Hi,
After discussion with Stephen Smalley and James Morris, we decided to
change the SELinux authorization from relabel to testing for a security
operation (set_ipsec). That is, a process must have the authority to
set IPsec security contexts in order to create or delete IPsec policy
or SA entries with security contexts.
The proposed patch has a couple of minor issues that would need to be
resolved: (1) only pass to LSM when context is set? (2) task_for_security
becomes a non-static?
Patch is made against mm tree. The point of the post is to discuss patch
changes prior to upstream to Andrew Morton.
I will be traveling tomorrow and in less than optimal contact until Sun,
so please bear with that.
Happy holidays to all!
Regards,
Trent.
-----------------------------------------
This patch changes the authorization semantics for adding security
contexts to IPsec policies. Instead of requiring relabeling permissions
to add a security context to an IPsec policy, we require a security
management permission (new: set_ipsec) to either add IPsec policies
with security contexts or remove IPsec policies with security contexts.
Note that if no security context is supplied on add or present on policy
to be deleted, the SELinux module allows the change unconditionally. The
hook is called on deletion when no context is present, which we may want
to change. At present, I left it up to the module.
LSM changes:
The patch adds two new LSM hooks: xfrm_policy_delete and xfrm_state_delete.
The new hooks are necessary to authorize deletion of IPsec policies that
have security contexts. The existing hooks xfrm_policy_free and
xfrm_state_free lack the context to do the authorization, so I decided to split
authorization of deletion and memory management of security data, as is typical
in the LSM interface.
Use:
The new delete hooks are checked when xfrm_policy or xfrm_state are
deleted by either the xfrm_user interface (xfrm_get_policy,
xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).
Note that the line that adds a free to xfrm_add_policy addresses a
memory leak. The security context must be freed when the insertion
fails also.
SELinux changes:
The sec_ctx_alloc function is changed to authorize the task for set_ipsec.
The new policy_delete and state_delete functions are added.
The function task_has_security is copied from selinuxfs.c. Do we have
a problem making this non-static? If so, I will do that.
Signed-off-by: Trent Jaeger <[EMAIL PROTECTED]>
---
include/linux/security.h | 40 +++++++++++++--
net/key/af_key.c | 5 +
net/xfrm/xfrm_user.c | 7 ++
security/dummy.c | 12 ++++
security/selinux/hooks.c | 2
security/selinux/include/av_perm_to_string.h | 3 -
security/selinux/include/av_permissions.h | 3 -
security/selinux/include/xfrm.h | 2
security/selinux/xfrm.c | 68 +++++++++++++++++++--------
9 files changed, 114 insertions(+), 28 deletions(-)
diff -puN include/linux/security.h~lsm-labels-nethooks include/linux/security.h
--- linux-2.6.15-rc5/include/linux/security.h~lsm-labels-nethooks
2005-12-26 11:27:00.000000000 -0500
+++ linux-2.6.15-rc5-root/include/linux/security.h 2005-12-26
11:29:43.000000000 -0500
@@ -805,31 +805,37 @@ struct swap_info_struct;
* used by the XFRM system.
* @sec_ctx contains the security context information being provided by
* the user-level policy update program (e.g., setkey).
- * Allocate a security structure to the xp->selector.security field.
+ * Allocate a security structure to the xp->security field.
* The security field is initialized to NULL when the xfrm_policy is
* allocated.
* Return 0 if operation was successful (memory to allocate, legal context)
* @xfrm_policy_clone_security:
* @old contains an existing xfrm_policy in the SPD.
* @new contains a new xfrm_policy being cloned from old.
- * Allocate a security structure to the new->selector.security field
- * that contains the information from the old->selector.security field.
+ * Allocate a security structure to the new->security field
+ * that contains the information from the old->security field.
* Return 0 if operation was successful (memory to allocate).
* @xfrm_policy_free_security:
* @xp contains the xfrm_policy
- * Deallocate xp->selector.security.
+ * Deallocate xp->security.
+ * @xfrm_policy_delete_security:
+ * @xp contains the xfrm_policy
+ * Authorize deletion of xp->security.
* @xfrm_state_alloc_security:
* @x contains the xfrm_state being added to the Security Association
* Database by the XFRM system.
* @sec_ctx contains the security context information being provided by
* the user-level SA generation program (e.g., setkey or racoon).
- * Allocate a security structure to the x->sel.security field. The
+ * Allocate a security structure to the x->security field. The
* security field is initialized to NULL when the xfrm_state is
* allocated.
* Return 0 if operation was successful (memory to allocate, legal
context).
* @xfrm_state_free_security:
* @x contains the xfrm_state.
- * Deallocate x>sel.security.
+ * Deallocate x->security.
+ * @xfrm_state_delete_security:
+ * @x contains the xfrm_state
+ * Authorize deletion of x->security.
* @xfrm_policy_lookup:
* @xp contains the xfrm_policy for which the access control is being
* checked.
@@ -1303,8 +1309,10 @@ struct security_operations {
int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, struct
xfrm_user_sec_ctx *sec_ctx);
int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct
xfrm_policy *new);
void (*xfrm_policy_free_security) (struct xfrm_policy *xp);
+ int (*xfrm_policy_delete_security) (struct xfrm_policy *xp);
int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct
xfrm_user_sec_ctx *sec_ctx);
void (*xfrm_state_free_security) (struct xfrm_state *x);
+ int (*xfrm_state_delete_security) (struct xfrm_state *x);
int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
@@ -2912,6 +2920,11 @@ static inline void security_xfrm_policy_
security_ops->xfrm_policy_free_security(xp);
}
+static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
+{
+ return security_ops->xfrm_policy_delete_security(xp);
+}
+
static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct
xfrm_user_sec_ctx *sec_ctx)
{
return security_ops->xfrm_state_alloc_security(x, sec_ctx);
@@ -2922,6 +2935,11 @@ static inline void security_xfrm_state_f
security_ops->xfrm_state_free_security(x);
}
+static inline int security_xfrm_state_delete(struct xfrm_state *x)
+{
+ return security_ops->xfrm_state_delete_security(x);
+}
+
static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32
sk_sid, u8 dir)
{
return security_ops->xfrm_policy_lookup(xp, sk_sid, dir);
@@ -2941,6 +2959,11 @@ static inline void security_xfrm_policy_
{
}
+static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
+{
+ return 0;
+}
+
static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct
xfrm_user_sec_ctx *sec_ctx)
{
return 0;
@@ -2950,6 +2973,11 @@ static inline void security_xfrm_state_f
{
}
+static inline int security_xfrm_state_delete(struct xfrm_state *xp)
+{
+ return 0;
+}
+
static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32
sk_sid, u8 dir)
{
return 0;
diff -puN net/key/af_key.c~lsm-labels-nethooks net/key/af_key.c
--- linux-2.6.15-rc5/net/key/af_key.c~lsm-labels-nethooks 2005-12-26
11:27:00.000000000 -0500
+++ linux-2.6.15-rc5-root/net/key/af_key.c 2005-12-26 11:27:00.000000000
-0500
@@ -1454,6 +1454,9 @@ static int pfkey_delete(struct sock *sk,
if (x == NULL)
return -ESRCH;
+ if ((err = security_xfrm_state_delete(x)))
+ return err;
+
if (xfrm_state_kern(x)) {
xfrm_state_put(x);
return -EPERM;
@@ -2273,6 +2276,8 @@ static int pfkey_spddelete(struct sock *
err = 0;
+ if ((err = security_xfrm_policy_delete(xp)))
+ return err;
c.seq = hdr->sadb_msg_seq;
c.pid = hdr->sadb_msg_pid;
c.event = XFRM_MSG_DELPOLICY;
diff -puN net/xfrm/xfrm_user.c~lsm-labels-nethooks net/xfrm/xfrm_user.c
--- linux-2.6.15-rc5/net/xfrm/xfrm_user.c~lsm-labels-nethooks 2005-12-26
11:27:00.000000000 -0500
+++ linux-2.6.15-rc5-root/net/xfrm/xfrm_user.c 2005-12-26 11:27:00.000000000
-0500
@@ -370,6 +370,9 @@ static int xfrm_del_sa(struct sk_buff *s
if (x == NULL)
return -ESRCH;
+ if (err = security_xfrm_state_delete(x))
+ return err;
+
if (xfrm_state_kern(x)) {
xfrm_state_put(x);
return -EPERM;
@@ -802,6 +805,7 @@ static int xfrm_add_policy(struct sk_buf
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
if (err) {
+ security_xfrm_policy_free(xp);
kfree(xp);
return err;
}
@@ -997,6 +1001,8 @@ static int xfrm_get_policy(struct sk_buf
MSG_DONTWAIT);
}
} else {
+ if (err = security_xfrm_policy_delete(xp))
+ goto out;
c.data.byid = p->index;
c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
@@ -1006,6 +1012,7 @@ static int xfrm_get_policy(struct sk_buf
xfrm_pol_put(xp);
+out:
return err;
}
diff -puN security/dummy.c~lsm-labels-nethooks security/dummy.c
--- linux-2.6.15-rc5/security/dummy.c~lsm-labels-nethooks 2005-12-26
11:27:00.000000000 -0500
+++ linux-2.6.15-rc5-root/security/dummy.c 2005-12-26 11:27:00.000000000
-0500
@@ -808,6 +808,11 @@ static void dummy_xfrm_policy_free_secur
{
}
+static int dummy_xfrm_policy_delete_security(struct xfrm_policy *xp)
+{
+ return 0;
+}
+
static int dummy_xfrm_state_alloc_security(struct xfrm_state *x, struct
xfrm_user_sec_ctx *sec_ctx)
{
return 0;
@@ -817,6 +822,11 @@ static void dummy_xfrm_state_free_securi
{
}
+static int dummy_xfrm_state_delete_security(struct xfrm_state *x)
+{
+ return 0;
+}
+
static int dummy_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
{
return 0;
@@ -1022,8 +1032,10 @@ void security_fixup_ops (struct security
set_to_dummy_if_null(ops, xfrm_policy_alloc_security);
set_to_dummy_if_null(ops, xfrm_policy_clone_security);
set_to_dummy_if_null(ops, xfrm_policy_free_security);
+ set_to_dummy_if_null(ops, xfrm_policy_delete_security);
set_to_dummy_if_null(ops, xfrm_state_alloc_security);
set_to_dummy_if_null(ops, xfrm_state_free_security);
+ set_to_dummy_if_null(ops, xfrm_state_delete_security);
set_to_dummy_if_null(ops, xfrm_policy_lookup);
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
#ifdef CONFIG_KEYS
diff -puN security/selinux/hooks.c~lsm-labels-nethooks security/selinux/hooks.c
--- linux-2.6.15-rc5/security/selinux/hooks.c~lsm-labels-nethooks
2005-12-26 11:27:00.000000000 -0500
+++ linux-2.6.15-rc5-root/security/selinux/hooks.c 2005-12-26
11:27:00.000000000 -0500
@@ -4409,8 +4409,10 @@ static struct security_operations selinu
.xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
.xfrm_policy_clone_security = selinux_xfrm_policy_clone,
.xfrm_policy_free_security = selinux_xfrm_policy_free,
+ .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
.xfrm_state_alloc_security = selinux_xfrm_state_alloc,
.xfrm_state_free_security = selinux_xfrm_state_free,
+ .xfrm_state_delete_security = selinux_xfrm_state_delete,
.xfrm_policy_lookup = selinux_xfrm_policy_lookup,
#endif
};
diff -puN security/selinux/include/av_perm_to_string.h~lsm-labels-nethooks
security/selinux/include/av_perm_to_string.h
---
linux-2.6.15-rc5/security/selinux/include/av_perm_to_string.h~lsm-labels-nethooks
2005-12-26 11:27:00.000000000 -0500
+++ linux-2.6.15-rc5-root/security/selinux/include/av_perm_to_string.h
2005-12-26 11:27:00.000000000 -0500
@@ -87,6 +87,7 @@
S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
+ S_(SECCLASS_SECURITY, SECURITY__SETIPSEC, "setipsec")
S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
@@ -238,5 +239,3 @@
S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELFROM, "relabelfrom")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELTO, "relabelto")
diff -puN security/selinux/include/av_permissions.h~lsm-labels-nethooks
security/selinux/include/av_permissions.h
---
linux-2.6.15-rc5/security/selinux/include/av_permissions.h~lsm-labels-nethooks
2005-12-26 11:27:00.000000000 -0500
+++ linux-2.6.15-rc5-root/security/selinux/include/av_permissions.h
2005-12-26 11:27:00.000000000 -0500
@@ -526,6 +526,7 @@
#define SECURITY__SETBOOL 0x00000100UL
#define SECURITY__SETSECPARAM 0x00000200UL
#define SECURITY__SETCHECKREQPROT 0x00000400UL
+#define SECURITY__SETIPSEC 0x00000800UL
#define SYSTEM__IPC_INFO 0x00000001UL
#define SYSTEM__SYSLOG_READ 0x00000002UL
@@ -908,8 +909,6 @@
#define ASSOCIATION__SENDTO 0x00000001UL
#define ASSOCIATION__RECVFROM 0x00000002UL
-#define ASSOCIATION__RELABELFROM 0x00000004UL
-#define ASSOCIATION__RELABELTO 0x00000008UL
#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
diff -puN security/selinux/include/av_inherit.h~lsm-labels-nethooks
security/selinux/include/av_inherit.h
diff -puN security/selinux/include/class_to_string.h~lsm-labels-nethooks
security/selinux/include/class_to_string.h
diff -puN security/selinux/include/common_perm_to_string.h~lsm-labels-nethooks
security/selinux/include/common_perm_to_string.h
diff -puN security/selinux/include/flask.h~lsm-labels-nethooks
security/selinux/include/flask.h
diff -puN security/selinux/include/initial_sid_to_string.h~lsm-labels-nethooks
security/selinux/include/initial_sid_to_string.h
diff -puN security/selinux/include/xfrm.h~lsm-labels-nethooks
security/selinux/include/xfrm.h
--- linux-2.6.15-rc5/security/selinux/include/xfrm.h~lsm-labels-nethooks
2005-12-26 11:27:00.000000000 -0500
+++ linux-2.6.15-rc5-root/security/selinux/include/xfrm.h 2005-12-26
11:27:00.000000000 -0500
@@ -9,8 +9,10 @@
int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx
*sec_ctx);
int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy
*new);
void selinux_xfrm_policy_free(struct xfrm_policy *xp);
+int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx
*sec_ctx);
void selinux_xfrm_state_free(struct xfrm_state *x);
+int selinux_xfrm_state_delete(struct xfrm_state *x);
int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
/*
diff -puN security/selinux/xfrm.c~lsm-labels-nethooks security/selinux/xfrm.c
--- linux-2.6.15-rc5/security/selinux/xfrm.c~lsm-labels-nethooks
2005-12-26 11:27:00.000000000 -0500
+++ linux-2.6.15-rc5-root/security/selinux/xfrm.c 2005-12-26
11:31:44.000000000 -0500
@@ -67,6 +67,21 @@ static inline int selinux_authorizable_x
return selinux_authorizable_ctx(x->security);
}
+/* Check whether a task is allowed to use a security operation. */
+/* NOTE: In selinuxfs.c as static */
+static inline int task_has_security(struct task_struct *tsk,
+ u32 perms)
+{
+ struct task_security_struct *tsec;
+
+ tsec = tsk->security;
+ if (!tsec)
+ return -EACCES;
+
+ return avc_has_perm(tsec->sid, SECINITSID_SECURITY,
+ SECCLASS_SECURITY, perms, NULL);
+}
+
/*
* LSM hook implementation that authorizes that a socket can be used
* with the corresponding xfrm_sec_ctx and direction.
@@ -107,6 +122,13 @@ static int selinux_xfrm_sec_ctx_alloc(st
BUG_ON(!uctx);
BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX);
+ /*
+ * Subjects need permission to set ipsec labels
+ */
+ rc = task_has_security(current, SECURITY__SETIPSEC);
+ if (rc)
+ return rc;
+
if (uctx->ctx_len >= PAGE_SIZE)
return -ENOMEM;
@@ -131,24 +153,6 @@ static int selinux_xfrm_sec_ctx_alloc(st
if (rc)
goto out;
- /*
- * Does the subject have permission to set security or permission to
- * do the relabel?
- * Must be permitted to relabel from default socket type (process type)
- * to specified context
- */
- rc = avc_has_perm(tsec->sid, tsec->sid,
- SECCLASS_ASSOCIATION,
- ASSOCIATION__RELABELFROM, NULL);
- if (rc)
- goto out;
-
- rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
- SECCLASS_ASSOCIATION,
- ASSOCIATION__RELABELTO, NULL);
- if (rc)
- goto out;
-
return rc;
out:
@@ -207,6 +211,20 @@ void selinux_xfrm_policy_free(struct xfr
}
/*
+ * LSM hook implementation that authorizes deletion of labeled policies.
+ */
+int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
+{
+ int rc = 0;
+
+ if (xp->security) {
+ rc = task_has_security(current, SECURITY__SETIPSEC);
+ }
+
+ return rc;
+}
+
+/*
* LSM hook implementation that allocs and transfers sec_ctx spec to
* xfrm_state.
*/
@@ -231,6 +249,20 @@ void selinux_xfrm_state_free(struct xfrm
}
/*
+ * LSM hook implementation that authorizes deletion of labeled SAs.
+ */
+int selinux_xfrm_state_delete(struct xfrm_state *x)
+{
+ int rc = 0;
+
+ if (x->security) {
+ rc = task_has_security(current, SECURITY__SETIPSEC);
+ }
+
+ return rc;
+}
+
+/*
* LSM hook that controls access to unlabelled packets. If
* a xfrm_state is authorizable (defined by macro) then it was
* already authorized by the IPSec process. If not, then
_
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
