IP Networking Hook Functions

The LSM kernel patch added a set of security fields and hooks to allow management of security data for several network-related data structures, including network buffers, network devices, and network layer sockets. It also added a number of hooks to the IP network stack to support IP packet lifecycle management, particularly to support packet labeling using CIPSO-style options, that could not be directly supported via the existing NetFilter hooks. The LSM-based SELinux network access control functionality was originally implemented using these security fields and hooks as well as several NetFilter hooks. However, the LSM security fields and hooks for networking were not accepted for inclusion in Linux 2.6. As a result, the SELinux network access controls were redesigned and implemented using only the socket layer hooks and NetFilter hooks, and some functionality such as packet labeling was dropped from SELinux. This section describes the SELinux NetFilter hook functions. Note: The preceding statements are historical and no longer apply to modern SELinux systems, which do include a set of network hooks and support packet labeling.

The SELinux IPv4 and IPv6 NetFilter hook functions, selinux_ipv4_postroute_last and selinux_ipv6_postroute_last, perform permission checks for outgoing packets after routing has occurred. Incoming packets are mediated by the selinux_socket_sock_rcv_skb LSM hook, which is described in the Section called Controlling Receipt of Packets. Both of the NetFilter hook functions call a common helper, selinux_ip_postroute_last, to perform all processing.

The helper function begins by extracting the socket security information from the associated inode security structure. After obtaining the socket security information, the hook function must also obtain security information for the sending network device. It calls the sel_netif_sids function to obtain the interface SID associated with the device. It then determines the right set of permissions to check based on the socket class, sets up auxiliary audit data, and calls selinux_parse_skb to parse the headers for address information to include in the audit data. It then performs permission checks between the socket SID and the SIDs associated with the sending network interface, the remote host, and the destination port, as shown in Table 39. Note that these permission checks differ from the original set of permission checks for packet receipt prior to the redesign for Linux 2.6.

Table 39. Permission Checks for Sending a Packet from a Socket

SourceTargetPermission(s)
SocketNetworkInterface

udp_send
tcp_send
rawip_send

SocketRemoteNode (Host)

udp_send
tcp_send
rawip_send

SocketDestinationPortsend_msg