Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 1 | /* |
| 2 | * NSA Security-Enhanced Linux (SELinux) security module |
| 3 | * |
| 4 | * This file contains the SELinux XFRM hook function implementations. |
| 5 | * |
| 6 | * Authors: Serge Hallyn <sergeh@us.ibm.com> |
| 7 | * Trent Jaeger <jaegert@us.ibm.com> |
| 8 | * |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 9 | * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com> |
| 10 | * |
| 11 | * Granular IPSec Associations for use in MLS environments. |
| 12 | * |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 13 | * Copyright (C) 2005 International Business Machines Corporation |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 14 | * Copyright (C) 2006 Trusted Computer Solutions, Inc. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 15 | * |
| 16 | * This program is free software; you can redistribute it and/or modify |
| 17 | * it under the terms of the GNU General Public License version 2, |
| 18 | * as published by the Free Software Foundation. |
| 19 | */ |
| 20 | |
| 21 | /* |
| 22 | * USAGE: |
| 23 | * NOTES: |
| 24 | * 1. Make sure to enable the following options in your kernel config: |
| 25 | * CONFIG_SECURITY=y |
| 26 | * CONFIG_SECURITY_NETWORK=y |
| 27 | * CONFIG_SECURITY_NETWORK_XFRM=y |
| 28 | * CONFIG_SECURITY_SELINUX=m/y |
| 29 | * ISSUES: |
| 30 | * 1. Caching packets, so they are not dropped during negotiation |
| 31 | * 2. Emulating a reasonable SO_PEERSEC across machines |
| 32 | * 3. Testing addition of sk_policy's with security context via setsockopt |
| 33 | */ |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 34 | #include <linux/kernel.h> |
| 35 | #include <linux/init.h> |
| 36 | #include <linux/security.h> |
| 37 | #include <linux/types.h> |
| 38 | #include <linux/netfilter.h> |
| 39 | #include <linux/netfilter_ipv4.h> |
| 40 | #include <linux/netfilter_ipv6.h> |
Tejun Heo | 5a0e3ad | 2010-03-24 17:04:11 +0900 | [diff] [blame] | 41 | #include <linux/slab.h> |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 42 | #include <linux/ip.h> |
| 43 | #include <linux/tcp.h> |
| 44 | #include <linux/skbuff.h> |
| 45 | #include <linux/xfrm.h> |
| 46 | #include <net/xfrm.h> |
| 47 | #include <net/checksum.h> |
| 48 | #include <net/udp.h> |
Arun Sharma | 60063497 | 2011-07-26 16:09:06 -0700 | [diff] [blame] | 49 | #include <linux/atomic.h> |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 50 | |
| 51 | #include "avc.h" |
| 52 | #include "objsec.h" |
| 53 | #include "xfrm.h" |
| 54 | |
Paul Moore | d621d35 | 2008-01-29 08:43:36 -0500 | [diff] [blame] | 55 | /* Labeled XFRM instance counter */ |
| 56 | atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 57 | |
| 58 | /* |
Paul Moore | 4baabee | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 59 | * Returns true if the context is an LSM/SELinux context. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 60 | */ |
| 61 | static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) |
| 62 | { |
| 63 | return (ctx && |
| 64 | (ctx->ctx_doi == XFRM_SC_DOI_LSM) && |
| 65 | (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); |
| 66 | } |
| 67 | |
| 68 | /* |
Paul Moore | 4baabee | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 69 | * Returns true if the xfrm contains a security blob for SELinux. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 70 | */ |
| 71 | static inline int selinux_authorizable_xfrm(struct xfrm_state *x) |
| 72 | { |
| 73 | return selinux_authorizable_ctx(x->security); |
| 74 | } |
| 75 | |
| 76 | /* |
Paul Moore | 2e5aa86 | 2013-07-23 17:38:38 -0400 | [diff] [blame] | 77 | * Allocates a xfrm_sec_state and populates it using the supplied security |
| 78 | * xfrm_user_sec_ctx context. |
| 79 | */ |
| 80 | static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, |
| 81 | struct xfrm_user_sec_ctx *uctx) |
| 82 | { |
| 83 | int rc; |
| 84 | const struct task_security_struct *tsec = current_security(); |
| 85 | struct xfrm_sec_ctx *ctx = NULL; |
| 86 | u32 str_len; |
| 87 | |
| 88 | if (ctxp == NULL || uctx == NULL || |
| 89 | uctx->ctx_doi != XFRM_SC_DOI_LSM || |
| 90 | uctx->ctx_alg != XFRM_SC_ALG_SELINUX) |
| 91 | return -EINVAL; |
| 92 | |
| 93 | str_len = uctx->ctx_len; |
| 94 | if (str_len >= PAGE_SIZE) |
| 95 | return -ENOMEM; |
| 96 | |
| 97 | ctx = kmalloc(sizeof(*ctx) + str_len + 1, GFP_KERNEL); |
| 98 | if (!ctx) |
| 99 | return -ENOMEM; |
| 100 | |
| 101 | ctx->ctx_doi = XFRM_SC_DOI_LSM; |
| 102 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; |
| 103 | ctx->ctx_len = str_len; |
| 104 | memcpy(ctx->ctx_str, &uctx[1], str_len); |
| 105 | ctx->ctx_str[str_len] = '\0'; |
| 106 | rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid); |
| 107 | if (rc) |
| 108 | goto err; |
| 109 | |
| 110 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
| 111 | SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL); |
| 112 | if (rc) |
| 113 | goto err; |
| 114 | |
| 115 | *ctxp = ctx; |
| 116 | atomic_inc(&selinux_xfrm_refcount); |
| 117 | return 0; |
| 118 | |
| 119 | err: |
| 120 | kfree(ctx); |
| 121 | return rc; |
| 122 | } |
| 123 | |
| 124 | /* |
Paul Moore | ccf17cc | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 125 | * Free the xfrm_sec_ctx structure. |
| 126 | */ |
| 127 | static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx) |
| 128 | { |
| 129 | if (!ctx) |
| 130 | return; |
| 131 | |
| 132 | atomic_dec(&selinux_xfrm_refcount); |
| 133 | kfree(ctx); |
| 134 | } |
| 135 | |
| 136 | /* |
| 137 | * Authorize the deletion of a labeled SA or policy rule. |
| 138 | */ |
| 139 | static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) |
| 140 | { |
| 141 | const struct task_security_struct *tsec = current_security(); |
| 142 | |
| 143 | if (!ctx) |
| 144 | return 0; |
| 145 | |
| 146 | return avc_has_perm(tsec->sid, ctx->ctx_sid, |
| 147 | SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, |
| 148 | NULL); |
| 149 | } |
| 150 | |
| 151 | /* |
Paul Moore | 4baabee | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 152 | * LSM hook implementation that authorizes that a flow can use a xfrm policy |
| 153 | * rule. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 154 | */ |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 155 | int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 156 | { |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 157 | int rc; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 158 | |
Paul Moore | 9648434 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 159 | /* All flows should be treated as polmatch'ing an otherwise applicable |
| 160 | * "non-labeled" policy. This would prevent inadvertent "leaks". */ |
| 161 | if (!ctx) |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 162 | return 0; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 163 | |
Paul Moore | 9648434 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 164 | /* Context sid is either set to label or ANY_ASSOC */ |
| 165 | if (!selinux_authorizable_ctx(ctx)) |
| 166 | return -EINVAL; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 167 | |
Paul Moore | 9648434 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 168 | rc = avc_has_perm(fl_secid, ctx->ctx_sid, |
| 169 | SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL); |
| 170 | return (rc == -EACCES ? -ESRCH : rc); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 171 | } |
| 172 | |
| 173 | /* |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 174 | * LSM hook implementation that authorizes that a state matches |
| 175 | * the given policy, flow combo. |
| 176 | */ |
Paul Moore | 9648434 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 177 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, |
| 178 | struct xfrm_policy *xp, |
| 179 | const struct flowi *fl) |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 180 | { |
| 181 | u32 state_sid; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 182 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 183 | if (!xp->security) |
Venkat Yekkirala | 5b368e6 | 2006-10-05 15:42:18 -0500 | [diff] [blame] | 184 | if (x->security) |
| 185 | /* unlabeled policy and labeled SA can't match */ |
| 186 | return 0; |
| 187 | else |
| 188 | /* unlabeled policy and unlabeled SA match all flows */ |
| 189 | return 1; |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 190 | else |
| 191 | if (!x->security) |
| 192 | /* unlabeled SA and labeled policy can't match */ |
| 193 | return 0; |
| 194 | else |
| 195 | if (!selinux_authorizable_xfrm(x)) |
| 196 | /* Not a SELinux-labeled SA */ |
| 197 | return 0; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 198 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 199 | state_sid = x->security->ctx_sid; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 200 | |
David S. Miller | 1d28f42 | 2011-03-12 00:29:39 -0500 | [diff] [blame] | 201 | if (fl->flowi_secid != state_sid) |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 202 | return 0; |
| 203 | |
Paul Moore | 9648434 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 204 | /* We don't need a separate SA Vs. policy polmatch check since the SA |
| 205 | * is now of the same label as the flow and a flow Vs. policy polmatch |
| 206 | * check had already happened in selinux_xfrm_policy_lookup() above. */ |
| 207 | return (avc_has_perm(fl->flowi_secid, state_sid, |
| 208 | SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, |
| 209 | NULL) ? 0 : 1); |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 210 | } |
| 211 | |
Paul Moore | 817eff7 | 2013-12-10 14:57:54 -0500 | [diff] [blame] | 212 | static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb) |
| 213 | { |
| 214 | struct dst_entry *dst = skb_dst(skb); |
| 215 | struct xfrm_state *x; |
| 216 | |
| 217 | if (dst == NULL) |
| 218 | return SECSID_NULL; |
| 219 | x = dst->xfrm; |
| 220 | if (x == NULL || !selinux_authorizable_xfrm(x)) |
| 221 | return SECSID_NULL; |
| 222 | |
| 223 | return x->security->ctx_sid; |
| 224 | } |
| 225 | |
| 226 | static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb, |
| 227 | u32 *sid, int ckall) |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 228 | { |
Paul Moore | e219369 | 2013-07-23 17:38:40 -0400 | [diff] [blame] | 229 | u32 sid_session = SECSID_NULL; |
Paul Moore | 817eff7 | 2013-12-10 14:57:54 -0500 | [diff] [blame] | 230 | struct sec_path *sp = skb->sp; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 231 | |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 232 | if (sp) { |
Paul Moore | e219369 | 2013-07-23 17:38:40 -0400 | [diff] [blame] | 233 | int i; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 234 | |
Paul Moore | e219369 | 2013-07-23 17:38:40 -0400 | [diff] [blame] | 235 | for (i = sp->len - 1; i >= 0; i--) { |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 236 | struct xfrm_state *x = sp->xvec[i]; |
| 237 | if (selinux_authorizable_xfrm(x)) { |
| 238 | struct xfrm_sec_ctx *ctx = x->security; |
| 239 | |
Paul Moore | e219369 | 2013-07-23 17:38:40 -0400 | [diff] [blame] | 240 | if (sid_session == SECSID_NULL) { |
| 241 | sid_session = ctx->ctx_sid; |
Venkat Yekkirala | beb8d13 | 2006-08-04 23:12:42 -0700 | [diff] [blame] | 242 | if (!ckall) |
Paul Moore | e219369 | 2013-07-23 17:38:40 -0400 | [diff] [blame] | 243 | goto out; |
| 244 | } else if (sid_session != ctx->ctx_sid) { |
| 245 | *sid = SECSID_NULL; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 246 | return -EINVAL; |
Paul Moore | e219369 | 2013-07-23 17:38:40 -0400 | [diff] [blame] | 247 | } |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 248 | } |
| 249 | } |
| 250 | } |
| 251 | |
Paul Moore | e219369 | 2013-07-23 17:38:40 -0400 | [diff] [blame] | 252 | out: |
| 253 | *sid = sid_session; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 254 | return 0; |
| 255 | } |
| 256 | |
| 257 | /* |
Paul Moore | 817eff7 | 2013-12-10 14:57:54 -0500 | [diff] [blame] | 258 | * LSM hook implementation that checks and/or returns the xfrm sid for the |
| 259 | * incoming packet. |
| 260 | */ |
| 261 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) |
| 262 | { |
| 263 | if (skb == NULL) { |
| 264 | *sid = SECSID_NULL; |
| 265 | return 0; |
| 266 | } |
| 267 | return selinux_xfrm_skb_sid_ingress(skb, sid, ckall); |
| 268 | } |
| 269 | |
| 270 | int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid) |
| 271 | { |
| 272 | int rc; |
| 273 | |
| 274 | rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0); |
| 275 | if (rc == 0 && *sid == SECSID_NULL) |
| 276 | *sid = selinux_xfrm_skb_sid_egress(skb); |
| 277 | |
| 278 | return rc; |
| 279 | } |
| 280 | |
| 281 | /* |
Paul Moore | 4baabee | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 282 | * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 283 | */ |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 284 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, |
| 285 | struct xfrm_user_sec_ctx *uctx) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 286 | { |
Paul Moore | 2e5aa86 | 2013-07-23 17:38:38 -0400 | [diff] [blame] | 287 | return selinux_xfrm_alloc_user(ctxp, uctx); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 288 | } |
| 289 | |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 290 | /* |
Paul Moore | 4baabee | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 291 | * LSM hook implementation that copies security data structure from old to new |
| 292 | * for policy cloning. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 293 | */ |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 294 | int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, |
| 295 | struct xfrm_sec_ctx **new_ctxp) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 296 | { |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 297 | struct xfrm_sec_ctx *new_ctx; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 298 | |
Paul Moore | ccf17cc | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 299 | if (!old_ctx) |
| 300 | return 0; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 301 | |
Duan Jiong | 7d1db4b | 2013-09-26 15:52:13 -0400 | [diff] [blame] | 302 | new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len, |
| 303 | GFP_ATOMIC); |
Paul Moore | ccf17cc | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 304 | if (!new_ctx) |
| 305 | return -ENOMEM; |
Paul Moore | ccf17cc | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 306 | atomic_inc(&selinux_xfrm_refcount); |
| 307 | *new_ctxp = new_ctx; |
| 308 | |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 309 | return 0; |
| 310 | } |
| 311 | |
| 312 | /* |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 313 | * LSM hook implementation that frees xfrm_sec_ctx security information. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 314 | */ |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 315 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 316 | { |
Paul Moore | ccf17cc | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 317 | selinux_xfrm_free(ctx); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 318 | } |
| 319 | |
| 320 | /* |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 321 | * LSM hook implementation that authorizes deletion of labeled policies. |
| 322 | */ |
Paul Moore | 03e1ad7 | 2008-04-12 19:07:52 -0700 | [diff] [blame] | 323 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 324 | { |
Paul Moore | ccf17cc | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 325 | return selinux_xfrm_delete(ctx); |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 326 | } |
| 327 | |
| 328 | /* |
Paul Moore | 2e5aa86 | 2013-07-23 17:38:38 -0400 | [diff] [blame] | 329 | * LSM hook implementation that allocates a xfrm_sec_state, populates it using |
| 330 | * the supplied security context, and assigns it to the xfrm_state. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 331 | */ |
Paul Moore | 2e5aa86 | 2013-07-23 17:38:38 -0400 | [diff] [blame] | 332 | int selinux_xfrm_state_alloc(struct xfrm_state *x, |
| 333 | struct xfrm_user_sec_ctx *uctx) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 334 | { |
Paul Moore | 2e5aa86 | 2013-07-23 17:38:38 -0400 | [diff] [blame] | 335 | return selinux_xfrm_alloc_user(&x->security, uctx); |
| 336 | } |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 337 | |
Paul Moore | 2e5aa86 | 2013-07-23 17:38:38 -0400 | [diff] [blame] | 338 | /* |
| 339 | * LSM hook implementation that allocates a xfrm_sec_state and populates based |
| 340 | * on a secid. |
| 341 | */ |
| 342 | int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, |
| 343 | struct xfrm_sec_ctx *polsec, u32 secid) |
| 344 | { |
| 345 | int rc; |
| 346 | struct xfrm_sec_ctx *ctx; |
| 347 | char *ctx_str = NULL; |
| 348 | int str_len; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 349 | |
Paul Moore | 2e5aa86 | 2013-07-23 17:38:38 -0400 | [diff] [blame] | 350 | if (!polsec) |
| 351 | return 0; |
| 352 | |
| 353 | if (secid == 0) |
| 354 | return -EINVAL; |
| 355 | |
| 356 | rc = security_sid_to_context(secid, &ctx_str, &str_len); |
| 357 | if (rc) |
| 358 | return rc; |
| 359 | |
| 360 | ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC); |
Geyslan G. Bem | 0af9016 | 2013-12-04 16:10:24 -0500 | [diff] [blame] | 361 | if (!ctx) { |
| 362 | rc = -ENOMEM; |
| 363 | goto out; |
| 364 | } |
Paul Moore | 2e5aa86 | 2013-07-23 17:38:38 -0400 | [diff] [blame] | 365 | |
| 366 | ctx->ctx_doi = XFRM_SC_DOI_LSM; |
| 367 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; |
| 368 | ctx->ctx_sid = secid; |
| 369 | ctx->ctx_len = str_len; |
| 370 | memcpy(ctx->ctx_str, ctx_str, str_len); |
Paul Moore | 2e5aa86 | 2013-07-23 17:38:38 -0400 | [diff] [blame] | 371 | |
| 372 | x->security = ctx; |
| 373 | atomic_inc(&selinux_xfrm_refcount); |
Geyslan G. Bem | 0af9016 | 2013-12-04 16:10:24 -0500 | [diff] [blame] | 374 | out: |
| 375 | kfree(ctx_str); |
| 376 | return rc; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 377 | } |
| 378 | |
| 379 | /* |
| 380 | * LSM hook implementation that frees xfrm_state security information. |
| 381 | */ |
| 382 | void selinux_xfrm_state_free(struct xfrm_state *x) |
| 383 | { |
Paul Moore | ccf17cc | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 384 | selinux_xfrm_free(x->security); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 385 | } |
| 386 | |
Paul Moore | 4baabee | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 387 | /* |
| 388 | * LSM hook implementation that authorizes deletion of labeled SAs. |
| 389 | */ |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 390 | int selinux_xfrm_state_delete(struct xfrm_state *x) |
| 391 | { |
Paul Moore | ccf17cc | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 392 | return selinux_xfrm_delete(x->security); |
Catherine Zhang | c8c05a8 | 2006-06-08 23:39:49 -0700 | [diff] [blame] | 393 | } |
| 394 | |
Catherine Zhang | 2c7946a | 2006-03-20 22:41:23 -0800 | [diff] [blame] | 395 | /* |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 396 | * LSM hook that controls access to unlabelled packets. If |
| 397 | * a xfrm_state is authorizable (defined by macro) then it was |
| 398 | * already authorized by the IPSec process. If not, then |
| 399 | * we need to check for unlabelled access since this may not have |
| 400 | * gone thru the IPSec process. |
| 401 | */ |
Paul Moore | eef9b41 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 402 | int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb, |
| 403 | struct common_audit_data *ad) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 404 | { |
Paul Moore | eef9b41 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 405 | int i; |
| 406 | struct sec_path *sp = skb->sp; |
| 407 | u32 peer_sid = SECINITSID_UNLABELED; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 408 | |
| 409 | if (sp) { |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 410 | for (i = 0; i < sp->len; i++) { |
Dave Jones | 6764472 | 2006-04-02 23:34:19 -0700 | [diff] [blame] | 411 | struct xfrm_state *x = sp->xvec[i]; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 412 | |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 413 | if (x && selinux_authorizable_xfrm(x)) { |
| 414 | struct xfrm_sec_ctx *ctx = x->security; |
Paul Moore | eef9b41 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 415 | peer_sid = ctx->ctx_sid; |
Venkat Yekkirala | e0d1caa | 2006-07-24 23:29:07 -0700 | [diff] [blame] | 416 | break; |
| 417 | } |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 418 | } |
| 419 | } |
| 420 | |
Paul Moore | eef9b41 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 421 | /* This check even when there's no association involved is intended, |
| 422 | * according to Trent Jaeger, to make sure a process can't engage in |
| 423 | * non-IPsec communication unless explicitly allowed by policy. */ |
| 424 | return avc_has_perm(sk_sid, peer_sid, |
| 425 | SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 426 | } |
| 427 | |
| 428 | /* |
| 429 | * POSTROUTE_LAST hook's XFRM processing: |
| 430 | * If we have no security association, then we need to determine |
| 431 | * whether the socket is allowed to send to an unlabelled destination. |
| 432 | * If we do have a authorizable security association, then it has already been |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 433 | * checked in the selinux_xfrm_state_pol_flow_match hook above. |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 434 | */ |
Paul Moore | eef9b41 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 435 | int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, |
| 436 | struct common_audit_data *ad, u8 proto) |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 437 | { |
| 438 | struct dst_entry *dst; |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 439 | |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 440 | switch (proto) { |
| 441 | case IPPROTO_AH: |
| 442 | case IPPROTO_ESP: |
| 443 | case IPPROTO_COMP: |
Paul Moore | eef9b41 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 444 | /* We should have already seen this packet once before it |
| 445 | * underwent xfrm(s). No need to subject it to the unlabeled |
| 446 | * check. */ |
| 447 | return 0; |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 448 | default: |
| 449 | break; |
| 450 | } |
| 451 | |
Paul Moore | eef9b41 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 452 | dst = skb_dst(skb); |
| 453 | if (dst) { |
| 454 | struct dst_entry *iter; |
Venkat Yekkirala | 67f83cb | 2006-11-08 17:04:26 -0600 | [diff] [blame] | 455 | |
Paul Moore | eef9b41 | 2013-07-23 17:38:39 -0400 | [diff] [blame] | 456 | for (iter = dst; iter != NULL; iter = iter->child) { |
| 457 | struct xfrm_state *x = iter->xfrm; |
| 458 | |
| 459 | if (x && selinux_authorizable_xfrm(x)) |
| 460 | return 0; |
| 461 | } |
| 462 | } |
| 463 | |
| 464 | /* This check even when there's no association involved is intended, |
| 465 | * according to Trent Jaeger, to make sure a process can't engage in |
| 466 | * non-IPsec communication unless explicitly allowed by policy. */ |
| 467 | return avc_has_perm(sk_sid, SECINITSID_UNLABELED, |
| 468 | SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad); |
Trent Jaeger | d28d1e0 | 2005-12-13 23:12:40 -0800 | [diff] [blame] | 469 | } |