Commit | Line | Data |
---|---|---|
5778eabd PM |
1 | /* |
2 | * SELinux NetLabel Support | |
3 | * | |
4 | * This file provides the necessary glue to tie NetLabel into the SELinux | |
5 | * subsystem. | |
6 | * | |
7 | * Author: Paul Moore <paul.moore@hp.com> | |
8 | * | |
9 | */ | |
10 | ||
11 | /* | |
12 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2007 | |
13 | * | |
14 | * This program is free software; you can redistribute it and/or modify | |
15 | * it under the terms of the GNU General Public License as published by | |
16 | * the Free Software Foundation; either version 2 of the License, or | |
17 | * (at your option) any later version. | |
18 | * | |
19 | * This program is distributed in the hope that it will be useful, | |
20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See | |
22 | * the GNU General Public License for more details. | |
23 | * | |
24 | * You should have received a copy of the GNU General Public License | |
25 | * along with this program; if not, write to the Free Software | |
26 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
27 | * | |
28 | */ | |
29 | ||
30 | #include <linux/spinlock.h> | |
31 | #include <linux/rcupdate.h> | |
32 | #include <net/sock.h> | |
33 | #include <net/netlabel.h> | |
34 | ||
35 | #include "objsec.h" | |
36 | #include "security.h" | |
37 | ||
38 | /** | |
ba6ff9f2 PM |
39 | * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism |
40 | * @sk: the socket to label | |
5778eabd PM |
41 | * @sid: the SID to use |
42 | * | |
43 | * Description: | |
44 | * Attempt to label a socket using the NetLabel mechanism using the given | |
45 | * SID. Returns zero values on success, negative values on failure. The | |
46 | * caller is responsibile for calling rcu_read_lock() before calling this | |
47 | * this function and rcu_read_unlock() after this function returns. | |
48 | * | |
49 | */ | |
ba6ff9f2 | 50 | static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid) |
5778eabd PM |
51 | { |
52 | int rc; | |
ba6ff9f2 | 53 | struct sk_security_struct *sksec = sk->sk_security; |
5778eabd PM |
54 | struct netlbl_lsm_secattr secattr; |
55 | ||
45c950e0 PM |
56 | netlbl_secattr_init(&secattr); |
57 | ||
5778eabd PM |
58 | rc = security_netlbl_sid_to_secattr(sid, &secattr); |
59 | if (rc != 0) | |
45c950e0 | 60 | goto sock_setsid_return; |
ba6ff9f2 | 61 | rc = netlbl_sock_setattr(sk, &secattr); |
5778eabd PM |
62 | if (rc == 0) { |
63 | spin_lock_bh(&sksec->nlbl_lock); | |
64 | sksec->nlbl_state = NLBL_LABELED; | |
65 | spin_unlock_bh(&sksec->nlbl_lock); | |
66 | } | |
67 | ||
45c950e0 PM |
68 | sock_setsid_return: |
69 | netlbl_secattr_destroy(&secattr); | |
5778eabd PM |
70 | return rc; |
71 | } | |
72 | ||
73 | /** | |
74 | * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache | |
75 | * | |
76 | * Description: | |
77 | * Invalidate the NetLabel security attribute mapping cache. | |
78 | * | |
79 | */ | |
80 | void selinux_netlbl_cache_invalidate(void) | |
81 | { | |
82 | netlbl_cache_invalidate(); | |
83 | } | |
84 | ||
85 | /** | |
86 | * selinux_netlbl_sk_security_reset - Reset the NetLabel fields | |
87 | * @ssec: the sk_security_struct | |
88 | * @family: the socket family | |
89 | * | |
90 | * Description: | |
91 | * Called when the NetLabel state of a sk_security_struct needs to be reset. | |
92 | * The caller is responsibile for all the NetLabel sk_security_struct locking. | |
93 | * | |
94 | */ | |
95 | void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, | |
96 | int family) | |
97 | { | |
98 | if (family == PF_INET) | |
99 | ssec->nlbl_state = NLBL_REQUIRE; | |
100 | else | |
101 | ssec->nlbl_state = NLBL_UNSET; | |
102 | } | |
103 | ||
104 | /** | |
105 | * selinux_netlbl_sk_security_init - Setup the NetLabel fields | |
106 | * @ssec: the sk_security_struct | |
107 | * @family: the socket family | |
108 | * | |
109 | * Description: | |
110 | * Called when a new sk_security_struct is allocated to initialize the NetLabel | |
111 | * fields. | |
112 | * | |
113 | */ | |
114 | void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec, | |
115 | int family) | |
116 | { | |
117 | /* No locking needed, we are the only one who has access to ssec */ | |
118 | selinux_netlbl_sk_security_reset(ssec, family); | |
119 | spin_lock_init(&ssec->nlbl_lock); | |
120 | } | |
121 | ||
122 | /** | |
123 | * selinux_netlbl_sk_security_clone - Copy the NetLabel fields | |
124 | * @ssec: the original sk_security_struct | |
125 | * @newssec: the cloned sk_security_struct | |
126 | * | |
127 | * Description: | |
128 | * Clone the NetLabel specific sk_security_struct fields from @ssec to | |
129 | * @newssec. | |
130 | * | |
131 | */ | |
132 | void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, | |
133 | struct sk_security_struct *newssec) | |
134 | { | |
135 | /* We don't need to take newssec->nlbl_lock because we are the only | |
136 | * thread with access to newssec, but we do need to take the RCU read | |
137 | * lock as other threads could have access to ssec */ | |
138 | rcu_read_lock(); | |
139 | selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family); | |
5778eabd PM |
140 | rcu_read_unlock(); |
141 | } | |
142 | ||
143 | /** | |
144 | * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel | |
145 | * @skb: the packet | |
75e22910 | 146 | * @family: protocol family |
5778eabd | 147 | * @base_sid: the SELinux SID to use as a context for MLS only attributes |
220deb96 | 148 | * @type: NetLabel labeling protocol type |
5778eabd PM |
149 | * @sid: the SID |
150 | * | |
151 | * Description: | |
152 | * Call the NetLabel mechanism to get the security attributes of the given | |
153 | * packet and use those attributes to determine the correct context/SID to | |
154 | * assign to the packet. Returns zero on success, negative values on failure. | |
155 | * | |
156 | */ | |
75e22910 PM |
157 | int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, |
158 | u16 family, | |
159 | u32 base_sid, | |
220deb96 | 160 | u32 *type, |
75e22910 | 161 | u32 *sid) |
5778eabd PM |
162 | { |
163 | int rc; | |
164 | struct netlbl_lsm_secattr secattr; | |
165 | ||
23bcdc1a PM |
166 | if (!netlbl_enabled()) { |
167 | *sid = SECSID_NULL; | |
168 | return 0; | |
169 | } | |
170 | ||
5778eabd | 171 | netlbl_secattr_init(&secattr); |
75e22910 | 172 | rc = netlbl_skbuff_getattr(skb, family, &secattr); |
9534f71c | 173 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) { |
f36158c4 | 174 | rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid); |
9534f71c PM |
175 | if (rc == 0 && |
176 | (secattr.flags & NETLBL_SECATTR_CACHEABLE) && | |
177 | (secattr.flags & NETLBL_SECATTR_CACHE)) | |
178 | netlbl_cache_add(skb, &secattr); | |
179 | } else | |
5778eabd | 180 | *sid = SECSID_NULL; |
220deb96 | 181 | *type = secattr.type; |
5778eabd PM |
182 | netlbl_secattr_destroy(&secattr); |
183 | ||
184 | return rc; | |
185 | } | |
186 | ||
187 | /** | |
188 | * selinux_netlbl_sock_graft - Netlabel the new socket | |
189 | * @sk: the new connection | |
190 | * @sock: the new socket | |
191 | * | |
192 | * Description: | |
193 | * The connection represented by @sk is being grafted onto @sock so set the | |
194 | * socket's NetLabel to match the SID of @sk. | |
195 | * | |
196 | */ | |
197 | void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) | |
198 | { | |
5778eabd PM |
199 | struct sk_security_struct *sksec = sk->sk_security; |
200 | struct netlbl_lsm_secattr secattr; | |
201 | u32 nlbl_peer_sid; | |
202 | ||
5778eabd PM |
203 | rcu_read_lock(); |
204 | ||
205 | if (sksec->nlbl_state != NLBL_REQUIRE) { | |
206 | rcu_read_unlock(); | |
207 | return; | |
208 | } | |
209 | ||
210 | netlbl_secattr_init(&secattr); | |
211 | if (netlbl_sock_getattr(sk, &secattr) == 0 && | |
212 | secattr.flags != NETLBL_SECATTR_NONE && | |
213 | security_netlbl_secattr_to_sid(&secattr, | |
f36158c4 | 214 | SECINITSID_NETMSG, |
5778eabd PM |
215 | &nlbl_peer_sid) == 0) |
216 | sksec->peer_sid = nlbl_peer_sid; | |
217 | netlbl_secattr_destroy(&secattr); | |
218 | ||
219 | /* Try to set the NetLabel on the socket to save time later, if we fail | |
220 | * here we will pick up the pieces in later calls to | |
221 | * selinux_netlbl_inode_permission(). */ | |
ba6ff9f2 | 222 | selinux_netlbl_sock_setsid(sk, sksec->sid); |
5778eabd PM |
223 | |
224 | rcu_read_unlock(); | |
225 | } | |
226 | ||
227 | /** | |
228 | * selinux_netlbl_socket_post_create - Label a socket using NetLabel | |
229 | * @sock: the socket to label | |
230 | * | |
231 | * Description: | |
232 | * Attempt to label a socket using the NetLabel mechanism using the given | |
233 | * SID. Returns zero values on success, negative values on failure. | |
234 | * | |
235 | */ | |
236 | int selinux_netlbl_socket_post_create(struct socket *sock) | |
237 | { | |
238 | int rc = 0; | |
ba6ff9f2 | 239 | struct sock *sk = sock->sk; |
ba6ff9f2 | 240 | struct sk_security_struct *sksec = sk->sk_security; |
5778eabd | 241 | |
5778eabd PM |
242 | rcu_read_lock(); |
243 | if (sksec->nlbl_state == NLBL_REQUIRE) | |
ba6ff9f2 | 244 | rc = selinux_netlbl_sock_setsid(sk, sksec->sid); |
5778eabd PM |
245 | rcu_read_unlock(); |
246 | ||
247 | return rc; | |
248 | } | |
249 | ||
250 | /** | |
251 | * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled | |
252 | * @inode: the file descriptor's inode | |
253 | * @mask: the permission mask | |
254 | * | |
255 | * Description: | |
256 | * Looks at a file's inode and if it is marked as a socket protected by | |
257 | * NetLabel then verify that the socket has been labeled, if not try to label | |
258 | * the socket now with the inode's SID. Returns zero on success, negative | |
259 | * values on failure. | |
260 | * | |
261 | */ | |
262 | int selinux_netlbl_inode_permission(struct inode *inode, int mask) | |
263 | { | |
264 | int rc; | |
ba6ff9f2 | 265 | struct sock *sk; |
5778eabd | 266 | struct socket *sock; |
ba6ff9f2 | 267 | struct sk_security_struct *sksec; |
5778eabd PM |
268 | |
269 | if (!S_ISSOCK(inode->i_mode) || | |
270 | ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) | |
271 | return 0; | |
272 | sock = SOCKET_I(inode); | |
ba6ff9f2 PM |
273 | sk = sock->sk; |
274 | sksec = sk->sk_security; | |
5778eabd PM |
275 | |
276 | rcu_read_lock(); | |
277 | if (sksec->nlbl_state != NLBL_REQUIRE) { | |
278 | rcu_read_unlock(); | |
279 | return 0; | |
280 | } | |
281 | local_bh_disable(); | |
ba6ff9f2 PM |
282 | bh_lock_sock_nested(sk); |
283 | rc = selinux_netlbl_sock_setsid(sk, sksec->sid); | |
284 | bh_unlock_sock(sk); | |
5778eabd PM |
285 | local_bh_enable(); |
286 | rcu_read_unlock(); | |
287 | ||
288 | return rc; | |
289 | } | |
290 | ||
291 | /** | |
292 | * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel | |
293 | * @sksec: the sock's sk_security_struct | |
294 | * @skb: the packet | |
75e22910 | 295 | * @family: protocol family |
5778eabd PM |
296 | * @ad: the audit data |
297 | * | |
298 | * Description: | |
299 | * Fetch the NetLabel security attributes from @skb and perform an access check | |
300 | * against the receiving socket. Returns zero on success, negative values on | |
301 | * error. | |
302 | * | |
303 | */ | |
304 | int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, | |
305 | struct sk_buff *skb, | |
75e22910 | 306 | u16 family, |
5778eabd PM |
307 | struct avc_audit_data *ad) |
308 | { | |
309 | int rc; | |
f36158c4 PM |
310 | u32 nlbl_sid; |
311 | u32 perm; | |
312 | struct netlbl_lsm_secattr secattr; | |
5778eabd | 313 | |
23bcdc1a PM |
314 | if (!netlbl_enabled()) |
315 | return 0; | |
316 | ||
f36158c4 | 317 | netlbl_secattr_init(&secattr); |
75e22910 | 318 | rc = netlbl_skbuff_getattr(skb, family, &secattr); |
9534f71c | 319 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) { |
f36158c4 PM |
320 | rc = security_netlbl_secattr_to_sid(&secattr, |
321 | SECINITSID_NETMSG, | |
322 | &nlbl_sid); | |
9534f71c PM |
323 | if (rc == 0 && |
324 | (secattr.flags & NETLBL_SECATTR_CACHEABLE) && | |
325 | (secattr.flags & NETLBL_SECATTR_CACHE)) | |
326 | netlbl_cache_add(skb, &secattr); | |
327 | } else | |
f36158c4 PM |
328 | nlbl_sid = SECINITSID_UNLABELED; |
329 | netlbl_secattr_destroy(&secattr); | |
5778eabd PM |
330 | if (rc != 0) |
331 | return rc; | |
8d9107e8 | 332 | |
5778eabd PM |
333 | switch (sksec->sclass) { |
334 | case SECCLASS_UDP_SOCKET: | |
f36158c4 | 335 | perm = UDP_SOCKET__RECVFROM; |
5778eabd PM |
336 | break; |
337 | case SECCLASS_TCP_SOCKET: | |
f36158c4 | 338 | perm = TCP_SOCKET__RECVFROM; |
5778eabd PM |
339 | break; |
340 | default: | |
f36158c4 | 341 | perm = RAWIP_SOCKET__RECVFROM; |
5778eabd PM |
342 | } |
343 | ||
f36158c4 | 344 | rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad); |
5778eabd PM |
345 | if (rc == 0) |
346 | return 0; | |
347 | ||
f36158c4 PM |
348 | if (nlbl_sid != SECINITSID_UNLABELED) |
349 | netlbl_skbuff_err(skb, rc); | |
5778eabd PM |
350 | return rc; |
351 | } | |
352 | ||
353 | /** | |
354 | * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel | |
355 | * @sock: the socket | |
356 | * @level: the socket level or protocol | |
357 | * @optname: the socket option name | |
358 | * | |
359 | * Description: | |
360 | * Check the setsockopt() call and if the user is trying to replace the IP | |
361 | * options on a socket and a NetLabel is in place for the socket deny the | |
362 | * access; otherwise allow the access. Returns zero when the access is | |
363 | * allowed, -EACCES when denied, and other negative values on error. | |
364 | * | |
365 | */ | |
366 | int selinux_netlbl_socket_setsockopt(struct socket *sock, | |
367 | int level, | |
368 | int optname) | |
369 | { | |
370 | int rc = 0; | |
ba6ff9f2 PM |
371 | struct sock *sk = sock->sk; |
372 | struct sk_security_struct *sksec = sk->sk_security; | |
5778eabd PM |
373 | struct netlbl_lsm_secattr secattr; |
374 | ||
375 | rcu_read_lock(); | |
376 | if (level == IPPROTO_IP && optname == IP_OPTIONS && | |
377 | sksec->nlbl_state == NLBL_LABELED) { | |
378 | netlbl_secattr_init(&secattr); | |
ba6ff9f2 PM |
379 | lock_sock(sk); |
380 | rc = netlbl_sock_getattr(sk, &secattr); | |
381 | release_sock(sk); | |
5778eabd PM |
382 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
383 | rc = -EACCES; | |
384 | netlbl_secattr_destroy(&secattr); | |
385 | } | |
386 | rcu_read_unlock(); | |
387 | ||
388 | return rc; | |
389 | } |