projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / security / selinux / netlabel.c
1 /*
2 * SELinux NetLabel Support
3 *
4 * This file provides the necessary glue to tie NetLabel into the SELinux
5 * subsystem.
6 *
7 * Author: Paul Moore <paul@paul-moore.com>
8 *
9 */
10
11 /*
12 * (c) Copyright Hewlett-Packard Development Company, L.P., 2007, 2008
13 *
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
18 *
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
22 * the GNU General Public License for more details.
23 *
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27 *
28 */
29
30 #include <linux/spinlock.h>
31 #include <linux/rcupdate.h>
32 #include <linux/gfp.h>
33 #include <linux/ip.h>
34 #include <linux/ipv6.h>
35 #include <net/sock.h>
36 #include <net/netlabel.h>
37 #include <net/ip.h>
38 #include <net/ipv6.h>
39
40 #include "objsec.h"
41 #include "security.h"
42 #include "netlabel.h"
43
44 /**
45 * selinux_netlbl_sidlookup_cached - Cache a SID lookup
46 * @skb: the packet
47 * @secattr: the NetLabel security attributes
48 * @sid: the SID
49 *
50 * Description:
51 * Query the SELinux security server to lookup the correct SID for the given
52 * security attributes. If the query is successful, cache the result to speed
53 * up future lookups. Returns zero on success, negative values on failure.
54 *
55 */
56 static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
57 struct netlbl_lsm_secattr *secattr,
58 u32 *sid)
59 {
60 int rc;
61
62 rc = security_netlbl_secattr_to_sid(secattr, sid);
63 if (rc == 0 &&
64 (secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
65 (secattr->flags & NETLBL_SECATTR_CACHE))
66 netlbl_cache_add(skb, secattr);
67
68 return rc;
69 }
70
71 /**
72 * selinux_netlbl_sock_genattr - Generate the NetLabel socket secattr
73 * @sk: the socket
74 *
75 * Description:
76 * Generate the NetLabel security attributes for a socket, making full use of
77 * the socket's attribute cache. Returns a pointer to the security attributes
78 * on success, NULL on failure.
79 *
80 */
81 static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
82 {
83 int rc;
84 struct sk_security_struct *sksec = sk->sk_security;
85 struct netlbl_lsm_secattr *secattr;
86
87 if (sksec->nlbl_secattr != NULL)
88 return sksec->nlbl_secattr;
89
90 secattr = netlbl_secattr_alloc(GFP_ATOMIC);
91 if (secattr == NULL)
92 return NULL;
93 rc = security_netlbl_sid_to_secattr(sksec->sid, secattr);
94 if (rc != 0) {
95 netlbl_secattr_free(secattr);
96 return NULL;
97 }
98 sksec->nlbl_secattr = secattr;
99
100 return secattr;
101 }
102
103 /**
104 * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
105 *
106 * Description:
107 * Invalidate the NetLabel security attribute mapping cache.
108 *
109 */
110 void selinux_netlbl_cache_invalidate(void)
111 {
112 netlbl_cache_invalidate();
113 }
114
115 /**
116 * selinux_netlbl_err - Handle a NetLabel packet error
117 * @skb: the packet
118 * @error: the error code
119 * @gateway: true if host is acting as a gateway, false otherwise
120 *
121 * Description:
122 * When a packet is dropped due to a call to avc_has_perm() pass the error
123 * code to the NetLabel subsystem so any protocol specific processing can be
124 * done. This is safe to call even if you are unsure if NetLabel labeling is
125 * present on the packet, NetLabel is smart enough to only act when it should.
126 *
127 */
128 void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway)
129 {
130 netlbl_skbuff_err(skb, error, gateway);
131 }
132
133 /**
134 * selinux_netlbl_sk_security_free - Free the NetLabel fields
135 * @sksec: the sk_security_struct
136 *
137 * Description:
138 * Free all of the memory in the NetLabel fields of a sk_security_struct.
139 *
140 */
141 void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec)
142 {
143 if (sksec->nlbl_secattr != NULL)
144 netlbl_secattr_free(sksec->nlbl_secattr);
145 }
146
147 /**
148 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
149 * @sksec: the sk_security_struct
150 * @family: the socket family
151 *
152 * Description:
153 * Called when the NetLabel state of a sk_security_struct needs to be reset.
154 * The caller is responsible for all the NetLabel sk_security_struct locking.
155 *
156 */
157 void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec)
158 {
159 sksec->nlbl_state = NLBL_UNSET;
160 }
161
162 /**
163 * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
164 * @skb: the packet
165 * @family: protocol family
166 * @type: NetLabel labeling protocol type
167 * @sid: the SID
168 *
169 * Description:
170 * Call the NetLabel mechanism to get the security attributes of the given
171 * packet and use those attributes to determine the correct context/SID to
172 * assign to the packet. Returns zero on success, negative values on failure.
173 *
174 */
175 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
176 u16 family,
177 u32 *type,
178 u32 *sid)
179 {
180 int rc;
181 struct netlbl_lsm_secattr secattr;
182
183 if (!netlbl_enabled()) {
184 *sid = SECSID_NULL;
185 return 0;
186 }
187
188 netlbl_secattr_init(&secattr);
189 rc = netlbl_skbuff_getattr(skb, family, &secattr);
190 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
191 rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid);
192 else
193 *sid = SECSID_NULL;
194 *type = secattr.type;
195 netlbl_secattr_destroy(&secattr);
196
197 return rc;
198 }
199
200 /**
201 * selinux_netlbl_skbuff_setsid - Set the NetLabel on a packet given a sid
202 * @skb: the packet
203 * @family: protocol family
204 * @sid: the SID
205 *
206 * Description
207 * Call the NetLabel mechanism to set the label of a packet using @sid.
208 * Returns zero on success, negative values on failure.
209 *
210 */
211 int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
212 u16 family,
213 u32 sid)
214 {
215 int rc;
216 struct netlbl_lsm_secattr secattr_storage;
217 struct netlbl_lsm_secattr *secattr = NULL;
218 struct sock *sk;
219
220 /* if this is a locally generated packet check to see if it is already
221 * being labeled by it's parent socket, if it is just exit */
222 sk = skb->sk;
223 if (sk != NULL) {
224 struct sk_security_struct *sksec = sk->sk_security;
225 if (sksec->nlbl_state != NLBL_REQSKB)
226 return 0;
227 secattr = sksec->nlbl_secattr;
228 }
229 if (secattr == NULL) {
230 secattr = &secattr_storage;
231 netlbl_secattr_init(secattr);
232 rc = security_netlbl_sid_to_secattr(sid, secattr);
233 if (rc != 0)
234 goto skbuff_setsid_return;
235 }
236
237 rc = netlbl_skbuff_setattr(skb, family, secattr);
238
239 skbuff_setsid_return:
240 if (secattr == &secattr_storage)
241 netlbl_secattr_destroy(secattr);
242 return rc;
243 }
244
245 /**
246 * selinux_netlbl_inet_conn_request - Label an incoming stream connection
247 * @req: incoming connection request socket
248 *
249 * Description:
250 * A new incoming connection request is represented by @req, we need to label
251 * the new request_sock here and the stack will ensure the on-the-wire label
252 * will get preserved when a full sock is created once the connection handshake
253 * is complete. Returns zero on success, negative values on failure.
254 *
255 */
256 int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
257 {
258 int rc;
259 struct netlbl_lsm_secattr secattr;
260
261 if (family != PF_INET)
262 return 0;
263
264 netlbl_secattr_init(&secattr);
265 rc = security_netlbl_sid_to_secattr(req->secid, &secattr);
266 if (rc != 0)
267 goto inet_conn_request_return;
268 rc = netlbl_req_setattr(req, &secattr);
269 inet_conn_request_return:
270 netlbl_secattr_destroy(&secattr);
271 return rc;
272 }
273
274 /**
275 * selinux_netlbl_inet_csk_clone - Initialize the newly created sock
276 * @sk: the new sock
277 *
278 * Description:
279 * A new connection has been established using @sk, we've already labeled the
280 * socket via the request_sock struct in selinux_netlbl_inet_conn_request() but
281 * we need to set the NetLabel state here since we now have a sock structure.
282 *
283 */
284 void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
285 {
286 struct sk_security_struct *sksec = sk->sk_security;
287
288 if (family == PF_INET)
289 sksec->nlbl_state = NLBL_LABELED;
290 else
291 sksec->nlbl_state = NLBL_UNSET;
292 }
293
294 /**
295 * selinux_netlbl_socket_post_create - Label a socket using NetLabel
296 * @sock: the socket to label
297 * @family: protocol family
298 *
299 * Description:
300 * Attempt to label a socket using the NetLabel mechanism using the given
301 * SID. Returns zero values on success, negative values on failure.
302 *
303 */
304 int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
305 {
306 int rc;
307 struct sk_security_struct *sksec = sk->sk_security;
308 struct netlbl_lsm_secattr *secattr;
309
310 if (family != PF_INET)
311 return 0;
312
313 secattr = selinux_netlbl_sock_genattr(sk);
314 if (secattr == NULL)
315 return -ENOMEM;
316 rc = netlbl_sock_setattr(sk, family, secattr);
317 switch (rc) {
318 case 0:
319 sksec->nlbl_state = NLBL_LABELED;
320 break;
321 case -EDESTADDRREQ:
322 sksec->nlbl_state = NLBL_REQSKB;
323 rc = 0;
324 break;
325 }
326
327 return rc;
328 }
329
330 /**
331 * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
332 * @sksec: the sock's sk_security_struct
333 * @skb: the packet
334 * @family: protocol family
335 * @ad: the audit data
336 *
337 * Description:
338 * Fetch the NetLabel security attributes from @skb and perform an access check
339 * against the receiving socket. Returns zero on success, negative values on
340 * error.
341 *
342 */
343 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
344 struct sk_buff *skb,
345 u16 family,
346 struct common_audit_data *ad)
347 {
348 int rc;
349 u32 nlbl_sid;
350 u32 perm;
351 struct netlbl_lsm_secattr secattr;
352
353 if (!netlbl_enabled())
354 return 0;
355
356 netlbl_secattr_init(&secattr);
357 rc = netlbl_skbuff_getattr(skb, family, &secattr);
358 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
359 rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid);
360 else
361 nlbl_sid = SECINITSID_UNLABELED;
362 netlbl_secattr_destroy(&secattr);
363 if (rc != 0)
364 return rc;
365
366 switch (sksec->sclass) {
367 case SECCLASS_UDP_SOCKET:
368 perm = UDP_SOCKET__RECVFROM;
369 break;
370 case SECCLASS_TCP_SOCKET:
371 perm = TCP_SOCKET__RECVFROM;
372 break;
373 default:
374 perm = RAWIP_SOCKET__RECVFROM;
375 }
376
377 rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
378 if (rc == 0)
379 return 0;
380
381 if (nlbl_sid != SECINITSID_UNLABELED)
382 netlbl_skbuff_err(skb, rc, 0);
383 return rc;
384 }
385
386 /**
387 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
388 * @sock: the socket
389 * @level: the socket level or protocol
390 * @optname: the socket option name
391 *
392 * Description:
393 * Check the setsockopt() call and if the user is trying to replace the IP
394 * options on a socket and a NetLabel is in place for the socket deny the
395 * access; otherwise allow the access. Returns zero when the access is
396 * allowed, -EACCES when denied, and other negative values on error.
397 *
398 */
399 int selinux_netlbl_socket_setsockopt(struct socket *sock,
400 int level,
401 int optname)
402 {
403 int rc = 0;
404 struct sock *sk = sock->sk;
405 struct sk_security_struct *sksec = sk->sk_security;
406 struct netlbl_lsm_secattr secattr;
407
408 if (level == IPPROTO_IP && optname == IP_OPTIONS &&
409 (sksec->nlbl_state == NLBL_LABELED ||
410 sksec->nlbl_state == NLBL_CONNLABELED)) {
411 netlbl_secattr_init(&secattr);
412 lock_sock(sk);
413 rc = netlbl_sock_getattr(sk, &secattr);
414 release_sock(sk);
415 if (rc == 0)
416 rc = -EACCES;
417 else if (rc == -ENOMSG)
418 rc = 0;
419 netlbl_secattr_destroy(&secattr);
420 }
421
422 return rc;
423 }
424
425 /**
426 * selinux_netlbl_socket_connect - Label a client-side socket on connect
427 * @sk: the socket to label
428 * @addr: the destination address
429 *
430 * Description:
431 * Attempt to label a connected socket with NetLabel using the given address.
432 * Returns zero values on success, negative values on failure.
433 *
434 */
435 int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
436 {
437 int rc;
438 struct sk_security_struct *sksec = sk->sk_security;
439 struct netlbl_lsm_secattr *secattr;
440
441 if (sksec->nlbl_state != NLBL_REQSKB &&
442 sksec->nlbl_state != NLBL_CONNLABELED)
443 return 0;
444
445 lock_sock(sk);
446
447 /* connected sockets are allowed to disconnect when the address family
448 * is set to AF_UNSPEC, if that is what is happening we want to reset
449 * the socket */
450 if (addr->sa_family == AF_UNSPEC) {
451 netlbl_sock_delattr(sk);
452 sksec->nlbl_state = NLBL_REQSKB;
453 rc = 0;
454 goto socket_connect_return;
455 }
456 secattr = selinux_netlbl_sock_genattr(sk);
457 if (secattr == NULL) {
458 rc = -ENOMEM;
459 goto socket_connect_return;
460 }
461 rc = netlbl_conn_setattr(sk, addr, secattr);
462 if (rc == 0)
463 sksec->nlbl_state = NLBL_CONNLABELED;
464
465 socket_connect_return:
466 release_sock(sk);
467 return rc;
468 }
kernel source for telekom puls (alcatel/mediatek)