[PATCH] selinux: add netif controls

From: James Morris <jmorris@redhat.com>

This patch adds netif access controls for SELinux, which allows network
traffic to be controlled on the basis of associated network interface.

Similar functionality was present in earlier SELinux implementations; this
is a rework within the constraints of the LSM hooks present in the mainline
kernel.

security/selinux/Makefile

@@ -6,5 +6,9 @@ obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
 
 selinux-objs := avc.o hooks.o selinuxfs.o
 
+ifeq ($(CONFIG_SECURITY_NETWORK),y)
+	selinux-objs += netif.o
+endif
+
 EXTRA_CFLAGS += -Isecurity/selinux/include
 

security/selinux/hooks.c

@@ -44,6 +44,7 @@
 #include <linux/ext2_fs.h>
 #include <linux/proc_fs.h>
 #include <linux/kd.h>
+#include <linux/netfilter_ipv4.h>
 #include <net/icmp.h>
 #include <net/ip.h>		/* for sysctl_local_port_range[] */
 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
@@ -61,6 +62,7 @@
 
 #include "avc.h"
 #include "objsec.h"
+#include "netif.h"
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 int selinux_enforcing = 0;
@@ -2663,7 +2665,137 @@ static int selinux_socket_unix_may_send(struct socket *sock,
 	return 0;
 }
 
-#endif
+static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+{
+	int err = 0;
+	u32 netif_perm;
+	struct socket *sock;
+	struct inode *inode;
+	struct net_device *dev;
+	struct sel_netif *netif;
+	struct netif_security_struct *nsec;
+	struct inode_security_struct *isec;
+	struct avc_audit_data ad;
+
+	/* Only IPv4 is supported here at this stage */
+	if (sk->sk_family != PF_INET)
+		goto out;
+
+	sock = sk->sk_socket;
+	
+	/* TCP control messages don't always have a socket. */
+	if (!sock)
+		goto out;
+
+	inode = SOCK_INODE(sock);
+	if (!inode)
+		goto out;
+
+	dev = skb->dev;
+	if (!dev)
+		goto out;
+
+	netif = sel_netif_lookup(dev);
+	if (IS_ERR(netif)) {
+		err = PTR_ERR(netif);
+		goto out;
+	}
+	
+	nsec = &netif->nsec;
+	isec = inode->i_security;
+
+	switch (isec->sclass) {
+	case SECCLASS_UDP_SOCKET:
+		netif_perm = NETIF__UDP_RECV;
+		break;
+	
+	case SECCLASS_TCP_SOCKET:
+		netif_perm = NETIF__TCP_RECV;
+		break;
+	
+	default:
+		netif_perm = NETIF__RAWIP_RECV;
+		break;
+	}
+
+	AVC_AUDIT_DATA_INIT(&ad, NET);
+	ad.u.net.netif = dev->name;
+	ad.u.net.skb = skb;
+
+	err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
+	                   netif_perm, &nsec->avcr, &ad);
+
+	sel_netif_put(netif);
+out:	
+	return err;
+}
+
+#ifdef CONFIG_NETFILTER
+static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
+                                              struct sk_buff **pskb,
+                                              const struct net_device *in,
+                                              const struct net_device *out,
+                                              int (*okfn)(struct sk_buff *))
+{
+	int err = NF_ACCEPT;
+	u32 netif_perm;
+	struct socket *sock;
+	struct inode *inode;
+	struct sel_netif *netif;
+	struct sk_buff *skb = *pskb;
+	struct netif_security_struct *nsec;
+	struct inode_security_struct *isec;
+	struct avc_audit_data ad;
+	struct net_device *dev = (struct net_device *)out;
+	
+	if (!skb->sk)
+		goto out;
+		
+	sock = skb->sk->sk_socket;
+	if (!sock)
+		goto out;
+		
+	inode = SOCK_INODE(sock);
+	if (!inode)
+		goto out;
+
+	netif = sel_netif_lookup(dev);
+	if (IS_ERR(netif)) {
+		err = NF_DROP;
+		goto out;
+	}
+	
+	nsec = &netif->nsec;
+	isec = inode->i_security;
+	
+	switch (isec->sclass) {
+	case SECCLASS_UDP_SOCKET:
+		netif_perm = NETIF__UDP_SEND;
+		break;
+	
+	case SECCLASS_TCP_SOCKET:
+		netif_perm = NETIF__TCP_SEND;
+		break;
+	
+	default:
+		netif_perm = NETIF__RAWIP_SEND;
+		break;
+	}
+
+	AVC_AUDIT_DATA_INIT(&ad, NET);
+	ad.u.net.netif = dev->name;
+	ad.u.net.skb = skb;
+
+	err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
+	                   netif_perm, &nsec->avcr, &ad) ? NF_DROP : NF_ACCEPT;
+
+	sel_netif_put(netif);
+out:
+	return err;
+}
+#endif	/* CONFIG_NETFILTER */
+
+#endif	/* CONFIG_SECURITY_NETWORK */
 
 static int ipc_alloc_security(struct task_struct *task,
 			      struct kern_ipc_perm *perm,
@@ -3398,6 +3530,7 @@ struct security_operations selinux_ops = {
 	.socket_getsockopt =		selinux_socket_getsockopt,
 	.socket_setsockopt =		selinux_socket_setsockopt,
 	.socket_shutdown =		selinux_socket_shutdown,
+	.socket_sock_rcv_skb =		selinux_socket_sock_rcv_skb,
 #endif
 };
 
@@ -3467,3 +3600,33 @@ void selinux_complete_init(void)
    all processes and objects when they are created. */
 security_initcall(selinux_init);
 
+#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
+
+static struct nf_hook_ops selinux_ip_ops[] = {
+	{ .hook =	selinux_ip_postroute_last,
+	  .owner =	THIS_MODULE,
+	  .pf =		PF_INET, 
+	  .hooknum =	NF_IP_POST_ROUTING, 
+	  .priority =	NF_IP_PRI_SELINUX_LAST, },
+};
+
+static int __init selinux_nf_ip_init(void)
+{
+	int err = 0;
+
+	if (!selinux_enabled)
+		goto out;
+		
+	printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
+	
+	err = nf_register_hook(&selinux_ip_ops[0]);
+	if (err)
+		panic("SELinux: nf_register_hook 0 error %d\n", err);
+
+out:
+	return err;
+}
+
+__initcall(selinux_nf_ip_init);
+
+#endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */

security/selinux/include/netif.h

+/*
+ * Network interface table.
+ *
+ * Network interfaces (devices) do not have a security field, so we
+ * maintain a table associating each interface with a SID.
+ *
+ * Author: James Morris <jmorris@redhat.com>
+ *
+ * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+#ifndef _SELINUX_NETIF_H_
+#define _SELINUX_NETIF_H_
+
+struct sel_netif
+{
+	struct list_head list;
+	atomic_t users;
+	struct netif_security_struct nsec;
+	struct rcu_head rcu_head;
+};
+
+struct sel_netif *sel_netif_lookup(struct net_device *dev);
+void sel_netif_put(struct sel_netif *netif);
+
+#endif	/* _SELINUX_NETIF_H_ */
+

security/selinux/include/objsec.h

@@ -93,6 +93,13 @@ struct bprm_security_struct {
 	unsigned char set;
 };
 
+struct netif_security_struct {
+	struct net_device *dev;		/* back pointer */
+	u32 if_sid;			/* SID for this interface */
+	u32 msg_sid;			/* default SID for messages received on this interface */
+	struct avc_entry_ref avcr;	/* reference to permissions */
+};
+
 extern int inode_security_set_sid(struct inode *inode, u32 sid);
 
 #endif /* _SELINUX_OBJSEC_H_ */

security/selinux/netif.c

+/*
+ * Network interface table.
+ *
+ * Network interfaces (devices) do not have a security field, so we
+ * maintain a table associating each interface with a SID.
+ *
+ * Author: James Morris <jmorris@redhat.com>
+ *
+ * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+#include <linux/types.h>
+#include <linux/stddef.h>
+#include <linux/kernel.h>
+#include <linux/list.h>
+#include <linux/notifier.h>
+#include <linux/netdevice.h>
+#include <linux/rcupdate.h>
+
+#include "security.h"
+#include "objsec.h"
+#include "netif.h"
+
+#define SEL_NETIF_HASH_SIZE	64
+#define SEL_NETIF_HASH_MAX	1024
+
+#undef DEBUG
+
+#ifdef DEBUG
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+static u32 sel_netif_total;
+static LIST_HEAD(sel_netif_list);
+static spinlock_t sel_netif_lock = SPIN_LOCK_UNLOCKED;
+static struct sel_netif sel_netif_hash[SEL_NETIF_HASH_SIZE];
+
+static inline u32 sel_netif_hasfn(struct net_device *dev)
+{
+	return (dev->ifindex & (SEL_NETIF_HASH_SIZE - 1));
+}
+
+/*
+ * All of the devices should normally fit in the hash, so we optimize
+ * for that case.
+ */
+static struct sel_netif *sel_netif_find(struct net_device *dev)
+{
+	struct list_head *pos;
+	int idx = sel_netif_hasfn(dev);
+
+	__list_for_each_rcu(pos, &sel_netif_hash[idx].list) {
+		struct sel_netif *netif = list_entry(pos,
+		                                     struct sel_netif, list);
+		if (likely(netif->nsec.dev == dev))
+			return netif;
+	}
+	return NULL;
+}
+
+static int sel_netif_insert(struct sel_netif *netif)
+{
+	int idx, ret = 0;
+	
+	if (sel_netif_total >= SEL_NETIF_HASH_MAX) {
+		ret = -ENOSPC;
+		goto out;
+	}
+	
+	idx = sel_netif_hasfn(netif->nsec.dev);
+	list_add_rcu(&netif->list, &sel_netif_hash[idx].list);
+	atomic_set(&netif->users, 1);
+	sel_netif_total++;
+out:
+	return ret;
+}
+
+struct sel_netif *sel_netif_lookup(struct net_device *dev)
+{
+	int ret;
+	struct sel_netif *netif, *new;
+	struct netif_security_struct *nsec;
+
+	rcu_read_lock();
+	netif = sel_netif_find(dev);
+	rcu_read_unlock();
+	
+	if (likely(netif != NULL))
+		goto out_hold;
+	
+	new = kmalloc(sizeof(*new), GFP_ATOMIC);
+	if (!new) {
+		netif = ERR_PTR(-ENOMEM);
+		goto out;
+	}
+	
+	memset(new, 0, sizeof(*new));
+	nsec = &new->nsec;
+
+	ret = security_netif_sid(dev->name, &nsec->if_sid, &nsec->msg_sid);
+	if (ret < 0) {
+		kfree(new);
+		netif = ERR_PTR(ret);
+		goto out;
+	}
+
+	nsec->dev = dev;
+	
+	spin_lock_bh(&sel_netif_lock);
+	
+	netif = sel_netif_find(dev);
+	if (netif) {
+		spin_unlock_bh(&sel_netif_lock);
+		kfree(new);
+		goto out_hold;
+	}
+	
+	sel_netif_insert(new);
+	spin_unlock_bh(&sel_netif_lock);
+	
+	netif = new;
+	
+	DEBUGP("new: ifindex=%u name=%s if_sid=%u msg_sid=%u\n", dev->ifindex, dev->name,
+	        nsec->if_sid, nsec->msg_sid);
+out_hold:
+	atomic_inc(&netif->users);
+out:
+	return netif;
+}
+
+static void sel_netif_free(void *p)
+{
+	struct sel_netif *netif = p;
+	
+	DEBUGP("%s: %s\n", __FUNCTION__, netif->nsec.dev->name);
+	kfree(netif);
+}
+
+static void sel_netif_destroy(struct sel_netif *netif)
+{
+	DEBUGP("%s: %s\n", __FUNCTION__, netif->nsec.dev->name);
+	
+	spin_lock_bh(&sel_netif_lock);
+	list_del_rcu(&netif->list);
+	sel_netif_total--;
+	spin_unlock_bh(&sel_netif_lock);
+
+	call_rcu(&netif->rcu_head, sel_netif_free, netif);
+}
+
+void sel_netif_put(struct sel_netif *netif)
+{
+	if (atomic_dec_and_test(&netif->users))
+		sel_netif_destroy(netif);
+}
+
+static void sel_netif_kill(struct net_device *dev)
+{
+	struct sel_netif *netif;
+	
+	rcu_read_lock();
+	netif = sel_netif_find(dev);
+	rcu_read_unlock();
+
+	/* Drop internal reference */
+	if (netif)
+		sel_netif_put(netif);
+}
+
+static void sel_netif_flush(void)
+{
+	int idx;
+
+	for (idx = 0; idx < SEL_NETIF_HASH_SIZE; idx++) {
+		struct list_head *pos;
+		
+		list_for_each_rcu(pos, &sel_netif_hash[idx].list) {
+			struct sel_netif *netif;
+			
+			netif = list_entry(pos, struct sel_netif, list);
+			if (netif)
+				sel_netif_put(netif);
+		}
+	}
+}
+
+static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid,
+                                  u16 class, u32 perms, u32 *retained)
+{
+	if (event == AVC_CALLBACK_RESET) {
+		sel_netif_flush();
+		synchronize_net();
+	}
+	return 0;
+}
+
+static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
+                                             unsigned long event, void *ptr)
+{
+	struct net_device *dev = ptr;
+
+	if (event == NETDEV_DOWN)
+		sel_netif_kill(dev);
+
+	return NOTIFY_DONE;
+}
+
+static struct notifier_block sel_netif_netdev_notifier = {
+	.notifier_call = sel_netif_netdev_notifier_handler,
+};
+
+static __init int sel_netif_init(void)
+{
+	int i, err = 0;
+	
+	if (!selinux_enabled)
+		goto out;
+
+	for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)
+		INIT_LIST_HEAD(&sel_netif_hash[i].list);
+
+	register_netdevice_notifier(&sel_netif_netdev_notifier);
+	
+	err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET,
+	                       SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
+	if (err)
+		panic("avc_add_callback() failed, error %d\n", err);
+
+out:
+	return err;
+}
+
+__initcall(sel_netif_init);
+