[PATCH v3 1/2] NetLabel: enable dynamic activation/deactivation of NetLabel/SELinux enforcement

2007-07-18 Thread Paul Moore
Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the
current runtime status of NetLabel based on the existing configuration.  LSMs
that make use of NetLabel, i.e. SELinux, can use this new function to determine
if they should perform NetLabel access checks.  This patch changes the
NetLabel/SELinux glue code such that SELinux only enforces NetLabel related
access checks when netlbl_enabled() returns true.

At present NetLabel is considered to be enabled when there is at least one
labeled protocol configuration present.  The result is that by default NetLabel
is considered to be disabled; however, as soon as an administrator configures
a CIPSO DOI definition, NetLabel is enabled and SELinux starts enforcing
NetLabel related access controls - including unlabeled packet controls.

This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL"
blocks into a single block to ease future review as recommended by Linus.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---
 include/net/netlabel.h   |   62 -
 net/netlabel/netlabel_cipso_v4.c |5 +++
 net/netlabel/netlabel_kapi.c |   21 
 net/netlabel/netlabel_mgmt.c |   65 +++
 net/netlabel/netlabel_mgmt.h |5 +++
 security/selinux/netlabel.c  |8 
 6 files changed, 131 insertions(+), 35 deletions(-)

Index: linux-2.6_netmsg_3/include/net/netlabel.h
===
--- linux-2.6_netmsg_3.orig/include/net/netlabel.h
+++ linux-2.6_netmsg_3/include/net/netlabel.h
@@ -144,10 +144,9 @@ struct netlbl_lsm_secattr {
 };
 
 /*
- * LSM security attribute operations
+ * LSM security attribute operations (inline)
  */
 
-
 /**
  * netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache
  * @flags: the memory allocation flags
@@ -283,6 +282,9 @@ static inline void netlbl_secattr_free(s
 }
 
 #ifdef CONFIG_NETLABEL
+/*
+ * LSM security attribute operations
+ */
 int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
   u32 offset);
 int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
@@ -294,6 +296,25 @@ int netlbl_secattr_catmap_setrng(struct 
 u32 start,
 u32 end,
 gfp_t flags);
+
+/*
+ * LSM protocol operations
+ */
+int netlbl_enabled(void);
+int netlbl_sock_setattr(struct sock *sk,
+   const struct netlbl_lsm_secattr *secattr);
+int netlbl_sock_getattr(struct sock *sk,
+   struct netlbl_lsm_secattr *secattr);
+int netlbl_skbuff_getattr(const struct sk_buff *skb,
+ struct netlbl_lsm_secattr *secattr);
+void netlbl_skbuff_err(struct sk_buff *skb, int error);
+
+/*
+ * LSM label mapping cache operations
+ */
+void netlbl_cache_invalidate(void);
+int netlbl_cache_add(const struct sk_buff *skb,
+const struct netlbl_lsm_secattr *secattr);
 #else
 static inline int netlbl_secattr_catmap_walk(
  struct netlbl_lsm_secattr_catmap *catmap,
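Review bot: The new `int netlbl_enabled(void);` prototype is added to the CONFIG_NETLABEL block with no comment saying what "enabled" means or how stable the answer is, and this header is where LSM callers will look for that contract. Per the commit description the result depends on whether any labeled protocol configuration exists, which an administrator can add or remove at runtime, so a caller that checks it and then invokes the other `netlbl_*` operations is presumably acting on a point-in-time snapshot; since this value is what gates SELinux's NetLabel access checks, including the unlabeled-packet controls, that should be stated where the function is declared. I would add above the prototype: `/* netlbl_enabled - non-zero when at least one labeled protocol configuration exists; reflects the current configuration and may change at any time, so treat it as a point-in-time check */`. The same hunk appears again in the duplicated copy of this patch further down the page.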
@@ -301,14 +322,12 @@ static inline int netlbl_secattr_catmap_
 {
return -ENOENT;
 }
-
 static inline int netlbl_secattr_catmap_walk_rng(
  struct netlbl_lsm_secattr_catmap *catmap,
  u32 offset)
 {
return -ENOENT;
 }
-
 static inline int netlbl_secattr_catmap_setbit(
  struct netlbl_lsm_secattr_catmap *catmap,
  u32 bit,
@@ -316,7 +335,6 @@ static inline int netlbl_secattr_catmap_
 {
return 0;
 }
-
 static inline int netlbl_secattr_catmap_setrng(
  struct netlbl_lsm_secattr_catmap *catmap,
  u32 start,
@@ -325,59 +343,33 @@ static inline int netlbl_secattr_catmap_
 {
return 0;
 }
-#endif
-
-/*
- * LSM protocol operations
- */
-
-#ifdef CONFIG_NETLABEL
-int netlbl_sock_setattr(struct sock *sk,
-   const struct netlbl_lsm_secattr *secattr);
-int netlbl_sock_getattr(struct sock *sk,
-   struct netlbl_lsm_secattr *secattr);
-int netlbl_skbuff_getattr(const struct sk_buff *skb,
- struct netlbl_lsm_secattr *secattr);
-void netlbl_skbuff_err(struct sk_buff *skb, int error);
-#else
+static inline int netlbl_enabled(void)
+{
+   return 0;
+}
 static inline int netlbl_sock_setattr(struct sock *sk,
 const struct netlbl_lsm_secattr *secattr)
 {
return -ENOSYS;
 }
-
 static inline int netlbl_sock_getattr(struct sock *sk,
  struct netlbl_lsm_secattr *secattr)
 {
return -ENOSYS;
 }
-
 static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
  

[PATCH v3 1/2] NetLabel: enable dynamic activation/deactivation of NetLabel/SELinux enforcement

2007-07-18 Thread Paul Moore
Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the
current runtime status of NetLabel based on the existing configuration.  LSMs
that make use of NetLabel, i.e. SELinux, can use this new function to determine
if they should perform NetLabel access checks.  This patch changes the
NetLabel/SELinux glue code such that SELinux only enforces NetLabel related
access checks when netlbl_enabled() returns true.

At present NetLabel is considered to be enabled when there is at least one
labeled protocol configuration present.  The result is that by default NetLabel
is considered to be disabled; however, as soon as an administrator configures
a CIPSO DOI definition, NetLabel is enabled and SELinux starts enforcing
NetLabel related access controls - including unlabeled packet controls.

This patch also tries to consolidate the multiple #ifdef CONFIG_NETLABEL
blocks into a single block to ease future review as recommended by Linus.

Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
 include/net/netlabel.h   |   62 -
 net/netlabel/netlabel_cipso_v4.c |5 +++
 net/netlabel/netlabel_kapi.c |   21 
 net/netlabel/netlabel_mgmt.c |   65 +++
 net/netlabel/netlabel_mgmt.h |5 +++
 security/selinux/netlabel.c  |8 
 6 files changed, 131 insertions(+), 35 deletions(-)

Index: linux-2.6_netmsg_3/include/net/netlabel.h
===
--- linux-2.6_netmsg_3.orig/include/net/netlabel.h
+++ linux-2.6_netmsg_3/include/net/netlabel.h
@@ -144,10 +144,9 @@ struct netlbl_lsm_secattr {
 };
 
 /*
- * LSM security attribute operations
+ * LSM security attribute operations (inline)
  */
 
-
 /**
  * netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache
  * @flags: the memory allocation flags
@@ -283,6 +282,9 @@ static inline void netlbl_secattr_free(s
 }
 
 #ifdef CONFIG_NETLABEL
+/*
+ * LSM security attribute operations
+ */
 int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
   u32 offset);
 int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
@@ -294,6 +296,25 @@ int netlbl_secattr_catmap_setrng(struct 
 u32 start,
 u32 end,
 gfp_t flags);
+
+/*
+ * LSM protocol operations
+ */
+int netlbl_enabled(void);
+int netlbl_sock_setattr(struct sock *sk,
+   const struct netlbl_lsm_secattr *secattr);
+int netlbl_sock_getattr(struct sock *sk,
+   struct netlbl_lsm_secattr *secattr);
+int netlbl_skbuff_getattr(const struct sk_buff *skb,
+ struct netlbl_lsm_secattr *secattr);
+void netlbl_skbuff_err(struct sk_buff *skb, int error);
+
+/*
+ * LSM label mapping cache operations
+ */
+void netlbl_cache_invalidate(void);
+int netlbl_cache_add(const struct sk_buff *skb,
+const struct netlbl_lsm_secattr *secattr);
 #else
 static inline int netlbl_secattr_catmap_walk(
  struct netlbl_lsm_secattr_catmap *catmap,
@@ -301,14 +322,12 @@ static inline int netlbl_secattr_catmap_
 {
return -ENOENT;
 }
-
 static inline int netlbl_secattr_catmap_walk_rng(
  struct netlbl_lsm_secattr_catmap *catmap,
  u32 offset)
 {
return -ENOENT;
 }
-
 static inline int netlbl_secattr_catmap_setbit(
  struct netlbl_lsm_secattr_catmap *catmap,
  u32 bit,
@@ -316,7 +335,6 @@ static inline int netlbl_secattr_catmap_
 {
return 0;
 }
-
 static inline int netlbl_secattr_catmap_setrng(
  struct netlbl_lsm_secattr_catmap *catmap,
  u32 start,
@@ -325,59 +343,33 @@ static inline int netlbl_secattr_catmap_
 {
return 0;
 }
-#endif
-
-/*
- * LSM protocol operations
- */
-
-#ifdef CONFIG_NETLABEL
-int netlbl_sock_setattr(struct sock *sk,
-   const struct netlbl_lsm_secattr *secattr);
-int netlbl_sock_getattr(struct sock *sk,
-   struct netlbl_lsm_secattr *secattr);
-int netlbl_skbuff_getattr(const struct sk_buff *skb,
- struct netlbl_lsm_secattr *secattr);
-void netlbl_skbuff_err(struct sk_buff *skb, int error);
-#else
+static inline int netlbl_enabled(void)
+{
+   return 0;
+}
 static inline int netlbl_sock_setattr(struct sock *sk,
 const struct netlbl_lsm_secattr *secattr)
 {
return -ENOSYS;
 }
-
 static inline int netlbl_sock_getattr(struct sock *sk,
  struct netlbl_lsm_secattr *secattr)
 {
return -ENOSYS;
 }
-
 static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,