diff options
author | Paul Moore <paul.moore@hp.com> | 2009-03-27 17:10:34 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-03-28 15:01:36 +1100 |
commit | 389fb800ac8be2832efedd19978a2b8ced37eb61 (patch) | |
tree | fa0bc16050dfb491aa05f76b54fa4c167de96376 /security/smack | |
parent | 284904aa79466a4736f4c775fdbe5c7407fa136c (diff) | |
download | linux-389fb800ac8be2832efedd19978a2b8ced37eb61.tar.gz linux-389fb800ac8be2832efedd19978a2b8ced37eb61.tar.bz2 linux-389fb800ac8be2832efedd19978a2b8ced37eb61.zip |
netlabel: Label incoming TCP connections correctly in SELinux
The current NetLabel/SELinux behavior for incoming TCP connections works but
only through a series of happy coincidences that rely on the limited nature of
standard CIPSO (only able to convey MLS attributes) and the write equality
imposed by the SELinux MLS constraints. The problem is that network sockets
created as the result of an incoming TCP connection were not on-the-wire
labeled based on the security attributes of the parent socket but rather based
on the wire label of the remote peer. The issue had to do with how IP options
were managed as part of the network stack and where the LSM hooks were in
relation to the code which set the IP options on these newly created child
sockets. While NetLabel/SELinux did correctly set the socket's on-the-wire
label it was promptly cleared by the network stack and reset based on the IP
options of the remote peer.
This patch, in conjunction with a prior patch that adjusted the LSM hook
locations, works to set the correct on-the-wire label format for new incoming
connections through the security_inet_conn_request() hook. Besides the
correct behavior there are many advantages to this change, the most significant
is that all of the NetLabel socket labeling code in SELinux now lives in hooks
which can return error codes to the core stack which allows us to finally get
ride of the selinux_netlbl_inode_permission() logic which greatly simplfies
the NetLabel/SELinux glue code. In the process of developing this patch I
also ran into a small handful of AF_INET6 cleanliness issues that have been
fixed which should make the code safer and easier to extend in the future.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/smack')
-rw-r--r-- | security/smack/smack_lsm.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index fd20d15f5b9a..23ad420a49aa 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1387,7 +1387,7 @@ static int smack_netlabel(struct sock *sk, int labeled) else { netlbl_secattr_init(&secattr); smack_to_secattr(ssp->smk_out, &secattr); - rc = netlbl_sock_setattr(sk, &secattr); + rc = netlbl_sock_setattr(sk, sk->sk_family, &secattr); netlbl_secattr_destroy(&secattr); } |