Commit 8d9107e8 authored by Linus Torvalds's avatar Linus Torvalds

Revert "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel"

This reverts commit 9faf65fb.

It bit people like Michal Piotrowski:

  "My system is too secure, I can not login :)"

because it changed how CONFIG_NETLABEL worked, and broke older SElinux
policies.

As a result, quoth James Morris:

  "Can you please revert this patch?

   We thought it only affected people running MLS, but it will affect others.

   Sorry for the hassle."

Cc: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
Cc: Paul Moore <paul.moore@hp.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 16cefa8c
...@@ -3129,19 +3129,17 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, ...@@ -3129,19 +3129,17 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
/** /**
* selinux_skb_extlbl_sid - Determine the external label of a packet * selinux_skb_extlbl_sid - Determine the external label of a packet
* @skb: the packet * @skb: the packet
* @base_sid: the SELinux SID to use as a context for MLS only external labels
* @sid: the packet's SID * @sid: the packet's SID
* *
* Description: * Description:
* Check the various different forms of external packet labeling and determine * Check the various different forms of external packet labeling and determine
* the external SID for the packet. If only one form of external labeling is * the external SID for the packet.
* present then it is used, if both labeled IPsec and NetLabel labels are
* present then the SELinux type information is taken from the labeled IPsec
* SA and the MLS sensitivity label information is taken from the NetLabel
* security attributes. This bit of "magic" is done in the call to
* selinux_netlbl_skbuff_getsid().
* *
*/ */
static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid) static void selinux_skb_extlbl_sid(struct sk_buff *skb,
u32 base_sid,
u32 *sid)
{ {
u32 xfrm_sid; u32 xfrm_sid;
u32 nlbl_sid; u32 nlbl_sid;
...@@ -3149,9 +3147,10 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid) ...@@ -3149,9 +3147,10 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
selinux_skb_xfrm_sid(skb, &xfrm_sid); selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (selinux_netlbl_skbuff_getsid(skb, if (selinux_netlbl_skbuff_getsid(skb,
(xfrm_sid == SECSID_NULL ? (xfrm_sid == SECSID_NULL ?
SECINITSID_NETMSG : xfrm_sid), base_sid : xfrm_sid),
&nlbl_sid) != 0) &nlbl_sid) != 0)
nlbl_sid = SECSID_NULL; nlbl_sid = SECSID_NULL;
*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
} }
...@@ -3696,7 +3695,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * ...@@ -3696,7 +3695,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
if (sock && sock->sk->sk_family == PF_UNIX) if (sock && sock->sk->sk_family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb) else if (skb)
selinux_skb_extlbl_sid(skb, &peer_secid); selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
if (peer_secid == SECSID_NULL) if (peer_secid == SECSID_NULL)
err = -EINVAL; err = -EINVAL;
...@@ -3757,7 +3756,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, ...@@ -3757,7 +3756,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
u32 newsid; u32 newsid;
u32 peersid; u32 peersid;
selinux_skb_extlbl_sid(skb, &peersid); selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
if (peersid == SECSID_NULL) { if (peersid == SECSID_NULL) {
req->secid = sksec->sid; req->secid = sksec->sid;
req->peer_secid = SECSID_NULL; req->peer_secid = SECSID_NULL;
...@@ -3795,7 +3794,7 @@ static void selinux_inet_conn_established(struct sock *sk, ...@@ -3795,7 +3794,7 @@ static void selinux_inet_conn_established(struct sock *sk,
{ {
struct sk_security_struct *sksec = sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
selinux_skb_extlbl_sid(skb, &sksec->peer_sid); selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
} }
static void selinux_req_classify_flow(const struct request_sock *req, static void selinux_req_classify_flow(const struct request_sock *req,
......
...@@ -158,7 +158,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) ...@@ -158,7 +158,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
netlbl_secattr_init(&secattr); netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, &secattr); rc = netlbl_skbuff_getattr(skb, &secattr);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid); rc = security_netlbl_secattr_to_sid(&secattr,
base_sid,
sid);
else else
*sid = SECSID_NULL; *sid = SECSID_NULL;
netlbl_secattr_destroy(&secattr); netlbl_secattr_destroy(&secattr);
...@@ -196,7 +198,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) ...@@ -196,7 +198,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
if (netlbl_sock_getattr(sk, &secattr) == 0 && if (netlbl_sock_getattr(sk, &secattr) == 0 &&
secattr.flags != NETLBL_SECATTR_NONE && secattr.flags != NETLBL_SECATTR_NONE &&
security_netlbl_secattr_to_sid(&secattr, security_netlbl_secattr_to_sid(&secattr,
SECINITSID_NETMSG, SECINITSID_UNLABELED,
&nlbl_peer_sid) == 0) &nlbl_peer_sid) == 0)
sksec->peer_sid = nlbl_peer_sid; sksec->peer_sid = nlbl_peer_sid;
netlbl_secattr_destroy(&secattr); netlbl_secattr_destroy(&secattr);
...@@ -293,31 +295,37 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, ...@@ -293,31 +295,37 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
struct avc_audit_data *ad) struct avc_audit_data *ad)
{ {
int rc; int rc;
u32 nlbl_sid; u32 netlbl_sid;
u32 perm; u32 recv_perm;
rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid); rc = selinux_netlbl_skbuff_getsid(skb,
SECINITSID_UNLABELED,
&netlbl_sid);
if (rc != 0) if (rc != 0)
return rc; return rc;
if (nlbl_sid == SECSID_NULL)
nlbl_sid = SECINITSID_UNLABELED; if (netlbl_sid == SECSID_NULL)
return 0;
switch (sksec->sclass) { switch (sksec->sclass) {
case SECCLASS_UDP_SOCKET: case SECCLASS_UDP_SOCKET:
perm = UDP_SOCKET__RECVFROM; recv_perm = UDP_SOCKET__RECVFROM;
break; break;
case SECCLASS_TCP_SOCKET: case SECCLASS_TCP_SOCKET:
perm = TCP_SOCKET__RECVFROM; recv_perm = TCP_SOCKET__RECVFROM;
break; break;
default: default:
perm = RAWIP_SOCKET__RECVFROM; recv_perm = RAWIP_SOCKET__RECVFROM;
} }
rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad); rc = avc_has_perm(sksec->sid,
netlbl_sid,
sksec->sclass,
recv_perm,
ad);
if (rc == 0) if (rc == 0)
return 0; return 0;
if (nlbl_sid != SECINITSID_UNLABELED)
netlbl_skbuff_err(skb, rc); netlbl_skbuff_err(skb, rc);
return rc; return rc;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment