[Swan-dev] [PATCH] pluto: Update pluto to support selinux_check_access(3).
Richard Haines
richard_c_haines at btinternet.com
Fri May 12 15:01:16 UTC 2017
Replace the SELinux avc_* calls with selinux_check_access(3) that
combines all those services, plus:
Checks if SELinux enabled.
Supports reordering of classes/permissions at runtime.
Handles unknown classes/permissions (allow|deny|reject).
Requires libselinux 2.1.9 or greater.
Signed-off-by: Richard Haines <richard_c_haines at btinternet.com>
---
programs/pluto/ikev1_spdb_struct.c | 2 +-
programs/pluto/plutomain.c | 2 +-
programs/pluto/security_selinux.c | 68 +++++++++-----------------------------
programs/pluto/security_selinux.h | 6 ++--
4 files changed, 20 insertions(+), 58 deletions(-)
diff --git a/programs/pluto/ikev1_spdb_struct.c b/programs/pluto/ikev1_spdb_struct.c
index 53aed7f..6fee5ef 100644
--- a/programs/pluto/ikev1_spdb_struct.c
+++ b/programs/pluto/ikev1_spdb_struct.c
@@ -126,7 +126,7 @@ static bool parse_secctx_attr(pb_stream *pbs, struct state *st)
st->st_connection->policy_label)) {
DBG_log("security context verification succeeded");
} else {
- libreswan_log("security context verification failed (perhaps policy_label is not confgured for this connection)");
+ libreswan_log("security context verification failed (perhaps policy-label is not confgured for this connection)");
return FALSE;
}
/*
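Review bot: The rewritten log message on the added line still misspells "confgured"; since the string is being touched anyway, fix both words at once: `libreswan_log("security context verification failed (perhaps policy-label is not configured for this connection)");`. parse_secctx_attr starts and continues outside the hunk.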
diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
index 33c139c..a5097e0 100644
--- a/programs/pluto/plutomain.c
+++ b/programs/pluto/plutomain.c
@@ -1700,7 +1700,7 @@ int main(int argc, char **argv)
init_fetch();
#endif
#ifdef HAVE_LABELED_IPSEC
- init_avc();
+ init_selinux();
#endif
daily_log_event();
#ifdef USE_SYSTEMD_WATCHDOG
diff --git a/programs/pluto/security_selinux.c b/programs/pluto/security_selinux.c
index ac5028e..865f7c8 100644
--- a/programs/pluto/security_selinux.c
+++ b/programs/pluto/security_selinux.c
@@ -13,72 +13,36 @@
*
*/
+#include <errno.h>
+
#include "security_selinux.h"
#include "lswlog.h"
-static int selinux_ready = 0;
-
-void init_avc(void)
+void init_selinux(void)
{
- if (!is_selinux_enabled()) {
- DBG_log("selinux support is NOT enabled.");
- return;
- } else {
- DBG_log("selinux support is enabled.");
- }
-
- if (avc_init("libreswan", NULL, NULL, NULL, NULL) == 0)
- selinux_ready = 1;
+ if (!is_selinux_enabled())
+ DBG_log("SELinux support is NOT enabled.");
else
- DBG_log("selinux: could not initialize avc.");
+ DBG_log("SELinux support is enabled in %s mode.",
+ security_getenforce() ? "ENFORCING" : "PERMISSIVE");
}
-int within_range(security_context_t sl, security_context_t range)
+int within_range(const char *sl, const char *range)
{
- int rtn = 1;
- security_id_t slsid;
- security_id_t rangesid;
- struct av_decision avd;
- security_class_t tclass;
- access_vector_t av;
-
- if (!selinux_ready) {
- /* mls may not be enabled */
- DBG_log("selinux check failed");
- return 0;
- }
-
- /*
- * * Get the sids for the sl and range contexts
- */
- rtn = avc_context_to_sid(sl, &slsid);
- if (rtn != 0) {
- DBG_log("within_range: Unable to retrieve sid for sl context (%s)",
- sl);
- return 0;
- }
- rtn = avc_context_to_sid(range, &rangesid);
- if (rtn != 0) {
- DBG_log("within_range: Unable to retrieve sid for range context (%s)",
- range);
- sidput(slsid);
- return 0;
- }
+ int rtn;
/*
- ** Straight up test between sl and range
+ ** Check access permission for sl (connection policy label from SAD)
+ ** and range (connection flow label from SPD but initially the
+ ** conn policy-label= entry of the ipsec.conf(5) configuration file).
**/
- tclass = string_to_security_class("association");
- av = string_to_av_perm(tclass, "polmatch");
- rtn = avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd);
+ rtn = selinux_check_access(sl, range, "association", "polmatch", NULL);
if (rtn != 0) {
- DBG_log("within_range: The sl (%s) is not within range of (%s)", sl,
- range);
- sidput(slsid);
- sidput(rangesid);
+ DBG_log("within_range: sl (%s) - range (%s) error: %s\n",
+ sl, range, strerror(errno));
return 0;
}
- DBG_log("within_range: The sl (%s) is within range of (%s)", sl,
+ DBG_log("within_range: Permission granted sl (%s) - range (%s)", sl,
range);
return 1;
}
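Review bot: The new within_range drops the `selinux_ready` guard that the removed lines used to return 0 (deny) when SELinux was not enabled, and relies on the `rtn = selinux_check_access(...)` call alone; as I read libselinux, that call returns 0 when SELinux is disabled (and, in permissive mode, for denials that are only audited), so the function now reports the label as in range in cases where it previously reported it out of range. If that fail-open behaviour is intended for the labeled-IPsec path, it deserves a comment at the call, e.g. `/* selinux_check_access() returns 0 (permit) when SELinux is disabled or permissive; only enforcing mode yields a denial here */`; if not, keep an `if (!is_selinux_enabled()) return 0;` guard ahead of it. The error log reads `strerror(errno)` but the hunk adds only `<errno.h>`; unless lswlog.h or security_selinux.h pulls in `<string.h>` transitively, add `#include <string.h>` beside it. The trailing `\n` in the `"within_range: sl (%s) - range (%s) error: %s\n"` format is inconsistent with the other DBG_log messages in this hunk, which carry no newline. init_selinux's ternary also prints ENFORCING when security_getenforce() fails and returns -1; a three-way check would log that case distinctly.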
diff --git a/programs/pluto/security_selinux.h b/programs/pluto/security_selinux.h
index cccd60f..554b75e 100644
--- a/programs/pluto/security_selinux.h
+++ b/programs/pluto/security_selinux.h
@@ -16,10 +16,8 @@
#define _SECURITY_SELINUX_H
#include <selinux/selinux.h>
-#include <selinux/avc.h>
-#include <selinux/context.h>
-void init_avc(void);
-int within_range(security_context_t sl, security_context_t range);
+void init_selinux(void);
+int within_range(const char *sl, const char *range);
#endif /* _SECURITY_SELINUX_H */
--
2.9.3