Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753196AbYJVDhP (ORCPT ); Tue, 21 Oct 2008 23:37:15 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751174AbYJVDg7 (ORCPT ); Tue, 21 Oct 2008 23:36:59 -0400 Received: from smtp104.prem.mail.sp1.yahoo.com ([98.136.44.59]:24401 "HELO smtp104.prem.mail.sp1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1751126AbYJVDg4 (ORCPT ); Tue, 21 Oct 2008 23:36:56 -0400 X-YMail-OSG: 77BTkv4VM1l8rETrrAAmSXJNN3RQX0Nv693jijn8.FVlIHhJnxQv5aemWlR6aEEMbqZV44ZC9LN077rww1BYnGRdHeR7jlnWBEm0Gt.IrG0zjecXdRkNdUBvgZ8_t1Ir9pv7dnpszh6Fvh_oi0tIqaIbCHr2jPokjCZGBrotbrXgJO1bfC8w0JPPFsWrx8I1gUbzTLo5knb9Sko0tOdPnxCtvCP5WAtKQQ-- X-Yahoo-Newman-Property: ymail-3 Message-ID: <48FE9FCB.6070202@schaufler-ca.com> Date: Tue, 21 Oct 2008 20:36:43 -0700 From: Casey Schaufler User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: Tilman Baumann CC: Linux-Kernel , linux-security-module@vger.kernel.org Subject: Re: SMACK netfilter smacklabel socket match References: <48DBC9A1.20900@collax.com> <48DC5A45.8020801@schaufler-ca.com> <48DDBE2E.3010006@schaufler-ca.com> <48E1007F.4000400@collax.com> <48E19D01.9050809@schaufler-ca.com> <48E35F36.4030203@collax.com> <48E3957A.7040201@schaufler-ca.com> <48E3AB97.8020305@collax.com> <48E3BFDE.7010300@schaufler-ca.com> <48EA0B30.6080907@collax.com> <48EACC91.8040008@schaufler-ca.com> <48F8C3EC.1030607@collax.com> <48F8D122.3010105@schaufler-ca.com> <48FC744F.6030507@collax.com> In-Reply-To: <48FC744F.6030507@collax.com> Content-Type: multipart/mixed; boundary="------------060101040008020100080707" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 32297 Lines: 1095 This is a multi-part message in MIME format. --------------060101040008020100080707 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Tilman Baumann wrote: >> If you're up to trying out something that you know is going to get >> rewhacked before it goes in anywhere let me know. > > Sure. I will be happy to use that. > Just tell me where to find it and how to use it and what I should look > out for. > You'll need to start out with Paul Moore's testing tree: % git clone git://git.infradead.org/users/pcmoore/lblnet-2.6_testing Apply the attached patch (attachments are discouraged for review purposes, but this is handier for this purpose) and compile. This is NOT production code. Again, we're hashing out the netlabel api and we know that they are going to change. This is demo only. The amount of testing it's gotten is really small. I have created a new system label "@", pronounced "at" and referred to as the internet label. Processes cannot be assigned the internet label. A subject with the internet label (as identified by a packet thus labeled) can write to any object and any subject can write to an object thus labeled, thereby explicitly blowing a hole in the Access Control Policy. Have fun, let me know what you hit next. Thank you. --------------060101040008020100080707 Content-Type: text/plain; name="lblnet081021.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="lblnet081021.patch" diff -uprN -X lblnet-2.6_testing/Documentation/dontdiff lblnet-2.6_testing/include/net/netlabel.h lblnet-2.6-1011/include/net/netlabel.h --- lblnet-2.6_testing/include/net/netlabel.h 2008-10-07 10:56:35.000000000 -0700 +++ lblnet-2.6-1011/include/net/netlabel.h 2008-10-11 06:31:40.000000000 -0700 @@ -356,6 +356,19 @@ static inline void netlbl_secattr_free(s int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info); int netlbl_cfg_unlbl_add_map(const char *domain, struct netlbl_audit *audit_info); +int netlbl_cfg_unlbl_add_fallback(struct net *net, + const char *dev_name, + const void *addr, + const void *mask, + u16 family, + u32 secid, + struct netlbl_audit *audit_info); +int netlbl_cfg_unlbl_del_fallback(struct net *net, + const char *dev_name, + const void *addr, + const void *mask, + u16 family, + struct netlbl_audit *audit_info); int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, const char *domain, struct netlbl_audit *audit_info); @@ -412,6 +425,25 @@ static inline int netlbl_cfg_unlbl_add_m { return -ENOSYS; } +static inline int netlbl_cfg_unlbl_add_fallback(struct net *net, + const char *dev_name, + const void *addr, + const void *mask, + u16 family, + u32 secid, + struct netlbl_audit *audit_info) +{ + return -ENOSYS; +} +static inline int netlbl_cfg_unlbl_del_fallback(struct net *net, + const char *dev_name, + const void *addr, + const void *mask, + u16 family, + struct netlbl_audit *audit_info) +{ + return -ENOSYS; +} static inline int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, const char *domain, struct netlbl_audit *audit_info) diff -uprN -X lblnet-2.6_testing/Documentation/dontdiff lblnet-2.6_testing/net/netlabel/netlabel_kapi.c lblnet-2.6-1011/net/netlabel/netlabel_kapi.c --- lblnet-2.6_testing/net/netlabel/netlabel_kapi.c 2008-10-07 10:56:46.000000000 -0700 +++ lblnet-2.6-1011/net/netlabel/netlabel_kapi.c 2008-10-11 06:31:40.000000000 -0700 @@ -103,6 +103,92 @@ cfg_unlbl_add_map_failure: return ret_val; } + +/** + * netlbl_cfg_unlbl_add_fallback - Adds a new fallback label + * @net: network namespace + * @dev_name: interface name + * @addr: IP address in network byte order (struct in[6]_addr) + * @mask: address mask in network byte order (struct in[6]_addr) + * @family: address family + * @secid: LSM secid value for the entry + * @audit_info: NetLabel audit information + * + * Description: + * Adds a new NetLabel static/fallback label to be used when protocol provided + * labels are not present on incoming traffic. If @dev_name is NULL then the + * default interface will be used. Returns zero on success, negative values on + * failure. + * + */ +int netlbl_cfg_unlbl_add_fallback(struct net *net, + const char *dev_name, + const void *addr, + const void *mask, + u16 family, + u32 secid, + struct netlbl_audit *audit_info) +{ + u32 addr_len; + + switch (family) { + case AF_INET: + addr_len = 4; + break; + case AF_INET6: + addr_len = 16; + break; + default: + return -EPFNOSUPPORT; + } + + return netlbl_unlhsh_add(net, + dev_name, addr, mask, addr_len, + secid, audit_info); +} + +/** + * netlbl_cfg_unlbl_del_fallback - Removes an existing fallback label + * @net: network namespace + * @dev_name: interface name + * @addr: IP address in network byte order (struct in[6]_addr) + * @mask: address mask in network byte order (struct in[6]_addr) + * @family: address family + * @secid: LSM secid value for the entry + * @audit_info: NetLabel audit information + * + * Description: + * Removes an existing NetLabel static/fallback label used when protocol + * provided labels are not present on incoming traffic. If @dev_name is NULL + * then the default interface will be used. Returns zero on success, negative + * values on failure. + * + */ +int netlbl_cfg_unlbl_del_fallback(struct net *net, + const char *dev_name, + const void *addr, + const void *mask, + u16 family, + struct netlbl_audit *audit_info) +{ + u32 addr_len; + + switch (family) { + case AF_INET: + addr_len = 4; + break; + case AF_INET6: + addr_len = 16; + break; + default: + return -EPFNOSUPPORT; + } + + return netlbl_unlhsh_remove(net, + dev_name, addr, mask, addr_len, + audit_info); +} + /** * netlbl_cfg_cipsov4_add_map - Add a new CIPSOv4 DOI definition and mapping * @doi_def: the DOI definition diff -uprN -X lblnet-2.6_testing/Documentation/dontdiff lblnet-2.6_testing/net/netlabel/netlabel_unlabeled.c lblnet-2.6-1011/net/netlabel/netlabel_unlabeled.c --- lblnet-2.6_testing/net/netlabel/netlabel_unlabeled.c 2008-10-07 10:56:46.000000000 -0700 +++ lblnet-2.6-1011/net/netlabel/netlabel_unlabeled.c 2008-10-11 06:31:40.000000000 -0700 @@ -450,13 +450,13 @@ add_iface_failure: * success, negative values on failure. * */ -static int netlbl_unlhsh_add(struct net *net, - const char *dev_name, - const void *addr, - const void *mask, - u32 addr_len, - u32 secid, - struct netlbl_audit *audit_info) +int netlbl_unlhsh_add(struct net *net, + const char *dev_name, + const void *addr, + const void *mask, + u32 addr_len, + u32 secid, + struct netlbl_audit *audit_info) { int ret_val; int ifindex; @@ -716,12 +716,12 @@ unlhsh_condremove_failure: * Returns zero on success, negative values on failure. * */ -static int netlbl_unlhsh_remove(struct net *net, - const char *dev_name, - const void *addr, - const void *mask, - u32 addr_len, - struct netlbl_audit *audit_info) +int netlbl_unlhsh_remove(struct net *net, + const char *dev_name, + const void *addr, + const void *mask, + u32 addr_len, + struct netlbl_audit *audit_info) { int ret_val; struct net_device *dev; diff -uprN -X lblnet-2.6_testing/Documentation/dontdiff lblnet-2.6_testing/net/netlabel/netlabel_unlabeled.h lblnet-2.6-1011/net/netlabel/netlabel_unlabeled.h --- lblnet-2.6_testing/net/netlabel/netlabel_unlabeled.h 2008-10-07 10:56:46.000000000 -0700 +++ lblnet-2.6-1011/net/netlabel/netlabel_unlabeled.h 2008-10-11 06:31:40.000000000 -0700 @@ -221,6 +221,21 @@ int netlbl_unlabel_genl_init(void); /* General Unlabeled init function */ int netlbl_unlabel_init(u32 size); +/* Static/Fallback label management functions */ +int netlbl_unlhsh_add(struct net *net, + const char *dev_name, + const void *addr, + const void *mask, + u32 addr_len, + u32 secid, + struct netlbl_audit *audit_info); +int netlbl_unlhsh_remove(struct net *net, + const char *dev_name, + const void *addr, + const void *mask, + u32 addr_len, + struct netlbl_audit *audit_info); + /* Process Unlabeled incoming network packets */ int netlbl_unlabel_getattr(const struct sk_buff *skb, u16 family, diff -uprN -X lblnet-2.6_testing/Documentation/dontdiff lblnet-2.6_testing/security/smack/smack_access.c lblnet-2.6-1011/security/smack/smack_access.c --- lblnet-2.6_testing/security/smack/smack_access.c 2008-10-07 10:56:47.000000000 -0700 +++ lblnet-2.6-1011/security/smack/smack_access.c 2008-10-11 06:31:40.000000000 -0700 @@ -57,7 +57,14 @@ struct smack_known smack_known_invalid = .smk_cipso = NULL, }; -struct smack_known *smack_known = &smack_known_invalid; +struct smack_known smack_known_internet = { + .smk_next = &smack_known_invalid, + .smk_known = "@", + .smk_secid = 7, + .smk_cipso = NULL, +}; + +struct smack_known *smack_known = &smack_known_internet; /* * The initial value needs to be bigger than any of the @@ -99,6 +106,16 @@ int smk_access(char *subject_label, char strcmp(subject_label, smack_known_star.smk_known) == 0) return -EACCES; /* + * An internet object can be accessed by any subject. + * Tasks cannot be assigned the internet label. + * An internet subject can access any object. + */ + if (object_label == smack_known_internet.smk_known || + subject_label == smack_known_internet.smk_known || + strcmp(object_label, smack_known_internet.smk_known) == 0 || + strcmp(subject_label, smack_known_internet.smk_known) == 0) + return 0; + /* * A star object can be accessed by any subject. */ if (object_label == smack_known_star.smk_known || diff -uprN -X lblnet-2.6_testing/Documentation/dontdiff lblnet-2.6_testing/security/smack/smackfs.c lblnet-2.6-1011/security/smack/smackfs.c --- lblnet-2.6_testing/security/smack/smackfs.c 2008-10-07 10:56:47.000000000 -0700 +++ lblnet-2.6-1011/security/smack/smackfs.c 2008-10-12 12:59:36.000000000 -0700 @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -39,6 +40,8 @@ enum smk_inos { SMK_DIRECT = 6, /* CIPSO level indicating direct label */ SMK_AMBIENT = 7, /* internet ambient label */ SMK_NLTYPE = 8, /* label scheme to use by default */ + SMK_ONLYCAP = 9, /* the only "capable" label */ + SMK_SLHOST = 10, /* single label hosts */ }; /* @@ -47,6 +50,7 @@ enum smk_inos { static DEFINE_MUTEX(smack_list_lock); static DEFINE_MUTEX(smack_cipso_lock); static DEFINE_MUTEX(smack_ambient_lock); +static DEFINE_MUTEX(smk_slhost_lock); /* * This is the "ambient" label for network traffic. @@ -68,6 +72,23 @@ int smack_net_nltype = NETLBL_NLTYPE_CIP */ int smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT; +/* + * Unless a process is running with this label even + * having CAP_MAC_OVERRIDE isn't enough to grant + * privilege to violate MAC policy. If no label is + * designated (the NULL case) capabilities apply to + * everyone. It is expected that the hat (^) label + * will be used if any label is used. + */ +char *smack_onlycap; + +/* + * Certain IP addresses may be designated as single label hosts. + * Packets are sent there unlabeled, but only from tasks that + * can write to the specified label. + */ +struct smk_slhost *smack_slhosts; + static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT; struct smk_list_entry *smack_list; @@ -93,6 +114,13 @@ struct smk_list_entry *smack_list; #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1) #define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN) +/* + * Values for parsing single label host rules + * "1.2.3.4 X" + * "192.168.138.129 abcdefghijklmnopqrstuvw" + */ +#define SMK_SLHOSTMIN 9 +#define SMK_SLHOSTMAX 39 /* * Seq_file read operations for /smack/load @@ -580,6 +608,196 @@ static const struct file_operations smk_ .release = seq_release, }; +/* + * Seq_file read operations for /smack/slhost + */ + +static void *slhost_seq_start(struct seq_file *s, loff_t *pos) +{ + if (*pos == SEQ_READ_FINISHED) + return NULL; + + return smack_slhosts; +} + +static void *slhost_seq_next(struct seq_file *s, void *v, loff_t *pos) +{ + struct smk_slhost *skp = ((struct smk_slhost *) v)->smk_next; + + if (skp == NULL) + *pos = SEQ_READ_FINISHED; + + return skp; +} + +/* + * Print host/label pairs + */ +static int slhost_seq_show(struct seq_file *s, void *v) +{ + struct smk_slhost *skp = (struct smk_slhost *) v; + unsigned char *hp = (char *) &skp->smk_host.sin_addr.s_addr; + + seq_printf(s, "%u.%u.%u.%u %s\n", hp[0], hp[1], hp[2], hp[3], + skp->smk_label); + + return 0; +} + +static void slhost_seq_stop(struct seq_file *s, void *v) +{ + /* No-op */ +} + +static struct seq_operations slhost_seq_ops = { + .start = slhost_seq_start, + .stop = slhost_seq_stop, + .next = slhost_seq_next, + .show = slhost_seq_show, +}; + +/** + * smk_open_slhost - open() for /smack/slhost + * @inode: inode structure representing file + * @file: "slhost" file pointer + * + * Connect our slhost_seq_* operations with /smack/slhost + * file_operations + */ +static int smk_open_slhost(struct inode *inode, struct file *file) +{ + return seq_open(file, &slhost_seq_ops); +} + +/** + * smk_write_slhost - write() for /smack/slhost + * @filp: file pointer, not actually used + * @buf: where to get the data from + * @count: bytes sent + * @ppos: where to start + * + * Accepts only one slhost per write call. + * Returns number of bytes written or error code, as appropriate + */ +static ssize_t smk_write_slhost(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +{ + struct smk_slhost *skp; + struct sockaddr_in newname; + char smack[SMK_LABELLEN]; + char *sp; + char data[SMK_SLHOSTMAX]; + char *host = (char *)&newname.sin_addr.s_addr; + int rc; + int replace = 1; + struct netlbl_audit audit_info; + struct in_addr mask; + unsigned int m = 32; + __be32 bebits = 0x80000000; + __be32 nsa; + + /* + * Must have privilege. + * No partial writes. + * Enough data must be present. + * "