diff options
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/Makefile | 2 | ||||
-rw-r--r-- | security/selinux/avc.c | 5 | ||||
-rw-r--r-- | security/selinux/hooks.c | 43 | ||||
-rw-r--r-- | security/selinux/include/av_perm_to_string.h | 1 | ||||
-rw-r--r-- | security/selinux/include/av_permissions.h | 1 | ||||
-rw-r--r-- | security/selinux/include/xfrm.h | 54 | ||||
-rw-r--r-- | security/selinux/selinuxfs.c | 6 | ||||
-rw-r--r-- | security/selinux/ss/avtab.c | 2 | ||||
-rw-r--r-- | security/selinux/ss/policydb.c | 2 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 6 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 305 |
11 files changed, 414 insertions, 13 deletions
diff --git a/security/selinux/Makefile b/security/selinux/Makefile index b038cd0fae2..06d54d9d20a 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile @@ -8,5 +8,7 @@ selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o selinux-$(CONFIG_SECURITY_NETWORK) += netif.o +selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o + EXTRA_CFLAGS += -Isecurity/selinux/include diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 12e4fb72bf0..53d6c7bbf56 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -494,8 +494,7 @@ static inline void avc_print_ipv6_addr(struct audit_buffer *ab, char *name1, char *name2) { if (!ipv6_addr_any(addr)) - audit_log_format(ab, " %s=%04x:%04x:%04x:%04x:%04x:" - "%04x:%04x:%04x", name1, NIP6(*addr)); + audit_log_format(ab, " %s=" NIP6_FMT, name1, NIP6(*addr)); if (port) audit_log_format(ab, " %s=%d", name2, ntohs(port)); } @@ -504,7 +503,7 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, u32 addr, __be16 port, char *name1, char *name2) { if (addr) - audit_log_format(ab, " %s=%d.%d.%d.%d", name1, NIPQUAD(addr)); + audit_log_format(ab, " %s=" NIPQUAD_FMT, name1, NIPQUAD(addr)); if (port) audit_log_format(ab, " %s=%d", name2, ntohs(port)); } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fc774436a26..b9f8d9731c3 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -73,6 +73,7 @@ #include "avc.h" #include "objsec.h" #include "netif.h" +#include "xfrm.h" #define XATTR_SELINUX_SUFFIX "selinux" #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX @@ -1018,7 +1019,7 @@ static inline int dentry_has_perm(struct task_struct *tsk, has the same SID as the process. If av is zero, then access to the file is not checked, e.g. for cases where only the descriptor is affected like seek. */ -static inline int file_has_perm(struct task_struct *tsk, +static int file_has_perm(struct task_struct *tsk, struct file *file, u32 av) { @@ -1662,7 +1663,7 @@ static inline void flush_unauthorized_files(struct files_struct * files) continue; } if (devnull) { - rcuref_inc(&devnull->f_count); + get_file(devnull); } else { devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR); if (!devnull) { @@ -3349,6 +3350,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) err = avc_has_perm(sock_sid, port_sid, sock_class, recv_perm, &ad); } + + if (!err) + err = selinux_xfrm_sock_rcv_skb(sock_sid, skb); + out: return err; } @@ -3401,6 +3406,24 @@ static void selinux_sk_free_security(struct sock *sk) sk_free_security(sk); } +static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir) +{ + struct inode_security_struct *isec; + u32 sock_sid = SECINITSID_ANY_SOCKET; + + if (!sk) + return selinux_no_sk_sid(fl); + + read_lock_bh(&sk->sk_callback_lock); + isec = get_sock_isec(sk); + + if (isec) + sock_sid = isec->sid; + + read_unlock_bh(&sk->sk_callback_lock); + return sock_sid; +} + static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) { int err = 0; @@ -3536,6 +3559,11 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum, send_perm, &ad) ? NF_DROP : NF_ACCEPT; } + if (err != NF_ACCEPT) + goto out; + + err = selinux_xfrm_postroute_last(isec->sid, skb); + out: return err; } @@ -4380,6 +4408,16 @@ static struct security_operations selinux_ops = { .socket_getpeersec = selinux_socket_getpeersec, .sk_alloc_security = selinux_sk_alloc_security, .sk_free_security = selinux_sk_free_security, + .sk_getsid = selinux_sk_getsid_security, +#endif + +#ifdef CONFIG_SECURITY_NETWORK_XFRM + .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, + .xfrm_policy_clone_security = selinux_xfrm_policy_clone, + .xfrm_policy_free_security = selinux_xfrm_policy_free, + .xfrm_state_alloc_security = selinux_xfrm_state_alloc, + .xfrm_state_free_security = selinux_xfrm_state_free, + .xfrm_policy_lookup = selinux_xfrm_policy_lookup, #endif }; @@ -4491,6 +4529,7 @@ static int __init selinux_nf_ip_init(void) panic("SELinux: nf_register_hook for IPv6: error %d\n", err); #endif /* IPV6 */ + out: return err; } diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index 1deb59e1b76..591e98d9315 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h @@ -238,3 +238,4 @@ S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost") S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto") S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom") + S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext") diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index a78b5d59c9f..d7f02edf393 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h @@ -908,6 +908,7 @@ #define ASSOCIATION__SENDTO 0x00000001UL #define ASSOCIATION__RECVFROM 0x00000002UL +#define ASSOCIATION__SETCONTEXT 0x00000004UL #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL #define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h new file mode 100644 index 00000000000..8e87996c6dd --- /dev/null +++ b/security/selinux/include/xfrm.h @@ -0,0 +1,54 @@ +/* + * SELinux support for the XFRM LSM hooks + * + * Author : Trent Jaeger, <jaegert@us.ibm.com> + */ +#ifndef _SELINUX_XFRM_H_ +#define _SELINUX_XFRM_H_ + +int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx); +int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); +void selinux_xfrm_policy_free(struct xfrm_policy *xp); +int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); +void selinux_xfrm_state_free(struct xfrm_state *x); +int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir); + +/* + * Extract the security blob from the sock (it's actually on the socket) + */ +static inline struct inode_security_struct *get_sock_isec(struct sock *sk) +{ + if (!sk->sk_socket) + return NULL; + + return SOCK_INODE(sk->sk_socket)->i_security; +} + + +static inline u32 selinux_no_sk_sid(struct flowi *fl) +{ + /* NOTE: no sock occurs on ICMP reply, forwards, ... */ + /* icmp_reply: authorize as kernel packet */ + if (fl && fl->proto == IPPROTO_ICMP) { + return SECINITSID_KERNEL; + } + + return SECINITSID_ANY_SOCKET; +} + +#ifdef CONFIG_SECURITY_NETWORK_XFRM +int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb); +int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb); +#else +static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb) +{ + return 0; +} + +static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb) +{ + return NF_ACCEPT; +} +#endif + +#endif /* _SELINUX_XFRM_H_ */ diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 0e1352a555c..b5fa02d17b1 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -376,7 +376,7 @@ static ssize_t selinux_transaction_write(struct file *file, const char __user *b char *data; ssize_t rv; - if (ino >= sizeof(write_op)/sizeof(write_op[0]) || !write_op[ino]) + if (ino >= ARRAY_SIZE(write_op) || !write_op[ino]) return -EINVAL; data = simple_transaction_get(file, buf, size); @@ -889,7 +889,7 @@ static void sel_remove_bools(struct dentry *de) spin_lock(&dcache_lock); node = de->d_subdirs.next; while (node != &de->d_subdirs) { - struct dentry *d = list_entry(node, struct dentry, d_child); + struct dentry *d = list_entry(node, struct dentry, d_u.d_child); list_del_init(node); if (d->d_inode) { @@ -1161,7 +1161,7 @@ static int sel_make_avc_files(struct dentry *dir) #endif }; - for (i = 0; i < sizeof (files) / sizeof (files[0]); i++) { + for (i = 0; i < ARRAY_SIZE(files); i++) { struct inode *inode; struct dentry *dentry; diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c index dde094feb20..d049c7acbc8 100644 --- a/security/selinux/ss/avtab.c +++ b/security/selinux/ss/avtab.c @@ -359,7 +359,7 @@ int avtab_read_item(void *fp, u32 vers, struct avtab *a, return -1; } - for (i = 0; i < sizeof(spec_order)/sizeof(u16); i++) { + for (i = 0; i < ARRAY_SIZE(spec_order); i++) { if (val & spec_order[i]) { key.specified = spec_order[i] | enabled; datum.data = le32_to_cpu(buf32[items++]); diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 0ac311dc837..0111990ba83 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -103,7 +103,7 @@ static struct policydb_compat_info *policydb_lookup_compat(int version) int i; struct policydb_compat_info *info = NULL; - for (i = 0; i < sizeof(policydb_compat)/sizeof(*info); i++) { + for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) { if (policydb_compat[i].version == version) { info = &policydb_compat[i]; break; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 44eb4d74908..8a764928ff4 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1712,11 +1712,11 @@ int security_get_bools(int *len, char ***names, int **values) goto out; } - *names = (char**)kcalloc(*len, sizeof(char*), GFP_ATOMIC); + *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); if (!*names) goto err; - *values = (int*)kcalloc(*len, sizeof(int), GFP_ATOMIC); + *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); if (!*values) goto err; @@ -1724,7 +1724,7 @@ int security_get_bools(int *len, char ***names, int **values) size_t name_len; (*values)[i] = policydb.bool_val_to_struct[i]->state; name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; - (*names)[i] = (char*)kmalloc(sizeof(char) * name_len, GFP_ATOMIC); + (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); if (!(*names)[i]) goto err; strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c new file mode 100644 index 00000000000..b2af7ca496c --- /dev/null +++ b/security/selinux/xfrm.c @@ -0,0 +1,305 @@ +/* + * NSA Security-Enhanced Linux (SELinux) security module + * + * This file contains the SELinux XFRM hook function implementations. + * + * Authors: Serge Hallyn <sergeh@us.ibm.com> + * Trent Jaeger <jaegert@us.ibm.com> + * + * Copyright (C) 2005 International Business Machines Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ + +/* + * USAGE: + * NOTES: + * 1. Make sure to enable the following options in your kernel config: + * CONFIG_SECURITY=y + * CONFIG_SECURITY_NETWORK=y + * CONFIG_SECURITY_NETWORK_XFRM=y + * CONFIG_SECURITY_SELINUX=m/y + * ISSUES: + * 1. Caching packets, so they are not dropped during negotiation + * 2. Emulating a reasonable SO_PEERSEC across machines + * 3. Testing addition of sk_policy's with security context via setsockopt + */ +#include <linux/config.h> +#include <linux/module.h> +#include <linux/kernel.h> +#include <linux/init.h> +#include <linux/security.h> +#include <linux/types.h> +#include <linux/netfilter.h> +#include <linux/netfilter_ipv4.h> +#include <linux/netfilter_ipv6.h> +#include <linux/ip.h> +#include <linux/tcp.h> +#include <linux/skbuff.h> +#include <linux/xfrm.h> +#include <net/xfrm.h> +#include <net/checksum.h> +#include <net/udp.h> +#include <asm/semaphore.h> + +#include "avc.h" +#include "objsec.h" +#include "xfrm.h" + + +/* + * Returns true if an LSM/SELinux context + */ +static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) +{ + return (ctx && + (ctx->ctx_doi == XFRM_SC_DOI_LSM) && + (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); +} + +/* + * Returns true if the xfrm contains a security blob for SELinux + */ +static inline int selinux_authorizable_xfrm(struct xfrm_state *x) +{ + return selinux_authorizable_ctx(x->security); +} + +/* + * LSM hook implementation that authorizes that a socket can be used + * with the corresponding xfrm_sec_ctx and direction. + */ +int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir) +{ + int rc = 0; + u32 sel_sid = SECINITSID_UNLABELED; + struct xfrm_sec_ctx *ctx; + + /* Context sid is either set to label or ANY_ASSOC */ + if ((ctx = xp->security)) { + if (!selinux_authorizable_ctx(ctx)) + return -EINVAL; + + sel_sid = ctx->ctx_sid; + } + + rc = avc_has_perm(sk_sid, sel_sid, SECCLASS_ASSOCIATION, + ((dir == FLOW_DIR_IN) ? ASSOCIATION__RECVFROM : + ((dir == FLOW_DIR_OUT) ? ASSOCIATION__SENDTO : + (ASSOCIATION__SENDTO | ASSOCIATION__RECVFROM))), + NULL); + + return rc; +} + +/* + * Security blob allocation for xfrm_policy and xfrm_state + * CTX does not have a meaningful value on input + */ +static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *uctx) +{ + int rc = 0; + struct task_security_struct *tsec = current->security; + struct xfrm_sec_ctx *ctx; + + BUG_ON(!uctx); + BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX); + + if (uctx->ctx_len >= PAGE_SIZE) + return -ENOMEM; + + *ctxp = ctx = kmalloc(sizeof(*ctx) + + uctx->ctx_len, + GFP_KERNEL); + + if (!ctx) + return -ENOMEM; + + ctx->ctx_doi = uctx->ctx_doi; + ctx->ctx_len = uctx->ctx_len; + ctx->ctx_alg = uctx->ctx_alg; + + memcpy(ctx->ctx_str, + uctx+1, + ctx->ctx_len); + rc = security_context_to_sid(ctx->ctx_str, + ctx->ctx_len, + &ctx->ctx_sid); + + if (rc) + goto out; + + /* + * Does the subject have permission to set security or permission to + * do the relabel? + * Must be permitted to relabel from default socket type (process type) + * to specified context + */ + rc = avc_has_perm(tsec->sid, ctx->ctx_sid, + SECCLASS_ASSOCIATION, + ASSOCIATION__SETCONTEXT, NULL); + if (rc) + goto out; + + return rc; + +out: + *ctxp = NULL; + kfree(ctx); + return rc; +} + +/* + * LSM hook implementation that allocs and transfers uctx spec to + * xfrm_policy. + */ +int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *uctx) +{ + int err; + + BUG_ON(!xp); + + err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx); + return err; +} + + +/* + * LSM hook implementation that copies security data structure from old to + * new for policy cloning. + */ +int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) +{ + struct xfrm_sec_ctx *old_ctx, *new_ctx; + + old_ctx = old->security; + + if (old_ctx) { + new_ctx = new->security = kmalloc(sizeof(*new_ctx) + + old_ctx->ctx_len, + GFP_KERNEL); + + if (!new_ctx) + return -ENOMEM; + + memcpy(new_ctx, old_ctx, sizeof(*new_ctx)); + memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len); + } + return 0; +} + +/* + * LSM hook implementation that frees xfrm_policy security information. + */ +void selinux_xfrm_policy_free(struct xfrm_policy *xp) +{ + struct xfrm_sec_ctx *ctx = xp->security; + if (ctx) + kfree(ctx); +} + +/* + * LSM hook implementation that allocs and transfers sec_ctx spec to + * xfrm_state. + */ +int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx) +{ + int err; + + BUG_ON(!x); + + err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx); + return err; +} + +/* + * LSM hook implementation that frees xfrm_state security information. + */ +void selinux_xfrm_state_free(struct xfrm_state *x) +{ + struct xfrm_sec_ctx *ctx = x->security; + if (ctx) + kfree(ctx); +} + +/* + * LSM hook that controls access to unlabelled packets. If + * a xfrm_state is authorizable (defined by macro) then it was + * already authorized by the IPSec process. If not, then + * we need to check for unlabelled access since this may not have + * gone thru the IPSec process. + */ +int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb) +{ + int i, rc = 0; + struct sec_path *sp; + + sp = skb->sp; + + if (sp) { + /* + * __xfrm_policy_check does not approve unless xfrm_policy_ok + * says that spi's match for policy and the socket. + * + * Only need to verify the existence of an authorizable sp. + */ + for (i = 0; i < sp->len; i++) { + struct xfrm_state *x = sp->x[i].xvec; + + if (x && selinux_authorizable_xfrm(x)) + goto accept; + } + } + + /* check SELinux sock for unlabelled access */ + rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, + ASSOCIATION__RECVFROM, NULL); + if (rc) + goto drop; + +accept: + return 0; + +drop: + return rc; +} + +/* + * POSTROUTE_LAST hook's XFRM processing: + * If we have no security association, then we need to determine + * whether the socket is allowed to send to an unlabelled destination. + * If we do have a authorizable security association, then it has already been + * checked in xfrm_policy_lookup hook. + */ +int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb) +{ + struct dst_entry *dst; + int rc = 0; + + dst = skb->dst; + + if (dst) { + struct dst_entry *dst_test; + + for (dst_test = dst; dst_test != 0; + dst_test = dst_test->child) { + struct xfrm_state *x = dst_test->xfrm; + + if (x && selinux_authorizable_xfrm(x)) + goto accept; + } + } + + rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, + ASSOCIATION__SENDTO, NULL); + if (rc) + goto drop; + +accept: + return NF_ACCEPT; + +drop: + return NF_DROP; +} |