SELinux: Various xfrm labeling fixes
Since the upstreaming of the mlsxfrm modification a few months back,
testing has resulted in the identification of the following issues/bugs that
are resolved in this patch set.
1. Fix the security context used in the IKE negotiation to be the context
of the socket as opposed to the context of the SPD rule.
2. Fix SO_PEERSEC for tcp sockets to return the security context of
the peer as opposed to the source.
3. Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow.
The following would be the result of applying this patchset:
- SO_PEERSEC will now correctly return the peer's context.
- IKE deamons will receive the context of the source socket/flow
as opposed to the SPD rule's context so that the negotiated SA
will be at the same context as the source socket/flow.
- The SELinux policy will require one or more of the
following for a socket to be able to communicate with/without SAs:
1. To enable a socket to communicate without using labeled-IPSec SAs:
allow socket_t unlabeled_t:association { sendto recvfrom }
2. To enable a socket to communicate with labeled-IPSec SAs:
allow socket_t self:association { sendto };
allow socket_t peer_sa_t:association { recvfrom };
This Patch: Pass correct security context to IKE for use in negotiation
Fix the security context passed to IKE for use in negotiation to be the
context of the socket as opposed to the context of the SPD rule so that
the SA carries the label of the originating socket/flow.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 675b995..4d5a043 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -226,16 +226,15 @@
* CTX does not have a meaningful value on input
*/
static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
- struct xfrm_user_sec_ctx *uctx, struct xfrm_sec_ctx *pol, u32 sid)
+ struct xfrm_user_sec_ctx *uctx, u32 sid)
{
int rc = 0;
struct task_security_struct *tsec = current->security;
struct xfrm_sec_ctx *ctx = NULL;
char *ctx_str = NULL;
u32 str_len;
- u32 ctx_sid;
- BUG_ON(uctx && pol);
+ BUG_ON(uctx && sid);
if (!uctx)
goto not_from_user;
@@ -279,15 +278,7 @@
return rc;
not_from_user:
- if (pol) {
- rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid);
- if (rc)
- goto out;
- }
- else
- ctx_sid = sid;
-
- rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len);
+ rc = security_sid_to_context(sid, &ctx_str, &str_len);
if (rc)
goto out;
@@ -302,7 +293,7 @@
ctx->ctx_doi = XFRM_SC_DOI_LSM;
ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
- ctx->ctx_sid = ctx_sid;
+ ctx->ctx_sid = sid;
ctx->ctx_len = str_len;
memcpy(ctx->ctx_str,
ctx_str,
@@ -323,22 +314,14 @@
* xfrm_policy.
*/
int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
- struct xfrm_user_sec_ctx *uctx, struct sock *sk)
+ struct xfrm_user_sec_ctx *uctx)
{
int err;
- u32 sid;
BUG_ON(!xp);
- BUG_ON(uctx && sk);
+ BUG_ON(!uctx);
- if (sk) {
- struct sk_security_struct *ssec = sk->sk_security;
- sid = ssec->sid;
- }
- else
- sid = SECSID_NULL;
-
- err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, sid);
+ err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0);
return err;
}
@@ -399,13 +382,13 @@
* xfrm_state.
*/
int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx,
- struct xfrm_sec_ctx *pol, u32 secid)
+ u32 secid)
{
int err;
BUG_ON(!x);
- err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, pol, secid);
+ err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
return err;
}