next up previous contents
Next: API extensions Up: Implementation Previous: Implementation   Contents

Labeling


Table 31: Changes to network data structures for labeling.

    STRUCT          FIELD
    sock            sclass
                    sid
                    newconn_sid
                    useclient
                    peer_sid
    open_request    conn_request_sid
                    newconn_sid
    sk_buff         sso_sid
                    dso_sid
                    msg_sid
    device          sid
                    default_msg_sid


The kernel data structures were studied to identify the structures used internally for sockets (struct sock and struct socket), open connection requests (struct open_request), messages (struct sk_buff), and network interfaces (struct device). Since these structures are private to the kernel and have no specific size requirements, they were extended to include additional fields, as shown in Table 31.

The struct sock structure was extended to include the security class (sclass) and the SID (sid) of the socket, the SID to use for new sockets created by connections to the socket (newconn_sid), a flag to indicate the use of the client SID for this purpose (useclient), and the SID of the peer socket (peer_sid). The allocator for struct sock objects, sk_alloc, initializes the security class field to the general socket class, the SID field to the SID of the current process, and the peer SID field to the any_socket initial SID. The inet_create function sets the security class field to be one of TCP socket, UDP socket, or raw IP socket based on the specified socket type. The unix_create function sets the security class field to be either Unix stream socket or Unix datagram socket. The inet_listen and unix_listen functions set the newconn_sid field to the SID of the socket by default. The udp_connect and unix_dgram_connect functions reset the peer_sid field to the any_socket initial SID if the association is broken.

The more abstract struct socket structure is embedded in an inode structure (struct inode), which has a security class and SID field used by the file controls. The allocator for struct socket objects, sock_alloc, initializes the security class and the SID of the inode to the general socket class and the SID of the current process, respectively. The inet_create and unix_create functions set the security class field in the inode to the same value as in the struct sock object.

The struct open_request structure was extended to include the SID of the connection request (conn_request_sid) and the SID to use when the socket for the connection is created (newconn_sid). This structure temporarily stores these SID values for TCP until the new server socket is created at the completion of the connection establishment.

The struct sk_buff structure was extended to include the SID of the source socket (sso_sid), the desired SID of the destination socket (dso_sid) and the SID of the message (msg_sid). The allocator for struct sk_buff objects, alloc_skb, initializes the source socket SID and the message SID to the unlabeled initial SID, and it initializes the destination socket SID to the any_socket initial SID. The skb_clone, skb_copy, and skb_realloc_headroom functions preserve the values of these three SID fields when messages are copied. The ip_defrag and ip_glue functions ensure that all fragments of a message have the same values for the three SID fields and that the three SID fields are set correctly for the complete message.

When a message is allocated from a socket's send buffer, the sock_wmalloc function sets the source socket SID and message SID to the SID of the socket, and the destination socket SID to the peer SID of the socket. When an unlabeled message is associated with a sending socket, the skb_set_owner_w inline function sets the three SID fields in the same manner. There are two special cases for setting the SID fields of an outbound TCP message. When a SYN-ACK is created for a normal connection, tcp_make_synack sets the source socket SID and the message SID to the value of the newconn_sid field of the struct open_request object, so that the SYN-ACK is labeled with the SID of the server socket that will be created by the connection rather than the SID of the listening socket. When an ACK is sent to complete a connection handshake, the tcp_send_ack function sets the destination socket SID to the any_socket initial SID, since the listening socket may have a different SID than the server socket.

The struct device structure was extended to include the SID of the network interface (sid) and the default message SID for the interface (default_msg_sid). The devinet_ioctl function sets the SID field and the default message SID field of the network interface if it has not been previously set. These SID values are obtained from the security server based on the name of the network interface. When an unlabeled message is received on a network interface, the ip_rcv function sets the source socket SID and the message SID to the default message SID of the network interface, and the destination socket SID to the any_socket initial SID.
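The following is an added illustration, not code from the report or from the kernel patches it describes: a small user-space model of the message labeling rules given in the preceding paragraphs. The struct layouts are reduced to the SID fields of Table 31, the SID values are constructed, and each function is named after the kernel function whose labeling step it models with a `_label` suffix (these names, and the assumption that the handshake-completing ACK is first labeled from its socket before tcp_send_ack overrides the destination SID, are my own).

```c
/* Added example: user-space model of sk_buff labeling as described in the
 * text. Not kernel code; struct layouts, SID values and function names
 * are assumptions made for illustration. */
#include <stdio.h>

typedef unsigned int sid_t;

/* Constructed SID values; real initial SIDs come from the security server. */
enum { SID_UNLABELED = 1, SID_ANY_SOCKET = 2, SID_SOCK_A = 200, SID_SOCK_B = 201,
       SID_SERVER = 202, SID_ETH0 = 50, SID_ETH0_MSG = 300 };

struct sock         { sid_t sid; sid_t peer_sid; };
struct open_request { sid_t conn_request_sid; sid_t newconn_sid; };
struct device       { sid_t sid; sid_t default_msg_sid; };
struct sk_buff      { sid_t sso_sid; sid_t dso_sid; sid_t msg_sid; };

/* alloc_skb: a fresh buffer is unlabeled and its destination is unconstrained. */
static void alloc_skb_label(struct sk_buff *skb) {
    skb->sso_sid = SID_UNLABELED;
    skb->msg_sid = SID_UNLABELED;
    skb->dso_sid = SID_ANY_SOCKET;
}

/* sock_wmalloc / skb_set_owner_w: a message from a socket's send buffer
 * carries the socket SID and is destined for the socket's peer. */
static void skb_set_owner_w_label(struct sk_buff *skb, const struct sock *sk) {
    skb->sso_sid = sk->sid;
    skb->msg_sid = sk->sid;
    skb->dso_sid = sk->peer_sid;
}

/* skb_clone / skb_copy / skb_realloc_headroom: copies keep all three fields. */
static struct sk_buff skb_clone_label(const struct sk_buff *skb) { return *skb; }

/* tcp_make_synack: the SYN-ACK is labeled with the SID of the server socket
 * that the connection will create, not with the listening socket's SID. */
static void tcp_make_synack_label(struct sk_buff *skb, const struct open_request *req) {
    skb->sso_sid = req->newconn_sid;
    skb->msg_sid = req->newconn_sid;
}

/* tcp_send_ack (handshake-completing ACK): the server socket may differ from
 * the listening socket, so the destination is left unconstrained. */
static void tcp_send_ack_label(struct sk_buff *skb, const struct sock *sk) {
    skb_set_owner_w_label(skb, sk);   /* assumption: labeled from the socket first */
    skb->dso_sid = SID_ANY_SOCKET;
}

/* ip_rcv: an unlabeled message arriving on an interface takes the
 * interface's default message SID; an already labeled message is left alone. */
static void ip_rcv_label(struct sk_buff *skb, const struct device *dev) {
    if (skb->sso_sid == SID_UNLABELED && skb->msg_sid == SID_UNLABELED) {
        skb->sso_sid = dev->default_msg_sid;
        skb->msg_sid = dev->default_msg_sid;
        skb->dso_sid = SID_ANY_SOCKET;
    }
}

/* ip_defrag / ip_glue: every fragment of one message must agree on the three
 * SID fields. Returns 1 and labels the reassembled message, 0 on a mismatch. */
static int ip_glue_label(const struct sk_buff *frags, int n, struct sk_buff *out) {
    for (int i = 1; i < n; i++) {
        if (frags[i].sso_sid != frags[0].sso_sid ||
            frags[i].dso_sid != frags[0].dso_sid ||
            frags[i].msg_sid != frags[0].msg_sid)
            return 0;
    }
    *out = frags[0];
    return 1;
}

int main(void) {
    struct sock sk = { SID_SOCK_A, SID_SOCK_B };
    struct sk_buff skb;
    alloc_skb_label(&skb);
    skb_set_owner_w_label(&skb, &sk);
    struct sk_buff copy = skb_clone_label(&skb);
    printf("outbound: sso=%u dso=%u msg=%u (copy msg=%u)\n",
           skb.sso_sid, skb.dso_sid, skb.msg_sid, copy.msg_sid);

    struct device eth0 = { SID_ETH0, SID_ETH0_MSG };
    struct sk_buff in;
    alloc_skb_label(&in);
    ip_rcv_label(&in, &eth0);
    printf("inbound unlabeled: sso=%u dso=%u msg=%u\n", in.sso_sid, in.dso_sid, in.msg_sid);

    struct open_request req = { SID_SOCK_B, SID_SERVER };
    tcp_make_synack_label(&skb, &req);
    tcp_send_ack_label(&in, &sk);
    struct sk_buff frags[2] = { in, in }, whole;
    printf("synack sso=%u, ack dso=%u, fragments consistent=%d\n",
           skb.sso_sid, in.dso_sid, ip_glue_label(frags, 2, &whole));
    return 0;
}
```

The `ip_glue_label` check is the part worth carrying into a real review: a reassembled datagram whose fragments disagree on their labels must not be passed upward with whichever label happened to arrive first.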

When a TCP SYN is received on a listening TCP socket, the tcp_v4_conn_request function sets the conn_request_sid field of the newly allocated struct open_request object to the source socket SID of the message. If the useclient flag is set for the socket, then the newconn_sid field of the open request object is also set to this value. Otherwise, the newconn_sid field of the open request object is copied from the corresponding field of the socket. If SYN cookies are being used, then the open request object is discarded and recreated when the client's ACK is received. In this case, the conn_request_sid field is set to the SID of the ACK message.

When a TCP ACK is received for an existing struct open_request object, the tcp_create_openreq_child function sets the peer SID of the newly allocated struct sock object to the conn_request_sid field of the open request object, and it sets the SID of the new socket to the newconn_sid field of the open request object. The security class for the newly allocated struct sock object is copied from the listening socket. When a connection is accepted, the inet_accept function copies the socket SID and security class from the struct sock object into the inode for the struct socket object.

When a TCP SYN-ACK is received in the SYN_SENT state, the tcp_rcv_state_process function sets the peer SID of the client socket to the source socket SID of the message. When a SYN is received in the SYN_SENT state (a simultaneous open), the tcp_rcv_state_process function sets the peer SID of each socket to the source socket SID of the message.

For Unix stream sockets, the equivalent processing for connection establishment occurs entirely within the unix_stream_connect function. If the useclient flag is set on the listening socket, then the SID of the newly allocated struct sock object is set to the SID of the client socket. Otherwise, the SID of the new server socket is copied from the newconn_sid field of the listening socket. The peer SID of the client socket is set to the SID of the server socket, and the peer SID of the server socket is set to the SID of the client socket.
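As an added example covering the TCP and Unix stream connection paths described in the last four paragraphs (not code from the report or from the kernel), the model below walks a SYN / SYN-ACK / ACK exchange and a unix_stream_connect through the SID propagation rules, including the useclient flag and the SYN-cookie case in which the open request is recreated from the ACK. Struct layouts are reduced to the fields of Table 31, SID values are constructed, and the `_label` function names, the `tcp_handshake` driver and the assumption that a SYN-cookie open request chooses newconn_sid by the same useclient rule are my own.

```c
/* Added example: user-space model of SID propagation during connection
 * establishment as described in the text. Not kernel code; struct layouts,
 * SID values and function names are assumptions made for illustration. */
#include <stdio.h>

typedef unsigned int sid_t;

/* Constructed SID values. */
enum { SID_ANY_SOCKET = 2, SID_PROC = 100, SID_LISTEN = 200, SID_CLIENT = 201,
       SID_ETH0_MSG = 300 };

enum sclass { SCLASS_SOCKET, SCLASS_TCP_SOCKET, SCLASS_UNIX_STREAM_SOCKET };

struct sock {
    enum sclass sclass;
    sid_t sid;
    sid_t newconn_sid;   /* SID for sockets created by connections to this one */
    int   useclient;     /* label new server sockets with the client's SID instead */
    sid_t peer_sid;
};

struct open_request { sid_t conn_request_sid; sid_t newconn_sid; };

/* sk_alloc: general socket class, SID of the current process, peer unconstrained. */
static struct sock sk_alloc_label(sid_t current_sid) {
    struct sock sk = { SCLASS_SOCKET, current_sid, 0, 0, SID_ANY_SOCKET };
    return sk;
}

/* inet_listen / unix_listen: by default, new connections get the listener's SID. */
static void listen_label(struct sock *sk) { sk->newconn_sid = sk->sid; }

/* tcp_v4_conn_request: record the requester's SID from the SYN's source
 * socket SID and decide the SID of the server socket to be created. */
static struct open_request tcp_v4_conn_request_label(const struct sock *lsk, sid_t syn_sso_sid) {
    struct open_request req;
    req.conn_request_sid = syn_sso_sid;
    req.newconn_sid = lsk->useclient ? syn_sso_sid : lsk->newconn_sid;
    return req;
}

/* SYN cookies: the open request is recreated when the ACK arrives, with
 * conn_request_sid taken from the ACK message. (Assumption: newconn_sid is
 * chosen by the same useclient rule as in the normal path.) */
static struct open_request tcp_syncookie_ack_label(const struct sock *lsk, sid_t ack_msg_sid) {
    return tcp_v4_conn_request_label(lsk, ack_msg_sid);
}

/* tcp_create_openreq_child: class from the listener, SID and peer SID from
 * the open request. newconn_sid/useclient of the child are not described
 * above and are zeroed here. */
static struct sock tcp_create_openreq_child_label(const struct sock *lsk, const struct open_request *req) {
    struct sock child = { lsk->sclass, req->newconn_sid, 0, 0, req->conn_request_sid };
    return child;
}

/* tcp_rcv_state_process in SYN_SENT: the client's peer is the SYN-ACK's source socket. */
static void tcp_rcv_synack_label(struct sock *client, sid_t synack_sso_sid) {
    client->peer_sid = synack_sso_sid;
}

/* Drive a full handshake: the SYN's source socket SID is syn_sso_sid (the
 * client SID for a labeled message, or an interface default otherwise). */
static struct sock tcp_handshake(const struct sock *lsk, struct sock *client, sid_t syn_sso_sid) {
    struct open_request req = tcp_v4_conn_request_label(lsk, syn_sso_sid);
    tcp_rcv_synack_label(client, req.newconn_sid);  /* SYN-ACK carries newconn_sid (tcp_make_synack) */
    return tcp_create_openreq_child_label(lsk, &req); /* ACK completes the connection */
}

/* unix_stream_connect: the whole exchange happens in one function. */
static struct sock unix_stream_connect_label(struct sock *client, const struct sock *lsk) {
    struct sock server = { lsk->sclass, 0, 0, 0, client->sid };
    server.sid = lsk->useclient ? client->sid : lsk->newconn_sid;
    client->peer_sid = server.sid;
    return server;
}

int main(void) {
    struct sock lsk = sk_alloc_label(SID_PROC);
    lsk.sclass = SCLASS_TCP_SOCKET; lsk.sid = SID_LISTEN; listen_label(&lsk);
    struct sock client = sk_alloc_label(SID_PROC);
    client.sclass = SCLASS_TCP_SOCKET; client.sid = SID_CLIENT;
    struct sock server = tcp_handshake(&lsk, &client, client.sid);
    printf("tcp: server sid=%u peer=%u, client peer=%u\n", server.sid, server.peer_sid, client.peer_sid);

    lsk.useclient = 1;
    struct open_request cookie = tcp_syncookie_ack_label(&lsk, SID_ETH0_MSG);
    printf("syncookie+useclient: newconn_sid=%u\n", cookie.newconn_sid);

    struct sock ulsk = sk_alloc_label(SID_PROC);
    ulsk.sclass = SCLASS_UNIX_STREAM_SOCKET; ulsk.sid = SID_LISTEN; listen_label(&ulsk);
    struct sock uclient = sk_alloc_label(SID_PROC);
    uclient.sclass = SCLASS_UNIX_STREAM_SOCKET; uclient.sid = SID_CLIENT;
    struct sock userver = unix_stream_connect_label(&uclient, &ulsk);
    printf("unix: server sid=%u peer=%u, client peer=%u\n", userver.sid, userver.peer_sid, uclient.peer_sid);
    return 0;
}
```

Note the consequence of useclient that the model makes visible: with the flag set, a server socket's SID is whatever source socket SID the SYN (or, with SYN cookies, the ACK) carried, so for traffic arriving unlabeled from the network that is the interface's default message SID rather than any particular client's.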

