From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
paul@paul-moore.com, sds@tycho.nsa.gov
Subject: [PATCH v7 12/16] Netlabel: Provide labeling type to security modules
Date: Wed, 7 Aug 2019 15:42:41 -0700 [thread overview]
Message-ID: <20190807224245.10798-14-casey@schaufler-ca.com> (raw)
In-Reply-To: <20190807224245.10798-1-casey@schaufler-ca.com>
Return the labeling type when setting network security attributes.
This allows for later comparison of the complete label information
to determine if the security modules agree on how a packet should
be labeled.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
net/netlabel/netlabel_kapi.c | 70 +++++++++++++++++++++---------------
security/selinux/netlabel.c | 23 +++++++-----
security/smack/smack_lsm.c | 8 +++--
3 files changed, 61 insertions(+), 40 deletions(-)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index a0996bdc8595..496d6a38b2aa 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -975,15 +975,14 @@ int netlbl_enabled(void)
* Attach the correct label to the given socket using the security attributes
* specified in @secattr. This function requires exclusive access to @sk,
* which means it either needs to be in the process of being created or locked.
- * Returns zero on success, -EDESTADDRREQ if the domain is configured to use
- * network address selectors (can't blindly label the socket), and negative
- * values on all other failures.
+ * Returns the labeling type of the domain, or negative values on failures.
*
*/
int netlbl_sock_setattr(struct sock *sk,
u16 family,
const struct netlbl_lsm_secattr *secattr)
{
+ int rc;
int ret_val;
struct netlbl_dom_map *dom_entry;
@@ -995,17 +994,17 @@ int netlbl_sock_setattr(struct sock *sk,
}
switch (family) {
case AF_INET:
+ ret_val = dom_entry->def.type;
switch (dom_entry->def.type) {
case NETLBL_NLTYPE_ADDRSELECT:
- ret_val = -EDESTADDRREQ;
break;
case NETLBL_NLTYPE_CIPSOV4:
- ret_val = cipso_v4_sock_setattr(sk,
- dom_entry->def.cipso,
- secattr);
+ rc = cipso_v4_sock_setattr(sk, dom_entry->def.cipso,
+ secattr);
+ if (rc < 0)
+ ret_val = rc;
break;
case NETLBL_NLTYPE_UNLABELED:
- ret_val = 0;
break;
default:
ret_val = -ENOENT;
@@ -1013,17 +1012,17 @@ int netlbl_sock_setattr(struct sock *sk,
break;
#if IS_ENABLED(CONFIG_IPV6)
case AF_INET6:
+ ret_val = dom_entry->def.type;
switch (dom_entry->def.type) {
case NETLBL_NLTYPE_ADDRSELECT:
- ret_val = -EDESTADDRREQ;
break;
case NETLBL_NLTYPE_CALIPSO:
- ret_val = calipso_sock_setattr(sk,
- dom_entry->def.calipso,
- secattr);
+ rc = calipso_sock_setattr(sk, dom_entry->def.calipso,
+ secattr);
+ if (rc < 0)
+ ret_val = rc;
break;
case NETLBL_NLTYPE_UNLABELED:
- ret_val = 0;
break;
default:
ret_val = -ENOENT;
@@ -1104,14 +1103,16 @@ int netlbl_sock_getattr(struct sock *sk,
* Description:
* Attach the correct label to the given connected socket using the security
* attributes specified in @secattr. The caller is responsible for ensuring
- * that @sk is locked. Returns zero on success, negative values on failure.
+ * that @sk is locked. Returns the NLTYPE on success, negative values on
+ * failure.
*
*/
int netlbl_conn_setattr(struct sock *sk,
struct sockaddr *addr,
const struct netlbl_lsm_secattr *secattr)
{
- int ret_val;
+ int rc;
+ int ret_val = 0;
struct sockaddr_in *addr4;
#if IS_ENABLED(CONFIG_IPV6)
struct sockaddr_in6 *addr6;
@@ -1128,16 +1129,17 @@ int netlbl_conn_setattr(struct sock *sk,
ret_val = -ENOENT;
goto conn_setattr_return;
}
+ ret_val = entry->type;
switch (entry->type) {
case NETLBL_NLTYPE_CIPSOV4:
- ret_val = cipso_v4_sock_setattr(sk,
- entry->cipso, secattr);
+ rc = cipso_v4_sock_setattr(sk, entry->cipso, secattr);
+ if (rc < 0)
+ ret_val = rc;
break;
case NETLBL_NLTYPE_UNLABELED:
/* just delete the protocols we support for right now
* but we could remove other protocols if needed */
netlbl_sock_delattr(sk);
- ret_val = 0;
break;
default:
ret_val = -ENOENT;
@@ -1152,16 +1154,17 @@ int netlbl_conn_setattr(struct sock *sk,
ret_val = -ENOENT;
goto conn_setattr_return;
}
+ ret_val = entry->type;
switch (entry->type) {
case NETLBL_NLTYPE_CALIPSO:
- ret_val = calipso_sock_setattr(sk,
- entry->calipso, secattr);
+ rc = calipso_sock_setattr(sk, entry->calipso, secattr);
+ if (rc < 0)
+ ret_val = rc;
break;
case NETLBL_NLTYPE_UNLABELED:
/* just delete the protocols we support for right now
* but we could remove other protocols if needed */
netlbl_sock_delattr(sk);
- ret_val = 0;
break;
default:
ret_val = -ENOENT;
@@ -1184,12 +1187,14 @@ int netlbl_conn_setattr(struct sock *sk,
*
* Description:
* Attach the correct label to the given socket using the security attributes
- * specified in @secattr. Returns zero on success, negative values on failure.
+ * specified in @secattr. Returns the NLTYPE on success, negative values on
+ * failure.
*
*/
int netlbl_req_setattr(struct request_sock *req,
const struct netlbl_lsm_secattr *secattr)
{
+ int rc;
int ret_val;
struct netlbl_dommap_def *entry;
struct inet_request_sock *ireq = inet_rsk(req);
@@ -1203,14 +1208,15 @@ int netlbl_req_setattr(struct request_sock *req,
ret_val = -ENOENT;
goto req_setattr_return;
}
+ ret_val = entry->type;
switch (entry->type) {
case NETLBL_NLTYPE_CIPSOV4:
- ret_val = cipso_v4_req_setattr(req,
- entry->cipso, secattr);
+ rc = cipso_v4_req_setattr(req, entry->cipso, secattr);
+ if (rc < 0)
+ ret_val = rc;
break;
case NETLBL_NLTYPE_UNLABELED:
netlbl_req_delattr(req);
- ret_val = 0;
break;
default:
ret_val = -ENOENT;
@@ -1224,14 +1230,15 @@ int netlbl_req_setattr(struct request_sock *req,
ret_val = -ENOENT;
goto req_setattr_return;
}
+ ret_val = entry->type;
switch (entry->type) {
case NETLBL_NLTYPE_CALIPSO:
- ret_val = calipso_req_setattr(req,
- entry->calipso, secattr);
+ rc = calipso_req_setattr(req, entry->calipso, secattr);
+ if (rc < 0)
+ ret_val = rc;
break;
case NETLBL_NLTYPE_UNLABELED:
netlbl_req_delattr(req);
- ret_val = 0;
break;
default:
ret_val = -ENOENT;
@@ -1277,7 +1284,8 @@ void netlbl_req_delattr(struct request_sock *req)
*
* Description:
* Attach the correct label to the given packet using the security attributes
- * specified in @secattr. Returns zero on success, negative values on failure.
+ * specified in @secattr. Returns the NLTYPE on success, negative values on
+ * failure.
*
*/
int netlbl_skbuff_setattr(struct sk_buff *skb,
@@ -1314,6 +1322,8 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
default:
ret_val = -ENOENT;
}
+ if (ret_val == 0)
+ ret_val = entry->type;
break;
#if IS_ENABLED(CONFIG_IPV6)
case AF_INET6:
@@ -1337,6 +1347,8 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
default:
ret_val = -ENOENT;
}
+ if (ret_val == 0)
+ ret_val = entry->type;
break;
#endif /* IPv6 */
default:
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 120d50c1bcac..8088a787777a 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -266,6 +266,8 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
}
rc = netlbl_skbuff_setattr(skb, family, secattr);
+ if (rc > 0)
+ rc = 0;
skbuff_setsid_return:
if (secattr == &secattr_storage)
@@ -321,8 +323,10 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
}
rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr);
- if (rc == 0)
+ if (rc >= 0) {
sksec->nlbl_state = NLBL_LABELED;
+ rc = 0;
+ }
assoc_request_return:
netlbl_secattr_destroy(&secattr);
@@ -354,6 +358,8 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
if (rc != 0)
goto inet_conn_request_return;
rc = netlbl_req_setattr(req, &secattr);
+ if (rc > 0)
+ rc = 0;
inet_conn_request_return:
netlbl_secattr_destroy(&secattr);
return rc;
@@ -418,15 +424,12 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
if (secattr == NULL)
return -ENOMEM;
rc = netlbl_sock_setattr(sk, family, secattr);
- switch (rc) {
- case 0:
- sksec->nlbl_state = NLBL_LABELED;
- break;
- case -EDESTADDRREQ:
+ if (rc == NETLBL_NLTYPE_ADDRSELECT)
sksec->nlbl_state = NLBL_REQSKB;
+ else if (rc >= 0)
+ sksec->nlbl_state = NLBL_LABELED;
+ if (rc > 0)
rc = 0;
- break;
- }
return rc;
}
@@ -579,8 +582,10 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk,
return rc;
}
rc = netlbl_conn_setattr(sk, addr, secattr);
- if (rc == 0)
+ if (rc >= 0) {
sksec->nlbl_state = NLBL_CONNLABELED;
+ rc = 0;
+ }
return rc;
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 2d88983868e8..62189558bb6a 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2414,6 +2414,8 @@ static int smack_netlabel(struct sock *sk, int labeled)
else {
skp = ssp->smk_out;
rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel);
+ if (rc > 0)
+ rc = 0;
}
bh_unlock_sock(sk);
@@ -4141,9 +4143,11 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
hskp = smack_ipv4host_label(&addr);
rcu_read_unlock();
- if (hskp == NULL)
+ if (hskp == NULL) {
rc = netlbl_req_setattr(req, &skp->smk_netlabel);
- else
+ if (rc > 0)
+ rc = 0;
+ } else
netlbl_req_delattr(req);
return rc;
--
2.20.1
next prev parent reply other threads:[~2019-08-07 22:43 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-07 22:42 [PATCH v7 00/16] LSM: Full module stacking Casey Schaufler
2019-08-07 22:42 ` Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 01/16] LSM: Single hook called in secmark refcounting Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 02/16] Smack: Detect if secmarks can be safely used Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 03/16] LSM: Support multiple LSMs using inode_init_security Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 04/16] LSM: List multiple security attributes in security_inode_listsecurity Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 05/16] LSM: Multiple modules using security_ismaclabel Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 06/16] LSM: Make multiple MAC modules safe in nfs and kernfs Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 07/16] LSM: Correct handling of ENOSYS in inode_setxattr Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 08/16] LSM: Infrastructure security blobs for mount options Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 09/16] LSM: Fix for security_init_inode_security Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 10/16] LSM: Change error detection for UDP peer security Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 11/16] Netlabel: Add a secattr comparison API function Casey Schaufler
2019-08-07 22:42 ` Casey Schaufler [this message]
2019-08-07 22:42 ` [PATCH v7 13/16] LSM: Remember the NLTYPE of netlabel sockets Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 14/16] LSM: Hook for netlabel reconciliation Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 15/16] LSM: Avoid network conflicts in SELinux and Smack Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 16/16] Smack: Remove the exclusive flag Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190807224245.10798-14-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=casey.schaufler@intel.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.