From 23bcdc1adebd3cb47d5666f2e9ecada95c0134e4 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 18 Jul 2007 12:28:45 -0400 Subject: SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the current runtime status of NetLabel based on the existing configuration. LSMs that make use of NetLabel, i.e. SELinux, can use this new function to determine if they should perform NetLabel access checks. This patch changes the NetLabel/SELinux glue code such that SELinux only enforces NetLabel related access checks when netlbl_enabled() returns true. At present NetLabel is considered to be enabled when there is at least one labeled protocol configuration present. The result is that by default NetLabel is considered to be disabled, however, as soon as an administrator configured a CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing NetLabel related access controls - including unlabeled packet controls. This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL" blocks into a single block to ease future review as recommended by Linus. Signed-off-by: Paul Moore Signed-off-by: James Morris --- include/net/netlabel.h | 62 +++++++++++++++++--------------------- net/netlabel/netlabel_cipso_v4.c | 5 ++++ net/netlabel/netlabel_kapi.c | 21 +++++++++++++ net/netlabel/netlabel_mgmt.c | 65 ++++++++++++++++++++++++++++++++++++++++ net/netlabel/netlabel_mgmt.h | 5 ++++ security/selinux/netlabel.c | 8 +++++ 6 files changed, 131 insertions(+), 35 deletions(-) diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 9b7d6f2ac9a3..ffbc7f28335a 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -144,10 +144,9 @@ struct netlbl_lsm_secattr { }; /* - * LSM security attribute operations + * LSM security attribute operations (inline) */ - /** * netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache * @flags: the memory allocation flags @@ -283,6 +282,9 @@ static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr) } #ifdef CONFIG_NETLABEL +/* + * LSM security attribute operations + */ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap, u32 offset); int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap, @@ -294,6 +296,25 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap, u32 start, u32 end, gfp_t flags); + +/* + * LSM protocol operations + */ +int netlbl_enabled(void); +int netlbl_sock_setattr(struct sock *sk, + const struct netlbl_lsm_secattr *secattr); +int netlbl_sock_getattr(struct sock *sk, + struct netlbl_lsm_secattr *secattr); +int netlbl_skbuff_getattr(const struct sk_buff *skb, + struct netlbl_lsm_secattr *secattr); +void netlbl_skbuff_err(struct sk_buff *skb, int error); + +/* + * LSM label mapping cache operations + */ +void netlbl_cache_invalidate(void); +int netlbl_cache_add(const struct sk_buff *skb, + const struct netlbl_lsm_secattr *secattr); #else static inline int netlbl_secattr_catmap_walk( struct netlbl_lsm_secattr_catmap *catmap, @@ -301,14 +322,12 @@ static inline int netlbl_secattr_catmap_walk( { return -ENOENT; } - static inline int netlbl_secattr_catmap_walk_rng( struct netlbl_lsm_secattr_catmap *catmap, u32 offset) { return -ENOENT; } - static inline int netlbl_secattr_catmap_setbit( struct netlbl_lsm_secattr_catmap *catmap, u32 bit, @@ -316,7 +335,6 @@ static inline int netlbl_secattr_catmap_setbit( { return 0; } - static inline int netlbl_secattr_catmap_setrng( struct netlbl_lsm_secattr_catmap *catmap, u32 start, @@ -325,59 +343,33 @@ static inline int netlbl_secattr_catmap_setrng( { return 0; } -#endif - -/* - * LSM protocol operations - */ - -#ifdef CONFIG_NETLABEL -int netlbl_sock_setattr(struct sock *sk, - const struct netlbl_lsm_secattr *secattr); -int netlbl_sock_getattr(struct sock *sk, - struct netlbl_lsm_secattr *secattr); -int netlbl_skbuff_getattr(const struct sk_buff *skb, - struct netlbl_lsm_secattr *secattr); -void netlbl_skbuff_err(struct sk_buff *skb, int error); -#else +static inline int netlbl_enabled(void) +{ + return 0; +} static inline int netlbl_sock_setattr(struct sock *sk, const struct netlbl_lsm_secattr *secattr) { return -ENOSYS; } - static inline int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) { return -ENOSYS; } - static inline int netlbl_skbuff_getattr(const struct sk_buff *skb, struct netlbl_lsm_secattr *secattr) { return -ENOSYS; } - static inline void netlbl_skbuff_err(struct sk_buff *skb, int error) { return; } -#endif /* CONFIG_NETLABEL */ - -/* - * LSM label mapping cache operations - */ - -#ifdef CONFIG_NETLABEL -void netlbl_cache_invalidate(void); -int netlbl_cache_add(const struct sk_buff *skb, - const struct netlbl_lsm_secattr *secattr); -#else static inline void netlbl_cache_invalidate(void) { return; } - static inline int netlbl_cache_add(const struct sk_buff *skb, const struct netlbl_lsm_secattr *secattr) { diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index 24b660f16ce3..c060e3f991f1 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c @@ -41,6 +41,7 @@ #include "netlabel_user.h" #include "netlabel_cipso_v4.h" +#include "netlabel_mgmt.h" /* Argument struct for cipso_v4_doi_walk() */ struct netlbl_cipsov4_doiwalk_arg { @@ -419,6 +420,8 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) ret_val = netlbl_cipsov4_add_pass(info); break; } + if (ret_val == 0) + netlbl_mgmt_protocount_inc(); audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, &audit_info); @@ -694,6 +697,8 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) ret_val = cipso_v4_doi_remove(doi, &audit_info, netlbl_cipsov4_doi_free); + if (ret_val == 0) + netlbl_mgmt_protocount_dec(); audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, &audit_info); diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index b165712aaa70..4f50949722a9 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -38,6 +38,7 @@ #include "netlabel_domainhash.h" #include "netlabel_unlabeled.h" #include "netlabel_user.h" +#include "netlabel_mgmt.h" /* * Security Attribute Functions @@ -244,6 +245,26 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap, * LSM Functions */ +/** + * netlbl_enabled - Determine if the NetLabel subsystem is enabled + * + * Description: + * The LSM can use this function to determine if it should use NetLabel + * security attributes in it's enforcement mechanism. Currently, NetLabel is + * considered to be enabled when it's configuration contains a valid setup for + * at least one labeled protocol (i.e. NetLabel can understand incoming + * labeled packets of at least one type); otherwise NetLabel is considered to + * be disabled. + * + */ +int netlbl_enabled(void) +{ + /* At some point we probably want to expose this mechanism to the user + * as well so that admins can toggle NetLabel regardless of the + * configuration */ + return (netlbl_mgmt_protocount_value() > 0 ? 1 : 0); +} + /** * netlbl_socket_setattr - Label a socket using the correct protocol * @sk: the socket to label diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c index e00fc219c72b..5315dacc5222 100644 --- a/net/netlabel/netlabel_mgmt.c +++ b/net/netlabel/netlabel_mgmt.c @@ -42,6 +42,10 @@ #include "netlabel_user.h" #include "netlabel_mgmt.h" +/* NetLabel configured protocol count */ +static DEFINE_SPINLOCK(netlabel_mgmt_protocount_lock); +static u32 netlabel_mgmt_protocount = 0; + /* Argument struct for netlbl_domhsh_walk() */ struct netlbl_domhsh_walk_arg { struct netlink_callback *nl_cb; @@ -66,6 +70,67 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = { [NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 }, }; +/* + * NetLabel Misc Managment Functions + */ + +/** + * netlbl_mgmt_protocount_inc - Increment the configured labeled protocol count + * + * Description: + * Increment the number of labeled protocol configurations in the current + * NetLabel configuration. Keep track of this for use in determining if + * NetLabel label enforcement should be active/enabled or not in the LSM. + * + */ +void netlbl_mgmt_protocount_inc(void) +{ + rcu_read_lock(); + spin_lock(&netlabel_mgmt_protocount_lock); + netlabel_mgmt_protocount++; + spin_unlock(&netlabel_mgmt_protocount_lock); + rcu_read_unlock(); +} + +/** + * netlbl_mgmt_protocount_dec - Decrement the configured labeled protocol count + * + * Description: + * Decrement the number of labeled protocol configurations in the current + * NetLabel configuration. Keep track of this for use in determining if + * NetLabel label enforcement should be active/enabled or not in the LSM. + * + */ +void netlbl_mgmt_protocount_dec(void) +{ + rcu_read_lock(); + spin_lock(&netlabel_mgmt_protocount_lock); + if (netlabel_mgmt_protocount > 0) + netlabel_mgmt_protocount--; + spin_unlock(&netlabel_mgmt_protocount_lock); + rcu_read_unlock(); +} + +/** + * netlbl_mgmt_protocount_value - Return the number of configured protocols + * + * Description: + * Return the number of labeled protocols in the current NetLabel + * configuration. This value is useful in determining if NetLabel label + * enforcement should be active/enabled or not in the LSM. + * + */ +u32 netlbl_mgmt_protocount_value(void) +{ + u32 val; + + rcu_read_lock(); + val = netlabel_mgmt_protocount; + rcu_read_unlock(); + + return val; +} + /* * NetLabel Command Handlers */ diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h index 3642d3bfc8eb..ccb2b3923591 100644 --- a/net/netlabel/netlabel_mgmt.h +++ b/net/netlabel/netlabel_mgmt.h @@ -168,4 +168,9 @@ enum { /* NetLabel protocol functions */ int netlbl_mgmt_genl_init(void); +/* NetLabel misc management functions */ +void netlbl_mgmt_protocount_inc(void); +void netlbl_mgmt_protocount_dec(void); +u32 netlbl_mgmt_protocount_value(void); + #endif diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index e64eca246f1a..ed9155b29c1a 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -155,6 +155,11 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) int rc; struct netlbl_lsm_secattr secattr; + if (!netlbl_enabled()) { + *sid = SECSID_NULL; + return 0; + } + netlbl_secattr_init(&secattr); rc = netlbl_skbuff_getattr(skb, &secattr); if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) @@ -298,6 +303,9 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, u32 netlbl_sid; u32 recv_perm; + if (!netlbl_enabled()) + return 0; + rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_UNLABELED, &netlbl_sid); -- cgit v1.2.3 From f36158c410651fe66f438c17b2ab3ae813f8c060 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 18 Jul 2007 12:28:46 -0400 Subject: SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel These changes will make NetLabel behave like labeled IPsec where there is an access check for both labeled and unlabeled packets as well as providing the ability to restrict domains to receiving only labeled packets when NetLabel is in use. The changes to the policy are straight forward with the following necessary to receive labeled traffic (with SECINITSID_NETMSG defined as "netlabel_peer_t"): allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; The policy for unlabeled traffic would be: allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom; These policy changes, as well as more general NetLabel support, are included in the latest SELinux Reference Policy release 20070629 or later. Users who make use of NetLabel are strongly encouraged to upgrade their policy to avoid network problems. Users who do not make use of NetLabel will not notice any difference. Signed-off-by: Paul Moore Signed-off-by: James Morris --- security/selinux/hooks.c | 21 +++++++++++---------- security/selinux/netlabel.c | 41 ++++++++++++++++++++--------------------- 2 files changed, 31 insertions(+), 31 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 520b9998123e..26356e67108e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3129,17 +3129,19 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, /** * selinux_skb_extlbl_sid - Determine the external label of a packet * @skb: the packet - * @base_sid: the SELinux SID to use as a context for MLS only external labels * @sid: the packet's SID * * Description: * Check the various different forms of external packet labeling and determine - * the external SID for the packet. + * the external SID for the packet. If only one form of external labeling is + * present then it is used, if both labeled IPsec and NetLabel labels are + * present then the SELinux type information is taken from the labeled IPsec + * SA and the MLS sensitivity label information is taken from the NetLabel + * security attributes. This bit of "magic" is done in the call to + * selinux_netlbl_skbuff_getsid(). * */ -static void selinux_skb_extlbl_sid(struct sk_buff *skb, - u32 base_sid, - u32 *sid) +static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid) { u32 xfrm_sid; u32 nlbl_sid; @@ -3147,10 +3149,9 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb, selinux_skb_xfrm_sid(skb, &xfrm_sid); if (selinux_netlbl_skbuff_getsid(skb, (xfrm_sid == SECSID_NULL ? - base_sid : xfrm_sid), + SECINITSID_NETMSG : xfrm_sid), &nlbl_sid) != 0) nlbl_sid = SECSID_NULL; - *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); } @@ -3695,7 +3696,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * if (sock && sock->sk->sk_family == PF_UNIX) selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); else if (skb) - selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid); + selinux_skb_extlbl_sid(skb, &peer_secid); if (peer_secid == SECSID_NULL) err = -EINVAL; @@ -3756,7 +3757,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, u32 newsid; u32 peersid; - selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); + selinux_skb_extlbl_sid(skb, &peersid); if (peersid == SECSID_NULL) { req->secid = sksec->sid; req->peer_secid = SECSID_NULL; @@ -3794,7 +3795,7 @@ static void selinux_inet_conn_established(struct sock *sk, { struct sk_security_struct *sksec = sk->sk_security; - selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); + selinux_skb_extlbl_sid(skb, &sksec->peer_sid); } static void selinux_req_classify_flow(const struct request_sock *req, diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index ed9155b29c1a..051b14c88e2d 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -163,9 +163,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) netlbl_secattr_init(&secattr); rc = netlbl_skbuff_getattr(skb, &secattr); if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) - rc = security_netlbl_secattr_to_sid(&secattr, - base_sid, - sid); + rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid); else *sid = SECSID_NULL; netlbl_secattr_destroy(&secattr); @@ -203,7 +201,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) if (netlbl_sock_getattr(sk, &secattr) == 0 && secattr.flags != NETLBL_SECATTR_NONE && security_netlbl_secattr_to_sid(&secattr, - SECINITSID_UNLABELED, + SECINITSID_NETMSG, &nlbl_peer_sid) == 0) sksec->peer_sid = nlbl_peer_sid; netlbl_secattr_destroy(&secattr); @@ -300,41 +298,42 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, struct avc_audit_data *ad) { int rc; - u32 netlbl_sid; - u32 recv_perm; + u32 nlbl_sid; + u32 perm; + struct netlbl_lsm_secattr secattr; if (!netlbl_enabled()) return 0; - rc = selinux_netlbl_skbuff_getsid(skb, - SECINITSID_UNLABELED, - &netlbl_sid); + netlbl_secattr_init(&secattr); + rc = netlbl_skbuff_getattr(skb, &secattr); + if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) + rc = security_netlbl_secattr_to_sid(&secattr, + SECINITSID_NETMSG, + &nlbl_sid); + else + nlbl_sid = SECINITSID_UNLABELED; + netlbl_secattr_destroy(&secattr); if (rc != 0) return rc; - if (netlbl_sid == SECSID_NULL) - return 0; - switch (sksec->sclass) { case SECCLASS_UDP_SOCKET: - recv_perm = UDP_SOCKET__RECVFROM; + perm = UDP_SOCKET__RECVFROM; break; case SECCLASS_TCP_SOCKET: - recv_perm = TCP_SOCKET__RECVFROM; + perm = TCP_SOCKET__RECVFROM; break; default: - recv_perm = RAWIP_SOCKET__RECVFROM; + perm = RAWIP_SOCKET__RECVFROM; } - rc = avc_has_perm(sksec->sid, - netlbl_sid, - sksec->sclass, - recv_perm, - ad); + rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad); if (rc == 0) return 0; - netlbl_skbuff_err(skb, rc); + if (nlbl_sid != SECINITSID_UNLABELED) + netlbl_skbuff_err(skb, rc); return rc; } -- cgit v1.2.3