On 12/16/19 5:36 PM, Casey Schaufler wrote:
Netlabel uses LSM interfaces requiring an lsmblob and
the internal storage is used to pass information between
these interfaces, so change the internal data from a secid
to an lsmblob. Update the netlabel interfaces and their
callers to accommodate the change. This requires that the
modules using netlabel use the lsm_id.slot to access the
correct secid when using netlabel.
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
---
include/net/netlabel.h | 8 ++--
net/ipv4/cipso_ipv4.c | 6 ++-
net/netlabel/netlabel_kapi.c | 6 +--
net/netlabel/netlabel_unlabeled.c | 57 +++++++++++------------------
net/netlabel/netlabel_unlabeled.h | 2 +-
security/selinux/hooks.c | 2 +-
security/selinux/include/security.h | 1 +
security/selinux/netlabel.c | 2 +-
security/selinux/ss/services.c | 4 +-
security/smack/smack.h | 1 +
security/smack/smack_lsm.c | 5 ++-
security/smack/smackfs.c | 10 +++--
12 files changed, 50 insertions(+), 54 deletions(-)
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 376882215919..8ee7a804423e 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1467,7 +1467,8 @@ static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def,
buffer[0] = CIPSO_V4_TAG_LOCAL;
buffer[1] = CIPSO_V4_TAG_LOC_BLEN;
- *(u32 *)&buffer[2] = secattr->attr.secid;
+ /* only one netlabel user - the first */
+ *(u32 *)&buffer[2] = secattr->attr.lsmblob.secid[0];
return CIPSO_V4_TAG_LOC_BLEN;
}
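Review bot: the index in secattr->attr.lsmblob.secid[0] is a hard-coded 0 in this hunk, while the SELinux hunks in the same patch index the blob with selinux_lsmid.slot; nothing in the patch ties the two choices together, so they can diverge without any compile- or run-time signal. Suggest one named accessor or constant for "the slot NetLabel populates", used both here and by the LSM callers, plus a comment stating where the "only one netlabel user" assumption is actually enforced rather than just asserted.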
@@ -1487,7 +1488,8 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,
const unsigned char *tag,
struct netlbl_lsm_secattr *secattr)
{
- secattr->attr.secid = *(u32 *)&tag[2];
+ /* only one netlabel user - the first */
+ secattr->attr.lsmblob.secid[0] = *(u32 *)&tag[2];
secattr->flags |= NETLBL_SECATTR_SECID;
return 0;
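Review bot: only secid[0] of the blob is assigned in cipso_v4_parsetag_loc, yet the NETLBL_SECATTR_SECID flag set on the following line covers the whole attribute, not one slot; a consumer that reads a different slot sees a valid flag and an unset secid. Consider clearing the rest of the blob before assigning secid[0], or documenting that secattr arrives zeroed from the caller.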
Here we always use secid[0].
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 6a94b31b5472..d8d7603ab14e 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -108,7 +108,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr(
return NULL;
if ((secattr->flags & NETLBL_SECATTR_SECID) &&
- (secattr->attr.secid == sid))
+ (secattr->attr.lsmblob.secid[selinux_lsmid.slot] == sid))
return secattr;
return NULL;
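Review bot: if selinux_lsmid.slot is anything other than the index 0 that cipso_ipv4.c writes, this comparison fails and the function returns NULL, which callers cannot distinguish from "no cached secattr"; the mismatch would surface as lost labels rather than as an error. Worth a comment here, or a check at LSM registration that the SELinux slot is the one NetLabel populates.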
And here we use secid[selinux_lsmid.slot]. So things will break in
interesting ways if selinux_lsmid.slot is anything other than zero?
What's the point of using this indirection in the security modules
until/unless NetLabel truly supports something other than slot 0?
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index a5813c7629c1..2b7680903b6b 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -3599,7 +3599,7 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state,
if (secattr->flags & NETLBL_SECATTR_CACHE)
*sid = *(u32 *)secattr->cache->data;
else if (secattr->flags & NETLBL_SECATTR_SECID)
- *sid = secattr->attr.secid;
+ *sid = secattr->attr.lsmblob.secid[selinux_lsmid.slot];
else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
rc = -EIDRM;
ctx = sidtab_search(sidtab, SECINITSID_NETMSG);
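Review bot: in the NETLBL_SECATTR_SECID branch *sid is read from secid[selinux_lsmid.slot] with no check that this slot is the one that was filled in; because the flag is per-attribute and the write is per-slot, a slot mismatch makes the function succeed with an unset sid. Suggest validating the slot against the flag's producer or, if NetLabel only ever fills slot 0, reading slot 0 here as well until multi-LSM NetLabel support exists.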
@@ -3672,7 +3672,7 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state,
if (secattr->domain == NULL)
goto out;
- secattr->attr.secid = sid;
+ secattr->attr.lsmblob.secid[selinux_lsmid.slot] = sid;
secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
mls_export_netlbl_lvl(policydb, ctx, secattr);
rc = mls_export_netlbl_cat(policydb, ctx, secattr);
Ditto