Changeset 2701

Timestamp:

05/26/08 13:38:06 (6 months ago)

Author:

pebenito

Message:

trunk: Patch for labeled networking controls in 2.6.25 from Paul Moore.

Files:

• trunk/Changelog (modified) (1 diff)
• trunk/policy/modules/kernel/corenetwork.if.in (modified) (43 diffs)
• trunk/policy/modules/kernel/corenetwork.if.m4 (modified) (10 diffs)
• trunk/policy/modules/kernel/corenetwork.te.in (modified) (1 diff)
• trunk/policy/modules/kernel/kernel.if (modified) (1 diff)
• trunk/policy/modules/kernel/kernel.te (modified) (2 diffs)

trunk/Changelog

@@ +1 @@
+- Patch for labeled networking controls in 2.6.25 from Paul Moore.
-- Module loading now requires setsched on kernel threads.
-- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.

trunk/policy/modules/kernel/corenetwork.if.in

@@ -155 +155 @@
-        ')
-
-
+egress ingress 
-')
-
@@ -173 +173 @@
-        ')
-
-udp_send
+{ udp_send egress }
-')
-
@@ -192 +192 @@
-        ')
-
-udp_send
+{ udp_send egress }
-')
-
@@ -210 +210 @@
-        ')
-
-udp_recv
+{ udp_recv ingress }
-')
-
@@ -229 +229 @@
-        ')
-
-udp_recv
+{ udp_recv ingress }
-')
-
@@ -278 +278 @@
-        ')
-
-rawip_send
+{ rawip_send egress }
-')
-
@@ -296 +296 @@
-        ')
-
-rawip_recv
+{ rawip_recv ingress }
-')
-
@@ -329 +329 @@
-        ')
-
-
+egress ingress 
-')
-
@@ -347 +347 @@
-        ')
-
-udp_send
+{ udp_send egress }
-')
-
@@ -365 +365 @@
-        ')
-
-udp_recv
+{ udp_recv ingress }
-')
-
@@ -398 +398 @@
-        ')
-
-rawip_send
+{ rawip_send egress }
-')
-
@@ -416 +416 @@
-        ')
-
-rawip_recv
+{ rawip_recv ingress }
-')
-
@@ -449 +449 @@
-        ')
-
-
+sendto recvfrom 
-')
-
@@ -467 +467 @@
-        ')
-
-udp_send
+{ udp_send sendto }
-')
-
@@ -485 +485 @@
-        ')
-
-udp_recv
+{ udp_recv recvfrom }
-')
-
@@ -518 +518 @@
-        ')
-
-rawip_send
+{ rawip_send sendto }
-')
-
@@ -536 +536 @@
-        ')
-
-rawip_recv
+{ rawip_recv recvfrom }
-')
-
@@ -605 +605 @@
-        ')
-
-
+sendto recvfrom 
-')
-
@@ -623 +623 @@
-        ')
-
-udp_send
+{ udp_send sendto }
-')
-
@@ -642 +642 @@
-        ')
-
-udp_send
+{ udp_send sendto }
-')
-
@@ -660 +660 @@
-        ')
-
-udp_recv
+{ udp_recv recvfrom }
-')
-
@@ -679 +679 @@
-        ')
-
-udp_recv
+{ udp_recv recvfrom }
-')
-
@@ -728 +728 @@
-        ')
-
-rawip_send
+{ rawip_send sendto }
-')
-
@@ -746 +746 @@
-        ')
-
-rawip_recv
+{ rawip_recv recvfrom }
-')
-
@@ -1738 +1738 @@
-        ')
-
+        allow $1 netlabel_peer_t:peer recv;
-        allow $1 netlabel_peer_t:tcp_socket recvfrom;
-')
@@ -1753 +1754 @@
-interface(`corenet_tcp_recvfrom_unlabeled',`
-        kernel_tcp_recvfrom_unlabeled($1)
+        kernel_recvfrom_unlabeled_peer($1)
-
-        # XXX - at some point the oubound/send access check will be removed
@@ -1792 +1794 @@
-        ')
-
+        dontaudit $1 netlabel_peer_t:peer recv;
-        dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
-')
@@ -1808 +1811 @@
-interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
-        kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+        kernel_dontaudit_recvfrom_unlabeled_peer($1)
-
-        # XXX - at some point the oubound/send access check will be removed
@@ -1845 +1849 @@
-        ')
-
+        allow $1 netlabel_peer_t:peer recv;
-        allow $1 netlabel_peer_t:udp_socket recvfrom;
-')
@@ -1860 +1865 @@
-interface(`corenet_udp_recvfrom_unlabeled',`
-        kernel_udp_recvfrom_unlabeled($1)
+        kernel_recvfrom_unlabeled_peer($1)
-
-        # XXX - at some point the oubound/send access check will be removed
@@ -1899 +1905 @@
-        ')
-
+        dontaudit $1 netlabel_peer_t:peer recv;
-        dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
-')
@@ -1915 +1922 @@
-interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
-        kernel_dontaudit_udp_recvfrom_unlabeled($1)
+        kernel_dontaudit_recvfrom_unlabeled_peer($1)
-
-        # XXX - at some point the oubound/send access check will be removed
@@ -1952 +1960 @@
-        ')
-
+        allow $1 netlabel_peer_t:peer recv;
-        allow $1 netlabel_peer_t:rawip_socket recvfrom;
-')
@@ -1967 +1976 @@
-interface(`corenet_raw_recvfrom_unlabeled',`
-        kernel_raw_recvfrom_unlabeled($1)
+        kernel_recvfrom_unlabeled_peer($1)
-
-        # XXX - at some point the oubound/send access check will be removed
@@ -2006 +2016 @@
-        ')
-
+        dontaudit $1 netlabel_peer_t:peer recv;
-        dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
-')
@@ -2022 +2033 @@
-interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
-        kernel_dontaudit_raw_recvfrom_unlabeled($1)
+        kernel_dontaudit_recvfrom_unlabeled_peer($1)
-
-        # XXX - at some point the oubound/send access check will be removed
@@ -2043 +2055 @@
-        kernel_udp_recvfrom_unlabeled($1)
-        kernel_raw_recvfrom_unlabeled($1)
+        kernel_recvfrom_unlabeled_peer($1)
-
-        # XXX - at some point the oubound/send access check will be removed
@@ -2065 +2078 @@
-        ')
-
+        allow $1 netlabel_peer_t:peer recv;
-        allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
-')
@@ -2082 +2096 @@
-        kernel_dontaudit_udp_recvfrom_unlabeled($1)
-        kernel_dontaudit_raw_recvfrom_unlabeled($1)
+        kernel_dontaudit_recvfrom_unlabeled_peer($1)
-
-        # XXX - at some point the oubound/send access check will be removed
@@ -2105 +2120 @@
-        ')
-
+        dontaudit $1 netlabel_peer_t:peer recv;
-        dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
-')
@@ -2136 +2152 @@
-        allow $2 $1:{ association tcp_socket } recvfrom;
-
-
-
+
+
+
+
-        corenet_tcp_recvfrom_netlabel($1)
-        corenet_tcp_recvfrom_netlabel($2)
@@ -2161 +2179 @@
-        allow $1 $2:{ association udp_socket } recvfrom;
-
-
-
+
+
+
-        corenet_udp_recvfrom_netlabel($1)
-')
@@ -2185 +2204 @@
-        allow $1 $2:{ association rawip_socket } recvfrom;
-
-
-
+
+
+
-        corenet_raw_recvfrom_netlabel($1)
-')

trunk/policy/modules/kernel/corenetwork.if.m4

@@ -29 +29 @@
-        ')
-
-
+egress ingress 
-')
-
@@ -48 +48 @@
-        ')
-
-udp_send
+{ udp_send egress }
-')
-
@@ -67 +67 @@
-        ')
-
-udp_recv
+{ udp_recv ingress }
-')
-
@@ -102 +102 @@
-        ')
-
-rawip_send
+{ rawip_send egress }
-')
-
@@ -121 +121 @@
-        ')
-
-rawip_recv
+{ rawip_recv ingress }
-')
-
@@ -164 +164 @@
-        ')
-
-
+sendto recvfrom 
-')
-
@@ -183 +183 @@
-        ')
-
-udp_send
+{ udp_send sendto }
-')
-
@@ -202 +202 @@
-        ')
-
-udp_recv
+{ udp_recv recvfrom }
-')
-
@@ -237 +237 @@
-        ')
-
-rawip_send
+{ rawip_send sendto }
-')
-
@@ -256 +256 @@
-        ')
-
-rawip_recv
+{ rawip_recv recvfrom }
-')
-

trunk/policy/modules/kernel/corenetwork.te.in

@@ -1 +1 @@
-
-5
+6
-
-########################################

trunk/policy/modules/kernel/kernel.if

@@ -2498 +2498 @@
-########################################
-## <summary>
+##      Receive packets from an unlabeled peer.
+## </summary>
+## <desc>
+##      <p>
+##      Receive packets from an unlabeled peer, these packets do not have any
+##      peer labeling information present.
+##      </p>
+##      <p>
+##      The corenetwork interface corenet_recvfrom_unlabeled_peer() should
+##      be used instead of this one.
+##      </p>
+## </desc>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_recvfrom_unlabeled_peer',`
+        gen_require(`
+                type unlabeled_t;
+        ')
+
+        allow $1 unlabeled_t:peer recv;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive packets from an unlabeled peer.
+## </summary>
+## <desc>
+##      <p>
+##      Do not audit attempts to receive packets from an unlabeled peer,
+##      these packets do not have any peer labeling information present.
+##      </p>
+##      <p>
+##      The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled()
+##      should be used instead of this one.
+##      </p>
+## </desc>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`kernel_dontaudit_recvfrom_unlabeled_peer',`
+        gen_require(`
+                type unlabeled_t;
+        ')
+
+        dontaudit $1 unlabeled_t:peer recv;
+')
+
+########################################
+## <summary>
-##      Unconfined access to kernel module resources.
-## </summary>

trunk/policy/modules/kernel/kernel.te

@@ -1 +1 @@
-
-2
+3
-
-########################################
@@ -213 +213 @@
-allow kernel_t unlabeled_t:packet send;
-
+# Forwarded network traffic
+allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+
-corenet_all_recvfrom_unlabeled(kernel_t)
-corenet_all_recvfrom_netlabel(kernel_t)