This patch adds a polmatch avperm to arbitrate flow/state's access to
a xfrm policy. It also defines MLS policy for association { sendto, recvfrom, polmatch }. NOTE: When an inbound packet is not using an IPSec SA, a check is performed between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For MLS purposes however, the target of the check should be the MLS label taken from the node sid (or secmark in the new secmark world). This would present a severe performance overhead (to make a new sid based on the unlabeled sid with the MLS taken from the node sid or secmark and then using this sid as the target). Pending reconciliation of the netlabel, ipsec and iptables contexts, I have chosen to currently make an exception for unlabeled_t SAs if TE policy allowed it. A similar problem exists for the outbound case and it has been similarly handled in the policy below (by making an exception for unlabeled_t). I am submitting the below limited patch pending a comprehensive patch from Joy Latten at IBM (latten@austin.ibm.com). I am not sure if I needed to manually do a "make tolib" in the flask subdir and submit the results as well. Please let me know if I needed to. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
This commit is contained in:
parent
eac818f040
commit
9b45c60308
@ -603,6 +603,7 @@ class association
|
|||||||
sendto
|
sendto
|
||||||
recvfrom
|
recvfrom
|
||||||
setcontext
|
setcontext
|
||||||
|
polmatch
|
||||||
}
|
}
|
||||||
|
|
||||||
# Updated Netlink class for KOBJECT_UEVENT family.
|
# Updated Netlink class for KOBJECT_UEVENT family.
|
||||||
|
15
policy/mls
15
policy/mls
@ -661,7 +661,18 @@ mlsconstrain xinput { setattr relabelinput }
|
|||||||
# MLS policy for the association class
|
# MLS policy for the association class
|
||||||
#
|
#
|
||||||
|
|
||||||
# these access vectors have no MLS restrictions
|
mlsconstrain association { recvfrom }
|
||||||
# association *
|
((( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||||
|
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
|
||||||
|
( t1 == mlsnetread ) or
|
||||||
|
( t2 == unlabeled_t ));
|
||||||
|
|
||||||
|
mlsconstrain association { sendto }
|
||||||
|
((( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||||
|
( t2 == unlabeled_t ));
|
||||||
|
|
||||||
|
mlsconstrain association { polmatch }
|
||||||
|
((( l1 dom l2 ) and ( h1 domby h2 )) or
|
||||||
|
( t2 == unlabeled_t ));
|
||||||
|
|
||||||
') dnl end enable_mls
|
') dnl end enable_mls
|
||||||
|
Loading…
Reference in New Issue
Block a user