Revert "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel"
This reverts commit 9faf65fb6e.
It bit people like Michal Piotrowski:
"My system is too secure, I can not login :)"
because it changed how CONFIG_NETLABEL worked, and broke older SElinux
policies.
As a result, quoth James Morris:
"Can you please revert this patch?
We thought it only affected people running MLS, but it will affect others.
Sorry for the hassle."
Cc: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
Cc: Paul Moore <paul.moore@hp.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Linus Torvalds
@@ -3129,19 +3129,17 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
|
|||||||
/**
|
/**
|
||||||
* selinux_skb_extlbl_sid - Determine the external label of a packet
|
* selinux_skb_extlbl_sid - Determine the external label of a packet
|
||||||
* @skb: the packet
|
* @skb: the packet
|
||||||
|
* @base_sid: the SELinux SID to use as a context for MLS only external labels
|
||||||
* @sid: the packet's SID
|
* @sid: the packet's SID
|
||||||
*
|
*
|
||||||
* Description:
|
* Description:
|
||||||
* Check the various different forms of external packet labeling and determine
|
* Check the various different forms of external packet labeling and determine
|
||||||
* the external SID for the packet. If only one form of external labeling is
|
* the external SID for the packet.
|
||||||
* present then it is used, if both labeled IPsec and NetLabel labels are
|
|
||||||
* present then the SELinux type information is taken from the labeled IPsec
|
|
||||||
* SA and the MLS sensitivity label information is taken from the NetLabel
|
|
||||||
* security attributes. This bit of "magic" is done in the call to
|
|
||||||
* selinux_netlbl_skbuff_getsid().
|
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
|
static void selinux_skb_extlbl_sid(struct sk_buff *skb,
|
||||||
|
u32 base_sid,
|
||||||
|
u32 *sid)
|
||||||
{
|
{
|
||||||
u32 xfrm_sid;
|
u32 xfrm_sid;
|
||||||
u32 nlbl_sid;
|
u32 nlbl_sid;
|
||||||
@@ -3149,9 +3147,10 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
|
|||||||
selinux_skb_xfrm_sid(skb, &xfrm_sid);
|
selinux_skb_xfrm_sid(skb, &xfrm_sid);
|
||||||
if (selinux_netlbl_skbuff_getsid(skb,
|
if (selinux_netlbl_skbuff_getsid(skb,
|
||||||
(xfrm_sid == SECSID_NULL ?
|
(xfrm_sid == SECSID_NULL ?
|
||||||
SECINITSID_NETMSG : xfrm_sid),
|
base_sid : xfrm_sid),
|
||||||
&nlbl_sid) != 0)
|
&nlbl_sid) != 0)
|
||||||
nlbl_sid = SECSID_NULL;
|
nlbl_sid = SECSID_NULL;
|
||||||
|
|
||||||
*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
|
*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -3696,7 +3695,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
|
|||||||
if (sock && sock->sk->sk_family == PF_UNIX)
|
if (sock && sock->sk->sk_family == PF_UNIX)
|
||||||
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
|
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
|
||||||
else if (skb)
|
else if (skb)
|
||||||
selinux_skb_extlbl_sid(skb, &peer_secid);
|
selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
|
||||||
|
|
||||||
if (peer_secid == SECSID_NULL)
|
if (peer_secid == SECSID_NULL)
|
||||||
err = -EINVAL;
|
err = -EINVAL;
|
||||||
@@ -3757,7 +3756,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
|
|||||||
u32 newsid;
|
u32 newsid;
|
||||||
u32 peersid;
|
u32 peersid;
|
||||||
|
|
||||||
selinux_skb_extlbl_sid(skb, &peersid);
|
selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
|
||||||
if (peersid == SECSID_NULL) {
|
if (peersid == SECSID_NULL) {
|
||||||
req->secid = sksec->sid;
|
req->secid = sksec->sid;
|
||||||
req->peer_secid = SECSID_NULL;
|
req->peer_secid = SECSID_NULL;
|
||||||
@@ -3795,7 +3794,7 @@ static void selinux_inet_conn_established(struct sock *sk,
|
|||||||
{
|
{
|
||||||
struct sk_security_struct *sksec = sk->sk_security;
|
struct sk_security_struct *sksec = sk->sk_security;
|
||||||
|
|
||||||
selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
|
selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void selinux_req_classify_flow(const struct request_sock *req,
|
static void selinux_req_classify_flow(const struct request_sock *req,
|
||||||
|
|||||||
@@ -158,7 +158,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
|
|||||||
netlbl_secattr_init(&secattr);
|
netlbl_secattr_init(&secattr);
|
||||||
rc = netlbl_skbuff_getattr(skb, &secattr);
|
rc = netlbl_skbuff_getattr(skb, &secattr);
|
||||||
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
|
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
|
||||||
rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
|
rc = security_netlbl_secattr_to_sid(&secattr,
|
||||||
|
base_sid,
|
||||||
|
sid);
|
||||||
else
|
else
|
||||||
*sid = SECSID_NULL;
|
*sid = SECSID_NULL;
|
||||||
netlbl_secattr_destroy(&secattr);
|
netlbl_secattr_destroy(&secattr);
|
||||||
@@ -196,7 +198,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
|
|||||||
if (netlbl_sock_getattr(sk, &secattr) == 0 &&
|
if (netlbl_sock_getattr(sk, &secattr) == 0 &&
|
||||||
secattr.flags != NETLBL_SECATTR_NONE &&
|
secattr.flags != NETLBL_SECATTR_NONE &&
|
||||||
security_netlbl_secattr_to_sid(&secattr,
|
security_netlbl_secattr_to_sid(&secattr,
|
||||||
SECINITSID_NETMSG,
|
SECINITSID_UNLABELED,
|
||||||
&nlbl_peer_sid) == 0)
|
&nlbl_peer_sid) == 0)
|
||||||
sksec->peer_sid = nlbl_peer_sid;
|
sksec->peer_sid = nlbl_peer_sid;
|
||||||
netlbl_secattr_destroy(&secattr);
|
netlbl_secattr_destroy(&secattr);
|
||||||
@@ -293,31 +295,37 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
|
|||||||
struct avc_audit_data *ad)
|
struct avc_audit_data *ad)
|
||||||
{
|
{
|
||||||
int rc;
|
int rc;
|
||||||
u32 nlbl_sid;
|
u32 netlbl_sid;
|
||||||
u32 perm;
|
u32 recv_perm;
|
||||||
|
|
||||||
rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid);
|
rc = selinux_netlbl_skbuff_getsid(skb,
|
||||||
|
SECINITSID_UNLABELED,
|
||||||
|
&netlbl_sid);
|
||||||
if (rc != 0)
|
if (rc != 0)
|
||||||
return rc;
|
return rc;
|
||||||
if (nlbl_sid == SECSID_NULL)
|
|
||||||
nlbl_sid = SECINITSID_UNLABELED;
|
if (netlbl_sid == SECSID_NULL)
|
||||||
|
return 0;
|
||||||
|
|
||||||
switch (sksec->sclass) {
|
switch (sksec->sclass) {
|
||||||
case SECCLASS_UDP_SOCKET:
|
case SECCLASS_UDP_SOCKET:
|
||||||
perm = UDP_SOCKET__RECVFROM;
|
recv_perm = UDP_SOCKET__RECVFROM;
|
||||||
break;
|
break;
|
||||||
case SECCLASS_TCP_SOCKET:
|
case SECCLASS_TCP_SOCKET:
|
||||||
perm = TCP_SOCKET__RECVFROM;
|
recv_perm = TCP_SOCKET__RECVFROM;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
perm = RAWIP_SOCKET__RECVFROM;
|
recv_perm = RAWIP_SOCKET__RECVFROM;
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
|
rc = avc_has_perm(sksec->sid,
|
||||||
|
netlbl_sid,
|
||||||
|
sksec->sclass,
|
||||||
|
recv_perm,
|
||||||
|
ad);
|
||||||
if (rc == 0)
|
if (rc == 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (nlbl_sid != SECINITSID_UNLABELED)
|
|
||||||
netlbl_skbuff_err(skb, rc);
|
netlbl_skbuff_err(skb, rc);
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user