[redhat-lspp] [RFC][PATCH 2/2] MLSXFRM: Flow labeling outside of socket context

Venkat Yekkirala vyekkirala at trustedcs.com
Thu Jul 6 00:22:29 UTC 2006


(WILL BREAK THIS UP FOR UPSTREAM)
The following moves the labeling of flows closer to their origination points, and
takes the label from the socket, if there is one, or otherwise from the incoming
packet the flow is being generated in response to.

This has been done by going through the code paths for xfrm_lookup, ip_route_output_flow,
and ip_route_output_key, and deriving the sid for the flow from the appropriate source
as described above.

The following aren't addressed in this round. They will, however, still be able to use
single-labeled associations as they do today, as defined by policy, and as such
I currently do not have any plans to add support for them.

ipmr
ip_gre
ipip
igmp
sit
sctp
ip6_tunnel (IPv6 over IPv6 tunnel device)
decnet

A follow up patch in a couple of days will address auto-labeling of TCP child sockets.

This has only barely been tested so I would appreciate review/testing/comments from
the lspp community. Also, anyone interested, please feel free to take on one or more
of the unsupported items listed above.

---

 Documentation/networking/flow_sid.txt |   12 +++++++++
 include/linux/security.h              |   29 +++++++++++++++---------
 include/net/route.h                   |    3 ++
 net/dccp/ipv4.c                       |    1 
 net/dccp/ipv6.c                       |    6 ++++
 net/ipv4/af_inet.c                    |    1 
 net/ipv4/icmp.c                       |    2 +
 net/ipv4/inet_connection_sock.c       |    1 
 net/ipv4/ip_gre.c                     |    2 +
 net/ipv4/ip_output.c                  |    2 +
 net/ipv4/ipip.c                       |    3 ++
 net/ipv4/netfilter/ipt_REJECT.c       |    1 
 net/ipv4/raw.c                        |    1 
 net/ipv4/syncookies.c                 |    1 
 net/ipv4/udp.c                        |    1 
 net/ipv6/af_inet6.c                   |    1 
 net/ipv6/datagram.c                   |    2 +
 net/ipv6/icmp.c                       |    2 +
 net/ipv6/inet6_connection_sock.c      |    1 
 net/ipv6/ndisc.c                      |    1 
 net/ipv6/netfilter/ip6t_REJECT.c      |    1 
 net/ipv6/raw.c                        |    1 
 net/ipv4/syncookies.c                 |    1 
 net/ipv4/udp.c                        |    1 
 net/ipv6/af_inet6.c                   |    1 
 net/ipv6/datagram.c                   |    2 +
 net/ipv6/icmp.c                       |    2 +
 net/ipv6/inet6_connection_sock.c      |    1 
 net/ipv6/ndisc.c                      |    1 
 net/ipv6/netfilter/ip6t_REJECT.c      |    1 
 net/ipv6/raw.c                        |    1 
 net/ipv6/sit.c                        |    1 
 net/ipv6/tcp_ipv6.c                   |    7 +++++
 net/ipv6/udp.c                        |    2 +
 net/xfrm/xfrm_policy.c                |    3 --
 security/dummy.c                      |    4 +--
 security/selinux/hooks.c              |    9 ++++---
 security/selinux/include/xfrm.h       |    2 -
 security/selinux/xfrm.c               |   11 +++++----
 30 files changed, 92 insertions(+), 22 deletions(-)


--- linux-2.6.17.i686.patch11.1/Documentation/networking/flow_sid.txt	1969-12-31 18:00:00.000000000 -0600
+++ linux-2.6.17.i686/Documentation/networking/flow_sid.txt	2006-07-05 17:16:13.000000000 -0500
@@ -0,0 +1,12 @@
+The sid member in the flow structure is used by LSMs (e.g. SELinux) to indicate
+the label of the flow. This label of the flow is currently used in selecting
+matching labeled xfrm(s).
+
+If this is an outbound flow, the label is derived from the socket, if any, or
+the incoming packet this flow is being generated as a response to (e.g. tcp
+resets, timewait ack, etc.). It is also conceivable that the label could be
+derived from other sources such as process context, device, etc., in special
+cases, as may be appropriate.
+
+If this is an inbound flow, the label is derived from the IPSec security
+associations, if any, used by the packet.
--- linux-2.6.17.i686.patch11.1/include/linux/security.h	2006-07-05 14:38:51.000000000 -0500
+++ linux-2.6.17.i686/include/linux/security.h	2006-07-05 14:51:16.000000000 -0500
@@ -859,7 +859,8 @@ struct swap_info_struct;
  *	Return 1 if there is a match.
  * @xfrm_decode_session:
  *	@skb points to skb to decode.
- *	@fl points to the flow key to set.
+ *	@sid points to the flow key sid to set.
+ *	@ckall says if all xfrms used should be checked for same sid.
  *	Return 0 if successful decoding.
  *
  * Security hooks affecting all Key Management operations
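Review bot: The `@xfrm_decode_session` entry now documents `@sid` and `@ckall` but not the failure mode `@ckall` introduces: the selinux implementation later in this patch returns -EINVAL when `ckall` is set and the authorizable SAs on the skb carry different sids, and that is the only non-zero return a caller can see. Suggest extending the last line to `Return 0 if successful decoding; -EINVAL if @ckall is set and the xfrms used disagree on sid.` The `@sk_getsid` entry, if it still describes `fl` and `dir`, also needs updating for the new `(sk, sid)` signature, but it lies outside this hunk so I cannot confirm its current wording.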
@@ -1313,7 +1314,7 @@ struct security_operations {
 	int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
 	void (*sk_free_security) (struct sock *sk);
 	void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
-	unsigned int (*sk_getsid) (struct sock *sk, struct flowi *fl, u8 dir);
+	void (*sk_getsid) (struct sock *sk, u32 *sid);
 #endif	/* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1328,7 +1329,7 @@ struct security_operations {
 	int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
 			struct xfrm_policy *xp, struct flowi *fl);
 	int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm);
-	int (*xfrm_decode_session)(struct sk_buff *skb, struct flowi *fl);
+	int (*xfrm_decode_session)(struct sk_buff *skb, u32 *sid, int ckall);
 #endif	/* CONFIG_SECURITY_NETWORK_XFRM */
 
 	/* key management security hooks */
@@ -2818,9 +2819,9 @@ static inline void security_sk_clone(con
 	return security_ops->sk_clone_security(sk, newsk);
 }
 
-static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
+static inline void security_sk_sid(struct sock *sk, u32 *sid)
 {
-	return security_ops->sk_getsid(sk, fl, dir);
+	security_ops->sk_getsid(sk, sid);
 }
 #else	/* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct socket * sock,
@@ -2950,9 +2951,8 @@ static inline void security_sk_clone(con
 {
 }
 
-static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
+static inline void security_sk_sid(struct sock *sk, u32 *sid)
 {
-	return 0;
 }
 #endif	/* CONFIG_SECURITY_NETWORK */
 
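Review bot: The `!CONFIG_SECURITY_NETWORK` stub of `security_sk_sid` no longer produces a value: the old stub returned 0, the new one leaves `*sid` untouched, so a caller whose `struct flowi` is not zero-initialised would route on an indeterminate `fl.sid`. Mirror the old behaviour with `*sid = 0;` in the stub body, matching the SELinux hook which also starts from the null sid.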
@@ -3005,9 +3005,14 @@ static inline int security_xfrm_flow_sta
 	return security_ops->xfrm_flow_state_match(fl, xfrm);
 }
 
-static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *sid)
+{
+	return security_ops->xfrm_decode_session(skb, sid, 1);
+}
+
+static inline void security_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
 {
-	return security_ops->xfrm_decode_session(skb, fl);
+	BUG_ON(security_ops->xfrm_decode_session(skb, sid, 0));
 }
 #else	/* CONFIG_SECURITY_NETWORK_XFRM */
 static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
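Review bot: `security_xfrm_skb_sid` evaluates the hook call inside `BUG_ON()`, so the side effect it depends on (writing `*sid`) hinges on every configuration of that macro evaluating its argument; kernel style is to keep the call outside: `int rc = security_ops->xfrm_decode_session(skb, sid, 0); BUG_ON(rc);`. Note also that with `ckall` 0 the selinux implementation in this patch breaks out before its sid-mismatch check, so the assertion can only fire if some other LSM returns an error from the non-checking variant; a one-line comment stating that the non-checking call is expected never to fail would make the intent clear.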
@@ -3057,11 +3062,15 @@ static inline int security_xfrm_flow_sta
 	return 1;
 }
 
-static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *sid)
 {
 	return 0;
 }
 
+static inline void security_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
+{
+}
+
 #endif	/* CONFIG_SECURITY_NETWORK_XFRM */
 
 #ifdef CONFIG_KEYS
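Review bot: Both `!CONFIG_SECURITY_NETWORK_XFRM` stubs leave the output parameter unwritten: `security_xfrm_decode_session` returns 0 without touching `*sid`, and `security_xfrm_skb_sid` has an empty body. Every caller in this patch hands `fl.sid` to a route/xfrm lookup immediately afterwards, so both stubs should set `*sid = 0;` so that `fl.sid` is defined regardless of how the caller built its flowi.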
--- linux-2.6.17.i686.patch11.1/include/net/route.h	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/include/net/route.h	2006-07-05 14:44:23.000000000 -0500
@@ -33,6 +33,7 @@
 #include <linux/route.h>
 #include <linux/ip.h>
 #include <linux/cache.h>
+#include <linux/security.h>
 
 #ifndef __KERNEL__
 #warning This file is not supposed to be used outside of kernel.
@@ -167,6 +168,7 @@ static inline int ip_route_connect(struc
 		ip_rt_put(*rp);
 		*rp = NULL;
 	}
+	security_sk_sid(sk, &fl.sid);
 	return ip_route_output_flow(rp, &fl, sk, 0);
 }
 
@@ -183,6 +185,7 @@ static inline int ip_route_newports(stru
 		fl.proto = protocol;
 		ip_rt_put(*rp);
 		*rp = NULL;
+		security_sk_sid(sk, &fl.sid);
 		return ip_route_output_flow(rp, &fl, sk, 0);
 	}
 	return 0;
--- linux-2.6.17.i686.patch11.1/security/dummy.c	2006-07-05 14:38:51.000000000 -0500
+++ linux-2.6.17.i686/security/dummy.c	2006-07-05 14:44:23.000000000 -0500
@@ -793,7 +793,7 @@ static inline void dummy_sk_clone_securi
 {
 }
 
-static unsigned int dummy_sk_getsid(struct sock *sk, struct flowi *fl, u8 dir)
+static unsigned int dummy_sk_getsid(struct sock *sk)
 {
 	return 0;
 }
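Review bot: `dummy_sk_getsid` is given the prototype `unsigned int (struct sock *sk)` while the hook it is installed into is now `void (*sk_getsid)(struct sock *sk, u32 *sid)` per the security.h hunk in this patch; the mismatch will warn at the ops-table assignment and, at run time, the dummy never writes the caller's sid. Change it to `static void dummy_sk_getsid(struct sock *sk, u32 *sid)` with a body of `*sid = 0;`.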
@@ -840,7 +840,7 @@ static int dummy_xfrm_flow_state_match(s
 	return 1;
 }
 
-static int dummy_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+static int dummy_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall)
 {
 	return 0;
 }
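Review bot: `dummy_xfrm_decode_session` returns 0 without writing its output, so under the dummy module `fl.sid` is whatever the caller left there; add `*sid = 0;` before the return. The parameter is also still named `fl` although it is now a `u32 *` sid pointer; rename it `sid` to match the selinux implementation and the hook documentation.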
--- linux-2.6.17.i686.patch11.1/security/selinux/hooks.c	2006-07-05 14:38:51.000000000 -0500
+++ linux-2.6.17.i686/security/selinux/hooks.c	2006-07-05 14:54:56.000000000 -0500
@@ -3436,13 +3436,13 @@ static void selinux_sk_clone_security(co
 	newssec->peer_sid = ssec->peer_sid;
 }
 
-static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
+static void selinux_sk_getsid_security(struct sock *sk, u32 *sid)
 {
 	struct inode_security_struct *isec;
 	u32 sock_sid = SECINITSID_ANY_SOCKET;
 
 	if (!sk)
-		return selinux_no_sk_sid(fl);
+		goto out;
 
 	read_lock_bh(&sk->sk_callback_lock);
 	isec = get_sock_isec(sk);
@@ -3455,7 +3455,10 @@ static unsigned int selinux_sk_getsid_se
 	}
 
 	read_unlock_bh(&sk->sk_callback_lock);
-	return sock_sid;
+
+out:
+	*sid = sock_sid;
+	return;
 }
 
 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
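Review bot: The `return;` after `*sid = sock_sid;` is redundant at the end of a void function and can be dropped; the `out:` label alone carries the fallthrough from the `!sk` case. The assignment itself is fine, but since the label is now the only exit it is worth a comment that both the locked path and the NULL-socket path converge here.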
--- linux-2.6.17.i686.patch11.1/security/selinux/include/xfrm.h	2006-07-05 14:38:51.000000000 -0500
+++ linux-2.6.17.i686/security/selinux/include/xfrm.h	2006-07-05 14:44:23.000000000 -0500
@@ -17,7 +17,7 @@ int selinux_xfrm_policy_lookup(struct xf
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
 			struct flowi *fl);
 int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm);
-int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl);
+int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall);
 
 /*
  * Extract the security blob from the sock (it's actually on the socket)
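Review bot: The prototype names the second parameter `fl` while the definition in xfrm.c names it `sid` and it is a `u32 *` sid pointer, not a flow; use `u32 *sid` here too so the header matches the implementation and readers do not look for a flowi.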
--- linux-2.6.17.i686.patch11.1/security/selinux/xfrm.c	2006-07-05 14:38:51.000000000 -0500
+++ linux-2.6.17.i686/security/selinux/xfrm.c	2006-07-05 14:44:23.000000000 -0500
@@ -159,11 +159,11 @@ int selinux_xfrm_flow_state_match(struct
  * LSM hook implementation that determines the sid for the session.
  */
 
-int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
 {
 	struct sec_path *sp;
 
-	fl->sid = SECSID_NULL;
+	*sid = SECSID_NULL;
 
 	if (skb == NULL)
 		return 0;
@@ -178,10 +178,13 @@ int selinux_xfrm_decode_session(struct s
 				struct xfrm_sec_ctx *ctx = x->security;
 
 				if (!sid_set) {
-					fl->sid = ctx->ctx_sid;
+					*sid = ctx->ctx_sid;
 					sid_set = 1;
+
+					if (!ckall)
+						break;
 				}
-				else if (fl->sid != ctx->ctx_sid)
+				else if (*sid != ctx->ctx_sid)
 					return -EINVAL;
 			}
 		}
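Review bot: With `ckall` 0 the loop stops at the first authorizable SA, so when a packet was protected by several labeled SAs carrying different contexts the reply flow takes the label of the first one in sec_path order and the disagreement is never detected; this is the mode every RST/ACK/ICMP response path in the patch uses via `security_xfrm_skb_sid`. If that is the intended policy it should be stated in the function comment above, e.g. `@ckall: when set, require every authorizable SA to carry the same sid and return -EINVAL otherwise; when clear, take the first one found.` The tail of the function (the return after the loop) is outside this hunk.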
--- linux-2.6.17.i686.patch11.1/net/dccp/ipv4.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/dccp/ipv4.c	2006-07-05 14:44:23.000000000 -0500
@@ -680,6 +680,7 @@ static struct dst_entry* dccp_v4_route_s
 			   	     }
 			  };
 
+	security_xfrm_skb_sid(skb, &fl.sid);
 	if (ip_route_output_flow(&rt, &fl, sk, 0)) {
 		IP_INC_STATS_BH(IPSTATS_MIB_OUTNOROUTES);
 		return NULL;
--- linux-2.6.17.i686.patch11.1/net/dccp/ipv6.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/dccp/ipv6.c	2006-07-05 14:44:23.000000000 -0500
@@ -201,6 +201,7 @@ static int dccp_v6_connect(struct sock *
 	fl.oif = sk->sk_bound_dev_if;
 	fl.fl_ip_dport = usin->sin6_port;
 	fl.fl_ip_sport = inet->sport;
+	security_sk_sid(sk, &fl.sid);
 
 	if (np->opt != NULL && np->opt->srcrt != NULL) {
 		const struct rt0_hdr *rt0 = (struct rt0_hdr *)np->opt->srcrt;
@@ -322,6 +323,7 @@ static void dccp_v6_err(struct sk_buff *
 			fl.oif = sk->sk_bound_dev_if;
 			fl.fl_ip_dport = inet->dport;
 			fl.fl_ip_sport = inet->sport;
+			security_sk_sid(sk, &fl.sid);
 
 			err = ip6_dst_lookup(sk, &dst, &fl);
 			if (err) {
@@ -422,6 +424,7 @@ static int dccp_v6_send_response(struct 
 	fl.oif = ireq6->iif;
 	fl.fl_ip_dport = inet_rsk(req)->rmt_port;
 	fl.fl_ip_sport = inet_sk(sk)->sport;
+	security_sk_sid(sk, &fl.sid);
 
 	if (dst == NULL) {
 		opt = np->opt;
@@ -566,6 +569,7 @@ static void dccp_v6_ctl_send_reset(struc
 	fl.oif = inet6_iif(rxskb);
 	fl.fl_ip_dport = dh->dccph_dport;
 	fl.fl_ip_sport = dh->dccph_sport;
+	security_xfrm_skb_sid(rxskb, &fl.sid);
 
 	/* sk = NULL, but it is safe for now. RST socket required. */
 	if (!ip6_dst_lookup(NULL, &skb->dst, &fl)) {
@@ -622,6 +626,7 @@ static void dccp_v6_reqsk_send_ack(struc
 	fl.oif = inet6_iif(rxskb);
 	fl.fl_ip_dport = dh->dccph_dport;
 	fl.fl_ip_sport = dh->dccph_sport;
+	security_xfrm_skb_sid(rxskb, &fl.sid);
 
 	if (!ip6_dst_lookup(NULL, &skb->dst, &fl)) {
 		if (xfrm_lookup(&skb->dst, &fl, NULL, 0) >= 0) {
@@ -843,6 +848,7 @@ static struct sock *dccp_v6_request_recv
 		fl.oif = sk->sk_bound_dev_if;
 		fl.fl_ip_dport = inet_rsk(req)->rmt_port;
 		fl.fl_ip_sport = inet_sk(sk)->sport;
+		security_sk_sid(sk, &fl.sid);
 
 		if (ip6_dst_lookup(sk, &dst, &fl))
 			goto out;
--- linux-2.6.17.i686.patch11.1/net/ipv4/af_inet.c	2006-07-05 14:36:43.000000000 -0500
+++ linux-2.6.17.i686/net/ipv4/af_inet.c	2006-07-05 14:44:23.000000000 -0500
@@ -1076,6 +1076,7 @@ int inet_sk_rebuild_header(struct sock *
 		},
 	};
 						
+	security_sk_sid(sk, &fl.sid);
 	err = ip_route_output_flow(&rt, &fl, sk, 0);
 }
 	if (!err)
--- linux-2.6.17.i686.patch11.1/net/ipv4/icmp.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv4/icmp.c	2006-07-05 14:44:23.000000000 -0500
@@ -407,6 +407,7 @@ static void icmp_reply(struct icmp_bxm *
 						.saddr = rt->rt_spec_dst,
 						.tos = RT_TOS(skb->nh.iph->tos) } },
 				    .proto = IPPROTO_ICMP };
+		security_xfrm_skb_sid(skb, &fl.sid);
 		if (ip_route_output_key(&rt, &fl))
 			goto out_unlock;
 	}
@@ -561,6 +562,7 @@ void icmp_send(struct sk_buff *skb_in, i
 				}
 			}
 		};
+		security_xfrm_skb_sid(skb_in, &fl.sid);
 		if (ip_route_output_key(&rt, &fl))
 			goto out_unlock;
 	}
--- linux-2.6.17.i686.patch11.1/net/ipv4/inet_connection_sock.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv4/inet_connection_sock.c	2006-07-05 14:44:23.000000000 -0500
@@ -328,6 +328,7 @@ struct dst_entry* inet_csk_route_req(str
 				       { .sport = inet_sk(sk)->sport,
 					 .dport = ireq->rmt_port } } };
 
+	security_sk_sid(sk, &fl.sid);
 	if (ip_route_output_flow(&rt, &fl, sk, 0)) {
 		IP_INC_STATS_BH(IPSTATS_MIB_OUTNOROUTES);
 		return NULL;
--- linux-2.6.17.i686.patch11.1/net/ipv4/ip_gre.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv4/ip_gre.c	2006-07-05 14:44:23.000000000 -0500
@@ -479,6 +479,7 @@ out:
 	fl.fl4_dst = eiph->saddr;
 	fl.fl4_tos = RT_TOS(eiph->tos);
 	fl.proto = IPPROTO_GRE;
+	security_xfrm_skb_sid(skb, &fl.sid);
 	if (ip_route_output_key(&rt, &fl)) {
 		kfree_skb(skb2);
 		return;
@@ -492,6 +493,7 @@ out:
 		fl.fl4_dst = eiph->daddr;
 		fl.fl4_src = eiph->saddr;
 		fl.fl4_tos = eiph->tos;
+		security_xfrm_skb_sid(skb, &fl.sid);
 		if (ip_route_output_key(&rt, &fl) ||
 		    rt->u.dst.dev->type != ARPHRD_IPGRE) {
 			ip_rt_put(rt);
--- linux-2.6.17.i686.patch11.1/net/ipv4/ipip.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv4/ipip.c	2006-07-05 14:44:23.000000000 -0500
@@ -411,6 +411,7 @@ out:
 	fl.fl4_daddr = eiph->saddr;
 	fl.fl4_tos = RT_TOS(eiph->tos);
 	fl.proto = IPPROTO_IPIP;
+	security_xfrm_skb_sid(skb, &fl.sid);
 	if (ip_route_output_key(&rt, &key)) {
 		kfree_skb(skb2);
 		return 0;
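Review bot: The label is stored in `fl.sid` but the lookup on the next line routes on `&key`, and the flowi fields here are written as `fl.fl4_daddr` while the parallel ip_gre.c hunk uses `fl.fl4_dst`; both suggest this part of ipip_err is not compiled in this tree (in 2.6.17 I believe it sits in the disabled branch of the `I_WISH_WORLD_WERE_PERFECT` conditional), so the new call is unverified. Either confirm it builds and pass `&fl` to `ip_route_output_key`, or leave the dead block untouched and say so in the cover letter, which already lists ipip as unaddressed.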
@@ -424,6 +425,7 @@ out:
 		fl.fl4_daddr = eiph->daddr;
 		fl.fl4_src = eiph->saddr;
 		fl.fl4_tos = eiph->tos;
+		security_xfrm_skb_sid(skb, &fl.sid);
 		if (ip_route_output_key(&rt, &fl) ||
 		    rt->u.dst.dev->type != ARPHRD_TUNNEL) {
 			ip_rt_put(rt);
@@ -556,6 +558,7 @@ static int ipip_tunnel_xmit(struct sk_bu
 						.saddr = tiph->saddr,
 						.tos = RT_TOS(tos) } },
 				    .proto = IPPROTO_IPIP };
+		security_xfrm_skb_sid(skb, &fl.sid);
 		if (ip_route_output_key(&rt, &fl)) {
 			tunnel->stat.tx_carrier_errors++;
 			goto tx_error_icmp;
--- linux-2.6.17.i686.patch11.1/net/ipv4/ip_output.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv4/ip_output.c	2006-07-05 14:44:23.000000000 -0500
@@ -330,6 +330,7 @@ int ip_queue_xmit(struct sk_buff *skb, i
 			 * keep trying until route appears or the connection times
 			 * itself out.
 			 */
+			security_sk_sid(sk, &fl.sid);
 			if (ip_route_output_flow(&rt, &fl, sk, 0))
 				goto no_route;
 		}
@@ -1362,6 +1363,7 @@ void ip_send_reply(struct sock *sk, stru
 					       { .sport = skb->h.th->dest,
 					         .dport = skb->h.th->source } },
 				    .proto = sk->sk_protocol };
+		security_xfrm_skb_sid(skb, &fl.sid);
 		if (ip_route_output_key(&rt, &fl))
 			return;
 	}
--- linux-2.6.17.i686.patch11.1/net/ipv4/netfilter/ipt_REJECT.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv4/netfilter/ipt_REJECT.c	2006-07-05 14:44:23.000000000 -0500
@@ -91,6 +91,7 @@ static inline struct rtable *route_rever
 	fl.proto = IPPROTO_TCP;
 	fl.fl_ip_sport = tcph->dest;
 	fl.fl_ip_dport = tcph->source;
+	security_xfrm_skb_sid(skb, &fl.sid);
 
 	xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
 
--- linux-2.6.17.i686.patch11.1/net/ipv4/raw.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv4/raw.c	2006-07-05 14:44:23.000000000 -0500
@@ -484,6 +484,7 @@ static int raw_sendmsg(struct kiocb *ioc
 		if (!inet->hdrincl)
 			raw_probe_proto_opt(&fl, msg);
 
+		security_sk_sid(sk, &fl.sid);
 		err = ip_route_output_flow(&rt, &fl, sk, !(msg->msg_flags&MSG_DONTWAIT));
 	}
 	if (err)
--- linux-2.6.17.i686.patch11.1/net/ipv4/syncookies.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv4/syncookies.c	2006-07-05 14:44:23.000000000 -0500
@@ -259,6 +259,7 @@ struct sock *cookie_v4_check(struct sock
 				    .uli_u = { .ports =
 					       { .sport = skb->h.th->dest,
 						 .dport = skb->h.th->source } } };
+		security_sk_sid(sk, &fl.sid);
 		if (ip_route_output_key(&rt, &fl)) {
 			reqsk_free(req);
 			goto out; 
--- linux-2.6.17.i686.patch11.1/net/ipv4/udp.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv4/udp.c	2006-07-05 14:44:23.000000000 -0500
@@ -604,6 +604,7 @@ int udp_sendmsg(struct kiocb *iocb, stru
 				    .uli_u = { .ports =
 					       { .sport = inet->sport,
 						 .dport = dport } } };
+		security_sk_sid(sk, &fl.sid);
 		err = ip_route_output_flow(&rt, &fl, sk, !(msg->msg_flags&MSG_DONTWAIT));
 		if (err)
 			goto out;
--- linux-2.6.17.i686.patch11.1/net/ipv6/af_inet6.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv6/af_inet6.c	2006-07-05 14:44:23.000000000 -0500
@@ -638,6 +638,7 @@ int inet6_sk_rebuild_header(struct sock 
 		fl.oif = sk->sk_bound_dev_if;
 		fl.fl_ip_dport = inet->dport;
 		fl.fl_ip_sport = inet->sport;
+		security_sk_sid(sk, &fl.sid);
 
 		if (np->opt && np->opt->srcrt) {
 			struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt;
--- linux-2.6.17.i686.patch11.1/net/ipv6/datagram.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv6/datagram.c	2006-07-05 14:44:23.000000000 -0500
@@ -156,6 +156,8 @@ ipv4_connected:
 	if (!fl.oif && (addr_type&IPV6_ADDR_MULTICAST))
 		fl.oif = np->mcast_oif;
 
+	security_sk_sid(sk, &fl.sid);
+
 	if (flowlabel) {
 		if (flowlabel->opt && flowlabel->opt->srcrt) {
 			struct rt0_hdr *rt0 = (struct rt0_hdr *) flowlabel->opt->srcrt;
--- linux-2.6.17.i686.patch11.1/net/ipv6/icmp.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv6/icmp.c	2006-07-05 14:44:23.000000000 -0500
@@ -358,6 +358,7 @@ void icmpv6_send(struct sk_buff *skb, in
 	fl.oif = iif;
 	fl.fl_icmp_type = type;
 	fl.fl_icmp_code = code;
+	security_xfrm_skb_sid(skb, &fl.sid);
 
 	if (icmpv6_xmit_lock())
 		return;
@@ -472,6 +473,7 @@ static void icmpv6_echo_reply(struct sk_
 		ipv6_addr_copy(&fl.fl6_src, saddr);
 	fl.oif = skb->dev->ifindex;
 	fl.fl_icmp_type = ICMPV6_ECHO_REPLY;
+	security_xfrm_skb_sid(skb, &fl.sid);
 
 	if (icmpv6_xmit_lock())
 		return;
--- linux-2.6.17.i686.patch11.1/net/ipv6/inet6_connection_sock.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv6/inet6_connection_sock.c	2006-07-05 14:44:23.000000000 -0500
@@ -158,6 +158,7 @@ int inet6_csk_xmit(struct sk_buff *skb, 
 	fl.oif = sk->sk_bound_dev_if;
 	fl.fl_ip_sport = inet->sport;
 	fl.fl_ip_dport = inet->dport;
+	security_sk_sid(sk, &fl.sid);
 
 	if (np->opt && np->opt->srcrt) {
 		struct rt0_hdr *rt0 = (struct rt0_hdr *)np->opt->srcrt;
--- linux-2.6.17.i686.patch11.1/net/ipv6/ndisc.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv6/ndisc.c	2006-07-05 14:44:23.000000000 -0500
@@ -420,6 +420,7 @@ static inline void ndisc_flow_init(struc
 	fl->proto	 	= IPPROTO_ICMPV6;
 	fl->fl_icmp_type	= type;
 	fl->fl_icmp_code	= 0;
+	security_sk_sid(ndisc_socket->sk, &fl->sid);
 }
 
 static void ndisc_send_na(struct net_device *dev, struct neighbour *neigh,
--- linux-2.6.17.i686.patch11.1/net/ipv6/netfilter/ip6t_REJECT.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv6/netfilter/ip6t_REJECT.c	2006-07-05 14:44:23.000000000 -0500
@@ -97,6 +97,7 @@ static void send_reset(struct sk_buff *o
 	ipv6_addr_copy(&fl.fl6_dst, &oip6h->saddr);
 	fl.fl_ip_sport = otcph.dest;
 	fl.fl_ip_dport = otcph.source;
+	security_xfrm_skb_sid(oldskb, &fl.sid);
 	dst = ip6_route_output(NULL, &fl);
 	if (dst == NULL)
 		return;
--- linux-2.6.17.i686.patch11.1/net/ipv6/raw.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv6/raw.c	2006-07-05 14:44:23.000000000 -0500
@@ -758,6 +758,7 @@ static int rawv6_sendmsg(struct kiocb *i
 
 	if (!fl.oif && ipv6_addr_is_multicast(&fl.fl6_dst))
 		fl.oif = np->mcast_oif;
+	security_sk_sid(sk, &fl.sid);
 
 	err = ip6_dst_lookup(sk, &dst, &fl);
 	if (err)
--- linux-2.6.17.i686.patch11.1/net/ipv6/sit.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv6/sit.c	2006-07-05 14:44:23.000000000 -0500
@@ -483,6 +483,7 @@ static int ipip6_tunnel_xmit(struct sk_b
 						.tos = RT_TOS(tos) } },
 				    .oif = tunnel->parms.link,
 				    .proto = IPPROTO_IPV6 };
+		security_xfrm_skb_sid(skb, &fl.sid);
 		if (ip_route_output_key(&rt, &fl)) {
 			tunnel->stat.tx_carrier_errors++;
 			goto tx_error_icmp;
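Review bot: The outer flow's label is taken from the encapsulated skb's sec_path, which as far as I can tell `selinux_xfrm_decode_session` only fills for packets that arrived over IPsec; a locally generated IPv6 packet from a labeled socket has no sec_path and the tunnel flow gets `SECSID_NULL` here. The cover letter lists sit as unaddressed, so mark the call as interim with a comment such as `/* interim: label only from any IPsec SA the inner skb arrived on */` so it is not mistaken for full tunnel support.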
--- linux-2.6.17.i686.patch11.1/net/ipv6/tcp_ipv6.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv6/tcp_ipv6.c	2006-07-05 14:44:23.000000000 -0500
@@ -252,6 +252,8 @@ static int tcp_v6_connect(struct sock *s
 		final_p = &final;
 	}
 
+	security_sk_sid(sk, &fl.sid);
+
 	err = ip6_dst_lookup(sk, &dst, &fl);
 	if (err)
 		goto failure;
@@ -376,6 +378,7 @@ static void tcp_v6_err(struct sk_buff *s
 			fl.oif = sk->sk_bound_dev_if;
 			fl.fl_ip_dport = inet->dport;
 			fl.fl_ip_sport = inet->sport;
+			security_xfrm_skb_sid(skb, &fl.sid);
 
 			if ((err = ip6_dst_lookup(sk, &dst, &fl))) {
 				sk->sk_err_soft = -err;
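Review bot: `tcp_v6_err` labels the re-route lookup for `sk` with `security_xfrm_skb_sid(skb, ...)`, where `skb` is the ICMPv6 error that triggered it, whereas the identical path in `dccp_v6_err` in this same patch uses `security_sk_sid(sk, &fl.sid)`. The dst being rebuilt is the socket's own outbound route, so the socket's label should select the SA; deriving it from the error packet means an unauthenticated ICMP sender (no sec_path, hence `SECSID_NULL`) can steer the socket's subsequent traffic onto a differently labeled route. Suggest `security_sk_sid(sk, &fl.sid);` to match the DCCP side.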
@@ -470,6 +473,7 @@ static int tcp_v6_send_synack(struct soc
 	fl.oif = treq->iif;
 	fl.fl_ip_dport = inet_rsk(req)->rmt_port;
 	fl.fl_ip_sport = inet_sk(sk)->sport;
+	security_sk_sid(sk, &fl.sid);
 
 	if (dst == NULL) {
 		opt = np->opt;
@@ -610,6 +614,7 @@ static void tcp_v6_send_reset(struct sk_
 	fl.oif = inet6_iif(skb);
 	fl.fl_ip_dport = t1->dest;
 	fl.fl_ip_sport = t1->source;
+	security_xfrm_skb_sid(skb, &fl.sid);
 
 	/* sk = NULL, but it is safe for now. RST socket required. */
 	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
@@ -676,6 +681,7 @@ static void tcp_v6_send_ack(struct sk_bu
 	fl.oif = inet6_iif(skb);
 	fl.fl_ip_dport = t1->dest;
 	fl.fl_ip_sport = t1->source;
+	security_xfrm_skb_sid(skb, &fl.sid);
 
 	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
 		if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
@@ -909,6 +915,7 @@ static struct sock * tcp_v6_syn_recv_soc
 		fl.oif = sk->sk_bound_dev_if;
 		fl.fl_ip_dport = inet_rsk(req)->rmt_port;
 		fl.fl_ip_sport = inet_sk(sk)->sport;
+		security_sk_sid(sk, &fl.sid);
 
 		if (ip6_dst_lookup(sk, &dst, &fl))
 			goto out;
--- linux-2.6.17.i686.patch11.1/net/ipv6/udp.c	2006-06-17 20:49:35.000000000 -0500
+++ linux-2.6.17.i686/net/ipv6/udp.c	2006-07-05 14:44:23.000000000 -0500
@@ -783,6 +783,8 @@ do_udp_sendmsg:
 		connected = 0;
 	}
 
+	security_sk_sid(sk, &fl->sid);
+
 	err = ip6_dst_lookup(sk, &dst, fl);
 	if (err)
 		goto out;
--- linux-2.6.17.i686.patch11.1/net/xfrm/xfrm_policy.c	2006-07-05 14:38:51.000000000 -0500
+++ linux-2.6.17.i686/net/xfrm/xfrm_policy.c	2006-07-05 14:44:23.000000000 -0500
@@ -786,7 +786,6 @@ int xfrm_lookup(struct dst_entry **dst_p
 	u16 family;
 	u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
 
-	fl->sid = security_sk_sid(sk, fl, dir);
 restart:
 	genid = atomic_read(&flow_cache_genid);
 	policy = NULL;
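Review bot: Removing the central `fl->sid = security_sk_sid(...)` means `xfrm_lookup` now trusts whatever `fl->sid` the caller supplied, so any path reaching it without one of the new `security_sk_sid`/`security_xfrm_skb_sid` calls, the cover letter's ipmr/igmp/sctp/decnet list or an out-of-tree caller, matches policy on a sid it never set. Where the flowi is a zeroed aggregate that is `SECSID_NULL`, but a `struct flowi` declared on the stack without an initialiser would carry stack garbage into SA selection. A comment at the top of `xfrm_lookup` stating the new contract, `/* fl->sid must be set by the caller (security_sk_sid / security_xfrm_skb_sid) */`, would make the requirement explicit. The function continues past the hunk.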
@@ -962,7 +961,7 @@ xfrm_decode_session(struct sk_buff *skb,
 		return -EAFNOSUPPORT;
 
 	afinfo->decode_session(skb, fl);
-	err = security_xfrm_decode_session(skb, fl);
+	err = security_xfrm_decode_session(skb, &fl->sid);
 	xfrm_policy_put_afinfo(afinfo);
 	return err;
 }



