netlabel.c 13.3 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11
/*
 * SELinux NetLabel Support
 *
 * This file provides the necessary glue to tie NetLabel into the SELinux
 * subsystem.
 *
 * Author: Paul Moore <paul.moore@hp.com>
 *
 */

/*
12
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2007, 2008
13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
 *
 * This program is free software;  you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY;  without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program;  if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 */

#include <linux/spinlock.h>
#include <linux/rcupdate.h>
32 33
#include <linux/ip.h>
#include <linux/ipv6.h>
34 35
#include <net/sock.h>
#include <net/netlabel.h>
36 37
#include <net/ip.h>
#include <net/ipv6.h>
38 39 40

#include "objsec.h"
#include "security.h"
41
#include "netlabel.h"
42

43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69
/**
 * selinux_netlbl_sidlookup_cached - Cache a SID lookup
 * @skb: the packet
 * @secattr: the NetLabel security attributes
 * @sid: the SID
 *
 * Description:
 * Query the SELinux security server to lookup the correct SID for the given
 * security attributes.  If the query is successful, cache the result to speed
 * up future lookups.  Returns zero on success, negative values on failure.
 *
 */
static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
					   struct netlbl_lsm_secattr *secattr,
					   u32 *sid)
{
	int rc;

	rc = security_netlbl_secattr_to_sid(secattr, sid);
	if (rc == 0 &&
	    (secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
	    (secattr->flags & NETLBL_SECATTR_CACHE))
		netlbl_cache_add(skb, secattr);

	return rc;
}

70
/**
71 72
 * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
 * @sk: the socket to label
73 74
 *
 * Description:
75 76
 * Attempt to label a socket using the NetLabel mechanism.  Returns zero values
 * on success, negative values on failure.
77 78
 *
 */
79
static int selinux_netlbl_sock_setsid(struct sock *sk)
80 81
{
	int rc;
82
	struct sk_security_struct *sksec = sk->sk_security;
83 84
	struct netlbl_lsm_secattr secattr;

85 86 87
	if (sksec->nlbl_state != NLBL_REQUIRE)
		return 0;

88 89
	netlbl_secattr_init(&secattr);

90
	rc = security_netlbl_sid_to_secattr(sksec->sid, &secattr);
91
	if (rc != 0)
92
		goto sock_setsid_return;
93
	rc = netlbl_sock_setattr(sk, &secattr);
94 95
	switch (rc) {
	case 0:
96
		sksec->nlbl_state = NLBL_LABELED;
97 98 99 100 101 102
		break;
	case -EDESTADDRREQ:
		sksec->nlbl_state = NLBL_REQSKB;
		rc = 0;
		break;
	}
103

104 105
sock_setsid_return:
	netlbl_secattr_destroy(&secattr);
106 107 108 109 110 111 112 113 114 115 116 117 118 119 120
	return rc;
}

/**
 * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
 *
 * Description:
 * Invalidate the NetLabel security attribute mapping cache.
 *
 */
void selinux_netlbl_cache_invalidate(void)
{
	netlbl_cache_invalidate();
}

121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138
/**
 * selinux_netlbl_err - Handle a NetLabel packet error
 * @skb: the packet
 * @error: the error code
 * @gateway: true if host is acting as a gateway, false otherwise
 *
 * Description:
 * When a packet is dropped due to a call to avc_has_perm() pass the error
 * code to the NetLabel subsystem so any protocol specific processing can be
 * done.  This is safe to call even if you are unsure if NetLabel labeling is
 * present on the packet, NetLabel is smart enough to only act when it should.
 *
 */
void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway)
{
	netlbl_skbuff_err(skb, error, gateway);
}

139 140 141 142 143 144 145 146 147 148 149 150 151
/**
 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
 * @ssec: the sk_security_struct
 * @family: the socket family
 *
 * Description:
 * Called when the NetLabel state of a sk_security_struct needs to be reset.
 * The caller is responsibile for all the NetLabel sk_security_struct locking.
 *
 */
void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
				      int family)
{
152
	if (family == PF_INET)
153 154 155 156 157 158 159 160
		ssec->nlbl_state = NLBL_REQUIRE;
	else
		ssec->nlbl_state = NLBL_UNSET;
}

/**
 * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
 * @skb: the packet
161
 * @family: protocol family
162
 * @type: NetLabel labeling protocol type
163 164 165 166 167 168 169 170
 * @sid: the SID
 *
 * Description:
 * Call the NetLabel mechanism to get the security attributes of the given
 * packet and use those attributes to determine the correct context/SID to
 * assign to the packet.  Returns zero on success, negative values on failure.
 *
 */
171 172
int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
				 u16 family,
173
				 u32 *type,
174
				 u32 *sid)
175 176 177 178
{
	int rc;
	struct netlbl_lsm_secattr secattr;

179 180 181 182 183
	if (!netlbl_enabled()) {
		*sid = SECSID_NULL;
		return 0;
	}

184
	netlbl_secattr_init(&secattr);
185
	rc = netlbl_skbuff_getattr(skb, family, &secattr);
186 187 188
	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
		rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid);
	else
189
		*sid = SECSID_NULL;
190
	*type = secattr.type;
191 192 193 194 195
	netlbl_secattr_destroy(&secattr);

	return rc;
}

196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234
/**
 * selinux_netlbl_skbuff_setsid - Set the NetLabel on a packet given a sid
 * @skb: the packet
 * @family: protocol family
 * @sid: the SID
 *
 * Description
 * Call the NetLabel mechanism to set the label of a packet using @sid.
 * Returns zero on auccess, negative values on failure.
 *
 */
int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
				 u16 family,
				 u32 sid)
{
	int rc;
	struct netlbl_lsm_secattr secattr;
	struct sock *sk;

	/* if this is a locally generated packet check to see if it is already
	 * being labeled by it's parent socket, if it is just exit */
	sk = skb->sk;
	if (sk != NULL) {
		struct sk_security_struct *sksec = sk->sk_security;
		if (sksec->nlbl_state != NLBL_REQSKB)
			return 0;
	}

	netlbl_secattr_init(&secattr);
	rc = security_netlbl_sid_to_secattr(sid, &secattr);
	if (rc != 0)
		goto skbuff_setsid_return;
	rc = netlbl_skbuff_setattr(skb, family, &secattr);

skbuff_setsid_return:
	netlbl_secattr_destroy(&secattr);
	return rc;
}

235
/**
236
 * selinux_netlbl_inet_conn_established - Netlabel the newly accepted connection
237 238 239
 * @sk: the new connection
 *
 * Description:
240 241
 * A new connection has been established on @sk so make sure it is labeled
 * correctly with the NetLabel susbsystem.
242 243
 *
 */
244
void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family)
245
{
246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306
	int rc;
	struct sk_security_struct *sksec = sk->sk_security;
	struct netlbl_lsm_secattr secattr;
	struct inet_sock *sk_inet = inet_sk(sk);
	struct sockaddr_in addr;

	if (sksec->nlbl_state != NLBL_REQUIRE)
		return;

	netlbl_secattr_init(&secattr);
	if (security_netlbl_sid_to_secattr(sksec->sid, &secattr) != 0)
		goto inet_conn_established_return;

	rc = netlbl_sock_setattr(sk, &secattr);
	switch (rc) {
	case 0:
		sksec->nlbl_state = NLBL_LABELED;
		break;
	case -EDESTADDRREQ:
		/* no PF_INET6 support yet because we don't support any IPv6
		 * labeling protocols */
		if (family != PF_INET) {
			sksec->nlbl_state = NLBL_UNSET;
			goto inet_conn_established_return;
		}

		addr.sin_family = family;
		addr.sin_addr.s_addr = sk_inet->daddr;
		if (netlbl_conn_setattr(sk, (struct sockaddr *)&addr,
					&secattr) != 0) {
			/* we failed to label the connected socket (could be
			 * for a variety of reasons, the actual "why" isn't
			 * important here) so we have to go to our backup plan,
			 * labeling the packets individually in the netfilter
			 * local output hook.  this is okay but we need to
			 * adjust the MSS of the connection to take into
			 * account any labeling overhead, since we don't know
			 * the exact overhead at this point we'll use the worst
			 * case value which is 40 bytes for IPv4 */
			struct inet_connection_sock *sk_conn = inet_csk(sk);
			sk_conn->icsk_ext_hdr_len += 40 -
				      (sk_inet->opt ? sk_inet->opt->optlen : 0);
			sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);

			sksec->nlbl_state = NLBL_REQSKB;
		} else
			sksec->nlbl_state = NLBL_CONNLABELED;
		break;
	default:
		/* note that we are failing to label the socket which could be
		 * a bad thing since it means traffic could leave the system
		 * without the desired labeling, however, all is not lost as
		 * we have a check in selinux_netlbl_inode_permission() to
		 * pick up the pieces that we might drop here because we can't
		 * return an error code */
		break;
	}

inet_conn_established_return:
	netlbl_secattr_destroy(&secattr);
	return;
307 308 309 310 311 312 313 314 315 316 317 318 319
}

/**
 * selinux_netlbl_socket_post_create - Label a socket using NetLabel
 * @sock: the socket to label
 *
 * Description:
 * Attempt to label a socket using the NetLabel mechanism using the given
 * SID.  Returns zero values on success, negative values on failure.
 *
 */
int selinux_netlbl_socket_post_create(struct socket *sock)
{
320
	return selinux_netlbl_sock_setsid(sock->sk);
321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337
}

/**
 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
 * @inode: the file descriptor's inode
 * @mask: the permission mask
 *
 * Description:
 * Looks at a file's inode and if it is marked as a socket protected by
 * NetLabel then verify that the socket has been labeled, if not try to label
 * the socket now with the inode's SID.  Returns zero on success, negative
 * values on failure.
 *
 */
int selinux_netlbl_inode_permission(struct inode *inode, int mask)
{
	int rc;
338
	struct sock *sk;
339
	struct socket *sock;
340
	struct sk_security_struct *sksec;
341 342 343 344

	if (!S_ISSOCK(inode->i_mode) ||
	    ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
		return 0;
345

346
	sock = SOCKET_I(inode);
347 348
	sk = sock->sk;
	sksec = sk->sk_security;
349
	if (sksec->nlbl_state != NLBL_REQUIRE)
350
		return 0;
351

352
	local_bh_disable();
353
	bh_lock_sock_nested(sk);
354
	if (likely(sksec->nlbl_state == NLBL_REQUIRE))
355
		rc = selinux_netlbl_sock_setsid(sk);
356 357
	else
		rc = 0;
358
	bh_unlock_sock(sk);
359 360 361 362 363 364 365 366 367
	local_bh_enable();

	return rc;
}

/**
 * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
 * @sksec: the sock's sk_security_struct
 * @skb: the packet
368
 * @family: protocol family
369 370 371 372 373 374 375 376 377 378
 * @ad: the audit data
 *
 * Description:
 * Fetch the NetLabel security attributes from @skb and perform an access check
 * against the receiving socket.  Returns zero on success, negative values on
 * error.
 *
 */
int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
				struct sk_buff *skb,
379
				u16 family,
380 381 382
				struct avc_audit_data *ad)
{
	int rc;
383 384 385
	u32 nlbl_sid;
	u32 perm;
	struct netlbl_lsm_secattr secattr;
386

387 388 389
	if (!netlbl_enabled())
		return 0;

390
	netlbl_secattr_init(&secattr);
391
	rc = netlbl_skbuff_getattr(skb, family, &secattr);
392 393 394
	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
		rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid);
	else
395 396
		nlbl_sid = SECINITSID_UNLABELED;
	netlbl_secattr_destroy(&secattr);
397 398
	if (rc != 0)
		return rc;
399

400 401
	switch (sksec->sclass) {
	case SECCLASS_UDP_SOCKET:
402
		perm = UDP_SOCKET__RECVFROM;
403 404
		break;
	case SECCLASS_TCP_SOCKET:
405
		perm = TCP_SOCKET__RECVFROM;
406 407
		break;
	default:
408
		perm = RAWIP_SOCKET__RECVFROM;
409 410
	}

411
	rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
412 413 414
	if (rc == 0)
		return 0;

415
	if (nlbl_sid != SECINITSID_UNLABELED)
416
		netlbl_skbuff_err(skb, rc, 0);
417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437
	return rc;
}

/**
 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
 * @sock: the socket
 * @level: the socket level or protocol
 * @optname: the socket option name
 *
 * Description:
 * Check the setsockopt() call and if the user is trying to replace the IP
 * options on a socket and a NetLabel is in place for the socket deny the
 * access; otherwise allow the access.  Returns zero when the access is
 * allowed, -EACCES when denied, and other negative values on error.
 *
 */
int selinux_netlbl_socket_setsockopt(struct socket *sock,
				     int level,
				     int optname)
{
	int rc = 0;
438 439
	struct sock *sk = sock->sk;
	struct sk_security_struct *sksec = sk->sk_security;
440 441 442
	struct netlbl_lsm_secattr secattr;

	if (level == IPPROTO_IP && optname == IP_OPTIONS &&
443 444
	    (sksec->nlbl_state == NLBL_LABELED ||
	     sksec->nlbl_state == NLBL_CONNLABELED)) {
445
		netlbl_secattr_init(&secattr);
446 447 448
		lock_sock(sk);
		rc = netlbl_sock_getattr(sk, &secattr);
		release_sock(sk);
449 450 451 452 453 454 455
		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
			rc = -EACCES;
		netlbl_secattr_destroy(&secattr);
	}

	return rc;
}
456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503

/**
 * selinux_netlbl_socket_connect - Label a client-side socket on connect
 * @sk: the socket to label
 * @addr: the destination address
 *
 * Description:
 * Attempt to label a connected socket with NetLabel using the given address.
 * Returns zero values on success, negative values on failure.
 *
 */
int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
{
	int rc;
	struct sk_security_struct *sksec = sk->sk_security;
	struct netlbl_lsm_secattr secattr;

	if (sksec->nlbl_state != NLBL_REQSKB &&
	    sksec->nlbl_state != NLBL_CONNLABELED)
		return 0;

	netlbl_secattr_init(&secattr);
	local_bh_disable();
	bh_lock_sock_nested(sk);

	/* connected sockets are allowed to disconnect when the address family
	 * is set to AF_UNSPEC, if that is what is happening we want to reset
	 * the socket */
	if (addr->sa_family == AF_UNSPEC) {
		netlbl_sock_delattr(sk);
		sksec->nlbl_state = NLBL_REQSKB;
		rc = 0;
		goto socket_connect_return;
	}
	rc = security_netlbl_sid_to_secattr(sksec->sid, &secattr);
	if (rc != 0)
		goto socket_connect_return;
	rc = netlbl_conn_setattr(sk, addr, &secattr);
	if (rc != 0)
		goto socket_connect_return;
	sksec->nlbl_state = NLBL_CONNLABELED;

socket_connect_return:
	bh_unlock_sock(sk);
	local_bh_enable();
	netlbl_secattr_destroy(&secattr);
	return rc;
}