Commit e0e9c58e authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] selinux: improve skb audit logging

From: James Morris <jmorris@redhat.com>

This patch is a rework of the skb audit logging code in SELinux.  Rather
than relying on skb header pointers, it parses the skb for specific
protocols (TCP and UDP for IPv4 at this stage).  This is safer for the case
of locally generated raw packets, which can be malformed.  It also now
takes fragmented skbs into account.  The new code allows the caller to
parse the skb so that parsed information can be more readily re-used.
parent bef7d803
......@@ -22,8 +22,6 @@
#include <linux/un.h>
#include <net/af_unix.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <linux/tcp.h>
#include "avc.h"
#include "avc_ss.h"
#include "class_to_string.h"
......@@ -640,46 +638,12 @@ void avc_audit(u32 ssid, u32 tsid,
break;
}
}
if (a->u.net.daddr) {
printk(" daddr=%d.%d.%d.%d",
NIPQUAD(a->u.net.daddr));
if (a->u.net.port)
printk(" dest=%d", a->u.net.port);
} else if (a->u.net.saddr) {
printk(" saddr=%d.%d.%d.%d",
NIPQUAD(a->u.net.saddr));
if (a->u.net.port)
printk(" src=%d", a->u.net.port);
} else if (a->u.net.port)
printk(" port=%d", a->u.net.port);
if (a->u.net.skb) {
struct sk_buff *skb = a->u.net.skb;
if ((skb->protocol == htons(ETH_P_IP)) &&
skb->nh.iph) {
u16 source = 0, dest = 0;
u8 protocol = skb->nh.iph->protocol;
if (protocol == IPPROTO_TCP &&
skb->h.th) {
source = skb->h.th->source;
dest = skb->h.th->dest;
}
if (protocol == IPPROTO_UDP &&
skb->h.uh) {
source = skb->h.uh->source;
dest = skb->h.uh->dest;
}
avc_print_ipv4_addr(skb->nh.iph->saddr,
source,
"saddr", "source");
avc_print_ipv4_addr(skb->nh.iph->daddr,
dest,
avc_print_ipv4_addr(a->u.net.saddr, a->u.net.sport,
"saddr", "src");
avc_print_ipv4_addr(a->u.net.daddr, a->u.net.dport,
"daddr", "dest");
}
}
if (a->u.net.netif)
printk(" netif=%s", a->u.net.netif);
break;
......
......@@ -56,6 +56,7 @@
#include <linux/netdevice.h> /* for network interface checks */
#include <linux/netlink.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/quota.h>
#include <linux/un.h> /* for Unix socket types */
#include <net/af_unix.h> /* for Unix socket types */
......@@ -2372,6 +2373,69 @@ static void selinux_task_to_inode(struct task_struct *p,
#ifdef CONFIG_SECURITY_NETWORK
static void selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
{
int dlen, ihlen;
struct iphdr *iph;
if (skb->len < sizeof(struct iphdr))
goto out;
iph = skb->nh.iph;
ihlen = iph->ihl * 4;
if (ihlen < sizeof(struct iphdr))
goto out;
dlen = skb->len - ihlen;
ad->u.net.saddr = iph->saddr;
ad->u.net.daddr = iph->daddr;
switch (iph->protocol) {
case IPPROTO_TCP: {
int offset;
struct tcphdr tcph;
if (ntohs(iph->frag_off) & IP_OFFSET)
break;
if (dlen < sizeof(tcph))
break;
offset = skb->nh.raw - skb->data + ihlen;
if (skb_copy_bits(skb, offset, &tcph, sizeof(tcph)) < 0)
break;
ad->u.net.sport = tcph.source;
ad->u.net.dport = tcph.dest;
break;
}
case IPPROTO_UDP: {
int offset;
struct udphdr udph;
if (ntohs(iph->frag_off) & IP_OFFSET)
break;
if (dlen < sizeof(udph))
break;
offset = skb->nh.raw - skb->data + ihlen;
if (skb_copy_bits(skb, offset, &udph, sizeof(udph)) < 0)
break;
ad->u.net.sport = udph.source;
ad->u.net.dport = udph.dest;
break;
}
default:
break;
}
out:
return;
}
/* socket security operations */
static int socket_has_perm(struct task_struct *task, struct socket *sock,
u32 perms)
......@@ -2460,7 +2524,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
if (err)
goto out;
AVC_AUDIT_DATA_INIT(&ad,NET);
ad.u.net.port = snum;
ad.u.net.sport = htons(snum);
err = avc_has_perm(isec->sid, sid,
isec->sclass,
SOCKET__NAME_BIND, NULL, &ad);
......@@ -2488,7 +2552,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
goto out;
AVC_AUDIT_DATA_INIT(&ad,NET);
ad.u.net.port = snum;
ad.u.net.sport = htons(snum);
ad.u.net.saddr = addr->sin_addr.s_addr;
err = avc_has_perm(isec->sid, sid,
isec->sclass, node_perm, NULL, &ad);
......@@ -2686,7 +2750,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.netif = dev->name;
ad.u.net.skb = skb;
selinux_parse_skb_ipv4(skb, &ad);
err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
netif_perm, &nsec->avcr, &ad);
......@@ -2812,7 +2876,7 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
AVC_AUDIT_DATA_INIT(&ad, NET);
ad.u.net.netif = dev->name;
ad.u.net.skb = skb;
selinux_parse_skb_ipv4(skb, &ad);
err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
netif_perm, &nsec->avcr, &ad) ? NF_DROP : NF_ACCEPT;
......
......@@ -63,9 +63,9 @@ struct avc_audit_data {
} fs;
struct {
char *netif;
struct sk_buff *skb;
struct sock *sk;
u16 port;
u16 dport;
u16 sport;
u32 daddr;
u32 saddr;
} net;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment