Revert "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel"

This reverts commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0.

It bit people like Michal Piotrowski:

"My system is too secure, I can not login :)"

because it changed how CONFIG_NETLABEL worked, and broke older SElinux
policies.

As a result, quoth James Morris:

"Can you please revert this patch?

We thought it only affected people running MLS, but it will affect others.

Sorry for the hassle."

Cc: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
Cc: Paul Moore <paul.moore@hp.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+31 -24
+10 -11
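--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3129,19 +3129,17 @@
 /**
  * selinux_skb_extlbl_sid - Determine the external label of a packet
  * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
  * @sid: the packet's SID
  *
  * Description:
  * Check the various different forms of external packet labeling and determine
- * the external SID for the packet. If only one form of external labeling is
- * present then it is used, if both labeled IPsec and NetLabel labels are
- * present then the SELinux type information is taken from the labeled IPsec
- * SA and the MLS sensitivity label information is taken from the NetLabel
- * security attributes. This bit of "magic" is done in the call to
- * selinux_netlbl_skbuff_getsid().
+ * the external SID for the packet.
  *
  */
-static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+				   u32 base_sid,
+				   u32 *sid)
 {
 	u32 xfrm_sid;
 	u32 nlbl_sid;
@@ -3147,9 +3149,10 @@
 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
 	if (selinux_netlbl_skbuff_getsid(skb,
 	    (xfrm_sid == SECSID_NULL ?
-	    SECINITSID_NETMSG : xfrm_sid),
+	    base_sid : xfrm_sid),
 	    &nlbl_sid) != 0)
 		nlbl_sid = SECSID_NULL;
+
 	*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
 }
 
@@ -3695,7 +3696,7 @@
 	if (sock && sock->sk->sk_family == PF_UNIX)
 		selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
 	else if (skb)
-		selinux_skb_extlbl_sid(skb, &peer_secid);
+		selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
 
 	if (peer_secid == SECSID_NULL)
 		err = -EINVAL;
@@ -3756,7 +3757,7 @@
 	u32 newsid;
 	u32 peersid;
 
-	selinux_skb_extlbl_sid(skb, &peersid);
+	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
 	if (peersid == SECSID_NULL) {
 		req->secid = sksec->sid;
 		req->peer_secid = SECSID_NULL;
@@ -3794,7 +3795,7 @@
 {
 	struct sk_security_struct *sksec = sk->sk_security;
 
-	selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
+	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
 }
 
 static void selinux_req_classify_flow(const struct request_sock *req,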
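Review bot: The restored selinux_skb_extlbl_sid() comment no longer says how a packet that carries both a labeled-IPsec SA and NetLabel attributes is resolved, yet the code still hands xfrm_sid to selinux_netlbl_skbuff_getsid() as the base SID when it is not SECSID_NULL and then prefers nlbl_sid over xfrm_sid on the last line, so the precedence is now only implied. Suggest keeping one line above the call, e.g. `/* NetLabel result (derived with xfrm_sid as base when IPsec labeled the packet) wins over the bare IPsec SID */`. It is also worth stating in the @base_sid doc that every caller on this page passes SECINITSID_UNLABELED, since the commit message gives the reason (a NETMSG default broke older policies) and a future caller would otherwise have no hint which base is safe.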
+21 -13
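--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -158,7 +158,9 @@
 	netlbl_secattr_init(&secattr);
 	rc = netlbl_skbuff_getattr(skb, &secattr);
 	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-		rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
+		rc = security_netlbl_secattr_to_sid(&secattr,
+						    base_sid,
+						    sid);
 	else
 		*sid = SECSID_NULL;
 	netlbl_secattr_destroy(&secattr);
@@ -198,7 +196,7 @@
 	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
 	    secattr.flags != NETLBL_SECATTR_NONE &&
 	    security_netlbl_secattr_to_sid(&secattr,
-					   SECINITSID_NETMSG,
+					   SECINITSID_UNLABELED,
 					   &nlbl_peer_sid) == 0)
 		sksec->peer_sid = nlbl_peer_sid;
 	netlbl_secattr_destroy(&secattr);
@@ -295,32 +293,38 @@
 					  struct avc_audit_data *ad)
 {
 	int rc;
-	u32 nlbl_sid;
-	u32 perm;
+	u32 netlbl_sid;
+	u32 recv_perm;
 
-	rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid);
+	rc = selinux_netlbl_skbuff_getsid(skb,
+					  SECINITSID_UNLABELED,
+					  &netlbl_sid);
 	if (rc != 0)
 		return rc;
-	if (nlbl_sid == SECSID_NULL)
-		nlbl_sid = SECINITSID_UNLABELED;
+
+	if (netlbl_sid == SECSID_NULL)
+		return 0;
 
 	switch (sksec->sclass) {
 	case SECCLASS_UDP_SOCKET:
-		perm = UDP_SOCKET__RECVFROM;
+		recv_perm = UDP_SOCKET__RECVFROM;
 		break;
 	case SECCLASS_TCP_SOCKET:
-		perm = TCP_SOCKET__RECVFROM;
+		recv_perm = TCP_SOCKET__RECVFROM;
 		break;
 	default:
-		perm = RAWIP_SOCKET__RECVFROM;
+		recv_perm = RAWIP_SOCKET__RECVFROM;
 	}
 
-	rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
+	rc = avc_has_perm(sksec->sid,
+			  netlbl_sid,
+			  sksec->sclass,
+			  recv_perm,
+			  ad);
 	if (rc == 0)
 		return 0;
 
-	if (nlbl_sid != SECINITSID_UNLABELED)
-		netlbl_skbuff_err(skb, rc);
+	netlbl_skbuff_err(skb, rc);
 	return rc;
 }
 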
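Review bot: The restored early return in the third hunk (`if (netlbl_sid == SECSID_NULL) return 0;`) means a packet carrying no NetLabel attributes is not subjected to the `recvfrom` AVC check in this function at all, whereas the code being reverted mapped it to SECINITSID_UNLABELED and checked it; that is a policy-visible difference which the commit message attributes to older policies breaking, but nothing at the return site records that it is deliberate. Suggest a comment above it, e.g. `/* no NetLabel label on this packet: the recvfrom check is intentionally skipped for unlabeled traffic (see revert of 9faf65fb6ee2) */`, so the next reader does not take the skip for an oversight. The function this hunk belongs to starts before the hunk, so its name and the declaration of sksec are not visible here; the same consideration applies to the SECINITSID_UNLABELED base passed in the second hunk of this file.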