On Thu, 2013-12-19 at 18:27 -0500, Paul Moore wrote: > queue but should apply to the other stable kernels >=3.4. Thanks Paul... Queuing these up for 3.8 stable. -Kamal > Original commit description is shown below. > > commit 817eff718dca4e54d5721211ddde0914428fbb7c > Author: Paul Moore <pmoore@xxxxxxxxxx> > Date: Tue Dec 10 14:57:54 2013 -0500 > > selinux: look for IPsec labels on both inbound and outbound packets > > Previously selinux_skb_peerlbl_sid() would only check for labeled > IPsec security labels on inbound packets, this patch enables it to > check both inbound and outbound traffic for labeled IPsec security > labels. > > Reported-by: Janak Desai <Janak.Desai@xxxxxxxxxxxxxxx> > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx> > --- > security/selinux/hooks.c | 2 + > security/selinux/include/xfrm.h | 9 ++++--- > security/selinux/xfrm.c | 53 +++++++++++++++++++++++++++++++-------- > 3 files changed, 48 insertions(+), 16 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index d32db41..96e64e9 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -3720,7 +3720,7 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) > u32 nlbl_sid; > u32 nlbl_type; > > - selinux_skb_xfrm_sid(skb, &xfrm_sid); > + selinux_xfrm_skb_sid(skb, &xfrm_sid); > selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); > > err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); > diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h > index c220f31..d1c980c 100644 > --- a/security/selinux/include/xfrm.h > +++ b/security/selinux/include/xfrm.h > @@ -47,6 +47,7 @@ int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, > int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, > struct common_audit_data *ad, u8 proto); > int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); > +int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid); > > static inline void selinux_xfrm_notify_policyload(void) > { > @@ -79,12 +80,12 @@ static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int > static inline void selinux_xfrm_notify_policyload(void) > { > } > -#endif > > -static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid) > +static inline int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid) > { > - int err = selinux_xfrm_decode_session(skb, sid, 0); > - BUG_ON(err); > + *sid = SECSID_NULL; > + return 0; > } > +#endif > > #endif /* _SELINUX_XFRM_H_ */ > diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c > index 8ab2951..1552b91 100644 > --- a/security/selinux/xfrm.c > +++ b/security/selinux/xfrm.c > @@ -152,21 +152,13 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy * > return rc; > } > > -/* > - * LSM hook implementation that checks and/or returns the xfrm sid for the > - * incoming packet. > - */ > - > -int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) > +static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb, > + u32 *sid, int ckall) > { > - struct sec_path *sp; > + struct sec_path *sp = skb->sp; > > *sid = SECSID_NULL; > > - if (skb == NULL) > - return 0; > - > - sp = skb->sp; > if (sp) { > int i, sid_set = 0; > > @@ -190,6 +182,45 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) > return 0; > } > > +static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb) > +{ > + struct dst_entry *dst = skb_dst(skb); > + struct xfrm_state *x; > + > + if (dst == NULL) > + return SECSID_NULL; > + x = dst->xfrm; > + if (x == NULL || !selinux_authorizable_xfrm(x)) > + return SECSID_NULL; > + > + return x->security->ctx_sid; > +} > + > +/* > + * LSM hook implementation that checks and/or returns the xfrm sid for the > + * incoming packet. > + */ > + > +int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) > +{ > + if (skb == NULL) { > + *sid = SECSID_NULL; > + return 0; > + } > + return selinux_xfrm_skb_sid_ingress(skb, sid, ckall); > +} > + > +int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid) > +{ > + int rc; > + > + rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0); > + if (rc == 0 && *sid == SECSID_NULL) > + *sid = selinux_xfrm_skb_sid_egress(skb); > + > + return rc; > +} > + > /* > * Security blob allocation for xfrm_policy and xfrm_state > * CTX does not have a meaningful value on input > > -- > To unsubscribe from this list: send the line "unsubscribe stable" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html >
Attachment:
signature.asc
Description: This is a digitally signed message part