| blob | e64eca246f1ab25ce57cb1190cc578fa643421e9 |
1 /*
2 * SELinux NetLabel Support
3 *
4 * This file provides the necessary glue to tie NetLabel into the SELinux
5 * subsystem.
6 *
7 * Author: Paul Moore <paul.moore@hp.com>
8 *
9 */
11 /*
12 * (c) Copyright Hewlett-Packard Development Company, L.P., 2007
13 *
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
18 *
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
22 * the GNU General Public License for more details.
23 *
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27 *
28 */
30 #include <linux/spinlock.h>
31 #include <linux/rcupdate.h>
32 #include <net/sock.h>
33 #include <net/netlabel.h>
38 /**
39 * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
40 * @sk: the socket to label
41 * @sid: the SID to use
42 *
43 * Description:
44 * Attempt to label a socket using the NetLabel mechanism using the given
45 * SID. Returns zero values on success, negative values on failure. The
46 * caller is responsibile for calling rcu_read_lock() before calling this
47 * this function and rcu_read_unlock() after this function returns.
48 *
49 */
51 {
65 }
68 }
70 /**
71 * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
72 *
73 * Description:
74 * Invalidate the NetLabel security attribute mapping cache.
75 *
76 */
78 {
80 }
82 /**
83 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
84 * @ssec: the sk_security_struct
85 * @family: the socket family
86 *
87 * Description:
88 * Called when the NetLabel state of a sk_security_struct needs to be reset.
89 * The caller is responsibile for all the NetLabel sk_security_struct locking.
90 *
91 */
94 {
97 else
99 }
101 /**
102 * selinux_netlbl_sk_security_init - Setup the NetLabel fields
103 * @ssec: the sk_security_struct
104 * @family: the socket family
105 *
106 * Description:
107 * Called when a new sk_security_struct is allocated to initialize the NetLabel
108 * fields.
109 *
110 */
113 {
114 /* No locking needed, we are the only one who has access to ssec */
117 }
119 /**
120 * selinux_netlbl_sk_security_clone - Copy the NetLabel fields
121 * @ssec: the original sk_security_struct
122 * @newssec: the cloned sk_security_struct
123 *
124 * Description:
125 * Clone the NetLabel specific sk_security_struct fields from @ssec to
126 * @newssec.
127 *
128 */
131 {
132 /* We don't need to take newssec->nlbl_lock because we are the only
133 * thread with access to newssec, but we do need to take the RCU read
134 * lock as other threads could have access to ssec */
139 }
141 /**
142 * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
143 * @skb: the packet
144 * @base_sid: the SELinux SID to use as a context for MLS only attributes
145 * @sid: the SID
146 *
147 * Description:
148 * Call the NetLabel mechanism to get the security attributes of the given
149 * packet and use those attributes to determine the correct context/SID to
150 * assign to the packet. Returns zero on success, negative values on failure.
151 *
152 */
154 {
162 base_sid,
163 sid);
164 else
169 }
171 /**
172 * selinux_netlbl_sock_graft - Netlabel the new socket
173 * @sk: the new connection
174 * @sock: the new socket
175 *
176 * Description:
177 * The connection represented by @sk is being grafted onto @sock so set the
178 * socket's NetLabel to match the SID of @sk.
179 *
180 */
182 {
186 u32 nlbl_peer_sid;
195 }
201 SECINITSID_UNLABELED,
206 /* Try to set the NetLabel on the socket to save time later, if we fail
207 * here we will pick up the pieces in later calls to
208 * selinux_netlbl_inode_permission(). */
212 }
214 /**
215 * selinux_netlbl_socket_post_create - Label a socket using NetLabel
216 * @sock: the socket to label
217 *
218 * Description:
219 * Attempt to label a socket using the NetLabel mechanism using the given
220 * SID. Returns zero values on success, negative values on failure.
221 *
222 */
224 {
238 }
240 /**
241 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
242 * @inode: the file descriptor's inode
243 * @mask: the permission mask
244 *
245 * Description:
246 * Looks at a file's inode and if it is marked as a socket protected by
247 * NetLabel then verify that the socket has been labeled, if not try to label
248 * the socket now with the inode's SID. Returns zero on success, negative
249 * values on failure.
250 *
251 */
253 {
270 }
279 }
281 /**
282 * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
283 * @sksec: the sock's sk_security_struct
284 * @skb: the packet
285 * @ad: the audit data
286 *
287 * Description:
288 * Fetch the NetLabel security attributes from @skb and perform an access check
289 * against the receiving socket. Returns zero on success, negative values on
290 * error.
291 *
292 */
296 {
298 u32 netlbl_sid;
299 u32 recv_perm;
302 SECINITSID_UNLABELED,
319 }
322 netlbl_sid,
324 recv_perm,
325 ad);
331 }
333 /**
334 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
335 * @sock: the socket
336 * @level: the socket level or protocol
337 * @optname: the socket option name
338 *
339 * Description:
340 * Check the setsockopt() call and if the user is trying to replace the IP
341 * options on a socket and a NetLabel is in place for the socket deny the
342 * access; otherwise allow the access. Returns zero when the access is
343 * allowed, -EACCES when denied, and other negative values on error.
344 *
345 */
349 {
365 }
369 }