linux/include/net
Paul Moore 389fb800ac netlabel: Label incoming TCP connections correctly in SELinux
The current NetLabel/SELinux behavior for incoming TCP connections works but
only through a series of happy coincidences that rely on the limited nature of
standard CIPSO (only able to convey MLS attributes) and the write equality
imposed by the SELinux MLS constraints.  The problem is that network sockets
created as the result of an incoming TCP connection were not on-the-wire
labeled based on the security attributes of the parent socket but rather based
on the wire label of the remote peer.  The issue had to do with how IP options
were managed as part of the network stack and where the LSM hooks were in
relation to the code which set the IP options on these newly created child
sockets.  While NetLabel/SELinux did correctly set the socket's on-the-wire
label it was promptly cleared by the network stack and reset based on the IP
options of the remote peer.

This patch, in conjunction with a prior patch that adjusted the LSM hook
locations, works to set the correct on-the-wire label format for new incoming
connections through the security_inet_conn_request() hook.  Besides the
correct behavior there are many advantages to this change, the most significant
is that all of the NetLabel socket labeling code in SELinux now lives in hooks
which can return error codes to the core stack which allows us to finally get
ride of the selinux_netlbl_inode_permission() logic which greatly simplfies
the NetLabel/SELinux glue code.  In the process of developing this patch I
also ran into a small handful of AF_INET6 cleanliness issues that have been
fixed which should make the code safer and easier to extend in the future.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
2009-03-28 15:01:36 +11:00
..
9p 9p: fix sparse warnings 2008-10-22 18:54:47 -05:00
bluetooth Bluetooth: Ask upper layers for HCI disconnect reason 2009-02-27 06:14:43 +01:00
irda irda: Add irda_skb_cb qdisc related padding 2008-12-17 15:44:58 -08:00
iucv [S390] iucv: Locking free version of iucv_message_(receive|send) 2008-12-25 13:39:04 +01:00
netfilter Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2009-03-26 22:45:23 -07:00
netns netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get rid of call_rcu() 2009-03-25 21:05:46 +01:00
phonet Phonet: use per-namespace devices list 2009-01-26 21:03:35 -08:00
sctp sctp: Clean up TEST_FRAME hacks. 2009-03-21 13:41:09 -07:00
tc_act pkt_action: add new action skbedit 2008-09-12 16:30:20 -07:00
tipc tipc: Remove unneeded parameter to tipc_createport_raw() 2008-07-14 22:42:19 -07:00
act_api.h [NET_SCHED]: act_api: use PTR_ERR in tcf_action_init/tcf_action_get 2008-01-28 15:11:17 -08:00
addrconf.h ipv6: Fix conflict resolutions during ipv6 binding 2009-03-24 19:49:11 -07:00
af_rxrpc.h
af_unix.h net: Fix soft lockups/OOM issues w/ unix garbage collector 2008-11-26 15:32:27 -08:00
ah.h
arp.h [NETFILTER]: ebtables: remove casts, use consts 2008-01-31 19:27:33 -08:00
atmclip.h clip: convert to internal network_device_stats 2009-01-21 14:01:59 -08:00
ax25.h [AX25] ax25_ds_timer: use mod_timer instead of add_timer 2008-02-12 17:53:34 -08:00
ax88796.h ax88796: Add method to take MAC from platform data 2009-03-24 23:32:03 -07:00
cfg80211.h cfg80211: add feature to hold bss 2009-03-27 20:13:13 -04:00
checksum.h include/net net/ - csum_partial - remove unnecessary casts 2008-11-19 15:44:53 -08:00
cipso_ipv4.h netlabel: Label incoming TCP connections correctly in SELinux 2009-03-28 15:01:36 +11:00
compat.h net: Use standard structures for generic socket address structures. 2008-07-19 22:35:47 -07:00
datalink.h
dcbnl.h net: fix DCB setstate to return success/failure 2008-12-21 20:09:50 -08:00
dn_dev.h
dn_fib.h decnet: remove private wrappers of endian helpers 2008-11-27 00:12:47 -08:00
dn_neigh.h
dn_nsp.h
dn_route.h
dn.h decnet: compile fix for removal of byteorder wrapper 2008-11-27 23:04:13 -08:00
dsa.h dsa: add switch chip cascading support 2009-03-21 19:06:54 -07:00
dsfield.h [NET]: Constify include/net/dsfield.h 2008-01-28 14:55:58 -08:00
dst.h netns xfrm: lookup in netns 2008-11-25 17:35:18 -08:00
esp.h [IPSEC]: Use crypto_aead and authenc in ESP 2008-01-31 19:27:02 -08:00
ethoc.h net: Add support for the OpenCores 10/100 Mbps Ethernet MAC. 2009-03-27 00:16:21 -07:00
fib_rules.h net: add fib_rules_ops to flush_cache method 2008-07-05 19:01:28 -07:00
flow.h netns xfrm: lookup in netns 2008-11-25 17:35:18 -08:00
garp.h vlan: Add GVRP support 2008-07-05 21:26:57 -07:00
gen_stats.h pkt_sched: gen_estimator: Optimize gen_estimator_active() 2008-11-26 15:24:32 -08:00
genetlink.h netlink: Improve returned error codes 2008-06-03 16:36:54 -07:00
icmp.h mib: put icmpmsg statistics on struct net 2008-07-18 04:04:22 -07:00
ieee80211_radiotap.h wireless: radiotap updates 2009-03-27 20:12:52 -04:00
if_inet6.h ipv6: reorder struct inet6_ifaddr to remove padding on 64 bit builds 2009-03-21 13:29:05 -07:00
inet6_connection_sock.h
inet6_hashtables.h inet: Don't lookup the socket if there's a socket attached to the skb 2008-10-07 12:41:01 -07:00
inet_common.h [NETNS]: Inet control socket should not hold a namespace. 2008-04-03 14:28:30 -07:00
inet_connection_sock.h net: more #ifdef CONFIG_COMPAT 2008-08-28 02:53:51 -07:00
inet_ecn.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
inet_frag.h inet fragments: fix sparse warning: context imbalance 2009-02-26 23:13:35 -08:00
inet_hashtables.h net: move bsockets outside of read only beginning of struct inet_hashinfo 2009-02-01 12:31:33 -08:00
inet_sock.h tcp: Port redirection support for TCP 2008-10-01 07:46:49 -07:00
inet_timewait_sock.h net: Convert TCP & DCCP hash tables to use RCU / hlist_nulls 2008-11-16 19:40:17 -08:00
inetpeer.h net: remove CVS keywords 2008-06-11 21:00:38 -07:00
ip6_checksum.h
ip6_fib.h [NETNS][IPV6] rt6_info - move rt6_info structure inside the namespace 2008-03-04 13:48:30 -08:00
ip6_route.h netns: Add network namespace argument to rt6_fill_node() and ipv6_dev_get_saddr() 2008-08-14 15:33:21 -07:00
ip6_tunnel.h net: remove CVS keywords 2008-06-11 21:00:38 -07:00
ip_fib.h [IPV4]: Fix compile error building without CONFIG_FS_PROC 2008-02-05 02:54:16 -08:00
ip_vs.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
ip.h ip: support for TX timestamps on UDP and RAW sockets 2009-02-15 22:43:38 -08:00
ipcomp.h ipsec: ipcomp - Merge IPComp implementations 2008-07-25 02:54:40 -07:00
ipconfig.h net: remove CVS keywords 2008-06-11 21:00:38 -07:00
ipip.h inet: Make tunnel RX/TX byte counters more consistent 2008-10-09 12:03:17 -07:00
ipv6.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
ipx.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
iw_handler.h wext: Emit event stream entries correctly when compat. 2008-06-16 18:50:49 -07:00
lapb.h
lib80211.h wireless: missing include in lib80211.h 2008-11-21 11:42:55 -05:00
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h [LLC]: Kill static inline llc_addrany 2008-02-29 11:46:17 -08:00
llc_pdu.h [LLC]: skb allocation size for responses 2008-03-31 21:02:47 -07:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h [LLC]: skb allocation size for responses 2008-03-31 21:02:47 -07:00
llc.h [LLC]: station source mac address 2008-03-28 16:28:36 -07:00
mac80211.h mac80211/iwlwifi: move virtual A-MDPU queue bookkeeping to iwlwifi 2009-03-27 20:13:23 -04:00
mip6.h [IPV6] MIP6: Use our standard definitions for paddings. 2008-04-12 13:43:22 +09:00
ndisc.h ipv6: Fix sporadic sendmsg -EINVAL when sending to multicast groups. 2009-01-04 16:04:39 -08:00
neighbour.h net: Cleanup of neighbour code 2008-11-12 00:54:54 -08:00
net_namespace.h netns: Remove net_alive 2009-03-03 01:14:27 -08:00
netdma.h net_dma: convert to dma_find_channel 2009-01-06 11:38:15 -07:00
netevent.h [NET]: Remove unnecessary inclusion of dst.h 2008-01-28 14:53:38 -08:00
netlabel.h netlabel: Label incoming TCP connections correctly in SELinux 2009-03-28 15:01:36 +11:00
netlink.h netlink: add nla_policy_len() 2009-03-25 18:26:30 +01:00
netrom.h netrom: convert to internal net_device_stats 2009-01-21 14:02:01 -08:00
nexthop.h
p8022.h
pkt_cls.h ematch: simpler tcf_em_unregister() 2008-11-16 23:01:49 -08:00
pkt_sched.h pkt_sched: sch_hfsc: sch_htb: Add non-work-conserving warning handler. 2009-02-01 01:12:42 -08:00
protocol.h ipv6: Add GRO support 2009-01-08 10:40:57 -08:00
psnap.h snap: use const for descriptor 2009-03-21 19:06:50 -07:00
raw.h [RAW]: Add raw_hashinfo member on struct proto. 2008-03-22 16:56:51 -07:00
rawv6.h [IPv6] RAW: Compact the API for the kernel 2008-01-28 14:54:29 -08:00
red.h
request_sock.h net: Fix memory leak in the proto_register function 2008-11-21 16:45:22 -08:00
rose.h rose: improving AX25 routing frames via ROSE network 2008-06-17 17:08:32 -07:00
route.h ipv4: Conditionally enable transparent flow flag when connecting 2008-10-01 07:35:39 -07:00
rtnetlink.h [RTNL]: Introduce the rtnl_kill_links helper. 2008-04-16 00:46:52 -07:00
sch_generic.h net: reorder struct Qdisc for better SMP performance 2009-03-20 01:33:32 -07:00
scm.h Merge branch 'master' into next 2008-11-14 11:29:12 +11:00
slhc_vj.h
snmp.h net: remove CVS keywords 2008-06-11 21:00:38 -07:00
sock.h Merge branch 'master' of /home/davem/src/GIT/linux-2.6/ 2009-02-24 03:50:29 -08:00
stp.h net: Add STP demux layer 2008-07-05 21:25:39 -07:00
tcp_states.h
tcp.h tcp: simplify tcp_current_mss 2009-03-15 20:09:54 -07:00
timewait_sock.h net: Fix memory leak in the proto_register function 2008-11-21 16:45:22 -08:00
transp_v6.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
udp.h ipv6: Fix conflict resolutions during ipv6 binding 2009-03-24 19:49:11 -07:00
udplite.h udp: introduce struct udp_table and multiple spinlocks 2008-10-29 01:41:45 -07:00
wext.h wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c 2008-06-16 18:32:46 -07:00
wimax.h wimax: fix typo in kernel-doc for debugfs_dentry in struct wimax_dev 2009-01-11 00:06:32 -08:00
wireless.h cfg80211: Add AP beacon regulatory hints 2009-02-27 14:52:59 -05:00
x25.h
x25device.h
xfrm.h netns xfrm: per-netns sysctls 2008-11-25 18:00:48 -08:00