Red Hat Bugzilla – Attachment 258251 Details for
Bug 382721
Add labeled networking controls at the interface level
Secure Networking Patch
tcs_se_net.patch (text/plain), 24.68 KB, created by
Chad Hanson
on 2007-11-14 16:08:47 UTC
Description:
Secure Networking Patch
Filename:
MIME Type:
Creator:
Chad Hanson
Created:
2007-11-14 16:08:47 UTC
Size:
24.68 KB
patch
obsolete
>--- linux-2.6.18.i686/include/linux/security.h 2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/include/linux/security.h 2007-07-24 14:05:52.000000000 -0500
>@@ -820,6 +820,8 @@ struct request_sock;
> * @sk_getsecid:
> * Retrieve the LSM-specific secid for the sock to enable caching of network
> * authorizations.
>+ * @sk_classify_skb:
>+ * Classify skb based on the sock.
> * @sock_graft:
> * Sets the socket's isec sid to the sock's sid.
> * @inet_conn_request:
>@@ -830,6 +832,13 @@ struct request_sock;
> * Sets the connection's peersid to the secmark on skb.
> * @req_classify_flow:
> * Sets the flow's sid to the openreq sid.
>+ * @igmp_classify_skb:
>+ * Classifies an skb representing an igmp packet.
>+ * @skb_flow_in:
>+ * Checks to see if security policy would allow skb into the system
>+ * while also reconciling the xfrm secid, cipso, etc, if any, and
>+ * relabeling the skb with the reconciled secid.
>+ * Returns 1 if skb allowed into system, 0 otherwise.
> *
> * Security hooks for XFRM operations.
> *
>@@ -1361,12 +1370,15 @@ struct security_operations {
> void (*sk_free_security) (struct sock *sk);
> void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
> void (*sk_getsecid) (struct sock *sk, u32 *secid);
>+ void (*sk_classify_skb) (struct sock *sk, struct sk_buff *skb);
> void (*sock_graft)(struct sock* sk, struct socket *parent);
> int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
> struct request_sock *req);
> void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
> void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb);
> void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
>+ void (*igmp_classify_skb)(struct sk_buff *skb);
>+ int (*skb_flow_in)(struct sk_buff *skb, unsigned short family);
> #endif /* CONFIG_SECURITY_NETWORK */
>
> #ifdef CONFIG_SECURITY_NETWORK_XFRM
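Review bot: The new kerneldoc entries are thinner than their neighbours: `@sk_classify_skb` says only "Classify skb based on the sock" and `@igmp_classify_skb` does not say what the LSM is expected to write, whereas `@skb_flow_in` documents both the side effect on the skb and the return value. Suggest ` * Label the skb (skb->secid) with the sock's secid so later flow checks can use it.` for `@sk_classify_skb` and ` * Label the skb (skb->secid) with the LSM's label for locally generated IGMP traffic.` for `@igmp_classify_skb`, so the written field and the intent are both stated, matching the style of `@sock_graft` above. The `@skb_flow_in` entry would also benefit from naming the caller's obligation (the packet is to be dropped on 0), since the hook itself does not free anything.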
>@@ -2930,6 +2942,11 @@ static inline void security_sk_clone(con
> return security_ops->sk_clone_security(sk, newsk);
> }
>
>+static inline void security_sk_classify_skb(struct sock *sk, struct sk_buff *skb)
>+{
>+ security_ops->sk_classify_skb(sk, skb);
>+}
>+
> static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
> {
> security_ops->sk_getsecid(sk, &fl->secid);
>@@ -2940,6 +2957,17 @@ static inline void security_req_classify
> security_ops->req_classify_flow(req, fl);
> }
>
>+static inline void security_igmp_classify_skb(struct sk_buff *skb)
>+{
>+ security_ops->igmp_classify_skb(skb);
>+}
>+
>+static inline int security_skb_flow_in(struct sk_buff *skb,
>+ unsigned short family)
>+{
>+ return security_ops->skb_flow_in(skb, family);
>+}
>+
> static inline void security_sock_graft(struct sock* sk, struct socket *parent)
> {
> security_ops->sock_graft(sk, parent);
>@@ -3093,10 +3121,24 @@ static inline void security_sk_classify_
> {
> }
>
>+static inline void security_sk_classify_skb(struct sock *sk, struct sk_buff *skb)
>+{
>+}
>+
> static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
> {
> }
>
>+static inline void security_igmp_classify_skb(struct sk_buff *skb)
>+{
>+}
>+
>+static inline int security_skb_flow_in(struct sk_buff *skb,
>+ unsigned short family)
>+{
>+ return 1;
>+}
>+
> static inline void security_sock_graft(struct sock* sk, struct socket *parent)
> {
> }
>@@ -3183,12 +3225,6 @@ static inline int security_xfrm_decode_s
> return security_ops->xfrm_decode_session(skb, secid, 1);
> }
>
>-static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
>-{
>- int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
>-
>- BUG_ON(rc);
>-}
> #else /* CONFIG_SECURITY_NETWORK_XFRM */
> static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
> {
>@@ -3246,10 +3282,6 @@ static inline int security_xfrm_decode_s
> return 0;
> }
>
>-static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
>-{
>-}
>-
> #endif /* CONFIG_SECURITY_NETWORK_XFRM */
>
> #ifdef CONFIG_KEYS
>--- linux-2.6.18.i686/include/linux/skbuff.h 2007-06-26 16:18:15.000000000 -0500
>+++ linux-2.6.18.i686/include/linux/skbuff.h 2007-07-24 14:05:52.000000000 -0500
>@@ -29,6 +29,8 @@
> #include <linux/textsearch.h>
> #include <net/checksum.h>
> #include <linux/dmaengine.h>
>+#include <net/flow.h>
>+#include <linux/security.h>
>
> #define HAVE_ALLOC_SKB /* For the drivers to know */
> #define HAVE_ALIGNABLE_SKB /* Ditto 8) */
>@@ -228,6 +230,7 @@ enum {
> * @dma_cookie: a cookie to one of several possible DMA operations
> * done by skb DMA functions
> * @secmark: security marking
>+ * @secid: security identifier
> */
>
> struct sk_buff {
>@@ -316,6 +319,7 @@ struct sk_buff {
> #ifdef CONFIG_NETWORK_SECMARK
> __u32 secmark;
> #endif
>+ __u32 secid;
>
>
> /* These elements must be at the end, see alloc_skb() for details. */
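Review bot: `secid` is added to `struct sk_buff`, but nothing in this patch propagates it when an skb is cloned or copied — net/core/skbuff.c is not touched — so unless that is handled elsewhere, clones and copies (retransmits, fragments, taps) would carry `secid` 0 into the new PACKET__FLOW_OUT / NETIF__FLOW_OUT checks, which use `skb->secid` as the subject. Suggest copying `secid` next to where `secmark` is copied in the clone and header-copy paths, mirroring how `secmark` is propagated today. Separately, the field is added unconditionally while every helper that reads or writes it sits under `CONFIG_SECURITY_NETWORK`; wrapping the member the same way keeps the struct layout unchanged for builds without network LSM support. The `@secid` kerneldoc could also state that 0 (SECSID_NULL) means "not yet labeled", since `selinux_skb_flow_in` and `selinux_ip_postroute_last` both key on that.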
>@@ -1513,5 +1517,52 @@ static inline int skb_is_gso(const struc
> return skb_shinfo(skb)->gso_size;
> }
>
>+#ifdef CONFIG_SECURITY_NETWORK
>+
>+static inline void security_skb_classify_skb(struct sk_buff *from,
>+ struct sk_buff *skb)
>+{
>+ skb->secid = from->secid;
>+}
>+
>+static inline void security_flow_classify_skb(struct flowi *fl,
>+ struct sk_buff *skb)
>+{
>+ skb->secid = fl->secid;
>+}
>+
>+static inline void security_skb_classify_flow(struct sk_buff *skb,
>+ struct flowi *fl)
>+{
>+ /*
>+ * We need to check for xfrm label here since secid reconciliation
>+ * may or may not have happened yet and we want the
>+ * flow to use the best available label.
>+ */
>+ int rc = security_xfrm_decode_session(skb, &fl->secid);
>+
>+ if (rc || !fl->secid)
>+ fl->secid = skb->secid;
>+}
>+
>+#else
>+
>+static inline void security_skb_classify_skb(struct sk_buff *from,
>+ struct sk_buff *skb)
>+{
>+}
>+
>+static inline void security_flow_classify_skb(struct flowi *fl,
>+ struct sk_buff *skb)
>+{
>+}
>+
>+static inline void security_skb_classify_flow(struct sk_buff *skb,
>+ struct flowi *fl)
>+{
>+}
>+
>+#endif /* CONFIG_SECURITY_NETWORK */
>+
> #endif /* __KERNEL__ */
> #endif /* _LINUX_SKBUFF_H */
>--- linux-2.6.18.i686/include/net/ip.h 2006-09-19 22:42:06.000000000 -0500
>+++ linux-2.6.18.i686/include/net/ip.h 2007-07-24 14:05:52.000000000 -0500
>@@ -48,6 +48,9 @@ struct ipcm_cookie
> u32 addr;
> int oif;
> struct ip_options *opt;
>+#ifdef CONFIG_SECURITY_NETWORK
>+ u32 secid;
>+#endif /* CONFIG_SECURITY_NETWORK */
> };
>
> #define IPCB(skb) ((struct inet_skb_parm*)((skb)->cb))
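Review bot: `security_skb_classify_flow` trusts `fl->secid` whenever `security_xfrm_decode_session()` returns 0, but whether that call assigns `*secid` on every path is not visible here — the tail of the `!CONFIG_SECURITY_NETWORK_XFRM` stub shown in the security.h hunk is just `return 0;` — so a `struct flowi` that was not zero-initialised by its caller could keep stale data unless the `!fl->secid` test happens to catch it. Setting `fl->secid = 0;` before the call makes the fallback to `skb->secid` deterministic regardless of the stub. As a point of style, these helpers (and the ones added to net/ip.h and net/request_sock.h) are plain field copies that never reach the LSM, yet carry the same `security_` prefix as the dispatching wrappers in linux/security.h; a one-line comment above the `#ifdef` saying they are label-propagation helpers rather than hooks would keep readers from looking for a `security_ops` entry. Pulling `<linux/security.h>` into skbuff.h is also a heavy include for a header that nearly every network file sees; worth confirming it does not create an include cycle.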
>@@ -383,4 +386,45 @@ extern int ip_misc_proc_init(void);
>
> extern struct ctl_table ipv4_table[];
>
>+#ifdef CONFIG_SECURITY_NETWORK
>+
>+extern struct security_operations *security_ops;
>+
>+static inline void security_sk_classify_ipcm(struct sock *sk,
>+ struct ipcm_cookie *ipc)
>+{
>+ security_ops->sk_getsecid(sk, &ipc->secid);
>+}
>+
>+static inline void security_skb_classify_ipcm(struct sk_buff *skb,
>+ struct ipcm_cookie *ipc)
>+{
>+ ipc->secid = skb->secid;
>+}
>+
>+static inline void security_ipcm_classify_skb(struct ipcm_cookie *ipc,
>+ struct sk_buff *skb)
>+{
>+ skb->secid = ipc->secid;
>+}
>+
>+#else
>+
>+static inline void security_sk_classify_ipcm(struct sock *sk,
>+ struct ipcm_cookie *ipc)
>+{
>+}
>+
>+static inline void security_skb_classify_ipcm(struct sk_buff *skb,
>+ struct ipcm_cookie *ipc)
>+{
>+}
>+
>+static inline void security_ipcm_classify_skb(struct ipcm_cookie *ipc,
>+ struct sk_buff *skb)
>+{
>+}
>+
>+#endif /* CONFIG_SECURITY_NETWORK */
>+
> #endif /* _IP_H */
>--- linux-2.6.18.i686/include/net/request_sock.h 2007-06-26 16:18:23.000000000 -0500
>+++ linux-2.6.18.i686/include/net/request_sock.h 2007-07-24 14:05:52.000000000 -0500
>@@ -260,4 +260,21 @@ static inline void reqsk_queue_hash_req(
> write_unlock(&queue->syn_wait_lock);
> }
>
>+#ifdef CONFIG_SECURITY_NETWORK
>+
>+static inline void security_req_classify_skb(struct request_sock *req,
>+ struct sk_buff *skb)
>+{
>+ skb->secid = req->secid;
>+}
>+
>+#else
>+
>+static inline void security_req_classify_skb(struct request_sock *req,
>+ struct sk_buff *skb)
>+{
>+}
>+
>+#endif /* CONFIG_SECURITY_NETWORK */
>+
> #endif /* _REQUEST_SOCK_H */
>--- linux-2.6.18.i686/include/net/xfrm.h 2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/include/net/xfrm.h 2007-07-24 14:05:52.000000000 -0500
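Review bot: net/ip.h redeclares `extern struct security_operations *security_ops;` and dereferences `security_ops->sk_getsecid(sk, &ipc->secid)` directly, which bypasses the `security_*()` wrapper layer that every other new call in this patch goes through and couples a core networking header to the LSM's private dispatch table. The existing `security_sk_classify_flow()` in linux/security.h does exactly this lookup into a `flowi`; adding a sibling wrapper there (for example a `security_sk_getsecid(sk, &secid)`) and calling it from `security_sk_classify_ipcm` keeps the abstraction intact and drops the duplicate extern. The `!CONFIG_SECURITY_NETWORK` stubs are fine as written.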
>@@ -704,22 +704,19 @@ extern int __xfrm_policy_check(struct so
>
> static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
> {
>+ int ret;
>+
> if (sk && sk->sk_policy[XFRM_POLICY_IN])
>- return __xfrm_policy_check(sk, dir, skb, family);
>-
>- return (!xfrm_policy_list[dir] && !skb->sp) ||
>- (skb->dst->flags & DST_NOPOLICY) ||
>- __xfrm_policy_check(sk, dir, skb, family);
>-}
>+ ret = __xfrm_policy_check(sk, dir, skb, family);
>+ else
>+ ret = (!xfrm_policy_list[dir] && !skb->sp) ||
>+ (skb->dst->flags & DST_NOPOLICY) ||
>+ __xfrm_policy_check(sk, dir, skb, family);
>
>-static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
>-{
>- return xfrm_policy_check(sk, dir, skb, AF_INET);
>-}
>+ if (ret)
>+ ret = security_skb_flow_in(skb, family);
>
>-static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
>-{
>- return xfrm_policy_check(sk, dir, skb, AF_INET6);
>+ return ret;
> }
>
> extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family);
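Review bot: `xfrm_policy_check()` now calls `security_skb_flow_in(skb, family)` for every `dir`, and the SELinux implementation of that hook mutates the skb (`skb->secid = skb->secmark` for an unlabeled packet), so if one skb can reach a policy check more than once — the forward path calls with XFRM_POLICY_FWD, and a decapsulated IPsec packet is re-injected — a second pass would see a non-zero `secid` and take the "labeled packet" branch with a secmark-derived subject. The call sites are not in this patch, so treat that as something to confirm; if only local input is meant, `if (ret && dir == XFRM_POLICY_IN)` scopes the hook, and otherwise a comment stating that the hook must be idempotent on an already-reconciled skb would help. Note also that the `!xfrm_policy_list[dir] && !skb->sp` and `DST_NOPOLICY` shortcuts previously skipped all LSM work; every inbound packet now pays for header parsing plus AVC lookups in the hook, which deserves a mention in the changelog.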
>@@ -771,19 +768,22 @@ static inline void xfrm_sk_free_policy(s
> static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
> static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
> static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
>-static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
>-{
>- return 1;
>-}
>+static inline int xfrm_policy_check(struct sock *sk, int dir,
>+ struct sk_buff *skb, unsigned short family)
>+{
>+ return security_skb_flow_in(skb, family);
>+}
>+#endif
>+
> static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
> {
>- return 1;
>+ return xfrm_policy_check(sk, dir, skb, AF_INET);
> }
>-static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
>+
>+static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
> {
>- return 1;
>+ return xfrm_policy_check(sk, dir, skb, AF_INET6);
> }
>-#endif
>
> static __inline__
> xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
>--- linux-2.6.18.i686/net/dccp/ipv4.c 2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/net/dccp/ipv4.c 2007-07-24 14:05:52.000000000 -0500
>@@ -233,6 +233,8 @@ static void dccp_v4_reqsk_send_ack(struc
> dccp_hdr_set_ack(dccp_hdr_ack_bits(skb),
> DCCP_SKB_CB(rxskb)->dccpd_seq);
>
>+ security_req_classify_skb(req, skb);
>+
> bh_lock_sock(dccp_v4_ctl_socket->sk);
> err = ip_build_and_send_pkt(skb, dccp_v4_ctl_socket->sk,
> rxskb->nh.iph->daddr,
>@@ -264,6 +266,7 @@ static int dccp_v4_send_response(struct
> dh->dccph_checksum = dccp_v4_checksum(skb, ireq->loc_addr,
> ireq->rmt_addr);
> memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
>+ security_req_classify_skb(req, skb);
> err = ip_build_and_send_pkt(skb, sk, ireq->loc_addr,
> ireq->rmt_addr,
> ireq->opt);
>@@ -746,6 +749,8 @@ static void dccp_v4_ctl_send_reset(struc
> dh->dccph_checksum = dccp_v4_checksum(skb, rxskb->nh.iph->saddr,
> rxskb->nh.iph->daddr);
>
>+ security_skb_classify_skb(rxskb, skb);
>+
> bh_lock_sock(dccp_v4_ctl_socket->sk);
> err = ip_build_and_send_pkt(skb, dccp_v4_ctl_socket->sk,
> rxskb->nh.iph->daddr,
>--- linux-2.6.18.i686/net/ipv4/icmp.c 2007-06-26 16:18:17.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/icmp.c 2007-07-24 14:05:52.000000000 -0500
>@@ -389,6 +389,8 @@ static void icmp_reply(struct icmp_bxm *
> if (icmp_xmit_lock())
> return;
>
>+ security_skb_classify_ipcm(skb, &ipc);
>+
> icmp_param->data.icmph.checksum = 0;
> icmp_out_count(icmp_param->data.icmph.type);
>
>@@ -507,6 +509,8 @@ void icmp_send(struct sk_buff *skb_in, i
> if (icmp_xmit_lock())
> return;
>
>+ security_skb_classify_ipcm(skb_in, &ipc);
>+
> /*
> * Construct source address and options.
> */
>--- linux-2.6.18.i686/net/ipv4/igmp.c 2006-09-19 22:42:06.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/igmp.c 2007-07-24 14:05:52.000000000 -0500
>@@ -293,6 +293,8 @@ static struct sk_buff *igmpv3_newpack(st
> if (skb == NULL)
> return NULL;
>
>+ security_igmp_classify_skb(skb);
>+
> {
> struct flowi fl = { .oif = dev->ifindex,
> .nl_u = { .ip4_u = {
>@@ -658,6 +660,8 @@ static int igmp_send_report(struct in_de
> return -1;
> }
>
>+ security_igmp_classify_skb(skb);
>+
> skb->dst = &rt->u.dst;
>
> skb_reserve(skb, LL_RESERVED_SPACE(dev));
>--- linux-2.6.18.i686/net/ipv4/ip_output.c 2007-06-26 16:18:17.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/ip_output.c 2007-07-24 14:05:52.000000000 -0500
>@@ -340,6 +340,8 @@ packet_routed:
> if (opt && opt->is_strictroute && rt->rt_dst != rt->rt_gateway)
> goto no_route;
>
>+ security_sk_classify_skb(sk, skb);
>+
> /* OK, we know where to send it, allocate and build IP header. */
> iph = (struct iphdr *) skb_push(skb, sizeof(struct iphdr) + (opt ? opt->optlen : 0));
> *((__u16 *)iph) = htons((4 << 12) | (5 << 8) | (inet->tos & 0xff));
>@@ -927,6 +929,8 @@ alloc_new_skb:
> if (skb == NULL)
> goto error;
>
>+ security_ipcm_classify_skb(ipc, skb);
>+
> /*
> * Fill in the control structures
> */
>@@ -1123,6 +1127,8 @@ ssize_t ip_append_page(struct sock *sk,
> goto error;
> }
>
>+ security_skb_classify_skb(skb_prev, skb);
>+
> /*
> * Fill in the control structures
> */
>@@ -1350,6 +1356,8 @@ void ip_send_reply(struct sock *sk, stru
> daddr = ipc.addr = rt->rt_src;
> ipc.opt = NULL;
>
>+ security_skb_classify_ipcm(skb, &ipc);
>+
> if (replyopts.opt.optlen) {
> ipc.opt = &replyopts.opt;
>
>--- linux-2.6.18.i686/net/ipv4/raw.c 2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/raw.c 2007-07-24 14:05:52.000000000 -0500
>@@ -433,6 +433,8 @@ static int raw_sendmsg(struct kiocb *ioc
> ipc.opt = NULL;
> ipc.oif = sk->sk_bound_dev_if;
>
>+ security_sk_classify_ipcm(sk, &ipc);
>+
> if (msg->msg_controllen) {
> err = ip_cmsg_send(msg, &ipc);
> if (err)
>--- linux-2.6.18.i686/net/ipv4/tcp_ipv4.c 2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/tcp_ipv4.c 2007-07-24 14:05:52.000000000 -0500
>@@ -658,6 +658,7 @@ static int tcp_v4_send_synack(struct soc
> ireq->rmt_addr,
> csum_partial((char *)th, skb->len,
> skb->csum));
>+ security_req_classify_skb(req, skb);
>
> err = ip_build_and_send_pkt(skb, sk, ireq->loc_addr,
> ireq->rmt_addr,
>--- linux-2.6.18.i686/net/ipv4/udp.c 2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/udp.c 2007-07-24 14:05:52.000000000 -0500
>@@ -508,6 +508,8 @@ int udp_sendmsg(struct kiocb *iocb, stru
>
> ipc.opt = NULL;
>
>+ security_sk_classify_ipcm(sk, &ipc);
>+
> if (up->pending) {
> /*
> * There are pending frames.
>--- linux-2.6.18.i686/net/ipv6/ip6_output.c 2007-06-26 16:18:19.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv6/ip6_output.c 2007-07-24 14:05:52.000000000 -0500
>@@ -170,6 +170,8 @@ int ip6_xmit(struct sock *sk, struct sk_
> int hlimit, tclass;
> u32 mtu;
>
>+ security_flow_classify_skb(fl, skb);
>+
> if (opt) {
> int head_room;
>
>@@ -1080,6 +1082,9 @@ alloc_new_skb:
> }
> if (skb == NULL)
> goto error;
>+
>+ security_flow_classify_skb(fl, skb);
>+
> /*
> * Fill in the control structures
> */
>--- linux-2.6.18.i686/net/ipv6/netfilter/ip6t_REJECT.c 2007-06-26 16:18:17.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv6/netfilter/ip6t_REJECT.c 2007-07-24 14:05:52.000000000 -0500
>@@ -128,6 +128,8 @@ static void send_reset(struct sk_buff *o
> ipv6_addr_copy(&ip6h->saddr, &oip6h->daddr);
> ipv6_addr_copy(&ip6h->daddr, &oip6h->saddr);
>
>+ security_skb_classify_skb(oldskb, nskb);
>+
> tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
> /* Truncate to length (no data) */
> tcph->doff = sizeof(struct tcphdr)/4;
>--- linux-2.6.18.i686/net/xfrm/xfrm_policy.c 2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/net/xfrm/xfrm_policy.c 2007-07-24 14:05:52.000000000 -0500
>@@ -1209,6 +1209,9 @@ int __xfrm_route_forward(struct sk_buff
> if (xfrm_decode_session(skb, &fl, family) < 0)
> return 0;
>
>+ /* In case packet didn't use labeled-ipsec coming in */
>+ fl.secid = skb->secid;
>+
> return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
> }
> EXPORT_SYMBOL(__xfrm_route_forward);
>--- linux-2.6.18.i686/security/dummy.c 2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/security/dummy.c 2007-07-24 14:05:52.000000000 -0500
>@@ -813,6 +813,10 @@ static inline void dummy_sk_getsecid(str
> {
> }
>
>+static inline void dummy_sk_classify_skb(struct sock *sk, struct sk_buff *skb)
>+{
>+}
>+
> static inline void dummy_sock_graft(struct sock* sk, struct socket *parent)
> {
> }
>@@ -837,6 +841,17 @@ static inline void dummy_req_classify_fl
> struct flowi *fl)
> {
> }
>+
>+static inline void dummy_igmp_classify_skb(struct sk_buff *skb)
>+{
>+}
>+
>+static inline int dummy_skb_flow_in(struct sk_buff *skb,
>+ unsigned short family)
>+{
>+ return -ENOENT;
>+}
>+
> #endif /* CONFIG_SECURITY_NETWORK */
>
> #ifdef CONFIG_SECURITY_NETWORK_XFRM
>@@ -1104,11 +1119,14 @@ void security_fixup_ops (struct security
> set_to_dummy_if_null(ops, sk_free_security);
> set_to_dummy_if_null(ops, sk_clone_security);
> set_to_dummy_if_null(ops, sk_getsecid);
>+ set_to_dummy_if_null(ops, sk_classify_skb);
> set_to_dummy_if_null(ops, sock_graft);
> set_to_dummy_if_null(ops, inet_conn_request);
> set_to_dummy_if_null(ops, inet_csk_clone);
> set_to_dummy_if_null(ops, inet_conn_established);
> set_to_dummy_if_null(ops, req_classify_flow);
>+ set_to_dummy_if_null(ops, igmp_classify_skb);
>+ set_to_dummy_if_null(ops, skb_flow_in);
> #endif /* CONFIG_SECURITY_NETWORK */
> #ifdef CONFIG_SECURITY_NETWORK_XFRM
> set_to_dummy_if_null(ops, xfrm_policy_alloc_security);
>--- linux-2.6.18.i686/security/selinux/hooks.c 2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/security/selinux/hooks.c 2007-07-24 14:05:52.000000000 -0500
>@@ -3521,9 +3521,28 @@ static int selinux_socket_sock_rcv_skb(s
> if (selinux_compat_net)
> err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
> addrp, len);
>- else
>+ else {
>+ u32 recv_perm;
>+
> err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
> PACKET__RECV, &ad);
>+ if (err)
>+ goto out;
>+
>+ switch (sksec->sclass) {
>+ case SECCLASS_UDP_SOCKET:
>+ recv_perm = UDP_SOCKET__RECVFROM;
>+ break;
>+ case SECCLASS_TCP_SOCKET:
>+ recv_perm = TCP_SOCKET__RECVFROM;
>+ break;
>+ default:
>+ recv_perm = RAWIP_SOCKET__RECVFROM;
>+ }
>+
>+ err = avc_has_perm(sksec->sid, skb->secid, sksec->sclass,
>+ recv_perm, &ad);
>+ }
> if (err)
> goto out;
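Review bot: `dummy_skb_flow_in` returns `-ENOENT`, but the hook's contract as documented in the security.h hunk is 1 = allowed, 0 = denied, and both `xfrm_policy_check()` variants treat the value as a boolean, so -ENOENT is accepted only because it happens to be non-zero; the `CONFIG_SECURITY_NETWORK=n` stub in security.h already returns 1 for the same case. Change it to `return 1;` so the dummy module is an explicit allow and a future caller that compares against 1 or propagates the value as an errno does not start dropping every packet. The other two dummy hooks in this hunk are correct no-ops.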
>
>@@ -3631,6 +3650,13 @@ static void selinux_sk_getsecid(struct s
> }
> }
>
>+static void selinux_sk_classify_skb(struct sock *sk, struct sk_buff *skb)
>+{
>+ struct sk_security_struct *sksec = sk->sk_security;
>+
>+ skb->secid = sksec->sid;
>+}
>+
> void selinux_sock_graft(struct sock* sk, struct socket *parent)
> {
> struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
>@@ -3696,6 +3722,62 @@ void selinux_req_classify_flow(const str
> fl->secid = req->secid;
> }
>
>+void selinux_igmp_classify_skb(struct sk_buff *skb)
>+{
>+ skb->secid = SECINITSID_IGMP_PACKET;
>+}
>+
>+static int selinux_skb_flow_in(struct sk_buff *skb, unsigned short family)
>+{
>+ u32 if_sid;
>+ int err;
>+ struct avc_audit_data ad;
>+ char *addrp;
>+ int len;
>+
>+ if (selinux_compat_net)
>+ return 1;
>+
>+ if (!skb->dev) {
>+ err = -EACCES;
>+ goto out;
>+ }
>+
>+ AVC_AUDIT_DATA_INIT(&ad, NET);
>+ ad.u.net.netif = skb->dev->name;
>+ ad.u.net.family = family;
>+ err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
>+ if (err)
>+ goto out;
>+
>+ if (skb->dev != &loopback_dev) { /* Non-localhost packet */
>+ err = selinux_xfrm_decode_session(skb, &skb->secid, 0);
>+ BUG_ON(err);
>+ }
>+
>+ if (skb->secid) { /* localhost or IPSEC packet */
>+ err = avc_has_perm(skb->secid,
>+ skb->secmark? : SECINITSID_NETMSG,
>+ SECCLASS_PACKET, PACKET__FLOW_IN, &ad);
>+ if (err)
>+ goto out;
>+ } else { /* unlabeled packet */
>+ skb->secid = skb->secmark;
>+ }
>+
>+ /* See if skb can flow in thru the interface */
>+ err = sel_netif_sids(skb->dev, &if_sid, NULL);
>+ if (err)
>+ goto out;
>+
>+ err = avc_has_perm(skb->secid, if_sid,
>+ SECCLASS_NETIF,
>+ NETIF__FLOW_IN, &ad);
>+
>+out:
>+ return err ? 0 : 1;
>+};
>+
> static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
> {
> int err = 0;
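Review bot: `BUG_ON(err)` after `selinux_xfrm_decode_session()` in `selinux_skb_flow_in` turns a decode failure on a non-loopback packet into a kernel panic inside the receive path of every inbound packet; for an allow/deny hook, failing closed with `if (err) goto out;` (which already maps to a 0 return) is the safer handling, and if that call cannot fail with its third argument 0 the BUG_ON is dead code and should simply go. The old `security_skb_classify_flow` had the same BUG_ON, so this is inherited style, but the new hook is called far more often. The function also ends with `};` — the stray semicolon after the closing brace is an empty declaration and should be dropped. `selinux_igmp_classify_skb` is defined non-static without a prototype; unless it is referenced from another file, `static` would match `selinux_sk_classify_skb` and `selinux_skb_flow_in` in the same hunk.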
>@@ -3822,12 +3904,7 @@ static unsigned int selinux_ip_postroute
> struct net_device *dev = (struct net_device *)out;
> struct sk_security_struct *sksec;
> u8 proto;
>-
>- sk = skb->sk;
>- if (!sk)
>- goto out;
>-
>- sksec = sk->sk_security;
>+ u32 if_sid;
>
> AVC_AUDIT_DATA_INIT(&ad, NET);
> ad.u.net.netif = dev->name;
>@@ -3837,17 +3914,46 @@ static unsigned int selinux_ip_postroute
> if (err)
> goto out;
>
>+ sk = skb->sk;
>+ if (!sk)
>+ goto flow_check;
>+
>+ sksec = sk->sk_security;
>+
> if (selinux_compat_net)
> err = selinux_ip_postroute_last_compat(sk, dev, &ad,
> family, addrp, len);
>- else
>+ else {
>+ if (!skb->secid)
>+ skb->secid = sksec->sid;
>+
> err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
> PACKET__SEND, &ad);
>+ if (err)
>+ goto out;
>+ }
>
>+ err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
> if (err)
> goto out;
>
>- err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
>+flow_check:
>+ if (!selinux_compat_net) {
>+ err = avc_has_perm(skb->secid, skb->secmark, SECCLASS_PACKET,
>+ PACKET__FLOW_OUT, &ad);
>+ if (err)
>+ goto out;
>+
>+ err = sel_netif_sids(dev, &if_sid, NULL);
>+ if (err)
>+ goto out;
>+
>+ err = avc_has_perm(skb->secid, if_sid, SECCLASS_NETIF,
>+ NETIF__FLOW_OUT, &ad);
>+ if (err)
>+ goto out;
>+ }
>+
> out:
> return err ? NF_DROP : NF_ACCEPT;
> }
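Review bot: In the compat branch a denial from `selinux_ip_postroute_last_compat()` is now lost: the `if (err) goto out;` was moved inside the `else` block, so when `selinux_compat_net` is set execution falls straight into `err = selinux_xfrm_postroute_last(...)`, which overwrites `err` and can turn an NF_DROP into NF_ACCEPT. Restore the check between the if/else and the xfrm call — a standalone `if (err) goto out;` after the `else { ... }` block, as the original ordering had it — and drop the copy inside the block. The `if (err) goto out;` at the end of the `flow_check` block immediately precedes `out:` and is redundant. The enclosing function starts before this hunk.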
>@@ -4761,11 +4867,14 @@ static struct security_operations selinu
> .sk_free_security = selinux_sk_free_security,
> .sk_clone_security = selinux_sk_clone_security,
> .sk_getsecid = selinux_sk_getsecid,
>+ .sk_classify_skb = selinux_sk_classify_skb,
> .sock_graft = selinux_sock_graft,
> .inet_conn_request = selinux_inet_conn_request,
> .inet_csk_clone = selinux_inet_csk_clone,
> .inet_conn_established = selinux_inet_conn_established,
> .req_classify_flow = selinux_req_classify_flow,
>+ .igmp_classify_skb = selinux_igmp_classify_skb,
>+ .skb_flow_in = selinux_skb_flow_in,
>
> #ifdef CONFIG_SECURITY_NETWORK_XFRM
> .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
>--- linux-2.6.18.i686/security/selinux/include/av_permissions.h 2007-06-26 16:18:17.000000000 -0500
>+++ linux-2.6.18.i686/security/selinux/include/av_permissions.h 2007-07-24 14:05:52.000000000 -0500
>@@ -319,6 +319,8 @@
> #define NETIF__UDP_SEND 0x00000008UL
> #define NETIF__RAWIP_RECV 0x00000010UL
> #define NETIF__RAWIP_SEND 0x00000020UL
>+#define NETIF__FLOW_IN 0x00000040UL
>+#define NETIF__FLOW_OUT 0x00000080UL
>
> #define NETLINK_SOCKET__IOCTL 0x00000001UL
> #define NETLINK_SOCKET__READ 0x00000002UL
>@@ -962,6 +964,8 @@
> #define PACKET__SEND 0x00000001UL
> #define PACKET__RECV 0x00000002UL
> #define PACKET__RELABELTO 0x00000004UL
>+#define PACKET__FLOW_IN 0x00000008UL
>+#define PACKET__FLOW_OUT 0x00000010UL
>
> #define KEY__VIEW 0x00000001UL
> #define KEY__READ 0x00000002UL
>--- linux-2.6.18.i686/security/selinux/include/av_perm_to_string.h 2007-06-26 16:18:17.000000000 -0500
>+++ linux-2.6.18.i686/security/selinux/include/av_perm_to_string.h 2007-07-24 14:05:52.000000000 -0500
>@@ -41,6 +41,8 @@
> S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
> S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
> S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
>+ S_(SECCLASS_NETIF, NETIF__FLOW_IN, "flow_in")
>+ S_(SECCLASS_NETIF, NETIF__FLOW_OUT, "flow_out")
> S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
> S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
> S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
>@@ -245,6 +247,8 @@
> S_(SECCLASS_PACKET, PACKET__SEND, "send")
> S_(SECCLASS_PACKET, PACKET__RECV, "recv")
> S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
>+ S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
>+ S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
> S_(SECCLASS_KEY, KEY__VIEW, "view")
> S_(SECCLASS_KEY, KEY__READ, "read")
> S_(SECCLASS_KEY, KEY__WRITE, "write")
>--- linux-2.6.18.i686/security/selinux/ss/services.c 2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/security/selinux/ss/services.c 2007-07-24 14:05:52.000000000 -0500
>@@ -2166,6 +2166,11 @@ void security_skb_extlbl_sid(struct sk_b
> u32 xfrm_sid;
> u32 nlbl_sid;
>
>+ if (skb->secid) {
>+ *sid = skb->secid;
>+ return;
>+ }
>+
> selinux_skb_xfrm_sid(skb, &xfrm_sid);
> if (selinux_netlbl_skbuff_getsid(skb,
> (xfrm_sid == SECSID_NULL ?