Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8d9107e8 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Revert "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel" 



This reverts commit 9faf65fb.

It bit people like Michal Piotrowski:

  "My system is too secure, I can not login :)"

because it changed how CONFIG_NETLABEL worked, and broke older SElinux
policies.

As a result, quoth James Morris:

  "Can you please revert this patch?

   We thought it only affected people running MLS, but it will affect others.

   Sorry for the hassle."

Cc: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
Cc: Paul Moore <paul.moore@hp.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 16cefa8c

security/selinux/hooks.c

+10 −11
Original line number Diff line number Diff line
@@ -3129,19 +3129,17 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 
/**

 * selinux_skb_extlbl_sid - Determine the external label of a packet

 * @skb: the packet

 * @base_sid: the SELinux SID to use as a context for MLS only external labels

 * @sid: the packet's SID

 *

 * Description:

 * Check the various different forms of external packet labeling and determine

 * the external SID for the packet.  If only one form of external labeling is

 * present then it is used, if both labeled IPsec and NetLabel labels are

 * present then the SELinux type information is taken from the labeled IPsec

 * SA and the MLS sensitivity label information is taken from the NetLabel

 * security attributes.  This bit of "magic" is done in the call to

 * selinux_netlbl_skbuff_getsid().

 * the external SID for the packet.

 *

 */

static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)

static void selinux_skb_extlbl_sid(struct sk_buff *skb,

				   u32 base_sid,

				   u32 *sid)

{

	u32 xfrm_sid;

	u32 nlbl_sid;
@@ -3149,9 +3147,10 @@ static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid) 
	selinux_skb_xfrm_sid(skb, &xfrm_sid);

	if (selinux_netlbl_skbuff_getsid(skb,

					 (xfrm_sid == SECSID_NULL ?

					  SECINITSID_NETMSG : xfrm_sid),

					  base_sid : xfrm_sid),

					 &nlbl_sid) != 0)

		nlbl_sid = SECSID_NULL;



	*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);

}
@@ -3696,7 +3695,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * 
	if (sock && sock->sk->sk_family == PF_UNIX)

		selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);

	else if (skb)

		selinux_skb_extlbl_sid(skb, &peer_secid);

		selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);



	if (peer_secid == SECSID_NULL)

		err = -EINVAL;
@@ -3757,7 +3756,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 
	u32 newsid;

	u32 peersid;



	selinux_skb_extlbl_sid(skb, &peersid);

	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);

	if (peersid == SECSID_NULL) {

		req->secid = sksec->sid;

		req->peer_secid = SECSID_NULL;
@@ -3795,7 +3794,7 @@ static void selinux_inet_conn_established(struct sock *sk, 
{

	struct sk_security_struct *sksec = sk->sk_security;



	selinux_skb_extlbl_sid(skb, &sksec->peer_sid);

	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);

}



static void selinux_req_classify_flow(const struct request_sock *req,

security/selinux/netlabel.c

+21 −13
Original line number Diff line number Diff line
@@ -158,7 +158,9 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) 
	netlbl_secattr_init(&secattr);

	rc = netlbl_skbuff_getattr(skb, &secattr);

	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)

		rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);

		rc = security_netlbl_secattr_to_sid(&secattr,

						    base_sid,

						    sid);

	else

		*sid = SECSID_NULL;

	netlbl_secattr_destroy(&secattr);
@@ -196,7 +198,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) 
	if (netlbl_sock_getattr(sk, &secattr) == 0 &&

	    secattr.flags != NETLBL_SECATTR_NONE &&

	    security_netlbl_secattr_to_sid(&secattr,

					   SECINITSID_NETMSG,

					   SECINITSID_UNLABELED,

					   &nlbl_peer_sid) == 0)

		sksec->peer_sid = nlbl_peer_sid;

	netlbl_secattr_destroy(&secattr);
@@ -293,31 +295,37 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, 
				struct avc_audit_data *ad)

{

	int rc;

	u32 nlbl_sid;

	u32 perm;

	u32 netlbl_sid;

	u32 recv_perm;



	rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid);

	rc = selinux_netlbl_skbuff_getsid(skb,

					  SECINITSID_UNLABELED,

					  &netlbl_sid);

	if (rc != 0)

		return rc;

	if (nlbl_sid == SECSID_NULL)

		nlbl_sid = SECINITSID_UNLABELED;



	if (netlbl_sid == SECSID_NULL)

		return 0;



	switch (sksec->sclass) {

	case SECCLASS_UDP_SOCKET:

		perm = UDP_SOCKET__RECVFROM;

		recv_perm = UDP_SOCKET__RECVFROM;

		break;

	case SECCLASS_TCP_SOCKET:

		perm = TCP_SOCKET__RECVFROM;

		recv_perm = TCP_SOCKET__RECVFROM;

		break;

	default:

		perm = RAWIP_SOCKET__RECVFROM;

		recv_perm = RAWIP_SOCKET__RECVFROM;

	}



	rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);

	rc = avc_has_perm(sksec->sid,

			  netlbl_sid,

			  sksec->sclass,

			  recv_perm,

			  ad);

	if (rc == 0)

		return 0;



	if (nlbl_sid != SECINITSID_UNLABELED)

	netlbl_skbuff_err(skb, rc);

	return rc;

}