Add skb_policy_check hook to LSM to enable reconciliation of the various security identifiers as well as enforce flow control on inbound (INPUT/FORWARD) traffic.
Also defines reconciliation for SELinux. Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]> --- include/linux/security.h | 16 ++++++++ security/dummy.c | 7 +++ security/selinux/hooks.c | 60 +++++++++++++++++++++++++------ security/selinux/ss/mls.c | 2 + security/selinux/ss/services.c | 2 + 5 files changed, 76 insertions(+), 11 deletions(-) --- net-2.6.19.sid1/include/linux/security.h 2006-08-24 09:19:12.000000000 -0500 +++ net-2.6.19.sid2/include/linux/security.h 2006-08-24 09:55:39.000000000 -0500 @@ -828,6 +828,9 @@ struct request_sock; * Sets the new child socket's sid to the openreq sid. * @req_classify_flow: * Sets the flow's sid to the openreq sid. + * @skb_policy_check: + * Checks to see if security policy would allow skb into the system. + * Returns 1 if skb allowed into system, 0 otherwise. * * Security hooks for XFRM operations. * @@ -1372,6 +1375,7 @@ struct security_operations { struct request_sock *req); void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req); void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl); + int (*skb_policy_check)(struct sk_buff *skb, unsigned short family); #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM @@ -2946,6 +2950,12 @@ static inline void security_req_classify security_ops->req_classify_flow(req, fl); } +static inline int security_skb_policy_check(struct sk_buff *skb, + unsigned short family) +{ + return security_ops->skb_policy_check(skb, family); +} + static inline void security_sock_graft(struct sock* sk, struct socket *parent) { security_ops->sock_graft(sk, parent); @@ -3097,6 +3107,12 @@ static inline void security_req_classify { } +static inline int security_skb_policy_check(struct sk_buff *skb, + unsigned short family) +{ + return 1; +} + static inline void security_sock_graft(struct sock* sk, struct socket *parent) { } --- net-2.6.19.sid1/security/dummy.c 2006-08-24 09:19:13.000000000 -0500 +++ net-2.6.19.sid2/security/dummy.c 2006-08-24 09:55:39.000000000 -0500 @@ -832,6 +832,12 @@ static inline void dummy_req_classify_fl struct flowi *fl) { } + +static inline int dummy_skb_policy_check(struct sk_buff *skb, + unsigned short family) +{ + return 1; +} #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM @@ -1108,6 +1114,7 @@ void security_fixup_ops (struct security set_to_dummy_if_null(ops, inet_conn_request); set_to_dummy_if_null(ops, inet_csk_clone); set_to_dummy_if_null(ops, req_classify_flow); + set_to_dummy_if_null(ops, skb_policy_check); #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM set_to_dummy_if_null(ops, xfrm_policy_alloc_security); --- net-2.6.19.sid1/security/selinux/hooks.c 2006-08-24 09:19:13.000000000 -0500 +++ net-2.6.19.sid2/security/selinux/hooks.c 2006-08-24 10:00:12.000000000 -0500 @@ -3447,8 +3447,12 @@ static int selinux_sock_rcv_skb_compat(s err = avc_has_perm(sock_sid, port_sid, sock_class, recv_perm, ad); + if (err) + goto out; } + err = selinux_xfrm_sock_rcv_skb(sock_sid, skb, ad); + out: return err; } @@ -3487,10 +3491,6 @@ static int selinux_socket_sock_rcv_skb(s goto out; err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad); - if (err) - goto out; - - err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); out: return err; } @@ -3622,13 +3622,16 @@ static int selinux_inet_conn_request(str return 0; } - err = selinux_xfrm_decode_session(skb, &peersid, 0); - BUG_ON(err); - - if (peersid == SECSID_NULL) { - req->secid = sksec->sid; - return 0; - } + if (selinux_compat_net) { + err = selinux_xfrm_decode_session(skb, &peersid, 0); + BUG_ON(err); + + if (peersid == SECSID_NULL) { + req->secid = sksec->sid; + return 0; + } + } else + peersid = skb->secmark; err = security_sid_mls_copy(sksec->sid, peersid, &newsid); if (err) @@ -3656,6 +3659,40 @@ static void selinux_req_classify_flow(co fl->secid = req->secid; } +static int selinux_skb_policy_check(struct sk_buff *skb, unsigned short family) +{ + u32 xfrm_sid, trans_sid; + int err; + + if (selinux_compat_net) + return 1; + + err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0); + BUG_ON(err); + + if (xfrm_sid) { + err = security_transition_sid(xfrm_sid, skb->secmark, + SECCLASS_PACKET, &trans_sid); + if (err) + goto out; + } + else + trans_sid = SECSID_NULL; + + err = avc_has_perm(trans_sid, skb->secmark, SECCLASS_PACKET, + PACKET__FLOW_IN, NULL); + if (err) + goto out; + + if (trans_sid != SECSID_NULL && trans_sid != SECINITSID_UNLABELED) + skb->secmark = trans_sid; + + /* See if CIPSO can flow in thru the current secmark here */ + +out: + return err ? 0 : 1; +} + static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) { int err = 0; @@ -4713,6 +4750,7 @@ static struct security_operations selinu .inet_conn_request = selinux_inet_conn_request, .inet_csk_clone = selinux_inet_csk_clone, .req_classify_flow = selinux_req_classify_flow, + .skb_policy_check = selinux_skb_policy_check, #ifdef CONFIG_SECURITY_NETWORK_XFRM .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, --- net-2.6.19.sid1/security/selinux/ss/mls.c 2006-08-24 09:19:13.000000000 -0500 +++ net-2.6.19.sid2/security/selinux/ss/mls.c 2006-08-24 09:55:39.000000000 -0500 @@ -548,6 +548,8 @@ int mls_compute_sid(struct context *scon } } } + else if (tclass == SECCLASS_PACKET) + return mls_copy_context(newcontext, scontext); /* Fallthrough */ case AVTAB_CHANGE: if (tclass == SECCLASS_PROCESS) --- net-2.6.19.sid1/security/selinux/ss/services.c 2006-08-24 09:19:13.000000000 -0500 +++ net-2.6.19.sid2/security/selinux/ss/services.c 2006-08-24 09:55:39.000000000 -0500 @@ -832,6 +832,7 @@ static int security_compute_sid(u32 ssid if (!ss_initialized) { switch (tclass) { + case SECCLASS_PACKET: case SECCLASS_PROCESS: *out_sid = ssid; break; @@ -876,6 +877,7 @@ static int security_compute_sid(u32 ssid /* Set the role and type to default values. */ switch (tclass) { + case SECCLASS_PACKET: case SECCLASS_PROCESS: /* Use the current role and type of process. */ newcontext.role = scontext->role; - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html