Implementing SELinux as a Linux Security Module | ||
---|---|---|
<<< Previous | Next >>> |
SELinux can optionally be built with support for labeled networking via CIPSO/FIPS-188 IP Options. The Network SID (NSID) API provides a general framework for labeled networking for SELinux. Selopt is a particular implementation of this API that provides labeled networking for SELinux using CIPSO/FIPS-188 IP Options. The NSID and Selopt components were contributed to SELinux by James Morris. This section provides a brief discussion of the NSID API and Selopt, drawing from the existing documentation in [MorrisSeloptOverview2002].
The Network SID (NSID) API provides a general framework for labeled networking that is intended to be independent of the underlying mechanism. The NSID interfaces called by SELinux are:
nsid_sock_sendmsg: Adjust effective MSS for outgoing TCP data segments if necessary for network security labels. Called by selinux_socket_sendmsg.
nsid_ip_label_output: Adds network security labels to outgoing packets based on the security structure of the associated network buffer. Called by selinux_ip_output_first.
nsid_ip_decode_options: Decodes network security labels on incoming packets into the security structure of the associated network buffer. Called by selinux_ip_decode_options.
nsid_ip_map_input: Maps remote security labels on incoming packets to local security labels. Called by selinux_ip_input_first.
nsid_ip_defragment: Validates the security labels on incoming fragments so that the security information for a packet is consistent across the fragments.
Selopt implements the NSID API using CIPSO/FIPS-188 IP options as the underlying mechanism for passing SIDs across the network. Selopt provides mechanisms for:
Labeling IPv4 packets with local SIDs
Specifying which packets require labeling
Decoding labels from peers
Mapping remote SIDs to local SIDs
Selopt adds the concept of a security perimeter to SELinux. A security perimeter is a group of trusted peers that have equivalent security policies. Security policies are equivalent if the security attribute spaces are identical and have the same meanings on each system. Hosts can be added to or removed from the perimeter at any time by using the pt utility. Outgoing packets to a host within the perimeter will be labeled. Incoming packets from a host within the perimeter must be labeled or they will be dropped. Labeled packets from hosts outside of the parameter will be dropped.
Since Selopt labels outgoing packets with local SIDs in the IP option and SIDs have only local meaning, a mapping mechanism is required to translate remote SIDs to local SIDs for incoming packets. To support such translation, a Security Context Mapping Protocol (SCMP) was defined that allows a peer to request a security context for a given SID. This protocol is described in [MorrisSCMP2001]. The security context can then be translated to a local SID by the local security server and stored in a network SID mapping cache. A daemon called scmpd implements the SCMP protocol.
Selopt defines up to three SIDs that can be included in the IP option. These SIDs are copied from the network buffer security structure for outgoing packets, and copied into the network buffer security structure for incoming packets. The complete list of Selopt security parameters is:
Bypass: A flags indicating that the packet is implicitly labeled. The SCMP packets don't have security labels and will have this flag set.
Serial: 32-bit policy serial number
SSID: 32-bit source socket SID
MSID: 32-bit message SID
DSID: 32-bit destination socket SID
This function adds security labels to the IP packet by copying the SIDs from the network buffer security structure into the IP packet's options. However, if the packet destination is not in the perimeter, or is local, the packet is not labeled. The SSID is always set in the IP option. The MSID is only set if it differs from the SSID. The DSID is only set if it was specified.
This function will return NF_DROP
for any packet
from outside the perimeter that is labeled, and for any unlabeled packet
from within the perimeter. Otherwise, mapping of the packet SIDs is
attempted.
Any packet that has the Bypass flag set in the options is
accepted without mapping. Packets that have a local source address are also
accepted without mapping. The packet SIDs are mapped
by first checking the peer cache for a previous mapping (the ``fast'' path).
If the cache lookup succeeds, then the packet is accepted. Otherwise,
a map request is sent to the cache manager (the ``slow'' path),
and NF_QUEUE
is returned. In this case, the Netfilter
logic will call the selopt_queue_handler funtion to
queue the network buffer.
When the reply message is received for the map request, Selopt will
reinject the network buffer by calling the Netfilter function
nf_reinject. Processing of the SKB will then continue
on to the next Netfilter hook.
This function will decode the security labels from the options field of the IP packet header. For packets that are not being delivered to the local host, this function returns without decoding the options. Otherwise, the Selopt policy serial number, source SID, message SID, and destination SID are copied from the packet options field into the SKB security structure.
This function is used verify security labels across IP fragments. At this time, labeled fragments are not supported, so this function prints a warning message to the system log and returns success.
Before an IP packet with options can be sent out, the maximum segment size (MSS) must be adjusted. This function is called by the selinux_socket_sendmsg hook function to adjust the size of the MSS to account for the presence of Selopt security labels in the IP options field.
<<< Previous | Home | Next >>> |
IPv4 Networking Hook Functions | Network Device Hook Functions |