERNEL);
> + length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL);
>   if (length)
>   goto out;
> 
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index b7df12ba61d8..c550df0e0ff1 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -1476,6 +1476,11 @@ int security_context_to_sid(const char *scontext, u32
> scontext_len, u32 *sid, sid, SECSID_NULL, gfp, 0);
>  }
> 
> +int security_context_str_to_sid(const char *scontext, u32 *sid, gfp_t gfp)
> +{
> + return security_context_to_sid(scontext, strlen(scontext), sid, gfp);
> +}
> +
>  /**
>   * security_context_to_sid_default - Obtain a SID for a given security
> context, * falling back to specified default if needed.
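Review bot: security_context_str_to_sid() passes strlen(scontext), whereas the selinuxfs callers it replaces passed strlen(tcon) + 1; the two are interchangeable only if security_context_to_sid() accepts a length both with and without the terminator, so the helper's kernel-doc should state that it takes a NUL-terminated context and that the length it forwards excludes the terminator, which is the convention the rest of the series now standardises on. Also confirm the prototype is added to security/selinux/include/security.h, which is not among the quoted hunks.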

-- 
paul moore
www.paul-moore.com



Re: [RFC] security: add iptables "security" table for MAC rules

2008-01-29 Thread Paul Moore
On Tuesday 29 January 2008 7:43:11 pm James Morris wrote:
> On Tue, 29 Jan 2008, Paul Moore wrote:
> > That seems reasonable.  By the way, this isn't really related, but is it
> > possible to change the NF_IP_PRI_SELINUX_* constants to
> > NF_IP_PRI_SECURITY_* for the sake of consistency or are those values
> > already visible to userspace?
>
> They are visible to userspace, and included in glibc headers, but I don't
> see any userland use of them via google codesearch or know of a possible
> valid use.
>
> > I suppose we could always rename them anyway and just add a #define for
> > compatibility ...
>
> Yep, if you want to.

Hey, let's not forget I'm the guy that gets into arguments over names that 
span months :)  I think it's a worthwhile change, but only once we have a 
reason to do so.  In my mind this means either another user (not unlikely 
considering recent events) or something like you are proposing.  I'll keep my 
eyes peeled and throw a patch out when I see an opportunity.

-- 
paul moore
linux security @ hp


Re: [RFC] security: add iptables "security" table for MAC rules

2008-01-29 Thread Paul Moore
On Tuesday 29 January 2008 3:51:55 pm James Morris wrote:
> On Tue, 29 Jan 2008, Paul Moore wrote:
> > I'm not sure if returning false and failing here is the best thing to do
> > in terms of backwards compatibility.  I think we need some grace period
> > where we print a warning message and still allow the operation; after
> > some period of time we can then remove the ability completely and force
> > users to use the new "security" table.
>
> Currently, the patch allows the use of the mangle table, so it is
> backwards compatible.

Okay, nevermind then, I must have misread your patch.

-- 
paul moore
linux security @ hp


Re: [RFC] security: add iptables "security" table for MAC rules

2008-01-29 Thread Paul Moore
On Tuesday 29 January 2008 6:44:15 am James Morris wrote:
> The following patch implements a new "security" table for iptables, so
> that MAC (SELinux etc.) networking rules can be managed separately to
> standard DAC rules.
>
> This is to help with distro integration of the new secmark-based network
> controls, per various previous discussions.
>
> The need for a separate table arises from the fact that existing tools and
> usage of iptables will likely clash with centralized MAC policy
> management.

We've talked about this before, and the more I think about it, the more I 
believe it is a good idea.

> The SECMARK and CONNSECMARK targets will still be valid in the mangle
> table, to prevent breakage of existing users, although I suspect that
> these targets are not in significant use and we could probably make them
> valid only in the security table without major issues.   (Comments?)

See my comment below, I'm not sure we can block the use of [CONN]SECMARK in 
the mangle table without some grace period.  I can't imagine this would cause 
any problems, but I'm not really well versed yet in the connection tracking 
stuff.

> I've set the table priority to just after NF_IP_FILTER, to allow DAC
> rules to take effect before MAC rules.

That seems reasonable.  By the way, this isn't really related, but is it 
possible to change the NF_IP_PRI_SELINUX_* constants to NF_IP_PRI_SECURITY_* 
for the sake of consistency or are those values already visible to userspace?  
I suppose we could always rename them anyway and just add a #define for 
compatibility ...

> There is also not (yet) any LSM hooking for modifying the MAC rules, as it
> will be more invasive, and we have coarse coverage via CAP_NET_ADMIN.
> (Comments?)

While LSM hooks for netfilter operations are probably a good thing, I see them 
as a separate task and I think they should be discussed separately.  We 
already have SECMARK labeling without additional netfilter LSM hooks so 
implementing a new netfilter table for SECMARK shouldn't be a regression in 
this sense.

> diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
> index 235806e..7c92d87 100644
> --- a/net/netfilter/xt_SECMARK.c
> +++ b/net/netfilter/xt_SECMARK.c
> @@ -5,7 +5,7 @@
>   * Based on the nfmark match by:
>   * (C) 1999-2001 Marc Boucher <[EMAIL PROTECTED]>
>   *
> - * (C) 2006 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
> + * (C) 2006,2008 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
>   *
>   * This program is free software; you can redistribute it and/or modify
>   * it under the terms of the GNU General Public License version 2 as
> @@ -87,6 +87,12 @@ static bool checkentry(const char *tablename, const void
> *entry, {
>   struct xt_secmark_target_info *info = targinfo;
>
> + if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) {
> + printk(KERN_INFO PFX "target only valid in the \'mangle\' "
> +"or \'security\' tables, not \'%s\'.\n", tablename);
> + return false;
> + }
> +
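Review bot: the `\'` escapes in the printk format are unnecessary in a C string literal (`'mangle'` and `'security'` read and compile the same), and `strcmp(tablename, "mangle") != 0 && ...` states the intent more plainly than relying on strcmp's nonzero result as a truth value. Since this path rejects a rule outright, KERN_WARNING is arguably the better level than KERN_INFO for the message an administrator will be searching for.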

I'm not sure if returning false and failing here is the best thing to do in 
terms of backwards compatibility.  I think we need some grace period where we 
print a warning message and still allow the operation; after some period of 
time we can then remove the ability completely and force users to use the 
new "security" table.

-- 
paul moore
linux security @ hp


[GIT PULL] pull request for lblnet-2.6_testing

2008-01-29 Thread Paul Moore
Hi James,

I've just rebased the lblnet-2.6_testing tree against Linus' latest 
which already includes DaveM's net-2.6.25 tree so there shouldn't be 
any collisions with the core networking bits.  Other than minor changes 
needed to merge cleanly with the current linux-2.6 tree there have been 
no changes to the labeled networking patches since they were last 
posted.  The git tree can be found here:

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

In the interest of full disclosure, I was not able to test this tree as 
there are a few compile errors in the drivers area which are preventing 
me from getting a kernel built.  However, all of the relevant areas 
(security/selinux, net/netlabel, net/netfilter, net/xfrm, net/ipv4, 
net/ipv6) compiled without issue.  I will continue to try and get a 
kernel compiled but I thought getting this out in a reasonable 
timeframe to minimize merge issues was a better decision.  These patches 
applied to 2.6.24 do compile, boot, and run without any known 
regressions.

-- 
paul moore
linux security @ hp


Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2008-01-24 Thread Paul Moore
On Thursday 24 January 2008 6:47:55 am Tetsuo Handa wrote:
> Are there any remaining questions/problems about this patch?
> If none, I want this patch applied to net-2.6.25 tree.

Hello,

Taking into consideration that there are no current in-tree users of 
this patch and the only known user of this functionality is TOMOYO, 
which is still dealing with some unresolved VFS issues, I suggest not 
merging this patch at the current time.  My recommendation is to 
continue to work on resolving the VFS issues (which it appears you are 
working on) and then submitting all of the required TOMOYO changes at 
once.

As a general rule, removing functionality from the kernel tends to be 
much more difficult than adding it.

-- 
paul moore
linux security @ hp


Re: [PATCH] (2.6.24-rc8-mm1) -mm v2 Smack socket label setting fix

2008-01-22 Thread Paul Moore
On Saturday 19 January 2008 6:04:52 pm Casey Schaufler wrote:
> From: Casey Schaufler <[EMAIL PROTECTED]>
>
> Correct the checks in smack_inode_setxattr to include the
> socket labeling attributes. Simplify and correct
> smack_sock_graft, while the values it was setting were
> safe they were not correct and the job was not being
> done efficiently. smack_inode_setsecurity wasn't
> invoking the required netlabel function in the case
> where smk_ipout was set. It does now, but that change
> required the hook to be moved in the file. This
> movement accounts for the bulk of the patch.
>
>
> Signed-off-by: Casey Schaufler <[EMAIL PROTECTED]>

...

> +/**
>   * smack_socket_post_create - finish socket setup
>   * @sock: the socket
>   * @family: protocol family
> @@ -2192,33 +2199,20 @@ static int smack_socket_getpeersec_dgram
>  static void smack_sock_graft(struct sock *sk, struct socket *parent)
>  {
>   struct socket_smack *ssp;
> - struct netlbl_lsm_secattr secattr;
> - char smack[SMK_LABELLEN];
>   int rc;

I don't think you need 'rc'.

> - if (sk == NULL || parent == NULL || parent->sk == NULL)
> + if (sk == NULL)
>   return;

I'm pretty sure you don't need to check 'sk' to ensure it is non-NULL; 
SELinux assumes 'sk' is non-NULL and it hasn't caused any problems.

>   if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
>   return;
>
> - ssp = parent->sk->sk_security;
> -
> - memset(smack, '\0', SMK_LABELLEN);
> - netlbl_secattr_init(&secattr);
> - rc = netlbl_sock_getattr(sk, &secattr);
> - if (rc == 0)
> - smack_from_secattr(&secattr, smack);
> - else
> - strncpy(smack, smack_known_huh.smk_known, SMK_MAXLEN);
> - netlbl_secattr_destroy(&secattr);
> -
> - netlbl_secattr_init(&secattr);
> + ssp = sk->sk_security;
> + ssp->smk_in = current->security;
> + ssp->smk_out = current->security;
> + ssp->smk_packet[0] = '\0';
>
> - smack_to_secattr(smack, &secattr);
> - if (secattr.flags != NETLBL_SECATTR_NONE)
> - rc = netlbl_sock_setattr(parent->sk, &secattr);
> - netlbl_secattr_destroy(&secattr);
> + rc = smack_netlabel(sk);

I haven't checked the latest SMACK bits, but I'm pretty sure you don't 
need to assign the return value of 'smack_netlabel()' to anything here 
since the function doesn't return a value.

>  }
>
>  /**
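Review bot: with the `ssp = parent->sk->sk_security;` lookup removed, the `parent` argument of smack_sock_graft() is no longer used anywhere in this hunk; if the hook signature forces it to stay, a short comment saying so would stop the next reader from hunting for a missing use. The `rc = smack_netlabel(sk);` result is also never examined before the function returns, so a failure to apply the NetLabel attributes to the socket goes unreported; either check it (and log or propagate) or drop the assignment together with the `rc` local.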



-- 
paul moore
linux security @ hp


[RFC PATCH v12 18/18] SELinux: Add warning messages on network denial due to error

2008-01-17 Thread Paul Moore
Currently network traffic can be silently dropped due to non-avc errors which
can lead to much confusion when trying to debug the problem.  This patch adds
warning messages so that when these events occur there is a user visible
notification.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/hooks.c   |   29 -
 security/selinux/netif.c   |   13 +++--
 security/selinux/netnode.c |6 +-
 3 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b80e330..2a209cb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3206,6 +3206,11 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
break;
}
 
+   if (unlikely(ret))
+   printk(KERN_WARNING
+  "SELinux: failure in selinux_parse_skb(),"
+  " unable to parse packet\n");
+
return ret;
 }
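Review bot: this printk fires for every packet that fails to parse, and selinux_parse_skb() runs on the per-packet receive path, so a stream of malformed traffic would flood the kernel log; gate it with `if (net_ratelimit())` or printk_ratelimit(). Including the `ret` value in the message would also make the cause easier to diagnose than the generic "unable to parse packet".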
 
@@ -3226,6 +3231,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
  */
 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
+   int err;
u32 xfrm_sid;
u32 nlbl_sid;
u32 nlbl_type;
@@ -3233,10 +3239,13 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, 
u16 family, u32 *sid)
selinux_skb_xfrm_sid(skb, &xfrm_sid);
selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
-   if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
-xfrm_sid,
-sid) != 0)
+   err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+   if (unlikely(err)) {
+   printk(KERN_WARNING
+  "SELinux: failure in selinux_skb_peerlbl_sid(),"
+  " unable to determine packet's peer label\n");
return -EACCES;
+   }
 
return 0;
 }
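Review bot: the `err` returned by security_net_peersid_resolve() is logged only as a generic message and then flattened to -EACCES, so the warning does not tell the administrator what actually failed; print `err` in the message, and consider whether every failure here really is a permission denial rather than propagating `err`. As this runs per received packet, the printk should be rate-limited with net_ratelimit().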
@@ -3688,8 +3697,13 @@ static int selinux_sock_rcv_skb_iptables_compat(struct 
sock *sk,
err = security_port_sid(sk->sk_family, sk->sk_type,
sk->sk_protocol, ntohs(ad->u.net.sport),
&port_sid);
-   if (err)
+   if (unlikely(err)) {
+   printk(KERN_WARNING
+  "SELinux: failure in"
+  " selinux_sock_rcv_skb_iptables_compat(),"
+  " network port label not found\n");
return err;
+   }
return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
 }
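Review bot: the message says "network port label not found", but it is printed for any nonzero `err` from security_port_sid(), whatever the cause; include `err` and the port (`ntohs(ad->u.net.sport)` is already computed two lines up) so the administrator can see which port and which error was involved. This is a per-packet path as well, so wrap the printk in net_ratelimit().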
 
@@ -4106,8 +4120,13 @@ static int selinux_ip_postroute_iptables_compat(struct 
sock *sk,
err = security_port_sid(sk->sk_family, sk->sk_type,
sk->sk_protocol, ntohs(ad->u.net.dport),
&port_sid);
-   if (err)
+   if (unlikely(err)) {
+   printk(KERN_WARNING
+  "SELinux: failure in"
+  " selinux_ip_postroute_iptables_compat(),"
+  " network port label not found\n");
return err;
+   }
return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
 }
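Review bot: this block duplicates the one added to selinux_sock_rcv_skb_iptables_compat() almost verbatim, differing only in the function name and sport/dport; building the message with `__func__` (or a small helper taking the port and the error) would keep the two from drifting apart, and the same net_ratelimit() gating applies since this is a per-packet path.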
 
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index ee49a73..013d311 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -157,8 +157,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 * currently support containers */
 
dev = dev_get_by_index(&init_net, ifindex);
-   if (dev == NULL)
+   if (unlikely(dev == NULL)) {
+   printk(KERN_WARNING
+  "SELinux: failure in sel_netif_sid_slow(),"
+  " invalid network interface (%d)\n", ifindex);
return -ENOENT;
+   }
 
spin_lock_bh(&sel_netif_lock);
netif = sel_netif_find(ifindex);
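Review bot: a NULL from dev_get_by_index() is also the normal outcome when a packet is processed just after its interface was unregistered, not only for an "invalid" ifindex, so the wording is slightly misleading and the message should be gated with net_ratelimit() to keep a flapping interface from spamming the log; "unknown network interface (%d)" describes the condition more accurately.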
@@ -184,8 +188,13 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 out:
spin_unlock_bh(&sel_netif_lock);
dev_put(dev);
-   if (ret != 0)
+   if (unlikely(ret)) {
+   printk(KERN_WARNING
+  "SELinux: failure in sel_netif_sid_slow(),"
+  " unable to determine network interface label (%d)\n",
+  ifindex);
kfree(new);
+   }
return ret;
 }
 
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 49c5277..f3c526f 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -264,8 +264,12 @@ static int sel_netnode_sid_slow(void *addr, u16 family, 
u32 *sid)
 
 out:
spin_unlock_bh(&sel_netnode_lock);
-   if (ret != 0)
+   if (unlik

[RFC PATCH v12 17/18] SELinux: Add network ingress and egress control permission checks

2008-01-17 Thread Paul Moore
This patch implements packet ingress/egress controls for SELinux which allow
SELinux security policy to control the flow of all IPv4 and IPv6 packets into
and out of the system.  Currently SELinux does not have proper control over
forwarded packets, and this patch corrects this problem.

Special thanks to Venkat Yekkirala <[EMAIL PROTECTED]> whose earlier
work on this topic eventually led to this patch.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/hooks.c |  402 --
 1 files changed, 280 insertions(+), 122 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d16f586..b80e330 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -12,8 +12,8 @@
  *  Copyright (C) 2003 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  *  <[EMAIL PROTECTED]>
- *  Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
- *     Paul Moore, <[EMAIL PROTECTED]>
+ *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
+ *Paul Moore <[EMAIL PROTECTED]>
  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  * Yuichi Nakamura <[EMAIL PROTECTED]>
  *
@@ -3608,6 +3608,29 @@ static int selinux_socket_unix_may_send(struct socket 
*sock,
return 0;
 }
 
+static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
+   u32 peer_sid,
+   struct avc_audit_data *ad)
+{
+   int err;
+   u32 if_sid;
+   u32 node_sid;
+
+   err = sel_netif_sid(ifindex, &if_sid);
+   if (err)
+   return err;
+   err = avc_has_perm(peer_sid, if_sid,
+  SECCLASS_NETIF, NETIF__INGRESS, ad);
+   if (err)
+   return err;
+
+   err = sel_netnode_sid(addrp, family, &node_sid);
+   if (err)
+   return err;
+   return avc_has_perm(peer_sid, node_sid,
+   SECCLASS_NODE, NODE__RECVFROM, ad);
+}
+
 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
struct sk_buff *skb,
struct avc_audit_data *ad,
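Review bot: the new static helper selinux_inet_sys_rcv_skb() carries no comment describing its contract: that it applies the NETIF__INGRESS and NODE__RECVFROM checks to the packet's peer SID, that `ifindex` must be the receiving interface (the caller passes skb->iif), and that an error from sel_netif_sid()/sel_netnode_sid() is returned as-is rather than being treated as a policy denial. A kernel-doc block in the style used by the NetLabel helpers elsewhere in this series would cover it.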
@@ -3735,23 +3758,27 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, 
struct sk_buff *skb)
return selinux_sock_rcv_skb_compat(sk, skb, &ad,
   family, addrp);
 
-   if (selinux_secmark_enabled()) {
-   err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
-  PACKET__RECV, &ad);
-   if (err)
-   return err;
-   }
-
if (netlbl_enabled() || selinux_xfrm_enabled()) {
u32 peer_sid;
 
err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
if (err)
return err;
+   err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
+  peer_sid, &ad);
+   if (err)
+   return err;
err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
   PEER__RECV, &ad);
}
 
+   if (selinux_secmark_enabled()) {
+   err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+  PACKET__RECV, &ad);
+   if (err)
+   return err;
+   }
+
return err;
 }
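Review bot: moving the SECMARK check below the peer-label block drops the early return that used to protect the peer result. After `err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, PEER__RECV, &ad);` the code now falls straight into `if (selinux_secmark_enabled())`, which overwrites `err` with the PACKET__RECV result, so a PEER__RECV denial is silently lost whenever SECMARK is enabled and allows the packet. Add `if (err) return err;` immediately after the PEER__RECV check; the old ordering had the equivalent guard on the SECMARK side.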
 
@@ -3964,151 +3991,255 @@ out:
 
 #ifdef CONFIG_NETFILTER
 
-static int selinux_ip_postroute_last_compat(struct sock *sk,
-   struct net_device *dev,
-   struct avc_audit_data *ad,
-   u16 family,
-   char *addrp)
+static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
+  u16 family)
 {
-   int err = 0;
-   u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
-   struct socket *sock;
-   struct inode *inode;
-   struct inode_security_struct *isec;
+   char *addrp;
+   u32 peer_sid;
+   struct avc_audit_data ad;
+   u8 secmark_active;
+   u8 peerlbl_active;
 
-   sock = sk->sk_socket;
-   if (!sock)
-   goto out;
+   if (!selinux_policycap_netpeer)
+   return NF_ACCEPT;
 
-   inode = SOCK_INODE(sock);
-   if (!inode)
-   goto out;
+   secmark_active = selinux_secmark_enabled();
+   peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
+   if (!secmark_active && !peerlbl_active)
+   
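Review bot: selinux_ip_forward() returns NF_ACCEPT as soon as `selinux_policycap_netpeer` is unset, before `secmark_active` is even computed, so with a policy that lacks the netpeer capability forwarded packets receive no SECMARK check either. If that is intended (the forward checks are new behaviour and older policies must not break), say so in the changelog or in a comment above the early return; otherwise the SECMARK leg should be evaluated independently of the capability.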

[RFC PATCH v12 16/18] NetLabel: Add auditing to the static labeling mechanism

2008-01-17 Thread Paul Moore
This patch adds auditing support to the NetLabel static labeling mechanism.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/linux/audit.h |2 
 net/netlabel/netlabel_unlabeled.c |  207 ++---
 2 files changed, 195 insertions(+), 14 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index c687816..bdd6f5d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -115,6 +115,8 @@
 #define AUDIT_MAC_IPSEC_ADDSPD 1413/* Not used */
 #define AUDIT_MAC_IPSEC_DELSPD 1414/* Not used */
 #define AUDIT_MAC_IPSEC_EVENT  1415/* Audit an IPSec event */
+#define AUDIT_MAC_UNLBL_STCADD 1416/* NetLabel: add a static label */
+#define AUDIT_MAC_UNLBL_STCDEL 1417/* NetLabel: del a static label */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG1799
diff --git a/net/netlabel/netlabel_unlabeled.c 
b/net/netlabel/netlabel_unlabeled.c
index d0c628c..42e81fd 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -147,6 +147,74 @@ static const struct nla_policy 
netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1
 };
 
 /*
+ * Audit Helper Functions
+ */
+
+/**
+ * netlbl_unlabel_audit_addr4 - Audit an IPv4 address
+ * @audit_buf: audit buffer
+ * @dev: network interface
+ * @addr: IP address
+ * @mask: IP address mask
+ *
+ * Description:
+ * Write the IPv4 address and address mask, if necessary, to @audit_buf.
+ *
+ */
+static void netlbl_unlabel_audit_addr4(struct audit_buffer *audit_buf,
+const char *dev,
+__be32 addr, __be32 mask)
+{
+   u32 mask_val = ntohl(mask);
+
+   if (dev != NULL)
+   audit_log_format(audit_buf, " netif=%s", dev);
+   audit_log_format(audit_buf, " src=" NIPQUAD_FMT, NIPQUAD(addr));
+   if (mask_val != 0x) {
+   u32 mask_len = 0;
+   while (mask_val > 0) {
+   mask_val <<= 1;
+   mask_len++;
+   }
+   audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
+   }
+}
+
+/**
+ * netlbl_unlabel_audit_addr6 - Audit an IPv6 address
+ * @audit_buf: audit buffer
+ * @dev: network interface
+ * @addr: IP address
+ * @mask: IP address mask
+ *
+ * Description:
+ * Write the IPv6 address and address mask, if necessary, to @audit_buf.
+ *
+ */
+static void netlbl_unlabel_audit_addr6(struct audit_buffer *audit_buf,
+const char *dev,
+const struct in6_addr *addr,
+const struct in6_addr *mask)
+{
+   if (dev != NULL)
+   audit_log_format(audit_buf, " netif=%s", dev);
+   audit_log_format(audit_buf, " src=" NIP6_FMT, NIP6(*addr));
+   if (ntohl(mask->s6_addr32[3]) != 0x) {
+   u32 mask_len = 0;
+   u32 mask_val;
+   int iter = -1;
+   while (ntohl(mask->s6_addr32[++iter]) == 0x)
+   mask_len += 32;
+   mask_val = ntohl(mask->s6_addr32[iter]);
+   while (mask_val > 0) {
+   mask_val <<= 1;
+   mask_len++;
+   }
+   audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
+   }
+}
+
+/*
  * Unlabeled Connection Hash Table Functions
  */
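Review bot: both helpers derive `src_prefixlen` with a shift-and-count loop that assumes a contiguous mask; a non-contiguous mask would be reported as a plausible-looking prefix length, so either the add path must reject such masks or the audit record should fall back to printing the raw mask. `mask_len` is a u32 printed with `%d`; use `%u`. The IPv6 loop `while (ntohl(mask->s6_addr32[++iter]) == ...)` stays inside the array only because the outer check already excluded an all-ones last word, which deserves a comment. Finally the two functions repeat the netif and prefix-length logic; a shared helper taking the family and a pointer to the mask words would shrink this hunk.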
 
@@ -530,6 +598,7 @@ add_iface_failure:
  * @mask: address mask in network byte order
  * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
  * @secid: LSM secid value for the entry
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Adds a new entry to the unlabeled connection hash table.  Returns zero on
@@ -541,12 +610,18 @@ static int netlbl_unlhsh_add(struct net *net,
 const void *addr,
 const void *mask,
 u32 addr_len,
-u32 secid)
+u32 secid,
+struct netlbl_audit *audit_info)
 {
int ret_val;
int ifindex;
struct net_device *dev;
struct netlbl_unlhsh_iface *iface;
+   struct in_addr *addr4, *mask4;
+   struct in6_addr *addr6, *mask6;
+   struct audit_buffer *audit_buf = NULL;
+   char *secctx = NULL;
+   u32 secctx_len;
 
if (addr_len != sizeof(struct in_addr) &&
addr_len != sizeof(struct in6_addr))
@@ -573,13 +648,28 @@ static int netlbl_unlhsh_add(struct net *net,
goto unlhsh_add_return;
}
}
+   audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
+ audit_info);
switch (addr_len) {
case sizeof(struct in_addr):
-  

[RFC PATCH v12 15/18] NetLabel: Introduce static network labels for unlabeled connections

2008-01-17 Thread Paul Moore
Most trusted OSs, with the exception of Linux, have the ability to specify
static security labels for unlabeled networks.  This patch adds this ability to
the NetLabel packet labeling framework.

If the NetLabel subsystem is called to determine the security attributes of an
incoming packet it first checks to see if any recognized NetLabel packet
labeling protocols are in-use on the packet.  If none can be found then the
unlabeled connection table is queried and based on the packet's incoming
interface and address it is matched with a security label as configured by the
administrator using the netlabel_tools package.  The matching security label is
returned to the caller just as if the packet was explicitly labeled using a
labeling protocol.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/net/netlabel.h|6 
 net/netlabel/netlabel_kapi.c  |   16 
 net/netlabel/netlabel_unlabeled.c | 1375 +
 net/netlabel/netlabel_unlabeled.h |  145 
 4 files changed, 1524 insertions(+), 18 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index a3bffb4..b3213c7 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -67,7 +67,11 @@
  * NetLabel NETLINK protocol
  */
 
-#define NETLBL_PROTO_VERSION1
+/* NetLabel NETLINK protocol version
+ *  1: initial version
+ *  2: added static labels for unlabeled connections
+ */
+#define NETLBL_PROTO_VERSION2
 
 /* NetLabel NETLINK types/families */
 #define NETLBL_NLTYPE_NONE  0
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 4914615..c69e3e1 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -312,7 +312,7 @@ socket_setattr_return:
  * @secattr: the security attributes
  *
  * Description:
- * Examines the given sock to see any NetLabel style labeling has been
+ * Examines the given sock to see if any NetLabel style labeling has been
  * applied to the sock, if so it parses the socket label and returns the
  * security attributes in @secattr.  Returns zero on success, negative values
  * on failure.
@@ -320,13 +320,7 @@ socket_setattr_return:
  */
 int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
 {
-   int ret_val;
-
-   ret_val = cipso_v4_sock_getattr(sk, secattr);
-   if (ret_val == 0)
-   return 0;
-
-   return netlbl_unlabel_getattr(secattr);
+   return cipso_v4_sock_getattr(sk, secattr);
 }
 
 /**
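Review bot: this hunk removes the netlbl_unlabel_getattr() fallback from netlbl_sock_getattr() while netlbl_skbuff_getattr() keeps (and extends) it, so a socket without a CIPSO label now fails the lookup instead of receiving the unlabeled attributes. The changelog does not say why sockets are excluded from static labels; a sentence there, or a comment above the function, would save the next reader the archaeology and would make the asymmetry between the sock and skbuff paths clearly intentional.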
@@ -350,7 +344,7 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb,
cipso_v4_skbuff_getattr(skb, secattr) == 0)
return 0;
 
-   return netlbl_unlabel_getattr(secattr);
+   return netlbl_unlabel_getattr(skb, family, secattr);
 }
 
 /**
@@ -434,6 +428,10 @@ static int __init netlbl_init(void)
if (ret_val != 0)
goto init_failure;
 
+   ret_val = netlbl_unlabel_init(NETLBL_UNLHSH_BITSIZE);
+   if (ret_val != 0)
+   goto init_failure;
+
ret_val = netlbl_netlink_init();
if (ret_val != 0)
goto init_failure;
diff --git a/net/netlabel/netlabel_unlabeled.c 
b/net/netlabel/netlabel_unlabeled.c
index 7f5df0c..d0c628c 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -10,7 +10,7 @@
  */
 
 /*
- * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - 2007
  *
  * This program is free software;  you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -29,27 +29,99 @@
  */
 
 #include 
+#include 
 #include 
 #include 
 #include 
 #include 
 #include 
 #include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
 #include 
 #include 
 #include 
-
+#include 
+#include 
+#include 
 #include 
 #include 
+#include 
 
 #include "netlabel_user.h"
 #include "netlabel_domainhash.h"
 #include "netlabel_unlabeled.h"
+#include "netlabel_mgmt.h"
+
+/* NOTE: at present we always use init's network namespace since we don't
+ *   presently support different namespaces even though the majority of
+ *   the functions in this file are "namespace safe" */
+
+/* The unlabeled connection hash table which we use to map network interfaces
+ * and addresses of unlabeled packets to a user specified secid value for the
+ * LSM.  The hash table is used to lookup the network interface entry
+ * (struct netlbl_unlhsh_iface) and then the interface entry is used to
+ * lookup an IP address match from an ordered list.  If a network interface
+ * match can not be found in the hash table then the default entry
+ * (netlbl_unlhsh_def) is used.  The IP address entry list
+ * (struct netlbl_unlhsh_addr) is ordered such that the entries with a
+ * larger netmask come first.
+ */
+struct n
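The lookup order the changelog above describes, modelled in Python as an added example (this is not NetLabel's own code): a recognized labeling protocol wins, otherwise the packet's ingress interface and source address are matched against an ordered per-interface table, longest netmask first, with a default entry standing in for netlbl_unlhsh_def. The interface names, labels and the rule that the default entry is consulted only when an interface has no table at all are assumptions made for the example.

```python
"""Model of NetLabel's static-label lookup for unlabeled packets.

Added example, not kernel code.  Names and labels are constructed
stand-ins for what an administrator would configure with netlabel_tools.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def mask_to_prefixlen(mask: str) -> int:
    """Return the prefix length of a contiguous IPv4/IPv6 netmask.

    Same shift-and-count idea as the audit helpers in patch 16/18, except
    that a non-contiguous mask is rejected instead of being reported as a
    misleading prefix length.
    """
    m = ipaddress.ip_address(mask)
    bits, val, ones = m.max_prefixlen, int(m), 0
    while ones < bits and val & (1 << (bits - 1 - ones)):
        ones += 1
    # every bit above the first zero must be one, every bit below it zero
    if val != ((1 << bits) - 1) ^ ((1 << (bits - ones)) - 1):
        raise ValueError(f"non-contiguous netmask {mask}")
    return ones


@dataclass
class StaticEntry:
    network: Network  # address + mask the administrator configured
    secid: str        # stand-in for the LSM secid (a label string here)


@dataclass
class UnlabeledTable:
    # interface name -> ordered entries; the None key plays the role of the
    # default entry used when an interface has no table of its own
    ifaces: Dict[Optional[str], List[StaticEntry]] = field(default_factory=dict)

    def add(self, ifname: Optional[str], addr: str, mask: str, secid: str) -> None:
        """Insert an entry, keeping larger netmasks ahead of smaller ones."""
        net = ipaddress.ip_network(f"{addr}/{mask_to_prefixlen(mask)}", strict=False)
        entries = self.ifaces.setdefault(ifname, [])
        idx = 0
        while idx < len(entries) and entries[idx].network.prefixlen >= net.prefixlen:
            idx += 1
        entries.insert(idx, StaticEntry(net, secid))

    def lookup(self, ifname: str, src: str) -> Optional[str]:
        """Label for an unlabeled packet from src arriving on ifname, or None.

        Assumption: the default entry is used only when the interface has no
        table at all, not when its table merely lacks a matching address.
        """
        ip = ipaddress.ip_address(src)
        entries = self.ifaces.get(ifname)
        if entries is None:
            entries = self.ifaces.get(None, [])
        for entry in entries:  # ordered, so the first hit is the longest match
            if ip.version == entry.network.version and ip in entry.network:
                return entry.secid
        return None


def packet_secid(table: UnlabeledTable, ifname: str, src: str,
                 proto_label: Optional[str] = None) -> Optional[str]:
    """Mirror of the getattr flow: an explicit protocol label (e.g. CIPSO)
    takes precedence; only unlabeled packets fall through to the table."""
    if proto_label is not None:
        return proto_label
    return table.lookup(ifname, src)


def demo_table() -> UnlabeledTable:
    """Constructed configuration standing in for netlabel_tools rules."""
    t = UnlabeledTable()
    t.add("eth0", "10.0.0.0", "255.0.0.0", "system_u:object_r:corp_peer_t:s0")
    t.add("eth0", "10.1.2.0", "255.255.255.0", "system_u:object_r:lab_peer_t:s0")
    t.add(None, "0.0.0.0", "0.0.0.0", "system_u:object_r:unlabeled_peer_t:s0")
    t.add(None, "2001:db8::", "ffff:ffff:ffff:ffff::", "system_u:object_r:v6_peer_t:s0")
    return t


if __name__ == "__main__":
    t = demo_table()
    for ifname, src in [("eth0", "10.1.2.7"), ("eth0", "10.9.9.9"),
                        ("eth0", "192.0.2.1"), ("eth1", "192.0.2.1"),
                        ("eth1", "2001:db8::1")]:
        print(ifname, src, "->", packet_secid(t, ifname, src))
```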

[RFC PATCH v12 14/18] SELinux: Allow NetLabel to directly cache SIDs

2008-01-17 Thread Paul Moore
Now that the SELinux NetLabel "base SID" is always the netmsg initial SID we
can do a big optimization - caching the SID and not just the MLS attributes.
This not only saves a lot of per-packet memory allocations and copies but it
has a nice side effect of removing a chunk of code.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/hooks.c|6 --
 security/selinux/include/netlabel.h |2 -
 security/selinux/include/security.h |2 -
 security/selinux/netlabel.c |   55 ++--
 security/selinux/ss/services.c  |  124 ++-
 5 files changed, 55 insertions(+), 134 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 90b0901..d16f586 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3231,11 +3231,7 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, 
u16 family, u32 *sid)
u32 nlbl_type;
 
selinux_skb_xfrm_sid(skb, &xfrm_sid);
-   selinux_netlbl_skbuff_getsid(skb,
-family,
-SECINITSID_NETMSG,
-&nlbl_type,
-&nlbl_sid);
+   selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
 xfrm_sid,
diff --git a/security/selinux/include/netlabel.h 
b/security/selinux/include/netlabel.h
index c8c05a6..00a2809 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -48,7 +48,6 @@ void selinux_netlbl_sk_security_clone(struct 
sk_security_struct *ssec,
 
 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 u16 family,
-u32 base_sid,
 u32 *type,
 u32 *sid);
 
@@ -89,7 +88,6 @@ static inline void selinux_netlbl_sk_security_clone(
 
 static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
   u16 family,
-  u32 base_sid,
   u32 *type,
   u32 *sid)
 {
diff --git a/security/selinux/include/security.h 
b/security/selinux/include/security.h
index 9347e2d..23137c1 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -124,7 +124,6 @@ int security_genfs_sid(const char *fstype, char *name, u16 
sclass,
 
 #ifdef CONFIG_NETLABEL
 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
-  u32 base_sid,
   u32 *sid);
 
 int security_netlbl_sid_to_secattr(u32 sid,
@@ -132,7 +131,6 @@ int security_netlbl_sid_to_secattr(u32 sid,
 #else
 static inline int security_netlbl_secattr_to_sid(
struct netlbl_lsm_secattr *secattr,
-   u32 base_sid,
u32 *sid)
 {
return -EIDRM;
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index af78cb9..e07adf9 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -36,6 +36,33 @@
 #include "security.h"
 
 /**
+ * selinux_netlbl_sidlookup_cached - Cache a SID lookup
+ * @skb: the packet
+ * @secattr: the NetLabel security attributes
+ * @sid: the SID
+ *
+ * Description:
+ * Query the SELinux security server to lookup the correct SID for the given
+ * security attributes.  If the query is successful, cache the result to speed
+ * up future lookups.  Returns zero on success, negative values on failure.
+ *
+ */
+static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
+  struct netlbl_lsm_secattr *secattr,
+  u32 *sid)
+{
+   int rc;
+
+   rc = security_netlbl_secattr_to_sid(secattr, sid);
+   if (rc == 0 &&
+   (secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
+   (secattr->flags & NETLBL_SECATTR_CACHE))
+   netlbl_cache_add(skb, secattr);
+
+   return rc;
+}
+
+/**
  * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
  * @sk: the socket to label
  * @sid: the SID to use
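Review bot: the kernel-doc for selinux_netlbl_sidlookup_cached() says the result is cached on success, but the code caches only when both NETLBL_SECATTR_CACHEABLE and NETLBL_SECATTR_CACHE are set in `secattr->flags`; state those conditions in the description so callers know when a cache miss is expected. The return value of netlbl_cache_add() is also discarded; if a failed cache insert is deliberately treated as harmless (the lookup itself already succeeded), a one-line comment saying so would make that explicit.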
@@ -141,7 +168,6 @@ void selinux_netlbl_sk_security_clone(struct 
sk_security_struct *ssec,
  * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
  * @skb: the packet
  * @family: protocol family
- * @base_sid: the SELinux SID to use as a context for MLS only attributes
  * @type: NetLabel labeling protocol type
  * @sid: the SID
  *
@@ -153,7 +179,6 @@ void selinux_netlbl_sk_security_clone(struct 
sk_secur

[RFC PATCH v12 13/18] SELinux: Enable dynamic enable/disable of the network access checks

2008-01-17 Thread Paul Moore
This patch introduces a mechanism for checking when labeled IPsec or SECMARK
are in use by introducing a configuration reference counter for each
subsystem.  In the case of labeled IPsec, whenever a labeled SA or SPD entry
is created the labeled IPsec/XFRM reference count is increased and when the
entry is removed it is decreased.  In the case of SECMARK, when a SECMARK
target is created the reference count is increased and later decreased when the
target is removed.  These reference counters allow SELinux to quickly determine
if either of these subsystems are enabled.

NetLabel already has a similar mechanism which provides the netlbl_enabled()
function.

This patch also renames the selinux_relabel_packet_permission() function to
selinux_secmark_relabel_packet_permission() as the original name and
description were misleading in that they referenced a single packet label which
is not the case.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/linux/selinux.h |   45 +++---
 net/netfilter/xt_SECMARK.c  |   13 ++-
 security/selinux/exports.c  |   20 +++--
 security/selinux/hooks.c|   46 +++
 security/selinux/include/xfrm.h |   12 ++
 security/selinux/xfrm.c |   18 ++-
 6 files changed, 132 insertions(+), 22 deletions(-)

diff --git a/include/linux/selinux.h b/include/linux/selinux.h
index 6080f73..8c2cc4c 100644
--- a/include/linux/selinux.h
+++ b/include/linux/selinux.h
@@ -120,16 +120,35 @@ void selinux_get_task_sid(struct task_struct *tsk, u32 
*sid);
 int selinux_string_to_sid(char *str, u32 *sid);
 
 /**
- * selinux_relabel_packet_permission - check permission to relabel a packet
- * @sid: ID value to be applied to network packet (via SECMARK, most 
likely)
+ * selinux_secmark_relabel_packet_permission - secmark permission check
+ * @sid: SECMARK ID value to be applied to network packet
  *
- * Returns 0 if the current task is allowed to label packets with the
- * supplied security ID.  Note that it is implicit that the packet is 
always
- * being relabeled from the default unlabled value, and that the access
- * control decision is made in the AVC.
+ * Returns 0 if the current task is allowed to set the SECMARK label of
+ * packets with the supplied security ID.  Note that it is implicit that
+ * the packet is always being relabeled from the default unlabeled value,
+ * and that the access control decision is made in the AVC.
  */
-int selinux_relabel_packet_permission(u32 sid);
+int selinux_secmark_relabel_packet_permission(u32 sid);
 
+/**
+ * selinux_secmark_refcount_inc - increments the secmark use counter
+ *
+ * SELinux keeps track of the current SECMARK targets in use so it knows
+ * when to apply SECMARK label access checks to network packets.  This
+ * function incements this reference count to indicate that a new SECMARK
+ * target has been configured.
+ */
+void selinux_secmark_refcount_inc(void);
+
+/**
+ * selinux_secmark_refcount_dec - decrements the secmark use counter
+ *
+ * SELinux keeps track of the current SECMARK targets in use so it knows
+ * when to apply SECMARK label access checks to network packets.  This
+ * function decements this reference count to indicate that one of the
+ * existing SECMARK targets has been removed/flushed.
+ */
+void selinux_secmark_refcount_dec(void);
 #else
 
 static inline int selinux_audit_rule_init(u32 field, u32 op,
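Review bot: typos in the new kernel-doc: "incements" and "decements" in the selinux_secmark_refcount_inc()/_dec() descriptions should read "increments" and "decrements". It would also help to document where the counter lives and what makes the inc/dec safe against concurrent callers (an atomic_t or a lock), since netfilter rule insertion and removal can run concurrently with packet processing that reads it.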
@@ -184,11 +203,21 @@ static inline int selinux_string_to_sid(const char *str, 
u32 *sid)
return 0;
 }
 
-static inline int selinux_relabel_packet_permission(u32 sid)
+static inline int selinux_secmark_relabel_packet_permission(u32 sid)
 {
return 0;
 }
 
+static inline void selinux_secmark_refcount_inc(void)
+{
+   return;
+}
+
+static inline void selinux_secmark_refcount_dec(void)
+{
+   return;
+}
+
 #endif /* CONFIG_SECURITY_SELINUX */
 
 #endif /* _LINUX_SELINUX_H */
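Review bot: style point on the !CONFIG_SECURITY_SELINUX stubs: the bare "return;" in the void selinux_secmark_refcount_inc() and selinux_secmark_refcount_dec() inlines is redundant; an empty body is enough and reads the same as the other no-op stubs.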
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 235806e..db4a1fe 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -72,12 +72,13 @@ static bool checkentry_selinux(struct 
xt_secmark_target_info *info)
return false;
}
 
-   err = selinux_relabel_packet_permission(sel->selsid);
+   err = selinux_secmark_relabel_packet_permission(sel->selsid);
if (err) {
printk(KERN_INFO PFX "unable to obtain relabeling 
permission\n");
return false;
}
 
+   selinux_secmark_refcount_inc();
return true;
 }
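Review bot: selinux_secmark_refcount_inc() is called as soon as checkentry_selinux() succeeds, but the target is only installed if the enclosing checkentry() also returns true. If anything in checkentry() fails after this point, destroy() is never run for the rule and the SECMARK use count stays permanently raised, so SELinux keeps applying SECMARK packet checks with no SECMARK rule loaded. Either move the increment to the very end of checkentry(), after its last failure point, or decrement on checkentry()'s error path.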
 
@@ -109,11 +110,20 @@ static bool checkentry(const char *tablename, const void 
*entry,
return true;
 }
 
+void destroy(const struct xt_target *target, void *targinfo)
+{
+   switch (mode) {
+   case SECMARK_MODE_SEL:
+   selinu
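Review bot: destroy() is defined without "static" and with a generic name, so it becomes a global symbol that can collide with anything else in the kernel; make it static and give it a module-specific name in keeping with checkentry()/checkentry_selinux() in this file. The "switch (mode)" also refers to a variable that is not declared in this function: the mode lives in the target info, so it has to be read from targinfo (cast to the xt_secmark_target_info that checkentry_selinux() takes) before switching on it.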

[RFC PATCH v12 12/18] SELinux: Better integration between peer labeling subsystems

2008-01-17 Thread Paul Moore
Rework the handling of network peer labels so that the different peer labeling
subsystems work better together.  This includes moving both subsystems to a
single "peer" object class which involves not only changes to the permission
checks but an improved method of consolidating multiple packet peer labels.
As part of this work the inbound packet permission check code has been heavily
modified to handle both the old and new behavior in as sane a fashion as
possible.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/hooks.c|  204 +++
 security/selinux/include/netlabel.h |3 +
 security/selinux/include/objsec.h   |2 
 security/selinux/include/security.h |4 +
 security/selinux/netlabel.c |   10 +-
 security/selinux/ss/services.c  |   85 +++
 6 files changed, 208 insertions(+), 100 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4250642..c156f6c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -50,6 +50,7 @@
 #include 
 #include /* for local_port_range[] */
 #include/* struct or_callable used in sock_rcv_skb */
+#include 
 #include 
 #include 
 #include 
@@ -3189,36 +3190,39 @@ static int selinux_parse_skb(struct sk_buff *skb, 
struct avc_audit_data *ad,
 }
 
 /**
- * selinux_skb_extlbl_sid - Determine the external label of a packet
+ * selinux_skb_peerlbl_sid - Determine the peer label of a packet
  * @skb: the packet
  * @family: protocol family
- * @sid: the packet's SID
+ * @sid: the packet's peer label SID
  *
  * Description:
- * Check the various different forms of external packet labeling and determine
- * the external SID for the packet.  If only one form of external labeling is
- * present then it is used, if both labeled IPsec and NetLabel labels are
- * present then the SELinux type information is taken from the labeled IPsec
- * SA and the MLS sensitivity label information is taken from the NetLabel
- * security attributes.  This bit of "magic" is done in the call to
- * selinux_netlbl_skbuff_getsid().
+ * Check the various different forms of network peer labeling and determine
+ * the peer label/SID for the packet; most of the magic actually occurs in
+ * the security server function security_net_peersid_cmp().  The function
+ * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
+ * or -EACCES if @sid is invalid due to inconsistencies with the different
+ * peer labels.
  *
  */
-static void selinux_skb_extlbl_sid(struct sk_buff *skb,
-  u16 family,
-  u32 *sid)
+static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
u32 xfrm_sid;
u32 nlbl_sid;
+   u32 nlbl_type;
 
selinux_skb_xfrm_sid(skb, &xfrm_sid);
-   if (selinux_netlbl_skbuff_getsid(skb,
-family,
-(xfrm_sid == SECSID_NULL ?
- SECINITSID_NETMSG : xfrm_sid),
-&nlbl_sid) != 0)
-   nlbl_sid = SECSID_NULL;
-   *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+   selinux_netlbl_skbuff_getsid(skb,
+family,
+SECINITSID_NETMSG,
+&nlbl_type,
+&nlbl_sid);
+
+   if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
+xfrm_sid,
+sid) != 0)
+   return -EACCES;
+
+   return 0;
 }
 
 /* socket security operations */
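Review bot: the return value of selinux_netlbl_skbuff_getsid() is now ignored, and nlbl_type and nlbl_sid are declared without initializers, so on any failure path that leaves its output parameters untouched both values reach security_net_peersid_resolve() uninitialized and feed a peer-label decision. Initialize both to their "no label" values before the call (the old code reset nlbl_sid to SECSID_NULL on failure) or keep checking the return code. The new kerneldoc also names security_net_peersid_cmp() as the function doing the work while the body calls security_net_peersid_resolve(); one of the two needs fixing.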
@@ -3284,6 +3288,7 @@ static int selinux_socket_post_create(struct socket 
*sock, int family,
if (sock->sk) {
sksec = sock->sk->sk_security;
sksec->sid = isec->sid;
+   sksec->sclass = isec->sclass;
err = selinux_netlbl_socket_post_create(sock);
}
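Review bot: sksec->sclass is copied from the inode here in socket_post_create(), but only when sock->sk is already attached; please confirm that the other places an sk_security_struct is populated (sk_alloc_security and the accept/clone paths, none of which are in the visible hunks) set sclass too, otherwise it stays at whatever the allocator left and any later check keyed on it uses the wrong class.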
 
@@ -3587,104 +3592,114 @@ static int selinux_socket_unix_may_send(struct socket 
*sock,
return 0;
 }
 
-static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
-  struct avc_audit_data *ad,
-  u16 family, char *addrp)
+static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
+   struct sk_buff *skb,
+   struct avc_audit_data *ad,
+   u16 family,
+   char *addrp)
 {
-   int err = 0;
-   u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
-   struct socket *sock;
-   u16 sock_class = 0;
-   u32 sock_

[RFC PATCH v12 11/18] SELinux: Add a new peer class and permissions to the Flask definitions

2008-01-17 Thread Paul Moore
Add additional Flask definitions to support the new "peer" object class and
additional permissions to the netif, node, and packet object classes.  Also,
bring the kernel Flask definitions up to date with the Fedora SELinux policies
by adding the "flow_in" and "flow_out" permissions to the "packet" class.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/include/av_perm_to_string.h |9 +
 security/selinux/include/av_permissions.h|9 +
 security/selinux/include/class_to_string.h   |7 +++
 security/selinux/include/flask.h |1 +
 4 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/security/selinux/include/av_perm_to_string.h 
b/security/selinux/include/av_perm_to_string.h
index 049bf69..399f868 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -37,6 +37,8 @@
S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
+   S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
+   S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
@@ -45,6 +47,8 @@
S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
+   S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
+   S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, 
"acceptfrom")
@@ -149,6 +153,10 @@
S_(SECCLASS_PACKET, PACKET__SEND, "send")
S_(SECCLASS_PACKET, PACKET__RECV, "recv")
S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
+   S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
+   S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
+   S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
+   S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
S_(SECCLASS_KEY, KEY__VIEW, "view")
S_(SECCLASS_KEY, KEY__READ, "read")
S_(SECCLASS_KEY, KEY__WRITE, "write")
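Review bot: the commit message only names "flow_in" and "flow_out" as the permissions brought in from the Fedora policies, but this hunk also adds "forward_in" and "forward_out" to the packet class; say in the message that those two are new to this series and which patch starts using them, so the policy side knows they are not part of the existing Fedora definitions.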
@@ -159,3 +167,4 @@
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
+   S_(SECCLASS_PEER, PEER__RECV, "recv")
diff --git a/security/selinux/include/av_permissions.h 
b/security/selinux/include/av_permissions.h
index eda89a2..84c9abc 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -292,6 +292,8 @@
 #define NODE__ENFORCE_DEST0x0040UL
 #define NODE__DCCP_RECV   0x0080UL
 #define NODE__DCCP_SEND   0x0100UL
+#define NODE__RECVFROM0x0200UL
+#define NODE__SENDTO  0x0400UL
 #define NETIF__TCP_RECV   0x0001UL
 #define NETIF__TCP_SEND   0x0002UL
 #define NETIF__UDP_RECV   0x0004UL
@@ -300,6 +302,8 @@
 #define NETIF__RAWIP_SEND 0x0020UL
 #define NETIF__DCCP_RECV  0x0040UL
 #define NETIF__DCCP_SEND  0x0080UL
+#define NETIF__INGRESS0x0100UL
+#define NETIF__EGRESS 0x0200UL
 #define NETLINK_SOCKET__IOCTL 0x0001UL
 #define NETLINK_SOCKET__READ  0x0002UL
 #define NETLINK_SOCKET__WRITE 0x0004UL
@@ -792,6 +796,10 @@
 #define PACKET__SEND  0x0001UL
 #define PACKET__RECV  0x0002UL
 #define PACKET__RELABELTO 0x0004UL
+#define PACKET__FLOW_IN   0x0008UL
+#define PACKET__FLOW_OUT  0x0010UL
+#define PACKET__FORWARD_IN0x0020UL
+#define PACKET__FORWARD_OUT   0x0040UL
 #define KEY__VIEW 0x0001UL
 #define KEY__READ 0x0002UL
 #define KEY__WRITE0x0004UL
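Review bot: the new bits are appended after the highest existing value in each class (NODE__RECVFROM/NODE__SENDTO at 0x0200/0x0400 after NODE__DCCP_SEND 0x0100, NETIF__INGRESS/NETIF__EGRESS at 0x0100/0x0200 after NETIF__DCCP_SEND 0x0080, PACKET__FLOW_IN through PACKET__FORWARD_OUT at 0x0008 through 0x0040 after PACKET__RELABELTO 0x0004), so existing permission values are unchanged. These headers are generated from the access vector definitions, and the av_perm_to_string.h entries in this patch list the new permissions in the same order; that order has to match the policy side as well, because the kernel compares permission names and values against the loaded policy.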
@@ -824,3 +832,4 @@
 #define DCCP_SOCKET__NODE_BIND0x004

[RFC PATCH v12 10/18] SELinux: Add a capabilities bitmap to SELinux policy version 22

2008-01-17 Thread Paul Moore
Add a new policy capabilities bitmap to SELinux policy version 22.  This bitmap
will enable the security server to query the policy to determine which features
it supports.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/Kconfig|2 -
 security/selinux/include/security.h |   15 ++
 security/selinux/selinuxfs.c|   89 +--
 security/selinux/ss/policydb.c  |   18 +++
 security/selinux/ss/policydb.h  |2 +
 security/selinux/ss/services.c  |   67 ++
 6 files changed, 185 insertions(+), 8 deletions(-)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index b32a459..2b517d6 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -145,7 +145,7 @@ config SECURITY_SELINUX_POLICYDB_VERSION_MAX
 config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
int "NSA SELinux maximum supported policy format version value"
depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX
-   range 15 21
+   range 15 22
default 19
help
  This option sets the value for the maximum policy format version
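Review bot: the range is raised to 22 while the default stays at 19, which is fine since the value only applies when SECURITY_SELINUX_POLICYDB_VERSION_MAX is selected; the help text, though, should say that capping the version below 22 leaves the policy capabilities bitmap this patch adds unusable, so a policy cannot express a capability such as network_peer_controls on such a kernel.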
diff --git a/security/selinux/include/security.h 
b/security/selinux/include/security.h
index a33437b..a22de97 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -25,13 +25,14 @@
 #define POLICYDB_VERSION_MLS   19
 #define POLICYDB_VERSION_AVTAB 20
 #define POLICYDB_VERSION_RANGETRANS21
+#define POLICYDB_VERSION_POLCAP22
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX   
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_RANGETRANS
+#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_POLCAP
 #endif
 
 struct netlbl_lsm_secattr;
@@ -39,8 +40,19 @@ struct netlbl_lsm_secattr;
 extern int selinux_enabled;
 extern int selinux_mls_enabled;
 
+/* Policy capabilities */
+enum {
+   POLICYDB_CAPABILITY_NETPEER,
+   __POLICYDB_CAPABILITY_MAX
+};
+#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+
+extern int selinux_policycap_netpeer;
+
 int security_load_policy(void * data, size_t len);
 
+int security_policycap_supported(unsigned int req_cap);
+
 #define SEL_VEC_MAX 32
 struct av_decision {
u32 allowed;
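Review bot: POLICYDB_CAPABILITY_MAX is defined as __POLICYDB_CAPABILITY_MAX - 1, i.e. the highest valid index rather than the number of capabilities; a loop written as "for (i = 0; i < POLICYDB_CAPABILITY_MAX; i++)" would skip the last capability. Either name it for what it is (a _LAST) or document it next to the enum. security_policycap_supported(unsigned int req_cap) should also reject req_cap > POLICYDB_CAPABILITY_MAX before touching the bitmap; its body is not in the visible hunks, so please confirm.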
@@ -91,6 +103,7 @@ int security_get_classes(char ***classes, int *nclasses);
 int security_get_permissions(char *class, char ***perms, int *nperms);
 int security_get_reject_unknown(void);
 int security_get_allow_unknown(void);
+int security_get_policycaps(int *len, int **values);
 
 #define SECURITY_FS_USE_XATTR  1 /* use xattr */
 #define SECURITY_FS_USE_TRANS  2 /* use transition SIDs, e.g. 
devpts/tmpfs */
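Review bot: security_get_policycaps(int *len, int **values) hands back an array through a double pointer, but neither the prototype nor a comment says who allocates and frees it or what each element holds (one int per capability index, 0/1?). The neighbouring security_get_classes()/security_get_permissions() have the same shape; a one-line comment stating the ownership and the element meaning is enough.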
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 2fa483f..b87e9eb 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -2,6 +2,11 @@
  *
  * Added conditional policy language extensions
  *
+ *  Updated: Hewlett-Packard <[EMAIL PROTECTED]>
+ *
+ *  Added support for the policy capability bitmap
+ *
+ * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
  * Copyright (C) 2004 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
  * This program is free software; you can redistribute it and/or modify
@@ -35,6 +40,11 @@
 #include "objsec.h"
 #include "conditional.h"
 
+/* Policy capability filenames */
+static char *policycap_names[] = {
+   "network_peer_controls"
+};
+
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
 
 #ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
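Review bot: policycap_names[] must stay in step with the enum in security.h (both currently have one entry, POLICYDB_CAPABILITY_NETPEER and "network_peer_controls"), but nothing enforces that; adding a capability to one and not the other would index past the array when the selinuxfs entries are created. A BUILD_BUG_ON(ARRAY_SIZE(policycap_names) != __POLICYDB_CAPABILITY_MAX) next to the array, or ARRAY_SIZE() wherever it is walked, would catch that. The array can also be "static const char *const" since the strings are never modified.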
@@ -72,6 +82,9 @@ static int *bool_pending_values = NULL;
 static struct dentry *class_dir = NULL;
 static unsigned long last_class_ino;
 
+/* global data for policy capabilities */
+static struct dentry *policycap_dir = NULL;
+
 extern void selnl_notify_setenforce(int val);
 
 /* Check whether a task is allowed to use a security operation. */
@@ -111,10 +124,11 @@ enum sel_inos {
 
 static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
 
-#define SEL_INITCON_INO_OFFSET 0x0100
-#define SEL_BOOL_INO_OFFSET0x0200
-#define SEL_CLASS_INO_OFFSET   0x0400
-#define SEL_INO_MASK   0x00ff
+#define SEL_INITCON_INO_OFFSET 0x0100
+#define SEL_BOOL_INO_OFFSET0x0200
+#define SEL_CLASS_INO_OFFSET   0x0400
+#define SEL_POLICYCAP_INO_OFFSET   0x0800
+#define SEL_INO_MASK   0x00ff
 
 #define TMPBUFLEN  12
 static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
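Review bot: the three existing SEL_*_INO_OFFSET defines and SEL_INO_MASK change only in whitespace here (their values are the same on both sides), which makes the hunk larger than the one added line warrants and hides the real change; keep the old alignment or realign in a separate cleanup. SEL_POLICYCAP_INO_OFFSET at 0x0800 does take the next free bit above SEL_CLASS_INO_OFFSET 0x0400 and does not overlap SEL_INO_MASK 0x00ff, so the inode numbering itself is consistent.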
@@ -263,6 +277,7 @@ static const struct file_operations sel_policyvers_ops = {
 /* declaration for sel_w

[RFC PATCH v12 09/18] SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions

2008-01-17 Thread Paul Moore
This patch adds a SELinux IP address/node SID caching mechanism similar to the
sel_netif_*() functions.  The node SID queries in the SELinux hooks files are
also modified to take advantage of this new functionality.  In addition, remove
the address length information from the sk_buff parsing routines as it is
redundant since we already have the address family.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/Makefile  |9 +
 security/selinux/hooks.c   |   33 ++-
 security/selinux/include/netnode.h |   32 +++
 security/selinux/include/objsec.h  |9 +
 security/selinux/netnode.c |  350 
 5 files changed, 416 insertions(+), 17 deletions(-)

diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index dc3502e..00afd85 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -4,7 +4,14 @@
 
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
 
-selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o exports.o
+selinux-y := avc.o \
+hooks.o \
+selinuxfs.o \
+netlink.o \
+nlmsgtab.o \
+netif.o \
+netnode.o \
+exports.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b451b4c..4250642 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -76,6 +76,7 @@
 #include "avc.h"
 #include "objsec.h"
 #include "netif.h"
+#include "netnode.h"
 #include "xfrm.h"
 #include "netlabel.h"
 
@@ -3158,7 +3159,7 @@ out:
 #endif /* IPV6 */
 
 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
-char **addrp, int *len, int src, u8 *proto)
+char **addrp, int src, u8 *proto)
 {
int ret = 0;
 
@@ -3167,7 +3168,6 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
ret = selinux_parse_skb_ipv4(skb, ad, proto);
if (ret || !addrp)
break;
-   *len = 4;
*addrp = (char *)(src ? &ad->u.net.v4info.saddr :
&ad->u.net.v4info.daddr);
break;
@@ -3177,7 +3177,6 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
ret = selinux_parse_skb_ipv6(skb, ad, proto);
if (ret || !addrp)
break;
-   *len = 16;
*addrp = (char *)(src ? &ad->u.net.v6info.saddr :
&ad->u.net.v6info.daddr);
break;
@@ -3377,7 +3376,7 @@ static int selinux_socket_bind(struct socket *sock, 
struct sockaddr *address, in
break;
}

-   err = security_node_sid(family, addrp, addrlen, &sid);
+   err = sel_netnode_sid(addrp, family, &sid);
if (err)
goto out;
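Review bot: sel_netnode_sid(addrp, family, &sid) takes its arguments in the opposite order to the security_node_sid(family, addrp, addrlen, ...) it replaces, which is easy to get wrong at the other call sites; worth a glance at each. More importantly, this introduces a cache of address-to-SID results: it must be flushed whenever policy is (re)loaded, or SIDs computed under the previous policy keep being used for node checks. netnode.c is not in the visible hunks, so please confirm it hooks policy reload to flush the table.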

@@ -3589,7 +3588,8 @@ static int selinux_socket_unix_may_send(struct socket 
*sock,
 }
 
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
-   struct avc_audit_data *ad, u16 family, char *addrp, int len)
+  struct avc_audit_data *ad,
+  u16 family, char *addrp)
 {
int err = 0;
u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
@@ -3649,7 +3649,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, 
struct sk_buff *skb,
if (err)
goto out;

-   err = security_node_sid(family, addrp, len, &node_sid);
+   err = sel_netnode_sid(addrp, family, &node_sid);
if (err)
goto out;

@@ -3678,7 +3678,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, 
struct sk_buff *skb)
 {
u16 family;
char *addrp;
-   int len, err = 0;
+   int err = 0;
struct avc_audit_data ad;
struct sk_security_struct *sksec = sk->sk_security;
 
@@ -3694,13 +3694,12 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, 
struct sk_buff *skb)
ad.u.net.netif = skb->iif;
ad.u.net.family = family;
 
-   err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
+   err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
if (err)
goto out;
 
if (selinux_compat_net)
-   err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
- addrp, len);
+   err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family, addrp);
else
err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
  

[RFC PATCH v12 08/18] SELinux: Only store the network interface's ifindex

2008-01-17 Thread Paul Moore
Instead of storing the packet's network interface name, store the ifindex.  This
allows us to defer the need to look up the net_device structure until the audit
record is generated, meaning that in the majority of cases we never need to
bother with this at all.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/avc.c |   15 ---
 security/selinux/hooks.c   |4 ++--
 security/selinux/include/avc.h |2 +-
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 81b3dff..e8529e2 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -661,9 +661,18 @@ void avc_audit(u32 ssid, u32 tsid,
"daddr", "dest");
break;
}
-   if (a->u.net.netif)
-   audit_log_format(ab, " netif=%s",
-   a->u.net.netif);
+   if (a->u.net.netif > 0) {
+   struct net_device *dev;
+
+   /* NOTE: we always use init's namespace */
+   dev = dev_get_by_index(&init_net,
+  a->u.net.netif);
+   if (dev) {
+   audit_log_format(ab, " netif=%s",
+dev->name);
+   dev_put(dev);
+   }
+   }
break;
}
}
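Review bot: the comment admits the lookup always uses init_net, but an ifindex is only meaningful inside the namespace the packet was seen in; for a packet from another namespace this either prints the wrong device name or, if the index does not exist in init_net, drops the netif= field from the audit record without any indication. At minimum log the raw index ("netif=%d") when dev_get_by_index() returns NULL so the record still carries the information.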
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8336c93..b451b4c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3691,7 +3691,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, 
struct sk_buff *skb)
family = PF_INET;
 
AVC_AUDIT_DATA_INIT(&ad, NET);
-   ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
+   ad.u.net.netif = skb->iif;
ad.u.net.family = family;
 
err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
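Review bot: this path used to log netif="[unknown]" when skb->dev was NULL; combined with the avc.c change, an skb->iif of 0 now produces no netif= field at all. If audit consumers rely on the field being present, keep an explicit "[unknown]" (or the raw index) for the zero case.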
@@ -4022,7 +4022,7 @@ static unsigned int selinux_ip_postroute_last(unsigned 
int hooknum,
sksec = sk->sk_security;
 
AVC_AUDIT_DATA_INIT(&ad, NET);
-   ad.u.net.netif = dev->name;
+   ad.u.net.netif = dev->ifindex;
ad.u.net.family = family;
 
err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 553607a..80c28fa 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -51,7 +51,7 @@ struct avc_audit_data {
struct inode *inode;
} fs;
struct {
-   char *netif;
+   int netif;
struct sock *sk;
u16 family;
__be16 dport;

-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[RFC PATCH v12 07/18] SELinux: Convert the netif code to use ifindex values

2008-01-17 Thread Paul Moore
The current SELinux netif code requires the caller have a valid net_device
struct pointer to look up network interface information.  However, we don't
always have a valid net_device pointer, so convert the netif code to use
the ifindex values we always have as part of the sk_buff.  This patch also
removes the default message SID from the network interface record; it is
not being used and therefore is "dead code".

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/hooks.c|4 -
 security/selinux/include/netif.h|4 -
 security/selinux/include/objsec.h   |5 -
 security/selinux/include/security.h |3 
 security/selinux/netif.c|  254 ---
 security/selinux/ss/services.c  |   10 -
 6 files changed, 155 insertions(+), 125 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7b99d52..8336c93 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3616,7 +3616,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, 
struct sk_buff *skb,
if (!skb->dev)
goto out;
 
-   err = sel_netif_sids(skb->dev, &if_sid, NULL);
+   err = sel_netif_sid(skb->iif, &if_sid);
if (err)
goto out;
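Review bot: the "if (!skb->dev) goto out;" test just above is left in place, but the lookup it used to guard now keys on skb->iif rather than skb->dev, so the check no longer protects the call and instead skips the interface check for any packet that has an iif but no dev. Test skb->iif directly (bail out when it is 0) or drop the test and let sel_netif_sid() report an unknown index.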
 
@@ -3941,7 +3941,7 @@ static int selinux_ip_postroute_last_compat(struct sock 
*sk, struct net_device *
 
isec = inode->i_security;

-   err = sel_netif_sids(dev, &if_sid, NULL);
+   err = sel_netif_sid(dev->ifindex, &if_sid);
if (err)
goto out;
 
diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h
index 8bd6f99..ce23edd 100644
--- a/security/selinux/include/netif.h
+++ b/security/selinux/include/netif.h
@@ -7,6 +7,8 @@
  * Author: James Morris <[EMAIL PROTECTED]>
  *
  * Copyright (C) 2003 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
+ * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
+ *Paul Moore, <[EMAIL PROTECTED]>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2,
@@ -15,7 +17,7 @@
 #ifndef _SELINUX_NETIF_H_
 #define _SELINUX_NETIF_H_
 
-int sel_netif_sids(struct net_device *dev, u32 *if_sid, u32 *msg_sid);
+int sel_netif_sid(int ifindex, u32 *sid);
 
 #endif /* _SELINUX_NETIF_H_ */
 
diff --git a/security/selinux/include/objsec.h 
b/security/selinux/include/objsec.h
index 642a9fd..e41a2aa 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -95,9 +95,8 @@ struct bprm_security_struct {
 };
 
 struct netif_security_struct {
-   struct net_device *dev; /* back pointer */
-   u32 if_sid; /* SID for this interface */
-   u32 msg_sid;/* default SID for messages received on 
this interface */
+   int ifindex;/* device index */
+   u32 sid;/* SID for this interface */
 };
 
 struct sk_security_struct {
diff --git a/security/selinux/include/security.h 
b/security/selinux/include/security.h
index 39337af..a33437b 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -77,8 +77,7 @@ int security_get_user_sids(u32 callsid, char *username,
 int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port,
u32 *out_sid);
 
-int security_netif_sid(char *name, u32 *if_sid,
-   u32 *msg_sid);
+int security_netif_sid(char *name, u32 *if_sid);
 
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
u32 *out_sid);
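Review bot: with msg_sid gone, security_netif_sid() only reads the interface name, so "char *name" can be "const char *name"; that documents that the function does not modify the string and matches how the netif.c callers pass dev->name.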
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index e87ab94..ee49a73 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -7,6 +7,8 @@
  * Author: James Morris <[EMAIL PROTECTED]>
  *
  * Copyright (C) 2003 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
+ * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
+ *Paul Moore <[EMAIL PROTECTED]>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2,
@@ -29,14 +31,6 @@
 #define SEL_NETIF_HASH_SIZE64
 #define SEL_NETIF_HASH_MAX 1024
 
-#undef DEBUG
-
-#ifdef DEBUG
-#define DEBUGP printk
-#else
-#define DEBUGP(format, args...)
-#endif
-
 struct sel_netif
 {
struct list_head list;
@@ -49,174 +43,217 @@ static LIST_HEAD(sel_netif_list);
 static DEFINE_SPINLOCK(sel_netif_lock);
 static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
 
-static inline u32 sel_netif_hasfn(struct net_device *dev)
+/**
+ * sel_netif_hashfn - Hashing function for the interface table
+ * @ifindex: the network interface
+ *
+ * Description:
+ * This is the hashing function for the network interface table, it returns the
+ * bucket number for the give
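The ifindex-keyed interface cache this patch describes (and the node cache of 09/18, which copies its shape), as an added example that is not part of the original post or of the kernel's netif.c: a userspace model in C with the same hash-bucket layout and the SEL_NETIF_HASH_SIZE/SEL_NETIF_HASH_MAX values from the hunk, plus the flush a SID cache needs on policy reload. The policy table, the ifindex-to-name mapping standing in for dev_get_by_index(), the SECINITSID_NETIF value and every function body are assumptions made for illustration; the kernel's own code, with its locking and list_head use, is the truncated netif.c hunk in the patch.

```c
/* Added illustration (not the kernel's netif.c) of the cache the patch
 * describes: hash buckets, a SEL_NETIF_HASH_MAX cap and a flush for policy
 * reload.  Userspace model: no locking, plain singly linked chains instead of
 * list_head, constructed tables in place of the policy and dev_get_by_index(). */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef uint32_t u32;

#define SEL_NETIF_HASH_SIZE 64    /* bucket count, value from the patch */
#define SEL_NETIF_HASH_MAX  1024  /* cap on cached entries, from the patch */
#define SECINITSID_NETIF    1     /* assumed default SID for unlisted devices */

struct sel_netif {
	struct sel_netif *next;   /* next entry in the same bucket */
	int ifindex;              /* device index, the lookup key */
	u32 sid;                  /* SID for this interface */
};

static struct sel_netif *sel_netif_hash[SEL_NETIF_HASH_SIZE];
static int sel_netif_total;   /* entries currently cached */
/* Constructed stand-in for the policy's netifcon table (a test may change an
 * entry to simulate a policy reload). */
struct netifcon { const char *name; u32 sid; };
static struct netifcon policy_netifcon[] = {
	{ "eth0", 100 }, { "eth1", 101 }, { "lo", 102 },
};

/* Constructed stand-in for dev_get_by_index(): ifindex -> device name. */
static const char *dev_name_by_index(int ifindex)
{
	static const char *const names[] = { NULL, "lo", "eth0", "eth1" };
	return (ifindex > 0 && ifindex < 4) ? names[ifindex] : NULL;
}

/* Stand-in for security_netif_sid(): resolve a name against the policy. */
static u32 policy_netif_sid(const char *name)
{
	size_t i;
	for (i = 0; i < sizeof(policy_netifcon) / sizeof(policy_netifcon[0]); i++)
		if (strcmp(policy_netifcon[i].name, name) == 0)
			return policy_netifcon[i].sid;
	return SECINITSID_NETIF;
}

/* Hashing function for the interface table: bucket number for an ifindex. */
static u32 sel_netif_hashfn(int ifindex)
{
	return (u32)ifindex & (SEL_NETIF_HASH_SIZE - 1);
}

/* Empty the cache.  Must run on every policy (re)load, otherwise SIDs
 * computed under the previous policy keep being used for access checks. */
void sel_netif_flush(void)
{
	int i;
	for (i = 0; i < SEL_NETIF_HASH_SIZE; i++) {
		struct sel_netif *netif = sel_netif_hash[i], *next;
		for (; netif; netif = next) {
			next = netif->next;
			free(netif);
		}
		sel_netif_hash[i] = NULL;
	}
	sel_netif_total = 0;
}

/* sel_netif_sid - SID of the interface with index @ifindex, cached.
 * Returns 0 and sets *sid, or -EINVAL when no device has that index.  At
 * SEL_NETIF_HASH_MAX entries results are still returned but no longer
 * stored, so a flood of never-seen indexes cannot grow the table. */
int sel_netif_sid(int ifindex, u32 *sid)
{
	u32 bucket = sel_netif_hashfn(ifindex);
	struct sel_netif *netif;
	const char *name;
	for (netif = sel_netif_hash[bucket]; netif; netif = netif->next)
		if (netif->ifindex == ifindex) {
			*sid = netif->sid;
			return 0;
		}
	name = dev_name_by_index(ifindex);
	if (!name)
		return -EINVAL;
	*sid = policy_netif_sid(name);
	if (sel_netif_total >= SEL_NETIF_HASH_MAX)
		return 0;
	netif = malloc(sizeof(*netif));
	if (!netif)
		return 0;               /* uncached, but still the right answer */
	netif->ifindex = ifindex;
	netif->sid = *sid;
	netif->next = sel_netif_hash[bucket];
	sel_netif_hash[bucket] = netif;
	sel_netif_total++;
	return 0;
}
int sel_netif_cached_count(void) { return sel_netif_total; }
```

Changing an entry in policy_netifcon and looking the same interface up again returns the old SID until sel_netif_flush() runs; that stale answer is the failure a policy-reload flush exists to prevent, and the SEL_NETIF_HASH_MAX cap is what keeps a stream of unknown indexes from growing the table without bound.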

[RFC PATCH v12 06/18] NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function

2008-01-17 Thread Paul Moore
In order to do any sort of IP header inspection of incoming packets we need to
know which address family, AF_INET/AF_INET6/etc., it belongs to, and since the
sk_buff structure does not store this information we need to pass along the
address family separately from the packet itself.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/net/netlabel.h  |2 ++
 net/netlabel/netlabel_kapi.c|2 ++
 security/selinux/hooks.c|   33 ++---
 security/selinux/include/netlabel.h |8 +++-
 security/selinux/netlabel.c |   12 +---
 5 files changed, 42 insertions(+), 15 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 18b73cf..a3bffb4 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -363,6 +363,7 @@ int netlbl_sock_setattr(struct sock *sk,
 int netlbl_sock_getattr(struct sock *sk,
struct netlbl_lsm_secattr *secattr);
 int netlbl_skbuff_getattr(const struct sk_buff *skb,
+ u16 family,
  struct netlbl_lsm_secattr *secattr);
 void netlbl_skbuff_err(struct sk_buff *skb, int error);
 
@@ -415,6 +416,7 @@ static inline int netlbl_sock_getattr(struct sock *sk,
return -ENOSYS;
 }
 static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
+   u16 family,
struct netlbl_lsm_secattr *secattr)
 {
return -ENOSYS;
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index d3762ea..4914615 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -332,6 +332,7 @@ int netlbl_sock_getattr(struct sock *sk, struct 
netlbl_lsm_secattr *secattr)
 /**
  * netlbl_skbuff_getattr - Determine the security attributes of a packet
  * @skb: the packet
+ * @family: protocol family
  * @secattr: the security attributes
  *
  * Description:
@@ -342,6 +343,7 @@ int netlbl_sock_getattr(struct sock *sk, struct 
netlbl_lsm_secattr *secattr)
  *
  */
 int netlbl_skbuff_getattr(const struct sk_buff *skb,
+ u16 family,
  struct netlbl_lsm_secattr *secattr)
 {
if (CIPSO_V4_OPTEXIST(skb) &&
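Review bot: the new family parameter is added to netlbl_skbuff_getattr(), but the visible body still decides on CIPSO_V4_OPTEXIST(skb) alone, so family is unused here. If the point of the parameter is the IP header inspection the commit message describes, this is the place to gate the CIPSO check on family == AF_INET; otherwise say in the commit message that the argument is only plumbed through for a later patch.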
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8bb673b..7b99d52 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3192,6 +3192,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
 /**
  * selinux_skb_extlbl_sid - Determine the external label of a packet
  * @skb: the packet
+ * @family: protocol family
  * @sid: the packet's SID
  *
  * Description:
@@ -3204,13 +3205,16 @@ static int selinux_parse_skb(struct sk_buff *skb, 
struct avc_audit_data *ad,
  * selinux_netlbl_skbuff_getsid().
  *
  */
-static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+  u16 family,
+  u32 *sid)
 {
u32 xfrm_sid;
u32 nlbl_sid;
 
selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (selinux_netlbl_skbuff_getsid(skb,
+family,
 (xfrm_sid == SECSID_NULL ?
  SECINITSID_NETMSG : xfrm_sid),
 &nlbl_sid) != 0)
@@ -3703,7 +3707,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, 
struct sk_buff *skb)
if (err)
goto out;
 
-   err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
+   err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
if (err)
goto out;
 
@@ -3759,18 +3763,25 @@ out:
 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff 
*skb, u32 *secid)
 {
u32 peer_secid = SECSID_NULL;
-   int err = 0;
+   u16 family;
 
-   if (sock && sock->sk->sk_family == PF_UNIX)
+   if (sock)
+   family = sock->sk->sk_family;
+   else if (skb && skb->sk)
+   family = skb->sk->sk_family;
+   else
+   goto out;
+
+   if (sock && family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb)
-   selinux_skb_extlbl_sid(skb, &peer_secid);
+   selinux_skb_extlbl_sid(skb, family, &peer_secid);
 
-   if (peer_secid == SECSID_NULL)
-   err = -EINVAL;
+out:
*secid = peer_secid;
-
-   return err;
+   if (peer_secid == SECSID_NULL)
+   return -EINVAL;
+   return 0;
 }
 
 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t 
priority)
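Review bot: with sock == NULL the family is taken from skb->sk, but the PF_UNIX branch is only entered when sock is non-NULL, so an skb whose skb->sk is an AF_UNIX socket falls through to selinux_skb_extlbl_sid() with family == PF_UNIX, an IP-labelling routine that has no sensible answer for that family. Either make the PF_UNIX test independent of sock or return -EINVAL for non-IP families before calling selinux_skb_extlbl_sid(). The restructured error handling itself is fine: every path still sets *secid and returns -EINVAL when the peer SID is SECSID_NULL.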
@@ -3825,7 +3836,7 @@ static int selinux_inet_conn_request(struct sock *sk, 
struct sk_buff *

[RFC PATCH v12 05/18] LSM: Add secctx_to_secid() LSM hook

2008-01-17 Thread Paul Moore
Add a secctx_to_secid() LSM hook to go along with the existing
secid_to_secctx() LSM hook.  This patch also includes the SELinux
implementation for this hook.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
Acked-by: Stephen Smalley <[EMAIL PROTECTED]>
---

 include/linux/security.h |   13 +
 security/dummy.c |6 ++
 security/security.c  |6 ++
 security/selinux/hooks.c |6 ++
 4 files changed, 31 insertions(+), 0 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index ac05083..db19c92 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1183,6 +1183,10 @@ struct request_sock;
  * Convert secid to security context.
  * @secid contains the security ID.
  * @secdata contains the pointer that stores the converted security 
context.
+ * @secctx_to_secid:
+ *  Convert security context to secid.
+ *  @secid contains the pointer to the generated security ID.
+ *  @secdata contains the security context.
  *
  * @release_secctx:
  * Release the security context.
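Review bot: the new @secctx_to_secid entry uses two spaces after the asterisk where the surrounding @secid_to_secctx and @release_secctx entries use one, and it is inserted directly under @secid_to_secctx without the blank " *" separator the other entries have between them; match the existing layout so the kerneldoc renders consistently.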
@@ -1371,6 +1375,7 @@ struct security_operations {
int (*getprocattr)(struct task_struct *p, char *name, char **value);
int (*setprocattr)(struct task_struct *p, char *name, void *value, 
size_t size);
int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
+   int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
void (*release_secctx)(char *secdata, u32 seclen);
 
 #ifdef CONFIG_SECURITY_NETWORK
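Review bot: secdata is an input to secctx_to_secid (the context string being converted), so the hook and the security_secctx_to_secid() wrapper should take "const char *secdata" rather than "char *"; as written, a caller holding a const context has to cast, and the signature wrongly suggests the hook may modify the string.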
@@ -1603,6 +1608,7 @@ int security_setprocattr(struct task_struct *p, char 
*name, void *value, size_t
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
 int security_netlink_recv(struct sk_buff *skb, int cap);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
 
 #else /* CONFIG_SECURITY */
@@ -2280,6 +2286,13 @@ static inline int security_secid_to_secctx(u32 secid, 
char **secdata, u32 *secle
return -EOPNOTSUPP;
 }
 
+static inline int security_secctx_to_secid(char *secdata,
+  u32 seclen,
+  u32 *secid)
+{
+   return -EOPNOTSUPP;
+}
+
 static inline void security_release_secctx(char *secdata, u32 seclen)
 {
 }
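Review bot: the !CONFIG_SECURITY stub returns -EOPNOTSUPP without touching *secid, and the dummy_secctx_to_secid() in dummy.c behaves the same way; a caller that ignores the return value would then use whatever was already in secid. Setting *secid = 0 in both stubs before returning costs nothing and removes that trap.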
diff --git a/security/dummy.c b/security/dummy.c
index 3ccfbbe..0b62f95 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -928,6 +928,11 @@ static int dummy_secid_to_secctx(u32 secid, char 
**secdata, u32 *seclen)
return -EOPNOTSUPP;
 }
 
+static int dummy_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
+{
+   return -EOPNOTSUPP;
+}
+
 static void dummy_release_secctx(char *secdata, u32 seclen)
 {
 }
@@ -1086,6 +1091,7 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null(ops, getprocattr);
set_to_dummy_if_null(ops, setprocattr);
set_to_dummy_if_null(ops, secid_to_secctx);
+   set_to_dummy_if_null(ops, secctx_to_secid);
set_to_dummy_if_null(ops, release_secctx);
 #ifdef CONFIG_SECURITY_NETWORK
set_to_dummy_if_null(ops, unix_stream_connect);
diff --git a/security/security.c b/security/security.c
index 0e1f1f1..3bdcada 100644
--- a/security/security.c
+++ b/security/security.c
@@ -816,6 +816,12 @@ int security_secid_to_secctx(u32 secid, char **secdata, 
u32 *seclen)
 }
 EXPORT_SYMBOL(security_secid_to_secctx);
 
+int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
+{
+   return security_ops->secctx_to_secid(secdata, seclen, secid);
+}
+EXPORT_SYMBOL(security_secctx_to_secid);
+
 void security_release_secctx(char *secdata, u32 seclen)
 {
return security_ops->release_secctx(secdata, seclen);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9f3124b..8bb673b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4710,6 +4710,11 @@ static int selinux_secid_to_secctx(u32 secid, char 
**secdata, u32 *seclen)
return security_sid_to_context(secid, secdata, seclen);
 }
 
+static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
+{
+   return security_context_to_sid(secdata, seclen, secid);
+}
+
 static void selinux_release_secctx(char *secdata, u32 seclen)
 {
kfree(secdata);
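
Review bot: worth checking whether security_context_to_sid() interns a new SID for any policy-valid context it has not seen before; if it does, callers that hand this hook untrusted input (a label carried on the wire, for instance) let the sender grow the SID table. The hook itself cannot prevent that, so the eventual in-tree users should be reviewed for where their @secdata comes from.
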
@@ -4898,6 +4903,7 @@ static struct security_operations selinux_ops = {
.setprocattr =  selinux_setprocattr,
 
.secid_to_secctx =  selinux_secid_to_secctx,
+   .secctx_to_secid =  selinux_secctx_to_secid,
.release_secctx =   selinux_release_secctx,
 
 .unix_stream_connect = selinux_socket_unix_stream_connect,

-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]

[RFC PATCH v12 04/18] NetLabel: Add secid token support to the NetLabel secattr struct

2008-01-17 Thread Paul Moore
This patch adds support to the NetLabel LSM secattr struct for a secid token
and a type field, paving the way for full LSM/SELinux context support and
"static" or "fallback" labels.  In addition, this patch adds a fair amount
of documentation to the core NetLabel structures used as part of the
NetLabel kernel API.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/net/netlabel.h|   91 ++---
 net/ipv4/cipso_ipv4.c |   59 +++-
 net/netlabel/netlabel_unlabeled.c |1 
 security/selinux/ss/mls.c |   10 ++--
 security/selinux/ss/services.c|5 ++
 5 files changed, 120 insertions(+), 46 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 2e5b2f6..18b73cf 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -105,17 +105,49 @@ struct netlbl_dom_map;
 /* Domain mapping operations */
 int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
 
-/* LSM security attributes */
+/*
+ * LSM security attributes
+ */
+
+/**
+ * struct netlbl_lsm_cache - NetLabel LSM security attribute cache
+ * @refcount: atomic reference counter
+ * @free: LSM supplied function to free the cache data
+ * @data: LSM supplied cache data
+ *
+ * Description:
+ * This structure is provided for LSMs which wish to make use of the NetLabel
+ * caching mechanism to store LSM specific data/attributes in the NetLabel
+ * cache.  If the LSM has to perform a lot of translation from the NetLabel
+ * security attributes into it's own internal representation then the cache
+ * mechanism can provide a way to eliminate some or all of that translation
+ * overhead on a cache hit.
+ *
+ */
 struct netlbl_lsm_cache {
atomic_t refcount;
void (*free) (const void *data);
void *data;
 };
-/* The catmap bitmap field MUST be a power of two in length and large
+
+/**
+ * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
+ * @startbit: the value of the lowest order bit in the bitmap
+ * @bitmap: the category bitmap
+ * @next: pointer to the next bitmap "node" or NULL
+ *
+ * Description:
+ * This structure is used to represent category bitmaps.  Due to the large
+ * number of categories supported by most labeling protocols it is not
+ * practical to transfer a full bitmap internally so NetLabel adopts a sparse
+ * bitmap structure modeled after SELinux's ebitmap structure.
+ * The catmap bitmap field MUST be a power of two in length and large
  * enough to hold at least 240 bits.  Special care (i.e. check the code!)
  * should be used when changing these values as the LSM implementation
  * probably has functions which rely on the sizes of these types to speed
- * processing. */
+ * processing.
+ *
+ */
 #define NETLBL_CATMAP_MAPTYPE   u64
 #define NETLBL_CATMAP_MAPCNT4
 #define NETLBL_CATMAP_MAPSIZE   (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
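
Review bot: typo in the new kernel-doc for struct netlbl_lsm_cache: `into it's own internal representation` should read `its own`. While touching that block, the catmap note would be easier to verify if it said explicitly that NETLBL_CATMAP_MAPTYPE (u64) times NETLBL_CATMAP_MAPCNT (4) gives 256 bits per node, which is where the "at least 240 bits" requirement is met; today the reader has to work that out from the defines.
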
@@ -127,22 +159,48 @@ struct netlbl_lsm_secattr_catmap {
NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
struct netlbl_lsm_secattr_catmap *next;
 };
+
+/**
+ * struct netlbl_lsm_secattr - NetLabel LSM security attributes
+ * @flags: indicate which attributes are contained in this structure
+ * @type: indicate the NLTYPE of the attributes
+ * @domain: the NetLabel LSM domain
+ * @cache: NetLabel LSM specific cache
+ * @attr.mls: MLS sensitivity label
+ * @attr.mls.cat: MLS category bitmap
+ * @attr.mls.lvl: MLS sensitivity level
+ * @attr.secid: LSM specific secid token
+ *
+ * Description:
+ * This structure is used to pass security attributes between NetLabel and the
+ * LSM modules.  The flags field is used to specify which fields within the
+ * struct are valid and valid values can be created by bitwise OR'ing the
+ * NETLBL_SECATTR_* defines.  The domain field is typically set by the LSM to
+ * specify domain specific configuration settings and is not usually used by
+ * NetLabel itself when returning security attributes to the LSM.
+ *
+ */
 #define NETLBL_SECATTR_NONE 0x
 #define NETLBL_SECATTR_DOMAIN   0x0001
 #define NETLBL_SECATTR_CACHE0x0002
 #define NETLBL_SECATTR_MLS_LVL  0x0004
 #define NETLBL_SECATTR_MLS_CAT  0x0008
+#define NETLBL_SECATTR_SECID0x0010
 #define NETLBL_SECATTR_CACHEABLE(NETLBL_SECATTR_MLS_LVL | \
-NETLBL_SECATTR_MLS_CAT)
+NETLBL_SECATTR_MLS_CAT | \
+NETLBL_SECATTR_SECID)
 struct netlbl_lsm_secattr {
u32 flags;
-
+   u32 type;
char *domain;
-
-   u32 mls_lvl;
-   struct netlbl_lsm_secattr_catmap *mls_cat;
-
struct netlbl_lsm_cache *cache;
+   union {
+   struct {
+   struct netlbl_lsm_secattr_catmap *cat;
+  
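
Review bot: with attr.mls and attr.secid now sharing a union, a caller that sets both NETLBL_SECATTR_MLS_LVL/NETLBL_SECATTR_MLS_CAT and NETLBL_SECATTR_SECID in @flags makes one consumer interpret the other's bytes, and nothing in this hunk prevents that. The struct kernel-doc should state that the MLS_* flags and SECID are mutually exclusive (or that @type selects which union member is valid), and a small inline helper that validates @flags before the union is read would catch misuse at the boundary rather than in the LSM.
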

[RFC PATCH v12 03/18] NetLabel: Consolidate the LSM domain mapping/hashing locks

2008-01-17 Thread Paul Moore
Currently we use two separate spinlocks to protect both the hash/mapping table
and the default entry.  This could be considered a bit foolish because it adds
complexity without offering any real performance advantage.  This patch
removes the dedicated default spinlock and protects the default entry with the
hash/mapping table spinlock.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 net/netlabel/netlabel_domainhash.c |   30 +-
 1 files changed, 9 insertions(+), 21 deletions(-)

diff --git a/net/netlabel/netlabel_domainhash.c 
b/net/netlabel/netlabel_domainhash.c
index 1f8f7ac..9a8ea01 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -54,9 +54,6 @@ struct netlbl_domhsh_tbl {
  * hash table should be okay */
 static DEFINE_SPINLOCK(netlbl_domhsh_lock);
 static struct netlbl_domhsh_tbl *netlbl_domhsh = NULL;
-
-/* Default domain mapping */
-static DEFINE_SPINLOCK(netlbl_domhsh_def_lock);
 static struct netlbl_dom_map *netlbl_domhsh_def = NULL;
 
 /*
@@ -239,24 +236,22 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
INIT_RCU_HEAD(&entry->rcu);
 
rcu_read_lock();
+   spin_lock(&netlbl_domhsh_lock);
if (entry->domain != NULL) {
bkt = netlbl_domhsh_hash(entry->domain);
-   spin_lock(&netlbl_domhsh_lock);
if (netlbl_domhsh_search(entry->domain) == NULL)
list_add_tail_rcu(&entry->list,
&rcu_dereference(netlbl_domhsh)->tbl[bkt]);
else
ret_val = -EEXIST;
-   spin_unlock(&netlbl_domhsh_lock);
} else {
INIT_LIST_HEAD(&entry->list);
-   spin_lock(&netlbl_domhsh_def_lock);
if (rcu_dereference(netlbl_domhsh_def) == NULL)
rcu_assign_pointer(netlbl_domhsh_def, entry);
else
ret_val = -EEXIST;
-   spin_unlock(&netlbl_domhsh_def_lock);
}
+   spin_unlock(&netlbl_domhsh_lock);
audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info);
if (audit_buf != NULL) {
audit_log_format(audit_buf,
@@ -337,23 +332,16 @@ int netlbl_domhsh_remove(const char *domain, struct 
netlbl_audit *audit_info)
   entry->domain);
break;
}
-   if (entry != rcu_dereference(netlbl_domhsh_def)) {
-   spin_lock(&netlbl_domhsh_lock);
-   if (entry->valid) {
-   entry->valid = 0;
+   spin_lock(&netlbl_domhsh_lock);
+   if (entry->valid) {
+   entry->valid = 0;
+   if (entry != rcu_dereference(netlbl_domhsh_def))
list_del_rcu(&entry->list);
-   ret_val = 0;
-   }
-   spin_unlock(&netlbl_domhsh_lock);
-   } else {
-   spin_lock(&netlbl_domhsh_def_lock);
-   if (entry->valid) {
-   entry->valid = 0;
+   else
rcu_assign_pointer(netlbl_domhsh_def, NULL);
-   ret_val = 0;
-   }
-   spin_unlock(&netlbl_domhsh_def_lock);
+   ret_val = 0;
}
+   spin_unlock(&netlbl_domhsh_lock);
 
audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info);
if (audit_buf != NULL) {




[RFC PATCH v12 02/18] NetLabel: Cleanup the LSM domain hash functions

2008-01-17 Thread Paul Moore
The NetLabel/LSM domain hash table search function used an argument to specify
if the default entry should be returned if an exact match couldn't be found in
the hash table.  This is a bit against the kernel's style so make two separate
functions to represent the separate behaviors.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 net/netlabel/netlabel_domainhash.c |   47 ++--
 1 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/net/netlabel/netlabel_domainhash.c 
b/net/netlabel/netlabel_domainhash.c
index b3675bd..1f8f7ac 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -109,17 +109,14 @@ static u32 netlbl_domhsh_hash(const char *key)
 /**
  * netlbl_domhsh_search - Search for a domain entry
  * @domain: the domain
- * @def: return default if no match is found
  *
  * Description:
  * Searches the domain hash table and returns a pointer to the hash table
- * entry if found, otherwise NULL is returned.  If @def is non-zero and a
- * match is not found in the domain hash table the default mapping is returned
- * if it exists.  The caller is responsibile for the rcu hash table locks
- * (i.e. the caller much call rcu_read_[un]lock()).
+ * entry if found, otherwise NULL is returned.  The caller is responsibile for
+ * the rcu hash table locks (i.e. the caller much call rcu_read_[un]lock()).
  *
  */
-static struct netlbl_dom_map *netlbl_domhsh_search(const char *domain, u32 def)
+static struct netlbl_dom_map *netlbl_domhsh_search(const char *domain)
 {
u32 bkt;
struct netlbl_dom_map *iter;
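
Review bot: two typos in the reworded kernel-doc for netlbl_domhsh_search(): `responsibile` should be `responsible` and `the caller much call rcu_read_[un]lock()` should be `must call`. Since the comment is being rewritten anyway, fixing them here avoids carrying them into the copy made for the new function below.
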
@@ -133,10 +130,31 @@ static struct netlbl_dom_map *netlbl_domhsh_search(const 
char *domain, u32 def)
return iter;
}
 
-   if (def != 0) {
-   iter = rcu_dereference(netlbl_domhsh_def);
-   if (iter != NULL && iter->valid)
-   return iter;
+   return NULL;
+}
+
+/**
+ * netlbl_domhsh_search_def - Search for a domain entry
+ * @domain: the domain
+ * @def: return default if no match is found
+ *
+ * Description:
+ * Searches the domain hash table and returns a pointer to the hash table
+ * entry if an exact match is found, if an exact match is not present in the
+ * hash table then the default entry is returned if valid otherwise NULL is
+ * returned.  The caller is responsibile for the rcu hash table locks
+ * (i.e. the caller much call rcu_read_[un]lock()).
+ *
+ */
+static struct netlbl_dom_map *netlbl_domhsh_search_def(const char *domain)
+{
+   struct netlbl_dom_map *entry;
+
+   entry = netlbl_domhsh_search(domain);
+   if (entry == NULL) {
+   entry = rcu_dereference(netlbl_domhsh_def);
+   if (entry != NULL && entry->valid)
+   return entry;
}
 
return NULL;
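
Review bot: the kernel-doc for netlbl_domhsh_search_def() still carries `@def: return default if no match is found`, but the function takes only @domain; drop that line or kernel-doc will complain about a documented parameter that does not exist. The description also repeats the `responsibile` / `much call` typos from netlbl_domhsh_search().
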
@@ -224,7 +242,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
if (entry->domain != NULL) {
bkt = netlbl_domhsh_hash(entry->domain);
spin_lock(&netlbl_domhsh_lock);
-   if (netlbl_domhsh_search(entry->domain, 0) == NULL)
+   if (netlbl_domhsh_search(entry->domain) == NULL)
list_add_tail_rcu(&entry->list,
&rcu_dereference(netlbl_domhsh)->tbl[bkt]);
else
@@ -307,7 +325,10 @@ int netlbl_domhsh_remove(const char *domain, struct 
netlbl_audit *audit_info)
struct audit_buffer *audit_buf;
 
rcu_read_lock();
-   entry = netlbl_domhsh_search(domain, (domain != NULL ? 0 : 1));
+   if (domain)
+   entry = netlbl_domhsh_search(domain);
+   else
+   entry = netlbl_domhsh_search_def(domain);
if (entry == NULL)
goto remove_return;
switch (entry->type) {
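
Review bot: in netlbl_domhsh_remove() the `else` branch reaches netlbl_domhsh_search_def(domain) with domain == NULL, which in turn calls netlbl_domhsh_search(NULL); the visible part of netlbl_domhsh_search() computes `netlbl_domhsh_hash(domain)` with no NULL test, so this relies on a guard in the elided body. Please confirm it is there, since netlbl_domhsh_remove_default() below presumably exercises exactly this path; if it is not, this is a NULL dereference reachable from the management interface.
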
@@ -377,7 +398,7 @@ int netlbl_domhsh_remove_default(struct netlbl_audit 
*audit_info)
  */
 struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain)
 {
-   return netlbl_domhsh_search(domain, 1);
+   return netlbl_domhsh_search_def(domain);
 }
 
 /**



[RFC PATCH v12 01/18] NetLabel: Remove unneeded RCU read locks

2008-01-17 Thread Paul Moore
This patch removes some unneeded RCU read locks as we can treat the reads as
"safe" even without RCU.  It also converts the NetLabel configuration refcount
from a spinlock protected u32 into atomic_t to be more consistent with the rest
of the kernel.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 net/netlabel/netlabel_cipso_v4.c  |5 ++-
 net/netlabel/netlabel_kapi.c  |3 +-
 net/netlabel/netlabel_mgmt.c  |   63 ++---
 net/netlabel/netlabel_mgmt.h  |7 ++--
 net/netlabel/netlabel_unlabeled.c |   22 ++---
 5 files changed, 15 insertions(+), 85 deletions(-)

diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index ba0ca8d..becf91a 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -38,6 +38,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "netlabel_user.h"
 #include "netlabel_cipso_v4.h"
@@ -421,7 +422,7 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct 
genl_info *info)
break;
}
if (ret_val == 0)
-   netlbl_mgmt_protocount_inc();
+   atomic_inc(&netlabel_mgmt_protocount);
 
audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
  &audit_info);
@@ -698,7 +699,7 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, 
struct genl_info *info)
  &audit_info,
  netlbl_cipsov4_doi_free);
if (ret_val == 0)
-   netlbl_mgmt_protocount_dec();
+   atomic_dec(&netlabel_mgmt_protocount);
 
audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
  &audit_info);
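
Review bot: netlbl_mgmt_protocount_dec() refused to go below zero (`if (netlabel_mgmt_protocount > 0)` in the code removed from netlabel_mgmt.c below), but `atomic_dec(&netlabel_mgmt_protocount)` here has no such floor. If an add/remove pairing is ever unbalanced the counter goes negative and netlbl_enabled(), which tests `> 0`, starts returning false, silently switching labeled networking off. Either keep the floor (atomic_dec_if_positive(), or a WARN_ON on a negative result) or say in the commit message why the callers are guaranteed to stay balanced.
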
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 4f50949..d3762ea 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -34,6 +34,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "netlabel_domainhash.h"
 #include "netlabel_unlabeled.h"
@@ -262,7 +263,7 @@ int netlbl_enabled(void)
/* At some point we probably want to expose this mechanism to the user
 * as well so that admins can toggle NetLabel regardless of the
 * configuration */
-   return (netlbl_mgmt_protocount_value() > 0 ? 1 : 0);
+   return (atomic_read(&netlabel_mgmt_protocount) > 0);
 }
 
 /**
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
index 9c41464..e2258dc 100644
--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -37,14 +37,14 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "netlabel_domainhash.h"
 #include "netlabel_user.h"
 #include "netlabel_mgmt.h"
 
-/* NetLabel configured protocol count */
-static DEFINE_SPINLOCK(netlabel_mgmt_protocount_lock);
-static u32 netlabel_mgmt_protocount = 0;
+/* NetLabel configured protocol counter */
+atomic_t netlabel_mgmt_protocount = ATOMIC_INIT(0);
 
 /* Argument struct for netlbl_domhsh_walk() */
 struct netlbl_domhsh_walk_arg {
@@ -71,63 +71,6 @@ static const struct nla_policy 
netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
 };
 
 /*
- * NetLabel Misc Management Functions
- */
-
-/**
- * netlbl_mgmt_protocount_inc - Increment the configured labeled protocol count
- *
- * Description:
- * Increment the number of labeled protocol configurations in the current
- * NetLabel configuration.  Keep track of this for use in determining if
- * NetLabel label enforcement should be active/enabled or not in the LSM.
- *
- */
-void netlbl_mgmt_protocount_inc(void)
-{
-   spin_lock(&netlabel_mgmt_protocount_lock);
-   netlabel_mgmt_protocount++;
-   spin_unlock(&netlabel_mgmt_protocount_lock);
-}
-
-/**
- * netlbl_mgmt_protocount_dec - Decrement the configured labeled protocol count
- *
- * Description:
- * Decrement the number of labeled protocol configurations in the current
- * NetLabel configuration.  Keep track of this for use in determining if
- * NetLabel label enforcement should be active/enabled or not in the LSM.
- *
- */
-void netlbl_mgmt_protocount_dec(void)
-{
-   spin_lock(&netlabel_mgmt_protocount_lock);
-   if (netlabel_mgmt_protocount > 0)
-   netlabel_mgmt_protocount--;
-   spin_unlock(&netlabel_mgmt_protocount_lock);
-}
-
-/**
- * netlbl_mgmt_protocount_value - Return the number of configured protocols
- *
- * Description:
- * Return the number of labeled protocols in the current NetLabel
- * configuration.  This value is useful in  determining if NetLabel label
- * enforcement should be active/enabled or not in the LSM.
- *
- */
-u32 netlbl_mgmt_protocount_value(void)
-{
-   u32 val;
-
-   rcu_read_lock();
-   val = netlabel_mgmt_protocount;
-   rcu_read_unlock();
-
-   return va

[RFC PATCH v12 00/18] Labeled networking changes for 2.6.25

2008-01-17 Thread Paul Moore
The latest update to the labeled networking changes for 2.6.25.

This revision of the patchset finalizes the packet ingress/egress controls
using the existing netfilter forwarding and postrouting hooks while
adding SECMARK controls for forwarded traffic as discussed on the SELinux list.
This patchset also fixes a longstanding, but recently discovered, discrepancy
regarding the SELinux FLASK definitions; the discussion is still ongoing and
the fix used here may change as a result.

The patches below can also be found here:

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing
 * http://git.infradead.org/?p=users/pcmoore/lblnet-2.6_testing

-- 
paul moore
linux security @ hp


Re: [PATCH 08/26] Add a secctx_to_secid() LSM hook to go along with the existing

2008-01-16 Thread Paul Moore
On Wednesday 16 January 2008 5:13:53 pm James Morris wrote:
> On Wed, 16 Jan 2008, Paul Moore wrote:
> > On Tuesday 15 January 2008 8:05:27 pm James Morris wrote:
> > > On Tue, 15 Jan 2008, David Howells wrote:
> > > > secid_to_secctx() LSM hook.  This patch also includes the SELinux
> > > > implementation for this hook.
> > > >
> > > > Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
> > > > Acked-by: Stephen Smalley <[EMAIL PROTECTED]>
> > >
> > > This is useful in its own right, and I would like to push it upstream
> > > for 2.6.24 unless there are any objections.
> >
> > Isn't it a bit late in 2.6.24 to add new functionality, especially when
> > there isn't an in-tree user for it in 2.6.24?
>
> Actually, I meant to go into 2.6.24 after the merge window opens.

I'm assuming you meant 2.6.25 in the sentence above?

-- 
paul moore
linux security @ hp


Re: [PATCH 08/26] Add a secctx_to_secid() LSM hook to go along with the existing

2008-01-16 Thread Paul Moore
On Tuesday 15 January 2008 8:05:27 pm James Morris wrote:
> On Tue, 15 Jan 2008, David Howells wrote:
> > secid_to_secctx() LSM hook.  This patch also includes the SELinux
> > implementation for this hook.
> >
> > Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
> > Acked-by: Stephen Smalley <[EMAIL PROTECTED]>
>
> This is useful in its own right, and I would like to push it upstream for
> 2.6.24 unless there are any objections.

Isn't it a bit late in 2.6.24 to add new functionality, especially when there 
isn't an in-tree user for it in 2.6.24?

You are right, there are several users of this function currently under 
development but I'm pretty sure all of them are targeting 2.6.25 or greater.  
With that in mind, I think the prudent thing to do is to wait and push this 
upstream for 2.6.25.

-- 
paul moore
linux security @ hp


[RFC PATCH v10 16/20] SELinux: Allow NetLabel to directly cache SIDs

2008-01-03 Thread Paul Moore
Now that the SELinux NetLabel "base SID" is always the netmsg initial SID we
can do a big optimization - caching the SID and not just the MLS attributes.
This not only saves a lot of per-packet memory allocations and copies but it
has a nice side effect of removing a chunk of code.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/hooks.c|6 --
 security/selinux/include/netlabel.h |2 -
 security/selinux/include/security.h |2 -
 security/selinux/netlabel.c |   55 ++--
 security/selinux/ss/services.c  |  124 ++-
 5 files changed, 55 insertions(+), 134 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 90b0901..d16f586 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3231,11 +3231,7 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, 
u16 family, u32 *sid)
u32 nlbl_type;
 
selinux_skb_xfrm_sid(skb, &xfrm_sid);
-   selinux_netlbl_skbuff_getsid(skb,
-family,
-SECINITSID_NETMSG,
-&nlbl_type,
-&nlbl_sid);
+   selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
 xfrm_sid,
diff --git a/security/selinux/include/netlabel.h 
b/security/selinux/include/netlabel.h
index c8c05a6..00a2809 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -48,7 +48,6 @@ void selinux_netlbl_sk_security_clone(struct 
sk_security_struct *ssec,
 
 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 u16 family,
-u32 base_sid,
 u32 *type,
 u32 *sid);
 
@@ -89,7 +88,6 @@ static inline void selinux_netlbl_sk_security_clone(
 
 static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
   u16 family,
-  u32 base_sid,
   u32 *type,
   u32 *sid)
 {
diff --git a/security/selinux/include/security.h 
b/security/selinux/include/security.h
index 9347e2d..23137c1 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -124,7 +124,6 @@ int security_genfs_sid(const char *fstype, char *name, u16 
sclass,
 
 #ifdef CONFIG_NETLABEL
 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
-  u32 base_sid,
   u32 *sid);
 
 int security_netlbl_sid_to_secattr(u32 sid,
@@ -132,7 +131,6 @@ int security_netlbl_sid_to_secattr(u32 sid,
 #else
 static inline int security_netlbl_secattr_to_sid(
struct netlbl_lsm_secattr *secattr,
-   u32 base_sid,
u32 *sid)
 {
return -EIDRM;
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index af78cb9..e07adf9 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -36,6 +36,33 @@
 #include "security.h"
 
 /**
+ * selinux_netlbl_sidlookup_cached - Cache a SID lookup
+ * @skb: the packet
+ * @secattr: the NetLabel security attributes
+ * @sid: the SID
+ *
+ * Description:
+ * Query the SELinux security server to lookup the correct SID for the given
+ * security attributes.  If the query is successful, cache the result to speed
+ * up future lookups.  Returns zero on success, negative values on failure.
+ *
+ */
+static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
+  struct netlbl_lsm_secattr *secattr,
+  u32 *sid)
+{
+   int rc;
+
+   rc = security_netlbl_secattr_to_sid(secattr, sid);
+   if (rc == 0 &&
+   (secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
+   (secattr->flags & NETLBL_SECATTR_CACHE))
+   netlbl_cache_add(skb, secattr);
+
+   return rc;
+}
+
+/**
  * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
  * @sk: the socket to label
  * @sid: the SID to use
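
Review bot: the kernel-doc for selinux_netlbl_sidlookup_cached() says the result is cached on success, but the code only caches when both NETLBL_SECATTR_CACHEABLE and NETLBL_SECATTR_CACHE bits are present in secattr->flags; the comment should state that condition. Note also that NETLBL_SECATTR_CACHEABLE is a mask of several bits, so `secattr->flags & NETLBL_SECATTR_CACHEABLE` is true as soon as any one cacheable attribute is set; if "at least one cacheable attribute present" is the intent that is fine, but say so, because a reader may expect an all-bits test.
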
@@ -141,7 +168,6 @@ void selinux_netlbl_sk_security_clone(struct 
sk_security_struct *ssec,
  * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
  * @skb: the packet
  * @family: protocol family
- * @base_sid: the SELinux SID to use as a context for MLS only attributes
  * @type: NetLabel labeling protocol type
  * @sid: the SID
  *
@@ -153,7 +179,6 @@ void selinux_netlbl_sk_security_clone(struct 
sk_secur

[RFC PATCH v10 19/20] SELinux: Add network ingress and egress control permission checks

2008-01-03 Thread Paul Moore
This patch implements packet ingress/egress controls for SELinux which allow
SELinux security policy to control the flow of all IPv4 and IPv6 packets into
and out of the system.  Currently SELinux does not have proper control over
forwarded packets and this patch corrects this problem.

Special thanks to Venkat Yekkirala <[EMAIL PROTECTED]> whose earlier
work on this topic eventually led to this patch.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/hooks.c |  347 --
 1 files changed, 240 insertions(+), 107 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d16f586..474ffe8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -12,8 +12,8 @@
  *  Copyright (C) 2003 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  *  <[EMAIL PROTECTED]>
- *  Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
- *     Paul Moore, <[EMAIL PROTECTED]>
+ *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
+ * Paul Moore <[EMAIL PROTECTED]>
  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  * Yuichi Nakamura <[EMAIL PROTECTED]>
  *
@@ -3608,6 +3608,83 @@ static int selinux_socket_unix_may_send(struct socket 
*sock,
return 0;
 }
 
+static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
+   u32 peer_sid,
+   struct avc_audit_data *ad)
+{
+   int err;
+   u32 if_sid;
+   u32 node_sid;
+
+   err = sel_netif_sid(ifindex, &if_sid);
+   if (err)
+   return err;
+   err = avc_has_perm(peer_sid, if_sid,
+  SECCLASS_NETIF, NETIF__INGRESS, ad);
+   if (err)
+   return err;
+
+   err = sel_netnode_sid(addrp, family, &node_sid);
+   if (err)
+   return err;
+   return avc_has_perm(peer_sid, node_sid,
+   SECCLASS_NODE, NODE__RECVFROM, ad);
+}
+
+static int selinux_inet_sys_snd_skb(struct sk_buff *skb, int family)
+{
+   int err = 0;
+
+   if (!selinux_policycap_netpeer)
+   return 0;
+
+   if (netlbl_enabled() || selinux_xfrm_enabled()) {
+   u32 if_sid;
+   u32 node_sid;
+   u32 peer_sid;
+   int ifindex = skb->dev->ifindex;
+   char *addrp;
+   struct sock *sk = skb->sk;
+   struct avc_audit_data ad;
+
+   AVC_AUDIT_DATA_INIT(&ad, NET);
+   ad.u.net.netif = ifindex;
+   ad.u.net.family = family;
+   err = selinux_parse_skb(skb, &ad, &addrp, 0, NULL);
+   if (err)
+   return err;
+
+   if (sk) {
+   /* packet was locally generated, get the peer label
+* from the originating socket */
+   struct sk_security_struct *sksec = sk->sk_security;
+   peer_sid = sksec->sid;
+   } else {
+   /* packet was generated by another host, get the peer
+* label directly from the packet */
+   err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
+   if (err)
+   return err;
+   }
+
+   err = sel_netif_sid(ifindex, &if_sid);
+   if (err)
+   return err;
+   err = avc_has_perm(peer_sid, if_sid,
+  SECCLASS_NETIF, NETIF__EGRESS, &ad);
+   if (err)
+   return err;
+
+   err = sel_netnode_sid(addrp, family, &node_sid);
+   if (err)
+   return err;
+   err = avc_has_perm(peer_sid, node_sid,
+  SECCLASS_NODE, NODE__SENDTO, &ad);
+   }
+
+   return err;
+}
+
 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
struct sk_buff *skb,
struct avc_audit_data *ad,
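
Review bot: selinux_inet_sys_rcv_skb() and selinux_inet_sys_snd_skb() are asymmetric in ways that should be fixed or explained. The send helper bails out on `!selinux_policycap_netpeer` and again when neither netlbl_enabled() nor selinux_xfrm_enabled() is true, while the receive helper has no gate at all, so every caller of the receive helper (selinux_socket_sock_rcv_skb() below) must apply those conditions itself; a comment on the helper should state that contract. The netif/node permission sequence (sel_netif_sid() then NETIF__INGRESS or NETIF__EGRESS, sel_netnode_sid() then NODE__RECVFROM or NODE__SENDTO) is duplicated between the two; one helper taking the two permissions as arguments would remove the copy. Finally, `int ifindex = skb->dev->ifindex;` dereferences skb->dev unconditionally; if this hook can see a packet with no output device attached, that needs a check.
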
@@ -3748,6 +3825,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, 
struct sk_buff *skb)
err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
if (err)
return err;
+   err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
+  peer_sid, &ad);
+   if (err)
+   return err;
err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
   PEER__RECV, &ad);
}
@@ -3964

[RFC PATCH v10 20/20] SELinux: Add warning messages on network denial due to error

2008-01-03 Thread Paul Moore
Currently network traffic can be silently dropped due to non-avc errors which
can lead to much confusion when trying to debug the problem.  This patch adds
warning messages so that when these events occur there is a user visible
notification.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/hooks.c   |   22 ++
 security/selinux/netif.c   |   13 +++--
 security/selinux/netnode.c |6 +-
 3 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 474ffe8..796144f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3206,6 +3206,11 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
break;
}
 
+   if (unlikely(ret))
+   printk(KERN_WARNING
+  "SELinux: failure in selinux_parse_skb(),"
+  " unable to parse packet\n");
+
return ret;
 }
 
@@ -3226,6 +3231,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
  */
 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
+   int err;
u32 xfrm_sid;
u32 nlbl_sid;
u32 nlbl_type;
@@ -3233,10 +3239,13 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, 
u16 family, u32 *sid)
selinux_skb_xfrm_sid(skb, &xfrm_sid);
selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
-   if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
-xfrm_sid,
-sid) != 0)
+   err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+   if (unlikely(err)) {
+   printk(KERN_WARNING
+  "SELinux: failure in selinux_skb_peerlbl_sid(),"
+  " unable to determine packet's peer label\n");
return -EACCES;
+   }
 
return 0;
 }
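
Review bot: the new `err` from security_net_peersid_resolve() is only tested, and the function still returns -EACCES for every failure, so a memory allocation failure inside the resolver is reported to the caller (and audited) as an access denial; returning err, or at least including it in the warning text, would keep the real cause visible. This printk is also on the per-packet path and needs the same rate limiting as the one in selinux_parse_skb().
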
@@ -3742,8 +3751,13 @@ static int selinux_sock_rcv_skb_iptables_compat(struct 
sock *sk,
err = security_port_sid(sk->sk_family, sk->sk_type,
sk->sk_protocol, ntohs(ad->u.net.sport),
&port_sid);
-   if (err)
+   if (unlikely(err)) {
+   printk(KERN_WARNING
+  "SELinux: failure in"
+  " selinux_sock_rcv_skb_iptables_compat(),"
+  " network port label not found\n");
return err;
+   }
return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
 }
 
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index ee49a73..013d311 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -157,8 +157,12 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 * currently support containers */
 
dev = dev_get_by_index(&init_net, ifindex);
-   if (dev == NULL)
+   if (unlikely(dev == NULL)) {
+   printk(KERN_WARNING
+  "SELinux: failure in sel_netif_sid_slow(),"
+  " invalid network interface (%d)\n", ifindex);
return -ENOENT;
+   }
 
spin_lock_bh(&sel_netif_lock);
netif = sel_netif_find(ifindex);
@@ -184,8 +188,13 @@ static int sel_netif_sid_slow(int ifindex, u32 *sid)
 out:
spin_unlock_bh(&sel_netif_lock);
dev_put(dev);
-   if (ret != 0)
+   if (unlikely(ret)) {
+   printk(KERN_WARNING
+  "SELinux: failure in sel_netif_sid_slow(),"
+  " unable to determine network interface label (%d)\n",
+  ifindex);
kfree(new);
+   }
return ret;
 }
 
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 49c5277..f3c526f 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -264,8 +264,12 @@ static int sel_netnode_sid_slow(void *addr, u16 family, 
u32 *sid)
 
 out:
spin_unlock_bh(&sel_netnode_lock);
-   if (ret != 0)
+   if (unlikely(ret)) {
+   printk(KERN_WARNING
+  "SELinux: failure in sel_netnode_sid_slow(),"
+  " unable to determine network node label\n");
kfree(new);
+   }
return ret;
 }
 
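Review bot: the sel_netnode_sid_slow() warning carries no identifier at all, unlike the netif.c messages which print the ifindex; including the address family and the address (NIPQUAD/NIP6 formatting) would show an administrator which node label is missing. Same rate-limit concern as the other per-packet warnings in this patch.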

-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[RFC PATCH v10 18/20] NetLabel: Add auditing to the static labeling mechanism

2008-01-03 Thread Paul Moore
This patch adds auditing support to the NetLabel static labeling mechanism.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/linux/audit.h |2 
 net/netlabel/netlabel_unlabeled.c |  207 ++---
 2 files changed, 195 insertions(+), 14 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index c687816..bdd6f5d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -115,6 +115,8 @@
 #define AUDIT_MAC_IPSEC_ADDSPD 1413/* Not used */
 #define AUDIT_MAC_IPSEC_DELSPD 1414/* Not used */
 #define AUDIT_MAC_IPSEC_EVENT  1415/* Audit an IPSec event */
+#define AUDIT_MAC_UNLBL_STCADD 1416/* NetLabel: add a static label */
+#define AUDIT_MAC_UNLBL_STCDEL 1417/* NetLabel: del a static label */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG1799
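Review bot: AUDIT_MAC_UNLBL_STCADD/STCDEL (1416/1417) are new record types visible to userspace, so the commit message should mention that the audit userspace name tables need matching entries; until then ausearch can only show these records by number.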
diff --git a/net/netlabel/netlabel_unlabeled.c 
b/net/netlabel/netlabel_unlabeled.c
index d0c628c..42e81fd 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -147,6 +147,74 @@ static const struct nla_policy 
netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1
 };
 
 /*
+ * Audit Helper Functions
+ */
+
+/**
+ * netlbl_unlabel_audit_addr4 - Audit an IPv4 address
+ * @audit_buf: audit buffer
+ * @dev: network interface
+ * @addr: IP address
+ * @mask: IP address mask
+ *
+ * Description:
+ * Write the IPv4 address and address mask, if necessary, to @audit_buf.
+ *
+ */
+static void netlbl_unlabel_audit_addr4(struct audit_buffer *audit_buf,
+const char *dev,
+__be32 addr, __be32 mask)
+{
+   u32 mask_val = ntohl(mask);
+
+   if (dev != NULL)
+   audit_log_format(audit_buf, " netif=%s", dev);
+   audit_log_format(audit_buf, " src=" NIPQUAD_FMT, NIPQUAD(addr));
+   if (mask_val != 0x) {
+   u32 mask_len = 0;
+   while (mask_val > 0) {
+   mask_val <<= 1;
+   mask_len++;
+   }
+   audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
+   }
+}
+
+/**
+ * netlbl_unlabel_audit_addr6 - Audit an IPv6 address
+ * @audit_buf: audit buffer
+ * @dev: network interface
+ * @addr: IP address
+ * @mask: IP address mask
+ *
+ * Description:
+ * Write the IPv6 address and address mask, if necessary, to @audit_buf.
+ *
+ */
+static void netlbl_unlabel_audit_addr6(struct audit_buffer *audit_buf,
+const char *dev,
+const struct in6_addr *addr,
+const struct in6_addr *mask)
+{
+   if (dev != NULL)
+   audit_log_format(audit_buf, " netif=%s", dev);
+   audit_log_format(audit_buf, " src=" NIP6_FMT, NIP6(*addr));
+   if (ntohl(mask->s6_addr32[3]) != 0x) {
+   u32 mask_len = 0;
+   u32 mask_val;
+   int iter = -1;
+   while (ntohl(mask->s6_addr32[++iter]) == 0x)
+   mask_len += 32;
+   mask_val = ntohl(mask->s6_addr32[iter]);
+   while (mask_val > 0) {
+   mask_val <<= 1;
+   mask_len++;
+   }
+   audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
+   }
+}
+
+/*
  * Unlabeled Connection Hash Table Functions
  */
 
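Review bot: the prefix-length loops in netlbl_unlabel_audit_addr4() and netlbl_unlabel_audit_addr6() assume a contiguous netmask; a non-contiguous mask produces a misleading src_prefixlen, so either reject such masks when the entry is added or log the raw mask alongside the prefix length. mask_len is a u32 but is printed with "%d" in both helpers; use "%u".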
@@ -530,6 +598,7 @@ add_iface_failure:
  * @mask: address mask in network byte order
  * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
  * @secid: LSM secid value for the entry
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Adds a new entry to the unlabeled connection hash table.  Returns zero on
@@ -541,12 +610,18 @@ static int netlbl_unlhsh_add(struct net *net,
 const void *addr,
 const void *mask,
 u32 addr_len,
-u32 secid)
+u32 secid,
+struct netlbl_audit *audit_info)
 {
int ret_val;
int ifindex;
struct net_device *dev;
struct netlbl_unlhsh_iface *iface;
+   struct in_addr *addr4, *mask4;
+   struct in6_addr *addr6, *mask6;
+   struct audit_buffer *audit_buf = NULL;
+   char *secctx = NULL;
+   u32 secctx_len;
 
if (addr_len != sizeof(struct in_addr) &&
addr_len != sizeof(struct in6_addr))
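Review bot: netlbl_unlhsh_add() takes addr and mask as `const void *`, but the new addr4/mask4/addr6/mask6 locals are declared without const, so assigning them from the parameters casts constness away; declare them `const struct in_addr *` and `const struct in6_addr *`. secctx and secctx_len are also introduced here; whichever path fills secctx must release it on every exit, including the case where netlbl_audit_start_common() returns NULL because auditing is disabled.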
@@ -573,13 +648,28 @@ static int netlbl_unlhsh_add(struct net *net,
goto unlhsh_add_return;
}
}
+   audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
+ audit_info);
switch (addr_len) {
case sizeof(struct in_addr):
-  

[RFC PATCH v10 17/20] NetLabel: Introduce static network labels for unlabeled connections

2008-01-03 Thread Paul Moore
Most trusted OSs, with the exception of Linux, have the ability to specify
static security labels for unlabeled networks.  This patch adds this ability to
the NetLabel packet labeling framework.

If the NetLabel subsystem is called to determine the security attributes of an
incoming packet it first checks to see if any recognized NetLabel packet
labeling protocols are in-use on the packet.  If none can be found then the
unlabeled connection table is queried and based on the packet's incoming
interface and address it is matched with a security label as configured by the
administrator using the netlabel_tools package.  The matching security label is
returned to the caller just as if the packet was explicitly labeled using a
labeling protocol.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/net/netlabel.h|6 
 net/netlabel/netlabel_kapi.c  |   16 
 net/netlabel/netlabel_unlabeled.c | 1375 +
 net/netlabel/netlabel_unlabeled.h |  145 
 4 files changed, 1524 insertions(+), 18 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index a3bffb4..b3213c7 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -67,7 +67,11 @@
  * NetLabel NETLINK protocol
  */
 
-#define NETLBL_PROTO_VERSION1
+/* NetLabel NETLINK protocol version
+ *  1: initial version
+ *  2: added static labels for unlabeled connections
+ */
+#define NETLBL_PROTO_VERSION2
 
 /* NetLabel NETLINK types/families */
 #define NETLBL_NLTYPE_NONE  0
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 4914615..c69e3e1 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -312,7 +312,7 @@ socket_setattr_return:
  * @secattr: the security attributes
  *
  * Description:
- * Examines the given sock to see any NetLabel style labeling has been
+ * Examines the given sock to see if any NetLabel style labeling has been
  * applied to the sock, if so it parses the socket label and returns the
  * security attributes in @secattr.  Returns zero on success, negative values
  * on failure.
@@ -320,13 +320,7 @@ socket_setattr_return:
  */
 int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
 {
-   int ret_val;
-
-   ret_val = cipso_v4_sock_getattr(sk, secattr);
-   if (ret_val == 0)
-   return 0;
-
-   return netlbl_unlabel_getattr(secattr);
+   return cipso_v4_sock_getattr(sk, secattr);
 }
 
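Review bot: this hunk changes behaviour for netlbl_sock_getattr(): it no longer falls back to netlbl_unlabel_getattr(), so a sock without a CIPSO label now returns the cipso_v4_sock_getattr() error instead of the unlabeled default attributes. The commit message should say why (a sock has no incoming interface and address to match against the static table) so that callers which relied on the fallback can be checked.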
 /**
@@ -350,7 +344,7 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb,
cipso_v4_skbuff_getattr(skb, secattr) == 0)
return 0;
 
-   return netlbl_unlabel_getattr(secattr);
+   return netlbl_unlabel_getattr(skb, family, secattr);
 }
 
 /**
@@ -434,6 +428,10 @@ static int __init netlbl_init(void)
if (ret_val != 0)
goto init_failure;
 
+   ret_val = netlbl_unlabel_init(NETLBL_UNLHSH_BITSIZE);
+   if (ret_val != 0)
+   goto init_failure;
+
ret_val = netlbl_netlink_init();
if (ret_val != 0)
goto init_failure;
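Review bot: netlbl_unlabel_init() is now called before netlbl_netlink_init(), and both jump to init_failure on error; the hunk does not show what init_failure releases, so confirm that it tears down the unlabeled hash table when a later step fails, otherwise the table allocated here leaks on a partially failed init.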
diff --git a/net/netlabel/netlabel_unlabeled.c 
b/net/netlabel/netlabel_unlabeled.c
index 7f5df0c..d0c628c 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -10,7 +10,7 @@
  */
 
 /*
- * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - 2007
  *
  * This program is free software;  you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -29,27 +29,99 @@
  */
 
 #include 
+#include 
 #include 
 #include 
 #include 
 #include 
 #include 
 #include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
 #include 
 #include 
 #include 
-
+#include 
+#include 
+#include 
 #include 
 #include 
+#include 
 
 #include "netlabel_user.h"
 #include "netlabel_domainhash.h"
 #include "netlabel_unlabeled.h"
+#include "netlabel_mgmt.h"
+
+/* NOTE: at present we always use init's network namespace since we don't
+ *   presently support different namespaces even though the majority of
+ *   the functions in this file are "namespace safe" */
+
+/* The unlabeled connection hash table which we use to map network interfaces
+ * and addresses of unlabeled packets to a user specified secid value for the
+ * LSM.  The hash table is used to lookup the network interface entry
+ * (struct netlbl_unlhsh_iface) and then the interface entry is used to
+ * lookup an IP address match from an ordered list.  If a network interface
+ * match can not be found in the hash table then the default entry
+ * (netlbl_unlhsh_def) is used.  The IP address entry list
+ * (struct netlbl_unlhsh_addr) is ordered such that the entries with a
+ * larger netmask come first.
+ */
+struct n
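The lookup the commit message and the table comment describe, as an added example rather than code from the patch: an IPv4-only model in which interfaces are hashed by ifindex, each interface keeps its address entries ordered with the largest netmask first so the first hit is the longest-prefix match, and a default entry is consulted when the interface has no entry of its own. All names, the table size and the constructed addresses are hypothetical; the kernel code also handles IPv6, RCU and netlink configuration, none of which is modeled here.

```c
/* Added example, not code from the patch: a minimal model of the NetLabel
 * unlabeled-connection table.  Interfaces are hashed by ifindex, each
 * interface holds an address list ordered with the largest (most specific)
 * netmask first, and a default entry is used when the interface has no entry
 * of its own.  IPv4 only, host byte order, no locking; all names hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define SECSID_NULL 0u
#define UNLHSH_BITS 4                         /* hypothetical table size */
#define UNLHSH_SIZE (1u << UNLHSH_BITS)

struct unlhsh_addr4 {
	uint32_t addr;                        /* network address, already masked */
	uint32_t mask;                        /* contiguous netmask */
	uint32_t secid;                       /* LSM secid set by the administrator */
	struct unlhsh_addr4 *next;
};

struct unlhsh_iface {
	int ifindex;                          /* 0 is reserved for the default entry */
	struct unlhsh_addr4 *addr4_list;
	struct unlhsh_iface *next;
};

static struct unlhsh_iface *unlhsh_tbl[UNLHSH_SIZE];
static struct unlhsh_iface unlhsh_def;        /* consulted when no iface entry exists */

static struct unlhsh_iface *unlhsh_iface_find(int ifindex)
{
	struct unlhsh_iface *iface = unlhsh_tbl[ifindex & (UNLHSH_SIZE - 1)];

	for (; iface; iface = iface->next)
		if (iface->ifindex == ifindex)
			return iface;
	return NULL;
}

/* Find or create the interface entry; ifindex 0 selects the default entry. */
static struct unlhsh_iface *unlhsh_iface_get(int ifindex)
{
	struct unlhsh_iface *iface;
	unsigned int bkt = ifindex & (UNLHSH_SIZE - 1);

	if (ifindex == 0)
		return &unlhsh_def;
	iface = unlhsh_iface_find(ifindex);
	if (iface)
		return iface;
	iface = calloc(1, sizeof(*iface));
	if (!iface)
		return NULL;
	iface->ifindex = ifindex;
	iface->next = unlhsh_tbl[bkt];
	unlhsh_tbl[bkt] = iface;
	return iface;
}

/* Add a static label.  The list is kept in descending mask order so the first
 * match on lookup is the longest-prefix match; for contiguous masks the numeric
 * value orders the same way as the prefix length.  Returns 0 or -errno. */
int unlhsh_add4(int ifindex, uint32_t addr, uint32_t mask, uint32_t secid)
{
	struct unlhsh_iface *iface;
	struct unlhsh_addr4 **pp, *entry;
	uint32_t inv = ~mask;

	/* a contiguous mask inverts to a run of trailing ones (2^k - 1) */
	if (ifindex < 0 || (inv & (inv + 1)) != 0)
		return -EINVAL;
	iface = unlhsh_iface_get(ifindex);
	if (!iface)
		return -ENOMEM;
	entry = calloc(1, sizeof(*entry));
	if (!entry)
		return -ENOMEM;
	entry->addr = addr & mask;
	entry->mask = mask;
	entry->secid = secid;
	for (pp = &iface->addr4_list; *pp; pp = &(*pp)->next) {
		if ((*pp)->mask == mask && (*pp)->addr == entry->addr) {
			free(entry);
			return -EEXIST;       /* same network already labeled */
		}
		if ((*pp)->mask < mask)
			break;                /* insert before the less specific entry */
	}
	entry->next = *pp;
	*pp = entry;
	return 0;
}

/* Resolve the static label of an incoming packet from its interface and source
 * address: the interface's own list if it has one, otherwise the default list.
 * Returns the secid, or SECSID_NULL when nothing matches. */
uint32_t unlhsh_getsecid4(int ifindex, uint32_t saddr)
{
	struct unlhsh_iface *iface = unlhsh_iface_find(ifindex);
	const struct unlhsh_addr4 *e;

	if (!iface)
		iface = &unlhsh_def;
	for (e = iface->addr4_list; e; e = e->next)
		if ((saddr & e->mask) == e->addr)
			return e->secid;
	return SECSID_NULL;
}
```

The insert path rejects non-contiguous masks and exact duplicates. With 10.0.0.0/8 and 10.1.0.0/16 both configured on interface 2, a lookup of 10.1.2.3 returns the /16 label and 10.2.3.4 the /8 label; an interface that has no entry of its own falls through to the default list, while an interface that has entries but no match yields SECSID_NULL, which is the behaviour the table comment describes.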

[RFC PATCH v10 15/20] SELinux: Enable dynamic enable/disable of the network access checks

2008-01-03 Thread Paul Moore
This patch introduces a mechanism for checking when labeled IPsec or SECMARK
are in use by introducing a configuration reference counter for each
subsystem.  In the case of labeled IPsec, whenever a labeled SA or SPD entry
is created the labeled IPsec/XFRM reference count is increased and when the
entry is removed it is decreased.  In the case of SECMARK, when a SECMARK
target is created the reference count is increased and later decreased when the
target is removed.  These reference counters allow SELinux to quickly determine
if either of these subsystems is enabled.

NetLabel already has a similar mechanism which provides the netlbl_enabled()
function.

This patch also renames the selinux_relabel_packet_permission() function to
selinux_secmark_relabel_packet_permission() as the original name and
description were misleading in that they referenced a single packet label which
is not the case.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/linux/selinux.h |   45 +++---
 net/netfilter/xt_SECMARK.c  |   13 ++-
 security/selinux/exports.c  |   20 +++--
 security/selinux/hooks.c|   46 +++
 security/selinux/include/xfrm.h |   12 ++
 security/selinux/xfrm.c |   18 ++-
 6 files changed, 132 insertions(+), 22 deletions(-)

diff --git a/include/linux/selinux.h b/include/linux/selinux.h
index 6080f73..8c2cc4c 100644
--- a/include/linux/selinux.h
+++ b/include/linux/selinux.h
@@ -120,16 +120,35 @@ void selinux_get_task_sid(struct task_struct *tsk, u32 
*sid);
 int selinux_string_to_sid(char *str, u32 *sid);
 
 /**
- * selinux_relabel_packet_permission - check permission to relabel a packet
- * @sid: ID value to be applied to network packet (via SECMARK, most 
likely)
+ * selinux_secmark_relabel_packet_permission - secmark permission check
+ * @sid: SECMARK ID value to be applied to network packet
  *
- * Returns 0 if the current task is allowed to label packets with the
- * supplied security ID.  Note that it is implicit that the packet is 
always
- * being relabeled from the default unlabled value, and that the access
- * control decision is made in the AVC.
+ * Returns 0 if the current task is allowed to set the SECMARK label of
+ * packets with the supplied security ID.  Note that it is implicit that
+ * the packet is always being relabeled from the default unlabeled value,
+ * and that the access control decision is made in the AVC.
  */
-int selinux_relabel_packet_permission(u32 sid);
+int selinux_secmark_relabel_packet_permission(u32 sid);
 
+/**
+ * selinux_secmark_refcount_inc - increments the secmark use counter
+ *
+ * SELinux keeps track of the current SECMARK targets in use so it knows
+ * when to apply SECMARK label access checks to network packets.  This
+ * function incements this reference count to indicate that a new SECMARK
+ * target has been configured.
+ */
+void selinux_secmark_refcount_inc(void);
+
+/**
+ * selinux_secmark_refcount_dec - decrements the secmark use counter
+ *
+ * SELinux keeps track of the current SECMARK targets in use so it knows
+ * when to apply SECMARK label access checks to network packets.  This
+ * function decements this reference count to indicate that one of the
+ * existing SECMARK targets has been removed/flushed.
+ */
+void selinux_secmark_refcount_dec(void);
 #else
 
 static inline int selinux_audit_rule_init(u32 field, u32 op,
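Review bot: typos in the new kernel-doc in include/linux/selinux.h: "incements" in the selinux_secmark_refcount_inc() comment should be "increments", and "decements" in the selinux_secmark_refcount_dec() comment should be "decrements".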
@@ -184,11 +203,21 @@ static inline int selinux_string_to_sid(const char *str, 
u32 *sid)
return 0;
 }
 
-static inline int selinux_relabel_packet_permission(u32 sid)
+static inline int selinux_secmark_relabel_packet_permission(u32 sid)
 {
return 0;
 }
 
+static inline void selinux_secmark_refcount_inc(void)
+{
+   return;
+}
+
+static inline void selinux_secmark_refcount_dec(void)
+{
+   return;
+}
+
 #endif /* CONFIG_SECURITY_SELINUX */
 
 #endif /* _LINUX_SELINUX_H */
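Review bot: the bare `return;` in the two new empty static inline stubs is redundant; an empty body is the usual form for the !CONFIG_SECURITY_SELINUX stubs in this header.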
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 235806e..db4a1fe 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -72,12 +72,13 @@ static bool checkentry_selinux(struct 
xt_secmark_target_info *info)
return false;
}
 
-   err = selinux_relabel_packet_permission(sel->selsid);
+   err = selinux_secmark_relabel_packet_permission(sel->selsid);
if (err) {
printk(KERN_INFO PFX "unable to obtain relabeling 
permission\n");
return false;
}
 
+   selinux_secmark_refcount_inc();
return true;
 }
 
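Review bot: checkentry_selinux() increments the SECMARK reference count as its last step, but if the generic checkentry() that calls it fails afterwards the target is never installed and destroy() is never run, so the count is left incremented and SELinux keeps applying SECMARK checks with no target configured; pair the decrement with every failure path after the increment, not only with destroy().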
@@ -109,11 +110,20 @@ static bool checkentry(const char *tablename, const void 
*entry,
return true;
 }
 
+void destroy(const struct xt_target *target, void *targinfo)
+{
+   switch (mode) {
+   case SECMARK_MODE_SEL:
+   selinu
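Review bot: destroy() in xt_SECMARK.c is defined without `static` and under a very generic name, which pollutes the kernel namespace; make it static and hook it up in the xt_target's .destroy. `switch (mode)` also references `mode` without a visible declaration; from the signature it should be the mode field of the target info, e.g. `const struct xt_secmark_target_info *info = targinfo; switch (info->mode)`.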

[RFC PATCH v10 13/20] SELinux: Add a new peer class and permissions to the Flask definitions

2008-01-03 Thread Paul Moore
Add additional Flask definitions to support the new "peer" object class and
additional permissions to the netif and node object classes.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/include/av_perm_to_string.h |5 +
 security/selinux/include/av_permissions.h|5 +
 security/selinux/include/class_to_string.h   |7 +++
 security/selinux/include/flask.h |1 +
 4 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/security/selinux/include/av_perm_to_string.h 
b/security/selinux/include/av_perm_to_string.h
index 049bf69..caa0634 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -37,6 +37,8 @@
S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
+   S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
+   S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
@@ -45,6 +47,8 @@
S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
+   S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
+   S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, 
"acceptfrom")
@@ -159,3 +163,4 @@
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
+   S_(SECCLASS_PEER, PEER__RECV, "recv")
diff --git a/security/selinux/include/av_permissions.h 
b/security/selinux/include/av_permissions.h
index eda89a2..c2b5bb2 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -292,6 +292,8 @@
 #define NODE__ENFORCE_DEST0x0040UL
 #define NODE__DCCP_RECV   0x0080UL
 #define NODE__DCCP_SEND   0x0100UL
+#define NODE__RECVFROM0x0200UL
+#define NODE__SENDTO  0x0400UL
 #define NETIF__TCP_RECV   0x0001UL
 #define NETIF__TCP_SEND   0x0002UL
 #define NETIF__UDP_RECV   0x0004UL
@@ -300,6 +302,8 @@
 #define NETIF__RAWIP_SEND 0x0020UL
 #define NETIF__DCCP_RECV  0x0040UL
 #define NETIF__DCCP_SEND  0x0080UL
+#define NETIF__INGRESS0x0100UL
+#define NETIF__EGRESS 0x0200UL
 #define NETLINK_SOCKET__IOCTL 0x0001UL
 #define NETLINK_SOCKET__READ  0x0002UL
 #define NETLINK_SOCKET__WRITE 0x0004UL
@@ -824,3 +828,4 @@
 #define DCCP_SOCKET__NODE_BIND0x0040UL
 #define DCCP_SOCKET__NAME_CONNECT 0x0080UL
 #define MEMPROTECT__MMAP_ZERO 0x0001UL
+#define PEER__RECV0x0001UL
diff --git a/security/selinux/include/class_to_string.h 
b/security/selinux/include/class_to_string.h
index e77de0e..b1b0d1d 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -64,3 +64,10 @@
 S_(NULL)
 S_("dccp_socket")
 S_("memprotect")
+S_(NULL)
+S_(NULL)
+S_(NULL)
+S_(NULL)
+S_(NULL)
+S_(NULL)
+S_("peer")
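Review bot: class_to_string.h gains six S_(NULL) placeholders before S_("peer"), which is consistent with SECCLASS_PEER being 68 while SECCLASS_MEMPROTECT is 61 in flask.h, but these headers are generated from the policy's class definitions; regenerating them rather than hand-editing avoids the string table and the #define drifting apart in a later update.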
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index a9c2b20..09e9dd2 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -50,6 +50,7 @@
 #define SECCLASS_KEY 58
 #define SECCLASS_DCCP_SOCKET 60
 #define SECCLASS_MEMPROTECT  61
+#define SECCLASS_PEER68
 
 /*
  * Security identifier indices for initial entities



[RFC PATCH v10 14/20] SELinux: Better integration between peer labeling subsystems

2008-01-03 Thread Paul Moore
Rework the handling of network peer labels so that the different peer labeling
subsystems work better together.  This includes moving both subsystems to a
single "peer" object class which involves not only changes to the permission
checks but an improved method of consolidating multiple packet peer labels.
As part of this work the inbound packet permission check code has been heavily
modified to handle both the old and new behavior in as sane a fashion as
possible.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/hooks.c|  204 +++
 security/selinux/include/netlabel.h |3 +
 security/selinux/include/objsec.h   |2 
 security/selinux/include/security.h |4 +
 security/selinux/netlabel.c |   10 +-
 security/selinux/ss/services.c  |   85 +++
 6 files changed, 208 insertions(+), 100 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4250642..c156f6c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -50,6 +50,7 @@
 #include 
 #include /* for local_port_range[] */
 #include/* struct or_callable used in sock_rcv_skb */
+#include 
 #include 
 #include 
 #include 
@@ -3189,36 +3190,39 @@ static int selinux_parse_skb(struct sk_buff *skb, 
struct avc_audit_data *ad,
 }
 
 /**
- * selinux_skb_extlbl_sid - Determine the external label of a packet
+ * selinux_skb_peerlbl_sid - Determine the peer label of a packet
  * @skb: the packet
  * @family: protocol family
- * @sid: the packet's SID
+ * @sid: the packet's peer label SID
  *
  * Description:
- * Check the various different forms of external packet labeling and determine
- * the external SID for the packet.  If only one form of external labeling is
- * present then it is used, if both labeled IPsec and NetLabel labels are
- * present then the SELinux type information is taken from the labeled IPsec
- * SA and the MLS sensitivity label information is taken from the NetLabel
- * security attributes.  This bit of "magic" is done in the call to
- * selinux_netlbl_skbuff_getsid().
+ * Check the various different forms of network peer labeling and determine
+ * the peer label/SID for the packet; most of the magic actually occurs in
+ * the security server function security_net_peersid_cmp().  The function
+ * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
+ * or -EACCES if @sid is invalid due to inconsistencies with the different
+ * peer labels.
  *
  */
-static void selinux_skb_extlbl_sid(struct sk_buff *skb,
-  u16 family,
-  u32 *sid)
+static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
u32 xfrm_sid;
u32 nlbl_sid;
+   u32 nlbl_type;
 
selinux_skb_xfrm_sid(skb, &xfrm_sid);
-   if (selinux_netlbl_skbuff_getsid(skb,
-family,
-(xfrm_sid == SECSID_NULL ?
- SECINITSID_NETMSG : xfrm_sid),
-&nlbl_sid) != 0)
-   nlbl_sid = SECSID_NULL;
-   *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+   selinux_netlbl_skbuff_getsid(skb,
+family,
+SECINITSID_NETMSG,
+&nlbl_type,
+&nlbl_sid);
+
+   if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
+xfrm_sid,
+sid) != 0)
+   return -EACCES;
+
+   return 0;
 }
 
 /* socket security operations */
@@ -3284,6 +3288,7 @@ static int selinux_socket_post_create(struct socket 
*sock, int family,
if (sock->sk) {
sksec = sock->sk->sk_security;
sksec->sid = isec->sid;
+   sksec->sclass = isec->sclass;
err = selinux_netlbl_socket_post_create(sock);
}
 
@@ -3587,104 +3592,114 @@ static int selinux_socket_unix_may_send(struct socket 
*sock,
return 0;
 }
 
-static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
-  struct avc_audit_data *ad,
-  u16 family, char *addrp)
+static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
+   struct sk_buff *skb,
+   struct avc_audit_data *ad,
+   u16 family,
+   char *addrp)
 {
-   int err = 0;
-   u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
-   struct socket *sock;
-   u16 sock_class = 0;
-   u32 sock_

[RFC PATCH v10 11/20] SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions

2008-01-03 Thread Paul Moore
This patch adds a SELinux IP address/node SID caching mechanism similar to the
sel_netif_*() functions.  The node SID queries in the SELinux hooks files are
also modified to take advantage of this new functionality.  In addition, remove
the address length information from the sk_buff parsing routines as it is
redundant since we already have the address family.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/Makefile  |9 +
 security/selinux/hooks.c   |   33 ++-
 security/selinux/include/netnode.h |   32 +++
 security/selinux/include/objsec.h  |9 +
 security/selinux/netnode.c |  350 
 5 files changed, 416 insertions(+), 17 deletions(-)

diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index dc3502e..00afd85 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -4,7 +4,14 @@
 
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
 
-selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o exports.o
+selinux-y := avc.o \
+hooks.o \
+selinuxfs.o \
+netlink.o \
+nlmsgtab.o \
+netif.o \
+netnode.o \
+exports.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b451b4c..4250642 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -76,6 +76,7 @@
 #include "avc.h"
 #include "objsec.h"
 #include "netif.h"
+#include "netnode.h"
 #include "xfrm.h"
 #include "netlabel.h"
 
@@ -3158,7 +3159,7 @@ out:
 #endif /* IPV6 */
 
 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
-char **addrp, int *len, int src, u8 *proto)
+char **addrp, int src, u8 *proto)
 {
int ret = 0;
 
@@ -3167,7 +3168,6 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
ret = selinux_parse_skb_ipv4(skb, ad, proto);
if (ret || !addrp)
break;
-   *len = 4;
*addrp = (char *)(src ? &ad->u.net.v4info.saddr :
&ad->u.net.v4info.daddr);
break;
@@ -3177,7 +3177,6 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
ret = selinux_parse_skb_ipv6(skb, ad, proto);
if (ret || !addrp)
break;
-   *len = 16;
*addrp = (char *)(src ? &ad->u.net.v6info.saddr :
&ad->u.net.v6info.daddr);
break;
@@ -3377,7 +3376,7 @@ static int selinux_socket_bind(struct socket *sock, 
struct sockaddr *address, in
break;
}

-   err = security_node_sid(family, addrp, addrlen, &sid);
+   err = sel_netnode_sid(addrp, family, &sid);
if (err)
goto out;

@@ -3589,7 +3588,8 @@ static int selinux_socket_unix_may_send(struct socket 
*sock,
 }
 
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
-   struct avc_audit_data *ad, u16 family, char *addrp, int len)
+  struct avc_audit_data *ad,
+  u16 family, char *addrp)
 {
int err = 0;
u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
@@ -3649,7 +3649,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, 
struct sk_buff *skb,
if (err)
goto out;

-   err = security_node_sid(family, addrp, len, &node_sid);
+   err = sel_netnode_sid(addrp, family, &node_sid);
if (err)
goto out;

@@ -3678,7 +3678,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, 
struct sk_buff *skb)
 {
u16 family;
char *addrp;
-   int len, err = 0;
+   int err = 0;
struct avc_audit_data ad;
struct sk_security_struct *sksec = sk->sk_security;
 
@@ -3694,13 +3694,12 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, 
struct sk_buff *skb)
ad.u.net.netif = skb->iif;
ad.u.net.family = family;
 
-   err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
+   err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
if (err)
goto out;
 
if (selinux_compat_net)
-   err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
- addrp, len);
+   err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family, addrp);
else
err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
  

[RFC PATCH v10 12/20] SELinux: Add a capabilities bitmap to SELinux policy version 22

2008-01-03 Thread Paul Moore
Add a new policy capabilities bitmap to SELinux policy version 22.  This bitmap
will enable the security server to query the policy to determine which features
it supports.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/Kconfig|2 -
 security/selinux/include/security.h |   15 ++
 security/selinux/selinuxfs.c|   89 +--
 security/selinux/ss/policydb.c  |   18 +++
 security/selinux/ss/policydb.h  |2 +
 security/selinux/ss/services.c  |   67 ++
 6 files changed, 185 insertions(+), 8 deletions(-)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index b32a459..2b517d6 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -145,7 +145,7 @@ config SECURITY_SELINUX_POLICYDB_VERSION_MAX
 config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
int "NSA SELinux maximum supported policy format version value"
depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX
-   range 15 21
+   range 15 22
default 19
help
  This option sets the value for the maximum policy format version
diff --git a/security/selinux/include/security.h 
b/security/selinux/include/security.h
index a33437b..a22de97 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -25,13 +25,14 @@
 #define POLICYDB_VERSION_MLS   19
 #define POLICYDB_VERSION_AVTAB 20
 #define POLICYDB_VERSION_RANGETRANS21
+#define POLICYDB_VERSION_POLCAP22
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX   
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_RANGETRANS
+#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_POLCAP
 #endif
 
 struct netlbl_lsm_secattr;
@@ -39,8 +40,19 @@ struct netlbl_lsm_secattr;
 extern int selinux_enabled;
 extern int selinux_mls_enabled;
 
+/* Policy capabilities */
+enum {
+   POLICYDB_CAPABILITY_NETPEER,
+   __POLICYDB_CAPABILITY_MAX
+};
+#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+
+extern int selinux_policycap_netpeer;
+
 int security_load_policy(void * data, size_t len);
 
+int security_policycap_supported(unsigned int req_cap);
+
 #define SEL_VEC_MAX 32
 struct av_decision {
u32 allowed;
@@ -91,6 +103,7 @@ int security_get_classes(char ***classes, int *nclasses);
 int security_get_permissions(char *class, char ***perms, int *nperms);
 int security_get_reject_unknown(void);
 int security_get_allow_unknown(void);
+int security_get_policycaps(int *len, int **values);
 
 #define SECURITY_FS_USE_XATTR  1 /* use xattr */
 #define SECURITY_FS_USE_TRANS  2 /* use transition SIDs, e.g. 
devpts/tmpfs */
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 2fa483f..b87e9eb 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -2,6 +2,11 @@
  *
  * Added conditional policy language extensions
  *
+ *  Updated: Hewlett-Packard <[EMAIL PROTECTED]>
+ *
+ *  Added support for the policy capability bitmap
+ *
+ * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
  * Copyright (C) 2004 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
  * This program is free software; you can redistribute it and/or modify
@@ -35,6 +40,11 @@
 #include "objsec.h"
 #include "conditional.h"
 
+/* Policy capability filenames */
+static char *policycap_names[] = {
+   "network_peer_controls"
+};
+
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
 
 #ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
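Review bot: policycap_names[] must stay index-aligned with the POLICYDB_CAPABILITY_* enum in security.h, so a comment next to both saying so would save the next person adding a capability; the array should also be `static const char *const policycap_names[]` since the strings are never modified.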
@@ -72,6 +82,9 @@ static int *bool_pending_values = NULL;
 static struct dentry *class_dir = NULL;
 static unsigned long last_class_ino;
 
+/* global data for policy capabilities */
+static struct dentry *policycap_dir = NULL;
+
 extern void selnl_notify_setenforce(int val);
 
 /* Check whether a task is allowed to use a security operation. */
@@ -111,10 +124,11 @@ enum sel_inos {
 
 static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
 
-#define SEL_INITCON_INO_OFFSET 0x0100
-#define SEL_BOOL_INO_OFFSET0x0200
-#define SEL_CLASS_INO_OFFSET   0x0400
-#define SEL_INO_MASK   0x00ff
+#define SEL_INITCON_INO_OFFSET 0x0100
+#define SEL_BOOL_INO_OFFSET0x0200
+#define SEL_CLASS_INO_OFFSET   0x0400
+#define SEL_POLICYCAP_INO_OFFSET   0x0800
+#define SEL_INO_MASK   0x00ff
 
 #define TMPBUFLEN  12
 static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
@@ -263,6 +277,7 @@ static const struct file_operations sel_policyvers_ops = {
 /* declaration for sel_w

[RFC PATCH v10 09/20] SELinux: Convert the netif code to use ifindex values

2008-01-03 Thread Paul Moore
The current SELinux netif code requires the caller have a valid net_device
struct pointer to lookup network interface information.  However, we don't
always have a valid net_device pointer so convert the netif code to use
the ifindex values we always have as part of the sk_buff.  This patch also
removes the default message SID from the network interface record; it is
not being used and is therefore "dead code".

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/hooks.c|4 -
 security/selinux/include/netif.h|4 -
 security/selinux/include/objsec.h   |5 -
 security/selinux/include/security.h |3 
 security/selinux/netif.c|  254 ---
 security/selinux/ss/services.c  |   10 -
 6 files changed, 155 insertions(+), 125 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7b99d52..8336c93 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3616,7 +3616,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, 
struct sk_buff *skb,
if (!skb->dev)
goto out;
 
-   err = sel_netif_sids(skb->dev, &if_sid, NULL);
+   err = sel_netif_sid(skb->iif, &if_sid);
if (err)
goto out;
 
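Review bot: the `if (!skb->dev) goto out;` guard above the new `sel_netif_sid(skb->iif, &if_sid)` call still keys on skb->dev even though the lookup now only needs skb->iif; given the commit message's point that a valid net_device pointer is not always available while the ifindex is, this guard should test `skb->iif` (an index of 0 meaning unknown) so the interface check is not skipped for packets that carry a valid index but no dev pointer.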
@@ -3941,7 +3941,7 @@ static int selinux_ip_postroute_last_compat(struct sock 
*sk, struct net_device *
 
isec = inode->i_security;

-   err = sel_netif_sids(dev, &if_sid, NULL);
+   err = sel_netif_sid(dev->ifindex, &if_sid);
if (err)
goto out;
 
diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h
index 8bd6f99..ce23edd 100644
--- a/security/selinux/include/netif.h
+++ b/security/selinux/include/netif.h
@@ -7,6 +7,8 @@
  * Author: James Morris <[EMAIL PROTECTED]>
  *
  * Copyright (C) 2003 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
+ * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
+ *Paul Moore, <[EMAIL PROTECTED]>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2,
@@ -15,7 +17,7 @@
 #ifndef _SELINUX_NETIF_H_
 #define _SELINUX_NETIF_H_
 
-int sel_netif_sids(struct net_device *dev, u32 *if_sid, u32 *msg_sid);
+int sel_netif_sid(int ifindex, u32 *sid);
 
 #endif /* _SELINUX_NETIF_H_ */
 
diff --git a/security/selinux/include/objsec.h 
b/security/selinux/include/objsec.h
index 642a9fd..e41a2aa 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -95,9 +95,8 @@ struct bprm_security_struct {
 };
 
 struct netif_security_struct {
-   struct net_device *dev; /* back pointer */
-   u32 if_sid; /* SID for this interface */
-   u32 msg_sid;/* default SID for messages received on 
this interface */
+   int ifindex;/* device index */
+   u32 sid;/* SID for this interface */
 };
 
 struct sk_security_struct {
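Review bot: dropping `msg_sid` from struct netif_security_struct matches the dead-code claim in the commit message, but this hunk only changes the struct; the `security_netif_sid()` prototype change below and the ss/services.c entry in the diffstat need to land in this same patch so that every remaining reader of the old field is gone and the series bisects cleanly.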
diff --git a/security/selinux/include/security.h 
b/security/selinux/include/security.h
index 39337af..a33437b 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -77,8 +77,7 @@ int security_get_user_sids(u32 callsid, char *username,
 int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port,
u32 *out_sid);
 
-int security_netif_sid(char *name, u32 *if_sid,
-   u32 *msg_sid);
+int security_netif_sid(char *name, u32 *if_sid);
 
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
u32 *out_sid);
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index e87ab94..ee49a73 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -7,6 +7,8 @@
  * Author: James Morris <[EMAIL PROTECTED]>
  *
  * Copyright (C) 2003 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
+ * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
+ *Paul Moore <[EMAIL PROTECTED]>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2,
@@ -29,14 +31,6 @@
 #define SEL_NETIF_HASH_SIZE64
 #define SEL_NETIF_HASH_MAX 1024
 
-#undef DEBUG
-
-#ifdef DEBUG
-#define DEBUGP printk
-#else
-#define DEBUGP(format, args...)
-#endif
-
 struct sel_netif
 {
struct list_head list;
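Review bot: removing the DEBUG/DEBUGP scaffolding is fine, but any remaining `DEBUGP(...)` call sites in netif.c have to be removed in the same patch or the file no longer compiles; the remainder of this file's diff is cut off on this page, so that cannot be verified from what is shown and is worth a sentence in the commit message.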
@@ -49,174 +43,217 @@ static LIST_HEAD(sel_netif_list);
 static DEFINE_SPINLOCK(sel_netif_lock);
 static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
 
-static inline u32 sel_netif_hasfn(struct net_device *dev)
+/**
+ * sel_netif_hashfn - Hashing function for the interface table
+ * @ifindex: the network interface
+ *
+ * Description:
+ * This is the hashing function for the network interface table, it returns the
+ * bucket number for the give

[RFC PATCH v10 10/20] SELinux: Only store the network interface's ifindex

2008-01-03 Thread Paul Moore
Instead of storing the packet's network interface name store the ifindex.  This
allows us to defer the need to lookup the net_device structure until the audit
record is generated meaning that in the majority of cases we never need to
bother with this at all.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/avc.c |   15 ---
 security/selinux/hooks.c   |4 ++--
 security/selinux/include/avc.h |2 +-
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 81b3dff..e8529e2 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -661,9 +661,18 @@ void avc_audit(u32 ssid, u32 tsid,
"daddr", "dest");
break;
}
-   if (a->u.net.netif)
-   audit_log_format(ab, " netif=%s",
-   a->u.net.netif);
+   if (a->u.net.netif > 0) {
+   struct net_device *dev;
+
+   /* NOTE: we always use init's namespace */
+   dev = dev_get_by_index(&init_net,
+  a->u.net.netif);
+   if (dev) {
+   audit_log_format(ab, " netif=%s",
+dev->name);
+   dev_put(dev);
+   }
+   }
break;
}
}
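Review bot: the `dev_get_by_index(&init_net, a->u.net.netif)` lookup in this hunk resolves the index only in the initial network namespace (as the NOTE admits), so for a packet received in another namespace the audit record may name the wrong interface or, when the lookup fails, silently omit the `netif=` field altogether. For audit integrity, log the raw index (e.g. `netif=%d`) when no device is found, and resolve the name in the skb's own namespace where one is available.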
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8336c93..b451b4c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3691,7 +3691,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, 
struct sk_buff *skb)
family = PF_INET;
 
AVC_AUDIT_DATA_INIT(&ad, NET);
-   ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
+   ad.u.net.netif = skb->iif;
ad.u.net.family = family;
 
err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
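Review bot: `ad.u.net.netif = skb->iif;` drops the old explicit `"[unknown]"` marker: with an iif of 0 the avc.c change in this patch emits no netif field at all, so an audit consumer can no longer tell "interface unknown" apart from "no interface information logged". Consider emitting the index or an explicit unknown marker for iif == 0.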
@@ -4022,7 +4022,7 @@ static unsigned int selinux_ip_postroute_last(unsigned 
int hooknum,
sksec = sk->sk_security;
 
AVC_AUDIT_DATA_INIT(&ad, NET);
-   ad.u.net.netif = dev->name;
+   ad.u.net.netif = dev->ifindex;
ad.u.net.family = family;
 
err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 553607a..80c28fa 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -51,7 +51,7 @@ struct avc_audit_data {
struct inode *inode;
} fs;
struct {
-   char *netif;
+   int netif;
struct sock *sk;
u16 family;
__be16 dport;

-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[RFC PATCH v10 07/20] NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function

2008-01-03 Thread Paul Moore
In order to do any sort of IP header inspection of incoming packets we need to
know which address family, AF_INET/AF_INET6/etc., it belongs to and since the
sk_buff structure does not store this information we need to pass along the
address family separate from the packet itself.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/net/netlabel.h  |2 ++
 net/netlabel/netlabel_kapi.c|2 ++
 security/selinux/hooks.c|   33 ++---
 security/selinux/include/netlabel.h |8 +++-
 security/selinux/netlabel.c |   12 +---
 5 files changed, 42 insertions(+), 15 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 18b73cf..a3bffb4 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -363,6 +363,7 @@ int netlbl_sock_setattr(struct sock *sk,
 int netlbl_sock_getattr(struct sock *sk,
struct netlbl_lsm_secattr *secattr);
 int netlbl_skbuff_getattr(const struct sk_buff *skb,
+ u16 family,
  struct netlbl_lsm_secattr *secattr);
 void netlbl_skbuff_err(struct sk_buff *skb, int error);
 
@@ -415,6 +416,7 @@ static inline int netlbl_sock_getattr(struct sock *sk,
return -ENOSYS;
 }
 static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
+   u16 family,
struct netlbl_lsm_secattr *secattr)
 {
return -ENOSYS;
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index d3762ea..4914615 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -332,6 +332,7 @@ int netlbl_sock_getattr(struct sock *sk, struct 
netlbl_lsm_secattr *secattr)
 /**
  * netlbl_skbuff_getattr - Determine the security attributes of a packet
  * @skb: the packet
+ * @family: protocol family
  * @secattr: the security attributes
  *
  * Description:
@@ -342,6 +343,7 @@ int netlbl_sock_getattr(struct sock *sk, struct 
netlbl_lsm_secattr *secattr)
  *
  */
 int netlbl_skbuff_getattr(const struct sk_buff *skb,
+ u16 family,
  struct netlbl_lsm_secattr *secattr)
 {
if (CIPSO_V4_OPTEXIST(skb) &&
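Review bot: the new `family` argument to netlbl_skbuff_getattr() is unused in the visible body: the `CIPSO_V4_OPTEXIST(skb)` check still runs regardless of address family. Gate it on `family == AF_INET` (and say in the kernel-doc above what happens for other families) so that an IPv6 packet is never inspected as if it carried an IPv4 CIPSO option.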
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8bb673b..7b99d52 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3192,6 +3192,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct 
avc_audit_data *ad,
 /**
  * selinux_skb_extlbl_sid - Determine the external label of a packet
  * @skb: the packet
+ * @family: protocol family
  * @sid: the packet's SID
  *
  * Description:
@@ -3204,13 +3205,16 @@ static int selinux_parse_skb(struct sk_buff *skb, 
struct avc_audit_data *ad,
  * selinux_netlbl_skbuff_getsid().
  *
  */
-static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+  u16 family,
+  u32 *sid)
 {
u32 xfrm_sid;
u32 nlbl_sid;
 
selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (selinux_netlbl_skbuff_getsid(skb,
+family,
 (xfrm_sid == SECSID_NULL ?
  SECINITSID_NETMSG : xfrm_sid),
 &nlbl_sid) != 0)
@@ -3703,7 +3707,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, 
struct sk_buff *skb)
if (err)
goto out;
 
-   err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
+   err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
if (err)
goto out;
 
@@ -3759,18 +3763,25 @@ out:
 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff 
*skb, u32 *secid)
 {
u32 peer_secid = SECSID_NULL;
-   int err = 0;
+   u16 family;
 
-   if (sock && sock->sk->sk_family == PF_UNIX)
+   if (sock)
+   family = sock->sk->sk_family;
+   else if (skb && skb->sk)
+   family = skb->sk->sk_family;
+   else
+   goto out;
+
+   if (sock && family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb)
-   selinux_skb_extlbl_sid(skb, &peer_secid);
+   selinux_skb_extlbl_sid(skb, family, &peer_secid);
 
-   if (peer_secid == SECSID_NULL)
-   err = -EINVAL;
+out:
*secid = peer_secid;
-
-   return err;
+   if (peer_secid == SECSID_NULL)
+   return -EINVAL;
+   return 0;
 }
 
 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t 
priority)
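Review bot: the new `goto out` taken when neither sock nor skb->sk is set changes behaviour: previously a bare skb with no owning socket still went through selinux_skb_extlbl_sid(), whereas now the function returns -EINVAL without looking at the packet's labels. If that is intended, state it in the commit message; otherwise derive the family from the packet itself (skb->protocol) rather than giving up. Also, `if (sock) family = sock->sk->sk_family;` dereferences sock->sk without a NULL check; that is pre-existing, but this restructuring is the moment to add one.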
@@ -3825,7 +3836,7 @@ static int selinux_inet_conn_request(struct sock *sk, 
struct sk_buff *

[RFC PATCH v10 08/20] NET: Clone the sk_buff 'iif' field in __skb_clone()

2008-01-03 Thread Paul Moore
Both NetLabel and SELinux (other LSMs may grow to use it as well) rely on the
'iif' field to determine the receiving network interface of inbound packets.
Unfortunately, at present this field is not preserved across a skb clone
operation which can lead to garbage values if the cloned skb is sent back
through the network stack.  This patch corrects this problem by properly
copying the 'iif' field in __skb_clone() and removing the 'iif' field
assignment from skb_act_clone() since it is no longer needed.

Also, while we are here, get rid of that silly C() macro.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/net/sch_generic.h |1 -
 net/core/skbuff.c |   20 +---
 2 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
index c926551..4c3b351 100644
--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -325,7 +325,6 @@ static inline struct sk_buff *skb_act_clone(struct sk_buff 
*skb, gfp_t gfp_mask)
n->tc_verd = SET_TC_VERD(n->tc_verd, 0);
n->tc_verd = CLR_TC_OK2MUNGE(n->tc_verd);
n->tc_verd = CLR_TC_MUNGED(n->tc_verd);
-   n->iif = skb->iif;
}
return n;
 }
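Review bot: dropping `n->iif = skb->iif;` here is only correct if skb_act_clone() obtains n through skb_clone() and therefore __skb_clone(), which the hunk context does not show; please state that dependency in the commit message so the two halves of this patch are not separated later.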
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 5b4ce9b..c726cd4 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -407,31 +407,29 @@ static void __copy_skb_header(struct sk_buff *new, const 
struct sk_buff *old)
 
 static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb)
 {
-#define C(x) n->x = skb->x
-
n->next = n->prev = NULL;
n->sk = NULL;
__copy_skb_header(n, skb);
 
-   C(len);
-   C(data_len);
-   C(mac_len);
+   n->iif = skb->iif;
+   n->len = skb->len;
+   n->data_len = skb->data_len;
+   n->mac_len = skb->mac_len;
n->cloned = 1;
n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
n->nohdr = 0;
n->destructor = NULL;
-   C(truesize);
+   n->truesize = skb->truesize;
atomic_set(&n->users, 1);
-   C(head);
-   C(data);
-   C(tail);
-   C(end);
+   n->head = skb->head;
+   n->data = skb->data;
+   n->tail = skb->tail;
+   n->end = skb->end;
 
atomic_inc(&(skb_shinfo(skb)->dataref));
skb->cloned = 1;
 
return n;
-#undef C
 }
 
 /**
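Review bot: `n->iif = skb->iif;` is added to __skb_clone() but not to __copy_skb_header(), which the hunk header shows sits directly above; if the copy paths (skb_copy()/pskb_copy()) reach __copy_skb_header() rather than __skb_clone(), a copied skb still ends up with a stale iif and the garbage-value problem described in the commit message survives for copies. Copying iif in __copy_skb_header() alongside the other header fields covers both cases.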



[RFC PATCH v10 05/20] LSM: Add secctx_to_secid() LSM hook

2008-01-03 Thread Paul Moore
Add a secctx_to_secid() LSM hook to go along with the existing
secid_to_secctx() LSM hook.  This patch also includes the SELinux
implementation for this hook.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
Acked-by: Stephen Smalley <[EMAIL PROTECTED]>
---

 include/linux/security.h |   13 +
 security/dummy.c |6 ++
 security/security.c  |6 ++
 security/selinux/hooks.c |6 ++
 4 files changed, 31 insertions(+), 0 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index ac05083..db19c92 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1183,6 +1183,10 @@ struct request_sock;
  * Convert secid to security context.
  * @secid contains the security ID.
  * @secdata contains the pointer that stores the converted security 
context.
+ * @secctx_to_secid:
+ *  Convert security context to secid.
+ *  @secid contains the pointer to the generated security ID.
+ *  @secdata contains the security context.
  *
  * @release_secctx:
  * Release the security context.
@@ -1371,6 +1375,7 @@ struct security_operations {
int (*getprocattr)(struct task_struct *p, char *name, char **value);
int (*setprocattr)(struct task_struct *p, char *name, void *value, 
size_t size);
int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
+   int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
void (*release_secctx)(char *secdata, u32 seclen);
 
 #ifdef CONFIG_SECURITY_NETWORK
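Review bot: `int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);` takes the context as a non-const `char *` although it is input only; declaring it `const char *` (and the same for the security_secctx_to_secid() wrapper below) documents that the hook must neither modify nor retain the caller's buffer.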
@@ -1603,6 +1608,7 @@ int security_setprocattr(struct task_struct *p, char 
*name, void *value, size_t
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
 int security_netlink_recv(struct sk_buff *skb, int cap);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
 
 #else /* CONFIG_SECURITY */
@@ -2280,6 +2286,13 @@ static inline int security_secid_to_secctx(u32 secid, 
char **secdata, u32 *secle
return -EOPNOTSUPP;
 }
 
+static inline int security_secctx_to_secid(char *secdata,
+  u32 seclen,
+  u32 *secid)
+{
+   return -EOPNOTSUPP;
+}
+
 static inline void security_release_secctx(char *secdata, u32 seclen)
 {
 }
diff --git a/security/dummy.c b/security/dummy.c
index 3ccfbbe..0b62f95 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -928,6 +928,11 @@ static int dummy_secid_to_secctx(u32 secid, char 
**secdata, u32 *seclen)
return -EOPNOTSUPP;
 }
 
+static int dummy_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
+{
+   return -EOPNOTSUPP;
+}
+
 static void dummy_release_secctx(char *secdata, u32 seclen)
 {
 }
@@ -1086,6 +1091,7 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null(ops, getprocattr);
set_to_dummy_if_null(ops, setprocattr);
set_to_dummy_if_null(ops, secid_to_secctx);
+   set_to_dummy_if_null(ops, secctx_to_secid);
set_to_dummy_if_null(ops, release_secctx);
 #ifdef CONFIG_SECURITY_NETWORK
set_to_dummy_if_null(ops, unix_stream_connect);
diff --git a/security/security.c b/security/security.c
index 0e1f1f1..3bdcada 100644
--- a/security/security.c
+++ b/security/security.c
@@ -816,6 +816,12 @@ int security_secid_to_secctx(u32 secid, char **secdata, 
u32 *seclen)
 }
 EXPORT_SYMBOL(security_secid_to_secctx);
 
+int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
+{
+   return security_ops->secctx_to_secid(secdata, seclen, secid);
+}
+EXPORT_SYMBOL(security_secctx_to_secid);
+
 void security_release_secctx(char *secdata, u32 seclen)
 {
return security_ops->release_secctx(secdata, seclen);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9f3124b..8bb673b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4710,6 +4710,11 @@ static int selinux_secid_to_secctx(u32 secid, char 
**secdata, u32 *seclen)
return security_sid_to_context(secid, secdata, seclen);
 }
 
+static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
+{
+   return security_context_to_sid(secdata, seclen, secid);
+}
+
 static void selinux_release_secctx(char *secdata, u32 seclen)
 {
kfree(secdata);
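Review bot: `security_context_to_sid(secdata, seclen, secid)` can allocate a new SID for any context string that is valid under the loaded policy, so every caller of this hook that passes contexts from untrusted input grows the SID table on their behalf; please document that the hook is intended for contexts from trusted or bounded sources, or note where the bound is if one exists.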
@@ -4898,6 +4903,7 @@ static struct security_operations selinux_ops = {
.setprocattr =  selinux_setprocattr,
 
.secid_to_secctx =  selinux_secid_to_secctx,
+   .secctx_to_secid =  selinux_secctx_to_secid,
.release_secctx =   selinux_release_secctx,
 
 .unix_stream_connect = selinux_socket_unix_stream_connect,


[RFC PATCH v10 06/20] LSM: Add inet_sys_snd_skb() LSM hook

2008-01-03 Thread Paul Moore
Add an inet_sys_snd_skb() LSM hook to allow the LSM to provide packet level
access control for all outbound packets.  Using the existing postroute_last
netfilter hook turns out to be problematic as it can be invoked multiple
times for a single packet, e.g. individual IPsec transforms, adding unwanted
overhead and complicating the security policy.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/linux/security.h |   11 +++
 net/ipv4/ip_output.c |7 +++
 net/ipv6/ip6_output.c|5 +
 security/dummy.c |8 +++-
 security/security.c  |6 ++
 5 files changed, 36 insertions(+), 1 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index db19c92..1b8d332 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -876,6 +876,10 @@ struct request_sock;
  * Sets the connection's peersid to the secmark on skb.
  * @req_classify_flow:
  * Sets the flow's sid to the openreq sid.
+ * @inet_sys_snd_skb:
+ * Check permissions on outgoing network packets.
+ * @skb is the packet to check
+ * @family is the packet's address family
  *
  * Security hooks for XFRM operations.
  *
@@ -1416,6 +1420,7 @@ struct security_operations {
void (*inet_csk_clone)(struct sock *newsk, const struct request_sock 
*req);
void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb);
void (*req_classify_flow)(const struct request_sock *req, struct flowi 
*fl);
+   int (*inet_sys_snd_skb)(struct sk_buff *skb, int family);
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
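Review bot: `int (*inet_sys_snd_skb)(struct sk_buff *skb, int family);` declares family as int, whereas the other hooks in this series (netlbl_skbuff_getattr(), selinux_skb_extlbl_sid()) use u16; pick one type across the series so the call sites do not rely on implicit conversions.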
@@ -2328,6 +2333,7 @@ void security_sk_free(struct sock *sk);
 void security_sk_clone(const struct sock *sk, struct sock *newsk);
 void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
 void security_req_classify_flow(const struct request_sock *req, struct flowi 
*fl);
+int security_inet_sys_snd_skb(struct sk_buff *skb, int family);
 void security_sock_graft(struct sock*sk, struct socket *parent);
 int security_inet_conn_request(struct sock *sk,
struct sk_buff *skb, struct request_sock *req);
@@ -2471,6 +2477,11 @@ static inline void security_req_classify_flow(const 
struct request_sock *req, st
 {
 }
 
+static inline int security_inet_sys_snd_skb(struct sk_buff *skb, int family)
+{
+   return 0;
+}
+
 static inline void security_sock_graft(struct sock* sk, struct socket *parent)
 {
 }
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index fd99fbd..82a7297 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -204,6 +204,8 @@ static inline int ip_skb_dst_mtu(struct sk_buff *skb)
 
 static int ip_finish_output(struct sk_buff *skb)
 {
+   int err;
+
 #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
/* Policy lookup after SNAT yielded a new policy */
if (skb->dst->xfrm != NULL) {
@@ -211,6 +213,11 @@ static int ip_finish_output(struct sk_buff *skb)
return dst_output(skb);
}
 #endif
+
+   err = security_inet_sys_snd_skb(skb, AF_INET);
+   if (err)
+   return err;
+
if (skb->len > ip_skb_dst_mtu(skb) && !skb_is_gso(skb))
return ip_fragment(skb, ip_finish_output2);
else
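Review bot: the new `return err;` after a failed security_inet_sys_snd_skb() leaves the skb unfreed: ip_finish_output() owns the packet as the NF_HOOK okfn, and every other exit of the function (ip_fragment(), ip_finish_output2()) consumes it, so a denied packet leaks. Add kfree_skb(skb) before returning, and check whether the caller expects an errno or a NET_XMIT_* code from this path.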
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 6338a9c..44ddf32 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -72,8 +72,13 @@ static __inline__ void ipv6_select_ident(struct sk_buff 
*skb, struct frag_hdr *f
 
 static int ip6_output_finish(struct sk_buff *skb)
 {
+   int err;
struct dst_entry *dst = skb->dst;
 
+   err = security_inet_sys_snd_skb(skb, AF_INET6);
+   if (err)
+   return err;
+
if (dst->hh)
return neigh_hh_output(dst->hh, skb);
else if (dst->neighbour)
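Review bot: the `return err;` path added to ip6_output_finish() does not free the skb, while the neigh_hh_output() and dst->neighbour paths below consume it, so every packet denied by security_inet_sys_snd_skb() leaks; call kfree_skb(skb) on the denial path before returning.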
diff --git a/security/dummy.c b/security/dummy.c
index 0b62f95..384979a 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -848,6 +848,11 @@ static inline void dummy_req_classify_flow(const struct 
request_sock *req,
struct flowi *fl)
 {
 }
+
+static inline int dummy_inet_sys_snd_skb(struct sk_buff *skb, int family)
+{
+   return 0;
+}
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1122,7 +1127,8 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null(ops, inet_csk_clone);
set_to_dummy_if_null(ops, inet_conn_established);
set_to_dummy_if_null(ops, req_classify_flow);
- #endif/* CONFIG_SECURITY_NETWORK */
+   set_to_dummy_if_null(ops, inet_sys_snd_skb);
+#endif /* CONFIG_SECURITY_NETWORK */
 #ifdef  CONFIG_SECURITY_NETWORK_XFRM
set_to_dummy_if_null(ops, xfrm_policy_alloc_security);
set_to_dummy_if_null(ops, xfrm_policy_clone_security);
diff --git a/security/security.c b/security/security.c
index 3bdcada..7f554

[RFC PATCH v10 04/20] NetLabel: Add secid token support to the NetLabel secattr struct

2008-01-03 Thread Paul Moore
This patch adds support to the NetLabel LSM secattr struct for a secid token
and a type field, paving the way for full LSM/SELinux context support and
"static" or "fallback" labels.  In addition, this patch adds a fair amount
of documentation to the core NetLabel structures used as part of the
NetLabel kernel API.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 include/net/netlabel.h|   91 ++---
 net/ipv4/cipso_ipv4.c |   59 +++-
 net/netlabel/netlabel_unlabeled.c |1 
 security/selinux/ss/mls.c |   10 ++--
 security/selinux/ss/services.c|5 ++
 5 files changed, 120 insertions(+), 46 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 2e5b2f6..18b73cf 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -105,17 +105,49 @@ struct netlbl_dom_map;
 /* Domain mapping operations */
 int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
 
-/* LSM security attributes */
+/*
+ * LSM security attributes
+ */
+
+/**
+ * struct netlbl_lsm_cache - NetLabel LSM security attribute cache
+ * @refcount: atomic reference counter
+ * @free: LSM supplied function to free the cache data
+ * @data: LSM supplied cache data
+ *
+ * Description:
+ * This structure is provided for LSMs which wish to make use of the NetLabel
+ * caching mechanism to store LSM specific data/attributes in the NetLabel
+ * cache.  If the LSM has to perform a lot of translation from the NetLabel
+ * security attributes into it's own internal representation then the cache
+ * mechanism can provide a way to eliminate some or all of that translation
+ * overhead on a cache hit.
+ *
+ */
 struct netlbl_lsm_cache {
atomic_t refcount;
void (*free) (const void *data);
void *data;
 };
-/* The catmap bitmap field MUST be a power of two in length and large
+
+/**
+ * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
+ * @startbit: the value of the lowest order bit in the bitmap
+ * @bitmap: the category bitmap
+ * @next: pointer to the next bitmap "node" or NULL
+ *
+ * Description:
+ * This structure is used to represent category bitmaps.  Due to the large
+ * number of categories supported by most labeling protocols it is not
+ * practical to transfer a full bitmap internally so NetLabel adopts a sparse
+ * bitmap structure modeled after SELinux's ebitmap structure.
+ * The catmap bitmap field MUST be a power of two in length and large
  * enough to hold at least 240 bits.  Special care (i.e. check the code!)
  * should be used when changing these values as the LSM implementation
  * probably has functions which rely on the sizes of these types to speed
- * processing. */
+ * processing.
+ *
+ */
 #define NETLBL_CATMAP_MAPTYPE   u64
 #define NETLBL_CATMAP_MAPCNT4
 #define NETLBL_CATMAP_MAPSIZE   (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
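Review bot: the new kernel-doc block for struct netlbl_lsm_secattr_catmap is separated from the struct by the NETLBL_CATMAP_* #defines, so kernel-doc will not associate the comment with the definition (it has to sit immediately before it); move the defines above the comment. Also, in the struct netlbl_lsm_cache text, `it's own internal representation` should read `its own`.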
@@ -127,22 +159,48 @@ struct netlbl_lsm_secattr_catmap {
NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
struct netlbl_lsm_secattr_catmap *next;
 };
+
+/**
+ * struct netlbl_lsm_secattr - NetLabel LSM security attributes
+ * @flags: indicate which attributes are contained in this structure
+ * @type: indicate the NLTYPE of the attributes
+ * @domain: the NetLabel LSM domain
+ * @cache: NetLabel LSM specific cache
+ * @attr.mls: MLS sensitivity label
+ * @attr.mls.cat: MLS category bitmap
+ * @attr.mls.lvl: MLS sensitivity level
+ * @attr.secid: LSM specific secid token
+ *
+ * Description:
+ * This structure is used to pass security attributes between NetLabel and the
+ * LSM modules.  The flags field is used to specify which fields within the
+ * struct are valid and valid values can be created by bitwise OR'ing the
+ * NETLBL_SECATTR_* defines.  The domain field is typically set by the LSM to
+ * specify domain specific configuration settings and is not usually used by
+ * NetLabel itself when returning security attributes to the LSM.
+ *
+ */
 #define NETLBL_SECATTR_NONE 0x
 #define NETLBL_SECATTR_DOMAIN   0x0001
 #define NETLBL_SECATTR_CACHE0x0002
 #define NETLBL_SECATTR_MLS_LVL  0x0004
 #define NETLBL_SECATTR_MLS_CAT  0x0008
+#define NETLBL_SECATTR_SECID0x0010
 #define NETLBL_SECATTR_CACHEABLE(NETLBL_SECATTR_MLS_LVL | \
-NETLBL_SECATTR_MLS_CAT)
+NETLBL_SECATTR_MLS_CAT | \
+NETLBL_SECATTR_SECID)
 struct netlbl_lsm_secattr {
u32 flags;
-
+   u32 type;
char *domain;
-
-   u32 mls_lvl;
-   struct netlbl_lsm_secattr_catmap *mls_cat;
-
struct netlbl_lsm_cache *cache;
+   union {
+   struct {
+   struct netlbl_lsm_secattr_catmap *cat;
+  
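Review bot: the kernel-doc block for struct netlbl_lsm_secattr has the same placement problem: the NETLBL_SECATTR_* defines sit between the `/** ... */` comment and the struct, so put the defines before the comment. Moving mls_lvl/mls_cat into the `attr.mls.lvl`/`attr.mls.cat` union members and adding `type` changes the layout for every in-tree user; the diffstat lists cipso_ipv4.c, mls.c and services.c, so please confirm each is updated within this patch.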

[RFC PATCH v10 02/20] NetLabel: Cleanup the LSM domain hash functions

2008-01-03 Thread Paul Moore
The NetLabel/LSM domain hash table search function used an argument to specify
if the default entry should be returned if an exact match couldn't be found in
the hash table.  This is a bit against the kernel's style so make two separate
functions to represent the separate behaviors.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 net/netlabel/netlabel_domainhash.c |   47 ++--
 1 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/net/netlabel/netlabel_domainhash.c 
b/net/netlabel/netlabel_domainhash.c
index b3675bd..1f8f7ac 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -109,17 +109,14 @@ static u32 netlbl_domhsh_hash(const char *key)
 /**
  * netlbl_domhsh_search - Search for a domain entry
  * @domain: the domain
- * @def: return default if no match is found
  *
  * Description:
  * Searches the domain hash table and returns a pointer to the hash table
- * entry if found, otherwise NULL is returned.  If @def is non-zero and a
- * match is not found in the domain hash table the default mapping is returned
- * if it exists.  The caller is responsibile for the rcu hash table locks
- * (i.e. the caller much call rcu_read_[un]lock()).
+ * entry if found, otherwise NULL is returned.  The caller is responsibile for
+ * the rcu hash table locks (i.e. the caller much call rcu_read_[un]lock()).
  *
  */
-static struct netlbl_dom_map *netlbl_domhsh_search(const char *domain, u32 def)
+static struct netlbl_dom_map *netlbl_domhsh_search(const char *domain)
 {
u32 bkt;
struct netlbl_dom_map *iter;
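Review bot: the rewritten comment carries over two typos from the old text: `responsibile` should be `responsible` and `the caller much call` should be `must call`.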
@@ -133,10 +130,31 @@ static struct netlbl_dom_map *netlbl_domhsh_search(const 
char *domain, u32 def)
return iter;
}
 
-   if (def != 0) {
-   iter = rcu_dereference(netlbl_domhsh_def);
-   if (iter != NULL && iter->valid)
-   return iter;
+   return NULL;
+}
+
+/**
+ * netlbl_domhsh_search_def - Search for a domain entry
+ * @domain: the domain
+ * @def: return default if no match is found
+ *
+ * Description:
+ * Searches the domain hash table and returns a pointer to the hash table
+ * entry if an exact match is found, if an exact match is not present in the
+ * hash table then the default entry is returned if valid otherwise NULL is
+ * returned.  The caller is responsibile for the rcu hash table locks
+ * (i.e. the caller much call rcu_read_[un]lock()).
+ *
+ */
+static struct netlbl_dom_map *netlbl_domhsh_search_def(const char *domain)
+{
+   struct netlbl_dom_map *entry;
+
+   entry = netlbl_domhsh_search(domain);
+   if (entry == NULL) {
+   entry = rcu_dereference(netlbl_domhsh_def);
+   if (entry != NULL && entry->valid)
+   return entry;
}
 
return NULL;
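Review bot: the kernel-doc for netlbl_domhsh_search_def() still lists `@def: return default if no match is found`, but the function takes only `domain`; drop the stale parameter line (it also repeats the `responsibile`/`much call` typos). The `if (entry == NULL) { ... return entry; }` followed by `return NULL;` can be simplified to return the found entry directly and otherwise the validated default.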
@@ -224,7 +242,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
if (entry->domain != NULL) {
bkt = netlbl_domhsh_hash(entry->domain);
spin_lock(&netlbl_domhsh_lock);
-   if (netlbl_domhsh_search(entry->domain, 0) == NULL)
+   if (netlbl_domhsh_search(entry->domain) == NULL)
list_add_tail_rcu(&entry->list,
&rcu_dereference(netlbl_domhsh)->tbl[bkt]);
else
@@ -307,7 +325,10 @@ int netlbl_domhsh_remove(const char *domain, struct 
netlbl_audit *audit_info)
struct audit_buffer *audit_buf;
 
rcu_read_lock();
-   entry = netlbl_domhsh_search(domain, (domain != NULL ? 0 : 1));
+   if (domain)
+   entry = netlbl_domhsh_search(domain);
+   else
+   entry = netlbl_domhsh_search_def(domain);
if (entry == NULL)
goto remove_return;
switch (entry->type) {
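Review bot: `netlbl_domhsh_search_def(domain)` in the `else` branch is always called with domain == NULL, so it relies on netlbl_domhsh_search() and netlbl_domhsh_hash() tolerating a NULL key before falling through to the default entry; since only the default mapping is wanted here, read `netlbl_domhsh_def` through a small helper instead of hashing NULL.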
@@ -377,7 +398,7 @@ int netlbl_domhsh_remove_default(struct netlbl_audit 
*audit_info)
  */
 struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain)
 {
-   return netlbl_domhsh_search(domain, 1);
+   return netlbl_domhsh_search_def(domain);
 }
 
 /**


