1. 27 Jun, 2016 1 commit
  2. 02 Aug, 2011 2 commits
  3. 07 Apr, 2010 1 commit
  4. 16 Aug, 2009 1 commit
    • Thomas Liu's avatar
      SELinux: Convert avc_audit to use lsm_audit.h · 2bf49690
      Thomas Liu authored
      Convert avc_audit in security/selinux/avc.c to use lsm_audit.h,
      for better maintainability.
      
       - changed selinux to use common_audit_data instead of
          avc_audit_data
       - eliminated code in avc.c and used code from lsm_audit.h instead.
      
      Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit
      can call common_lsm_audit and do the pre and post callbacks without
      doing the actual dump.  This makes it so that the patched version
      behaves the same way as the unpatched version.
      
      Also added a denied field to the selinux_audit_data private space,
      once again to make it so that the patched version behaves like the
      unpatched.
      
      I've tested and confirmed that AVCs look the same before and after
      this patch.
      Signed-off-by: default avatarThomas Liu <tliu@redhat.com>
      Acked-by: Stephen Smalley's avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      2bf49690
  5. 13 Jul, 2009 1 commit
  6. 12 Jul, 2009 1 commit
  7. 28 Mar, 2009 1 commit
    • Paul Moore's avatar
      netlabel: Label incoming TCP connections correctly in SELinux · 389fb800
      Paul Moore authored
      The current NetLabel/SELinux behavior for incoming TCP connections works but
      only through a series of happy coincidences that rely on the limited nature of
      standard CIPSO (only able to convey MLS attributes) and the write equality
      imposed by the SELinux MLS constraints.  The problem is that network sockets
      created as the result of an incoming TCP connection were not on-the-wire
      labeled based on the security attributes of the parent socket but rather based
      on the wire label of the remote peer.  The issue had to do with how IP options
      were managed as part of the network stack and where the LSM hooks were in
      relation to the code which set the IP options on these newly created child
      sockets.  While NetLabel/SELinux did correctly set the socket's on-the-wire
      label it was promptly cleared by the network stack and reset based on the IP
      options of the remote peer.
      
      This patch, in conjunction with a prior patch that adjusted the LSM hook
      locations, works to set the correct on-the-wire label format for new incoming
      connections through the security_inet_conn_request() hook.  Besides the
      correct behavior there are many advantages to this change, the most significant
      is that all of the NetLabel socket labeling code in SELinux now lives in hooks
      which can return error codes to the core stack which allows us to finally get
      ride of the selinux_netlbl_inode_permission() logic which greatly simplfies
      the NetLabel/SELinux glue code.  In the process of developing this patch I
      also ran into a small handful of AF_INET6 cleanliness issues that have been
      fixed which should make the code safer and easier to extend in the future.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      389fb800
  8. 10 Oct, 2008 4 commits
    • Paul Moore's avatar
      selinux: Cache NetLabel secattrs in the socket's security struct · 6c5b3fc0
      Paul Moore authored
      Previous work enabled the use of address based NetLabel selectors, which
      while highly useful, brought the potential for additional per-packet overhead
      when used.  This patch attempts to mitigate some of that overhead by caching
      the NetLabel security attribute struct within the SELinux socket security
      structure.  This should help eliminate the need to recreate the NetLabel
      secattr structure for each packet resulting in less overhead.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      6c5b3fc0
    • Paul Moore's avatar
      selinux: Set socket NetLabel based on connection endpoint · 014ab19a
      Paul Moore authored
      Previous work enabled the use of address based NetLabel selectors, which while
      highly useful, brought the potential for additional per-packet overhead when
      used.  This patch attempts to solve that by applying NetLabel socket labels
      when sockets are connect()'d.  This should alleviate the per-packet NetLabel
      labeling for all connected sockets (yes, it even works for connected DGRAM
      sockets).
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Reviewed-by: default avatarJames Morris <jmorris@namei.org>
      014ab19a
    • Paul Moore's avatar
      netlabel: Add functionality to set the security attributes of a packet · 948bf85c
      Paul Moore authored
      This patch builds upon the new NetLabel address selector functionality by
      providing the NetLabel KAPI and CIPSO engine support needed to enable the
      new packet-based labeling.  The only new addition to the NetLabel KAPI at
      this point is shown below:
      
       * int netlbl_skbuff_setattr(skb, family, secattr)
      
      ... and is designed to be called from a Netfilter hook after the packet's
      IP header has been populated such as in the FORWARD or LOCAL_OUT hooks.
      
      This patch also provides the necessary SELinux hooks to support this new
      functionality.  Smack support is not currently included due to uncertainty
      regarding the permissions needed to expand the Smack network access controls.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Reviewed-by: default avatarJames Morris <jmorris@namei.org>
      948bf85c
    • Paul Moore's avatar
      selinux: Fix missing calls to netlbl_skbuff_err() · dfaebe98
      Paul Moore authored
      At some point I think I messed up and dropped the calls to netlbl_skbuff_err()
      which are necessary for CIPSO to send error notifications to remote systems.
      This patch re-introduces the error handling calls into the SELinux code.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      dfaebe98
  9. 27 Apr, 2008 1 commit
  10. 18 Apr, 2008 1 commit
  11. 29 Jan, 2008 3 commits
  12. 26 Apr, 2007 2 commits
  13. 03 Dec, 2006 2 commits
    • Paul Moore's avatar
      SELinux: peer secid consolidation for external network labeling · 3de4bab5
      Paul Moore authored
      Now that labeled IPsec makes use of the peer_sid field in the
      sk_security_struct we can remove a lot of the special cases between labeled
      IPsec and NetLabel.  In addition, create a new function,
      security_skb_extlbl_sid(), which we can use in several places to get the
      security context of the packet's external label which allows us to further
      simplify the code in a few places.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      3de4bab5
    • Paul Moore's avatar
      NetLabel: SELinux cleanups · 9f2ad665
      Paul Moore authored
      This patch does a lot of cleanup in the SELinux NetLabel support code.  A
      summary of the changes include:
      
      * Use RCU locking for the NetLabel state variable in the skk_security_struct
        instead of using the inode_security_struct mutex.
      * Remove unnecessary parameters in selinux_netlbl_socket_post_create().
      * Rename selinux_netlbl_sk_clone_security() to
        selinux_netlbl_sk_security_clone() to better fit the other NetLabel
        sk_security functions.
      * Improvements to selinux_netlbl_inode_permission() to help reduce the cost of
        the common case.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      9f2ad665
  14. 30 Oct, 2006 1 commit
    • Paul Moore's avatar
      [NetLabel]: protect the CIPSOv4 socket option from setsockopt() · f8687afe
      Paul Moore authored
      This patch makes two changes to protect applications from either removing or
      tampering with the CIPSOv4 IP option on a socket.  The first is the requirement
      that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
      on a socket; this prevents untrusted applications from setting their own
      CIPSOv4 security attributes on the packets they send.  The second change is to
      SELinux and it prevents applications from setting any IPv4 options when there
      is an IPOPT_CIPSO option already present on the socket; this prevents
      applications from removing CIPSOv4 security attributes from the packets they
      send.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f8687afe
  15. 22 Sep, 2006 4 commits