[PATCH][RFC] fix for ip_fragment() hook

From: James Morris (jmorrisat_private)
Date: Sun Oct 13 2002 - 21:03:27 PDT


    Below is a patch against current lsm-2.5 which attempts to provide a 
    solution to the ip_fragment() hook issue.
    
    As fragments can be generated in the context of an initial skb or parent 
    sock, the hook has been modified to take a void pointer for the source 
    object and a type parameter indicating the type of source object.
    
    Does this look ok for SELinux (or anyone else using the hook)?
    
    - James
    -- 
    James Morris
    <jmorrisat_private>
    
    diff -X dontdiff -urN lsm-2.5.orig/include/linux/security.h lsm-2.5-frag/include/linux/security.h
    --- lsm-2.5.orig/include/linux/security.h	Mon Oct 14 12:47:12 2002
    +++ lsm-2.5-frag/include/linux/security.h	Mon Oct 14 13:49:09 2002
    @@ -50,6 +50,10 @@
     /* setfsuid or setfsgid, id0 == fsuid or fsgid */
     #define LSM_SETID_FS	8
     
    +/* Identifiers for the source object for ip_fragment(). */
    +#define LSM_SRC_SOCK	1
    +#define LSM_SRC_SKB	2
    +
     /* forward declares to avoid warnings */
     struct sk_buff;
     struct net_device;
    @@ -749,9 +753,12 @@
      * @ip_fragment:
      *	This is called for each fragment generated when an outgoing packet is
      *	being fragmented, and may be used to copy security attributes from the
    - *	original packet to each fragment.
    + *	original packet or parent sock to each fragment.
      *	@newskb contains the newly created fragment.
    - *	@oldskb contains the original packet being fragmented.
    + *	@src is the source object (&sk_buff or &sock).
    + *	@type indicates the source object type, either LSM_SRC_SOCK or
    + *      LSM_SRC_SKB.
    + *
      * @ip_defragment:
      *	This hook is called when an incoming fragment is about to be inserted
      *	into a reassembly queue.  It's purpose is to enable the validation of
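Review bot: The new `@src` documentation does not say that the object is read-only or which object goes with which `@type` value, although the hook itself declares `src` as `const void *` and the two call sites in ip_output.c pass `sk` with LSM_SRC_SOCK and `skb` with LSM_SRC_SKB. Tying the pointer type to the discriminator in the comment is what an implementer needs before casting, e.g. ` *	@src is the read-only source object: a &struct sk_buff when @type is LSM_SRC_SKB, or a &struct sock when @type is LSM_SRC_SOCK.` The continuation line ` *      LSM_SRC_SKB.` is also indented with spaces where the rest of the comment uses a tab.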
    @@ -1327,7 +1334,7 @@
     	void (*skb_free_security) (struct sk_buff * skb);
     
     	void (*ip_fragment) (struct sk_buff * newskb,
    -			     const struct sk_buff * oldskb);
    +	                     const void * src, int type);
     	int (*ip_defragment) (struct sk_buff * skb);
     	void (*ip_encapsulate) (struct sk_buff * skb);
     	void (*ip_decapsulate) (struct sk_buff * skb);
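Review bot: The continuation line `+	                     const void * src, int type);` aligns with a tab followed by spaces, whereas the line it replaces and the neighbouring members use tabs only; the same mixed indentation appears in the new signatures in capability.c, dummy.c, lids_lsm.c, owlsm.c and selinux/hooks.c. Keeping the kernel's tab-only continuation indent here avoids churn when these prototypes are touched again. Since `src` is now untyped, the header comment is the only place the `type`-to-pointer mapping is stated, so it is worth keeping the two in step.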
    diff -X dontdiff -urN lsm-2.5.orig/net/ipv4/ip_output.c lsm-2.5-frag/net/ipv4/ip_output.c
    --- lsm-2.5.orig/net/ipv4/ip_output.c	Thu Oct 10 11:04:25 2002
    +++ lsm-2.5-frag/net/ipv4/ip_output.c	Mon Oct 14 13:30:39 2002
    @@ -623,6 +623,8 @@
     
     		nfrags++;
     
    +		security_ops->ip_fragment(skb, sk, LSM_SRC_SOCK);
    +		
     		err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, 
     			      skb->dst->dev, output_maybe_reroute);
     		if (err) {
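Review bot: The added blank line after the `security_ops->ip_fragment(skb, sk, LSM_SRC_SOCK);` call carries two trailing tabs and should be empty. The enclosing function starts and ends outside this hunk, so I cannot see how `skb` and `sk` are set up at this point; from the hunk alone the hook is invoked once per fragment before the NF_HOOK call, which matches the header comment's "called for each fragment generated".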
    @@ -898,7 +900,7 @@
     		skb2->nf_debug = skb->nf_debug;
     #endif
     #endif
    -		security_ops->ip_fragment(skb2, skb);
    +		security_ops->ip_fragment(skb2, skb, LSM_SRC_SKB);
     
     		/*
     		 *	Put this fragment into the sending queue.
    diff -X dontdiff -urN lsm-2.5.orig/security/capability.c lsm-2.5-frag/security/capability.c
    --- lsm-2.5.orig/security/capability.c	Mon Oct 14 12:47:13 2002
    +++ lsm-2.5-frag/security/capability.c	Mon Oct 14 13:47:58 2002
    @@ -748,7 +748,7 @@
     }
     
     static void cap_ip_fragment (struct sk_buff *newskb,
    -			     const struct sk_buff *oldskb)
    +                             const void *src, int type)
     {
     	return;
     }
    diff -X dontdiff -urN lsm-2.5.orig/security/dummy.c lsm-2.5-frag/security/dummy.c
    --- lsm-2.5.orig/security/dummy.c	Mon Oct 14 12:47:13 2002
    +++ lsm-2.5-frag/security/dummy.c	Mon Oct 14 13:47:38 2002
    @@ -565,7 +565,7 @@
     }
     
     static void dummy_ip_fragment (struct sk_buff *newskb,
    -			       const struct sk_buff *oldskb)
    +                               const void *src, int type)
     {
     	return;
     }
    diff -X dontdiff -urN lsm-2.5.orig/security/lids/lids_lsm.c lsm-2.5-frag/security/lids/lids_lsm.c
    --- lsm-2.5.orig/security/lids/lids_lsm.c	Thu Oct 10 23:40:48 2002
    +++ lsm-2.5-frag/security/lids/lids_lsm.c	Mon Oct 14 13:48:31 2002
    @@ -742,7 +742,7 @@
     }
     
     static void lids_ip_fragment (struct sk_buff *newskb,
    -			       const struct sk_buff *oldskb)
    +                              const void *src, int type)
     {
     	return;
     }
    diff -X dontdiff -urN lsm-2.5.orig/security/owlsm.c lsm-2.5-frag/security/owlsm.c
    --- lsm-2.5.orig/security/owlsm.c	Thu Oct 10 23:40:49 2002
    +++ lsm-2.5-frag/security/owlsm.c	Mon Oct 14 13:48:16 2002
    @@ -580,8 +580,8 @@
     	return; 
     }
     
    -static void owlsm_ip_fragment (struct sk_buff *newskb, 
    -			      const struct sk_buff *oldskb) 
    +static void owlsm_ip_fragment (struct sk_buff *newskb,
    +                               const void *src, int type)
     {
     	return;
     }
    diff -X dontdiff -urN lsm-2.5.orig/security/selinux/hooks.c lsm-2.5-frag/security/selinux/hooks.c
    --- lsm-2.5.orig/security/selinux/hooks.c	Mon Oct 14 12:47:13 2002
    +++ lsm-2.5-frag/security/selinux/hooks.c	Mon Oct 14 13:40:24 2002
    @@ -2748,10 +2748,23 @@
     
     #endif	/* CONFIG_NETFILTER */
     
    -static void selinux_ip_fragment(struct sk_buff *newskb, 
    -				const struct sk_buff *oldskb)
    +static void selinux_ip_fragment(struct sk_buff *newskb,
    +                                const void *src, int type)
     {
    -	skb_copy_security(newskb->lsm_security, oldskb->lsm_security);
    +	switch (type) {
    +	case LSM_SRC_SKB:
    +		skb_copy_security(newskb->lsm_security,
    +		                  ((struct sk_buff *)src)->lsm_security);
    +		break;
    +	
    +	case LSM_SRC_SOCK:
    +		/* skb_copy_sk_security() ? */
    +		break;
    +	
    +	default:
    +		/* panic() ? */
    +	}
    +	
     	return;
     }
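Review bot: The `default:` label in selinux_ip_fragment() is followed directly by the closing brace of the switch, and C requires a statement after a label, so this hunk will not compile as posted; given the `/* panic() ? */` question, `default:` followed by `BUG();` makes a caller passing an unknown type loud rather than silently skipping the copy, and `break;` is the minimum needed. The LSM_SRC_SKB cast `(struct sk_buff *)src` also drops the `const` that the new prototype carries; `((const struct sk_buff *)src)->lsm_security` keeps the read-only contract. The LSM_SRC_SOCK case is currently an empty placeholder, which means fragments produced on the sock path in ip_output.c get no security attributes copied at all, whereas the replaced code always copied from the original skb; if that is intentional until a sock-to-skb copy helper exists, a comment saying so (and that newskb's lsm_security is left as allocated) would prevent it being read as a finished implementation.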
     
    
    


