]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - security/selinux/netlabel.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
UBUNTU: SAUCE: LSM stacking: LSM: Manage remaining security blobs
[mirror_ubuntu-bionic-kernel.git] / security / selinux / netlabel.c
1 /*
2 * SELinux NetLabel Support
3 *
4 * This file provides the necessary glue to tie NetLabel into the SELinux
5 * subsystem.
6 *
7 * Author: Paul Moore <paul@paul-moore.com>
8 *
9 */
10
11 /*
12 * (c) Copyright Hewlett-Packard Development Company, L.P., 2007, 2008
13 *
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
18 *
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
22 * the GNU General Public License for more details.
23 *
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27 *
28 */
29
30 #include <linux/spinlock.h>
31 #include <linux/rcupdate.h>
32 #include <linux/gfp.h>
33 #include <linux/ip.h>
34 #include <linux/ipv6.h>
35 #include <linux/lsm_hooks.h>
36 #include <net/sock.h>
37 #include <net/netlabel.h>
38 #include <net/ip.h>
39 #include <net/ipv6.h>
40
41 #include "objsec.h"
42 #include "security.h"
43 #include "netlabel.h"
44
45 /**
46 * selinux_netlbl_sidlookup_cached - Cache a SID lookup
47 * @skb: the packet
48 * @secattr: the NetLabel security attributes
49 * @sid: the SID
50 *
51 * Description:
52 * Query the SELinux security server to lookup the correct SID for the given
53 * security attributes. If the query is successful, cache the result to speed
54 * up future lookups. Returns zero on success, negative values on failure.
55 *
56 */
57 static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
58 u16 family,
59 struct netlbl_lsm_secattr *secattr,
60 u32 *sid)
61 {
62 int rc;
63
64 rc = security_netlbl_secattr_to_sid(secattr, sid);
65 if (rc == 0 &&
66 (secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
67 (secattr->flags & NETLBL_SECATTR_CACHE))
68 netlbl_cache_add(skb, family, secattr);
69
70 return rc;
71 }
72
73 /**
74 * selinux_netlbl_sock_genattr - Generate the NetLabel socket secattr
75 * @sk: the socket
76 *
77 * Description:
78 * Generate the NetLabel security attributes for a socket, making full use of
79 * the socket's attribute cache. Returns a pointer to the security attributes
80 * on success, NULL on failure.
81 *
82 */
83 static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
84 {
85 int rc;
86 struct sk_security_struct *sksec = selinux_sock(sk);
87 struct netlbl_lsm_secattr *secattr;
88
89 if (sksec->nlbl_secattr != NULL)
90 return sksec->nlbl_secattr;
91
92 secattr = netlbl_secattr_alloc(GFP_ATOMIC);
93 if (secattr == NULL)
94 return NULL;
95 rc = security_netlbl_sid_to_secattr(sksec->sid, secattr);
96 if (rc != 0) {
97 netlbl_secattr_free(secattr);
98 return NULL;
99 }
100 sksec->nlbl_secattr = secattr;
101
102 return secattr;
103 }
104
105 /**
106 * selinux_netlbl_sock_getattr - Get the cached NetLabel secattr
107 * @sk: the socket
108 * @sid: the SID
109 *
110 * Query the socket's cached secattr and if the SID matches the cached value
111 * return the cache, otherwise return NULL.
112 *
113 */
114 static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr(
115 const struct sock *sk,
116 u32 sid)
117 {
118 struct sk_security_struct *sksec = selinux_sock(sk);
119 struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr;
120
121 if (secattr == NULL)
122 return NULL;
123
124 if ((secattr->flags & NETLBL_SECATTR_SECID) &&
125 (secattr->attr.secid == sid))
126 return secattr;
127
128 return NULL;
129 }
130
131 /**
132 * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
133 *
134 * Description:
135 * Invalidate the NetLabel security attribute mapping cache.
136 *
137 */
138 void selinux_netlbl_cache_invalidate(void)
139 {
140 netlbl_cache_invalidate();
141 }
142
143 /**
144 * selinux_netlbl_err - Handle a NetLabel packet error
145 * @skb: the packet
146 * @error: the error code
147 * @gateway: true if host is acting as a gateway, false otherwise
148 *
149 * Description:
150 * When a packet is dropped due to a call to avc_has_perm() pass the error
151 * code to the NetLabel subsystem so any protocol specific processing can be
152 * done. This is safe to call even if you are unsure if NetLabel labeling is
153 * present on the packet, NetLabel is smart enough to only act when it should.
154 *
155 */
156 void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error, int gateway)
157 {
158 netlbl_skbuff_err(skb, family, error, gateway);
159 }
160
161 /**
162 * selinux_netlbl_sk_security_free - Free the NetLabel fields
163 * @sksec: the sk_security_struct
164 *
165 * Description:
166 * Free all of the memory in the NetLabel fields of a sk_security_struct.
167 *
168 */
169 void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec)
170 {
171 if (sksec->nlbl_secattr != NULL)
172 netlbl_secattr_free(sksec->nlbl_secattr);
173 }
174
175 /**
176 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
177 * @sksec: the sk_security_struct
178 * @family: the socket family
179 *
180 * Description:
181 * Called when the NetLabel state of a sk_security_struct needs to be reset.
182 * The caller is responsible for all the NetLabel sk_security_struct locking.
183 *
184 */
185 void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec)
186 {
187 sksec->nlbl_state = NLBL_UNSET;
188 }
189
190 /**
191 * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
192 * @skb: the packet
193 * @family: protocol family
194 * @type: NetLabel labeling protocol type
195 * @sid: the SID
196 *
197 * Description:
198 * Call the NetLabel mechanism to get the security attributes of the given
199 * packet and use those attributes to determine the correct context/SID to
200 * assign to the packet. Returns zero on success, negative values on failure.
201 *
202 */
203 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
204 u16 family,
205 u32 *type,
206 u32 *sid)
207 {
208 int rc;
209 struct netlbl_lsm_secattr secattr;
210
211 if (!netlbl_enabled()) {
212 *sid = SECSID_NULL;
213 return 0;
214 }
215
216 netlbl_secattr_init(&secattr);
217 rc = netlbl_skbuff_getattr(skb, family, &secattr);
218 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
219 rc = selinux_netlbl_sidlookup_cached(skb, family,
220 &secattr, sid);
221 else
222 *sid = SECSID_NULL;
223 *type = secattr.type;
224 netlbl_secattr_destroy(&secattr);
225
226 return rc;
227 }
228
229 /**
230 * selinux_netlbl_skbuff_setsid - Set the NetLabel on a packet given a sid
231 * @skb: the packet
232 * @family: protocol family
233 * @sid: the SID
234 *
235 * Description
236 * Call the NetLabel mechanism to set the label of a packet using @sid.
237 * Returns zero on success, negative values on failure.
238 *
239 */
240 int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
241 u16 family,
242 u32 sid)
243 {
244 int rc;
245 struct netlbl_lsm_secattr secattr_storage;
246 struct netlbl_lsm_secattr *secattr = NULL;
247 struct sock *sk;
248
249 /* if this is a locally generated packet check to see if it is already
250 * being labeled by it's parent socket, if it is just exit */
251 sk = skb_to_full_sk(skb);
252 if (sk != NULL) {
253 struct sk_security_struct *sksec = selinux_sock(sk);
254 if (sksec->nlbl_state != NLBL_REQSKB)
255 return 0;
256 secattr = selinux_netlbl_sock_getattr(sk, sid);
257 }
258 if (secattr == NULL) {
259 secattr = &secattr_storage;
260 netlbl_secattr_init(secattr);
261 rc = security_netlbl_sid_to_secattr(sid, secattr);
262 if (rc != 0)
263 goto skbuff_setsid_return;
264 }
265
266 rc = netlbl_skbuff_setattr(skb, family, secattr);
267
268 skbuff_setsid_return:
269 if (secattr == &secattr_storage)
270 netlbl_secattr_destroy(secattr);
271 return rc;
272 }
273
274 /**
275 * selinux_netlbl_inet_conn_request - Label an incoming stream connection
276 * @req: incoming connection request socket
277 *
278 * Description:
279 * A new incoming connection request is represented by @req, we need to label
280 * the new request_sock here and the stack will ensure the on-the-wire label
281 * will get preserved when a full sock is created once the connection handshake
282 * is complete. Returns zero on success, negative values on failure.
283 *
284 */
285 int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
286 {
287 int rc;
288 struct netlbl_lsm_secattr secattr;
289
290 if (family != PF_INET && family != PF_INET6)
291 return 0;
292
293 netlbl_secattr_init(&secattr);
294 rc = security_netlbl_sid_to_secattr(req->secid, &secattr);
295 if (rc != 0)
296 goto inet_conn_request_return;
297 rc = netlbl_req_setattr(req, &secattr);
298 inet_conn_request_return:
299 netlbl_secattr_destroy(&secattr);
300 return rc;
301 }
302
303 /**
304 * selinux_netlbl_inet_csk_clone - Initialize the newly created sock
305 * @sk: the new sock
306 *
307 * Description:
308 * A new connection has been established using @sk, we've already labeled the
309 * socket via the request_sock struct in selinux_netlbl_inet_conn_request() but
310 * we need to set the NetLabel state here since we now have a sock structure.
311 *
312 */
313 void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
314 {
315 struct sk_security_struct *sksec = selinux_sock(sk);
316
317 if (family == PF_INET)
318 sksec->nlbl_state = NLBL_LABELED;
319 else
320 sksec->nlbl_state = NLBL_UNSET;
321 }
322
323 /**
324 * selinux_netlbl_socket_post_create - Label a socket using NetLabel
325 * @sock: the socket to label
326 * @family: protocol family
327 *
328 * Description:
329 * Attempt to label a socket using the NetLabel mechanism using the given
330 * SID. Returns zero values on success, negative values on failure.
331 *
332 */
333 int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
334 {
335 int rc;
336 struct sk_security_struct *sksec = selinux_sock(sk);
337 struct netlbl_lsm_secattr *secattr;
338
339 if (family != PF_INET && family != PF_INET6)
340 return 0;
341
342 secattr = selinux_netlbl_sock_genattr(sk);
343 if (secattr == NULL)
344 return -ENOMEM;
345 rc = netlbl_sock_setattr(sk, family, secattr);
346 switch (rc) {
347 case 0:
348 sksec->nlbl_state = NLBL_LABELED;
349 break;
350 case -EDESTADDRREQ:
351 sksec->nlbl_state = NLBL_REQSKB;
352 rc = 0;
353 break;
354 }
355
356 return rc;
357 }
358
359 /**
360 * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
361 * @sksec: the sock's sk_security_struct
362 * @skb: the packet
363 * @family: protocol family
364 * @ad: the audit data
365 *
366 * Description:
367 * Fetch the NetLabel security attributes from @skb and perform an access check
368 * against the receiving socket. Returns zero on success, negative values on
369 * error.
370 *
371 */
372 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
373 struct sk_buff *skb,
374 u16 family,
375 struct common_audit_data *ad)
376 {
377 int rc;
378 u32 nlbl_sid;
379 u32 perm;
380 struct netlbl_lsm_secattr secattr;
381
382 if (!netlbl_enabled())
383 return 0;
384
385 netlbl_secattr_init(&secattr);
386 rc = netlbl_skbuff_getattr(skb, family, &secattr);
387 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
388 rc = selinux_netlbl_sidlookup_cached(skb, family,
389 &secattr, &nlbl_sid);
390 else
391 nlbl_sid = SECINITSID_UNLABELED;
392 netlbl_secattr_destroy(&secattr);
393 if (rc != 0)
394 return rc;
395
396 switch (sksec->sclass) {
397 case SECCLASS_UDP_SOCKET:
398 perm = UDP_SOCKET__RECVFROM;
399 break;
400 case SECCLASS_TCP_SOCKET:
401 perm = TCP_SOCKET__RECVFROM;
402 break;
403 default:
404 perm = RAWIP_SOCKET__RECVFROM;
405 }
406
407 rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
408 if (rc == 0)
409 return 0;
410
411 if (nlbl_sid != SECINITSID_UNLABELED)
412 netlbl_skbuff_err(skb, family, rc, 0);
413 return rc;
414 }
415
416 /**
417 * selinux_netlbl_option - Is this a NetLabel option
418 * @level: the socket level or protocol
419 * @optname: the socket option name
420 *
421 * Description:
422 * Returns true if @level and @optname refer to a NetLabel option.
423 * Helper for selinux_netlbl_socket_setsockopt().
424 */
425 static inline int selinux_netlbl_option(int level, int optname)
426 {
427 return (level == IPPROTO_IP && optname == IP_OPTIONS) ||
428 (level == IPPROTO_IPV6 && optname == IPV6_HOPOPTS);
429 }
430
431 /**
432 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
433 * @sock: the socket
434 * @level: the socket level or protocol
435 * @optname: the socket option name
436 *
437 * Description:
438 * Check the setsockopt() call and if the user is trying to replace the IP
439 * options on a socket and a NetLabel is in place for the socket deny the
440 * access; otherwise allow the access. Returns zero when the access is
441 * allowed, -EACCES when denied, and other negative values on error.
442 *
443 */
444 int selinux_netlbl_socket_setsockopt(struct socket *sock,
445 int level,
446 int optname)
447 {
448 int rc = 0;
449 struct sock *sk = sock->sk;
450 struct sk_security_struct *sksec = selinux_sock(sk);
451 struct netlbl_lsm_secattr secattr;
452
453 if (selinux_netlbl_option(level, optname) &&
454 (sksec->nlbl_state == NLBL_LABELED ||
455 sksec->nlbl_state == NLBL_CONNLABELED)) {
456 netlbl_secattr_init(&secattr);
457 lock_sock(sk);
458 /* call the netlabel function directly as we want to see the
459 * on-the-wire label that is assigned via the socket's options
460 * and not the cached netlabel/lsm attributes */
461 rc = netlbl_sock_getattr(sk, &secattr);
462 release_sock(sk);
463 if (rc == 0)
464 rc = -EACCES;
465 else if (rc == -ENOMSG)
466 rc = 0;
467 netlbl_secattr_destroy(&secattr);
468 }
469
470 return rc;
471 }
472
473 /**
474 * selinux_netlbl_socket_connect - Label a client-side socket on connect
475 * @sk: the socket to label
476 * @addr: the destination address
477 *
478 * Description:
479 * Attempt to label a connected socket with NetLabel using the given address.
480 * Returns zero values on success, negative values on failure.
481 *
482 */
483 int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
484 {
485 int rc;
486 struct sk_security_struct *sksec = selinux_sock(sk);
487 struct netlbl_lsm_secattr *secattr;
488
489 if (sksec->nlbl_state != NLBL_REQSKB &&
490 sksec->nlbl_state != NLBL_CONNLABELED)
491 return 0;
492
493 lock_sock(sk);
494
495 /* connected sockets are allowed to disconnect when the address family
496 * is set to AF_UNSPEC, if that is what is happening we want to reset
497 * the socket */
498 if (addr->sa_family == AF_UNSPEC) {
499 netlbl_sock_delattr(sk);
500 sksec->nlbl_state = NLBL_REQSKB;
501 rc = 0;
502 goto socket_connect_return;
503 }
504 secattr = selinux_netlbl_sock_genattr(sk);
505 if (secattr == NULL) {
506 rc = -ENOMEM;
507 goto socket_connect_return;
508 }
509 rc = netlbl_conn_setattr(sk, addr, secattr);
510 if (rc == 0)
511 sksec->nlbl_state = NLBL_CONNLABELED;
512
513 socket_connect_return:
514 release_sock(sk);
515 return rc;
516 }
ubuntu-bionic-kernel mirror