1. 28 Mar, 2009 1 commit
    • netlabel: Label incoming TCP connections correctly in SELinux · 389fb800
      Paul Moore authored
      
      The current NetLabel/SELinux behavior for incoming TCP connections works but
      only through a series of happy coincidences that rely on the limited nature of
      standard CIPSO (only able to convey MLS attributes) and the write equality
      imposed by the SELinux MLS constraints.  The problem is that network sockets
      created as the result of an incoming TCP connection were not on-the-wire
      labeled based on the security attributes of the parent socket but rather based
      on the wire label of the remote peer.  The issue had to do with how IP options
      were managed as part of the network stack and where the LSM hooks were in
      relation to the code which set the IP options on these newly created child
      sockets.  While NetLabel/SELinux did correctly set the socket's on-the-wire
      label it was promptly cleared by the network stack and reset based on the IP
      options of the remote peer.
      
      This patch, in conjunction with a prior patch that adjusted the LSM hook
      locations, works to set the correct on-the-wire label format for new incoming
      connections through the security_inet_conn_request() hook.  Besides the
      correct behavior there are many advantages to this change, the most significant
      is that all of the NetLabel socket labeling code in SELinux now lives in hooks
      which can return error codes to the core stack which allows us to finally get
      rid of the selinux_netlbl_inode_permission() logic which greatly simplifies
      the NetLabel/SELinux glue code.  In the process of developing this patch I
      also ran into a small handful of AF_INET6 cleanliness issues that have been
      fixed which should make the code safer and easier to extend in the future.
      Signed-off-by: Paul Moore <paul.moore@hp.com>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: James Morris <jmorris@namei.org>
  2. 22 Feb, 2009 1 commit
    • cipso: Fix documentation comment · 586c2500
      Paul Moore authored
      
      The CIPSO protocol engine incorrectly stated that the FIPS-188 specification
      could be found in the kernel's Documentation directory.  This patch corrects
      that by removing the comment and directing users to the FIPS-188 document
      hosted online.  For the sake of completeness I've also included a link to the
      CIPSO draft specification on the NetLabel website.
      
      Thanks to Randy Dunlap for spotting the error and letting me know.
      Signed-off-by: Paul Moore <paul.moore@hp.com>
      Signed-off-by: James Morris <jmorris@namei.org>
  3. 31 Dec, 2008 1 commit
  4. 29 Oct, 2008 1 commit
  5. 28 Oct, 2008 1 commit
  6. 10 Oct, 2008 4 commits
    • cipso: Add support for native local labeling and fixup mapping names · 15c45f7b
      Paul Moore authored
      
      This patch accomplishes three minor tasks: add a new tag type for local
      labeling, rename the CIPSO_V4_MAP_STD define to CIPSO_V4_MAP_TRANS and
      replace some of the CIPSO "magic numbers" with constants from the header
      file.  The first change allows CIPSO to support full LSM labels/contexts,
      not just MLS attributes.  The second change brings the mapping names inline
      with what userspace is using, compatibility is preserved since we don't
      actually change the value.  The last change is to aid readability and help
      prevent mistakes.
      Signed-off-by: Paul Moore <paul.moore@hp.com>
    • selinux: Set socket NetLabel based on connection endpoint · 014ab19a
      Paul Moore authored
      
      Previous work enabled the use of address based NetLabel selectors, which while
      highly useful, brought the potential for additional per-packet overhead when
      used.  This patch attempts to solve that by applying NetLabel socket labels
      when sockets are connect()'d.  This should alleviate the per-packet NetLabel
      labeling for all connected sockets (yes, it even works for connected DGRAM
      sockets).
      Signed-off-by: Paul Moore <paul.moore@hp.com>
      Reviewed-by: James Morris <jmorris@namei.org>
    • netlabel: Add functionality to set the security attributes of a packet · 948bf85c
      Paul Moore authored
      
      This patch builds upon the new NetLabel address selector functionality by
      providing the NetLabel KAPI and CIPSO engine support needed to enable the
      new packet-based labeling.  The only new addition to the NetLabel KAPI at
      this point is shown below:
      
       * int netlbl_skbuff_setattr(skb, family, secattr)
      
      ... and is designed to be called from a Netfilter hook after the packet's
      IP header has been populated such as in the FORWARD or LOCAL_OUT hooks.
      
      This patch also provides the necessary SELinux hooks to support this new
      functionality.  Smack support is not currently included due to uncertainty
      regarding the permissions needed to expand the Smack network access controls.
      Signed-off-by: Paul Moore <paul.moore@hp.com>
      Reviewed-by: James Morris <jmorris@namei.org>
    • netlabel: Replace protocol/NetLabel linking with reference counts · b1edeb10
      Paul Moore authored
      
      NetLabel has always had a list of backpointers in the CIPSO DOI definition
      structure which pointed to the NetLabel LSM domain mapping structures which
      referenced the CIPSO DOI struct.  The rationale for this was that when an
      administrator removed a CIPSO DOI from the system all of the associated
      NetLabel LSM domain mappings should be removed as well; a list of
      backpointers made this a simple operation.
      
      Unfortunately, while the backpointers did make the removal easier they were
      a bit of a mess from an implementation point of view which was making
      further development difficult.  Since the removal of a CIPSO DOI is a
      relatively rare event it seems to make sense to remove this backpointer
      list as the optimization was hurting us more than it was helping.  However,
      we still need to be able to track when a CIPSO DOI definition is being used
      so replace the backpointer list with a reference count.  In order to
      preserve the current functionality of removing the associated LSM domain
      mappings when a CIPSO DOI is removed we walk the LSM domain mapping table,
      removing the relevant entries.
      Signed-off-by: Paul Moore <paul.moore@hp.com>
      Reviewed-by: James Morris <jmorris@namei.org>
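The reference-count scheme described in the commit message above, as an added illustrative model that is not NetLabel's code: a DOI definition carries one reference for being listed in the table, one per LSM domain mapping and one per transient user, and removing the DOI walks the mapping table instead of following backpointers, while any transient holder keeps the definition alive until its own put. The table sizes, the function names (doi_get/doi_put, doi_add, mapping_add, doi_remove) and the freed flag standing in for kfree() are this example's assumptions.

```c
/* doi_refcount.c: model of a CIPSO DOI definition whose lifetime is tracked by a
 * reference count instead of a list of backpointers (example code, not NetLabel's). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_DOIS     8
#define MAX_MAPPINGS 16
/* One reference for being listed in the DOI table, one per LSM domain mapping, and one
 * per transient user (a socket or packet being labeled).  freed stands in for kfree(). */
struct cipso_doi_def { uint32_t doi; int refcount, listed, freed; };
/* An LSM domain -> DOI mapping; holds one reference on its DOI definition. */
struct domain_mapping { char domain[32]; struct cipso_doi_def *doi_def; int in_use; };
static struct cipso_doi_def  doi_table[MAX_DOIS];
static struct domain_mapping map_table[MAX_MAPPINGS];

void tables_reset(void)
{
    memset(doi_table, 0, sizeof doi_table);
    memset(map_table, 0, sizeof map_table);
}

/* Drop one reference; the definition is released when the count reaches zero. */
void doi_put(struct cipso_doi_def *d)
{
    if (d && --d->refcount == 0)
        d->freed = 1;
}

/* Look up a listed DOI and take a reference on it; NULL if it is not listed. */
struct cipso_doi_def *doi_get(uint32_t doi)
{
    for (int i = 0; i < MAX_DOIS; i++)
        if (doi_table[i].listed && doi_table[i].doi == doi) {
            doi_table[i].refcount++;
            return &doi_table[i];
        }
    return NULL;
}

int doi_add(uint32_t doi)
{
    struct cipso_doi_def *d = doi_get(doi);
    if (doi == 0 || d) { doi_put(d); return -1; }      /* reserved DOI 0, or already listed */
    for (int i = 0; i < MAX_DOIS; i++)
        if (doi_table[i].refcount == 0) {              /* slot never used or fully released */
            doi_table[i] = (struct cipso_doi_def){ .doi = doi, .refcount = 1, .listed = 1 };
            return 0;
        }
    return -1;
}

int mapping_add(const char *domain, uint32_t doi)
{
    struct cipso_doi_def *d = doi_get(doi);
    if (!d) return -1;
    for (int i = 0; i < MAX_MAPPINGS; i++)
        if (!map_table[i].in_use) {
            snprintf(map_table[i].domain, sizeof map_table[i].domain, "%s", domain);
            map_table[i].doi_def = d;
            map_table[i].in_use = 1;
            return 0;
        }
    doi_put(d);                                        /* table full: hand the reference back */
    return -1;
}

static void mapping_drop(struct domain_mapping *m)
{
    m->in_use = 0;
    doi_put(m->doi_def);
    m->doi_def = NULL;
}

/* Remove a DOI: unlist it, walk the mapping table dropping every mapping that uses it
 * (the work the backpointer list used to do), then drop the table's own reference.
 * Returns the number of mappings removed, or -1 if the DOI was not listed.  A transient
 * holder keeps the definition alive until its own doi_put(). */
int doi_remove(uint32_t doi)
{
    struct cipso_doi_def *d = doi_get(doi);
    int removed = 0;
    if (!d) return -1;
    d->listed = 0;
    for (int i = 0; i < MAX_MAPPINGS; i++)
        if (map_table[i].in_use && map_table[i].doi_def == d) {
            mapping_drop(&map_table[i]);
            removed++;
        }
    doi_put(d);                                        /* the lookup reference taken above */
    doi_put(d);                                        /* the table's reference */
    return removed;
}

int main(void)
{
    struct cipso_doi_def *held;
    int removed;
    tables_reset();
    doi_add(3); mapping_add("sshd_t", 3); mapping_add("httpd_t", 3);
    held = doi_get(3);                                 /* e.g. a socket still using DOI 3 */
    removed = doi_remove(3);
    printf("removed %d mappings; refs now %d, freed %d\n", removed, held->refcount, held->freed);
    doi_put(held);
    printf("after last put: freed %d\n", held->freed);
    return 0;
}
```

The point of the model is the last two lines of main: after doi_remove() the mappings are gone and the DOI is invisible to doi_get(), but the definition is not released until the socket that still holds it drops its reference, which is what a backpointer list could not express.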
  7. 14 May, 2008 1 commit
  8. 02 May, 2008 1 commit
  9. 22 Mar, 2008 1 commit
  10. 05 Feb, 2008 1 commit
  11. 29 Jan, 2008 1 commit
  12. 28 Jan, 2008 1 commit
  13. 26 Oct, 2007 1 commit
  14. 10 Oct, 2007 1 commit
  15. 08 Jun, 2007 2 commits
  16. 09 May, 2007 1 commit
  17. 26 Apr, 2007 4 commits
  18. 12 Mar, 2007 1 commit
  19. 02 Mar, 2007 1 commit
  20. 03 Dec, 2006 12 commits
  21. 30 Oct, 2006 1 commit
    • [NetLabel]: protect the CIPSOv4 socket option from setsockopt() · f8687afe
      Paul Moore authored
      
      This patch makes two changes to protect applications from either removing or
      tampering with the CIPSOv4 IP option on a socket.  The first is the requirement
      that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
      on a socket; this prevents untrusted applications from setting their own
      CIPSOv4 security attributes on the packets they send.  The second change is to
      SELinux and it prevents applications from setting any IPv4 options when there
      is an IPOPT_CIPSO option already present on the socket; this prevents
      applications from removing CIPSOv4 security attributes from the packets they
      send.
      Signed-off-by: Paul Moore <paul.moore@hp.com>
      Signed-off-by: James Morris <jmorris@namei.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
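The CIPSO IP option that the two commits above deal with (the local labeling tag added in 15c45f7b and the setsockopt() protections in f8687afe), as an added example that is not the kernel's code nor part of either commit: a parser for an IPv4 options block that locates IPOPT_CIPSO and checks its DOI and tag list, followed by a model of the two rules, CAP_NET_RAW required to install the option and no IP options changes at all once the socket carries one. The option and MLS tag codes follow FIPS-188 and the CIPSO draft; the 6-byte layout assumed for the local tag (type 128), the errno values returned, and the sample option bytes are this example's assumptions.

```c
/* cipso_opts.c: scan an IPv4 options block for IPOPT_CIPSO and model the two
 * setsockopt() rules described in the commit above (example code, not the kernel's). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IPOPT_END        0
#define IPOPT_NOOP       1
#define IPOPT_CIPSO      134   /* 0x86: option number 6 with the copied bit set */
#define CIPSO_TAG_BITMAP 1     /* MLS level + restrictive category bitmap (FIPS-188) */
#define CIPSO_TAG_ENUM   2     /* MLS level + enumerated categories */
#define CIPSO_TAG_RANGE  5     /* MLS level + category ranges */
#define CIPSO_TAG_LOCAL  128   /* local LSM label; layout assumed here: 4-byte secid */
struct cipso_info {
    uint32_t doi, secid;           /* DOI (big-endian on the wire); secid of a local tag */
    int ntags, has_mls;
    uint8_t tag_types[8], level;   /* level: sensitivity level of the first MLS tag */
};
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one IPOPT_CIPSO option: type, length, 4-byte DOI, then a list of tags. */
static int cipso_parse(const uint8_t *opt, size_t olen, struct cipso_info *ci)
{
    size_t i = 6;
    if (olen < 6 || (ci->doi = be32(opt + 2)) == 0)
        return -1;                                  /* truncated, or the reserved DOI 0 */
    while (i < olen) {
        uint8_t ttype, tlen;
        if (i + 2 > olen || ci->ntags >= 8) return -1;
        ttype = opt[i]; tlen = opt[i + 1];
        if (tlen < 2 || i + tlen > olen) return -1;
        if (ttype == CIPSO_TAG_LOCAL) {
            if (tlen != 6) return -1;
            ci->secid = be32(opt + i + 2);
        } else if (ttype == CIPSO_TAG_BITMAP || ttype == CIPSO_TAG_ENUM || ttype == CIPSO_TAG_RANGE) {
            if (tlen < 4) return -1;                /* type, len, alignment octet, level, ... */
            if (!ci->has_mls) { ci->has_mls = 1; ci->level = opt[i + 3]; }
        } else {
            return -1;                              /* unknown tag type */
        }
        ci->tag_types[ci->ntags++] = ttype;
        i += tlen;
    }
    return ci->ntags ? 0 : -1;                      /* an option without tags is meaningless */
}

/* Walk an IPv4 options block such as the buffer handed to setsockopt(IP_OPTIONS).
 * Returns 1 if one well-formed CIPSO option is present, 0 if none, -1 if malformed. */
int cipso_scan_options(const uint8_t *opt, size_t len, struct cipso_info *ci)
{
    size_t i = 0;
    int found = 0;
    memset(ci, 0, sizeof *ci);
    while (i < len) {
        uint8_t type = opt[i], olen;
        if (type == IPOPT_END) break;
        if (type == IPOPT_NOOP) { i++; continue; }
        if (i + 2 > len) return -1;
        olen = opt[i + 1];
        if (olen < 2 || i + olen > len) return -1;
        if (type == IPOPT_CIPSO) {
            if (found || cipso_parse(opt + i, olen, ci) < 0) return -1;   /* at most one */
            found = 1;
        }
        i += olen;
    }
    return found;
}

struct sock_model { int has_cipso; };               /* stand-in for a socket's IP options */
/* The two rules: CAP_NET_RAW is needed to install IPOPT_CIPSO, and once the socket
 * carries CIPSO no IP options may be set at all, so the label cannot be stripped.
 * The errno values used here are this example's choice. */
int model_ip_options_setsockopt(struct sock_model *sk, int cap_net_raw, const uint8_t *opt, size_t len)
{
    struct cipso_info ci;
    int rc;
    if (sk->has_cipso) return -EACCES;
    rc = cipso_scan_options(opt, len, &ci);
    if (rc < 0) return -EINVAL;
    if (rc == 1 && !cap_net_raw) return -EPERM;
    sk->has_cipso = rc;
    return 0;
}

/* Constructed samples: NOOP + CIPSO (DOI 3, bitmap tag: level 2, categories 0-1) + END pad;
 * CIPSO with only a local tag (DOI 7, secid 0x1001); no CIPSO at all; CIPSO too short for a DOI. */
static const uint8_t SAMPLE_CIPSO[16] = { IPOPT_NOOP, IPOPT_CIPSO, 12, 0, 0, 0, 3,
                                          CIPSO_TAG_BITMAP, 6, 0, 2, 0xC0, 0, IPOPT_END, 0, 0 };
static const uint8_t SAMPLE_LOCAL[12] = { IPOPT_CIPSO, 12, 0, 0, 0, 7, CIPSO_TAG_LOCAL, 6, 0, 0, 0x10, 0x01 };
static const uint8_t SAMPLE_PLAIN[4]  = { IPOPT_NOOP, IPOPT_NOOP, IPOPT_NOOP, IPOPT_END };
static const uint8_t SAMPLE_BAD[4]    = { IPOPT_CIPSO, 4, 0, 0 };

int main(void)
{
    struct cipso_info ci;
    struct sock_model sk = { 0 };
    int rc = cipso_scan_options(SAMPLE_CIPSO, sizeof SAMPLE_CIPSO, &ci);
    printf("scan=%d doi=%u level=%u unprivileged=%d\n", rc, ci.doi, ci.level,
           model_ip_options_setsockopt(&sk, 0, SAMPLE_CIPSO, sizeof SAMPLE_CIPSO));
    return 0;
}
```

Running the model through the three cases is the point: an unprivileged caller installing SAMPLE_CIPSO gets -EPERM and the socket stays unlabeled; with CAP_NET_RAW the same call succeeds; a later attempt to replace the options with SAMPLE_PLAIN is refused, which is the "cannot strip the label" half of the change.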
  22. 16 Oct, 2006 1 commit