On Thu, Dec 19, 2013 at 06:27:19PM -0500, Paul Moore wrote:
> queue but should apply to the other stable kernels >=3.4.
Thank you Paul, I'm queuing these two backports for the 3.5 and 3.11 kernels. Cheers, -- Luis
> Original commit description is shown below.
>
> commit 817eff718dca4e54d5721211ddde0914428fbb7c
> Author: Paul Moore <pmoore@xxxxxxxxxx>
> Date: Tue Dec 10 14:57:54 2013 -0500
>
> selinux: look for IPsec labels on both inbound and outbound packets
>
> Previously selinux_skb_peerlbl_sid() would only check for labeled
> IPsec security labels on inbound packets, this patch enables it to
> check both inbound and outbound traffic for labeled IPsec security
> labels.
>
> Reported-by: Janak Desai <Janak.Desai@xxxxxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
> ---
> security/selinux/hooks.c | 2 +
> security/selinux/include/xfrm.h | 9 ++++---
> security/selinux/xfrm.c | 53 +++++++++++++++++++++++++++++++--------
> 3 files changed, 48 insertions(+), 16 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index d32db41..96e64e9 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3720,7 +3720,7 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
> u32 nlbl_sid;
> u32 nlbl_type;
>
> - selinux_skb_xfrm_sid(skb, &xfrm_sid);
> + selinux_xfrm_skb_sid(skb, &xfrm_sid);
> selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
>
> err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
> diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
> index c220f31..d1c980c 100644
> --- a/security/selinux/include/xfrm.h
> +++ b/security/selinux/include/xfrm.h
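Review bot: The int result of the renamed call `selinux_xfrm_skb_sid(skb, &xfrm_sid);` is discarded, whereas the inline it replaces (see the xfrm.h hunk) did `BUG_ON(err)` on a non-zero return, so a failure now silently feeds whatever the helper left in xfrm_sid into security_net_peersid_resolve(). Since `err` is already declared in this function, the minimal guard is `err = selinux_xfrm_skb_sid(skb, &xfrm_sid); if (err) return err;`, placed before the netlabel lookup. Whether the ingress helper can actually return non-zero with ckall == 0 is not visible here, but discarding an error return from a label lookup is worth an explicit decision either way. selinux_skb_peerlbl_sid()'s body starts and ends outside the hunk.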
> @@ -47,6 +47,7 @@ int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
> int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
> struct common_audit_data *ad, u8 proto);
> int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
> +int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid);
>
> static inline void selinux_xfrm_notify_policyload(void)
> {
> @@ -79,12 +80,12 @@ static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int
> static inline void selinux_xfrm_notify_policyload(void)
> {
> }
> -#endif
>
> -static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
> +static inline int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
> {
> - int err = selinux_xfrm_decode_session(skb, sid, 0);
> - BUG_ON(err);
> + *sid = SECSID_NULL;
> + return 0;
> }
> +#endif
>
> #endif /* _SELINUX_XFRM_H_ */
> diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
> index 8ab2951..1552b91 100644
> --- a/security/selinux/xfrm.c
> +++ b/security/selinux/xfrm.c
> @@ -152,21 +152,13 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
> return rc;
> }
>
> -/*
> - * LSM hook implementation that checks and/or returns the xfrm sid for the
> - * incoming packet.
> - */
> -
> -int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
> +static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb,
> + u32 *sid, int ckall)
> {
> - struct sec_path *sp;
> + struct sec_path *sp = skb->sp;
>
> *sid = SECSID_NULL;
>
> - if (skb == NULL)
> - return 0;
> -
> - sp = skb->sp;
> if (sp) {
> int i, sid_set = 0;
>
> @@ -190,6 +182,45 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
> return 0;
> }
>
> +static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb)
> +{
> + struct dst_entry *dst = skb_dst(skb);
> + struct xfrm_state *x;
> +
> + if (dst == NULL)
> + return SECSID_NULL;
> + x = dst->xfrm;
> + if (x == NULL || !selinux_authorizable_xfrm(x))
> + return SECSID_NULL;
> +
> + return x->security->ctx_sid;
> +}
> +
> +/*
> + * LSM hook implementation that checks and/or returns the xfrm sid for the
> + * incoming packet.
> + */
> +
> +int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
> +{
> + if (skb == NULL) {
> + *sid = SECSID_NULL;
> + return 0;
> + }
> + return selinux_xfrm_skb_sid_ingress(skb, sid, ckall);
> +}
> +
> +int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
> +{
> + int rc;
> +
> + rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0);
> + if (rc == 0 && *sid == SECSID_NULL)
> + *sid = selinux_xfrm_skb_sid_egress(skb);
> +
> + return rc;
> +}
> +
> /*
> * Security blob allocation for xfrm_policy and xfrm_state
> * CTX does not have a meaningful value on input
>
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
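Review bot: `struct sec_path *sp = skb->sp;` in the new selinux_xfrm_skb_sid_ingress() runs before any NULL check, and the `if (skb == NULL)` guard that used to sit here now lives only in selinux_xfrm_decode_session(); the other new caller, selinux_xfrm_skb_sid() in the following hunk, calls the ingress helper directly, so a NULL skb reaching it would dereference where the replaced inline (which went through decode_session) returned SECSID_NULL. Whether any caller of selinux_xfrm_skb_sid() can pass NULL is not visible here; if none can, a one-line comment above the helper such as `/* caller guarantees skb != NULL */` records the new contract, otherwise the guard belongs in selinux_xfrm_skb_sid() as well. The helper's body continues past the end of the hunk.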
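Review bot: Neither selinux_xfrm_skb_sid() nor selinux_xfrm_skb_sid_egress() carries a comment, while the block comment kept above selinux_xfrm_decode_session() still describes only the incoming case, so nothing in the file states the new lookup order. A comment above `int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)` along the lines of `/* Return the packet's xfrm sid: the inbound sec_path label if set, else the label of the dst's xfrm state (outbound), else SECSID_NULL. */` would do. The egress helper also deserves a note that it consults only `dst->xfrm`, the state attached directly to the dst; if nested transforms can occur on this path, inner states are not examined, which is worth stating as deliberate or revisiting. The read at `return x->security->ctx_sid;` presumably relies on selinux_authorizable_xfrm() guaranteeing x->security is non-NULL — confirm that is among its checks.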