1 /* 2 * SELinux NetLabel Support 3 * 4 * This file provides the necessary glue to tie NetLabel into the SELinux 5 * subsystem. 6 * 7 * Author: Paul Moore <paul.moore@hp.com> 8 * 9 */ 10 11 /* 12 * (c) Copyright Hewlett-Packard Development Company, L.P., 2007 13 * 14 * This program is free software; you can redistribute it and/or modify 15 * it under the terms of the GNU General Public License as published by 16 * the Free Software Foundation; either version 2 of the License, or 17 * (at your option) any later version. 18 * 19 * This program is distributed in the hope that it will be useful, 20 * but WITHOUT ANY WARRANTY; without even the implied warranty of 21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 22 * the GNU General Public License for more details. 23 * 24 * You should have received a copy of the GNU General Public License 25 * along with this program; if not, write to the Free Software 26 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 27 * 28 */ 29 30 #include <linux/spinlock.h> 31 #include <linux/rcupdate.h> 32 #include <net/sock.h> 33 #include <net/netlabel.h> 34 35 #include "objsec.h" 36 #include "security.h" 37 38 /** 39 * selinux_netlbl_sidlookup_cached - Cache a SID lookup 40 * @skb: the packet 41 * @secattr: the NetLabel security attributes 42 * @sid: the SID 43 * 44 * Description: 45 * Query the SELinux security server to lookup the correct SID for the given 46 * security attributes. If the query is successful, cache the result to speed 47 * up future lookups. Returns zero on success, negative values on failure. 48 * 49 */ 50 static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, 51 struct netlbl_lsm_secattr *secattr, 52 u32 *sid) 53 { 54 int rc; 55 56 rc = security_netlbl_secattr_to_sid(secattr, sid); 57 if (rc == 0 && 58 (secattr->flags & NETLBL_SECATTR_CACHEABLE) && 59 (secattr->flags & NETLBL_SECATTR_CACHE)) 60 netlbl_cache_add(skb, secattr); 61 62 return rc; 63 } 64 65 /** 66 * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism 67 * @sk: the socket to label 68 * @sid: the SID to use 69 * 70 * Description: 71 * Attempt to label a socket using the NetLabel mechanism using the given 72 * SID. Returns zero values on success, negative values on failure. The 73 * caller is responsibile for calling rcu_read_lock() before calling this 74 * this function and rcu_read_unlock() after this function returns. 75 * 76 */ 77 static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid) 78 { 79 int rc; 80 struct sk_security_struct *sksec = sk->sk_security; 81 struct netlbl_lsm_secattr secattr; 82 83 netlbl_secattr_init(&secattr); 84 85 rc = security_netlbl_sid_to_secattr(sid, &secattr); 86 if (rc != 0) 87 goto sock_setsid_return; 88 rc = netlbl_sock_setattr(sk, &secattr); 89 if (rc == 0) { 90 spin_lock_bh(&sksec->nlbl_lock); 91 sksec->nlbl_state = NLBL_LABELED; 92 spin_unlock_bh(&sksec->nlbl_lock); 93 } 94 95 sock_setsid_return: 96 netlbl_secattr_destroy(&secattr); 97 return rc; 98 } 99 100 /** 101 * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache 102 * 103 * Description: 104 * Invalidate the NetLabel security attribute mapping cache. 105 * 106 */ 107 void selinux_netlbl_cache_invalidate(void) 108 { 109 netlbl_cache_invalidate(); 110 } 111 112 /** 113 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields 114 * @ssec: the sk_security_struct 115 * @family: the socket family 116 * 117 * Description: 118 * Called when the NetLabel state of a sk_security_struct needs to be reset. 119 * The caller is responsibile for all the NetLabel sk_security_struct locking. 120 * 121 */ 122 void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, 123 int family) 124 { 125 if (family == PF_INET) 126 ssec->nlbl_state = NLBL_REQUIRE; 127 else 128 ssec->nlbl_state = NLBL_UNSET; 129 } 130 131 /** 132 * selinux_netlbl_sk_security_init - Setup the NetLabel fields 133 * @ssec: the sk_security_struct 134 * @family: the socket family 135 * 136 * Description: 137 * Called when a new sk_security_struct is allocated to initialize the NetLabel 138 * fields. 139 * 140 */ 141 void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec, 142 int family) 143 { 144 /* No locking needed, we are the only one who has access to ssec */ 145 selinux_netlbl_sk_security_reset(ssec, family); 146 spin_lock_init(&ssec->nlbl_lock); 147 } 148 149 /** 150 * selinux_netlbl_sk_security_clone - Copy the NetLabel fields 151 * @ssec: the original sk_security_struct 152 * @newssec: the cloned sk_security_struct 153 * 154 * Description: 155 * Clone the NetLabel specific sk_security_struct fields from @ssec to 156 * @newssec. 157 * 158 */ 159 void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, 160 struct sk_security_struct *newssec) 161 { 162 /* We don't need to take newssec->nlbl_lock because we are the only 163 * thread with access to newssec, but we do need to take the RCU read 164 * lock as other threads could have access to ssec */ 165 rcu_read_lock(); 166 selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family); 167 rcu_read_unlock(); 168 } 169 170 /** 171 * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel 172 * @skb: the packet 173 * @family: protocol family 174 * @type: NetLabel labeling protocol type 175 * @sid: the SID 176 * 177 * Description: 178 * Call the NetLabel mechanism to get the security attributes of the given 179 * packet and use those attributes to determine the correct context/SID to 180 * assign to the packet. Returns zero on success, negative values on failure. 181 * 182 */ 183 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, 184 u16 family, 185 u32 *type, 186 u32 *sid) 187 { 188 int rc; 189 struct netlbl_lsm_secattr secattr; 190 191 if (!netlbl_enabled()) { 192 *sid = SECSID_NULL; 193 return 0; 194 } 195 196 netlbl_secattr_init(&secattr); 197 rc = netlbl_skbuff_getattr(skb, family, &secattr); 198 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 199 rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid); 200 else 201 *sid = SECSID_NULL; 202 *type = secattr.type; 203 netlbl_secattr_destroy(&secattr); 204 205 return rc; 206 } 207 208 /** 209 * selinux_netlbl_sock_graft - Netlabel the new socket 210 * @sk: the new connection 211 * @sock: the new socket 212 * 213 * Description: 214 * The connection represented by @sk is being grafted onto @sock so set the 215 * socket's NetLabel to match the SID of @sk. 216 * 217 */ 218 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) 219 { 220 struct sk_security_struct *sksec = sk->sk_security; 221 struct netlbl_lsm_secattr secattr; 222 u32 nlbl_peer_sid; 223 224 rcu_read_lock(); 225 226 if (sksec->nlbl_state != NLBL_REQUIRE) { 227 rcu_read_unlock(); 228 return; 229 } 230 231 netlbl_secattr_init(&secattr); 232 if (netlbl_sock_getattr(sk, &secattr) == 0 && 233 secattr.flags != NETLBL_SECATTR_NONE && 234 security_netlbl_secattr_to_sid(&secattr, &nlbl_peer_sid) == 0) 235 sksec->peer_sid = nlbl_peer_sid; 236 netlbl_secattr_destroy(&secattr); 237 238 /* Try to set the NetLabel on the socket to save time later, if we fail 239 * here we will pick up the pieces in later calls to 240 * selinux_netlbl_inode_permission(). */ 241 selinux_netlbl_sock_setsid(sk, sksec->sid); 242 243 rcu_read_unlock(); 244 } 245 246 /** 247 * selinux_netlbl_socket_post_create - Label a socket using NetLabel 248 * @sock: the socket to label 249 * 250 * Description: 251 * Attempt to label a socket using the NetLabel mechanism using the given 252 * SID. Returns zero values on success, negative values on failure. 253 * 254 */ 255 int selinux_netlbl_socket_post_create(struct socket *sock) 256 { 257 int rc = 0; 258 struct sock *sk = sock->sk; 259 struct sk_security_struct *sksec = sk->sk_security; 260 261 rcu_read_lock(); 262 if (sksec->nlbl_state == NLBL_REQUIRE) 263 rc = selinux_netlbl_sock_setsid(sk, sksec->sid); 264 rcu_read_unlock(); 265 266 return rc; 267 } 268 269 /** 270 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled 271 * @inode: the file descriptor's inode 272 * @mask: the permission mask 273 * 274 * Description: 275 * Looks at a file's inode and if it is marked as a socket protected by 276 * NetLabel then verify that the socket has been labeled, if not try to label 277 * the socket now with the inode's SID. Returns zero on success, negative 278 * values on failure. 279 * 280 */ 281 int selinux_netlbl_inode_permission(struct inode *inode, int mask) 282 { 283 int rc; 284 struct sock *sk; 285 struct socket *sock; 286 struct sk_security_struct *sksec; 287 288 if (!S_ISSOCK(inode->i_mode) || 289 ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) 290 return 0; 291 sock = SOCKET_I(inode); 292 sk = sock->sk; 293 sksec = sk->sk_security; 294 295 rcu_read_lock(); 296 if (sksec->nlbl_state != NLBL_REQUIRE) { 297 rcu_read_unlock(); 298 return 0; 299 } 300 local_bh_disable(); 301 bh_lock_sock_nested(sk); 302 rc = selinux_netlbl_sock_setsid(sk, sksec->sid); 303 bh_unlock_sock(sk); 304 local_bh_enable(); 305 rcu_read_unlock(); 306 307 return rc; 308 } 309 310 /** 311 * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel 312 * @sksec: the sock's sk_security_struct 313 * @skb: the packet 314 * @family: protocol family 315 * @ad: the audit data 316 * 317 * Description: 318 * Fetch the NetLabel security attributes from @skb and perform an access check 319 * against the receiving socket. Returns zero on success, negative values on 320 * error. 321 * 322 */ 323 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, 324 struct sk_buff *skb, 325 u16 family, 326 struct avc_audit_data *ad) 327 { 328 int rc; 329 u32 nlbl_sid; 330 u32 perm; 331 struct netlbl_lsm_secattr secattr; 332 333 if (!netlbl_enabled()) 334 return 0; 335 336 netlbl_secattr_init(&secattr); 337 rc = netlbl_skbuff_getattr(skb, family, &secattr); 338 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 339 rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid); 340 else 341 nlbl_sid = SECINITSID_UNLABELED; 342 netlbl_secattr_destroy(&secattr); 343 if (rc != 0) 344 return rc; 345 346 switch (sksec->sclass) { 347 case SECCLASS_UDP_SOCKET: 348 perm = UDP_SOCKET__RECVFROM; 349 break; 350 case SECCLASS_TCP_SOCKET: 351 perm = TCP_SOCKET__RECVFROM; 352 break; 353 default: 354 perm = RAWIP_SOCKET__RECVFROM; 355 } 356 357 rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad); 358 if (rc == 0) 359 return 0; 360 361 if (nlbl_sid != SECINITSID_UNLABELED) 362 netlbl_skbuff_err(skb, rc); 363 return rc; 364 } 365 366 /** 367 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel 368 * @sock: the socket 369 * @level: the socket level or protocol 370 * @optname: the socket option name 371 * 372 * Description: 373 * Check the setsockopt() call and if the user is trying to replace the IP 374 * options on a socket and a NetLabel is in place for the socket deny the 375 * access; otherwise allow the access. Returns zero when the access is 376 * allowed, -EACCES when denied, and other negative values on error. 377 * 378 */ 379 int selinux_netlbl_socket_setsockopt(struct socket *sock, 380 int level, 381 int optname) 382 { 383 int rc = 0; 384 struct sock *sk = sock->sk; 385 struct sk_security_struct *sksec = sk->sk_security; 386 struct netlbl_lsm_secattr secattr; 387 388 rcu_read_lock(); 389 if (level == IPPROTO_IP && optname == IP_OPTIONS && 390 sksec->nlbl_state == NLBL_LABELED) { 391 netlbl_secattr_init(&secattr); 392 lock_sock(sk); 393 rc = netlbl_sock_getattr(sk, &secattr); 394 release_sock(sk); 395 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 396 rc = -EACCES; 397 netlbl_secattr_destroy(&secattr); 398 } 399 rcu_read_unlock(); 400 401 return rc; 402 } 403