Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 1 | /* |
| 2 | * NSA Security-Enhanced Linux (SELinux) security module |
| 3 | * |
| 4 | * This file contains the SELinux XFRM hook function implementations. |
| 5 | * |
| 6 | * Authors: Serge Hallyn <sergeh@us.ibm.com> |
| 7 | * Trent Jaeger <jaegert@us.ibm.com> |
| 8 | * |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 9 | * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com> |
| 10 | * |
| 11 | * Granular IPSec Associations for use in MLS environments. |
| 12 | * |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 13 | * Copyright (C) 2005 International Business Machines Corporation |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 14 | * Copyright (C) 2006 Trusted Computer Solutions, Inc. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 15 | * |
| 16 | * This program is free software; you can redistribute it and/or modify |
| 17 | * it under the terms of the GNU General Public License version 2, |
| 18 | * as published by the Free Software Foundation. |
| 19 | */ |
| 20 | |
| 21 | /* |
| 22 | * USAGE: |
| 23 | * NOTES: |
| 24 | * 1. Make sure to enable the following options in your kernel config: |
| 25 | * CONFIG_SECURITY=y |
| 26 | * CONFIG_SECURITY_NETWORK=y |
| 27 | * CONFIG_SECURITY_NETWORK_XFRM=y |
| 28 | * CONFIG_SECURITY_SELINUX=m/y |
| 29 | * ISSUES: |
| 30 | * 1. Caching packets, so they are not dropped during negotiation |
| 31 | * 2. Emulating a reasonable SO_PEERSEC across machines |
| 32 | * 3. Testing addition of sk_policy's with security context via setsockopt |
| 33 | */ |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 34 | #include <linux/kernel.h> |
| 35 | #include <linux/init.h> |
| 36 | #include <linux/security.h> |
| 37 | #include <linux/types.h> |
| 38 | #include <linux/netfilter.h> |
| 39 | #include <linux/netfilter_ipv4.h> |
| 40 | #include <linux/netfilter_ipv6.h> |
| 41 | #include <linux/ip.h> |
| 42 | #include <linux/tcp.h> |
| 43 | #include <linux/skbuff.h> |
| 44 | #include <linux/xfrm.h> |
| 45 | #include <net/xfrm.h> |
| 46 | #include <net/checksum.h> |
| 47 | #include <net/udp.h> |
Paul Moore | d621d35 | 2008-01-29 08:43:36 -0500 | [diff] [blame] | 48 | #include <asm/atomic.h> |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 49 | |
| 50 | #include "avc.h" |
| 51 | #include "objsec.h" |
| 52 | #include "xfrm.h" |
| 53 | |
Paul Moore | d621d35 | 2008-01-29 08:43:36 -0500 | [diff] [blame] | 54 | /* Labeled XFRM instance counter */ |
| 55 | atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 56 | |
| 57 | /* |
| 58 | * Returns true if an LSM/SELinux context |
| 59 | */ |
| 60 | static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) |
| 61 | { |
| 62 | return (ctx && |
| 63 | (ctx->ctx_doi == XFRM_SC_DOI_LSM) && |
| 64 | (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); |
| 65 | } |
| 66 | |
| 67 | /* |
| 68 | * Returns true if the xfrm contains a security blob for SELinux |
| 69 | */ |
| 70 | static inline int selinux_authorizable_xfrm(struct xfrm_state *x) |
| 71 | { |
| 72 | return selinux_authorizable_ctx(x->security); |
| 73 | } |
| 74 | |
| 75 | /* |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 76 | * LSM hook implementation that authorizes that a flow can use |
| 77 | * a xfrm policy rule. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 78 | */ |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 79 | int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 80 | { |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 81 | int rc; |
| 82 | u32 sel_sid; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 83 | |
| 84 | /* Context sid is either set to label or ANY_ASSOC */ |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 85 | if (ctx) { |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 86 | if (!selinux_authorizable_ctx(ctx)) |
| 87 | return -EINVAL; |
| 88 | |
| 89 | sel_sid = ctx->ctx_sid; |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 90 | } else |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 91 | /* |
| 92 | * All flows should be treated as polmatch'ing an |
| 93 | * otherwise applicable "non-labeled" policy. This |
| 94 | * would prevent inadvertent "leaks". |
| 95 | */ |
| 96 | return 0; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 97 | |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 98 | rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, |
| 99 | ASSOCIATION__POLMATCH, |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 100 | NULL); |
| 101 | |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 102 | if (rc == -EACCES) |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 103 | return -ESRCH; |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 104 | |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 105 | return rc; |
| 106 | } |
| 107 | |
| 108 | /* |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 109 | * LSM hook implementation that authorizes that a state matches |
| 110 | * the given policy, flow combo. |
| 111 | */ |
| 112 | |
| 113 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, |
| 114 | struct flowi *fl) |
| 115 | { |
| 116 | u32 state_sid; |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 117 | int rc; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 118 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 119 | if (!xp->security) |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 120 | if (x->security) |
| 121 | /* unlabeled policy and labeled SA can't match */ |
| 122 | return 0; |
| 123 | else |
| 124 | /* unlabeled policy and unlabeled SA match all flows */ |
| 125 | return 1; |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 126 | else |
| 127 | if (!x->security) |
| 128 | /* unlabeled SA and labeled policy can't match */ |
| 129 | return 0; |
| 130 | else |
| 131 | if (!selinux_authorizable_xfrm(x)) |
| 132 | /* Not a SELinux-labeled SA */ |
| 133 | return 0; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 134 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 135 | state_sid = x->security->ctx_sid; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 136 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 137 | if (fl->secid != state_sid) |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 138 | return 0; |
| 139 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 140 | rc = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION, |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 141 | ASSOCIATION__SENDTO, |
| 142 | NULL)? 0:1; |
| 143 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 144 | /* |
| 145 | * We don't need a separate SA Vs. policy polmatch check |
| 146 | * since the SA is now of the same label as the flow and |
| 147 | * a flow Vs. policy polmatch check had already happened |
| 148 | * in selinux_xfrm_policy_lookup() above. |
| 149 | */ |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 150 | |
| 151 | return rc; |
| 152 | } |
| 153 | |
| 154 | /* |
Venkat Yekkirala | 6b87769 | 2006-11-08 17:04:09 -0600 | [diff] [blame] | 155 | * LSM hook implementation that checks and/or returns the xfrm sid for the |
| 156 | * incoming packet. |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 157 | */ |
| 158 | |
Venkat Yekkirala | beb8d13 | 2006-08-04 23:12:42 -0700 | [diff] [blame] | 159 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 160 | { |
| 161 | struct sec_path *sp; |
| 162 | |
Venkat Yekkirala | beb8d13 | 2006-08-04 23:12:42 -0700 | [diff] [blame] | 163 | *sid = SECSID_NULL; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 164 | |
| 165 | if (skb == NULL) |
| 166 | return 0; |
| 167 | |
| 168 | sp = skb->sp; |
| 169 | if (sp) { |
| 170 | int i, sid_set = 0; |
| 171 | |
| 172 | for (i = sp->len-1; i >= 0; i--) { |
| 173 | struct xfrm_state *x = sp->xvec[i]; |
| 174 | if (selinux_authorizable_xfrm(x)) { |
| 175 | struct xfrm_sec_ctx *ctx = x->security; |
| 176 | |
| 177 | if (!sid_set) { |
Venkat Yekkirala | beb8d13 | 2006-08-04 23:12:42 -0700 | [diff] [blame] | 178 | *sid = ctx->ctx_sid; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 179 | sid_set = 1; |
Venkat Yekkirala | beb8d13 | 2006-08-04 23:12:42 -0700 | [diff] [blame] | 180 | |
| 181 | if (!ckall) |
| 182 | break; |
Eric Paris | 3c1c88a | 2008-04-18 17:38:27 -0400 | [diff] [blame] | 183 | } else if (*sid != ctx->ctx_sid) |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 184 | return -EINVAL; |
| 185 | } |
| 186 | } |
| 187 | } |
| 188 | |
| 189 | return 0; |
| 190 | } |
| 191 | |
| 192 | /* |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 193 | * Security blob allocation for xfrm_policy and xfrm_state |
| 194 | * CTX does not have a meaningful value on input |
| 195 | */ |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 196 | static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 197 | struct xfrm_user_sec_ctx *uctx, u32 sid) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 198 | { |
| 199 | int rc = 0; |
David Howells | 86a264a | 2008-11-14 10:39:18 +1100 | [diff] [blame] | 200 | const struct task_security_struct *tsec = current_security(); |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 201 | struct xfrm_sec_ctx *ctx = NULL; |
| 202 | char *ctx_str = NULL; |
| 203 | u32 str_len; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 204 | |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 205 | BUG_ON(uctx && sid); |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 206 | |
Venkat Yekkirala | cb969f0 | 2006-07-24 23:32:20 -0700 | [diff] [blame] | 207 | if (!uctx) |
| 208 | goto not_from_user; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 209 | |
| 210 | if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX) |
| 211 | return -EINVAL; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 212 | |
Stephen Rothwell | 57002bf | 2007-10-31 16:47:19 +1100 | [diff] [blame] | 213 | str_len = uctx->ctx_len; |
| 214 | if (str_len >= PAGE_SIZE) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 215 | return -ENOMEM; |
| 216 | |
| 217 | *ctxp = ctx = kmalloc(sizeof(*ctx) + |
Stephen Rothwell | 57002bf | 2007-10-31 16:47:19 +1100 | [diff] [blame] | 218 | str_len + 1, |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 219 | GFP_KERNEL); |
| 220 | |
| 221 | if (!ctx) |
| 222 | return -ENOMEM; |
| 223 | |
| 224 | ctx->ctx_doi = uctx->ctx_doi; |
Stephen Rothwell | 57002bf | 2007-10-31 16:47:19 +1100 | [diff] [blame] | 225 | ctx->ctx_len = str_len; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 226 | ctx->ctx_alg = uctx->ctx_alg; |
| 227 | |
| 228 | memcpy(ctx->ctx_str, |
| 229 | uctx+1, |
Stephen Rothwell | 57002bf | 2007-10-31 16:47:19 +1100 | [diff] [blame] | 230 | str_len); |
| 231 | ctx->ctx_str[str_len] = 0; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 232 | rc = security_context_to_sid(ctx->ctx_str, |
Stephen Rothwell | 57002bf | 2007-10-31 16:47:19 +1100 | [diff] [blame] | 233 | str_len, |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 234 | &ctx->ctx_sid); |
| 235 | |
| 236 | if (rc) |
| 237 | goto out; |
| 238 | |
| 239 | /* |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 240 | * Does the subject have permission to set security context? |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 241 | */ |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 242 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
| 243 | SECCLASS_ASSOCIATION, |
Trent Jaeger | 5f8ac64 | 2006-01-06 13:22:39 -0800 | [diff] [blame] | 244 | ASSOCIATION__SETCONTEXT, NULL); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 245 | if (rc) |
| 246 | goto out; |
| 247 | |
| 248 | return rc; |
| 249 | |
Venkat Yekkirala | cb969f0 | 2006-07-24 23:32:20 -0700 | [diff] [blame] | 250 | not_from_user: |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 251 | rc = security_sid_to_context(sid, &ctx_str, &str_len); |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 252 | if (rc) |
| 253 | goto out; |
| 254 | |
| 255 | *ctxp = ctx = kmalloc(sizeof(*ctx) + |
| 256 | str_len, |
| 257 | GFP_ATOMIC); |
| 258 | |
| 259 | if (!ctx) { |
| 260 | rc = -ENOMEM; |
| 261 | goto out; |
| 262 | } |
| 263 | |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 264 | ctx->ctx_doi = XFRM_SC_DOI_LSM; |
| 265 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 266 | ctx->ctx_sid = sid; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 267 | ctx->ctx_len = str_len; |
| 268 | memcpy(ctx->ctx_str, |
| 269 | ctx_str, |
| 270 | str_len); |
| 271 | |
| 272 | goto out2; |
| 273 | |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 274 | out: |
Luiz Capitulino | ee2e6841 | 2006-01-06 22:59:43 -0800 | [diff] [blame] | 275 | *ctxp = NULL; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 276 | kfree(ctx); |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 277 | out2: |
| 278 | kfree(ctx_str); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 279 | return rc; |
| 280 | } |
| 281 | |
| 282 | /* |
| 283 | * LSM hook implementation that allocs and transfers uctx spec to |
| 284 | * xfrm_policy. |
| 285 | */ |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 286 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, |
| 287 | struct xfrm_user_sec_ctx *uctx) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 288 | { |
| 289 | int err; |
| 290 | |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 291 | BUG_ON(!uctx); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 292 | |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 293 | err = selinux_xfrm_sec_ctx_alloc(ctxp, uctx, 0); |
Paul Moore | d621d35 | 2008-01-29 08:43:36 -0500 | [diff] [blame] | 294 | if (err == 0) |
| 295 | atomic_inc(&selinux_xfrm_refcount); |
| 296 | |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 297 | return err; |
| 298 | } |
| 299 | |
| 300 | |
| 301 | /* |
| 302 | * LSM hook implementation that copies security data structure from old to |
| 303 | * new for policy cloning. |
| 304 | */ |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 305 | int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, |
| 306 | struct xfrm_sec_ctx **new_ctxp) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 307 | { |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 308 | struct xfrm_sec_ctx *new_ctx; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 309 | |
| 310 | if (old_ctx) { |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 311 | new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, |
| 312 | GFP_KERNEL); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 313 | if (!new_ctx) |
| 314 | return -ENOMEM; |
| 315 | |
| 316 | memcpy(new_ctx, old_ctx, sizeof(*new_ctx)); |
| 317 | memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len); |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 318 | *new_ctxp = new_ctx; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 319 | } |
| 320 | return 0; |
| 321 | } |
| 322 | |
| 323 | /* |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 324 | * LSM hook implementation that frees xfrm_sec_ctx security information. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 325 | */ |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 326 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 327 | { |
Eric Paris | 3c1c88a | 2008-04-18 17:38:27 -0400 | [diff] [blame] | 328 | kfree(ctx); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 329 | } |
| 330 | |
| 331 | /* |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 332 | * LSM hook implementation that authorizes deletion of labeled policies. |
| 333 | */ |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 334 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 335 | { |
David Howells | 86a264a | 2008-11-14 10:39:18 +1100 | [diff] [blame] | 336 | const struct task_security_struct *tsec = current_security(); |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 337 | int rc = 0; |
| 338 | |
Paul Moore | d621d35 | 2008-01-29 08:43:36 -0500 | [diff] [blame] | 339 | if (ctx) { |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 340 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
| 341 | SECCLASS_ASSOCIATION, |
| 342 | ASSOCIATION__SETCONTEXT, NULL); |
Paul Moore | d621d35 | 2008-01-29 08:43:36 -0500 | [diff] [blame] | 343 | if (rc == 0) |
| 344 | atomic_dec(&selinux_xfrm_refcount); |
| 345 | } |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 346 | |
| 347 | return rc; |
| 348 | } |
| 349 | |
| 350 | /* |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 351 | * LSM hook implementation that allocs and transfers sec_ctx spec to |
| 352 | * xfrm_state. |
| 353 | */ |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 354 | int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 355 | u32 secid) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 356 | { |
| 357 | int err; |
| 358 | |
| 359 | BUG_ON(!x); |
| 360 | |
Venkat Yekkirala | c1a856c | 2006-11-08 17:03:44 -0600 | [diff] [blame] | 361 | err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid); |
Paul Moore | d621d35 | 2008-01-29 08:43:36 -0500 | [diff] [blame] | 362 | if (err == 0) |
| 363 | atomic_inc(&selinux_xfrm_refcount); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 364 | return err; |
| 365 | } |
| 366 | |
| 367 | /* |
| 368 | * LSM hook implementation that frees xfrm_state security information. |
| 369 | */ |
| 370 | void selinux_xfrm_state_free(struct xfrm_state *x) |
| 371 | { |
| 372 | struct xfrm_sec_ctx *ctx = x->security; |
Eric Paris | 3c1c88a | 2008-04-18 17:38:27 -0400 | [diff] [blame] | 373 | kfree(ctx); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 374 | } |
| 375 | |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 376 | /* |
| 377 | * LSM hook implementation that authorizes deletion of labeled SAs. |
| 378 | */ |
| 379 | int selinux_xfrm_state_delete(struct xfrm_state *x) |
| 380 | { |
David Howells | 86a264a | 2008-11-14 10:39:18 +1100 | [diff] [blame] | 381 | const struct task_security_struct *tsec = current_security(); |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 382 | struct xfrm_sec_ctx *ctx = x->security; |
| 383 | int rc = 0; |
| 384 | |
Paul Moore | d621d35 | 2008-01-29 08:43:36 -0500 | [diff] [blame] | 385 | if (ctx) { |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 386 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
| 387 | SECCLASS_ASSOCIATION, |
| 388 | ASSOCIATION__SETCONTEXT, NULL); |
Paul Moore | d621d35 | 2008-01-29 08:43:36 -0500 | [diff] [blame] | 389 | if (rc == 0) |
| 390 | atomic_dec(&selinux_xfrm_refcount); |
| 391 | } |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 392 | |
| 393 | return rc; |
| 394 | } |
| 395 | |
Catherine Zhang | 2c7946a | 2006-03-20 22:41:23 -0800 | [diff] [blame] | 396 | /* |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 397 | * LSM hook that controls access to unlabelled packets. If |
| 398 | * a xfrm_state is authorizable (defined by macro) then it was |
| 399 | * already authorized by the IPSec process. If not, then |
| 400 | * we need to check for unlabelled access since this may not have |
| 401 | * gone thru the IPSec process. |
| 402 | */ |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 403 | int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, |
| 404 | struct avc_audit_data *ad) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 405 | { |
| 406 | int i, rc = 0; |
| 407 | struct sec_path *sp; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 408 | u32 sel_sid = SECINITSID_UNLABELED; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 409 | |
| 410 | sp = skb->sp; |
| 411 | |
| 412 | if (sp) { |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 413 | for (i = 0; i < sp->len; i++) { |
Dave Jones | 6764472 | 2006-04-02 23:34:19 -0700 | [diff] [blame] | 414 | struct xfrm_state *x = sp->xvec[i]; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 415 | |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 416 | if (x && selinux_authorizable_xfrm(x)) { |
| 417 | struct xfrm_sec_ctx *ctx = x->security; |
| 418 | sel_sid = ctx->ctx_sid; |
| 419 | break; |
| 420 | } |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 421 | } |
| 422 | } |
| 423 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 424 | /* |
| 425 | * This check even when there's no association involved is |
| 426 | * intended, according to Trent Jaeger, to make sure a |
| 427 | * process can't engage in non-ipsec communication unless |
| 428 | * explicitly allowed by policy. |
| 429 | */ |
| 430 | |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 431 | rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION, |
| 432 | ASSOCIATION__RECVFROM, ad); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 433 | |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 434 | return rc; |
| 435 | } |
| 436 | |
| 437 | /* |
| 438 | * POSTROUTE_LAST hook's XFRM processing: |
| 439 | * If we have no security association, then we need to determine |
| 440 | * whether the socket is allowed to send to an unlabelled destination. |
| 441 | * If we do have a authorizable security association, then it has already been |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 442 | * checked in the selinux_xfrm_state_pol_flow_match hook above. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 443 | */ |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 444 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 445 | struct avc_audit_data *ad, u8 proto) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 446 | { |
| 447 | struct dst_entry *dst; |
| 448 | int rc = 0; |
| 449 | |
| 450 | dst = skb->dst; |
| 451 | |
| 452 | if (dst) { |
| 453 | struct dst_entry *dst_test; |
| 454 | |
Stephen Hemminger | c80544d | 2007-10-18 03:07:05 -0700 | [diff] [blame] | 455 | for (dst_test = dst; dst_test != NULL; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 456 | dst_test = dst_test->child) { |
| 457 | struct xfrm_state *x = dst_test->xfrm; |
| 458 | |
| 459 | if (x && selinux_authorizable_xfrm(x)) |
James Morris | 4e5ab4c | 2006-06-09 00:33:33 -0700 | [diff] [blame] | 460 | goto out; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 461 | } |
| 462 | } |
| 463 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 464 | switch (proto) { |
| 465 | case IPPROTO_AH: |
| 466 | case IPPROTO_ESP: |
| 467 | case IPPROTO_COMP: |
| 468 | /* |
| 469 | * We should have already seen this packet once before |
| 470 | * it underwent xfrm(s). No need to subject it to the |
| 471 | * unlabeled check. |
| 472 | */ |
| 473 | goto out; |
| 474 | default: |
| 475 | break; |
| 476 | } |
| 477 | |
| 478 | /* |
| 479 | * This check even when there's no association involved is |
| 480 | * intended, according to Trent Jaeger, to make sure a |
| 481 | * process can't engage in non-ipsec communication unless |
| 482 | * explicitly allowed by policy. |
| 483 | */ |
| 484 | |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 485 | rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 486 | ASSOCIATION__SENDTO, ad); |
James Morris | 4e5ab4c | 2006-06-09 00:33:33 -0700 | [diff] [blame] | 487 | out: |
| 488 | return rc; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 489 | } |