xref: /openbmc/linux/security/selinux/netlabel.c (revision e23feb16)
1 /*
2  * SELinux NetLabel Support
3  *
4  * This file provides the necessary glue to tie NetLabel into the SELinux
5  * subsystem.
6  *
7  * Author: Paul Moore <paul@paul-moore.com>
8  *
9  */
10 
11 /*
12  * (c) Copyright Hewlett-Packard Development Company, L.P., 2007, 2008
13  *
14  * This program is free software;  you can redistribute it and/or modify
15  * it under the terms of the GNU General Public License as published by
16  * the Free Software Foundation; either version 2 of the License, or
17  * (at your option) any later version.
18  *
19  * This program is distributed in the hope that it will be useful,
20  * but WITHOUT ANY WARRANTY;  without even the implied warranty of
21  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
22  * the GNU General Public License for more details.
23  *
24  * You should have received a copy of the GNU General Public License
25  * along with this program;  if not, write to the Free Software
26  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27  *
28  */
29 
30 #include <linux/spinlock.h>
31 #include <linux/rcupdate.h>
32 #include <linux/gfp.h>
33 #include <linux/ip.h>
34 #include <linux/ipv6.h>
35 #include <net/sock.h>
36 #include <net/netlabel.h>
37 #include <net/ip.h>
38 #include <net/ipv6.h>
39 
40 #include "objsec.h"
41 #include "security.h"
42 #include "netlabel.h"
43 
44 /**
45  * selinux_netlbl_sidlookup_cached - Cache a SID lookup
46  * @skb: the packet
47  * @secattr: the NetLabel security attributes
48  * @sid: the SID
49  *
50  * Description:
51  * Query the SELinux security server to lookup the correct SID for the given
52  * security attributes.  If the query is successful, cache the result to speed
53  * up future lookups.  Returns zero on success, negative values on failure.
54  *
55  */
56 static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
57 					   struct netlbl_lsm_secattr *secattr,
58 					   u32 *sid)
59 {
60 	int rc;
61 
62 	rc = security_netlbl_secattr_to_sid(secattr, sid);
63 	if (rc == 0 &&
64 	    (secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
65 	    (secattr->flags & NETLBL_SECATTR_CACHE))
66 		netlbl_cache_add(skb, secattr);
67 
68 	return rc;
69 }
70 
71 /**
72  * selinux_netlbl_sock_genattr - Generate the NetLabel socket secattr
73  * @sk: the socket
74  *
75  * Description:
76  * Generate the NetLabel security attributes for a socket, making full use of
77  * the socket's attribute cache.  Returns a pointer to the security attributes
78  * on success, NULL on failure.
79  *
80  */
81 static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
82 {
83 	int rc;
84 	struct sk_security_struct *sksec = sk->sk_security;
85 	struct netlbl_lsm_secattr *secattr;
86 
87 	if (sksec->nlbl_secattr != NULL)
88 		return sksec->nlbl_secattr;
89 
90 	secattr = netlbl_secattr_alloc(GFP_ATOMIC);
91 	if (secattr == NULL)
92 		return NULL;
93 	rc = security_netlbl_sid_to_secattr(sksec->sid, secattr);
94 	if (rc != 0) {
95 		netlbl_secattr_free(secattr);
96 		return NULL;
97 	}
98 	sksec->nlbl_secattr = secattr;
99 
100 	return secattr;
101 }
102 
103 /**
104  * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
105  *
106  * Description:
107  * Invalidate the NetLabel security attribute mapping cache.
108  *
109  */
110 void selinux_netlbl_cache_invalidate(void)
111 {
112 	netlbl_cache_invalidate();
113 }
114 
115 /**
116  * selinux_netlbl_err - Handle a NetLabel packet error
117  * @skb: the packet
118  * @error: the error code
119  * @gateway: true if host is acting as a gateway, false otherwise
120  *
121  * Description:
122  * When a packet is dropped due to a call to avc_has_perm() pass the error
123  * code to the NetLabel subsystem so any protocol specific processing can be
124  * done.  This is safe to call even if you are unsure if NetLabel labeling is
125  * present on the packet, NetLabel is smart enough to only act when it should.
126  *
127  */
128 void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway)
129 {
130 	netlbl_skbuff_err(skb, error, gateway);
131 }
132 
133 /**
134  * selinux_netlbl_sk_security_free - Free the NetLabel fields
135  * @sksec: the sk_security_struct
136  *
137  * Description:
138  * Free all of the memory in the NetLabel fields of a sk_security_struct.
139  *
140  */
141 void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec)
142 {
143 	if (sksec->nlbl_secattr != NULL)
144 		netlbl_secattr_free(sksec->nlbl_secattr);
145 }
146 
147 /**
148  * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
149  * @sksec: the sk_security_struct
150  * @family: the socket family
151  *
152  * Description:
153  * Called when the NetLabel state of a sk_security_struct needs to be reset.
154  * The caller is responsible for all the NetLabel sk_security_struct locking.
155  *
156  */
157 void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec)
158 {
159 	sksec->nlbl_state = NLBL_UNSET;
160 }
161 
162 /**
163  * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
164  * @skb: the packet
165  * @family: protocol family
166  * @type: NetLabel labeling protocol type
167  * @sid: the SID
168  *
169  * Description:
170  * Call the NetLabel mechanism to get the security attributes of the given
171  * packet and use those attributes to determine the correct context/SID to
172  * assign to the packet.  Returns zero on success, negative values on failure.
173  *
174  */
175 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
176 				 u16 family,
177 				 u32 *type,
178 				 u32 *sid)
179 {
180 	int rc;
181 	struct netlbl_lsm_secattr secattr;
182 
183 	if (!netlbl_enabled()) {
184 		*sid = SECSID_NULL;
185 		return 0;
186 	}
187 
188 	netlbl_secattr_init(&secattr);
189 	rc = netlbl_skbuff_getattr(skb, family, &secattr);
190 	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
191 		rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid);
192 	else
193 		*sid = SECSID_NULL;
194 	*type = secattr.type;
195 	netlbl_secattr_destroy(&secattr);
196 
197 	return rc;
198 }
199 
200 /**
201  * selinux_netlbl_skbuff_setsid - Set the NetLabel on a packet given a sid
202  * @skb: the packet
203  * @family: protocol family
204  * @sid: the SID
205  *
206  * Description
207  * Call the NetLabel mechanism to set the label of a packet using @sid.
208  * Returns zero on success, negative values on failure.
209  *
210  */
211 int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
212 				 u16 family,
213 				 u32 sid)
214 {
215 	int rc;
216 	struct netlbl_lsm_secattr secattr_storage;
217 	struct netlbl_lsm_secattr *secattr = NULL;
218 	struct sock *sk;
219 
220 	/* if this is a locally generated packet check to see if it is already
221 	 * being labeled by it's parent socket, if it is just exit */
222 	sk = skb->sk;
223 	if (sk != NULL) {
224 		struct sk_security_struct *sksec = sk->sk_security;
225 		if (sksec->nlbl_state != NLBL_REQSKB)
226 			return 0;
227 		secattr = sksec->nlbl_secattr;
228 	}
229 	if (secattr == NULL) {
230 		secattr = &secattr_storage;
231 		netlbl_secattr_init(secattr);
232 		rc = security_netlbl_sid_to_secattr(sid, secattr);
233 		if (rc != 0)
234 			goto skbuff_setsid_return;
235 	}
236 
237 	rc = netlbl_skbuff_setattr(skb, family, secattr);
238 
239 skbuff_setsid_return:
240 	if (secattr == &secattr_storage)
241 		netlbl_secattr_destroy(secattr);
242 	return rc;
243 }
244 
245 /**
246  * selinux_netlbl_inet_conn_request - Label an incoming stream connection
247  * @req: incoming connection request socket
248  *
249  * Description:
250  * A new incoming connection request is represented by @req, we need to label
251  * the new request_sock here and the stack will ensure the on-the-wire label
252  * will get preserved when a full sock is created once the connection handshake
253  * is complete.  Returns zero on success, negative values on failure.
254  *
255  */
256 int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
257 {
258 	int rc;
259 	struct netlbl_lsm_secattr secattr;
260 
261 	if (family != PF_INET)
262 		return 0;
263 
264 	netlbl_secattr_init(&secattr);
265 	rc = security_netlbl_sid_to_secattr(req->secid, &secattr);
266 	if (rc != 0)
267 		goto inet_conn_request_return;
268 	rc = netlbl_req_setattr(req, &secattr);
269 inet_conn_request_return:
270 	netlbl_secattr_destroy(&secattr);
271 	return rc;
272 }
273 
274 /**
275  * selinux_netlbl_inet_csk_clone - Initialize the newly created sock
276  * @sk: the new sock
277  *
278  * Description:
279  * A new connection has been established using @sk, we've already labeled the
280  * socket via the request_sock struct in selinux_netlbl_inet_conn_request() but
281  * we need to set the NetLabel state here since we now have a sock structure.
282  *
283  */
284 void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
285 {
286 	struct sk_security_struct *sksec = sk->sk_security;
287 
288 	if (family == PF_INET)
289 		sksec->nlbl_state = NLBL_LABELED;
290 	else
291 		sksec->nlbl_state = NLBL_UNSET;
292 }
293 
294 /**
295  * selinux_netlbl_socket_post_create - Label a socket using NetLabel
296  * @sock: the socket to label
297  * @family: protocol family
298  *
299  * Description:
300  * Attempt to label a socket using the NetLabel mechanism using the given
301  * SID.  Returns zero values on success, negative values on failure.
302  *
303  */
304 int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
305 {
306 	int rc;
307 	struct sk_security_struct *sksec = sk->sk_security;
308 	struct netlbl_lsm_secattr *secattr;
309 
310 	if (family != PF_INET)
311 		return 0;
312 
313 	secattr = selinux_netlbl_sock_genattr(sk);
314 	if (secattr == NULL)
315 		return -ENOMEM;
316 	rc = netlbl_sock_setattr(sk, family, secattr);
317 	switch (rc) {
318 	case 0:
319 		sksec->nlbl_state = NLBL_LABELED;
320 		break;
321 	case -EDESTADDRREQ:
322 		sksec->nlbl_state = NLBL_REQSKB;
323 		rc = 0;
324 		break;
325 	}
326 
327 	return rc;
328 }
329 
330 /**
331  * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
332  * @sksec: the sock's sk_security_struct
333  * @skb: the packet
334  * @family: protocol family
335  * @ad: the audit data
336  *
337  * Description:
338  * Fetch the NetLabel security attributes from @skb and perform an access check
339  * against the receiving socket.  Returns zero on success, negative values on
340  * error.
341  *
342  */
343 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
344 				struct sk_buff *skb,
345 				u16 family,
346 				struct common_audit_data *ad)
347 {
348 	int rc;
349 	u32 nlbl_sid;
350 	u32 perm;
351 	struct netlbl_lsm_secattr secattr;
352 
353 	if (!netlbl_enabled())
354 		return 0;
355 
356 	netlbl_secattr_init(&secattr);
357 	rc = netlbl_skbuff_getattr(skb, family, &secattr);
358 	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
359 		rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid);
360 	else
361 		nlbl_sid = SECINITSID_UNLABELED;
362 	netlbl_secattr_destroy(&secattr);
363 	if (rc != 0)
364 		return rc;
365 
366 	switch (sksec->sclass) {
367 	case SECCLASS_UDP_SOCKET:
368 		perm = UDP_SOCKET__RECVFROM;
369 		break;
370 	case SECCLASS_TCP_SOCKET:
371 		perm = TCP_SOCKET__RECVFROM;
372 		break;
373 	default:
374 		perm = RAWIP_SOCKET__RECVFROM;
375 	}
376 
377 	rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
378 	if (rc == 0)
379 		return 0;
380 
381 	if (nlbl_sid != SECINITSID_UNLABELED)
382 		netlbl_skbuff_err(skb, rc, 0);
383 	return rc;
384 }
385 
386 /**
387  * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
388  * @sock: the socket
389  * @level: the socket level or protocol
390  * @optname: the socket option name
391  *
392  * Description:
393  * Check the setsockopt() call and if the user is trying to replace the IP
394  * options on a socket and a NetLabel is in place for the socket deny the
395  * access; otherwise allow the access.  Returns zero when the access is
396  * allowed, -EACCES when denied, and other negative values on error.
397  *
398  */
399 int selinux_netlbl_socket_setsockopt(struct socket *sock,
400 				     int level,
401 				     int optname)
402 {
403 	int rc = 0;
404 	struct sock *sk = sock->sk;
405 	struct sk_security_struct *sksec = sk->sk_security;
406 	struct netlbl_lsm_secattr secattr;
407 
408 	if (level == IPPROTO_IP && optname == IP_OPTIONS &&
409 	    (sksec->nlbl_state == NLBL_LABELED ||
410 	     sksec->nlbl_state == NLBL_CONNLABELED)) {
411 		netlbl_secattr_init(&secattr);
412 		lock_sock(sk);
413 		rc = netlbl_sock_getattr(sk, &secattr);
414 		release_sock(sk);
415 		if (rc == 0)
416 			rc = -EACCES;
417 		else if (rc == -ENOMSG)
418 			rc = 0;
419 		netlbl_secattr_destroy(&secattr);
420 	}
421 
422 	return rc;
423 }
424 
425 /**
426  * selinux_netlbl_socket_connect - Label a client-side socket on connect
427  * @sk: the socket to label
428  * @addr: the destination address
429  *
430  * Description:
431  * Attempt to label a connected socket with NetLabel using the given address.
432  * Returns zero values on success, negative values on failure.
433  *
434  */
435 int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
436 {
437 	int rc;
438 	struct sk_security_struct *sksec = sk->sk_security;
439 	struct netlbl_lsm_secattr *secattr;
440 
441 	if (sksec->nlbl_state != NLBL_REQSKB &&
442 	    sksec->nlbl_state != NLBL_CONNLABELED)
443 		return 0;
444 
445 	local_bh_disable();
446 	bh_lock_sock_nested(sk);
447 
448 	/* connected sockets are allowed to disconnect when the address family
449 	 * is set to AF_UNSPEC, if that is what is happening we want to reset
450 	 * the socket */
451 	if (addr->sa_family == AF_UNSPEC) {
452 		netlbl_sock_delattr(sk);
453 		sksec->nlbl_state = NLBL_REQSKB;
454 		rc = 0;
455 		goto socket_connect_return;
456 	}
457 	secattr = selinux_netlbl_sock_genattr(sk);
458 	if (secattr == NULL) {
459 		rc = -ENOMEM;
460 		goto socket_connect_return;
461 	}
462 	rc = netlbl_conn_setattr(sk, addr, secattr);
463 	if (rc == 0)
464 		sksec->nlbl_state = NLBL_CONNLABELED;
465 
466 socket_connect_return:
467 	bh_unlock_sock(sk);
468 	local_bh_enable();
469 	return rc;
470 }
471