1 | /* |
2 | * SELinux support for the XFRM LSM hooks | |
3 | * | |
4 | * Author : Trent Jaeger, <jaegert@us.ibm.com> | |
e0d1caa7 | 5 | * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com> |
6 | */ |
7 | #ifndef _SELINUX_XFRM_H_ | |
8 | #define _SELINUX_XFRM_H_ | |
10 | #include <net/flow.h> |
/*
 * Policy security-context lifecycle. selinux_xfrm_policy_alloc() produces a
 * kernel-side xfrm_sec_ctx (handed back through *ctxp) from a context given in
 * the xfrm_user_sec_ctx form; clone/free/delete operate on that kernel object.
 * Ownership of *ctxp and the meaning of the int status are fixed by the
 * implementation, not by this header — confirm there before relying on them.
 */
int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
			      struct xfrm_user_sec_ctx *sec_ctx);
int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
			      struct xfrm_sec_ctx **new_ctxp);
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
/*
 * xfrm_state counterparts of the above; state_alloc additionally receives a
 * SELinux secid (u32).
 */
int selinux_xfrm_state_alloc(struct xfrm_state *x,
			     struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
void selinux_xfrm_state_free(struct xfrm_state *x);
int selinux_xfrm_state_delete(struct xfrm_state *x);
/*
 * Access checks. From their names and parameters these appear to decide
 * whether flow secid fl_secid may use policy context ctx in direction dir,
 * and whether state x satisfies policy xp for flow fl — confirm against the
 * implementation; the int return is a status code defined there.
 */
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
				      struct xfrm_policy *xp, const struct flowi *fl);
/*
 * Return the inode security blob that belongs to sk. The blob does not hang
 * off the sock itself but off the inode of its owning socket, so a sock that
 * is not (or no longer) attached to a socket yields NULL — callers must
 * check for that.
 */
static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
{
	struct socket *owner = sk->sk_socket;

	if (owner == NULL)
		return NULL;

	return SOCK_INODE(owner)->i_security;
}
d28d1e08 | 37 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
/*
 * Read by selinux_xfrm_enabled() below; presumably counts XFRM policies/states
 * that carry a SELinux context. Whatever increments and decrements it lives
 * outside this header — confirm there.
 */
extern atomic_t selinux_xfrm_refcount;
/*
 * Non-zero while selinux_xfrm_refcount is positive, i.e. while at least one
 * XFRM object with a SELinux context is presumably outstanding. The read is a
 * plain atomic snapshot; the value may change immediately afterwards.
 */
static inline int selinux_xfrm_enabled(void)
{
	int outstanding = atomic_read(&selinux_xfrm_refcount);

	return outstanding > 0;
}
/*
 * Packet-path checks, only present with CONFIG_SECURITY_NETWORK_XFRM. By their
 * names, the receive-side check for a socket with SID sid and the post-routing
 * check for an inode SID isec_sid and IP protocol proto; ad is the audit
 * record the check reports into. The !XFRM stubs below return 0
 * unconditionally, so callers cannot infer from a 0 that a policy was
 * actually consulted.
 */
int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
			      struct common_audit_data *ad);
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
				struct common_audit_data *ad, u8 proto);
/*
 * Derive a SID for skb into *sid. The !XFRM stub stores SECSID_NULL, so that
 * value must be handled by every caller. The meaning of ckall is not visible
 * in this header — confirm in the implementation.
 */
int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
/*
 * Policy-load notification (per its name). Bumps the global flow-cache
 * generation and the routing generation of init_net; presumably this forces
 * cached flow and route lookups to be re-validated against the new policy —
 * confirm against the users of flow_cache_genid. Note that only init_net's
 * route generation is bumped here.
 */
static inline void selinux_xfrm_notify_policyload(void)
{
	atomic_inc(&flow_cache_genid);
	rt_genid_bump(&init_net);
}
d28d1e08 | 56 | #else |
/* !CONFIG_SECURITY_NETWORK_XFRM: XFRM labeling is compiled out, never enabled. */
static inline int selinux_xfrm_enabled(void)
{
	return 0;
}
/*
 * !CONFIG_SECURITY_NETWORK_XFRM stub: returns 0 unconditionally, i.e. never
 * denies. The first parameter is named isec_sid here but sid in the real
 * declaration above; the types agree, so the difference is cosmetic.
 */
static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
					    struct common_audit_data *ad)
{
	return 0;
}
/* !CONFIG_SECURITY_NETWORK_XFRM stub: returns 0 unconditionally, never denies. */
static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
					      struct common_audit_data *ad, u8 proto)
{
	return 0;
}
/*
 * !CONFIG_SECURITY_NETWORK_XFRM stub: reports success (0) but no SID. Callers
 * such as selinux_skb_xfrm_sid() below must treat *sid == SECSID_NULL as a
 * normal outcome, not as an error.
 */
static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
{
	*sid = SECSID_NULL;
	return 0;
}
/* !CONFIG_SECURITY_NETWORK_XFRM stub: no XFRM caches to invalidate. */
static inline void selinux_xfrm_notify_policyload(void)
{
}
83 | #endif |
/*
 * Decode the XFRM session SID of skb into *sid with ckall = 0. A non-zero
 * status from selinux_xfrm_decode_session() is not propagated: it trips
 * BUG_ON(), so this wrapper presumably relies on the implementation never
 * failing for ckall = 0 — confirm before using it on a new path. With XFRM
 * support compiled out, *sid is SECSID_NULL and no error is raised.
 */
static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
{
	BUG_ON(selinux_xfrm_decode_session(skb, sid, 0));
}
d28d1e08 | 91 | #endif /* _SELINUX_XFRM_H_ */ |