The SELinux IPv4 networking hook function implementations perform
network layer access controls for outgoing and incoming packets. Many
of these hooks are implemented by using the existing Linux kernel
Netfilter framework, thereby minimizing the need for new hooks in the
network protocol implementation. These hooks may use the security
fields associated with network buffers (struct sk_buff), network
devices (struct net_device), and sockets (the associated struct inode).

LSM allows a security module to intercept each Netfilter hook twice:
both before and after the packets have passed through the standard
kernel packet filtering mechanisms. Correspondingly, for each of the
five types of Netfilter hooks, there are two LSM hooks registered. The
hook name is suffixed with either _first or _last as appropriate. These
hook functions follow the conventions of the Netfilter hooks rather
than the conventions of other LSM hooks; hence, these hooks must return
NF_ACCEPT to allow the packet through and NF_DROP to reject the packet.

This helper function is used by the selinux_ip_preroute_last and
selinux_ip_input_last hooks to perform some functions common to those
two hooks. This function takes as parameters the network buffer, the
network buffer's security structure, and the receiving network device.
If the network buffer is unlabeled, then this hook initializes the
source socket SID and message SID to the default message SID of the
receiving network device. The hook function then uses the
security_node_sid interface of the security server to obtain the SID
associated with the source node (host) for the packet. It then checks
a permission (based on the protocol type) between the network buffer
and the receiving network interface and a permission between the
network buffer and the source node. The permission checked for each
protocol type is shown in Table 39.

This hook function intercepts incoming packets after they have been
received on the network interface, but prior to routing. Since it is
called after any other Netfilter pre-routing hooks, packets may be
modified or dropped prior to reaching this hook function. Since this
hook function is a pre-routing hook, it is applied to packets that are
not locally destined as well as those that are. The
selinux_ip_input_helper function is called to initialize the network
buffer SIDs and to check permissions for all received packets.

This hook function intercepts incoming packets that are locally
destined. It calls the NSID hook nsid_ip_map_input to map any remote
SIDs saved in the network buffer security structure by
selinux_ip_decode_options to local SIDs. See Section 20 for a
description of the NSID functions.

This hook function intercepts incoming locally destined packets after
remote SIDs have been mapped. If the packet did not have a CIPSO
label, then this hook does nothing, since all of the necessary
processing was performed by selinux_ip_preroute_last. Otherwise, this
hook function calls selinux_ip_input_helper again on the network
buffer to recheck permissions based on the mapped SIDs.

This hook function will return NF_DROP for packets labeled as invalid
in the network buffer security structure. Otherwise, the
nsid_ip_label_output hook is called to set the labels in the outgoing
IP packet from the network buffer SIDs. See Section 20 for a
description of the NSID functions. The result from this function call
is returned by the hook.

This hook intercepts outgoing packets after network routing, just
before they are put on the wire. Since it is called after any other
Netfilter post-routing hooks, packets may be modified or dropped prior
to reaching this hook function. This hook function must obtain
security information for the destination node (host). It uses the
security_node_sid interface of the security server to obtain the SID
associated with the destination node. This hook function then checks
a permission (based on the protocol type) between the network buffer
and the sending network device. It also checks the same permission
between the network buffer and the destination node. The permission
checked for each protocol type is shown in Table 40. The SID used in
these checks is the message SID stored in the network buffer security
structure. In the case of forwarded packets, this SID was initialized
by the selinux_ip_preroute_last hook during input processing. For
locally generated packets, the selinux_skb_set_owner_w hook sets the
message SID.
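
The following user-space model, added here as an illustration and not
taken from the SELinux module itself, follows the decision flow
described above for the input helper (unlabeled-buffer initialization,
source node lookup, per-protocol checks against the receiving interface
and the source node) and for the post-routing hook (destination node
lookup, the same checks on the sending side using the message SID that
input processing stored in the buffer). All SID values, host ids,
interface names and the allow table are constructed for the example;
model_node_sid and model_avc_has_perm stand in for security_node_sid and
the access vector cache; the permission names are assumed to match the
netif and node classes that Tables 39 and 40 refer to. The model uses
the message SID for the input-side checks as well, which the text
states only for the output side.

```c
/* Added illustration, not kernel code: a model of the SELinux
 * Netfilter-based IPv4 hook decision flow. All values are constructed. */
#include <stddef.h>
#include <stdio.h>

#define NF_DROP   0          /* Netfilter verdicts returned by these hooks */
#define NF_ACCEPT 1
#define SECSID_NULL 0        /* "unlabeled": no SID set on the buffer yet */

enum proto  { PROTO_TCP, PROTO_UDP, PROTO_RAW };
enum tclass { CLASS_NETIF, CLASS_NODE };
enum perm   { PERM_TCP_RECV, PERM_UDP_RECV, PERM_RAWIP_RECV,
              PERM_TCP_SEND, PERM_UDP_SEND, PERM_RAWIP_SEND };

/* Model of the security structure attached to a network buffer. */
struct skb_sec {
    unsigned int ssid;    /* source socket SID */
    unsigned int msid;    /* message SID used for the netif/node checks */
    int          invalid; /* set when the label was found to be invalid */
};

struct packet {
    enum proto     proto;
    unsigned int   saddr, daddr;  /* constructed host ids, not real IPs */
    struct skb_sec sec;
};

/* Model of the per-device data: its own SID and a default message SID. */
struct netif { const char *name; unsigned int sid; unsigned int default_msg_sid; };

/* Constructed SIDs and hosts (hypothetical values). */
enum { SID_IF_ETH0 = 10, SID_MSG_ETH0 = 11, SID_IF_ETH1 = 20, SID_MSG_ETH1 = 21,
       SID_NODE_A = 30, SID_NODE_B = 31, SID_NODE_DEFAULT = 39 };
enum { ADDR_A = 0x0A000001, ADDR_B = 0x0A000002, ADDR_X = 0x0A0000FF };

static const struct netif model_eth0 = { "eth0", SID_IF_ETH0, SID_MSG_ETH0 };
static const struct netif model_eth1 = { "eth1", SID_IF_ETH1, SID_MSG_ETH1 };

/* Stand-in for security_node_sid(): map a host address to its node SID. */
static unsigned int model_node_sid(unsigned int addr)
{
    if (addr == ADDR_A) return SID_NODE_A;
    if (addr == ADDR_B) return SID_NODE_B;
    return SID_NODE_DEFAULT;   /* unknown hosts get a default node SID */
}

/* Stand-in for the access vector cache: a constructed allow table. */
struct rule { unsigned int ssid, tsid; enum tclass tclass; enum perm perm; };
static const struct rule allow_rules[] = {
    { SID_MSG_ETH0, SID_IF_ETH0, CLASS_NETIF, PERM_TCP_RECV },
    { SID_MSG_ETH0, SID_NODE_A,  CLASS_NODE,  PERM_TCP_RECV },
    { SID_MSG_ETH0, SID_IF_ETH1, CLASS_NETIF, PERM_TCP_SEND },
    { SID_MSG_ETH0, SID_NODE_B,  CLASS_NODE,  PERM_TCP_SEND },
};

static int model_avc_has_perm(unsigned int ssid, unsigned int tsid,
                              enum tclass tclass, enum perm perm)
{
    size_t i;
    for (i = 0; i < sizeof allow_rules / sizeof allow_rules[0]; i++)
        if (allow_rules[i].ssid == ssid && allow_rules[i].tsid == tsid &&
            allow_rules[i].tclass == tclass && allow_rules[i].perm == perm)
            return 1;
    return 0;   /* default deny */
}

/* Per-protocol permission selection (the role played by Tables 39 and 40). */
static enum perm recv_perm(enum proto p)
{ return p == PROTO_TCP ? PERM_TCP_RECV : p == PROTO_UDP ? PERM_UDP_RECV : PERM_RAWIP_RECV; }
static enum perm send_perm(enum proto p)
{ return p == PROTO_TCP ? PERM_TCP_SEND : p == PROTO_UDP ? PERM_UDP_SEND : PERM_RAWIP_SEND; }

/* Model of selinux_ip_input_helper(): initialize SIDs if the buffer is
 * unlabeled, then check the receiving interface and the source node. */
static int model_ip_input_helper(struct packet *pkt, const struct netif *dev)
{
    enum perm perm = recv_perm(pkt->proto);
    unsigned int node_sid;

    if (pkt->sec.msid == SECSID_NULL) {        /* unlabeled: use the device default */
        pkt->sec.ssid = dev->default_msg_sid;
        pkt->sec.msid = dev->default_msg_sid;
    }
    node_sid = model_node_sid(pkt->saddr);
    if (!model_avc_has_perm(pkt->sec.msid, dev->sid, CLASS_NETIF, perm)) return NF_DROP;
    if (!model_avc_has_perm(pkt->sec.msid, node_sid, CLASS_NODE, perm)) return NF_DROP;
    return NF_ACCEPT;
}

/* Model of selinux_ip_postroute_last(): same shape on the sending side,
 * using the destination node and the message SID set during input. */
static int model_ip_postroute_last(struct packet *pkt, const struct netif *dev)
{
    enum perm perm = send_perm(pkt->proto);
    unsigned int node_sid = model_node_sid(pkt->daddr);

    if (!model_avc_has_perm(pkt->sec.msid, dev->sid, CLASS_NETIF, perm)) return NF_DROP;
    if (!model_avc_has_perm(pkt->sec.msid, node_sid, CLASS_NODE, perm)) return NF_DROP;
    return NF_ACCEPT;
}

/* A forwarded packet: pre-routing input checks, then post-routing checks. */
static int model_forward_path(struct packet *pkt, const struct netif *in, const struct netif *out)
{
    if (model_ip_input_helper(pkt, in) == NF_DROP) return NF_DROP;
    return model_ip_postroute_last(pkt, out);
}

/* Message SID a previously unlabeled packet carries after input processing. */
static unsigned int model_msid_after_input(enum proto proto, unsigned int saddr, const struct netif *dev)
{
    struct packet pkt = { proto, saddr, 0, { SECSID_NULL, SECSID_NULL, 0 } };
    model_ip_input_helper(&pkt, dev);
    return pkt.sec.msid;
}

int main(void)
{
    struct packet tcp = { PROTO_TCP, ADDR_A, ADDR_B, { SECSID_NULL, SECSID_NULL, 0 } };
    struct packet udp = { PROTO_UDP, ADDR_A, ADDR_B, { SECSID_NULL, SECSID_NULL, 0 } };
    printf("tcp A->B via eth0/eth1: %s (msid %u)\n",
           model_forward_path(&tcp, &model_eth0, &model_eth1) == NF_ACCEPT ? "NF_ACCEPT" : "NF_DROP",
           tcp.sec.msid);
    printf("udp A->B via eth0/eth1: %s\n",
           model_forward_path(&udp, &model_eth0, &model_eth1) == NF_ACCEPT ? "NF_ACCEPT" : "NF_DROP");
    return 0;
}
```

The forwarding case shows why the message SID must already be set by the
pre-routing hook: the post-routing checks key on it, and a packet that
arrived on a different interface picks up a different default message
SID and therefore a different set of allow rules.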

The SELinux security module does not currently use the remaining
Netfilter-based hooks. The following hook functions simply return
NF_ACCEPT:

    selinux_ip_preroute_first
    selinux_ip_forward_first
    selinux_ip_forward_last
    selinux_ip_output_last
    selinux_ip_postroute_first

A small number of additional hooks are provided for IP packet lifecycle
events; they allow validation and propagation of security attributes
at various times during IP packet processing. These hooks are called
when IP packets are fragmented and defragmented, encapsulated and
decapsulated, and when IP security options need to be processed. Since
these hook calls are not implemented via Netfilter, they follow the
conventions of the normal LSM hooks, returning 0 on success.

This hook copies the network buffer security information from the
existing buffer to the new buffer when the IP packet is being
fragmented.

This hook calls the NSID hook nsid_ip_defragment to handle any special
processing needed when IP packets are defragmented. See Section 20 for
a description of the NSID functions. The result of the call to
nsid_ip_defragment is returned.

This hook function calls nsid_ip_decode_options. See Section 20 for a
description of the NSID functions. The result of the call to
nsid_ip_decode_options is returned by this hook.

The SELinux security module does not currently use the remaining IP
packet lifecycle hooks. The following hook functions simply return
success:

    selinux_ip_encapsulate
    selinux_ip_decapsulate