linux/net/ipv4
Catherine Zhang 2c7946a7bf [SECURITY]: TCP/UDP getpeersec
This patch implements an application of the LSM-IPSec networking
controls whereby an application can determine the label of the
security association its TCP or UDP sockets are currently connected to
via getsockopt and the auxiliary data mechanism of recvmsg.

Patch purpose:

This patch enables a security-aware application to retrieve the
security context of an IPSec security association a particular TCP or
UDP socket is using.  The application can then use this security
context to determine the security context for processing on behalf of
the peer at the other end of this connection.  In the case of UDP, the
security context is for each individual packet.  An example
application is the inetd daemon, which could be modified to start
daemons running at security contexts dependent on the remote client.

Patch design approach:

- Design for TCP
The patch enables the SELinux LSM to set the peer security context for
a socket based on the security context of the IPSec security
association.  The application may retrieve this context using
getsockopt.  When called, the kernel determines if the socket is a
connected (TCP_ESTABLISHED) TCP socket and, if so, uses the dst_entry
cache on the socket to retrieve the security associations.  If a
security association has a security context, the context string is
returned, as for UNIX domain sockets.

- Design for UDP
Unlike TCP, UDP is connectionless.  This requires a somewhat different
API to retrieve the peer security context.  With TCP, the peer
security context stays the same throughout the connection, thus it can
be retrieved at any time between when the connection is established
and when it is torn down.  With UDP, each read/write can have a
different peer and thus the security context might change every time.
As a result the security context retrieval must be done TOGETHER with
the packet retrieval.

The solution is to build upon the existing Unix domain socket API for
retrieving user credentials.  Linux offers the API for obtaining user
credentials via ancillary messages (i.e., out of band/control messages
that are bundled together with a normal message).

Patch implementation details:

- Implementation for TCP
The security context can be retrieved by applications using getsockopt
with the existing SO_PEERSEC flag.  As an example (ignoring error
checking):

char optbuf[256] = "";               /* left unmodified if no label exists */
socklen_t optlen = sizeof(optbuf);
getsockopt(sockfd, SOL_SOCKET, SO_PEERSEC, optbuf, &optlen);
printf("Socket peer context is: %s\n", optbuf);

The SELinux function, selinux_socket_getpeersec, is extended to check
for labeled security associations for connected (TCP_ESTABLISHED ==
sk->sk_state) TCP sockets only.  If so, the socket has a dst_cache of
struct dst_entry values that may refer to security associations.  If
these have security associations with security contexts, the security
context is returned.

getsockopt returns a buffer that contains a security context string or
the buffer is unmodified.

- Implementation for UDP
To retrieve the security context, the application first indicates to
the kernel such desire by setting the IP_PASSSEC option via
getsockopt.  Then the application retrieves the security context using
the auxiliary data mechanism.

An example server application for UDP should look like this:

int toggle = 1;
char scontext[256];
char buf[1500];
char cbuf[CMSG_SPACE(sizeof(scontext))];
struct iovec iov = { buf, sizeof(buf) };
struct msghdr msg_hdr = { 0 };
struct cmsghdr *cmsg_hdr;

msg_hdr.msg_iov = &iov;                 /* datagram payload */
msg_hdr.msg_iovlen = 1;
msg_hdr.msg_control = cbuf;             /* room for the SCM_SECURITY message */
msg_hdr.msg_controllen = sizeof(cbuf);

/* setsockopt() takes the option length by value, not by pointer */
setsockopt(sockfd, SOL_IP, IP_PASSSEC, &toggle, sizeof(toggle));
recvmsg(sockfd, &msg_hdr, 0);
if (msg_hdr.msg_controllen > sizeof(struct cmsghdr)) {
    cmsg_hdr = CMSG_FIRSTHDR(&msg_hdr);
    if (cmsg_hdr->cmsg_len <= CMSG_LEN(sizeof(scontext)) &&
        cmsg_hdr->cmsg_level == SOL_IP &&
        cmsg_hdr->cmsg_type == SCM_SECURITY) {
        /* copy only the bytes the kernel supplied, not sizeof(scontext) */
        memcpy(&scontext, CMSG_DATA(cmsg_hdr),
               cmsg_hdr->cmsg_len - CMSG_LEN(0));
    }
}

ip_setsockopt is enhanced with a new socket option IP_PASSSEC to allow
a server socket to receive security context of the peer.  A new
ancillary message type, SCM_SECURITY, is added.

When the packet is received we get the security context from the
sec_path pointer which is contained in the sk_buff, and copy it to the
ancillary message space.  An additional LSM hook,
selinux_socket_getpeersec_udp, is defined to retrieve the security
context from the SELinux space.  The existing function,
selinux_socket_getpeersec, does not suit our purpose, because the
security context is copied directly to user space, rather than to
kernel space.

Testing:

We have tested the patch by setting up TCP and UDP connections between
applications on two machines using the IPSec policies that result in
labeled security associations being built.  For TCP, we can then
extract the peer security context using getsockopt on either end.  For
UDP, the receiving end can retrieve the security context using the
auxiliary data mechanism of recvmsg.

Signed-off-by: Catherine Zhang <cxzhang@watson.ibm.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-20 22:41:23 -08:00
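The receiving side of the IP_PASSSEC/recvmsg mechanism described in the commit message, as an added example that is not part of this patch or of the kernel tree: a parser that walks every control message (not only the first) for the SOL_IP/SCM_SECURITY label, bounds the copy, always NUL-terminates, and rejects control data the kernel truncated. The build_security_msg helper and the SELinux label string are constructed here for offline use; SCM_SECURITY is defined to the kernel's value 0x03 only if the libc headers do not already provide it.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifndef SCM_SECURITY
#define SCM_SECURITY 0x03       /* the kernel's value; some libc headers lack it */
#endif

/* After recvmsg() on an IP_PASSSEC socket: walk every control message (not
 * just the first), copy the SOL_IP/SCM_SECURITY label into out and always
 * NUL-terminate it (the kernel's copy may or may not end in NUL).  Returns the
 * label length, or -1 with out == "" if no label arrived or MSG_CTRUNC is set. */
int peersec_from_msghdr(struct msghdr *msg, char *out, size_t outlen)
{
    struct cmsghdr *c;
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (msg->msg_flags & MSG_CTRUNC) return -1;  /* label may be cut off */
    for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_len < CMSG_LEN(0))
            break;                              /* malformed header */
        if (c->cmsg_level != SOL_IP || c->cmsg_type != SCM_SECURITY)
            continue;
        const char *data = (const char *)CMSG_DATA(c);
        size_t datalen = c->cmsg_len - CMSG_LEN(0);
        const char *nul = memchr(data, '\0', datalen);
        size_t n = nul ? (size_t)(nul - data) : datalen;
        if (n > outlen - 1)
            n = outlen - 1;                     /* truncate, never overflow */
        memcpy(out, data, n);
        out[n] = '\0';
        return (int)n;
    }
    return -1;
}

/* Constructed input for offline use: one SCM_SECURITY message carrying label
 * plus its NUL, as SELinux delivers it.  ctrl must hold CMSG_SPACE(len). */
void build_security_msg(struct msghdr *msg, char *ctrl, const char *label)
{
    size_t len = strlen(label) + 1;
    memset(msg, 0, sizeof(*msg));
    msg->msg_control = ctrl;
    msg->msg_controllen = CMSG_SPACE(len);
    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = SOL_IP;
    c->cmsg_type = SCM_SECURITY;
    c->cmsg_len = CMSG_LEN(len);
    memcpy(CMSG_DATA(c), label, len);
}
```

In a real server the msghdr comes straight from recvmsg() after IP_PASSSEC has been enabled with setsockopt(); the same parser applies unchanged.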
ipvs [NET]: sem2mutex part 2 2006-03-20 22:35:41 -08:00
netfilter [NETFILTER]: Fix warnings in ip_nat_snmp_basic.c 2006-03-20 22:36:21 -08:00
Kconfig [TCP] BIC: CUBIC window growth (2.0) 2006-01-03 13:10:28 -08:00
Makefile [NETFILTER]: net/ipv[46]/netfilter.c cleanups 2006-01-10 12:54:29 -08:00
af_inet.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
ah4.c [IPSEC]: Sync series - fast path 2006-03-20 19:15:29 -08:00
arp.c [IPV4] ARP: Alloc acceptance of unsolicited ARP via netdevice sysctl. 2006-03-20 22:39:47 -08:00
datagram.c [NET]: Fix sparse warnings 2005-08-29 16:01:32 -07:00
devinet.c [IPV4] ARP: Alloc acceptance of unsolicited ARP via netdevice sysctl. 2006-03-20 22:39:47 -08:00
esp4.c [IPSEC]: Sync series - fast path 2006-03-20 19:15:29 -08:00
fib_frontend.c x86: Work around compiler code generation bug with -Os 2006-01-14 22:08:28 -08:00
fib_hash.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
fib_lookup.h [IPV4]: Prepare FIB core for RCU. 2005-08-29 16:08:31 -07:00
fib_rules.c [IPV4] fib_rules.c: make struct fib_rules static again 2006-03-20 17:46:56 -08:00
fib_semantics.c [NETLINK]: illegal use of pid in rtnetlink 2006-02-09 16:43:41 -08:00
fib_trie.c [IPV4]: fib_trie stats fix 2006-03-20 21:35:01 -08:00
icmp.c [IPV4] ICMP: Invert default for invalid icmp msgs sysctl 2006-02-13 15:36:21 -08:00
igmp.c [NET]: dev_put/dev_hold cleanup 2006-03-20 22:32:28 -08:00
inet_connection_sock.c [ICSK]: Introduce inet_csk_ctl_sock_create 2006-03-20 22:01:03 -08:00
inet_diag.c [INET_DIAG]: Introduce sk_diag_fill 2006-01-09 14:56:56 -08:00
inet_hashtables.c [INET]: Generalise tcp_v4_hash_connect 2006-01-03 13:10:55 -08:00
inet_timewait_sock.c [TWSK]: Introduce struct timewait_sock_ops 2006-01-03 13:10:54 -08:00
inetpeer.c [NET]: Change some "if (x) BUG();" to "BUG_ON(x);" 2006-01-09 14:16:18 -08:00
ip_forward.c [IPV4]: Remove some dead code from ip_forward() 2005-08-29 16:03:06 -07:00
ip_fragment.c [NET]: Endian-annotate struct iphdr 2006-01-06 13:24:29 -08:00
ip_gre.c [XFRM]: Fix SNAT-related crash in xfrm4_output_finish 2006-02-15 15:10:22 -08:00
ip_input.c [NETFILTER]: Keep conntrack reference until IPsec policy checks are done 2006-01-07 12:57:36 -08:00
ip_options.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
ip_output.c [IPV4/6]: Fix UFO error propagation 2006-03-12 20:39:40 -08:00
ip_sockglue.c [SECURITY]: TCP/UDP getpeersec 2006-03-20 22:41:23 -08:00
ipcomp.c [NET] sem2mutex: net/ 2006-03-20 22:33:17 -08:00
ipconfig.c [NET]: Convert RTNL to mutex. 2006-03-20 22:23:58 -08:00
ipip.c [XFRM]: Fix SNAT-related crash in xfrm4_output_finish 2006-02-15 15:10:22 -08:00
ipmr.c [NET]: dev_put/dev_hold cleanup 2006-03-20 22:32:28 -08:00
multipath.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
multipath_drr.c [IPV4]: possible cleanups 2005-08-29 15:33:20 -07:00
multipath_random.c [IPV4]: Multipath modules need a license to prevent kernel tainting. 2005-06-13 14:29:06 -07:00
multipath_rr.c [IPV4]: Multipath modules need a license to prevent kernel tainting. 2005-06-13 14:29:06 -07:00
multipath_wrandom.c [IPV4] multipath_wrandom: Fix softirq-unsafe spin lock usage 2006-02-02 16:59:16 -08:00
netfilter.c [NETFILTER]: Fix xfrm lookup after SNAT 2006-02-15 01:34:23 -08:00
proc.c [PATCH] percpu data: only iterate over possible CPUs 2006-02-05 11:06:51 -08:00
protocol.c [TCP]: Move the tcp sock states to net/tcp_states.h 2005-08-29 15:41:54 -07:00
raw.c [PATCH] EDAC: atomic scrub operations 2006-01-18 19:20:30 -08:00
route.c [IPV4]: Fix garbage collection of multipath route entries 2006-02-23 16:10:52 -08:00
syncookies.c [ICSK]: Rename struct tcp_func to struct inet_connection_sock_af_ops 2006-01-03 13:10:38 -08:00
sysctl_net_ipv4.c [TCP]: sysctl to allow TCP window > 32767 sans wscale 2006-03-20 22:40:29 -08:00
tcp.c [IP_SOCKGLUE]: Remove most of the tcp specific calls 2006-01-03 13:10:58 -08:00
tcp_bic.c [TCP] BIC: spelling and whitespace 2006-01-03 13:10:27 -08:00
tcp_cong.c [TCP]: less inline's 2006-01-03 16:03:49 -08:00
tcp_cubic.c [TCP] cubic: use Newton-Raphson 2006-01-03 13:11:09 -08:00
tcp_diag.c [INET_DIAG]: Move the tcp_diag interface to the proper place 2005-08-29 15:57:54 -07:00
tcp_highspeed.c [TCP]: tcp_highspeed: fix AIMD table out-of-bounds access 2006-03-12 20:39:39 -08:00
tcp_htcp.c [TCP] H-TCP: Better time accounting 2006-03-20 22:23:10 -08:00
tcp_hybla.c [TCP]: fix congestion window update when using TSO deferal 2005-11-10 16:53:30 -08:00
tcp_input.c [TCP] mtu probing: move tcp-specific data out of inet_connection_sock 2006-03-20 21:32:58 -08:00
tcp_ipv4.c [ICSK]: Introduce inet_csk_ctl_sock_create 2006-03-20 22:01:03 -08:00
tcp_minisocks.c [IPV6]: Introduce inet6_timewait_sock 2006-01-03 13:10:47 -08:00
tcp_output.c [TCP]: sysctl to allow TCP window > 32767 sans wscale 2006-03-20 22:40:29 -08:00
tcp_scalable.c [TCP]: add tcp_slow_start helper 2005-11-10 17:07:24 -08:00
tcp_timer.c [TCP]: MTU probing 2006-03-20 17:53:41 -08:00
tcp_vegas.c [TCP] tcp_vegas: Fix slow start 2006-01-04 13:59:32 -08:00
tcp_westwood.c [INET_DIAG]: Rename tcp_diag.[ch] to inet_diag.[ch] 2005-08-29 15:57:48 -07:00
udp.c [NETFILTER]: Keep conntrack reference until IPsec policy checks are done 2006-01-07 12:57:36 -08:00
xfrm4_input.c [IPV4/6]: Netfilter IPsec input hooks 2006-01-07 12:57:31 -08:00
xfrm4_output.c [XFRM]: Fix SNAT-related crash in xfrm4_output_finish 2006-02-15 15:10:22 -08:00
xfrm4_policy.c [IPSEC]: Use TOS when doing tunnel lookups 2006-02-23 16:19:26 -08:00
xfrm4_state.c [XFRM]: IPsec tunnel wildcard address support 2006-01-13 14:34:36 -08:00
xfrm4_tunnel.c [NET] sem2mutex: net/ 2006-03-20 22:33:17 -08:00