Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 1 | /* |
| 2 | * NSA Security-Enhanced Linux (SELinux) security module |
| 3 | * |
| 4 | * This file contains the SELinux XFRM hook function implementations. |
| 5 | * |
| 6 | * Authors: Serge Hallyn <sergeh@us.ibm.com> |
| 7 | * Trent Jaeger <jaegert@us.ibm.com> |
| 8 | * |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 9 | * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com> |
| 10 | * |
| 11 | * Granular IPSec Associations for use in MLS environments. |
| 12 | * |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 13 | * Copyright (C) 2005 International Business Machines Corporation |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 14 | * Copyright (C) 2006 Trusted Computer Solutions, Inc. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 15 | * |
| 16 | * This program is free software; you can redistribute it and/or modify |
| 17 | * it under the terms of the GNU General Public License version 2, |
| 18 | * as published by the Free Software Foundation. |
| 19 | */ |
| 20 | |
| 21 | /* |
| 22 | * USAGE: |
| 23 | * NOTES: |
| 24 | * 1. Make sure to enable the following options in your kernel config: |
| 25 | * CONFIG_SECURITY=y |
| 26 | * CONFIG_SECURITY_NETWORK=y |
| 27 | * CONFIG_SECURITY_NETWORK_XFRM=y |
| 28 | * CONFIG_SECURITY_SELINUX=m/y |
| 29 | * ISSUES: |
| 30 | * 1. Caching packets, so they are not dropped during negotiation |
| 31 | * 2. Emulating a reasonable SO_PEERSEC across machines |
| 32 | * 3. Testing addition of sk_policy's with security context via setsockopt |
| 33 | */ |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 34 | #include <linux/kernel.h> |
| 35 | #include <linux/init.h> |
| 36 | #include <linux/security.h> |
| 37 | #include <linux/types.h> |
| 38 | #include <linux/netfilter.h> |
| 39 | #include <linux/netfilter_ipv4.h> |
| 40 | #include <linux/netfilter_ipv6.h> |
| 41 | #include <linux/ip.h> |
| 42 | #include <linux/tcp.h> |
| 43 | #include <linux/skbuff.h> |
| 44 | #include <linux/xfrm.h> |
| 45 | #include <net/xfrm.h> |
| 46 | #include <net/checksum.h> |
| 47 | #include <net/udp.h> |
| 48 | #include <asm/semaphore.h> |
| 49 | |
| 50 | #include "avc.h" |
| 51 | #include "objsec.h" |
| 52 | #include "xfrm.h" |
| 53 | |
| 54 | |
| 55 | /* |
| 56 | * Returns true if an LSM/SELinux context |
| 57 | */ |
| 58 | static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) |
| 59 | { |
| 60 | return (ctx && |
| 61 | (ctx->ctx_doi == XFRM_SC_DOI_LSM) && |
| 62 | (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); |
| 63 | } |
| 64 | |
| 65 | /* |
| 66 | * Returns true if the xfrm contains a security blob for SELinux |
| 67 | */ |
| 68 | static inline int selinux_authorizable_xfrm(struct xfrm_state *x) |
| 69 | { |
| 70 | return selinux_authorizable_ctx(x->security); |
| 71 | } |
| 72 | |
| 73 | /* |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 74 | * LSM hook implementation that authorizes that a flow can use |
| 75 | * a xfrm policy rule. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 76 | */ |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 77 | int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 78 | { |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 79 | int rc; |
| 80 | u32 sel_sid; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 81 | struct xfrm_sec_ctx *ctx; |
| 82 | |
| 83 | /* Context sid is either set to label or ANY_ASSOC */ |
| 84 | if ((ctx = xp->security)) { |
| 85 | if (!selinux_authorizable_ctx(ctx)) |
| 86 | return -EINVAL; |
| 87 | |
| 88 | sel_sid = ctx->ctx_sid; |
| 89 | } |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 90 | else |
| 91 | /* |
| 92 | * All flows should be treated as polmatch'ing an |
| 93 | * otherwise applicable "non-labeled" policy. This |
| 94 | * would prevent inadvertent "leaks". |
| 95 | */ |
| 96 | return 0; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 97 | |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 98 | rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, |
| 99 | ASSOCIATION__POLMATCH, |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 100 | NULL); |
| 101 | |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 102 | if (rc == -EACCES) |
| 103 | rc = -ESRCH; |
| 104 | |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 105 | return rc; |
| 106 | } |
| 107 | |
| 108 | /* |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 109 | * LSM hook implementation that authorizes that a state matches |
| 110 | * the given policy, flow combo. |
| 111 | */ |
| 112 | |
| 113 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, |
| 114 | struct flowi *fl) |
| 115 | { |
| 116 | u32 state_sid; |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 117 | int rc; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 118 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 119 | if (!xp->security) |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 120 | if (x->security) |
| 121 | /* unlabeled policy and labeled SA can't match */ |
| 122 | return 0; |
| 123 | else |
| 124 | /* unlabeled policy and unlabeled SA match all flows */ |
| 125 | return 1; |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 126 | else |
| 127 | if (!x->security) |
| 128 | /* unlabeled SA and labeled policy can't match */ |
| 129 | return 0; |
| 130 | else |
| 131 | if (!selinux_authorizable_xfrm(x)) |
| 132 | /* Not a SELinux-labeled SA */ |
| 133 | return 0; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 134 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 135 | state_sid = x->security->ctx_sid; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 136 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 137 | if (fl->secid != state_sid) |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 138 | return 0; |
| 139 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 140 | rc = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION, |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 141 | ASSOCIATION__SENDTO, |
| 142 | NULL)? 0:1; |
| 143 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 144 | /* |
| 145 | * We don't need a separate SA Vs. policy polmatch check |
| 146 | * since the SA is now of the same label as the flow and |
| 147 | * a flow Vs. policy polmatch check had already happened |
| 148 | * in selinux_xfrm_policy_lookup() above. |
| 149 | */ |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 150 | |
| 151 | return rc; |
| 152 | } |
| 153 | |
| 154 | /* |
Venkat Yekkirala | 6b87769 | 2006-11-08 17:04:09 -0600 | [diff] [blame] | 155 | * LSM hook implementation that checks and/or returns the xfrm sid for the |
| 156 | * incoming packet. |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 157 | */ |
| 158 | |
Venkat Yekkirala | beb8d13 | 2006-08-04 23:12:42 -0700 | [diff] [blame] | 159 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 160 | { |
| 161 | struct sec_path *sp; |
| 162 | |
Venkat Yekkirala | beb8d13 | 2006-08-04 23:12:42 -0700 | [diff] [blame] | 163 | *sid = SECSID_NULL; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 164 | |
| 165 | if (skb == NULL) |
| 166 | return 0; |
| 167 | |
| 168 | sp = skb->sp; |
| 169 | if (sp) { |
| 170 | int i, sid_set = 0; |
| 171 | |
| 172 | for (i = sp->len-1; i >= 0; i--) { |
| 173 | struct xfrm_state *x = sp->xvec[i]; |
| 174 | if (selinux_authorizable_xfrm(x)) { |
| 175 | struct xfrm_sec_ctx *ctx = x->security; |
| 176 | |
| 177 | if (!sid_set) { |
Venkat Yekkirala | beb8d13 | 2006-08-04 23:12:42 -0700 | [diff] [blame] | 178 | *sid = ctx->ctx_sid; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 179 | sid_set = 1; |
Venkat Yekkirala | beb8d13 | 2006-08-04 23:12:42 -0700 | [diff] [blame] | 180 | |
| 181 | if (!ckall) |
| 182 | break; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 183 | } |
Venkat Yekkirala | beb8d13 | 2006-08-04 23:12:42 -0700 | [diff] [blame] | 184 | else if (*sid != ctx->ctx_sid) |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 185 | return -EINVAL; |
| 186 | } |
| 187 | } |
| 188 | } |
| 189 | |
| 190 | return 0; |
| 191 | } |
| 192 | |
| 193 | /* |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 194 | * Security blob allocation for xfrm_policy and xfrm_state |
| 195 | * CTX does not have a meaningful value on input |
| 196 | */ |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 197 | static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 198 | struct xfrm_user_sec_ctx *uctx, u32 sid) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 199 | { |
| 200 | int rc = 0; |
| 201 | struct task_security_struct *tsec = current->security; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 202 | struct xfrm_sec_ctx *ctx = NULL; |
| 203 | char *ctx_str = NULL; |
| 204 | u32 str_len; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 205 | |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 206 | BUG_ON(uctx && sid); |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 207 | |
Venkat Yekkirala | cb969f0 | 2006-07-24 23:32:20 -0700 | [diff] [blame] | 208 | if (!uctx) |
| 209 | goto not_from_user; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 210 | |
| 211 | if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX) |
| 212 | return -EINVAL; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 213 | |
Stephen Rothwell | 57002bf | 2007-10-31 16:47:19 +1100 | [diff] [blame] | 214 | str_len = uctx->ctx_len; |
| 215 | if (str_len >= PAGE_SIZE) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 216 | return -ENOMEM; |
| 217 | |
| 218 | *ctxp = ctx = kmalloc(sizeof(*ctx) + |
Stephen Rothwell | 57002bf | 2007-10-31 16:47:19 +1100 | [diff] [blame] | 219 | str_len + 1, |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 220 | GFP_KERNEL); |
| 221 | |
| 222 | if (!ctx) |
| 223 | return -ENOMEM; |
| 224 | |
| 225 | ctx->ctx_doi = uctx->ctx_doi; |
Stephen Rothwell | 57002bf | 2007-10-31 16:47:19 +1100 | [diff] [blame] | 226 | ctx->ctx_len = str_len; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 227 | ctx->ctx_alg = uctx->ctx_alg; |
| 228 | |
| 229 | memcpy(ctx->ctx_str, |
| 230 | uctx+1, |
Stephen Rothwell | 57002bf | 2007-10-31 16:47:19 +1100 | [diff] [blame] | 231 | str_len); |
| 232 | ctx->ctx_str[str_len] = 0; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 233 | rc = security_context_to_sid(ctx->ctx_str, |
Stephen Rothwell | 57002bf | 2007-10-31 16:47:19 +1100 | [diff] [blame] | 234 | str_len, |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 235 | &ctx->ctx_sid); |
| 236 | |
| 237 | if (rc) |
| 238 | goto out; |
| 239 | |
| 240 | /* |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 241 | * Does the subject have permission to set security context? |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 242 | */ |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 243 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
| 244 | SECCLASS_ASSOCIATION, |
Trent Jaeger | 5f8ac64 | 2006-01-06 13:22:39 -0800 | [diff] [blame] | 245 | ASSOCIATION__SETCONTEXT, NULL); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 246 | if (rc) |
| 247 | goto out; |
| 248 | |
| 249 | return rc; |
| 250 | |
Venkat Yekkirala | cb969f0 | 2006-07-24 23:32:20 -0700 | [diff] [blame] | 251 | not_from_user: |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 252 | rc = security_sid_to_context(sid, &ctx_str, &str_len); |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 253 | if (rc) |
| 254 | goto out; |
| 255 | |
| 256 | *ctxp = ctx = kmalloc(sizeof(*ctx) + |
| 257 | str_len, |
| 258 | GFP_ATOMIC); |
| 259 | |
| 260 | if (!ctx) { |
| 261 | rc = -ENOMEM; |
| 262 | goto out; |
| 263 | } |
| 264 | |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 265 | ctx->ctx_doi = XFRM_SC_DOI_LSM; |
| 266 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 267 | ctx->ctx_sid = sid; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 268 | ctx->ctx_len = str_len; |
| 269 | memcpy(ctx->ctx_str, |
| 270 | ctx_str, |
| 271 | str_len); |
| 272 | |
| 273 | goto out2; |
| 274 | |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 275 | out: |
Luiz Capitulino | ee2e6841 | 2006-01-06 22:59:43 -0800 | [diff] [blame] | 276 | *ctxp = NULL; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 277 | kfree(ctx); |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 278 | out2: |
| 279 | kfree(ctx_str); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 280 | return rc; |
| 281 | } |
| 282 | |
| 283 | /* |
| 284 | * LSM hook implementation that allocs and transfers uctx spec to |
| 285 | * xfrm_policy. |
| 286 | */ |
Venkat Yekkirala | cb969f0 | 2006-07-24 23:32:20 -0700 | [diff] [blame] | 287 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 288 | struct xfrm_user_sec_ctx *uctx) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 289 | { |
| 290 | int err; |
| 291 | |
| 292 | BUG_ON(!xp); |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 293 | BUG_ON(!uctx); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 294 | |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 295 | err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 296 | return err; |
| 297 | } |
| 298 | |
| 299 | |
| 300 | /* |
| 301 | * LSM hook implementation that copies security data structure from old to |
| 302 | * new for policy cloning. |
| 303 | */ |
| 304 | int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) |
| 305 | { |
| 306 | struct xfrm_sec_ctx *old_ctx, *new_ctx; |
| 307 | |
| 308 | old_ctx = old->security; |
| 309 | |
| 310 | if (old_ctx) { |
| 311 | new_ctx = new->security = kmalloc(sizeof(*new_ctx) + |
| 312 | old_ctx->ctx_len, |
| 313 | GFP_KERNEL); |
| 314 | |
| 315 | if (!new_ctx) |
| 316 | return -ENOMEM; |
| 317 | |
| 318 | memcpy(new_ctx, old_ctx, sizeof(*new_ctx)); |
| 319 | memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len); |
| 320 | } |
| 321 | return 0; |
| 322 | } |
| 323 | |
| 324 | /* |
| 325 | * LSM hook implementation that frees xfrm_policy security information. |
| 326 | */ |
| 327 | void selinux_xfrm_policy_free(struct xfrm_policy *xp) |
| 328 | { |
| 329 | struct xfrm_sec_ctx *ctx = xp->security; |
| 330 | if (ctx) |
| 331 | kfree(ctx); |
| 332 | } |
| 333 | |
| 334 | /* |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 335 | * LSM hook implementation that authorizes deletion of labeled policies. |
| 336 | */ |
| 337 | int selinux_xfrm_policy_delete(struct xfrm_policy *xp) |
| 338 | { |
| 339 | struct task_security_struct *tsec = current->security; |
| 340 | struct xfrm_sec_ctx *ctx = xp->security; |
| 341 | int rc = 0; |
| 342 | |
| 343 | if (ctx) |
| 344 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
| 345 | SECCLASS_ASSOCIATION, |
| 346 | ASSOCIATION__SETCONTEXT, NULL); |
| 347 | |
| 348 | return rc; |
| 349 | } |
| 350 | |
| 351 | /* |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 352 | * LSM hook implementation that allocs and transfers sec_ctx spec to |
| 353 | * xfrm_state. |
| 354 | */ |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 355 | int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 356 | u32 secid) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 357 | { |
| 358 | int err; |
| 359 | |
| 360 | BUG_ON(!x); |
| 361 | |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 362 | err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 363 | return err; |
| 364 | } |
| 365 | |
| 366 | /* |
| 367 | * LSM hook implementation that frees xfrm_state security information. |
| 368 | */ |
| 369 | void selinux_xfrm_state_free(struct xfrm_state *x) |
| 370 | { |
| 371 | struct xfrm_sec_ctx *ctx = x->security; |
| 372 | if (ctx) |
| 373 | kfree(ctx); |
| 374 | } |
| 375 | |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 376 | /* |
| 377 | * LSM hook implementation that authorizes deletion of labeled SAs. |
| 378 | */ |
| 379 | int selinux_xfrm_state_delete(struct xfrm_state *x) |
| 380 | { |
| 381 | struct task_security_struct *tsec = current->security; |
| 382 | struct xfrm_sec_ctx *ctx = x->security; |
| 383 | int rc = 0; |
| 384 | |
| 385 | if (ctx) |
| 386 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
| 387 | SECCLASS_ASSOCIATION, |
| 388 | ASSOCIATION__SETCONTEXT, NULL); |
| 389 | |
| 390 | return rc; |
| 391 | } |
| 392 | |
Catherine Zhang | 2c7946a | 2006-03-20 22:41:23 -0800 | [diff] [blame] | 393 | /* |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 394 | * LSM hook that controls access to unlabelled packets. If |
| 395 | * a xfrm_state is authorizable (defined by macro) then it was |
| 396 | * already authorized by the IPSec process. If not, then |
| 397 | * we need to check for unlabelled access since this may not have |
| 398 | * gone thru the IPSec process. |
| 399 | */ |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 400 | int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, |
| 401 | struct avc_audit_data *ad) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 402 | { |
| 403 | int i, rc = 0; |
| 404 | struct sec_path *sp; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 405 | u32 sel_sid = SECINITSID_UNLABELED; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 406 | |
| 407 | sp = skb->sp; |
| 408 | |
| 409 | if (sp) { |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 410 | for (i = 0; i < sp->len; i++) { |
Dave Jones | 6764472 | 2006-04-02 23:34:19 -0700 | [diff] [blame] | 411 | struct xfrm_state *x = sp->xvec[i]; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 412 | |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 413 | if (x && selinux_authorizable_xfrm(x)) { |
| 414 | struct xfrm_sec_ctx *ctx = x->security; |
| 415 | sel_sid = ctx->ctx_sid; |
| 416 | break; |
| 417 | } |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 418 | } |
| 419 | } |
| 420 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 421 | /* |
| 422 | * This check even when there's no association involved is |
| 423 | * intended, according to Trent Jaeger, to make sure a |
| 424 | * process can't engage in non-ipsec communication unless |
| 425 | * explicitly allowed by policy. |
| 426 | */ |
| 427 | |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 428 | rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION, |
| 429 | ASSOCIATION__RECVFROM, ad); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 430 | |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 431 | return rc; |
| 432 | } |
| 433 | |
| 434 | /* |
| 435 | * POSTROUTE_LAST hook's XFRM processing: |
| 436 | * If we have no security association, then we need to determine |
| 437 | * whether the socket is allowed to send to an unlabelled destination. |
| 438 | * If we do have a authorizable security association, then it has already been |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 439 | * checked in the selinux_xfrm_state_pol_flow_match hook above. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 440 | */ |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 441 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 442 | struct avc_audit_data *ad, u8 proto) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 443 | { |
| 444 | struct dst_entry *dst; |
| 445 | int rc = 0; |
| 446 | |
| 447 | dst = skb->dst; |
| 448 | |
| 449 | if (dst) { |
| 450 | struct dst_entry *dst_test; |
| 451 | |
Stephen Hemminger | c80544d | 2007-10-18 03:07:05 -0700 | [diff] [blame] | 452 | for (dst_test = dst; dst_test != NULL; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 453 | dst_test = dst_test->child) { |
| 454 | struct xfrm_state *x = dst_test->xfrm; |
| 455 | |
| 456 | if (x && selinux_authorizable_xfrm(x)) |
James Morris | 4e5ab4c | 2006-06-09 00:33:33 -0700 | [diff] [blame] | 457 | goto out; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 458 | } |
| 459 | } |
| 460 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 461 | switch (proto) { |
| 462 | case IPPROTO_AH: |
| 463 | case IPPROTO_ESP: |
| 464 | case IPPROTO_COMP: |
| 465 | /* |
| 466 | * We should have already seen this packet once before |
| 467 | * it underwent xfrm(s). No need to subject it to the |
| 468 | * unlabeled check. |
| 469 | */ |
| 470 | goto out; |
| 471 | default: |
| 472 | break; |
| 473 | } |
| 474 | |
| 475 | /* |
| 476 | * This check even when there's no association involved is |
| 477 | * intended, according to Trent Jaeger, to make sure a |
| 478 | * process can't engage in non-ipsec communication unless |
| 479 | * explicitly allowed by policy. |
| 480 | */ |
| 481 | |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 482 | rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 483 | ASSOCIATION__SENDTO, ad); |
James Morris | 4e5ab4c | 2006-06-09 00:33:33 -0700 | [diff] [blame] | 484 | out: |
| 485 | return rc; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 486 | } |