1
linux/net/ipv4
Paul Moore 389fb800ac netlabel: Label incoming TCP connections correctly in SELinux
The current NetLabel/SELinux behavior for incoming TCP connections works but
only through a series of happy coincidences that rely on the limited nature of
standard CIPSO (only able to convey MLS attributes) and the write equality
imposed by the SELinux MLS constraints.  The problem is that network sockets
created as the result of an incoming TCP connection were not on-the-wire
labeled based on the security attributes of the parent socket but rather based
on the wire label of the remote peer.  The issue had to do with how IP options
were managed as part of the network stack and where the LSM hooks were in
relation to the code which set the IP options on these newly created child
sockets.  While NetLabel/SELinux did correctly set the socket's on-the-wire
label it was promptly cleared by the network stack and reset based on the IP
options of the remote peer.

This patch, in conjunction with a prior patch that adjusted the LSM hook
locations, works to set the correct on-the-wire label format for new incoming
connections through the security_inet_conn_request() hook.  Besides the
correct behavior there are many advantages to this change, the most significant
is that all of the NetLabel socket labeling code in SELinux now lives in hooks
which can return error codes to the core stack which allows us to finally get
ride of the selinux_netlbl_inode_permission() logic which greatly simplfies
the NetLabel/SELinux glue code.  In the process of developing this patch I
also ran into a small handful of AF_INET6 cleanliness issues that have been
fixed which should make the code safer and easier to extend in the future.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
2009-03-28 15:01:36 +11:00
..
netfilter Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2009-03-26 22:45:23 -07:00
af_inet.c net: convert usage of packet_type to read_mostly 2009-03-10 05:22:43 -07:00
ah4.c netns xfrm: AH/ESP in netns! 2008-11-25 17:59:27 -08:00
arp.c ipv4: arp announce, arp_proxy and windows ip conflict verification 2009-03-13 16:02:07 -07:00
cipso_ipv4.c netlabel: Label incoming TCP connections correctly in SELinux 2009-03-28 15:01:36 +11:00
datagram.c
devinet.c netlink: change nlmsg_notify() return value logic 2009-02-24 23:18:28 -08:00
esp4.c netns xfrm: AH/ESP in netns! 2008-11-25 17:59:27 -08:00
fib_frontend.c ip: add loose reverse path filtering 2009-02-22 19:54:45 -08:00
fib_hash.c net: clean up net/ipv4/fib_frontend.c fib_hash.c ip_gre.c 2008-11-03 00:25:16 -08:00
fib_lookup.h
fib_rules.c
fib_semantics.c netlink: change nlmsg_notify() return value logic 2009-02-24 23:18:28 -08:00
fib_trie.c net: replace NIPQUAD() in net/ipv4/ net/ipv6/ 2008-10-31 00:53:57 -07:00
icmp.c netns: Fix icmp shutdown. 2009-03-03 01:14:15 -08:00
igmp.c netns: igmp: make /proc/net/{igmp,mcfilter} per netns 2008-12-25 16:42:51 -08:00
inet_connection_sock.c net: move bsockets outside of read only beginning of struct inet_hashinfo 2009-02-01 12:31:33 -08:00
inet_diag.c net: Convert TCP/DCCP listening hash tables to use RCU 2008-11-23 17:22:55 -08:00
inet_fragment.c inet fragments: fix sparse warning: context imbalance 2009-02-26 23:13:35 -08:00
inet_hashtables.c net: move bsockets outside of read only beginning of struct inet_hashinfo 2009-02-01 12:31:33 -08:00
inet_lro.c include/net net/ - csum_partial - remove unnecessary casts 2008-11-19 15:44:53 -08:00
inet_timewait_sock.c net: convert TCP/DCCP ehash rwlocks to spinlocks 2008-11-20 20:39:09 -08:00
inetpeer.c net: clean up net/ipv4/ah4.c esp4.c fib_semantics.c inet_connection_sock.c inetpeer.c ip_output.c 2008-11-03 00:23:42 -08:00
ip_forward.c net: reduce structures when XFRM=n 2008-10-28 13:24:06 -07:00
ip_fragment.c netns: oops in ip[6]_frag_reasm incrementing stats 2009-03-18 23:26:11 -07:00
ip_gre.c gre: used time_before for comparing jiffies 2009-02-24 23:34:48 -08:00
ip_input.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2008-11-18 23:38:23 -08:00
ip_options.c
ip_output.c ip: support for TX timestamps on UDP and RAW sockets 2009-02-15 22:43:38 -08:00
ip_sockglue.c net: ip_sockglue.c add static, annotate ports' endianness 2008-11-20 01:54:27 -08:00
ipcomp.c netns xfrm: state lookup in netns 2008-11-25 17:30:50 -08:00
ipconfig.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
ipip.c ipip: used time_before for comparing jiffies 2009-02-24 23:36:47 -08:00
ipmr.c ipmr: use goto to common label instead of opencoding 2009-02-06 23:46:51 -08:00
Kconfig Doc: Refer to ip-sysctl.txt for strict vs. loose rp_filter mode 2009-02-24 03:47:42 -08:00
Makefile
netfilter.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2008-11-28 02:19:15 -08:00
proc.c net: replace commatas with semicolons 2009-02-16 00:08:56 -08:00
protocol.c
raw.c ip: support for TX timestamps on UDP and RAW sockets 2009-02-15 22:43:38 -08:00
route.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
syncookies.c lsm: Relocate the IPv4 security_inet_conn_request() hooks 2009-03-28 15:01:36 +11:00
sysctl_net_ipv4.c net: '&' redux 2008-11-03 18:21:05 -08:00
tcp_bic.c tcp: add helper for AI algorithm 2009-03-02 03:00:15 -08:00
tcp_cong.c tcp: add helper for AI algorithm 2009-03-02 03:00:15 -08:00
tcp_cubic.c tcp: add helper for AI algorithm 2009-03-02 03:00:15 -08:00
tcp_diag.c net: inet_diag_handler structs can be const 2008-11-19 15:43:27 -08:00
tcp_highspeed.c
tcp_htcp.c htcp: merge icsk_ca_state compare 2009-03-02 03:00:14 -08:00
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: Discard segments that ack data not yet sent 2009-03-22 21:49:57 -07:00
tcp_ipv4.c lsm: Relocate the IPv4 security_inet_conn_request() hooks 2009-03-28 15:01:36 +11:00
tcp_lp.c
tcp_minisocks.c tcp: consolidate paws check 2009-03-15 20:09:52 -07:00
tcp_output.c tcp: simplify tcp_current_mss 2009-03-15 20:09:54 -07:00
tcp_probe.c tcp: '< 0' test on unsigned 2009-03-13 16:05:14 -07:00
tcp_scalable.c tcp: add helper for AI algorithm 2009-03-02 03:00:15 -08:00
tcp_timer.c tcp: cleanup ca_state mess in tcp_timer 2009-03-02 03:00:13 -08:00
tcp_vegas.c tcp: tcp_vegas cong avoid fix 2008-12-09 00:13:04 -08:00
tcp_vegas.h
tcp_veno.c tcp: add helper for AI algorithm 2009-03-02 03:00:15 -08:00
tcp_westwood.c
tcp_yeah.c tcp: add helper for AI algorithm 2009-03-02 03:00:15 -08:00
tcp.c tcp: remove parameter from tcp_recv_urg(). 2009-03-18 18:50:09 -07:00
tunnel4.c
udp_impl.h udp: introduce struct udp_table and multiple spinlocks 2008-10-29 01:41:45 -07:00
udp.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-03-26 01:22:01 -07:00
udplite.c udp: RCU handling for Unicast packets. 2008-10-29 02:11:14 -07:00
xfrm4_input.c ipsec: Remove useless ret variable 2008-12-26 01:31:18 -08:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c
xfrm4_output.c
xfrm4_policy.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
xfrm4_state.c xfrm: remove useless forward declarations 2008-11-25 01:05:54 -08:00
xfrm4_tunnel.c