* [PATCH 0/6] Various NetLabel fixes and cleanups
From: paul.moore @ 2006-08-29 14:42 UTC (permalink / raw)
  To: netdev, selinux; +Cc: jmorris, sds, akpm

This patchset contains a series of small patches to fix a bug and some general
ugliness from the original author (that moron ...).  All of the following
patches are against David's net-2.6.19 tree.

Please consider these for 2.6.19, thanks.

--
paul moore
linux security @ hp

* [PATCH 1/6] NetLabel: correctly initialize the NetLabel fields
From: paul.moore @ 2006-08-29 14:42 UTC (permalink / raw)
  To: netdev, selinux; +Cc: jmorris, sds, akpm, Paul Moore

Fix a problem where the NetLabel specific fields of the sk_security_struct
structure were not being initialized early enough in some cases.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 security/selinux/hooks.c                    |    6 +++
 security/selinux/include/selinux_netlabel.h |   18 +++++++++++
 security/selinux/ss/services.c              |   45 ++++++++++++++++++++++++++--
 3 files changed, 67 insertions(+), 2 deletions(-)

Index: net-2.6.19/security/selinux/hooks.c
===================================================================
--- net-2.6.19.orig/security/selinux/hooks.c
+++ net-2.6.19/security/selinux/hooks.c
@@ -281,6 +281,8 @@ static int sk_alloc_security(struct sock
 	ssec->sid = SECINITSID_UNLABELED;
 	sk->sk_security = ssec;
 
+	selinux_netlbl_sk_security_init(ssec, family);
+
 	return 0;
 }
 
@@ -3585,6 +3587,8 @@ static void selinux_sk_clone_security(co
 
 	newssec->sid = ssec->sid;
 	newssec->peer_sid = ssec->peer_sid;
+
+	selinux_netlbl_sk_clone_security(ssec, newssec);
 }
 
 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
@@ -3648,6 +3652,8 @@ static void selinux_inet_csk_clone(struc
 	   new socket in sync, but we don't have the isec available yet.
 	   So we will wait until sock_graft to do it, by which
 	   time it will have been created and available. */
+
+	selinux_netlbl_sk_security_init(newsksec, req->rsk_ops->family);
 }
 
 static void selinux_req_classify_flow(const struct request_sock *req,
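Review bot: the new selinux_netlbl_sk_security_init() call in selinux_inet_csk_clone() is placed directly under the comment that explains why the isec-dependent work is deferred until sock_graft, so the comment now reads as if it describes this call. Move the call above that comment block, or give it a one-line comment of its own, so the deferral note stays attached to what it explains. It is also worth confirming that req->rsk_ops->family carries PF_INET on the IPv4 request-sock paths this hooks, since the init only sets NLBL_REQUIRE for that value and leaves everything else NLBL_UNSET.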
Index: net-2.6.19/security/selinux/include/selinux_netlabel.h
===================================================================
--- net-2.6.19.orig/security/selinux/include/selinux_netlabel.h
+++ net-2.6.19/security/selinux/include/selinux_netlabel.h
@@ -39,6 +39,10 @@ int selinux_netlbl_sock_rcv_skb(struct s
 				struct avc_audit_data *ad);
 u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);
 u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);
+void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
+				     int family);
+void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
+				      struct sk_security_struct *newssec);
 
 int __selinux_netlbl_inode_permission(struct inode *inode, int mask);
 /**
@@ -115,6 +119,20 @@ static inline u32 selinux_netlbl_socket_
 	return SECSID_NULL;
 }
 
+static inline void selinux_netlbl_sk_security_init(
+	                                       struct sk_security_struct *ssec,
+					       int family)
+{
+	return;
+}
+
+static inline void selinux_netlbl_sk_clone_security(
+	                                   struct sk_security_struct *ssec,
+					   struct sk_security_struct *newssec)
+{
+	return;
+}
+
 static inline int selinux_netlbl_inode_permission(struct inode *inode,
 						  int mask)
 {
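Review bot: the two !CONFIG_NETLABEL stubs end with a bare `return;` in a void body, which is just noise; an empty body is the usual form. The parameter continuation lines also mix a leading tab with long runs of spaces (`+	                                       struct sk_security_struct *ssec,`), unlike the tab-only indentation used elsewhere in this header; reindent them with tabs so checkpatch stays quiet.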
Index: net-2.6.19/security/selinux/ss/services.c
===================================================================
--- net-2.6.19.orig/security/selinux/ss/services.c
+++ net-2.6.19/security/selinux/ss/services.c
@@ -2423,6 +2423,45 @@ netlbl_socket_setsid_return:
 }
 
 /**
+ * selinux_netlbl_sk_security_init - Setup the NetLabel fields
+ * @ssec: the sk_security_struct
+ * @family: the socket family
+ *
+ * Description:
+ * Called when a new sk_security_struct is allocated to initialize the NetLabel
+ * fields.
+ *
+ */
+void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
+				     int family)
+{
+        if (family == PF_INET)
+		ssec->nlbl_state = NLBL_REQUIRE;
+	else
+		ssec->nlbl_state = NLBL_UNSET;
+}
+
+/**
+ * selinux_netlbl_sk_clone_security - Copy the NetLabel fields
+ * @ssec: the original sk_security_struct
+ * @newssec: the cloned sk_security_struct
+ *
+ * Description:
+ * Clone the NetLabel specific sk_security_struct fields from @ssec to
+ * @newssec.
+ *
+ */
+void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
+				      struct sk_security_struct *newssec)
+{
+	newssec->sclass = ssec->sclass;
+	if (ssec->nlbl_state != NLBL_UNSET)
+		newssec->nlbl_state = NLBL_REQUIRE;
+	else
+		newssec->nlbl_state = NLBL_UNSET;
+}
+
+/**
  * selinux_netlbl_socket_post_create - Label a socket using NetLabel
  * @sock: the socket to label
  * @sock_family: the socket family
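Review bot: `+        if (family == PF_INET)` in selinux_netlbl_sk_security_init() is indented with spaces while the rest of the block uses tabs, which checkpatch will flag. A second point on the same pair of functions: the init only sets nlbl_state, while selinux_netlbl_sk_clone_security() copies sclass from the parent, so a freshly allocated ssec carries whatever sclass the allocator left until socket_post_create or sock_graft assigns it. If sk_alloc_security does not zero the structure, initialize sclass explicitly here or say in a comment why it is safe to leave it.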
@@ -2440,10 +2479,11 @@ int selinux_netlbl_socket_post_create(st
 	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
 	struct sk_security_struct *sksec = sock->sk->sk_security;
 
+	sksec->sclass = isec->sclass;
+
 	if (sock_family != PF_INET)
 		return 0;
 
-	sksec->sclass = isec->sclass;
 	sksec->nlbl_state = NLBL_REQUIRE;
 	return selinux_netlbl_socket_setsid(sock, sid);
 }
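Review bot: moving `sksec->sclass = isec->sclass;` above the PF_INET check is the substantive fix for non-IPv4 sockets in this hunk and in the sock_graft hunk below it, and deserves a sentence in the commit message, which currently only says the fields were "not being initialized early enough". Stating that sclass was previously left unset for every non-PF_INET socket makes the change reviewable without reading the diff.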
@@ -2463,12 +2503,13 @@ void selinux_netlbl_sock_graft(struct so
 	struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
 	struct sk_security_struct *sksec = sk->sk_security;
 
+	sksec->sclass = isec->sclass;
+
 	if (sk->sk_family != PF_INET)
 		return;
 
 	sksec->nlbl_state = NLBL_REQUIRE;
 	sksec->peer_sid = sksec->sid;
-	sksec->sclass = isec->sclass;
 
 	/* Try to set the NetLabel on the socket to save time later, if we fail
 	 * here we will pick up the pieces in later calls to

--
paul moore
linux security @ hp

* [PATCH 2/6] NetLabel: remove unused function prototypes
From: paul.moore @ 2006-08-29 14:42 UTC (permalink / raw)
  To: netdev, selinux; +Cc: jmorris, sds, akpm, Paul Moore

Removed some older function prototypes for functions that no longer exist.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 include/net/cipso_ipv4.h |    6 ------
 1 file changed, 6 deletions(-)

Index: linux-2.6.17.i686/include/net/cipso_ipv4.h
===================================================================
--- linux-2.6.17.i686.orig/include/net/cipso_ipv4.h
+++ linux-2.6.17.i686/include/net/cipso_ipv4.h
@@ -200,15 +200,9 @@ static inline int cipso_v4_cache_add(con
 
 #ifdef CONFIG_NETLABEL
 void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
-int cipso_v4_socket_setopt(struct socket *sock,
-			   unsigned char *opt,
-			   u32 opt_len);
 int cipso_v4_socket_setattr(const struct socket *sock,
 			    const struct cipso_v4_doi *doi_def,
 			    const struct netlbl_lsm_secattr *secattr);
-int cipso_v4_socket_getopt(const struct socket *sock,
-			   unsigned char **opt,
-			   u32 *opt_len);
 int cipso_v4_socket_getattr(const struct socket *sock,
 			    struct netlbl_lsm_secattr *secattr);
 int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
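Review bot: this patch's file paths use the `linux-2.6.17.i686` prefix while the cover letter and the rest of the series are generated against `net-2.6.19`. It still applies with -p1 since only the first path component differs, but the series should be regenerated from one tree so the headers are consistent and the removed prototypes are verified against the tree they are meant for.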

--
paul moore
linux security @ hp

* [PATCH 3/6] NetLabel: comment corrections
From: paul.moore @ 2006-08-29 14:42 UTC (permalink / raw)
  To: netdev, selinux; +Cc: jmorris, sds, akpm, Paul Moore

Fix some incorrect comments.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 security/selinux/ss/services.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

Index: net-2.6.19/security/selinux/ss/services.c
===================================================================
--- net-2.6.19.orig/security/selinux/ss/services.c
+++ net-2.6.19/security/selinux/ss/services.c
@@ -2617,7 +2617,7 @@ int selinux_netlbl_sock_rcv_skb(struct s
 }
 
 /**
- * selinux_netlbl_socket_peersid - Return the peer SID of a connected socket
+ * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
  * @sock: the socket
  *
  * Description:

--
paul moore
linux security @ hp

* [PATCH 4/6] NetLabel: cleanup ebitmap_import()
From: paul.moore @ 2006-08-29 14:42 UTC (permalink / raw)
  To: netdev, selinux; +Cc: jmorris, sds, akpm, Paul Moore

Rewrite ebitmap_import() so it is a bit cleaner and easier to read.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 security/selinux/ss/ebitmap.c |   36 ++++++++++++++++--------------------
 1 files changed, 16 insertions(+), 20 deletions(-)

Index: net-2.6.19/security/selinux/ss/ebitmap.c
===================================================================
--- net-2.6.19.orig/security/selinux/ss/ebitmap.c
+++ net-2.6.19/security/selinux/ss/ebitmap.c
@@ -145,29 +145,28 @@ int ebitmap_import(const unsigned char *
 		   struct ebitmap *dst)
 {
 	size_t src_off = 0;
+	size_t node_limit;
 	struct ebitmap_node *node_new;
 	struct ebitmap_node *node_last = NULL;
-	size_t iter;
-	size_t iter_bit;
-	size_t iter_limit;
+	u32 i_byte;
+	u32 i_bit;
 	unsigned char src_byte;
 
-	do {
-		iter_limit = src_len - src_off;
-		if (iter_limit >= sizeof(MAPTYPE)) {
+	while (src_off < src_len) {
+		if (src_len - src_off >= sizeof(MAPTYPE)) {
 			if (*(MAPTYPE *)&src[src_off] == 0) {
 				src_off += sizeof(MAPTYPE);
 				continue;
 			}
-			iter_limit = sizeof(MAPTYPE);
+			node_limit = sizeof(MAPTYPE);
 		} else {
-			iter = src_off;
-			src_byte = 0;
-			do {
-				src_byte |= src[iter++];
-			} while (iter < src_len && src_byte == 0);
+			for (src_byte = 0, i_byte = src_off;
+			     i_byte < src_len && src_byte == 0;
+			     i_byte++)
+				src_byte |= src[i_byte];
 			if (src_byte == 0)
 				break;
+			node_limit = src_len - src_off;
 		}
 
 		node_new = kzalloc(sizeof(*node_new), GFP_ATOMIC);
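Review bot: i_byte is declared `u32` but is initialized from src_off and compared against src_len, both `size_t`, so on 64-bit kernels the assignment truncates silently; declare it (and i_bit) as size_t, as the variables it replaces were. The `*(MAPTYPE *)&src[src_off] == 0` fast path is unchanged here, but since this rewrite is about readability it is a good moment to note that it reads a MAPTYPE through an unsigned char pointer at an arbitrary byte offset; if src is not guaranteed MAPTYPE-aligned that is an unaligned access on strict-alignment architectures, and a byte loop or a memcmp against a zero word would be safer.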
@@ -176,24 +175,21 @@ int ebitmap_import(const unsigned char *
 			return -ENOMEM;
 		}
 		node_new->startbit = src_off * 8;
-		iter = 0;
-		do {
+		for (i_byte = 0; i_byte < node_limit; i_byte++) {
 			src_byte = src[src_off++];
-			iter_bit = iter++ * 8;
-			while (src_byte != 0) {
+			for (i_bit = i_byte * 8; src_byte != 0; i_bit++) {
 				if (src_byte & 0x80)
-					node_new->map |= MAPBIT << iter_bit;
-				iter_bit++;
+					node_new->map |= MAPBIT << i_bit;
 				src_byte <<= 1;
 			}
-		} while (iter < iter_limit);
+		}
 
 		if (node_last != NULL)
 			node_last->next = node_new;
 		else
 			dst->node = node_new;
 		node_last = node_new;
-	} while (src_off < src_len);
+	}
 
 	if (likely(node_last != NULL))
 		dst->highbit = node_last->startbit + MAPSIZE;
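Review bot: the inner loop now shifts `MAPBIT << i_bit` with i_bit running up to node_limit * 8 - 1, which only stays inside MAPTYPE because the previous hunk caps node_limit at sizeof(MAPTYPE); a short comment stating that invariant where node_limit is assigned would spare the next reader the cross-reference. The restructuring into nested for loops keeps the bit order of the old code (bit 0x80 of the first byte lands on map bit i_byte * 8), so behaviour is unchanged.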

--
paul moore
linux security @ hp

* [PATCH 5/6] NetLabel: uninline selinux_netlbl_inode_permission()
From: paul.moore @ 2006-08-29 14:42 UTC (permalink / raw)
  To: netdev, selinux; +Cc: jmorris, sds, akpm, Paul Moore

Uninline the selinux_netlbl_inode_permission() at the request of Andrew Morton.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 security/selinux/include/selinux_netlabel.h |   35 ----------------------------
 security/selinux/ss/services.c              |   33 +++++++++++++++++++-------
 2 files changed, 25 insertions(+), 43 deletions(-)

Index: net-2.6.19/security/selinux/include/selinux_netlabel.h
===================================================================
--- net-2.6.19.orig/security/selinux/include/selinux_netlabel.h
+++ net-2.6.19/security/selinux/include/selinux_netlabel.h
@@ -43,40 +43,7 @@ void selinux_netlbl_sk_security_init(str
 				     int family);
 void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
 				      struct sk_security_struct *newssec);
-
-int __selinux_netlbl_inode_permission(struct inode *inode, int mask);
-/**
- * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
- * @inode: the file descriptor's inode
- * @mask: the permission mask
- *
- * Description:
- * Looks at a file's inode and if it is marked as a socket protected by
- * NetLabel then verify that the socket has been labeled, if not try to label
- * the socket now with the inode's SID.  Returns zero on success, negative
- * values on failure.
- *
- */
-static inline int selinux_netlbl_inode_permission(struct inode *inode,
-						  int mask)
-{
-	int rc = 0;
-	struct inode_security_struct *isec;
-	struct sk_security_struct *sksec;
-
-	if (!S_ISSOCK(inode->i_mode))
-		return 0;
-
-	isec = inode->i_security;
-	sksec = SOCKET_I(inode)->sk->sk_security;
-	down(&isec->sem);
-	if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
-		     (mask & (MAY_WRITE | MAY_APPEND))))
-		rc = __selinux_netlbl_inode_permission(inode, mask);
-	up(&isec->sem);
-
-	return rc;
-}
+int selinux_netlbl_inode_permission(struct inode *inode, int mask);
 #else
 static inline void selinux_netlbl_cache_invalidate(void)
 {
Index: net-2.6.19/security/selinux/ss/services.c
===================================================================
--- net-2.6.19.orig/security/selinux/ss/services.c
+++ net-2.6.19/security/selinux/ss/services.c
@@ -2544,24 +2544,39 @@ u32 selinux_netlbl_inet_conn_request(str
 }
 
 /**
- * __selinux_netlbl_inode_permission - Label a socket using NetLabel
+ * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
  * @inode: the file descriptor's inode
  * @mask: the permission mask
  *
  * Description:
- * Try to label a socket with the inode's SID using NetLabel.  Returns zero on
- * success, negative values on failure.
+ * Looks at a file's inode and if it is marked as a socket protected by
+ * NetLabel then verify that the socket has been labeled, if not try to label
+ * the socket now with the inode's SID.  Returns zero on success, negative
+ * values on failure.
  *
  */
-int __selinux_netlbl_inode_permission(struct inode *inode, int mask)
+int selinux_netlbl_inode_permission(struct inode *inode, int mask)
 {
 	int rc;
-	struct socket *sock = SOCKET_I(inode);
-	struct sk_security_struct *sksec = sock->sk->sk_security;
+	struct inode_security_struct *isec;
+	struct sk_security_struct *sksec;
+	struct socket *sock;
+
+	if (!S_ISSOCK(inode->i_mode))
+		return 0;
 
-	lock_sock(sock->sk);
-	rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
-	release_sock(sock->sk);
+	sock = SOCKET_I(inode);
+	isec = inode->i_security;
+	sksec = sock->sk->sk_security;
+	down(&isec->sem);
+	if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
+		     (mask & (MAY_WRITE | MAY_APPEND)))) {
+		lock_sock(sock->sk);
+		rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
+		release_sock(sock->sk);
+	} else
+		rc = 0;
+	up(&isec->sem);
 
 	return rc;
 }
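Review bot: `} else` followed by an unbraced `rc = 0;` after a braced if-branch goes against CodingStyle, which wants both arms braced when either needs braces; the simplest fix is `int rc = 0;` at the declaration and dropping the else entirely, which also matches the inline version this patch removes. Separately, the function now visibly takes lock_sock() while holding isec->sem; that nesting already existed through __selinux_netlbl_inode_permission(), but now that it sits in one place a comment recording the isec->sem then sk_lock ordering would help anyone auditing for lock inversions.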

--
paul moore
linux security @ hp

^ permalink raw reply	[flat|nested] 37+ messages in thread

* [PATCH 5/6] NetLabel: uninline selinux_netlbl_inode_permission()
@ 2006-08-29 14:42   ` paul.moore
  0 siblings, 0 replies; 37+ messages in thread
From: paul.moore @ 2006-08-29 14:42 UTC (permalink / raw)
  To: netdev, selinux; +Cc: jmorris, sds, akpm, Paul Moore

Uninline the selinux_netlbl_inode_permission() at the request of Andrew Morton.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 security/selinux/include/selinux_netlabel.h |   35 ----------------------------
 security/selinux/ss/services.c              |   33 +++++++++++++++++++-------
 2 files changed, 25 insertions(+), 43 deletions(-)

Index: net-2.6.19/security/selinux/include/selinux_netlabel.h
===================================================================
--- net-2.6.19.orig/security/selinux/include/selinux_netlabel.h
+++ net-2.6.19/security/selinux/include/selinux_netlabel.h
@@ -43,40 +43,7 @@ void selinux_netlbl_sk_security_init(str
 				     int family);
 void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
 				      struct sk_security_struct *newssec);
-
-int __selinux_netlbl_inode_permission(struct inode *inode, int mask);
-/**
- * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
- * @inode: the file descriptor's inode
- * @mask: the permission mask
- *
- * Description:
- * Looks at a file's inode and if it is marked as a socket protected by
- * NetLabel then verify that the socket has been labeled, if not try to label
- * the socket now with the inode's SID.  Returns zero on success, negative
- * values on failure.
- *
- */
-static inline int selinux_netlbl_inode_permission(struct inode *inode,
-						  int mask)
-{
-	int rc = 0;
-	struct inode_security_struct *isec;
-	struct sk_security_struct *sksec;
-
-	if (!S_ISSOCK(inode->i_mode))
-		return 0;
-
-	isec = inode->i_security;
-	sksec = SOCKET_I(inode)->sk->sk_security;
-	down(&isec->sem);
-	if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
-		     (mask & (MAY_WRITE | MAY_APPEND))))
-		rc = __selinux_netlbl_inode_permission(inode, mask);
-	up(&isec->sem);
-
-	return rc;
-}
+int selinux_netlbl_inode_permission(struct inode *inode, int mask);
 #else
 static inline void selinux_netlbl_cache_invalidate(void)
 {
Index: net-2.6.19/security/selinux/ss/services.c
===================================================================
--- net-2.6.19.orig/security/selinux/ss/services.c
+++ net-2.6.19/security/selinux/ss/services.c
@@ -2544,24 +2544,39 @@ u32 selinux_netlbl_inet_conn_request(str
 }
 
 /**
- * __selinux_netlbl_inode_permission - Label a socket using NetLabel
+ * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
  * @inode: the file descriptor's inode
  * @mask: the permission mask
  *
  * Description:
- * Try to label a socket with the inode's SID using NetLabel.  Returns zero on
- * success, negative values on failure.
+ * Looks at a file's inode and if it is marked as a socket protected by
+ * NetLabel then verify that the socket has been labeled, if not try to label
+ * the socket now with the inode's SID.  Returns zero on success, negative
+ * values on failure.
  *
  */
-int __selinux_netlbl_inode_permission(struct inode *inode, int mask)
+int selinux_netlbl_inode_permission(struct inode *inode, int mask)
 {
 	int rc;
-	struct socket *sock = SOCKET_I(inode);
-	struct sk_security_struct *sksec = sock->sk->sk_security;
+	struct inode_security_struct *isec;
+	struct sk_security_struct *sksec;
+	struct socket *sock;
+
+	if (!S_ISSOCK(inode->i_mode))
+		return 0;
 
-	lock_sock(sock->sk);
-	rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
-	release_sock(sock->sk);
+	sock = SOCKET_I(inode);
+	isec = inode->i_security;
+	sksec = sock->sk->sk_security;
+	down(&isec->sem);
+	if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
+		     (mask & (MAY_WRITE | MAY_APPEND)))) {
+		lock_sock(sock->sk);
+		rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
+		release_sock(sock->sk);
+	} else
+		rc = 0;
+	up(&isec->sem);
 
 	return rc;
 }
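
Review bot: the tail of selinux_netlbl_inode_permission() pairs a braced `if` body with an unbraced `else rc = 0;`, which Documentation/CodingStyle asks to avoid (braces on both branches when either needs them); initializing `int rc = 0;` at the declaration and dropping the `else` is the simplest fix. Also, `sksec = sock->sk->sk_security` still dereferences `sock->sk` with no NULL check, exactly as the inline version did, so the new `S_ISSOCK()` early return narrows the inputs but does not cover a socket inode whose `sk` has already gone; if callers guarantee `sk` is live here, a short comment saying so would save the next reader the same question. The lock order (isec->sem first, then lock_sock()) is unchanged from the inline body, but the rewritten kernel-doc no longer mentions that the inode semaphore is taken at all.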

--
paul moore
linux security @ hp


* [PATCH 6/6] NetLabel: add some missing #includes to various header files
  2006-08-29 14:42 ` paul.moore
@ 2006-08-29 14:42   ` paul.moore
  -1 siblings, 0 replies; 37+ messages in thread
From: paul.moore @ 2006-08-29 14:42 UTC (permalink / raw)
  To: netdev, selinux; +Cc: jmorris, sds, akpm, Paul Moore

[-- Attachment #1: netlabel-header_includes --]
[-- Type: text/plain, Size: 2925 bytes --]

Add some missing include files to the NetLabel related header files.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 include/net/cipso_ipv4.h                    |    2 ++
 include/net/netlabel.h                      |    1 +
 net/netlabel/netlabel_domainhash.h          |    4 ++++
 net/netlabel/netlabel_user.h                |    5 +++--
 security/selinux/include/selinux_netlabel.h |    9 +++++++++
 5 files changed, 19 insertions(+), 2 deletions(-)

Index: net-2.6.19/include/net/cipso_ipv4.h
===================================================================
--- net-2.6.19.orig/include/net/cipso_ipv4.h
+++ net-2.6.19/include/net/cipso_ipv4.h
@@ -37,6 +37,8 @@
 #include <linux/types.h>
 #include <linux/rcupdate.h>
 #include <linux/list.h>
+#include <linux/net.h>
+#include <linux/skbuff.h>
 #include <net/netlabel.h>
 
 /* known doi values */
Index: net-2.6.19/include/net/netlabel.h
===================================================================
--- net-2.6.19.orig/include/net/netlabel.h
+++ net-2.6.19/include/net/netlabel.h
@@ -31,6 +31,7 @@
 #define _NETLABEL_H
 
 #include <linux/types.h>
+#include <linux/net.h>
 #include <linux/skbuff.h>
 #include <net/netlink.h>
 
Index: net-2.6.19/net/netlabel/netlabel_domainhash.h
===================================================================
--- net-2.6.19.orig/net/netlabel/netlabel_domainhash.h
+++ net-2.6.19/net/netlabel/netlabel_domainhash.h
@@ -32,6 +32,10 @@
 #ifndef _NETLABEL_DOMAINHASH_H
 #define _NETLABEL_DOMAINHASH_H
 
+#include <linux/types.h>
+#include <linux/rcupdate.h>
+#include <linux/list.h>
+
 /* Domain hash table size */
 /* XXX - currently this number is an uneducated guess */
 #define NETLBL_DOMHSH_BITSIZE       7
Index: net-2.6.19/net/netlabel/netlabel_user.h
===================================================================
--- net-2.6.19.orig/net/netlabel/netlabel_user.h
+++ net-2.6.19/net/netlabel/netlabel_user.h
@@ -31,11 +31,12 @@
 #ifndef _NETLABEL_USER_H
 #define _NETLABEL_USER_H
 
+#include <linux/types.h>
 #include <linux/skbuff.h>
 #include <linux/capability.h>
-#include <linux/genetlink.h>
-#include <net/netlabel.h>
+#include <net/netlink.h>
 #include <net/genetlink.h>
+#include <net/netlabel.h>
 
 /* NetLabel NETLINK helper functions */
 
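
Review bot: this hunk does more than the changelog's "add some missing include files": it replaces `<linux/genetlink.h>` with `<net/genetlink.h>`, inserts `<net/netlink.h>` ahead of it, and moves `<net/netlabel.h>` below the netlink headers, which looks like a fix for an include-order dependency rather than a missing include; a sentence in the commit message saying why the order matters would keep a later cleanup from undoing it.
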
Index: net-2.6.19/security/selinux/include/selinux_netlabel.h
===================================================================
--- net-2.6.19.orig/security/selinux/include/selinux_netlabel.h
+++ net-2.6.19/security/selinux/include/selinux_netlabel.h
@@ -27,6 +27,15 @@
 #ifndef _SELINUX_NETLABEL_H_
 #define _SELINUX_NETLABEL_H_
 
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/net.h>
+#include <linux/skbuff.h>
+#include <net/sock.h>
+
+#include "avc.h"
+#include "objsec.h"
+
 #ifdef CONFIG_NETLABEL
 void selinux_netlbl_cache_invalidate(void);
 int selinux_netlbl_socket_post_create(struct socket *sock,
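
Review bot: placing linux/fs.h, net/sock.h, "avc.h" and "objsec.h" before `#ifdef CONFIG_NETLABEL` is right, since prototypes such as selinux_netlbl_socket_post_create(struct socket *sock, ...) need the same types whether or not NetLabel is configured; the one include to justify is "avc.h", which none of the visible prototypes obviously needs and which pulls the whole AVC interface into every file that includes this header.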

--
paul moore
linux security @ hp

* Re: [PATCH 1/6] NetLabel: correctly initialize the NetLabel fields
  2006-08-29 14:42   ` paul.moore
@ 2006-08-29 16:51     ` James Morris
  -1 siblings, 0 replies; 37+ messages in thread
From: James Morris @ 2006-08-29 16:51 UTC (permalink / raw)
  To: Paul Moore; +Cc: netdev, selinux, sds, akpm

On Tue, 29 Aug 2006, paul.moore@hp.com wrote:

> +void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
> +				     int family)
> +{
> +        if (family == PF_INET)

No tab.

> +		ssec->nlbl_state = NLBL_REQUIRE;
> +	else
> +		ssec->nlbl_state = NLBL_UNSET;
> +}

It doesn't look like this code handles ipv4 packets mapped on ipv6 
sockets.  See the test elsewhere in the SELinux code:

	if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))


Also, can you verify that you've tested these fixes and that they resolve 
all issues that you've encountered?



-- 
James Morris
<jmorris@namei.org>

* Re: [PATCH 5/6] NetLabel: uninline selinux_netlbl_inode_permission()
  2006-08-29 14:42   ` paul.moore
@ 2006-08-29 16:54     ` James Morris
  -1 siblings, 0 replies; 37+ messages in thread
From: James Morris @ 2006-08-29 16:54 UTC (permalink / raw)
  To: Paul Moore, David S. Miller
  Cc: netdev, selinux, Stephen Smalley, Andrew Morton

On Tue, 29 Aug 2006, paul.moore@hp.com wrote:

> Uninline the selinux_netlbl_inode_permission() at the request of Andrew Morton.
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>

Acked-by: James Morris <jmorris@namei.org>


These patches should likely go in via Dave's tree.



-- 
James Morris
<jmorris@namei.org>

* Re: [PATCH 6/6] NetLabel: add some missing #includes to various header files
  2006-08-29 14:42   ` paul.moore
@ 2006-08-29 16:56     ` James Morris
  -1 siblings, 0 replies; 37+ messages in thread
From: James Morris @ 2006-08-29 16:56 UTC (permalink / raw)
  To: Paul Moore
  Cc: netdev, selinux, Stephen Smalley, Andrew Morton, David S. Miller

On Tue, 29 Aug 2006, paul.moore@hp.com wrote:

> Add some missing include files to the NetLabel related header files.
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>

Acked-by: James Morris <jmorris@namei.org>



-- 
James Morris
<jmorris@namei.org>

* Re: [PATCH 2/6] NetLabel: remove unused function prototypes
  2006-08-29 14:42   ` paul.moore
@ 2006-08-29 16:56     ` James Morris
  -1 siblings, 0 replies; 37+ messages in thread
From: James Morris @ 2006-08-29 16:56 UTC (permalink / raw)
  To: Paul Moore
  Cc: netdev, selinux, Stephen Smalley, Andrew Morton, David S. Miller

On Tue, 29 Aug 2006, paul.moore@hp.com wrote:

> Removed some older function prototypes for functions that no longer exist.
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>

Acked-by: James Morris <jmorris@namei.org>


-- 
James Morris
<jmorris@namei.org>

* Re: [PATCH 3/6] NetLabel: comment corrections
  2006-08-29 14:42   ` paul.moore
@ 2006-08-29 16:57     ` James Morris
  -1 siblings, 0 replies; 37+ messages in thread
From: James Morris @ 2006-08-29 16:57 UTC (permalink / raw)
  To: Paul Moore
  Cc: netdev, selinux, Stephen Smalley, Andrew Morton, David S. Miller

On Tue, 29 Aug 2006, paul.moore@hp.com wrote:

> Fix some incorrect comments.
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>

Acked-by: James Morris <jmorris@namei.org>


-- 
James Morris
<jmorris@namei.org>

* Re: [PATCH 4/6] NetLabel: cleanup ebitmap_import()
  2006-08-29 14:42   ` paul.moore
@ 2006-08-29 16:58     ` James Morris
  -1 siblings, 0 replies; 37+ messages in thread
From: James Morris @ 2006-08-29 16:58 UTC (permalink / raw)
  To: Paul Moore
  Cc: netdev, selinux, Stephen Smalley, Andrew Morton, David S. Miller

On Tue, 29 Aug 2006, paul.moore@hp.com wrote:

> Rewrite ebitmap_import() so it is a bit cleaner and easier to read.
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>

Acked-by: James Morris <jmorris@namei.org>


-- 
James Morris
<jmorris@namei.org>

* Re: [PATCH 1/6] NetLabel: correctly initialize the NetLabel fields
  2006-08-29 14:42   ` paul.moore
@ 2006-08-29 17:01     ` James Morris
  -1 siblings, 0 replies; 37+ messages in thread
From: James Morris @ 2006-08-29 17:01 UTC (permalink / raw)
  To: Paul Moore
  Cc: netdev, selinux, Stephen Smalley, Andrew Morton, David S. Miller

On Tue, 29 Aug 2006, paul.moore@hp.com wrote:

> Fix a problem where the NetLabel specific fields of the sk_security_struct
> structure were not being initialized early enough in some cases.
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>

Regardless of the mapped ipv6 socket issue, I think these should be 
applied as fixes in their own right.  The mapped ipv6 socket stuff can be 
done separately if required.


Acked-by: James Morris <jmorris@namei.org>


-- 
James Morris
<jmorris@namei.org>

* Re: [PATCH 1/6] NetLabel: correctly initialize the NetLabel fields
  2006-08-29 16:51     ` James Morris
@ 2006-08-29 17:56       ` Paul Moore
  -1 siblings, 0 replies; 37+ messages in thread
From: Paul Moore @ 2006-08-29 17:56 UTC (permalink / raw)
  To: James Morris; +Cc: netdev, selinux, sds, akpm

James Morris wrote:
> On Tue, 29 Aug 2006, paul.moore@hp.com wrote:
>>+void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
>>+				     int family)
>>+{
>>+        if (family == PF_INET)
> 
> No tab. 

I see you already ack'd this patch, should I resubmit with the tab
correction or just leave it alone?

>>+		ssec->nlbl_state = NLBL_REQUIRE;
>>+	else
>>+		ssec->nlbl_state = NLBL_UNSET;
>>+}
>  
> It doesn't look like this code handles ipv4 packets mapped on ipv6 
> sockets.  See the test elsewhere in the SELinux code:
> 
> 	if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))

This is an issue which I am still thinking about, but I haven't devoted
too much time to it because in the one example case I have tried
everything works as expected.

Example case:

1. Configure NetLabel so that packets are labeled with CIPSO
2. Ensure SSH is listening for both IPv4 and IPv6 connections and
restart the daemon
3. Connect to the SSH daemon using IPv4

I haven't looked at the sshd code enough in detail to see what it is
doing exactly but simply running 'netstat -nl' shows that sshd is
listening for connections with an IPv6 socket (at least it is listening
on port ':::22').  Once the connection is established the daemon
continues to use an IPv6 socket, '::ffff:127.0.0.1:22', whereas the
client uses a traditional IPv4 socket.  Sniffing the connection
indicates that both directions of network traffic are labeled with the
correct CIPSO tags.

On the receive side in selinux_socket_sock_rcv_skb() the socket's IP
address family is not consulted, only the SELinux socket class and the
skbuff's CIPSO tag if present.

On the outbound side, yes, we only NetLabel sockets which are PF_INET
but I didn't think I could set an IPv4 option on a PF_INET6 socket can
I?  It just sounds wrong ...

> Also, can you verify that you've tested these fixes and that they resolve 
> all issues that you've encountered?

I have verified that this patchset fixes all the issues that I've
encountered.  In addition I have run the patches overnight on a test
machine while hitting the machine pretty hard and I have not noticed any
other problems or regressions.

-- 
paul moore
linux security @ hp

* Re: [PATCH 1/6] NetLabel: correctly initialize the NetLabel fields
  2006-08-29 17:56       ` Paul Moore
@ 2006-08-29 19:17         ` James Morris
  -1 siblings, 0 replies; 37+ messages in thread
From: James Morris @ 2006-08-29 19:17 UTC (permalink / raw)
  To: Paul Moore
  Cc: netdev, selinux, Stephen Smalley, Andrew Morton, David S. Miller

On Tue, 29 Aug 2006, Paul Moore wrote:

> James Morris wrote:
> > On Tue, 29 Aug 2006, paul.moore@hp.com wrote:
> >>+void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
> >>+				     int family)
> >>+{
> >>+        if (family == PF_INET)
> > 
> > No tab. 
> 
> I see you already ack'd this patch, should I resubmit with the tab
> correction or just leave it alone?

Probably easiest to fix it as it's applied.

> Example case:
> 
> 1. Configure NetLabel so that packets are labeled with CIPSO
> 2. Ensure SSH is listening for both IPv4 and IPv6 connections and
> restart the daemon
> 3. Connect to the SSH daemon using IPv4
> 
> I haven't looked at the sshd code enough in detail to see what it is
> doing exactly but simply running 'netstat -nl' shows that sshd is
> listening for connections with an IPv6 socket (at least it is listening
> on port ':::22').  Once the connection is established the daemon
> continues to use an IPv6 socket, '::ffff:127.0.0.1:22', whereas the
> client uses a traditional IPv4 socket.  Sniffing the connection
> indicates that both directions of network traffic are labeled with the
> correct CIPSO tags.

IIRC, the way I originally tested this was to write a simple app.  I 
wonder if something has changed in the networking code which means we 
don't need to test for this now.

> On the outbound side, yes, we only NetLabel sockets which are PF_INET
> but I didn't think I could set an IPv4 option on a PF_INET6 socket can
> I?  It just sounds wrong ...

If it's carrying IPv4 traffic, it may make sense in some cases.


- James
-- 
James Morris
<jmorris@namei.org>

* Re: [PATCH 1/6] NetLabel: correctly initialize the NetLabel fields
  2006-08-29 19:17         ` James Morris
@ 2006-08-29 20:21           ` Paul Moore
  -1 siblings, 0 replies; 37+ messages in thread
From: Paul Moore @ 2006-08-29 20:21 UTC (permalink / raw)
  To: James Morris
  Cc: netdev, selinux, Stephen Smalley, Andrew Morton, David S. Miller

James Morris wrote:
> On Tue, 29 Aug 2006, Paul Moore wrote:
>>James Morris wrote:
>>>On Tue, 29 Aug 2006, paul.moore@hp.com wrote:
>>>
>>>>+void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
>>>>+				     int family)
>>>>+{
>>>>+        if (family == PF_INET)
>>>
>>>No tab. 
>>
>>I see you already ack'd this patch, should I resubmit with the tab
>>correction or just leave it alone?
> 
> Probably easiest to fix it as it's applied.
> 
>>Example case:
>>
>>1. Configure NetLabel so that packets are labeled with CIPSO
>>2. Ensure SSH is listening for both IPv4 and IPv6 connections and
>>restart the daemon
>>3. Connect to the SSH daemon using IPv4
>>
>>I haven't looked at the sshd code enough in detail to see what it is
>>doing exactly but simply running 'netstat -nl' shows that sshd is
>>listening for connections with an IPv6 socket (at least it is listening
>>on port ':::22').  Once the connection is established the daemon
>>continues to use an IPv6 socket, '::ffff:127.0.0.1:22', whereas the
>>client uses a traditional IPv4 socket.  Sniffing the connection
>>indicates that both directions of network traffic are labeled with the
>>correct CIPSO tags.
> 
> IIRC, the way I originally tested this was to write a simple app.  I 
> wonder if something has changed in the networking code which means we 
> don't need to test for this now.
> 
>>On the outbound side, yes, we only NetLabel sockets which are PF_INET
>>but I didn't think I could set an IPv4 option on a PF_INET6 socket can
>>I?  It just sounds wrong ...
> 
> If it's carrying IPv4 traffic, it may make sense in some cases.
> 

My concern was if the stack would honor the inet_sock->opt field and
after talking to a coworker here it sounds like it would do the right
thing.  I'll work on a patch to label PF_INET6 sockets as well, but like
you said earlier, I don't think it should hold up this patchset.

-- 
paul moore
linux security @ hp
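
The dual-stack case Paul describes (sshd listening on :::22 and seeing its IPv4 client as ::ffff:127.0.0.1) together with the family/protocol test James quotes, as an added user-space example that is not part of the thread or the kernel; the `_model` names, the port and the local `ETH_P_IP` define (copying the kernel's value) are this example's own assumptions.

```c
/*
 * Added example, not code from this thread or the kernel: a user-space model
 * of the socket-family question above.  nlbl_init_as_posted() is the rule from
 * PATCH 1/6 (only PF_INET gets NLBL_REQUIRE); carries_ipv4_model() is the
 * per-packet test James quoted; main() reproduces Paul's sshd case on loopback
 * (PF_INET6 listener, PF_INET client seen as ::ffff:127.0.0.1).  The _model
 * names and the port are this example's own; ETH_P_IP copies the kernel value.
 */

#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define ETH_P_IP 0x0800	/* IPv4 ethertype, same value as <linux/if_ether.h> */

enum nlbl_state_model { NLBL_UNSET_MODEL, NLBL_REQUIRE_MODEL };

/* The rule as posted in PATCH 1/6: only a PF_INET socket needs a label. */
enum nlbl_state_model nlbl_init_as_posted(int family)
{
	return family == PF_INET ? NLBL_REQUIRE_MODEL : NLBL_UNSET_MODEL;
}

/* Per-packet view after the test James quoted: a PF_INET6 socket may carry
 * IPv4.  skb_protocol is the ethertype in host order here (the kernel
 * compares skb->protocol against ntohs(ETH_P_IP)). */
int carries_ipv4_model(int family, uint16_t skb_protocol)
{
	if (family == PF_INET)
		return 1;
	return family == PF_INET6 && skb_protocol == ETH_P_IP;
}

/* 1 if an IPv6 literal is an IPv4-mapped peer (::ffff:a.b.c.d), 0 if not,
 * -1 if the text is not an IPv6 literal at all (e.g. a plain IPv4 peer). */
int v4mapped_from_text_model(const char *text)
{
	struct in6_addr a;

	if (inet_pton(AF_INET6, text, &a) != 1)
		return -1;
	return IN6_IS_ADDR_V4MAPPED(&a) ? 1 : 0;
}

/* Dual-stack PF_INET6 listener on [::]:port, like sshd's :::22; fd or -1. */
static int listen_dual_stack_model(uint16_t port)
{
	struct sockaddr_in6 a6 = { .sin6_family = AF_INET6, .sin6_addr = IN6ADDR_ANY_INIT,
				   .sin6_port = htons(port) };
	int fd = socket(PF_INET6, SOCK_STREAM, 0), on = 1, off = 0;

	if (fd < 0)
		return -1;
	setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
	/* IPV6_V6ONLY=0 is what lets an IPv6 listener take IPv4 clients. */
	setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof(off));
	if (bind(fd, (struct sockaddr *)&a6, sizeof(a6)) < 0 || listen(fd, 1) < 0) {
		close(fd);
		return -1;
	}
	return fd;
}

int main(void)
{
	const uint16_t port = 30222;	/* constructed, unprivileged port */
	int lfd = listen_dual_stack_model(port), afd;
	int cfd = socket(PF_INET, SOCK_STREAM, 0);
	struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_port = htons(port) };
	struct sockaddr_storage peer;
	socklen_t plen = sizeof(peer);
	char txt[INET6_ADDRSTRLEN];

	if (lfd < 0 || cfd < 0) {
		perror("socket");
		return 1;
	}
	/* A PF_INET client on loopback, as Paul's ssh client was. */
	a4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if (connect(cfd, (struct sockaddr *)&a4, sizeof(a4)) < 0 ||
	    (afd = accept(lfd, (struct sockaddr *)&peer, &plen)) < 0) {
		perror("connect/accept");
		return 1;
	}
	inet_ntop(AF_INET6, &((struct sockaddr_in6 *)&peer)->sin6_addr, txt, sizeof(txt));
	printf("PF_INET6 listener accepted peer %s (v4-mapped=%d); as posted the socket "
	       "is %s, per-packet test says IPv4=%d\n", txt, v4mapped_from_text_model(txt),
	       nlbl_init_as_posted(PF_INET6) == NLBL_REQUIRE_MODEL ? "NLBL_REQUIRE" : "NLBL_UNSET",
	       carries_ipv4_model(PF_INET6, ETH_P_IP));
	close(afd); close(cfd); close(lfd);
	return 0;
}
```

Run stand-alone it prints the accepted peer as ::ffff:127.0.0.1 with the posted rule leaving that socket NLBL_UNSET while the per-packet test still classes the traffic as IPv4, which is the gap James raised.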

* Re: [PATCH 0/6] Various NetLabel fixes and cleanups
  2006-08-29 14:42 ` paul.moore
@ 2006-08-30  0:56 ` David Miller
  2006-08-30 13:18     ` Paul Moore
  -1 siblings, 1 reply; 37+ messages in thread
From: David Miller @ 2006-08-30  0:56 UTC (permalink / raw)
  To: paul.moore; +Cc: netdev, selinux, jmorris, sds, akpm

From: paul.moore@hp.com
Date: Tue, 29 Aug 2006 10:42:51 -0400

> This patchset contains a series of small patches to fix a bug and some general
> ugliness from the original author (that moron ...).  All of the following
> patches are against David's net-2.6.19 tree.
> 
> Please consider these for 2.6.19, thanks.

Applied to net-2.6.19, thanks a lot Paul.

Does the bug fix in that first patch fix the ssh problem?


* Re: [PATCH 0/6] Various NetLabel fixes and cleanups
  2006-08-30  0:56 ` [PATCH 0/6] Various NetLabel fixes and cleanups David Miller
@ 2006-08-30 13:18     ` Paul Moore
  0 siblings, 0 replies; 37+ messages in thread
From: Paul Moore @ 2006-08-30 13:18 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, selinux, jmorris, sds, akpm

David Miller wrote:
> From: paul.moore@hp.com
> Date: Tue, 29 Aug 2006 10:42:51 -0400
> 
> 
>>This patchset contains a series of small patches to fix a bug and some general
>>ugliness from the original author (that moron ...).  All of the following
>>patches are against David's net-2.6.19 tree.
>>
>>Please consider these for 2.6.19, thanks.
> 
> Applied to net-2.6.19, thanks a lot Paul.

No problem.

> Does the bug fix in that first patch fix the ssh problem?

As far as the kernel is concerned, yes.  There was a problem in the
kernel of the sk_security_struct->sclass variable not being initialized
correctly, which the posted patch fixes, as well as a problem with the ssh
daemon rejecting all connections with IP options.  Looking at the ssh
code it appears that they wanted to reject source routed connections, but
they were a bit heavy-handed and simply rejected connections if any
options were present.

There is more information in this Fedora Bugzilla:

 * https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202856

-- 
paul moore
linux security @ hp

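An added illustration of the distinction Paul draws above, not code from the thread, from OpenSSH or from the kernel: a small IPv4 option walker that lets a daemon refuse source-routed connections while still accepting ones that carry a CIPSO label. The option codes are the IANA-assigned values; the two sample option areas are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* IANA-assigned IPv4 option codes (copy flag included). */
#define IPOPT_EOL   0    /* end of option list */
#define IPOPT_NOP   1    /* padding */
#define IPOPT_LSRR  131  /* loose source and record route */
#define IPOPT_CIPSO 134  /* Commercial IP Security Option (the CIPSO label) */
#define IPOPT_SSRR  137  /* strict source and record route */

/* malformed: a length field was < 2 or ran past the end of the buffer */
struct ipopt_summary { bool malformed, source_route, cipso; };

/* Walk the TLV option area as a receiver sees it (e.g. via IP_OPTIONS).
 * Every option other than EOL/NOP is code, length, data; a bad length
 * stops the walk and flags the buffer instead of reading past it. */
struct ipopt_summary ipopt_classify(const uint8_t *opts, size_t len)
{
    struct ipopt_summary s = {0};
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i];
        if (code == IPOPT_EOL)
            break;
        if (code == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= len || opts[i + 1] < 2 || i + opts[i + 1] > len)
            return (struct ipopt_summary){ .malformed = true };
        if (code == IPOPT_LSRR || code == IPOPT_SSRR)
            s.source_route = true;
        else if (code == IPOPT_CIPSO)
            s.cipso = true;
        i += opts[i + 1];
    }
    return s;
}

/* Heavy-handed policy from the thread: any option present means reject, so a
 * CIPSO-labeled connection is refused along with source-routed ones.  The
 * intended policy refuses only source routing (and malformed options). */
bool reject_any_options(size_t optlen) { return optlen > 0; }
bool reject_source_routed(const uint8_t *opts, size_t len)
{
    struct ipopt_summary s = ipopt_classify(opts, len);
    return s.malformed || s.source_route;
}

/* Constructed samples (not captured traffic), EOL-padded to a 4-byte multiple:
 * a CIPSO label (DOI 1, tag type 1, level 5) and a one-hop LSRR to 10.0.0.1. */
const uint8_t SAMPLE_CIPSO[12] = { IPOPT_CIPSO, 10, 0, 0, 0, 1, 1, 4, 0, 5, 0, 0 };
const uint8_t SAMPLE_LSRR[8]   = { IPOPT_LSRR, 7, 4, 10, 0, 0, 1, 0 };
```

With the option area read from the accepted socket, reject_any_options() refuses the labeled connection while reject_source_routed() admits it and still refuses the LSRR one.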

