Re: [PATCH][SELINUX] Add name_connect permission check
On Sun, 3 Apr 2005, Dave Airlie wrote: > On a standard FC3 with selinux enabled, booting the latest -bk breaks > all my outgoing TCP connections at a guess due to this patch.. this > probably isn't something that people really want to happen.. or maybe > Fedora can release an updated policy to deal with it? You need an updated policy, which you can grab from rawhide for FC3 or via CVS at http://selinux.sourceforge.net/ - James -- James Morris <[EMAIL PROTECTED]> - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH][SELINUX] Add name_connect permission check
On Mar 24, 2005 12:41 AM, Stephen Smalley <[EMAIL PROTECTED]> wrote: > On Wed, 2005-03-23 at 09:40 -0500, Stephen Smalley wrote: > > This patch adds a name_connect permission check to SELinux to provide > > control over outbound TCP connections to particular ports distinct > > from the general controls over sending and receiving packets. Please > > apply. > > On a standard FC3 with selinux enabled, booting the latest -bk breaks all my outgoing TCP connections at a guess due to this patch.. this probably isn't something that people really want to happen.. or maybe Fedora can release an updated policy to deal with it? Dave. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH][SELINUX] Add name_connect permission check
On Mar 24, 2005 12:41 AM, Stephen Smalley [EMAIL PROTECTED] wrote: On Wed, 2005-03-23 at 09:40 -0500, Stephen Smalley wrote: This patch adds a name_connect permission check to SELinux to provide control over outbound TCP connections to particular ports distinct from the general controls over sending and receiving packets. Please apply. On a standard FC3 with selinux enabled, booting the latest -bk breaks all my outgoing TCP connections at a guess due to this patch.. this probably isn't something that people really want to happen.. or maybe Fedora can release an updated policy to deal with it? Dave. - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH][SELINUX] Add name_connect permission check
On Sun, 3 Apr 2005, Dave Airlie wrote: On a standard FC3 with selinux enabled, booting the latest -bk breaks all my outgoing TCP connections at a guess due to this patch.. this probably isn't something that people really want to happen.. or maybe Fedora can release an updated policy to deal with it? You need an updated policy, which you can grab from rawhide for FC3 or via CVS at http://selinux.sourceforge.net/ - James -- James Morris [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH][SELINUX] Add name_connect permission check
On Wed, 2005-03-23 at 09:40 -0500, Stephen Smalley wrote: > This patch adds a name_connect permission check to SELinux to provide > control over outbound TCP connections to particular ports distinct > from the general controls over sending and receiving packets. Please > apply. > > security/selinux/hooks.c | 48 > ++- > security/selinux/include/av_perm_to_string.h |1 > security/selinux/include/av_permissions.h|1 > 3 files changed, 49 insertions(+), 1 deletion(-) Ah, sorry - forgot the Signed-off-by lines. Signed-off-by: Stephen Smalley <[EMAIL PROTECTED]> Signed-off-by: James Morris <[EMAIL PROTECTED]> -- Stephen Smalley <[EMAIL PROTECTED]> National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH][SELINUX] Add name_connect permission check
This patch adds a name_connect permission check to SELinux to provide control over outbound TCP connections to particular ports distinct from the general controls over sending and receiving packets. Please apply. security/selinux/hooks.c | 48 ++- security/selinux/include/av_perm_to_string.h |1 security/selinux/include/av_permissions.h|1 3 files changed, 49 insertions(+), 1 deletion(-) Index: linux-2.6/security/selinux/hooks.c === RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v retrieving revision 1.160 diff -u -p -r1.160 hooks.c --- linux-2.6/security/selinux/hooks.c 22 Mar 2005 17:30:12 - 1.160 +++ linux-2.6/security/selinux/hooks.c 23 Mar 2005 14:17:26 - @@ -3085,7 +3085,53 @@ out: static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) { - return socket_has_perm(current, sock, SOCKET__CONNECT); + struct inode_security_struct *isec; + int err; + + err = socket_has_perm(current, sock, SOCKET__CONNECT); + if (err) + return err; + + /* +* If a TCP socket, check name_connect permission for the port. +*/ + isec = SOCK_INODE(sock)->i_security; + if (isec->sclass == SECCLASS_TCP_SOCKET) { + struct sock *sk = sock->sk; + struct avc_audit_data ad; + struct sockaddr_in *addr4 = NULL; + struct sockaddr_in6 *addr6 = NULL; + unsigned short snum; + u32 sid; + + if (sk->sk_family == PF_INET) { + addr4 = (struct sockaddr_in *)address; + if (addrlen != sizeof(struct sockaddr_in)) + return -EINVAL; + snum = ntohs(addr4->sin_port); + } else { + addr6 = (struct sockaddr_in6 *)address; + if (addrlen != sizeof(struct sockaddr_in6)) + return -EINVAL; + snum = ntohs(addr6->sin6_port); + } + + err = security_port_sid(sk->sk_family, sk->sk_type, + sk->sk_protocol, snum, ); + if (err) + goto out; + + AVC_AUDIT_DATA_INIT(,NET); + ad.u.net.dport = htons(snum); + ad.u.net.family = sk->sk_family; + err = avc_has_perm(isec->sid, sid, isec->sclass, + TCP_SOCKET__NAME_CONNECT, ); + if (err) + goto out; + } + +out: + return err; } static int selinux_socket_listen(struct socket *sock, int backlog) Index: linux-2.6/security/selinux/include/av_perm_to_string.h === RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_perm_to_string.h,v retrieving revision 1.23 diff -u -p -r1.23 av_perm_to_string.h --- linux-2.6/security/selinux/include/av_perm_to_string.h 23 Feb 2005 20:26:54 - 1.23 +++ linux-2.6/security/selinux/include/av_perm_to_string.h 22 Mar 2005 20:29:05 - @@ -25,6 +25,7 @@ S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn") S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom") S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind") + S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect") S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind") S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind") S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv") Index: linux-2.6/security/selinux/include/av_permissions.h === RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_permissions.h,v retrieving revision 1.22 diff -u -p -r1.22 av_permissions.h --- linux-2.6/security/selinux/include/av_permissions.h 23 Feb 2005 20:26:54 - 1.22 +++ linux-2.6/security/selinux/include/av_permissions.h 22 Mar 2005 20:29:05 - @@ -253,6 +253,7 @@ #define TCP_SOCKET__NEWCONN 0x0080UL #define TCP_SOCKET__ACCEPTFROM0x0100UL #define TCP_SOCKET__NODE_BIND 0x0200UL +#define TCP_SOCKET__NAME_CONNECT 0x0400UL #define UDP_SOCKET__IOCTL 0x0001UL #define UDP_SOCKET__READ 0x0002UL -- Stephen Smalley <[EMAIL PROTECTED]> National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH][SELINUX] Add name_connect permission check
This patch adds a name_connect permission check to SELinux to provide control over outbound TCP connections to particular ports distinct from the general controls over sending and receiving packets. Please apply. security/selinux/hooks.c | 48 ++- security/selinux/include/av_perm_to_string.h |1 security/selinux/include/av_permissions.h|1 3 files changed, 49 insertions(+), 1 deletion(-) Index: linux-2.6/security/selinux/hooks.c === RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v retrieving revision 1.160 diff -u -p -r1.160 hooks.c --- linux-2.6/security/selinux/hooks.c 22 Mar 2005 17:30:12 - 1.160 +++ linux-2.6/security/selinux/hooks.c 23 Mar 2005 14:17:26 - @@ -3085,7 +3085,53 @@ out: static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) { - return socket_has_perm(current, sock, SOCKET__CONNECT); + struct inode_security_struct *isec; + int err; + + err = socket_has_perm(current, sock, SOCKET__CONNECT); + if (err) + return err; + + /* +* If a TCP socket, check name_connect permission for the port. +*/ + isec = SOCK_INODE(sock)-i_security; + if (isec-sclass == SECCLASS_TCP_SOCKET) { + struct sock *sk = sock-sk; + struct avc_audit_data ad; + struct sockaddr_in *addr4 = NULL; + struct sockaddr_in6 *addr6 = NULL; + unsigned short snum; + u32 sid; + + if (sk-sk_family == PF_INET) { + addr4 = (struct sockaddr_in *)address; + if (addrlen != sizeof(struct sockaddr_in)) + return -EINVAL; + snum = ntohs(addr4-sin_port); + } else { + addr6 = (struct sockaddr_in6 *)address; + if (addrlen != sizeof(struct sockaddr_in6)) + return -EINVAL; + snum = ntohs(addr6-sin6_port); + } + + err = security_port_sid(sk-sk_family, sk-sk_type, + sk-sk_protocol, snum, sid); + if (err) + goto out; + + AVC_AUDIT_DATA_INIT(ad,NET); + ad.u.net.dport = htons(snum); + ad.u.net.family = sk-sk_family; + err = avc_has_perm(isec-sid, sid, isec-sclass, + TCP_SOCKET__NAME_CONNECT, ad); + if (err) + goto out; + } + +out: + return err; } static int selinux_socket_listen(struct socket *sock, int backlog) Index: linux-2.6/security/selinux/include/av_perm_to_string.h === RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_perm_to_string.h,v retrieving revision 1.23 diff -u -p -r1.23 av_perm_to_string.h --- linux-2.6/security/selinux/include/av_perm_to_string.h 23 Feb 2005 20:26:54 - 1.23 +++ linux-2.6/security/selinux/include/av_perm_to_string.h 22 Mar 2005 20:29:05 - @@ -25,6 +25,7 @@ S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, newconn) S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, acceptfrom) S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, node_bind) + S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, name_connect) S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, node_bind) S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, node_bind) S_(SECCLASS_NODE, NODE__TCP_RECV, tcp_recv) Index: linux-2.6/security/selinux/include/av_permissions.h === RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/include/av_permissions.h,v retrieving revision 1.22 diff -u -p -r1.22 av_permissions.h --- linux-2.6/security/selinux/include/av_permissions.h 23 Feb 2005 20:26:54 - 1.22 +++ linux-2.6/security/selinux/include/av_permissions.h 22 Mar 2005 20:29:05 - @@ -253,6 +253,7 @@ #define TCP_SOCKET__NEWCONN 0x0080UL #define TCP_SOCKET__ACCEPTFROM0x0100UL #define TCP_SOCKET__NODE_BIND 0x0200UL +#define TCP_SOCKET__NAME_CONNECT 0x0400UL #define UDP_SOCKET__IOCTL 0x0001UL #define UDP_SOCKET__READ 0x0002UL -- Stephen Smalley [EMAIL PROTECTED] National Security Agency - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH][SELINUX] Add name_connect permission check
On Wed, 2005-03-23 at 09:40 -0500, Stephen Smalley wrote: This patch adds a name_connect permission check to SELinux to provide control over outbound TCP connections to particular ports distinct from the general controls over sending and receiving packets. Please apply. security/selinux/hooks.c | 48 ++- security/selinux/include/av_perm_to_string.h |1 security/selinux/include/av_permissions.h|1 3 files changed, 49 insertions(+), 1 deletion(-) Ah, sorry - forgot the Signed-off-by lines. Signed-off-by: Stephen Smalley [EMAIL PROTECTED] Signed-off-by: James Morris [EMAIL PROTECTED] -- Stephen Smalley [EMAIL PROTECTED] National Security Agency - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/