From: Casey Schaufler <casey@schaufler-ca.com>
To: jmorris@namei.org, linux-security-module@vger.kernel.org,
selinux@vger.kernel.org
Cc: keescook@chromium.org, john.johansen@canonical.com,
penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com
Subject: [PATCH 96/97] LSM: Apply Netlabel consitancy checks on send and connect
Date: Thu, 28 Feb 2019 14:43:55 -0800 [thread overview]
Message-ID: <20190228224356.2608-27-casey@schaufler-ca.com> (raw)
In-Reply-To: <20190228224356.2608-1-casey@schaufler-ca.com>
Verify that all security modules agree on the network labeling
for sendmsg and connect.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/security.c | 43 ++++++++++++++++++++++----------
security/selinux/hooks.c | 2 +-
security/smack/smack_netfilter.c | 5 ++--
3 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/security/security.c b/security/security.c
index 3c1d2f47b09f..dfee44ee4d19 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2355,7 +2355,13 @@ int security_socket_bind(struct socket *sock, struct sockaddr *address, int addr
int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
- return call_int_hook(socket_connect, 0, sock, address, addrlen);
+ int rc;
+
+ rc = call_int_hook(socket_connect, 0, sock, address, addrlen);
+ if (rc)
+ return rc;
+
+ return security_reconcile_netlbl(sock->sk);
}
int security_socket_listen(struct socket *sock, int backlog)
@@ -2370,6 +2376,12 @@ int security_socket_accept(struct socket *sock, struct socket *newsock)
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
+ int rc;
+
+ rc = security_reconcile_netlbl(sock->sk);
+ if (rc)
+ return rc;
+
return call_int_hook(socket_sendmsg, 0, sock, msg, size);
}
@@ -2788,28 +2800,33 @@ int security_reconcile_netlbl(struct sock *sk)
int this_set = 0;
struct security_hook_list *hp;
+ if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
+ return 0;
+
hlist_for_each_entry(hp, &security_hook_heads.socket_netlbl_secattr,
list) {
hp->hook.socket_netlbl_secattr(sk, &this, &this_set);
+ /*
+ * If the NLTYPE has been deferred it's not
+ * possible to decide now. A decision will be made
+ * later.
+ */
+ if (this_set == NETLBL_NLTYPE_ADDRSELECT)
+ return 0;
if (this_set == 0 || this == NULL)
continue;
if (prev != NULL) {
- /*
- * Both unlabeled is easily acceptable.
- */
- if (prev_set == NETLBL_NLTYPE_UNLABELED &&
- this_set == NETLBL_NLTYPE_UNLABELED)
- continue;
/*
* The nltype being different means that
- * the secattrs aren't comparible. Except
- * that ADDRSELECT means that couldn't know
- * when the socket was created.
+ * the secattrs aren't comparible.
*/
- if (prev_set != this_set &&
- prev_set != NETLBL_NLTYPE_ADDRSELECT &&
- this_set != NETLBL_NLTYPE_ADDRSELECT)
+ if (prev_set != this_set)
return -EACCES;
+ /*
+ * Both unlabeled is easily acceptable.
+ */
+ if (this_set == NETLBL_NLTYPE_UNLABELED)
+ continue;
/*
* Count on the Netlabel system's judgement.
*/
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4a8996b7b477..c924b454246b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5400,7 +5400,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
sid = SECINITSID_KERNEL;
if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
return NF_DROP;
- /* verify that this IP option works with other security modules */
+
if (sk && security_reconcile_netlbl(sk))
return NF_DROP;
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index 55cc38ae07f5..de4145c2cdd5 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -88,9 +88,10 @@ static unsigned int smack_ipv4_output(void *priv,
if (rc < 0)
return NF_DROP;
ssp->smk_set = rc;
+ rc = security_reconcile_netlbl(sk);
+ if (rc < 0)
+ return NF_DROP;
}
- if (security_reconcile_netlbl(sk))
- return NF_DROP;
return NF_ACCEPT;
}
--
2.17.0
next prev parent reply other threads:[~2019-02-28 22:44 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-28 22:43 [PATCH 00/97] LSM: Complete module stacking Casey Schaufler
2019-02-28 22:43 ` [PATCH 71/97] LSM: Add secmark refcounting to call_one list Casey Schaufler
2019-02-28 22:43 ` [PATCH 72/97] LSM: Add secmark refcounting to call_one list - part 2 Casey Schaufler
2019-02-28 22:43 ` [PATCH 73/97] LSM: refactor security_setprocattr Casey Schaufler
2019-02-28 22:43 ` [PATCH 74/97] Smack: Detect if secmarks can be safely used Casey Schaufler
2019-02-28 22:43 ` [PATCH 75/97] LSM: Support multiple LSMs using inode_init_security Casey Schaufler
2019-02-28 22:43 ` [PATCH 76/97] LSM: Use full security context in security_inode_setsecctx Casey Schaufler
2019-02-28 22:43 ` [PATCH 77/97] LSM: Correct handling of ENOSYS in inode_setxattr Casey Schaufler
2019-02-28 22:43 ` [PATCH 78/97] LSM: Infrastructure security blobs for mount options Casey Schaufler
2019-02-28 22:43 ` [PATCH 79/97] LSM: Fix for security_init_inode_security Casey Schaufler
2019-02-28 22:43 ` [PATCH 80/97] Smack: Advertise the secid to netlabel Casey Schaufler
2019-02-28 22:43 ` [PATCH 81/97] LSM: Change error detection for UDP peer security Casey Schaufler
2019-02-28 22:43 ` [PATCH 82/97] Smack: Fix setting of the CIPSO MLS_CAT flags Casey Schaufler
2019-02-28 22:43 ` [PATCH 83/97] Smack: Set netlabel flags properly on new label import Casey Schaufler
2019-02-28 22:43 ` [PATCH 84/97] Netlabel: Add a secattr comparison API function Casey Schaufler
2019-02-28 22:43 ` [PATCH 85/97] Smack: Let netlabel do the work on the ambient domain Casey Schaufler
2019-02-28 22:43 ` [PATCH 86/97] Smack: Don't set the socket label on each send Casey Schaufler
2019-02-28 22:43 ` [PATCH 87/97] Smack: Let netlabel do the work on connections Casey Schaufler
2019-02-28 22:43 ` [PATCH 88/97] Netlabel: Return the labeling type on socket Casey Schaufler
2019-02-28 22:43 ` [PATCH 89/97] " Casey Schaufler
2019-02-28 22:43 ` [PATCH 90/97] " Casey Schaufler
2019-02-28 22:43 ` [PATCH 91/97] " Casey Schaufler
2019-02-28 22:43 ` [PATCH 92/97] LSM: Remember the NLTYPE of netlabel sockets Casey Schaufler
2019-02-28 22:43 ` [PATCH 93/97] Smack: Use the NLTYPE on output Casey Schaufler
2019-02-28 22:43 ` [PATCH 94/97] LSM: Hook for netlabel reconciliation Casey Schaufler
2019-02-28 22:43 ` [PATCH 95/97] LSM: Avoid network conflicts in SELinux and Smack Casey Schaufler
2019-02-28 22:43 ` Casey Schaufler [this message]
2019-02-28 22:43 ` [PATCH 97/97] Smack: Remove the exclusive bit Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190228224356.2608-27-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).