1 | /* |
2 | * SELinux support for the XFRM LSM hooks | |
3 | * | |
4 | * Author : Trent Jaeger, <jaegert@us.ibm.com> | |
5 | */ | |
6 | #ifndef _SELINUX_XFRM_H_ | |
7 | #define _SELINUX_XFRM_H_ | |
8 | ||
9 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx); | |
10 | int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); | |
11 | void selinux_xfrm_policy_free(struct xfrm_policy *xp); | |
c8c05a8e | 12 | int selinux_xfrm_policy_delete(struct xfrm_policy *xp); |
13 | int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); |
14 | void selinux_xfrm_state_free(struct xfrm_state *x); | |
c8c05a8e | 15 | int selinux_xfrm_state_delete(struct xfrm_state *x); |
16 | int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir); |
17 | ||
/*
 * Extract the security blob from the sock (it's actually on the socket).
 *
 * @sk: the sock whose security blob is wanted; must not be NULL.
 *
 * Returns NULL when the sock has no struct socket attached (sk_socket is
 * NULL), so callers must check the result before dereferencing it.  The
 * blob is the i_security field of the socket's inode.
 */
static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
{
	struct socket *sock = sk->sk_socket;

	return sock ? SOCK_INODE(sock)->i_security : NULL;
}
28 | ||
29 | ||
/*
 * Pick the SID to authorize a packet against when it has no sock attached
 * (ICMP replies, forwarded packets, ...).
 *
 * @fl: flow description; may be NULL.
 *
 * ICMP flows are authorized as the kernel (SECINITSID_KERNEL).  Note that
 * the only test is fl->proto, so this covers any ICMP flow, not just
 * replies.  Everything else, including a NULL flow, falls back to
 * SECINITSID_ANY_SOCKET.
 */
static inline u32 selinux_no_sk_sid(struct flowi *fl)
{
	if (!fl)
		return SECINITSID_ANY_SOCKET;

	/* icmp_reply: authorize as kernel packet */
	if (fl->proto == IPPROTO_ICMP)
		return SECINITSID_KERNEL;

	return SECINITSID_ANY_SOCKET;
}
40 | ||
41 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | |
42 | int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb); | |
43 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb); | |
44 | u32 selinux_socket_getpeer_stream(struct sock *sk); |
45 | u32 selinux_socket_getpeer_dgram(struct sk_buff *skb); | |
46 | #else |
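/*
 * Stub for !CONFIG_SECURITY_NETWORK_XFRM: there is no XFRM labeling, so
 * every received skb is allowed (returns 0).  Both arguments are ignored.
 *
 * The first parameter is named "sid" to match the declaration in the
 * CONFIG_SECURITY_NETWORK_XFRM branch of this header.
 */
static inline int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb)
{
	return 0;
}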
51 | ||
/*
 * Stub for !CONFIG_SECURITY_NETWORK_XFRM: with no XFRM labeling there is
 * nothing to check on the output path, so the netfilter verdict is always
 * NF_ACCEPT.  Both arguments are ignored.
 */
static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
{
	return NF_ACCEPT;
}
56 | |
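/*
 * Stub for !CONFIG_SECURITY_NETWORK_XFRM: no peer SID is available for a
 * stream socket, so SECSID_NULL is returned.  The argument is ignored.
 *
 * Returns u32 to match the declaration in the CONFIG_SECURITY_NETWORK_XFRM
 * branch of this header; the stub previously returned int, which did not
 * agree with that declaration or with the SID type callers expect.
 */
static inline u32 selinux_socket_getpeer_stream(struct sock *sk)
{
	return SECSID_NULL;
}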
61 | ||
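/*
 * Stub for !CONFIG_SECURITY_NETWORK_XFRM: no peer SID is available for a
 * datagram skb, so SECSID_NULL is returned.  The argument is ignored.
 *
 * Returns u32 to match the declaration in the CONFIG_SECURITY_NETWORK_XFRM
 * branch of this header; the stub previously returned int, which did not
 * agree with that declaration or with the SID type callers expect.
 */
static inline u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
{
	return SECSID_NULL;
}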
66 | #endif |
67 | ||
68 | #endif /* _SELINUX_XFRM_H_ */ |