From: Stephen Smalley <sds@tycho.nsa.gov>
To: casey@schaufler-ca.com
Cc: akpm@osdl.org, torvalds@osdl.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] Version 9 (2.6.24-rc1) Smack: Simplified Mandatory Access Control Kernel
Date: Fri, 26 Oct 2007 16:34:27 -0400
Message-ID: <1193430867.11953.200.camel@moss-spartans.epoch.ncsc.mil> (raw)
In-Reply-To: <4720118C.5020906@schaufler-ca.com>

On Wed, 2007-10-24 at 20:46 -0700, Casey Schaufler wrote:
> diff -uprN -X linux-2.6.24-rc1-base/Documentation/dontdiff linux-2.6.24-rc1-base/security/smack/smack_lsm.c linux-2.6.24-rc1-smack/security/smack/smack_lsm.c
> --- linux-2.6.24-rc1-base/security/smack/smack_lsm.c	1969-12-31 16:00:00.000000000 -0800
> +++ linux-2.6.24-rc1-smack/security/smack/smack_lsm.c	2007-10-23 16:45:06.000000000 -0700
<snip>
> +/**
> + * smack_inode_getsecurity - get smack xattrs
> + * @inode: the object
> + * @name: attribute name
> + * @buffer: where to put the result
> + * @size: size of the buffer
> + * @err: unused
> + *
> + * Returns the size of the attribute or an error code
> + */
> +static int smack_inode_getsecurity(const struct inode *inode,
> +				   const char *name, void *buffer,
> +				   size_t size, int err)
> +{
> +	struct socket_smack *ssp;
> +	struct socket *sock;
> +	struct super_block *sbp;
> +	struct inode *ip = (struct inode *)inode;
> +	char *bsp = buffer;
> +	char *isp;
> +
> +	if (size < SMK_LABELLEN || name == NULL || bsp == NULL ||
> +	    inode == NULL || inode->i_security == NULL)
> +		return 0;
> +
> +	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
> +		isp = smk_of_inode(inode);
> +		strncpy(buffer, isp, SMK_LABELLEN);
> +		return strlen(isp) + 1;
> +	}
> +
> +	/*
> +	 * The rest of the Smack xattrs are only on sockets.
> +	 */
> +	sbp = ip->i_sb;
> +	if (sbp->s_magic != SOCKFS_MAGIC)
> +		return -EOPNOTSUPP;
> +
> +	sock = SOCKET_I(ip);
> +	if (sock == NULL)
> +		return -EOPNOTSUPP;
> +
> +	ssp = sock->sk->sk_security;
> +
> +	/*
> +	 * Should the packet attribute be unavailable return the error.
> +	 * This can happen if packets come in too fast.
> +	 */
> +	if (strcmp(name, XATTR_SMACK_PACKET) == 0) {
> +		if (ssp->smk_packet[0] == '\0')
> +			return -ENODATA;
> +		isp = ssp->smk_packet;

Wrong strategy, racy.  Use getpeersec hooks, SO_PEERSEC for stream or
SCM_SECURITY for datagram.  They aren't just for labeled IPSEC - they
work fine for NetLabel too, see SELinux for an example.

> +	} else if (strcmp(name, XATTR_SMACK_IPIN) == 0)
> +		isp = ssp->smk_in;
> +	else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
> +		isp = ssp->smk_out;
> +	else
> +		return -EOPNOTSUPP;
> +
> +	strncpy(buffer, isp, SMK_LABELLEN);
> +	return strlen(isp) + 1;
> +}
> +
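Review bot: The NULL check after `sock = SOCKET_I(ip);` guards the wrong pointer: SOCKET_I() is a container_of-style accessor that yields the socket embedded in the inode and cannot return NULL, whereas `sock->sk`, dereferenced unconditionally on the following line, can be NULL for a socket inode whose sock has not been attached yet or has already been released. Changing the guard to `if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP;` closes that dereference without altering the supported-attribute logic. Separately, the early `return 0` for a NULL or too-small buffer folds three different situations (bad argument, empty label, caller probing for the required size) into one value; if the VFS size-probe convention applies to this hook, returning the label length as the suffix branch does, or -ERANGE, would be less ambiguous than 0.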
<snip>
> +static int smack_socket_recvmsg(struct socket *sock, struct msghdr *msg,
> +				int size, int flags)
> +{
> +	struct socket_smack *ssp = sock->sk->sk_security;
> +
> +	/*
> +	 * If the depth is 0 no packets are queued.
> +	 * If the depth is > 1 the "current" has been overwritten.
> +	 */
> +
> +	if (ssp->smk_depth != 1)
> +		ssp->smk_packet[0] = '\0';
> +	if (ssp->smk_depth != 0)
> +		ssp->smk_depth--;
> +
> +	return 0;
> +}
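Review bot: The depth bookkeeping ignores `flags` and runs before any packet is actually dequeued, so a MSG_PEEK receive, or one that returns without data (EAGAIN, EINTR), still decrements `ssp->smk_depth` and may clear `smk_packet` while the packet remains queued. Because the LSM socket_recvmsg hook is invoked ahead of the protocol's recvmsg, the hook cannot tell whether the receive will consume anything, so the counter drifts even without concurrent delivery. At minimum the peek case should be excluded, `if (flags & MSG_PEEK) return 0;`, and the assumption stated in the header comment, e.g. `/* assumes every non-peek recvmsg dequeues exactly one packet */`, so the limitation is visible to the next reader.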

Same deal, use SCM_SECURITY and the getpeersec_dgram hook to do this in
a race-free way.

> +
> +/**
> + * smack_socket_sock_rcv_skb - Smack packet delivery access check
> + * @sk: socket
> + * @skb: packet
> + *
> + * Returns 0 if the packet should be delivered, an error code otherwise
> + */
> +static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
> +{
> +	struct netlbl_lsm_secattr secattr;
> +	struct socket_smack *ssp = sk->sk_security;
> +	char smack[SMK_LABELLEN];
> +	int rc;
> +
> +	if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
> +		return 0;
> +
> +	/*
> +	 * Translate what netlabel gave us.
> +	 */
> +	memset(smack, '\0', SMK_LABELLEN);
> +	netlbl_secattr_init(&secattr);
> +	rc = netlbl_skbuff_getattr(skb, &secattr);
> +	if (rc == 0)
> +		smack_from_secattr(&secattr, smack);
> +	else
> +		strncpy(smack, smack_net_ambient, SMK_MAXLEN);
> +	netlbl_secattr_destroy(&secattr);
> +	/*
> +	 * Receiving a packet requires that the other end
> +	 * be able to write here. Read access is not required.
> +	 * This is the simplist possible security model
> +	 * for networking.
> +	 */
> +	rc = smk_access(smack, ssp->smk_in, MAY_WRITE);
> +	if (rc != 0)
> +		return rc;
> +
> +	/*
> +	 * If recv was called and there were no outstanding packets
> +	 * this is the "current" Smack value to make available.
> +	 */
> +	if (ssp->smk_depth == 0)
> +		strcpy(ssp->smk_packet, smack);
> +	ssp->smk_depth++;

Ditto.

> +
> +	return 0;
> +}
> +
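Review bot: The family check at the top admits PF_INET6 sockets, yet the only labeling source consulted is netlbl_skbuff_getattr(); if NetLabel provides no IPv6 labels at this kernel level (it appears to be CIPSO/IPv4 only here, confirm), every IPv6 packet silently takes the `smack_net_ambient` fallback and is access-checked as ambient traffic, which may be the intended policy but is stated nowhere. A comment on the fallback branch such as `/* unlabeled traffic, including anything NetLabel cannot decode, is treated as ambient */` would make that explicit. The typo `simplist` in the model comment above the smk_access call should read `simplest`.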

-- 
Stephen Smalley
National Security Agency

