[RFC PATCH] lsm,selinux: pass the family information along with xfrm flow
Casey Schaufler
casey at schaufler-ca.com
Tue Sep 29 22:38:56 UTC 2020
On 9/29/2020 2:54 PM, Paul Moore wrote:
> As pointed out by Herbert in a recent related patch, the LSM hooks
> should pass the address family in addition to the xfrm flow as the
> family information is needed to safely access the flow.
>
> While this is not technically a problem for the current LSM/SELinux
> code as it only accesses fields common to all address families, we
> should still pass the address family so that the LSM hook isn't
> inherently flawed. An alternate solution could be to simply pass
> the LSM secid instead of flow, but this introduces the problem of
> the LSM hook callers sending the wrong secid which would be much
> worse.
>
> Reported-by: Herbert Xu <herbert at gondor.apana.org.au>
> Signed-off-by: Paul Moore <paul at paul-moore.com>
For what it may be worth
Acked-by: Casey Schaufler <casey at schaufler-ca.com>
> ---
> include/linux/lsm_hook_defs.h | 2 +-
> include/linux/lsm_hooks.h | 1 +
> include/linux/security.h | 7 +++++--
> net/xfrm/xfrm_state.c | 4 ++--
> security/security.c | 5 +++--
> security/selinux/include/xfrm.h | 3 ++-
> security/selinux/xfrm.c | 3 ++-
> 7 files changed, 16 insertions(+), 9 deletions(-)
>
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index 2a8c74d99015..e3c3b5d20469 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -349,7 +349,7 @@ LSM_HOOK(int, 0, xfrm_state_delete_security, struct xfrm_state *x)
> LSM_HOOK(int, 0, xfrm_policy_lookup, struct xfrm_sec_ctx *ctx, u32 fl_secid,
> u8 dir)
> LSM_HOOK(int, 1, xfrm_state_pol_flow_match, struct xfrm_state *x,
> - struct xfrm_policy *xp, const struct flowi *fl)
> + struct xfrm_policy *xp, const struct flowi *fl, unsigned short family)
> LSM_HOOK(int, 0, xfrm_decode_session, struct sk_buff *skb, u32 *secid,
> int ckall)
> #endif /* CONFIG_SECURITY_NETWORK_XFRM */
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 9e2e3e63719d..ea088aacfdad 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1093,6 +1093,7 @@
> * @x contains the state to match.
> * @xp contains the policy to check for a match.
> * @fl contains the flow to check for a match.
> + * @family the flow's address family.
> * Return 1 if there is a match.
> * @xfrm_decode_session:
> * @skb points to skb to decode.
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 0a0a03b36a3b..701b41eb090c 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1625,7 +1625,8 @@ void security_xfrm_state_free(struct xfrm_state *x);
> int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
> int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
> struct xfrm_policy *xp,
> - const struct flowi *fl);
> + const struct flowi *fl,
> + unsigned short family);
> int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
> void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl);
>
> @@ -1679,7 +1680,9 @@ static inline int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_s
> }
>
> static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
> - struct xfrm_policy *xp, const struct flowi *fl)
> + struct xfrm_policy *xp,
> + const struct flowi *fl,
> + unsigned short family)
> {
> return 1;
> }
> diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
> index 69520ad3d83b..f90d2f1da44a 100644
> --- a/net/xfrm/xfrm_state.c
> +++ b/net/xfrm/xfrm_state.c
> @@ -1020,7 +1020,7 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
> if (x->km.state == XFRM_STATE_VALID) {
> if ((x->sel.family &&
> !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
> - !security_xfrm_state_pol_flow_match(x, pol, fl))
> + !security_xfrm_state_pol_flow_match(x, pol, fl, family))
> return;
>
> if (!*best ||
> @@ -1033,7 +1033,7 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
> } else if (x->km.state == XFRM_STATE_ERROR ||
> x->km.state == XFRM_STATE_EXPIRED) {
> if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
> - security_xfrm_state_pol_flow_match(x, pol, fl))
> + security_xfrm_state_pol_flow_match(x, pol, fl, family))
> *error = -ESRCH;
> }
> }
> diff --git a/security/security.c b/security/security.c
> index 70a7ad357bc6..62dd0af7c6bc 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2391,7 +2391,8 @@ int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
>
> int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
> struct xfrm_policy *xp,
> - const struct flowi *fl)
> + const struct flowi *fl,
> + unsigned short family)
> {
> struct security_hook_list *hp;
> int rc = LSM_RET_DEFAULT(xfrm_state_pol_flow_match);
> @@ -2407,7 +2408,7 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
> */
> hlist_for_each_entry(hp, &security_hook_heads.xfrm_state_pol_flow_match,
> list) {
> - rc = hp->hook.xfrm_state_pol_flow_match(x, xp, fl);
> + rc = hp->hook.xfrm_state_pol_flow_match(x, xp, fl, family);
> break;
> }
> return rc;
> diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
> index a0b465316292..36907dd06647 100644
> --- a/security/selinux/include/xfrm.h
> +++ b/security/selinux/include/xfrm.h
> @@ -26,7 +26,8 @@ int selinux_xfrm_state_delete(struct xfrm_state *x);
> int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
> int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
> struct xfrm_policy *xp,
> - const struct flowi *fl);
> + const struct flowi *fl,
> + unsigned short family);
>
> #ifdef CONFIG_SECURITY_NETWORK_XFRM
> extern atomic_t selinux_xfrm_refcount;
> diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
> index 7314196185d1..5beb30237d3a 100644
> --- a/security/selinux/xfrm.c
> +++ b/security/selinux/xfrm.c
> @@ -175,7 +175,8 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
> */
> int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
> struct xfrm_policy *xp,
> - const struct flowi *fl)
> + const struct flowi *fl,
> + unsigned short family)
> {
> u32 state_sid;
>
>
More information about the Linux-security-module-archive
mailing list