LSM provides a set of hooks for maintaining and propagating security
information for network buffer structures (struct
sk_buff
). A security field was added to this structure,
and the hooks provide methods for allocating, cloning, copying, and
freeing this security field. The basic lifecycle hook functions are:
selinux_skb_alloc_security
: Allocates and assigns a security structure to a new network buffer.
selinux_skb_clone
: Sets the security field on a newly cloned buffer and increments the reference count.
selinux_skb_copy
: Copies the security structure to a newly copied buffer.
selinux_skb_free_security
: Decrements the reference count and, if zero, frees the security structure.
selinux_skb_set_owner_w
and
selinux_skb_recv_datagram
. The remainder of this
section describes the network buffer security structure and the
implementation for these two hooks.The skb_security_struct
structure contains security
information for network buffers. This structure is defined as:
struct skb_security_struct { unsigned long magic; /* magic number for this module */ struct sk_buff *skb; /* back pointer */ struct list_head list; /* list of skb_security_struct */ __u8 opts; /* Bitmap of current options */ __u8 mapped; /* Bitmap of mapped SIDs */ __u8 invalid; /* Security state invalidated */ atomic_t use; /* reference count */ __u32 serial; /* Policy ID used to label datagram */ security_id_t ssid; /* Source SID */ security_id_t msid; /* Message SID */ security_id_t dsid; /* Destination SID */ void *data; /* Implementation specific data */ };
Table 38. skb_security_struct
Field | Description |
---|---|
magic | Module id for the SELinux module. |
skb | Pointer to the SKB this structure belongs to. |
list | Pointer used to maintain the list of allocated SKB security structures. |
opts | Bitmap of flags indicating current packet labeling options. |
mapped | Bitmap of flags indicating currently mapped remote SIDs. |
invalid | Flag indicating that the security state of the SKB is invalid. |
use | Reference count for the security structure. |
serial | The policy serial number. |
ssid | The SID of the source socket. |
msid | The SID of the message; sockets that maintain message boundaries may label each message. |
dsid | The desired SID of the destination socket. |
data | Opaque pointer to data that may be associated with the SKB. Not currently used. |
See Section 20, Section 19, and Section 17.3.3 for a discussion of how these fields are used
by the labeled networking support, the IP hooks, and the
sock_rcv_skb
hook.
This hook sets the SID fields in a network buffer for an outgoing
packet when the buffer is associated with a particular sending socket.
The SID fields can then be used for permission checks and other
processing related to the buffer. If labeled networking is used for
the outgoing packet, then the SID fields are copied into the IP option
by the selopt_ip_label_output
function.
If the sending socket has no associated user socket, and the socket is a TCP socket, then the network buffer source and message SIDs are set to the kernel socket SID. Otherwise, no further determination is possible and the network buffer is left unlabeled.
If the sending socket has an associated user socket, but there is no inode security structure, then the network buffer' source and message SIDs are assigned either the TCP reset socket SID or the ICMP socket SID based on its family and protocol, and this hook returns. This logic handles kernel created sockets, since they are not caught by the LSM hooks.
Where there exists a inode for the socket, the source socket SID and message SID for the network buffer are set by default to the SID of the sending socket. However, the extended socket calls may change the SIDs used for the network buffer. See Section 17.4.3.19 for a discussion of the optional extended socket call processing.
This hook calls the extsocket_skb_recv_datagram
function
to perform the processing necessary for the extended socket calls.