Attachment 258251 Details for Bug 382721 – Secure Networking Patch

Secure Networking Patch

tcs_se_net.patch (text/plain), 24.68 KB, created by Chad Hanson on 2007-11-14 16:08:47 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Chad Hanson

Created: 2007-11-14 16:08:47 UTC

Size: 24.68 KB

patch

obsolete

>--- linux-2.6.18.i686/include/linux/security.h	2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/include/linux/security.h	2007-07-24 14:05:52.000000000 -0500
>@@ -820,6 +820,8 @@ struct request_sock;
>  * @sk_getsecid:
>  *	Retrieve the LSM-specific secid for the sock to enable caching of network
>  *	authorizations.
>+ * @sk_classify_skb:
>+ *	Classify skb based on the sock.
>  * @sock_graft:
>  *	Sets the socket's isec sid to the sock's sid.
>  * @inet_conn_request:
>@@ -830,6 +832,13 @@ struct request_sock;
>  *     Sets the connection's peersid to the secmark on skb.
>  * @req_classify_flow:
>  *	Sets the flow's sid to the openreq sid.
>+ * @igmp_classify_skb:
>+ *	Classifies an skb representing an igmp packet.
>+ * @skb_flow_in:
>+ *	Checks to see if security policy would allow skb into the system
>+ *	while also reconciling the xfrm secid, cipso, etc, if any, and
>+ *	relabeling the skb with the reconciled secid.
>+ *	Returns 1 if skb allowed into system, 0 otherwise.
>  *
>  * Security hooks for XFRM operations.
>  *
>@@ -1361,12 +1370,15 @@ struct security_operations {
> 	void (*sk_free_security) (struct sock *sk);
> 	void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
> 	void (*sk_getsecid) (struct sock *sk, u32 *secid);
>+	void (*sk_classify_skb) (struct sock *sk, struct sk_buff *skb);
> 	void (*sock_graft)(struct sock* sk, struct socket *parent);
> 	int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
> 					struct request_sock *req);
> 	void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
> 	void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb);
> 	void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
>+	void (*igmp_classify_skb)(struct sk_buff *skb);
>+	int (*skb_flow_in)(struct sk_buff *skb, unsigned short family);
> #endif	/* CONFIG_SECURITY_NETWORK */
> 
> #ifdef CONFIG_SECURITY_NETWORK_XFRM
>@@ -2930,6 +2942,11 @@ static inline void security_sk_clone(con
> 	return security_ops->sk_clone_security(sk, newsk);
> }
> 
>+static inline void security_sk_classify_skb(struct sock *sk, struct sk_buff *skb)
>+{
>+	security_ops->sk_classify_skb(sk, skb);
>+}
>+
> static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
> {
> 	security_ops->sk_getsecid(sk, &fl->secid);
>@@ -2940,6 +2957,17 @@ static inline void security_req_classify
> 	security_ops->req_classify_flow(req, fl);
> }
> 
>+static inline void security_igmp_classify_skb(struct sk_buff *skb)
>+{
>+	security_ops->igmp_classify_skb(skb);
>+}
>+
>+static inline int security_skb_flow_in(struct sk_buff *skb,
>+					unsigned short family)
>+{
>+	return security_ops->skb_flow_in(skb, family);
>+}
>+
> static inline void security_sock_graft(struct sock* sk, struct socket *parent)
> {
> 	security_ops->sock_graft(sk, parent);
>@@ -3093,10 +3121,24 @@ static inline void security_sk_classify_
> {
> }
> 
>+static inline void security_sk_classify_skb(struct sock *sk, struct sk_buff *skb)
>+{
>+}
>+
> static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
> {
> }
> 
>+static inline void security_igmp_classify_skb(struct sk_buff *skb)
>+{
>+}
>+
>+static inline int security_skb_flow_in(struct sk_buff *skb,
>+					unsigned short family)
>+{
>+	return 1;
>+}
>+
> static inline void security_sock_graft(struct sock* sk, struct socket *parent)
> {
> }
>@@ -3183,12 +3225,6 @@ static inline int security_xfrm_decode_s
> 	return security_ops->xfrm_decode_session(skb, secid, 1);
> }
> 
>-static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
>-{
>-	int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
>-
>-	BUG_ON(rc);
>-}
> #else	/* CONFIG_SECURITY_NETWORK_XFRM */
> static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
> {
>@@ -3246,10 +3282,6 @@ static inline int security_xfrm_decode_s
> 	return 0;
> }
> 
>-static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
>-{
>-}
>-
> #endif	/* CONFIG_SECURITY_NETWORK_XFRM */
> 
> #ifdef CONFIG_KEYS
>--- linux-2.6.18.i686/include/linux/skbuff.h	2007-06-26 16:18:15.000000000 -0500
>+++ linux-2.6.18.i686/include/linux/skbuff.h	2007-07-24 14:05:52.000000000 -0500
>@@ -29,6 +29,8 @@
> #include <linux/textsearch.h>
> #include <net/checksum.h>
> #include <linux/dmaengine.h>
>+#include <net/flow.h>
>+#include <linux/security.h>
> 
> #define HAVE_ALLOC_SKB		/* For the drivers to know */
> #define HAVE_ALIGNABLE_SKB	/* Ditto 8)		   */
>@@ -228,6 +230,7 @@ enum {
>  *	@dma_cookie: a cookie to one of several possible DMA operations
>  *		done by skb DMA functions
>  *	@secmark: security marking
>+ *	@secid: security identifier
>  */
> 
> struct sk_buff {
>@@ -316,6 +319,7 @@ struct sk_buff {
> #ifdef CONFIG_NETWORK_SECMARK
> 	__u32			secmark;
> #endif
>+	__u32			secid;
> 
> 
> 	/* These elements must be at the end, see alloc_skb() for details.  */
>@@ -1513,5 +1517,52 @@ static inline int skb_is_gso(const struc
> 	return skb_shinfo(skb)->gso_size;
> }
> 
>+#ifdef CONFIG_SECURITY_NETWORK
>+
>+static inline void security_skb_classify_skb(struct sk_buff *from,
>+					struct sk_buff *skb)
>+{
>+	skb->secid = from->secid;
>+}
>+
>+static inline void security_flow_classify_skb(struct flowi *fl,
>+					struct sk_buff *skb)
>+{
>+	skb->secid = fl->secid;
>+}
>+
>+static inline void security_skb_classify_flow(struct sk_buff *skb,
>+					struct flowi *fl)
>+{
>+	/*
>+	 * We need to check for xfrm label here since secid reconciliation
>+	 * may or may not have happened yet and we want the
>+	 * flow to use the best available label.
>+	 */
>+	int rc = security_xfrm_decode_session(skb, &fl->secid);
>+
>+	if (rc || !fl->secid)
>+		fl->secid = skb->secid;
>+}
>+
>+#else
>+
>+static inline void security_skb_classify_skb(struct sk_buff *from,
>+					struct sk_buff *skb)
>+{
>+}
>+
>+static inline void security_flow_classify_skb(struct flowi *fl,
>+					struct sk_buff *skb)
>+{
>+}
>+
>+static inline void security_skb_classify_flow(struct sk_buff *skb,
>+					struct flowi *fl)
>+{
>+}
>+
>+#endif /* CONFIG_SECURITY_NETWORK */
>+
> #endif	/* __KERNEL__ */
> #endif	/* _LINUX_SKBUFF_H */
>--- linux-2.6.18.i686/include/net/ip.h	2006-09-19 22:42:06.000000000 -0500
>+++ linux-2.6.18.i686/include/net/ip.h	2007-07-24 14:05:52.000000000 -0500
>@@ -48,6 +48,9 @@ struct ipcm_cookie
> 	u32			addr;
> 	int			oif;
> 	struct ip_options	*opt;
>+#ifdef CONFIG_SECURITY_NETWORK
>+	u32			secid;
>+#endif /* CONFIG_SECURITY_NETWORK */
> };
> 
> #define IPCB(skb) ((struct inet_skb_parm*)((skb)->cb))
>@@ -383,4 +386,45 @@ extern int ip_misc_proc_init(void);
> 
> extern struct ctl_table ipv4_table[];
> 
>+#ifdef CONFIG_SECURITY_NETWORK
>+
>+extern struct security_operations *security_ops;
>+
>+static inline void security_sk_classify_ipcm(struct sock *sk,
>+			struct ipcm_cookie *ipc)
>+{
>+	security_ops->sk_getsecid(sk, &ipc->secid);
>+}
>+
>+static inline void security_skb_classify_ipcm(struct sk_buff *skb,
>+					struct ipcm_cookie *ipc)
>+{
>+	ipc->secid = skb->secid;
>+}
>+
>+static inline void security_ipcm_classify_skb(struct ipcm_cookie *ipc,
>+					struct sk_buff *skb)
>+{
>+	skb->secid = ipc->secid;
>+}
>+
>+#else
>+
>+static inline void security_sk_classify_ipcm(struct sock *sk,
>+			struct ipcm_cookie *ipc)
>+{
>+}
>+
>+static inline void security_skb_classify_ipcm(struct sk_buff *skb,
>+					struct ipcm_cookie *ipc)
>+{
>+}
>+
>+static inline void security_ipcm_classify_skb(struct ipcm_cookie *ipc,
>+					struct sk_buff *skb)
>+{
>+}
>+
>+#endif /* CONFIG_SECURITY_NETWORK */
>+
> #endif	/* _IP_H */
>--- linux-2.6.18.i686/include/net/request_sock.h	2007-06-26 16:18:23.000000000 -0500
>+++ linux-2.6.18.i686/include/net/request_sock.h	2007-07-24 14:05:52.000000000 -0500
>@@ -260,4 +260,21 @@ static inline void reqsk_queue_hash_req(
> 	write_unlock(&queue->syn_wait_lock);
> }
> 
>+#ifdef CONFIG_SECURITY_NETWORK
>+
>+static inline void security_req_classify_skb(struct request_sock *req,
>+                                       struct sk_buff *skb)
>+{
>+	skb->secid = req->secid;
>+}
>+
>+#else
>+
>+static inline void security_req_classify_skb(struct request_sock *req,
>+                                       struct sk_buff *skb)
>+{
>+}
>+
>+#endif /* CONFIG_SECURITY_NETWORK */
>+
> #endif /* _REQUEST_SOCK_H */
>--- linux-2.6.18.i686/include/net/xfrm.h	2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/include/net/xfrm.h	2007-07-24 14:05:52.000000000 -0500
>@@ -704,22 +704,19 @@ extern int __xfrm_policy_check(struct so
> 
> static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
> {
>+	int ret;
>+
> 	if (sk && sk->sk_policy[XFRM_POLICY_IN])
>-		return __xfrm_policy_check(sk, dir, skb, family);
>-		
>-	return	(!xfrm_policy_list[dir] && !skb->sp) ||
>-		(skb->dst->flags & DST_NOPOLICY) ||
>-		__xfrm_policy_check(sk, dir, skb, family);
>-}
>+		ret = __xfrm_policy_check(sk, dir, skb, family);
>+	else
>+		ret = (!xfrm_policy_list[dir] && !skb->sp) ||
>+			(skb->dst->flags & DST_NOPOLICY) ||
>+			__xfrm_policy_check(sk, dir, skb, family);
> 
>-static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
>-{
>-	return xfrm_policy_check(sk, dir, skb, AF_INET);
>-}
>+	if (ret)
>+		ret = security_skb_flow_in(skb, family);
> 
>-static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
>-{
>-	return xfrm_policy_check(sk, dir, skb, AF_INET6);
>+	return ret;
> }
> 
> extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family);
>@@ -771,19 +768,22 @@ static inline void xfrm_sk_free_policy(s
> static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
> static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }  
> static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 
>-static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
>-{ 
>-	return 1; 
>-} 
>+static inline int xfrm_policy_check(struct sock *sk, int dir,
>+		struct sk_buff *skb, unsigned short family)
>+{
>+	return security_skb_flow_in(skb, family);
>+}
>+#endif
>+
> static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
> {
>-	return 1;
>+	return xfrm_policy_check(sk, dir, skb, AF_INET);
> }
>-static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
>+
>+static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
> {
>-	return 1;
>+	return xfrm_policy_check(sk, dir, skb, AF_INET6);
> }
>-#endif
> 
> static __inline__
> xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
>--- linux-2.6.18.i686/net/dccp/ipv4.c	2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/net/dccp/ipv4.c	2007-07-24 14:05:52.000000000 -0500
>@@ -233,6 +233,8 @@ static void dccp_v4_reqsk_send_ack(struc
> 	dccp_hdr_set_ack(dccp_hdr_ack_bits(skb),
> 			 DCCP_SKB_CB(rxskb)->dccpd_seq);
> 
>+	security_req_classify_skb(req, skb);
>+
> 	bh_lock_sock(dccp_v4_ctl_socket->sk);
> 	err = ip_build_and_send_pkt(skb, dccp_v4_ctl_socket->sk,
> 				    rxskb->nh.iph->daddr,
>@@ -264,6 +266,7 @@ static int dccp_v4_send_response(struct 
> 		dh->dccph_checksum = dccp_v4_checksum(skb, ireq->loc_addr,
> 						      ireq->rmt_addr);
> 		memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
>+		security_req_classify_skb(req, skb);
> 		err = ip_build_and_send_pkt(skb, sk, ireq->loc_addr,
> 					    ireq->rmt_addr,
> 					    ireq->opt);
>@@ -746,6 +749,8 @@ static void dccp_v4_ctl_send_reset(struc
> 	dh->dccph_checksum = dccp_v4_checksum(skb, rxskb->nh.iph->saddr,
> 					      rxskb->nh.iph->daddr);
> 
>+	security_skb_classify_skb(rxskb, skb);
>+
> 	bh_lock_sock(dccp_v4_ctl_socket->sk);
> 	err = ip_build_and_send_pkt(skb, dccp_v4_ctl_socket->sk,
> 				    rxskb->nh.iph->daddr,
>--- linux-2.6.18.i686/net/ipv4/icmp.c	2007-06-26 16:18:17.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/icmp.c	2007-07-24 14:05:52.000000000 -0500
>@@ -389,6 +389,8 @@ static void icmp_reply(struct icmp_bxm *
> 	if (icmp_xmit_lock())
> 		return;
> 
>+	security_skb_classify_ipcm(skb, &ipc);
>+
> 	icmp_param->data.icmph.checksum = 0;
> 	icmp_out_count(icmp_param->data.icmph.type);
> 
>@@ -507,6 +509,8 @@ void icmp_send(struct sk_buff *skb_in, i
> 	if (icmp_xmit_lock())
> 		return;
> 
>+	security_skb_classify_ipcm(skb_in, &ipc);
>+
> 	/*
> 	 *	Construct source address and options.
> 	 */
>--- linux-2.6.18.i686/net/ipv4/igmp.c	2006-09-19 22:42:06.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/igmp.c	2007-07-24 14:05:52.000000000 -0500
>@@ -293,6 +293,8 @@ static struct sk_buff *igmpv3_newpack(st
> 	if (skb == NULL)
> 		return NULL;
> 
>+	security_igmp_classify_skb(skb);
>+
> 	{
> 		struct flowi fl = { .oif = dev->ifindex,
> 				    .nl_u = { .ip4_u = {
>@@ -658,6 +660,8 @@ static int igmp_send_report(struct in_de
> 		return -1;
> 	}
> 
>+	security_igmp_classify_skb(skb);
>+
> 	skb->dst = &rt->u.dst;
> 
> 	skb_reserve(skb, LL_RESERVED_SPACE(dev));
>--- linux-2.6.18.i686/net/ipv4/ip_output.c	2007-06-26 16:18:17.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/ip_output.c	2007-07-24 14:05:52.000000000 -0500
>@@ -340,6 +340,8 @@ packet_routed:
> 	if (opt && opt->is_strictroute && rt->rt_dst != rt->rt_gateway)
> 		goto no_route;
> 
>+	security_sk_classify_skb(sk, skb);
>+
> 	/* OK, we know where to send it, allocate and build IP header. */
> 	iph = (struct iphdr *) skb_push(skb, sizeof(struct iphdr) + (opt ? opt->optlen : 0));
> 	*((__u16 *)iph)	= htons((4 << 12) | (5 << 8) | (inet->tos & 0xff));
>@@ -927,6 +929,8 @@ alloc_new_skb:
> 			if (skb == NULL)
> 				goto error;
> 
>+			security_ipcm_classify_skb(ipc, skb);
>+
> 			/*
> 			 *	Fill in the control structures
> 			 */
>@@ -1123,6 +1127,8 @@ ssize_t	ip_append_page(struct sock *sk, 
> 				goto error;
> 			}
> 
>+			security_skb_classify_skb(skb_prev, skb);
>+
> 			/*
> 			 *	Fill in the control structures
> 			 */
>@@ -1350,6 +1356,8 @@ void ip_send_reply(struct sock *sk, stru
> 	daddr = ipc.addr = rt->rt_src;
> 	ipc.opt = NULL;
> 
>+	security_skb_classify_ipcm(skb, &ipc);
>+
> 	if (replyopts.opt.optlen) {
> 		ipc.opt = &replyopts.opt;
> 
>--- linux-2.6.18.i686/net/ipv4/raw.c	2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/raw.c	2007-07-24 14:05:52.000000000 -0500
>@@ -433,6 +433,8 @@ static int raw_sendmsg(struct kiocb *ioc
> 	ipc.opt = NULL;
> 	ipc.oif = sk->sk_bound_dev_if;
> 
>+	security_sk_classify_ipcm(sk, &ipc);
>+
> 	if (msg->msg_controllen) {
> 		err = ip_cmsg_send(msg, &ipc);
> 		if (err)
>--- linux-2.6.18.i686/net/ipv4/tcp_ipv4.c	2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/tcp_ipv4.c	2007-07-24 14:05:52.000000000 -0500
>@@ -658,6 +658,7 @@ static int tcp_v4_send_synack(struct soc
> 					 ireq->rmt_addr,
> 					 csum_partial((char *)th, skb->len,
> 						      skb->csum));
>+		security_req_classify_skb(req, skb);
> 
> 		err = ip_build_and_send_pkt(skb, sk, ireq->loc_addr,
> 					    ireq->rmt_addr,
>--- linux-2.6.18.i686/net/ipv4/udp.c	2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv4/udp.c	2007-07-24 14:05:52.000000000 -0500
>@@ -508,6 +508,8 @@ int udp_sendmsg(struct kiocb *iocb, stru
> 
> 	ipc.opt = NULL;
> 
>+	security_sk_classify_ipcm(sk, &ipc);
>+
> 	if (up->pending) {
> 		/*
> 		 * There are pending frames.
>--- linux-2.6.18.i686/net/ipv6/ip6_output.c	2007-06-26 16:18:19.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv6/ip6_output.c	2007-07-24 14:05:52.000000000 -0500
>@@ -170,6 +170,8 @@ int ip6_xmit(struct sock *sk, struct sk_
> 	int hlimit, tclass;
> 	u32 mtu;
> 
>+	security_flow_classify_skb(fl, skb);
>+
> 	if (opt) {
> 		int head_room;
> 
>@@ -1080,6 +1082,9 @@ alloc_new_skb:
> 			}
> 			if (skb == NULL)
> 				goto error;
>+
>+			security_flow_classify_skb(fl, skb);
>+
> 			/*
> 			 *	Fill in the control structures
> 			 */
>--- linux-2.6.18.i686/net/ipv6/netfilter/ip6t_REJECT.c	2007-06-26 16:18:17.000000000 -0500
>+++ linux-2.6.18.i686/net/ipv6/netfilter/ip6t_REJECT.c	2007-07-24 14:05:52.000000000 -0500
>@@ -128,6 +128,8 @@ static void send_reset(struct sk_buff *o
> 	ipv6_addr_copy(&ip6h->saddr, &oip6h->daddr);
> 	ipv6_addr_copy(&ip6h->daddr, &oip6h->saddr);
> 
>+	security_skb_classify_skb(oldskb, nskb);
>+
> 	tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
> 	/* Truncate to length (no data) */
> 	tcph->doff = sizeof(struct tcphdr)/4;
>--- linux-2.6.18.i686/net/xfrm/xfrm_policy.c	2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/net/xfrm/xfrm_policy.c	2007-07-24 14:05:52.000000000 -0500
>@@ -1209,6 +1209,9 @@ int __xfrm_route_forward(struct sk_buff 
> 	if (xfrm_decode_session(skb, &fl, family) < 0)
> 		return 0;
> 
>+	/* In case packet didn't use labeled-ipsec coming in */
>+	fl.secid = skb->secid;
>+
> 	return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
> }
> EXPORT_SYMBOL(__xfrm_route_forward);
>--- linux-2.6.18.i686/security/dummy.c	2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/security/dummy.c	2007-07-24 14:05:52.000000000 -0500
>@@ -813,6 +813,10 @@ static inline void dummy_sk_getsecid(str
> {
> }
> 
>+static inline void dummy_sk_classify_skb(struct sock *sk, struct sk_buff *skb)
>+{
>+}
>+
> static inline void dummy_sock_graft(struct sock* sk, struct socket *parent)
> {
> }
>@@ -837,6 +841,17 @@ static inline void dummy_req_classify_fl
> 			struct flowi *fl)
> {
> }
>+
>+static inline void dummy_igmp_classify_skb(struct sk_buff *skb)
>+{
>+}
>+
>+static inline int dummy_skb_flow_in(struct sk_buff *skb,
>+			unsigned short family)
>+{
>+	return -ENOENT;
>+}
>+
> #endif	/* CONFIG_SECURITY_NETWORK */
> 
> #ifdef CONFIG_SECURITY_NETWORK_XFRM
>@@ -1104,11 +1119,14 @@ void security_fixup_ops (struct security
> 	set_to_dummy_if_null(ops, sk_free_security);
> 	set_to_dummy_if_null(ops, sk_clone_security);
> 	set_to_dummy_if_null(ops, sk_getsecid);
>+	set_to_dummy_if_null(ops, sk_classify_skb);
> 	set_to_dummy_if_null(ops, sock_graft);
> 	set_to_dummy_if_null(ops, inet_conn_request);
> 	set_to_dummy_if_null(ops, inet_csk_clone);
> 	set_to_dummy_if_null(ops, inet_conn_established);
> 	set_to_dummy_if_null(ops, req_classify_flow);
>+	set_to_dummy_if_null(ops, igmp_classify_skb);
>+	set_to_dummy_if_null(ops, skb_flow_in);
>  #endif	/* CONFIG_SECURITY_NETWORK */
> #ifdef  CONFIG_SECURITY_NETWORK_XFRM
> 	set_to_dummy_if_null(ops, xfrm_policy_alloc_security);
>--- linux-2.6.18.i686/security/selinux/hooks.c	2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/security/selinux/hooks.c	2007-07-24 14:05:52.000000000 -0500
>@@ -3521,9 +3521,28 @@ static int selinux_socket_sock_rcv_skb(s
> 	if (selinux_compat_net)
> 		err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
> 						  addrp, len);
>-	else
>+	else {
>+		u32 recv_perm;
>+
> 		err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
> 				   PACKET__RECV, &ad);
>+		if (err)
>+			goto out;
>+
>+		switch (sksec->sclass) {
>+		case SECCLASS_UDP_SOCKET:
>+			recv_perm = UDP_SOCKET__RECVFROM;
>+			break;
>+		case SECCLASS_TCP_SOCKET:
>+			recv_perm = TCP_SOCKET__RECVFROM;
>+			break;
>+		default:
>+			recv_perm = RAWIP_SOCKET__RECVFROM;
>+		}
>+
>+		err = avc_has_perm(sksec->sid, skb->secid, sksec->sclass,
>+				   recv_perm, &ad);
>+	}
> 	if (err)
> 		goto out;
> 
>@@ -3631,6 +3650,13 @@ static void selinux_sk_getsecid(struct s
> 	}
> }
> 
>+static void selinux_sk_classify_skb(struct sock *sk, struct sk_buff *skb)
>+{
>+	struct sk_security_struct *sksec = sk->sk_security;
>+
>+	skb->secid = sksec->sid;
>+}
>+
> void selinux_sock_graft(struct sock* sk, struct socket *parent)
> {
> 	struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
>@@ -3696,6 +3722,62 @@ void selinux_req_classify_flow(const str
> 	fl->secid = req->secid;
> }
> 
>+void selinux_igmp_classify_skb(struct sk_buff *skb)
>+{
>+	skb->secid = SECINITSID_IGMP_PACKET;
>+}
>+
>+static int selinux_skb_flow_in(struct sk_buff *skb, unsigned short family)
>+{
>+	u32 if_sid;
>+	int err;
>+	struct avc_audit_data ad;
>+	char *addrp;
>+	int len;
>+
>+	if (selinux_compat_net)
>+		return 1;
>+
>+	if (!skb->dev) {
>+		err = -EACCES;
>+		goto out;
>+	}
>+
>+	AVC_AUDIT_DATA_INIT(&ad, NET);
>+	ad.u.net.netif = skb->dev->name;
>+	ad.u.net.family = family;
>+	err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
>+	if (err)
>+		goto out;
>+
>+	if (skb->dev != &loopback_dev) { /* Non-localhost packet */
>+		err = selinux_xfrm_decode_session(skb, &skb->secid, 0);
>+		BUG_ON(err);
>+	}
>+
>+	if (skb->secid) { /* localhost or IPSEC packet */
>+		err = avc_has_perm(skb->secid,
>+					skb->secmark? : SECINITSID_NETMSG,
>+					SECCLASS_PACKET, PACKET__FLOW_IN, &ad);
>+		if (err)
>+			goto out;
>+	} else { /* unlabeled packet */
>+		skb->secid = skb->secmark;
>+	}
>+
>+	/* See if skb can flow in thru the interface */
>+	err = sel_netif_sids(skb->dev, &if_sid, NULL);
>+	if (err)
>+		goto out;
>+
>+	err = avc_has_perm(skb->secid, if_sid,
>+					SECCLASS_NETIF,
>+					NETIF__FLOW_IN, &ad);
>+
>+out:
>+	return err ? 0 : 1;
>+};
>+
> static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
> {
> 	int err = 0;
>@@ -3822,12 +3904,7 @@ static unsigned int selinux_ip_postroute
> 	struct net_device *dev = (struct net_device *)out;
> 	struct sk_security_struct *sksec;
> 	u8 proto;
>-
>-	sk = skb->sk;
>-	if (!sk)
>-		goto out;
>-
>-	sksec = sk->sk_security;
>+	u32 if_sid;
> 
> 	AVC_AUDIT_DATA_INIT(&ad, NET);
> 	ad.u.net.netif = dev->name;
>@@ -3837,17 +3914,46 @@ static unsigned int selinux_ip_postroute
> 	if (err)
> 		goto out;
> 
>+	sk = skb->sk;
>+	if (!sk)
>+		goto flow_check;
>+
>+	sksec = sk->sk_security;
>+
> 	if (selinux_compat_net)
> 		err = selinux_ip_postroute_last_compat(sk, dev, &ad,
> 						       family, addrp, len);
>-	else
>+	else {
>+		if (!skb->secid)
>+			skb->secid = sksec->sid;
>+
> 		err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
> 				   PACKET__SEND, &ad);
>+		if (err)
>+			goto out;
>+	}
> 
>+	err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
> 	if (err)
> 		goto out;
> 
>-	err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
>+flow_check:
>+	if (!selinux_compat_net) {
>+		err = avc_has_perm(skb->secid, skb->secmark, SECCLASS_PACKET,
>+				   PACKET__FLOW_OUT, &ad);
>+		if (err)
>+			goto out;
>+	
>+		err = sel_netif_sids(dev, &if_sid, NULL);
>+		if (err)
>+			goto out;
>+
>+		err = avc_has_perm(skb->secid, if_sid, SECCLASS_NETIF,
>+				   NETIF__FLOW_OUT, &ad);
>+		if (err)
>+			goto out;
>+	}
>+
> out:
> 	return err ? NF_DROP : NF_ACCEPT;
> }
>@@ -4761,11 +4867,14 @@ static struct security_operations selinu
> 	.sk_free_security =		selinux_sk_free_security,
> 	.sk_clone_security =		selinux_sk_clone_security,
> 	.sk_getsecid = 			selinux_sk_getsecid,
>+	.sk_classify_skb = 		selinux_sk_classify_skb,
> 	.sock_graft =			selinux_sock_graft,
> 	.inet_conn_request =		selinux_inet_conn_request,
> 	.inet_csk_clone =		selinux_inet_csk_clone,
> 	.inet_conn_established =	selinux_inet_conn_established,
> 	.req_classify_flow =		selinux_req_classify_flow,
>+	.igmp_classify_skb =		selinux_igmp_classify_skb,
>+	.skb_flow_in =			selinux_skb_flow_in,
> 
> #ifdef CONFIG_SECURITY_NETWORK_XFRM
> 	.xfrm_policy_alloc_security =	selinux_xfrm_policy_alloc,
>--- linux-2.6.18.i686/security/selinux/include/av_permissions.h	2007-06-26 16:18:17.000000000 -0500
>+++ linux-2.6.18.i686/security/selinux/include/av_permissions.h	2007-07-24 14:05:52.000000000 -0500
>@@ -319,6 +319,8 @@
> #define NETIF__UDP_SEND                           0x00000008UL
> #define NETIF__RAWIP_RECV                         0x00000010UL
> #define NETIF__RAWIP_SEND                         0x00000020UL
>+#define NETIF__FLOW_IN                            0x00000040UL
>+#define NETIF__FLOW_OUT                           0x00000080UL
> 
> #define NETLINK_SOCKET__IOCTL                     0x00000001UL
> #define NETLINK_SOCKET__READ                      0x00000002UL
>@@ -962,6 +964,8 @@
> #define PACKET__SEND                              0x00000001UL
> #define PACKET__RECV                              0x00000002UL
> #define PACKET__RELABELTO                         0x00000004UL
>+#define PACKET__FLOW_IN                           0x00000008UL
>+#define PACKET__FLOW_OUT                          0x00000010UL
> 
> #define KEY__VIEW                                 0x00000001UL
> #define KEY__READ                                 0x00000002UL
>--- linux-2.6.18.i686/security/selinux/include/av_perm_to_string.h	2007-06-26 16:18:17.000000000 -0500
>+++ linux-2.6.18.i686/security/selinux/include/av_perm_to_string.h	2007-07-24 14:05:52.000000000 -0500
>@@ -41,6 +41,8 @@
>    S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
>    S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
>    S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
>+   S_(SECCLASS_NETIF, NETIF__FLOW_IN, "flow_in")
>+   S_(SECCLASS_NETIF, NETIF__FLOW_OUT, "flow_out")
>    S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
>    S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
>    S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
>@@ -245,6 +247,8 @@
>    S_(SECCLASS_PACKET, PACKET__SEND, "send")
>    S_(SECCLASS_PACKET, PACKET__RECV, "recv")
>    S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
>+   S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
>+   S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
>    S_(SECCLASS_KEY, KEY__VIEW, "view")
>    S_(SECCLASS_KEY, KEY__READ, "read")
>    S_(SECCLASS_KEY, KEY__WRITE, "write")
>--- linux-2.6.18.i686/security/selinux/ss/services.c	2007-06-26 16:18:24.000000000 -0500
>+++ linux-2.6.18.i686/security/selinux/ss/services.c	2007-07-24 14:05:52.000000000 -0500
>@@ -2166,6 +2166,11 @@ void security_skb_extlbl_sid(struct sk_b
> 	u32 xfrm_sid;
> 	u32 nlbl_sid;
> 
>+	if (skb->secid) {
>+		*sid = skb->secid;
>+		return;
>+	}
>+
> 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
> 	if (selinux_netlbl_skbuff_getsid(skb,
> 					 (xfrm_sid == SECSID_NULL ?

Actions: View

Attachments on bug 382721: 258251 | 258331 | 258341 | 258351