[deliverable/linux.git] / security / selinux / xfrm.c

/*
 *  NSA Security-Enhanced Linux (SELinux) security module
 *
 *  This file contains the SELinux XFRM hook function implementations.
 *
 *  Authors:  Serge Hallyn <sergeh@us.ibm.com>
 *	      Trent Jaeger <jaegert@us.ibm.com>
 *
 *  Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
 *
 *           Granular IPSec Associations for use in MLS environments.
 *
 *  Copyright (C) 2005 International Business Machines Corporation
 *  Copyright (C) 2006 Trusted Computer Solutions, Inc.
 *
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License version 2,
 *	as published by the Free Software Foundation.
 */

/*
 * USAGE:
 * NOTES:
 *   1. Make sure to enable the following options in your kernel config:
 *	CONFIG_SECURITY=y
 *	CONFIG_SECURITY_NETWORK=y
 *	CONFIG_SECURITY_NETWORK_XFRM=y
 *	CONFIG_SECURITY_SELINUX=m/y
 * ISSUES:
 *   1. Caching packets, so they are not dropped during negotiation
 *   2. Emulating a reasonable SO_PEERSEC across machines
 *   3. Testing addition of sk_policy's with security context via setsockopt
 */
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/security.h>
#include <linux/types.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/slab.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/skbuff.h>
#include <linux/xfrm.h>
#include <net/xfrm.h>
#include <net/checksum.h>
#include <net/udp.h>
#include <linux/atomic.h>

#include "avc.h"
#include "objsec.h"
#include "xfrm.h"

/* Labeled XFRM instance counter */
atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);

/*
 * Returns true if the context is an LSM/SELinux context.
 */
static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
{
	return (ctx &&
		(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
		(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
}

/*
 * Returns true if the xfrm contains a security blob for SELinux.
 */
static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
{
	return selinux_authorizable_ctx(x->security);
}

/*
 * Allocates a xfrm_sec_state and populates it using the supplied security
 * xfrm_user_sec_ctx context.
 */
static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
				   struct xfrm_user_sec_ctx *uctx)
{
	int rc;
	const struct task_security_struct *tsec = current_security();
	struct xfrm_sec_ctx *ctx = NULL;
	u32 str_len;

	if (ctxp == NULL || uctx == NULL ||
	    uctx->ctx_doi != XFRM_SC_DOI_LSM ||
	    uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
		return -EINVAL;

	str_len = uctx->ctx_len;
	if (str_len >= PAGE_SIZE)
		return -ENOMEM;

	ctx = kmalloc(sizeof(*ctx) + str_len + 1, GFP_KERNEL);
	if (!ctx)
		return -ENOMEM;

	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	ctx->ctx_len = str_len;
	memcpy(ctx->ctx_str, &uctx[1], str_len);
	ctx->ctx_str[str_len] = '\0';
	rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid);
	if (rc)
		goto err;

	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
			  SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
	if (rc)
		goto err;

	*ctxp = ctx;
	atomic_inc(&selinux_xfrm_refcount);
	return 0;

err:
	kfree(ctx);
	return rc;
}

/*
 * Free the xfrm_sec_ctx structure.
 */
static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
{
	if (!ctx)
		return;

	atomic_dec(&selinux_xfrm_refcount);
	kfree(ctx);
}

/*
 * Authorize the deletion of a labeled SA or policy rule.
 */
static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
{
	const struct task_security_struct *tsec = current_security();

	if (!ctx)
		return 0;

	return avc_has_perm(tsec->sid, ctx->ctx_sid,
			    SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
			    NULL);
}

/*
 * LSM hook implementation that authorizes that a flow can use a xfrm policy
 * rule.
 */
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
	int rc;

	/* All flows should be treated as polmatch'ing an otherwise applicable
	 * "non-labeled" policy. This would prevent inadvertent "leaks". */
	if (!ctx)
		return 0;

	/* Context sid is either set to label or ANY_ASSOC */
	if (!selinux_authorizable_ctx(ctx))
		return -EINVAL;

	rc = avc_has_perm(fl_secid, ctx->ctx_sid,
			  SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
	return (rc == -EACCES ? -ESRCH : rc);
}

/*
 * LSM hook implementation that authorizes that a state matches
 * the given policy, flow combo.
 */
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
				      struct xfrm_policy *xp,
				      const struct flowi *fl)
{
	u32 state_sid;

	if (!xp->security)
		if (x->security)
			/* unlabeled policy and labeled SA can't match */
			return 0;
		else
			/* unlabeled policy and unlabeled SA match all flows */
			return 1;
	else
		if (!x->security)
			/* unlabeled SA and labeled policy can't match */
			return 0;
		else
			if (!selinux_authorizable_xfrm(x))
				/* Not a SELinux-labeled SA */
				return 0;

	state_sid = x->security->ctx_sid;

	if (fl->flowi_secid != state_sid)
		return 0;

	/* We don't need a separate SA Vs. policy polmatch check since the SA
	 * is now of the same label as the flow and a flow Vs. policy polmatch
	 * check had already happened in selinux_xfrm_policy_lookup() above. */
	return (avc_has_perm(fl->flowi_secid, state_sid,
			    SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
			    NULL) ? 0 : 1);
}

/*
 * LSM hook implementation that checks and/or returns the xfrm sid for the
 * incoming packet.
 */
int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
{
	u32 sid_session = SECSID_NULL;
	struct sec_path *sp;

	if (skb == NULL)
		goto out;

	sp = skb->sp;
	if (sp) {
		int i;

		for (i = sp->len - 1; i >= 0; i--) {
			struct xfrm_state *x = sp->xvec[i];
			if (selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;

				if (sid_session == SECSID_NULL) {
					sid_session = ctx->ctx_sid;
					if (!ckall)
						goto out;
				} else if (sid_session != ctx->ctx_sid) {
					*sid = SECSID_NULL;
					return -EINVAL;
				}
			}
		}
	}

out:
	*sid = sid_session;
	return 0;
}

/*
 * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.
 */
int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
			      struct xfrm_user_sec_ctx *uctx)
{
	return selinux_xfrm_alloc_user(ctxp, uctx);
}

/*
 * LSM hook implementation that copies security data structure from old to new
 * for policy cloning.
 */
int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
			      struct xfrm_sec_ctx **new_ctxp)
{
	struct xfrm_sec_ctx *new_ctx;

	if (!old_ctx)
		return 0;

	new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len,
			  GFP_ATOMIC);
	if (!new_ctx)
		return -ENOMEM;
	atomic_inc(&selinux_xfrm_refcount);
	*new_ctxp = new_ctx;

	return 0;
}

/*
 * LSM hook implementation that frees xfrm_sec_ctx security information.
 */
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
	selinux_xfrm_free(ctx);
}

/*
 * LSM hook implementation that authorizes deletion of labeled policies.
 */
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
	return selinux_xfrm_delete(ctx);
}

/*
 * LSM hook implementation that allocates a xfrm_sec_state, populates it using
 * the supplied security context, and assigns it to the xfrm_state.
 */
int selinux_xfrm_state_alloc(struct xfrm_state *x,
			     struct xfrm_user_sec_ctx *uctx)
{
	return selinux_xfrm_alloc_user(&x->security, uctx);
}

/*
 * LSM hook implementation that allocates a xfrm_sec_state and populates based
 * on a secid.
 */
int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
				     struct xfrm_sec_ctx *polsec, u32 secid)
{
	int rc;
	struct xfrm_sec_ctx *ctx;
	char *ctx_str = NULL;
	int str_len;

	if (!polsec)
		return 0;

	if (secid == 0)
		return -EINVAL;

	rc = security_sid_to_context(secid, &ctx_str, &str_len);
	if (rc)
		return rc;

	ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC);
	if (!ctx) {
		rc = -ENOMEM;
		goto out;
	}

	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	ctx->ctx_sid = secid;
	ctx->ctx_len = str_len;
	memcpy(ctx->ctx_str, ctx_str, str_len);

	x->security = ctx;
	atomic_inc(&selinux_xfrm_refcount);
out:
	kfree(ctx_str);
	return rc;
}

/*
 * LSM hook implementation that frees xfrm_state security information.
 */
void selinux_xfrm_state_free(struct xfrm_state *x)
{
	selinux_xfrm_free(x->security);
}

/*
 * LSM hook implementation that authorizes deletion of labeled SAs.
 */
int selinux_xfrm_state_delete(struct xfrm_state *x)
{
	return selinux_xfrm_delete(x->security);
}

/*
 * LSM hook that controls access to unlabelled packets.  If
 * a xfrm_state is authorizable (defined by macro) then it was
 * already authorized by the IPSec process.  If not, then
 * we need to check for unlabelled access since this may not have
 * gone thru the IPSec process.
 */
int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
			      struct common_audit_data *ad)
{
	int i;
	struct sec_path *sp = skb->sp;
	u32 peer_sid = SECINITSID_UNLABELED;

	if (sp) {
		for (i = 0; i < sp->len; i++) {
			struct xfrm_state *x = sp->xvec[i];

			if (x && selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;
				peer_sid = ctx->ctx_sid;
				break;
			}
		}
	}

	/* This check even when there's no association involved is intended,
	 * according to Trent Jaeger, to make sure a process can't engage in
	 * non-IPsec communication unless explicitly allowed by policy. */
	return avc_has_perm(sk_sid, peer_sid,
			    SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
}

/*
 * POSTROUTE_LAST hook's XFRM processing:
 * If we have no security association, then we need to determine
 * whether the socket is allowed to send to an unlabelled destination.
 * If we do have a authorizable security association, then it has already been
 * checked in the selinux_xfrm_state_pol_flow_match hook above.
 */
int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
				struct common_audit_data *ad, u8 proto)
{
	struct dst_entry *dst;

	switch (proto) {
	case IPPROTO_AH:
	case IPPROTO_ESP:
	case IPPROTO_COMP:
		/* We should have already seen this packet once before it
		 * underwent xfrm(s). No need to subject it to the unlabeled
		 * check. */
		return 0;
	default:
		break;
	}

	dst = skb_dst(skb);
	if (dst) {
		struct dst_entry *iter;

		for (iter = dst; iter != NULL; iter = iter->child) {
			struct xfrm_state *x = iter->xfrm;

			if (x && selinux_authorizable_xfrm(x))
				return 0;
		}
	}

	/* This check even when there's no association involved is intended,
	 * according to Trent Jaeger, to make sure a process can't engage in
	 * non-IPsec communication unless explicitly allowed by policy. */
	return avc_has_perm(sk_sid, SECINITSID_UNLABELED,
			    SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
}
Commit	Line	Data
d28d1e08 TJ	1	/*
	2	* NSA Security-Enhanced Linux (SELinux) security module
	3	*
	4	* This file contains the SELinux XFRM hook function implementations.
	5	*
	6	* Authors: Serge Hallyn <sergeh@us.ibm.com>
	7	* Trent Jaeger <jaegert@us.ibm.com>
	8	*
e0d1caa7 VY	9	* Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
	10	*
	11	* Granular IPSec Associations for use in MLS environments.
	12	*
d28d1e08	13	* Copyright (C) 2005 International Business Machines Corporation
e0d1caa7	14	* Copyright (C) 2006 Trusted Computer Solutions, Inc.
d28d1e08 TJ	15	*
	16	* This program is free software; you can redistribute it and/or modify
	17	* it under the terms of the GNU General Public License version 2,
	18	* as published by the Free Software Foundation.
	19	*/
	20
	21	/*
	22	* USAGE:
	23	* NOTES:
	24	* 1. Make sure to enable the following options in your kernel config:
	25	* CONFIG_SECURITY=y
	26	* CONFIG_SECURITY_NETWORK=y
	27	* CONFIG_SECURITY_NETWORK_XFRM=y
	28	* CONFIG_SECURITY_SELINUX=m/y
	29	* ISSUES:
	30	* 1. Caching packets, so they are not dropped during negotiation
	31	* 2. Emulating a reasonable SO_PEERSEC across machines
	32	* 3. Testing addition of sk_policy's with security context via setsockopt
	33	*/
d28d1e08 TJ	34	#include <linux/kernel.h>
	35	#include <linux/init.h>
	36	#include <linux/security.h>
	37	#include <linux/types.h>
	38	#include <linux/netfilter.h>
	39	#include <linux/netfilter_ipv4.h>
	40	#include <linux/netfilter_ipv6.h>
5a0e3ad6	41	#include <linux/slab.h>
d28d1e08 TJ	42	#include <linux/ip.h>
	43	#include <linux/tcp.h>
	44	#include <linux/skbuff.h>
	45	#include <linux/xfrm.h>
	46	#include <net/xfrm.h>
	47	#include <net/checksum.h>
	48	#include <net/udp.h>
60063497	49	#include <linux/atomic.h>
d28d1e08 TJ	50
	51	#include "avc.h"
	52	#include "objsec.h"
	53	#include "xfrm.h"
	54
d621d35e PM	55	/* Labeled XFRM instance counter */
d621d35e PM	56	atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);
d28d1e08 TJ	57
d28d1e08 TJ	58	/*
4baabeec	59	* Returns true if the context is an LSM/SELinux context.
d28d1e08 TJ	60	*/
	61	static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
	62	{
	63	return (ctx &&
	64	(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
	65	(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
	66	}
	67
	68	/*
4baabeec	69	* Returns true if the xfrm contains a security blob for SELinux.
d28d1e08 TJ	70	*/
	71	static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
	72	{
	73	return selinux_authorizable_ctx(x->security);
	74	}
	75
2e5aa866 PM	76	/*
	77	* Allocates a xfrm_sec_state and populates it using the supplied security
	78	* xfrm_user_sec_ctx context.
	79	*/
	80	static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
	81	struct xfrm_user_sec_ctx *uctx)
	82	{
	83	int rc;
	84	const struct task_security_struct *tsec = current_security();
	85	struct xfrm_sec_ctx *ctx = NULL;
	86	u32 str_len;
	87
	88	if (ctxp == NULL \|\| uctx == NULL \|\|
	89	uctx->ctx_doi != XFRM_SC_DOI_LSM \|\|
	90	uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
	91	return -EINVAL;
	92
	93	str_len = uctx->ctx_len;
	94	if (str_len >= PAGE_SIZE)
	95	return -ENOMEM;
	96
	97	ctx = kmalloc(sizeof(*ctx) + str_len + 1, GFP_KERNEL);
	98	if (!ctx)
	99	return -ENOMEM;
	100
	101	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	102	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	103	ctx->ctx_len = str_len;
	104	memcpy(ctx->ctx_str, &uctx[1], str_len);
	105	ctx->ctx_str[str_len] = '\0';
	106	rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid);
	107	if (rc)
	108	goto err;
	109
	110	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
	111	SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
	112	if (rc)
	113	goto err;
	114
	115	*ctxp = ctx;
	116	atomic_inc(&selinux_xfrm_refcount);
	117	return 0;
	118
	119	err:
	120	kfree(ctx);
	121	return rc;
	122	}
	123
ccf17cc4 PM	124	/*
	125	* Free the xfrm_sec_ctx structure.
	126	*/
	127	static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
	128	{
	129	if (!ctx)
	130	return;
	131
	132	atomic_dec(&selinux_xfrm_refcount);
	133	kfree(ctx);
	134	}
	135
	136	/*
	137	* Authorize the deletion of a labeled SA or policy rule.
	138	*/
	139	static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
	140	{
	141	const struct task_security_struct *tsec = current_security();
	142
	143	if (!ctx)
	144	return 0;
	145
	146	return avc_has_perm(tsec->sid, ctx->ctx_sid,
	147	SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
	148	NULL);
	149	}
	150
d28d1e08	151	/*
4baabeec PM	152	* LSM hook implementation that authorizes that a flow can use a xfrm policy
4baabeec PM	153	* rule.
d28d1e08	154	*/
03e1ad7b	155	int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
d28d1e08	156	{
5b368e61	157	int rc;
d28d1e08	158
96484348 PM	159	/* All flows should be treated as polmatch'ing an otherwise applicable
	160	* "non-labeled" policy. This would prevent inadvertent "leaks". */
	161	if (!ctx)
5b368e61	162	return 0;
d28d1e08	163
96484348 PM	164	/* Context sid is either set to label or ANY_ASSOC */
	165	if (!selinux_authorizable_ctx(ctx))
	166	return -EINVAL;
5b368e61	167
96484348 PM	168	rc = avc_has_perm(fl_secid, ctx->ctx_sid,
	169	SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
	170	return (rc == -EACCES ? -ESRCH : rc);
d28d1e08 TJ	171	}
d28d1e08 TJ	172
e0d1caa7 VY	173	/*
	174	* LSM hook implementation that authorizes that a state matches
	175	* the given policy, flow combo.
	176	*/
96484348 PM	177	int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
	178	struct xfrm_policy *xp,
	179	const struct flowi *fl)
e0d1caa7 VY	180	{
e0d1caa7 VY	181	u32 state_sid;
e0d1caa7	182
67f83cbf	183	if (!xp->security)
5b368e61 VY	184	if (x->security)
	185	/* unlabeled policy and labeled SA can't match */
	186	return 0;
	187	else
	188	/* unlabeled policy and unlabeled SA match all flows */
	189	return 1;
5b368e61	190	else
67f83cbf VY	191	if (!x->security)
67f83cbf VY	192	/* unlabeled SA and labeled policy can't match */
5b368e61	193	return 0;
67f83cbf VY	194	else
	195	if (!selinux_authorizable_xfrm(x))
	196	/* Not a SELinux-labeled SA */
	197	return 0;
5b368e61	198
67f83cbf	199	state_sid = x->security->ctx_sid;
e0d1caa7	200
1d28f42c	201	if (fl->flowi_secid != state_sid)
67f83cbf	202	return 0;
e0d1caa7	203
96484348 PM	204	/* We don't need a separate SA Vs. policy polmatch check since the SA
	205	* is now of the same label as the flow and a flow Vs. policy polmatch
	206	* check had already happened in selinux_xfrm_policy_lookup() above. */
	207	return (avc_has_perm(fl->flowi_secid, state_sid,
	208	SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
	209	NULL) ? 0 : 1);
e0d1caa7 VY	210	}
	211
	212	/*
6b877699 VY	213	* LSM hook implementation that checks and/or returns the xfrm sid for the
6b877699 VY	214	* incoming packet.
e0d1caa7	215	*/
beb8d13b	216	int selinux_xfrm_decode_session(struct sk_buff skb, u32 sid, int ckall)
e0d1caa7	217	{
e2193695	218	u32 sid_session = SECSID_NULL;
e0d1caa7 VY	219	struct sec_path *sp;
e0d1caa7 VY	220
e0d1caa7	221	if (skb == NULL)
e2193695	222	goto out;
e0d1caa7 VY	223
	224	sp = skb->sp;
	225	if (sp) {
e2193695	226	int i;
e0d1caa7	227
e2193695	228	for (i = sp->len - 1; i >= 0; i--) {
e0d1caa7 VY	229	struct xfrm_state *x = sp->xvec[i];
	230	if (selinux_authorizable_xfrm(x)) {
	231	struct xfrm_sec_ctx *ctx = x->security;
	232
e2193695 PM	233	if (sid_session == SECSID_NULL) {
e2193695 PM	234	sid_session = ctx->ctx_sid;
beb8d13b	235	if (!ckall)
e2193695 PM	236	goto out;
	237	} else if (sid_session != ctx->ctx_sid) {
	238	*sid = SECSID_NULL;
e0d1caa7	239	return -EINVAL;
e2193695	240	}
e0d1caa7 VY	241	}
	242	}
	243	}
	244
e2193695 PM	245	out:
e2193695 PM	246	*sid = sid_session;
e0d1caa7 VY	247	return 0;
	248	}
	249
d28d1e08	250	/*
4baabeec	251	* LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.
d28d1e08	252	*/
03e1ad7b PM	253	int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
03e1ad7b PM	254	struct xfrm_user_sec_ctx *uctx)
d28d1e08	255	{
2e5aa866	256	return selinux_xfrm_alloc_user(ctxp, uctx);
d28d1e08 TJ	257	}
d28d1e08 TJ	258
d28d1e08	259	/*
4baabeec PM	260	* LSM hook implementation that copies security data structure from old to new
4baabeec PM	261	* for policy cloning.
d28d1e08	262	*/
03e1ad7b PM	263	int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
03e1ad7b PM	264	struct xfrm_sec_ctx **new_ctxp)
d28d1e08	265	{
03e1ad7b	266	struct xfrm_sec_ctx *new_ctx;
d28d1e08	267
ccf17cc4 PM	268	if (!old_ctx)
	269	return 0;
	270
7d1db4b2 DJ	271	new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len,
7d1db4b2 DJ	272	GFP_ATOMIC);
ccf17cc4 PM	273	if (!new_ctx)
ccf17cc4 PM	274	return -ENOMEM;
ccf17cc4 PM	275	atomic_inc(&selinux_xfrm_refcount);
ccf17cc4 PM	276	*new_ctxp = new_ctx;
d28d1e08	277
d28d1e08 TJ	278	return 0;
	279	}
	280
	281	/*
03e1ad7b	282	* LSM hook implementation that frees xfrm_sec_ctx security information.
d28d1e08	283	*/
03e1ad7b	284	void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
d28d1e08	285	{
ccf17cc4	286	selinux_xfrm_free(ctx);
d28d1e08 TJ	287	}
d28d1e08 TJ	288
c8c05a8e CZ	289	/*
	290	* LSM hook implementation that authorizes deletion of labeled policies.
	291	*/
03e1ad7b	292	int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
c8c05a8e	293	{
ccf17cc4	294	return selinux_xfrm_delete(ctx);
c8c05a8e CZ	295	}
c8c05a8e CZ	296
d28d1e08	297	/*
2e5aa866 PM	298	* LSM hook implementation that allocates a xfrm_sec_state, populates it using
2e5aa866 PM	299	* the supplied security context, and assigns it to the xfrm_state.
d28d1e08	300	*/
2e5aa866 PM	301	int selinux_xfrm_state_alloc(struct xfrm_state *x,
2e5aa866 PM	302	struct xfrm_user_sec_ctx *uctx)
d28d1e08	303	{
2e5aa866 PM	304	return selinux_xfrm_alloc_user(&x->security, uctx);
2e5aa866 PM	305	}
d28d1e08	306
2e5aa866 PM	307	/*
	308	* LSM hook implementation that allocates a xfrm_sec_state and populates based
	309	* on a secid.
	310	*/
	311	int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
	312	struct xfrm_sec_ctx *polsec, u32 secid)
	313	{
	314	int rc;
	315	struct xfrm_sec_ctx *ctx;
	316	char *ctx_str = NULL;
	317	int str_len;
d28d1e08	318
2e5aa866 PM	319	if (!polsec)
	320	return 0;
	321
	322	if (secid == 0)
	323	return -EINVAL;
	324
	325	rc = security_sid_to_context(secid, &ctx_str, &str_len);
	326	if (rc)
	327	return rc;
	328
	329	ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC);
8e645c34 GB	330	if (!ctx) {
	331	rc = -ENOMEM;
	332	goto out;
	333	}
2e5aa866 PM	334
	335	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	336	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	337	ctx->ctx_sid = secid;
	338	ctx->ctx_len = str_len;
	339	memcpy(ctx->ctx_str, ctx_str, str_len);
2e5aa866 PM	340
	341	x->security = ctx;
	342	atomic_inc(&selinux_xfrm_refcount);
8e645c34 GB	343	out:
	344	kfree(ctx_str);
	345	return rc;
d28d1e08 TJ	346	}
	347
	348	/*
	349	* LSM hook implementation that frees xfrm_state security information.
	350	*/
	351	void selinux_xfrm_state_free(struct xfrm_state *x)
	352	{
ccf17cc4	353	selinux_xfrm_free(x->security);
d28d1e08 TJ	354	}
d28d1e08 TJ	355
4baabeec PM	356	/*
	357	* LSM hook implementation that authorizes deletion of labeled SAs.
	358	*/
c8c05a8e CZ	359	int selinux_xfrm_state_delete(struct xfrm_state *x)
c8c05a8e CZ	360	{
ccf17cc4	361	return selinux_xfrm_delete(x->security);
c8c05a8e CZ	362	}
c8c05a8e CZ	363
d28d1e08 TJ	364	/*
	365	* LSM hook that controls access to unlabelled packets. If
	366	* a xfrm_state is authorizable (defined by macro) then it was
	367	* already authorized by the IPSec process. If not, then
	368	* we need to check for unlabelled access since this may not have
	369	* gone thru the IPSec process.
	370	*/
eef9b416 PM	371	int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
eef9b416 PM	372	struct common_audit_data *ad)
d28d1e08	373	{
eef9b416 PM	374	int i;
	375	struct sec_path *sp = skb->sp;
	376	u32 peer_sid = SECINITSID_UNLABELED;
d28d1e08 TJ	377
d28d1e08 TJ	378	if (sp) {
d28d1e08	379	for (i = 0; i < sp->len; i++) {
67644726	380	struct xfrm_state *x = sp->xvec[i];
d28d1e08	381
e0d1caa7 VY	382	if (x && selinux_authorizable_xfrm(x)) {
e0d1caa7 VY	383	struct xfrm_sec_ctx *ctx = x->security;
eef9b416	384	peer_sid = ctx->ctx_sid;
e0d1caa7 VY	385	break;
e0d1caa7 VY	386	}
d28d1e08 TJ	387	}
	388	}
	389
eef9b416 PM	390	/* This check even when there's no association involved is intended,
	391	* according to Trent Jaeger, to make sure a process can't engage in
	392	* non-IPsec communication unless explicitly allowed by policy. */
	393	return avc_has_perm(sk_sid, peer_sid,
	394	SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
d28d1e08 TJ	395	}
	396
	397	/*
	398	* POSTROUTE_LAST hook's XFRM processing:
	399	* If we have no security association, then we need to determine
	400	* whether the socket is allowed to send to an unlabelled destination.
	401	* If we do have a authorizable security association, then it has already been
67f83cbf	402	* checked in the selinux_xfrm_state_pol_flow_match hook above.
d28d1e08	403	*/
eef9b416 PM	404	int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
eef9b416 PM	405	struct common_audit_data *ad, u8 proto)
d28d1e08 TJ	406	{
d28d1e08 TJ	407	struct dst_entry *dst;
d28d1e08	408
67f83cbf VY	409	switch (proto) {
	410	case IPPROTO_AH:
	411	case IPPROTO_ESP:
	412	case IPPROTO_COMP:
eef9b416 PM	413	/* We should have already seen this packet once before it
	414	* underwent xfrm(s). No need to subject it to the unlabeled
	415	* check. */
	416	return 0;
67f83cbf VY	417	default:
	418	break;
	419	}
	420
eef9b416 PM	421	dst = skb_dst(skb);
	422	if (dst) {
	423	struct dst_entry *iter;
67f83cbf	424
eef9b416 PM	425	for (iter = dst; iter != NULL; iter = iter->child) {
	426	struct xfrm_state *x = iter->xfrm;
	427
	428	if (x && selinux_authorizable_xfrm(x))
	429	return 0;
	430	}
	431	}
	432
	433	/* This check even when there's no association involved is intended,
	434	* according to Trent Jaeger, to make sure a process can't engage in
	435	* non-IPsec communication unless explicitly allowed by policy. */
	436	return avc_has_perm(sk_sid, SECINITSID_UNLABELED,
	437	SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
d28d1e08	438	}