Re: [PATCH] selinux-testsuite: Enhance inet_socket tests

2018-06-13 Thread Richard Haines via Selinux
On Tue, 2018-06-12 at 18:02 -0400, Paul Moore wrote:
> On Fri, Apr 13, 2018 at 6:13 AM, Richard Haines via Selinux
>  wrote:
> > Enhance the tests as follows:
> > 1) Determine number of tests to run with current config.
> > 2) Add CALIPSO STREAM tests (DGRAM not supported in kernel. See
> > [1]).
> > 3) Add support for CIPSO TAGS 1 & 2. Closes [2].
> > 4) Run scripts using /bin/sh.
> > 5) Shorten sleep time as more tests.
> > 
> > [1] https://github.com/SELinuxProject/selinux-kernel/issues/24
> > [2] https://github.com/SELinuxProject/selinux-testsuite/issues/1
> > 
> > Signed-off-by: Richard Haines 
> > ---
> >  tests/inet_socket/calipso-flush |   5 +
> >  tests/inet_socket/calipso-load  |   7 +
> >  tests/inet_socket/cipso-fl-flush|   0
> >  tests/inet_socket/cipso-fl-load |   0
> >  tests/inet_socket/cipso-flush   |   0
> >  tests/inet_socket/cipso-load-t1 |  11 +
> >  tests/inet_socket/cipso-load-t2 |  11 +
> >  tests/inet_socket/{cipso-load => cipso-load-t5} |   0
> >  tests/inet_socket/ipsec-flush   |   0
> >  tests/inet_socket/ipsec-load|   0
> >  tests/inet_socket/iptables-flush|   0
> >  tests/inet_socket/iptables-load |   0
> >  tests/inet_socket/server.c  |  16 +-
> >  tests/inet_socket/test  | 348
> > ++--
> >  14 files changed, 310 insertions(+), 88 deletions(-)
> >  create mode 100644 tests/inet_socket/calipso-flush
> >  create mode 100644 tests/inet_socket/calipso-load
> >  mode change 100755 => 100644 tests/inet_socket/cipso-fl-flush
> >  mode change 100755 => 100644 tests/inet_socket/cipso-fl-load
> >  mode change 100755 => 100644 tests/inet_socket/cipso-flush
> >  create mode 100644 tests/inet_socket/cipso-load-t1
> >  create mode 100644 tests/inet_socket/cipso-load-t2
> >  rename tests/inet_socket/{cipso-load => cipso-load-t5} (100%)
> >  mode change 100755 => 100644
> >  mode change 100755 => 100644 tests/inet_socket/ipsec-flush
> >  mode change 100755 => 100644 tests/inet_socket/ipsec-load
> >  mode change 100755 => 100644 tests/inet_socket/iptables-flush
> >  mode change 100755 => 100644 tests/inet_socket/iptables-load
> >  mode change 100755 => 100644 tests/inet_socket/test
> 
> I had to fixup the file mode bits on tests/inet_socket/test, but
> other
> than that this looks fine to me, merged.  Thanks.

The reason I have not been setting +x on the tests/*/test scripts is
that the tests/Makefile does it for you. However, as all the others are
set, I'll set +x in future (as you flagged this on the sctp and binder
patches I sent).
> 
> I remain a little wary about the reduced sleep times (1s to 0.25s),
> but I'm never comfortable with arbitrary sleep-and-hope-it-works
> tricks anyway.

I've been using this value in the SCTP tests for some time and have not
had any problems; that's why I used it for the inet tests (probably
better to have the client try connecting x times and do away with the
wait).

> 
> > diff --git a/tests/inet_socket/calipso-flush
> > b/tests/inet_socket/calipso-flush
> > new file mode 100644
> > index 000..5143962
> > --- /dev/null
> > +++ b/tests/inet_socket/calipso-flush
> > @@ -0,0 +1,5 @@
> > +#!/bin/sh
> > +# Reset NetLabel configuration to unlabeled after CALIPSO/IPv6
> > tests.
> > +netlabelctl map del default
> > +netlabelctl calipso del doi:16
> > +netlabelctl map add default protocol:unlbl
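Review bot: the flush script runs all three `netlabelctl` calls without checking any return code, so if `netlabelctl calipso del doi:16` fails (for example because calipso-load never ran, or a previous flush already removed the DOI) the script still exits 0 and the harness cannot tell a clean reset from a partial one. Consider recording the return code of each call and exiting non-zero at the end if any failed, so a stale NetLabel mapping is reported rather than silently carried into the next test.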
> > diff --git a/tests/inet_socket/calipso-load
> > b/tests/inet_socket/calipso-load
> > new file mode 100644
> > index 000..4bb9c7f
> > --- /dev/null
> > +++ b/tests/inet_socket/calipso-load
> > @@ -0,0 +1,7 @@
> > +#!/bin/sh
> > +# Define a doi for testing loopback for CALIPSO/IPv6.
> > +netlabelctl calipso add pass doi:16
> > +netlabelctl map del default
> > +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
> > +netlabelctl map add default address:::/0 protocol:unlbl
> > +netlabelctl map add default address:::1 protocol:calipso,16
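Review bot: the load script is not idempotent: if an earlier run was interrupted before calipso-flush, `netlabelctl calipso add pass doi:16` is expected to fail because doi:16 already exists, yet the four `map` lines that follow still run against that stale DOI with no indication to the caller. Consider deleting any existing doi:16 first (ignoring its error) or aborting when the add fails. A short comment that `address:::/0` and `address:::1` are the `address:` key followed by `::/0` and `::1` would also help, since the triple colon is easy to misread as a typo.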
> > diff --git a/tests/inet_socket/cipso-fl-flush
> > b/tests/inet_socket/cipso-fl-flush
> > old mode 100755
> > new mode 100644
> > diff --git a/tests/inet_socket/cipso-fl-load
> > b/tests/inet_socket/cipso-fl-load
> > old mode 100755
> > new mode 100644
> > diff --git a/tests/inet_socket/cipso-flush
> > b/tests/inet_socket/cipso-flush
> >

[PATCH V2] selinux-testsuite: Add SCTP test support

2018-06-01 Thread Richard Haines via Selinux
The sctp testsuite tests all new sctp SELinux functionality.

Signed-off-by: Richard Haines 
---
V2 Changes:
Add -v option to test
Add info in README.md regarding lksctp-tools-devel requirements
Fix asconf parameter chunk processing in test
Fix merge error for policy/Makefile
Fix buffer overflow in sctp_asconf_params_client.c

 README.md  |   4 +-
 policy/Makefile|   4 +
 policy/test_sctp.te| 159 +
 tests/Makefile |   4 +
 tests/sctp/Makefile|  13 +
 tests/sctp/calipso-flush   |   5 +
 tests/sctp/calipso-load|   7 +
 tests/sctp/cipso-fl-flush  |   5 +
 tests/sctp/cipso-fl-load   |   7 +
 tests/sctp/cipso-flush |   5 +
 tests/sctp/cipso-load-t1   |   7 +
 tests/sctp/cipso-load-t2   |   7 +
 tests/sctp/cipso-load-t5   |   7 +
 tests/sctp/fb-deny-label-flush |   6 +
 tests/sctp/fb-deny-label-load  |   7 +
 tests/sctp/fb-label-flush  |   6 +
 tests/sctp/fb-label-load   |   8 +
 tests/sctp/iptables-flush  |   4 +
 tests/sctp/iptables-load   |  27 +
 tests/sctp/sctp_asconf_params_client.c | 298 +
 tests/sctp/sctp_asconf_params_server.c | 236 +++
 tests/sctp/sctp_bind.c |  81 +++
 tests/sctp/sctp_bindx.c| 116 
 tests/sctp/sctp_client.c   | 220 +++
 tests/sctp/sctp_common.c   | 101 +++
 tests/sctp/sctp_common.h   |  27 +
 tests/sctp/sctp_connectx.c | 124 
 tests/sctp/sctp_peeloff_server.c   | 260 
 tests/sctp/sctp_server.c   | 335 ++
 tests/sctp/sctp_set_params.c   | 205 +++
 tests/sctp/sctp_set_peer_addr.c| 414 +
 tests/sctp/sctp_set_pri_addr.c | 135 
 tests/sctp/test| 814 +
 33 files changed, 3657 insertions(+), 1 deletion(-)
 create mode 100644 policy/test_sctp.te
 create mode 100644 tests/sctp/Makefile
 create mode 100644 tests/sctp/calipso-flush
 create mode 100644 tests/sctp/calipso-load
 create mode 100644 tests/sctp/cipso-fl-flush
 create mode 100644 tests/sctp/cipso-fl-load
 create mode 100644 tests/sctp/cipso-flush
 create mode 100644 tests/sctp/cipso-load-t1
 create mode 100644 tests/sctp/cipso-load-t2
 create mode 100644 tests/sctp/cipso-load-t5
 create mode 100644 tests/sctp/fb-deny-label-flush
 create mode 100644 tests/sctp/fb-deny-label-load
 create mode 100644 tests/sctp/fb-label-flush
 create mode 100644 tests/sctp/fb-label-load
 create mode 100644 tests/sctp/iptables-flush
 create mode 100644 tests/sctp/iptables-load
 create mode 100644 tests/sctp/sctp_asconf_params_client.c
 create mode 100644 tests/sctp/sctp_asconf_params_server.c
 create mode 100644 tests/sctp/sctp_bind.c
 create mode 100644 tests/sctp/sctp_bindx.c
 create mode 100644 tests/sctp/sctp_client.c
 create mode 100644 tests/sctp/sctp_common.c
 create mode 100644 tests/sctp/sctp_common.h
 create mode 100644 tests/sctp/sctp_connectx.c
 create mode 100644 tests/sctp/sctp_peeloff_server.c
 create mode 100644 tests/sctp/sctp_server.c
 create mode 100644 tests/sctp/sctp_set_params.c
 create mode 100644 tests/sctp/sctp_set_peer_addr.c
 create mode 100644 tests/sctp/sctp_set_pri_addr.c
 create mode 100755 tests/sctp/test

diff --git a/README.md b/README.md
index 60a249e..2c871d3 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,7 @@ similar dependencies):
 * net-tools _(for `ifconfig`, used by `capable_net/test`)_
 * netlabel\_tools _(to load NetLabel configuration during `inet_socket` tests)_
 * iptables _(to load the `iptables SECMARK` rules during `inet_socket` tests)_
+* lksctp-tools-devel _(to build the SCTP test programs)_
 
 On a modern Fedora system you can install these dependencies with the
 following command:
@@ -61,7 +62,8 @@ following command:
libselinux-devel \
net-tools \
netlabel_tools \
-   iptables
+   iptables \
+   lksctp-tools-devel
 
 The testsuite requires a pre-existing base policy configuration of SELinux,
 using either the old example policy or the reference policy as the baseline.
diff --git a/policy/Makefile b/policy/Makefile
index 15e3a0c..cc70d33 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -67,6 +67,10 @@ ifeq ($(shell grep -q binder 
$(POLDEV)/include/support/all_perms.spt && echo tru
 TARGETS += test_binder.te
 endif
 
+ifeq ($(shell grep -q corenet_sctp_bind_all_nodes 
$(POLDEV)/include/kernel/corenetwork.if && echo true),true)
+TARGETS += test_sctp.te
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS))
 endif
diff --git a/policy/test_sctp.te b/policy/test_sctp.te
new file mode 100644
index 000..6d432

Re: [PATCH] selinux-testsuite: Add SCTP test support

2018-05-31 Thread Richard Haines via Selinux
On Wed, 2018-05-30 at 16:42 -0400, Paul Moore wrote:
> On Tue, Mar 20, 2018 at 1:48 PM, Richard Haines via Selinux
>  wrote:
> > The sctp testsuite tests all new sctp SELinux functionality.
> > 
> > Signed-off-by: Richard Haines 
> 
> Now that the new SELinux userspace is out, I applied this to my test
> tree and noticed two problems at the start (both easily fixed):
> 
> * We need to list the lksctp-tools-devel package as a dependency in
> README.md
> * Minor merge conflict in policy/Makefile
> 
> ... actually running the test went rather well, but there was one
> test
> failure: test #11, the "asconf parameter chunk processing".  Looking
> a
> bit closer at the failure, it appears that the address detection code
> at the top of tests/sctp/test needs to be a bit more robust as
> 'hostname -I' returns multiple addresses, but they are a mix of IPv4
> and IPv6 - all on one interface.
> 
> I would suggest taking a look at parsing the output of 'ip -o addr
> show up scope global' and using that instead of 'hostname -I'.
> 

Thanks for the feedback, I'll fix these and post a new patch in a few
days.

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: [RFC V4 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-22 Thread Richard Haines via Selinux
On Tue, 2018-05-22 at 09:53 -0400, Stephen Smalley wrote:
> On 05/22/2018 09:11 AM, Stephen Smalley wrote:
> > On 05/22/2018 09:01 AM, Stephen Smalley wrote:
> > > On 05/22/2018 07:37 AM, Richard Haines wrote:
> > > > Could you try this version where I've packed the transaction
> > > > structures.
> > > > I could not get the tests to fail on my two systems (but then
> > > > V3 didn't).
> > > 
> > > Hmmm...I saw one instance of a failure in test 6 when running
> > > ./test by
> > > hand but am now having problems replicating it.
> > > 
> > > dmesg output during all 6 tests was:
> > > 
> > > [  263.831513] binder: release 2025:2025 transaction 2 out, still
> > > active
> > > [  263.831519] binder: 2024:2024 transaction failed 29189/0, size
> > > 24-8 line 2788
> > > [  263.831522] binder: send failed reply for transaction 2,
> > > target dead
> > > [  263.846321] binder: 2026:2026 transaction failed 29201/-1,
> > > size 24-8 line 2864
> > > [  263.858613] binder: 2024:2027 transaction failed 29201/-1,
> > > size 0-0 line 2864
> > > [  263.872764] binder: 2028:2028 transaction failed 29201/-1,
> > > size 24-8 line 3050
> > > [  263.883684] binder: 2029:2029 ioctl 40046207 0 returned -13
> > > [  263.895261] binder: 2030 RLIMIT_NICE not set
> > > [  264.151699] binder: 2030 RLIMIT_NICE not set
> > > [  264.151879] binder: 2030 RLIMIT_NICE not set
> > > [  264.152212] binder: undelivered transaction 19, process died.
> > > [  264.152219] binder: 2030 RLIMIT_NICE not set
> > > [  264.153438] binder: 2030 RLIMIT_NICE not set
> > > 
> > > Are all of those expected?

Almost. These are my journal outputs for each test. The line numbers
will not match yours as I've added a bit of debug. I think I've
interpreted the results correctly for each one.

TEST 1:
binder: release 13663:13663 transaction 386 out, still active
binder: 13662:13662 transaction failed 29189/0, size 24-8 line 2800
(this is BR_DEAD_REPLY)
binder: send failed reply for transaction 386, target dead
Dead target because I kill it off (I guess I could close down cleanly,
but I just wanted to get something to at least BR_TRANSACTION_COMPLETE).

TEST 2:
binder: 13674:13674 transaction failed 29201/-1, size 24-8 line 2876
This is BR_FAILED_REPLY as the call perm was denied.

TEST 3:
binder: 13699:13700 transaction failed 29201/-1, size 0-0 line 2876
This is BR_FAILED_REPLY as impersonate perm was denied.

TEST 4:
binder: 13730:13730 transaction failed 29201/-1, size 24-8 line 3062
This is BR_FAILED_REPLY as transfer perm was denied.

TEST 5:
binder: 13754:13754 ioctl 40046207 0 returned -13
This is because set_context_mgr perm was denied.

TEST 6:
binder: 13780 RLIMIT_NICE not set (capability sys_nice denied - could
add this) 
binder: 13780 RLIMIT_NICE not set
binder: 13780 RLIMIT_NICE not set
binder: 13780:13780 transaction failed 29201/-1, size 24-8 line 3088
binder: send failed reply for transaction 402 to 13781:13781
binder: 13780 RLIMIT_NICE not set
This is BR_FAILED_REPLY as the fd:use permission is denied
(BINDER_TYPE_FD)


> > 
> > Now it is repeating upon a fresh reboot and running ./test by hand
> > repeatedly.
> > Also seeing these errors:
> > [  176.467915] binder_alloc: 1998: binder_alloc_buf, no vma
> > [  176.468046] binder: undelivered TRANSACTION_ERROR: 29189
> > 
> > Running it via make test passes though, oddly enough.
> > 
> > This is with completely stock 4.17-rc5 on F28.
> 
> ./test -v reports the following for test 6:
> Manager PID: 1949 Process context:
>   unconfined_u:unconfined_r:test_binder_mgr_no_fd_t:s0-
> s0:c0.c1023
> Service Provider PID: 1950 Process context:
>   unconfined_u:unconfined_r:test_binder_provider_t:s0-s0:c0.c1023
> Service Provider sending transaction to Manager - ADD_TEST_SERVICE
> Service Provider read_consumed: 48
> Service Provider command: BR_NOOP
> Service Provider command: BR_INCREFS
> Service Provider command: BR_ACQUIRE
> Service Provider command: BR_TRANSACTION_COMPLETE
> Manager read_consumed: 72
> Manager command: BR_NOOP
> Manager command: BR_TRANSACTION
> Manager BR_TRANSACTION data:
>   handle: 0
>   cookie: 0
>   code: 100
>   flag: TF_ACCEPT_FDS
>   sender pid: 1950
>   sender euid: 0
>   data_size: 24
>   offsets_size: 8
>   hdr: BINDER_TYPE_HANDLE
>   handle: 1
>   flags: priority: 0x7f accept FDS: YES
>   cookie: 0
> Manager has BINDER_TYPE_HANDLE obj->handle: 1
> Manager acquired handle: 1 for Service Provider
> Manager sending BC_REPLY to obtain its FD
> Manager

[RFC V4 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-22 Thread Richard Haines via Selinux
Add binder tests. See tests/binder/test_binder.c for details on
message flows to test security_binder*() functions.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 README.md   |   8 +
 defconfig   |   7 +
 policy/Makefile |   4 +
 policy/test_binder.te   | 120 +++
 tests/Makefile  |   5 +
 tests/binder/Makefile   |   7 +
 tests/binder/check_binder.c |  80 +
 tests/binder/test   |  89 +
 tests/binder/test_binder.c  | 684 
 9 files changed, 1004 insertions(+)
 create mode 100644 policy/test_binder.te
 create mode 100644 tests/binder/Makefile
 create mode 100644 tests/binder/check_binder.c
 create mode 100644 tests/binder/test
 create mode 100644 tests/binder/test_binder.c

diff --git a/README.md b/README.md
index c9f3b2b..60a249e 100644
--- a/README.md
+++ b/README.md
@@ -141,6 +141,14 @@ directory or you can follow these broken-out steps:
 The broken-out steps allow you to run the tests multiple times without
 loading policy each time.
 
+Note that if leaving the test policy in-place for further testing, the
+policy build process changes a boolean:
+   On policy load:   setsebool allow_domain_fd_use=0
+   On policy unload: setsebool allow_domain_fd_use=1
+The consequence of this is that after a system reboot, the boolean
+defaults to true. Therefore if running the fdreceive or binder tests,
+reset the boolean to false, otherwise some tests will fail.
+
 4) Review the test results.
 
 As each test script is run, the name of the script will be displayed followed
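Review bot: the note tells the reader to "reset the boolean to false" but never gives the command; state it explicitly, e.g. `setsebool allow_domain_fd_use=0`, which is the same command the load step shows two lines above. The two `On policy load:` / `On policy unload:` lines are indented by three spaces, which Markdown treats as a continuation of the preceding paragraph rather than a code block, so the commands will be run together with the prose; indent them by four spaces or put them in a fenced block.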
diff --git a/defconfig b/defconfig
index 7dce8bc..c48d3cc 100644
--- a/defconfig
+++ b/defconfig
@@ -51,3 +51,10 @@ CONFIG_CRYPTO_USER=m
 # This is enabled to test overlayfs SELinux integration.
 # It is not required for SELinux operation itself.
 CONFIG_OVERLAY_FS=m
+
+# Android binder implementations.
+# These are enabled to test the binder controls in
+# tests/binder; they are not required for SELinux operation itself.
+CONFIG_ANDROID=y
+CONFIG_ANDROID_BINDER_DEVICES="binder"
+CONFIG_ANDROID_BINDER_IPC=y
diff --git a/policy/Makefile b/policy/Makefile
index 5e07ee2..15e3a0c 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -63,6 +63,10 @@ ifeq ($(shell grep -q nnp_transition 
$(POLDEV)/include/support/all_perms.spt &&
 export M4PARAM += -Dnnp_nosuid_transition_permission_defined
 endif
 
+ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && echo 
true),true)
+TARGETS += test_binder.te
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS))
 endif
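Review bot: `grep -q binder $(POLDEV)/include/support/all_perms.spt` matches the substring `binder` anywhere in the file, so any unrelated occurrence of the word would enable test_binder.te against a policy that has no binder class and break the policy build. Anchoring the pattern to the permission-set macro that all_perms.spt defines for the binder class, rather than the bare word, makes the probe more robust; the same applies to the `nnp_transition` check it is modelled on. Also, as rendered here the `ifeq` line is wrapped after `echo`, so confirm the patch applies with that line intact.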
diff --git a/policy/test_binder.te b/policy/test_binder.te
new file mode 100644
index 000..0589396
--- /dev/null
+++ b/policy/test_binder.te
@@ -0,0 +1,120 @@
+
+attribute binderdomain;
+
+#
+## Manager ###
+#
+type test_binder_mgr_t;
+domain_type(test_binder_mgr_t)
+unconfined_runs_test(test_binder_mgr_t)
+typeattribute test_binder_mgr_t testdomain;
+typeattribute test_binder_mgr_t binderdomain;
+allow test_binder_mgr_t self:binder { set_context_mgr call };
+allow test_binder_mgr_t test_binder_provider_t:binder call;
+allow test_binder_mgr_t device_t:chr_file { ioctl open read write };
+allow_map(test_binder_mgr_t, device_t, chr_file)
+allow test_binder_mgr_t self:capability { sys_nice };
+allow test_binder_provider_t test_binder_mgr_t:fd use;
+fs_getattr_tmpfs(test_binder_mgr_t)
+allow test_binder_mgr_t tmpfs_t:file { read write open };
+allow_map(test_binder_mgr_t, tmpfs_t, file)
+fs_manage_tmpfs_dirs(test_binder_mgr_t)
+fs_manage_tmpfs_files(test_binder_mgr_t)
+
+#
+## Manager no fd {use} ###
+#
+type test_binder_mgr_no_fd_t;
+domain_type(test_binder_mgr_no_fd_t)
+unconfined_runs_test(test_binder_mgr_no_fd_t)
+typeattribute test_binder_mgr_no_fd_t testdomain;
+typeattribute test_binder_mgr_no_fd_t binderdomain;
+allow test_binder_mgr_no_fd_t self:binder { set_context_mgr call };
+allow test_binder_mgr_no_fd_t test_binder_provider_t:binder { call };
+allow test_binder_mgr_no_fd_t device_t:chr_file { ioctl open read write };
+allow_map(test_binder_mgr_no_fd_t, device_t, chr_file)
+allow test_binder_provider_t test_binder_mgr_no_fd_t:binder { call transfer 
impersonate };
+fs_getattr_tmpfs(test_binder_mgr_no_fd_t)
+allow test_binder_mgr_no_fd_t tmpfs_t:file { read write open };
+allow_map(test_binder_mgr_no_fd_t, tmpfs_t, file)
+fs_manage_tmpfs_dirs(test_binder_mgr_no_fd_t)
+fs_manage_tmpfs_files(test_binder_mgr_no_fd_t)
+
+#
+## Service Provider 
+#
+type test_binder_provider_t;
+domain_type(test_binder_provider_t)
+unconfined_runs_test(test_binder_provider_t)
+typeattribute test_binder_provider_t testdomain;
+typeattribute test_binder
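Review bot: test_binder_mgr_t gets `self:capability { sys_nice }` but test_binder_mgr_no_fd_t does not, so the no-fd manager will also hit the sys_nice denial behind the repeated `RLIMIT_NICE not set` messages shown for test 6 earlier in this thread; adding `allow test_binder_mgr_no_fd_t self:capability { sys_nice };` keeps that test focused on the intended `fd use` denial. In the same section, the deliberate absence of an `allow test_binder_provider_t test_binder_mgr_no_fd_t:fd use;` rule is the whole point of the domain and deserves a one-line comment saying so, and `{ call }` versus the bare `call` used in the otherwise parallel test_binder_mgr_t section is a style inconsistency worth squaring up.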

[RFC V4 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-22 Thread Richard Haines via Selinux
Could you try this version where I've packed the transaction structures.
I could not get the tests to fail on my two systems (but then V3 didn't).

Thanks

I've updated this so it still tests all the binder permissions.

I didn't bother with a Client as I found another way to achieve the
same result. Plenty of comments in test_binder.c to explain. Hopefully
it is sane, otherwise a Client will be required.

I've tested on Fedora 28 with linux-4.17-rc5 so that it does not
suffer the same fate as V1 did. Also looked to see what other patches
were in the pipeline, none that should stop this version working.

V2 Changes:
Fixed the policy and test Makefiles
Updated binder policy.
Updated the defconfig and now works to build linux-4.17-rc5
Updated the test to handle the -v option. Plenty of output
to see what is happening.

V3 Changes:
Added missing policy for using shared memory.
Use the allow_map macro.

V4 Changes:
Pack transaction structures.
Check if $(INCLUDEDIR)/linux/android/binder.h exists.

Richard Haines (1):
  selinux-testsuite: Add binder tests

 README.md   |   8 +
 defconfig   |   7 +
 policy/Makefile |   4 +
 policy/test_binder.te   | 120 +++
 tests/Makefile  |   5 +
 tests/binder/Makefile   |   7 +
 tests/binder/check_binder.c |  80 +
 tests/binder/test   |  89 +
 tests/binder/test_binder.c  | 684 
 9 files changed, 1004 insertions(+)
 create mode 100644 policy/test_binder.te
 create mode 100644 tests/binder/Makefile
 create mode 100644 tests/binder/check_binder.c
 create mode 100644 tests/binder/test
 create mode 100644 tests/binder/test_binder.c

-- 
2.17.0




Re: [RFC V3 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Richard Haines via Selinux
On Mon, 2018-05-21 at 13:06 -0400, Stephen Smalley wrote:
> On 05/21/2018 01:02 PM, Stephen Smalley wrote:
> > On 05/21/2018 12:33 PM, Richard Haines wrote:
> > > Add binder tests. See tests/binder/test_binder.c for details on
> > > message flows to test security_binder*() functions.
> > 
> > Breaks the build on RHEL7 since /usr/include/linux/android/binder.h
> > does not exist and is not

I'll fix this.

> > provided by any package.  On F28 with v4.17-rc5, 2 tests fail at
> > runtime:
> > # ./test -v
> > 1..6
> > Manager PID: 5610 Process context:
> > unconfined_u:unconfined_r:test_binder_mgr_t:s0-s0:c0.c1023
> > Service Provider PID: 5611 Process context:
> > unconfined_u:unconfined_r:test_binder_provider_t:s0-s0:c0.c1023
> > Service Provider sending transaction to Manager - ADD_TEST_SERVICE
> > Service Provider read_consumed: 8
> > Service Provider command: BR_NOOP
> > Service Provider command: BR_FAILED_REPLY
> > not ok 1
> > #   Failed test at ./test line 46.
> > Service Provider PID: 5612 Process context:
> > unconfined_u:unconfined_r:test_binder_provider_no_call_t:s0-
> > s0:c0.c1023
> > Service Provider sending transaction to Manager - ADD_TEST_SERVICE
> > Service Provider read_consumed: 8
> > Service Provider command: BR_NOOP
> > Service Provider command: BR_FAILED_REPLY
> > ok 2
> > Service Provider PID: 5613 Process context:
> > unconfined_u:unconfined_r:test_binder_provider_no_im_t:s0-
> > s0:c0.c1023
> > Service Provider sending transaction to Manager - ADD_TEST_SERVICE
> > Service Provider read_consumed: 8
> > Service Provider command: BR_NOOP
> > Service Provider command: BR_FAILED_REPLY
> > not ok 3
> > #   Failed test at ./test line 56.
> > Service Provider PID: 5614 Process context:
> > unconfined_u:unconfined_r:test_binder_provider_no_transfer_t:s0
> > -s0:c0.c1023
> > Service Provider sending transaction to Manager - ADD_TEST_SERVICE
> > Service Provider read_consumed: 8
> > Service Provider command: BR_NOOP
> > Service Provider command: BR_FAILED_REPLY
> > ok 4
> > Manager PID: 5615 Process context:
> > unconfined_u:unconfined_r:test_binder_provider_t:s0-s0:c0.c1023
> > Failed to become context manager: Permission denied
> > ok 5
> > Manager PID: 5616 Process context:
> > unconfined_u:unconfined_r:test_binder_mgr_no_fd_t:s0-
> > s0:c0.c1023
> > Service Provider PID: 5617 Process context:
> > unconfined_u:unconfined_r:test_binder_provider_t:s0-s0:c0.c1023
> > Service Provider sending transaction to Manager - ADD_TEST_SERVICE
> > Service Provider read_consumed: 8
> > Service Provider command: BR_NOOP
> > Service Provider command: BR_FAILED_REPLY
> > ok 6
> > # Looks like you failed 2 tests of 6.
> 
> dmesg output during the tests:
> <6>[ 2769.139332] binder: 5827:5827 got transaction with invalid
> offset (4096, min 0 max 24) or object.
> <6>[ 2769.139377] binder: 5827:5827 transaction failed 29201/-22,
> size 24-8 line 3034
> <6>[ 2769.159674] binder: 5828:5828 transaction failed 29201/-1, size
> 24-8 line 2864
> <6>[ 2769.170922] binder: 5829:5829 got transaction with invalid
> offset (4096, min 0 max 24) or object.
> <6>[ 2769.170933] binder: 5829:5829 transaction failed 29201/-22,
> size 24-8 line 3034
> <6>[ 2769.182644] binder: 5830:5830 got transaction with invalid
> offset (4096, min 0 max 24) or object.
> <6>[ 2769.182655] binder: 5830:5830 transaction failed 29201/-22,
> size 24-8 line 3034
> <6>[ 2769.199232] binder: 5831:5831 ioctl 40046207 0 returned -13
> <6>[ 2769.209828] binder: 5832 RLIMIT_NICE not set
> <6>[ 2769.495722] binder: 5833:5833 got transaction with invalid
> offset (4096, min 0 max 24) or object.
> <6>[ 2769.495740] binder: 5833:5833 transaction failed 29201/-22,
> size 24-8 line 3034
> 

I've seen this type of error when I was first experimenting, but don't
see this on my system any more. I think it's because I don't pack like
the Android code:

struct {
uint32_t cmd;
struct binder_transaction_data txn;
} __attribute__((packed)) writebuf;

I'll pack as they do and send an update to see if it works on your
system.
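
Why the unpacked layout produces the "invalid offset" errors above: the binder write buffer is consumed as a 32-bit command word immediately followed by the transaction struct, so any padding the compiler inserts after `cmd` shifts every transaction field by four bytes. The following is an added illustration, not code from the testsuite or from the kernel; `struct txn_stub` is a constructed stand-in for `struct binder_transaction_data` that only reproduces its 8-byte alignment, and `reader_offsets_size` is a hypothetical reader that mimics how the kernel walks the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct binder_transaction_data. It is NOT the
 * kernel's definition; it only reproduces the property that matters here:
 * the first member is 8 bytes wide and 8-byte aligned, so the whole struct
 * is 8-byte aligned (the _Alignas makes that true on every ABI). */
struct txn_stub {
    _Alignas(8) uint64_t target;   /* union of handle/ptr in the real struct */
    uint64_t cookie;
    uint32_t code;
    uint32_t flags;
    uint64_t data_size;
    uint64_t offsets_size;
};

/* What the consumer expects in the write buffer: cmd immediately followed by
 * the transaction, no padding. This mirrors the Android-style declaration
 * quoted in the message above. */
struct writebuf_packed {
    uint32_t cmd;
    struct txn_stub txn;
} __attribute__((packed));

/* What the compiler lays out without the attribute: 4 bytes of padding after
 * cmd so that txn starts on an 8-byte boundary. */
struct writebuf_unpacked {
    uint32_t cmd;
    struct txn_stub txn;
};

/* Padding bytes between cmd and txn for each layout (0 vs 4). */
size_t gap_packed(void)   { return offsetof(struct writebuf_packed, txn) - sizeof(uint32_t); }
size_t gap_unpacked(void) { return offsetof(struct writebuf_unpacked, txn) - sizeof(uint32_t); }

/* Hypothetical reader that walks the buffer the way the kernel's write path
 * does: take the 32-bit cmd, then copy the transaction from the very next
 * byte. It returns the offsets_size field it believes it has read. */
static uint64_t reader_offsets_size(const void *buf)
{
    struct txn_stub txn;
    memcpy(&txn, (const char *)buf + sizeof(uint32_t), sizeof txn);
    return txn.offsets_size;
}

/* Fill a packed buffer with data_size=24, offsets_size=8 (the sizes that
 * appear in the dmesg lines in this thread) and report what the reader sees. */
uint64_t offsets_size_seen_packed(void)
{
    struct writebuf_packed w;
    memset(&w, 0, sizeof w);
    w.cmd = 1;
    w.txn.data_size = 24;
    w.txn.offsets_size = 8;
    return reader_offsets_size(&w);
}

/* Same values through the unpacked layout: every field is read four bytes
 * late, so offsets_size comes back as a nonsense value instead of 8, which
 * is exactly the kind of bogus offsets buffer the kernel rejects. */
uint64_t offsets_size_seen_unpacked(void)
{
    struct writebuf_unpacked w;
    memset(&w, 0, sizeof w);
    w.cmd = 1;
    w.txn.data_size = 24;
    w.txn.offsets_size = 8;
    return reader_offsets_size(&w);
}

int main(void)
{
    printf("padding after cmd: packed=%zu unpacked=%zu\n",
           gap_packed(), gap_unpacked());
    printf("offsets_size read back: packed=%llu unpacked=%llu\n",
           (unsigned long long)offsets_size_seen_packed(),
           (unsigned long long)offsets_size_seen_unpacked());
    return 0;
}
```

The same shift applies to the reply and free-buffer commands, which is why packing every `cmd`-plus-struct wrapper, not just the transaction one, is the safe rule.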




[RFC V3 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Richard Haines via Selinux
I've updated this so it still tests all the binder permissions.

I didn't bother with a Client as I found another way to achieve the
same result. Plenty of comments in test_binder.c to explain. Hopefully
it is sane, otherwise a Client will be required.

I've tested on Fedora 28 with linux-4.17-rc5 so that it does not
suffer the same fate as V1 did. Also looked to see what other patches
were in the pipeline, none that should stop this version working.

V2 Changes:
Fixed the policy and test Makefiles
Updated binder policy.
Updated the defconfig and now works to build linux-4.17-rc5
Updated the test to handle the -v option. Plenty of output
to see what is happening.

V3 Changes:
Added missing policy for using shared memory.
Use the allow_map macro.

Richard Haines (1):
  selinux-testsuite: Add binder tests

 README.md   |   8 +
 defconfig   |   7 +
 policy/Makefile |   4 +
 policy/test_binder.te   | 120 +++
 tests/Makefile  |   4 +
 tests/binder/Makefile   |   7 +
 tests/binder/check_binder.c |  80 +
 tests/binder/test   |  89 +
 tests/binder/test_binder.c  | 684 
 9 files changed, 1003 insertions(+)
 create mode 100644 policy/test_binder.te
 create mode 100644 tests/binder/Makefile
 create mode 100644 tests/binder/check_binder.c
 create mode 100644 tests/binder/test
 create mode 100644 tests/binder/test_binder.c

-- 
2.17.0




[RFC V3 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Richard Haines via Selinux
Add binder tests. See tests/binder/test_binder.c for details on
message flows to test security_binder*() functions.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 README.md   |   8 +
 defconfig   |   7 +
 policy/Makefile |   4 +
 policy/test_binder.te   | 120 +++
 tests/Makefile  |   4 +
 tests/binder/Makefile   |   7 +
 tests/binder/check_binder.c |  80 +
 tests/binder/test   |  89 +
 tests/binder/test_binder.c  | 684 
 9 files changed, 1003 insertions(+)
 create mode 100644 policy/test_binder.te
 create mode 100644 tests/binder/Makefile
 create mode 100644 tests/binder/check_binder.c
 create mode 100644 tests/binder/test
 create mode 100644 tests/binder/test_binder.c

diff --git a/README.md b/README.md
index c9f3b2b..60a249e 100644
--- a/README.md
+++ b/README.md
@@ -141,6 +141,14 @@ directory or you can follow these broken-out steps:
 The broken-out steps allow you to run the tests multiple times without
 loading policy each time.
 
+Note that if leaving the test policy in-place for further testing, the
+policy build process changes a boolean:
+   On policy load:   setsebool allow_domain_fd_use=0
+   On policy unload: setsebool allow_domain_fd_use=1
+The consequence of this is that after a system reboot, the boolean
+defaults to true. Therefore if running the fdreceive or binder tests,
+reset the boolean to false, otherwise some tests will fail.
+
 4) Review the test results.
 
 As each test script is run, the name of the script will be displayed followed
diff --git a/defconfig b/defconfig
index 7dce8bc..c48d3cc 100644
--- a/defconfig
+++ b/defconfig
@@ -51,3 +51,10 @@ CONFIG_CRYPTO_USER=m
 # This is enabled to test overlayfs SELinux integration.
 # It is not required for SELinux operation itself.
 CONFIG_OVERLAY_FS=m
+
+# Android binder implementations.
+# These are enabled to test the binder controls in
+# tests/binder; they are not required for SELinux operation itself.
+CONFIG_ANDROID=y
+CONFIG_ANDROID_BINDER_DEVICES="binder"
+CONFIG_ANDROID_BINDER_IPC=y
diff --git a/policy/Makefile b/policy/Makefile
index 5e07ee2..15e3a0c 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -63,6 +63,10 @@ ifeq ($(shell grep -q nnp_transition 
$(POLDEV)/include/support/all_perms.spt &&
 export M4PARAM += -Dnnp_nosuid_transition_permission_defined
 endif
 
+ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && echo 
true),true)
+TARGETS += test_binder.te
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS))
 endif
diff --git a/policy/test_binder.te b/policy/test_binder.te
new file mode 100644
index 000..0589396
--- /dev/null
+++ b/policy/test_binder.te
@@ -0,0 +1,120 @@
+
+attribute binderdomain;
+
+#
+## Manager ###
+#
+type test_binder_mgr_t;
+domain_type(test_binder_mgr_t)
+unconfined_runs_test(test_binder_mgr_t)
+typeattribute test_binder_mgr_t testdomain;
+typeattribute test_binder_mgr_t binderdomain;
+allow test_binder_mgr_t self:binder { set_context_mgr call };
+allow test_binder_mgr_t test_binder_provider_t:binder call;
+allow test_binder_mgr_t device_t:chr_file { ioctl open read write };
+allow_map(test_binder_mgr_t, device_t, chr_file)
+allow test_binder_mgr_t self:capability { sys_nice };
+allow test_binder_provider_t test_binder_mgr_t:fd use;
+fs_getattr_tmpfs(test_binder_mgr_t)
+allow test_binder_mgr_t tmpfs_t:file { read write open };
+allow_map(test_binder_mgr_t, tmpfs_t, file)
+fs_manage_tmpfs_dirs(test_binder_mgr_t)
+fs_manage_tmpfs_files(test_binder_mgr_t)
+
+#
+## Manager no fd {use} ###
+#
+type test_binder_mgr_no_fd_t;
+domain_type(test_binder_mgr_no_fd_t)
+unconfined_runs_test(test_binder_mgr_no_fd_t)
+typeattribute test_binder_mgr_no_fd_t testdomain;
+typeattribute test_binder_mgr_no_fd_t binderdomain;
+allow test_binder_mgr_no_fd_t self:binder { set_context_mgr call };
+allow test_binder_mgr_no_fd_t test_binder_provider_t:binder { call };
+allow test_binder_mgr_no_fd_t device_t:chr_file { ioctl open read write };
+allow_map(test_binder_mgr_no_fd_t, device_t, chr_file)
+allow test_binder_provider_t test_binder_mgr_no_fd_t:binder { call transfer 
impersonate };
+fs_getattr_tmpfs(test_binder_mgr_no_fd_t)
+allow test_binder_mgr_no_fd_t tmpfs_t:file { read write open };
+allow_map(test_binder_mgr_no_fd_t, tmpfs_t, file)
+fs_manage_tmpfs_dirs(test_binder_mgr_no_fd_t)
+fs_manage_tmpfs_files(test_binder_mgr_no_fd_t)
+
+#
+## Service Provider 
+#
+type test_binder_provider_t;
+domain_type(test_binder_provider_t)
+unconfined_runs_test(test_binder_provider_t)
+typeattribute test_binder_provider_t testdomain;
+typeattribute test_binder

[RFC V2 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-20 Thread Richard Haines via Selinux
Add binder tests. See tests/binder/test_binder.c for details on
message flows to test security_binder*() functions.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 README.md   |   8 +
 defconfig   |   7 +
 policy/Makefile |   4 +
 policy/test_binder.te   |  96 +
 tests/Makefile  |   4 +
 tests/binder/Makefile   |   7 +
 tests/binder/check_binder.c |  80 +
 tests/binder/test   |  89 +
 tests/binder/test_binder.c  | 685 
 9 files changed, 980 insertions(+)
 create mode 100644 policy/test_binder.te
 create mode 100644 tests/binder/Makefile
 create mode 100644 tests/binder/check_binder.c
 create mode 100644 tests/binder/test
 create mode 100644 tests/binder/test_binder.c

diff --git a/README.md b/README.md
index c9f3b2b..60a249e 100644
--- a/README.md
+++ b/README.md
@@ -141,6 +141,14 @@ directory or you can follow these broken-out steps:
 The broken-out steps allow you to run the tests multiple times without
 loading policy each time.
 
+Note that if leaving the test policy in-place for further testing, the
+policy build process changes a boolean:
+   On policy load:   setsebool allow_domain_fd_use=0
+   On policy unload: setsebool allow_domain_fd_use=1
+The consequence of this is that after a system reboot, the boolean
+defaults to true. Therefore if running the fdreceive or binder tests,
+reset the boolean to false, otherwise some tests will fail.
+
 4) Review the test results.
 
 As each test script is run, the name of the script will be displayed followed
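Review bot: the two `setsebool` lines are indented with three spaces, which Markdown renders as ordinary paragraph text rather than a code block; indent them four spaces (or fence them) so they render as commands. It would also help to state outright that the build does not use `setsebool -P`, so the change survives policy reloads but not a reboot, which is what the "defaults to true" sentence is getting at.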
diff --git a/defconfig b/defconfig
index 7dce8bc..c48d3cc 100644
--- a/defconfig
+++ b/defconfig
@@ -51,3 +51,10 @@ CONFIG_CRYPTO_USER=m
 # This is enabled to test overlayfs SELinux integration.
 # It is not required for SELinux operation itself.
 CONFIG_OVERLAY_FS=m
+
+# Android binder implementations.
+# These are enabled to test the binder controls in
+# tests/binder; they are not required for SELinux operation itself.
+CONFIG_ANDROID=y
+CONFIG_ANDROID_BINDER_DEVICES="binder"
+CONFIG_ANDROID_BINDER_IPC=y
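Review bot: the `# CONFIG_ANDROID_BINDER_IPC_SELFTEST is not set` line from the earlier revision is gone, along with the ASHMEM/ION `is not set` entries the author later said were needed to avoid build complaints; if a 4.17-rc5 build is clean with only the three lines here, a short comment saying so would save the next reader from re-adding them.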
diff --git a/policy/Makefile b/policy/Makefile
index 5e07ee2..15e3a0c 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -63,6 +63,10 @@ ifeq ($(shell grep -q nnp_transition 
$(POLDEV)/include/support/all_perms.spt &&
 export M4PARAM += -Dnnp_nosuid_transition_permission_defined
 endif
 
+ifeq ($(shell grep -q binder $(POLDEV)/include/support/all_perms.spt && echo 
true),true)
+TARGETS += test_binder.te
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS))
 endif
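Review bot: `grep -q binder` matches any line of all_perms.spt containing that substring; a word-anchored pattern (`grep -qw binder`) would avoid a false positive should an unrelated permission name containing "binder" ever appear. Otherwise the gating mirrors the nnp_transition check just above it, which is the right approach.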
diff --git a/policy/test_binder.te b/policy/test_binder.te
new file mode 100644
index 000..3fd4dd5
--- /dev/null
+++ b/policy/test_binder.te
@@ -0,0 +1,96 @@
+
+attribute binderdomain;
+
+#
+## Manager ###
+#
+type test_binder_mgr_t;
+domain_type(test_binder_mgr_t)
+unconfined_runs_test(test_binder_mgr_t)
+typeattribute test_binder_mgr_t testdomain;
+typeattribute test_binder_mgr_t binderdomain;
+allow test_binder_mgr_t self:binder { set_context_mgr call };
+allow test_binder_mgr_t test_binder_provider_t:binder call;
+allow test_binder_mgr_t device_t:chr_file { ioctl open read write map };
+allow test_binder_mgr_t self:capability { sys_nice };
+allow test_binder_provider_t test_binder_mgr_t:fd use;
+fs_getattr_tmpfs(test_binder_mgr_t)
+allow test_binder_mgr_t tmpfs_t:file { read write open map };
+
+#
+## Manager no fd {use} ###
+#
+type test_binder_mgr_no_fd_t;
+domain_type(test_binder_mgr_no_fd_t)
+unconfined_runs_test(test_binder_mgr_no_fd_t)
+typeattribute test_binder_mgr_no_fd_t testdomain;
+typeattribute test_binder_mgr_no_fd_t binderdomain;
+allow test_binder_mgr_no_fd_t self:binder { set_context_mgr call };
+allow test_binder_mgr_no_fd_t test_binder_provider_t:binder { call };
+allow test_binder_mgr_no_fd_t device_t:chr_file { ioctl open read write map };
+allow test_binder_provider_t test_binder_mgr_no_fd_t:binder { call transfer 
impersonate };
+fs_getattr_tmpfs(test_binder_mgr_no_fd_t)
+allow test_binder_mgr_no_fd_t tmpfs_t:file { read write open map };
+
+#
+## Service Provider 
+#
+type test_binder_provider_t;
+domain_type(test_binder_provider_t)
+unconfined_runs_test(test_binder_provider_t)
+typeattribute test_binder_provider_t testdomain;
+typeattribute test_binder_provider_t binderdomain;
+allow test_binder_provider_t self:binder { call };
+allow test_binder_provider_t test_binder_mgr_t:binder { call transfer 
impersonate };
+allow test_binder_provider_t device_t:chr_file { ioctl open read write map };
+# For fstat:
+allow test_binder_provider_t device_t:chr_file getattr;
+fs_getattr_tmpfs(test_binder_provider_t)
+allow test_binder_provider_t tm
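Review bot: `map` is written inline in the chr_file and tmpfs_t:file rules (`{ ioctl open read write map }`, `{ read write open map }`), which does not compile against reference policies that predate the map permission; the revision at the top of this page wraps it in `allow_map(...)` instead, which is the portable form. Minor: `test_binder_provider_t:binder call;` drops the braces that the neighbouring rules use.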

[RFC V2 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-20 Thread Richard Haines via Selinux
I've updated this so it still tests all the binder permissions.

I didn't bother with a Client as I found another way to achieve the
same result. Plenty of comments in test_binder.c to explain. Hopefully
it is sane, otherwise a Client will be required.

I've tested on Fedora 28 with linux-4.17-rc5 so that it does not
suffer the same fate as V1 did. Also looked to see what other patches
were in the pipeline, none that should stop this version working (yet).

V2 Changes:
Fixed the policy and test Makefiles
Updated binder policy.
Updated the defconfig and now works to build linux-4.17-rc5
Updated the test to handle the -v option. Plenty of output
to see what is happening.

Richard Haines (1):
  selinux-testsuite: Add binder tests

 README.md   |   8 +
 defconfig   |   7 +
 policy/Makefile |   4 +
 policy/test_binder.te   |  96 +
 tests/Makefile  |   4 +
 tests/binder/Makefile   |   7 +
 tests/binder/check_binder.c |  80 +
 tests/binder/test   |  89 +
 tests/binder/test_binder.c  | 685 
 9 files changed, 980 insertions(+)
 create mode 100644 policy/test_binder.te
 create mode 100644 tests/binder/Makefile
 create mode 100644 tests/binder/check_binder.c
 create mode 100644 tests/binder/test
 create mode 100644 tests/binder/test_binder.c

-- 
2.17.0




Re: [RFC PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Richard Haines via Selinux
On Tue, 2018-05-15 at 12:56 -0400, Stephen Smalley wrote:
> On 05/15/2018 12:38 PM, Stephen Smalley wrote:
> > On 05/15/2018 09:43 AM, Stephen Smalley wrote:
> > > On 05/15/2018 09:36 AM, Stephen Smalley wrote:
> > > > This test is failing for me (with or without -v):
> > > > # ./test -v
> > > > 1..6
> > > > Manager PID: 5608 Process context:
> > > > unconfined_u:unconfined_r:test_binder_mgr_t:s0-
> > > > s0:c0.c1023
> > > > Client PID: 5609 Process context:
> > > > unconfined_u:unconfined_r:test_binder_client_t:s0-
> > > > s0:c0.c1023
> > > > Client read_consumed: 28
> > > > Manager read_consumed: 72
> > > > Client command: BR_NOOP
> > > > Manager command: BR_NOOP
> > > > Client command: BR_INCREFS
> > > > Manager command: BR_TRANSACTION
> > > > Client command: BR_TRANSACTION_COMPLETE
> > > > BR_TRANSACTION data:
> > > > handle: 0
> > > > cookie: 0
> > > > code: 0
> > > > flag: TF_ACCEPT_FDS
> > > > sender pid: 5609
> > > > sender euid: 0
> > > > data_size: 24
> > > > offsets_size: 8
> > > > Sending BC_REPLY
> > > > Manager read_consumed: 8
> > > > Manager command: BR_NOOP
> > > > Manager command: BR_TRANSACTION_COMPLETE
> > > > Client read_consumed: 72
> > > > Client command: BR_NOOP
> > > > Client command: BR_REPLY
> > > > BR_REPLY data:
> > > > handle: 0
> > > > cookie: 0
> > > > code: 0
> > > > flag: TF_ACCEPT_FDS
> > > > sender pid: 0
> > > > sender euid: 0
> > > > data_size: 24
> > > > offsets_size: 8
> > > > Retrieved Managers fd: 4 st_dev: 6
> > > > Client read_consumed: 8
> > > > Client using Managers FD command: BR_NOOP
> > > > Client using Managers FD command: BR_FAILED_REPLY
> > > > Client using Managers received FD failed response
> > > > Manager read_consumed: 4
> > > > Manager command: BR_NOOP
> > > > not ok 1
> > > > #   Failed test at ./test line 36.
> > > 
> > > Just realized that I was testing with a kernel that still had
> > > Casey's stacking support enabled.
> > > Will re-try without that.
> > 
> > Still fails for me on F28 with stock/linus 4.17.0-rc5.  No AVC
> > messages from the failing test itself,
> > just the other ones.
> 
> Traced the client and saw that it was getting BR_FAILED_REPLY from
> the kernel.
> Looked at /sys/kernel/debug/binder/failed_transaction_log and saw
> that the failure
> occurs on line 2847.  Did a git blame on that line and found this
> commit,
> 
> commit 7aa135fcf26377f92dc0680a57566b4c7f3e281b
> Author: Martijn Coenen 
> Date:   Wed Mar 28 11:14:50 2018 +0200
> 
> ANDROID: binder: prevent transactions into own process.
> 
> This can't happen with normal nodes (because you can't get a ref
> to a node you own), but it could happen with the context manager;
> to make the behavior consistent with regular nodes, reject
> transactions into the context manager by the process owning it.
> 
> Reported-by: syzbot+09e05aba06723a94d...@syzkaller.appspotmail.co
> m
> Signed-off-by: Martijn Coenen 
> Cc: stable 
> Signed-off-by: Greg Kroah-Hartman 
> 
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index 764b63a5aade..e578eee31589 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2839,6 +2839,14 @@ static void binder_transaction(struct
> binder_proc *proc,
> else
> return_error = BR_DEAD_REPLY;
> mutex_unlock(
> >context_mgr_node_lock);
> +   if (target_node && target_proc == proc) {
> +   binder_user_error("%d:%d got
> transaction to context manager from process owning it\n",
> + proc->pid, thread-
> >pid);
> +   return_error = BR_FAILED_REPLY;
> +   return_error_param = -EINVAL;
> +   return_error_line = __LINE__;
> +   goto err_invalid_target_handle;
> +   }
> }
> if (!target_node) {
> /*
> 
> 
> So that's a change in kernel behavior in v4.17-rc3 and later that
> breaks your test code.

Thanks for the info. I'll get a new kernel and see how far I can get.

> 



Re: [RFC PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Richard Haines via Selinux
On Tue, 2018-05-15 at 09:43 -0400, Stephen Smalley wrote:
> On 05/15/2018 09:36 AM, Stephen Smalley wrote:
> > On 05/15/2018 04:25 AM, Richard Haines via Selinux wrote:
> > > Add binder tests. See tests/binder/test_binder.c for details on
> > > message flows to test security_binder*() functions.
> > > 
> > > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > > ---
> > >  README.md   |   8 +
> > >  defconfig   |   8 +
> > >  policy/Makefile |   2 +-
> > >  policy/test_binder.te   |  83 +++
> > >  tests/Makefile  |   2 +-
> > >  tests/binder/Makefile   |   7 +
> > >  tests/binder/check_binder.c |  80 +++
> > >  tests/binder/test   | 131 +++
> > >  tests/binder/test_binder.c  | 543
> > > 
> > >  9 files changed, 862 insertions(+), 2 deletions(-)
> > >  create mode 100644 policy/test_binder.te
> > >  create mode 100644 tests/binder/Makefile
> > >  create mode 100644 tests/binder/check_binder.c
> > >  create mode 100644 tests/binder/test
> > >  create mode 100644 tests/binder/test_binder.c
> > > 
> > > diff --git a/README.md b/README.md
> > > index c9f3b2b..60a249e 100644
> > > --- a/README.md
> > > +++ b/README.md
> > > @@ -141,6 +141,14 @@ directory or you can follow these broken-out 
> > > steps:
> > >  The broken-out steps allow you to run the tests multiple times
> > > without
> > >  loading policy each time.
> > >  
> > > +Note that if leaving the test policy in-place for further
> > > testing, the
> > > +policy build process changes a boolean:
> > > +   On policy load:   setsebool allow_domain_fd_use=0
> > > +   On policy unload: setsebool allow_domain_fd_use=1
> > > +The consequence of this is that after a system reboot, the
> > > boolean
> > > +defaults to true. Therefore if running the fdreceive or binder
> > > tests,
> > > +reset the boolean to false, otherwise some tests will fail.
> > 
> > This isn't accurate - we aren't doing setsebool -P so the boolean
> > change is not persistent across
> > reboots.  It will persist across policy reloads however because the
> > kernel preserves booleans across
> > policy reloads.
> 
> Sorry, never mind - I misread the text above.  You are correct.
> 
> > 
> > > +
> > >  4) Review the test results.
> > >  
> > >  As each test script is run, the name of the script will be
> > > displayed followed
> > > diff --git a/defconfig b/defconfig
> > > index 7dce8bc..dc6ef30 100644
> > > --- a/defconfig
> > > +++ b/defconfig
> > > @@ -51,3 +51,11 @@ CONFIG_CRYPTO_USER=m
> > >  # This is enabled to test overlayfs SELinux integration.
> > >  # It is not required for SELinux operation itself.
> > >  CONFIG_OVERLAY_FS=m
> > > +
> > > +# Android binder implementations.
> > > +# These are enabled to test the binder controls in
> > > +# tests/binder; they are not required for SELinux operation
> > > itself.
> > > +CONFIG_ANDROID=y
> > > +CONFIG_ANDROID_BINDER_IPC=y
> > > +CONFIG_ANDROID_BINDER_DEVICES="binder"
> > > +# CONFIG_ANDROID_BINDER_IPC_SELFTEST is not set
> > 
> > I don't think we need the last line.

It appears it is required, as if not present there are complaints when building;
in fact I missed some out, and it should be:

# Android binder implementations.
# These are enabled to test the binder controls in
# tests/binder; they are not required for SELinux operation itself.
# The 'is not set' items MUST be included unless they are required by
# your configuration.
# CONFIG_ASHMEM is not set
# CONFIG_ION is not set
CONFIG_ANDROID_BINDER_DEVICES="binder"
CONFIG_ANDROID_BINDER_IPC=y
# CONFIG_ANDROID_BINDER_IPC_SELFTEST is not set

> > 
> > > diff --git a/policy/Makefile b/policy/Makefile
> > > index 8ed5e46..5a9d411 100644
> > > --- a/policy/Makefile
> > > +++ b/policy/Makefile
> > > @@ -25,7 +25,7 @@ TARGETS = \
> > >   test_task_getsid.te test_task_setpgid.te
> > > test_task_setsched.te \
> > >   test_transition.te test_inet_socket.te
> > > test_unix_socket.te \
> > >   test_mmap.te test_overlayfs.te test_mqueue.te
> > > test_mac_admin.te \
> > > - test_ibpkey.te test_atsecure.te
> > > + test_ibpkey.te test_atsecure.te test_binder.te
> &

[RFC PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Richard Haines via Selinux
Add binder tests. See tests/binder/test_binder.c for details on
message flows to test security_binder*() functions.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 README.md   |   8 +
 defconfig   |   8 +
 policy/Makefile |   2 +-
 policy/test_binder.te   |  83 +++
 tests/Makefile  |   2 +-
 tests/binder/Makefile   |   7 +
 tests/binder/check_binder.c |  80 +++
 tests/binder/test   | 131 +++
 tests/binder/test_binder.c  | 543 
 9 files changed, 862 insertions(+), 2 deletions(-)
 create mode 100644 policy/test_binder.te
 create mode 100644 tests/binder/Makefile
 create mode 100644 tests/binder/check_binder.c
 create mode 100644 tests/binder/test
 create mode 100644 tests/binder/test_binder.c

diff --git a/README.md b/README.md
index c9f3b2b..60a249e 100644
--- a/README.md
+++ b/README.md
@@ -141,6 +141,14 @@ directory or you can follow these broken-out steps:
 The broken-out steps allow you to run the tests multiple times without
 loading policy each time.
 
+Note that if leaving the test policy in-place for further testing, the
+policy build process changes a boolean:
+   On policy load:   setsebool allow_domain_fd_use=0
+   On policy unload: setsebool allow_domain_fd_use=1
+The consequence of this is that after a system reboot, the boolean
+defaults to true. Therefore if running the fdreceive or binder tests,
+reset the boolean to false, otherwise some tests will fail.
+
 4) Review the test results.
 
 As each test script is run, the name of the script will be displayed followed
diff --git a/defconfig b/defconfig
index 7dce8bc..dc6ef30 100644
--- a/defconfig
+++ b/defconfig
@@ -51,3 +51,11 @@ CONFIG_CRYPTO_USER=m
 # This is enabled to test overlayfs SELinux integration.
 # It is not required for SELinux operation itself.
 CONFIG_OVERLAY_FS=m
+
+# Android binder implementations.
+# These are enabled to test the binder controls in
+# tests/binder; they are not required for SELinux operation itself.
+CONFIG_ANDROID=y
+CONFIG_ANDROID_BINDER_IPC=y
+CONFIG_ANDROID_BINDER_DEVICES="binder"
+# CONFIG_ANDROID_BINDER_IPC_SELFTEST is not set
diff --git a/policy/Makefile b/policy/Makefile
index 8ed5e46..5a9d411 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -25,7 +25,7 @@ TARGETS = \
test_task_getsid.te test_task_setpgid.te test_task_setsched.te \
test_transition.te test_inet_socket.te test_unix_socket.te \
test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \
-   test_ibpkey.te test_atsecure.te
+   test_ibpkey.te test_atsecure.te test_binder.te
 
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te
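Review bot: appending `test_binder.te` unconditionally to TARGETS breaks the policy build on systems whose reference policy has no binder class; gate it on the class being defined, as the V2 policy/Makefile hunk earlier on this page does (`grep -q binder $(POLDEV)/include/support/all_perms.spt`), matching the existing nnp_transition and POL_VERS conditionals in this file.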
diff --git a/policy/test_binder.te b/policy/test_binder.te
new file mode 100644
index 000..c4ad2ae
--- /dev/null
+++ b/policy/test_binder.te
@@ -0,0 +1,83 @@
+
+attribute binderdomain;
+
+#
+## Manager ###
+#
+type test_binder_mgr_t;
+domain_type(test_binder_mgr_t)
+unconfined_runs_test(test_binder_mgr_t)
+typeattribute test_binder_mgr_t testdomain;
+typeattribute test_binder_mgr_t binderdomain;
+allow test_binder_mgr_t self:binder { set_context_mgr call };
+allow test_binder_mgr_t device_t:chr_file { ioctl open read write map };
+allow test_binder_mgr_t self:capability { sys_nice };
+allow test_binder_client_t test_binder_mgr_t:fd use;
+
+#
+# Client 
+#
+type test_binder_client_t;
+domain_type(test_binder_client_t)
+unconfined_runs_test(test_binder_client_t)
+typeattribute test_binder_client_t testdomain;
+typeattribute test_binder_client_t binderdomain;
+allow test_binder_client_t self:binder { call };
+allow test_binder_client_t test_binder_mgr_t:binder { call transfer 
impersonate };
+allow test_binder_client_t device_t:chr_file { ioctl open read write map };
+# For fstat:
+allow test_binder_client_t device_t:chr_file getattr;
+
+#
+## Client no call 
+#
+type test_binder_client_no_call_t;
+domain_type(test_binder_client_no_call_t)
+unconfined_runs_test(test_binder_client_no_call_t)
+typeattribute test_binder_client_no_call_t testdomain;
+typeattribute test_binder_client_no_call_t binderdomain;
+allow test_binder_client_no_call_t device_t:chr_file { ioctl open read write 
map };
+
+#
+ Client no transfer #
+#
+type test_binder_client_no_transfer_t;
+domain_type(test_binder_client_no_transfer_t)
+unconfined_runs_test(test_binder_client_no_transfer_t)
+typeattribute test_binder_client_no_transfer_t testdomain;
+typeattribute test_binder_client_no_transfer_t binderdomain;
+allow test_binder_client_no_transfer_t test_binder_mgr_t:binder { call };
+allow test_binder_client_no_transfer_t device_t:chr_file { io

[RFC PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Richard Haines via Selinux
Not sure how useful this is but saw [1] and thought I'd have a go out
of idle curiosity.

I've only tested on Fedora 27 with kernel-4.16.3-200.fc27.x86_64

Use ./test -v to see the flow of binder info

I just added the following to the standard kernel-x86_64.config:
CONFIG_ANDROID_BINDER_DEVICES="binder"
CONFIG_ANDROID_BINDER_IPC=y
# CONFIG_ANDROID_BINDER_IPC_SELFTEST is not set

[1] https://github.com/SELinuxProject/selinux-testsuite/issues/27

Richard Haines (1):
  selinux-testsuite: Add binder tests

 README.md   |   8 +
 defconfig   |   8 +
 policy/Makefile |   2 +-
 policy/test_binder.te   |  83 +++
 tests/Makefile  |   2 +-
 tests/binder/Makefile   |   7 +
 tests/binder/check_binder.c |  80 +++
 tests/binder/test   | 131 +++
 tests/binder/test_binder.c  | 543 
 9 files changed, 862 insertions(+), 2 deletions(-)
 create mode 100644 policy/test_binder.te
 create mode 100644 tests/binder/Makefile
 create mode 100644 tests/binder/check_binder.c
 create mode 100644 tests/binder/test
 create mode 100644 tests/binder/test_binder.c

-- 
2.14.3




Re: [PATCH v2 1/3] selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()

2018-05-11 Thread Richard Haines via Selinux
On Fri, 2018-05-11 at 20:15 +0300, Alexey Kodanev wrote:
> Commit d452930fd3b9 ("selinux: Add SCTP support") breaks
> compatibility
> with the old programs that can pass sockaddr_in structure with
> AF_UNSPEC
> and INADDR_ANY to bind(). As a result, bind() returns EAFNOSUPPORT
> error.
> This was found with LTP/asapi_01 test.
> 
> Similar to commit 29c486df6a20 ("net: ipv4: relax AF_INET check in
> bind()"), which relaxed AF_INET check for compatibility, add
> AF_UNSPEC
> case to AF_INET and make sure that the address is INADDR_ANY.
> 
> Fixes: d452930fd3b9 ("selinux: Add SCTP support")
> Signed-off-by: Alexey Kodanev 
> ---
> 
> v2: As suggested by Paul:
> * return EINVAL for SCTP socket if sa_family is AF_UNSPEC and
>   address is not INADDR_ANY
> * add new 'sa_family' variable so that it equals either AF_INET
>   or AF_INET6. Besides, it it will be used in the next patch that
>   fixes audit record.
> 
>  security/selinux/hooks.c | 29 +++--
>  1 file changed, 19 insertions(+), 10 deletions(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 4cafe6a..1ed7004 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4576,6 +4576,7 @@ static int selinux_socket_post_create(struct
> socket *sock, int family,
>  static int selinux_socket_bind(struct socket *sock, struct sockaddr
> *address, int addrlen)
>  {
>   struct sock *sk = sock->sk;
> + struct sk_security_struct *sksec = sk->sk_security;
>   u16 family;
>   int err;
>  
> @@ -4587,11 +4588,11 @@ static int selinux_socket_bind(struct socket
> *sock, struct sockaddr *address, in
>   family = sk->sk_family;
>   if (family == PF_INET || family == PF_INET6) {
>   char *addrp;
> - struct sk_security_struct *sksec = sk->sk_security;
>   struct common_audit_data ad;
>   struct lsm_network_audit net = {0,};
>   struct sockaddr_in *addr4 = NULL;
>   struct sockaddr_in6 *addr6 = NULL;
> + u16 family_sa = address->sa_family;
>   unsigned short snum;
>   u32 sid, node_perm;
>  
> @@ -4601,11 +4602,20 @@ static int selinux_socket_bind(struct socket
> *sock, struct sockaddr *address, in
>* need to check address->sa_family as it is
> possible to have
>* sk->sk_family = PF_INET6 with addr->sa_family =
> AF_INET.
>*/
> - switch (address->sa_family) {
> + switch (family_sa) {
> + case AF_UNSPEC:
>   case AF_INET:
>   if (addrlen < sizeof(struct sockaddr_in))
>   return -EINVAL;
>   addr4 = (struct sockaddr_in *)address;
> + if (family_sa == AF_UNSPEC) {
> + /* see __inet_bind(), we only want
> to allow
> +  * AF_UNSPEC if the address is
> INADDR_ANY
> +  */
> + if (addr4->sin_addr.s_addr !=
> htonl(INADDR_ANY))
> + goto err_af;
> + family_sa = AF_INET;
> + }
>   snum = ntohs(addr4->sin_port);
>   addrp = (char *)>sin_addr.s_addr;
>   break;
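Review bot: AF_UNSPEC is now accepted for PF_INET6 sockets as well as PF_INET ones, since the enclosing check is `family == PF_INET || family == PF_INET6` and the switch only looks at `address->sa_family`; the comment cites `__inet_bind()`, which is the IPv4 path, so it is worth confirming that the IPv6 bind path tolerates the same legacy form, or noting in the comment that it rejects it before this relaxation matters. The ordering is right: `addrlen` is checked against `sizeof(struct sockaddr_in)` before `addr4->sin_addr.s_addr` is read.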
> @@ -4617,13 +4627,7 @@ static int selinux_socket_bind(struct socket
> *sock, struct sockaddr *address, in
>   addrp = (char *)>sin6_addr.s6_addr;
>   break;
>   default:
> - /* Note that SCTP services expect -EINVAL,
> whereas
> -  * others expect -EAFNOSUPPORT.
> -  */
> - if (sksec->sclass == SECCLASS_SCTP_SOCKET)
> - return -EINVAL;
> - else
> - return -EAFNOSUPPORT;
> + goto err_af;
>   }
>  
>   if (snum) {
> @@ -4681,7 +4685,7 @@ static int selinux_socket_bind(struct socket
> *sock, struct sockaddr *address, in
>   ad.u.net->sport = htons(snum);
>   ad.u.net->family = family;
>  
> - if (address->sa_family == AF_INET)
> + if (family_sa == AF_INET)
>   ad.u.net->v4info.saddr = addr4-
> >sin_addr.s_addr;
>   else
>   ad.u.net->v6info.saddr = addr6->sin6_addr;
> @@ -4694,6 +4698,11 @@ static int selinux_socket_bind(struct socket
> *sock, struct sockaddr *address, in
>   }
>  out:
>   return err;
> +err_af:
> + /* Note that SCTP services expect -EINVAL, others
> -EAFNOSUPPORT. */
> + if (sksec->sclass == SECCLASS_SCTP_SOCKET)
> + return -EINVAL;
> + return -EAFNOSUPPORT;
>  }
>  
>  /* This supports connect(2) and SCTP connect services such as
> sctp_connectx(3)

Tested all 
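A user-space probe for the compatibility case the patch above fixes, added here as an example and not part of Alexey's patch or Richard's reply: it binds a fresh socket with the legacy AF_UNSPEC/INADDR_ANY form and with AF_UNSPEC plus a non-wildcard address, so the accept/reject split the hook should produce (EAFNOSUPPORT, or EINVAL on an SCTP socket) can be checked on a running kernel. The function name probe_bind is my own; it needs no privileges and only binds to port 0.

```c
/*
 * Added example (not from the patch or the thread): probe how this kernel
 * treats bind() with sa_family == AF_UNSPEC on an IPv4 socket.
 *
 * Old programs pass a struct sockaddr_in with AF_UNSPEC and INADDR_ANY.
 * The IPv4 stack accepts that ("net: ipv4: relax AF_INET check in bind()");
 * the patch makes selinux_socket_bind() accept it too, while AF_UNSPEC with
 * any other address must still be rejected: -EAFNOSUPPORT for most sockets,
 * -EINVAL for SCTP sockets.  A kernel carrying the regression the patch
 * fixes reports EAFNOSUPPORT for the AF_UNSPEC + INADDR_ANY case instead.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Create a socket of the given type/protocol and bind it to port 0 with the
 * supplied sa_family and IPv4 address (host byte order).
 * Returns 0 if bind() succeeded, the positive errno if bind() failed, or -1
 * if the socket itself could not be created (e.g. SCTP not in the kernel).
 */
int probe_bind(int type, int protocol, sa_family_t sa_family, in_addr_t addr)
{
    int fd = socket(AF_INET, type, protocol);
    if (fd < 0)
        return -1;

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = sa_family;        /* AF_INET, or the legacy AF_UNSPEC */
    sin.sin_port = 0;                  /* ephemeral port: never conflicts   */
    sin.sin_addr.s_addr = htonl(addr);

    int rc = 0;
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        rc = errno;
    close(fd);
    return rc;
}

/* Human-readable form of a probe_bind() result. */
static const char *describe(int rc)
{
    if (rc == -1)
        return "socket() failed (protocol unavailable?)";
    if (rc == 0)
        return "bind() accepted";
    return strerror(rc);
}

int main(void)
{
    /* The cases the hook distinguishes: address family x address. */
    printf("TCP  AF_INET   INADDR_ANY      : %s\n",
           describe(probe_bind(SOCK_STREAM, 0, AF_INET, INADDR_ANY)));
    printf("TCP  AF_UNSPEC INADDR_ANY      : %s\n",
           describe(probe_bind(SOCK_STREAM, 0, AF_UNSPEC, INADDR_ANY)));
    printf("TCP  AF_UNSPEC INADDR_LOOPBACK : %s\n",
           describe(probe_bind(SOCK_STREAM, 0, AF_UNSPEC, INADDR_LOOPBACK)));
    /* SCTP services expect EINVAL rather than EAFNOSUPPORT here. */
    printf("SCTP AF_UNSPEC INADDR_LOOPBACK : %s\n",
           describe(probe_bind(SOCK_STREAM, IPPROTO_SCTP, AF_UNSPEC,
                               INADDR_LOOPBACK)));
    return 0;
}
```

On a kernel with the patch applied and SELinux enforcing, the second line should read "bind() accepted" and the third "Address family not supported by protocol".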

[PATCH] selinux-testsuite: Enhance inet_socket tests

2018-04-13 Thread Richard Haines via Selinux
Enhance the tests as follows:
1) Determine number of tests to run with current config.
2) Add CALIPSO STREAM tests (DGRAM not supported in kernel. See [1]).
3) Add support for CIPSO TAGS 1 & 2. Closes [2].
4) Run scripts using /bin/sh.
5) Shorten sleep time as more tests.

[1] https://github.com/SELinuxProject/selinux-kernel/issues/24
[2] https://github.com/SELinuxProject/selinux-testsuite/issues/1

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 tests/inet_socket/calipso-flush |   5 +
 tests/inet_socket/calipso-load  |   7 +
 tests/inet_socket/cipso-fl-flush|   0
 tests/inet_socket/cipso-fl-load |   0
 tests/inet_socket/cipso-flush   |   0
 tests/inet_socket/cipso-load-t1 |  11 +
 tests/inet_socket/cipso-load-t2 |  11 +
 tests/inet_socket/{cipso-load => cipso-load-t5} |   0
 tests/inet_socket/ipsec-flush   |   0
 tests/inet_socket/ipsec-load|   0
 tests/inet_socket/iptables-flush|   0
 tests/inet_socket/iptables-load |   0
 tests/inet_socket/server.c  |  16 +-
 tests/inet_socket/test  | 348 ++--
 14 files changed, 310 insertions(+), 88 deletions(-)
 create mode 100644 tests/inet_socket/calipso-flush
 create mode 100644 tests/inet_socket/calipso-load
 mode change 100755 => 100644 tests/inet_socket/cipso-fl-flush
 mode change 100755 => 100644 tests/inet_socket/cipso-fl-load
 mode change 100755 => 100644 tests/inet_socket/cipso-flush
 create mode 100644 tests/inet_socket/cipso-load-t1
 create mode 100644 tests/inet_socket/cipso-load-t2
 rename tests/inet_socket/{cipso-load => cipso-load-t5} (100%)
 mode change 100755 => 100644
 mode change 100755 => 100644 tests/inet_socket/ipsec-flush
 mode change 100755 => 100644 tests/inet_socket/ipsec-load
 mode change 100755 => 100644 tests/inet_socket/iptables-flush
 mode change 100755 => 100644 tests/inet_socket/iptables-load
 mode change 100755 => 100644 tests/inet_socket/test

diff --git a/tests/inet_socket/calipso-flush b/tests/inet_socket/calipso-flush
new file mode 100644
index 000..5143962
--- /dev/null
+++ b/tests/inet_socket/calipso-flush
@@ -0,0 +1,5 @@
+#!/bin/sh
+# Reset NetLabel configuration to unlabeled after CALIPSO/IPv6 tests.
+netlabelctl map del default
+netlabelctl calipso del doi:16
+netlabelctl map add default protocol:unlbl
diff --git a/tests/inet_socket/calipso-load b/tests/inet_socket/calipso-load
new file mode 100644
index 000..4bb9c7f
--- /dev/null
+++ b/tests/inet_socket/calipso-load
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Define a doi for testing loopback for CALIPSO/IPv6.
+netlabelctl calipso add pass doi:16
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:::1 protocol:calipso,16
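Review bot: none of the netlabelctl commands are checked, so if `netlabelctl calipso add pass doi:16` fails (kernel without CALIPSO, or NetLabel unavailable) the script still runs `map del default` and leaves the host without a default NetLabel mapping until calipso-flush restores `protocol:unlbl`. Adding `set -e` after the `#!/bin/sh` line, or testing the first command's exit status, would stop before that point; the same applies to cipso-load-t1 and cipso-load-t2 below.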
diff --git a/tests/inet_socket/cipso-fl-flush b/tests/inet_socket/cipso-fl-flush
old mode 100755
new mode 100644
diff --git a/tests/inet_socket/cipso-fl-load b/tests/inet_socket/cipso-fl-load
old mode 100755
new mode 100644
diff --git a/tests/inet_socket/cipso-flush b/tests/inet_socket/cipso-flush
old mode 100755
new mode 100644
diff --git a/tests/inet_socket/cipso-load-t1 b/tests/inet_socket/cipso-load-t1
new file mode 100644
index 000..974e746
--- /dev/null
+++ b/tests/inet_socket/cipso-load-t1
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Based on http://paulmoore.livejournal.com/7234.html.
+#
+# Modifications:
+# - Defined a doi for testing loopback for CIPSOv4.
+
+netlabelctl cipsov4 add pass doi:16 tags:1
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
diff --git a/tests/inet_socket/cipso-load-t2 b/tests/inet_socket/cipso-load-t2
new file mode 100644
index 000..9892f81
--- /dev/null
+++ b/tests/inet_socket/cipso-load-t2
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Based on http://paulmoore.livejournal.com/7234.html.
+#
+# Modifications:
+# - Defined a doi for testing loopback for CIPSOv4.
+
+netlabelctl cipsov4 add pass doi:16 tags:2
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
diff --git a/tests/inet_socket/cipso-load b/tests/inet_socket/cipso-load-t5
old mode 100755
new mode 100644
similarity index 100%
rename from tests/inet_socket/cipso-load
rename to tests/inet_socket/cipso-load-t5
diff --git a/tests/inet_socket/ipsec-flush b/tests/inet_socket/ipsec-flush
old mode 100755
new mode 100644
diff --git a/tests/inet_socket/ipsec-load b/tests/inet_socket/ipsec-load
old mode 100755
new mode 100644
diff --git

Re: [GIT PULL] SELinux patches for v4.17

2018-04-08 Thread Richard Haines via Selinux
On Sun, 2018-04-08 at 19:59 +0100, Richard Haines via Selinux wrote:
> On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote:
> > On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines
> > <richard_c_hai...@btinternet.com> wrote:
> > > On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
> > > > On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-foun
> > > > da
> > > > tion
> > > > .org> wrote:
> > > > On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
> > > > <richard_c_hai...@btinternet.com> wrote:
> > > > 
> > > > So please check my resolution, but also somebody should tell me
> > > > "Linus, you're a cretin, sctp_connect() doesn't want that
> > > > security_sctp_bind_connect() at all because it was already done
> > > > by
> > > > XYZ"
> > > > 
> > > > sctp_connect() or __sctp_connect() do not need to call
> > > > security_sctp_bind_connect(). This is because the connect(2)
> > > > call
> > > > will
> > > > handle the checks required via security_socket_connect():
> > > > 
> > > > Ok, thanks, that's exactly what I wanted to get.
> > > > 
> > > > Anyway, somebody should still verify that it all looks good in
> > > > my
> > > > tree, but I don't actually expect the merge to have had any
> > > > issues
> > > > even if the refactoring made it a bit more complex than most
> > > > merges
> > > > are.
> > > > 
> > > > Thanks for the quick response Richard.
> > > > 
> > > > Xin Long looked it over and gave it the thumbs up, I'll take a
> > > > look
> > > > too, but to be honest I trust his SCTP understanding much more
> > > > than
> > > > mine.  I also do weekly tests of each rcX release at a minimum
> > > > so
> > > > if
> > > > something odd pops up I'll make sure you get a fix.
> > > > 
> > > > Thanks again everyone.
> > > 
> > > I built the kernel this morning and sorry to spoil the party, but
> > > I've
> > > run into a problem with lksctp-tools when running the func_tests:
> > > 
> > > make v6test
> > > ..
> > > ..
> > > ./test_timetolive_v6
> > > test_timetolive.c  0 INFO : Creating fillmsg of size 3087
> > > test_timetolive.c  1 PASS : Send a message with timeout
> > > test_timetolive.c  2 PASS : Send a message with no timeout
> > > test_timetolive.c  3 PASS : Send a fragmented message with
> > > timeout
> > > test_timetolive.c  0 INFO :  **  SLEEPING for 3 seconds **
> > > test_timetolive.c  4 BROK : Got a datamsg of unexpected
> > > length:23,
> > > expected length:27
> > > DUMP_CORE sctputil.c: 247
> > > /bin/sh: line 1: 30981 Segmentation fault  (core dumped) ./$a
> > > test_timetolive_v6 fails
> > > 
> > > make v4 test fails the same way. I'm using lksctp-tools from [1].
> > > I
> > > have not investigated the cause yet as just found this and
> > > thought
> > > I
> > > should flag first just in case someone has the answer !!!
> > 
> > test_timetolive(_v6) works for me. In lksctp-tools/src/func_tests, I had
> > another case fail, ./test_1_to_1_events; it's caused by:
> > commit 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b
> > Author: Xin Long <lucien@gmail.com>
> > Date:   Wed Mar 14 19:05:34 2018 +0800
> > 
> > sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT
> > 
> > It's not the kernel's issue; after that commit, ./test_1_to_1_events
> > should have been improved, or avoid it by 'sysctl -w
> > net.sctp.auth_enable=1'
> > 
> > I'm not sure why test_timetolive(_v6) is not working in your env.
> 
> It appears to depend on the run sequence of the tests. I rebooted the
> system, ran test_timetolive_v6, it worked okay.
> Ran "sctp-tests run" on a terminal, then ran test_timetolive_v6 at
> various intervals on another terminal. Once sctp-tests started the
> "===
> ndatasched ===" sequence, test_timetolive_v6 failed.

1) When SCTP is initialised /proc/sys/net/sctp/prsctp_enable = 1
2) When sctp-tests/testcase/regression/extoverflow/test.sh is executed,
on exit it sets prsctp_enable = 0. This seems to be causing the issue
I'm seeing. I can now simulate the problem:

Running from fresh boot:
checksctp
cat /proc/sys/net/sctp/prsctp_
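
The run-order dependence described above (one sctp-tests script leaving prsctp_enable at 0, after which test_timetolive fails; earlier in the thread auth_enable had to be 1 for test_1_to_1_events) is a global-knob problem. The following is an added example, not code from the thread or from lksctp-tools: a small C routine that pins a sysctl-style knob to the value a test expects, runs the test, and restores the previous value afterwards. The knob path is a parameter so it can be exercised on a temp file where /proc/sys/net/sctp is unavailable; run_with_sysctl, make_fake_sysctl and demo_prsctp_pinning are names chosen here.

```c
/* Added example, not from the thread: pin a sysctl knob such as
 * /proc/sys/net/sctp/prsctp_enable around one test so results do not
 * depend on which test ran before. Path is a parameter for testability. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read one integer from a sysctl-style file; 0 on success, -1 otherwise. */
int sysctl_read_int(const char *path, int *out)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int rc = (fscanf(f, "%d", out) == 1) ? 0 : -1;
    fclose(f);
    return rc;
}

/* Write one integer, newline terminated as /proc/sys expects. */
int sysctl_write_int(const char *path, int value)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    int rc = (fprintf(f, "%d\n", value) > 0) ? 0 : -1;
    if (fclose(f) != 0)
        rc = -1;
    return rc;
}

typedef int (*test_fn)(void *ctx);

/* Run fn(ctx) with the knob at `want`, restoring the old value afterwards
 * even when the test fails. Returns fn's result, or -1 if the knob could
 * not be read or set (fn is then not run at all). */
int run_with_sysctl(const char *path, int want, test_fn fn, void *ctx)
{
    int saved, rc;
    if (sysctl_read_int(path, &saved) != 0)
        return -1;
    if (saved != want && sysctl_write_int(path, want) != 0)
        return -1;
    rc = fn(ctx);
    if (saved != want && sysctl_write_int(path, saved) != 0)
        fprintf(stderr, "warning: could not restore %s to %d\n", path, saved);
    return rc;
}

/* Stand-in for a test body: record the knob value it actually saw. */
struct probe { const char *path; int seen; };

static int probe_fn(void *ctx)
{
    struct probe *p = ctx;
    return sysctl_read_int(p->path, &p->seen);
}

/* Constructed stand-in for /proc/sys/net/sctp/prsctp_enable: a temp file
 * holding `initial`. Caller unlinks and frees the returned path. */
char *make_fake_sysctl(int initial)
{
    char tmpl[] = "/tmp/prsctp_enable.XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    close(fd);
    if (sysctl_write_int(tmpl, initial) != 0) {
        unlink(tmpl);
        return NULL;
    }
    return strdup(tmpl);
}

/* Demo: knob starts at 1 (what the thread reports after boot), a test
 * needing 0 runs, and 1 is back afterwards. Returns the value seen inside
 * the test, stores the post-restore value in *after; -1 on failure. */
int demo_prsctp_pinning(int *after)
{
    char *path = make_fake_sysctl(1);
    if (!path)
        return -1;
    struct probe p = { path, -1 };
    int rc = run_with_sysctl(path, 0, probe_fn, &p);
    if (rc != 0 || sysctl_read_int(path, after) != 0)
        p.seen = -1;
    unlink(path);
    free(path);
    return p.seen;
}

int main(void)
{
    int after = -1;
    int seen = demo_prsctp_pinning(&after);
    printf("inside test: %d, after restore: %d\n", seen, after);
    return (seen == 0 && after == 1) ? 0 : 1;
}
```

Against the real knob, call run_with_sysctl("/proc/sys/net/sctp/prsctp_enable", 1, ...) around test_timetolive and the value the kernel started with is put back whatever the test does; a wrapper like this belongs around every func_test that reads a net.sctp sysctl, not only the one that happened to fail.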

Re: [GIT PULL] SELinux patches for v4.17

2018-04-08 Thread Richard Haines via Selinux
On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote:
> On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines
> <richard_c_hai...@btinternet.com> wrote:
> > On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
> > > On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-foundation.org> wrote:
> > > On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
> > > <richard_c_hai...@btinternet.com> wrote:
> > > 
> > > So please check my resolution, but also somebody should tell me
> > > "Linus, you're a cretin, sctp_connect() doesn't want that
> > > security_sctp_bind_connect() at all because it was already done
> > > by
> > > XYZ"
> > > 
> > > sctp_connect() or __sctp_connect() do not need to call
> > > security_sctp_bind_connect(). This is because the connect(2) call
> > > will
> > > handle the checks required via security_socket_connect():
> > > 
> > > Ok, thanks, that's exactly what I wanted to get.
> > > 
> > > Anyway, somebody should still verify that it all looks good in my
> > > tree, but I don't actually expect the merge to have had any
> > > issues
> > > even if the refactoring made it a bit more complex than most
> > > merges
> > > are.
> > > 
> > > Thanks for the quick response Richard.
> > > 
> > > Xin Long looked it over and gave it the thumbs up, I'll take a
> > > look
> > > too, but to be honest I trust his SCTP understanding much more
> > > than
> > > mine.  I also do weekly tests of each rcX release at a minimum so
> > > if
> > > something odd pops up I'll make sure you get a fix.
> > > 
> > > Thanks again everyone.
> > 
> > I built the kernel this morning and sorry to spoil the party, but
> > I've
> > run into a problem with lksctp-tools when running the func_tests:
> > 
> > make v6test
> > ..
> > ..
> > ./test_timetolive_v6
> > test_timetolive.c  0 INFO : Creating fillmsg of size 3087
> > test_timetolive.c  1 PASS : Send a message with timeout
> > test_timetolive.c  2 PASS : Send a message with no timeout
> > test_timetolive.c  3 PASS : Send a fragmented message with timeout
> > test_timetolive.c  0 INFO :  **  SLEEPING for 3 seconds **
> > test_timetolive.c  4 BROK : Got a datamsg of unexpected length:23,
> > expected length:27
> > DUMP_CORE sctputil.c: 247
> > /bin/sh: line 1: 30981 Segmentation fault  (core dumped) ./$a
> > test_timetolive_v6 fails
> > 
> > make v4 test fails the same way. I'm using lksctp-tools from [1]. I
> > have not investigated the cause yet as just found this and thought
> > I
> > should flag first just in case someone has the answer !!!
> 
> test_timetolive(_v6) works for me, In lksctp-tools/src/func_tests, I
> had
> another case failed,./test_1_to_1_events,  it's caused by:
> commit 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b
> Author: Xin Long <lucien@gmail.com>
> Date:   Wed Mar 14 19:05:34 2018 +0800
> 
> sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT
> 
> It's not kernel's issue, after that commit, ./test_1_to_1_events
> should
> have been improved. or avoid it by 'sysctl -w net.sctp.auth_enable=1'
> 
> I'm not sure why test_timetolive(_v6) is not working in your env.

It appears to depend on the run sequence of the tests. I rebooted the
system, ran test_timetolive_v6, it worked okay.
Ran "sctp-tests run" on a terminal, then ran test_timetolive_v6 at
various intervals on another terminal. Once sctp-tests started the "===
ndatasched ===" sequence, test_timetolive_v6 failed.

> 
> > 
> > On the bright side, I've run the sctp-tests from [2] with no
> > problems
> > and also the selinux-testsuite with my SCTP patch from [3] using an
> > updated Fedora policy from [4] (with sctp support added), all in
> > enforcing mode.
> > 
> > Also the LTP test passed:
> > cd /opt/ltp/
> > cat runtest/syscalls |grep connect01>runtest/connect-syscall
> > ./runltp -pq -f connect-syscall
> > 
> > 
> > [1] https://github.com/sctp/lksctp-tools
> > [2] https://github.com/sctp/sctp-tests
> > [3] https://marc.info/?l=selinux=152156947715709=2
> > [4] https://github.com/fedora-selinux/selinux-policy
> > 
> > 
> > > 
> > > --
> > > paul moore
> > > www.paul-moore.com
> > > 
> > > 
> > > 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



Re: [GIT PULL] SELinux patches for v4.17

2018-04-08 Thread Richard Haines via Selinux
On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote:
> On April 7, 2018 1:03:57 PM Linus Torvalds <torvalds@linux-foundation.org> wrote:
> On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines
> <richard_c_hai...@btinternet.com> wrote:
> 
> So please check my resolution, but also somebody should tell me
> "Linus, you're a cretin, sctp_connect() doesn't want that
> security_sctp_bind_connect() at all because it was already done by
> XYZ"
> 
> sctp_connect() or __sctp_connect() do not need to call
> security_sctp_bind_connect(). This is because the connect(2) call
> will
> handle the checks required via security_socket_connect():
> 
> Ok, thanks, that's exactly what I wanted to get.
> 
> Anyway, somebody should still verify that it all looks good in my
> tree, but I don't actually expect the merge to have had any issues
> even if the refactoring made it a bit more complex than most merges
> are.
> 
> Thanks for the quick response Richard.
> 
> Xin Long looked it over and gave it the thumbs up, I'll take a look
> too, but to be honest I trust his SCTP understanding much more than
> mine.  I also do weekly tests of each rcX release at a minimum so if
> something odd pops up I'll make sure you get a fix.
> 
> Thanks again everyone.

I built the kernel this morning and sorry to spoil the party, but I've
run into a problem with lksctp-tools when running the func_tests:

make v6test
..
..
./test_timetolive_v6
test_timetolive.c  0 INFO : Creating fillmsg of size 3087
test_timetolive.c  1 PASS : Send a message with timeout
test_timetolive.c  2 PASS : Send a message with no timeout
test_timetolive.c  3 PASS : Send a fragmented message with timeout
test_timetolive.c  0 INFO :  **  SLEEPING for 3 seconds **
test_timetolive.c  4 BROK : Got a datamsg of unexpected length:23,
expected length:27
DUMP_CORE sctputil.c: 247
/bin/sh: line 1: 30981 Segmentation fault  (core dumped) ./$a
test_timetolive_v6 fails

make v4 test fails the same way. I'm using lksctp-tools from [1]. I
have not investigated the cause yet as just found this and thought I
should flag first just in case someone has the answer !!!

On the bright side, I've run the sctp-tests from [2] with no problems
and also the selinux-testsuite with my SCTP patch from [3] using an
updated Fedora policy from [4] (with sctp support added), all in
enforcing mode.

Also the LTP test passed:
cd /opt/ltp/
cat runtest/syscalls |grep connect01>runtest/connect-syscall
./runltp -pq -f connect-syscall


[1] https://github.com/sctp/lksctp-tools
[2] https://github.com/sctp/sctp-tests
[3] https://marc.info/?l=selinux=152156947715709=2
[4] https://github.com/fedora-selinux/selinux-policy


> 
> --
> paul moore
> www.paul-moore.com
> 
> 
> 



Re: [GIT PULL] SELinux patches for v4.17

2018-04-07 Thread Richard Haines via Selinux
On Fri, 2018-04-06 at 16:07 -0700, Linus Torvalds wrote:
> On Tue, Apr 3, 2018 at 6:37 PM, Paul Moore 
> wrote:
> > 
> > Everything passes the selinux-testsuite, but there are a few known
> > merge conflicts.  The first is with the netdev tree and is in
> > net/sctp/socket.c.  Unfortunately it is a bit ugly, thankfully
> > Stephen
> > Rothwell has already done the heavy lifting in resolving the merge
> > for
> > you, and the SCTP folks have given his merge patch a thumbs-up.
> 
> I ended up re-doing the merge, and it looks like some more sctp
> changes happened after Stephen's merge anyway, so mine didn't end up
> quite like his.
> 
> Adding Xin Long to see if he can verify it again, but it all *looks*
> sane.
> 
> While looking at it, it struck me that the new security hooks don't
> seem to hook into __sctp_connect(), which also does that
> 
> scope = sctp_scope();
> asoc = sctp_association_new(ep, sk, scope,
> GFP_KERNEL);
> 
> thing. Is that intentional? The sendmsg case does that
> security_sctp_bind_connect, the actual __sctp_connect() does not.
> 
> This is not because I screwed up the merge - it's that way in the
> SELinux tree too. And I obviously _left_ it that way, but while doing
> the merge and trying to understand what was going on, this struck me.
> 
> I'm probably missing something really obvious why the connect case
> doesn't want to do it there.
> 
> NOTE! I do see it being done in __sctp_setsockopt_connectx(). But
> __sctp_connect() has another caller (in sctp_connect()) which doesn't
> have that security_sctp_bind_connect() call.
> 
> So please check my resolution, but also somebody should tell me
> "Linus, you're a cretin, sctp_connect() doesn't want that
> security_sctp_bind_connect() at all because it was already done by
> XYZ"
> 
>  Linus

Thought I would answer the questions as I wrote the SELinux/SCTP
patches.

sctp_connect() or __sctp_connect() do not need to call
security_sctp_bind_connect(). This is because the connect(2) call will
handle the checks required via security_socket_connect():

    connect(2)
        |
    SYSCALL_DEFINE3(connect, )
        |
    security_socket_connect()
        |
    sctp_connect()

SCTP uses security_sctp_bind_connect() as this can handle one or more
addresses for either sctp_connectx(3) or sctp_bindx(3). It is also used
for handling the sendmsg(2) and sctp_sendmsg(3) calls in SCTP for a new
association (that is effectively a "connect").

Hope this helps

Richard




[PATCH] selinux-testsuite: Add SCTP test support

2018-03-20 Thread Richard Haines via Selinux
The sctp testsuite tests all new sctp SELinux functionality.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 policy/Makefile|   4 +
 policy/test_sctp.te| 159 +++
 tests/Makefile |   4 +
 tests/sctp/Makefile|  13 +
 tests/sctp/calipso-flush   |   5 +
 tests/sctp/calipso-load|   7 +
 tests/sctp/cipso-fl-flush  |   5 +
 tests/sctp/cipso-fl-load   |   7 +
 tests/sctp/cipso-flush |   5 +
 tests/sctp/cipso-load-t1   |   7 +
 tests/sctp/cipso-load-t2   |   7 +
 tests/sctp/cipso-load-t5   |   7 +
 tests/sctp/fb-deny-label-flush |   6 +
 tests/sctp/fb-deny-label-load  |   7 +
 tests/sctp/fb-label-flush  |   6 +
 tests/sctp/fb-label-load   |   8 +
 tests/sctp/iptables-flush  |   4 +
 tests/sctp/iptables-load   |  27 ++
 tests/sctp/sctp_asconf_params_client.c | 298 +
 tests/sctp/sctp_asconf_params_server.c | 236 ++
 tests/sctp/sctp_bind.c |  61 +++
 tests/sctp/sctp_bindx.c| 116 +
 tests/sctp/sctp_client.c   | 220 +
 tests/sctp/sctp_common.c   | 101 +
 tests/sctp/sctp_common.h   |  27 ++
 tests/sctp/sctp_connectx.c | 124 ++
 tests/sctp/sctp_peeloff_server.c   | 260 +++
 tests/sctp/sctp_server.c   | 335 ++
 tests/sctp/sctp_set_params.c   | 205 +
 tests/sctp/sctp_set_peer_addr.c| 414 +
 tests/sctp/sctp_set_pri_addr.c | 135 ++
 tests/sctp/test| 791 +
 32 files changed, 3611 insertions(+)
 create mode 100644 policy/test_sctp.te
 create mode 100644 tests/sctp/Makefile
 create mode 100644 tests/sctp/calipso-flush
 create mode 100644 tests/sctp/calipso-load
 create mode 100644 tests/sctp/cipso-fl-flush
 create mode 100644 tests/sctp/cipso-fl-load
 create mode 100644 tests/sctp/cipso-flush
 create mode 100644 tests/sctp/cipso-load-t1
 create mode 100644 tests/sctp/cipso-load-t2
 create mode 100644 tests/sctp/cipso-load-t5
 create mode 100644 tests/sctp/fb-deny-label-flush
 create mode 100644 tests/sctp/fb-deny-label-load
 create mode 100644 tests/sctp/fb-label-flush
 create mode 100644 tests/sctp/fb-label-load
 create mode 100644 tests/sctp/iptables-flush
 create mode 100644 tests/sctp/iptables-load
 create mode 100644 tests/sctp/sctp_asconf_params_client.c
 create mode 100644 tests/sctp/sctp_asconf_params_server.c
 create mode 100644 tests/sctp/sctp_bind.c
 create mode 100644 tests/sctp/sctp_bindx.c
 create mode 100644 tests/sctp/sctp_client.c
 create mode 100644 tests/sctp/sctp_common.c
 create mode 100644 tests/sctp/sctp_common.h
 create mode 100644 tests/sctp/sctp_connectx.c
 create mode 100644 tests/sctp/sctp_peeloff_server.c
 create mode 100644 tests/sctp/sctp_server.c
 create mode 100644 tests/sctp/sctp_set_params.c
 create mode 100644 tests/sctp/sctp_set_peer_addr.c
 create mode 100644 tests/sctp/sctp_set_pri_addr.c
 create mode 100644 tests/sctp/test

diff --git a/policy/Makefile b/policy/Makefile
index 8ed5e46..031429a 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -63,6 +63,10 @@ ifeq ($(shell grep -q nnp_transition 
$(POLDEV)/include/support/all_perms.spt &&
 export M4PARAM += -Dnnp_nosuid_transition_permission_defined
 endif
 
+ifeq ($(shell grep -q corenet_sctp_bind_all_nodes 
$(POLDEV)/include/kernel/corenetwork.if && echo true),true)
+TARGETS += test_sctp.te
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS))
 endif
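
Review bot: the gate `ifeq ($(shell grep -q corenet_sctp_bind_all_nodes ...` only proves that one SCTP interface exists in the installed refpolicy headers, while test_sctp.te also calls corenet_sctp_bind_all_unreserved_ports() and the corenet_sctp_connect_all_unreserved_* interface; a policy that has the first but not the others would still select the target and then fail to build. Either grep for the interfaces the module actually uses or state the minimum refpolicy version in a comment beside the gate. Note also that this addition sits above the `ifeq (x$(DISTRO),...` filter, so it is the grep rather than the DISTRO list that keeps test_sctp.te off RHEL4-6; that works, but a one-line comment saying so would save the next reader a look.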
diff --git a/policy/test_sctp.te b/policy/test_sctp.te
new file mode 100644
index 000..6d43208
--- /dev/null
+++ b/policy/test_sctp.te
@@ -0,0 +1,159 @@
+#
+# SCTP selinux-testsuite policy module ##
+#
+
+attribute sctpsocketdomain;
+
+#
+ NetLabel labels 
+#
+# Fall-back labeling label:
+type netlabel_sctp_peer_t;
+corenet_in_generic_node(netlabel_sctp_peer_t)
+corenet_in_generic_if(netlabel_sctp_peer_t)
+
+# Default label for CIPSO/CALIPSO:
+gen_require(`
+   type netlabel_peer_t;
+')
+
+#
+### Declare an attribute that will hold all peers ###
+###   allowed an association  ###
+#
+attribute sctp_assoc_peers;
+
+typeattribute netlabel_peer_t sctp_assoc_peers;
+typeattribute netlabel_sctp_peer_t sctp_assoc_peers;
+allow sctp_assoc_peers sctp_assoc_peers:sctp_socket { association };
+
+#
+# SCTP portcon for ports 1024-65535 ##
+#
+corenet_sctp_bind_all_unreserved_ports(sctpsocketdomain)
+corenet_sctp_connect_all_unreserved_
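
Review bot: `allow sctp_assoc_peers sctp_assoc_peers:sctp_socket { association };` makes the association permission symmetric between netlabel_peer_t and netlabel_sctp_peer_t, so a socket whose first association came from a CIPSO/CALIPSO peer will also accept a later fall-back-labelled peer and vice versa. If the fb-deny-label-load/flush scripts in the diffstat are meant to exercise the deny path, the denied peer type has to stay out of this attribute, and a comment next to the rule saying so would stop someone widening it later. Separately, `gen_require` on netlabel_peer_t followed by `typeattribute netlabel_peer_t sctp_assoc_peers` adds an attribute to a type owned by the base policy; the module header should say it only loads against a policy that already defines netlabel_peer_t.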

[PATCH] selinux: Update SELinux SCTP documentation

2018-03-19 Thread Richard Haines via Selinux
Update SELinux-sctp.rst "SCTP Peer Labeling" section to reflect
how the association permission is validated.

Reported-by: Dominick Grift <dac.overr...@gmail.com>
Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 Documentation/security/SELinux-sctp.rst | 11 ++-
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/Documentation/security/SELinux-sctp.rst 
b/Documentation/security/SELinux-sctp.rst
index 2f66bf3..a332cb1 100644
--- a/Documentation/security/SELinux-sctp.rst
+++ b/Documentation/security/SELinux-sctp.rst
@@ -116,11 +116,12 @@ statement as shown in the following example::
 SCTP Peer Labeling
 ===
 An SCTP socket will only have one peer label assigned to it. This will be
-assigned during the establishment of the first association. Once the peer
-label has been assigned, any new associations will have the ``association``
-permission validated by checking the socket peer sid against the received
-packets peer sid to determine whether the association should be allowed or
-denied.
+assigned during the establishment of the first association. Any further
+associations on this socket will have their packet peer label compared to
+the sockets peer label, and only if they are different will the
+``association`` permission be validated. This is validated by checking the
+socket peer sid against the received packets peer sid to determine whether
+the association should be allowed or denied.
 
 NOTES:
1) If peer labeling is not enabled, then the peer context will always be
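
Review bot: wording in the added text: `the sockets peer label` should be `the socket's peer label` and `the received packets peer sid` should be `the received packet's peer sid`. The two sentences `only if they are different will the ``association`` permission be validated. This is validated by checking the ...` also repeat `validated`; consider `... will the ``association`` permission be checked, by comparing the socket peer sid with the received packet's peer sid ...`. The substantive change (the permission is checked only on a label mismatch) is clear and agrees with NOTES 1) below it.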
-- 
2.14.3




[PATCH] selinux: Add support for the SCTP portcon keyword

2018-03-11 Thread Richard Haines via Selinux
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 checkpolicy/checkpolicy.c  | 5 +
 checkpolicy/policy_define.c| 5 +
 libsepol/cil/src/cil.c | 1 +
 libsepol/cil/src/cil_binary.c  | 6 ++
 libsepol/cil/src/cil_build_ast.c   | 2 ++
 libsepol/cil/src/cil_internal.h| 4 +++-
 libsepol/cil/src/cil_policy.c  | 2 ++
 libsepol/cil/src/cil_tree.c| 2 ++
 libsepol/include/sepol/port_record.h   | 1 +
 libsepol/src/kernel_to_cil.c   | 4 
 libsepol/src/kernel_to_common.c| 3 +++
 libsepol/src/kernel_to_conf.c  | 4 
 libsepol/src/module_to_cil.c   | 4 
 libsepol/src/port_record.c | 2 ++
 libsepol/src/ports.c   | 7 +++
 secilc/docs/cil_network_labeling_statements.md | 5 +++--
 secilc/test/policy.cil | 1 +
 17 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 923b47c1..fbda4558 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -69,6 +69,9 @@
 #ifndef IPPROTO_DCCP
 #define IPPROTO_DCCP 33
 #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
 #include 
 #include 
 #include 
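
Review bot: the `#ifndef IPPROTO_SCTP / #define IPPROTO_SCTP 132` fallback added here is repeated verbatim in checkpolicy/policy_define.c and libsepol/cil/src/cil_binary.c in this same patch, each beside the existing IPPROTO_DCCP fallback. Three copies of one numeric constant is how values drift; consider hoisting both fallbacks into a single shared header (for example under libsepol/include/sepol/, which the patch already touches) so there is one definition to check against <netinet/in.h>.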
@@ -944,6 +947,8 @@ int main(int argc, char **argv)
protocol = IPPROTO_UDP;
else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
protocol = IPPROTO_DCCP;
+   else if (!strcmp(ans, "sctp") || !strcmp(ans, "SCTP"))
+   protocol = IPPROTO_SCTP;
else {
printf("unknown protocol\n");
break;
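
Review bot: `!strcmp(ans, "sctp") || !strcmp(ans, "SCTP")` follows the dccp line above it, so mixed case such as `Sctp` still drops to `unknown protocol`; not a blocker since it matches the tcp/udp/dccp handling, but if this interactive prompt is touched again a single strcasecmp() per protocol would be simpler than two strcmp() calls each.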
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 2c5db55d..11fd37d8 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -40,6 +40,9 @@
 #ifndef IPPROTO_DCCP
 #define IPPROTO_DCCP 33
 #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
 #include 
 #include 
 #include 
@@ -5004,6 +5007,8 @@ int define_port_context(unsigned int low, unsigned int 
high)
protocol = IPPROTO_UDP;
} else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
protocol = IPPROTO_DCCP;
+   } else if ((strcmp(id, "sctp") == 0) || (strcmp(id, "SCTP") == 0)) {
+   protocol = IPPROTO_SCTP;
} else {
yyerror2("unrecognized protocol %s", id);
goto bad;
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 5a64c2bc..2a7ec063 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -109,6 +109,7 @@ static void cil_init_keys(void)
CIL_KEY_UDP = cil_strpool_add("udp");
CIL_KEY_TCP = cil_strpool_add("tcp");
CIL_KEY_DCCP = cil_strpool_add("dccp");
+   CIL_KEY_SCTP = cil_strpool_add("sctp");
CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow");
CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif");
CIL_KEY_ALLOW = cil_strpool_add("allow");
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 431cd9cd..0cc6eeb1 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -34,6 +34,9 @@
 #ifndef IPPROTO_DCCP
 #define IPPROTO_DCCP 33
 #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
 
 #include 
 #include 
@@ -3272,6 +3275,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct 
cil_sort *portcons)
case CIL_PROTOCOL_DCCP:
new_ocon->u.port.protocol = IPPROTO_DCCP;
break;
+   case CIL_PROTOCOL_SCTP:
+   new_ocon->u.port.protocol = IPPROTO_SCTP;
+   break;
default:
/* should not get here */
rc = SEPOL_ERR;
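
Review bot: the new `case CIL_PROTOCOL_SCTP:` is the only place the CIL enum is mapped onto the kernel's IPPROTO number, and the `default:` branch with `/* should not get here */` below it is only unreachable while this switch and the key check in cil_gen_portcon() (cil_build_ast.c, same patch) list the same protocols. A short comment cross-referencing cil_gen_portcon() here would help the next person adding a protocol keep the two in step.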
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index e84336bf..b90b0f60 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -4405,6 +4405,8 @@ int cil_gen_portcon(struct cil_db *db, struct 
cil_tree_node *parse_current, stru
portcon->proto = CIL_PROTOCOL_TCP;
} else if (proto == CIL_KEY_DCCP) {
portcon->proto = CIL_PROTOCOL_DCCP;
+   } else if (proto == CIL_KEY_SCTP) {
+   portcon->proto = CIL_PROTOCOL_SCTP;
} else {
cil_log(CIL_ERR, "Invalid protocol\n");
  
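
Review bot: `cil_log(CIL_ERR, "Invalid protocol\n");` in the unchanged else branch still reports neither the token that was rejected nor that sctp is now accepted; since this patch extends the accepted set, it is a good moment to include the rejected token in the message so a policy author sees at once whether it was a typo or a protocol the compiler does not know.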

[PATCH] selinux: Fix ltp test connect-syscall failure

2018-03-05 Thread Richard Haines via Selinux
Fix the following error when running regression tests using LTP as follows:
cd /opt/ltp/
cat runtest/syscalls |grep connect01>runtest/connect-syscall
./runltp -pq -f connect-syscall

Running tests...
connect011  TPASS  :  bad file descriptor successful
connect012  TPASS  :  invalid socket buffer successful
connect013  TPASS  :  invalid salen successful
connect014  TPASS  :  invalid socket successful
connect015  TPASS  :  already connected successful
connect016  TPASS  :  connection refused successful
connect017  TFAIL  :  connect01.c:146: invalid address family ;
returned -1 (expected -1), errno 22 (expected 97)
INFO: ltp-pan reported some tests FAIL
LTP Version: 20180118

Reported-by: Anders Roxell <anders.rox...@linaro.org>
Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 security/selinux/hooks.c | 42 ++
 1 file changed, 30 insertions(+), 12 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 28a5c4e..d614df1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4470,22 +4470,29 @@ static int selinux_socket_bind(struct socket *sock, 
struct sockaddr *address, in
 * need to check address->sa_family as it is possible to have
 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
 */
-   if (address->sa_family == AF_INET) {
-   if (addrlen < sizeof(struct sockaddr_in)) {
-   err = -EINVAL;
-   goto out;
-   }
+   switch (address->sa_family) {
+   case AF_INET:
+   if (addrlen < sizeof(struct sockaddr_in))
+   return -EINVAL;
addr4 = (struct sockaddr_in *)address;
snum = ntohs(addr4->sin_port);
addrp = (char *)>sin_addr.s_addr;
-   } else {
-   if (addrlen < SIN6_LEN_RFC2133) {
-   err = -EINVAL;
-   goto out;
-   }
+   break;
+   case AF_INET6:
+   if (addrlen < SIN6_LEN_RFC2133)
+   return -EINVAL;
addr6 = (struct sockaddr_in6 *)address;
snum = ntohs(addr6->sin6_port);
addrp = (char *)>sin6_addr.s6_addr;
+   break;
+   default:
+   /* Note that SCTP services expect -EINVAL, whereas
+* others expect -EAFNOSUPPORT.
+*/
+   if (sksec->sclass == SECCLASS_SCTP_SOCKET)
+   return -EINVAL;
+   else
+   return -EAFNOSUPPORT;
}
 
if (snum) {
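
Review bot: the AF_INET/AF_INET6 short-length paths change from `err = -EINVAL; goto out;` to a bare `return -EINVAL;`. That is only equivalent if nothing acquired earlier in selinux_socket_bind() is released at the `out:` label; the hunk does not show the function head, so please confirm, and if `out:` has no other users left, drop the label and the `err` assignment with it. The `default:` case's comment says SCTP expects -EINVAL but not why; citing the lksctp-tools expectation from the thread, and that sctp_connectx(3) documents -EAFNOSUPPORT, would make it obvious when the special case can be removed.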
@@ -4589,16 +4596,27 @@ static int selinux_socket_connect_helper(struct socket 
*sock,
 * need to check address->sa_family as it is possible to have
 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
 */
-   if (address->sa_family == AF_INET) {
+   switch (address->sa_family) {
+   case AF_INET:
addr4 = (struct sockaddr_in *)address;
if (addrlen < sizeof(struct sockaddr_in))
return -EINVAL;
snum = ntohs(addr4->sin_port);
-   } else {
+   break;
+   case AF_INET6:
addr6 = (struct sockaddr_in6 *)address;
if (addrlen < SIN6_LEN_RFC2133)
return -EINVAL;
snum = ntohs(addr6->sin6_port);
+   break;
+   default:
+   /* Note that SCTP services expect -EINVAL, whereas
+* others expect -EAFNOSUPPORT.
+*/
+   if (sksec->sclass == SECCLASS_SCTP_SOCKET)
+   return -EINVAL;
+   else
+   return -EAFNOSUPPORT;
}
 
err = sel_netport_sid(sk->sk_protocol, snum, );
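
Review bot: the `default:` branch duplicates the bind hunk's `if (sksec->sclass == SECCLASS_SCTP_SOCKET) return -EINVAL; else return -EAFNOSUPPORT;` block, comment included; a small static helper shared by selinux_socket_bind() and selinux_socket_connect_helper() keeps the two from diverging when SCTP's expected errno changes. Minor: in the AF_INET/AF_INET6 cases the `addr4 = ...`/`addr6 = ...` casts precede the addrlen check, which is harmless since nothing is dereferenced before it, but ordering them as in the bind hunk (check, then cast) reads more naturally.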
-- 
2.14.3




Re: Regression found when running LTP connect01 on next-20180301

2018-03-02 Thread Richard Haines via Selinux
On Thu, 2018-03-01 at 13:03 -0500, Paul Moore wrote:
> On March 1, 2018 9:36:37 AM Richard Haines <richard_c_haines@btinternet.com> wrote:
> > On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote:
> > > On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell <anders.roxell@linaro.org> wrote:
> > > > Hi,
> > > > 
> > > > I was running LTP's testcase connect01 [1] and found a
> > > > regression
> > > > in linux-next
> > > > (next-20180301).  Bisect gave me this patch as the problematic
> > > > patch (sha
> > > > d452930fd3b9 "selinux: Add SCTP support") on a x86 target.
> > > > 
> > > > Output from the test(LTP release 20180118):
> > > > $ cd /opt/ltp/
> > > > $ cat runtest/syscalls |grep connect01>runtest/connect-syscall
> > > > $ ./runltp -pq -f connect-syscall
> > > > "
> > > > Running tests...
> > > > connect011  TPASS  :  bad file descriptor successful
> > > > connect012  TPASS  :  invalid socket buffer successful
> > > > connect013  TPASS  :  invalid salen successful
> > > > connect014  TPASS  :  invalid socket successful
> > > > connect015  TPASS  :  already connected successful
> > > > connect016  TPASS  :  connection refused successful
> > > > connect017  TFAIL  :  connect01.c:146: invalid address
> > > > family ;
> > > > returned -1 (expected -1), errno 22 (expected 97)
> > > > INFO: ltp-pan reported some tests FAIL
> > > > LTP Version: 20180118
> > > > "
> > > > 
> > > > The output from the test expected 97 and we received 22, can
> > > > you
> > > > please
> > > > elaborate on what have been changed?
> > > > 
> > > > Cheers,
> > > > Anders
> > > > [1] https://github.com/linux-test-project/ltp/blob/20180118/testcases/kernel/syscalls/connect/connect01.c#L146
> > > 
> > > Hi Anders,
> > > 
> > > Thanks for the report.  Out of curiosity, were you running the
> > > full
> > > LTP test suite and this was the only failure, or did you just run
> > > the
> > > connect01 test?  Either answer is fine, I'm just trying to
> > > understand
> > > the scope of the regression.
> > > 
> > > Richard, are you able to look into this?  If not, let me know and
> > > I'll
> > > dig a bit deeper (I'll likely take a quick look today, but if the
> > > failure is subtle it might require some digging).
> > 
> > I'll have a look today.
> 
> One more thing I forgot to mention earlier, if there is a patch to
> fix this, could you please base it on top of the existing
> SELinux/SCTP patches that have already been merged, and not respin an
> earlier patch?
> 
> Thank you.


Just to keep you informed:

It appears that with the original hooks.c selinux_socket_connect()
function check: if (sk->sk_family == PF_INET) {, the test fell through
as sk->sk_family = 2 (AF_INET) with the error being picked up by the
caller - even though the test set an illegal family of 47 - but not on
the sk->sk_family, hence:

With the new check: if (address->sa_family == AF_INET) {, the
address->sa_family = 47 and is therefore treated as an IPv6 address and
fails with -EINVAL. By a fluke this is what the SCTP services expect for
an invalid address family; however, TCP and DCCP require -EAFNOSUPPORT.

I can fix this with the following simple patch:
    switch (address->sa_family) {
    case AF_INET:
        addr4 = (struct sockaddr_in *)address;
        if (addrlen < sizeof(struct sockaddr_in))
            return -EINVAL;
        snum = ntohs(addr4->sin_port);
        break;
    case AF_INET6:
        addr6 = (struct sockaddr_in6 *)address;
        if (addrlen < SIN6_LEN_RFC2133)
            return -EINVAL;
        snum = ntohs(addr6->sin6_port);
        break;
    default:
        /* Note that SCTP services expect -EINVAL, whereas
         * others expect -EAFNOSUPPORT.
         */
        if (sksec->sclass == SECCLASS_SCTP_SOCKET)
            return -EINVAL;
        else
            return -EAFNOSUPPORT;
    }

This will pass the following LTP tests:
./runltp -pq -f connect-syscall
./runltp -pq -f net.sctp

The selinux-testsuite inet_socket and sctp tests all pass as well.

However: The selinux_socket_bind() function has the same issue that can
be fixed by the same type of patch.

So far I've tested three different patches to fix this problem and
this one above seems best. I'll post a patch based on this covering
the bind issue as well once I've done more testing.

I think the SCTP services should return -EAFNOSUPPORT for this (as their
sctp_connectx(3) man page states); that will require a kernel patch and
patches to their test services (plus of course it may impact some apps
already out there ??).


> 
> --
> paul moore
> www.paul-moore.com
> 
> 
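
Two explanations in this thread come down to the same per-address check: Richard's 2018-04-07 reply (connect(2) is already covered by security_socket_connect(), while security_sctp_bind_connect() exists for the one-or-more-address sctp_connectx(3)/sctp_bindx(3) calls) and the address-family/length split the hooks.c fix in this message settles on. The following is an added example, not code from the thread, the kernel or the selinux-testsuite: a user-space model of walking a packed sctp_connectx(3) address list and validating each entry the way the hook's AF_INET/AF_INET6/default switch does. sock_kind, check_one_addr, walk_sctp_addrs and build_sample_list are names chosen here, the sample addresses are constructed from documentation ranges, and the -EINVAL-for-SCTP/-EAFNOSUPPORT-otherwise split is taken from the patch as posted.

```c
/* Added example, not from the thread or the kernel: validate a packed list
 * of sockaddr_in/sockaddr_in6 entries of mixed families, as one
 * sctp_connectx(3)/sctp_bindx(3) call hands to the kernel. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

enum sock_kind { SOCK_KIND_TCP, SOCK_KIND_SCTP };

/* Validate one entry with `remaining` bytes left in the list. In a packed
 * list the whole structure is needed to find the next entry, so the full
 * sizeof() is required here; a single connect(2)/bind(2) address may be
 * accepted at the shorter SIN6_LEN_RFC2133 minimum, as in the hooks. */
int check_one_addr(const void *entry, size_t remaining,
                   enum sock_kind kind, size_t *len, uint16_t *port)
{
    sa_family_t family;

    if (remaining < sizeof(family))
        return -EINVAL;
    memcpy(&family, entry, sizeof(family));   /* copy: no alignment assumed */
    switch (family) {
    case AF_INET: {
        struct sockaddr_in a4;
        if (remaining < sizeof(a4))
            return -EINVAL;
        memcpy(&a4, entry, sizeof(a4));
        *len = sizeof(a4);
        *port = ntohs(a4.sin_port);
        return 0;
    }
    case AF_INET6: {
        struct sockaddr_in6 a6;
        if (remaining < sizeof(a6))
            return -EINVAL;
        memcpy(&a6, entry, sizeof(a6));
        *len = sizeof(a6);
        *port = ntohs(a6.sin6_port);
        return 0;
    }
    default:
        /* The quirk the hooks.c fix preserves: SCTP callers expect -EINVAL. */
        return kind == SOCK_KIND_SCTP ? -EINVAL : -EAFNOSUPPORT;
    }
}

/* Walk a packed list of `addrs_size` bytes. Returns the entry count or a
 * negative errno; the first `max` ports are written to `ports`. */
int walk_sctp_addrs(const void *addrs, size_t addrs_size,
                    enum sock_kind kind, uint16_t *ports, size_t max)
{
    const uint8_t *buf = addrs;
    size_t walk = 0, n = 0;

    while (walk < addrs_size) {
        size_t len;
        uint16_t port;
        int rc = check_one_addr(buf + walk, addrs_size - walk, kind, &len, &port);
        if (rc)
            return rc;
        if (n < max)
            ports[n] = port;
        n++;
        walk += len;
    }
    return (int)n;
}

/* Constructed sample input: one IPv4 and one IPv6 entry back to back, the
 * layout sctp_connectx(3) passes down. Returns the number of bytes written. */
size_t build_sample_list(void *out, size_t cap, uint16_t port4, uint16_t port6)
{
    struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_port = htons(port4) };
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6, .sin6_port = htons(port6) };

    if (cap < sizeof(a4) + sizeof(a6))
        return 0;
    inet_pton(AF_INET, "192.0.2.10", &a4.sin_addr);      /* documentation ranges */
    inet_pton(AF_INET6, "2001:db8::10", &a6.sin6_addr);
    memcpy(out, &a4, sizeof(a4));
    memcpy((uint8_t *)out + sizeof(a4), &a6, sizeof(a6));
    return sizeof(a4) + sizeof(a6);
}

int main(void)
{
    struct sockaddr_storage store[2];            /* aligned backing buffer */
    uint16_t ports[4] = { 0 };
    size_t n = build_sample_list(store, sizeof(store), 9999, 36412);
    int rc = walk_sctp_addrs(store, n, SOCK_KIND_SCTP, ports, 4);

    printf("%d entries, ports %u and %u\n", rc, ports[0], ports[1]);
    return rc == 2 ? 0 : 1;
}
```

Feeding it a list cut short, a stray trailing byte, or an entry with family 47 as the LTP connect01 test uses returns -EINVAL (or -EAFNOSUPPORT for a non-SCTP socket) instead of a count, which is the bind/connect behaviour the patch above makes consistent; the point of walking every entry is that a connectx list with one bad address is rejected as a whole rather than partly labelled.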



Re: Regression found when running LTP connect01 on next-20180301

2018-03-01 Thread Richard Haines via Selinux
On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote:
> On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell  rg> wrote:
> > Hi,
> > 
> > I was running LTP's testcase connect01 [1] and found a regression
> > in linux-next
> > (next-20180301).  Bisect gave me this patch as the problematic
> > patch (sha
> > d452930fd3b9 "selinux: Add SCTP support") on a x86 target.
> > 
> > Output from the test(LTP release 20180118):
> > $ cd /opt/ltp/
> > $ cat runtest/syscalls |grep connect01>runtest/connect-syscall
> > $ ./runltp -pq -f connect-syscall
> > "
> > Running tests...
> > connect011  TPASS  :  bad file descriptor successful
> > connect012  TPASS  :  invalid socket buffer successful
> > connect013  TPASS  :  invalid salen successful
> > connect014  TPASS  :  invalid socket successful
> > connect015  TPASS  :  already connected successful
> > connect016  TPASS  :  connection refused successful
> > connect017  TFAIL  :  connect01.c:146: invalid address family ;
> > returned -1 (expected -1), errno 22 (expected 97)
> > INFO: ltp-pan reported some tests FAIL
> > LTP Version: 20180118
> > "
> > 
> > The output from the test expected 97 and we received 22, can you
> > please
> > elaborate on what have been changed?
> > 
> > Cheers,
> > Anders
> > [1] https://github.com/linux-test-project/ltp/blob/20180118/testcases/kernel/syscalls/connect/connect01.c#L146
> 
> Hi Anders,
> 
> Thanks for the report.  Out of curiosity, were you running the full
> LTP test suite and this was the only failure, or did you just run the
> connect01 test?  Either answer is fine, I'm just trying to understand
> the scope of the regression.
> 
> Richard, are you able to look into this?  If not, let me know and
> I'll
> dig a bit deeper (I'll likely take a quick look today, but if the
> failure is subtle it might require some digging).

I'll have a look today.
> 



[PATCH V8 2/4] sctp: Add ip option support

2018-02-26 Thread Richard Haines via Selinux
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
All "./sctp-tests run" obtained from: https://github.com/sctp/sctp-tests
pass.

V7 Changes:
1) Log when copy ip options fail for IPv4 and IPv6
2) Correct sctp_setsockopt_maxseg() function. Note that the lksctp-tools
func_tests do not test with struct sctp_assoc_value. Just used simple test
and okay.
3) Move calculation of overheads to sctp_packet_config().
NOTE: Initially in sctp_packet_reset() I set packet->size and
packet->overhead to zero (as it is a reset). This was okay for all the
lksctp-tools function tests, however when running "sctp-tests" ndatasched
tests it causes these to fail with an st_s.log entry of:
sid: 3, expected: 3
sid: 3, expected: 3
unexpected sid packet !!!
sid: 1, expected: 3

I then found sctp_packet_transmit() relies on setting
"packet->size = packet->overhead;" to reset size to the current overhead
after sending packets, hence the comment in sctp_packet_reset()

V8 Change:
Fix sparse warning:
net/sctp/protocol.c:269:28: sparse: dereference of noderef expression
highlighted in [1] for sctp_v4_ip_options_len() function.

[1] https://lists.01.org/pipermail/kbuild-all/2018-February/043695.html

 include/net/sctp/sctp.h|  4 +++-
 include/net/sctp/structs.h |  2 ++
 net/sctp/chunk.c   | 10 +++---
 net/sctp/ipv6.c| 45 ++---
 net/sctp/output.c  | 34 +-
 net/sctp/protocol.c| 43 +++
 net/sctp/socket.c  | 11 ---
 7 files changed, 122 insertions(+), 27 deletions(-)

diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index f7ae6b0..25c5c87 100644
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -441,9 +441,11 @@ static inline int sctp_list_single_entry(struct list_head 
*head)
 static inline int sctp_frag_point(const struct sctp_association *asoc, int 
pmtu)
 {
struct sctp_sock *sp = sctp_sk(asoc->base.sk);
+   struct sctp_af *af = sp->pf->af;
int frag = pmtu;
 
-   frag -= sp->pf->af->net_header_len;
+   frag -= af->ip_options_len(asoc->base.sk);
+   frag -= af->net_header_len;
frag -= sizeof(struct sctphdr) + sctp_datachk_len(>stream);
 
if (asoc->user_frag)
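Review bot: the new `frag -= af->ip_options_len(asoc->base.sk);` line repeats overhead arithmetic that the chunk.c hunk of this same patch performs again in sctp_datamsg_from_user() (and the V7 notes say sctp_packet_config() now computes it a third time); a single helper returning net_header_len + ip_options_len + sctphdr + datachk overhead, called from all three places, would keep them from drifting the next time the option accounting changes.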
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 03e92dd..ead5fce 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -491,6 +491,7 @@ struct sctp_af {
void(*ecn_capable)(struct sock *sk);
__u16   net_header_len;
int sockaddr_len;
+   int (*ip_options_len)(struct sock *sk);
sa_family_t sa_family;
struct list_head list;
 };
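Review bot: ip_options_len is added as a mandatory callback with no NULL check at its callers in sctp_frag_point() and sctp_datamsg_from_user(), so every struct sctp_af must now populate it or those paths dereference a NULL function pointer; add a comment on the field saying the callback is required and must return 0 when the socket carries no options, so an address family added later cannot forget it.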
@@ -515,6 +516,7 @@ struct sctp_pf {
int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr);
void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
+   void (*copy_ip_options)(struct sock *sk, struct sock *newsk);
struct sctp_af *af;
 };
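Review bot: copy_ip_options is declared void, so a failed duplication of the parent socket's options into newsk cannot be reported to the clone path, and per the V7 notes it is only logged; since a child socket that lost its parent's CIPSO/CALIPSO options would send unlabelled packets, either document that outcome on this field or have the callback return int so the sk_clone caller can fail the clone instead of continuing.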
 
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index 991a530..d726d21 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -171,6 +171,8 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
struct list_head *pos, *temp;
struct sctp_chunk *chunk;
struct sctp_datamsg *msg;
+   struct sctp_sock *sp;
+   struct sctp_af *af;
int err;
 
msg = sctp_datamsg_new(GFP_KERNEL);
@@ -189,9 +191,11 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
/* This is the biggest possible DATA chunk that can fit into
 * the packet
 */
-   max_data = asoc->pathmtu -
-  sctp_sk(asoc->base.sk)->pf->af->net_header_len -
-  sizeof(struct sctphdr) - sctp_datachk_len(>stream);
+   sp = sctp_sk(asoc->base.sk);
+   af = sp->pf->af;
+   max_data = asoc->pathmtu - af->net_header_len -
+  sizeof(struct sctphdr) - sctp_datachk_len(>stream) -
+  af->ip_options_len(asoc->base.sk);
max_data = SCTP_TRUNC4(max_data);
 
/* If the the peer requested that we authenticate DATA chunks
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index e35d4f7..30a05a8 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -427,6 +427,41 @@ static void sctp_v6_copy_addrlist(struct list_head 
*addrlist,
rcu_read_unlock();
 }
 
+/* Copy over any ip options */
+static void sctp_v6_copy_ip_options(struct sock *sk, struct sock *newsk)
+{

Re: [PATCH] selinux: fix typo in selinux_netlbl_sctp_sk_clone declaration

2018-02-26 Thread Richard Haines via Selinux
On Fri, 2018-02-23 at 16:25 -0500, Paul Moore wrote:
> On Fri, Feb 23, 2018 at 4:12 PM, Arnd Bergmann  wrote:
> > A missing 'struct' keyword caused a build error when
> > CONFIG_NETLABEL
> > is disabled:
> > 
> > In file included from security/selinux/hooks.c:99:
> > security/selinux/include/netlabel.h:135:66: error: unknown type
> > name 'sock'
> >  static inline void selinux_netlbl_sctp_sk_clone(struct sock *sk,
> > sock *newsk)
> >   ^
> > ~~~
> > security/selinux/hooks.c: In function 'selinux_sctp_sk_clone':
> > security/selinux/hooks.c:5188:2: error: implicit declaration of
> > function 'selinux_netlbl_sctp_sk_clone'; did you mean
> > 'selinux_netlbl_inet_csk_clone'? [-Werror=implicit-function-
> > declaration]
> > 
> > Fixes: db97c9f9d312 ("selinux: Add SCTP support")
> > Signed-off-by: Arnd Bergmann 
> > ---
> >  security/selinux/include/netlabel.h | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> Thanks, merged and pushed to selinux/next.
> 
> Richard was going to submit a patch for that, but I don't think he
> would mind you beating him :)

Don't mind at all. What I will do then is fix the problem highlighted
by [1] that affects "[PATCH V7 2/4] sctp: Add ip option support"; I'll
issue a V8 asap.

[1] https://lists.01.org/pipermail/kbuild-all/2018-February/043695.html

> 
> > diff --git a/security/selinux/include/netlabel.h
> > b/security/selinux/include/netlabel.h
> > index 6ef4953431dc..8671de09c363 100644
> > --- a/security/selinux/include/netlabel.h
> > +++ b/security/selinux/include/netlabel.h
> > @@ -132,7 +132,8 @@ static inline void
> > selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
> >  {
> > return;
> >  }
> > -static inline void selinux_netlbl_sctp_sk_clone(struct sock *sk,
> > sock *newsk)
> > +static inline void selinux_netlbl_sctp_sk_clone(struct sock *sk,
> > +   struct sock *newsk)
> >  {
> > return;
> >  }
> > --
> > 2.9.0

Re: [pcmoore-selinux:next 5/5] security/selinux/include/netlabel.h:135:66: error: unknown type name 'sock'

2018-02-23 Thread Richard Haines via Selinux
On Fri, 2018-02-23 at 08:21 +0800, kbuild test robot wrote:
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selin
> ux.git next
> head:   db97c9f9d31217e3e133056fe2bea76639f87ec1
> commit: db97c9f9d31217e3e133056fe2bea76639f87ec1 [5/5] selinux: Add
> SCTP support
> config: x86_64-allyesdebian (attached as .config)
> compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
> reproduce:
> git checkout db97c9f9d31217e3e133056fe2bea76639f87ec1
> # save the attached .config to linux build tree
> make ARCH=x86_64 
> 
> All errors (new ones prefixed by >>):
> 
>In file included from security/selinux/hooks.c:99:0:
> > > security/selinux/include/netlabel.h:135:66: error: unknown type
> > > name 'sock'
> 
> static inline void selinux_netlbl_sctp_sk_clone(struct sock *sk,
> sock *newsk)
>  
> ^~~~
>security/selinux/hooks.c: In function 'selinux_sctp_sk_clone':
> > > security/selinux/hooks.c:5182:2: error: implicit declaration of
> > > function 'selinux_netlbl_sctp_sk_clone'; did you mean
> > > 'selinux_netlbl_inet_csk_clone'? [-Werror=implicit-function-
> > > declaration]
> 
>  selinux_netlbl_sctp_sk_clone(sk, newsk);
>  ^~~~
>  selinux_netlbl_inet_csk_clone
>cc1: some warnings being treated as errors
> --
>In file included from security/selinux/ss/services.c:68:0:
> > > security/selinux/include/netlabel.h:135:66: error: unknown type
> > > name 'sock'
> 
> static inline void selinux_netlbl_sctp_sk_clone(struct sock *sk,
> sock *newsk)
>  
> ^~~~
> --
>In file included from security//selinux/hooks.c:99:0:
> > > security/selinux/include/netlabel.h:135:66: error: unknown type
> > > name 'sock'
> 
> static inline void selinux_netlbl_sctp_sk_clone(struct sock *sk,
> sock *newsk)
>  
> ^~~~
>security//selinux/hooks.c: In function 'selinux_sctp_sk_clone':
>security//selinux/hooks.c:5182:2: error: implicit declaration of
> function 'selinux_netlbl_sctp_sk_clone'; did you mean
> 'selinux_netlbl_inet_csk_clone'? [-Werror=implicit-function-
> declaration]
>  selinux_netlbl_sctp_sk_clone(sk, newsk);
>  ^~~~
>  selinux_netlbl_inet_csk_clone
>cc1: some warnings being treated as errors
> 
> vim +/sock +135 security/selinux/include/netlabel.h
> 
>120
>121static inline int
> selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
>122str
> uct sk_buff *skb)
>123{
>124return 0;
>125}
>126static inline int
> selinux_netlbl_inet_conn_request(struct request_sock *req,
>127   u16
> family)
>128{
>129return 0;
>130}
>131static inline void selinux_netlbl_inet_csk_clone(struct
> sock *sk, u16 family)
>132{
>133return;
>134}
>  > 135static inline void selinux_netlbl_sctp_sk_clone(struct
> sock *sk, sock *newsk)

Paul,
Would you like a new selinux-Add-SCTP-support.patch to fix this?

>136{
>137return;
>138}
>139static inline int
> selinux_netlbl_socket_post_create(struct sock *sk,
>140u16
> family)
>141{
>142return 0;
>143}
>144static inline int selinux_netlbl_sock_rcv_skb(struct
> sk_security_struct *sksec,
>145  struct
> sk_buff *skb,
>146  u16
> family,
>147  struct
> common_audit_data *ad)
>148{
>149return 0;
>150}
>151static inline int
> selinux_netlbl_socket_setsockopt(struct socket *sock,
>152   int
> level,
>153   int
> optname)
>154{
>155return 0;
>156}
>157static inline int selinux_netlbl_socket_connect(struct
> sock *sk,
>158struct
> sockaddr *addr)
>159{
>160return 0;
>161}
>162static inline int
> selinux_netlbl_socket_connect_locked(struct sock *sk,
>163   
> struct sockaddr *addr)
>164{
>165return 0;
>166}
>167#endif /* CONFIG_NETLABEL */
>168
> 
> ---
> 0-DAY kernel test 

[PATCH V7 2/4] sctp: Add ip option support

2018-02-20 Thread Richard Haines via Selinux
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
All "./sctp-tests run" tests, obtained from https://github.com/sctp/sctp-tests,
pass.

V7 Changes:
1) Log when copying ip options fails for IPv4 and IPv6.
2) Correct the sctp_setsockopt_maxseg() function. Note that the lksctp-tools
func_tests do not test with struct sctp_assoc_value; I just used a simple test
and it was okay.
3) Move calculation of overheads to sctp_packet_config().
NOTE: Initially in sctp_packet_reset() I set packet->size and
packet->overhead to zero (as it is a reset). This was okay for all the
lksctp-tools function tests; however, when running the "sctp-tests" ndatshched
tests it causes these to fail with an st_s.log entry of:
sid: 3, expected: 3
sid: 3, expected: 3
unexpected sid packet !!!
sid: 1, expected: 3

I then found that sctp_packet_transmit() relies on setting
"packet->size = packet->overhead;" to reset size to the current overhead
after sending packets, hence the comment in sctp_packet_reset().

 include/net/sctp/sctp.h|  4 +++-
 include/net/sctp/structs.h |  2 ++
 net/sctp/chunk.c   | 10 +++---
 net/sctp/ipv6.c| 45 ++---
 net/sctp/output.c  | 34 +-
 net/sctp/protocol.c| 38 ++
 net/sctp/socket.c  | 11 ---
 7 files changed, 117 insertions(+), 27 deletions(-)

diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index f7ae6b0..25c5c87 100644
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -441,9 +441,11 @@ static inline int sctp_list_single_entry(struct list_head 
*head)
 static inline int sctp_frag_point(const struct sctp_association *asoc, int 
pmtu)
 {
struct sctp_sock *sp = sctp_sk(asoc->base.sk);
+   struct sctp_af *af = sp->pf->af;
int frag = pmtu;
 
-   frag -= sp->pf->af->net_header_len;
+   frag -= af->ip_options_len(asoc->base.sk);
+   frag -= af->net_header_len;
frag -= sizeof(struct sctphdr) + sctp_datachk_len(>stream);
 
if (asoc->user_frag)
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 03e92dd..ead5fce 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -491,6 +491,7 @@ struct sctp_af {
void(*ecn_capable)(struct sock *sk);
__u16   net_header_len;
int sockaddr_len;
+   int (*ip_options_len)(struct sock *sk);
sa_family_t sa_family;
struct list_head list;
 };
@@ -515,6 +516,7 @@ struct sctp_pf {
int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr);
void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
+   void (*copy_ip_options)(struct sock *sk, struct sock *newsk);
struct sctp_af *af;
 };
 
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index 991a530..d726d21 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -171,6 +171,8 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
struct list_head *pos, *temp;
struct sctp_chunk *chunk;
struct sctp_datamsg *msg;
+   struct sctp_sock *sp;
+   struct sctp_af *af;
int err;
 
msg = sctp_datamsg_new(GFP_KERNEL);
@@ -189,9 +191,11 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
/* This is the biggest possible DATA chunk that can fit into
 * the packet
 */
-   max_data = asoc->pathmtu -
-  sctp_sk(asoc->base.sk)->pf->af->net_header_len -
-  sizeof(struct sctphdr) - sctp_datachk_len(>stream);
+   sp = sctp_sk(asoc->base.sk);
+   af = sp->pf->af;
+   max_data = asoc->pathmtu - af->net_header_len -
+  sizeof(struct sctphdr) - sctp_datachk_len(>stream) -
+  af->ip_options_len(asoc->base.sk);
max_data = SCTP_TRUNC4(max_data);
 
/* If the the peer requested that we authenticate DATA chunks
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index e35d4f7..30a05a8 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -427,6 +427,41 @@ static void sctp_v6_copy_addrlist(struct list_head 
*addrlist,
rcu_read_unlock();
 }
 
+/* Copy over any ip options */
+static void sctp_v6_copy_ip_options(struct sock *sk, struct sock *newsk)
+{
+   struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
+   struct ipv6_txoptions *opt;
+
+   newnp = inet6_sk(newsk);
+
+   rcu_read_lock();
+   opt = rcu_dereference(np->opt);
+   if (opt) {
+   opt = ipv6

Re: [PATCH V6 2/4] sctp: Add ip option support

2018-02-20 Thread Richard Haines via Selinux
On Fri, 2018-02-16 at 23:28 -0500, Neil Horman wrote:
> On Fri, Feb 16, 2018 at 07:51:02PM -0200, Marcelo Ricardo Leitner
> wrote:
> > On Fri, Feb 16, 2018 at 03:14:35PM -0500, Neil Horman wrote:
> > > On Fri, Feb 16, 2018 at 10:56:07AM -0200, Marcelo Ricardo Leitner
> > > wrote:
> > > > On Thu, Feb 15, 2018 at 09:15:40AM -0500, Neil Horman wrote:
> > > > > On Tue, Feb 13, 2018 at 08:54:44PM +, Richard Haines
> > > > > wrote:
> > > > > > Add ip option support to allow LSM security modules to
> > > > > > utilise CIPSO/IPv4
> > > > > > and CALIPSO/IPv6 services.
> > > > > > 
> > > > > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.
> > > > > > com>
> > > > > > ---
> > > > > >  include/net/sctp/sctp.h|  4 +++-
> > > > > >  include/net/sctp/structs.h |  2 ++
> > > > > >  net/sctp/chunk.c   | 12 +++-
> > > > > >  net/sctp/ipv6.c| 42
> > > > > > +++---
> > > > > >  net/sctp/output.c  |  5 -
> > > > > >  net/sctp/protocol.c| 36
> > > > > > 
> > > > > >  net/sctp/socket.c  | 14 ++
> > > > > >  7 files changed, 97 insertions(+), 18 deletions(-)
> > > > > > 
> > > > > > diff --git a/include/net/sctp/sctp.h
> > > > > > b/include/net/sctp/sctp.h
> > > > > > index f7ae6b0..25c5c87 100644
> > > > > > --- a/include/net/sctp/sctp.h
> > > > > > +++ b/include/net/sctp/sctp.h
> > > > > > @@ -441,9 +441,11 @@ static inline int
> > > > > > sctp_list_single_entry(struct list_head *head)
> > > > > >  static inline int sctp_frag_point(const struct
> > > > > > sctp_association *asoc, int pmtu)
> > > > > >  {
> > > > > > struct sctp_sock *sp = sctp_sk(asoc->base.sk);
> > > > > > +   struct sctp_af *af = sp->pf->af;
> > > > > > int frag = pmtu;
> > > > > >  
> > > > > > -   frag -= sp->pf->af->net_header_len;
> > > > > > +   frag -= af->ip_options_len(asoc->base.sk);
> > > > > > +   frag -= af->net_header_len;
> > > > > > frag -= sizeof(struct sctphdr) +
> > > > > > sctp_datachk_len(>stream);
> > > > > >  
> > > > > > if (asoc->user_frag)
> > > > > > diff --git a/include/net/sctp/structs.h
> > > > > > b/include/net/sctp/structs.h
> > > > > > index 03e92dd..ead5fce 100644
> > > > > > --- a/include/net/sctp/structs.h
> > > > > > +++ b/include/net/sctp/structs.h
> > > > > > @@ -491,6 +491,7 @@ struct sctp_af {
> > > > > > void(*ecn_capable)(struct sock
> > > > > > *sk);
> > > > > > __u16   net_header_len;
> > > > > > int sockaddr_len;
> > > > > > +   int (*ip_options_len)(struct sock
> > > > > > *sk);
> > > > > > sa_family_t sa_family;
> > > > > > struct list_head list;
> > > > > >  };
> > > > > > @@ -515,6 +516,7 @@ struct sctp_pf {
> > > > > > int (*addr_to_user)(struct sctp_sock *sk, union
> > > > > > sctp_addr *addr);
> > > > > > void (*to_sk_saddr)(union sctp_addr *, struct sock
> > > > > > *sk);
> > > > > > void (*to_sk_daddr)(union sctp_addr *, struct sock
> > > > > > *sk);
> > > > > > +   void (*copy_ip_options)(struct sock *sk, struct
> > > > > > sock *newsk);
> > > > > > struct sctp_af *af;
> > > > > >  };
> > > > > >  
> > > > > > diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
> > > > > > index 991a530..d5c0ef7 100644
> > > > > > --- a/net/sctp/chunk.c
> > > > > > +++ b/net/sctp/chunk.c
> > > > > > @@ -154,7 +154,6 @@ static void sctp_datamsg_assign(struct
> > > > > > sctp_datamsg *msg, struct sctp_chunk *chu
> > > > > > chunk->msg 

Re: FYI: selinux/next rebased to v4.16-rc1

2018-02-13 Thread Richard Haines via Selinux
On Tue, 2018-02-13 at 12:55 -0500, Paul Moore wrote:
> On Tue, Feb 13, 2018 at 11:22 AM, Richard Haines
> <richard_c_hai...@btinternet.com> wrote:
> > On Mon, 2018-02-12 at 16:13 -0500, Paul Moore wrote:
> > > A quick note to let you know that I've just rebased the
> > > selinux/next
> > > branch to v4.16-rc1.  Over the next day or two I'm going to be
> > > working
> > > through the backlog of kernel patches, most notably the SCTP
> > > work.
> > > 
> > 
> > I've just rebuilt the SCTP patch set on Fedora using:
> > 
> > kernel-4.16.0-0.rc1.git0.1.fc28.src.rpm
> > 
> > I found there were a number of changes required to get the SCTP
> > specific patches (2/4 and 3/4) to build as there have been many
> > updates
> > since kernel 4.14.
> > 
> > The 4-16 kernel build passes my SCTP SELinux Testsuite although I
> > also
> > added the "netlabel: If PF_INET6, check sk_buff ip header version"
> > [1]
> > patch as well.
> > 
> > It's probably best I post these patches so the SCTP team can
> > finally ok
> > them (or not).
> 
> If you don't mind doing the rebase that would be helpful.  We'll have
> to wait and see what the changes look like, but I don't expect there
> to be a problem with the SCTP folks, Marcelo has been very helpful
> thus far.
> 
> As far as the NetLabel patch is concerned, yes, go ahead and include
> that in the patchset.

I did not include the "netlabel: If PF_INET6, check sk_buff ip header
version" [1] in the final V6 patches as it was the only one that did
not require a rebase; therefore [1] can still go standalone in kernel
4.16.

> 
> Thanks!
> 
> > [1] https://marc.info/?l=selinux=151061619115945=2

[PATCH V6 3/4] sctp: Add LSM hooks

2018-02-13 Thread Richard Haines via Selinux
Add security hooks allowing security modules to exercise access control
over SCTP.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 include/net/sctp/structs.h | 10 
 include/uapi/linux/sctp.h  |  1 +
 net/sctp/sm_make_chunk.c   | 12 +
 net/sctp/sm_statefuns.c| 18 ++
 net/sctp/socket.c  | 62 +-
 5 files changed, 102 insertions(+), 1 deletion(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index ead5fce..7a23896 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -1318,6 +1318,16 @@ struct sctp_endpoint {
  reconf_enable:1;
 
__u8  strreset_enable;
+
+   /* Security identifiers from incoming (INIT). These are set by
+* security_sctp_assoc_request(). These will only be used by
+* SCTP TCP type sockets and peeled off connections as they
+* cause a new socket to be generated. security_sctp_sk_clone()
+* will then plug these into the new socket.
+*/
+
+   u32 secid;
+   u32 peer_secid;
 };
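Review bot: the `+` blank line between the comment block and the two `u32` fields it describes separates them; drop it so the comment reads as documenting secid and peer_secid. The comment could also state that both fields are only meaningful once security_sctp_assoc_request() has accepted the first INIT, since code reading them on the sk_clone path will otherwise assume they are always populated.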
 
 /* Recover the outter endpoint structure. */
diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
index 4c4db14..64736ed 100644
--- a/include/uapi/linux/sctp.h
+++ b/include/uapi/linux/sctp.h
@@ -126,6 +126,7 @@ typedef __s32 sctp_assoc_t;
 #define SCTP_STREAM_SCHEDULER  123
 #define SCTP_STREAM_SCHEDULER_VALUE124
 #define SCTP_INTERLEAVING_SUPPORTED125
+#define SCTP_SENDMSG_CONNECT   126
 
 /* PR-SCTP policies */
 #define SCTP_PR_SCTP_NONE  0x
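Review bot: SCTP_SENDMSG_CONNECT is defined in the uapi header alongside real socket option names, but from the LSM-sctp.rst hunk in 1/4 it exists only so security_sctp_bind_connect() can identify a connect generated by sendmsg(2); userspace will see it as a number it may pass to setsockopt()/getsockopt(). Either add a comment here saying it is not a socket option and is rejected by setsockopt, or move it to a kernel-internal header if nothing in userspace needs the value.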
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index d01475f..70274ae 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3071,6 +3071,12 @@ static __be16 sctp_process_asconf_param(struct 
sctp_association *asoc,
if (af->is_any())
memcpy(, >source, sizeof(addr));
 
+   if (security_sctp_bind_connect(asoc->ep->base.sk,
+  SCTP_PARAM_ADD_IP,
+  (struct sockaddr *),
+  af->sockaddr_len))
+   return SCTP_ERROR_REQ_REFUSED;
+
/* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
 * request and does not have the local resources to add this
 * new address to the association, it MUST return an Error
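Review bot: the security_sctp_bind_connect() call passes a single `addr` with af->sockaddr_len for SCTP_PARAM_ADD_IP, while the CONNECT table in the 1/4 LSM-sctp.rst hunk says SCTP_PARAM_ADD_IP carries "one or more" addresses; the two should agree, so either the table should say a single address for the ASCONF path or a comment here should note that each ASCONF ADD_IP parameter is processed, and therefore checked, one address at a time. Placing the check ahead of the ADDIP 4.3 D9 resource check, so a refused address is rejected with SCTP_ERROR_REQ_REFUSED before anything is allocated, is the right order.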
@@ -3137,6 +3143,12 @@ static __be16 sctp_process_asconf_param(struct 
sctp_association *asoc,
if (af->is_any())
memcpy(, sctp_source(asconf), sizeof(addr));
 
+   if (security_sctp_bind_connect(asoc->ep->base.sk,
+  SCTP_PARAM_SET_PRIMARY,
+  (struct sockaddr *),
+  af->sockaddr_len))
+   return SCTP_ERROR_REQ_REFUSED;
+
peer = sctp_assoc_lookup_paddr(asoc, );
if (!peer)
return SCTP_ERROR_DNS_FAILED;
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index eb7905f..42659ab 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -321,6 +321,11 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
struct sctp_packet *packet;
int len;
 
+   /* Update socket peer label if first association. */
+   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+   chunk->skb))
+   return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
 * An endpoint MUST NOT bundle INIT, INIT ACK or
 * SHUTDOWN COMPLETE with any other chunks.
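Review bot: the `(struct sctp_endpoint *)ep` cast discards the const qualifier of the state function's `ep` parameter to satisfy security_sctp_assoc_request(), and the same cast appears in sctp_sf_do_unexpected_init() below. Since the 3/4 structs.h hunk shows the hook writes secid/peer_secid into the endpoint, the cast is intentional; add a one-line comment saying so rather than leaving a bare const-discarding cast that the next reader may try to remove.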
@@ -908,6 +913,9 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
 */
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 
+   /* Set peer label for connection. */
+   security_inet_conn_established(ep->base.sk, chunk->skb);
+
/* RFC 2960 5.1 Normal Establishment of an Association
 *
 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
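Review bot: security_inet_conn_established() is called here for SCTP on receipt of the COOKIE ACK, i.e. on the association initiator (endpoint "A" in the context comment), re-using a hook previously used for TCP, and the LSM-sctp.rst hunk in 1/4 only says the hook "has been utilised". Document there that for SCTP it fires on the initiator when the COOKIE ACK arrives, so LSM authors know which side sets its peer label through this path and which through security_sctp_assoc_request().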
@@ -1436,6 +1444,11 @@ static enum sctp_disposition sctp_sf_do_unexpected_init(
struct sctp_packet *packet;
int len;
 
+   /* Update socket peer label if first association. */
+   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+   chunk->skb))
+   return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
 * An endpoint MUST NOT bundle INIT, INIT ACK or
 * SHUTDOWN COMPLETE with any other chunks.
@@ -2106,6 +2119,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
}
}
 
+

[PATCH V6 2/4] sctp: Add ip option support

2018-02-13 Thread Richard Haines via Selinux
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 include/net/sctp/sctp.h|  4 +++-
 include/net/sctp/structs.h |  2 ++
 net/sctp/chunk.c   | 12 +++-
 net/sctp/ipv6.c| 42 +++---
 net/sctp/output.c  |  5 -
 net/sctp/protocol.c| 36 
 net/sctp/socket.c  | 14 ++
 7 files changed, 97 insertions(+), 18 deletions(-)

diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index f7ae6b0..25c5c87 100644
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -441,9 +441,11 @@ static inline int sctp_list_single_entry(struct list_head 
*head)
 static inline int sctp_frag_point(const struct sctp_association *asoc, int 
pmtu)
 {
struct sctp_sock *sp = sctp_sk(asoc->base.sk);
+   struct sctp_af *af = sp->pf->af;
int frag = pmtu;
 
-   frag -= sp->pf->af->net_header_len;
+   frag -= af->ip_options_len(asoc->base.sk);
+   frag -= af->net_header_len;
frag -= sizeof(struct sctphdr) + sctp_datachk_len(>stream);
 
if (asoc->user_frag)
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 03e92dd..ead5fce 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -491,6 +491,7 @@ struct sctp_af {
void(*ecn_capable)(struct sock *sk);
__u16   net_header_len;
int sockaddr_len;
+   int (*ip_options_len)(struct sock *sk);
sa_family_t sa_family;
struct list_head list;
 };
@@ -515,6 +516,7 @@ struct sctp_pf {
int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr);
void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
+   void (*copy_ip_options)(struct sock *sk, struct sock *newsk);
struct sctp_af *af;
 };
 
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index 991a530..d5c0ef7 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -154,7 +154,6 @@ static void sctp_datamsg_assign(struct sctp_datamsg *msg, 
struct sctp_chunk *chu
chunk->msg = msg;
 }
 
-
 /* A data chunk can have a maximum payload of (2^16 - 20).  Break
  * down any such message into smaller chunks.  Opportunistically, fragment
  * the chunks down to the current MTU constraints.  We may get refragmented
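Review bot: this hunk only removes a blank line after sctp_datamsg_assign() and is unrelated to ip option handling; the @@ -211 hunk below does the same after `first_len = max_data;`. Drop both whitespace-only changes so the patch stays focused on the functional change (the V7 version of this patch on this page no longer carries them).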
@@ -171,6 +170,8 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
struct list_head *pos, *temp;
struct sctp_chunk *chunk;
struct sctp_datamsg *msg;
+   struct sctp_sock *sp;
+   struct sctp_af *af;
int err;
 
msg = sctp_datamsg_new(GFP_KERNEL);
@@ -189,9 +190,11 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
/* This is the biggest possible DATA chunk that can fit into
 * the packet
 */
-   max_data = asoc->pathmtu -
-  sctp_sk(asoc->base.sk)->pf->af->net_header_len -
-  sizeof(struct sctphdr) - sctp_datachk_len(>stream);
+   sp = sctp_sk(asoc->base.sk);
+   af = sp->pf->af;
+   max_data = asoc->pathmtu - af->net_header_len -
+  sizeof(struct sctphdr) - sctp_datachk_len(>stream) -
+  af->ip_options_len(asoc->base.sk);
max_data = SCTP_TRUNC4(max_data);
 
/* If the the peer requested that we authenticate DATA chunks
@@ -211,7 +214,6 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
 
/* Set first_len and then account for possible bundles on first frag */
first_len = max_data;
-
/* Check to see if we have a pending SACK and try to let it be bundled
 * with this message.  Do this if we don't have any data queued already.
 * To check that, look at out_qlen and retransmit list.
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index e35d4f7..0b0f895 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -427,6 +427,38 @@ static void sctp_v6_copy_addrlist(struct list_head 
*addrlist,
rcu_read_unlock();
 }
 
+/* Copy over any ip options */
+static void sctp_v6_copy_ip_options(struct sock *sk, struct sock *newsk)
+{
+   struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
+   struct ipv6_txoptions *opt;
+
+   newnp = inet6_sk(newsk);
+
+   rcu_read_lock();
+   opt = rcu_dereference(np->opt);
+   if (opt)
+   opt = ipv6_dup_options(newsk, opt);
+   RCU_INIT_POINTER(newnp->opt, opt);
+   rcu_read_unlock();
+}
+
+/* Account for the IP options */
+static int sctp_v6_ip_options_len(struct sock *sk)
+{
+   struct ipv6_pinfo *np = inet6_sk(sk);
+   struct ipv6_txoptions *opt;
+   int l
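Review bot: in sctp_v6_copy_ip_options(), ipv6_dup_options() returns NULL when it cannot allocate, and the code then stores that NULL into newnp->opt exactly as it would for a parent with no options, so the clone silently loses its CALIPSO options with nothing in the log; log the failure (the V7 notes say this was added) and consider letting the caller know, since a child socket sending unlabelled packets is a security-relevant outcome rather than a lost convenience option. The rcu_read_lock()/rcu_dereference() around np->opt and the RCU_INIT_POINTER() into the not-yet-published newsk look correct.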

[PATCH V6 1/4] security: Add support for SCTP security hooks

2018-02-13 Thread Richard Haines via Selinux
The SCTP security hooks are explained in:
Documentation/security/LSM-sctp.rst

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 Documentation/security/LSM-sctp.rst | 175 
 include/linux/lsm_hooks.h   |  36 
 include/linux/security.h|  25 ++
 security/security.c |  22 +
 4 files changed, 258 insertions(+)
 create mode 100644 Documentation/security/LSM-sctp.rst

diff --git a/Documentation/security/LSM-sctp.rst 
b/Documentation/security/LSM-sctp.rst
new file mode 100644
index 000..6e5a392
--- /dev/null
+++ b/Documentation/security/LSM-sctp.rst
@@ -0,0 +1,175 @@
+SCTP LSM Support
+
+
+For security module support, three SCTP specific hooks have been implemented::
+
+security_sctp_assoc_request()
+security_sctp_bind_connect()
+security_sctp_sk_clone()
+
+Also the following security hook has been utilised::
+
+security_inet_conn_established()
+
+The usage of these hooks are described below with the SELinux implementation
+described in ``Documentation/security/SELinux-sctp.rst``
+
+
+security_sctp_assoc_request()
+-
+Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
+security module. Returns 0 on success, error on failure.
+::
+
+@ep - pointer to sctp endpoint structure.
+@skb - pointer to skbuff of association packet.
+
+
+security_sctp_bind_connect()
+-
+Passes one or more ipv4/ipv6 addresses to the security module for validation
+based on the ``@optname`` that will result in either a bind or connect
+service as shown in the permission check tables below.
+Returns 0 on success, error on failure.
+::
+
+@sk  - Pointer to sock structure.
+@optname - Name of the option to validate.
+@address - One or more ipv4 / ipv6 addresses.
+@addrlen - The total length of address(s). This is calculated on each
+   ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
+   sizeof(struct sockaddr_in6).
+
+  --
+  | BIND Type Checks   |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
+  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6 address   |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address   |
+  --
+
+  --
+  |   CONNECT Type Checks  |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_CONNECTX  | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_ADD_IP  | One or more ipv4 / ipv6 addresses |
+  | SCTP_SENDMSG_CONNECT   | Single ipv4 or ipv6 address   |
+  | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address   |
+  --
+
+A summary of the ``@optname`` entries is as follows::
+
+SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
+ associated after (optionally) calling
+ bind(3).
+ sctp_bindx(3) adds a set of bind
+ addresses on a socket.
+
+SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
+addresses for reaching a peer
+(multi-homed).
+sctp_connectx(3) initiates a connection
+on an SCTP socket using multiple
+destination addresses.
+
+SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
+sendmsg(2) or sctp_sendmsg(3) on a new asociation.
+
+SCTP_PRIMARY_ADDR - Set local primary address.
+
+SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
+ association primary.
+
+SCTP_PARAM_ADD_IP  - These are used when Dynamic Address
+SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below.
+
+
+To support Dynamic Address Reconfiguration the following parameters must be
+enabled on both endpoints (or use the appropriate **setsockopt**\(2))::
+
+/proc/sys/net/sctp/addip_enable
+/proc/sys/net/sctp/addip_noauth_enable
+
+then the following *_PARAM_*'s are sent to the peer in an
+ASCONF chunk when the corresponding ``@optname``'s are present::
+
+  @optname  ASCONF Parameter
+ ----
+SCTP_SOCKOPT_
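Review bot: the hook descriptions do not say in what context each hook is called, which an LSM implementer needs for locking: the 3/4 sm_statefuns.c hunks call security_sctp_assoc_request() from sctp_sf_do_5_1B_init() and sctp_sf_do_unexpected_init(), i.e. from inbound chunk processing rather than from a syscall, while security_sctp_bind_connect() is reached both from the setsockopt optnames in the tables and from ASCONF processing in sm_make_chunk.c. Add a line per hook stating the calling context and which locks are held. Also "asociation" under SCTP_SENDMSG_CONNECT and "address(s)" under @addrlen should read "association" and "address(es)".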

[PATCH V6 0/4] Add SELinux SCTP protocol support

2018-02-13 Thread Richard Haines via Selinux
These patches have been built on Fedora 27 with kernel-4.16.0-0.rc1 plus
the following userspace patches to enable testing:

1) Updates to libsepol 2.7 to support the sctp portcon statement.
   The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 selinux-Add-support-for-the-SCTP-portcon-keyword.patch

2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
   selinux-testsuite/README.sctp for details. The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 selinux-testsuite-Add-SCTP-test-support.patch

3) Updates to lksctp-tools that show SELinux info in sctp_darn and
   sctp_test. It also contains a minor patch for test_1_to_1_connect.c
   as, when CIPSO/CALIPSO is configured, NetLabel returns a different error
   code for illegal addresses in test 5. The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch

All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.

All SCTP regression tests "./sctp-tests run" run correctly in enforcing
mode. These tests are obtained from: https://github.com/sctp/sctp-tests

The selinux-testsuite patch also adds remote tests (that need some manual
configuration). These are useful for testing CIPSO/CALIPSO over a network
with a number of categories to produce large ip option fields with various
message sizes, forcing fragmentation etc.

Changes since RFC Patch:
Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support)
as re-engineered. However this patchset will require the NetLabel
patch at [1] to fully run the SCTP selinux-testsuite.

V1 Changes:
PATCH 1/4
Remove unused parameter from security_sctp_assoc_request().
Reformat and update LSM-sctp.rst documentation.
PATCH 2/4
Add variables and RCU locks as requested in [2] to support IP options.
PATCH 3/4
Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init()
and sctp_sf_do_5_2_4_dupcook().
Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as
no longer required.
PATCH 4/4
Reformat and update SELinux-sctp.rst documentation.
Remove bindx and connectx permissions.
Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to
utilise helpers for code reuse.
Add spinlock to selinux_sctp_assoc_request().
Remove unused parameter from security_sctp_assoc_request().
Use address->sa_family == AF_INET in *_bind and *_connect to ensure
correct address type.
Minor cleanups.

V2 Changes:
PATCH 4/4 - Remove spin lock from selinux_sctp_assoc_request()
PATCH 4/4 - Fix selinux_sctp_sk_clone() kbuild test robot catch [3]

V3 Changes:
PATCH 2/4 - Account for IP options length in sctp.h sctp_frag_point() by
Marcelo

V4 Changes:
PATCH 1/4 - Move specific SELinux descriptions from LSM-sctp.rst and
lsm_hooks.h to SELinux-sctp.rst in PATCH 4/4
PATCH 4/4 - Rename selinux_netlbl_sctp_socket_connect() to
selinux_netlbl_socket_connect_locked() and move description comments to
selinux_sctp_bind_connect()

V5 Change: Rework selinux_netlbl_socket_connect() and
selinux_netlbl_socket_connect_locked as requested by Paul.

V6 Changes:
Rework SCTP patches 2/4 and 3/4 as there have been major SCTP updates since
kernel 4.14.

[1] https://marc.info/?l=selinux=151061619115945=2
[2] https://marc.info/?l=selinux=150962470215797=2
[3] https://marc.info/?l=selinux=151198281817779=2

Richard Haines (4):
  security: Add support for SCTP security hooks
  sctp: Add ip option support
  sctp: Add LSM hooks
  selinux: Add SCTP support

 Documentation/security/LSM-sctp.rst | 175 
 Documentation/security/SELinux-sctp.rst | 157 ++
 include/linux/lsm_hooks.h   |  36 
 include/linux/security.h|  25 +++
 include/net/sctp/sctp.h |   4 +-
 include/net/sctp/structs.h  |  12 ++
 include/uapi/linux/sctp.h   |   1 +
 net/sctp/chunk.c|  12 +-
 net/sctp/ipv6.c |  42 -
 net/sctp/output.c   |   5 +-
 net/sctp/protocol.c |  36 
 net/sctp/sm_make_chunk.c|  12 ++
 net/sctp/sm_statefuns.c |  18 ++
 net/sctp/socket.c   |  76 -
 security/security.c |  22 +++
 security/selinux/hooks.c| 280 +---
 security/selinux/include/classmap.h |   2 +-
 security/selinux/include/netlabel.h |  21 ++-
 security/selinux/include/objsec.h   |   4 +
 security/selinux/netlabel.c | 133 +--
 20 files changed, 1022 insertions(+), 51 deletions(-)
 create mode 100644 Documentation/security/LSM-sctp.rst
 create mode 100644 Documentation/security/SELinux-sctp.rst

-- 
2.14.3




Re: FYI: selinux/next rebased to v4.16-rc1

2018-02-13 Thread Richard Haines via Selinux
On Mon, 2018-02-12 at 16:13 -0500, Paul Moore wrote:
> A quick note to let you know that I've just rebased the selinux/next
> branch to v4.16-rc1.  Over the next day or two I'm going to be
> working
> through the backlog of kernel patches, most notably the SCTP work.
> 

I've just rebuilt the SCTP patch set on Fedora using:

kernel-4.16.0-0.rc1.git0.1.fc28.src.rpm

I found there were a number of changes required to get the SCTP
specific patches (2/4 and 3/4) to build as there have been many updates
since kernel 4.14.

The 4.16 kernel build passes my SCTP SELinux Testsuite although I also
added the "netlabel: If PF_INET6, check sk_buff ip header version" [1]
patch as well.

It's probably best I post these patches so the SCTP team can finally ok
them (or not). 

[1] https://marc.info/?l=selinux=151061619115945=2



[PATCH V3] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-24 Thread Richard Haines
Allow the tmp build files to be kept for debugging when a policy
build fails.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
V2 Changes: 
Remove the retain-tmp flag and just keep tmp files on build errors.
V3 Changes:
Release transaction lock after tmp files removed.
Add additional comments to commit_err in handle.h

 libsemanage/src/direct_api.c | 56 ++--
 libsemanage/src/handle.c |  2 ++
 libsemanage/src/handle.h |  4 
 3 files changed, 44 insertions(+), 18 deletions(-)

diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index a455612f..88873c43 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -323,25 +323,43 @@ static void semanage_direct_destroy(semanage_handle_t * sh
/* do nothing */
 }
 
-static int semanage_direct_disconnect(semanage_handle_t * sh)
+static int semanage_remove_tmps(semanage_handle_t *sh)
 {
-   /* destroy transaction */
-   if (sh->is_in_transaction) {
-   /* destroy sandbox */
-   if (semanage_remove_directory
-   (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
+   if (sh->commit_err)
+   return 0;
+
+   /* destroy sandbox if it exists */
+   if (semanage_remove_directory
+   (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
+   if (errno != ENOENT) {
ERR(sh, "Could not cleanly remove sandbox %s.",
semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL));
return -1;
}
-   if (semanage_remove_directory
-   (semanage_final_path(SEMANAGE_FINAL_TMP,
-SEMANAGE_FINAL_TOPLEVEL)) < 0) {
+   }
+
+   /* destroy tmp policy if it exists */
+   if (semanage_remove_directory
+   (semanage_final_path(SEMANAGE_FINAL_TMP,
+SEMANAGE_FINAL_TOPLEVEL)) < 0) {
+   if (errno != ENOENT) {
ERR(sh, "Could not cleanly remove tmp %s.",
semanage_final_path(SEMANAGE_FINAL_TMP,
SEMANAGE_FINAL_TOPLEVEL));
return -1;
}
+   }
+
+   return 0;
+}
+
+static int semanage_direct_disconnect(semanage_handle_t *sh)
+{
+   int retval = 0;
+
+   /* destroy transaction and remove tmp files if no commit error */
+   if (sh->is_in_transaction) {
+   retval = semanage_remove_tmps(sh);
semanage_release_trans_lock(sh);
}
 
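Review bot: the `errno != ENOENT` test after each semanage_remove_directory() call in semanage_remove_tmps() assumes that function leaves errno as set by the failing syscall; if it can fail for a reason that does not set errno (or restores it on the way out), a real cleanup failure would be mistaken for "already gone" and silently return 0, so please confirm that contract or test for the directory's existence before calling it. The early `return 0` on commit_err is the intended keep-on-failure behaviour, but a one-line comment there saying the sandbox and tmp policy are deliberately left in place for debugging would spare the next reader a trip to semanage_direct_commit().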
@@ -375,7 +393,7 @@ static int semanage_direct_disconnect(semanage_handle_t * 
sh)
/* Release object databases: active kernel policy */
bool_activedb_dbase_release(semanage_bool_dbase_active(sh));
 
-   return 0;
+   return retval;
 }
 
 static int semanage_direct_begintrans(semanage_handle_t * sh)
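Review bot: semanage_direct_disconnect() can now return -1 (propagated from semanage_remove_tmps()) where it previously always returned 0, which changes the function's contract; the callers that consume that value are not in this patch, so please check that a failed tmp removal on disconnect is actually surfaced to the user rather than dropped, and that it cannot be mistaken for a failure of a transaction that already committed.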
@@ -1635,17 +1653,19 @@ cleanup:
free(mod_filenames);
sepol_policydb_free(out);
cil_db_destroy();
-   semanage_release_trans_lock(sh);
 
free(fc_buffer);
 
-   /* regardless if the commit was successful or not, remove the
-  sandbox if it is still there */
-   semanage_remove_directory(semanage_path
- (SEMANAGE_TMP, SEMANAGE_TOPLEVEL));
-   semanage_remove_directory(semanage_final_path
- (SEMANAGE_FINAL_TMP,
-  SEMANAGE_FINAL_TOPLEVEL));
+   /* Set commit_err so other functions can detect any errors. Note that
+* retval > 0 will be the commit number.
+*/
+   if (retval < 0)
+   sh->commit_err = retval;
+
+   if (semanage_remove_tmps(sh) != 0)
+   retval = -1;
+
+   semanage_release_trans_lock(sh);
umask(mask);
 
return retval;
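Review bot: at the end of the cleanup path a successful commit (retval > 0, the commit number per the new comment) is overwritten with -1 when semanage_remove_tmps() fails, so the caller is told the commit failed even though the policy was installed and the store updated. Consider logging the cleanup failure and still returning the commit number, or at least stating in the comment that a post-commit cleanup failure is reported as a commit failure so that callers (semodule -v, for instance) are not misled.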
diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
index 4ce1df03..a6567bd4 100644
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@@ -86,6 +86,8 @@ semanage_handle_t *semanage_handle_create(void)
 * If any changes are made, this flag is ignored */
sh->do_rebuild = 0;
 
+   sh->commit_err = 0;
+
/* By default always reload policy after commit if SELinux is enabled. 
*/
sh->do_reload = (is_selinux_enabled() > 0);
 
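Review bot: commit_err is initialised here at handle creation only, and semanage_direct_commit() only ever sets it to a negative value; since one handle can run several transactions, a single failed commit leaves commit_err set and semanage_remove_tmps() then skips cleanup for every later transaction on that handle, including successful ones. Resetting it in semanage_direct_begintrans() (or at the top of semanage_direct_commit()) would confine the keep-tmp behaviour to the transaction that actually failed.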
diff --git a/libsemanage/src/handle.h b/libsemanage/src/handle.h
index 1780ac81..a91907b0 100644
--- a/libsemanage/src/handle.h
+++ b/libsemanage/src/handle.h
@@ -62,6 +62,10 @@ struct semanage_handle {
int is_in_transaction;
int do_reload;  /* whether to reload policy after commit */
int do_rebuild; /* whether to rebuild policy if there were no 
changes */
+   int commit_err; /* set by semanage_direct_commit() if t

[PATCH V2] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-22 Thread Richard Haines
Allow the tmp build files to be kept for debugging when a policy
build fails.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
V2 Changes: 
Remove the retain-tmp flag and just keep tmp files on build errors.

 libsemanage/src/direct_api.c | 54 ++--
 libsemanage/src/handle.c |  2 ++
 libsemanage/src/handle.h |  1 +
 3 files changed, 40 insertions(+), 17 deletions(-)

diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index a455612f..3d1cf1fe 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -323,26 +323,44 @@ static void semanage_direct_destroy(semanage_handle_t * sh
/* do nothing */
 }
 
-static int semanage_direct_disconnect(semanage_handle_t * sh)
+static int semanage_remove_tmps(semanage_handle_t *sh)
 {
-   /* destroy transaction */
-   if (sh->is_in_transaction) {
-   /* destroy sandbox */
-   if (semanage_remove_directory
-   (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
+   if (sh->commit_err)
+   return 0;
+
+   /* destroy sandbox if it exists */
+   if (semanage_remove_directory
+   (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
+   if (errno != ENOENT) {
ERR(sh, "Could not cleanly remove sandbox %s.",
semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL));
return -1;
}
-   if (semanage_remove_directory
-   (semanage_final_path(SEMANAGE_FINAL_TMP,
-SEMANAGE_FINAL_TOPLEVEL)) < 0) {
+   }
+
+   /* destroy tmp policy if it exists */
+   if (semanage_remove_directory
+   (semanage_final_path(SEMANAGE_FINAL_TMP,
+SEMANAGE_FINAL_TOPLEVEL)) < 0) {
+   if (errno != ENOENT) {
ERR(sh, "Could not cleanly remove tmp %s.",
semanage_final_path(SEMANAGE_FINAL_TMP,
SEMANAGE_FINAL_TOPLEVEL));
return -1;
}
+   }
+
+   return 0;
+}
+
+static int semanage_direct_disconnect(semanage_handle_t *sh)
+{
+   int retval = 0;
+
+   /* destroy transaction and remove tmp files if no commit error */
+   if (sh->is_in_transaction) {
semanage_release_trans_lock(sh);
+   retval = semanage_remove_tmps(sh);
}
 
/* Release object databases: local modifications */
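Review bot: in semanage_direct_disconnect() the transaction lock is released (semanage_release_trans_lock(sh)) before semanage_remove_tmps(sh) deletes the sandbox and tmp policy, so another process can take the store lock and start a transaction while these directories are still being torn down. Swap the two calls so the removal runs under the lock and the lock is released afterwards, i.e. `retval = semanage_remove_tmps(sh);` followed by `semanage_release_trans_lock(sh);`.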
@@ -375,7 +393,7 @@ static int semanage_direct_disconnect(semanage_handle_t * 
sh)
/* Release object databases: active kernel policy */
bool_activedb_dbase_release(semanage_bool_dbase_active(sh));
 
-   return 0;
+   return retval;
 }
 
 static int semanage_direct_begintrans(semanage_handle_t * sh)
@@ -1639,13 +1657,15 @@ cleanup:
 
free(fc_buffer);
 
-   /* regardless if the commit was successful or not, remove the
-  sandbox if it is still there */
-   semanage_remove_directory(semanage_path
- (SEMANAGE_TMP, SEMANAGE_TOPLEVEL));
-   semanage_remove_directory(semanage_final_path
- (SEMANAGE_FINAL_TMP,
-  SEMANAGE_FINAL_TOPLEVEL));
+   /* Set commit_err so other functions can detect any errors. Note that
+* retval > 0 will be the commit number.
+*/
+   if (retval < 0)
+   sh->commit_err = retval;
+
+   if (semanage_remove_tmps(sh) != 0)
+   retval = -1;
+
umask(mask);
 
return retval;
diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
index 4ce1df03..a6567bd4 100644
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@@ -86,6 +86,8 @@ semanage_handle_t *semanage_handle_create(void)
 * If any changes are made, this flag is ignored */
sh->do_rebuild = 0;
 
+   sh->commit_err = 0;
+
/* By default always reload policy after commit if SELinux is enabled. 
*/
sh->do_reload = (is_selinux_enabled() > 0);
 
diff --git a/libsemanage/src/handle.h b/libsemanage/src/handle.h
index 1780ac81..65b15600 100644
--- a/libsemanage/src/handle.h
+++ b/libsemanage/src/handle.h
@@ -62,6 +62,7 @@ struct semanage_handle {
int is_in_transaction;
int do_reload;  /* whether to reload policy after commit */
int do_rebuild; /* whether to rebuild policy if there were no 
changes */
+   int commit_err; /* set by semanage_direct_commit() */
int modules_modified;
int create_store;   /* whether to create the store if it does not 
exist
 * this will only have an effect on direct 
connections */
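Review bot: the comment on the new commit_err field only says who sets it; since semanage_remove_tmps() uses it to decide whether to keep the tmp directories, the comment should state that it holds the negative return of a failed semanage_direct_commit() and that any non-zero value causes the sandbox and tmp policy to be retained for debugging, otherwise a reader of handle.h has no way to know what the field controls.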
-- 
2.14.3




[PATCH] libsemanage: Return commit number if save-previous false

2018-01-22 Thread Richard Haines
Stop overwriting the commit number for the default save-previous flag
setting (false) in semanage.conf.

Allows semodule -v -i  to show the correct commit number.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 libsemanage/src/semanage_store.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index 37ff5ace..936e6495 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -1740,9 +1740,9 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
 
if (!sh->conf->save_previous) {
int errsv = errno;
-   retval = semanage_remove_directory(backup);
-   if (retval < 0) {
+   if (semanage_remove_directory(backup) != 0) {
ERR(sh, "Could not delete previous directory %s.", 
backup);
+   retval = -1;
goto cleanup;
}
errno = errsv;
-- 
2.14.3




Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-20 Thread Richard Haines
On Fri, 2018-01-19 at 12:04 -0800, William Roberts wrote:
> Richard, are you going to respin this?

Yes - Next week

> 
> On Tue, Jan 16, 2018 at 9:35 AM, William Roberts
> <bill.c.robe...@gmail.com> wrote:
> > On Tue, Jan 16, 2018 at 8:00 AM, Stephen Smalley <s...@tycho.nsa.gov
> > > wrote:
> > > On Tue, 2018-01-16 at 07:47 -0800, William Roberts wrote:
> > > > On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley
> > > > <stephen.smal...@gmail.com> wrote:
> > > > > On Jan 14, 2018 10:36 AM, "Richard Haines" <richard_c_haines@btinternet.com> wrote:
> > > > > 
> > > > > Add new option to semanage.conf that allows the tmp build
> > > > > files
> > > > > to be kept for debugging when building policy.
> > > > > 
> > > > > 
> > > > > Would it be better to just retain the files by default if
> > > > > there is
> > > > > an error?
> > > > 
> > > > I thought about this as well, my reasoning as to why Richard's
> > > > approach was
> > > > better is that if someone does it N times trying to figure out
> > > > an
> > > > issue,
> > > > then there would be N piles of files in the tmp folder. This
> > > > way they
> > > > have to opt in to have their tmp folder spammed.
> > > 
> > > I believe that the tmp directories are deleted and re-created by
> > > libsemanage each time before use (otherwise we'd have a different
> > > problem with not removing them, since we could end up with a mix
> > > of
> > > files from different, incomplete transactions being intermingled
> > > there). So I don't think this would be a problem.  It might
> > > however
> > 
> > Oh I see it looks like it's just generating a /tmp "store" directory
> > under the semanage path. I thought that enum was triggering a true
> > /tmp style thing. I should have looked closer.
> > 
> > > require saving the commit success/failure result in the handle so
> > > that
> > > we know in semanage_direct_disconnect() whether or not we should
> > > delete
> > > it.
> > 
> > Now that I understand that tid-bit, I think you're right, let's
> > just
> > leave it on error.
> > 
> > > 
> > > If we truly need to make it optional, then I'd rather have it be
> > > an
> > > option flag to semodule and a runtime setting of libsemanage (ala
> > > reload, disable_dontaudit, etc) than a semanage.conf setting, as
> > > this
> > > is something a user will want to be able to use without having to
> > > edit
> > > a config file, re-run the transaction, and then re-edit the
> > > config file
> > > each time.  But I'm not convinced we can't just make it the
> > > default
> > > behavior whenever the commit fails.  Deleting the tmp files
> > > automatically only really makes sense when it succeeds.
> > 
> > 
> > 
> > > 
> > > > 
> > > > > 
> > > > > 
> > > > > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.co
> > > > > m>
> > > > > ---
> > > > >  libsemanage/man/man5/semanage.conf.5 |  8 
> > > > >  libsemanage/src/conf-parse.y | 15 ++-
> > > > >  libsemanage/src/conf-scan.l  |  1 +
> > > > >  libsemanage/src/direct_api.c | 21 
> > > > > -
> > > > >  libsemanage/src/semanage_conf.h  |  1 +
> > > > >  5 files changed, 36 insertions(+), 10 deletions(-)
> > > > > 
> > > > > diff --git a/libsemanage/man/man5/semanage.conf.5
> > > > > b/libsemanage/man/man5/semanage.conf.5
> > > > > index 8f8de55a..10cab65a 100644
> > > > > --- a/libsemanage/man/man5/semanage.conf.5
> > > > > +++ b/libsemanage/man/man5/semanage.conf.5
> > > > > @@ -121,6 +121,14 @@ and by default it is set to "false".
> > > > >  Please note that since this option deletes all HLL files, an
> > > > > updated HLL
> > > > > compiler will not be able to recompile the original HLL file
> > > > > into
> > > > > CIL.
> > > > >  In order to compile the original HLL file into CIL, the same
> > > >

[PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-14 Thread Richard Haines
Add new option to semanage.conf that allows the tmp build files
to be kept for debugging when building policy.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 libsemanage/man/man5/semanage.conf.5 |  8 
 libsemanage/src/conf-parse.y | 15 ++-
 libsemanage/src/conf-scan.l  |  1 +
 libsemanage/src/direct_api.c | 21 -
 libsemanage/src/semanage_conf.h  |  1 +
 5 files changed, 36 insertions(+), 10 deletions(-)

diff --git a/libsemanage/man/man5/semanage.conf.5 
b/libsemanage/man/man5/semanage.conf.5
index 8f8de55a..10cab65a 100644
--- a/libsemanage/man/man5/semanage.conf.5
+++ b/libsemanage/man/man5/semanage.conf.5
@@ -121,6 +121,14 @@ and by default it is set to "false".
 Please note that since this option deletes all HLL files, an updated HLL 
compiler will not be able to recompile the original HLL file into CIL.
 In order to compile the original HLL file into CIL, the same HLL file will 
need to be reinstalled.
 
+.TP
+.B retain-tmp
+When set to "true", tmp directories (the sandbox at 
\fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final policy at 
\fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after compilation 
to allow debugging of any build errors. Note that on a successful build the 
sandbox becomes \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR.
+.br
+The
+.B retain-tmp
+option can be set to either "true" or "false" and by default it is set to 
"false".
+
 .SH "SEE ALSO"
 .TP
 semanage(8)
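Review bot: the retain-tmp text says the directories are kept "to allow debugging of any build errors", but as implemented the option is not conditional on a failure, so they are also left behind after a successful build (where, as the note says, the sandbox has already become .../active). Say explicitly that retention applies regardless of the build result, so an administrator is not surprised by a leftover store-root/final/[policy-store] after a successful commit.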
diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
index b527e893..f098e55d 100644
--- a/libsemanage/src/conf-parse.y
+++ b/libsemanage/src/conf-parse.y
@@ -61,7 +61,7 @@ static int parse_errors;
 
 %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED 
TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
 %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START 
DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
-%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
+%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL RETAIN_TMP
 %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
 %token PROG_PATH PROG_ARGS
 %token  ARG
@@ -95,6 +95,7 @@ single_opt: module_store
|   bzip_blocksize
|   bzip_small
|   remove_hll
+   |   retain_tmp
 ;
 
 module_store:   MODULE_STORE '=' ARG {
@@ -268,6 +269,17 @@ remove_hll:  REMOVE_HLL'=' ARG {
free($3);
 }
 
+retain_tmp:  RETAIN_TMP'=' ARG {
+   if (strcasecmp($3, "false") == 0) {
+   current_conf->retain_tmp = 0;
+   } else if (strcasecmp($3, "true") == 0) {
+   current_conf->retain_tmp = 1;
+   } else {
+   yyerror("retain-tmp can only be 'true' or 'false'");
+   }
+   free($3);
+}
+
 command_block: 
 command_start external_opts BLOCK_END  {
 if (new_external->path == NULL) {
@@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
conf->bzip_small = 0;
conf->ignore_module_cache = 0;
conf->remove_hll = 0;
+   conf->retain_tmp = 0;
 
conf->save_previous = 0;
conf->save_linked = 0;
diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
index 607bbf0b..e26c3494 100644
--- a/libsemanage/src/conf-scan.l
+++ b/libsemanage/src/conf-scan.l
@@ -54,6 +54,7 @@ handle-unknownreturn HANDLE_UNKNOWN;
 bzip-blocksize return BZIP_BLOCKSIZE;
 bzip-small return BZIP_SMALL;
 remove-hll return REMOVE_HLL;
+retain-tmp return RETAIN_TMP;
 "[load_policy]"   return LOAD_POLICY_START;
 "[setfiles]"  return SETFILES_START;
 "[sefcontext_compile]"  return SEFCONTEXT_COMPILE_START;
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index a455612f..5d2a443c 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -326,7 +326,10 @@ static void semanage_direct_destroy(semanage_handle_t * sh
 static int semanage_direct_disconnect(semanage_handle_t * sh)
 {
/* destroy transaction */
-   if (sh->is_in_transaction) {
+   if (sh->is_in_transaction)
+   semanage_release_trans_lock(sh);
+
+   if (!sh->conf->retain_tmp && sh->is_in_transaction) {
/* destroy sandbox */
if (semanage_remove_directory
(semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
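Review bot: moving semanage_release_trans_lock() ahead of the sandbox removal means the directory is deleted after the store lock has been dropped, so a concurrent transaction can begin while the sandbox is still being torn down. The reorder does stop the existing early `return -1` paths from leaking the lock, which the original code did, but the safer shape is to keep the release after the removal and have the error paths fall through to it rather than returning immediately; gating only the removal on `!sh->conf->retain_tmp` then needs no second `is_in_transaction` test.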
@@ -342,7 +345,6 @@ static int semanage_direct_disconnect(semanage_handle_t * 
sh)
SEMANAGE_FINAL_TOPLEVEL));
return -1;
}
-   semanage_release_trans_lock(sh);
}
 
/* Release object databases: local mod

[PATCH V5 4/4] selinux: Add SCTP support

2018-01-11 Thread Richard Haines
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.rst

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
V5 Change: Rework selinux_netlbl_socket_connect() and
selinux_netlbl_socket_connect_locked as requested by Paul.

 Documentation/security/SELinux-sctp.rst | 157 ++
 security/selinux/hooks.c| 280 +---
 security/selinux/include/classmap.h |   2 +-
 security/selinux/include/netlabel.h |  21 ++-
 security/selinux/include/objsec.h   |   4 +
 security/selinux/netlabel.c | 133 +--
 6 files changed, 565 insertions(+), 32 deletions(-)
 create mode 100644 Documentation/security/SELinux-sctp.rst

diff --git a/Documentation/security/SELinux-sctp.rst 
b/Documentation/security/SELinux-sctp.rst
new file mode 100644
index 000..2f66bf3
--- /dev/null
+++ b/Documentation/security/SELinux-sctp.rst
@@ -0,0 +1,157 @@
+SCTP SELinux Support
+=
+
+Security Hooks
+===
+
+``Documentation/security/LSM-sctp.rst`` describes the following SCTP security
+hooks with the SELinux specifics expanded below::
+
+security_sctp_assoc_request()
+security_sctp_bind_connect()
+security_sctp_sk_clone()
+security_inet_conn_established()
+
+
+security_sctp_assoc_request()
+-
+Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
+security module. Returns 0 on success, error on failure.
+::
+
+@ep - pointer to sctp endpoint structure.
+@skb - pointer to skbuff of association packet.
+
+The security module performs the following operations:
+ IF this is the first association on ``@ep->base.sk``, then set the peer
+ sid to that in ``@skb``. This will ensure there is only one peer sid
+ assigned to ``@ep->base.sk`` that may support multiple associations.
+
+ ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid``
+ to determine whether the association should be allowed or denied.
+
+ Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with
+ MLS portion taken from ``@skb peer sid``. This will be used by SCTP
+ TCP style sockets and peeled off connections as they cause a new socket
+ to be generated.
+
+ If IP security options are configured (CIPSO/CALIPSO), then the ip
+ options are set on the socket.
+
+
+security_sctp_bind_connect()
+-
+Checks permissions required for ipv4/ipv6 addresses based on the ``@optname``
+as follows::
+
+  --
+  |   BIND Permission Checks   |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
+  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6 address   |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address   |
+  --
+
+  --
+  | CONNECT Permission Checks  |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_CONNECTX  | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_ADD_IP  | One or more ipv4 / ipv6 addresses |
+  | SCTP_SENDMSG_CONNECT   | Single ipv4 or ipv6 address   |
+  | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address   |
+  --
+
+
+``Documentation/security/LSM-sctp.rst`` gives a summary of the ``@optname``
+entries and also describes ASCONF chunk processing when Dynamic Address
+Reconfiguration is enabled.
+
+
+security_sctp_sk_clone()
+-
+Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
+socket) or when a socket is 'peeled off' e.g userspace calls
+**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
+sockets sid and peer sid to that contained in the ``@ep sid`` and
+``@ep peer sid`` respectively.
+::
+
+@ep - pointer to current sctp endpoint structure.
+@sk - pointer to current sock structure.
+@sk - pointer to new sock structure.
+
+
+security_inet_conn_established()
+-
+Called when a COOKIE ACK is received where it sets the connection's peer sid
+to that in ``@skb``::
+
+@sk  - pointer to sock structure.
+@skb - pointer to skbuff of the COOKIE ACK packet.
+
+
+Policy Statements
+==
+The following class and permissions to support SCTP are available within the
+kernel::
+
+class sctp_socket inherits socket { node_bind }
+
+whenever the following policy 
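Review bot: in the security_sctp_sk_clone() parameter list both sockets are documented as `@sk` ("pointer to current sock structure" and "pointer to new sock structure"), so the two descriptions cannot be told apart; the second entry should use the new socket's actual parameter name from the hook prototype. Also, security_sctp_bind_connect() is described in terms of `@optname` and `@address` but, unlike the other three hooks in this file, no parameter list is given for it; adding one keeps the four sections consistent.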

Re: [PATCH V4 4/4] selinux: Add SCTP support

2018-01-10 Thread Richard Haines
On Wed, 2018-01-10 at 11:37 -0500, Paul Moore wrote:
> On Sat, Dec 30, 2017 at 12:20 PM, Richard Haines
> <richard_c_hai...@btinternet.com> wrote:
> > The SELinux SCTP implementation is explained in:
> > Documentation/security/SELinux-sctp.rst
> > 
> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > ---
> >  Documentation/security/SELinux-sctp.rst | 157 ++
> >  security/selinux/hooks.c| 280
> > +---
> >  security/selinux/include/classmap.h |   2 +-
> >  security/selinux/include/netlabel.h |  21 ++-
> >  security/selinux/include/objsec.h   |   4 +
> >  security/selinux/netlabel.c | 138 ++--
> >  6 files changed, 570 insertions(+), 32 deletions(-)
> >  create mode 100644 Documentation/security/SELinux-sctp.rst
> 
> ...
> 
> > +/**
> > + * selinux_netlbl_socket_connect - Label a client-side socket on
> > connect
> > + * @sk: the socket to label
> > + * @addr: the destination address
> > + *
> > + * Description:
> > + * Attempt to label a connected socket with NetLabel using the
> > given address.
> > + * Returns zero values on success, negative values on failure.
> > + *
> > + */
> > +int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr
> > *addr)
> > +{
> > +   int rc;
> > +   struct sk_security_struct *sksec = sk->sk_security;
> > +
> > +   if (sksec->nlbl_state != NLBL_REQSKB &&
> > +   sksec->nlbl_state != NLBL_CONNLABELED)
> > +   return 0;
> > +
> > +   lock_sock(sk);
> > +   rc = selinux_netlbl_socket_connect_helper(sk, addr);
> > release_sock(sk);
> > +
> > return rc;
> >  }
> > +
> > +/**
> > + * selinux_netlbl_socket_connect_locked - Label a client-side
> > socket on
> > + * connect
> > + * @sk: the socket to label
> > + * @addr: the destination address
> > + *
> > + * Description:
> > + * Attempt to label a connected socket that already has the socket
> > locked
> > + * with NetLabel using the given address.
> > + * Returns zero values on success, negative values on failure.
> > + *
> > + */
> > +int selinux_netlbl_socket_connect_locked(struct sock *sk,
> > +struct sockaddr *addr)
> > +{
> > +   struct sk_security_struct *sksec = sk->sk_security;
> > +
> > +   if (sksec->nlbl_state != NLBL_REQSKB &&
> > +   sksec->nlbl_state != NLBL_CONNLABELED)
> > +   return 0;
> > +
> > +   return selinux_netlbl_socket_connect_helper(sk, addr);
> > +}
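Review bot: selinux_netlbl_socket_connect_locked() relies on the caller already holding the socket lock, but nothing in the function checks or annotates that, and the nlbl_state test is duplicated between it and selinux_netlbl_socket_connect(), which reads the same field before taking the lock. Having the unlocked variant call the locked one between lock_sock()/release_sock() removes the duplication, and a lockdep assertion (for example WARN_ON_ONCE(!lockdep_sock_is_held(sk))) in the locked variant would catch an unlocked caller early.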
> 
> [Sorry for the review delay, the holidays and some associated travel
> made it hard to find some quiet time to look at the latest patches.]
> 
> I probably should have been a bit more clear in my last comment, but
> what I had in mind was something like the following:
> 
> int selinux_netlbl_socket_connect_locked(...)
> {
> if (sksec->nlbl_state ...)
> return 0;
> 
> return selinux_netlbl_socket_connect_helper();
> }
> 
> int selinux_netlbl_socket_connect(...)
> {
> int rc;
> 
> lock_sock();
> rc = selinux_netlbl_socket_connect_locked();
> release_sock();
> 
> return rc;
> }
> 
> Yes, you do end up checking nlbl_state while the socket lock is held,
> but I believe the benefit of consolidating the code outweighs any
> additional overhead (I believe it would be "noise" anyway).

Okay I'll send an updated [PATCH V5 4/4] tomorrow.

> 
> Otherwise, this all looks good to me.
> 



[PATCH] libselinux: Correct manpages regarding removable_context

2018-01-10 Thread Richard Haines
The selabel_media(5) man page incorrectly stated that the
removable_context(5) would be read if an selabel_lookup(3)
failed. Correct the man pages, which fixes [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1395621

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 libselinux/man/man5/removable_context.5 | 5 ++---
 libselinux/man/man5/selabel_media.5 | 4 +---
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/libselinux/man/man5/removable_context.5 
b/libselinux/man/man5/removable_context.5
index 60aaa938..f16e8bdc 100644
--- a/libselinux/man/man5/removable_context.5
+++ b/libselinux/man/man5/removable_context.5
@@ -3,8 +3,7 @@
 removable_context \- The SELinux removable devices context configuration file
 .
 .SH "DESCRIPTION"
-This file contains the default label that should be used for removable devices 
that are not defined in the \fImedia\fR file (that is described in
-.BR selabel_media "(5)). "
+This file contains the default label that should be used for removable devices.
 .sp
 .BR selinux_removable_context_path "(3) "
 will return the active policy path to this file. The default removable context 
file is:
@@ -34,4 +33,4 @@ A user, role, type and optional range (for MCS/MLS) separated 
by colons (:) that
 system_u:object_r:removable_t:s0
 .
 .SH "SEE ALSO"
-.BR selinux "(8), " selinux_removable_context_path "(3), " selabel_media "(5), 
" selinux_config "(5) "
+.BR selinux "(8), " selinux_removable_context_path "(3), " selinux_config "(5) 
"
diff --git a/libselinux/man/man5/selabel_media.5 
b/libselinux/man/man5/selabel_media.5
index 395ed0e7..b7c28e32 100644
--- a/libselinux/man/man5/selabel_media.5
+++ b/libselinux/man/man5/selabel_media.5
@@ -52,8 +52,6 @@ The default media contexts file is:
 .RE
 .sp
 Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file 
\fIconfig\fR (see \fBselinux_config\fR(5)).
-.sp
-Should there not be a valid entry in the \fImedia\fR file, then the default 
\fIremovable_context\fR file will be read (see \fBremovable_context\fR(5)).
 .
 .SH "FILE FORMAT"
 Each line within the \fImedia\fR file is as follows:
@@ -90,4 +88,4 @@ this is not set, then it is possible for an invalid context 
to be returned.
 .SH "SEE ALSO"
 .ad l
 .nh
-.BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats 
"(3), " selabel_close "(3), " selinux_set_callback "(3), " 
selinux_media_context_path "(3), " freecon "(3), " selinux_config "(5), " 
removable_context "(5) "
+.BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats 
"(3), " selabel_close "(3), " selinux_set_callback "(3), " 
selinux_media_context_path "(3), " freecon "(3), " selinux_config "(5) "
-- 
2.14.3




Re: selabel_lookup() with MEDIA backend issue

2018-01-09 Thread Richard Haines
On Tue, 2018-01-09 at 10:11 -0500, Stephen Smalley wrote:
> On Mon, 2018-01-08 at 16:10 +0100, Vit Mojzis wrote:
> > Hi all,
> > there seems to be a discrepancy between man page and actual behavior
> > of selabel_lookup() with MEDIA backend.
> > selabel_media man page says:
> >  "Should there not be a valid entry in the media file, then the
> > default removable_context file will be read (see
> > removable_context(5))."
> > 
> > but the removable_context file is never used (for more details and a
> > reproducer see https://bugzilla.redhat.com/show_bug.cgi?id=1395621).
> > 
> > I can see two possible solutions:
> >1) Remove the removable_context file and adjust man pages
> > accordingly.
> > 
> >2) (Probably better) Add mechanism for using the removable_context
> > 
> > Which one would you prefer?
> > 
> > In case of the latter, would adding the content of removable_context
> > file to saved_data->spec_arr[nspec + 1] (label_media.c) and returning
> > it in case lookup fails be a reasonable solution?
> > 
> > Thank you.
> 
> It appears that selinux_removable_context_path() and the
> removable_context configuration were added by Dan Walsh in 2004 for use
> by an external caller.  The selabel_media backend wasn't introduced
> until 2007, and has never called selinux_removable_context_path()
> AFAICT.  The man page reference to removable_context in selabel_media.5
> was added by Richard Haines in 2011.  I think the man page is just
> wrong.  I don't know if there are any users of
> selinux_removable_context_path() still but we can't remove it without
> breaking ABI.
> 

As I screwed up the man page I'll fix it; however, would you prefer option
2, where it will check the removable_context file, as I'm happy to do
that instead.



[PATCH V4 4/4] selinux: Add SCTP support

2018-01-02 Thread Richard Haines
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.rst

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 Documentation/security/SELinux-sctp.rst | 157 ++
 security/selinux/hooks.c| 280 +---
 security/selinux/include/classmap.h |   2 +-
 security/selinux/include/netlabel.h |  21 ++-
 security/selinux/include/objsec.h   |   4 +
 security/selinux/netlabel.c | 138 ++--
 6 files changed, 570 insertions(+), 32 deletions(-)
 create mode 100644 Documentation/security/SELinux-sctp.rst

diff --git a/Documentation/security/SELinux-sctp.rst 
b/Documentation/security/SELinux-sctp.rst
new file mode 100644
index 000..2f66bf3
--- /dev/null
+++ b/Documentation/security/SELinux-sctp.rst
@@ -0,0 +1,157 @@
+SCTP SELinux Support
+=
+
+Security Hooks
+===
+
+``Documentation/security/LSM-sctp.rst`` describes the following SCTP security
+hooks with the SELinux specifics expanded below::
+
+security_sctp_assoc_request()
+security_sctp_bind_connect()
+security_sctp_sk_clone()
+security_inet_conn_established()
+
+
+security_sctp_assoc_request()
+-
+Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
+security module. Returns 0 on success, error on failure.
+::
+
+@ep - pointer to sctp endpoint structure.
+@skb - pointer to skbuff of association packet.
+
+The security module performs the following operations:
+ IF this is the first association on ``@ep->base.sk``, then set the peer
+ sid to that in ``@skb``. This will ensure there is only one peer sid
+ assigned to ``@ep->base.sk`` that may support multiple associations.
+
+ ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid``
+ to determine whether the association should be allowed or denied.
+
+ Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with
+ MLS portion taken from ``@skb peer sid``. This will be used by SCTP
+ TCP style sockets and peeled off connections as they cause a new socket
+ to be generated.
+
+ If IP security options are configured (CIPSO/CALIPSO), then the ip
+ options are set on the socket.
+
+
+security_sctp_bind_connect()
+-
+Checks permissions required for ipv4/ipv6 addresses based on the ``@optname``
+as follows::
+
+  --
+  |   BIND Permission Checks   |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
+  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6 address   |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address   |
+  --
+
+  --
+  | CONNECT Permission Checks  |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_CONNECTX  | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_ADD_IP  | One or more ipv4 / ipv6 addresses |
+  | SCTP_SENDMSG_CONNECT   | Single ipv4 or ipv6 address   |
+  | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address   |
+  --
+
+
+``Documentation/security/LSM-sctp.rst`` gives a summary of the ``@optname``
+entries and also describes ASCONF chunk processing when Dynamic Address
+Reconfiguration is enabled.
+
+
+security_sctp_sk_clone()
+-
+Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
+socket) or when a socket is 'peeled off' e.g userspace calls
+**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
+sockets sid and peer sid to that contained in the ``@ep sid`` and
+``@ep peer sid`` respectively.
+::
+
+@ep - pointer to current sctp endpoint structure.
+@sk - pointer to current sock structure.
+@sk - pointer to new sock structure.
+
+
+security_inet_conn_established()
+-
+Called when a COOKIE ACK is received where it sets the connection's peer sid
+to that in ``@skb``::
+
+@sk  - pointer to sock structure.
+@skb - pointer to skbuff of the COOKIE ACK packet.
+
+
+Policy Statements
+==
+The following class and permissions to support SCTP are available within the
+kernel::
+
+class sctp_socket inherits socket { node_bind }
+
+whenever the following policy capability is enabled::
+
+policycap extended_socket_class;
+
+SELinux SCTP support adds the ``name_connect`` perm
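Review bot: the parameter list under security_sctp_sk_clone() names two arguments `@sk` (`@sk - pointer to current sock structure.` and `@sk - pointer to new sock structure.`); the second should carry the new socket's own parameter name so the text matches the hook signature. In the security_sctp_assoc_request() description, the step `Set the sctp @ep sid to socket's sid ... with MLS portion taken from @skb peer sid` is indented like the ELSE branch, so it reads as applying only to later associations; say explicitly that it runs in both the first-association and the validated-association case. Minor wording in the sk_clone section: `sockets sid` should be `socket's sid`, and `e.g userspace` needs the full stop.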

[PATCH V4 1/4] security: Add support for SCTP security hooks

2018-01-02 Thread Richard Haines
The SCTP security hooks are explained in:
Documentation/security/LSM-sctp.rst

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 Documentation/security/LSM-sctp.rst | 175 
 include/linux/lsm_hooks.h   |  36 
 include/linux/security.h|  25 ++
 security/security.c |  22 +
 4 files changed, 258 insertions(+)
 create mode 100644 Documentation/security/LSM-sctp.rst

diff --git a/Documentation/security/LSM-sctp.rst 
b/Documentation/security/LSM-sctp.rst
new file mode 100644
index 000..6e5a392
--- /dev/null
+++ b/Documentation/security/LSM-sctp.rst
@@ -0,0 +1,175 @@
+SCTP LSM Support
+
+
+For security module support, three SCTP specific hooks have been implemented::
+
+security_sctp_assoc_request()
+security_sctp_bind_connect()
+security_sctp_sk_clone()
+
+Also the following security hook has been utilised::
+
+security_inet_conn_established()
+
+The usage of these hooks are described below with the SELinux implementation
+described in ``Documentation/security/SELinux-sctp.rst``
+
+
+security_sctp_assoc_request()
+-
+Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
+security module. Returns 0 on success, error on failure.
+::
+
+@ep - pointer to sctp endpoint structure.
+@skb - pointer to skbuff of association packet.
+
+
+security_sctp_bind_connect()
+-
+Passes one or more ipv4/ipv6 addresses to the security module for validation
+based on the ``@optname`` that will result in either a bind or connect
+service as shown in the permission check tables below.
+Returns 0 on success, error on failure.
+::
+
+@sk  - Pointer to sock structure.
+@optname - Name of the option to validate.
+@address - One or more ipv4 / ipv6 addresses.
+@addrlen - The total length of address(s). This is calculated on each
+   ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
+   sizeof(struct sockaddr_in6).
+
+  --
+  | BIND Type Checks   |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
+  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6 address   |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address   |
+  --
+
+  --
+  |   CONNECT Type Checks  |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_CONNECTX  | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_ADD_IP  | One or more ipv4 / ipv6 addresses |
+  | SCTP_SENDMSG_CONNECT   | Single ipv4 or ipv6 address   |
+  | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address   |
+  --
+
+A summary of the ``@optname`` entries is as follows::
+
+SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
+ associated after (optionally) calling
+ bind(3).
+ sctp_bindx(3) adds a set of bind
+ addresses on a socket.
+
+SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
+addresses for reaching a peer
+(multi-homed).
+sctp_connectx(3) initiates a connection
+on an SCTP socket using multiple
+destination addresses.
+
+SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
+sendmsg(2) or sctp_sendmsg(3) on a new asociation.
+
+SCTP_PRIMARY_ADDR - Set local primary address.
+
+SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
+ association primary.
+
+SCTP_PARAM_ADD_IP  - These are used when Dynamic Address
+SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below.
+
+
+To support Dynamic Address Reconfiguration the following parameters must be
+enabled on both endpoints (or use the appropriate **setsockopt**\(2))::
+
+/proc/sys/net/sctp/addip_enable
+/proc/sys/net/sctp/addip_noauth_enable
+
+then the following *_PARAM_*'s are sent to the peer in an
+ASCONF chunk when the corresponding ``@optname``'s are present::
+
+  @optname  ASCONF Parameter
+ ----
+SCTP_SOCKOPT_
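Review bot: `@addrlen - The total length of address(s). This is calculated on each ipv4 or ipv6 address using sizeof(...)` does not say that one SCTP_SOCKOPT_BINDX_ADD or SCTP_SOCKOPT_CONNECTX call may carry a mix of IPv4 and IPv6 entries, so a security module walking `@address` must advance by the per-entry `sa_family` size rather than dividing `@addrlen` by a fixed size; please state that in the parameter description, since it is exactly where an LSM would get the parsing wrong. Also `asociation` under SCTP_SENDMSG_CONNECT, and `The usage of these hooks are described` should read `is described`.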

[PATCH V4 2/4] sctp: Add ip option support

2018-01-02 Thread Richard Haines
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 include/net/sctp/sctp.h|  4 +++-
 include/net/sctp/structs.h |  2 ++
 net/sctp/chunk.c   | 13 -
 net/sctp/ipv6.c| 42 +++---
 net/sctp/output.c  |  5 -
 net/sctp/protocol.c| 36 
 net/sctp/socket.c  |  9 +++--
 7 files changed, 95 insertions(+), 16 deletions(-)

diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index d7d8cba..1b2f40a 100644
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -436,9 +436,11 @@ static inline int sctp_list_single_entry(struct list_head 
*head)
 static inline int sctp_frag_point(const struct sctp_association *asoc, int 
pmtu)
 {
struct sctp_sock *sp = sctp_sk(asoc->base.sk);
+   struct sctp_af *af = sp->pf->af;
int frag = pmtu;
 
-   frag -= sp->pf->af->net_header_len;
+   frag -= af->ip_options_len(asoc->base.sk);
+   frag -= af->net_header_len;
frag -= sizeof(struct sctphdr) + sizeof(struct sctp_data_chunk);
 
if (asoc->user_frag)
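Review bot: `af->ip_options_len(asoc->base.sk)` is called unconditionally here, so every `struct sctp_af` instance must populate the new callback; the IPv6 implementation is visible later in this patch and protocol.c is in the diffstat, but a comment on the field (or a NULL check at the call site) would stop a future address family that omits it from oopsing in the fragmentation path. Subtracting the options length before `net_header_len` is fine, the two simply sum.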
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 0477945..9942ed5 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -461,6 +461,7 @@ struct sctp_af {
void(*ecn_capable)(struct sock *sk);
__u16   net_header_len;
int sockaddr_len;
+   int (*ip_options_len)(struct sock *sk);
sa_family_t sa_family;
struct list_head list;
 };
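Review bot: the new `ip_options_len` member has no comment; its callers in sctp_frag_point() and sctp_datamsg_from_user() subtract the result from the path MTU, so a short note that it must return the on-the-wire length of the IP options currently set on `sk` (not an upper bound) would prevent an implementation that over- or under-reports and either wastes MTU or produces oversized packets once a CIPSO/CALIPSO label is attached.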
@@ -485,6 +486,7 @@ struct sctp_pf {
int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr);
void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
+   void (*copy_ip_options)(struct sock *sk, struct sock *newsk);
struct sctp_af *af;
 };
 
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index 3afac27..9d130f4 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -153,7 +153,6 @@ static void sctp_datamsg_assign(struct sctp_datamsg *msg, 
struct sctp_chunk *chu
chunk->msg = msg;
 }
 
-
 /* A data chunk can have a maximum payload of (2^16 - 20).  Break
  * down any such message into smaller chunks.  Opportunistically, fragment
  * the chunks down to the current MTU constraints.  We may get refragmented
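Review bot: this hunk only removes a blank line after sctp_datamsg_assign() and is unrelated to IP option support; drop it (and the matching whitespace-only hunk before the SACK bundling comment further down) so the patch stays a purely functional change.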
@@ -170,6 +169,8 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
struct list_head *pos, *temp;
struct sctp_chunk *chunk;
struct sctp_datamsg *msg;
+   struct sctp_sock *sp;
+   struct sctp_af *af;
int err;
 
msg = sctp_datamsg_new(GFP_KERNEL);
@@ -188,9 +189,12 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
/* This is the biggest possible DATA chunk that can fit into
 * the packet
 */
-   max_data = asoc->pathmtu -
-  sctp_sk(asoc->base.sk)->pf->af->net_header_len -
-  sizeof(struct sctphdr) - sizeof(struct sctp_data_chunk);
+   sp = sctp_sk(asoc->base.sk);
+   af = sp->pf->af;
+   max_data = asoc->pathmtu - af->net_header_len -
+  sizeof(struct sctphdr) - sizeof(struct sctp_data_chunk) -
+  af->ip_options_len(asoc->base.sk);
+
max_data = SCTP_TRUNC4(max_data);
 
/* If the the peer requested that we authenticate DATA chunks
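Review bot: `max_data` now has the IP options length subtracted as well, but nothing here guards against the result reaching zero or going negative for a small `asoc->pathmtu` combined with a large CIPSO/CALIPSO option; the cover letter specifically mentions testing large option fields, so either clamp `max_data` to a sane minimum before `SCTP_TRUNC4()` or explain why pathmtu can never be that small. The added `+` blank line before `max_data = SCTP_TRUNC4(max_data);` is stray whitespace.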
@@ -210,7 +214,6 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
 
/* Set first_len and then account for possible bundles on first frag */
first_len = max_data;
-
/* Check to see if we have a pending SACK and try to let it be bundled
 * with this message.  Do this if we don't have any data queued already.
 * To check that, look at out_qlen and retransmit list.
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 3b18085..b06dc81 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -423,6 +423,38 @@ static void sctp_v6_copy_addrlist(struct list_head 
*addrlist,
rcu_read_unlock();
 }
 
+/* Copy over any ip options */
+static void sctp_v6_copy_ip_options(struct sock *sk, struct sock *newsk)
+{
+   struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
+   struct ipv6_txoptions *opt;
+
+   newnp = inet6_sk(newsk);
+
+   rcu_read_lock();
+   opt = rcu_dereference(np->opt);
+   if (opt)
+   opt = ipv6_dup_options(newsk, opt);
+   RCU_INIT_POINTER(newnp->opt, opt);
+   rcu_read_unlock();
+}
+
+/* Account for the IP options */
+static int sctp_v6_ip_options_len(struct sock *sk)
+{
+   struct ipv6_pinfo *np = inet6_sk(sk);
+   struct ipv6_txoptions *opt;
+   
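Review bot: in sctp_v6_copy_ip_options(), `ipv6_dup_options()` returns NULL when allocation fails and the code then does `RCU_INIT_POINTER(newnp->opt, opt)` with that NULL, so the child socket silently ends up without the parent's options; when those options carry a CALIPSO label this means the new socket sends unlabeled traffic instead of failing. Consider returning an error from the callback so the caller can refuse the clone rather than degrade the label.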

[PATCH V4 0/4] Add SELinux SCTP protocol support

2018-01-02 Thread Richard Haines
Note: Some conflicts are expected when merging with current net-next due to
Interleaving Data (I-DATA) sets of patches:
PATCH 2/4 - Where 'sctp_datachk_len(>stream)' has replaced
'sizeof(struct sctp_data_chunk)' in include/net/sctp/sctp.h, 
net/sctp/chunk.c and net/sctp/socket.c 
PATCH 3/4 - Where include/uapi/linux/sctp.h requires a fix to update the
#define SCTP_SENDMSG_CONNECT to a higher number.

These patches have been built on Fedora 27 with kernel 4.14.8 plus
the following userspace patches to enable testing:

1) Updates to libsepol 2.7 to support the sctp portcon statement.
   The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 selinux-Add-support-for-the-SCTP-portcon-keyword.patch

2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
   selinux-testsuite/README.sctp for details. The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 selinux-testsuite-Add-SCTP-test-support.patch

3) Updates to lksctp-tools that show SELinux info in sctp_darn and
   sctp_test. It also contains a minor patch for test_1_to_1_connect.c
   as when CIPSO/CALIPSO configured, NetLabel returns a different error
   code for illegal addresses in test 5. The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch

All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.

All SCTP regression tests "./sctp-tests run" run correctly in enforcing
mode. These tests are obtained from: https://github.com/sctp/sctp-tests

The selinux-testsuite patch also adds remote tests (that need some manual
configuration). These are useful for testing CIPSO/CALIPSO over a network
with a number of categories to produce large ip option fields with various
message sizes forcing fragmentation, etc.

Changes since RFC Patch:
Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support)
as re-engineered. However this patchset will require the NetLabel
patch at [1] to fully run the SCTP selinux-testsuite.

V1 Changes:
PATCH 1/4
Remove unused parameter from security_sctp_assoc_request().
Reformat and update LSM-sctp.rst documentation.
PATCH 2/4
Add variables and RCU locks as requested in [2] to support IP options.
PATCH 3/4
Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init()
and sctp_sf_do_5_2_4_dupcook().
Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as
no longer required.
PATCH 4/4
Reformat and update SELinux-sctp.rst documentation.
Remove bindx and connectx permissions.
Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to
utilise helpers for code reuse.
Add spinlock to selinux_sctp_assoc_request().
Remove unused parameter from security_sctp_assoc_request().
Use address->sa_family == AF_INET in *_bind and *_connect to ensure
correct address type.
Minor cleanups.

V2 Changes:
PATCH 4/4 - Remove spin lock from selinux_sctp_assoc_request()
PATCH 4/4 - Fix selinux_sctp_sk_clone() kbuild test robot catch [3]

V3 Changes:
PATCH 2/4 - Account for IP options length in sctp.h sctp_frag_point() by
Marcelo

V4 Changes:
PATCH 1/4 - Move specific SELinux descriptions from LSM-sctp.rst and
lsm_hooks.h to SELinux-sctp.rst in PATCH 4/4
PATCH 4/4 - Rename selinux_netlbl_sctp_socket_connect() to
selinux_netlbl_socket_connect_locked() and move description comments to
selinux_sctp_bind_connect()

[1] https://marc.info/?l=selinux=151061619115945=2
[2] https://marc.info/?l=selinux=150962470215797=2
[3] https://marc.info/?l=selinux=151198281817779=2


Richard Haines (4):
  security: Add support for SCTP security hooks
  sctp: Add ip option support
  sctp: Add LSM hooks
  selinux: Add SCTP support

 Documentation/security/LSM-sctp.rst | 175 
 Documentation/security/SELinux-sctp.rst | 157 ++
 include/linux/lsm_hooks.h   |  36 
 include/linux/security.h|  25 +++
 include/net/sctp/sctp.h |   4 +-
 include/net/sctp/structs.h  |  12 ++
 include/uapi/linux/sctp.h   |   1 +
 net/sctp/chunk.c|  13 +-
 net/sctp/ipv6.c |  42 -
 net/sctp/output.c   |   5 +-
 net/sctp/protocol.c |  36 
 net/sctp/sm_make_chunk.c|  12 ++
 net/sctp/sm_statefuns.c |  18 ++
 net/sctp/socket.c   |  70 +++-
 security/security.c |  22 +++
 security/selinux/hooks.c| 280 +---
 security/selinux/include/classmap.h |   2 +-
 security/selinux/include/netlabel.h |  21 ++-
 security/selinux/include/objsec.h   |   4 +
 security/selinux/netlabel.c | 138 ++--
 20 files changed, 1024 insertions(+), 49 deletions(-)
 create mode 100644 Documentat

Re: [PATCH v3 1/4] security: Add support for SCTP security hooks

2018-01-02 Thread Richard Haines
On Fri, 2017-12-22 at 15:45 -0200, Marcelo Ricardo Leitner wrote:
> On Fri, Dec 22, 2017 at 09:20:45AM -0800, Casey Schaufler wrote:
> > On 12/22/2017 5:05 AM, Marcelo Ricardo Leitner wrote:
> > > From: Richard Haines <richard_c_hai...@btinternet.com>
> > > 
> > > The SCTP security hooks are explained in:
> > > Documentation/security/LSM-sctp.rst
> 
> Thanks Casey for your comments. However, I'm not that acquainted with
> these areas of code and I cannot work on them. I'll just wait for
> Richard then.

I'm back online and will post a V4 set of patches within a week. These
will address Paul's comments as per [1] and Casey's regarding the
documentation.
Sorry for the delay.


[1] https://marc.info/?l=selinux=151274018809822=2

> 
>   Marcelo
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" 
> in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



[PATCH V4 3/4] sctp: Add LSM hooks

2018-01-02 Thread Richard Haines
Add security hooks to allow security modules to exercise access control
over SCTP.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 include/net/sctp/structs.h | 10 
 include/uapi/linux/sctp.h  |  1 +
 net/sctp/sm_make_chunk.c   | 12 +
 net/sctp/sm_statefuns.c| 18 ++
 net/sctp/socket.c  | 61 +-
 5 files changed, 101 insertions(+), 1 deletion(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 9942ed5..2ca0a3f 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -1271,6 +1271,16 @@ struct sctp_endpoint {
  reconf_enable:1;
 
__u8  strreset_enable;
+
+   /* Security identifiers from incoming (INIT). These are set by
+* security_sctp_assoc_request(). These will only be used by
+* SCTP TCP type sockets and peeled off connections as they
+* cause a new socket to be generated. security_sctp_sk_clone()
+* will then plug these into the new socket.
+*/
+
+   u32 secid;
+   u32 peer_secid;
 };
 
 /* Recover the outter endpoint structure. */
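Review bot: the blank `+` line between the explanatory comment and `u32 secid;` detaches the comment from the fields it describes; remove it so the comment sits directly above `secid`/`peer_secid`. The comment should also say how `ep->peer_secid` relates to the socket peer sid that SELinux-sctp.rst says is fixed by the first association, i.e. which of the two the `association` check compares against.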
diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
index cfe9712..cafac36 100644
--- a/include/uapi/linux/sctp.h
+++ b/include/uapi/linux/sctp.h
@@ -123,6 +123,7 @@ typedef __s32 sctp_assoc_t;
 #define SCTP_RESET_ASSOC   120
 #define SCTP_ADD_STREAMS   121
 #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
+#define SCTP_SENDMSG_CONNECT   123
 
 /* PR-SCTP policies */
 #define SCTP_PR_SCTP_NONE  0x
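Review bot: `SCTP_SENDMSG_CONNECT 123` is placed in the uapi header next to real socket options, but it exists only as an `@optname` tag passed to security_sctp_bind_connect(); exposing it to userspace invites setsockopt() calls with that value which the kernel must then reject, and the cover letter already notes the number collides with net-next. Either define it in a kernel-internal header or add a comment making clear it is not a settable option and reserve the value formally.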
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 514465b..269fd3d 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3054,6 +3054,12 @@ static __be16 sctp_process_asconf_param(struct 
sctp_association *asoc,
if (af->is_any())
memcpy(, >source, sizeof(addr));
 
+   if (security_sctp_bind_connect(asoc->ep->base.sk,
+  SCTP_PARAM_ADD_IP,
+  (struct sockaddr *),
+  af->sockaddr_len))
+   return SCTP_ERROR_REQ_REFUSED;
+
/* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
 * request and does not have the local resources to add this
 * new address to the association, it MUST return an Error
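Review bot: the LSM check for SCTP_PARAM_ADD_IP runs before the ADDIP 4.3 D9 resource check, so a policy denial is reported to the peer as SCTP_ERROR_REQ_REFUSED; that is a reasonable choice (it does not disclose a local-resource reason), but the ordering and the error code deserve a short comment here, since a reader of the ASCONF path would not expect an access-control decision at this point.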
@@ -3120,6 +3126,12 @@ static __be16 sctp_process_asconf_param(struct 
sctp_association *asoc,
if (af->is_any())
memcpy(, sctp_source(asconf), sizeof(addr));
 
+   if (security_sctp_bind_connect(asoc->ep->base.sk,
+  SCTP_PARAM_SET_PRIMARY,
+  (struct sockaddr *),
+  af->sockaddr_len))
+   return SCTP_ERROR_REQ_REFUSED;
+
peer = sctp_assoc_lookup_paddr(asoc, );
if (!peer)
return SCTP_ERROR_DNS_FAILED;
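Review bot: here the SCTP_PARAM_SET_PRIMARY check happens before `sctp_assoc_lookup_paddr()`, so the security module is asked to authorise an address that may not belong to the association at all, and when policy denies it the peer gets REQ_REFUSED instead of the DNS_FAILED an unknown address used to produce. Doing the lookup first and calling security_sctp_bind_connect() only for a known peer address keeps the LSM from seeing arbitrary peer-supplied addresses and preserves the existing error code for unknown ones.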
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 8f8ccde..a2dfc5a 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -318,6 +318,11 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
struct sctp_packet *packet;
int len;
 
+   /* Update socket peer label if first association. */
+   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+   chunk->skb))
+   return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
 * An endpoint MUST NOT bundle INIT, INIT ACK or
 * SHUTDOWN COMPLETE with any other chunks.
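Review bot: `(struct sctp_endpoint *)ep` casts away the `const` on `ep` to satisfy security_sctp_assoc_request(); since the hook does write the endpoint (SELinux-sctp.rst says it sets the `@ep` sid and peer sid), the honest fix is to change the hook's prototype or the state function's parameter rather than hide the write behind a cast. Returning sctp_sf_pdiscard() on denial silently drops the INIT, which is the conservative choice; a one-line comment that no ABORT is sent on purpose would help.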
@@ -905,6 +910,9 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
 */
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 
+   /* Set peer label for connection. */
+   security_inet_conn_established(ep->base.sk, chunk->skb);
+
/* RFC 2960 5.1 Normal Establishment of an Association
 *
 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
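Review bot: security_inet_conn_established() is called here on COOKIE ACK, i.e. on the initiating side only; the comment `Set peer label for connection.` should say so, since the responding side gets its peer label from security_sctp_assoc_request() on INIT and a reader otherwise looks for a missing symmetric call.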
@@ -1433,6 +1441,11 @@ static enum sctp_disposition sctp_sf_do_unexpected_init(
struct sctp_packet *packet;
int len;
 
+   /* Update socket peer label if first association. */
+   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+   chunk->skb))
+   return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
 * An endpoint MUST NOT bundle INIT, INIT ACK or
 * SHUTDOWN COMPLETE with any other chunks.
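Review bot: this block is identical to the one added in sctp_sf_do_5_1B_init() (same cast, same pdiscard), and the cover letter says the hook is also added to sctp_sf_do_5_2_4_dupcook(), so three copies of the same call and comment are going in; factor it into a small static helper in sm_statefuns.c so the `const` handling and the discard policy can be changed in one place.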
@@ -2103,6 +2116,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
}
}
 
+   /* Update socket peer label if first 

[PATCH V2] selinux: Add SCTP support

2017-12-06 Thread Richard Haines
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.rst

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
V2 Changes
Remove lock from selinux_sctp_assoc_request()
Fix selinux_sctp_sk_clone() kbuild test robot catch [1]

[1] https://marc.info/?l=selinux=151198281817779=2

 Documentation/security/SELinux-sctp.rst | 104 
 security/selinux/hooks.c| 270 +---
 security/selinux/include/classmap.h |   2 +-
 security/selinux/include/netlabel.h |  20 ++-
 security/selinux/include/objsec.h   |   4 +
 security/selinux/netlabel.c | 144 +++--
 6 files changed, 512 insertions(+), 32 deletions(-)
 create mode 100644 Documentation/security/SELinux-sctp.rst

diff --git a/Documentation/security/SELinux-sctp.rst 
b/Documentation/security/SELinux-sctp.rst
new file mode 100644
index 000..f6a9162
--- /dev/null
+++ b/Documentation/security/SELinux-sctp.rst
@@ -0,0 +1,104 @@
+SCTP SELinux Support
+=
+
+Security Hooks
+===
+
+The ``Documentation/security/LSM-sctp.rst`` document describes how the
+following sctp security hooks are utilised::
+
+security_sctp_assoc_request()
+security_sctp_bind_connect()
+security_sctp_sk_clone()
+security_inet_conn_established()
+
+
+Policy Statements
+==
+The following class and permissions to support SCTP are available within the
+kernel::
+
+class sctp_socket inherits socket { node_bind }
+
+whenever the following policy capability is enabled::
+
+policycap extended_socket_class;
+
+SELinux SCTP support adds the ``name_connect`` permission for connecting
+to a specific port type and the ``association`` permission that is explained
+in the section below.
+
+If userspace tools have been updated, SCTP will support the ``portcon``
+statement as shown in the following example::
+
+portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0
+
+
+SCTP Bind, Connect and ASCONF Chunk Parameter Permission Checks
+
+The hook ``security_sctp_bind_connect()`` is called by SCTP to check
+permissions required for ipv4/ipv6 addresses based on the ``@optname`` as
+follows::
+
+  --
+  |   BIND Permission Checks   |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
+  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6 address   |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address   |
+  --
+
+  --
+  | CONNECT Permission Checks  |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_CONNECTX  | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_ADD_IP  | One or more ipv4 / ipv6 addresses |
+  | SCTP_SENDMSG_CONNECT   | Single ipv4 or ipv6 address   |
+  | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address   |
+  --
+
+
+SCTP Peer Labeling
+===
+An SCTP socket will only have one peer label assigned to it. This will be
+assigned during the establishment of the first association. Once the peer
+label has been assigned, any new associations will have the ``association``
+permission validated by checking the socket peer sid against the received
+packets peer sid to determine whether the association should be allowed or
+denied.
+
+NOTES:
+   1) If peer labeling is not enabled, then the peer context will always be
+  ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).
+
+   2) As SCTP can support more than one transport address per endpoint
+  (multi-homing) on a single socket, it is possible to configure policy
+  and NetLabel to provide different peer labels for each of these. As the
+  socket peer label is determined by the first associations transport
+  address, it is recommended that all peer labels are consistent.
+
+   3) **getpeercon**\(3) may be used by userspace to retrieve the sockets peer
+  context.
+
+   4) While not SCTP specific, be aware when using NetLabel that if a label
+  is assigned to a specific interface, and that interface 'goes down',
+  then the NetLabel service will remove the entry. Therefore ensure that
+  the network startup scripts call **netlabelctl**\(8) to set the required
+  label (see **netlabel-config**\(8) helper script for details).
+
+   5) The NetLabel SCTP peer labeling rules apply as dis
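Review bot: NOTES item 2 says that with multi-homing different transport addresses may map to different NetLabel peer labels and only recommends consistency; the document should state the consequence when they are not consistent, i.e. that once the socket peer label has been fixed by the first association, a later association whose packets carry a different peer sid is subject to the `association` check between the socket peer label and that sid and is denied unless policy allows it. That is the behaviour the section above describes and it is the detail an administrator configuring per-interface labels needs. Typos: `first associations transport address` should be `first association's`, `sockets peer context` should be `socket's`.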

Re: [PATCH 4/4] selinux: Add SCTP support

2017-12-05 Thread Richard Haines
On Tue, 2017-11-28 at 14:59 -0500, Stephen Smalley wrote:
> On Tue, 2017-11-28 at 14:39 -0500, Stephen Smalley wrote:
> > On Mon, 2017-11-27 at 19:32 +, Richard Haines wrote:
> > > The SELinux SCTP implementation is explained in:
> > > Documentation/security/SELinux-sctp.rst
> > > 
> > > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > > ---
> > >  Documentation/security/SELinux-sctp.rst | 104 
> > >  security/selinux/hooks.c| 278
> > > +---
> > >  security/selinux/include/classmap.h |   2 +-
> > >  security/selinux/include/netlabel.h |  15 +-
> > >  security/selinux/include/objsec.h   |   4 +
> > >  security/selinux/netlabel.c | 128 +--
> > >  6 files changed, 499 insertions(+), 32 deletions(-)
> > >  create mode 100644 Documentation/security/SELinux-sctp.rst
> > > 
> > > diff --git a/Documentation/security/SELinux-sctp.rst
> > > b/Documentation/security/SELinux-sctp.rst
> > > new file mode 100644
> > > index 000..f6a9162
> > > --- /dev/null
> > > +++ b/Documentation/security/SELinux-sctp.rst
> > > @@ -0,0 +1,104 @@
> > > +SCTP SELinux Support
> > > +=
> > > +
> > > +Security Hooks
> > > +===
> > > +
> > > +The ``Documentation/security/LSM-sctp.rst`` document describes
> > > how
> > > the
> > > +following sctp security hooks are utilised::
> > > +
> > > +security_sctp_assoc_request()
> > > +security_sctp_bind_connect()
> > > +security_sctp_sk_clone()
> > > +security_inet_conn_established()
> > > +
> > > +
> > > +Policy Statements
> > > +==
> > > +The following class and permissions to support SCTP are
> > > available
> > > within the
> > > +kernel::
> > > +
> > > +class sctp_socket inherits socket { node_bind }
> > > +
> > > +whenever the following policy capability is enabled::
> > > +
> > > +policycap extended_socket_class;
> > > +
> > > +SELinux SCTP support adds the ``name_connect`` permission for
> > > connecting
> > > +to a specific port type and the ``association`` permission that
> > > is
> > > explained
> > > +in the section below.
> > > +
> > > +If userspace tools have been updated, SCTP will support the
> > > ``portcon``
> > > +statement as shown in the following example::
> > > +
> > > +portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0
> > > +
> > > +
> > > +SCTP Bind, Connect and ASCONF Chunk Parameter Permission Checks
> > > +
> > > +The hook ``security_sctp_bind_connect()`` is called by SCTP to
> > > check
> > > +permissions required for ipv4/ipv6 addresses based on the ``@opt
> > > na
> > > me
> > > `` as
> > > +follows::
> > > +
> > > +  --
> > > 
> > > +  |   BIND Permission
> > > Checks   |
> > > +  |   @optname | @address
> > > contains |
> > > +  ||
> > > ---|
> > > +  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6
> > > addresses
> > > > 
> > > 
> > > +  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6
> > > address   |
> > > +  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6
> > > address   |
> > > +  --
> > > 
> > > +
> > > +  --
> > > 
> > > +  | CONNECT Permission
> > > Checks  |
> > > +  |   @optname | @address
> > > contains |
> > > +  ||
> > > ---|
> > > +  | SCTP_SOCKOPT_CONNECTX  | One or more ipv4 / ipv6
> > > addresses
> > > > 
> > > 
> > > +  | SCTP_PARAM_ADD_IP  | One or more ipv4 / ipv6
> > > addresses
> > > > 
> > > 
> > &g

[PATCH 1/4] security: Add support for SCTP security hooks

2017-11-28 Thread Richard Haines
The SCTP security hooks are explained in:
Documentation/security/LSM-sctp.rst

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 Documentation/security/LSM-sctp.rst | 194 
 include/linux/lsm_hooks.h   |  35 +++
 include/linux/security.h|  25 +
 security/security.c |  22 
 4 files changed, 276 insertions(+)
 create mode 100644 Documentation/security/LSM-sctp.rst

diff --git a/Documentation/security/LSM-sctp.rst 
b/Documentation/security/LSM-sctp.rst
new file mode 100644
index 000..6137367
--- /dev/null
+++ b/Documentation/security/LSM-sctp.rst
@@ -0,0 +1,194 @@
+SCTP LSM Support
+
+
+For security module support, three sctp specific hooks have been implemented::
+
+security_sctp_assoc_request()
+security_sctp_bind_connect()
+security_sctp_sk_clone()
+
+Also the following security hook has been utilised::
+
+security_inet_conn_established()
+
+The usage of these hooks are described below with the SELinux implementation
+described in ``Documentation/security/SELinux-sctp.rst``
+
+
+security_sctp_assoc_request()
+-
+This new hook passes the ``@ep`` and ``@chunk->skb`` (the association INIT
+packet) to the security module. Returns 0 on success, error on failure.
+::
+
+@ep - pointer to sctp endpoint structure.
+@skb - pointer to skbuff of association packet.
+
+The security module performs the following operations:
+ IF this is the first association on ``@ep->base.sk``, then set the peer
+ sid to that in ``@skb``. This will ensure there is only one peer sid
+ assigned to ``@ep->base.sk`` that may support multiple associations.
+
+ ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid``
+ to determine whether the association should be allowed or denied.
+
+ Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with
+ MLS portion taken from ``@skb peer sid``. This will be used by SCTP
+ TCP style sockets and peeled off connections as they cause a new socket
+ to be generated.
+
+ If IP security options are configured (CIPSO/CALIPSO), then the ip
+ options are set on the socket.
+
+
+security_sctp_bind_connect()
+-
+This new hook passes one or more ipv4/ipv6 addresses to the security module
+for validation based on the ``@optname`` that will result in either a bind or
+connect service as shown in the permission check tables below.
+Returns 0 on success, error on failure.
+::
+
+@sk  - Pointer to sock structure.
+@optname - Name of the option to validate.
+@address - One or more ipv4 / ipv6 addresses.
+@addrlen - The total length of address(s). This is calculated on each
+   ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
+   sizeof(struct sockaddr_in6).
+
+  --
+  | BIND Type Checks   |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
+  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6 address   |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address   |
+  --
+
+  --
+  |   CONNECT Type Checks  |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_CONNECTX  | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_ADD_IP  | One or more ipv4 / ipv6 addresses |
+  | SCTP_SENDMSG_CONNECT   | Single ipv4 or ipv6 address   |
+  | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address   |
+  --
+
+A summary of the ``@optname`` entries is as follows::
+
+SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
+ associated after (optionally) calling
+ bind(3).
+ sctp_bindx(3) adds a set of bind
+ addresses on a socket.
+
+SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
+addresses for reaching a peer
+(multi-homed).
+sctp_connectx(3) initiates a connection
+on an SCTP socket using multiple
+destination addresses.
+
+SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
+sendmsg(2) or sctp_sendmsg(3) on a new asociation.
+
+
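Review bot: the security_sctp_assoc_request() section names the second argument ``@chunk->skb`` in its first sentence but ``@skb`` in the parameter list; use one name so readers can match the prose to the prototype. Two wording fixes in the same hunk: "The usage of these hooks are described" should read "is described", and "asociation" in the SCTP_SENDMSG_CONNECT summary should be "association". Since the tables say ``@address`` may hold "One or more" addresses and ``@addrlen`` is the total length, the ``@addrlen`` entry could also state what a security module should do when the total is not a whole multiple of sizeof(struct sockaddr_in) or sizeof(struct sockaddr_in6).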

[PATCH 0/4] Add SELinux SCTP protocol support

2017-11-28 Thread Richard Haines
The kernel patches have been built on Fedora 27 with kernel 4.13.12 plus
the following userspace patches to enable testing:

1) Updates to libsepol 2.7 to support the sctp portcon statement.
   The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 selinux-Add-support-for-the-SCTP-portcon-keyword.patch

2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
   selinux-testsuite/README.sctp for details. The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 selinux-testsuite-Add-SCTP-test-support.patch

3) Updates to lksctp-tools that show SELinux info in sctp_darn and
   sctp_test. It also contains a minor patch for test_1_to_1_connect.c
   as when CIPSO/CALIPSO configured, NetLabel returns a different error
   code for illegal addresses in test 5. The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch

All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.

All SCTP regression tests "./sctp-tests run" run correctly in enforcing
mode. These tests are obtained from: https://github.com/sctp/sctp-tests

The selinux-testsuite patch also adds remote tests (that need some manual
configuration). These are useful for testing CIPSO/CALIPSO over a network
with a number of categories to produce large ip option fields with various
message sizes forcing fragmentation etc.

Changes since RFC Patch:
Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support)
as re-engineered. However this patchset will require the NetLabel
patch at [1] to fully run the SCTP selinux-testsuite.

PATCH 1/4
Remove unused parameter from security_sctp_assoc_request().
Reformat and update LSM-sctp.rst documentation.
PATCH 2/4
Add variables and RCU locks as requested in [2] to support IP options.
PATCH 3/4
Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init()
and sctp_sf_do_5_2_4_dupcook().
Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as
no longer required.
PATCH 4/4
Reformat and update SELinux-sctp.rst documentation.
Remove bindx and connectx permissions.
Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to
utilise helpers for code reuse.
Add spinlock to selinux_sctp_assoc_request().
Remove unused parameter from security_sctp_assoc_request().
Use address->sa_family == AF_INET in *_bind and *_connect to ensure
correct address type.
Minor cleanups.

[1] https://marc.info/?l=selinux=151061619115945=2
[2] https://marc.info/?l=selinux=150962470215797=2

Richard Haines (4):
  security: Add support for SCTP security hooks
  sctp: Add ip option support
  sctp: Add LSM hooks
  selinux: Add SCTP support

 Documentation/security/LSM-sctp.rst | 194 ++
 Documentation/security/SELinux-sctp.rst | 104 
 include/linux/lsm_hooks.h   |  35 
 include/linux/security.h|  25 +++
 include/net/sctp/structs.h  |  12 ++
 include/uapi/linux/sctp.h   |   1 +
 net/sctp/chunk.c|  13 +-
 net/sctp/ipv6.c |  42 -
 net/sctp/output.c   |   5 +-
 net/sctp/protocol.c |  36 +
 net/sctp/sm_make_chunk.c|  12 ++
 net/sctp/sm_statefuns.c |  18 +++
 net/sctp/socket.c   |  69 +++-
 security/security.c |  22 +++
 security/selinux/hooks.c| 278 +---
 security/selinux/include/classmap.h |   2 +-
 security/selinux/include/netlabel.h |  15 +-
 security/selinux/include/objsec.h   |   4 +
 security/selinux/netlabel.c | 128 +--
 19 files changed, 967 insertions(+), 48 deletions(-)
 create mode 100644 Documentation/security/LSM-sctp.rst
 create mode 100644 Documentation/security/SELinux-sctp.rst

-- 
2.14.3




[PATCH 3/4] sctp: Add LSM hooks

2017-11-28 Thread Richard Haines
Add security hooks to allow security modules to exercise access control
over SCTP.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 include/net/sctp/structs.h | 10 
 include/uapi/linux/sctp.h  |  1 +
 net/sctp/sm_make_chunk.c   | 12 +
 net/sctp/sm_statefuns.c| 18 ++
 net/sctp/socket.c  | 61 +-
 5 files changed, 101 insertions(+), 1 deletion(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 7767577..6e72e3e 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -1270,6 +1270,16 @@ struct sctp_endpoint {
  reconf_enable:1;
 
__u8  strreset_enable;
+
+   /* Security identifiers from incoming (INIT). These are set by
+* security_sctp_assoc_request(). These will only be used by
+* SCTP TCP type sockets and peeled off connections as they
+* cause a new socket to be generated. security_sctp_sk_clone()
+* will then plug these into the new socket.
+*/
+
+   u32 secid;
+   u32 peer_secid;
 };
 
 /* Recover the outter endpoint structure. */
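Review bot: the stray blank line between the comment block and `u32 secid;` separates the comment from the fields it documents; drop it. The comment also says both identifiers come "from incoming (INIT)", but only `peer_secid` does: per the LSM-sctp.rst text in 1/4, the endpoint sid is the socket's own sid with the MLS portion taken from the INIT's peer sid, so say that here to avoid a reader assuming `secid` is attacker-supplied.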
diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
index 6217ff8..c04812f 100644
--- a/include/uapi/linux/sctp.h
+++ b/include/uapi/linux/sctp.h
@@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
 #define SCTP_RESET_ASSOC   120
 #define SCTP_ADD_STREAMS   121
 #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
+#define SCTP_SENDMSG_CONNECT   123
 
 /* PR-SCTP policies */
 #define SCTP_PR_SCTP_NONE  0x
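Review bot: `SCTP_SENDMSG_CONNECT` is added to the uapi header next to real socket option numbers, but per the LSM-sctp.rst summary in 1/4 it is only an `@optname` tag handed to security_sctp_bind_connect() for a sendmsg()-initiated connect, not something userspace can pass to setsockopt(2)/getsockopt(2). Either make it a kernel-internal define or add a comment stating it is not a socket option, so it does not get picked up and used by userspace headers.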
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 6110447..ca4705b 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct 
sctp_association *asoc,
if (af->is_any())
memcpy(, >source, sizeof(addr));
 
+   if (security_sctp_bind_connect(asoc->ep->base.sk,
+  SCTP_PARAM_ADD_IP,
+  (struct sockaddr *),
+  af->sockaddr_len))
+   return SCTP_ERROR_REQ_REFUSED;
+
/* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
 * request and does not have the local resources to add this
 * new address to the association, it MUST return an Error
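Review bot: whatever errno the security module returns is collapsed to `SCTP_ERROR_REQ_REFUSED`; a one-line comment saying the errno is deliberately not propagated (the peer only ever sees the ASCONF error cause) would make that intentional rather than accidental. Placing the check after the `is_any()` substitution is the right order, since the LSM then sees the concrete source address instead of the wildcard.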
@@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct 
sctp_association *asoc,
if (af->is_any())
memcpy(, sctp_source(asconf), sizeof(addr));
 
+   if (security_sctp_bind_connect(asoc->ep->base.sk,
+  SCTP_PARAM_SET_PRIMARY,
+  (struct sockaddr *),
+  af->sockaddr_len))
+   return SCTP_ERROR_REQ_REFUSED;
+
peer = sctp_assoc_lookup_paddr(asoc, );
if (!peer)
return SCTP_ERROR_DNS_FAILED;
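Review bot: the `SCTP_PARAM_SET_PRIMARY` check runs before `sctp_assoc_lookup_paddr()`, so an address that is not a peer address of this association at all is submitted to the LSM (and can generate an audit denial) before being rejected with `SCTP_ERROR_DNS_FAILED`. Moving the security check after the `!peer` test avoids audit noise for requests that would be refused anyway.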
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index b2a74c3..67c6a7d 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
sctp_unrecognized_param_t *unk_param;
int len;
 
+   /* Update socket peer label if first association. */
+   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+   chunk->skb))
+   return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
 * An endpoint MUST NOT bundle INIT, INIT ACK or
 * SHUTDOWN COMPLETE with any other chunks.
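Review bot: the `(struct sctp_endpoint *)ep` cast discards the `const` of the state function's `ep` argument; since the LSM-sctp.rst text in 1/4 says the hook sets the endpoint sid, either add a comment explaining why writing through the cast is safe here or route the hook through a non-const path. The comment "Update socket peer label if first association" also undersells the call: on later associations the hook validates the peer label and can refuse the INIT, which is what the `sctp_sf_pdiscard()` return implements.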
@@ -899,6 +904,9 @@ sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net,
 */
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 
+   /* Set peer label for connection. */
+   security_inet_conn_established(ep->base.sk, chunk->skb);
+
/* RFC 2960 5.1 Normal Establishment of an Association
 *
 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
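Review bot: "Set peer label for connection" should say association, matching the terminology used elsewhere in this file. It would also help to note in the comment that this is the COOKIE ACK path (per the RFC 2960 5.1 E) text just below), so the client-side socket takes its peer label from the ACK's skb while the server side takes it from the INIT in security_sctp_assoc_request().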
@@ -1428,6 +1436,11 @@ static sctp_disposition_t sctp_sf_do_unexpected_init(
sctp_unrecognized_param_t *unk_param;
int len;
 
+   /* Update socket peer label if first association. */
+   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+   chunk->skb))
+   return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
 * An endpoint MUST NOT bundle INIT, INIT ACK or
 * SHUTDOWN COMPLETE with any other chunks.
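Review bot: this block repeats the one added to sctp_sf_do_5_1B_init() line for line (same cast, same comment, same `sctp_sf_pdiscard()` return); a small static helper would keep the two call sites, and the one being added to sctp_sf_do_5_2_4_dupcook(), from drifting apart.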
@@ -2089,6 +2102,11 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupcook(struct net 
*net,
}
}
 
+

[PATCH 2/4] sctp: Add ip option support

2017-11-28 Thread Richard Haines
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 include/net/sctp/structs.h |  2 ++
 net/sctp/chunk.c   | 13 -
 net/sctp/ipv6.c| 42 +++---
 net/sctp/output.c  |  5 -
 net/sctp/protocol.c| 36 
 net/sctp/socket.c  |  8 ++--
 6 files changed, 91 insertions(+), 15 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 5ab29af..7767577 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -461,6 +461,7 @@ struct sctp_af {
void(*ecn_capable)(struct sock *sk);
__u16   net_header_len;
int sockaddr_len;
+   int (*ip_options_len)(struct sock *sk);
sa_family_t sa_family;
struct list_head list;
 };
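Review bot: the new `ip_options_len` callback is called unconditionally from sctp_datamsg_from_user() in this same patch (`af->ip_options_len(asoc->base.sk)`), so every `struct sctp_af` instance must set it. The IPv6 implementation is in this patch; confirm the IPv4 one in net/sctp/protocol.c (in the diffstat but not quoted here) is wired up too, otherwise every AF_INET send is a NULL function pointer call.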
@@ -485,6 +486,7 @@ struct sctp_pf {
int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr);
void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
+   void (*copy_ip_options)(struct sock *sk, struct sock *newsk);
struct sctp_af *af;
 };
 
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index 1323d41..ba15a72 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -153,7 +153,6 @@ static void sctp_datamsg_assign(struct sctp_datamsg *msg, 
struct sctp_chunk *chu
chunk->msg = msg;
 }
 
-
 /* A data chunk can have a maximum payload of (2^16 - 20).  Break
  * down any such message into smaller chunks.  Opportunistically, fragment
  * the chunks down to the current MTU constraints.  We may get refragmented
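Review bot: this hunk only removes a blank line that has nothing to do with IP options; drop it so the diff stays on topic (the same applies to the blank line removed after `first_len = max_data;` further down).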
@@ -170,6 +169,8 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
struct list_head *pos, *temp;
struct sctp_chunk *chunk;
struct sctp_datamsg *msg;
+   struct sctp_sock *sp;
+   struct sctp_af *af;
int err;
 
msg = sctp_datamsg_new(GFP_KERNEL);
@@ -188,9 +189,12 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
/* This is the biggest possible DATA chunk that can fit into
 * the packet
 */
-   max_data = asoc->pathmtu -
-  sctp_sk(asoc->base.sk)->pf->af->net_header_len -
-  sizeof(struct sctphdr) - sizeof(struct sctp_data_chunk);
+   sp = sctp_sk(asoc->base.sk);
+   af = sp->pf->af;
+   max_data = asoc->pathmtu - af->net_header_len -
+  sizeof(struct sctphdr) - sizeof(struct sctp_data_chunk) -
+  af->ip_options_len(asoc->base.sk);
+
max_data = SCTP_TRUNC4(max_data);
 
/* If the the peer requested that we authenticate DATA chunks
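Review bot: `ip_options_len()` is evaluated once per message here, and the IPv6 version reads `np->opt` under RCU, so options attached to the socket after this point are not reflected in `max_data` and the resulting packets could exceed the path MTU. A comment stating that options are expected to be in place before data is sent (which is how the LSM sets them at association time per 1/4) would document that assumption.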
@@ -210,7 +214,6 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
sctp_association *asoc,
 
/* Set first_len and then account for possible bundles on first frag */
first_len = max_data;
-
/* Check to see if we have a pending SACK and try to let it be bundled
 * with this message.  Do this if we don't have any data queued already.
 * To check that, look at out_qlen and retransmit list.
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index a4b6ffb..cddd237 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -423,6 +423,38 @@ static void sctp_v6_copy_addrlist(struct list_head 
*addrlist,
rcu_read_unlock();
 }
 
+/* Copy over any ip options */
+static void sctp_v6_copy_ip_options(struct sock *sk, struct sock *newsk)
+{
+   struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
+   struct ipv6_txoptions *opt;
+
+   newnp = inet6_sk(newsk);
+
+   rcu_read_lock();
+   opt = rcu_dereference(np->opt);
+   if (opt)
+   opt = ipv6_dup_options(newsk, opt);
+   RCU_INIT_POINTER(newnp->opt, opt);
+   rcu_read_unlock();
+}
+
+/* Account for the IP options */
+static int sctp_v6_ip_options_len(struct sock *sk)
+{
+   struct ipv6_pinfo *np = inet6_sk(sk);
+   struct ipv6_txoptions *opt;
+   int len = 0;
+
+   rcu_read_lock();
+   opt = rcu_dereference(np->opt);
+   if (opt)
+   len = opt->opt_flen + opt->opt_nflen;
+
+   rcu_read_unlock();
+   return len;
+}
+
 /* Initialize a sockaddr_storage from in incoming skb. */
 static void sctp_v6_from_skb(union sctp_addr *addr, struct sk_buff *skb,
 int is_saddr)
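Review bot: in sctp_v6_copy_ip_options() a NULL return from `ipv6_dup_options()` (allocation failure) is indistinguishable from "no options": `newnp->opt` is set to NULL and the new socket silently loses the CALIPSO label carried in the parent's options. Make `copy_ip_options` return an int (the sctp_pf member added above is `void`) so the accept/peeloff path can fail rather than hand back an unlabeled socket. The blank line before `rcu_read_unlock()` in sctp_v6_ip_options_len() is a style nit.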
@@ -662,7 +694,6 @@ static struct sock *sctp_v6_create_accept_sk(struct sock 
*sk,
struct sock *newsk;
struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
struct sctp6_sock *newsctp6sk;
-   struct ipv6_txoptions *opt;
 
newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, kern);
if (!newsk)
@@ -685,12 +716,7 @

[PATCH 4/4] selinux: Add SCTP support

2017-11-28 Thread Richard Haines
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.rst

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 Documentation/security/SELinux-sctp.rst | 104 
 security/selinux/hooks.c| 278 +---
 security/selinux/include/classmap.h |   2 +-
 security/selinux/include/netlabel.h |  15 +-
 security/selinux/include/objsec.h   |   4 +
 security/selinux/netlabel.c | 128 +--
 6 files changed, 499 insertions(+), 32 deletions(-)
 create mode 100644 Documentation/security/SELinux-sctp.rst

diff --git a/Documentation/security/SELinux-sctp.rst 
b/Documentation/security/SELinux-sctp.rst
new file mode 100644
index 000..f6a9162
--- /dev/null
+++ b/Documentation/security/SELinux-sctp.rst
@@ -0,0 +1,104 @@
+SCTP SELinux Support
+=
+
+Security Hooks
+===
+
+The ``Documentation/security/LSM-sctp.rst`` document describes how the
+following sctp security hooks are utilised::
+
+security_sctp_assoc_request()
+security_sctp_bind_connect()
+security_sctp_sk_clone()
+security_inet_conn_established()
+
+
+Policy Statements
+==
+The following class and permissions to support SCTP are available within the
+kernel::
+
+class sctp_socket inherits socket { node_bind }
+
+whenever the following policy capability is enabled::
+
+policycap extended_socket_class;
+
+SELinux SCTP support adds the ``name_connect`` permission for connecting
+to a specific port type and the ``association`` permission that is explained
+in the section below.
+
+If userspace tools have been updated, SCTP will support the ``portcon``
+statement as shown in the following example::
+
+portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0
+
+
+SCTP Bind, Connect and ASCONF Chunk Parameter Permission Checks
+
+The hook ``security_sctp_bind_connect()`` is called by SCTP to check
+permissions required for ipv4/ipv6 addresses based on the ``@optname`` as
+follows::
+
+  --
+  |   BIND Permission Checks   |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
+  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6 address   |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address   |
+  --
+
+  --
+  | CONNECT Permission Checks  |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_CONNECTX  | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_ADD_IP  | One or more ipv4 / ipv6 addresses |
+  | SCTP_SENDMSG_CONNECT   | Single ipv4 or ipv6 address   |
+  | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address   |
+  --
+
+
+SCTP Peer Labeling
+===
+An SCTP socket will only have one peer label assigned to it. This will be
+assigned during the establishment of the first association. Once the peer
+label has been assigned, any new associations will have the ``association``
+permission validated by checking the socket peer sid against the received
+packets peer sid to determine whether the association should be allowed or
+denied.
+
+NOTES:
+   1) If peer labeling is not enabled, then the peer context will always be
+  ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).
+
+   2) As SCTP can support more than one transport address per endpoint
+  (multi-homing) on a single socket, it is possible to configure policy
+  and NetLabel to provide different peer labels for each of these. As the
+  socket peer label is determined by the first associations transport
+  address, it is recommended that all peer labels are consistent.
+
+   3) **getpeercon**\(3) may be used by userspace to retrieve the sockets peer
+  context.
+
+   4) While not SCTP specific, be aware when using NetLabel that if a label
+  is assigned to a specific interface, and that interface 'goes down',
+  then the NetLabel service will remove the entry. Therefore ensure that
+  the network startup scripts call **netlabelctl**\(8) to set the required
+  label (see **netlabel-config**\(8) helper script for details).
+
+   5) The NetLabel SCTP peer labeling rules apply as discussed in the following
+  set of posts tagged "netlabel" at: http://www.paul-moore.com/blog/t.
+
+   6) CIPSO is only supported for IPv4 addressing: 
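Review bot: the "Policy Statements" section shows `class sctp_socket inherits socket { node_bind }` and then says SELinux adds `name_connect` and `association`; the class definition should list those permissions too so the doc matches the classmap.h change in this patch. In "SCTP Peer Labeling", "received packets peer sid" and "first associations transport address" need possessive apostrophes, and note 2 could say outright what happens when the per-address labels are not consistent (per the preceding paragraph, the later association fails the `association` check).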

Re: [RFC PATCH 5/5] selinux: Add SCTP support

2017-11-15 Thread Richard Haines
On Mon, 2017-11-13 at 17:40 -0500, Paul Moore wrote:
> On Mon, Nov 13, 2017 at 5:05 PM, Richard Haines
> <richard_c_hai...@btinternet.com> wrote:
> > On Mon, 2017-11-06 at 19:09 -0500, Paul Moore wrote:
> > > On Tue, Oct 17, 2017 at 9:59 AM, Richard Haines
> > > <richard_c_hai...@btinternet.com> wrote:
> > > > The SELinux SCTP implementation is explained in:
> > > > Documentation/security/SELinux-sctp.txt
> > > > 
> > > > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > > > ---
> > > >  Documentation/security/SELinux-sctp.txt | 108 +
> > > >  security/selinux/hooks.c| 268
> > > > ++--
> > > >  security/selinux/include/classmap.h |   3 +-
> > > >  security/selinux/include/netlabel.h |   9 +-
> > > >  security/selinux/include/objsec.h   |   5 +
> > > >  security/selinux/netlabel.c |  52 ++-
> > > >  6 files changed, 427 insertions(+), 18 deletions(-)
> > > >  create mode 100644 Documentation/security/SELinux-sctp.txt
> 
> ...
> 
> > > > +Policy Statements
> > > > +==
> > > > +The following class and permissions to support SCTP are
> > > > available
> > > > within the
> > > > +kernel:
> > > > +class sctp_socket inherits socket { node_bind }
> > > > +
> > > > +whenever the following policy capability is enabled:
> > > > +policycap extended_socket_class;
> > > > +
> > > > +The SELinux SCTP support adds the additional permissions that
> > > > are
> > > > explained
> > > > +in the sections below:
> > > > +association bindx connectx
> > > 
> > > Is the distinction between bind and bindx significant?  The same
> > > question applies to connect/connectx.  I think we can probably
> > > just
> > > reuse bind and connect in these cases.
> > 
> > This has been discussed before with Marcelo and keeping
> > bindx/connectx
> > is a useful distinction.
> 
> My apologies, I must have forgotten/missed that discussion.  Do you
> have an archive pointer?

No, this was off-list, however I've copied the relevant bits:

> SCTP Socket Option Permissions
> ===
> Permissions that are validated on setsockopt(2) calls (note that the
> sctp_socket SETOPT permission must be allowed):
>
> This option requires the BINDX_ADDR permission:
> SCTP_SOCKOPT_BINDX_REM - Remove additional bind address.

Can't see a usage for this one.

>
> These options require the SET_PARAMS permission:
> SCTP_PEER_ADDR_PARAMS  - Set heartbeats and address max
> retransmissions.
> SCTP_PEER_ADDR_THLDS  - Set thresholds.
> SCTP_ASSOCINFO- Set association / endpoint parameters.

Also for these, considering we are not willing to go as deep as to only
allow these if within a given threshold. But still even then, sounds
like too much.

>
>
> SCTP Bind, Connect and ASCONF Chunk Parameter Permission Checks
> ==
> The hook security_sctp_addr_list() is called by SCTP when processing
> various options (@optname) to check permissions required for the list
> of ipv4/ipv6 addresses (@address) as follows:
> 
> |sctp_socket BIND type permission checks  |
> |(The socket must also have the BIND permission)  |
> |  @optname| Permission  |  @address  |
> |--|-|-|
> |SCTP_SOCKOPT_BINDX_ADD|BINDX_ADDRS  |One or more ipv4/ipv6 adr|

This one can be useful, for that privilege-dropping case.

Paul note: I later changed BINDX_ADDRS to just BINDX

> |SCTP_PRIMARY_ADDR|SET_PRI_ADDR |Single ipv4 or ipv6 adr  |
> |SCTP_SET_PEER_PRIMARY_ADDR|SET_PEER_ADDR|Single ipv4 or ipv6 adr  |

But these, can't use a use-case.

> 
> 
> |sctp_socket CONNECT type permission checks|
> |(The socket must also have the CONNECT permission)|
> |  @optname| Permission  |  @address  |
> |--|-|-|
> |SCTP_SOCKOPT_CONNECTX|CONNECTX|One or more ipv4/ipv6 adr|
> |SCTP_PARAM_ADD_IP|BINDX_ADDRS  |One or more ipv4/ip

Re: [RFC PATCH 5/5] selinux: Add SCTP support

2017-11-14 Thread Richard Haines
On Mon, 2017-11-06 at 19:09 -0500, Paul Moore wrote:
> On Tue, Oct 17, 2017 at 9:59 AM, Richard Haines
> <richard_c_hai...@btinternet.com> wrote:
> > The SELinux SCTP implementation is explained in:
> > Documentation/security/SELinux-sctp.txt
> > 
> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > ---
> >  Documentation/security/SELinux-sctp.txt | 108 +
> >  security/selinux/hooks.c| 268
> > ++--
> >  security/selinux/include/classmap.h |   3 +-
> >  security/selinux/include/netlabel.h |   9 +-
> >  security/selinux/include/objsec.h   |   5 +
> >  security/selinux/netlabel.c |  52 ++-
> >  6 files changed, 427 insertions(+), 18 deletions(-)
> >  create mode 100644 Documentation/security/SELinux-sctp.txt
> > 
> > diff --git a/Documentation/security/SELinux-sctp.txt
> > b/Documentation/security/SELinux-sctp.txt
> > new file mode 100644
> > index 000..32e0255
> > --- /dev/null
> > +++ b/Documentation/security/SELinux-sctp.txt
> > @@ -0,0 +1,108 @@
> 
> See my previous comments about moving to reStructuredText for these
> docs.

Done
> 
> > +   SCTP SELinux Support
> > +  ==
> > +
> > +Security Hooks
> > +===
> > +
> > +The Documentation/security/LSM-sctp.txt document describes how the
> > following
> > +sctp security hooks are utilised:
> > +security_sctp_assoc_request()
> > +security_sctp_bind_connect()
> > +security_sctp_sk_clone()
> > +
> > +security_inet_conn_established()
> > +
> > +
> > +Policy Statements
> > +==
> > +The following class and permissions to support SCTP are available
> > within the
> > +kernel:
> > +class sctp_socket inherits socket { node_bind }
> > +
> > +whenever the following policy capability is enabled:
> > +policycap extended_socket_class;
> > +
> > +The SELinux SCTP support adds the additional permissions that are
> > explained
> > +in the sections below:
> > +association bindx connectx
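Review bot: the policy statement lists only `{ node_bind }` while the next sentence says `association bindx connectx` are added; the class definition in the doc should list the added permissions so the two statements agree with classmap.h.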
> 
> Is the distinction between bind and bindx significant?  The same
> question applies to connect/connectx.  I think we can probably just
> reuse bind and connect in these cases.

This has been discussed before with Marcelo and keeping bindx/connectx
is a useful distinction.
> 
> See my question on sctp_socket:association below.
> 
> > +If userspace tools have been updated, SCTP will support the
> > portcon
> > +statement as shown in the following example:
> > +portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0
> > +
> > +
> > +SCTP Bind, Connect and ASCONF Chunk Parameter Permission Checks
> > +
> > +The hook security_sctp_bind_connect() is called by SCTP to check
> > permissions
> > +required for ipv4/ipv6 addresses based on the @optname as follows:
> > +
> > +  --
> > 
> > +  |  BINDX Permission
> > Check|
> > +  |   @optname | @address
> > contains |
> > +  ||
> > ---|
> > +  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses
> > |
> > +  --
> > 
> > +
> > +  --
> > 
> > +  |  BIND Permission
> > Checks|
> > +  |   @optname | @address
> > contains |
> > +  ||
> > ---|
> > +  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6
> > address   |
> > +  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6
> > address   |
> > +  --
> > 
> > +
> > +  --
> > 
> > +  | CONNECTX Permission
> > Check  |
> > +  |   @optname | @address
> > contains |
> > +  ||
> > ---|
> > +  | SCTP_SOCKOPT_CONNECTX  | One or 

Re: [RFC PATCH 4/5] netlabel: Add SCTP support

2017-11-14 Thread Richard Haines
On Mon, 2017-11-06 at 18:15 -0500, Paul Moore wrote:
> On Tue, Oct 17, 2017 at 9:58 AM, Richard Haines
> <richard_c_hai...@btinternet.com> wrote:
> > Add support to label SCTP associations and cater for a situation
> > where
> > family = PF_INET6 with an ip_hdr(skb)->version = 4.
> > 
> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > ---
> >  include/net/netlabel.h|  3 ++
> >  net/netlabel/netlabel_kapi.c  | 80
> > +++
> >  net/netlabel/netlabel_unlabeled.c | 10 +
> >  3 files changed, 93 insertions(+)
> > 
> > diff --git a/include/net/netlabel.h b/include/net/netlabel.h
> > index 72d6435..7348966 100644
> > --- a/include/net/netlabel.h
> > +++ b/include/net/netlabel.h
> > @@ -494,6 +494,9 @@ int netlbl_conn_setattr(struct sock *sk,
> > const struct netlbl_lsm_secattr *secattr);
> >  int netlbl_req_setattr(struct request_sock *req,
> >const struct netlbl_lsm_secattr *secattr);
> > +int netlbl_sctp_setattr(struct sock *sk,
> > +   struct sk_buff *skb,
> > +   const struct netlbl_lsm_secattr *secattr);
> >  void netlbl_req_delattr(struct request_sock *req);
> >  int netlbl_skbuff_setattr(struct sk_buff *skb,
> >   u16 family,
> > diff --git a/net/netlabel/netlabel_kapi.c
> > b/net/netlabel/netlabel_kapi.c
> > index ea7c670..1c82bbe 100644
> > --- a/net/netlabel/netlabel_kapi.c
> > +++ b/net/netlabel/netlabel_kapi.c
> > @@ -1121,6 +1121,7 @@ int netlbl_conn_setattr(struct sock *sk,
> > switch (addr->sa_family) {
> > case AF_INET:
> > addr4 = (struct sockaddr_in *)addr;
> > +
> 
> I'm guessing this bit of extra whitespace was an accident; but just
> in
> case, drop it from this patch please.
Done
> 
> > entry = netlbl_domhsh_getentry_af4(secattr->domain,
> >addr4-
> > >sin_addr.s_addr);
> > if (entry == NULL) {
> > @@ -1177,6 +1178,85 @@ int netlbl_conn_setattr(struct sock *sk,
> >  }
> > 
> >  /**
> > + * netlbl_sctp_setattr - Label an incoming sctp association socket
> > using
> > + * the correct protocol
> > + * @sk: the socket to label
> > + * @skb: the packet
> > + * @secattr: the security attributes
> > + *
> > + * Description:
> > + * Attach the correct label to the given socket using the security
> > attributes
> > + * specified in @secattr.  Returns zero on success, negative
> > values on failure.
> > + *
> > + */
> > +int netlbl_sctp_setattr(struct sock *sk,
> > +   struct sk_buff *skb,
> > +   const struct netlbl_lsm_secattr *secattr)
> > +{
> > +   int ret_val = -EINVAL;
> > +   struct netlbl_dommap_def *entry;
> > +   struct iphdr *hdr4;
> > +#if IS_ENABLED(CONFIG_IPV6)
> > +   struct ipv6hdr *hdr6;
> > +#endif
> > +
> > +   rcu_read_lock();
> > +   switch (sk->sk_family) {
> > +   case AF_INET:
> > +   hdr4 = ip_hdr(skb);
> > +
> > +   entry = netlbl_domhsh_getentry_af4(secattr->domain,
> > +  hdr4->saddr);
> > +   if (entry == NULL) {
> > +   ret_val = -ENOENT;
> > +   goto sctp_setattr_return;
> > +   }
> > +   switch (entry->type) {
> > +   case NETLBL_NLTYPE_CIPSOV4:
> > +   ret_val = cipso_v4_sock_setattr(sk, entry-
> > >cipso,
> > +   secattr);
> > +   break;
> > +   case NETLBL_NLTYPE_UNLABELED:
> > +   netlbl_sock_delattr(sk);
> > +   ret_val = 0;
> > +   break;
> > +   default:
> > +   ret_val = -ENOENT;
> > +   }
> > +   break;
> > +#if IS_ENABLED(CONFIG_IPV6)
> > +   case AF_INET6:
> > +   hdr6 = ipv6_hdr(skb);
> > +   entry = netlbl_domhsh_getentry_af6(secattr->domain,
> > +  >saddr);
> > +   if (entry == NULL) {
> > +   ret_val = -ENOENT;
> > +  

[PATCH] netlabel: If PF_INET6, check sk_buff ip header version

2017-11-13 Thread Richard Haines
When resolving a fallback label, check the sk_buff version as it
is possible (e.g. SCTP) to have family = PF_INET6 while
receiving ip_hdr(skb)->version = 4.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 net/netlabel/netlabel_unlabeled.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/net/netlabel/netlabel_unlabeled.c 
b/net/netlabel/netlabel_unlabeled.c
index 22dc1b9..c070dfc 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1472,6 +1472,16 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb,
iface = rcu_dereference(netlbl_unlhsh_def);
if (iface == NULL || !iface->valid)
goto unlabel_getattr_nolabel;
+
+#if IS_ENABLED(CONFIG_IPV6)
+   /* When resolving a fallback label, check the sk_buff version as
+* it is possible (e.g. SCTP) to have family = PF_INET6 while
+* receiving ip_hdr(skb)->version = 4.
+*/
+   if (family == PF_INET6 && ip_hdr(skb)->version == 4)
+   family = PF_INET;
+#endif /* IPv6 */
+
switch (family) {
case PF_INET: {
struct iphdr *hdr4;
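Review bot: the family fix-up is applied only in netlbl_unlabel_getattr(); the labelled lookup in the same series (netlbl_sctp_setattr() in the RFC 4/5 thread above) still keys on `sk->sk_family`, so the PF_INET6-with-IPv4-header case should be handled in one shared place, or the comment should say why only the fallback path needs it. Dereferencing `ip_hdr(skb)` before the `switch (family)` also assumes every caller has set the network header, which is worth stating in the comment.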
-- 
2.13.6




Re: [RFC PATCH 2/5] sctp: Add ip option support

2017-11-02 Thread Richard Haines
On Tue, 2017-10-31 at 15:06 -0200, Marcelo Ricardo Leitner wrote:
> Hello,
> 
> On Tue, Oct 17, 2017 at 02:58:06PM +0100, Richard Haines wrote:
> > Add ip option support to allow LSM security modules to utilise
> > CIPSO/IPv4
> > and CALIPSO/IPv6 services.
> > 
> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > ---
> >  include/net/sctp/structs.h |  2 ++
> >  net/sctp/chunk.c   |  7 ---
> >  net/sctp/ipv6.c| 37 ++--
> > -
> >  net/sctp/output.c  |  3 ++-
> >  net/sctp/protocol.c| 36
> > 
> >  net/sctp/socket.c  |  5 -
> >  6 files changed, 78 insertions(+), 12 deletions(-)
> > 
> > diff --git a/include/net/sctp/structs.h
> > b/include/net/sctp/structs.h
> > index 5ab29af..7767577 100644
> > --- a/include/net/sctp/structs.h
> > +++ b/include/net/sctp/structs.h
> > @@ -461,6 +461,7 @@ struct sctp_af {
> > void(*ecn_capable)(struct sock *sk);
> > __u16   net_header_len;
> > int sockaddr_len;
> > +   int (*ip_options_len)(struct sock *sk);
> > sa_family_t sa_family;
> > struct list_head list;
> >  };
> > @@ -485,6 +486,7 @@ struct sctp_pf {
> > int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr
> > *addr);
> > void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
> > void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
> > +   void (*copy_ip_options)(struct sock *sk, struct sock
> > *newsk);
> > struct sctp_af *af;
> >  };
> >  
> > diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
> > index 1323d41..e49e240 100644
> > --- a/net/sctp/chunk.c
> > +++ b/net/sctp/chunk.c
> > @@ -153,7 +153,6 @@ static void sctp_datamsg_assign(struct
> > sctp_datamsg *msg, struct sctp_chunk *chu
> > chunk->msg = msg;
> >  }
> >  
> > -
> >  /* A data chunk can have a maximum payload of (2^16 - 20).  Break
> >   * down any such message into smaller chunks.  Opportunistically,
> > fragment
> >   * the chunks down to the current MTU constraints.  We may get
> > refragmented
> > @@ -190,7 +189,10 @@ struct sctp_datamsg
> > *sctp_datamsg_from_user(struct sctp_association *asoc,
> >  */
> > max_data = asoc->pathmtu -
> >sctp_sk(asoc->base.sk)->pf->af->net_header_len
> > -
> 
> 
> > -  sizeof(struct sctphdr) - sizeof(struct
> > sctp_data_chunk);
> > +  sizeof(struct sctphdr) - sizeof(struct
> > sctp_data_chunk) -
> > +  sctp_sk(asoc->base.sk)->pf->af->
> 
> 
> > +  ip_options_len(asoc->base.sk);
> 
> Please add a var for sctp_sk(asoc->base.sk)->pf->af. That should also
> help to not break the dereferencing into multiple lines.
DONE
> 
> > +
> > max_data = SCTP_TRUNC4(max_data);
> >  
> > /* If the the peer requested that we authenticate DATA
> > chunks
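Review bot: nothing guards max_data against reaching zero or going negative once ip_options_len() is subtracted; pathmtu is normally clamped to SCTP_DEFAULT_MINSEGMENT, which keeps the result positive for a 40-byte CIPSO option, but a CALIPSO hop-by-hop header is larger and gets closer to the limit. A clamp (or a WARN_ON_ONCE plus -EMSGSIZE) before SCTP_TRUNC4 would make the assumption explicit instead of handing a tiny budget to the fragmentation loop.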
> > @@ -210,7 +212,6 @@ struct sctp_datamsg
> > *sctp_datamsg_from_user(struct sctp_association *asoc,
> >  
> > /* Set first_len and then account for possible bundles on
> > first frag */
> > first_len = max_data;
> > -
> > /* Check to see if we have a pending SACK and try to let
> > it be bundled
> >  * with this message.  Do this if we don't have any data
> > queued already.
> >  * To check that, look at out_qlen and retransmit list.
> > diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> > index a4b6ffb..49c9011 100644
> > --- a/net/sctp/ipv6.c
> > +++ b/net/sctp/ipv6.c
> > @@ -423,6 +423,33 @@ static void sctp_v6_copy_addrlist(struct
> > list_head *addrlist,
> > rcu_read_unlock();
> >  }
> >  
> > +/* Copy over any ip options */
> > +static void sctp_v6_copy_ip_options(struct sock *sk, struct sock
> > *newsk)
> > +{
> > +   struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
> > +   struct ipv6_txoptions *opt;
> > +
> > +   newnp = inet6_sk(newsk);
> > +
> > +   rcu_read_lock();
> > +   opt = rcu_dereference(np->opt);
> > +   if (opt)
> > +   opt = ipv6_dup_options(newsk, opt);
> > +   RCU_INIT_POINTER(newnp->opt, opt);
> > +   rcu_read_unlock();
> > +}
> > +
> > +/* Account for the IP options */
>
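Review bot: ipv6_dup_options() returns NULL on allocation failure, and sctp_v6_copy_ip_options() then stores that NULL into newnp->opt and returns void, so a child socket cloned from a CALIPSO-labelled parent silently comes up without the options. Make copy_ip_options return int, propagate -ENOMEM, and have the caller fail the clone rather than continue with an unlabelled socket.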

Re: [RFC PATCH 5/5] selinux: Add SCTP support

2017-11-01 Thread Richard Haines
On Tue, 2017-10-31 at 15:16 -0200, Marcelo Ricardo Leitner wrote:
> On Tue, Oct 17, 2017 at 02:59:53PM +0100, Richard Haines wrote:
> > The SELinux SCTP implementation is explained in:
> > Documentation/security/SELinux-sctp.txt
> > 
> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > ---
> 
> ...
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 33fd061..c3e9600 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> 
> ...
> > @@ -4521,7 +4565,14 @@ static int selinux_socket_connect(struct
> > socket *sock, struct sockaddr *address,
> > unsigned short snum;
> > u32 sid, perm;
> >  
> > -   if (sk->sk_family == PF_INET) {
> > +   /* sctp_connectx(3) calls via
> > +*selinux_sctp_bind_connect() that validates
> > multiple
> > +* connect addresses. Because of this need to
> > check
> > +* address->sa_family as it is possible to have
> > +* sk->sk_family = PF_INET6 with addr->sa_family =
> > AF_INET.
> > +*/
> > +   if (sk->sk_family == PF_INET ||
> > +   address->sa_family ==
> > AF_INET) {
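Review bot: the widened condition sends an AF_INET sockaddr on a PF_INET6 socket into the IPv4 branch, so make sure the addrlen that reached selinux_socket_connect() has been validated against sizeof(struct sockaddr_in) for that combination before the branch reads sin_port; the pre-existing length check only had to hold for PF_INET sockets, and a short sockaddr_in6-sized check does not cover a sockaddr_in read on the v6 path.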
> 
> Not sure which code style applies on this file but the if () above
> looks odd. At least, checkpatch.pl complained about it.
Changed to read:
if (sk->sk_family == PF_INET ||
address->sa_family == AF_INET) {

> 
>   Marcelo
> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



Re: [RFC PATCH 3/5] sctp: Add LSM hooks

2017-10-24 Thread Richard Haines
On Fri, 2017-10-20 at 21:14 +0800, Xin Long wrote:
> On Fri, Oct 20, 2017 at 8:04 PM, Richard Haines
> <richard_c_hai...@btinternet.com> wrote:
> > On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
> > > On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> > > > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> > > > <richard_c_hai...@btinternet.com> wrote:
> > > > > Add security hooks to allow security modules to exercise
> > > > > access
> > > > > control
> > > > > over SCTP.
> > > > > 
> > > > > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.co
> > > > > m>
> > > > > ---
> > > > >  include/net/sctp/structs.h | 10 
> > > > >  include/uapi/linux/sctp.h  |  1 +
> > > > >  net/sctp/sm_make_chunk.c   | 12 +
> > > > >  net/sctp/sm_statefuns.c| 14 ++-
> > > > >  net/sctp/socket.c  | 61
> > > > > +-
> > > > >  5 files changed, 96 insertions(+), 2 deletions(-)
> > > > > 
> > > > > diff --git a/include/net/sctp/structs.h
> > > > > b/include/net/sctp/structs.h
> > > > > index 7767577..6e72e3e 100644
> > > > > --- a/include/net/sctp/structs.h
> > > > > +++ b/include/net/sctp/structs.h
> > > > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> > > > >   reconf_enable:1;
> > > > > 
> > > > > __u8  strreset_enable;
> > > > > +
> > > > > +   /* Security identifiers from incoming (INIT). These
> > > > > are
> > > > > set by
> > > > > +* security_sctp_assoc_request(). These will only be
> > > > > used
> > > > > by
> > > > > +* SCTP TCP type sockets and peeled off connections
> > > > > as
> > > > > they
> > > > > +* cause a new socket to be generated.
> > > > > security_sctp_sk_clone()
> > > > > +* will then plug these into the new socket.
> > > > > +*/
> > > > > +
> > > > > +   u32 secid;
> > > > > +   u32 peer_secid;
> > > > >  };
> > > > > 
> > > > >  /* Recover the outter endpoint structure. */
> > > > > diff --git a/include/uapi/linux/sctp.h
> > > > > b/include/uapi/linux/sctp.h
> > > > > index 6217ff8..c04812f 100644
> > > > > --- a/include/uapi/linux/sctp.h
> > > > > +++ b/include/uapi/linux/sctp.h
> > > > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> > > > >  #define SCTP_RESET_ASSOC   120
> > > > >  #define SCTP_ADD_STREAMS   121
> > > > >  #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > > > > +#define SCTP_SENDMSG_CONNECT   123
> > > > > 
> > > > >  /* PR-SCTP policies */
> > > > >  #define SCTP_PR_SCTP_NONE  0x
> > > > > diff --git a/net/sctp/sm_make_chunk.c
> > > > > b/net/sctp/sm_make_chunk.c
> > > > > index 6110447..ca4705b 100644
> > > > > --- a/net/sctp/sm_make_chunk.c
> > > > > +++ b/net/sctp/sm_make_chunk.c
> > > > > @@ -3059,6 +3059,12 @@ static __be16
> > > > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > > > if (af->is_any())
> > > > > memcpy(, >source,
> > > > > sizeof(addr));
> > > > > 
> > > > > +   if (security_sctp_bind_connect(asoc->ep-
> > > > > >base.sk,
> > > > > +  SCTP_PARAM_ADD
> > > > > _IP,
> > > > > +  (struct
> > > > > sockaddr
> > > > > *),
> > > > > +  af-
> > > > > >sockaddr_len))
> > > > > +   return SCTP_ERROR_REQ_REFUSED;
> > > > > +
> > > > > /* ADDIP 4.3 D9) If an endpoint receives an
> > > > > ADD
> > > > > IP address
> > > > >  * request and does not have the local
> > > > > resources

Re: [RFC PATCH 3/5] sctp: Add LSM hooks

2017-10-20 Thread Richard Haines
On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
> On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> > <richard_c_hai...@btinternet.com> wrote:
> > > Add security hooks to allow security modules to exercise access
> > > control
> > > over SCTP.
> > > 
> > > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > > ---
> > >  include/net/sctp/structs.h | 10 
> > >  include/uapi/linux/sctp.h  |  1 +
> > >  net/sctp/sm_make_chunk.c   | 12 +
> > >  net/sctp/sm_statefuns.c| 14 ++-
> > >  net/sctp/socket.c  | 61
> > > +-
> > >  5 files changed, 96 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/include/net/sctp/structs.h
> > > b/include/net/sctp/structs.h
> > > index 7767577..6e72e3e 100644
> > > --- a/include/net/sctp/structs.h
> > > +++ b/include/net/sctp/structs.h
> > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> > >   reconf_enable:1;
> > > 
> > > __u8  strreset_enable;
> > > +
> > > +   /* Security identifiers from incoming (INIT). These are
> > > set by
> > > +* security_sctp_assoc_request(). These will only be used
> > > by
> > > +* SCTP TCP type sockets and peeled off connections as
> > > they
> > > +* cause a new socket to be generated.
> > > security_sctp_sk_clone()
> > > +* will then plug these into the new socket.
> > > +*/
> > > +
> > > +   u32 secid;
> > > +   u32 peer_secid;
> > >  };
> > > 
> > >  /* Recover the outter endpoint structure. */
> > > diff --git a/include/uapi/linux/sctp.h
> > > b/include/uapi/linux/sctp.h
> > > index 6217ff8..c04812f 100644
> > > --- a/include/uapi/linux/sctp.h
> > > +++ b/include/uapi/linux/sctp.h
> > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> > >  #define SCTP_RESET_ASSOC   120
> > >  #define SCTP_ADD_STREAMS   121
> > >  #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > > +#define SCTP_SENDMSG_CONNECT   123
> > > 
> > >  /* PR-SCTP policies */
> > >  #define SCTP_PR_SCTP_NONE  0x
> > > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> > > index 6110447..ca4705b 100644
> > > --- a/net/sctp/sm_make_chunk.c
> > > +++ b/net/sctp/sm_make_chunk.c
> > > @@ -3059,6 +3059,12 @@ static __be16
> > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > if (af->is_any())
> > > memcpy(, >source,
> > > sizeof(addr));
> > > 
> > > +   if (security_sctp_bind_connect(asoc->ep->base.sk,
> > > +  SCTP_PARAM_ADD_IP,
> > > +  (struct sockaddr
> > > *),
> > > +  af->sockaddr_len))
> > > +   return SCTP_ERROR_REQ_REFUSED;
> > > +
> > > /* ADDIP 4.3 D9) If an endpoint receives an ADD
> > > IP address
> > >  * request and does not have the local resources
> > > to add this
> > >  * new address to the association, it MUST return
> > > an Error
> > > @@ -3125,6 +3131,12 @@ static __be16
> > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > if (af->is_any())
> > > memcpy(, sctp_source(asconf),
> > > sizeof(addr));
> > > 
> > > +   if (security_sctp_bind_connect(asoc->ep->base.sk,
> > > +  SCTP_PARAM_SET_PRI
> > > MARY,
> > > +  (struct sockaddr
> > > *),
> > > +  af->sockaddr_len))
> > > +   return SCTP_ERROR_REQ_REFUSED;
> > > +
> > > peer = sctp_assoc_lookup_paddr(asoc, );
> > > if (!peer)
> > > return SCTP_ERROR_DNS_FAILED;
> > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> > > index b2a74c3..4ba5805 100644
> > > --- a/net/sctp/sm_statefuns.c

[RFC PATCH 1/1] selinux-testsuite: Add CALIPSO/IPv6 tests

2017-10-19 Thread Richard Haines
Add CALIPSO tests to inet_socket.

Note the CALIPSO/IPv6 datagram tests check whether the kernel patch
described in "Add SCM_SECURITY support to IPv6" [1] is installed.

[1] https://github.com/SELinuxProject/selinux-kernel/issues/24

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 tests/inet_socket/Makefile  |   3 +
 tests/inet_socket/calipso-flush |   5 ++
 tests/inet_socket/calipso-load  |   7 +++
 tests/inet_socket/server.c  |  67 +--
 tests/inet_socket/test  | 118 
 5 files changed, 173 insertions(+), 27 deletions(-)
 create mode 100644 tests/inet_socket/calipso-flush
 create mode 100644 tests/inet_socket/calipso-load

diff --git a/tests/inet_socket/Makefile b/tests/inet_socket/Makefile
index 5bfd561..a0a0d47 100644
--- a/tests/inet_socket/Makefile
+++ b/tests/inet_socket/Makefile
@@ -3,5 +3,8 @@ TARGETS=client server bind connect
 LDLIBS+= -lselinux
 
 all: $(TARGETS)
+   chmod +x *-load
+   chmod +x *-flush
+
 clean:
rm -f $(TARGETS)
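Review bot: `chmod +x *-load` and `*-flush` in the `all` target mutates tracked files on every build, and only because the new calipso-load and calipso-flush scripts are committed with mode 100644 (see their file headers below). Commit them executable (git add --chmod=+x) or have the test harness invoke them with `sh`, and drop the chmod lines; a `make all` that rewrites the source tree also fails on a read-only checkout.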
diff --git a/tests/inet_socket/calipso-flush b/tests/inet_socket/calipso-flush
new file mode 100644
index 000..5143962
--- /dev/null
+++ b/tests/inet_socket/calipso-flush
@@ -0,0 +1,5 @@
+#!/bin/sh
+# Reset NetLabel configuration to unlabeled after CALIPSO/IPv6 tests.
+netlabelctl map del default
+netlabelctl calipso del doi:16
+netlabelctl map add default protocol:unlbl
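Review bot: none of the three commands checks its result, so if `netlabelctl map del default` fails the following `map add default protocol:unlbl` is attempted on top of an existing mapping and the script still exits 0 with the CALIPSO mapping in place. Add `set -e` (or chain the commands with &&) so the flush stops and leaves a visible error.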
diff --git a/tests/inet_socket/calipso-load b/tests/inet_socket/calipso-load
new file mode 100644
index 000..4bb9c7f
--- /dev/null
+++ b/tests/inet_socket/calipso-load
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Define a doi for testing loopback for CALIPSO/IPv6.
+netlabelctl calipso add pass doi:16
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:::1 protocol:calipso,16
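Review bot: `netlabelctl map del default` discards whatever default mapping the host already had, and the flush script later installs a bare catch-all rather than restoring it, so a machine with a non-trivial NetLabel configuration is left changed after the tests. Either record `netlabelctl map list` before deleting, or document in the test README that inet_socket resets the NetLabel default map. The script should also run with `set -e`, since the `protocol:calipso,16` mapping is meaningless if `calipso add pass doi:16` failed.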
diff --git a/tests/inet_socket/server.c b/tests/inet_socket/server.c
index 2801397..f7e38c8 100644
--- a/tests/inet_socket/server.c
+++ b/tests/inet_socket/server.c
@@ -10,6 +10,9 @@
 #include 
 #include 
 
+ /* Defines IPV6_PASSSEC if kernel supports IPV6 cmsg_type */
+#include 
+
 #ifndef SO_PEERSEC
 #define SO_PEERSEC 31
 #endif
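Review bot: with IPV6_PASSSEC taken only from the installed kernel headers, the IPv6 cmsg path is compiled out silently on a host whose uapi headers predate the patch, even when the running kernel supports it, and the test then reports the same outcome as a kernel without support. Have the server say at startup which path it was built with, or define IPV6_PASSSEC locally when missing (as the file already does for SO_PEERSEC) once the kernel value is settled and probe at run time, treating ENOPROTOOPT as unsupported.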
@@ -79,11 +82,25 @@ int main(int argc, char **argv)
perror("socket");
exit(1);
}
-   result = setsockopt(sock, SOL_IP, IP_PASSSEC, , sizeof(on));
-   if (result < 0) {
-   perror("setsockopt: SO_PASSSEC");
-   close(sock);
-   exit(1);
+
+   /* Allow retrival of IPv4 and IPv6 UDP/Datagram security contexts */
+   if (hints.ai_socktype == SOCK_DGRAM) {
+   result = setsockopt(sock, SOL_IP, IP_PASSSEC, , sizeof(on));
+   if (result < 0) {
+   perror("setsockopt: IP_PASSSEC");
+   close(sock);
+   exit(1);
+   }
+
+#ifdef IPV6_PASSSEC
+   result = setsockopt(sock, SOL_IPV6, IPV6_PASSSEC, ,
+   sizeof(on));
+   if (result < 0) {
+   perror("setsockopt: IPV6_PASSSEC");
+   close(sock);
+   exit(1);
+   }
+#endif
}
 
result = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, , sizeof(on));
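Review bot: the SOL_IPV6/IPV6_PASSSEC setsockopt is issued for every datagram socket regardless of address family; on an AF_INET socket it fails with ENOPROTOOPT, which makes the server exit(1) for the IPv4 UDP tests whenever the headers define IPV6_PASSSEC. Gate each option on the socket's family (hints.ai_family, or the ai_family of the getaddrinfo() result) as well as on SOCK_DGRAM.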
@@ -176,18 +193,34 @@ int main(int argc, char **argv)
}
if (nopeer) {
strcpy(msglabel, "nopeer");
-   }
-   for (cmsg = CMSG_FIRSTHDR(); cmsg;
-cmsg = CMSG_NXTHDR(, cmsg)) {
-   if (cmsg->cmsg_level == SOL_IP &&
-   cmsg->cmsg_type == SCM_SECURITY) {
-   size_t len = cmsg->cmsg_len - 
CMSG_LEN(0);
-
-   if (len > 0 && len < sizeof(msglabel)) {
-   memcpy(msglabel, 
CMSG_DATA(cmsg), len);
-   msglabel[len] = 0;
-   printf("%s: Got 
SCM_SECURITY=%s\n",
-  argv[0], msglabel);
+   } else {
+   for (cmsg = CMSG_FIRSTHDR(); cmsg;
+cmsg = CMSG_NXTHDR(, cmsg)) {
+#ifdef IPV6_PASSSEC
+   if ((cmsg->cmsg_level == SOL_IP &&
+   cmsg->cmsg_type == SCM_SECURITY) ||
+   (cmsg->cmsg_level == SOL_IPV6 &&
+   cmsg->cmsg_type == IPV6_PASSSEC)) {
+#else
+
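Review bot: the IPv6 match tests cmsg_type == IPV6_PASSSEC, reusing the socket-option name as the ancillary-data type, whereas the IPv4 path matches SCM_SECURITY rather than IP_PASSSEC; confirm against the kernel change from selinux-kernel issue 24 which cmsg_type it actually emits for SOL_IPV6, and define the expected type once instead of relying on the option constant. The `len < sizeof(msglabel)` bound on the CMSG_DATA copy is right and should be kept in the #else branch too.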

[PATCH] selinux-testsuite: Stop Infiniband building if not enabled

2017-10-19 Thread Richard Haines
The default is not to test; however, it still tries to build
create_modify_qp.c that requires a header and library that may not
exist.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 tests/infiniband_pkey/Makefile | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tests/infiniband_pkey/Makefile b/tests/infiniband_pkey/Makefile
index 60f0d24..4fa6fb2 100644
--- a/tests/infiniband_pkey/Makefile
+++ b/tests/infiniband_pkey/Makefile
@@ -2,6 +2,14 @@ TARGETS=create_modify_qp
 
 LDLIBS+= -libverbs
 
-all: $(TARGETS)
+RESULT=$(shell grep "SELINUX_INFINIBAND_PKEY_TEST=0" ./ibpkey_test.conf)
+
+ifeq  ($(RESULT), )
+all: $(TARGETS)
+else
+all:
+   @echo "Infiniband test disabled"
+endif
+
 clean:
rm -f $(TARGETS)
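Review bot: the `$(shell grep ...)` test misfires in two ways: a commented-out line such as `# SELINUX_INFINIBAND_PKEY_TEST=0` still matches and disables the build, and when ibpkey_test.conf is absent grep prints an error to stderr on every make run while RESULT stays empty, so the build proceeds and fails on the missing header anyway. Use `grep -qs '^SELINUX_INFINIBAND_PKEY_TEST=0' ./ibpkey_test.conf && echo disabled` and compare RESULT against that string.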
-- 
2.13.6




[RFC PATCH 0/1] selinux-testsuite: Add CALIPSO/IPv6 tests

2017-10-19 Thread Richard Haines
I've tested this patch with and without the kernel patch described in
"Add SCM_SECURITY support to IPv6" [1] over a few kernel releases (4.13.4
was my latest test).

Thought I would post and see how it goes as you may want the datagram
support removed as the kernel patch has not been submitted yet.

[1] https://github.com/SELinuxProject/selinux-kernel/issues/24

Richard Haines (1):
  selinux-testsuite: Add CALIPSO/IPv6 tests

 tests/inet_socket/Makefile  |   3 +
 tests/inet_socket/calipso-flush |   5 ++
 tests/inet_socket/calipso-load  |   7 +++
 tests/inet_socket/server.c  |  67 +--
 tests/inet_socket/test  | 118 
 5 files changed, 173 insertions(+), 27 deletions(-)
 create mode 100644 tests/inet_socket/calipso-flush
 create mode 100644 tests/inet_socket/calipso-load

-- 
2.13.6




[RFC PATCH 4/5] netlabel: Add SCTP support

2017-10-17 Thread Richard Haines
Add support to label SCTP associations and cater for a situation where
family = PF_INET6 with an ip_hdr(skb)->version = 4.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 include/net/netlabel.h|  3 ++
 net/netlabel/netlabel_kapi.c  | 80 +++
 net/netlabel/netlabel_unlabeled.c | 10 +
 3 files changed, 93 insertions(+)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 72d6435..7348966 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -494,6 +494,9 @@ int netlbl_conn_setattr(struct sock *sk,
const struct netlbl_lsm_secattr *secattr);
 int netlbl_req_setattr(struct request_sock *req,
   const struct netlbl_lsm_secattr *secattr);
+int netlbl_sctp_setattr(struct sock *sk,
+   struct sk_buff *skb,
+   const struct netlbl_lsm_secattr *secattr);
 void netlbl_req_delattr(struct request_sock *req);
 int netlbl_skbuff_setattr(struct sk_buff *skb,
  u16 family,
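Review bot: the surrounding declarations in netlabel.h each have a static inline stub returning -ENOSYS in the !CONFIG_NETLABEL branch, and the diffstat (3 insertions) shows none was added for netlbl_sctp_setattr(). Add the stub for symmetry, or say in the commit message that the only caller (security/selinux/netlabel.c) is itself built only when CONFIG_NETLABEL is set.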
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index ea7c670..1c82bbe 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1121,6 +1121,7 @@ int netlbl_conn_setattr(struct sock *sk,
switch (addr->sa_family) {
case AF_INET:
addr4 = (struct sockaddr_in *)addr;
+
entry = netlbl_domhsh_getentry_af4(secattr->domain,
   addr4->sin_addr.s_addr);
if (entry == NULL) {
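Review bot: this hunk only inserts a blank line after `addr4 = (struct sockaddr_in *)addr;` in netlbl_conn_setattr(), which is unrelated to SCTP support; drop it so the patch stays confined to the functional change.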
@@ -1177,6 +1178,85 @@ int netlbl_conn_setattr(struct sock *sk,
 }
 
 /**
+ * netlbl_sctp_setattr - Label an incoming sctp association socket using
+ * the correct protocol
+ * @sk: the socket to label
+ * @skb: the packet
+ * @secattr: the security attributes
+ *
+ * Description:
+ * Attach the correct label to the given socket using the security attributes
+ * specified in @secattr.  Returns zero on success, negative values on failure.
+ *
+ */
+int netlbl_sctp_setattr(struct sock *sk,
+   struct sk_buff *skb,
+   const struct netlbl_lsm_secattr *secattr)
+{
+   int ret_val = -EINVAL;
+   struct netlbl_dommap_def *entry;
+   struct iphdr *hdr4;
+#if IS_ENABLED(CONFIG_IPV6)
+   struct ipv6hdr *hdr6;
+#endif
+
+   rcu_read_lock();
+   switch (sk->sk_family) {
+   case AF_INET:
+   hdr4 = ip_hdr(skb);
+
+   entry = netlbl_domhsh_getentry_af4(secattr->domain,
+  hdr4->saddr);
+   if (entry == NULL) {
+   ret_val = -ENOENT;
+   goto sctp_setattr_return;
+   }
+   switch (entry->type) {
+   case NETLBL_NLTYPE_CIPSOV4:
+   ret_val = cipso_v4_sock_setattr(sk, entry->cipso,
+   secattr);
+   break;
+   case NETLBL_NLTYPE_UNLABELED:
+   netlbl_sock_delattr(sk);
+   ret_val = 0;
+   break;
+   default:
+   ret_val = -ENOENT;
+   }
+   break;
+#if IS_ENABLED(CONFIG_IPV6)
+   case AF_INET6:
+   hdr6 = ipv6_hdr(skb);
+   entry = netlbl_domhsh_getentry_af6(secattr->domain,
+  >saddr);
+   if (entry == NULL) {
+   ret_val = -ENOENT;
+   goto sctp_setattr_return;
+   }
+   switch (entry->type) {
+   case NETLBL_NLTYPE_CALIPSO:
+   ret_val = calipso_sock_setattr(sk, entry->calipso,
+  secattr);
+   break;
+   case NETLBL_NLTYPE_UNLABELED:
+   netlbl_sock_delattr(sk);
+   ret_val = 0;
+   break;
+   default:
+   ret_val = -ENOENT;
+   }
+   break;
+#endif /* IPv6 */
+   default:
+   ret_val = -EPROTONOSUPPORT;
+   }
+
+sctp_setattr_return:
+   rcu_read_unlock();
+   return ret_val;
+}
+
+/**
  * netlbl_req_setattr - Label a request socket using the correct protocol
  * @req: the request socket to label
  * @secattr: the security attributes
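Review bot: the switch dispatches on sk->sk_family alone, so the PF_INET6-socket/IPv4-packet case that this patch's own netlabel_unlabeled.c hunk and commit message call out reaches `case AF_INET6` here and reads ipv6_hdr(skb)->saddr from what is really an IPv4 header. Check ip_hdr(skb)->version (or skb->protocol) before choosing hdr4/hdr6 so a v4-mapped peer gets the CIPSO mapping instead of a CALIPSO lookup on the wrong bytes. A one-line comment that hdr4->saddr / hdr6->saddr is the peer address of the incoming INIT would also help readers.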
diff --git a/net/netlabel/netlabel_unlabeled.c 
b/net/netlabel/netlabel_unlabeled.c
index 22dc1b9..c070dfc 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1472,6 +1472,16 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb,
iface = rcu_dereference(netlbl_unlhsh_def);
if (iface == NULL || !iface->valid)
goto unlabel_getattr_nolabel

[RFC PATCH 5/5] selinux: Add SCTP support

2017-10-17 Thread Richard Haines
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.txt

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 Documentation/security/SELinux-sctp.txt | 108 +
 security/selinux/hooks.c| 268 ++--
 security/selinux/include/classmap.h |   3 +-
 security/selinux/include/netlabel.h |   9 +-
 security/selinux/include/objsec.h   |   5 +
 security/selinux/netlabel.c |  52 ++-
 6 files changed, 427 insertions(+), 18 deletions(-)
 create mode 100644 Documentation/security/SELinux-sctp.txt

diff --git a/Documentation/security/SELinux-sctp.txt 
b/Documentation/security/SELinux-sctp.txt
new file mode 100644
index 000..32e0255
--- /dev/null
+++ b/Documentation/security/SELinux-sctp.txt
@@ -0,0 +1,108 @@
+   SCTP SELinux Support
+  ==
+
+Security Hooks
+===
+
+The Documentation/security/LSM-sctp.txt document describes how the following
+sctp security hooks are utilised:
+security_sctp_assoc_request()
+security_sctp_bind_connect()
+security_sctp_sk_clone()
+
+security_inet_conn_established()
+
+
+Policy Statements
+==
+The following class and permissions to support SCTP are available within the
+kernel:
+class sctp_socket inherits socket { node_bind }
+
+whenever the following policy capability is enabled:
+policycap extended_socket_class;
+
+The SELinux SCTP support adds the additional permissions that are explained
+in the sections below:
+association bindx connectx
+
+If userspace tools have been updated, SCTP will support the portcon
+statement as shown in the following example:
+portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0
+
+
+SCTP Bind, Connect and ASCONF Chunk Parameter Permission Checks
+
+The hook security_sctp_bind_connect() is called by SCTP to check permissions
+required for ipv4/ipv6 addresses based on the @optname as follows:
+
+  --
+  |  BINDX Permission Check|
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
+  --
+
+  --
+  |  BIND Permission Checks|
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6 address   |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address   |
+  --
+
+  --
+  | CONNECTX Permission Check  |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_CONNECTX  | One or more ipv4 / ipv6 addresses |
+  --
+
+  --
+  | CONNECT Permission Checks  |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SENDMSG_CONNECT   | Single ipv4 or ipv6 address   |
+  | SCTP_PARAM_ADD_IP  | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address   |
+  --
+
+SCTP Peer Labeling
+===
+An SCTP socket will only have one peer label assigned to it. This will be
+assigned during the establishment of the first association. Once the peer
+label has been assigned, any new associations will have the "association"
+permission validated by checking the socket peer sid against the received
+packets peer sid to determine whether the association should be allowed or
+denied.
+
+NOTES:
+   1) If peer labeling is not enabled, then the peer context will always be
+  SECINITSID_UNLABELED (unlabeled_t in Reference Policy).
+
+   2) As SCTP supports multiple endpoints with multi-homing on a single socket
+  it is recommended that peer labels are consistent.
+
+   3) getpeercon(3) may be used by userspace to retrieve the sockets peer
+   context.
+
+   4) If using NetLabel be aware that if a label is assigned to a specific
+  interface, and that interface 'goes down', then the NetLabel service
+  will 
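Review bot: the CONNECT table lists SCTP_PARAM_ADD_IP and SCTP_PARAM_SET_PRIMARY next to SCTP_SENDMSG_CONNECT as though all three were local socket operations, but the first two are ASCONF chunk parameters received from the peer (checked in sctp_process_asconf_param(), where a denial is answered with SCTP_ERROR_REQ_REFUSED rather than an errno to the local caller). Say so in the table or a note: an administrator reading an AVC denial for `connect` needs to know it may have been triggered by remote traffic.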

[RFC PATCH 3/5] sctp: Add LSM hooks

2017-10-17 Thread Richard Haines
Add security hooks to allow security modules to exercise access control
over SCTP.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 include/net/sctp/structs.h | 10 
 include/uapi/linux/sctp.h  |  1 +
 net/sctp/sm_make_chunk.c   | 12 +
 net/sctp/sm_statefuns.c| 14 ++-
 net/sctp/socket.c  | 61 +-
 5 files changed, 96 insertions(+), 2 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 7767577..6e72e3e 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -1270,6 +1270,16 @@ struct sctp_endpoint {
  reconf_enable:1;
 
__u8  strreset_enable;
+
+   /* Security identifiers from incoming (INIT). These are set by
+* security_sctp_assoc_request(). These will only be used by
+* SCTP TCP type sockets and peeled off connections as they
+* cause a new socket to be generated. security_sctp_sk_clone()
+* will then plug these into the new socket.
+*/
+
+   u32 secid;
+   u32 peer_secid;
 };
 
 /* Recover the outter endpoint structure. */
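Review bot: the blank line between the comment block and `u32 secid;` detaches the comment from the fields it describes; drop it. The comment should also say how the values behave when a second association arrives on the same endpoint (whether they always reflect the most recent INIT), since a one-to-many socket can peel off any of its associations and security_sctp_sk_clone() will copy whatever is stored here at that moment.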
diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
index 6217ff8..c04812f 100644
--- a/include/uapi/linux/sctp.h
+++ b/include/uapi/linux/sctp.h
@@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
 #define SCTP_RESET_ASSOC   120
 #define SCTP_ADD_STREAMS   121
 #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
+#define SCTP_SENDMSG_CONNECT   123
 
 /* PR-SCTP policies */
 #define SCTP_PR_SCTP_NONE  0x
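Review bot: SCTP_SENDMSG_CONNECT is added to the uapi socket-option numbering although it is only an internal @optname tag for security_sctp_bind_connect(), not an option userspace can set or get. Put it in include/net/sctp/ (or mark it kernel-internal) so the number is not exposed as a public option that merely returns ENOPROTOOPT.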
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 6110447..ca4705b 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct 
sctp_association *asoc,
if (af->is_any())
memcpy(, >source, sizeof(addr));
 
+   if (security_sctp_bind_connect(asoc->ep->base.sk,
+  SCTP_PARAM_ADD_IP,
+  (struct sockaddr *),
+  af->sockaddr_len))
+   return SCTP_ERROR_REQ_REFUSED;
+
/* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
 * request and does not have the local resources to add this
 * new address to the association, it MUST return an Error
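Review bot: running the check after the `is_any()` substitution so the LSM sees the effective address is right, but refusing with SCTP_ERROR_REQ_REFUSED reports the policy decision to the remote peer in the ASCONF-ACK, and the local-resource case (ADDIP 4.3 D9) immediately below returns the same code, so the peer cannot tell them apart. Fine if intended, but LSM-sctp.txt should state that a denial here is visible on the wire.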
@@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct 
sctp_association *asoc,
if (af->is_any())
memcpy(, sctp_source(asconf), sizeof(addr));
 
+   if (security_sctp_bind_connect(asoc->ep->base.sk,
+  SCTP_PARAM_SET_PRIMARY,
+  (struct sockaddr *),
+  af->sockaddr_len))
+   return SCTP_ERROR_REQ_REFUSED;
+
peer = sctp_assoc_lookup_paddr(asoc, );
if (!peer)
return SCTP_ERROR_DNS_FAILED;
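Review bot: the SET_PRIMARY check runs before sctp_assoc_lookup_paddr(), so an address that is not part of the association at all is first put through an LSM check (with a possible audit record) and only then rejected with SCTP_ERROR_DNS_FAILED. Move the security_sctp_bind_connect() call after the lookup succeeds so only addresses that are actually peers of this association are subject to policy.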
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index b2a74c3..4ba5805 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
sctp_unrecognized_param_t *unk_param;
int len;
 
+   /* Update socket peer label if first association. */
+   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+   chunk->skb, SCTP_CID_INIT))
+   return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
 * An endpoint MUST NOT bundle INIT, INIT ACK or
 * SHUTDOWN COMPLETE with any other chunks.
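Review bot: security_sctp_assoc_request() is placed before the bundling check and, further down in this function, before the INIT chunk length validation, so the LSM (and NetLabel, which parses the IP options in chunk->skb) runs on packets the state machine would otherwise reject as malformed. Move the call after sctp_chunk_length_valid() so policy is evaluated only on well-formed INITs and bogus chunks cannot be used to exercise the hook.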
@@ -446,7 +451,6 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
}
 
sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
-
sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
 
/*
@@ -507,6 +511,11 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
struct sctp_chunk *err_chunk;
struct sctp_packet *packet;
 
+   /* Update socket peer label if first association. */
+   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+   chunk->skb, SCTP_CID_INIT_ACK))
+   return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
if (!sctp_vtag_verify(chunk, asoc))
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 
@@ -899,6 +908,9 @@ sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net,
 */
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 
+   /* Set peer label for connection. */
+   security_inet_conn_established(ep->base.sk, chunk->skb);
+
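Review bot: security_inet_conn_established() is a void hook, so nothing here can report failure, and the peer sid it sets from the COOKIE ACK skb overlaps with what security_sctp_assoc_request() already recorded from the INIT ACK in sctp_sf_do_5_1C_ack(). LSM-sctp.txt should say which of the two is authoritative for a client-side association and why both calls are needed.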

[RFC PATCH 0/5] Add SELinux SCTP protocol support

2017-10-17 Thread Richard Haines
This patch set adds SELinux support to SCTP and incorporates all the
comments received from my previous attempts (thanks to all who responded).
There are also other changes mainly supporting ip options so that CIPSO
and CALIPSO work over SCTP.

The kernel patches have been built on Fedora 26 with kernel 4.13.4 plus the
following userspace patches to enable testing:

1) Updates to libsepol 2.7 to support the sctp portcon statement.
   The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 selinux-Add-support-for-the-SCTP-portcon-keyword.patch

2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
   selinux-testsuite/README.sctp for details. The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 selinux-testsuite-Add-SCTP-test-support.patch

3) Updates to lksctp-tools that show SELinux info in sctp_darn and
   sctp_test. It also contains a minor patch for test_1_to_1_connect.c
   as when CIPSO/CALIPSO configured, NetLabel returns a different error
   code for illegal addresses in test 5. The patch is available from:
 http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
 lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch

All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.

All SCTP regression tests "./sctp-tests run" run correctly in enforcing
mode. These tests are obtained from: https://github.com/sctp/sctp-tests

The selinux-testsuite patch also adds remote tests (that need some manual
configuration). These are useful for testing CIPSO/CALIPSO over a network
with a number of categories to produce large ip option fields with various
message sizes forcing fragmentation etc.


Richard Haines (5):
  security: Add support for SCTP security hooks
  sctp: Add ip option support
  sctp: Add LSM hooks
  netlabel: Add SCTP support
  selinux: Add SCTP support

 Documentation/security/LSM-sctp.txt | 212 +
 Documentation/security/SELinux-sctp.txt | 108 +
 include/linux/lsm_hooks.h   |  37 +
 include/linux/security.h|  27 
 include/net/netlabel.h  |   3 +
 include/net/sctp/structs.h  |  12 ++
 include/uapi/linux/sctp.h   |   1 +
 net/netlabel/netlabel_kapi.c|  80 ++
 net/netlabel/netlabel_unlabeled.c   |  10 ++
 net/sctp/chunk.c|   7 +-
 net/sctp/ipv6.c |  37 -
 net/sctp/output.c   |   3 +-
 net/sctp/protocol.c |  36 +
 net/sctp/sm_make_chunk.c|  12 ++
 net/sctp/sm_statefuns.c |  14 +-
 net/sctp/socket.c   |  66 +++-
 security/security.c |  23 +++
 security/selinux/hooks.c| 268 ++--
 security/selinux/include/classmap.h |   3 +-
 security/selinux/include/netlabel.h |   9 +-
 security/selinux/include/objsec.h   |   5 +
 security/selinux/netlabel.c |  52 ++-
 22 files changed, 993 insertions(+), 32 deletions(-)
 create mode 100644 Documentation/security/LSM-sctp.txt
 create mode 100644 Documentation/security/SELinux-sctp.txt

-- 
2.13.6
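An added worked example (written for this edit, not code from the patch series or the kernel) that makes the cover letter's point about category counts concrete: it lays out a CIPSO tag-1 option the way net/ipv4/cipso_ipv4.c does (option type 134, length, 4-byte DOI, then a restricted-bitmap tag sized to the highest category), pads it as an IPv4 option, and feeds the result through the same subtraction the chunk.c hunk adds to sctp_datamsg_from_user(), so the per-packet payload cost of each extra category is visible. The header sizes (20, 12 and 16 bytes) are the IPv4 struct sizes assumed here; DOI 16, the level and the category sets are constructed inputs, and the helper names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes of the kernel structures the chunk.c arithmetic uses for an
 * IPv4 association: struct iphdr, struct sctphdr, struct sctp_data_chunk. */
#define IPV4_HDR_LEN            20
#define SCTP_HDR_LEN            12
#define SCTP_DATA_CHUNK_LEN     16

/* CIPSO layout as emitted by cipso_ipv4.c for tag type 1 (restricted bitmap,
 * unoptimised form). */
#define IPOPT_CIPSO             134
#define CIPSO_HDR_LEN           6    /* type, length, 4-byte DOI */
#define CIPSO_TAG1_HDR_LEN      4    /* tag type, tag length, alignment, level */
#define CIPSO_TAG1_BITMAP_MAX   30   /* 240 categories */
#define CIPSO_OPT_LEN_MAX       40   /* IPv4 option space limit */

/* Build a CIPSO tag-1 option for DOI @doi, sensitivity @level and the category
 * numbers in @cats. Returns the unpadded option length, or -1 when the highest
 * category does not fit the 30-byte bitmap or @buf is too small. */
int cipso_tag1_build(uint8_t *buf, size_t buflen, uint32_t doi, uint8_t level,
                     const unsigned int *cats, size_t ncats)
{
    unsigned int maxcat = 0;
    size_t i, bitmap_len, tag_len, opt_len;

    for (i = 0; i < ncats; i++)
        if (cats[i] > maxcat)
            maxcat = cats[i];
    /* As in cipso_v4_map_cat_rbm_hton(): the bitmap is sized to the highest bit. */
    bitmap_len = ncats ? maxcat / 8 + 1 : 0;
    if (bitmap_len > CIPSO_TAG1_BITMAP_MAX)
        return -1;
    tag_len = CIPSO_TAG1_HDR_LEN + bitmap_len;
    opt_len = CIPSO_HDR_LEN + tag_len;
    if (opt_len > CIPSO_OPT_LEN_MAX || opt_len > buflen)
        return -1;

    memset(buf, 0, opt_len);
    buf[0] = IPOPT_CIPSO;
    buf[1] = (uint8_t)opt_len;
    buf[2] = (uint8_t)(doi >> 24);
    buf[3] = (uint8_t)(doi >> 16);
    buf[4] = (uint8_t)(doi >> 8);
    buf[5] = (uint8_t)doi;
    buf[6] = 1;                     /* tag type 1 */
    buf[7] = (uint8_t)tag_len;
    buf[8] = 0;                     /* alignment octet */
    buf[9] = level;
    for (i = 0; i < ncats; i++)     /* category 0 is the MSB of the first byte */
        buf[CIPSO_HDR_LEN + CIPSO_TAG1_HDR_LEN + cats[i] / 8] |= 0x80 >> (cats[i] % 8);
    return (int)opt_len;
}

/* IPv4 options occupy a multiple of 4 bytes on the wire; this is the value an
 * ip_options_len() callback has to report, not the raw option length. */
int ip_options_padded_len(int opt_len)
{
    return (opt_len + 3) & ~3;
}

/* Largest DATA chunk payload that fits one packet, following the
 * sctp_datamsg_from_user() subtraction with the option length included and
 * SCTP_TRUNC4 applied. Returns -1 when nothing is left for payload, the case a
 * caller must guard rather than hand a zero or negative budget to the
 * fragmentation loop. */
int sctp_max_data(int pathmtu, int opt_len)
{
    int max_data = pathmtu - IPV4_HDR_LEN - SCTP_HDR_LEN - SCTP_DATA_CHUNK_LEN
                   - ip_options_padded_len(opt_len);

    max_data &= ~3;
    return max_data > 0 ? max_data : -1;
}

int main(void)
{
    uint8_t opt[CIPSO_OPT_LEN_MAX];
    /* Constructed inputs: DOI 16 as in the test scripts, level 0, and three
     * category sets of growing size. */
    const unsigned int few[] = { 0, 1, 9 };
    const unsigned int top[] = { 239 };
    const unsigned int too_big[] = { 240 };
    int len;

    len = cipso_tag1_build(opt, sizeof(opt), 16, 0, few, 3);
    printf("c0,c1,c9 : option %d bytes, payload budget %d at MTU 1500\n",
           len, sctp_max_data(1500, len));
    len = cipso_tag1_build(opt, sizeof(opt), 16, 0, top, 1);
    printf("c239     : option %d bytes, payload budget %d at MTU 1500\n",
           len, sctp_max_data(1500, len));
    printf("c240     : %d (does not fit a tag-1 bitmap)\n",
           cipso_tag1_build(opt, sizeof(opt), 16, 0, too_big, 1));
    printf("MTU 88 with a 40-byte option: budget %d\n", sctp_max_data(88, 40));
    return 0;
}
```

The two numbers that matter are the padded option length (what an ip_options_len callback must return) and the budget after SCTP_TRUNC4; with a full 240-category bitmap the option alone costs 40 of the 1500 bytes, which is why the remote tests with many categories are the ones that exercise fragmentation.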




[RFC PATCH 1/5] security: Add support for SCTP security hooks

2017-10-17 Thread Richard Haines
The SCTP security hooks are explained in:
Documentation/security/LSM-sctp.txt

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 Documentation/security/LSM-sctp.txt | 212 
 include/linux/lsm_hooks.h   |  37 +++
 include/linux/security.h|  27 +
 security/security.c |  23 
 4 files changed, 299 insertions(+)
 create mode 100644 Documentation/security/LSM-sctp.txt

diff --git a/Documentation/security/LSM-sctp.txt 
b/Documentation/security/LSM-sctp.txt
new file mode 100644
index 000..30fe9b5
--- /dev/null
+++ b/Documentation/security/LSM-sctp.txt
@@ -0,0 +1,212 @@
+   SCTP LSM Support
+  ==
+
+For security module support, three sctp specific hooks have been implemented:
+security_sctp_assoc_request()
+security_sctp_bind_connect()
+security_sctp_sk_clone()
+
+Also the following security hook has been utilised:
+security_inet_conn_established()
+
+The usage of these hooks are described below with the SELinux implementation
+described in Documentation/security/SELinux-sctp.txt
+
+
+security_sctp_assoc_request()
+--
+This new hook has been added to net/sctp/sm_statefuns.c where it passes the
+@ep and @chunk->skb (the association INIT or INIT ACK packet) to the security
+module. Returns 0 on success, error on failure.
+
+@ep - pointer to sctp endpoint structure.
+@skb - pointer to skbuff of association packet.
+@sctp_cid - set to sctp packet type (SCTP_CID_INIT or SCTP_CID_INIT_ACK).
+
+The security module performs the following operations:
+  1) If this is the first association on @ep->base.sk, then set the peer sid
+ to that in @skb. This will ensure there is only one peer sid assigned
+ to @ep->base.sk that may support multiple associations.
+
+  2) If not the first association, validate the @ep->base.sk peer_sid against
+ the @skb peer sid to determine whether the association should be allowed
+ or denied.
+
+  3) If @sctp_cid = SCTP_CID_INIT, then set the sctp @ep sid to socket's sid
+ (from ep->base.sk) with MLS portion taken from @skb peer sid. This will
+ only be used by SCTP TCP style sockets and peeled off connections as they
+ cause a new socket to be generated.
+
+ If IP security options are configured (CIPSO/CALIPSO), then the ip options
+ are set on the socket.
+
+ To support this hook include/net/sctp/structs.h "struct sctp_endpoint"
+ has been updated with the following:
+
+   /* Security identifiers from incoming (INIT). These are set by
+* security_sctp_assoc_request(). These will only be used by
+* SCTP TCP type sockets and peeled off connections as they
+* cause a new socket to be generated. security_sctp_sk_clone()
+* will then plug these into the new socket.
+*/
+   u32 secid;
+   u32 peer_secid;
+
+
+security_sctp_bind_connect()
+-
+This new hook has been added to net/sctp/socket.c and net/sctp/sm_make_chunk.c.
+It passes one or more ipv4/ipv6 addresses to the security module for
+validation based on the @optname that will result in either a bind or connect
+service as shown in the permission check tables below.
+Returns 0 on success, error on failure.
+
+@sk  - Pointer to sock structure.
+@optname - Name of the option to validate.
+@address - One or more ipv4 / ipv6 addresses.
+@addrlen - The total length of address(s). This is calculated on each
+   ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
+   sizeof(struct sockaddr_in6).
+
+  --
+  | BIND Type Checks   |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
+  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6 address   |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address   |
+  --
+
+  --
+  |   CONNECT Type Checks  |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_CONNECTX  | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_ADD_IP  | One or more ipv4 / ipv6 addresses |
+  | SCTP_SENDMSG_CONNECT   | Single ipv4 or ipv6 address   |
+  | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address   |
+  --
+
+A summary of the @optname entries is as follows
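Review bot: The opening sentence of the security_sctp_assoc_request() section says the hook passes @ep and @chunk->skb, but the parameter list directly below has three entries including @sctp_cid (SCTP_CID_INIT or SCTP_CID_INIT_ACK), and step 3 of the operations depends on it; name all three there. Also "The usage of these hooks are described below" should read "is described", and the underline under "SCTP LSM Support" and the two hook headings is shorter than the heading text.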

[PATCH] secilc: Update test policy and documentation for Infiniband

2017-06-12 Thread Richard Haines
CIL updates to support the InfiniBand development.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 secilc/docs/Makefile |  1 +
 secilc/docs/README.md|  4 ++
 secilc/docs/cil_infiniband_statements.md | 90 
 secilc/test/policy.cil   |  6 +++
 4 files changed, 101 insertions(+)
 create mode 100644 secilc/docs/cil_infiniband_statements.md

diff --git a/secilc/docs/Makefile b/secilc/docs/Makefile
index 52c7435..c0fa6b7 100644
--- a/secilc/docs/Makefile
+++ b/secilc/docs/Makefile
@@ -23,6 +23,7 @@ FILE_LIST ?= cil_introduction.md \
cil_sid_statements.md \
cil_type_statements.md \
cil_user_statements.md \
+   cil_infiniband_statements.md \
cil_xen_statements.md
 
 PANDOC_FILE_LIST = $(addprefix $(TMPDIR)/,$(FILE_LIST))
diff --git a/secilc/docs/README.md b/secilc/docs/README.md
index aada78f..3f1838e 100644
--- a/secilc/docs/README.md
+++ b/secilc/docs/README.md
@@ -144,6 +144,10 @@ CIL (Common Intermediate Language)
   * [selinuxuser](cil_user_statements.md#selinuxuser)
   * [selinuxuserdefault](cil_user_statements.md#selinuxuserdefault)
 
+* [Infiniband Statements](cil_infiniband_statements.md#infiniband-statements)
+  * [ibpkeycon](cil_infiniband_statements.md#ibpkeycon)
+  * [ibendportcon](cil_infiniband_statements.md#ibendportcon)
+
 * [Xen Statements](cil_xen_statements.md#xen-statements)
   * [iomemcon](cil_xen_statements.md#iomemcon)
   * [ioportcon](cil_xen_statements.md#ioportcon)
diff --git a/secilc/docs/cil_infiniband_statements.md 
b/secilc/docs/cil_infiniband_statements.md
new file mode 100644
index 000..38c15bd
--- /dev/null
+++ b/secilc/docs/cil_infiniband_statements.md
@@ -0,0 +1,90 @@
+Infiniband Statements
+=
+
+To support access control for InfiniBand (IB) partitions and subnet 
management, security contexts are provided for: Partition Keys (Pkey) that are 
16 bit numbers assigned to subnets and their IB end ports. An overview of the 
SELinux IB implementation can be found at: 
[http://marc.info/?l=selinux=149519833917911=2](http://marc.info/?l=selinux=149519833917911=2).
+
+ibpkeycon
+-
+
+Label IB partition keys. This may be a single key or a range.
+
+**Statement definition:**
+
+(ibpkeycon subnet pkey|(pkey_low pkey_high)  context_id)
+
+**Where:**
+
+
+
+
+
+
+
+
+ibpkeycon
+The ibpkeycon keyword.
+
+
+subnet
+IP address in IPv6 format.
+
+
+pkey | (pkey_low pkey_high)
+A single partition key or a range of partition keys.
+
+
+context_id
+A previously declared context identifier or 
an anonymous security context (user role type levelrange), the 
range MUST be defined whether the policy is MLS/MCS enabled or not.
+
+
+
+
+**Example:**
+
+An anonymous context for a partition key range of `0x0-0x10` assigned to an 
IPv6 subnet:
+
+(ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 
cats02)
+
+
+ibendportcon
+
+
+Label IB end ports.
+
+**Statement definition:**
+
+(ibendportcon device_id port context_id)
+
+**Where:**
+
+
+
+
+
+
+
+
+ibendportcon
+The ibendportcon keyword.
+
+
+device_id
+A single device identifier.
+
+
+port
+A single port number.
+
+
+context_id
+A previously declared context identifier or 
an anonymous security context (user role type levelrange), the 
range MUST be defined whether the policy is MLS/MCS enabled or not.
+
+
+
+
+**Example:**
+
+A named context for device `mlx5_0` on port `1`:
+
+(ibendportcon mlx5_0 1 system_u_bin_t_l2h)
+
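Review bot: The `subnet` entry for ibpkeycon says "IP address in IPv6 format", but the example and the test policy use `fe80::`, a subnet prefix rather than a host address; "subnet prefix in IPv6 address notation" describes what the statement actually takes. The opening paragraph also reads as a one-item list after "provided for:" when it covers two things (partition keys, which are 16-bit numbers assigned to subnets, and IB end ports); splitting that sentence would make it clear.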
diff --git a/secilc/test/policy.cil b/secilc/test/policy.cil
index 2078399..4c37ecc 100644
--- a/secilc/test/policy.cil
+++ b/secilc/test/policy.cil
@@ -282,6 +282,12 @@
(pcidevicecon 345 system_u_bin_t_l2h)
(devicetreecon "/this is/a/path" system_u_bin_t_l2h)
 
+   ; InfiniBand
+   (ibpkeycon fe80:: (0 0x10) system_u_bin_t_l2h)
+   (ibpkeycon fe80::7629:afff:fe0f:8e5d (15 25) (system_u system_r 
kernel_t (low (s3 (cats01 cats02)
+   (ibendportcon mlx5_0 1 system_u_bin_t_l2h)
+   (ibendportcon mlx4_3 5 (system_u system_r kernel_t (low (s3 (cats01 
cats02)
+
(constrain (files (read)) (not (or (and (eq t1 exec_t) (eq t2 bin_t)) 
(eq r1 r2
(constrain char_w (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 
r2
 
-- 
2.9.4



[PATCH] libsepol/cil: ibendportcon fails to resolve in CIL policy

2017-06-12 Thread Richard Haines
Fix named ibendportcon context not resolving correctly.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 libsepol/cil/src/cil_build_ast.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 4258b18..04492e5 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -4698,7 +4698,7 @@ int cil_gen_ibendportcon(__attribute__((unused)) struct 
cil_db *db, struct cil_t
}
 
if (!parse_current->next->next->next->cl_head) {
-   ibendportcon->context_str = parse_current->next->next->data;
+   ibendportcon->context_str = 
parse_current->next->next->next->data;
} else {
cil_context_init(>context);
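Review bot: The fix is right, since the condition on the line above already tests `parse_current->next->next->next->cl_head` and the string form must come from that same node, but the four-deep pointer chain repeated in the condition and the assignment is exactly how the off-by-one slipped in. A local such as `struct cil_tree_node *ctx_node = parse_current->next->next->next;` used by both the `if` and the assignment would make the two references visibly the same node.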
 
-- 
2.9.4



[PATCH] net/ipv6: Fix CALIPSO causing GPF with datagram support

2017-06-05 Thread Richard Haines
When using CALIPSO with IPPROTO_UDP it is possible to trigger a GPF as the
IP header may have moved.

Also update the payload length after adding the CALIPSO option.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 net/ipv6/calipso.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index 37ac9de..8d772fe 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -1319,7 +1319,7 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
struct ipv6hdr *ip6_hdr;
struct ipv6_opt_hdr *hop;
unsigned char buf[CALIPSO_MAX_BUFFER];
-   int len_delta, new_end, pad;
+   int len_delta, new_end, pad, payload;
unsigned int start, end;
 
ip6_hdr = ipv6_hdr(skb);
@@ -1346,6 +1346,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
if (ret_val < 0)
return ret_val;
 
+   ip6_hdr = ipv6_hdr(skb); /* Reset as skb_cow() may have moved it */
+
if (len_delta) {
if (len_delta > 0)
skb_push(skb, len_delta);
@@ -1355,6 +1357,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
sizeof(*ip6_hdr) + start);
skb_reset_network_header(skb);
ip6_hdr = ipv6_hdr(skb);
+   payload = ntohs(ip6_hdr->payload_len);
+   ip6_hdr->payload_len = htons(payload + len_delta);
}
 
hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
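Review bot: The `payload` temporary added in the first hunk is used only for this one expression; `ip6_hdr->payload_len = htons(ntohs(ip6_hdr->payload_len) + len_delta);` (or the kernel helper `be16_add_cpu(&ip6_hdr->payload_len, len_delta);`) keeps the change to the two lines that matter. A sentence in the commit message on why the update sits inside `if (len_delta)`, namely that an unchanged option size leaves the payload length already correct, would also help the next reader.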
-- 
2.9.4



[PATCH] libselinux: Remove util/selinux_restorecon.c

2017-05-01 Thread Richard Haines
Remove util/selinux_restorecon.c and tidy up. This is removed as
the functionality is now in policycoreutils/setfiles.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 libselinux/utils/.gitignore   |   1 -
 libselinux/utils/Makefile |   2 -
 libselinux/utils/selinux_restorecon.c | 299 --
 3 files changed, 302 deletions(-)
 delete mode 100644 libselinux/utils/selinux_restorecon.c

diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
index ed3bf0b..b4f9f78 100644
--- a/libselinux/utils/.gitignore
+++ b/libselinux/utils/.gitignore
@@ -19,7 +19,6 @@ selabel_lookup
 selabel_lookup_best_match
 selabel_partial_match
 selinux_check_securetty_context
-selinux_restorecon
 selinuxenabled
 selinuxexeccon
 setenforce
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index 995f444..5d61031 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -59,8 +59,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) 
../src/libselinux.a -lsepol
 
 sefcontext_compile: sefcontext_compile.o ../src/regex.o
 
-selinux_restorecon: LDLIBS += -lsepol
-
 all: $(TARGETS)
 
 install: all
diff --git a/libselinux/utils/selinux_restorecon.c 
b/libselinux/utils/selinux_restorecon.c
deleted file mode 100644
index 4d2b08f..000
--- a/libselinux/utils/selinux_restorecon.c
+++ /dev/null
@@ -1,299 +0,0 @@
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-static char *policyfile;
-
-static char **exclude_list;
-static int exclude_count;
-
-static int validate_context(char **contextp)
-{
-   char *context = *contextp, *tmpcon;
-
-   if (policyfile) {
-   if (sepol_check_context(context) < 0) {
-   fprintf(stderr, "Invalid context %s\n", context);
-   exit(-1);
-   }
-   } else if (security_canonicalize_context_raw(context, ) == 0) {
-   free(context);
-   *contextp = tmpcon;
-   } else if (errno != ENOENT) {
-   fprintf(stderr, "Validate context error: %s\n",
-   strerror(errno));
-   exit(-1);
-   }
-
-   return 0;
-}
-
-static __attribute__ ((__noreturn__)) void usage(const char *progname)
-{
-   fprintf(stderr,
-   "\nusage: %s [-FCnRrdmiIaAsl] [-e dir] [-v|-P]\n"
-   "[-x alt_rootpath] [-p policy] [-f specfile] pathname ...\n"
-   "\nWhere:\n\t"
-   "-F  Set the label to that in specfile.\n\t"
-   "If not set then reset the \"type\" component of the "
-   "label to that\n\tin the specfile.\n\t"
-   "-C  Check labels even if the stored SHA1 digest matches\n\t"
-   "the specfiles SHA1 digest.\n\t"
-   "-n  Don't change any file labels (passive check).\n\t"
-   "-R  Recursively change file and directory labels.\n\t"
-   "-v  Show changes in file labels (-v and -P are mutually "
-   " exclusive).\n\t"
-   "-P  Show progress by printing \"*\" to stdout every 1000 files"
-   ",\n\tunless relabeling entire OS, then show percentage 
complete.\n\t"
-   "-r  Use realpath(3) to convert pathnames to canonical 
form.\n\t"
-   "-d  Prevent descending into directories that have a "
-   "different\n\tdevice number than the pathname from  which "
-   "the descent began.\n\t"
-   "-m  Do not automatically read /proc/mounts to determine 
what\n\t"
-   "non-seclabel mounts to exclude from relabeling.\n\t"
-   "-e  Exclude this directory (add multiple -e entries).\n\t"
-   "-i  Do not set SELABEL_OPT_DIGEST option when calling "
-   " selabel_open(3).\n\t"
-   "-I  Ignore files that do not exist.\n\t"
-   "-a  Add an association between an inode and a context.\n\t"
-   "If there is a different context that matched the 
inode,\n\t"
-   "then use the first context that matched.\n\t"
-   "-A  Abort on errors during the file tree walk.\n\t"
-   "-s  Log any label changes to syslog(3).\n\t"
-   "-l  Log what specfile context matched each file.\n\t"
-   "-x  Set alternate rootpath.\n\t"
-   "-p  Optional binary policy file (also sets validate context "
-   "option).\n\t"
-   "-f  Optional file contexts fil

Re: [PATCH] libselinux: Add permissive= entry to avc audit log

2017-05-01 Thread Richard Haines
On Thu, 2017-04-27 at 10:34 -0400, Stephen Smalley wrote:
> On Wed, 2017-04-26 at 14:47 +0100, Richard Haines wrote:
> > Add audit log entry to specify whether the decision was made in
> > permissive mode/permissive domain or enforcing mode.
> > 
> > There are two utilities for testing:
> > utils/avc_has_perm - This can set the AVC mode to follow SELinux,
> > set
> > AVC permissive, or set AVC enforcing.
> > 
> > utils/selinux_check_access - This follows SELinux as it calls
> > selinux_check_access(3).
> > 
> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > ---
> >  libselinux/src/avc.c|   4 +
> >  libselinux/utils/avc_has_perm.c | 203
> > 
> >  libselinux/utils/selinux_check_access.c | 145
> > +++
> >  3 files changed, 352 insertions(+)
> >  create mode 100644 libselinux/utils/avc_has_perm.c
> >  create mode 100644 libselinux/utils/selinux_check_access.c
> 
> I think the utilities should be in a separate patch since someone may
> want the permissive= logging but not the new utilities.  But maybe we
> ought to reconsider whether these new utilities are helpful or
> not.  Do
> we really need both of them?  If we can get away with just using one
> of
> them, I'd prefer selinux_check_access since we would like to migrate
> most users to that interface instead of directly using the AVC.
I'll send an updated patch for selinux_check_access today.

> 
> We also need to rethink the libselinux utils in general.  Some of
> them
> are actually used by end users and system scripts, but many of them
> are
> more akin to test programs than real utilities.  Maybe we need a
> libselinux/tests or libselinux/samples or something.
I checked the utils and I've added all the selabel_* ones. Not sure if
you count them as utils or test/sample/examples.

I must admit I like examples that show as much variation as possible as
the function man pages only give basic facts. For example
selinux_check_access has an option to add supplementary audit info,
however this does not work unless you add the correct callback. It's
okay for experts but for the rest of us !!!

I guess the main issue for having examples is maintaining them. However
if there is interest, I would be happy to submit some. They could of
course also be used for testing, although I guess you would prefer some
form of test harness instead - like the selinux-testsuite as some
require policy to fully test/demonstrate.


>   For example, it
> is likely confusing to have a selinux_restorecon utility in
> libselinux
> when we also have restorecon itself in policycoreutils.  Is there
> still
> value in having selinux_restorecon as a separate utility or can we
> drop
> it now that setfiles/restorecon has been rewritten to use the new
> interface?
I'll send a patch to remove utils/selinux_restorecon.c today.
> 
> > 
> > diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> > index b1ec57f..5600f80 100644
> > --- a/libselinux/src/avc.c
> > +++ b/libselinux/src/avc.c
> > @@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid,
> > security_id_t
> > tsid,
> >  
> >     log_append(avc_audit_buf, " ");
> >     avc_dump_query(ssid, tsid, tclass);
> > +
> > +   log_append(avc_audit_buf, " permissive=%u", avc_enforcing
> > &&
> > +      !(avd->flags & SELINUX_AVD_FLAGS_PERMISSIVE) ?
> > 0
> > : 1);
> > +
> 
> Looking at the kernel logic, it would seem we could do the following
> instead:
>   if (denied)
>   log_append(avc_audit_buf, " permissive=%u", result ? 0
> : 1);
> 
> This has the benefit of only adding it on a denial (no point in
> logging
> it on a granting) and not needing to re-check enforcing/permissive
> mode
> but rather just make use of the fact that the only case where a
> denied
> permission will yield a successful return is if it was permissive.
> 
> >     log_append(avc_audit_buf, "\n");
> >     avc_log(SELINUX_AVC, "%s", avc_audit_buf);
> >  
> > diff --git a/libselinux/utils/avc_has_perm.c
> > b/libselinux/utils/avc_has_perm.c
> > new file mode 100644
> > index 000..3d4bfc0
> > --- /dev/null
> > +++ b/libselinux/utils/avc_has_perm.c
> > @@ -0,0 +1,203 @@
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +
> > +static void usage(char *progname)
> > +{
> > +   fprintf(stderr, "usage:  %s [-f | -

Re: [PATCH V2] libselinux: Add permissive= entry to avc audit log

2017-04-28 Thread Richard Haines
On Fri, 2017-04-28 at 15:10 +0200, Dominick Grift wrote:
> On Fri, Apr 28, 2017 at 02:05:16PM +0100, Richard Haines wrote:
> > Add audit log entry to specify whether the decision was made in
> > permissive mode/permissive domain or enforcing mode.
> > 
> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > ---
> > V2 changes: Remove utilities and follow the kernel way of detecting
> > whether permissive or not.
> > 
> >  libselinux/src/avc.c | 4 
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> > index b1ec57f..96b2678 100644
> > --- a/libselinux/src/avc.c
> > +++ b/libselinux/src/avc.c
> > @@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid,
> > security_id_t tsid,
> >  
> >     log_append(avc_audit_buf, " ");
> >     avc_dump_query(ssid, tsid, tclass);
> > +
> > +   if (denied)
> > +   log_append(avc_audit_buf, " permissive=%u", result
> > ? 0 : 1);
> > +
> >     log_append(avc_audit_buf, "\n");
> >     avc_log(SELINUX_AVC, "%s", avc_audit_buf);
> >  
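Review bot: With this change the field is present on denials and absent on grants, so for a consumer a missing `permissive=` now means "granted, or an older libselinux" rather than "enforcing"; a line in the commit message or the avc_audit man page stating that the field only appears on denials would stop log parsers from treating absence as 0.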
> > -- 
> > 2.9.3
> > 
> 
> I hope you will still submit the utils as well. I think/hope that the
> selinux_check_access util can be used with shell scripts to create a
> simple user space object manager example

Yes I will at some stage - just thinking of how to reply to Stephen's
email on the subject and checking what ones I've already submitted to
libselinux/utils. I have a number of these little
utils/samples/examples that I use to test various bits of
libsepol/libselinux and submit those I use to test my patches.

Before I submit any I'll take your suggestion into account. All ideas
welcome.
> 
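The permissive= field discussed in this thread is what a log consumer has to key on. The following is an added example, not libselinux code, that parses constructed userspace AVC lines in the avc_audit() layout and buckets denials into enforced versus permissive, treating a missing field as unknown; the contexts, pid and comm values in the sample are made up.

```python
"""Triage userspace AVC audit lines by their permissive= field.

Added example, not code from libselinux or from the patch in this thread.
The sample lines are constructed to follow the layout avc_audit() builds:
  avc:  <denied|granted>  { perms } for <callback data> scontext=...
  tcontext=... tclass=... permissive=<0|1>
where, after the V2 change, permissive= is appended only on denials.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s*"
    r"(?:for\s*(?P<auditdata>.*?)\s*)?"          # audit callback output, if any
    r"scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"   # present only on denials
)

# Constructed sample log (hypothetical contexts, pid and comm values).
SAMPLE_LOG = """\
avc:  denied  { read } for  pid=4242 comm="sample_app" scontext=user_u:user_r:sample_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
avc:  denied  { write } for  scontext=user_u:user_r:sample_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
avc:  granted  { read } for  pid=4243 comm="sample_app" scontext=user_u:user_r:sample_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
avc:  denied  { name_connect } scontext=user_u:user_r:sample_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
this line is not an AVC record at all
"""


def parse_avc_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC line, or None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perm_flag = m.group("permissive")
    auditdata = (m.group("auditdata") or "").strip()
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "auditdata": auditdata or None,
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
        # None when the field is absent: a granted entry, or a denial logged
        # by a libselinux that predates the permissive= addition.
        "permissive": None if perm_flag is None else int(perm_flag),
    }


def classify(rec: Dict[str, object]) -> str:
    """Map a parsed record to a triage bucket.

    permissive=1 on a denial means the access was actually allowed, either
    because the AVC was in permissive mode or because the source domain is
    declared permissive in policy; the line alone does not say which.
    """
    if rec["verdict"] == "granted":
        return "granted"
    if rec["permissive"] is None:
        return "denied-unknown"
    return "denied-permissive" if rec["permissive"] == 1 else "denied-enforced"


def summarize(log_text: str) -> Tuple[Counter, List[Dict[str, object]], int]:
    """Parse every line; return bucket counts, the records, and the count of
    non-empty lines that did not parse."""
    buckets: Counter = Counter()
    records: List[Dict[str, object]] = []
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_avc_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1
            continue
        rec["bucket"] = classify(rec)
        buckets[rec["bucket"]] += 1
        records.append(rec)
    return buckets, records, unparsed


def enforced_denials(records: List[Dict[str, object]]) -> List[str]:
    """One-line summaries of the denials that were actually enforced."""
    return [
        f"{r['scontext']} -> {r['tcontext']} {r['tclass']} {{ {' '.join(r['perms'])} }}"
        for r in records
        if r["bucket"] == "denied-enforced"
    ]


if __name__ == "__main__":
    counts, recs, bad = summarize(SAMPLE_LOG)
    for name, count in sorted(counts.items()):
        print(f"{name:<18} {count}")
    print(f"unparsed lines     {bad}")
    for summary in enforced_denials(recs):
        print("enforced:", summary)
```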



[PATCH] libselinux: Add permissive= entry to avc audit log

2017-04-26 Thread Richard Haines
Add audit log entry to specify whether the decision was made in
permissive mode/permissive domain or enforcing mode.

There are two utilities for testing:
utils/avc_has_perm - This can set the AVC mode to follow SELinux, set
AVC permissive, or set AVC enforcing.

utils/selinux_check_access - This follows SELinux as it calls
selinux_check_access(3).

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 libselinux/src/avc.c|   4 +
 libselinux/utils/avc_has_perm.c | 203 
 libselinux/utils/selinux_check_access.c | 145 +++
 3 files changed, 352 insertions(+)
 create mode 100644 libselinux/utils/avc_has_perm.c
 create mode 100644 libselinux/utils/selinux_check_access.c

diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index b1ec57f..5600f80 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
 
log_append(avc_audit_buf, " ");
avc_dump_query(ssid, tsid, tclass);
+
+   log_append(avc_audit_buf, " permissive=%u", avc_enforcing &&
+  !(avd->flags & SELINUX_AVD_FLAGS_PERMISSIVE) ? 0 : 1);
+
log_append(avc_audit_buf, "\n");
avc_log(SELINUX_AVC, "%s", avc_audit_buf);
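Review bot: `permissive=` is appended to every record, grants included, and the expression re-derives the mode from `avc_enforcing` and `avd->flags` even though avc_audit() already receives `result`; a denied permission that still returned success is by definition a permissive decision, so `if (denied) log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);` is shorter, follows the kernel logic of emitting the field only on denials, and spares the reader from working out that `&&` binds tighter than `?:` in the conditional as written.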
 
diff --git a/libselinux/utils/avc_has_perm.c b/libselinux/utils/avc_has_perm.c
new file mode 100644
index 000..3d4bfc0
--- /dev/null
+++ b/libselinux/utils/avc_has_perm.c
@@ -0,0 +1,203 @@
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static void usage(char *progname)
+{
+   fprintf(stderr, "usage:  %s [-f | -p] [-i] scon tcon class perm\n"
+   "\nWhere:\n\t"
+   "-f  Follow SELinux permissive or enforcing mode, or\n\t"
+   "-p  Set avc_open to permissive mode.\n\t"
+   "The default is to set avc_open to enforcing mode.\n\t"
+   "-i  Interactive mode. Once displayed first result, can\n\t"
+   "enter additional entries and display AVC cache info.\n",
+   progname);
+   exit(1);
+}
+
+static void get_entry(char **buffer)
+{
+   char *buf;
+   int len;
+#define BUF_LEN 81
+
+   buf = malloc(BUF_LEN * sizeof(char));
+   if (!buf) {
+   perror("malloc");
+   exit(1);
+   }
+
+   if (fgets(buf, BUF_LEN - 1, stdin) == NULL) {
+   perror("fgets");
+   exit(1);
+   }
+
+   len = strlen(buf);
+   if (buf[len - 1] == '\n')
+   buf[len - 1] = 0;
+
+   *buffer = buf;
+}
+
+/*
+ * Function to print the AVC statistics. Because no audit logging call back
+ * has been set, the avc_cache_stats will be displayed on stderr.
+ */
+static void print_avc_stats(void)
+{
+   struct avc_cache_stats acs;
+
+   avc_cache_stats();
+   printf("\nThe avc_cache_stats are as follows:\n");
+   printf("entry_hits: %d\t(Decisions found in aeref)\n",
+  acs.entry_hits);
+   printf("entry_misses:   %d\t(Decisions not found in aeref)\n",
+  acs.entry_misses);
+   printf("entry_discards: %d\t(Decisions not found in aeref that were "
+  "also non-NULL)\n", acs.entry_discards);
+   printf("entry_lookups:  %d\t(Queries made)\n", acs.entry_lookups);
+   printf("cav_lookups:%d\t(Cache lookups)\n", acs.cav_lookups);
+   printf("cav_hits:   %d\t(Cache hits)\n", acs.cav_hits);
+   printf("cav_probes: %d\t(Entries examined searching the cache)\n",
+  acs.cav_probes);
+   printf("cav_misses: %d\t(Cache misses)\n\n", acs.cav_misses);
+}
+
+struct avc_entry_ref aeref;
+static void exec_func(char *scon, char *tcon, char *class, char *perm)
+{
+   int rc;
+   security_id_t scon_id;
+   security_id_t tcon_id;
+   security_class_t sclass;
+   access_vector_t av;
+
+   rc = avc_context_to_sid(scon, _id);
+   if (rc < 0) {
+   perror("Error scon avc_context_to_sid");
+   exit(1);
+   }
+
+   rc = avc_context_to_sid(tcon, _id);
+   if (rc < 0) {
+   perror("Error tcon avc_context_to_sid");
+   exit(1);
+   }
+
+   sclass = string_to_security_class(class);
+   av = string_to_av_perm(sclass, perm);
+
+   printf("\nAny avc_log error messages are shown on stderr:\n");
+   rc = avc_has_perm(scon_id, tcon_id, sclass, av, , NULL);
+   printf("\nEnd of avc_log error messages.\n\n");
+
+   if (rc < 0)
+   printf("Error avc_has_perm: %s\n", strerror(errno));
+   else
+   
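Review bot: `string_to_security_class()` and `string_to_av_perm()` return 0 for an unknown class or permission, and exec_func() passes both results unchecked to avc_has_perm(), so a mistyped class checks an empty access vector and reports success; test each for 0 and print the offending string. Two smaller points: the comment above print_avc_stats() says the statistics go to stderr while the function prints with printf(), and in get_entry() `buf[len - 1]` indexes before the buffer if fgets() returns an empty string. Unless it happens in the part of the file not shown, the file-scope `aeref` also needs avc_entry_ref_init() before its first use.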

Re: [RFC PATCH 0/1] libselinux: Add support for selinux_check_access_flags

2017-04-24 Thread Richard Haines
On Mon, 2017-04-24 at 10:06 -0400, Stephen Smalley wrote:
> On Mon, 2017-04-24 at 14:09 +0100, Richard Haines wrote:
> > Only wanted the avd flags to check whether the domain was
> > permissive
> > or not using an selinux_check_access() type call.
> 
> Why?  What's the intended user?
I was writing patches to update racoon and pluto to use
selinux_check_access in place of avc_open etc. As these programs also
log useful info I thought I would log the SELinux status (permissive
mode etc. etc. for debugging). The only thing missing was if they were
running in a permissive domain so I thought I would see if I could
retrieve this as well. With this patch I can check if permission
granted or not and also if permissive domain (provided of course the
call returned the avd flags).

The other way I thought of was add another entry to selinuxfs and pass
the context to kernel and get whether permissive domain or not.

Is there an easier way to detect a permissive domain without reading
the policy ?


> 
> > 
> > As a consequence of implementing selinux_check_access_flags,
> > additional
> > calls have been added to avc.c: avc_has_perm_flags() and
> > avc_has_perm_noaudit_flags(). Added man page entries for them but
> > not
> > sure
> > if they should be hidden.
> > 
> > Richard Haines (1):
> >   libselinux: Add support for selinux_check_access_flags
> > 
> >  libselinux/include/selinux/avc.h |  68 +++
> >  libselinux/include/selinux/selinux.h |  32 +++
> >  libselinux/man/man3/avc_has_perm.3   |  37 +++-
> >  libselinux/man/man3/security_compute_av.3|  21 +-
> >  libselinux/man/man3/selinux_check_access_flags.3 |   1 +
> >  libselinux/src/avc.c |  44 -
> >  libselinux/src/avc_internal.h|   1 +
> >  libselinux/src/checkAccess.c |  63 +++---
> >  libselinux/utils/.gitignore  |   2 +
> >  libselinux/utils/avc_has_perm.c  | 235
> > +++
> >  libselinux/utils/selinux_check_access.c  | 189
> > ++
> >  11 files changed, 660 insertions(+), 33 deletions(-)
> >  create mode 100644
> > libselinux/man/man3/selinux_check_access_flags.3
> >  create mode 100644 libselinux/utils/avc_has_perm.c
> >  create mode 100644 libselinux/utils/selinux_check_access.c
> > 



[RFC PATCH 1/1] libselinux: Add support for selinux_check_access_flags

2017-04-24 Thread Richard Haines
Add function selinux_check_access_flags() that is the same as
selinux_check_access() except that it will also return the avd
flags. Currently only the SELINUX_AVD_FLAGS_PERMISSIVE flag is
used to signify that the source type is defined as permissive
in policy.

Because selinux_check_access_flags() can return before the AVC
call, and also the AVC call may return with undefined avd flags,
the returned flags should be checked for SELINUX_AVD_FLAGS_UNDEFINED,
first. If set, the remaining flags are undefined. See the
selinux_check_access_flags() man page entry for details. There is a
utility for testing the functionality:
utils/selinux_check_access -f scon tcon class perm

As a consequence of implementing selinux_check_access_flags, additional
calls have been added to avc.c: avc_has_perm_flags() and
avc_has_perm_noaudit_flags(). The appropriate man pages have been updated.

There is a utility for testing the avc_has_perm() and avc_has_perm_flags():
utils/avc_has_perm -f scon tcon class perm

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 libselinux/include/selinux/avc.h |  68 +++
 libselinux/include/selinux/selinux.h |  32 +++
 libselinux/man/man3/avc_has_perm.3   |  37 +++-
 libselinux/man/man3/security_compute_av.3|  21 +-
 libselinux/man/man3/selinux_check_access_flags.3 |   1 +
 libselinux/src/avc.c |  44 -
 libselinux/src/avc_internal.h|   1 +
 libselinux/src/checkAccess.c |  63 +++---
 libselinux/utils/.gitignore  |   2 +
 libselinux/utils/avc_has_perm.c  | 235 +++
 libselinux/utils/selinux_check_access.c  | 189 ++
 11 files changed, 660 insertions(+), 33 deletions(-)
 create mode 100644 libselinux/man/man3/selinux_check_access_flags.3
 create mode 100644 libselinux/utils/avc_has_perm.c
 create mode 100644 libselinux/utils/selinux_check_access.c

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index b4bc6f3..89d75c3 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -264,6 +264,43 @@ int avc_has_perm_noaudit(security_id_t ssid,
 struct avc_entry_ref *aeref, struct av_decision *avd);
 
 /**
+ * avc_has_perm_noaudit_flags - Check permissions but perform no auditing,
+ *  return avd flags.
+ * @ssid: source security identifier
+ * @tsid: target security identifier
+ * @tclass: target security class
+ * @requested: requested permissions, interpreted based on @tclass
+ * @aeref:  AVC entry reference
+ * @avd: access vector decisions
+ * @flags: returned avd flags. Currently two flags are supported:
+ * SELINUX_AVD_FLAGS_UNDEFINED This is typically set when the
+ * source or target context is not valid in policy, or the
+ * avc is in permissive mode, or the returned entry could not be
+ * inserted into the avc cache.
+ * SELINUX_AVD_FLAGS_PERMISSIVE, which indicates the decision is
+ * computed on a policy defined permissive domain.
+ *
+ * Check the AVC to determine whether the @requested permissions are granted
+ * for the SID pair (@ssid, @tsid), interpreting the permissions
+ * based on @tclass, and call the security server on a cache miss to obtain
+ * a new decision and add it to the cache.  Update @aeref to refer to an AVC
+ * entry with the resulting decisions, and return a copy of the decisions
+ * in @avd.  Return %0 if all @requested permissions are granted, -%1 with
+ * @errno set to %EACCES if any permissions are denied, or to another value
+ * upon other errors.  This function is typically called by avc_has_perm(),
+ * but may also be called directly to separate permission checking from
+ * auditing, e.g. in cases where a lock must be held for the check but
+ * should be released for the auditing.
+ */
+int avc_has_perm_noaudit_flags(security_id_t ssid,
+  security_id_t tsid,
+  security_class_t tclass,
+  access_vector_t requested,
+  struct avc_entry_ref *aeref,
+  struct av_decision *avd,
+  unsigned int *flags);
+
+/**
  * avc_has_perm - Check permissions and perform any appropriate auditing.
  * @ssid: source security identifier
  * @tsid: target security identifier
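Review bot: The description under avc_has_perm_noaudit_flags() still says "This function is typically called by avc_has_perm()"; for the new entry point that should be avc_has_perm_flags(). The @flags paragraph would also read more easily as one line per flag, and should say that SELINUX_AVD_FLAGS_PERMISSIVE is only meaningful when SELINUX_AVD_FLAGS_UNDEFINED is clear, which is the check the commit message asks callers to make first.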
@@ -286,6 +323,37 @@ int avc_has_perm(security_id_t ssid, security_id_t tsid,
 struct avc_entry_ref *aeref, void *auditdata);
 
 /**
+ * avc_has_perm_flags - Check permissions, returning avd flags and perform any
+ *  appropriate auditing.
+ * @ssid: source security identifier
+ * @tsid: target security identifier
+ * @tclass: target security class
+ * @requested: requested permissions, interpreted based on @tclass
+ * @aeref:  AVC

[RFC PATCH 0/1] libselinux: Add support for selinux_check_access_flags

2017-04-24 Thread Richard Haines
Only wanted the avd flags to check whether the domain was permissive
or not using an selinux_check_access() type call.

As a consequence of implementing selinux_check_access_flags, additional
calls have been added to avc.c: avc_has_perm_flags() and
avc_has_perm_noaudit_flags(). Added man page entries for them but not sure
if they should be hidden.

Richard Haines (1):
  libselinux: Add support for selinux_check_access_flags

 libselinux/include/selinux/avc.h |  68 +++
 libselinux/include/selinux/selinux.h |  32 +++
 libselinux/man/man3/avc_has_perm.3   |  37 +++-
 libselinux/man/man3/security_compute_av.3|  21 +-
 libselinux/man/man3/selinux_check_access_flags.3 |   1 +
 libselinux/src/avc.c |  44 -
 libselinux/src/avc_internal.h|   1 +
 libselinux/src/checkAccess.c |  63 +++---
 libselinux/utils/.gitignore  |   2 +
 libselinux/utils/avc_has_perm.c  | 235 +++
 libselinux/utils/selinux_check_access.c  | 189 ++
 11 files changed, 660 insertions(+), 33 deletions(-)
 create mode 100644 libselinux/man/man3/selinux_check_access_flags.3
 create mode 100644 libselinux/utils/avc_has_perm.c
 create mode 100644 libselinux/utils/selinux_check_access.c

-- 
2.9.3



Re: [RFC v2 PATCH 2/2] kernel: Add SELinux SCTP protocol support

2017-03-22 Thread Richard Haines
On Mon, 2017-03-20 at 14:23 -0300, Marcelo Ricardo Leitner wrote:
> On Thu, Mar 02, 2017 at 03:45:40PM -0500, Stephen Smalley wrote:
> > On Wed, 2017-02-22 at 17:03 +, Richard Haines wrote:
> 
> 
> 
> > > + return err;
> > > +}
> > > +
> > > +static int selinux_sctp_accept_conn(struct sctp_endpoint *ep,
> > > + struct sk_buff *skb)
> > > +{
> > > + struct sk_security_struct *sksec = ep->base.sk-
> > > >sk_security;
> > > + int err;
> > > + u32 connsid;
> > > + u32 peersid;
> > > +
> > > + /* Have COOKIE ECHO so compute the MLS component for the
> > > connection
> > > +  * and store the information in ep. This will only be
> > > used
> > > by
> > > +  * TCP/peeloff connections as they cause a new socket to
> > > be
> > > generated.
> > 
> > Not sure why you say TCP above.  And won't this be true of
> > accept()'d
> 
> Probably just a typo, should be SCTP instead.
Yes so changed to "This will only be used by SCTP TCP type sockets
and peeled off connections".

> 
> > sockets too in addition to peeloff ones?
> 
> Speaking of accept() path, I think we have an issue there with this
> patch, because it's doing:
> @@ -7683,8 +7717,6 @@ void sctp_copy_sock(struct sock *newsk, struct
> sock *sk,
> -   security_sk_clone(sk, newsk);
> @@ -7829,6 +7862,11 @@ static void sctp_sock_migrate(struct sock
> *oldsk,
> struct
> +   security_sctp_sk_clone(oldep, oldsk, newsk);
> 
> But sctp_copy_sock() is called from places other than
> sctp_sock_migrate, mainly:
> net/sctp/ipv6.c:sctp_copy_sock(newsk, sk, asoc);
> net/sctp/protocol.c:sctp_copy_sock(newsk, sk, asoc);
> Which are on the accept() path.
> 
> Ideally it's better to keep the call to security_sctp_sk_clone in
> sctp_copy_sock() to get those covered too.

Thanks for pointing this out, I'll fix in next patch set.
> 
>   Marcelo
> 
> > 
> > > +  * selinux_sctp_sk_clone() will then plug this into the
> > > new
> > > socket
> > > +  * as described in Documentation/security/LSM-sctp.txt
> > > +  */
> > > + err = selinux_skb_peerlbl_sid(skb, ep->base.sk-
> > > >sk_family,
> > > );
> > > + if (err)
> > > + return err;
> > > +
> > > + err = selinux_conn_sid(sksec->sid, peersid, );
> > > + if (err)
> > > + return err;
> > > +
> > > + ep->secid = connsid;
> > > + ep->peer_secid = peersid;
> > > +
> > > + return 0;
> > > +}
> > > +
> > 
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-
> > sctp" in
> > the body of a message to majord...@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > 
> 

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Re: [RFC v2 PATCH 2/2] kernel: Add SELinux SCTP protocol support

2017-03-22 Thread Richard Haines
On Thu, 2017-03-02 at 15:45 -0500, Stephen Smalley wrote:
> On Wed, 2017-02-22 at 17:03 +0000, Richard Haines wrote:
> > Add SELinux support for the SCTP protocol. The SELinux-sctp.txt
> > document
> > describes how the patch has been implemented.
> > 
> > Patches to assist the testing of this kernel patch are:
> > 1) Support new SCTP portcon statement used by SCTP tests in the
> > selinux-testsuite [1].
> > 2) Add SCTP tests to the selinux-testsuite [2].
> > 
> > Built and tested on Fedora 25 with linux-4.9.9 kernel.
> 
> Need to re-base and test on a suitable upstream tree (maybe security
> next or selinux next).  Since the extended socket class policy
> capability has been merged, you can leverage it and drop the
> duplicated
> portions.
> 
Okay, I'll find a suitable kernel to build the next patch set.

> > 
> > [1] http://arctic.selinuxproject.org/~rhaines/selinux-sctp/selinux-Add-support-for-the-SCTP-portcon-keyword.patch
> > [2] http://arctic.selinuxproject.org/~rhaines/selinux-sctp/selinux-testsuite-Add-SCTP-test-support.patch
> 
> I wouldn't include URLs for these userspace patches in the patch
> description or in-tree documentation; you can note them in your cover
> letter posting as an aid to testing but they shouldn't be part of the
> permanent history since they will presumably be upstreamed too.
> 
I'll add any of these to the cover letter.

> > 
> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> > ---
> >  Documentation/security/SELinux-sctp.txt | 178
> > ++
> >  include/net/sctp/structs.h  |   7 ++
> >  net/sctp/sm_make_chunk.c|  12 ++
> >  net/sctp/sm_statefuns.c |  20 +++
> >  net/sctp/socket.c   |  42 ++-
> 
> I'd either move the net/sctp changes into the first patch that
> defines
> the LSM hooks or move them into their own separate patch between
> these
> two patches.
I'll split these into their own patches (looks like I'll end up with
netlabel patches as well to get CIPSO/CALIPSO working fully !!)

> 
> >  security/selinux/hooks.c| 213
> > ++--
> >  security/selinux/include/classmap.h |   3 +
> >  7 files changed, 466 insertions(+), 9 deletions(-)
> >  create mode 100644 Documentation/security/SELinux-sctp.txt
> > 
> > diff --git a/Documentation/security/SELinux-sctp.txt
> > b/Documentation/security/SELinux-sctp.txt
> > new file mode 100644
> > index 000..ada666f
> > --- /dev/null
> > +++ b/Documentation/security/SELinux-sctp.txt
> > @@ -0,0 +1,178 @@
> > +   SCTP SELinux Support
> > +  ==
> > +
> > +Testing - selinux-testsuite
> > +
> > +There is a patch available that adds SCTP/SELinux tests to the
> > +selinux-testsuite. This is available from:
> > +
> > +http://arctic.selinuxproject.org/~rhaines/selinux-sctp/selinux-tes
> > ts
> > uite-Add-SCTP-test-support.patch
> > +
> > +These tests require libsepol to support the new sctp portcon
> > statement.
> > +A patch is available from:
> > +
> > +http://arctic.selinuxproject.org/~rhaines/selinux-sctp/selinux-Add
> > -
> > support-for-the-SCTP-portcon-keyword.patch
> 
> Ditto here; I wouldn't include these patch URLs in the in-tree
> documentation since the patches should get upstreamed.
> 
> > +
> > +Before running these tests, read the selinux-testsuite/README.sctp
> > as it is
> > +also possible to run the lksctp-tools/src/func_tests that are
> > available from:
> > +
> > +https://github.com/sctp/lksctp-tools
> > +
> > +
> > +Security Hooks
> > +===
> > +
> > +The Documentation/security/LSM-sctp.txt document describes how the
> > following
> > +sctp security hooks are utilised:
> > +security_sctp_assoc_request()
> > +security_sctp_accept_conn()
> > +security_sctp_sk_clone()
> > +security_sctp_addr_list()
> > +
> > +
> > +Policy Statements
> > +==
> > +A new object class "sctp_socket" has been introduced with the
> > following SCTP
> > +specific permissions: association bindx_add connectx
> > +
> > +The permissions are explained in the sections below.
> > +
> > +Kernel policy language
> > +---
> > +class sctp_socket
> > +class sctp_socket inherits socket { node_bind name_connect

[RFC v2 PATCH 2/2] kernel: Add SELinux SCTP protocol support

2017-02-22 Thread Richard Haines
Add SELinux support for the SCTP protocol. The SELinux-sctp.txt document
describes how the patch has been implemented.

Patches to assist the testing of this kernel patch are:
1) Support new SCTP portcon statement used by SCTP tests in the
selinux-testsuite [1].
2) Add SCTP tests to the selinux-testsuite [2].

Built and tested on Fedora 25 with linux-4.9.9 kernel.

[1] 
http://arctic.selinuxproject.org/~rhaines/selinux-sctp/selinux-Add-support-for-the-SCTP-portcon-keyword.patch
[2] 
http://arctic.selinuxproject.org/~rhaines/selinux-sctp/selinux-testsuite-Add-SCTP-test-support.patch

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 Documentation/security/SELinux-sctp.txt | 178 ++
 include/net/sctp/structs.h  |   7 ++
 net/sctp/sm_make_chunk.c|  12 ++
 net/sctp/sm_statefuns.c |  20 +++
 net/sctp/socket.c   |  42 ++-
 security/selinux/hooks.c| 213 ++--
 security/selinux/include/classmap.h |   3 +
 7 files changed, 466 insertions(+), 9 deletions(-)
 create mode 100644 Documentation/security/SELinux-sctp.txt

diff --git a/Documentation/security/SELinux-sctp.txt 
b/Documentation/security/SELinux-sctp.txt
new file mode 100644
index 000..ada666f
--- /dev/null
+++ b/Documentation/security/SELinux-sctp.txt
@@ -0,0 +1,178 @@
+   SCTP SELinux Support
+  ==
+
+Testing - selinux-testsuite
+
+There is a patch available that adds SCTP/SELinux tests to the
+selinux-testsuite. This is available from:
+
+http://arctic.selinuxproject.org/~rhaines/selinux-sctp/selinux-testsuite-Add-SCTP-test-support.patch
+
+These tests require libsepol to support the new sctp portcon statement.
+A patch is available from:
+
+http://arctic.selinuxproject.org/~rhaines/selinux-sctp/selinux-Add-support-for-the-SCTP-portcon-keyword.patch
+
+Before running these tests, read the selinux-testsuite/README.sctp as it is
+also possible to run the lksctp-tools/src/func_tests that are available from:
+
+https://github.com/sctp/lksctp-tools
+
+
+Security Hooks
+===
+
+The Documentation/security/LSM-sctp.txt document describes how the following
+sctp security hooks are utilised:
+security_sctp_assoc_request()
+security_sctp_accept_conn()
+security_sctp_sk_clone()
+security_sctp_addr_list()
+
+
+Policy Statements
+==
+A new object class "sctp_socket" has been introduced with the following SCTP
+specific permissions: association bindx_add connectx
+
+The permissions are explained in the sections below.
+
+Kernel policy language
+---
+class sctp_socket
+class sctp_socket inherits socket { node_bind name_connect association
+bindx_add connectx }
+
+CIL policy language
+
+(classcommon sctp_socket socket)
+(class sctp_socket (node_bind name_connect association bindx_add connectx))
+(classorder (unordered sctp_socket))
+
+If the SELinux userspace tools have been updated, then the portcon statement
+may be used as shown in the following example:
+(portcon sctp (1024 1035) (system_u object_r sctp_port_t ((s0) (s0
+
+Rule validation parameters used when 'network_peer_controls = 1':
+---
+Rule  Source   Target ClassPermissions
+---
+allow socket_t socket_t : sctp_socket { bindx_add connectx }; [1]
+allow socket_t port_t   : sctp_socket { name_bind name_connect }; [2]
+allow socket_t node_t   : sctp_socket { node_bind };
+allow socket_t peer_t   : sctp_socket { association };
+
+[1] setsockcreatecon(3) may be used to create a new labeled socket.
+[2] The port types may differ for name_bind and name_connect.
+
+
+SCTP Bind, Connect and ASCONF Chunk Parameter Permission Checks
+
+The hook security_sctp_addr_list() is called by SCTP to check permissions
+required for ipv4/ipv6 addresses based on the @optname as follows:
+
+  --
+  |  BINDX_ADD Permission Check|
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
+  --
+
+  --
+  |  BIND Permission Checks|
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_PRIMARY_ADDR   
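
Review bot: the table under 'Rule validation parameters used when network_peer_controls = 1' only documents the case where the capability is on. State what is checked for an incoming association when network_peer_controls = 0, or say outright that SCTP peer labeling requires the capability; otherwise a reader of the targeted policy this was tested against cannot tell whether `allow socket_t peer_t : sctp_socket { association };` is ever consulted. The first row, `allow socket_t socket_t : sctp_socket { bindx_add connectx };`, would also read better with a sentence that the source is the process label and the target the socket label, which only differ when the setsockcreatecon(3) of footnote [1] is used.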

[RFC v2 PATCH 1/2] kernel: Add LSM hooks for SCTP support

2017-02-22 Thread Richard Haines
Add four new SCTP hooks that are detailed in:
Documentation/security/LSM-sctp.txt

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 Documentation/security/LSM-sctp.txt | 171 
 include/linux/lsm_hooks.h   |  37 
 include/linux/security.h|  33 +++
 security/security.c |  34 +++
 4 files changed, 275 insertions(+)
 create mode 100644 Documentation/security/LSM-sctp.txt

diff --git a/Documentation/security/LSM-sctp.txt 
b/Documentation/security/LSM-sctp.txt
new file mode 100644
index 000..a96ad0a
--- /dev/null
+++ b/Documentation/security/LSM-sctp.txt
@@ -0,0 +1,171 @@
+   SCTP LSM Support
+  ==
+
+For security module support, four new sctp specific hooks have been
+implemented:
+security_sctp_assoc_request()
+security_sctp_accept_conn()
+security_sctp_sk_clone()
+security_sctp_addr_list()
+
+The usage of these hooks are described below with further information
+available in include/linux/lsm_hooks.h. The SELinux implementation is
+described in Documentation/security/SELinux-sctp.txt
+
+
+security_sctp_assoc_request()
+--
+This new hook has been added to net/sctp/sm_statefuns.c where it passes the
+@sk and @chunk->skb (the association INIT or INIT ACK packet) to the security
+module. Returns 0 on success, error on failure.
+
+@sk  - pointer to sock structure.
+@skb - pointer to skbuff of association packet (INIT or INIT ACK)
+
+The security module performs two operations:
+  1) If this is the first association on @sk, then set the peer sid
+ to that in @skb. This will ensure that there is only one peer sid
+ assigned to @sk that may support multiple associations.
+
+  2) Validate the @sk sid against the @sk peer sid to determine whether the
+ association should be allowed or denied.
+
+
+security_sctp_accept_conn()
+
+This new hook has been added to net/sctp/sm_statefuns.c where it sets the
+sctp endpoint @ep->secid to the socket's sid (@ep->base.sk) with the MLS
+portion taken from the COOKIE ECHO packet @skb peer sid. Returns 0 on success,
+error on failure.
+
+@ep  - pointer to sctp endpoint structure.
+@skb - pointer to skbuff of the COOKIE ECHO packet.
+
+To support this hook include/net/sctp/structs.h "struct sctp_endpoint" has
+been updated with the following:
+
+   /* Security identifiers from incoming (COOKIE-ECHO) connection.
+* These are set by security_sctp_accept_conn() and used by
+* security_sctp_sk_clone() to set sids on newsock.
+*/
+   u32 secid;
+   u32 peer_secid;
+
+
+security_sctp_sk_clone()
+-
+This new hook has been added to net/sctp/socket.c sctp_sock_migrate() that is
+called whenever a new socket is created for accept(2) (i.e. a TCP type socket)
+or when a socket is 'peeled off' e.g userspace calling sctp_peeloff(3).
+security_sctp_sk_clone() will set the new sockets sid and peer sid to that
+contained in the old @ep sid and peer sid respectively.
+
+@ep - pointer to old sctp endpoint structure.
+@sk - pointer to old sock structure.
+@sk - pointer to new sock structure.
+
+
+security_sctp_addr_list()
+--
+This new hook has been added to net/sctp/socket.c and net/sctp/sm_make_chunk.c.
+It passes one or more ipv4/ipv6 addresses to the security module for
+validation based on the @optname as shown in the permission check tables below.
+Returns 0 on success, error on failure.
+
+@sk  - Pointer to sock structure.
+@optname - Name of the option to validate.
+@address - One or more ipv4 / ipv6 addresses.
+@addrlen - The total length of address(s). This is calculated on each
+   ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
+   sizeof(struct sockaddr_in6).
+
+  --
+  | BIND Type Checks   |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
+  | SCTP_PRIMARY_ADDR  | Single ipv4 or ipv6 address   |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address   |
+  --
+
+  --
+  |   CONNECT Type Checks  |
+  |   @optname | @address contains |
+  ||---|
+  | SCTP_SOCKOPT_CONNECTX  | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_ADD_IP  | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM
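
Review bot: the parameter list for security_sctp_sk_clone() names @sk twice ('@sk - pointer to old sock structure.' and '@sk - pointer to new sock structure.'); the second should be @newsk, matching the security_sctp_sk_clone(oldep, oldsk, newsk) call quoted elsewhere in this thread. The same section says the hook 'has been added to net/sctp/socket.c sctp_sock_migrate()' and that it covers accept(2); as Marcelo pointed out in the thread, the accept() path clones through sctp_copy_sock() rather than sctp_sock_migrate(), so either the hook placement or this sentence has to change so the two agree.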

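An added example, not code from the patch set, of the list layout the @address/@addrlen description of security_sctp_addr_list() above implies, and that the `security_sk_setsockopt(sk, SOL_SCTP, SCTP_SOCKOPT_BINDX_ADD, (char *)kaddrs, addrs_size)` call reviewed in the v1 thread further down this page hands over: sctp_bindx(3)/sctp_connectx(3) pass a packed array in which each element is a whole struct sockaddr_in or struct sockaddr_in6, so a hook must parse by sa_family rather than index by a fixed size. port_is_labeled() is a constructed stand-in for the portcon lookup using the 1024-1035 range from the patch's own example; pack_addr(), walk_addr_list(), sample_list() and the demo_* functions are names chosen here, and the addresses are documentation-prefix samples, not captured data.

```c
/* Added example, not code from the patch set: pack a mixed IPv4/IPv6 list
 * in the layout sctp_bindx(3)/sctp_connectx(3) pass to the kernel, then walk
 * it the way a hook given (@address, @addrlen) has to. Each element is a
 * whole struct sockaddr_in or struct sockaddr_in6, so the walker must read
 * sa_family before it knows how far to advance. port_is_labeled() is a
 * constructed stand-in for a portcon lookup, not a real policy query. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

#define PACK_MAX 512
enum { ADDR_LIST_MALFORMED = -1, ADDR_LIST_DENIED = -2 };

/* Append one address to buf[0..len). Returns the new length, 0 on error. */
size_t pack_addr(unsigned char *buf, size_t len, int family,
                 const char *ip, uint16_t port)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    struct sockaddr_in6 sin6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    int v4 = family == AF_INET;
    size_t size = v4 ? sizeof sin : sizeof sin6;
    void *addr = v4 ? (void *)&sin.sin_addr : (void *)&sin6.sin6_addr;

    if ((family != AF_INET && family != AF_INET6) ||
        inet_pton(family, ip, addr) != 1 || len + size > PACK_MAX)
        return 0;
    memcpy(buf + len, v4 ? (void *)&sin : (void *)&sin6, size);
    return len + size;
}

/* Constructed stand-in for "(portcon sctp (1024 1035) ...)": only ports in
 * that range carry a label the socket may name_bind/name_connect to. */
int port_is_labeled(uint16_t port)
{
    return port >= 1024 && port <= 1035;
}

/* Walk @addrs_size bytes of packed addresses. Returns the number of addresses
 * checked, ADDR_LIST_MALFORMED for an unknown family or truncated element, or
 * ADDR_LIST_DENIED if any port fails the check. Stepping by a fixed
 * sizeof(struct sockaddr_in) would misread an IPv6 element's tail as the
 * next family, so the step is taken from sa_family. Fails closed on anything
 * it cannot parse, which is the right default for a permission check. */
int walk_addr_list(const unsigned char *addrs, size_t addrs_size)
{
    size_t off = 0;
    int count = 0;

    while (off < addrs_size) {
        size_t remain = addrs_size - off, step = 0;
        sa_family_t family;
        uint16_t port = 0;

        if (remain < sizeof family)
            return ADDR_LIST_MALFORMED;
        memcpy(&family, addrs + off, sizeof family);
        if (family == AF_INET) {
            struct sockaddr_in sin;
            if (remain < (step = sizeof sin))
                return ADDR_LIST_MALFORMED;
            memcpy(&sin, addrs + off, step);
            port = ntohs(sin.sin_port);
        } else if (family == AF_INET6) {
            struct sockaddr_in6 sin6;
            if (remain < (step = sizeof sin6))
                return ADDR_LIST_MALFORMED;
            memcpy(&sin6, addrs + off, step);
            port = ntohs(sin6.sin6_port);
        } else {
            return ADDR_LIST_MALFORMED;
        }
        if (!port_is_labeled(port))
            return ADDR_LIST_DENIED;
        off += step;
        count++;
    }
    return count;
}

/* Constructed sample: v4, v6, v4 on port 1030 (inside the labeled range). */
size_t sample_list(unsigned char *buf)
{
    size_t len = pack_addr(buf, 0, AF_INET, "192.0.2.10", 1030);
    len = pack_addr(buf, len, AF_INET6, "2001:db8::10", 1030);
    return pack_addr(buf, len, AF_INET, "192.0.2.11", 1030);
}

/* Scenarios over the constructed data; none of them needs an SCTP socket. */
int demo_mixed_list(void)       /* three addresses, all allowed: 3 */
{
    unsigned char buf[PACK_MAX];
    return walk_addr_list(buf, sample_list(buf));
}
int demo_truncated_list(void)   /* last element cut short: ADDR_LIST_MALFORMED */
{
    unsigned char buf[PACK_MAX];
    return walk_addr_list(buf, sample_list(buf) - 1);
}
int demo_unlabeled_port(void)   /* port 22 is outside the range: ADDR_LIST_DENIED */
{
    unsigned char buf[PACK_MAX];
    return walk_addr_list(buf, pack_addr(buf, 0, AF_INET, "192.0.2.10", 22));
}
```

The truncated case is the one to keep in mind when a hook is handed a byte count rather than an element count: a userspace caller controls addrs_size, so a partial trailing element must be rejected rather than read past.
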
[RFC v2 PATCH 0/2] kernel: Add SELinux SCTP protocol support

2017-02-22 Thread Richard Haines
This patch has been tested on Fedora 25 with kernel 4.9.9 using
the targeted policy. It therefore does not require the
"support distinctions among all network address families" [1] kernel
patch.

V2 Changes:
1) All comments in [2], [3] and [4] should now be resolved.
2) After discussions with Marcelo (thanks very much for your help),
   the permissions have been simplified and support added for ASCONF
   chunk processing.
3) The SCTP SELinux code has been moved into hooks.c
4) There are support patches listed in PATCH 2/2 for the new
   sctp portcon statement and sctp tests for the selinux-testsuite.

ToDo:
1) Add code to support a policy capability or utilise the
"extended_socket_class" [1] depending on how this patch progresses.
2) Produce refpolicy updates.

[1] http://marc.info/?l=selinux&m=148103642804873&w=2
[2] http://marc.info/?l=linux-sctp&m=148173536525998&w=2
[3] http://marc.info/?l=linux-sctp&m=148174029127754&w=2
[4] http://marc.info/?l=selinux&m=148233701411363&w=2

Richard Haines (2):
  kernel: Add LSM hooks for SCTP support
  kernel: Add SELinux SCTP protocol support

 Documentation/security/LSM-sctp.txt | 171 +
 Documentation/security/SELinux-sctp.txt | 178 ++
 include/linux/lsm_hooks.h   |  37 ++
 include/linux/security.h|  33 +
 include/net/sctp/structs.h  |   7 ++
 net/sctp/sm_make_chunk.c|  12 ++
 net/sctp/sm_statefuns.c |  20 +++
 net/sctp/socket.c   |  42 ++-
 security/security.c |  34 +
 security/selinux/hooks.c| 213 ++--
 security/selinux/include/classmap.h |   3 +
 11 files changed, 741 insertions(+), 9 deletions(-)
 create mode 100644 Documentation/security/LSM-sctp.txt
 create mode 100644 Documentation/security/SELinux-sctp.txt

-- 
2.9.3
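
The cover letter's ToDo mentions refpolicy updates; as an added example, not part of the patch set, here is the class declaration, portcon statement and rule table from the SELinux-sctp.txt hunk in PATCH 2/2 above assembled into one loadable CIL module. sctp_test_t, sctp_test_port_t, sctp_test_peer_t, the 2000-2001 port range, and the refpolicy identifiers domain, port_type, node_t and object_r are assumptions chosen for illustration; the class lines are only needed when the base policy does not already declare sctp_socket, and the portcon line needs the userspace sctp portcon support the cover letter points to.

```cil
;; Added example module (not from the patch set): the sctp_socket class,
;; portcon statement and rule table from SELinux-sctp.txt in one CIL module.
;; The type names, the 2000-2001 range and the refpolicy identifiers
;; domain, port_type, node_t and object_r are assumptions for illustration.
;; Class lines are only needed if the base policy lacks sctp_socket.
(classcommon sctp_socket socket)
(class sctp_socket (node_bind name_connect association bindx_add connectx))
(classorder (unordered sctp_socket))

(type sctp_test_t)
(typeattributeset domain (sctp_test_t))
(type sctp_test_port_t)
(typeattributeset port_type (sctp_test_port_t))
(roletype object_r sctp_test_port_t)
(type sctp_test_peer_t)
(roletype object_r sctp_test_peer_t)

;; Label the SCTP ports the test domain binds or connects to.
(portcon sctp (2000 2001) (system_u object_r sctp_test_port_t ((s0) (s0))))

;; Socket-level operations, including the two new multi-address ones. The
;; target is the socket's own label, which is the process label unless
;; setsockcreatecon(3) chose another one.
(allow sctp_test_t self (sctp_socket (create getattr setattr read write
    bind connect listen accept shutdown bindx_add connectx)))

;; Port checks: bind(2)/sctp_bindx(3) need name_bind and
;; connect(2)/sctp_connectx(3) need name_connect against the portcon label.
(allow sctp_test_t sctp_test_port_t (sctp_socket (name_bind name_connect)))

;; node_bind for each local address being bound.
(allow sctp_test_t node_t (sctp_socket (node_bind)))

;; association is checked against the peer label of the first association
;; on the socket when network_peer_controls = 1.
(allow sctp_test_t sctp_test_peer_t (sctp_socket (association)))
```

Load it with `semodule -i sctp_test.cil`; `sesearch -A -s sctp_test_t -c sctp_socket` then shows whether the bindx_add/connectx/association permissions resolved, which is also the quickest proof that the running base policy knows the new class.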



Re: [RFC PATCH 1/1] kernel: Add SELinux SCTP protocol support

2017-02-06 Thread Richard Haines
On Wed, 2016-12-21 at 14:09 -0200, Marcelo Ricardo Leitner wrote:
> On Wed, Dec 14, 2016 at 01:39:59PM +0000, Richard Haines wrote:
> > +SCTP Socket Option Permissions
> > +===
> > +The permissions consist of: "bindx_add" "bindx_rem" "connectx"
> > "set_addr" and
> > +"set_params" that are validated on setsockopt(2) calls, and
> > "peeloff" that is
> > +validated on getsockopt(2) calls.
> > +
> > +SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
> > + associated after (optionally) calling
> > bind(2)
> > + if given the "bind_add" permission.
> > +
> > +SCTP_SOCKOPT_CONNECTX  - Allows the allocation of multiple
> > + addresses for reaching a multi-homed peer
> > + if given the "connectx" permission.
> > +
> > +  Together they are used to form SCTP associations with
> > information being
> > +  passed over the link to inform the peer of any changes. As these
> > two options
> > +  can support multiple addresses, each address is checked via
> > +  selinux_socket_bind() or selinux_socket_connect() to determine
> > whether they
> > +  have the correct permissions:
> > +bindx_add: bind, name_bind, node_bind + node SID + port SID
> > via the
> > +   (portcon sctp port ctx) policy statement.
> > +connectx:  connect, name_connect + port SID via the
> > +   (portcon sctp port ctx) policy statement.
> > +
> > +SCTP_SOCKOPT_BINDX_REM - Allows additional bind addresses to be
> > removed
> > + if given the "bind_rem" permission.
> > +
> > +SCTP_PEER_ADDR_PARAMS - Alter heartbeats and address max
> > retransmissions.
> > +SCTP_PEER_ADDR_THLDS  - Alter the thresholds.
> > +SCTP_ASSOCINFO- Alter association and endpoint parameters.
> > + These require the "set_params" permission.
> > +
> > +SCTP_PRIMARY_ADDR  - Set local primary address.
> > +SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
> > association primary.
> > + These require the "set_addr" permission.
> > +
> > +SCTP_SOCKOPT_PEELOFF - Branch off an association into a new socket
> > that
> > +will be a one-to-one style socket. As SELinux already handles the
> > creation
> > +of new sockets, only the "peeloff" permission is checked.
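
Review bot: the permission names in this section are inconsistent: the introduction lists "bindx_add" and "bindx_rem", but SCTP_SOCKOPT_BINDX_ADD says 'if given the "bind_add" permission' and SCTP_SOCKOPT_BINDX_REM says 'if given the "bind_rem" permission'. Use the class's actual names (bindx_add/bindx_rem) throughout so a policy writer does not look for a permission that does not exist.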
> 
> ...
> 
> > diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> > index 7b0e059..ff4f1a8 100644
> > --- a/net/sctp/socket.c
> > +++ b/net/sctp/socket.c
> > @@ -1009,6 +1009,12 @@ static int sctp_setsockopt_bindx(struct sock
> > *sk,
> >     /* Do the work. */
> >     switch (op) {
> >     case SCTP_BINDX_ADD_ADDR:
> > +   /* Allow security module to validate bindx
> > addresses. */
> > +   err = security_sk_setsockopt(sk, SOL_SCTP,
> > +    SCTP_SOCKOPT_BINDX_AD
> > D,
> > +    (char *)kaddrs,
> > addrs_size);
> 
> Here, kaddrs is about the addresses that we are going to bind to.
> 
> > +   if (err)
> > +   goto out;
> >     err = sctp_bindx_add(sk, kaddrs, addrcnt);
> >     if (err)
> >     goto out;
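
Review bot: the new security_sk_setsockopt() call in sctp_setsockopt_bindx() hands the module `(char *)kaddrs` with addrs_size (bytes), while the surrounding code works with addrcnt; every LSM therefore has to re-walk a variable-length sockaddr list (mixed sockaddr_in/sockaddr_in6 sizes) and cope with a trailing partial element itself. Either document that contract in the hook's kernel-doc or pass a typed address list plus count so the parsing is done once in net/sctp rather than once per module.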
> > @@ -1329,9 +1335,17 @@ static int __sctp_setsockopt_connectx(struct
> > sock *sk,
> >     if (__copy_from_user(kaddrs, addrs, addrs_size)) {
> >     err = -EFAULT;
> >     } else {
> > +   /* Allow security module to validate connectx
> > addresses. */
> > +   err = security_sk_setsockopt(sk, SOL_SCTP,
> > +    SCTP_SOCKOPT_CONNECTX
> > ,
> > +   (char *)kaddrs,
> > addrs_size);
> 

Sorry for the delay but I now think I've resolved all but one of the
SCTP issues with tests to check them. The only area I'm having trouble
with is labeling TCP-style child sockets but hope to resolve.

> Here, kaddrs is about the remote addresses that we are connecting to.
> Not sure how feasible this is for SELinux, to maintain a list of
> allowed
> peers. 
SELinux does not maintain lists, however it can check whether the
addresses/ports are allowed or not (which is what I do for binds,
connects etc.).

> But this being right, I think we are missing the hooks at ASCONF
> handling side.
> One SCTP peer can start/stop binding to another IP in

[PATCH] setfiles: Fix setfiles progress indicator

2017-01-27 Thread Richard Haines
This fixes the following bug:
UX regression: setfiles progress indicator is now misleading and
confusing in fixfiles.

The output of * is replaced by the number of files in 1k increments, as
in the previous versions. If "/" is specified on the pathname, then this
will indicate a mass relabel; an example output will be:
restorecon -nRp /etc /tmp /boot /
/etc 100.0%
/tmp 100.0%
/boot 100.0%
3.2%

Also setfiles(8) and restorecon(8) versions that are implemented using
the selinux_restorecon(3) function do not support the [-o filename]
option as this was deprecated. This has now been made clear by displaying
a message to stderr.

The documentation has also been updated to reflect these changes.

Reported-by: Alan Jenkins <alan.christopher.jenk...@gmail.com>
Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 libselinux/include/selinux/restorecon.h  | 11 +++---
 libselinux/man/man3/selinux_restorecon.3 | 12 +--
 libselinux/src/selinux_restorecon.c  | 37 
 policycoreutils/setfiles/.gitignore  |  1 -
 policycoreutils/setfiles/Makefile|  7 ++
 policycoreutils/setfiles/restore.c   |  3 ++-
 policycoreutils/setfiles/restore.h   |  9 +---
 policycoreutils/setfiles/restorecon.8|  4 ++--
 policycoreutils/setfiles/setfiles.8  |  6 +++---
 policycoreutils/setfiles/setfiles.c  | 27 +++
 10 files changed, 45 insertions(+), 72 deletions(-)

diff --git a/libselinux/include/selinux/restorecon.h 
b/libselinux/include/selinux/restorecon.h
index 7cfdee1..de694cd 100644
--- a/libselinux/include/selinux/restorecon.h
+++ b/libselinux/include/selinux/restorecon.h
@@ -50,9 +50,9 @@ extern int selinux_restorecon(const char *pathname,
  */
 #define SELINUX_RESTORECON_VERBOSE 0x0010
 /*
- * Show progress by printing * to stdout every 1000 files, unless
- * relabeling the entire OS, that will then show the approximate
- * percentage complete.
+ * If SELINUX_RESTORECON_PROGRESS is true and
+ * SELINUX_RESTORECON_MASS_RELABEL is true, then output approx % complete,
+ * else output the number of files in 1k blocks processed to stdout.
  */
 #define SELINUX_RESTORECON_PROGRESS0x0020
 /*
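
Review bot: the rewritten comment on SELINUX_RESTORECON_PROGRESS reads as if the 'else output the number of files in 1k blocks' branch applies even when the flag is clear. Since nothing is printed without PROGRESS, phrase it from the flag's point of view, e.g. 'When set, print the number of files processed in 1k blocks to stdout; if SELINUX_RESTORECON_MASS_RELABEL is also set, print the approximate percentage complete instead.'
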
@@ -91,6 +91,11 @@ extern int selinux_restorecon(const char *pathname,
  * mounts to be excluded from relabeling checks.
  */
 #define SELINUX_RESTORECON_IGNORE_MOUNTS   0x2000
+/*
+ * Set if there is a mass relabel required.
+ * See SELINUX_RESTORECON_PROGRESS flag for details.
+ */
+#define SELINUX_RESTORECON_MASS_RELABEL0x4000
 
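
Review bot: the new SELINUX_RESTORECON_MASS_RELABEL comment, 'Set if there is a mass relabel required.', does not say who sets it. Since this patch removes the library's own static mass_relabel state, make explicit that the caller (setfiles/restorecon) passes the flag when it decides a whole-filesystem relabel is in progress, and that, as the man page hunk says, it has no effect unless SELINUX_RESTORECON_PROGRESS is also set.
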
 /**
  * selinux_restorecon_set_sehandle - Set the global fc handle.
diff --git a/libselinux/man/man3/selinux_restorecon.3 
b/libselinux/man/man3/selinux_restorecon.3
index d698818..1eac6ed 100644
--- a/libselinux/man/man3/selinux_restorecon.3
+++ b/libselinux/man/man3/selinux_restorecon.3
@@ -88,8 +88,16 @@ will take precedence.
 .RE
 .sp
 .B SELINUX_RESTORECON_PROGRESS
-show progress by printing * to stdout every 1000 files unless relabeling the
-entire OS, that will then show the approximate percentage complete.
+show progress by outputting the number of files in 1k blocks processed
+to stdout. If the
+.B SELINUX_RESTORECON_MASS_RELABEL
+flag is also set then the approximate percentage complete will be shown.
+.sp
+.B SELINUX_RESTORECON_MASS_RELABEL
+generally set when relabeling the entire OS, that will then show the
+approximate percentage complete. The
+.B SELINUX_RESTORECON_PROGRESS
+flag must also be set.
 .sp
 .B SELINUX_RESTORECON_REALPATH
 convert passed-in
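
Review bot: 'show progress by outputting the number of files in 1k blocks processed to stdout' is hard to parse; 'print the number of files processed, in 1k units, to stdout' says the same thing. The SELINUX_RESTORECON_MASS_RELABEL entry, 'generally set when relabeling the entire OS, that will then show the approximate percentage complete', also needs a subject: 'set when relabeling the entire OS; progress is then shown as the approximate percentage complete.'
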
diff --git a/libselinux/src/selinux_restorecon.c 
b/libselinux/src/selinux_restorecon.c
index 38acbd2..9fdafea 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -41,7 +41,7 @@
 #define SYS_PATH "/sys"
 #define SYS_PREFIX SYS_PATH "/"
 
-#define STAR_COUNT 1000
+#define STAR_COUNT 1024
 
 static struct selabel_handle *fc_sehandle = NULL;
 static unsigned char *fc_digest = NULL;
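
Review bot: STAR_COUNT changes from 1000 to 1024 here, but the header comment this patch removes said '* to stdout every 1000 files' and the commit message says the 1k output matches 'the previous versions', so the unit has silently changed; either keep 1000 or say in restorecon.h and the man page that 1k means 1024 files. The macro also no longer counts stars; a name such as PROGRESS_STEP would stop the next reader looking for the missing '*'.
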
@@ -68,18 +68,12 @@ static uint64_t efile_count;/* Estimated total 
number of files */
 struct dir_xattr *dir_xattr_list;
 static struct dir_xattr *dir_xattr_last;
 
-/*
- * If SELINUX_RESTORECON_PROGRESS is set and mass_relabel = true, then
- * output approx % complete, else output * for every STAR_COUNT files
- * processed to stdout.
- */
-static bool mass_relabel;
-
 /* restorecon_flags for passing to restorecon_sb() */
 struct rest_flags {
bool nochange;
bool verbose;
bool progress;
+   bool mass_relabel;
bool set_specctx;
bool add_assoc;
bool ignore_digest;
@@ -631,14 +625,14 @@ static int restorecon_sb(const char *pathname, const 
struct stat *sb,
if (flags->progress) {
fc_count++;
if (fc_count % STAR_COUNT == 0) {
-   if (mass_relabel && efile_count > 0) {
+ 

Re: [RFC PATCH 1/1] kernel: Add SELinux SCTP protocol support

2016-12-21 Thread Richard Haines
On Fri, 2016-12-16 at 11:40 -0200, Marcelo Ricardo Leitner wrote:
> On Wed, Dec 14, 2016 at 02:01:35PM +, David Laight wrote:
> > From: Richard Haines
> > > Sent: 14 December 2016 13:40
> > > Add SELinux support for the SCTP protocol. The SELinux-sctp.txt
> > > document
> > > describes how the patch has been implemented with an example
> > > policy and
> > > tests using lksctp-tools.
> > 
> > ...
> > > +SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
> > > + associated after (optionally) calling
> > > bind(2)
> > > + if given the "bind_add" permission.
> > 
> > Does restricting bindx make any sense at all?
> > The only addresses than can be specified are those of local
> > interfaces.
> > If bindx isn't called then the default is to include the addresses
> > of
> > all local interfaces.
> > So bindx only actually removes local addresses, it doesn't add
> > them.
> 
> You could bind the socket while on a privileged process and then drop
> the privileges, like daemons do for binding on lower ports. Then the
> application wouldn't be able to bind on another address that it's not
> expected to.
> 
>   Marcelo
> 

It appears from Marcelo's comments that keeping bindx_add/bindx_rem
would be useful. However I will rename the permissions to a single
permission of "bindx_addr" if that's okay.

Any more sctp specific comments gratefully received (SELinux/LSM as
well of course). I plan to issue an updated patch mid-late Jan '17.

> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


[RFC PATCH 1/1] kernel: Add SELinux SCTP protocol support

2016-12-14 Thread Richard Haines
Add SELinux support for the SCTP protocol. The SELinux-sctp.txt document
describes how the patch has been implemented with an example policy and
tests using lksctp-tools.

Patches to assist the testing of this kernel patch are:
1) Support the new SCTP portcon statement used in the test CIL policy
module shown in Documentation/security/SELinux-sctp.txt; this can be found
at [1].
2) Add SELinux support for the http://lksctp.sourceforge.net/ apps
sctp_test.c and sctp_darn.c; this can be found at [2].

Built and tested on Fedora 25 with linux-4.8 kernel.

[1] 
http://arctic.selinuxproject.org/~rhaines/selinux-sctp/selinux-Add-support-for-the-SCTP-portcon-keyword.patch
[2] 
http://arctic.selinuxproject.org/~rhaines/selinux-sctp/lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 Documentation/security/SELinux-sctp.txt | 508 
 include/linux/lsm_hooks.h   |  27 ++
 include/linux/security.h|  16 +
 net/sctp/sm_statefuns.c |  12 +
 net/sctp/socket.c   |  16 +
 security/security.c |  18 ++
 security/selinux/Makefile   |   2 +
 security/selinux/hooks.c| 124 +++-
 security/selinux/include/classmap.h |   4 +
 security/selinux/include/sctp.h |  50 
 security/selinux/include/sctp_private.h |  39 +++
 security/selinux/netlabel.c |   3 +
 security/selinux/sctp.c | 194 
 13 files changed, 1002 insertions(+), 11 deletions(-)
 create mode 100644 Documentation/security/SELinux-sctp.txt
 create mode 100644 security/selinux/include/sctp.h
 create mode 100644 security/selinux/include/sctp_private.h
 create mode 100644 security/selinux/sctp.c

diff --git a/Documentation/security/SELinux-sctp.txt 
b/Documentation/security/SELinux-sctp.txt
new file mode 100644
index 000..dcad4b2
--- /dev/null
+++ b/Documentation/security/SELinux-sctp.txt
@@ -0,0 +1,508 @@
+   SCTP SELinux Support
+  ==
+
+Security Hooks
+===
+security_sk_setsockopt()
+-
+A new security hook security_sk_setsockopt() is introduced that checks
+permissions before setting the options associated with sock @sk.
+This is supported in security/selinux/hooks.c and net/sctp/socket.c
+
+An example usage is where sctp_getsockopt_connectx3() and
+__sctp_setsockopt_connectx() manage the @optval data into a certain
+state before security_sk_setsockopt is called for permission checks. This
+means that the code to manage options does not need to be replicated in the
+security module. See include/linux/lsm_hooks.h for details.
+
+security_sctp_assoc_request()
+-
+security/selinux/hooks.c selinux_sctp_assoc_request() has been introduced to
+support SCTP and obtains the sock peer context if first association and
+also checks the association permission as shown in the "SCTP Peer Labeling
+and Permission Checks" section below.
+
+The security_sctp_assoc_request() security hook has been added to
+net/sctp/sm_statefuns.c where it passes the sk and chunk->skb to the security
+module.
+
+security_sk_clone()
+
+Added to net/sctp/socket.c sctp_sock_migrate() for cloning the security
+context on a new socket.
+
+
+Policy Statements
+==
+A new object class "sctp_socket" has been introduced with the following SCTP
+specific permissions: "association" "bindx_add" "bindx_rem" "connectx"
+"peeloff" "set_addr" and "set_params". These are explained in the sections
+below.
+
+Kernel policy language
+---
+class sctp_socket
+class sctp_socket inherits socket { node_bind name_connect association
+bindx_add bindx_rem connectx peeloff set_addr set_params }
+
+CIL policy language
+
+(classcommon sctp_socket socket)
+(class sctp_socket (node_bind name_connect association bindx_add bindx_rem
+   connectx peeloff set_addr set_params))
+(classorder (unordered sctp_socket))
+
+If userspace tools have been updated (see "Testing" section), then the portcon
+statement may be used as shown in the following example:
+(portcon sctp (2000 2) (system_u object_r port_test_t ((s0) (s0
+
+Rule validation parameters used when 'network_peer_controls = 1':
+---
+Rule  Source   Target ClassPermissions
+---
+allow domain_t self : sctp_socket {connectx peeloff set_addr set_params};
+allow domain_t socket_t : sctp_socket {bindx_add bindx_rem set_params peeloff};
+allow socket_t port_t   : sctp_socket {name_bind name_connect};
+allow socket_t node_t   : 
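Review bot: the CIL example `(portcon sctp (2000 2) (system_u object_r port_test_t ((s0) (s0` is missing its closing parentheses as it appears here, so it cannot be pasted into a policy; please complete the statement. Two headings in the same region, "security_sk_clone()" and "CIPSO policy language", have an empty line where the neighbouring headings carry an underline, and the sentence "This is supported in security/selinux/hooks.c and net/sctp/socket.c" has no full stop. In the "Rule validation parameters" table the header reads "Rule  Source   Target ClassPermissions" but the rows are written as allow statements; either drop the column header or lay the rows out as columns. Finally, "obtains the sock peer context if first association" would read better as "if this is the first association".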

[RFC PATCH 1/1] selinux-testsuite: Add IPv6 client/server support plus tests

2016-12-05 Thread Richard Haines
Split the Netlabel tests into two, one for full labeling and the
other for plain CIPSO4.

Added comments to tests where required to explain pass/fail as
there is no support for retrieving UDP peer labels on the IPv6 stack.

Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
---
 README |   1 +
 .../inet_socket/{netlabel-flush => cipso-fl-flush} |   0
 tests/inet_socket/{netlabel-load => cipso-fl-load} |   2 +-
 tests/inet_socket/cipso-flush  |   5 +
 tests/inet_socket/cipso-load   |  11 ++
 tests/inet_socket/client.c |  91 +++---
 tests/inet_socket/ipsec-load   |   6 +
 tests/inet_socket/iptables-flush   |   2 +
 tests/inet_socket/iptables-load|  20 +++
 tests/inet_socket/server.c |  67 +-
 tests/inet_socket/test | 140 ++---
 11 files changed, 251 insertions(+), 94 deletions(-)
 rename tests/inet_socket/{netlabel-flush => cipso-fl-flush} (100%)
 rename tests/inet_socket/{netlabel-load => cipso-fl-load} (89%)
 create mode 100755 tests/inet_socket/cipso-flush
 create mode 100755 tests/inet_socket/cipso-load

diff --git a/README b/README
index 69b4839..8dbbbda 100644
--- a/README
+++ b/README
@@ -16,6 +16,7 @@ test SELinux:
 CONFIG_AUDIT=y
 CONFIG_NET=y
 CONFIG_INET=y
+CONFIG_IPV6=y
 CONFIG_SECURITY=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
diff --git a/tests/inet_socket/netlabel-flush b/tests/inet_socket/cipso-fl-flush
similarity index 100%
rename from tests/inet_socket/netlabel-flush
rename to tests/inet_socket/cipso-fl-flush
diff --git a/tests/inet_socket/netlabel-load b/tests/inet_socket/cipso-fl-load
similarity index 89%
rename from tests/inet_socket/netlabel-load
rename to tests/inet_socket/cipso-fl-load
index 35898d3..3fbc928 100755
--- a/tests/inet_socket/netlabel-load
+++ b/tests/inet_socket/cipso-fl-load
@@ -7,7 +7,7 @@
 #   CIPSOv4 only supports passing MLS labels across the network).
 
 # Define a localhost/loopback doi and apply it to the loopback address
-# so that we get full SELinux labels over loopback connections.
+# so that we get full SELinux labels over IPv4 loopback connections.
 netlabelctl cipsov4 add local doi:1
 netlabelctl map del default
 netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
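Review bot: the comment now says "IPv4 loopback connections", but the only default mapping visible in this hunk is address:0.0.0.0/0 protocol:unlbl; since the new IPv6 tests run against this configuration too, the comment should say what label IPv6 loopback traffic receives under it (or a mapping for ::/0 should be added, as cipso-load in this same patch does), so a reader of the test can see why the IPv6 cases pass or fail.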
diff --git a/tests/inet_socket/cipso-flush b/tests/inet_socket/cipso-flush
new file mode 100755
index 000..2ac8523
--- /dev/null
+++ b/tests/inet_socket/cipso-flush
@@ -0,0 +1,5 @@
+#!/bin/sh
+# Reset NetLabel configuration to unlabeled for all.
+netlabelctl map del default
+netlabelctl cipsov4 del doi:16
+netlabelctl map add default protocol:unlbl
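Review bot: none of the three netlabelctl calls has its exit status checked, so if `netlabelctl cipsov4 del doi:16` fails (for example because a mapping still references the DOI) the script carries on and re-adds the unlabeled default on top of stale state. Suggest `set -e` after the shebang, or an explicit check of each command's return code, so the harness reports a failed flush instead of running the next test against a half-reset NetLabel configuration.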
diff --git a/tests/inet_socket/cipso-load b/tests/inet_socket/cipso-load
new file mode 100755
index 000..662747d
--- /dev/null
+++ b/tests/inet_socket/cipso-load
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Based on http://paulmoore.livejournal.com/7234.html.
+#
+# Modifications:
+# - Defined a doi for testing loopback for CIPSOv4.
+
+netlabelctl cipsov4 add pass doi:16 tags:5
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
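Review bot: the header comment says a DOI was defined for loopback testing but not why doi:16 was chosen (cipso-fl-load in this patch uses doi:1) or what tags:5 selects; a one-line note would help whoever adds further tag types later. Also, only 127.0.0.1 is mapped to protocol:cipsov4,16 while ::1 falls under the address:::/0 protocol:unlbl mapping; since the commit message relies on exactly that for the IPv6 UDP peer-label pass/fail comments, say here that IPv6 loopback is deliberately left unlabeled so the test file is self-explanatory.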
diff --git a/tests/inet_socket/client.c b/tests/inet_socket/client.c
index cf274cf..f104b0d 100644
--- a/tests/inet_socket/client.c
+++ b/tests/inet_socket/client.c
@@ -2,6 +2,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -18,51 +19,62 @@
 void usage(char *progname)
 {
fprintf(stderr,
-   "usage:  %s [-n] [stream|dgram] port\n",
-   progname);
+   "usage:  %s [-e expected_msg] [stream|dgram] addr port\n"
+   "\nWhere:\n\t"
+   "-e  Optional expected message from server e.g. 
\"nopeer\".\n\t"
+   "If not present the client context will be used as 
a\n\t"
+   "comparison with the servers the reply.\n\t"
+   "stream  Use TCP protocol or:\n\t"
+   "dgram   use UDP protocol.\n\t"
+   "addrIPv4 or IPv6 address (e.g. 127.0.0.1 or ::1)\n\t"
+   "portPort for accessing server.\n", progname);
exit(1);
 }
 
-int
-main(int argc, char **argv)
+int main(int argc, char **argv)
 {
-   char byte, label[256];
-   int sock;
-   int result;
-   struct sockaddr_in sin;
-   socklen_t sinlen;
-   int type;
-   char *mycon;
+   char byte, label[256], *expected = NULL;
+   int sock, result, opt;
+   struct addrinfo hints, *serverinfo;
unsigned short port;
struct timeval tm;
-   int opt;
-   bool

[RFC PATCH 0/1] selinux-testsuite: Add IPv6 client/server support plus tests

2016-12-05 Thread Richard Haines
I've added support for IPv6 to the test suite and added some additional
tests. Thought I would make this an RFC as I'm not sure if all tests are
suitable. If any additions are required, let me know.

Remember that if you add this with patch(1), the tests/inet_socket/cipso-flush
and load files do not get their executable bits set, so you need to do this
manually.

Runs okay on Fedora 25 apart from the overlay test that is a known problem.

Richard Haines (1):
  selinux-testsuite: Add IPv6 client/server support plus tests

 README |   1 +
 .../inet_socket/{netlabel-flush => cipso-fl-flush} |   0
 tests/inet_socket/{netlabel-load => cipso-fl-load} |   2 +-
 tests/inet_socket/cipso-flush  |   5 +
 tests/inet_socket/cipso-load   |  11 ++
 tests/inet_socket/client.c |  91 +++---
 tests/inet_socket/ipsec-load   |   6 +
 tests/inet_socket/iptables-flush   |   2 +
 tests/inet_socket/iptables-load|  20 +++
 tests/inet_socket/server.c |  67 +-
 tests/inet_socket/test | 140 ++---
 11 files changed, 251 insertions(+), 94 deletions(-)
 rename tests/inet_socket/{netlabel-flush => cipso-fl-flush} (100%)
 rename tests/inet_socket/{netlabel-load => cipso-fl-load} (89%)
 create mode 100755 tests/inet_socket/cipso-flush
 create mode 100755 tests/inet_socket/cipso-load

-- 
2.9.3

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: SELinux system configuration using CIPSO

2016-11-22 Thread Richard Haines
On Tue, 2016-11-15 at 09:28 -0800, Casey Schaufler wrote:
> I am looking for an SELinux configuration that uses CIPSO.
> Ideally, it would be based on a readily available distro,
> but I'm willing to perform semi-heroic acts if I have too.
> I'm not in a position to develop it myself, nor would that
> really suit my nefarious purposes. Thank you.
> 
I put this together out of idle curiosity using the targeted policy, as
no policy updates are required, only netlabelctl commands. If you need
something else like policy config let me know and I'll see what I can
do.



This is a simple CIPSO demo showing that separation across the network is
possible where there are two services on machine A and two clients on
machine B where client B1 can talk to service A1 but not A2 and
client B2 can talk to service A2 but not A1.

The demo shown requires:
1) Two systems with the NETLABEL kernel config and the "targeted" SELinux
   policy. Used Fedora 24 for demo as this does not require any additional
   configuration.

2) netlabel_tools and tcpdump installed on each system.

3) Machine "A" requires a server app installed and Machine "B" a client
   app. I've added the code below that can be copied and built/installed on
   each machine. Note that the binaries must be labeled bin_t so these were
   installed in /usr/local/bin.

4) The demo network used: 

   ----------               Ethernet   193.168.1.65----------
   | A1, A2 | <----------------------------------> | B1, B2 |
   ---------- 193.168.1.78                         ----------


Basically the demo configures the network for CIPSO using netlabelctl(8) and
then runs the client / server apps using runcon(1) with different levels.
Because the targeted policy is being used there is only the single
s0 sensitivity with 1024 categories; however, I think it does show the basics.

Demo 1 - Just prove the system works
-

On Machine A run a server from a terminal session:
server 

On Machine B run a client from a terminal session:
client 193.168.1.78 

There should be output from each app with an example client:

client 193.168.1.78 
open socket - Peer Context: system_u:object_r:unlabeled_t:s0
connect - No Peer Context Available
recv - No Peer Context Available

Information from Server in RED:
This is Message-1 from the server listening on port: 
Client source port: 40152
Server Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Server Peer Context: No Peer Context Available

Client Information in GREEN:
Client Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Client Peer Context: No Peer Context Available


 Now exit the server session. 

Demo 2 - Add cipso config
--

On Machine A run the following to set up cipso:
netlabelctl cipsov4 add pass doi:15 tags:5
netlabelctl map add domain:unconfined_t address:0.0.0.0/0 protocol:unlbl
netlabelctl map add domain:unconfined_t address:193.168.1.65 protocol:cipsov4,15
netlabelctl -p map list

On Machine B run:
netlabelctl cipsov4 add pass doi:15 tags:5
netlabelctl map add domain:unconfined_t address:0.0.0.0/0 protocol:unlbl
netlabelctl map add domain:unconfined_t address:193.168.1.78 protocol:cipsov4,15
netlabelctl -p map list

The output from the "netlabelctl -p map list" command should be like:
netlabelctl -p map list
Configured NetLabel domain mappings (2)
 domain: "unconfined_t"
   address: 193.168.1.78/32
protocol: CIPSOv4, DOI = 15
   address: 0.0.0.0/0
protocol: UNLABELED
 domain: DEFAULT
   protocol: UNLABELED


If okay then run the sessions shown in Demo 3 using "tcpdump -x -i "
to monitor the sessions. There is an example client tcpdump session showing the
relevant info after the demos.

Demo 3 - Check cipso network separation.
-

On Machine A run two servers from separate terminal sessions:
A1
runcon -l s0:c10,c40.c50 server 
A2
runcon -l s0:c20,c100.c200 server 

On Machine B run two clients from separate terminal sessions:
B1 -> A1
runcon -l s0:c10,c40.c45 client 193.168.1.78 
B2 -> A2
runcon -l s0:c20,c100.c200 client 193.168.1.78 

There should be valid output from each session, for example:

runcon -l s0:c10,c40.c45 client 193.168.1.78 
open socket - Peer Context: system_u:object_r:unlabeled_t:s0
connect - Peer Context: system_u:object_r:netlabel_peer_t:s0:c10,c40.c45
recv - Peer Context: system_u:object_r:netlabel_peer_t:s0:c10,c40.c45

Information from Server in RED:
This is Message-1 from the server listening on port: 
Client source port: 40250
Server Context: unconfined_u:unconfined_r:unconfined_t:s0:c10,c40.c50
Server Peer Context: system_u:object_r:netlabel_peer_t:s0:c10,c40.c45

Client 
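The separation in Demo 3 comes down to MLS dominance: A1's level s0:c10,c40.c50 dominates B1's s0:c10,c40.c45 (same sensitivity, superset of categories), while A2's s0:c20,c100.c200 dominates neither B1 nor vice versa. The following is an added C example, not the demo's client/server code: it parses the level part of a context and applies that comparison; parse_level and peer_allowed are names chosen here, and the check is done in plain C rather than by calling libselinux.

```c
/* Added example, not the demo's client/server code: parse an SELinux MLS
 * level such as "s0:c10,c40.c45" and decide whether one level dominates. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* sens is the N of "sN"; cats is a bitmap of c0.c1023 (targeted policy). */
struct level { int sens; unsigned char cats[1024 / 8]; };

/* Parse "sN[:cA[.cB][,cC[.cD]...]]"; single levels only, no "s0-s0" ranges. */
bool parse_level(const char *s, struct level *out)
{
    char *end;
    memset(out, 0, sizeof(*out));
    if (*s != 's') return false;
    out->sens = (int)strtol(s + 1, &end, 10);
    if (end == s + 1) return false;
    if (*end == '\0') return true;          /* sensitivity with no categories */
    if (*end != ':') return false;
    for (const char *p = end + 1; *p; ) {
        if (*p != 'c') return false;
        long lo = strtol(p + 1, &end, 10), hi = lo;
        if (end == p + 1) return false;
        p = end;
        if (*p == '.' && p[1] == 'c') {     /* range cA.cB */
            hi = strtol(p + 2, &end, 10);
            if (end == p + 2) return false;
            p = end;
        }
        if (lo < 0 || hi < lo || hi >= 1024) return false;
        for (long c = lo; c <= hi; c++)
            out->cats[c / 8] |= (unsigned char)(1u << (c % 8));
        if (*p == ',') p++;
        else if (*p != '\0') return false;
    }
    return true;
}

/* May a socket at level `sock` receive from a peer labelled `peer`?  Only if
 * sock's sensitivity is >= peer's and its categories are a superset. */
bool peer_allowed(const char *sock, const char *peer)
{
    struct level s, p;
    if (!parse_level(sock, &s) || !parse_level(peer, &p) || s.sens < p.sens)
        return false;
    for (size_t i = 0; i < sizeof(s.cats); i++)
        if (p.cats[i] & ~s.cats[i]) return false; /* peer has a category sock lacks */
    return true;
}
```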

Re: github issue trackers

2016-11-22 Thread Richard Haines
On Fri, 2016-11-18 at 12:02 -0500, Stephen Smalley wrote:
> On 11/18/2016 11:49 AM, Richard Haines wrote:
> > 
> > On Fri, 2016-11-18 at 10:30 -0500, Stephen Smalley wrote:
> > > 
> > > Hi,
> > > 
> > > I've populated the github issue trackers for the selinux
> > > (userspace)
> > > and
> > > selinux-kernel github projects, see:
> > > https://github.com/SELinuxProject/selinux/issues
> > > and
> > > https://github.com/SELinuxProject/selinux-kernel/issues
> > > 
> > > The old ToDo wiki pages are being migrated over, although I would
> > > like
> > > to drop items that are either a) already in progress, b)
> > > vague/ill-defined, or c) unlikely to be done.  Going forward,
> > > we'll
> > > just
> > > use the issue trackers for all new items.
> > > 
> > > Feel free to identify additional issues that I may have missed,
> > > but
> > > please try to keep them well-defined and feasible.
> > 
> > Just thought I would update you regarding the status of the RFC
> > SCTP
> > kernel patches I sent a few years ago that are referenced at:
> > https://github.com/SELinuxProject/selinux-kernel/issues/5
> > 
> > I have been keeping these updated and fixing problems as I find
> > them,
> > however I have not resubmitted. If there is interest I'm happy to
> > submit again and see how far I can get. If anyone is interested
> > I keep a set of patches at:
> > http://arctic.selinuxproject.org/~rhaines/selinux-sctp
> > 
> > For the gory details read:
> > http://arctic.selinuxproject.org/~rhaines/selinux-sctp/readme.txt
> 
> Thanks, I'd certainly like to see them upstreamed.  Were there
> specific
> objections or just a lack of response?

It was really a lack of response, so I thought I would wait until
someone had a real requirement. Paul gave me some feedback on the
patches and I incorporated all except the "special accept()/child
socket labeling trick" (see comments at
http://marc.info/?l=selinux=141801137004870=2), mainly because
I was not sure if it was required or not.
I also needed feedback from the SCTP maintainers, particularly regarding
the placing of security hooks in sm_statefuns.c (see the drawing in
SELinux-sctp.txt).

What I can do is rebuild and test on latest Fedora 25 then submit
again as a new RFC patch and see how it goes.


Re: github issue trackers

2016-11-18 Thread Richard Haines
On Fri, 2016-11-18 at 10:30 -0500, Stephen Smalley wrote:
> Hi,
> 
> I've populated the github issue trackers for the selinux (userspace)
> and
> selinux-kernel github projects, see:
> https://github.com/SELinuxProject/selinux/issues
> and
> https://github.com/SELinuxProject/selinux-kernel/issues
> 
> The old ToDo wiki pages are being migrated over, although I would
> like
> to drop items that are either a) already in progress, b)
> vague/ill-defined, or c) unlikely to be done.  Going forward, we'll
> just
> use the issue trackers for all new items.
> 
> Feel free to identify additional issues that I may have missed, but
> please try to keep them well-defined and feasible.

Just thought I would update you regarding the status of the RFC SCTP
kernel patches I sent a few years ago that are referenced at:
https://github.com/SELinuxProject/selinux-kernel/issues/5

I have been keeping these updated and fixing problems as I find them,
however I have not resubmitted. If there is interest I'm happy to
submit again and see how far I can get. If anyone is interested
I keep a set of patches at:
http://arctic.selinuxproject.org/~rhaines/selinux-sctp

For the gory details read:
http://arctic.selinuxproject.org/~rhaines/selinux-sctp/readme.txt

> 
> Thanks.

