From patchwork Tue Aug 23 14:14:53 2016
X-Patchwork-Submitter: Guido Trentalancia
X-Patchwork-Id: 9295763
Message-ID: <1471961693.30659.7.camel@trentalancia.net>
Subject: [PATCH v5] Classify AF_ALG sockets
From: Guido Trentalancia
To: Paul Moore
Cc: selinux@tycho.nsa.gov
Date: Tue, 23 Aug 2016 16:14:53 +0200
In-Reply-To: <1471899875.19333.3.camel@trentalancia.net>
References: <1471709886.22998.1.camel@trentalancia.net> <89E5C3EA-9794-4496-A195-1C997A5BBF44@trentalancia.net> <43BE5B4F-9AE4-4EDB-825A-F1C15042B385@trentalancia.net> <1471799849.2544.2.camel@trentalancia.net> <1471870947.2354.1.camel@trentalancia.net> <1471899875.19333.3.camel@trentalancia.net>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

Modify the SELinux kernel code so that it is able to classify sockets with the new AF_ALG namespace (used for the user-space interface to the kernel Crypto API).

A companion patch has been created for the Reference Policy and it will be posted to its mailing list, once this patch is merged.

Signed-off-by: Guido Trentalancia
---
 security/selinux/hooks.c            | 5 +++++
 security/selinux/include/classmap.h | 2 ++
 security/selinux/include/security.h | 2 ++
 security/selinux/selinuxfs.c        | 3 ++-
 security/selinux/ss/services.c      | 6 +++++-
 5 files changed, 16 insertions(+), 2 deletions(-)

diff -pru linux-4.7.2-orig/security/selinux/hooks.c linux-4.7.2/security/selinux/hooks.c --- linux-4.7.2-orig/security/selinux/hooks.c 2016-08-22 22:31:27.737767819 +0200 +++ linux-4.7.2/security/selinux/hooks.c 2016-08-22 22:40:29.102526024 +0200
@@ -1315,6 +1315,11 @@ static inline u16 socket_type_to_securit return SECCLASS_KEY_SOCKET; case PF_APPLETALK: return SECCLASS_APPLETALK_SOCKET; + case PF_ALG: + if (selinux_policycap_algsocket) + return SECCLASS_ALG_SOCKET; + else + return SECCLASS_SOCKET; } return SECCLASS_SOCKET; diff -pru linux-4.7.2-orig/security/selinux/include/classmap.h linux-4.7.2/security/selinux/include/classmap.h --- linux-4.7.2-orig/security/selinux/include/classmap.h 2016-08-22 22:31:27.754768030 +0200 +++ linux-4.7.2/security/selinux/include/classmap.h 2016-08-22 22:32:14.795355585 +0200 @@ -144,6 +144,8 @@ struct security_class_mapping secclass_m { COMMON_SOCK_PERMS, NULL } }, { "appletalk_socket", { COMMON_SOCK_PERMS, NULL } }, + { "alg_socket", + { COMMON_SOCK_PERMS, NULL } }, { "packet", { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } }, { "key", diff -pru linux-4.7.2-orig/security/selinux/include/security.h linux-4.7.2/security/selinux/include/security.h --- linux-4.7.2-orig/security/selinux/include/security.h 2016-03-14 05:28:54.000000000 +0100 +++ linux-4.7.2/security/selinux/include/security.h 2016-08-22 22:53:57.911660238 +0200 @@ -75,6 +75,7 @@ enum { POLICYDB_CAPABILITY_OPENPERM, POLICYDB_CAPABILITY_REDHAT1, POLICYDB_CAPABILITY_ALWAYSNETWORK, + POLICYDB_CAPABILITY_ALGSOCKET, __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) @@ -82,6 +83,7 @@ enum { extern int selinux_policycap_netpeer; extern int selinux_policycap_openperm; extern int selinux_policycap_alwaysnetwork; +extern int selinux_policycap_algsocket; /* * type_datum properties diff -pru linux-4.7.2-orig/security/selinux/selinuxfs.c linux-4.7.2/security/selinux/selinuxfs.c --- linux-4.7.2-orig/security/selinux/selinuxfs.c 2016-03-14 05:28:54.000000000 +0100 +++ linux-4.7.2/security/selinux/selinuxfs.c 2016-08-23 14:19:43.945217071 +0200 
@@ -46,7 +46,8 @@ static char *policycap_names[] = { "network_peer_controls", "open_perms", "redhat1", - "always_check_network" + "always_check_network", + "alg_socket" }; unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; diff -pru linux-4.7.2-orig/security/selinux/ss/services.c linux-4.7.2/security/selinux/ss/services.c --- linux-4.7.2-orig/security/selinux/ss/services.c 2016-08-05 21:27:22.275588616 +0200 +++ linux-4.7.2/security/selinux/ss/services.c 2016-08-23 14:33:19.111185535 +0200 @@ -26,9 +26,10 @@ * * Added support for bounds domain and audit messaged on masked permissions * - * Updated: Guido Trentalancia + * Updated: Guido Trentalancia * * Added support for runtime switching of the policy type + * Added support for classifying the AF_ALG sockets (Crypto API) * * Copyright (C) 2008, 2009 NEC Corporation * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. @@ -73,6 +74,7 @@ int selinux_policycap_netpeer; int selinux_policycap_openperm; int selinux_policycap_alwaysnetwork; +int selinux_policycap_algsocket; static DEFINE_RWLOCK(policy_rwlock); @@ -2016,6 +2018,8 @@ static void security_load_policycaps(voi POLICYDB_CAPABILITY_OPENPERM); selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps, POLICYDB_CAPABILITY_ALWAYSNETWORK); + selinux_policycap_algsocket = ebitmap_get_bit(&policydb.policycaps, + POLICYDB_CAPABILITY_ALGSOCKET); } static int security_preserve_bools(struct policydb *p);
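Review bot: in the PF_ALG case added to socket_type_to_security_class() in hooks.c, the `else return SECCLASS_SOCKET;` duplicates the `return SECCLASS_SOCKET;` that already follows the switch; `if (selinux_policycap_algsocket) return SECCLASS_ALG_SOCKET; break;` would keep one fallback path and match the surrounding style. It is also worth stating in the commit message that the class is chosen when the socket is created, so enabling or disabling the alg_socket capability on a policy reload does not change the class of sockets that are already open.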
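Review bot: POLICYDB_CAPABILITY_ALGSOCKET in security.h is added as the fifth capability bit, and nothing in the patch ties that index to the position of "alg_socket" in policycap_names[] in selinuxfs.c; the two are only kept consistent by convention, so a comment on the enum (or a BUILD_BUG_ON comparing ARRAY_SIZE(policycap_names) with POLICYDB_CAPABILITY_MAX + 1) would catch a future mismatch. The same bit position must also be known to the userspace policy toolchain (libsepol's policy capability table) before any policy can enable it; that dependency belongs next to the Reference Policy note in the commit message.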
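Review bot: in the services.c file-header hunk the removed and added "Updated: Guido Trentalancia" lines are identical as shown, so this is a whitespace-only or address-only change unrelated to AF_ALG classification; drop it so the hunk only adds the new "Added support for classifying the AF_ALG sockets (Crypto API)" line, which keeps the diff focused on the feature.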