On Mon, 2011-02-14 at 14:20 +0100, Steffen Klassert wrote:
> The IPSKB_FORWARDED and IP6SKB_FORWARDED flags are used only in the
> multicast forwarding case to indicate that a packet looped back after
> forward. So these flags are not a good indicator for packet forwarding.
> A better indicator is the incoming interface. If we have no socket context,
> but an incoming interface and we see the packet in the ip postroute hook,
> the packet is going to be forwarded.
>
> With this patch we use the incoming interface as an indicator on packet
> forwarding.
>
> Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>

Nice fix. I could have sworn that IP{6}SKB_FORWARDED was more universal when this code was written ... but then again, I'm easily confused :)

Acked-by: Paul Moore <paul.moore@xxxxxx>

> ---
> security/selinux/hooks.c | 23 +++++------------------
> 1 files changed, 5 insertions(+), 18 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 2b594de..1aeae26 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4564,27 +4564,14 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, > * from the sending socket, otherwise use the kernel's sid */ > sk = skb->sk; > if (sk == NULL) { > - switch (family) { > - case PF_INET: > - if (IPCB(skb)->flags & IPSKB_FORWARDED) > - secmark_perm = PACKET__FORWARD_OUT; > - else > - secmark_perm = PACKET__SEND; > - break; > - case PF_INET6: > - if (IP6CB(skb)->flags & IP6SKB_FORWARDED) > - secmark_perm = PACKET__FORWARD_OUT; > - else > - secmark_perm = PACKET__SEND; > - break; > - default: > - return NF_DROP_ERR(-ECONNREFUSED); > - } > - if (secmark_perm == PACKET__FORWARD_OUT) { > + if (skb->skb_iif) { > + secmark_perm = PACKET__FORWARD_OUT; > if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) > return NF_DROP; > - } else > + } else { > + secmark_perm = PACKET__SEND; > peer_sid = SECINITSID_KERNEL; > + } > } else { > struct sk_security_struct *sksec = sk->sk_security; > peer_sid = sksec->sid; -- paul moore linux @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
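Review bot: the no-socket path in this hunk drops the `default: return NF_DROP_ERR(-ECONNREFUSED);` guard along with the `switch (family)`, so a `family` other than PF_INET/PF_INET6 is no longer rejected here and is only seen later by `selinux_skb_peerlbl_sid(skb, family, &peer_sid)` on the forwarded branch; if the hook callers guarantee only those two families reach `selinux_ip_postroute`, a sentence saying so in the commit message would make the removal obviously safe. It would also help to state in the commit message the property the new test relies on, namely that `skb->skb_iif` is zero for packets generated on this host and nonzero only for packets that arrived on an interface, since that is what keeps locally generated socket-less traffic on `PACKET__SEND` with `peer_sid = SECINITSID_KERNEL` rather than `PACKET__FORWARD_OUT`.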