    netlabel: Label incoming TCP connections correctly in SELinux · 389fb800
    Committed by Paul Moore
    The current NetLabel/SELinux behavior for incoming TCP connections works but
    only through a series of happy coincidences that rely on the limited nature of
    standard CIPSO (only able to convey MLS attributes) and the write equality
    imposed by the SELinux MLS constraints.  The problem is that network sockets
    created as the result of an incoming TCP connection were not on-the-wire
    labeled based on the security attributes of the parent socket but rather based
    on the wire label of the remote peer.  The issue had to do with how IP options
    were managed as part of the network stack and where the LSM hooks were in
    relation to the code which set the IP options on these newly created child
    sockets.  While NetLabel/SELinux did correctly set the socket's on-the-wire
    label it was promptly cleared by the network stack and reset based on the IP
    options of the remote peer.
    
    This patch, in conjunction with a prior patch that adjusted the LSM hook
    locations, works to set the correct on-the-wire label format for new incoming
    connections through the security_inet_conn_request() hook.  Besides the
    correct behavior there are many advantages to this change, the most significant
    being that all of the NetLabel socket labeling code in SELinux now lives in hooks
    which can return error codes to the core stack, which allows us to finally get
    rid of the selinux_netlbl_inode_permission() logic which greatly simplifies
    the NetLabel/SELinux glue code.  In the process of developing this patch I
    also ran into a small handful of AF_INET6 cleanliness issues that have been
    fixed which should make the code safer and easier to extend in the future.
    Signed-off-by: Paul Moore <paul.moore@hp.com>
    Acked-by: Casey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: James Morris <jmorris@namei.org>
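For IPv4 the "on-the-wire label" the commit message refers to is the CIPSO IP option (option type 134) carrying a DOI, a sensitivity level and a category set. The following decoder is an added example, not part of this commit or of the kernel's NetLabel code; it walks a raw IPv4 options field (constructed sample bytes below) so the label a peer actually sent, or that a newly accepted child socket actually emits, can be checked from a packet capture.

```python
"""Decode the CIPSO IPv4 option that carries an MLS label on the wire."""
import struct

CIPSO_OPT_TYPE = 134  # IANA IPv4 option number assigned to CIPSO


def parse_cipso(options: bytes) -> dict:
    """Walk an IPv4 options area; return the decoded CIPSO label or raise ValueError."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List: rest is padding
            break
        if kind == 1:            # No-Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if kind == CIPSO_OPT_TYPE:
            return _decode_cipso(options[i + 2:i + length])
        i += length
    raise ValueError("no CIPSO option present")


def _decode_cipso(body: bytes) -> dict:
    """body = 4-byte DOI followed by one or more tags (type, length, align, level, data)."""
    if len(body) < 4:
        raise ValueError("CIPSO body shorter than DOI")
    doi = struct.unpack("!I", body[:4])[0]
    tags, j = [], 4
    while j < len(body):
        if j + 2 > len(body):
            raise ValueError("truncated tag header")
        ttype, tlen = body[j], body[j + 1]
        if tlen < 4 or j + tlen > len(body):
            raise ValueError("bad tag length")
        level = body[j + 3]                  # byte j+2 is the alignment octet
        data = body[j + 4:j + tlen]
        if ttype == 1:    # bitmapped categories: MSB-first, bit n set => category n
            cats = [8 * k + b for k, byte in enumerate(data) for b in range(8) if byte & (0x80 >> b)]
        elif ttype == 2:  # enumerated categories: list of 16-bit category numbers
            cats = list(struct.unpack("!%dH" % (len(data) // 2), data))
        else:
            raise ValueError("unsupported CIPSO tag type %d" % ttype)
        tags.append({"type": ttype, "level": level, "categories": cats})
        j += tlen
    return {"doi": doi, "tags": tags}


# Constructed sample: NOP, then CIPSO with DOI 3, bitmapped tag, level 2, categories {0, 5, 9}, EOL padding.
SAMPLE_OPTIONS = bytes([1, 134, 12, 0, 0, 0, 3, 1, 6, 0, 2, 0b10000100, 0b01000000, 0, 0, 0])
```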
hooks.c 139.7 KB