From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
paul@paul-moore.com, sds@tycho.nsa.gov
Subject: [PATCH v7 15/16] LSM: Avoid network conflicts in SELinux and Smack
Date: Wed, 7 Aug 2019 15:42:44 -0700 [thread overview]
Message-ID: <20190807224245.10798-17-casey@schaufler-ca.com> (raw)
In-Reply-To: <20190807224245.10798-1-casey@schaufler-ca.com>
Add calls to security_reconcile_netlbl() in SELinux and
Smack to ensure that only packets that are acceptable to
all active security modules get sent. Verify that all
security modules agree on the network labeling for sendmsg
and connect.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/security.c | 43 ++++++++++++++++++++++----------
security/selinux/hooks.c | 3 +++
security/smack/smack_netfilter.c | 8 ++++--
3 files changed, 39 insertions(+), 15 deletions(-)
diff --git a/security/security.c b/security/security.c
index bfe40c11f5bf..4897c68cdb71 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2496,7 +2496,13 @@ int security_socket_bind(struct socket *sock, struct sockaddr *address, int addr
int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
- return call_int_hook(socket_connect, 0, sock, address, addrlen);
+ int rc;
+
+ rc = call_int_hook(socket_connect, 0, sock, address, addrlen);
+ if (rc)
+ return rc;
+
+ return security_reconcile_netlbl(sock->sk);
}
int security_socket_listen(struct socket *sock, int backlog)
@@ -2511,6 +2517,12 @@ int security_socket_accept(struct socket *sock, struct socket *newsock)
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
+ int rc;
+
+ rc = security_reconcile_netlbl(sock->sk);
+ if (rc)
+ return rc;
+
return call_int_hook(socket_sendmsg, 0, sock, msg, size);
}
@@ -3016,28 +3028,33 @@ int security_reconcile_netlbl(struct sock *sk)
int this_set = 0;
struct security_hook_list *hp;
+ if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
+ return 0;
+
hlist_for_each_entry(hp, &security_hook_heads.socket_netlbl_secattr,
list) {
hp->hook.socket_netlbl_secattr(sk, &this, &this_set);
+ /*
+ * If the NLTYPE has been deferred it's not
+ * possible to decide now. A decision will be made
+ * later.
+ */
+ if (this_set == NETLBL_NLTYPE_ADDRSELECT)
+ return 0;
if (this_set == 0 || this == NULL)
continue;
if (prev != NULL) {
- /*
- * Both unlabeled is easily acceptable.
- */
- if (prev_set == NETLBL_NLTYPE_UNLABELED &&
- this_set == NETLBL_NLTYPE_UNLABELED)
- continue;
/*
* The nltype being different means that
- * the secattrs aren't comparible. Except
- * that ADDRSELECT means that couldn't know
- * when the socket was created.
+ * the secattrs aren't comparible.
*/
- if (prev_set != this_set &&
- prev_set != NETLBL_NLTYPE_ADDRSELECT &&
- this_set != NETLBL_NLTYPE_ADDRSELECT)
+ if (prev_set != this_set)
return -EACCES;
+ /*
+ * Both unlabeled is easily acceptable.
+ */
+ if (this_set == NETLBL_NLTYPE_UNLABELED)
+ continue;
/*
* Count on the Netlabel system's judgement.
*/
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 48468a4b478c..293350b672a8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5522,6 +5522,9 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
return NF_DROP;
+ if (sk && security_reconcile_netlbl(sk))
+ return NF_DROP;
+
return NF_ACCEPT;
}
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index 7b9c8d5d8408..92aeffbbb27c 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -75,7 +75,7 @@ static unsigned int smack_ipv4_output(void *priv,
const struct nf_hook_state *state)
{
struct sock *sk = skb_to_full_sk(skb);
- struct socket_smack *ssp;
+ struct socket_smack *ssp = NULL;
struct smack_known *skp;
if (!smack_checked_secmark) {
@@ -84,11 +84,15 @@ static unsigned int smack_ipv4_output(void *priv,
smack_checked_secmark = true;
}
- if (smack_use_secmark && sk && smack_sock(sk)) {
+ if (sk && smack_sock(sk))
ssp = smack_sock(sk);
+
+ if (smack_use_secmark && ssp) {
skp = ssp->smk_out;
skb->secmark = skp->smk_secid;
}
+ if (sk && security_reconcile_netlbl(sk))
+ return NF_DROP;
return NF_ACCEPT;
}
--
2.20.1
next prev parent reply other threads:[~2019-08-07 22:43 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-07 22:42 [PATCH v7 00/16] LSM: Full module stacking Casey Schaufler
2019-08-07 22:42 ` Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 01/16] LSM: Single hook called in secmark refcounting Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 02/16] Smack: Detect if secmarks can be safely used Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 03/16] LSM: Support multiple LSMs using inode_init_security Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 04/16] LSM: List multiple security attributes in security_inode_listsecurity Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 05/16] LSM: Multiple modules using security_ismaclabel Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 06/16] LSM: Make multiple MAC modules safe in nfs and kernfs Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 07/16] LSM: Correct handling of ENOSYS in inode_setxattr Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 08/16] LSM: Infrastructure security blobs for mount options Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 09/16] LSM: Fix for security_init_inode_security Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 10/16] LSM: Change error detection for UDP peer security Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 11/16] Netlabel: Add a secattr comparison API function Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 12/16] Netlabel: Provide labeling type to security modules Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 13/16] LSM: Remember the NLTYPE of netlabel sockets Casey Schaufler
2019-08-07 22:42 ` [PATCH v7 14/16] LSM: Hook for netlabel reconciliation Casey Schaufler
2019-08-07 22:42 ` Casey Schaufler [this message]
2019-08-07 22:42 ` [PATCH v7 16/16] Smack: Remove the exclusive flag Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190807224245.10798-17-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=casey.schaufler@intel.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.