[redhat-lspp] [RFC] [MLSXFRM 02/04] Add enforcement to SELinux LSM

Stephen Smalley sds at tycho.nsa.gov
Thu Jun 15 16:36:12 UTC 2006


On Tue, 2006-06-13 at 17:09 -0500, Venkat Yekkirala wrote:
> This patch adds enforcement of controls added to the xfrm subsystem. Three
> new hooks are added to help with this. Security for IP sockets at the sock
> level is also added. A polmatch permission is also added to the association
> access vector to enable arbitration of flow/state access to a policy rule.

> --- linux-2.6.16.vanilla/security/selinux/xfrm.c	2006-06-12 17:49:44.000000000 -0500
> +++ linux-2.6.16/security/selinux/xfrm.c	2006-06-13 08:40:48.000000000 -0500
> @@ -334,34 +472,25 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_s
>  {
>  	int i, rc = 0;
>  	struct sec_path *sp;
> +	u32 sel_sid = SECINITSID_UNLABELED;
>  
>  	sp = skb->sp;
>  
>  	if (sp) {
> -		/*
> -		 * __xfrm_policy_check does not approve unless xfrm_policy_ok
> -		 * says that spi's match for policy and the socket.
> -		 *
> -		 *  Only need to verify the existence of an authorizable sp.
> -		 */
>  		for (i = 0; i < sp->len; i++) {
>  			struct xfrm_state *x = sp->xvec[i];
>  
> -			if (x && selinux_authorizable_xfrm(x))
> -				goto accept;
> +			if (x && selinux_authorizable_xfrm(x)) {
> +				struct xfrm_sec_ctx *ctx = x->security;
> +				sel_sid = ctx->ctx_sid;
> +				break;
> +			}
>  		}
>  	}
>  
> -	/* check SELinux sock for unlabelled access */
> -	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
> +	rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
>  			  ASSOCIATION__RECVFROM, NULL);
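Review bot: the loop at `+			if (x && selinux_authorizable_xfrm(x)) {` breaks on the first authorizable state and uses only that state's `ctx_sid` for the recvfrom check, so when `sp->len > 1` and a later state in the sec_path carries a different label, that label is never arbitrated against the socket; either document that only the first authorizable transform is consulted or check each authorizable state's SID in turn. The removed comment block that explained the purpose of the sec_path walk also has no replacement; a one-line comment stating that `sel_sid` is the label of the matched state and falls back to `SECINITSID_UNLABELED` would keep the intent readable.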

BTW, I think it would be useful to have the caller
(selinux_sock_rcv_skb) pass in the &ad (avc_audit_data) it constructs
for its own permission checks and propagate that to this avc_has_perm()
call as well.  That way you'll get the network device and packet address
information included in the AVC messages for the association recvfrom
denials as well.  Likewise for postroute_last and the sendto checks.

-- 
Stephen Smalley
National Security Agency