From patchwork Mon Aug 22 21:04:35 2016
X-Patchwork-Submitter: Guido Trentalancia
X-Patchwork-Id: 9294391
Message-ID: <1471899875.19333.3.camel@trentalancia.net>
Subject: [PATCH v4] Classify AF_ALG sockets
From: Guido Trentalancia
To: Paul Moore
Cc: selinux@tycho.nsa.gov
Date: Mon, 22 Aug 2016 23:04:35 +0200
In-Reply-To: <1471870947.2354.1.camel@trentalancia.net>
References: <1471709886.22998.1.camel@trentalancia.net> <89E5C3EA-9794-4496-A195-1C997A5BBF44@trentalancia.net> <43BE5B4F-9AE4-4EDB-825A-F1C15042B385@trentalancia.net> <1471799849.2544.2.camel@trentalancia.net> <1471870947.2354.1.camel@trentalancia.net>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

Modify the SELinux kernel code so that it is able to classify sockets with the new AF_ALG namespace (used for the user-space interface to the kernel Crypto API).

A companion patch has been created for the Reference Policy and it will be posted to its mailing list, once this patch is merged.

Signed-off-by: Guido Trentalancia
---
 security/selinux/hooks.c | 5 +++++
 security/selinux/include/classmap.h | 2 ++
 security/selinux/include/security.h | 2 ++
 security/selinux/ss/services.c | 3 +++
 4 files changed, 12 insertions(+)

diff -pru linux-4.7.2-orig/security/selinux/hooks.c linux-4.7.2/security/selinux/hooks.c --- linux-4.7.2-orig/security/selinux/hooks.c 2016-08-22 22:31:27.737767819 +0200 +++ linux-4.7.2/security/selinux/hooks.c 2016-08-22 22:40:29.102526024 +0200
@@ -1315,6 +1315,11 @@ static inline u16 socket_type_to_securit return SECCLASS_KEY_SOCKET; case PF_APPLETALK: return SECCLASS_APPLETALK_SOCKET; + case PF_ALG: + if (selinux_policycap_algsocket) + return SECCLASS_ALG_SOCKET; + else + return SECCLASS_SOCKET; } return SECCLASS_SOCKET; diff -pru linux-4.7.2-orig/security/selinux/include/classmap.h linux-4.7.2/security/selinux/include/classmap.h --- linux-4.7.2-orig/security/selinux/include/classmap.h 2016-08-22 22:31:27.754768030 +0200 +++ linux-4.7.2/security/selinux/include/classmap.h 2016-08-22 22:32:14.795355585 +0200 @@ -144,6 +144,8 @@ struct security_class_mapping secclass_m { COMMON_SOCK_PERMS, NULL } }, { "appletalk_socket", { COMMON_SOCK_PERMS, NULL } }, + { "alg_socket", + { COMMON_SOCK_PERMS, NULL } }, { "packet", { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } }, { "key", diff -pru linux-4.7.2-orig/security/selinux/include/security.h linux-4.7.2/security/selinux/include/security.h --- linux-4.7.2-orig/security/selinux/include/security.h 2016-03-14 05:28:54.000000000 +0100 +++ linux-4.7.2/security/selinux/include/security.h 2016-08-22 22:53:57.911660238 +0200 @@ -75,6 +75,7 @@ enum { POLICYDB_CAPABILITY_OPENPERM, POLICYDB_CAPABILITY_REDHAT1, POLICYDB_CAPABILITY_ALWAYSNETWORK, + POLICYDB_CAPABILITY_ALGSOCKET, __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) @@ -82,6 +83,7 @@ enum { extern int selinux_policycap_netpeer; extern int selinux_policycap_openperm; extern int selinux_policycap_alwaysnetwork; +extern int selinux_policycap_algsocket; /* * type_datum properties diff -pru linux-4.7.2-orig/security/selinux/ss/services.c linux-4.7.2/security/selinux/ss/services.c --- linux-4.7.2-orig/security/selinux/ss/services.c 2016-08-05 21:27:22.275588616 +0200 +++ linux-4.7.2/security/selinux/ss/services.c 2016-08-22 22:56:58.616187510 +0200 
@@ -73,6 +73,7 @@ int selinux_policycap_netpeer; int selinux_policycap_openperm; int selinux_policycap_alwaysnetwork; +int selinux_policycap_algsocket; static DEFINE_RWLOCK(policy_rwlock); @@ -2016,6 +2017,8 @@ static void security_load_policycaps(voi POLICYDB_CAPABILITY_OPENPERM); selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps, POLICYDB_CAPABILITY_ALWAYSNETWORK); + selinux_policycap_algsocket = ebitmap_get_bit(&policydb.policycaps, + POLICYDB_CAPABILITY_ALGSOCKET); } static int security_preserve_bools(struct policydb *p);
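Review bot: in the hooks.c hunk, the `else return SECCLASS_SOCKET;` branch of the new `case PF_ALG:` is redundant, because the `return SECCLASS_SOCKET;` that follows the switch already handles that path; `if (selinux_policycap_algsocket) return SECCLASS_ALG_SOCKET; break;` keeps the single-return shape of the surrounding cases. Gating on the policy capability is the right design: a policy that does not declare the capability keeps seeing AF_ALG sockets as plain `socket`, so loading this kernel under an existing policy cannot introduce new denials. Worth a sentence in the commit message: the class is picked when the socket is created, so sockets opened before a capability-enabled policy is loaded stay in the `socket` class.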
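Review bot: the classmap.h hunk is a verbatim copy of the `appletalk_socket` entry above it, so `alg_socket` carries only COMMON_SOCK_PERMS and no AF_ALG-specific permissions; the commit message should say so explicitly, since that is the whole access-control surface the new class offers. This entry is also what generates the `SECCLASS_ALG_SOCKET` symbol used in the hooks.c hunk, and the string `alg_socket` must match the class name in the companion Reference Policy patch character for character, because the kernel maps its classmap onto policy classes by name at policy load.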
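Review bot: in the first security.h hunk, adding `POLICYDB_CAPABILITY_ALGSOCKET` immediately before `__POLICYDB_CAPABILITY_MAX` is the correct placement, as the enum values are bit positions in the policy's capability bitmap and existing entries must never be renumbered. The same enum, however, also indexes the capability name table that backs /sys/fs/selinux/policy_capabilities in selinuxfs.c, which is absent from the diffstat; without a matching name string there the new capability is exposed under the fallback "unknown" name. The chosen name also has to be known to the userspace policy compiler (libsepol's policy capability list) before the Reference Policy companion patch can declare it, so the kernel and userspace names should be agreed before this is merged.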