SELinux: peer secid consolidation for external network labeling

Now that labeled IPsec makes use of the peer_sid field in the sk_security_struct we can remove a lot of the special cases between labeled IPsec and NetLabel. In addition, create a new function, security_skb_extlbl_sid(), which we can use in several places to get the security context of the packet's external label which allows us to further simplify the code in a few places. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2024-12-27 05:11:48 +00:00 · 2006-11-17 17:38:54 -05:00 · 2006-11-17 17:38:54 -05:00 · 3de4bab5b9
commit 3de4bab5b9
parent 9f2ad66509
6 changed files with 52 additions and 150 deletions
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@ -3574,27 +3574,16 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
 	u32 scontext_len;
 	struct sk_security_struct *ssec;
 	struct inode_security_struct *isec;
-	u32 peer_sid = 0;
+	u32 peer_sid = SECSID_NULL;
 	isec = SOCK_INODE(sock)->i_security;
-	/* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
+	if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
-	if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
+	    isec->sclass == SECCLASS_TCP_SOCKET) {
 		ssec = sock->sk->sk_security;
 		peer_sid = ssec->peer_sid;
 	}
-	else if (isec->sclass == SECCLASS_TCP_SOCKET) {
+	if (peer_sid == SECSID_NULL) {
 		peer_sid = selinux_netlbl_socket_getpeersec_stream(sock);
 		if (peer_sid == SECSID_NULL) {
 			ssec = sock->sk->sk_security;
 			peer_sid = ssec->peer_sid;
 		}
 		if (peer_sid == SECSID_NULL) {
 			err = -ENOPROTOOPT;
 			goto out;
 		}
 	}
 	else {
 		err = -ENOPROTOOPT;
 		goto out;
 	}
@ -3626,13 +3615,12 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
 	u32 peer_secid = SECSID_NULL;
 	int err = 0;
-	if (sock && (sock->sk->sk_family == PF_UNIX))
+	if (sock && sock->sk->sk_family == PF_UNIX)
 		selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
-	else if (skb) {
+	else if (skb)
-		peer_secid = selinux_netlbl_socket_getpeersec_dgram(skb);
+		security_skb_extlbl_sid(skb,
-		if (peer_secid == SECSID_NULL)
+					SECINITSID_UNLABELED,
-			peer_secid = selinux_socket_getpeer_dgram(skb);
+					&peer_secid);
 	}
 	if (peer_secid == SECSID_NULL)
 		err = -EINVAL;
@ -3693,17 +3681,10 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
 	u32 newsid;
 	u32 peersid;
-	newsid = selinux_netlbl_inet_conn_request(skb, sksec->sid);
+	security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
 	if (newsid != SECSID_NULL) {
 		req->secid = newsid;
 		return 0;
 	}
 	selinux_skb_xfrm_sid(skb, &peersid);
 	if (peersid == SECSID_NULL) {
 		req->secid = sksec->sid;
-		req->peer_secid = 0;
+		req->peer_secid = SECSID_NULL;
 		return 0;
 	}
@ -3738,7 +3719,7 @@ static void selinux_inet_conn_established(struct sock *sk,
 {
 	struct sk_security_struct *sksec = sk->sk_security;
-	selinux_skb_xfrm_sid(skb, &sksec->peer_sid);
+	security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
 }
 static void selinux_req_classify_flow(const struct request_sock *req,
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@ -8,6 +8,7 @@
 #ifndef _SELINUX_SECURITY_H_
 #define _SELINUX_SECURITY_H_
 #include <linux/skbuff.h>
 #include "flask.h"
 #define SECSID_NULL			0x00000000 /* unspecified SID */
@ -80,6 +81,8 @@ int security_netif_sid(char *name, u32 *if_sid,
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
 	u32 *out_sid);
 void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
                                 u16 tclass);
--- a/security/selinux/include/selinux_netlabel.h
+++ b/security/selinux/include/selinux_netlabel.h
@ -38,14 +38,12 @@
 #ifdef CONFIG_NETLABEL
 void selinux_netlbl_cache_invalidate(void);
 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
 int selinux_netlbl_socket_post_create(struct socket *sock);
 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
 u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 				struct sk_buff *skb,
 				struct avc_audit_data *ad);
 u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);
 u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
 				      int family);
 void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
@ -62,6 +60,14 @@ static inline void selinux_netlbl_cache_invalidate(void)
 	return;
 }
 static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 					       u32 base_sid,
 					       u32 *sid)
 {
 	*sid = SECSID_NULL;
 	return 0;
 }
 static inline int selinux_netlbl_socket_post_create(struct socket *sock)
 {
 	return 0;
@ -73,12 +79,6 @@ static inline void selinux_netlbl_sock_graft(struct sock *sk,
 	return;
 }
 static inline u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb,
 						   u32 sock_sid)
 {
 	return SECSID_NULL;
 }
 static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 					      struct sk_buff *skb,
 					      struct avc_audit_data *ad)
@ -86,16 +86,6 @@ static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 	return 0;
 }
 static inline u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
 {
 	return SECSID_NULL;
 }
 static inline u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
 {
 	return SECSID_NULL;
 }
 static inline void selinux_netlbl_sk_security_reset(
 					       struct sk_security_struct *ssec,
 					       int family)
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@ -36,7 +36,6 @@ int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
 			struct avc_audit_data *ad);
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
 			struct avc_audit_data *ad, u8 proto);
 u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
 int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 #else
 static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
@ -51,10 +50,6 @@ static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
 	return 0;
 }
 static inline int selinux_socket_getpeer_dgram(struct sk_buff *skb)
 {
 	return SECSID_NULL;
 }
 static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
 {
 	*sid = SECSID_NULL;
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@ -54,6 +54,7 @@
 #include "mls.h"
 #include "objsec.h"
 #include "selinux_netlabel.h"
 #include "xfrm.h"
 extern void selnl_notify_policyload(u32 seqno);
 unsigned int policydb_loaded_version;
@ -2191,6 +2192,32 @@ void selinux_audit_set_callback(int (*callback)(void))
 	aurule_callback = callback;
 }
 /**
 * security_skb_extlbl_sid - Determine the external label of a packet
 * @skb: the packet
 * @base_sid: the SELinux SID to use as a context for MLS only external labels
 * @sid: the packet's SID
 *
 * Description:
 * Check the various different forms of external packet labeling and determine
 * the external SID for the packet.
 *
 */
 void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
 {
 	u32 xfrm_sid;
 	u32 nlbl_sid;
 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
 	if (selinux_netlbl_skbuff_getsid(skb,
 					 (xfrm_sid == SECSID_NULL ?
 					  base_sid : xfrm_sid),
 					 &nlbl_sid) != 0)
 		nlbl_sid = SECSID_NULL;
 	*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
 }
 #ifdef CONFIG_NETLABEL
 /*
 * This is the structure we store inside the NetLabel cache block.
@ -2408,9 +2435,7 @@ netlbl_secattr_to_sid_return_cleanup:
 * assign to the packet.  Returns zero on success, negative values on failure.
 *
 */
-static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
 					u32 base_sid,
 					u32 *sid)
 {
 	int rc;
 	struct netlbl_lsm_secattr secattr;
@ -2615,29 +2640,6 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
 	rcu_read_unlock();
 }
 /**
 * selinux_netlbl_inet_conn_request - Handle a new connection request
 * @skb: the packet
 * @sock_sid: the SID of the parent socket
 *
 * Description:
 * If present, use the security attributes of the packet in @skb and the
 * parent sock's SID to arrive at a SID for the new child sock.  Returns the
 * SID of the connection or SECSID_NULL on failure.
 *
 */
 u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
 {
 	int rc;
 	u32 peer_sid;
 	rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);
 	if (rc != 0)
 		return SECSID_NULL;
 	return peer_sid;
 }
 /**
 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
 * @inode: the file descriptor's inode
@ -2727,42 +2729,6 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 	return rc;
 }
 /**
 * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
 * @sock: the socket
 *
 * Description:
 * Examine @sock to find the connected peer's SID.  Returns the SID on success
 * or SECSID_NULL on error.
 *
 */
 u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
 {
 	struct sk_security_struct *sksec = sock->sk->sk_security;
 	return sksec->peer_sid;
 }
 /**
 * selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet
 * @skb: the packet
 *
 * Description:
 * Examine @skb to find the SID assigned to it by NetLabel.  Returns the SID on
 * success, SECSID_NULL on error.
 *
 */
 u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
 {
 	int peer_sid;
 	if (selinux_netlbl_skbuff_getsid(skb,
 					 SECINITSID_UNLABELED,
 					 &peer_sid) != 0)
 		return SECSID_NULL;
 	return peer_sid;
 }
 /**
 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
 * @sock: the socket
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@ -372,39 +372,6 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
 		kfree(ctx);
 }
 /*
 * SELinux internal function to retrieve the context of a UDP packet
 * based on its security association.
 *
 * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
 * type SCM_SECURITY.
 */
 u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
 {
 	struct sec_path *sp;
 	if (skb == NULL)
 		return SECSID_NULL;
 	if (skb->sk->sk_protocol != IPPROTO_UDP)
 		return SECSID_NULL;
 	sp = skb->sp;
 	if (sp) {
 		int i;
 		for (i = sp->len-1; i >= 0; i--) {
 			struct xfrm_state *x = sp->xvec[i];
 			if (selinux_authorizable_xfrm(x)) {
 				struct xfrm_sec_ctx *ctx = x->security;
 				return ctx->ctx_sid;
 			}
 		}
 	}
 	return SECSID_NULL;
 }
 /*
  * LSM hook implementation that authorizes deletion of labeled SAs.
  */