This patch implements two new access controls for SELinux: SEND_MSG and
RECV_MSG, providing mediation of network packets based on destination
port (IPv4 only at this stage).
Please apply.
security/selinux/hooks.c | 47 +++++++++++++++++++++++++++++++++++++++++++----
1 files changed, 43 insertions(+), 4 deletions(-)
diff -urN -X dontdiff linux-2.6.1-rc3.pending/security/selinux/hooks.c linux-2.6.1-rc3.w1/security/selinux/hooks.c
--- linux-2.6.1-rc3.pending/security/selinux/hooks.c 2004-01-08 13:56:32.000000000 -0500
+++ linux-2.6.1-rc3.w1/security/selinux/hooks.c 2004-01-08 14:37:03.251274816 -0500
@@ -2694,7 +2694,7 @@
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
int err = 0;
- u32 netif_perm, node_perm, node_sid;
+ u32 netif_perm, node_perm, node_sid, recv_perm = 0;
struct socket *sock;
struct inode *inode;
struct net_device *dev;
@@ -2735,11 +2735,13 @@
case SECCLASS_UDP_SOCKET:
netif_perm = NETIF__UDP_RECV;
node_perm = NODE__UDP_RECV;
+ recv_perm = UDP_SOCKET__RECV_MSG;
break;
case SECCLASS_TCP_SOCKET:
netif_perm = NETIF__TCP_RECV;
node_perm = NODE__TCP_RECV;
+ recv_perm = TCP_SOCKET__RECV_MSG;
break;
default:
@@ -2766,6 +2768,20 @@
err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);
+ if (recv_perm) {
+ u32 port_sid;
+
+ /* Fixme: make this more efficient */
+ err = security_port_sid(sk->sk_family, sk->sk_type,
+ sk->sk_protocol, ntohs(ad.u.net.dport),
+ &port_sid);
+ if (err)
+ goto out;
+
+ err = avc_has_perm(isec->sid, port_sid, isec->sclass,
+ recv_perm, NULL, &ad);
+ }
+
out:
return err;
}
@@ -2826,7 +2842,8 @@
int (*okfn)(struct sk_buff *))
{
int err = NF_ACCEPT;
- u32 netif_perm, node_perm, node_sid;
+ u32 netif_perm, node_perm, node_sid, send_perm = 0;
+ struct sock *sk;
struct socket *sock;
struct inode *inode;
struct iphdr *iph;
@@ -2837,10 +2854,11 @@
struct avc_audit_data ad;
struct net_device *dev = (struct net_device *)out;
- if (!skb->sk)
+ sk = skb->sk;
+ if (!sk)
goto out;
- sock = skb->sk->sk_socket;
+ sock = sk->sk_socket;
if (!sock)
goto out;
@@ -2861,11 +2879,13 @@
case SECCLASS_UDP_SOCKET:
netif_perm = NETIF__UDP_SEND;
node_perm = NODE__UDP_SEND;
+ send_perm = UDP_SOCKET__SEND_MSG;
break;
case SECCLASS_TCP_SOCKET:
netif_perm = NETIF__TCP_SEND;
node_perm = NODE__TCP_SEND;
+ send_perm = TCP_SOCKET__SEND_MSG;
break;
default:
@@ -2892,6 +2912,25 @@
err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
node_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
+ if (err != NF_ACCEPT)
+ goto out;
+
+ if (send_perm) {
+ u32 port_sid;
+
+ /* Fixme: make this more efficient */
+ err = security_port_sid(sk->sk_family,
+ sk->sk_type,
+ sk->sk_protocol,
+ ntohs(ad.u.net.dport),
+ &port_sid) ? NF_DROP : NF_ACCEPT;
+ if (err != NF_ACCEPT)
+ goto out;
+
+ err = avc_has_perm(isec->sid, port_sid, isec->sclass,
+ send_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
+ }
+
out:
return err;
}
On Tue, 13 Jan 2004, James Morris wrote:
> This patch implements two new access controls for SELinux: SEND_MSG and
> RECV_MSG, providing mediation of network packets based on destination
> port (IPv4 only at this stage).
>
After some further discussion, Stephen and I decided that it would be more
useful for security to invert the sense of the RECV_MSG permission so that
the source port is checked during packet reception.
This patch is relative to the previous patch, please let me know if you
want the entire patch redone.
diff -urN -X dontdiff linux-2.6.1-mm2.p/security/selinux/hooks.c linux-2.6.1-mm2.w/security/selinux/hooks.c
--- linux-2.6.1-mm2.p/security/selinux/hooks.c 2004-01-13 15:59:04.153184216 -0500
+++ linux-2.6.1-mm2.w/security/selinux/hooks.c 2004-01-13 14:32:06.000000000 -0500
@@ -2773,7 +2773,7 @@
/* Fixme: make this more efficient */
err = security_port_sid(sk->sk_family, sk->sk_type,
- sk->sk_protocol, ntohs(ad.u.net.dport),
+ sk->sk_protocol, ntohs(ad.u.net.sport),
&port_sid);
if (err)
goto out;