[deliverable/linux.git] / security / selinux / xfrm.c

/*
 *  NSA Security-Enhanced Linux (SELinux) security module
 *
 *  This file contains the SELinux XFRM hook function implementations.
 *
 *  Authors:  Serge Hallyn <sergeh@us.ibm.com>
 *	      Trent Jaeger <jaegert@us.ibm.com>
 *
 *  Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
 *
 *           Granular IPSec Associations for use in MLS environments.
 *
 *  Copyright (C) 2005 International Business Machines Corporation
 *  Copyright (C) 2006 Trusted Computer Solutions, Inc.
 *
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License version 2,
 *	as published by the Free Software Foundation.
 */

/*
 * USAGE:
 * NOTES:
 *   1. Make sure to enable the following options in your kernel config:
 *	CONFIG_SECURITY=y
 *	CONFIG_SECURITY_NETWORK=y
 *	CONFIG_SECURITY_NETWORK_XFRM=y
 *	CONFIG_SECURITY_SELINUX=m/y
 * ISSUES:
 *   1. Caching packets, so they are not dropped during negotiation
 *   2. Emulating a reasonable SO_PEERSEC across machines
 *   3. Testing addition of sk_policy's with security context via setsockopt
 */
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/security.h>
#include <linux/types.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/skbuff.h>
#include <linux/xfrm.h>
#include <net/xfrm.h>
#include <net/checksum.h>
#include <net/udp.h>
#include <asm/semaphore.h>

#include "avc.h"
#include "objsec.h"
#include "xfrm.h"


/*
 * Returns true if an LSM/SELinux context
 */
static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
{
	return (ctx &&
		(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
		(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
}

/*
 * Returns true if the xfrm contains a security blob for SELinux
 */
static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
{
	return selinux_authorizable_ctx(x->security);
}

/*
 * LSM hook implementation that authorizes that a flow can use
 * a xfrm policy rule.
 */
int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
{
	int rc;
	u32 sel_sid;
	struct xfrm_sec_ctx *ctx;

	/* Context sid is either set to label or ANY_ASSOC */
	if ((ctx = xp->security)) {
		if (!selinux_authorizable_ctx(ctx))
			return -EINVAL;

		sel_sid = ctx->ctx_sid;
	}
	else
		/*
		 * All flows should be treated as polmatch'ing an
		 * otherwise applicable "non-labeled" policy. This
		 * would prevent inadvertent "leaks".
		 */
		return 0;

	rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__POLMATCH,
			  NULL);

	if (rc == -EACCES)
		rc = -ESRCH;

	return rc;
}

/*
 * LSM hook implementation that authorizes that a state matches
 * the given policy, flow combo.
 */

int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
			struct flowi *fl)
{
	u32 state_sid;
	int rc;

	if (!xp->security)
		if (x->security)
			/* unlabeled policy and labeled SA can't match */
			return 0;
		else
			/* unlabeled policy and unlabeled SA match all flows */
			return 1;
	else
		if (!x->security)
			/* unlabeled SA and labeled policy can't match */
			return 0;
		else
			if (!selinux_authorizable_xfrm(x))
				/* Not a SELinux-labeled SA */
				return 0;

	state_sid = x->security->ctx_sid;

	if (fl->secid != state_sid)
		return 0;

	rc = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__SENDTO,
			  NULL)? 0:1;

	/*
	 * We don't need a separate SA Vs. policy polmatch check
	 * since the SA is now of the same label as the flow and
	 * a flow Vs. policy polmatch check had already happened
	 * in selinux_xfrm_policy_lookup() above.
	 */

	return rc;
}

/*
 * LSM hook implementation that checks and/or returns the xfrm sid for the
 * incoming packet.
 */

int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
{
	struct sec_path *sp;

	*sid = SECSID_NULL;

	if (skb == NULL)
		return 0;

	sp = skb->sp;
	if (sp) {
		int i, sid_set = 0;

		for (i = sp->len-1; i >= 0; i--) {
			struct xfrm_state *x = sp->xvec[i];
			if (selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;

				if (!sid_set) {
					*sid = ctx->ctx_sid;
					sid_set = 1;

					if (!ckall)
						break;
				}
				else if (*sid != ctx->ctx_sid)
					return -EINVAL;
			}
		}
	}

	return 0;
}

/*
 * Security blob allocation for xfrm_policy and xfrm_state
 * CTX does not have a meaningful value on input
 */
static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
	struct xfrm_user_sec_ctx *uctx, u32 sid)
{
	int rc = 0;
	struct task_security_struct *tsec = current->security;
	struct xfrm_sec_ctx *ctx = NULL;
	char *ctx_str = NULL;
	u32 str_len;

	BUG_ON(uctx && sid);

	if (!uctx)
		goto not_from_user;

	if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
		return -EINVAL;

	str_len = uctx->ctx_len;
	if (str_len >= PAGE_SIZE)
		return -ENOMEM;

	*ctxp = ctx = kmalloc(sizeof(*ctx) +
			      str_len + 1,
			      GFP_KERNEL);

	if (!ctx)
		return -ENOMEM;

	ctx->ctx_doi = uctx->ctx_doi;
	ctx->ctx_len = str_len;
	ctx->ctx_alg = uctx->ctx_alg;

	memcpy(ctx->ctx_str,
	       uctx+1,
	       str_len);
	ctx->ctx_str[str_len] = 0;
	rc = security_context_to_sid(ctx->ctx_str,
				     str_len,
				     &ctx->ctx_sid);

	if (rc)
		goto out;

	/*
	 * Does the subject have permission to set security context?
	 */
	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
			  SECCLASS_ASSOCIATION,
			  ASSOCIATION__SETCONTEXT, NULL);
	if (rc)
		goto out;

	return rc;

not_from_user:
	rc = security_sid_to_context(sid, &ctx_str, &str_len);
	if (rc)
		goto out;

	*ctxp = ctx = kmalloc(sizeof(*ctx) +
			      str_len,
			      GFP_ATOMIC);

	if (!ctx) {
		rc = -ENOMEM;
		goto out;
	}

	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	ctx->ctx_sid = sid;
	ctx->ctx_len = str_len;
	memcpy(ctx->ctx_str,
	       ctx_str,
	       str_len);

	goto out2;

out:
	*ctxp = NULL;
	kfree(ctx);
out2:
	kfree(ctx_str);
	return rc;
}

/*
 * LSM hook implementation that allocs and transfers uctx spec to
 * xfrm_policy.
 */
int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
		struct xfrm_user_sec_ctx *uctx)
{
	int err;

	BUG_ON(!xp);
	BUG_ON(!uctx);

	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0);
	return err;
}


/*
 * LSM hook implementation that copies security data structure from old to
 * new for policy cloning.
 */
int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
{
	struct xfrm_sec_ctx *old_ctx, *new_ctx;

	old_ctx = old->security;

	if (old_ctx) {
		new_ctx = new->security = kmalloc(sizeof(*new_ctx) +
						  old_ctx->ctx_len,
						  GFP_KERNEL);

		if (!new_ctx)
			return -ENOMEM;

		memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
		memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
	}
	return 0;
}

/*
 * LSM hook implementation that frees xfrm_policy security information.
 */
void selinux_xfrm_policy_free(struct xfrm_policy *xp)
{
	struct xfrm_sec_ctx *ctx = xp->security;
	if (ctx)
		kfree(ctx);
}

/*
 * LSM hook implementation that authorizes deletion of labeled policies.
 */
int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
{
	struct task_security_struct *tsec = current->security;
	struct xfrm_sec_ctx *ctx = xp->security;
	int rc = 0;

	if (ctx)
		rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
				  SECCLASS_ASSOCIATION,
				  ASSOCIATION__SETCONTEXT, NULL);

	return rc;
}

/*
 * LSM hook implementation that allocs and transfers sec_ctx spec to
 * xfrm_state.
 */
int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx,
		u32 secid)
{
	int err;

	BUG_ON(!x);

	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
	return err;
}

/*
 * LSM hook implementation that frees xfrm_state security information.
 */
void selinux_xfrm_state_free(struct xfrm_state *x)
{
	struct xfrm_sec_ctx *ctx = x->security;
	if (ctx)
		kfree(ctx);
}

 /*
  * LSM hook implementation that authorizes deletion of labeled SAs.
  */
int selinux_xfrm_state_delete(struct xfrm_state *x)
{
	struct task_security_struct *tsec = current->security;
	struct xfrm_sec_ctx *ctx = x->security;
	int rc = 0;

	if (ctx)
		rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
				  SECCLASS_ASSOCIATION,
				  ASSOCIATION__SETCONTEXT, NULL);

	return rc;
}

/*
 * LSM hook that controls access to unlabelled packets.  If
 * a xfrm_state is authorizable (defined by macro) then it was
 * already authorized by the IPSec process.  If not, then
 * we need to check for unlabelled access since this may not have
 * gone thru the IPSec process.
 */
int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
				struct avc_audit_data *ad)
{
	int i, rc = 0;
	struct sec_path *sp;
	u32 sel_sid = SECINITSID_UNLABELED;

	sp = skb->sp;

	if (sp) {
		for (i = 0; i < sp->len; i++) {
			struct xfrm_state *x = sp->xvec[i];

			if (x && selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;
				sel_sid = ctx->ctx_sid;
				break;
			}
		}
	}

	/*
	 * This check even when there's no association involved is
	 * intended, according to Trent Jaeger, to make sure a
	 * process can't engage in non-ipsec communication unless
	 * explicitly allowed by policy.
	 */

	rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__RECVFROM, ad);

	return rc;
}

/*
 * POSTROUTE_LAST hook's XFRM processing:
 * If we have no security association, then we need to determine
 * whether the socket is allowed to send to an unlabelled destination.
 * If we do have a authorizable security association, then it has already been
 * checked in the selinux_xfrm_state_pol_flow_match hook above.
 */
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
					struct avc_audit_data *ad, u8 proto)
{
	struct dst_entry *dst;
	int rc = 0;

	dst = skb->dst;

	if (dst) {
		struct dst_entry *dst_test;

		for (dst_test = dst; dst_test != NULL;
		     dst_test = dst_test->child) {
			struct xfrm_state *x = dst_test->xfrm;

			if (x && selinux_authorizable_xfrm(x))
				goto out;
		}
	}

	switch (proto) {
	case IPPROTO_AH:
	case IPPROTO_ESP:
	case IPPROTO_COMP:
		/*
		 * We should have already seen this packet once before
		 * it underwent xfrm(s). No need to subject it to the
		 * unlabeled check.
		 */
		goto out;
	default:
		break;
	}

	/*
	 * This check even when there's no association involved is
	 * intended, according to Trent Jaeger, to make sure a
	 * process can't engage in non-ipsec communication unless
	 * explicitly allowed by policy.
	 */

	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
			  ASSOCIATION__SENDTO, ad);
out:
	return rc;
}
Commit	Line	Data
d28d1e08 TJ	1	/*
	2	* NSA Security-Enhanced Linux (SELinux) security module
	3	*
	4	* This file contains the SELinux XFRM hook function implementations.
	5	*
	6	* Authors: Serge Hallyn <sergeh@us.ibm.com>
	7	* Trent Jaeger <jaegert@us.ibm.com>
	8	*
e0d1caa7 VY	9	* Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
	10	*
	11	* Granular IPSec Associations for use in MLS environments.
	12	*
d28d1e08	13	* Copyright (C) 2005 International Business Machines Corporation
e0d1caa7	14	* Copyright (C) 2006 Trusted Computer Solutions, Inc.
d28d1e08 TJ	15	*
	16	* This program is free software; you can redistribute it and/or modify
	17	* it under the terms of the GNU General Public License version 2,
	18	* as published by the Free Software Foundation.
	19	*/
	20
	21	/*
	22	* USAGE:
	23	* NOTES:
	24	* 1. Make sure to enable the following options in your kernel config:
	25	* CONFIG_SECURITY=y
	26	* CONFIG_SECURITY_NETWORK=y
	27	* CONFIG_SECURITY_NETWORK_XFRM=y
	28	* CONFIG_SECURITY_SELINUX=m/y
	29	* ISSUES:
	30	* 1. Caching packets, so they are not dropped during negotiation
	31	* 2. Emulating a reasonable SO_PEERSEC across machines
	32	* 3. Testing addition of sk_policy's with security context via setsockopt
	33	*/
d28d1e08 TJ	34	#include <linux/kernel.h>
	35	#include <linux/init.h>
	36	#include <linux/security.h>
	37	#include <linux/types.h>
	38	#include <linux/netfilter.h>
	39	#include <linux/netfilter_ipv4.h>
	40	#include <linux/netfilter_ipv6.h>
	41	#include <linux/ip.h>
	42	#include <linux/tcp.h>
	43	#include <linux/skbuff.h>
	44	#include <linux/xfrm.h>
	45	#include <net/xfrm.h>
	46	#include <net/checksum.h>
	47	#include <net/udp.h>
	48	#include <asm/semaphore.h>
	49
	50	#include "avc.h"
	51	#include "objsec.h"
	52	#include "xfrm.h"
	53
	54
	55	/*
	56	* Returns true if an LSM/SELinux context
	57	*/
	58	static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
	59	{
	60	return (ctx &&
	61	(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
	62	(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
	63	}
	64
	65	/*
	66	* Returns true if the xfrm contains a security blob for SELinux
	67	*/
	68	static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
	69	{
	70	return selinux_authorizable_ctx(x->security);
	71	}
	72
	73	/*
e0d1caa7 VY	74	* LSM hook implementation that authorizes that a flow can use
e0d1caa7 VY	75	* a xfrm policy rule.
d28d1e08	76	*/
e0d1caa7	77	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
d28d1e08	78	{
5b368e61 VY	79	int rc;
5b368e61 VY	80	u32 sel_sid;
d28d1e08 TJ	81	struct xfrm_sec_ctx *ctx;
	82
	83	/* Context sid is either set to label or ANY_ASSOC */
	84	if ((ctx = xp->security)) {
	85	if (!selinux_authorizable_ctx(ctx))
	86	return -EINVAL;
	87
	88	sel_sid = ctx->ctx_sid;
	89	}
5b368e61 VY	90	else
	91	/*
	92	* All flows should be treated as polmatch'ing an
	93	* otherwise applicable "non-labeled" policy. This
	94	* would prevent inadvertent "leaks".
	95	*/
	96	return 0;
d28d1e08	97
e0d1caa7 VY	98	rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
e0d1caa7 VY	99	ASSOCIATION__POLMATCH,
d28d1e08 TJ	100	NULL);
d28d1e08 TJ	101
5b368e61 VY	102	if (rc == -EACCES)
	103	rc = -ESRCH;
	104
d28d1e08 TJ	105	return rc;
	106	}
	107
e0d1caa7 VY	108	/*
	109	* LSM hook implementation that authorizes that a state matches
	110	* the given policy, flow combo.
	111	*/
	112
	113	int selinux_xfrm_state_pol_flow_match(struct xfrm_state x, struct xfrm_policy xp,
	114	struct flowi *fl)
	115	{
	116	u32 state_sid;
67f83cbf	117	int rc;
e0d1caa7	118
67f83cbf	119	if (!xp->security)
5b368e61 VY	120	if (x->security)
	121	/* unlabeled policy and labeled SA can't match */
	122	return 0;
	123	else
	124	/* unlabeled policy and unlabeled SA match all flows */
	125	return 1;
5b368e61	126	else
67f83cbf VY	127	if (!x->security)
67f83cbf VY	128	/* unlabeled SA and labeled policy can't match */
5b368e61	129	return 0;
67f83cbf VY	130	else
	131	if (!selinux_authorizable_xfrm(x))
	132	/* Not a SELinux-labeled SA */
	133	return 0;
5b368e61	134
67f83cbf	135	state_sid = x->security->ctx_sid;
e0d1caa7	136
67f83cbf VY	137	if (fl->secid != state_sid)
67f83cbf VY	138	return 0;
e0d1caa7	139
67f83cbf	140	rc = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION,
e0d1caa7 VY	141	ASSOCIATION__SENDTO,
	142	NULL)? 0:1;
	143
67f83cbf VY	144	/*
	145	* We don't need a separate SA Vs. policy polmatch check
	146	* since the SA is now of the same label as the flow and
	147	* a flow Vs. policy polmatch check had already happened
	148	* in selinux_xfrm_policy_lookup() above.
	149	*/
	150
e0d1caa7 VY	151	return rc;
	152	}
	153
	154	/*
6b877699 VY	155	* LSM hook implementation that checks and/or returns the xfrm sid for the
6b877699 VY	156	* incoming packet.
e0d1caa7 VY	157	*/
e0d1caa7 VY	158
beb8d13b	159	int selinux_xfrm_decode_session(struct sk_buff skb, u32 sid, int ckall)
e0d1caa7 VY	160	{
	161	struct sec_path *sp;
	162
beb8d13b	163	*sid = SECSID_NULL;
e0d1caa7 VY	164
	165	if (skb == NULL)
	166	return 0;
	167
	168	sp = skb->sp;
	169	if (sp) {
	170	int i, sid_set = 0;
	171
	172	for (i = sp->len-1; i >= 0; i--) {
	173	struct xfrm_state *x = sp->xvec[i];
	174	if (selinux_authorizable_xfrm(x)) {
	175	struct xfrm_sec_ctx *ctx = x->security;
	176
	177	if (!sid_set) {
beb8d13b	178	*sid = ctx->ctx_sid;
e0d1caa7	179	sid_set = 1;
beb8d13b VY	180
	181	if (!ckall)
	182	break;
e0d1caa7	183	}
beb8d13b	184	else if (*sid != ctx->ctx_sid)
e0d1caa7 VY	185	return -EINVAL;
	186	}
	187	}
	188	}
	189
	190	return 0;
	191	}
	192
d28d1e08 TJ	193	/*
	194	* Security blob allocation for xfrm_policy and xfrm_state
	195	* CTX does not have a meaningful value on input
	196	*/
e0d1caa7	197	static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
c1a856c9	198	struct xfrm_user_sec_ctx *uctx, u32 sid)
d28d1e08 TJ	199	{
	200	int rc = 0;
	201	struct task_security_struct *tsec = current->security;
e0d1caa7 VY	202	struct xfrm_sec_ctx *ctx = NULL;
	203	char *ctx_str = NULL;
	204	u32 str_len;
e0d1caa7	205
c1a856c9	206	BUG_ON(uctx && sid);
e0d1caa7	207
cb969f07 VY	208	if (!uctx)
cb969f07 VY	209	goto not_from_user;
e0d1caa7 VY	210
	211	if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
	212	return -EINVAL;
d28d1e08	213
57002bfb SR	214	str_len = uctx->ctx_len;
57002bfb SR	215	if (str_len >= PAGE_SIZE)
d28d1e08 TJ	216	return -ENOMEM;
	217
	218	ctxp = ctx = kmalloc(sizeof(ctx) +
57002bfb	219	str_len + 1,
d28d1e08 TJ	220	GFP_KERNEL);
	221
	222	if (!ctx)
	223	return -ENOMEM;
	224
	225	ctx->ctx_doi = uctx->ctx_doi;
57002bfb	226	ctx->ctx_len = str_len;
d28d1e08 TJ	227	ctx->ctx_alg = uctx->ctx_alg;
	228
	229	memcpy(ctx->ctx_str,
	230	uctx+1,
57002bfb SR	231	str_len);
57002bfb SR	232	ctx->ctx_str[str_len] = 0;
d28d1e08	233	rc = security_context_to_sid(ctx->ctx_str,
57002bfb	234	str_len,
d28d1e08 TJ	235	&ctx->ctx_sid);
	236
	237	if (rc)
	238	goto out;
	239
	240	/*
c8c05a8e	241	* Does the subject have permission to set security context?
d28d1e08	242	*/
d28d1e08 TJ	243	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
d28d1e08 TJ	244	SECCLASS_ASSOCIATION,
5f8ac64b	245	ASSOCIATION__SETCONTEXT, NULL);
d28d1e08 TJ	246	if (rc)
	247	goto out;
	248
	249	return rc;
	250
cb969f07	251	not_from_user:
c1a856c9	252	rc = security_sid_to_context(sid, &ctx_str, &str_len);
e0d1caa7 VY	253	if (rc)
	254	goto out;
	255
	256	ctxp = ctx = kmalloc(sizeof(ctx) +
	257	str_len,
	258	GFP_ATOMIC);
	259
	260	if (!ctx) {
	261	rc = -ENOMEM;
	262	goto out;
	263	}
	264
e0d1caa7 VY	265	ctx->ctx_doi = XFRM_SC_DOI_LSM;
e0d1caa7 VY	266	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
c1a856c9	267	ctx->ctx_sid = sid;
e0d1caa7 VY	268	ctx->ctx_len = str_len;
	269	memcpy(ctx->ctx_str,
	270	ctx_str,
	271	str_len);
	272
	273	goto out2;
	274
d28d1e08	275	out:
ee2e6841	276	*ctxp = NULL;
d28d1e08	277	kfree(ctx);
e0d1caa7 VY	278	out2:
e0d1caa7 VY	279	kfree(ctx_str);
d28d1e08 TJ	280	return rc;
	281	}
	282
	283	/*
	284	* LSM hook implementation that allocs and transfers uctx spec to
	285	* xfrm_policy.
	286	*/
cb969f07	287	int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
c1a856c9	288	struct xfrm_user_sec_ctx *uctx)
d28d1e08 TJ	289	{
	290	int err;
	291
	292	BUG_ON(!xp);
c1a856c9	293	BUG_ON(!uctx);
d28d1e08	294
c1a856c9	295	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0);
d28d1e08 TJ	296	return err;
	297	}
	298
	299
	300	/*
	301	* LSM hook implementation that copies security data structure from old to
	302	* new for policy cloning.
	303	*/
	304	int selinux_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new)
	305	{
	306	struct xfrm_sec_ctx old_ctx, new_ctx;
	307
	308	old_ctx = old->security;
	309
	310	if (old_ctx) {
	311	new_ctx = new->security = kmalloc(sizeof(*new_ctx) +
	312	old_ctx->ctx_len,
	313	GFP_KERNEL);
	314
	315	if (!new_ctx)
	316	return -ENOMEM;
	317
	318	memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
	319	memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
	320	}
	321	return 0;
	322	}
	323
	324	/*
	325	* LSM hook implementation that frees xfrm_policy security information.
	326	*/
	327	void selinux_xfrm_policy_free(struct xfrm_policy *xp)
	328	{
	329	struct xfrm_sec_ctx *ctx = xp->security;
	330	if (ctx)
	331	kfree(ctx);
	332	}
	333
c8c05a8e CZ	334	/*
	335	* LSM hook implementation that authorizes deletion of labeled policies.
	336	*/
	337	int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
	338	{
	339	struct task_security_struct *tsec = current->security;
	340	struct xfrm_sec_ctx *ctx = xp->security;
	341	int rc = 0;
	342
	343	if (ctx)
	344	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
	345	SECCLASS_ASSOCIATION,
	346	ASSOCIATION__SETCONTEXT, NULL);
	347
	348	return rc;
	349	}
	350
d28d1e08 TJ	351	/*
	352	* LSM hook implementation that allocs and transfers sec_ctx spec to
	353	* xfrm_state.
	354	*/
e0d1caa7	355	int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx uctx,
c1a856c9	356	u32 secid)
d28d1e08 TJ	357	{
	358	int err;
	359
	360	BUG_ON(!x);
	361
c1a856c9	362	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
d28d1e08 TJ	363	return err;
	364	}
	365
	366	/*
	367	* LSM hook implementation that frees xfrm_state security information.
	368	*/
	369	void selinux_xfrm_state_free(struct xfrm_state *x)
	370	{
	371	struct xfrm_sec_ctx *ctx = x->security;
	372	if (ctx)
	373	kfree(ctx);
	374	}
	375
c8c05a8e CZ	376	/*
	377	* LSM hook implementation that authorizes deletion of labeled SAs.
	378	*/
	379	int selinux_xfrm_state_delete(struct xfrm_state *x)
	380	{
	381	struct task_security_struct *tsec = current->security;
	382	struct xfrm_sec_ctx *ctx = x->security;
	383	int rc = 0;
	384
	385	if (ctx)
	386	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
	387	SECCLASS_ASSOCIATION,
	388	ASSOCIATION__SETCONTEXT, NULL);
	389
	390	return rc;
	391	}
	392
d28d1e08 TJ	393	/*
	394	* LSM hook that controls access to unlabelled packets. If
	395	* a xfrm_state is authorizable (defined by macro) then it was
	396	* already authorized by the IPSec process. If not, then
	397	* we need to check for unlabelled access since this may not have
	398	* gone thru the IPSec process.
	399	*/
e0d1caa7 VY	400	int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
e0d1caa7 VY	401	struct avc_audit_data *ad)
d28d1e08 TJ	402	{
	403	int i, rc = 0;
	404	struct sec_path *sp;
e0d1caa7	405	u32 sel_sid = SECINITSID_UNLABELED;
d28d1e08 TJ	406
	407	sp = skb->sp;
	408
	409	if (sp) {
d28d1e08	410	for (i = 0; i < sp->len; i++) {
67644726	411	struct xfrm_state *x = sp->xvec[i];
d28d1e08	412
e0d1caa7 VY	413	if (x && selinux_authorizable_xfrm(x)) {
	414	struct xfrm_sec_ctx *ctx = x->security;
	415	sel_sid = ctx->ctx_sid;
	416	break;
	417	}
d28d1e08 TJ	418	}
	419	}
	420
67f83cbf VY	421	/*
	422	* This check even when there's no association involved is
	423	* intended, according to Trent Jaeger, to make sure a
	424	* process can't engage in non-ipsec communication unless
	425	* explicitly allowed by policy.
	426	*/
	427
e0d1caa7 VY	428	rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
e0d1caa7 VY	429	ASSOCIATION__RECVFROM, ad);
d28d1e08	430
d28d1e08 TJ	431	return rc;
	432	}
	433
	434	/*
	435	* POSTROUTE_LAST hook's XFRM processing:
	436	* If we have no security association, then we need to determine
	437	* whether the socket is allowed to send to an unlabelled destination.
	438	* If we do have a authorizable security association, then it has already been
67f83cbf	439	* checked in the selinux_xfrm_state_pol_flow_match hook above.
d28d1e08	440	*/
e0d1caa7	441	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
67f83cbf	442	struct avc_audit_data *ad, u8 proto)
d28d1e08 TJ	443	{
	444	struct dst_entry *dst;
	445	int rc = 0;
	446
	447	dst = skb->dst;
	448
	449	if (dst) {
	450	struct dst_entry *dst_test;
	451
c80544dc	452	for (dst_test = dst; dst_test != NULL;
d28d1e08 TJ	453	dst_test = dst_test->child) {
	454	struct xfrm_state *x = dst_test->xfrm;
	455
	456	if (x && selinux_authorizable_xfrm(x))
4e5ab4cb	457	goto out;
d28d1e08 TJ	458	}
	459	}
	460
67f83cbf VY	461	switch (proto) {
	462	case IPPROTO_AH:
	463	case IPPROTO_ESP:
	464	case IPPROTO_COMP:
	465	/*
	466	* We should have already seen this packet once before
	467	* it underwent xfrm(s). No need to subject it to the
	468	* unlabeled check.
	469	*/
	470	goto out;
	471	default:
	472	break;
	473	}
	474
	475	/*
	476	* This check even when there's no association involved is
	477	* intended, according to Trent Jaeger, to make sure a
	478	* process can't engage in non-ipsec communication unless
	479	* explicitly allowed by policy.
	480	*/
	481
d28d1e08	482	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
e0d1caa7	483	ASSOCIATION__SENDTO, ad);
4e5ab4cb JM	484	out:
4e5ab4cb JM	485	return rc;
d28d1e08	486	}