hooks.c (da5645a28a15aed2e541a814ecf9f7ffcd4c4673) | hooks.c (224dfbd81e1ff672eb46e7695469c395bd531083) |
---|---|
1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 62 unchanged lines hidden (view full) --- 71#include <linux/audit.h> 72#include <linux/string.h> 73#include <linux/selinux.h> 74#include <linux/mutex.h> 75 76#include "avc.h" 77#include "objsec.h" 78#include "netif.h" | 1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> --- 62 unchanged lines hidden (view full) --- 71#include <linux/audit.h> 72#include <linux/string.h> 73#include <linux/selinux.h> 74#include <linux/mutex.h> 75 76#include "avc.h" 77#include "objsec.h" 78#include "netif.h" |
79#include "netnode.h" |
|
79#include "xfrm.h" 80#include "netlabel.h" 81 82#define XATTR_SELINUX_SUFFIX "selinux" 83#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 84 85#define NUM_SEL_MNT_OPTS 4 86 --- 3303 unchanged lines hidden (view full) --- 3390 } 3391out: 3392 return ret; 3393} 3394 3395#endif /* IPV6 */ 3396 3397static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, | 80#include "xfrm.h" 81#include "netlabel.h" 82 83#define XATTR_SELINUX_SUFFIX "selinux" 84#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX 85 86#define NUM_SEL_MNT_OPTS 4 87 --- 3303 unchanged lines hidden (view full) --- 3391 } 3392out: 3393 return ret; 3394} 3395 3396#endif /* IPV6 */ 3397 3398static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, |
3398 char **addrp, int *len, int src, u8 *proto) | 3399 char **addrp, int src, u8 *proto) |
3399{ 3400 int ret = 0; 3401 3402 switch (ad->u.net.family) { 3403 case PF_INET: 3404 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3405 if (ret || !addrp) 3406 break; | 3400{ 3401 int ret = 0; 3402 3403 switch (ad->u.net.family) { 3404 case PF_INET: 3405 ret = selinux_parse_skb_ipv4(skb, ad, proto); 3406 if (ret || !addrp) 3407 break; |
3407 *len = 4; | |
3408 *addrp = (char *)(src ? &ad->u.net.v4info.saddr : 3409 &ad->u.net.v4info.daddr); 3410 break; 3411 3412#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3413 case PF_INET6: 3414 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3415 if (ret || !addrp) 3416 break; | 3408 *addrp = (char *)(src ? &ad->u.net.v4info.saddr : 3409 &ad->u.net.v4info.daddr); 3410 break; 3411 3412#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 3413 case PF_INET6: 3414 ret = selinux_parse_skb_ipv6(skb, ad, proto); 3415 if (ret || !addrp) 3416 break; |
3417 *len = 16; | |
3418 *addrp = (char *)(src ? &ad->u.net.v6info.saddr : 3419 &ad->u.net.v6info.daddr); 3420 break; 3421#endif /* IPV6 */ 3422 default: 3423 break; 3424 } 3425 --- 183 unchanged lines hidden (view full) --- 3609 node_perm = DCCP_SOCKET__NODE_BIND; 3610 break; 3611 3612 default: 3613 node_perm = RAWIP_SOCKET__NODE_BIND; 3614 break; 3615 } 3616 | 3417 *addrp = (char *)(src ? &ad->u.net.v6info.saddr : 3418 &ad->u.net.v6info.daddr); 3419 break; 3420#endif /* IPV6 */ 3421 default: 3422 break; 3423 } 3424 --- 183 unchanged lines hidden (view full) --- 3608 node_perm = DCCP_SOCKET__NODE_BIND; 3609 break; 3610 3611 default: 3612 node_perm = RAWIP_SOCKET__NODE_BIND; 3613 break; 3614 } 3615 |
3617 err = security_node_sid(family, addrp, addrlen, &sid); | 3616 err = sel_netnode_sid(addrp, family, &sid); |
3618 if (err) 3619 goto out; 3620 3621 AVC_AUDIT_DATA_INIT(&ad,NET); 3622 ad.u.net.sport = htons(snum); 3623 ad.u.net.family = family; 3624 3625 if (family == PF_INET) --- 195 unchanged lines hidden (view full) --- 3821 isec->sclass, SOCKET__SENDTO, &ad); 3822 if (err) 3823 return err; 3824 3825 return 0; 3826} 3827 3828static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, | 3617 if (err) 3618 goto out; 3619 3620 AVC_AUDIT_DATA_INIT(&ad,NET); 3621 ad.u.net.sport = htons(snum); 3622 ad.u.net.family = family; 3623 3624 if (family == PF_INET) --- 195 unchanged lines hidden (view full) --- 3820 isec->sclass, SOCKET__SENDTO, &ad); 3821 if (err) 3822 return err; 3823 3824 return 0; 3825} 3826 3827static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, |
3829 struct avc_audit_data *ad, u16 family, char *addrp, int len) | 3828 struct avc_audit_data *ad, 3829 u16 family, char *addrp) |
3830{ 3831 int err = 0; 3832 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0; 3833 struct socket *sock; 3834 u16 sock_class = 0; 3835 u32 sock_sid = 0; 3836 3837 read_lock_bh(&sk->sk_callback_lock); --- 43 unchanged lines hidden (view full) --- 3881 node_perm = NODE__RAWIP_RECV; 3882 break; 3883 } 3884 3885 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3886 if (err) 3887 goto out; 3888 | 3830{ 3831 int err = 0; 3832 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0; 3833 struct socket *sock; 3834 u16 sock_class = 0; 3835 u32 sock_sid = 0; 3836 3837 read_lock_bh(&sk->sk_callback_lock); --- 43 unchanged lines hidden (view full) --- 3881 node_perm = NODE__RAWIP_RECV; 3882 break; 3883 } 3884 3885 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 3886 if (err) 3887 goto out; 3888 |
3889 err = security_node_sid(family, addrp, len, &node_sid); | 3889 err = sel_netnode_sid(addrp, family, &node_sid); |
3890 if (err) 3891 goto out; 3892 3893 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad); 3894 if (err) 3895 goto out; 3896 3897 if (recv_perm) { --- 12 unchanged lines hidden (view full) --- 3910out: 3911 return err; 3912} 3913 3914static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3915{ 3916 u16 family; 3917 char *addrp; | 3890 if (err) 3891 goto out; 3892 3893 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad); 3894 if (err) 3895 goto out; 3896 3897 if (recv_perm) { --- 12 unchanged lines hidden (view full) --- 3910out: 3911 return err; 3912} 3913 3914static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3915{ 3916 u16 family; 3917 char *addrp; |
3918 int len, err = 0; | 3918 int err = 0; |
3919 struct avc_audit_data ad; 3920 struct sk_security_struct *sksec = sk->sk_security; 3921 3922 family = sk->sk_family; 3923 if (family != PF_INET && family != PF_INET6) 3924 goto out; 3925 3926 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 3927 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3928 family = PF_INET; 3929 3930 AVC_AUDIT_DATA_INIT(&ad, NET); 3931 ad.u.net.netif = skb->iif; 3932 ad.u.net.family = family; 3933 | 3919 struct avc_audit_data ad; 3920 struct sk_security_struct *sksec = sk->sk_security; 3921 3922 family = sk->sk_family; 3923 if (family != PF_INET && family != PF_INET6) 3924 goto out; 3925 3926 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 3927 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3928 family = PF_INET; 3929 3930 AVC_AUDIT_DATA_INIT(&ad, NET); 3931 ad.u.net.netif = skb->iif; 3932 ad.u.net.family = family; 3933 |
3934 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL); | 3934 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); |
3935 if (err) 3936 goto out; 3937 3938 if (selinux_compat_net) | 3935 if (err) 3936 goto out; 3937 3938 if (selinux_compat_net) |
3939 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family, 3940 addrp, len); | 3939 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family, addrp); |
3941 else 3942 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET, 3943 PACKET__RECV, &ad); 3944 if (err) 3945 goto out; 3946 3947 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 3948 if (err) --- 204 unchanged lines hidden (view full) --- 4153 4154 err = socket_has_perm(current, sock, perm); 4155out: 4156 return err; 4157} 4158 4159#ifdef CONFIG_NETFILTER 4160 | 3940 else 3941 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET, 3942 PACKET__RECV, &ad); 3943 if (err) 3944 goto out; 3945 3946 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 3947 if (err) --- 204 unchanged lines hidden (view full) --- 4152 4153 err = socket_has_perm(current, sock, perm); 4154out: 4155 return err; 4156} 4157 4158#ifdef CONFIG_NETFILTER 4159 |
4161static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev, | 4160static int selinux_ip_postroute_last_compat(struct sock *sk, 4161 struct net_device *dev, |
4162 struct avc_audit_data *ad, | 4162 struct avc_audit_data *ad, |
4163 u16 family, char *addrp, int len) | 4163 u16 family, 4164 char *addrp) |
4164{ 4165 int err = 0; 4166 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0; 4167 struct socket *sock; 4168 struct inode *inode; 4169 struct inode_security_struct *isec; 4170 4171 sock = sk->sk_socket; --- 34 unchanged lines hidden (view full) --- 4206 node_perm = NODE__RAWIP_SEND; 4207 break; 4208 } 4209 4210 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 4211 if (err) 4212 goto out; 4213 | 4165{ 4166 int err = 0; 4167 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0; 4168 struct socket *sock; 4169 struct inode *inode; 4170 struct inode_security_struct *isec; 4171 4172 sock = sk->sk_socket; --- 34 unchanged lines hidden (view full) --- 4207 node_perm = NODE__RAWIP_SEND; 4208 break; 4209 } 4210 4211 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad); 4212 if (err) 4213 goto out; 4214 |
4214 err = security_node_sid(family, addrp, len, &node_sid); | 4215 err = sel_netnode_sid(addrp, family, &node_sid); |
4215 if (err) 4216 goto out; 4217 4218 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad); 4219 if (err) 4220 goto out; 4221 4222 if (send_perm) { --- 17 unchanged lines hidden (view full) --- 4240static unsigned int selinux_ip_postroute_last(unsigned int hooknum, 4241 struct sk_buff *skb, 4242 const struct net_device *in, 4243 const struct net_device *out, 4244 int (*okfn)(struct sk_buff *), 4245 u16 family) 4246{ 4247 char *addrp; | 4216 if (err) 4217 goto out; 4218 4219 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad); 4220 if (err) 4221 goto out; 4222 4223 if (send_perm) { --- 17 unchanged lines hidden (view full) --- 4241static unsigned int selinux_ip_postroute_last(unsigned int hooknum, 4242 struct sk_buff *skb, 4243 const struct net_device *in, 4244 const struct net_device *out, 4245 int (*okfn)(struct sk_buff *), 4246 u16 family) 4247{ 4248 char *addrp; |
4248 int len, err = 0; | 4249 int err = 0; |
4249 struct sock *sk; 4250 struct avc_audit_data ad; 4251 struct net_device *dev = (struct net_device *)out; 4252 struct sk_security_struct *sksec; 4253 u8 proto; 4254 4255 sk = skb->sk; 4256 if (!sk) 4257 goto out; 4258 4259 sksec = sk->sk_security; 4260 4261 AVC_AUDIT_DATA_INIT(&ad, NET); 4262 ad.u.net.netif = dev->ifindex; 4263 ad.u.net.family = family; 4264 | 4250 struct sock *sk; 4251 struct avc_audit_data ad; 4252 struct net_device *dev = (struct net_device *)out; 4253 struct sk_security_struct *sksec; 4254 u8 proto; 4255 4256 sk = skb->sk; 4257 if (!sk) 4258 goto out; 4259 4260 sksec = sk->sk_security; 4261 4262 AVC_AUDIT_DATA_INIT(&ad, NET); 4263 ad.u.net.netif = dev->ifindex; 4264 ad.u.net.family = family; 4265 |
4265 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto); | 4266 err = selinux_parse_skb(skb, &ad, &addrp, 0, &proto); |
4266 if (err) 4267 goto out; 4268 4269 if (selinux_compat_net) 4270 err = selinux_ip_postroute_last_compat(sk, dev, &ad, | 4267 if (err) 4268 goto out; 4269 4270 if (selinux_compat_net) 4271 err = selinux_ip_postroute_last_compat(sk, dev, &ad, |
4271 family, addrp, len); | 4272 family, addrp); |
4272 else 4273 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET, 4274 PACKET__SEND, &ad); 4275 4276 if (err) 4277 goto out; 4278 4279 err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto); --- 1113 unchanged lines hidden --- | 4273 else 4274 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET, 4275 PACKET__SEND, &ad); 4276 4277 if (err) 4278 goto out; 4279 4280 err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto); --- 1113 unchanged lines hidden --- |
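Review bot: With the `len` out-parameter dropped from selinux_parse_skb (new lines 3399–3423), the byte length of the address behind `*addrp` is carried only by the family, and none of the three sel_netnode_sid() call sites (new 3616, 3889, 4215) records that contract; a comment above the PF_INET case such as `/* *addrp points into ad->u.net; its length (4 or 16 bytes) is implied by ad->u.net.family, which the caller must pass unchanged to sel_netnode_sid() */` would preserve what the deleted `*len = 4` / `*len = 16` assignments used to make explicit. The visible callers do keep that invariant (each stores `ad.u.net.family = family` before parsing and then passes the same `family`), so a one-line note on the `family` argument at those calls would make it reviewable rather than implicit. Unchanged from before the commit, the `default:` case leaves `*addrp` unset while returning 0, so a family that is neither PF_INET nor a compiled-in PF_INET6 would now reach sel_netnode_sid() with an uninitialised pointer; whether that path is reachable depends on hook registration outside this page, but if it is, `default: ret = -EINVAL;` (hedged) would close it. The body of selinux_parse_skb continues past the visible hunk, as do the `out:` labels of the callers.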