Commit 21abb1ec authored by Casey Schaufler's avatar Casey Schaufler

Smack: IPv6 host labeling

IPv6 appears to be (finally) coming of age with the
influx of autonomous devices. In support of this, add
the ability to associate a Smack label with IPv6 addresses.

This patch also cleans up some of the conditional
compilation associated with the introduction of
secmark processing. It's now more obvious which bit
of code goes with which feature.
Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
parent ca70d27e
...@@ -28,6 +28,10 @@ Smack kernels use the CIPSO IP option. Some network ...@@ -28,6 +28,10 @@ Smack kernels use the CIPSO IP option. Some network
configurations are intolerant of IP options and can impede configurations are intolerant of IP options and can impede
access to systems that use them as Smack does. access to systems that use them as Smack does.
Smack is used in the Tizen operating system. Please
go to http://wiki.tizen.org for information about how
Smack is used in Tizen.
The current git repository for Smack user space is: The current git repository for Smack user space is:
git://github.com/smack-team/smack.git git://github.com/smack-team/smack.git
...@@ -108,6 +112,8 @@ in the smackfs filesystem. This pseudo-filesystem is mounted ...@@ -108,6 +112,8 @@ in the smackfs filesystem. This pseudo-filesystem is mounted
on /sys/fs/smackfs. on /sys/fs/smackfs.
access access
Provided for backward compatibility. The access2 interface
is preferred and should be used instead.
This interface reports whether a subject with the specified This interface reports whether a subject with the specified
Smack label has a particular access to an object with a Smack label has a particular access to an object with a
specified Smack label. Write a fixed format access rule to specified Smack label. Write a fixed format access rule to
...@@ -136,6 +142,8 @@ change-rule ...@@ -136,6 +142,8 @@ change-rule
those in the fourth string. If there is no such rule it will be those in the fourth string. If there is no such rule it will be
created using the access specified in the third and the fourth strings. created using the access specified in the third and the fourth strings.
cipso cipso
Provided for backward compatibility. The cipso2 interface
is preferred and should be used instead.
This interface allows a specific CIPSO header to be assigned This interface allows a specific CIPSO header to be assigned
to a Smack label. The format accepted on write is: to a Smack label. The format accepted on write is:
"%24s%4d%4d"["%4d"]... "%24s%4d%4d"["%4d"]...
...@@ -157,7 +165,19 @@ direct ...@@ -157,7 +165,19 @@ direct
doi doi
This contains the CIPSO domain of interpretation used in This contains the CIPSO domain of interpretation used in
network packets. network packets.
ipv6host
This interface allows specific IPv6 internet addresses to be
treated as single label hosts. Packets are sent to single
label hosts only from processes that have Smack write access
to the host label. All packets received from single label hosts
are given the specified label. The format accepted on write is:
"%h:%h:%h:%h:%h:%h:%h:%h label" or
"%h:%h:%h:%h:%h:%h:%h:%h/%d label".
The "::" address shortcut is not supported.
If label is "-DELETE" a matched entry will be deleted.
load load
Provided for backward compatibility. The load2 interface
is preferred and should be used instead.
This interface allows access control rules in addition to This interface allows access control rules in addition to
the system defined rules to be specified. The format accepted the system defined rules to be specified. The format accepted
on write is: on write is:
...@@ -181,6 +201,8 @@ load2 ...@@ -181,6 +201,8 @@ load2
permissions that are not allowed. The string "r-x--" would permissions that are not allowed. The string "r-x--" would
specify read and execute access. specify read and execute access.
load-self load-self
Provided for backward compatibility. The load-self2 interface
is preferred and should be used instead.
This interface allows process specific access rules to be This interface allows process specific access rules to be
defined. These rules are only consulted if access would defined. These rules are only consulted if access would
otherwise be permitted, and are intended to provide additional otherwise be permitted, and are intended to provide additional
...@@ -205,6 +227,8 @@ netlabel ...@@ -205,6 +227,8 @@ netlabel
received from single label hosts are given the specified received from single label hosts are given the specified
label. The format accepted on write is: label. The format accepted on write is:
"%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label". "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
If the label specified is "-CIPSO" the address is treated
as a host that supports CIPSO headers.
onlycap onlycap
This contains labels processes must have for CAP_MAC_ADMIN This contains labels processes must have for CAP_MAC_ADMIN
and CAP_MAC_OVERRIDE to be effective. If this file is empty and CAP_MAC_OVERRIDE to be effective. If this file is empty
...@@ -232,7 +256,8 @@ unconfined ...@@ -232,7 +256,8 @@ unconfined
is dangerous and can ruin the proper labeling of your system. is dangerous and can ruin the proper labeling of your system.
It should never be used in production. It should never be used in production.
You can add access rules in /etc/smack/accesses. They take the form: If you are using the smackload utility
you can add access rules in /etc/smack/accesses. They take the form:
subjectlabel objectlabel access subjectlabel objectlabel access
......
...@@ -17,11 +17,26 @@ ...@@ -17,11 +17,26 @@
#include <linux/spinlock.h> #include <linux/spinlock.h>
#include <linux/lsm_hooks.h> #include <linux/lsm_hooks.h>
#include <linux/in.h> #include <linux/in.h>
#if IS_ENABLED(CONFIG_IPV6)
#include <linux/in6.h>
#endif /* CONFIG_IPV6 */
#include <net/netlabel.h> #include <net/netlabel.h>
#include <linux/list.h> #include <linux/list.h>
#include <linux/rculist.h> #include <linux/rculist.h>
#include <linux/lsm_audit.h> #include <linux/lsm_audit.h>
/*
* Use IPv6 port labeling if IPv6 is enabled and secmarks
* are not being used.
*/
#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
#define SMACK_IPV6_PORT_LABELING 1
#endif
#if IS_ENABLED(CONFIG_IPV6) && defined(CONFIG_SECURITY_SMACK_NETFILTER)
#define SMACK_IPV6_SECMARK_LABELING 1
#endif
/* /*
* Smack labels were limited to 23 characters for a long time. * Smack labels were limited to 23 characters for a long time.
*/ */
...@@ -118,15 +133,30 @@ struct smack_rule { ...@@ -118,15 +133,30 @@ struct smack_rule {
}; };
/* /*
* An entry in the table identifying hosts. * An entry in the table identifying IPv4 hosts.
*/ */
struct smk_netlbladdr { struct smk_net4addr {
struct list_head list; struct list_head list;
struct sockaddr_in smk_host; /* network address */ struct in_addr smk_host; /* network address */
struct in_addr smk_mask; /* network mask */ struct in_addr smk_mask; /* network mask */
int smk_masks; /* mask size */
struct smack_known *smk_label; /* label */
};
#if IS_ENABLED(CONFIG_IPV6)
/*
* An entry in the table identifying IPv6 hosts.
*/
struct smk_net6addr {
struct list_head list;
struct in6_addr smk_host; /* network address */
struct in6_addr smk_mask; /* network mask */
int smk_masks; /* mask size */
struct smack_known *smk_label; /* label */ struct smack_known *smk_label; /* label */
}; };
#endif /* CONFIG_IPV6 */
#ifdef SMACK_IPV6_PORT_LABELING
/* /*
* An entry in the table identifying ports. * An entry in the table identifying ports.
*/ */
...@@ -137,6 +167,7 @@ struct smk_port_label { ...@@ -137,6 +167,7 @@ struct smk_port_label {
struct smack_known *smk_in; /* inbound label */ struct smack_known *smk_in; /* inbound label */
struct smack_known *smk_out; /* outgoing label */ struct smack_known *smk_out; /* outgoing label */
}; };
#endif /* SMACK_IPV6_PORT_LABELING */
struct smack_onlycap { struct smack_onlycap {
struct list_head list; struct list_head list;
...@@ -170,6 +201,7 @@ enum { ...@@ -170,6 +201,7 @@ enum {
#define SMK_FSROOT "smackfsroot=" #define SMK_FSROOT "smackfsroot="
#define SMK_FSTRANS "smackfstransmute=" #define SMK_FSTRANS "smackfstransmute="
#define SMACK_DELETE_OPTION "-DELETE"
#define SMACK_CIPSO_OPTION "-CIPSO" #define SMACK_CIPSO_OPTION "-CIPSO"
/* /*
...@@ -252,10 +284,6 @@ struct smk_audit_info { ...@@ -252,10 +284,6 @@ struct smk_audit_info {
struct smack_audit_data sad; struct smack_audit_data sad;
#endif #endif
}; };
/*
* These functions are in smack_lsm.c
*/
struct inode_smack *new_inode_smack(struct smack_known *);
/* /*
* These functions are in smack_access.c * These functions are in smack_access.c
...@@ -285,7 +313,6 @@ extern struct smack_known *smack_syslog_label; ...@@ -285,7 +313,6 @@ extern struct smack_known *smack_syslog_label;
#ifdef CONFIG_SECURITY_SMACK_BRINGUP #ifdef CONFIG_SECURITY_SMACK_BRINGUP
extern struct smack_known *smack_unconfined; extern struct smack_known *smack_unconfined;
#endif #endif
extern struct smack_known smack_cipso_option;
extern int smack_ptrace_rule; extern int smack_ptrace_rule;
extern struct smack_known smack_known_floor; extern struct smack_known smack_known_floor;
...@@ -297,7 +324,10 @@ extern struct smack_known smack_known_web; ...@@ -297,7 +324,10 @@ extern struct smack_known smack_known_web;
extern struct mutex smack_known_lock; extern struct mutex smack_known_lock;
extern struct list_head smack_known_list; extern struct list_head smack_known_list;
extern struct list_head smk_netlbladdr_list; extern struct list_head smk_net4addr_list;
#if IS_ENABLED(CONFIG_IPV6)
extern struct list_head smk_net6addr_list;
#endif /* CONFIG_IPV6 */
extern struct mutex smack_onlycap_lock; extern struct mutex smack_onlycap_lock;
extern struct list_head smack_onlycap_list; extern struct list_head smack_onlycap_list;
......
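Review bot: The new `smk_masks` field in both `smk_net4addr` and `smk_net6addr` is commented only as `/* mask size */`, which leaves open whether it is a prefix length in bits or a byte count and gives no valid range, even though the Smack.txt hunks in this commit show it comes from the user-written "/%d" suffix of the `netlabel` and `ipv6host` interfaces (the parser itself is in a file collapsed on this page). Stating the unit and bound at the declaration lets the smackfs range check and the address-matching code agree on one contract; suggested comment for both structs: `/* prefix length in bits: 0..32 for IPv4, 0..128 for IPv6 */`. The block comment above `SMACK_IPV6_PORT_LABELING` explains only that macro, while `SMACK_IPV6_SECMARK_LABELING` at the following `#if` has no rationale; a one-line comment such as `/* Use IPv6 secmark labeling if IPv6 is enabled and secmarks are in use. */` would make the mutually exclusive pair obvious to readers of the later `#ifdef` guards.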