19. IPv4 Networking Hook Functions

The SELinux IPv4 networking hook function implementations perform network layer access controls for outgoing and incoming packets. Many of these hooks are implemented by using the existing Linux kernel Netfilter framework, thereby minimizing the need for new hooks in the network protocol implementation. These hooks may use the security fields associated with network buffers (struct sk_buff), network devices (struct net_device), and sockets (the associated struct inode).

19.1. Netfilter-based Hook Functions

LSM allows a security module to intercept each Netfilter hook twice, both before and after the packet has passed through the standard kernel packet filtering mechanisms. Correspondingly, for each of the five types of Netfilter hook, two LSM hooks are registered; the hook name is suffixed with either _first or _last as appropriate. These hook functions follow the conventions of the Netfilter hooks rather than the conventions of other LSM hooks: they must return NF_ACCEPT to allow the packet through and NF_DROP to reject it.

19.1.1. selinux_ip_input_helper

This helper function is used by the selinux_ip_preroute_last and selinux_ip_input_last hooks to perform processing common to those two hooks. It takes as parameters the network buffer, the network buffer's security structure, and the receiving network device. If the network buffer is unlabeled, the helper initializes both the source socket SID and the message SID to the default message SID of the receiving network device.

The helper then uses the security_node_sid interface of the security server to obtain the SID associated with the source node (host) of the packet. It then checks a permission (selected by the protocol type) between the network buffer and the receiving network interface, and the same permission between the network buffer and the source node. Both checks must pass for the packet to be accepted. The permission checked for each protocol type is shown in Table 39.

Table 39. Packet Receive Permissions

Protocol   Permission
UDP        udp_recv
TCP        tcp_recv
other      rawip_recv

19.1.2. selinux_ip_preroute_last

This hook function intercepts incoming packets after they have been received on the network interface, but prior to routing. Since it is called after any other Netfilter pre-routing hooks, packets may be modified or dropped prior to reaching this hook function. Since this hook function is a pre-routing hook, it is applied to packets that are not locally destined as well as those that are. The selinux_ip_input_helper function is called to initialize the network buffer SIDs and to check permissions for all received packets.

19.1.3. selinux_ip_input_first

This hook function intercepts incoming packets that are locally destined. It calls the NSID hook nsid_ip_map_input to map any remote SIDs saved in the network buffer security structure by selinux_ip_decode_options to local SIDs. See Section 20 for a description of the NSID functions.

19.1.4. selinux_ip_input_last

This hook function intercepts incoming locally destined packets after remote SIDs have been mapped. If the packet did not have a CIPSO label, then this hook does nothing, since all of the necessary processing was performed by selinux_ip_preroute_last. Otherwise, this hook function calls selinux_ip_input_helper again on the network buffer to recheck permissions based on the mapped SIDs.

19.1.5. selinux_ip_output_first

This hook function returns NF_DROP for packets marked as invalid in the network buffer security structure. Otherwise, the nsid_ip_label_output hook is called to set the labels in the outgoing IP packet from the network buffer SIDs, and its result is returned by the hook. See Section 20 for a description of the NSID functions.

19.1.6. selinux_ip_postroute_last

This hook intercepts outgoing packets after routing, just before they are put on the wire. Since it is called after any other Netfilter post-routing hooks, packets may be modified or dropped prior to reaching this hook function. This hook function must obtain security information for the destination node (host); it uses the security_node_sid interface of the security server to obtain the SID associated with the destination node.

This hook function then checks a permission (based on the protocol type) between the network buffer and the sending network device. It also checks the same permission between the network buffer and the destination node. The permission checked for each protocol type is shown in Table 40. The SID used in these checks is the message SID stored in the network buffer security structure. In the case of forwarded packets, this SID was initialized by the selinux_ip_preroute_last hook during input processing. For locally generated packets, the selinux_skb_set_owner_w hook sets the message SID.

Table 40. Packet Send Permissions

Protocol   Permission
UDP        udp_send
TCP        tcp_send
other      rawip_send
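As an added illustration (not code from the SELinux module or the kernel), the following user-space C program models the two-stage check that selinux_ip_input_helper (Section 19.1.1) and selinux_ip_postroute_last (Section 19.1.6) perform, plus the invalid-label drop of selinux_ip_output_first (Section 19.1.5). The SIDs, the security_node_sid address mapping, the access-vector table and the sample packets are all constructed for the example; using the message SID as the subject of the receive-side checks is assumed by analogy with the send-side description. The NF_ACCEPT/NF_DROP values are the kernel's.

```c
/*
 * User-space model (added illustration, not the SELinux module's code) of the
 * IPv4 receive and send permission checks of Sections 19.1.1, 19.1.5 and 19.1.6.
 * SIDs, the node-SID mapping, the access-vector table and the packets are all
 * constructed for the example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netfilter verdicts; these two values match <linux/netfilter.h>. */
#define NF_DROP   0
#define NF_ACCEPT 1

/* IPv4 header protocol numbers (IANA). */
#define PROTO_TCP 6
#define PROTO_UDP 17

typedef uint32_t sid_t;

/* Assumed SIDs for the model; real SIDs are assigned by the security server. */
enum { SID_UNLABELED, SID_NETIF_ETH0, SID_NETIF_ETH0_DEFMSG,
       SID_NODE_TRUSTED, SID_NODE_UNKNOWN, SID_MSG_LABELED, SID_MAX };

/* Permissions from Tables 39 and 40, used as bit positions below. */
enum perm { UDP_RECV, TCP_RECV, RAWIP_RECV, UDP_SEND, TCP_SEND, RAWIP_SEND, PERM_MAX };

struct netif_sec { sid_t sid; sid_t default_msg_sid; };    /* net_device security fields */
struct skb_sec   { sid_t ssid; sid_t msid; bool invalid; }; /* sk_buff security fields */

struct packet {
    uint8_t  proto;
    uint32_t saddr, daddr;   /* host byte order */
    bool     labeled;        /* packet carried a security label */
    struct skb_sec sec;
};

/* Tables 39 and 40 as one dispatch: protocol and direction select the permission. */
static enum perm packet_perm(uint8_t proto, bool send)
{
    switch (proto) {
    case PROTO_UDP: return send ? UDP_SEND : UDP_RECV;
    case PROTO_TCP: return send ? TCP_SEND : TCP_RECV;
    default:        return send ? RAWIP_SEND : RAWIP_RECV;
    }
}

/* Stand-in for security_node_sid: assumed 10/8 is the trusted node, all else unknown. */
static sid_t security_node_sid(uint32_t addr)
{
    return (addr >> 24) == 10 ? SID_NODE_TRUSTED : SID_NODE_UNKNOWN;
}

/* Toy access vectors: allow[ssid][tsid] is a bitmask over enum perm. */
static uint32_t allow[SID_MAX][SID_MAX];

static void policy_load(void)
{
    const uint32_t dflt = (1u << UDP_RECV) | (1u << TCP_RECV) | (1u << TCP_SEND);
    const uint32_t all  = (1u << PERM_MAX) - 1;
    memset(allow, 0, sizeof allow);
    /* Unlabeled traffic on eth0: UDP/TCP in, TCP out, and only with the trusted node. */
    allow[SID_NETIF_ETH0_DEFMSG][SID_NETIF_ETH0]   = dflt;
    allow[SID_NETIF_ETH0_DEFMSG][SID_NODE_TRUSTED] = dflt;
    /* Labeled messages are unrestricted in this toy policy. */
    allow[SID_MSG_LABELED][SID_NETIF_ETH0]   = all;
    allow[SID_MSG_LABELED][SID_NODE_TRUSTED] = all;
    allow[SID_MSG_LABELED][SID_NODE_UNKNOWN] = all;
}

static bool avc_has_perm(sid_t ssid, sid_t tsid, enum perm p)
{
    return (allow[ssid][tsid] >> p) & 1u;
}

/* Common body of the receive and send checks: interface first, then node; both must pass. */
static int check_netif_and_node(sid_t msid, const struct netif_sec *dev,
                                uint32_t node_addr, enum perm p)
{
    if (!avc_has_perm(msid, dev->sid, p))
        return NF_DROP;
    if (!avc_has_perm(msid, security_node_sid(node_addr), p))
        return NF_DROP;
    return NF_ACCEPT;
}

/* Model of selinux_ip_input_helper: label unlabeled packets, then check against source. */
static int ip_input_helper(struct packet *pkt, const struct netif_sec *dev)
{
    if (!pkt->labeled)
        pkt->sec.ssid = pkt->sec.msid = dev->default_msg_sid;
    return check_netif_and_node(pkt->sec.msid, dev, pkt->saddr,
                                packet_perm(pkt->proto, false));
}

/* Model of selinux_ip_output_first: packets with invalid labels never leave the host. */
static int ip_output_first(const struct packet *pkt)
{
    return pkt->sec.invalid ? NF_DROP : NF_ACCEPT;
}

/* Model of selinux_ip_postroute_last: send permissions, checked against the destination. */
static int ip_postroute_last(const struct packet *pkt, const struct netif_sec *dev)
{
    return check_netif_and_node(pkt->sec.msid, dev, pkt->daddr,
                                packet_perm(pkt->proto, true));
}

static const struct netif_sec eth0 = { SID_NETIF_ETH0, SID_NETIF_ETH0_DEFMSG };

/* Receive one packet on eth0; a labeled packet is assumed to carry SID_MSG_LABELED. */
int recv_verdict(uint8_t proto, uint32_t saddr, bool labeled)
{
    struct packet pkt = { .proto = proto, .saddr = saddr, .labeled = labeled };
    if (labeled)
        pkt.sec.ssid = pkt.sec.msid = SID_MSG_LABELED;
    policy_load();
    return ip_input_helper(&pkt, &eth0);
}

/* Send a locally generated packet; msid stands in for what selinux_skb_set_owner_w set. */
int send_verdict(uint8_t proto, uint32_t daddr, sid_t msid, bool invalid)
{
    struct packet pkt = { .proto = proto, .daddr = daddr, .sec = { msid, msid, invalid } };
    policy_load();
    if (ip_output_first(&pkt) == NF_DROP)
        return NF_DROP;
    return ip_postroute_last(&pkt, &eth0);
}

int main(void)
{
    /* 0x0A010203 = 10.1.2.3 (trusted), 0xC0A80101 = 192.168.1.1 (unknown); constructed. */
    printf("unlabeled UDP from 10.1.2.3:    %d\n", recv_verdict(PROTO_UDP, 0x0A010203, false));
    printf("unlabeled UDP from 192.168.1.1: %d\n", recv_verdict(PROTO_UDP, 0xC0A80101, false));
    printf("unlabeled UDP to 10.1.2.3:      %d\n", send_verdict(PROTO_UDP, 0x0A010203, SID_NETIF_ETH0_DEFMSG, false));
    return 0;
}
```

The point the model makes is that a packet must satisfy two independent access vectors, netif and node, and that the node check is what confines unlabeled traffic (which inherits the interface's default message SID) to the hosts the policy names; the source of the packet's message SID differs between received, forwarded and locally generated packets, but the check itself has the same shape on both the input and the post-routing paths.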

19.1.7. Unused Netfilter-based Hooks

The SELinux security module does not currently use the remaining Netfilter-based hooks. The following hook functions simply return NF_ACCEPT:

  • selinux_ip_preroute_first

  • selinux_ip_forward_first

  • selinux_ip_forward_last

  • selinux_ip_output_last

  • selinux_ip_postroute_first

19.2. IP Packet Lifecycle Hooks

A small number of additional hooks are provided for IP packet lifecycle events; they allow validation and propagation of security attributes at various times during IP packet processing. These hooks are called when IP packets are fragmented and defragmented, encapsulated and decapsulated, and when IP security options need to be processed. Since these hook calls are not implemented via Netfilter, they follow the conventions of the normal LSM hooks, returning 0 on success.

19.2.1. selinux_ip_fragment

This hook copies the network buffer security information from the existing buffer to the new buffer when the IP packet is being fragmented.

19.2.2. selinux_ip_defragment

This hook calls the NSID hook nsid_ip_defragment to handle any special processing needed when IP packets are defragmented. See Section 20 for a description of the NSID functions. The result of the call to nsid_ip_defragment is returned.

19.2.3. selinux_ip_decode_options

This hook function calls nsid_ip_decode_options. See Section 20 for a description of the NSID functions. The result of the call to nsid_ip_decode_options is returned by this hook.

19.2.4. Unused IP Packet Lifecycle Hooks

The SELinux security module does not currently use the remaining IP packet lifecycle hooks. The following hook functions simply return success (0):

  • selinux_ip_encapsulate

  • selinux_ip_decapsulate