]>
Commit | Line | Data |
---|---|---|
5778eabd PM |
1 | /* |
2 | * SELinux NetLabel Support | |
3 | * | |
4 | * This file provides the necessary glue to tie NetLabel into the SELinux | |
5 | * subsystem. | |
6 | * | |
7 | * Author: Paul Moore <paul.moore@hp.com> | |
8 | * | |
9 | */ | |
10 | ||
11 | /* | |
12 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2007 | |
13 | * | |
14 | * This program is free software; you can redistribute it and/or modify | |
15 | * it under the terms of the GNU General Public License as published by | |
16 | * the Free Software Foundation; either version 2 of the License, or | |
17 | * (at your option) any later version. | |
18 | * | |
19 | * This program is distributed in the hope that it will be useful, | |
20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See | |
22 | * the GNU General Public License for more details. | |
23 | * | |
24 | * You should have received a copy of the GNU General Public License | |
25 | * along with this program; if not, write to the Free Software | |
26 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
27 | * | |
28 | */ | |
29 | ||
30 | #include <linux/spinlock.h> | |
31 | #include <linux/rcupdate.h> | |
32 | #include <net/sock.h> | |
33 | #include <net/netlabel.h> | |
34 | ||
35 | #include "objsec.h" | |
36 | #include "security.h" | |
d4ee4231 | 37 | #include "netlabel.h" |
5778eabd | 38 | |
5dbe1eb0 PM |
39 | /** |
40 | * selinux_netlbl_sidlookup_cached - Cache a SID lookup | |
41 | * @skb: the packet | |
42 | * @secattr: the NetLabel security attributes | |
43 | * @sid: the SID | |
44 | * | |
45 | * Description: | |
46 | * Query the SELinux security server to lookup the correct SID for the given | |
47 | * security attributes. If the query is successful, cache the result to speed | |
48 | * up future lookups. Returns zero on success, negative values on failure. | |
49 | * | |
50 | */ | |
51 | static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, | |
52 | struct netlbl_lsm_secattr *secattr, | |
53 | u32 *sid) | |
54 | { | |
55 | int rc; | |
56 | ||
57 | rc = security_netlbl_secattr_to_sid(secattr, sid); | |
58 | if (rc == 0 && | |
59 | (secattr->flags & NETLBL_SECATTR_CACHEABLE) && | |
60 | (secattr->flags & NETLBL_SECATTR_CACHE)) | |
61 | netlbl_cache_add(skb, secattr); | |
62 | ||
63 | return rc; | |
64 | } | |
65 | ||
5778eabd | 66 | /** |
ba6ff9f2 PM |
67 | * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism |
68 | * @sk: the socket to label | |
5778eabd PM |
69 | * |
70 | * Description: | |
accc6093 PM |
71 | * Attempt to label a socket using the NetLabel mechanism. Returns zero values |
72 | * on success, negative values on failure. | |
5778eabd PM |
73 | * |
74 | */ | |
accc6093 | 75 | static int selinux_netlbl_sock_setsid(struct sock *sk) |
5778eabd PM |
76 | { |
77 | int rc; | |
ba6ff9f2 | 78 | struct sk_security_struct *sksec = sk->sk_security; |
5778eabd PM |
79 | struct netlbl_lsm_secattr secattr; |
80 | ||
accc6093 PM |
81 | if (sksec->nlbl_state != NLBL_REQUIRE) |
82 | return 0; | |
83 | ||
45c950e0 PM |
84 | netlbl_secattr_init(&secattr); |
85 | ||
accc6093 | 86 | rc = security_netlbl_sid_to_secattr(sksec->sid, &secattr); |
5778eabd | 87 | if (rc != 0) |
45c950e0 | 88 | goto sock_setsid_return; |
ba6ff9f2 | 89 | rc = netlbl_sock_setattr(sk, &secattr); |
f74af6e8 | 90 | if (rc == 0) |
5778eabd | 91 | sksec->nlbl_state = NLBL_LABELED; |
5778eabd | 92 | |
45c950e0 PM |
93 | sock_setsid_return: |
94 | netlbl_secattr_destroy(&secattr); | |
5778eabd PM |
95 | return rc; |
96 | } | |
97 | ||
98 | /** | |
99 | * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache | |
100 | * | |
101 | * Description: | |
102 | * Invalidate the NetLabel security attribute mapping cache. | |
103 | * | |
104 | */ | |
105 | void selinux_netlbl_cache_invalidate(void) | |
106 | { | |
107 | netlbl_cache_invalidate(); | |
108 | } | |
109 | ||
dfaebe98 PM |
110 | /** |
111 | * selinux_netlbl_err - Handle a NetLabel packet error | |
112 | * @skb: the packet | |
113 | * @error: the error code | |
114 | * @gateway: true if host is acting as a gateway, false otherwise | |
115 | * | |
116 | * Description: | |
117 | * When a packet is dropped due to a call to avc_has_perm() pass the error | |
118 | * code to the NetLabel subsystem so any protocol specific processing can be | |
119 | * done. This is safe to call even if you are unsure if NetLabel labeling is | |
120 | * present on the packet, NetLabel is smart enough to only act when it should. | |
121 | * | |
122 | */ | |
123 | void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway) | |
124 | { | |
125 | netlbl_skbuff_err(skb, error, gateway); | |
126 | } | |
127 | ||
5778eabd PM |
128 | /** |
129 | * selinux_netlbl_sk_security_reset - Reset the NetLabel fields | |
130 | * @ssec: the sk_security_struct | |
131 | * @family: the socket family | |
132 | * | |
133 | * Description: | |
134 | * Called when the NetLabel state of a sk_security_struct needs to be reset. | |
135 | * The caller is responsibile for all the NetLabel sk_security_struct locking. | |
136 | * | |
137 | */ | |
138 | void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, | |
139 | int family) | |
140 | { | |
a6aaafee | 141 | if (family == PF_INET) |
5778eabd PM |
142 | ssec->nlbl_state = NLBL_REQUIRE; |
143 | else | |
144 | ssec->nlbl_state = NLBL_UNSET; | |
145 | } | |
146 | ||
5778eabd PM |
147 | /** |
148 | * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel | |
149 | * @skb: the packet | |
75e22910 | 150 | * @family: protocol family |
220deb96 | 151 | * @type: NetLabel labeling protocol type |
5778eabd PM |
152 | * @sid: the SID |
153 | * | |
154 | * Description: | |
155 | * Call the NetLabel mechanism to get the security attributes of the given | |
156 | * packet and use those attributes to determine the correct context/SID to | |
157 | * assign to the packet. Returns zero on success, negative values on failure. | |
158 | * | |
159 | */ | |
75e22910 PM |
160 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, |
161 | u16 family, | |
220deb96 | 162 | u32 *type, |
75e22910 | 163 | u32 *sid) |
5778eabd PM |
164 | { |
165 | int rc; | |
166 | struct netlbl_lsm_secattr secattr; | |
167 | ||
23bcdc1a PM |
168 | if (!netlbl_enabled()) { |
169 | *sid = SECSID_NULL; | |
170 | return 0; | |
171 | } | |
172 | ||
5778eabd | 173 | netlbl_secattr_init(&secattr); |
75e22910 | 174 | rc = netlbl_skbuff_getattr(skb, family, &secattr); |
5dbe1eb0 PM |
175 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
176 | rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid); | |
177 | else | |
5778eabd | 178 | *sid = SECSID_NULL; |
220deb96 | 179 | *type = secattr.type; |
5778eabd PM |
180 | netlbl_secattr_destroy(&secattr); |
181 | ||
182 | return rc; | |
183 | } | |
184 | ||
185 | /** | |
186 | * selinux_netlbl_sock_graft - Netlabel the new socket | |
187 | * @sk: the new connection | |
188 | * @sock: the new socket | |
189 | * | |
190 | * Description: | |
191 | * The connection represented by @sk is being grafted onto @sock so set the | |
192 | * socket's NetLabel to match the SID of @sk. | |
193 | * | |
194 | */ | |
195 | void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) | |
196 | { | |
5778eabd PM |
197 | /* Try to set the NetLabel on the socket to save time later, if we fail |
198 | * here we will pick up the pieces in later calls to | |
199 | * selinux_netlbl_inode_permission(). */ | |
accc6093 | 200 | selinux_netlbl_sock_setsid(sk); |
5778eabd PM |
201 | } |
202 | ||
203 | /** | |
204 | * selinux_netlbl_socket_post_create - Label a socket using NetLabel | |
205 | * @sock: the socket to label | |
206 | * | |
207 | * Description: | |
208 | * Attempt to label a socket using the NetLabel mechanism using the given | |
209 | * SID. Returns zero values on success, negative values on failure. | |
210 | * | |
211 | */ | |
212 | int selinux_netlbl_socket_post_create(struct socket *sock) | |
213 | { | |
accc6093 | 214 | return selinux_netlbl_sock_setsid(sock->sk); |
5778eabd PM |
215 | } |
216 | ||
217 | /** | |
218 | * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled | |
219 | * @inode: the file descriptor's inode | |
220 | * @mask: the permission mask | |
221 | * | |
222 | * Description: | |
223 | * Looks at a file's inode and if it is marked as a socket protected by | |
224 | * NetLabel then verify that the socket has been labeled, if not try to label | |
225 | * the socket now with the inode's SID. Returns zero on success, negative | |
226 | * values on failure. | |
227 | * | |
228 | */ | |
229 | int selinux_netlbl_inode_permission(struct inode *inode, int mask) | |
230 | { | |
231 | int rc; | |
ba6ff9f2 | 232 | struct sock *sk; |
5778eabd | 233 | struct socket *sock; |
ba6ff9f2 | 234 | struct sk_security_struct *sksec; |
5778eabd PM |
235 | |
236 | if (!S_ISSOCK(inode->i_mode) || | |
237 | ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) | |
238 | return 0; | |
f74af6e8 | 239 | |
5778eabd | 240 | sock = SOCKET_I(inode); |
ba6ff9f2 PM |
241 | sk = sock->sk; |
242 | sksec = sk->sk_security; | |
f74af6e8 | 243 | if (sksec->nlbl_state != NLBL_REQUIRE) |
5778eabd | 244 | return 0; |
f74af6e8 | 245 | |
5778eabd | 246 | local_bh_disable(); |
ba6ff9f2 | 247 | bh_lock_sock_nested(sk); |
f74af6e8 | 248 | if (likely(sksec->nlbl_state == NLBL_REQUIRE)) |
accc6093 | 249 | rc = selinux_netlbl_sock_setsid(sk); |
f74af6e8 PM |
250 | else |
251 | rc = 0; | |
ba6ff9f2 | 252 | bh_unlock_sock(sk); |
5778eabd | 253 | local_bh_enable(); |
5778eabd PM |
254 | |
255 | return rc; | |
256 | } | |
257 | ||
258 | /** | |
259 | * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel | |
260 | * @sksec: the sock's sk_security_struct | |
261 | * @skb: the packet | |
75e22910 | 262 | * @family: protocol family |
5778eabd PM |
263 | * @ad: the audit data |
264 | * | |
265 | * Description: | |
266 | * Fetch the NetLabel security attributes from @skb and perform an access check | |
267 | * against the receiving socket. Returns zero on success, negative values on | |
268 | * error. | |
269 | * | |
270 | */ | |
271 | int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, | |
272 | struct sk_buff *skb, | |
75e22910 | 273 | u16 family, |
5778eabd PM |
274 | struct avc_audit_data *ad) |
275 | { | |
276 | int rc; | |
f36158c4 PM |
277 | u32 nlbl_sid; |
278 | u32 perm; | |
279 | struct netlbl_lsm_secattr secattr; | |
5778eabd | 280 | |
23bcdc1a PM |
281 | if (!netlbl_enabled()) |
282 | return 0; | |
283 | ||
f36158c4 | 284 | netlbl_secattr_init(&secattr); |
75e22910 | 285 | rc = netlbl_skbuff_getattr(skb, family, &secattr); |
5dbe1eb0 PM |
286 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
287 | rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid); | |
288 | else | |
f36158c4 PM |
289 | nlbl_sid = SECINITSID_UNLABELED; |
290 | netlbl_secattr_destroy(&secattr); | |
5778eabd PM |
291 | if (rc != 0) |
292 | return rc; | |
8d9107e8 | 293 | |
5778eabd PM |
294 | switch (sksec->sclass) { |
295 | case SECCLASS_UDP_SOCKET: | |
f36158c4 | 296 | perm = UDP_SOCKET__RECVFROM; |
5778eabd PM |
297 | break; |
298 | case SECCLASS_TCP_SOCKET: | |
f36158c4 | 299 | perm = TCP_SOCKET__RECVFROM; |
5778eabd PM |
300 | break; |
301 | default: | |
f36158c4 | 302 | perm = RAWIP_SOCKET__RECVFROM; |
5778eabd PM |
303 | } |
304 | ||
f36158c4 | 305 | rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad); |
5778eabd PM |
306 | if (rc == 0) |
307 | return 0; | |
308 | ||
f36158c4 | 309 | if (nlbl_sid != SECINITSID_UNLABELED) |
dfaebe98 | 310 | netlbl_skbuff_err(skb, rc, 0); |
5778eabd PM |
311 | return rc; |
312 | } | |
313 | ||
314 | /** | |
315 | * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel | |
316 | * @sock: the socket | |
317 | * @level: the socket level or protocol | |
318 | * @optname: the socket option name | |
319 | * | |
320 | * Description: | |
321 | * Check the setsockopt() call and if the user is trying to replace the IP | |
322 | * options on a socket and a NetLabel is in place for the socket deny the | |
323 | * access; otherwise allow the access. Returns zero when the access is | |
324 | * allowed, -EACCES when denied, and other negative values on error. | |
325 | * | |
326 | */ | |
327 | int selinux_netlbl_socket_setsockopt(struct socket *sock, | |
328 | int level, | |
329 | int optname) | |
330 | { | |
331 | int rc = 0; | |
ba6ff9f2 PM |
332 | struct sock *sk = sock->sk; |
333 | struct sk_security_struct *sksec = sk->sk_security; | |
5778eabd PM |
334 | struct netlbl_lsm_secattr secattr; |
335 | ||
5778eabd PM |
336 | if (level == IPPROTO_IP && optname == IP_OPTIONS && |
337 | sksec->nlbl_state == NLBL_LABELED) { | |
338 | netlbl_secattr_init(&secattr); | |
ba6ff9f2 PM |
339 | lock_sock(sk); |
340 | rc = netlbl_sock_getattr(sk, &secattr); | |
341 | release_sock(sk); | |
5778eabd PM |
342 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
343 | rc = -EACCES; | |
344 | netlbl_secattr_destroy(&secattr); | |
345 | } | |
5778eabd PM |
346 | |
347 | return rc; | |
348 | } |