1. 05 12月, 2006 1 次提交
  2. 03 12月, 2006 5 次提交
    • P
      SELinux: peer secid consolidation for external network labeling · 3de4bab5
      Paul Moore 提交于
      Now that labeled IPsec makes use of the peer_sid field in the
      sk_security_struct we can remove a lot of the special cases between labeled
      IPsec and NetLabel.  In addition, create a new function,
      security_skb_extlbl_sid(), which we can use in several places to get the
      security context of the packet's external label which allows us to further
      simplify the code in a few places.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      3de4bab5
    • P
      NetLabel: SELinux cleanups · 9f2ad665
      Paul Moore 提交于
      This patch does a lot of cleanup in the SELinux NetLabel support code.  A
      summary of the changes include:
      
      * Use RCU locking for the NetLabel state variable in the skk_security_struct
        instead of using the inode_security_struct mutex.
      * Remove unnecessary parameters in selinux_netlbl_socket_post_create().
      * Rename selinux_netlbl_sk_clone_security() to
        selinux_netlbl_sk_security_clone() to better fit the other NetLabel
        sk_security functions.
      * Improvements to selinux_netlbl_inode_permission() to help reduce the cost of
        the common case.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      9f2ad665
    • J
      [SELinux]: Add support for DCCP · 2ee92d46
      James Morris 提交于
      This patch implements SELinux kernel support for DCCP
      (http://linux-net.osdl.org/index.php/DCCP), which is similar in
      operation to TCP in terms of connected state between peers.
      
      The SELinux support for DCCP is thus modeled on existing handling of
      TCP.
      
      A new DCCP socket class is introduced, to allow protocol
      differentation.  The permissions for this class inherit all of the
      socket permissions, as well as the current TCP permissions (node_bind,
      name_bind etc). IPv4 and IPv6 are supported, although labeled
      networking is not, at this stage.
      
      Patches for SELinux userspace are at:
      http://people.redhat.com/jmorris/selinux/dccp/user/
      
      I've performed some basic testing, and it seems to be working as
      expected.  Adding policy support is similar to TCP, the only real
      difference being that it's a different protocol.
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2ee92d46
    • V
      SELinux: Fix SA selection semantics · 67f83cbf
      Venkat Yekkirala 提交于
      Fix the selection of an SA for an outgoing packet to be at the same
      context as the originating socket/flow. This eliminates the SELinux
      policy's ability to use/sendto SAs with contexts other than the socket's.
      
      With this patch applied, the SELinux policy will require one or more of the
      following for a socket to be able to communicate with/without SAs:
      
      1. To enable a socket to communicate without using labeled-IPSec SAs:
      
      allow socket_t unlabeled_t:association { sendto recvfrom }
      
      2. To enable a socket to communicate with labeled-IPSec SAs:
      
      allow socket_t self:association { sendto };
      allow socket_t peer_sa_t:association { recvfrom };
      Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      67f83cbf
    • V
      SELinux: Return correct context for SO_PEERSEC · 6b877699
      Venkat Yekkirala 提交于
      Fix SO_PEERSEC for tcp sockets to return the security context of
      the peer (as represented by the SA from the peer) as opposed to the
      SA used by the local/source socket.
      Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      6b877699
  3. 27 11月, 2006 1 次提交
  4. 31 10月, 2006 1 次提交
    • P
      [NetLabel]: protect the CIPSOv4 socket option from setsockopt() · f8687afe
      Paul Moore 提交于
      This patch makes two changes to protect applications from either removing or
      tampering with the CIPSOv4 IP option on a socket.  The first is the requirement
      that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
      on a socket; this prevents untrusted applications from setting their own
      CIPSOv4 security attributes on the packets they send.  The second change is to
      SELinux and it prevents applications from setting any IPv4 options when there
      is an IPOPT_CIPSO option already present on the socket; this prevents
      applications from removing CIPSOv4 security attributes from the packets they
      send.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f8687afe
  5. 30 9月, 2006 2 次提交
  6. 26 9月, 2006 4 次提交
  7. 23 9月, 2006 8 次提交
  8. 03 8月, 2006 1 次提交
    • C
      [AF_UNIX]: Kernel memory leak fix for af_unix datagram getpeersec patch · dc49c1f9
      Catherine Zhang 提交于
      From: Catherine Zhang <cxzhang@watson.ibm.com>
      
      This patch implements a cleaner fix for the memory leak problem of the
      original unix datagram getpeersec patch.  Instead of creating a
      security context each time a unix datagram is sent, we only create the
      security context when the receiver requests it.
      
      This new design requires modification of the current
      unix_getsecpeer_dgram LSM hook and addition of two new hooks, namely,
      secid_to_secctx and release_secctx.  The former retrieves the security
      context and the latter releases it.  A hook is required for releasing
      the security context because it is up to the security module to decide
      how that's done.  In the case of Selinux, it's a simple kfree
      operation.
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dc49c1f9
  9. 15 7月, 2006 1 次提交
  10. 11 7月, 2006 2 次提交
  11. 01 7月, 2006 3 次提交
  12. 30 6月, 2006 2 次提交
    • C
      [AF_UNIX]: Datagram getpeersec · 877ce7c1
      Catherine Zhang 提交于
      This patch implements an API whereby an application can determine the
      label of its peer's Unix datagram sockets via the auxiliary data mechanism of
      recvmsg.
      
      Patch purpose:
      
      This patch enables a security-aware application to retrieve the
      security context of the peer of a Unix datagram socket.  The application
      can then use this security context to determine the security context for
      processing on behalf of the peer who sent the packet.
      
      Patch design and implementation:
      
      The design and implementation is very similar to the UDP case for INET
      sockets.  Basically we build upon the existing Unix domain socket API for
      retrieving user credentials.  Linux offers the API for obtaining user
      credentials via ancillary messages (i.e., out of band/control messages
      that are bundled together with a normal message).  To retrieve the security
      context, the application first indicates to the kernel such desire by
      setting the SO_PASSSEC option via getsockopt.  Then the application
      retrieves the security context using the auxiliary data mechanism.
      
      An example server application for Unix datagram socket should look like this:
      
      toggle = 1;
      toggle_len = sizeof(toggle);
      
      setsockopt(sockfd, SOL_SOCKET, SO_PASSSEC, &toggle, &toggle_len);
      recvmsg(sockfd, &msg_hdr, 0);
      if (msg_hdr.msg_controllen > sizeof(struct cmsghdr)) {
          cmsg_hdr = CMSG_FIRSTHDR(&msg_hdr);
          if (cmsg_hdr->cmsg_len <= CMSG_LEN(sizeof(scontext)) &&
              cmsg_hdr->cmsg_level == SOL_SOCKET &&
              cmsg_hdr->cmsg_type == SCM_SECURITY) {
              memcpy(&scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));
          }
      }
      
      sock_setsockopt is enhanced with a new socket option SOCK_PASSSEC to allow
      a server socket to receive security context of the peer.
      
      Testing:
      
      We have tested the patch by setting up Unix datagram client and server
      applications.  We verified that the server can retrieve the security context
      using the auxiliary data mechanism of recvmsg.
      Signed-off-by: NCatherine Zhang <cxzhang@watson.ibm.com>
      Acked-by: NAcked-by: James Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      877ce7c1
    • D
      [NETLINK]: Encapsulate eff_cap usage within security framework. · c7bdb545
      Darrel Goeddel 提交于
      This patch encapsulates the usage of eff_cap (in netlink_skb_params) within
      the security framework by extending security_netlink_recv to include a required
      capability parameter and converting all direct usage of eff_caps outside
      of the lsm modules to use the interface.  It also updates the SELinux
      implementation of the security_netlink_send and security_netlink_recv
      hooks to take advantage of the sid in the netlink_skb_params struct.
      This also enables SELinux to perform auditing of netlink capability checks.
      Please apply, for 2.6.18 if possible.
      Signed-off-by: NDarrel Goeddel <dgoeddel@trustedcs.com>
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c7bdb545
  13. 28 6月, 2006 1 次提交
  14. 27 6月, 2006 3 次提交
    • E
      [PATCH] SELinux: Add sockcreate node to procattr API · 42c3e03e
      Eric Paris 提交于
      Below is a patch to add a new /proc/self/attr/sockcreate A process may write a
      context into this interface and all subsequent sockets created will be labeled
      with that context.  This is the same idea as the fscreate interface where a
      process can specify the label of a file about to be created.  At this time one
      envisioned user of this will be xinetd.  It will be able to better label
      sockets for the actual services.  At this time all sockets take the label of
      the creating process, so all xinitd sockets would just be labeled the same.
      
      I tested this by creating a tcp sender and listener.  The sender was able to
      write to this new proc file and then create sockets with the specified label.
      I am able to be sure the new label was used since the avc denial messages
      kicked out by the kernel included both the new security permission
      setsockcreate and all the socket denials were for the new label, not the label
      of the running process.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      42c3e03e
    • M
      [PATCH] keys: add a way to store the appropriate context for newly-created keys · 4eb582cf
      Michael LeMay 提交于
      Add a /proc/<pid>/attr/keycreate entry that stores the appropriate context for
      newly-created keys.  Modify the selinux_key_alloc hook to make use of the new
      entry.  Update the flask headers to include a new "setkeycreate" permission
      for processes.  Update the flask headers to include a new "create" permission
      for keys.  Use the create permission to restrict which SIDs each task can
      assign to newly-created keys.  Add a new parameter to the security hook
      "security_key_alloc" to indicate whether it is being invoked by the kernel, or
      from userspace.  If it is being invoked by the kernel, the security hook
      should never fail.  Update the documentation to reflect these changes.
      Signed-off-by: NMichael LeMay <mdlemay@epoch.ncsc.mil>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      4eb582cf
    • D
      [PATCH] keys: sort out key quota system · 7e047ef5
      David Howells 提交于
      Add the ability for key creation to overrun the user's quota in some
      circumstances - notably when a session keyring is created and assigned to a
      process that didn't previously have one.
      
      This means it's still possible to log in, should PAM require the creation of a
      new session keyring, and fix an overburdened key quota.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      7e047ef5
  15. 23 6月, 2006 4 次提交
  16. 18 6月, 2006 1 次提交
    • J
      [SECMARK]: Add new packet controls to SELinux · 4e5ab4cb
      James Morris 提交于
      Add new per-packet access controls to SELinux, replacing the old
      packet controls.
      
      Packets are labeled with the iptables SECMARK and CONNSECMARK targets,
      then security policy for the packets is enforced with these controls.
      
      To allow for a smooth transition to the new controls, the old code is
      still present, but not active by default.  To restore previous
      behavior, the old controls may be activated at runtime by writing a
      '1' to /selinux/compat_net, and also via the kernel boot parameter
      selinux_compat_net.  Switching between the network control models
      requires the security load_policy permission.  The old controls will
      probably eventually be removed and any continued use is discouraged.
      
      With this patch, the new secmark controls for SElinux are disabled by
      default, so existing behavior is entirely preserved, and the user is
      not affected at all.
      
      It also provides a config option to enable the secmark controls by
      default (which can always be overridden at boot and runtime).  It is
      also noted in the kconfig help that the user will need updated
      userspace if enabling secmark controls for SELinux and that they'll
      probably need the SECMARK and CONNMARK targets, and conntrack protocol
      helpers, although such decisions are beyond the scope of kernel
      configuration.
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4e5ab4cb