Re: [PATCH stable 1/2] Resubmitting to stable as a backport, backported based on the 3.4 stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2013-12-19 at 18:27 -0500, Paul Moore wrote:
> queue but should apply to the other stable kernels >=3.4.

Thanks Paul...  Queuing these up for 3.8 stable.

 -Kamal


> Original commit description is shown below.
> 
> 	commit 817eff718dca4e54d5721211ddde0914428fbb7c
> 	Author: Paul Moore <pmoore@xxxxxxxxxx>
> 	Date:   Tue Dec 10 14:57:54 2013 -0500
> 
> 	selinux: look for IPsec labels on both inbound and outbound packets
> 
> 	Previously selinux_skb_peerlbl_sid() would only check for labeled
> 	IPsec security labels on inbound packets, this patch enables it to
> 	check both inbound and outbound traffic for labeled IPsec security
> 	labels.
> 
> 	Reported-by: Janak Desai <Janak.Desai@xxxxxxxxxxxxxxx>
> 	Cc: stable@xxxxxxxxxxxxxxx
> 	Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
> ---
>  security/selinux/hooks.c        |    2 +
>  security/selinux/include/xfrm.h |    9 ++++---
>  security/selinux/xfrm.c         |   53 +++++++++++++++++++++++++++++++--------
>  3 files changed, 48 insertions(+), 16 deletions(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index d32db41..96e64e9 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3720,7 +3720,7 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
>  	u32 nlbl_sid;
>  	u32 nlbl_type;
>  
> -	selinux_skb_xfrm_sid(skb, &xfrm_sid);
> +	selinux_xfrm_skb_sid(skb, &xfrm_sid);
>  	selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
>  
>  	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
> diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
> index c220f31..d1c980c 100644
> --- a/security/selinux/include/xfrm.h
> +++ b/security/selinux/include/xfrm.h
> @@ -47,6 +47,7 @@ int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
>  int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
>  			struct common_audit_data *ad, u8 proto);
>  int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
> +int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid);
>  
>  static inline void selinux_xfrm_notify_policyload(void)
>  {
> @@ -79,12 +80,12 @@ static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int
>  static inline void selinux_xfrm_notify_policyload(void)
>  {
>  }
> -#endif
>  
> -static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
> +static inline int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
>  {
> -	int err = selinux_xfrm_decode_session(skb, sid, 0);
> -	BUG_ON(err);
> +	*sid = SECSID_NULL;
> +	return 0;
>  }
> +#endif
>  
>  #endif /* _SELINUX_XFRM_H_ */
> diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
> index 8ab2951..1552b91 100644
> --- a/security/selinux/xfrm.c
> +++ b/security/selinux/xfrm.c
> @@ -152,21 +152,13 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
>  	return rc;
>  }
>  
> -/*
> - * LSM hook implementation that checks and/or returns the xfrm sid for the
> - * incoming packet.
> - */
> -
> -int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
> +static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb,
> +					u32 *sid, int ckall)
>  {
> -	struct sec_path *sp;
> +	struct sec_path *sp = skb->sp;
>  
>  	*sid = SECSID_NULL;
>  
> -	if (skb == NULL)
> -		return 0;
> -
> -	sp = skb->sp;
>  	if (sp) {
>  		int i, sid_set = 0;
>  
> @@ -190,6 +182,45 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
>  	return 0;
>  }
>  
> +static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb)
> +{
> +	struct dst_entry *dst = skb_dst(skb);
> +	struct xfrm_state *x;
> +
> +	if (dst == NULL)
> +		return SECSID_NULL;
> +	x = dst->xfrm;
> +	if (x == NULL || !selinux_authorizable_xfrm(x))
> +		return SECSID_NULL;
> +
> +	return x->security->ctx_sid;
> +}
> +
> +/*
> + * LSM hook implementation that checks and/or returns the xfrm sid for the
> + * incoming packet.
> + */
> +
> +int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
> +{
> +	if (skb == NULL) {
> +		*sid = SECSID_NULL;
> +		return 0;
> +	}
> +	return selinux_xfrm_skb_sid_ingress(skb, sid, ckall);
> +}
> +
> +int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
> +{
> +	int rc;
> +
> +	rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0);
> +	if (rc == 0 && *sid == SECSID_NULL)
> +		*sid = selinux_xfrm_skb_sid_egress(skb);
> +
> +	return rc;
> +}
> +
>  /*
>   * Security blob allocation for xfrm_policy and xfrm_state
>   * CTX does not have a meaningful value on input
> 
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]