Commit | Line | Data |
---|---|---|
d28d1e08 TJ |
1 | /* |
2 | * NSA Security-Enhanced Linux (SELinux) security module | |
3 | * | |
4 | * This file contains the SELinux XFRM hook function implementations. | |
5 | * | |
6 | * Authors: Serge Hallyn <sergeh@us.ibm.com> | |
7 | * Trent Jaeger <jaegert@us.ibm.com> | |
8 | * | |
e0d1caa7 VY |
9 | * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com> |
10 | * | |
11 | * Granular IPSec Associations for use in MLS environments. | |
12 | * | |
d28d1e08 | 13 | * Copyright (C) 2005 International Business Machines Corporation |
e0d1caa7 | 14 | * Copyright (C) 2006 Trusted Computer Solutions, Inc. |
d28d1e08 TJ |
15 | * |
16 | * This program is free software; you can redistribute it and/or modify | |
17 | * it under the terms of the GNU General Public License version 2, | |
18 | * as published by the Free Software Foundation. | |
19 | */ | |
20 | ||
21 | /* | |
22 | * USAGE: | |
23 | * NOTES: | |
24 | * 1. Make sure to enable the following options in your kernel config: | |
25 | * CONFIG_SECURITY=y | |
26 | * CONFIG_SECURITY_NETWORK=y | |
27 | * CONFIG_SECURITY_NETWORK_XFRM=y | |
28 | * CONFIG_SECURITY_SELINUX=m/y | |
29 | * ISSUES: | |
30 | * 1. Caching packets, so they are not dropped during negotiation | |
31 | * 2. Emulating a reasonable SO_PEERSEC across machines | |
32 | * 3. Testing addition of sk_policy's with security context via setsockopt | |
33 | */ | |
d28d1e08 TJ |
34 | #include <linux/kernel.h> |
35 | #include <linux/init.h> | |
36 | #include <linux/security.h> | |
37 | #include <linux/types.h> | |
38 | #include <linux/netfilter.h> | |
39 | #include <linux/netfilter_ipv4.h> | |
40 | #include <linux/netfilter_ipv6.h> | |
5a0e3ad6 | 41 | #include <linux/slab.h> |
d28d1e08 TJ |
42 | #include <linux/ip.h> |
43 | #include <linux/tcp.h> | |
44 | #include <linux/skbuff.h> | |
45 | #include <linux/xfrm.h> | |
46 | #include <net/xfrm.h> | |
47 | #include <net/checksum.h> | |
48 | #include <net/udp.h> | |
60063497 | 49 | #include <linux/atomic.h> |
d28d1e08 TJ |
50 | |
51 | #include "avc.h" | |
52 | #include "objsec.h" | |
53 | #include "xfrm.h" | |
54 | ||
d621d35e PM |
55 | /* Labeled XFRM instance counter */ |
56 | atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0); | |
d28d1e08 TJ |
57 | |
58 | /* | |
4baabeec | 59 | * Returns true if the context is an LSM/SELinux context. |
d28d1e08 TJ |
60 | */ |
61 | static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) | |
62 | { | |
63 | return (ctx && | |
64 | (ctx->ctx_doi == XFRM_SC_DOI_LSM) && | |
65 | (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); | |
66 | } | |
67 | ||
68 | /* | |
4baabeec | 69 | * Returns true if the xfrm contains a security blob for SELinux. |
d28d1e08 TJ |
70 | */ |
71 | static inline int selinux_authorizable_xfrm(struct xfrm_state *x) | |
72 | { | |
73 | return selinux_authorizable_ctx(x->security); | |
74 | } | |
75 | ||
2e5aa866 PM |
76 | /* |
77 | * Allocates a xfrm_sec_state and populates it using the supplied security | |
78 | * xfrm_user_sec_ctx context. | |
79 | */ | |
80 | static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, | |
81 | struct xfrm_user_sec_ctx *uctx) | |
82 | { | |
83 | int rc; | |
84 | const struct task_security_struct *tsec = current_security(); | |
85 | struct xfrm_sec_ctx *ctx = NULL; | |
86 | u32 str_len; | |
87 | ||
88 | if (ctxp == NULL || uctx == NULL || | |
89 | uctx->ctx_doi != XFRM_SC_DOI_LSM || | |
90 | uctx->ctx_alg != XFRM_SC_ALG_SELINUX) | |
91 | return -EINVAL; | |
92 | ||
93 | str_len = uctx->ctx_len; | |
94 | if (str_len >= PAGE_SIZE) | |
95 | return -ENOMEM; | |
96 | ||
97 | ctx = kmalloc(sizeof(*ctx) + str_len + 1, GFP_KERNEL); | |
98 | if (!ctx) | |
99 | return -ENOMEM; | |
100 | ||
101 | ctx->ctx_doi = XFRM_SC_DOI_LSM; | |
102 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; | |
103 | ctx->ctx_len = str_len; | |
104 | memcpy(ctx->ctx_str, &uctx[1], str_len); | |
105 | ctx->ctx_str[str_len] = '\0'; | |
106 | rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid); | |
107 | if (rc) | |
108 | goto err; | |
109 | ||
110 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, | |
111 | SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL); | |
112 | if (rc) | |
113 | goto err; | |
114 | ||
115 | *ctxp = ctx; | |
116 | atomic_inc(&selinux_xfrm_refcount); | |
117 | return 0; | |
118 | ||
119 | err: | |
120 | kfree(ctx); | |
121 | return rc; | |
122 | } | |
123 | ||
ccf17cc4 PM |
124 | /* |
125 | * Free the xfrm_sec_ctx structure. | |
126 | */ | |
127 | static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx) | |
128 | { | |
129 | if (!ctx) | |
130 | return; | |
131 | ||
132 | atomic_dec(&selinux_xfrm_refcount); | |
133 | kfree(ctx); | |
134 | } | |
135 | ||
136 | /* | |
137 | * Authorize the deletion of a labeled SA or policy rule. | |
138 | */ | |
139 | static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) | |
140 | { | |
141 | const struct task_security_struct *tsec = current_security(); | |
142 | ||
143 | if (!ctx) | |
144 | return 0; | |
145 | ||
146 | return avc_has_perm(tsec->sid, ctx->ctx_sid, | |
147 | SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, | |
148 | NULL); | |
149 | } | |
150 | ||
d28d1e08 | 151 | /* |
4baabeec PM |
152 | * LSM hook implementation that authorizes that a flow can use a xfrm policy |
153 | * rule. | |
d28d1e08 | 154 | */ |
03e1ad7b | 155 | int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) |
d28d1e08 | 156 | { |
5b368e61 | 157 | int rc; |
d28d1e08 | 158 | |
96484348 PM |
159 | /* All flows should be treated as polmatch'ing an otherwise applicable |
160 | * "non-labeled" policy. This would prevent inadvertent "leaks". */ | |
161 | if (!ctx) | |
5b368e61 | 162 | return 0; |
d28d1e08 | 163 | |
96484348 PM |
164 | /* Context sid is either set to label or ANY_ASSOC */ |
165 | if (!selinux_authorizable_ctx(ctx)) | |
166 | return -EINVAL; | |
5b368e61 | 167 | |
96484348 PM |
168 | rc = avc_has_perm(fl_secid, ctx->ctx_sid, |
169 | SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL); | |
170 | return (rc == -EACCES ? -ESRCH : rc); | |
d28d1e08 TJ |
171 | } |
172 | ||
e0d1caa7 VY |
173 | /* |
174 | * LSM hook implementation that authorizes that a state matches | |
175 | * the given policy, flow combo. | |
176 | */ | |
96484348 PM |
177 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, |
178 | struct xfrm_policy *xp, | |
179 | const struct flowi *fl) | |
e0d1caa7 VY |
180 | { |
181 | u32 state_sid; | |
e0d1caa7 | 182 | |
67f83cbf | 183 | if (!xp->security) |
5b368e61 VY |
184 | if (x->security) |
185 | /* unlabeled policy and labeled SA can't match */ | |
186 | return 0; | |
187 | else | |
188 | /* unlabeled policy and unlabeled SA match all flows */ | |
189 | return 1; | |
5b368e61 | 190 | else |
67f83cbf VY |
191 | if (!x->security) |
192 | /* unlabeled SA and labeled policy can't match */ | |
5b368e61 | 193 | return 0; |
67f83cbf VY |
194 | else |
195 | if (!selinux_authorizable_xfrm(x)) | |
196 | /* Not a SELinux-labeled SA */ | |
197 | return 0; | |
5b368e61 | 198 | |
67f83cbf | 199 | state_sid = x->security->ctx_sid; |
e0d1caa7 | 200 | |
1d28f42c | 201 | if (fl->flowi_secid != state_sid) |
67f83cbf | 202 | return 0; |
e0d1caa7 | 203 | |
96484348 PM |
204 | /* We don't need a separate SA Vs. policy polmatch check since the SA |
205 | * is now of the same label as the flow and a flow Vs. policy polmatch | |
206 | * check had already happened in selinux_xfrm_policy_lookup() above. */ | |
207 | return (avc_has_perm(fl->flowi_secid, state_sid, | |
208 | SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, | |
209 | NULL) ? 0 : 1); | |
e0d1caa7 VY |
210 | } |
211 | ||
212 | /* | |
6b877699 VY |
213 | * LSM hook implementation that checks and/or returns the xfrm sid for the |
214 | * incoming packet. | |
e0d1caa7 | 215 | */ |
beb8d13b | 216 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) |
e0d1caa7 | 217 | { |
e2193695 | 218 | u32 sid_session = SECSID_NULL; |
e0d1caa7 VY |
219 | struct sec_path *sp; |
220 | ||
e0d1caa7 | 221 | if (skb == NULL) |
e2193695 | 222 | goto out; |
e0d1caa7 VY |
223 | |
224 | sp = skb->sp; | |
225 | if (sp) { | |
e2193695 | 226 | int i; |
e0d1caa7 | 227 | |
e2193695 | 228 | for (i = sp->len - 1; i >= 0; i--) { |
e0d1caa7 VY |
229 | struct xfrm_state *x = sp->xvec[i]; |
230 | if (selinux_authorizable_xfrm(x)) { | |
231 | struct xfrm_sec_ctx *ctx = x->security; | |
232 | ||
e2193695 PM |
233 | if (sid_session == SECSID_NULL) { |
234 | sid_session = ctx->ctx_sid; | |
beb8d13b | 235 | if (!ckall) |
e2193695 PM |
236 | goto out; |
237 | } else if (sid_session != ctx->ctx_sid) { | |
238 | *sid = SECSID_NULL; | |
e0d1caa7 | 239 | return -EINVAL; |
e2193695 | 240 | } |
e0d1caa7 VY |
241 | } |
242 | } | |
243 | } | |
244 | ||
e2193695 PM |
245 | out: |
246 | *sid = sid_session; | |
e0d1caa7 VY |
247 | return 0; |
248 | } | |
249 | ||
d28d1e08 | 250 | /* |
4baabeec | 251 | * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy. |
d28d1e08 | 252 | */ |
03e1ad7b PM |
253 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, |
254 | struct xfrm_user_sec_ctx *uctx) | |
d28d1e08 | 255 | { |
2e5aa866 | 256 | return selinux_xfrm_alloc_user(ctxp, uctx); |
d28d1e08 TJ |
257 | } |
258 | ||
d28d1e08 | 259 | /* |
4baabeec PM |
260 | * LSM hook implementation that copies security data structure from old to new |
261 | * for policy cloning. | |
d28d1e08 | 262 | */ |
03e1ad7b PM |
263 | int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, |
264 | struct xfrm_sec_ctx **new_ctxp) | |
d28d1e08 | 265 | { |
03e1ad7b | 266 | struct xfrm_sec_ctx *new_ctx; |
d28d1e08 | 267 | |
ccf17cc4 PM |
268 | if (!old_ctx) |
269 | return 0; | |
270 | ||
7d1db4b2 DJ |
271 | new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len, |
272 | GFP_ATOMIC); | |
ccf17cc4 PM |
273 | if (!new_ctx) |
274 | return -ENOMEM; | |
ccf17cc4 PM |
275 | atomic_inc(&selinux_xfrm_refcount); |
276 | *new_ctxp = new_ctx; | |
d28d1e08 | 277 | |
d28d1e08 TJ |
278 | return 0; |
279 | } | |
280 | ||
281 | /* | |
03e1ad7b | 282 | * LSM hook implementation that frees xfrm_sec_ctx security information. |
d28d1e08 | 283 | */ |
03e1ad7b | 284 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) |
d28d1e08 | 285 | { |
ccf17cc4 | 286 | selinux_xfrm_free(ctx); |
d28d1e08 TJ |
287 | } |
288 | ||
c8c05a8e CZ |
289 | /* |
290 | * LSM hook implementation that authorizes deletion of labeled policies. | |
291 | */ | |
03e1ad7b | 292 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) |
c8c05a8e | 293 | { |
ccf17cc4 | 294 | return selinux_xfrm_delete(ctx); |
c8c05a8e CZ |
295 | } |
296 | ||
d28d1e08 | 297 | /* |
2e5aa866 PM |
298 | * LSM hook implementation that allocates a xfrm_sec_state, populates it using |
299 | * the supplied security context, and assigns it to the xfrm_state. | |
d28d1e08 | 300 | */ |
2e5aa866 PM |
301 | int selinux_xfrm_state_alloc(struct xfrm_state *x, |
302 | struct xfrm_user_sec_ctx *uctx) | |
d28d1e08 | 303 | { |
2e5aa866 PM |
304 | return selinux_xfrm_alloc_user(&x->security, uctx); |
305 | } | |
d28d1e08 | 306 | |
2e5aa866 PM |
307 | /* |
308 | * LSM hook implementation that allocates a xfrm_sec_state and populates based | |
309 | * on a secid. | |
310 | */ | |
311 | int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, | |
312 | struct xfrm_sec_ctx *polsec, u32 secid) | |
313 | { | |
314 | int rc; | |
315 | struct xfrm_sec_ctx *ctx; | |
316 | char *ctx_str = NULL; | |
317 | int str_len; | |
d28d1e08 | 318 | |
2e5aa866 PM |
319 | if (!polsec) |
320 | return 0; | |
321 | ||
322 | if (secid == 0) | |
323 | return -EINVAL; | |
324 | ||
325 | rc = security_sid_to_context(secid, &ctx_str, &str_len); | |
326 | if (rc) | |
327 | return rc; | |
328 | ||
329 | ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC); | |
8e645c34 GB |
330 | if (!ctx) { |
331 | rc = -ENOMEM; | |
332 | goto out; | |
333 | } | |
2e5aa866 PM |
334 | |
335 | ctx->ctx_doi = XFRM_SC_DOI_LSM; | |
336 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; | |
337 | ctx->ctx_sid = secid; | |
338 | ctx->ctx_len = str_len; | |
339 | memcpy(ctx->ctx_str, ctx_str, str_len); | |
2e5aa866 PM |
340 | |
341 | x->security = ctx; | |
342 | atomic_inc(&selinux_xfrm_refcount); | |
8e645c34 GB |
343 | out: |
344 | kfree(ctx_str); | |
345 | return rc; | |
d28d1e08 TJ |
346 | } |
347 | ||
348 | /* | |
349 | * LSM hook implementation that frees xfrm_state security information. | |
350 | */ | |
351 | void selinux_xfrm_state_free(struct xfrm_state *x) | |
352 | { | |
ccf17cc4 | 353 | selinux_xfrm_free(x->security); |
d28d1e08 TJ |
354 | } |
355 | ||
4baabeec PM |
356 | /* |
357 | * LSM hook implementation that authorizes deletion of labeled SAs. | |
358 | */ | |
c8c05a8e CZ |
359 | int selinux_xfrm_state_delete(struct xfrm_state *x) |
360 | { | |
ccf17cc4 | 361 | return selinux_xfrm_delete(x->security); |
c8c05a8e CZ |
362 | } |
363 | ||
d28d1e08 TJ |
364 | /* |
365 | * LSM hook that controls access to unlabelled packets. If | |
366 | * a xfrm_state is authorizable (defined by macro) then it was | |
367 | * already authorized by the IPSec process. If not, then | |
368 | * we need to check for unlabelled access since this may not have | |
369 | * gone thru the IPSec process. | |
370 | */ | |
eef9b416 PM |
371 | int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb, |
372 | struct common_audit_data *ad) | |
d28d1e08 | 373 | { |
eef9b416 PM |
374 | int i; |
375 | struct sec_path *sp = skb->sp; | |
376 | u32 peer_sid = SECINITSID_UNLABELED; | |
d28d1e08 TJ |
377 | |
378 | if (sp) { | |
d28d1e08 | 379 | for (i = 0; i < sp->len; i++) { |
67644726 | 380 | struct xfrm_state *x = sp->xvec[i]; |
d28d1e08 | 381 | |
e0d1caa7 VY |
382 | if (x && selinux_authorizable_xfrm(x)) { |
383 | struct xfrm_sec_ctx *ctx = x->security; | |
eef9b416 | 384 | peer_sid = ctx->ctx_sid; |
e0d1caa7 VY |
385 | break; |
386 | } | |
d28d1e08 TJ |
387 | } |
388 | } | |
389 | ||
eef9b416 PM |
390 | /* This check even when there's no association involved is intended, |
391 | * according to Trent Jaeger, to make sure a process can't engage in | |
392 | * non-IPsec communication unless explicitly allowed by policy. */ | |
393 | return avc_has_perm(sk_sid, peer_sid, | |
394 | SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad); | |
d28d1e08 TJ |
395 | } |
396 | ||
397 | /* | |
398 | * POSTROUTE_LAST hook's XFRM processing: | |
399 | * If we have no security association, then we need to determine | |
400 | * whether the socket is allowed to send to an unlabelled destination. | |
401 | * If we do have a authorizable security association, then it has already been | |
67f83cbf | 402 | * checked in the selinux_xfrm_state_pol_flow_match hook above. |
d28d1e08 | 403 | */ |
eef9b416 PM |
404 | int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, |
405 | struct common_audit_data *ad, u8 proto) | |
d28d1e08 TJ |
406 | { |
407 | struct dst_entry *dst; | |
d28d1e08 | 408 | |
67f83cbf VY |
409 | switch (proto) { |
410 | case IPPROTO_AH: | |
411 | case IPPROTO_ESP: | |
412 | case IPPROTO_COMP: | |
eef9b416 PM |
413 | /* We should have already seen this packet once before it |
414 | * underwent xfrm(s). No need to subject it to the unlabeled | |
415 | * check. */ | |
416 | return 0; | |
67f83cbf VY |
417 | default: |
418 | break; | |
419 | } | |
420 | ||
eef9b416 PM |
421 | dst = skb_dst(skb); |
422 | if (dst) { | |
423 | struct dst_entry *iter; | |
67f83cbf | 424 | |
eef9b416 PM |
425 | for (iter = dst; iter != NULL; iter = iter->child) { |
426 | struct xfrm_state *x = iter->xfrm; | |
427 | ||
428 | if (x && selinux_authorizable_xfrm(x)) | |
429 | return 0; | |
430 | } | |
431 | } | |
432 | ||
433 | /* This check even when there's no association involved is intended, | |
434 | * according to Trent Jaeger, to make sure a process can't engage in | |
435 | * non-IPsec communication unless explicitly allowed by policy. */ | |
436 | return avc_has_perm(sk_sid, SECINITSID_UNLABELED, | |
437 | SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad); | |
d28d1e08 | 438 | } |