From 21f1345260b20482c50ef4d94e697c31864a8740 Mon Sep 17 00:00:00 2001
From: Sooyoung Ha
Date: Mon, 20 Jun 2016 11:53:36 +0900
Subject: [PATCH] Revert "Smack: secmark support for netfilter"

This reverts commit bfc68eeb399fc6351637b22605e23a4f54e443ec.

Change-Id: Id5128cbd365bdbf7095a026421f03a81ac277960
Signed-off-by: Sooyoung Ha
---
security/smack/Kconfig | 42 +++++--------
security/smack/Makefile | 1 -
security/smack/smack.h | 1 -
security/smack/smack_lsm.c | 93 +++---------------------------
security/smack/smack_netfilter.c | 96 --------------------------------
5 files changed, 23 insertions(+), 210 deletions(-)
delete mode 100755 security/smack/smack_netfilter.c

diff --git a/security/smack/Kconfig b/security/smack/Kconfig
index 271adae81796..ba5527e9aa76 100644
--- a/security/smack/Kconfig
+++ b/security/smack/Kconfig
@@ -13,30 +13,18 @@ config SECURITY_SMACK
If you are unsure how to answer this question, answer N.
config SECURITY_SMACK_BRINGUP
- bool "Reporting on access granted by Smack rules"
- depends on SECURITY_SMACK
- default n
- help
- Enable the bring-up ("b") access mode in Smack rules.
- When access is granted by a rule with the "b" mode a
- message about the access requested is generated. The
- intention is that a process can be granted a wide set
- of access initially with the bringup mode set on the
- rules. The developer can use the information to
- identify which rules are necessary and what accesses
- may be inappropriate. The developer can reduce the
- access rule set once the behavior is well understood.
- This is a superior mechanism to the oft abused
- "permissive" mode of other systems.
- If you are unsure how to answer this question, answer N.
-
-config SECURITY_SMACK_NETFILTER
- bool "Packet marking using secmarks for netfilter"
- depends on SECURITY_SMACK
- depends on NETWORK_SECMARK
- depends on NETFILTER
- default n
- help
- This enables security marking of network packets using
- Smack labels.
- If you are unsure how to answer this question, answer N.
+ bool "Reporting on access granted by Smack rules"
+ depends on SECURITY_SMACK
+ default n
+ help
+ Enable the bring-up ("b") access mode in Smack rules.
+ When access is granted by a rule with the "b" mode a
+ message about the access requested is generated. The
+ intention is that a process can be granted a wide set
+ of access initially with the bringup mode set on the
+ rules. The developer can use the information to
+ identify which rules are necessary and what accesses
+ may be inappropriate. The developer can reduce the
+ access rule set once the behavior is well understood.
+ This is a superior mechanism to the oft abused
+ "permissive" mode of other systems.
diff --git a/security/smack/Makefile b/security/smack/Makefile
index 28a035dd0191..6a1931efd46a 100644
--- a/security/smack/Makefile
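Review bot: The restored SECURITY_SMACK_BRINGUP help ends at `"permissive" mode of other systems.` and drops the closing `If you are unsure how to answer this question, answer N.` line, which the removed text carried and which the SECURITY_SMACK entry above (visible as the hunk's leading context) also ends with. Unless the revert is meant to be byte-exact with the pre-secmark text, keeping that line in the added help makes the two entries read consistently.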
+++ b/security/smack/Makefile
@@ -6,5 +6,4 @@ ifndef CONFIG_MARU_EXTENSION_SOURCE
obj-$(CONFIG_SECURITY_SMACK) := smack.o
smack-y := smack_lsm.o smack_access.o smackfs.o
-smack-$(CONFIG_SECURITY_SMACK_NETFILTER) += smack_netfilter.o
endif
diff --git a/security/smack/smack.h b/security/smack/smack.h
index e83a6eadb99c..ed66a9c3f20c 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -267,7 +267,6 @@ void smk_destroy_label_list(struct list_head *list);
/*
* Shared data.
*/
-extern int smack_enabled;
extern int smack_cipso_direct;
extern int smack_cipso_mapped;
extern struct smack_known *smack_net_ambient;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 5b367d320ee7..021699451705 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -52,11 +52,8 @@
#define SMK_RECEIVING 1
#define SMK_SENDING 2
-#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
LIST_HEAD(smk_ipv6_port_list);
-#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
static struct kmem_cache *smack_inode_cache;
-int smack_enabled;
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
static char *smk_bu_mess[] = {
@@ -2313,7 +2310,6 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
return smack_netlabel(sk, sk_lbl);
}
-#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
/**
* smk_ipv6_port_label - Smack port access table management
* @sock: socket
@@ -2463,7 +2459,6 @@ auditout:
rc = smk_bu_note("IPv6 port check", skp, object, MAY_WRITE, rc);
return rc;
}
-#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
/**
* smack_inode_setsecurity - set smack xattrs
@@ -2524,10 +2519,8 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
} else
return -EOPNOTSUPP;
-#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
if (sock->sk->sk_family == PF_INET6)
smk_ipv6_port_label(sock, NULL);
-#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
return 0;
}
@@ -2555,7 +2548,6 @@ static int smack_socket_post_create(struct socket *sock, int family,
return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
}
-#ifndef CONFIG_SECURITY_SMACK_NETFILTER
/**
* smack_socket_bind - record port binding information.
* @sock: the socket
@@ -2569,14 +2561,11 @@ static int smack_socket_post_create(struct socket *sock, int family,
static int smack_socket_bind(struct socket *sock, struct sockaddr *address,
int addrlen)
{
-#if IS_ENABLED(CONFIG_IPV6)
if (sock->sk != NULL && sock->sk->sk_family == PF_INET6)
smk_ipv6_port_label(sock, address);
-#endif
return 0;
}
-#endif /* !CONFIG_SECURITY_SMACK_NETFILTER */
/**
* smack_socket_connect - connect access check
@@ -2605,10 +2594,8 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
case PF_INET6:
if (addrlen < sizeof(struct sockaddr_in6))
return -EINVAL;
-#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
rc = smk_ipv6_port_check(sock->sk, (struct sockaddr_in6 *)sap,
SMK_CONNECTING);
-#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
break;
}
return rc;
@@ -3508,9 +3495,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
int size)
{
struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
-#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
-#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
int rc = 0;
/*
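Review bot: `smack_socket_bind` (hunk -2569) takes `addrlen` but never checks it before handing `address` to `smk_ipv6_port_label`, whereas `smack_socket_connect` in the hunk right below rejects `addrlen < sizeof(struct sockaddr_in6)` before its IPv6 port check. The hook runs ahead of the protocol's own bind validation, and `smk_ipv6_port_label` (its body is outside this hunk) presumably reads the address as a `struct sockaddr_in6`, so a short address would let the port label table be filled from bytes past the caller-supplied length. Mirroring the connect check inside the PF_INET6 branch keeps the two hooks consistent: `if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) {`, then `if (addrlen < sizeof(struct sockaddr_in6)) return -EINVAL;` ahead of `smk_ipv6_port_label(sock, address);`, closing the brace after the call.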
@@ -3524,9 +3509,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
rc = smack_netlabel_send(sock->sk, sip);
break;
case AF_INET6:
-#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING);
-#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
break;
}
return rc;
@@ -3617,7 +3600,6 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
return smack_net_ambient;
}
-#if IS_ENABLED(CONFIG_IPV6)
static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
{
u8 nexthdr;
@@ -3664,7 +3646,6 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
}
return proto;
}
-#endif /* CONFIG_IPV6 */
/**
* smack_socket_sock_rcv_skb - Smack packet delivery access check
@@ -3677,30 +3658,15 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
struct netlbl_lsm_secattr secattr;
struct socket_smack *ssp = sk->sk_security;
- struct smack_known *skp = NULL;
+ struct smack_known *skp;
+ struct sockaddr_in6 sadd;
int rc = 0;
struct smk_audit_info ad;
#ifdef CONFIG_AUDIT
struct lsm_network_audit net;
#endif
-#if IS_ENABLED(CONFIG_IPV6)
- struct sockaddr_in6 sadd;
- int proto;
-#endif /* CONFIG_IPV6 */
-
switch (sk->sk_family) {
case PF_INET:
-#ifdef CONFIG_SECURITY_SMACK_NETFILTER
- /*
- * If there is a secmark use it rather than the CIPSO label.
- * If there is no secmark fall back to CIPSO.
- * The secmark is assumed to reflect policy better.
- */
- if (skb && skb->secmark != 0) {
- skp = smack_from_secid(skb->secmark);
- goto access_check;
- }
-#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
/*
* Translate what netlabel gave us.
*/
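Review bot: In the `case AF_INET6:` arm of `smack_socket_sendmsg` (hunk -3524), `sap` is `msg->msg_name` reinterpreted as a `struct sockaddr_in6` (declared in the -3508 hunk above) and is passed to `smk_ipv6_port_check` without `msg->msg_namelen` ever being compared against `sizeof(struct sockaddr_in6)`, the bound that `smack_socket_connect` applies to its `addrlen`. A sendmsg caller controls `msg_namelen`, so a name shorter than the address the port check reads would be evaluated on bytes the caller did not supply; the head of the function, including the NULL check on the name and the switch key, is outside the hunk, so an existing length check there cannot be ruled out from here. If there is none, `if (msg->msg_namelen < sizeof(struct sockaddr_in6)) return -EINVAL;` at the top of the AF_INET6 arm closes it, and the AF_INET arm deserves the same shape against `sizeof(struct sockaddr_in)`.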
@@ -3714,9 +3680,6 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
netlbl_secattr_destroy(&secattr);
-#ifdef CONFIG_SECURITY_SMACK_NETFILTER
-access_check:
-#endif
#ifdef CONFIG_AUDIT
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
ad.a.u.net->family = sk->sk_family;
@@ -3735,30 +3698,13 @@ access_check:
if (rc != 0)
netlbl_skbuff_err(skb, rc, 0);
break;
-#if IS_ENABLED(CONFIG_IPV6)
case PF_INET6:
- proto = smk_skb_to_addr_ipv6(skb, &sadd);
- if (proto != IPPROTO_UDP && proto != IPPROTO_TCP)
- break;
-#ifdef CONFIG_SECURITY_SMACK_NETFILTER
- if (skb && skb->secmark != 0)
- skp = smack_from_secid(skb->secmark);
+ rc = smk_skb_to_addr_ipv6(skb, &sadd);
+ if (rc == IPPROTO_UDP || rc == IPPROTO_TCP)
+ rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
else
- skp = smack_net_ambient;
-#ifdef CONFIG_AUDIT
- smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
- ad.a.u.net->family = sk->sk_family;
- ad.a.u.net->netif = skb->skb_iif;
- ipv6_skb_to_auditdata(skb, &ad.a, NULL);
-#endif /* CONFIG_AUDIT */
- rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
- rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in,
- MAY_WRITE, rc);
-#else /* CONFIG_SECURITY_SMACK_NETFILTER */
- rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
-#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
+ rc = 0;
break;
-#endif /* CONFIG_IPV6 */
}
return rc;
}
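Review bot: In the new `case PF_INET6:` arm of `smack_socket_sock_rcv_skb` (hunk -3735), `rc` first carries the protocol number returned by `smk_skb_to_addr_ipv6` and is then reused for the access result, which is what forces the trailing `else rc = 0;`. Giving the protocol its own local, as the removed code did, reads more clearly: add `int proto;` beside `struct sockaddr_in6 sadd;` (declared in the -3677 hunk), use `proto = smk_skb_to_addr_ipv6(skb, &sadd);` and `if (proto == IPPROTO_UDP || proto == IPPROTO_TCP) rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);`, and drop the `else`, since `rc` is initialised to 0 at the top of the function. Packets that are neither TCP nor UDP leave this arm with rc == 0 in both the old and the new code, so the point is presentation, not behaviour.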
@@ -3821,25 +3767,16 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
if (skb != NULL) {
if (skb->protocol == htons(ETH_P_IP))
family = PF_INET;
-#if IS_ENABLED(CONFIG_IPV6)
else if (skb->protocol == htons(ETH_P_IPV6))
family = PF_INET6;
-#endif /* CONFIG_IPV6 */
}
if (family == PF_UNSPEC && sock != NULL)
family = sock->sk->sk_family;
- switch (family) {
- case PF_UNIX:
+ if (family == PF_UNIX) {
ssp = sock->sk->sk_security;
s = ssp->smk_out->smk_secid;
- break;
- case PF_INET:
-#ifdef CONFIG_SECURITY_SMACK_NETFILTER
- s = skb->secmark;
- if (s != 0)
- break;
-#endif
+ } else if (family == PF_INET || family == PF_INET6) {
/*
* Translate what netlabel gave us.
*/
@@ -3852,14 +3789,6 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
s = skp->smk_secid;
}
netlbl_secattr_destroy(&secattr);
- break;
-#if IS_ENABLED(CONFIG_IPV6)
- case PF_INET6:
-#ifdef CONFIG_SECURITY_SMACK_NETFILTER
- s = skb->secmark;
-#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
- break;
-#endif /* CONFIG_IPV6 */
}
*secid = s;
if (s == 0)
@@ -3915,7 +3844,6 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
struct lsm_network_audit net;
#endif
-#if IS_ENABLED(CONFIG_IPV6)
if (family == PF_INET6) {
/*
* Handle mapped IPv4 packets arriving
@@ -3927,7 +3855,6 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
else
return 0;
}
-#endif /* CONFIG_IPV6 */
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr);
@@ -4374,9 +4301,7 @@ struct security_operations smack_ops = {
.unix_may_send = smack_unix_may_send,
.socket_post_create = smack_socket_post_create,
-#ifndef CONFIG_SECURITY_SMACK_NETFILTER
.socket_bind = smack_socket_bind,
-#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
.socket_connect = smack_socket_connect,
.socket_sendmsg = smack_socket_sendmsg,
.socket_sock_rcv_skb = smack_socket_sock_rcv_skb,
@@ -4461,8 +4386,6 @@ static __init int smack_init(void)
if (!security_module_enable(&smack_ops))
return 0;
- smack_enabled = 1;
-
smack_rule_cache = KMEM_CACHE(smack_rule, 0);
if (!smack_rule_cache)
return -ENOMEM;
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
deleted file mode 100755
index 29d041152385..000000000000
--- a/security/smack/smack_netfilter.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Simplified MAC Kernel (smack) security module
- *
- * This file contains the Smack netfilter implementation
- *
- * Author:
- * Casey Schaufler
- *
- * Copyright (C) 2014 Casey Schaufler
- * Copyright (C) 2014 Intel Corporation.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2,
- * as published by the Free Software Foundation.
- */
-
-#include
-#include
-#include
-#include "smack.h"
-
-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-
-static unsigned int smack_ipv6_output(unsigned int hooknum,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- struct socket_smack *ssp;
- struct smack_known *skp;
-
- if (skb && skb->sk && skb->sk->sk_security) {
- ssp = skb->sk->sk_security;
- skp = ssp->smk_out;
- skb->secmark = skp->smk_secid;
- }
-
- return NF_ACCEPT;
-}
-#endif /* IPV6 */
-
-static unsigned int smack_ipv4_output(unsigned int hooknum,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- struct socket_smack *ssp;
- struct smack_known *skp;
-
- if (skb && skb->sk && skb->sk->sk_security) {
- ssp = skb->sk->sk_security;
- skp = ssp->smk_out;
- skb->secmark = skp->smk_secid;
- }
-
- return NF_ACCEPT;
-}
-
-static struct nf_hook_ops smack_nf_ops[] = {
- {
- .hook = smack_ipv4_output,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP_PRI_SELINUX_FIRST,
- },
-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
- {
- .hook = smack_ipv6_output,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP6_PRI_SELINUX_FIRST,
- },
-#endif /* IPV6 */
-};
-
-static int __init smack_nf_ip_init(void)
-{
- int err;
-
- if (smack_enabled == 0)
- return 0;
-
- printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
-
- err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
- if (err)
- pr_info("Smack: nf_register_hooks: error %d\n", err);
-
- return 0;
-}
-
-__initcall(smack_nf_ip_init);
-- 
2.34.1