Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 1 | /* |
| 2 | * NSA Security-Enhanced Linux (SELinux) security module |
| 3 | * |
| 4 | * This file contains the SELinux XFRM hook function implementations. |
| 5 | * |
| 6 | * Authors: Serge Hallyn <sergeh@us.ibm.com> |
| 7 | * Trent Jaeger <jaegert@us.ibm.com> |
| 8 | * |
| 9 | * Copyright (C) 2005 International Business Machines Corporation |
| 10 | * |
| 11 | * This program is free software; you can redistribute it and/or modify |
| 12 | * it under the terms of the GNU General Public License version 2, |
| 13 | * as published by the Free Software Foundation. |
| 14 | */ |
| 15 | |
| 16 | /* |
| 17 | * USAGE: |
| 18 | * NOTES: |
| 19 | * 1. Make sure to enable the following options in your kernel config: |
| 20 | * CONFIG_SECURITY=y |
| 21 | * CONFIG_SECURITY_NETWORK=y |
| 22 | * CONFIG_SECURITY_NETWORK_XFRM=y |
| 23 | * CONFIG_SECURITY_SELINUX=m/y |
| 24 | * ISSUES: |
| 25 | * 1. Caching packets, so they are not dropped during negotiation |
| 26 | * 2. Emulating a reasonable SO_PEERSEC across machines |
| 27 | * 3. Testing addition of sk_policy's with security context via setsockopt |
| 28 | */ |
| 29 | #include <linux/config.h> |
| 30 | #include <linux/module.h> |
| 31 | #include <linux/kernel.h> |
| 32 | #include <linux/init.h> |
| 33 | #include <linux/security.h> |
| 34 | #include <linux/types.h> |
| 35 | #include <linux/netfilter.h> |
| 36 | #include <linux/netfilter_ipv4.h> |
| 37 | #include <linux/netfilter_ipv6.h> |
| 38 | #include <linux/ip.h> |
| 39 | #include <linux/tcp.h> |
| 40 | #include <linux/skbuff.h> |
| 41 | #include <linux/xfrm.h> |
| 42 | #include <net/xfrm.h> |
| 43 | #include <net/checksum.h> |
| 44 | #include <net/udp.h> |
| 45 | #include <asm/semaphore.h> |
| 46 | |
| 47 | #include "avc.h" |
| 48 | #include "objsec.h" |
| 49 | #include "xfrm.h" |
| 50 | |
| 51 | |
| 52 | /* |
| 53 | * Returns true if an LSM/SELinux context |
| 54 | */ |
| 55 | static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) |
| 56 | { |
| 57 | return (ctx && |
| 58 | (ctx->ctx_doi == XFRM_SC_DOI_LSM) && |
| 59 | (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); |
| 60 | } |
| 61 | |
| 62 | /* |
| 63 | * Returns true if the xfrm contains a security blob for SELinux |
| 64 | */ |
| 65 | static inline int selinux_authorizable_xfrm(struct xfrm_state *x) |
| 66 | { |
| 67 | return selinux_authorizable_ctx(x->security); |
| 68 | } |
| 69 | |
| 70 | /* |
| 71 | * LSM hook implementation that authorizes that a socket can be used |
| 72 | * with the corresponding xfrm_sec_ctx and direction. |
| 73 | */ |
| 74 | int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir) |
| 75 | { |
| 76 | int rc = 0; |
| 77 | u32 sel_sid = SECINITSID_UNLABELED; |
| 78 | struct xfrm_sec_ctx *ctx; |
| 79 | |
| 80 | /* Context sid is either set to label or ANY_ASSOC */ |
| 81 | if ((ctx = xp->security)) { |
| 82 | if (!selinux_authorizable_ctx(ctx)) |
| 83 | return -EINVAL; |
| 84 | |
| 85 | sel_sid = ctx->ctx_sid; |
| 86 | } |
| 87 | |
| 88 | rc = avc_has_perm(sk_sid, sel_sid, SECCLASS_ASSOCIATION, |
| 89 | ((dir == FLOW_DIR_IN) ? ASSOCIATION__RECVFROM : |
| 90 | ((dir == FLOW_DIR_OUT) ? ASSOCIATION__SENDTO : |
| 91 | (ASSOCIATION__SENDTO | ASSOCIATION__RECVFROM))), |
| 92 | NULL); |
| 93 | |
| 94 | return rc; |
| 95 | } |
| 96 | |
| 97 | /* |
| 98 | * Security blob allocation for xfrm_policy and xfrm_state |
| 99 | * CTX does not have a meaningful value on input |
| 100 | */ |
| 101 | static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *uctx) |
| 102 | { |
| 103 | int rc = 0; |
| 104 | struct task_security_struct *tsec = current->security; |
| 105 | struct xfrm_sec_ctx *ctx; |
| 106 | |
| 107 | BUG_ON(!uctx); |
| 108 | BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX); |
| 109 | |
| 110 | if (uctx->ctx_len >= PAGE_SIZE) |
| 111 | return -ENOMEM; |
| 112 | |
| 113 | *ctxp = ctx = kmalloc(sizeof(*ctx) + |
| 114 | uctx->ctx_len, |
| 115 | GFP_KERNEL); |
| 116 | |
| 117 | if (!ctx) |
| 118 | return -ENOMEM; |
| 119 | |
| 120 | ctx->ctx_doi = uctx->ctx_doi; |
| 121 | ctx->ctx_len = uctx->ctx_len; |
| 122 | ctx->ctx_alg = uctx->ctx_alg; |
| 123 | |
| 124 | memcpy(ctx->ctx_str, |
| 125 | uctx+1, |
| 126 | ctx->ctx_len); |
| 127 | rc = security_context_to_sid(ctx->ctx_str, |
| 128 | ctx->ctx_len, |
| 129 | &ctx->ctx_sid); |
| 130 | |
| 131 | if (rc) |
| 132 | goto out; |
| 133 | |
| 134 | /* |
| 135 | * Does the subject have permission to set security or permission to |
| 136 | * do the relabel? |
| 137 | * Must be permitted to relabel from default socket type (process type) |
| 138 | * to specified context |
| 139 | */ |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 140 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
| 141 | SECCLASS_ASSOCIATION, |
Trent Jaeger | 5f8ac64 | 2006-01-06 13:22:39 -0800 | [diff] [blame] | 142 | ASSOCIATION__SETCONTEXT, NULL); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 143 | if (rc) |
| 144 | goto out; |
| 145 | |
| 146 | return rc; |
| 147 | |
| 148 | out: |
Luiz Capitulino | ee2e6841 | 2006-01-06 22:59:43 -0800 | [diff] [blame^] | 149 | *ctxp = NULL; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 150 | kfree(ctx); |
| 151 | return rc; |
| 152 | } |
| 153 | |
| 154 | /* |
| 155 | * LSM hook implementation that allocs and transfers uctx spec to |
| 156 | * xfrm_policy. |
| 157 | */ |
| 158 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *uctx) |
| 159 | { |
| 160 | int err; |
| 161 | |
| 162 | BUG_ON(!xp); |
| 163 | |
| 164 | err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx); |
| 165 | return err; |
| 166 | } |
| 167 | |
| 168 | |
| 169 | /* |
| 170 | * LSM hook implementation that copies security data structure from old to |
| 171 | * new for policy cloning. |
| 172 | */ |
| 173 | int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) |
| 174 | { |
| 175 | struct xfrm_sec_ctx *old_ctx, *new_ctx; |
| 176 | |
| 177 | old_ctx = old->security; |
| 178 | |
| 179 | if (old_ctx) { |
| 180 | new_ctx = new->security = kmalloc(sizeof(*new_ctx) + |
| 181 | old_ctx->ctx_len, |
| 182 | GFP_KERNEL); |
| 183 | |
| 184 | if (!new_ctx) |
| 185 | return -ENOMEM; |
| 186 | |
| 187 | memcpy(new_ctx, old_ctx, sizeof(*new_ctx)); |
| 188 | memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len); |
| 189 | } |
| 190 | return 0; |
| 191 | } |
| 192 | |
| 193 | /* |
| 194 | * LSM hook implementation that frees xfrm_policy security information. |
| 195 | */ |
| 196 | void selinux_xfrm_policy_free(struct xfrm_policy *xp) |
| 197 | { |
| 198 | struct xfrm_sec_ctx *ctx = xp->security; |
| 199 | if (ctx) |
| 200 | kfree(ctx); |
| 201 | } |
| 202 | |
| 203 | /* |
| 204 | * LSM hook implementation that allocs and transfers sec_ctx spec to |
| 205 | * xfrm_state. |
| 206 | */ |
| 207 | int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx) |
| 208 | { |
| 209 | int err; |
| 210 | |
| 211 | BUG_ON(!x); |
| 212 | |
| 213 | err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx); |
| 214 | return err; |
| 215 | } |
| 216 | |
| 217 | /* |
| 218 | * LSM hook implementation that frees xfrm_state security information. |
| 219 | */ |
| 220 | void selinux_xfrm_state_free(struct xfrm_state *x) |
| 221 | { |
| 222 | struct xfrm_sec_ctx *ctx = x->security; |
| 223 | if (ctx) |
| 224 | kfree(ctx); |
| 225 | } |
| 226 | |
| 227 | /* |
| 228 | * LSM hook that controls access to unlabelled packets. If |
| 229 | * a xfrm_state is authorizable (defined by macro) then it was |
| 230 | * already authorized by the IPSec process. If not, then |
| 231 | * we need to check for unlabelled access since this may not have |
| 232 | * gone thru the IPSec process. |
| 233 | */ |
| 234 | int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb) |
| 235 | { |
| 236 | int i, rc = 0; |
| 237 | struct sec_path *sp; |
| 238 | |
| 239 | sp = skb->sp; |
| 240 | |
| 241 | if (sp) { |
| 242 | /* |
| 243 | * __xfrm_policy_check does not approve unless xfrm_policy_ok |
| 244 | * says that spi's match for policy and the socket. |
| 245 | * |
| 246 | * Only need to verify the existence of an authorizable sp. |
| 247 | */ |
| 248 | for (i = 0; i < sp->len; i++) { |
| 249 | struct xfrm_state *x = sp->x[i].xvec; |
| 250 | |
| 251 | if (x && selinux_authorizable_xfrm(x)) |
| 252 | goto accept; |
| 253 | } |
| 254 | } |
| 255 | |
| 256 | /* check SELinux sock for unlabelled access */ |
| 257 | rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, |
| 258 | ASSOCIATION__RECVFROM, NULL); |
| 259 | if (rc) |
| 260 | goto drop; |
| 261 | |
| 262 | accept: |
| 263 | return 0; |
| 264 | |
| 265 | drop: |
| 266 | return rc; |
| 267 | } |
| 268 | |
| 269 | /* |
| 270 | * POSTROUTE_LAST hook's XFRM processing: |
| 271 | * If we have no security association, then we need to determine |
| 272 | * whether the socket is allowed to send to an unlabelled destination. |
| 273 | * If we do have a authorizable security association, then it has already been |
| 274 | * checked in xfrm_policy_lookup hook. |
| 275 | */ |
| 276 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb) |
| 277 | { |
| 278 | struct dst_entry *dst; |
| 279 | int rc = 0; |
| 280 | |
| 281 | dst = skb->dst; |
| 282 | |
| 283 | if (dst) { |
| 284 | struct dst_entry *dst_test; |
| 285 | |
| 286 | for (dst_test = dst; dst_test != 0; |
| 287 | dst_test = dst_test->child) { |
| 288 | struct xfrm_state *x = dst_test->xfrm; |
| 289 | |
| 290 | if (x && selinux_authorizable_xfrm(x)) |
| 291 | goto accept; |
| 292 | } |
| 293 | } |
| 294 | |
| 295 | rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, |
| 296 | ASSOCIATION__SENDTO, NULL); |
| 297 | if (rc) |
| 298 | goto drop; |
| 299 | |
| 300 | accept: |
| 301 | return NF_ACCEPT; |
| 302 | |
| 303 | drop: |
| 304 | return NF_DROP; |
| 305 | } |