]>
Commit | Line | Data |
---|---|---|
5778eabd PM |
1 | /* |
2 | * SELinux NetLabel Support | |
3 | * | |
4 | * This file provides the necessary glue to tie NetLabel into the SELinux | |
5 | * subsystem. | |
6 | * | |
7 | * Author: Paul Moore <paul.moore@hp.com> | |
8 | * | |
9 | */ | |
10 | ||
11 | /* | |
12 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2007 | |
13 | * | |
14 | * This program is free software; you can redistribute it and/or modify | |
15 | * it under the terms of the GNU General Public License as published by | |
16 | * the Free Software Foundation; either version 2 of the License, or | |
17 | * (at your option) any later version. | |
18 | * | |
19 | * This program is distributed in the hope that it will be useful, | |
20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See | |
22 | * the GNU General Public License for more details. | |
23 | * | |
24 | * You should have received a copy of the GNU General Public License | |
25 | * along with this program; if not, write to the Free Software | |
26 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
27 | * | |
28 | */ | |
29 | ||
30 | #include <linux/spinlock.h> | |
31 | #include <linux/rcupdate.h> | |
32 | #include <net/sock.h> | |
33 | #include <net/netlabel.h> | |
34 | ||
35 | #include "objsec.h" | |
36 | #include "security.h" | |
37 | ||
5dbe1eb0 PM |
38 | /** |
39 | * selinux_netlbl_sidlookup_cached - Cache a SID lookup | |
40 | * @skb: the packet | |
41 | * @secattr: the NetLabel security attributes | |
42 | * @sid: the SID | |
43 | * | |
44 | * Description: | |
45 | * Query the SELinux security server to lookup the correct SID for the given | |
46 | * security attributes. If the query is successful, cache the result to speed | |
47 | * up future lookups. Returns zero on success, negative values on failure. | |
48 | * | |
49 | */ | |
50 | static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, | |
51 | struct netlbl_lsm_secattr *secattr, | |
52 | u32 *sid) | |
53 | { | |
54 | int rc; | |
55 | ||
56 | rc = security_netlbl_secattr_to_sid(secattr, sid); | |
57 | if (rc == 0 && | |
58 | (secattr->flags & NETLBL_SECATTR_CACHEABLE) && | |
59 | (secattr->flags & NETLBL_SECATTR_CACHE)) | |
60 | netlbl_cache_add(skb, secattr); | |
61 | ||
62 | return rc; | |
63 | } | |
64 | ||
5778eabd | 65 | /** |
ba6ff9f2 PM |
66 | * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism |
67 | * @sk: the socket to label | |
5778eabd PM |
68 | * @sid: the SID to use |
69 | * | |
70 | * Description: | |
71 | * Attempt to label a socket using the NetLabel mechanism using the given | |
72 | * SID. Returns zero values on success, negative values on failure. The | |
73 | * caller is responsibile for calling rcu_read_lock() before calling this | |
74 | * this function and rcu_read_unlock() after this function returns. | |
75 | * | |
76 | */ | |
ba6ff9f2 | 77 | static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid) |
5778eabd PM |
78 | { |
79 | int rc; | |
ba6ff9f2 | 80 | struct sk_security_struct *sksec = sk->sk_security; |
5778eabd PM |
81 | struct netlbl_lsm_secattr secattr; |
82 | ||
45c950e0 PM |
83 | netlbl_secattr_init(&secattr); |
84 | ||
5778eabd PM |
85 | rc = security_netlbl_sid_to_secattr(sid, &secattr); |
86 | if (rc != 0) | |
45c950e0 | 87 | goto sock_setsid_return; |
ba6ff9f2 | 88 | rc = netlbl_sock_setattr(sk, &secattr); |
5778eabd PM |
89 | if (rc == 0) { |
90 | spin_lock_bh(&sksec->nlbl_lock); | |
91 | sksec->nlbl_state = NLBL_LABELED; | |
92 | spin_unlock_bh(&sksec->nlbl_lock); | |
93 | } | |
94 | ||
45c950e0 PM |
95 | sock_setsid_return: |
96 | netlbl_secattr_destroy(&secattr); | |
5778eabd PM |
97 | return rc; |
98 | } | |
99 | ||
100 | /** | |
101 | * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache | |
102 | * | |
103 | * Description: | |
104 | * Invalidate the NetLabel security attribute mapping cache. | |
105 | * | |
106 | */ | |
107 | void selinux_netlbl_cache_invalidate(void) | |
108 | { | |
109 | netlbl_cache_invalidate(); | |
110 | } | |
111 | ||
112 | /** | |
113 | * selinux_netlbl_sk_security_reset - Reset the NetLabel fields | |
114 | * @ssec: the sk_security_struct | |
115 | * @family: the socket family | |
116 | * | |
117 | * Description: | |
118 | * Called when the NetLabel state of a sk_security_struct needs to be reset. | |
119 | * The caller is responsibile for all the NetLabel sk_security_struct locking. | |
120 | * | |
121 | */ | |
122 | void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, | |
123 | int family) | |
124 | { | |
125 | if (family == PF_INET) | |
126 | ssec->nlbl_state = NLBL_REQUIRE; | |
127 | else | |
128 | ssec->nlbl_state = NLBL_UNSET; | |
129 | } | |
130 | ||
131 | /** | |
132 | * selinux_netlbl_sk_security_init - Setup the NetLabel fields | |
133 | * @ssec: the sk_security_struct | |
134 | * @family: the socket family | |
135 | * | |
136 | * Description: | |
137 | * Called when a new sk_security_struct is allocated to initialize the NetLabel | |
138 | * fields. | |
139 | * | |
140 | */ | |
141 | void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec, | |
142 | int family) | |
143 | { | |
144 | /* No locking needed, we are the only one who has access to ssec */ | |
145 | selinux_netlbl_sk_security_reset(ssec, family); | |
146 | spin_lock_init(&ssec->nlbl_lock); | |
147 | } | |
148 | ||
149 | /** | |
150 | * selinux_netlbl_sk_security_clone - Copy the NetLabel fields | |
151 | * @ssec: the original sk_security_struct | |
152 | * @newssec: the cloned sk_security_struct | |
153 | * | |
154 | * Description: | |
155 | * Clone the NetLabel specific sk_security_struct fields from @ssec to | |
156 | * @newssec. | |
157 | * | |
158 | */ | |
159 | void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, | |
160 | struct sk_security_struct *newssec) | |
161 | { | |
162 | /* We don't need to take newssec->nlbl_lock because we are the only | |
163 | * thread with access to newssec, but we do need to take the RCU read | |
164 | * lock as other threads could have access to ssec */ | |
165 | rcu_read_lock(); | |
166 | selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family); | |
5778eabd PM |
167 | rcu_read_unlock(); |
168 | } | |
169 | ||
170 | /** | |
171 | * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel | |
172 | * @skb: the packet | |
75e22910 | 173 | * @family: protocol family |
220deb96 | 174 | * @type: NetLabel labeling protocol type |
5778eabd PM |
175 | * @sid: the SID |
176 | * | |
177 | * Description: | |
178 | * Call the NetLabel mechanism to get the security attributes of the given | |
179 | * packet and use those attributes to determine the correct context/SID to | |
180 | * assign to the packet. Returns zero on success, negative values on failure. | |
181 | * | |
182 | */ | |
75e22910 PM |
183 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, |
184 | u16 family, | |
220deb96 | 185 | u32 *type, |
75e22910 | 186 | u32 *sid) |
5778eabd PM |
187 | { |
188 | int rc; | |
189 | struct netlbl_lsm_secattr secattr; | |
190 | ||
23bcdc1a PM |
191 | if (!netlbl_enabled()) { |
192 | *sid = SECSID_NULL; | |
193 | return 0; | |
194 | } | |
195 | ||
5778eabd | 196 | netlbl_secattr_init(&secattr); |
75e22910 | 197 | rc = netlbl_skbuff_getattr(skb, family, &secattr); |
5dbe1eb0 PM |
198 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
199 | rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid); | |
200 | else | |
5778eabd | 201 | *sid = SECSID_NULL; |
220deb96 | 202 | *type = secattr.type; |
5778eabd PM |
203 | netlbl_secattr_destroy(&secattr); |
204 | ||
205 | return rc; | |
206 | } | |
207 | ||
208 | /** | |
209 | * selinux_netlbl_sock_graft - Netlabel the new socket | |
210 | * @sk: the new connection | |
211 | * @sock: the new socket | |
212 | * | |
213 | * Description: | |
214 | * The connection represented by @sk is being grafted onto @sock so set the | |
215 | * socket's NetLabel to match the SID of @sk. | |
216 | * | |
217 | */ | |
218 | void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) | |
219 | { | |
5778eabd PM |
220 | struct sk_security_struct *sksec = sk->sk_security; |
221 | struct netlbl_lsm_secattr secattr; | |
222 | u32 nlbl_peer_sid; | |
223 | ||
5778eabd PM |
224 | rcu_read_lock(); |
225 | ||
226 | if (sksec->nlbl_state != NLBL_REQUIRE) { | |
227 | rcu_read_unlock(); | |
228 | return; | |
229 | } | |
230 | ||
231 | netlbl_secattr_init(&secattr); | |
232 | if (netlbl_sock_getattr(sk, &secattr) == 0 && | |
233 | secattr.flags != NETLBL_SECATTR_NONE && | |
5dbe1eb0 | 234 | security_netlbl_secattr_to_sid(&secattr, &nlbl_peer_sid) == 0) |
5778eabd PM |
235 | sksec->peer_sid = nlbl_peer_sid; |
236 | netlbl_secattr_destroy(&secattr); | |
237 | ||
238 | /* Try to set the NetLabel on the socket to save time later, if we fail | |
239 | * here we will pick up the pieces in later calls to | |
240 | * selinux_netlbl_inode_permission(). */ | |
ba6ff9f2 | 241 | selinux_netlbl_sock_setsid(sk, sksec->sid); |
5778eabd PM |
242 | |
243 | rcu_read_unlock(); | |
244 | } | |
245 | ||
246 | /** | |
247 | * selinux_netlbl_socket_post_create - Label a socket using NetLabel | |
248 | * @sock: the socket to label | |
249 | * | |
250 | * Description: | |
251 | * Attempt to label a socket using the NetLabel mechanism using the given | |
252 | * SID. Returns zero values on success, negative values on failure. | |
253 | * | |
254 | */ | |
255 | int selinux_netlbl_socket_post_create(struct socket *sock) | |
256 | { | |
257 | int rc = 0; | |
ba6ff9f2 | 258 | struct sock *sk = sock->sk; |
ba6ff9f2 | 259 | struct sk_security_struct *sksec = sk->sk_security; |
5778eabd | 260 | |
5778eabd PM |
261 | rcu_read_lock(); |
262 | if (sksec->nlbl_state == NLBL_REQUIRE) | |
ba6ff9f2 | 263 | rc = selinux_netlbl_sock_setsid(sk, sksec->sid); |
5778eabd PM |
264 | rcu_read_unlock(); |
265 | ||
266 | return rc; | |
267 | } | |
268 | ||
269 | /** | |
270 | * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled | |
271 | * @inode: the file descriptor's inode | |
272 | * @mask: the permission mask | |
273 | * | |
274 | * Description: | |
275 | * Looks at a file's inode and if it is marked as a socket protected by | |
276 | * NetLabel then verify that the socket has been labeled, if not try to label | |
277 | * the socket now with the inode's SID. Returns zero on success, negative | |
278 | * values on failure. | |
279 | * | |
280 | */ | |
281 | int selinux_netlbl_inode_permission(struct inode *inode, int mask) | |
282 | { | |
283 | int rc; | |
ba6ff9f2 | 284 | struct sock *sk; |
5778eabd | 285 | struct socket *sock; |
ba6ff9f2 | 286 | struct sk_security_struct *sksec; |
5778eabd PM |
287 | |
288 | if (!S_ISSOCK(inode->i_mode) || | |
289 | ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) | |
290 | return 0; | |
291 | sock = SOCKET_I(inode); | |
ba6ff9f2 PM |
292 | sk = sock->sk; |
293 | sksec = sk->sk_security; | |
5778eabd PM |
294 | |
295 | rcu_read_lock(); | |
296 | if (sksec->nlbl_state != NLBL_REQUIRE) { | |
297 | rcu_read_unlock(); | |
298 | return 0; | |
299 | } | |
300 | local_bh_disable(); | |
ba6ff9f2 PM |
301 | bh_lock_sock_nested(sk); |
302 | rc = selinux_netlbl_sock_setsid(sk, sksec->sid); | |
303 | bh_unlock_sock(sk); | |
5778eabd PM |
304 | local_bh_enable(); |
305 | rcu_read_unlock(); | |
306 | ||
307 | return rc; | |
308 | } | |
309 | ||
310 | /** | |
311 | * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel | |
312 | * @sksec: the sock's sk_security_struct | |
313 | * @skb: the packet | |
75e22910 | 314 | * @family: protocol family |
5778eabd PM |
315 | * @ad: the audit data |
316 | * | |
317 | * Description: | |
318 | * Fetch the NetLabel security attributes from @skb and perform an access check | |
319 | * against the receiving socket. Returns zero on success, negative values on | |
320 | * error. | |
321 | * | |
322 | */ | |
323 | int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, | |
324 | struct sk_buff *skb, | |
75e22910 | 325 | u16 family, |
5778eabd PM |
326 | struct avc_audit_data *ad) |
327 | { | |
328 | int rc; | |
f36158c4 PM |
329 | u32 nlbl_sid; |
330 | u32 perm; | |
331 | struct netlbl_lsm_secattr secattr; | |
5778eabd | 332 | |
23bcdc1a PM |
333 | if (!netlbl_enabled()) |
334 | return 0; | |
335 | ||
f36158c4 | 336 | netlbl_secattr_init(&secattr); |
75e22910 | 337 | rc = netlbl_skbuff_getattr(skb, family, &secattr); |
5dbe1eb0 PM |
338 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
339 | rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid); | |
340 | else | |
f36158c4 PM |
341 | nlbl_sid = SECINITSID_UNLABELED; |
342 | netlbl_secattr_destroy(&secattr); | |
5778eabd PM |
343 | if (rc != 0) |
344 | return rc; | |
8d9107e8 | 345 | |
5778eabd PM |
346 | switch (sksec->sclass) { |
347 | case SECCLASS_UDP_SOCKET: | |
f36158c4 | 348 | perm = UDP_SOCKET__RECVFROM; |
5778eabd PM |
349 | break; |
350 | case SECCLASS_TCP_SOCKET: | |
f36158c4 | 351 | perm = TCP_SOCKET__RECVFROM; |
5778eabd PM |
352 | break; |
353 | default: | |
f36158c4 | 354 | perm = RAWIP_SOCKET__RECVFROM; |
5778eabd PM |
355 | } |
356 | ||
f36158c4 | 357 | rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad); |
5778eabd PM |
358 | if (rc == 0) |
359 | return 0; | |
360 | ||
f36158c4 PM |
361 | if (nlbl_sid != SECINITSID_UNLABELED) |
362 | netlbl_skbuff_err(skb, rc); | |
5778eabd PM |
363 | return rc; |
364 | } | |
365 | ||
366 | /** | |
367 | * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel | |
368 | * @sock: the socket | |
369 | * @level: the socket level or protocol | |
370 | * @optname: the socket option name | |
371 | * | |
372 | * Description: | |
373 | * Check the setsockopt() call and if the user is trying to replace the IP | |
374 | * options on a socket and a NetLabel is in place for the socket deny the | |
375 | * access; otherwise allow the access. Returns zero when the access is | |
376 | * allowed, -EACCES when denied, and other negative values on error. | |
377 | * | |
378 | */ | |
379 | int selinux_netlbl_socket_setsockopt(struct socket *sock, | |
380 | int level, | |
381 | int optname) | |
382 | { | |
383 | int rc = 0; | |
ba6ff9f2 PM |
384 | struct sock *sk = sock->sk; |
385 | struct sk_security_struct *sksec = sk->sk_security; | |
5778eabd PM |
386 | struct netlbl_lsm_secattr secattr; |
387 | ||
388 | rcu_read_lock(); | |
389 | if (level == IPPROTO_IP && optname == IP_OPTIONS && | |
390 | sksec->nlbl_state == NLBL_LABELED) { | |
391 | netlbl_secattr_init(&secattr); | |
ba6ff9f2 PM |
392 | lock_sock(sk); |
393 | rc = netlbl_sock_getattr(sk, &secattr); | |
394 | release_sock(sk); | |
5778eabd PM |
395 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
396 | rc = -EACCES; | |
397 | netlbl_secattr_destroy(&secattr); | |
398 | } | |
399 | rcu_read_unlock(); | |
400 | ||
401 | return rc; | |
402 | } |