lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1286924143.5133.86.camel@sifl>
Date:	Tue, 12 Oct 2010 18:55:43 -0400
From:	Paul Moore <paul.moore@...com>
To:	Eric Paris <eparis@...hat.com>
Cc:	linux-kernel@...r.kernel.org, netfilter-devel@...r.kernel.org,
	netfilter@...r.kernel.org, jmorris@...ei.org,
	selinux@...ho.nsa.gov, sds@...ho.nsa.gov, jengelh@...ozas.de,
	linux-security-module@...r.kernel.org, mr.dash.four@...glemail.com,
	pablo@...filter.org
Subject: Re: [PATCH 2/5] secmark: make secmark object handling generic

On Tue, 2010-10-12 at 11:40 -0400, Eric Paris wrote:
> Right now secmark has lots of direct selinux calls.  Use all LSM calls and
> remove all SELinux specific knowledge.  The only SELinux specific knowledge
> we leave is the mode.  The only point is to make sure that other LSMs at
> least test this generic code before they assume it works.  (They may also
> have to make changes if they do not represent labels as strings)

I'm sure you have, but I just want to make sure - you've tested this
change (and the others for that matter) against the existing iptables
userspace to make sure everything still works, right?

> Signed-off-by: Eric Paris <eparis@...hat.com>
> ---
> 
>  include/linux/netfilter/xt_SECMARK.h |   12 ++----
>  include/linux/security.h             |   25 +++++++++++++
>  include/linux/selinux.h              |   63 ----------------------------------
>  net/netfilter/xt_CT.c                |    1 -
>  net/netfilter/xt_SECMARK.c           |   51 +++++++++++++---------------
>  security/capability.c                |   17 +++++++++
>  security/security.c                  |   18 ++++++++++
>  security/selinux/exports.c           |   49 --------------------------
>  security/selinux/hooks.c             |   24 +++++++++++++
>  security/selinux/include/security.h  |    1 +
>  10 files changed, 112 insertions(+), 149 deletions(-)
> 
> diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
> index 6fcd344..989092b 100644
> --- a/include/linux/netfilter/xt_SECMARK.h
> +++ b/include/linux/netfilter/xt_SECMARK.h
> @@ -11,18 +11,12 @@
>   * packets are being marked for.
>   */
>  #define SECMARK_MODE_SEL	0x01		/* SELinux */
> -#define SECMARK_SELCTX_MAX	256
> -
> -struct xt_secmark_target_selinux_info {
> -	__u32 selsid;
> -	char selctx[SECMARK_SELCTX_MAX];
> -};
> +#define SECMARK_SECCTX_MAX	256
>  
>  struct xt_secmark_target_info {
>  	__u8 mode;
> -	union {
> -		struct xt_secmark_target_selinux_info sel;
> -	} u;
> +	__u32 secid;
> +	char secctx[SECMARK_SECCTX_MAX];
>  };
>  
>  #endif /*_XT_SECMARK_H_target */
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 43771c8..f050119 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -960,6 +960,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>   *	Sets the new child socket's sid to the openreq sid.
>   * @inet_conn_established:
>   *	Sets the connection's peersid to the secmark on skb.
> + * @secmark_relabel_packet:
> + *	check if the process should be allowed to relabel packets to the given secid
> + * @security_secmark_refcount_inc
> + *	tells the LSM to increment the number of secmark labeling rules loaded
> + * @security_secmark_refcount_dec
> + *	tells the LSM to decrement the number of secmark labeling rules loaded
>   * @req_classify_flow:
>   *	Sets the flow's sid to the openreq sid.
>   * @tun_dev_create:
> @@ -1596,6 +1602,9 @@ struct security_operations {
>  				  struct request_sock *req);
>  	void (*inet_csk_clone) (struct sock *newsk, const struct request_sock *req);
>  	void (*inet_conn_established) (struct sock *sk, struct sk_buff *skb);
> +	int (*secmark_relabel_packet) (u32 secid);
> +	void (*secmark_refcount_inc) (void);
> +	void (*secmark_refcount_dec) (void);
>  	void (*req_classify_flow) (const struct request_sock *req, struct flowi *fl);
>  	int (*tun_dev_create)(void);
>  	void (*tun_dev_post_create)(struct sock *sk);
> @@ -2556,6 +2565,9 @@ void security_inet_csk_clone(struct sock *newsk,
>  			const struct request_sock *req);
>  void security_inet_conn_established(struct sock *sk,
>  			struct sk_buff *skb);
> +int security_secmark_relabel_packet(u32 secid);
> +void security_secmark_refcount_inc(void);
> +void security_secmark_refcount_dec(void);
>  int security_tun_dev_create(void);
>  void security_tun_dev_post_create(struct sock *sk);
>  int security_tun_dev_attach(struct sock *sk);
> @@ -2710,6 +2722,19 @@ static inline void security_inet_conn_established(struct sock *sk,
>  {
>  }
>  
> +static inline int security_secmark_relabel_packet(u32 secid)
> +{
> +	return 0;
> +}
> +
> +static inline void security_secmark_refcount_inc(void)
> +{
> +}
> +
> +static inline void security_secmark_refcount_dec(void)
> +{
> +}
> +
>  static inline int security_tun_dev_create(void)
>  {
>  	return 0;
> diff --git a/include/linux/selinux.h b/include/linux/selinux.h
> index 82e0f26..44f4596 100644
> --- a/include/linux/selinux.h
> +++ b/include/linux/selinux.h
> @@ -21,74 +21,11 @@ struct kern_ipc_perm;
>  #ifdef CONFIG_SECURITY_SELINUX
>  
>  /**
> - *     selinux_string_to_sid - map a security context string to a security ID
> - *     @str: the security context string to be mapped
> - *     @sid: ID value returned via this.
> - *
> - *     Returns 0 if successful, with the SID stored in sid.  A value
> - *     of zero for sid indicates no SID could be determined (but no error
> - *     occurred).
> - */
> -int selinux_string_to_sid(char *str, u32 *sid);
> -
> -/**
> - *     selinux_secmark_relabel_packet_permission - secmark permission check
> - *     @sid: SECMARK ID value to be applied to network packet
> - *
> - *     Returns 0 if the current task is allowed to set the SECMARK label of
> - *     packets with the supplied security ID.  Note that it is implicit that
> - *     the packet is always being relabeled from the default unlabeled value,
> - *     and that the access control decision is made in the AVC.
> - */
> -int selinux_secmark_relabel_packet_permission(u32 sid);
> -
> -/**
> - *     selinux_secmark_refcount_inc - increments the secmark use counter
> - *
> - *     SELinux keeps track of the current SECMARK targets in use so it knows
> - *     when to apply SECMARK label access checks to network packets.  This
> - *     function incements this reference count to indicate that a new SECMARK
> - *     target has been configured.
> - */
> -void selinux_secmark_refcount_inc(void);
> -
> -/**
> - *     selinux_secmark_refcount_dec - decrements the secmark use counter
> - *
> - *     SELinux keeps track of the current SECMARK targets in use so it knows
> - *     when to apply SECMARK label access checks to network packets.  This
> - *     function decements this reference count to indicate that one of the
> - *     existing SECMARK targets has been removed/flushed.
> - */
> -void selinux_secmark_refcount_dec(void);
> -
> -/**
>   * selinux_is_enabled - is SELinux enabled?
>   */
>  bool selinux_is_enabled(void);
>  #else
>  
> -static inline int selinux_string_to_sid(const char *str, u32 *sid)
> -{
> -       *sid = 0;
> -       return 0;
> -}
> -
> -static inline int selinux_secmark_relabel_packet_permission(u32 sid)
> -{
> -	return 0;
> -}
> -
> -static inline void selinux_secmark_refcount_inc(void)
> -{
> -	return;
> -}
> -
> -static inline void selinux_secmark_refcount_dec(void)
> -{
> -	return;
> -}
> -
>  static inline bool selinux_is_enabled(void)
>  {
>  	return false;
> diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
> index 0cb6053..782e519 100644
> --- a/net/netfilter/xt_CT.c
> +++ b/net/netfilter/xt_CT.c
> @@ -9,7 +9,6 @@
>  #include <linux/module.h>
>  #include <linux/gfp.h>
>  #include <linux/skbuff.h>
> -#include <linux/selinux.h>
>  #include <linux/netfilter_ipv4/ip_tables.h>
>  #include <linux/netfilter_ipv6/ip6_tables.h>
>  #include <linux/netfilter/x_tables.h>
> diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
> index 364ad16..295054e 100644
> --- a/net/netfilter/xt_SECMARK.c
> +++ b/net/netfilter/xt_SECMARK.c
> @@ -14,8 +14,8 @@
>   */
>  #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>  #include <linux/module.h>
> +#include <linux/security.h>
>  #include <linux/skbuff.h>
> -#include <linux/selinux.h>
>  #include <linux/netfilter/x_tables.h>
>  #include <linux/netfilter/xt_SECMARK.h>
>  
> @@ -39,9 +39,8 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
>  
>  	switch (mode) {
>  	case SECMARK_MODE_SEL:
> -		secmark = info->u.sel.selsid;
> +		secmark = info->secid;
>  		break;
> -
>  	default:
>  		BUG();
>  	}
> @@ -50,33 +49,33 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
>  	return XT_CONTINUE;
>  }
>  
> -static int checkentry_selinux(struct xt_secmark_target_info *info)
> +static int checkentry_lsm(struct xt_secmark_target_info *info)
>  {
>  	int err;
> -	struct xt_secmark_target_selinux_info *sel = &info->u.sel;
>  
> -	sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0';
> +	info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
> +	info->secid = 0;
>  
> -	err = selinux_string_to_sid(sel->selctx, &sel->selsid);
> +	err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
> +				       &info->secid);
>  	if (err) {
>  		if (err == -EINVAL)
> -			pr_info("invalid SELinux context \'%s\'\n",
> -				sel->selctx);
> +			pr_info("invalid security context \'%s\'\n", info->secctx);
>  		return err;
>  	}
>  
> -	if (!sel->selsid) {
> -		pr_info("unable to map SELinux context \'%s\'\n", sel->selctx);
> +	if (!info->secid) {
> +		pr_info("unable to map security context \'%s\'\n", info->secctx);
>  		return -ENOENT;
>  	}
>  
> -	err = selinux_secmark_relabel_packet_permission(sel->selsid);
> +	err = security_secmark_relabel_packet(info->secid);
>  	if (err) {
>  		pr_info("unable to obtain relabeling permission\n");
>  		return err;
>  	}
>  
> -	selinux_secmark_refcount_inc();
> +	security_secmark_refcount_inc();
>  	return 0;
>  }
>  
> @@ -100,16 +99,16 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
>  
>  	switch (info->mode) {
>  	case SECMARK_MODE_SEL:
> -		err = checkentry_selinux(info);
> -		if (err)
> -			return err;
>  		break;
> -
>  	default:
>  		pr_info("invalid mode: %hu\n", info->mode);
>  		return -EINVAL;
>  	}
>  
> +	err = checkentry_lsm(info);
> +	if (err)
> +		return err;
> +
>  	if (!mode)
>  		mode = info->mode;
>  	return 0;
> @@ -119,19 +118,19 @@ static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
>  {
>  	switch (mode) {
>  	case SECMARK_MODE_SEL:
> -		selinux_secmark_refcount_dec();
> +		security_secmark_refcount_dec();
>  	}
>  }
>  
>  static struct xt_target secmark_tg_reg __read_mostly = {
> -	.name       = "SECMARK",
> -	.revision   = 0,
> -	.family     = NFPROTO_UNSPEC,
> -	.checkentry = secmark_tg_check,
> -	.destroy    = secmark_tg_destroy,
> -	.target     = secmark_tg,
> -	.targetsize = sizeof(struct xt_secmark_target_info),
> -	.me         = THIS_MODULE,
> +	.name		= "SECMARK",
> +	.revision	= 0,
> +	.family		= NFPROTO_UNSPEC,
> +	.checkentry	= secmark_tg_check,
> +	.destroy	= secmark_tg_destroy,
> +	.target		= secmark_tg,
> +	.targetsize	= sizeof(struct xt_secmark_target_info),
> +	.me		= THIS_MODULE,
>  };
>  
>  static int __init secmark_tg_init(void)
> diff --git a/security/capability.c b/security/capability.c
> index 1e26299..806061b 100644
> --- a/security/capability.c
> +++ b/security/capability.c
> @@ -681,7 +681,18 @@ static void cap_inet_conn_established(struct sock *sk, struct sk_buff *skb)
>  {
>  }
>  
> +static int cap_secmark_relabel_packet(u32 secid)
> +{
> +	return 0;
> +}
>  
> +static void cap_secmark_refcount_inc(void)
> +{
> +}
> +
> +static void cap_secmark_refcount_dec(void)
> +{
> +}
>  
>  static void cap_req_classify_flow(const struct request_sock *req,
>  				  struct flowi *fl)
> @@ -781,7 +792,8 @@ static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>  
>  static int cap_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
>  {
> -	return -EOPNOTSUPP;
> +	*secid = 0;
> +	return 0;
>  }
>  
>  static void cap_release_secctx(char *secdata, u32 seclen)
> @@ -1023,6 +1035,9 @@ void __init security_fixup_ops(struct security_operations *ops)
>  	set_to_cap_if_null(ops, inet_conn_request);
>  	set_to_cap_if_null(ops, inet_csk_clone);
>  	set_to_cap_if_null(ops, inet_conn_established);
> +	set_to_cap_if_null(ops, secmark_relabel_packet);
> +	set_to_cap_if_null(ops, secmark_refcount_inc);
> +	set_to_cap_if_null(ops, secmark_refcount_dec);
>  	set_to_cap_if_null(ops, req_classify_flow);
>  	set_to_cap_if_null(ops, tun_dev_create);
>  	set_to_cap_if_null(ops, tun_dev_post_create);
> diff --git a/security/security.c b/security/security.c
> index fe2da98..a8aa414 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1143,6 +1143,24 @@ void security_inet_conn_established(struct sock *sk,
>  	security_ops->inet_conn_established(sk, skb);
>  }
>  
> +int security_secmark_relabel_packet(u32 secid)
> +{
> +	return security_ops->secmark_relabel_packet(secid);
> +}
> +EXPORT_SYMBOL(security_secmark_relabel_packet);
> +
> +void security_secmark_refcount_inc(void)
> +{
> +	security_ops->secmark_refcount_inc();
> +}
> +EXPORT_SYMBOL(security_secmark_refcount_inc);
> +
> +void security_secmark_refcount_dec(void)
> +{
> +	security_ops->secmark_refcount_dec();
> +}
> +EXPORT_SYMBOL(security_secmark_refcount_dec);
> +
>  int security_tun_dev_create(void)
>  {
>  	return security_ops->tun_dev_create();
> diff --git a/security/selinux/exports.c b/security/selinux/exports.c
> index c0a454a..9066438 100644
> --- a/security/selinux/exports.c
> +++ b/security/selinux/exports.c
> @@ -11,58 +11,9 @@
>   * it under the terms of the GNU General Public License version 2,
>   * as published by the Free Software Foundation.
>   */
> -#include <linux/types.h>
> -#include <linux/kernel.h>
>  #include <linux/module.h>
> -#include <linux/selinux.h>
> -#include <linux/fs.h>
> -#include <linux/ipc.h>
> -#include <asm/atomic.h>
>  
>  #include "security.h"
> -#include "objsec.h"
> -
> -/* SECMARK reference count */
> -extern atomic_t selinux_secmark_refcount;
> -
> -int selinux_string_to_sid(char *str, u32 *sid)
> -{
> -	if (selinux_enabled)
> -		return security_context_to_sid(str, strlen(str), sid);
> -	else {
> -		*sid = 0;
> -		return 0;
> -	}
> -}
> -EXPORT_SYMBOL_GPL(selinux_string_to_sid);
> -
> -int selinux_secmark_relabel_packet_permission(u32 sid)
> -{
> -	if (selinux_enabled) {
> -		const struct task_security_struct *__tsec;
> -		u32 tsid;
> -
> -		__tsec = current_security();
> -		tsid = __tsec->sid;
> -
> -		return avc_has_perm(tsid, sid, SECCLASS_PACKET,
> -				    PACKET__RELABELTO, NULL);
> -	}
> -	return 0;
> -}
> -EXPORT_SYMBOL_GPL(selinux_secmark_relabel_packet_permission);
> -
> -void selinux_secmark_refcount_inc(void)
> -{
> -	atomic_inc(&selinux_secmark_refcount);
> -}
> -EXPORT_SYMBOL_GPL(selinux_secmark_refcount_inc);
> -
> -void selinux_secmark_refcount_dec(void)
> -{
> -	atomic_dec(&selinux_secmark_refcount);
> -}
> -EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec);
>  
>  bool selinux_is_enabled(void)
>  {
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f31b0a3..a6c063b 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4290,6 +4290,27 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
>  	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
>  }
>  
> +static int selinux_secmark_relabel_packet(u32 sid)
> +{
> +	const struct task_security_struct *__tsec;
> +	u32 tsid;
> +
> +	__tsec = current_security();
> +	tsid = __tsec->sid;
> +
> +	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
> +}
> +
> +static void selinux_secmark_refcount_inc(void)
> +{
> +	atomic_inc(&selinux_secmark_refcount);
> +}
> +
> +static void selinux_secmark_refcount_dec(void)
> +{
> +	atomic_dec(&selinux_secmark_refcount);
> +}
> +
>  static void selinux_req_classify_flow(const struct request_sock *req,
>  				      struct flowi *fl)
>  {
> @@ -5545,6 +5566,9 @@ static struct security_operations selinux_ops = {
>  	.inet_conn_request =		selinux_inet_conn_request,
>  	.inet_csk_clone =		selinux_inet_csk_clone,
>  	.inet_conn_established =	selinux_inet_conn_established,
> +	.secmark_relabel_packet =	selinux_secmark_relabel_packet,
> +	.secmark_refcount_inc =		selinux_secmark_refcount_inc,
> +	.secmark_refcount_dec =		selinux_secmark_refcount_dec,
>  	.req_classify_flow =		selinux_req_classify_flow,
>  	.tun_dev_create =		selinux_tun_dev_create,
>  	.tun_dev_post_create = 		selinux_tun_dev_post_create,
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 79df4a2..671273e 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -9,6 +9,7 @@
>  #define _SELINUX_SECURITY_H_
>  
>  #include <linux/magic.h>
> +#include <linux/types.h>
>  #include "flask.h"
>  
>  #define SECSID_NULL			0x00000000 /* unspecified SID */
> 

-- 
paul moore
linux @ hp


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ