From: paul.moore@hp•com
To: netdev@vger•kernel.org, selinux@tycho•nsa.gov
Cc: vyekkirala@TrustedCS•com, jmorris@namei•org, sds@tycho•nsa.gov
Subject: [PATCH 04/11] secid reconciliation: Invoke LSM hook for outbound traffic
Date: Mon, 09 Oct 2006 15:42:27 -0400 [thread overview]
Message-ID: <20061009195848.642381000@hp.com> (raw)
In-Reply-To: 20061009194223.402695000@hp.com
[-- Attachment #1: secid-4 --]
[-- Type: text/plain, Size: 5590 bytes --]
From: Venkat Yekkirala <vyekkirala@TrustedCS•com>
Invoke the skb_flow_out LSM hook for outbound
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS•com>
---
net/netfilter/xt_CONNSECMARK.c | 72 ++++++++++++++++++++++++-------
net/netfilter/xt_SECMARK.c | 45 ++++++++++++++++++-
2 files changed, 100 insertions(+), 17 deletions(-)
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 4673862..cca4a0c 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -17,6 +17,8 @@
*/
#include <linux/module.h>
#include <linux/skbuff.h>
+#include <linux/security.h>
+#include <linux/netfilter_ipv6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_CONNSECMARK.h>
#include <net/netfilter/nf_conntrack_compat.h>
@@ -29,38 +31,78 @@ MODULE_DESCRIPTION("ip[6]tables CONNSECM
MODULE_ALIAS("ipt_CONNSECMARK");
MODULE_ALIAS("ip6t_CONNSECMARK");
+static inline int outbound(unsigned short family, unsigned int hooknum)
+{
+ if ((family == AF_INET &&
+ (hooknum == NF_IP_POST_ROUTING ||
+ hooknum == NF_IP_LOCAL_OUT ||
+ hooknum == NF_IP_FORWARD)) ||
+ (family == AF_INET6 &&
+ (hooknum == NF_IP6_POST_ROUTING ||
+ hooknum == NF_IP6_LOCAL_OUT ||
+ hooknum == NF_IP6_FORWARD)))
+ return 1;
+ else
+ return 0;
+}
+
/*
* If the packet has a security mark and the connection does not, copy
* the security mark from the packet to the connection.
*/
-static void secmark_save(struct sk_buff *skb)
+static void secmark_save(struct sk_buff *skb, unsigned int hooknum)
{
if (skb->secmark) {
u32 *connsecmark;
enum ip_conntrack_info ctinfo;
connsecmark = nf_ct_get_secmark(skb, &ctinfo);
- if (connsecmark && !*connsecmark)
+ if (connsecmark)
if (*connsecmark != skb->secmark)
*connsecmark = skb->secmark;
}
}
/*
- * If packet has no security mark, and the connection does, restore the
- * security mark from the connection to the packet.
+ * On the inbound, restore the security mark from the connection to the packet.
+ * On the outbound, filter based on the current secmark.
*/
-static void secmark_restore(struct sk_buff *skb)
+static unsigned int secmark_restore(struct sk_buff *skb, unsigned int hooknum,
+ const struct net_device *in, unsigned short family)
{
- if (!skb->secmark) {
- u32 *connsecmark;
- enum ip_conntrack_info ctinfo;
-
- connsecmark = nf_ct_get_secmark(skb, &ctinfo);
- if (connsecmark && *connsecmark)
- if (skb->secmark != *connsecmark)
- skb->secmark = *connsecmark;
+ u32 *psecmark;
+ enum ip_conntrack_info ctinfo;
+
+ psecmark = nf_ct_get_secmark(skb, &ctinfo);
+
+ if (psecmark && *psecmark) {
+
+ /* Set secmark on inbound and filter it on outbound */
+ if (outbound(family, hooknum)) {
+ int err;
+
+ err = security_skb_flow_out(skb, *psecmark);
+ if (!err)
+ return NF_DROP;
+ } else
+ /*
+ * inbound:
+ * loopback traffic should already be labeled
+ * and any filtering on outbound should suffice
+ */
+ if (in == &loopback_dev)
+ goto out;
+
+ /*
+ * inbound or done with outbound check or no LSM hook
+ * for outbound
+ */
+ if (skb->secmark != *psecmark)
+ skb->secmark = *psecmark;
}
+
+out:
+ return XT_CONTINUE;
}
static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
@@ -73,11 +115,11 @@ static unsigned int target(struct sk_buf
switch (info->mode) {
case CONNSECMARK_SAVE:
- secmark_save(skb);
+ secmark_save(skb, hooknum);
break;
case CONNSECMARK_RESTORE:
- secmark_restore(skb);
+ return secmark_restore(skb, hooknum, in, target->family);
break;
default:
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index add7521..9ecce66 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -15,8 +15,10 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/selinux.h>
+#include <linux/security.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_SECMARK.h>
+#include <linux/netfilter_ipv6.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@redhat•com>");
@@ -28,6 +30,21 @@ #define PFX "SECMARK: "
static u8 mode;
+static inline int outbound(unsigned short family, unsigned int hooknum)
+{
+ if ((family == AF_INET &&
+ (hooknum == NF_IP_POST_ROUTING ||
+ hooknum == NF_IP_LOCAL_OUT ||
+ hooknum == NF_IP_FORWARD)) ||
+ (family == AF_INET6 &&
+ (hooknum == NF_IP6_POST_ROUTING ||
+ hooknum == NF_IP6_LOCAL_OUT ||
+ hooknum == NF_IP6_FORWARD)))
+ return 1;
+ else
+ return 0;
+}
+
static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
const struct net_device *out, unsigned int hooknum,
const struct xt_target *target,
@@ -47,9 +64,33 @@ static unsigned int target(struct sk_buf
BUG();
}
- if ((*pskb)->secmark != secmark)
- (*pskb)->secmark = secmark;
+ if (secmark) {
+
+ /* Set secmark on inbound and filter it on outbound */
+ if (outbound(target->family, hooknum)) {
+ int err;
+
+ err = security_skb_flow_out(*pskb, secmark);
+ if (!err)
+ return NF_DROP;
+ } else
+ /*
+ * inbound:
+ * loopback traffic should already be labeled
+ * and any filtering on outbound should suffice
+ */
+ if (in == &loopback_dev)
+ goto out;
+
+ /*
+ * inbound or done with outbound check or no LSM hook
+ * for outbound
+ */
+ if ((*pskb)->secmark != secmark)
+ (*pskb)->secmark = secmark;
+ }
+out:
return XT_CONTINUE;
}
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-10-09 19:58 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-09 19:42 [PATCH 00/11] The _entire_ secid reconciliation patchset (tada!) paul.moore
2006-10-09 19:42 ` [PATCH 01/11] secid reconciliation: new SELinux flask definitions paul.moore
2006-10-09 19:42 ` [PATCH 02/11] secid reconciliation: Add LSM hooks paul.moore
2006-10-09 19:42 ` [PATCH 03/11] secid reconciliation: Invoke LSM hook for inbound traffic paul.moore
2006-10-09 19:42 ` paul.moore [this message]
2006-10-09 19:42 ` [PATCH 05/11] secid reconciliation: Label locally generated IPv6 traffic paul.moore
2006-10-09 19:42 ` [PATCH 06/11] secid reconciliation: Label locally generated IPv4 traffic paul.moore
2006-10-09 19:42 ` [PATCH 07/11] secid reconciliation: Enforcement for SELinux paul.moore
2006-10-09 19:42 ` [PATCH 08/11] secid reconciliation: Use secmark when classifying flow using skb paul.moore
2006-10-09 19:42 ` [PATCH 09/11] secid reconciliation: Track peersecid at connection establishment paul.moore
2006-10-09 19:42 ` [PATCH 10/11] secid reconciliation: various fixes paul.moore
2006-10-09 19:42 ` [PATCH 11/11] secid reconciliation: support for NetLabel paul.moore
2006-10-09 20:19 ` [PATCH 00/11] The _entire_ secid reconciliation patchset (tada!) James Morris
2006-10-09 20:30 ` Paul Moore
2006-10-09 20:36 ` James Morris
2006-10-11 19:20 ` Venkat Yekkirala
2006-10-12 7:26 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061009195848.642381000@hp.com \
--to=paul.moore@hp$(echo .)com \
--cc=jmorris@namei$(echo .)org \
--cc=netdev@vger$(echo .)kernel.org \
--cc=sds@tycho$(echo .)nsa.gov \
--cc=selinux@tycho$(echo .)nsa.gov \
--cc=vyekkirala@TrustedCS$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox