1. 30 1月, 2008 5 次提交
  2. 25 1月, 2008 1 次提交
    • E
      Security: add get, set, and cloning of superblock security information · c9180a57
      Eric Paris 提交于
      Adds security_get_sb_mnt_opts, security_set_sb_mnt_opts, and
      security_clont_sb_mnt_opts to the LSM and to SELinux.  This will allow
      filesystems to directly own and control all of their mount options if they
      so choose.  This interface deals only with option identifiers and strings so
      it should generic enough for any LSM which may come in the future.
      
      Filesystems which pass text mount data around in the kernel (almost all of
      them) need not currently make use of this interface when dealing with
      SELinux since it will still parse those strings as it always has.  I assume
      future LSM's would do the same.  NFS is the primary FS which does not use
      text mount data and thus must make use of this interface.
      
      An LSM would need to implement these functions only if they had mount time
      options, such as selinux has context= or fscontext=.  If the LSM has no
      mount time options they could simply not implement and let the dummy ops
      take care of things.
      
      An LSM other than SELinux would need to define new option numbers in
      security.h and any FS which decides to own there own security options would
      need to be patched to use this new interface for every possible LSM.  This
      is because it was stated to me very clearly that LSM's should not attempt to
      understand FS mount data and the burdon to understand security should be in
      the FS which owns the options.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NStephen D. Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c9180a57
  3. 17 10月, 2007 2 次提交
  4. 12 7月, 2007 4 次提交
  5. 26 4月, 2007 5 次提交
  6. 27 1月, 2007 1 次提交
  7. 05 12月, 2006 1 次提交
  8. 03 12月, 2006 7 次提交
    • J
      Compile fix for "peer secid consolidation for external network labeling" · bb22f580
      James Morris 提交于
      Use a forward declaration instead of dragging in skbuff.h and
      related junk.
      Signed-off-by: NJames Morris <jmorris@namei.org>
      bb22f580
    • P
      SELinux: peer secid consolidation for external network labeling · 3de4bab5
      Paul Moore 提交于
      Now that labeled IPsec makes use of the peer_sid field in the
      sk_security_struct we can remove a lot of the special cases between labeled
      IPsec and NetLabel.  In addition, create a new function,
      security_skb_extlbl_sid(), which we can use in several places to get the
      security context of the packet's external label which allows us to further
      simplify the code in a few places.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      3de4bab5
    • P
      NetLabel: SELinux cleanups · 9f2ad665
      Paul Moore 提交于
      This patch does a lot of cleanup in the SELinux NetLabel support code.  A
      summary of the changes include:
      
      * Use RCU locking for the NetLabel state variable in the skk_security_struct
        instead of using the inode_security_struct mutex.
      * Remove unnecessary parameters in selinux_netlbl_socket_post_create().
      * Rename selinux_netlbl_sk_clone_security() to
        selinux_netlbl_sk_security_clone() to better fit the other NetLabel
        sk_security functions.
      * Improvements to selinux_netlbl_inode_permission() to help reduce the cost of
        the common case.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      9f2ad665
    • J
      [SELinux]: Add support for DCCP · 2ee92d46
      James Morris 提交于
      This patch implements SELinux kernel support for DCCP
      (http://linux-net.osdl.org/index.php/DCCP), which is similar in
      operation to TCP in terms of connected state between peers.
      
      The SELinux support for DCCP is thus modeled on existing handling of
      TCP.
      
      A new DCCP socket class is introduced, to allow protocol
      differentation.  The permissions for this class inherit all of the
      socket permissions, as well as the current TCP permissions (node_bind,
      name_bind etc). IPv4 and IPv6 are supported, although labeled
      networking is not, at this stage.
      
      Patches for SELinux userspace are at:
      http://people.redhat.com/jmorris/selinux/dccp/user/
      
      I've performed some basic testing, and it seems to be working as
      expected.  Adding policy support is similar to TCP, the only real
      difference being that it's a different protocol.
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2ee92d46
    • V
      SELinux: Fix SA selection semantics · 67f83cbf
      Venkat Yekkirala 提交于
      Fix the selection of an SA for an outgoing packet to be at the same
      context as the originating socket/flow. This eliminates the SELinux
      policy's ability to use/sendto SAs with contexts other than the socket's.
      
      With this patch applied, the SELinux policy will require one or more of the
      following for a socket to be able to communicate with/without SAs:
      
      1. To enable a socket to communicate without using labeled-IPSec SAs:
      
      allow socket_t unlabeled_t:association { sendto recvfrom }
      
      2. To enable a socket to communicate with labeled-IPSec SAs:
      
      allow socket_t self:association { sendto };
      allow socket_t peer_sa_t:association { recvfrom };
      Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      67f83cbf
    • V
      SELinux: Return correct context for SO_PEERSEC · 6b877699
      Venkat Yekkirala 提交于
      Fix SO_PEERSEC for tcp sockets to return the security context of
      the peer (as represented by the SA from the peer) as opposed to the
      SA used by the local/source socket.
      Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      6b877699
    • V
      SELinux: Various xfrm labeling fixes · c1a856c9
      Venkat Yekkirala 提交于
      Since the upstreaming of the mlsxfrm modification a few months back,
      testing has resulted in the identification of the following issues/bugs that
      are resolved in this patch set.
      
      1. Fix the security context used in the IKE negotiation to be the context
         of the socket as opposed to the context of the SPD rule.
      
      2. Fix SO_PEERSEC for tcp sockets to return the security context of
         the peer as opposed to the source.
      
      3. Fix the selection of an SA for an outgoing packet to be at the same
         context as the originating socket/flow.
      
      The following would be the result of applying this patchset:
      
      - SO_PEERSEC will now correctly return the peer's context.
      
      - IKE deamons will receive the context of the source socket/flow
        as opposed to the SPD rule's context so that the negotiated SA
        will be at the same context as the source socket/flow.
      
      - The SELinux policy will require one or more of the
        following for a socket to be able to communicate with/without SAs:
      
        1. To enable a socket to communicate without using labeled-IPSec SAs:
      
           allow socket_t unlabeled_t:association { sendto recvfrom }
      
        2. To enable a socket to communicate with labeled-IPSec SAs:
      
           allow socket_t self:association { sendto };
           allow socket_t peer_sa_t:association { recvfrom };
      
      This Patch: Pass correct security context to IKE for use in negotiation
      
      Fix the security context passed to IKE for use in negotiation to be the
      context of the socket as opposed to the context of the SPD rule so that
      the SA carries the label of the originating socket/flow.
      Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c1a856c9
  9. 29 11月, 2006 1 次提交
  10. 31 10月, 2006 1 次提交
    • P
      [NetLabel]: protect the CIPSOv4 socket option from setsockopt() · f8687afe
      Paul Moore 提交于
      This patch makes two changes to protect applications from either removing or
      tampering with the CIPSOv4 IP option on a socket.  The first is the requirement
      that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
      on a socket; this prevents untrusted applications from setting their own
      CIPSOv4 security attributes on the packets they send.  The second change is to
      SELinux and it prevents applications from setting any IPv4 options when there
      is an IPOPT_CIPSO option already present on the socket; this prevents
      applications from removing CIPSOv4 security attributes from the packets they
      send.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f8687afe
  11. 12 10月, 2006 1 次提交
    • V
      IPsec: correct semantics for SELinux policy matching · 5b368e61
      Venkat Yekkirala 提交于
      Currently when an IPSec policy rule doesn't specify a security
      context, it is assumed to be "unlabeled" by SELinux, and so
      the IPSec policy rule fails to match to a flow that it would
      otherwise match to, unless one has explicitly added an SELinux
      policy rule allowing the flow to "polmatch" to the "unlabeled"
      IPSec policy rules. In the absence of such an explicitly added
      SELinux policy rule, the IPSec policy rule fails to match and
      so the packet(s) flow in clear text without the otherwise applicable
      xfrm(s) applied.
      
      The above SELinux behavior violates the SELinux security notion of
      "deny by default" which should actually translate to "encrypt by
      default" in the above case.
      
      This was first reported by Evgeniy Polyakov and the way James Morris
      was seeing the problem was when connecting via IPsec to a
      confined service on an SELinux box (vsftpd), which did not have the
      appropriate SELinux policy permissions to send packets via IPsec.
      
      With this patch applied, SELinux "polmatching" of flows Vs. IPSec
      policy rules will only come into play when there's a explicit context
      specified for the IPSec policy rule (which also means there's corresponding
      SELinux policy allowing appropriate domains/flows to polmatch to this context).
      
      Secondly, when a security module is loaded (in this case, SELinux), the
      security_xfrm_policy_lookup() hook can return errors other than access denied,
      such as -EINVAL.  We were not handling that correctly, and in fact
      inverting the return logic and propagating a false "ok" back up to
      xfrm_lookup(), which then allowed packets to pass as if they were not
      associated with an xfrm policy.
      
      The solution for this is to first ensure that errno values are
      correctly propagated all the way back up through the various call chains
      from security_xfrm_policy_lookup(), and handled correctly.
      
      Then, flow_cache_lookup() is modified, so that if the policy resolver
      fails (typically a permission denied via the security module), the flow
      cache entry is killed rather than having a null policy assigned (which
      indicates that the packet can pass freely).  This also forces any future
      lookups for the same flow to consult the security module (e.g. SELinux)
      for current security policy (rather than, say, caching the error on the
      flow cache entry).
      
      This patch: Fix the selinux side of things.
      
      This makes sure SELinux polmatching of flow contexts to IPSec policy
      rules comes into play only when an explicit context is associated
      with the IPSec policy rule.
      
      Also, this no longer defaults the context of a socket policy to
      the context of the socket since the "no explicit context" case
      is now handled properly.
      Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      5b368e61
  12. 26 9月, 2006 4 次提交
  13. 23 9月, 2006 7 次提交