There is a problem where packets being sent by the TUN driver are not
correctly handled by SELinux in the postrouting code. The issue is that
the SELinux network access controls rely on a packet's associated sock, when
present, for it's security label. The TUN driver does create a sock to send
network traffic but it only calls into the LSM/SELinux code once via the
security_sk_alloc() hook which never fully initializes the sock's label. This
patch attempts to correct this problem by adding the normal LSM socket
creation hooks to the TUN driver.
NOTE: this is an RFC patch intended to demonstrate a possible solution
completely different from the v1 patch, but it is still crude, untested and
not fully hashed out just yet. Please take a look and see if this approach
is even worth pursuing ... thanks.
---
drivers/net/tun.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 11a0ba4..7db4b13 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -946,6 +946,10 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
if (!capable(CAP_NET_ADMIN))
return -EPERM;
+ err = security_socket_create(AF_UNSPEC, SOCK_RAW, 0, 0);
+ if (err < 0)
+ return err;
+
/* Set dev type */
if (ifr->ifr_flags & IFF_TUN) {
/* TUN device */
@@ -987,6 +991,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
tun->sk = sk;
container_of(sk, struct tun_sock, sk)->tun = tun;
+ /* XXX - correct placement? */
+ err = security_socket_post_create(tun->socket,
+ AF_UNSPEC, SOCK_RAW, 0, 0);
+ if (err < 0)
+ goto err_free_sk;
+
tun_net_init(dev);
if (strchr(dev->name, '%')) {
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
