[deliverable/linux.git] / security / selinux / xfrm.c

/*
 *  NSA Security-Enhanced Linux (SELinux) security module
 *
 *  This file contains the SELinux XFRM hook function implementations.
 *
 *  Authors:  Serge Hallyn <sergeh@us.ibm.com>
 *	      Trent Jaeger <jaegert@us.ibm.com>
 *
 *  Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
 *
 *           Granular IPSec Associations for use in MLS environments.
 *
 *  Copyright (C) 2005 International Business Machines Corporation
 *  Copyright (C) 2006 Trusted Computer Solutions, Inc.
 *
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License version 2,
 *	as published by the Free Software Foundation.
 */

/*
 * USAGE:
 * NOTES:
 *   1. Make sure to enable the following options in your kernel config:
 *	CONFIG_SECURITY=y
 *	CONFIG_SECURITY_NETWORK=y
 *	CONFIG_SECURITY_NETWORK_XFRM=y
 *	CONFIG_SECURITY_SELINUX=m/y
 * ISSUES:
 *   1. Caching packets, so they are not dropped during negotiation
 *   2. Emulating a reasonable SO_PEERSEC across machines
 *   3. Testing addition of sk_policy's with security context via setsockopt
 */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/security.h>
#include <linux/types.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/skbuff.h>
#include <linux/xfrm.h>
#include <net/xfrm.h>
#include <net/checksum.h>
#include <net/udp.h>
#include <asm/semaphore.h>

#include "avc.h"
#include "objsec.h"
#include "xfrm.h"


/*
 * Returns true if an LSM/SELinux context
 */
static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
{
	return (ctx &&
		(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
		(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
}

/*
 * Returns true if the xfrm contains a security blob for SELinux
 */
static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
{
	return selinux_authorizable_ctx(x->security);
}

/*
 * LSM hook implementation that authorizes that a flow can use
 * a xfrm policy rule.
 */
int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
{
	int rc = 0;
	u32 sel_sid = SECINITSID_UNLABELED;
	struct xfrm_sec_ctx *ctx;

	/* Context sid is either set to label or ANY_ASSOC */
	if ((ctx = xp->security)) {
		if (!selinux_authorizable_ctx(ctx))
			return -EINVAL;

		sel_sid = ctx->ctx_sid;
	}

	rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__POLMATCH,
			  NULL);

	return rc;
}

/*
 * LSM hook implementation that authorizes that a state matches
 * the given policy, flow combo.
 */

int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
			struct flowi *fl)
{
	u32 state_sid;
	u32 pol_sid;
	int err;

	if (x->security)
		state_sid = x->security->ctx_sid;
	else
		state_sid = SECINITSID_UNLABELED;

	if (xp->security)
		pol_sid = xp->security->ctx_sid;
	else
		pol_sid = SECINITSID_UNLABELED;

	err = avc_has_perm(state_sid, pol_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__POLMATCH,
			  NULL);

	if (err)
		return 0;

	return selinux_xfrm_flow_state_match(fl, x);
}

/*
 * LSM hook implementation that authorizes that a particular outgoing flow
 * can use a given security association.
 */

int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm)
{
	int rc = 0;
	u32 sel_sid = SECINITSID_UNLABELED;
	struct xfrm_sec_ctx *ctx;

	/* Context sid is either set to label or ANY_ASSOC */
	if ((ctx = xfrm->security)) {
		if (!selinux_authorizable_ctx(ctx))
			return 0;

		sel_sid = ctx->ctx_sid;
	}

	rc = avc_has_perm(fl->secid, sel_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__SENDTO,
			  NULL)? 0:1;

	return rc;
}

/*
 * LSM hook implementation that determines the sid for the session.
 */

int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
{
	struct sec_path *sp;

	fl->secid = SECSID_NULL;

	if (skb == NULL)
		return 0;

	sp = skb->sp;
	if (sp) {
		int i, sid_set = 0;

		for (i = sp->len-1; i >= 0; i--) {
			struct xfrm_state *x = sp->xvec[i];
			if (selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;

				if (!sid_set) {
					fl->secid = ctx->ctx_sid;
					sid_set = 1;
				}
				else if (fl->secid != ctx->ctx_sid)
					return -EINVAL;
			}
		}
	}

	return 0;
}

/*
 * Security blob allocation for xfrm_policy and xfrm_state
 * CTX does not have a meaningful value on input
 */
static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
	struct xfrm_user_sec_ctx *uctx, struct xfrm_sec_ctx *pol, u32 sid)
{
	int rc = 0;
	struct task_security_struct *tsec = current->security;
	struct xfrm_sec_ctx *ctx = NULL;
	char *ctx_str = NULL;
	u32 str_len;
	u32 ctx_sid;

	BUG_ON(uctx && pol);

	if (pol)
		goto from_policy;

	BUG_ON(!uctx);

	if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
		return -EINVAL;

	if (uctx->ctx_len >= PAGE_SIZE)
		return -ENOMEM;

	*ctxp = ctx = kmalloc(sizeof(*ctx) +
			      uctx->ctx_len,
			      GFP_KERNEL);

	if (!ctx)
		return -ENOMEM;

	ctx->ctx_doi = uctx->ctx_doi;
	ctx->ctx_len = uctx->ctx_len;
	ctx->ctx_alg = uctx->ctx_alg;

	memcpy(ctx->ctx_str,
	       uctx+1,
	       ctx->ctx_len);
	rc = security_context_to_sid(ctx->ctx_str,
				     ctx->ctx_len,
				     &ctx->ctx_sid);

	if (rc)
		goto out;

	/*
	 * Does the subject have permission to set security context?
	 */
	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
			  SECCLASS_ASSOCIATION,
			  ASSOCIATION__SETCONTEXT, NULL);
	if (rc)
		goto out;

	return rc;

from_policy:
	BUG_ON(!pol);
	rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid);
	if (rc)
		goto out;

	rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len);
	if (rc)
		goto out;

	*ctxp = ctx = kmalloc(sizeof(*ctx) +
			      str_len,
			      GFP_ATOMIC);

	if (!ctx) {
		rc = -ENOMEM;
		goto out;
	}


	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	ctx->ctx_sid = ctx_sid;
	ctx->ctx_len = str_len;
	memcpy(ctx->ctx_str,
	       ctx_str,
	       str_len);

	goto out2;

out:
	*ctxp = NULL;
	kfree(ctx);
out2:
	kfree(ctx_str);
	return rc;
}

/*
 * LSM hook implementation that allocs and transfers uctx spec to
 * xfrm_policy.
 */
int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *uctx)
{
	int err;

	BUG_ON(!xp);

	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, 0);
	return err;
}


/*
 * LSM hook implementation that copies security data structure from old to
 * new for policy cloning.
 */
int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
{
	struct xfrm_sec_ctx *old_ctx, *new_ctx;

	old_ctx = old->security;

	if (old_ctx) {
		new_ctx = new->security = kmalloc(sizeof(*new_ctx) +
						  old_ctx->ctx_len,
						  GFP_KERNEL);

		if (!new_ctx)
			return -ENOMEM;

		memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
		memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
	}
	return 0;
}

/*
 * LSM hook implementation that frees xfrm_policy security information.
 */
void selinux_xfrm_policy_free(struct xfrm_policy *xp)
{
	struct xfrm_sec_ctx *ctx = xp->security;
	if (ctx)
		kfree(ctx);
}

/*
 * LSM hook implementation that authorizes deletion of labeled policies.
 */
int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
{
	struct task_security_struct *tsec = current->security;
	struct xfrm_sec_ctx *ctx = xp->security;
	int rc = 0;

	if (ctx)
		rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
				  SECCLASS_ASSOCIATION,
				  ASSOCIATION__SETCONTEXT, NULL);

	return rc;
}

/*
 * LSM hook implementation that allocs and transfers sec_ctx spec to
 * xfrm_state.
 */
int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx,
		struct xfrm_sec_ctx *pol, u32 secid)
{
	int err;

	BUG_ON(!x);

	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, pol, secid);
	return err;
}

/*
 * LSM hook implementation that frees xfrm_state security information.
 */
void selinux_xfrm_state_free(struct xfrm_state *x)
{
	struct xfrm_sec_ctx *ctx = x->security;
	if (ctx)
		kfree(ctx);
}

/*
 * SELinux internal function to retrieve the context of a connected
 * (sk->sk_state == TCP_ESTABLISHED) TCP socket based on its security
 * association used to connect to the remote socket.
 *
 * Retrieve via getsockopt SO_PEERSEC.
 */
u32 selinux_socket_getpeer_stream(struct sock *sk)
{
	struct dst_entry *dst, *dst_test;
	u32 peer_sid = SECSID_NULL;

	if (sk->sk_state != TCP_ESTABLISHED)
		goto out;

	dst = sk_dst_get(sk);
	if (!dst)
		goto out;

 	for (dst_test = dst; dst_test != 0;
      	     dst_test = dst_test->child) {
		struct xfrm_state *x = dst_test->xfrm;

 		if (x && selinux_authorizable_xfrm(x)) {
	 	 	struct xfrm_sec_ctx *ctx = x->security;
			peer_sid = ctx->ctx_sid;
			break;
		}
	}
	dst_release(dst);

out:
	return peer_sid;
}

/*
 * SELinux internal function to retrieve the context of a UDP packet
 * based on its security association used to connect to the remote socket.
 *
 * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
 * type SCM_SECURITY.
 */
u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
{
	struct sec_path *sp;

	if (skb == NULL)
		return SECSID_NULL;

	if (skb->sk->sk_protocol != IPPROTO_UDP)
		return SECSID_NULL;

	sp = skb->sp;
	if (sp) {
		int i;

		for (i = sp->len-1; i >= 0; i--) {
			struct xfrm_state *x = sp->xvec[i];
			if (selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;
				return ctx->ctx_sid;
			}
		}
	}

	return SECSID_NULL;
}

 /*
  * LSM hook implementation that authorizes deletion of labeled SAs.
  */
int selinux_xfrm_state_delete(struct xfrm_state *x)
{
	struct task_security_struct *tsec = current->security;
	struct xfrm_sec_ctx *ctx = x->security;
	int rc = 0;

	if (ctx)
		rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
				  SECCLASS_ASSOCIATION,
				  ASSOCIATION__SETCONTEXT, NULL);

	return rc;
}

/*
 * LSM hook that controls access to unlabelled packets.  If
 * a xfrm_state is authorizable (defined by macro) then it was
 * already authorized by the IPSec process.  If not, then
 * we need to check for unlabelled access since this may not have
 * gone thru the IPSec process.
 */
int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
				struct avc_audit_data *ad)
{
	int i, rc = 0;
	struct sec_path *sp;
	u32 sel_sid = SECINITSID_UNLABELED;

	sp = skb->sp;

	if (sp) {
		for (i = 0; i < sp->len; i++) {
			struct xfrm_state *x = sp->xvec[i];

			if (x && selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;
				sel_sid = ctx->ctx_sid;
				break;
			}
		}
	}

	rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__RECVFROM, ad);

	return rc;
}

/*
 * POSTROUTE_LAST hook's XFRM processing:
 * If we have no security association, then we need to determine
 * whether the socket is allowed to send to an unlabelled destination.
 * If we do have a authorizable security association, then it has already been
 * checked in xfrm_policy_lookup hook.
 */
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
					struct avc_audit_data *ad)
{
	struct dst_entry *dst;
	int rc = 0;

	dst = skb->dst;

	if (dst) {
		struct dst_entry *dst_test;

		for (dst_test = dst; dst_test != 0;
		     dst_test = dst_test->child) {
			struct xfrm_state *x = dst_test->xfrm;

			if (x && selinux_authorizable_xfrm(x))
				goto out;
		}
	}

	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
			  ASSOCIATION__SENDTO, ad);
out:
	return rc;
}
Commit	Line	Data
d28d1e08 TJ	1	/*
	2	* NSA Security-Enhanced Linux (SELinux) security module
	3	*
	4	* This file contains the SELinux XFRM hook function implementations.
	5	*
	6	* Authors: Serge Hallyn <sergeh@us.ibm.com>
	7	* Trent Jaeger <jaegert@us.ibm.com>
	8	*
e0d1caa7 VY	9	* Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
	10	*
	11	* Granular IPSec Associations for use in MLS environments.
	12	*
d28d1e08	13	* Copyright (C) 2005 International Business Machines Corporation
e0d1caa7	14	* Copyright (C) 2006 Trusted Computer Solutions, Inc.
d28d1e08 TJ	15	*
	16	* This program is free software; you can redistribute it and/or modify
	17	* it under the terms of the GNU General Public License version 2,
	18	* as published by the Free Software Foundation.
	19	*/
	20
	21	/*
	22	* USAGE:
	23	* NOTES:
	24	* 1. Make sure to enable the following options in your kernel config:
	25	* CONFIG_SECURITY=y
	26	* CONFIG_SECURITY_NETWORK=y
	27	* CONFIG_SECURITY_NETWORK_XFRM=y
	28	* CONFIG_SECURITY_SELINUX=m/y
	29	* ISSUES:
	30	* 1. Caching packets, so they are not dropped during negotiation
	31	* 2. Emulating a reasonable SO_PEERSEC across machines
	32	* 3. Testing addition of sk_policy's with security context via setsockopt
	33	*/
d28d1e08 TJ	34	#include <linux/module.h>
	35	#include <linux/kernel.h>
	36	#include <linux/init.h>
	37	#include <linux/security.h>
	38	#include <linux/types.h>
	39	#include <linux/netfilter.h>
	40	#include <linux/netfilter_ipv4.h>
	41	#include <linux/netfilter_ipv6.h>
	42	#include <linux/ip.h>
	43	#include <linux/tcp.h>
	44	#include <linux/skbuff.h>
	45	#include <linux/xfrm.h>
	46	#include <net/xfrm.h>
	47	#include <net/checksum.h>
	48	#include <net/udp.h>
	49	#include <asm/semaphore.h>
	50
	51	#include "avc.h"
	52	#include "objsec.h"
	53	#include "xfrm.h"
	54
	55
	56	/*
	57	* Returns true if an LSM/SELinux context
	58	*/
	59	static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
	60	{
	61	return (ctx &&
	62	(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
	63	(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
	64	}
	65
	66	/*
	67	* Returns true if the xfrm contains a security blob for SELinux
	68	*/
	69	static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
	70	{
	71	return selinux_authorizable_ctx(x->security);
	72	}
	73
	74	/*
e0d1caa7 VY	75	* LSM hook implementation that authorizes that a flow can use
e0d1caa7 VY	76	* a xfrm policy rule.
d28d1e08	77	*/
e0d1caa7	78	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
d28d1e08 TJ	79	{
	80	int rc = 0;
	81	u32 sel_sid = SECINITSID_UNLABELED;
	82	struct xfrm_sec_ctx *ctx;
	83
	84	/* Context sid is either set to label or ANY_ASSOC */
	85	if ((ctx = xp->security)) {
	86	if (!selinux_authorizable_ctx(ctx))
	87	return -EINVAL;
	88
	89	sel_sid = ctx->ctx_sid;
	90	}
	91
e0d1caa7 VY	92	rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
e0d1caa7 VY	93	ASSOCIATION__POLMATCH,
d28d1e08 TJ	94	NULL);
	95
	96	return rc;
	97	}
	98
e0d1caa7 VY	99	/*
	100	* LSM hook implementation that authorizes that a state matches
	101	* the given policy, flow combo.
	102	*/
	103
	104	int selinux_xfrm_state_pol_flow_match(struct xfrm_state x, struct xfrm_policy xp,
	105	struct flowi *fl)
	106	{
	107	u32 state_sid;
	108	u32 pol_sid;
	109	int err;
	110
	111	if (x->security)
	112	state_sid = x->security->ctx_sid;
	113	else
	114	state_sid = SECINITSID_UNLABELED;
	115
	116	if (xp->security)
	117	pol_sid = xp->security->ctx_sid;
	118	else
	119	pol_sid = SECINITSID_UNLABELED;
	120
	121	err = avc_has_perm(state_sid, pol_sid, SECCLASS_ASSOCIATION,
	122	ASSOCIATION__POLMATCH,
	123	NULL);
	124
	125	if (err)
	126	return 0;
	127
	128	return selinux_xfrm_flow_state_match(fl, x);
	129	}
	130
	131	/*
	132	* LSM hook implementation that authorizes that a particular outgoing flow
	133	* can use a given security association.
	134	*/
	135
	136	int selinux_xfrm_flow_state_match(struct flowi fl, struct xfrm_state xfrm)
	137	{
	138	int rc = 0;
	139	u32 sel_sid = SECINITSID_UNLABELED;
	140	struct xfrm_sec_ctx *ctx;
	141
	142	/* Context sid is either set to label or ANY_ASSOC */
	143	if ((ctx = xfrm->security)) {
	144	if (!selinux_authorizable_ctx(ctx))
	145	return 0;
	146
	147	sel_sid = ctx->ctx_sid;
	148	}
	149
	150	rc = avc_has_perm(fl->secid, sel_sid, SECCLASS_ASSOCIATION,
	151	ASSOCIATION__SENDTO,
	152	NULL)? 0:1;
	153
	154	return rc;
	155	}
	156
	157	/*
	158	* LSM hook implementation that determines the sid for the session.
	159	*/
	160
	161	int selinux_xfrm_decode_session(struct sk_buff skb, struct flowi fl)
	162	{
163	struct sec_path *sp;
164
165	fl->secid = SECSID_NULL;
166
167	if (skb == NULL)
168	return 0;
169
170	sp = skb->sp;
171	if (sp) {
172	int i, sid_set = 0;
173
174	for (i = sp->len-1; i >= 0; i--) {
175	struct xfrm_state *x = sp->xvec[i];
176	if (selinux_authorizable_xfrm(x)) {
177	struct xfrm_sec_ctx *ctx = x->security;
178
179	if (!sid_set) {
180	fl->secid = ctx->ctx_sid;
181	sid_set = 1;
182	}
183	else if (fl->secid != ctx->ctx_sid)
184	return -EINVAL;
185	}
186	}
187	}
188
189	return 0;
190	}
191
d28d1e08 TJ	192	/*
	193	* Security blob allocation for xfrm_policy and xfrm_state
	194	* CTX does not have a meaningful value on input
	195	*/
e0d1caa7 VY	196	static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
e0d1caa7 VY	197	struct xfrm_user_sec_ctx uctx, struct xfrm_sec_ctx pol, u32 sid)
d28d1e08 TJ	198	{
	199	int rc = 0;
	200	struct task_security_struct *tsec = current->security;
e0d1caa7 VY	201	struct xfrm_sec_ctx *ctx = NULL;
	202	char *ctx_str = NULL;
	203	u32 str_len;
	204	u32 ctx_sid;
	205
	206	BUG_ON(uctx && pol);
	207
	208	if (pol)
	209	goto from_policy;
d28d1e08 TJ	210
d28d1e08 TJ	211	BUG_ON(!uctx);
e0d1caa7 VY	212
	213	if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
	214	return -EINVAL;
d28d1e08 TJ	215
	216	if (uctx->ctx_len >= PAGE_SIZE)
	217	return -ENOMEM;
	218
	219	ctxp = ctx = kmalloc(sizeof(ctx) +
	220	uctx->ctx_len,
	221	GFP_KERNEL);
	222
	223	if (!ctx)
	224	return -ENOMEM;
	225
	226	ctx->ctx_doi = uctx->ctx_doi;
	227	ctx->ctx_len = uctx->ctx_len;
	228	ctx->ctx_alg = uctx->ctx_alg;
	229
	230	memcpy(ctx->ctx_str,
	231	uctx+1,
	232	ctx->ctx_len);
	233	rc = security_context_to_sid(ctx->ctx_str,
	234	ctx->ctx_len,
	235	&ctx->ctx_sid);
	236
	237	if (rc)
	238	goto out;
	239
	240	/*
c8c05a8e	241	* Does the subject have permission to set security context?
d28d1e08	242	*/
d28d1e08 TJ	243	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
d28d1e08 TJ	244	SECCLASS_ASSOCIATION,
5f8ac64b	245	ASSOCIATION__SETCONTEXT, NULL);
d28d1e08 TJ	246	if (rc)
	247	goto out;
	248
	249	return rc;
	250
e0d1caa7 VY	251	from_policy:
	252	BUG_ON(!pol);
	253	rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid);
	254	if (rc)
	255	goto out;
	256
	257	rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len);
	258	if (rc)
	259	goto out;
	260
	261	ctxp = ctx = kmalloc(sizeof(ctx) +
	262	str_len,
	263	GFP_ATOMIC);
	264
	265	if (!ctx) {
	266	rc = -ENOMEM;
	267	goto out;
	268	}
	269
	270
	271	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	272	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	273	ctx->ctx_sid = ctx_sid;
	274	ctx->ctx_len = str_len;
	275	memcpy(ctx->ctx_str,
	276	ctx_str,
	277	str_len);
	278
	279	goto out2;
	280
d28d1e08	281	out:
ee2e6841	282	*ctxp = NULL;
d28d1e08	283	kfree(ctx);
e0d1caa7 VY	284	out2:
e0d1caa7 VY	285	kfree(ctx_str);
d28d1e08 TJ	286	return rc;
	287	}
	288
	289	/*
	290	* LSM hook implementation that allocs and transfers uctx spec to
	291	* xfrm_policy.
	292	*/
	293	int selinux_xfrm_policy_alloc(struct xfrm_policy xp, struct xfrm_user_sec_ctx uctx)
	294	{
	295	int err;
	296
	297	BUG_ON(!xp);
	298
e0d1caa7	299	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, 0);
d28d1e08 TJ	300	return err;
	301	}
	302
	303
	304	/*
	305	* LSM hook implementation that copies security data structure from old to
	306	* new for policy cloning.
	307	*/
	308	int selinux_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new)
	309	{
	310	struct xfrm_sec_ctx old_ctx, new_ctx;
	311
	312	old_ctx = old->security;
	313
	314	if (old_ctx) {
	315	new_ctx = new->security = kmalloc(sizeof(*new_ctx) +
	316	old_ctx->ctx_len,
	317	GFP_KERNEL);
	318
	319	if (!new_ctx)
	320	return -ENOMEM;
	321
	322	memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
	323	memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
	324	}
	325	return 0;
	326	}
	327
	328	/*
	329	* LSM hook implementation that frees xfrm_policy security information.
	330	*/
	331	void selinux_xfrm_policy_free(struct xfrm_policy *xp)
	332	{
	333	struct xfrm_sec_ctx *ctx = xp->security;
	334	if (ctx)
	335	kfree(ctx);
	336	}
	337
c8c05a8e CZ	338	/*
	339	* LSM hook implementation that authorizes deletion of labeled policies.
	340	*/
	341	int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
	342	{
	343	struct task_security_struct *tsec = current->security;
	344	struct xfrm_sec_ctx *ctx = xp->security;
	345	int rc = 0;
	346
	347	if (ctx)
	348	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
	349	SECCLASS_ASSOCIATION,
	350	ASSOCIATION__SETCONTEXT, NULL);
	351
	352	return rc;
	353	}
	354
d28d1e08 TJ	355	/*
	356	* LSM hook implementation that allocs and transfers sec_ctx spec to
	357	* xfrm_state.
	358	*/
e0d1caa7 VY	359	int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx uctx,
e0d1caa7 VY	360	struct xfrm_sec_ctx *pol, u32 secid)
d28d1e08 TJ	361	{
	362	int err;
	363
	364	BUG_ON(!x);
	365
e0d1caa7	366	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, pol, secid);
d28d1e08 TJ	367	return err;
	368	}
	369
	370	/*
	371	* LSM hook implementation that frees xfrm_state security information.
	372	*/
	373	void selinux_xfrm_state_free(struct xfrm_state *x)
	374	{
	375	struct xfrm_sec_ctx *ctx = x->security;
	376	if (ctx)
	377	kfree(ctx);
	378	}
	379
2c7946a7 CZ	380	/*
	381	* SELinux internal function to retrieve the context of a connected
	382	* (sk->sk_state == TCP_ESTABLISHED) TCP socket based on its security
	383	* association used to connect to the remote socket.
	384	*
	385	* Retrieve via getsockopt SO_PEERSEC.
	386	*/
	387	u32 selinux_socket_getpeer_stream(struct sock *sk)
	388	{
	389	struct dst_entry dst, dst_test;
	390	u32 peer_sid = SECSID_NULL;
	391
	392	if (sk->sk_state != TCP_ESTABLISHED)
	393	goto out;
	394
	395	dst = sk_dst_get(sk);
	396	if (!dst)
	397	goto out;
	398
	399	for (dst_test = dst; dst_test != 0;
	400	dst_test = dst_test->child) {
	401	struct xfrm_state *x = dst_test->xfrm;
	402
	403	if (x && selinux_authorizable_xfrm(x)) {
	404	struct xfrm_sec_ctx *ctx = x->security;
	405	peer_sid = ctx->ctx_sid;
	406	break;
	407	}
	408	}
	409	dst_release(dst);
	410
	411	out:
	412	return peer_sid;
	413	}
	414
	415	/*
	416	* SELinux internal function to retrieve the context of a UDP packet
	417	* based on its security association used to connect to the remote socket.
	418	*
	419	* Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
	420	* type SCM_SECURITY.
	421	*/
	422	u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
	423	{
	424	struct sec_path *sp;
	425
	426	if (skb == NULL)
	427	return SECSID_NULL;
	428
	429	if (skb->sk->sk_protocol != IPPROTO_UDP)
	430	return SECSID_NULL;
	431
	432	sp = skb->sp;
	433	if (sp) {
	434	int i;
	435
	436	for (i = sp->len-1; i >= 0; i--) {
67644726	437	struct xfrm_state *x = sp->xvec[i];
2c7946a7 CZ	438	if (selinux_authorizable_xfrm(x)) {
	439	struct xfrm_sec_ctx *ctx = x->security;
	440	return ctx->ctx_sid;
	441	}
	442	}
	443	}
	444
	445	return SECSID_NULL;
	446	}
	447
c8c05a8e CZ	448	/*
	449	* LSM hook implementation that authorizes deletion of labeled SAs.
	450	*/
	451	int selinux_xfrm_state_delete(struct xfrm_state *x)
	452	{
	453	struct task_security_struct *tsec = current->security;
	454	struct xfrm_sec_ctx *ctx = x->security;
	455	int rc = 0;
	456
	457	if (ctx)
	458	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
	459	SECCLASS_ASSOCIATION,
	460	ASSOCIATION__SETCONTEXT, NULL);
	461
	462	return rc;
	463	}
	464
d28d1e08 TJ	465	/*
	466	* LSM hook that controls access to unlabelled packets. If
	467	* a xfrm_state is authorizable (defined by macro) then it was
	468	* already authorized by the IPSec process. If not, then
	469	* we need to check for unlabelled access since this may not have
	470	* gone thru the IPSec process.
	471	*/
e0d1caa7 VY	472	int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
e0d1caa7 VY	473	struct avc_audit_data *ad)
d28d1e08 TJ	474	{
	475	int i, rc = 0;
	476	struct sec_path *sp;
e0d1caa7	477	u32 sel_sid = SECINITSID_UNLABELED;
d28d1e08 TJ	478
	479	sp = skb->sp;
	480
	481	if (sp) {
d28d1e08	482	for (i = 0; i < sp->len; i++) {
67644726	483	struct xfrm_state *x = sp->xvec[i];
d28d1e08	484
e0d1caa7 VY	485	if (x && selinux_authorizable_xfrm(x)) {
	486	struct xfrm_sec_ctx *ctx = x->security;
	487	sel_sid = ctx->ctx_sid;
	488	break;
	489	}
d28d1e08 TJ	490	}
	491	}
	492
e0d1caa7 VY	493	rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
e0d1caa7 VY	494	ASSOCIATION__RECVFROM, ad);
d28d1e08	495
d28d1e08 TJ	496	return rc;
	497	}
	498
	499	/*
	500	* POSTROUTE_LAST hook's XFRM processing:
	501	* If we have no security association, then we need to determine
	502	* whether the socket is allowed to send to an unlabelled destination.
	503	* If we do have a authorizable security association, then it has already been
	504	* checked in xfrm_policy_lookup hook.
	505	*/
e0d1caa7 VY	506	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
e0d1caa7 VY	507	struct avc_audit_data *ad)
d28d1e08 TJ	508	{
	509	struct dst_entry *dst;
	510	int rc = 0;
	511
	512	dst = skb->dst;
	513
	514	if (dst) {
	515	struct dst_entry *dst_test;
	516
	517	for (dst_test = dst; dst_test != 0;
	518	dst_test = dst_test->child) {
	519	struct xfrm_state *x = dst_test->xfrm;
	520
	521	if (x && selinux_authorizable_xfrm(x))
4e5ab4cb	522	goto out;
d28d1e08 TJ	523	}
	524	}
	525
	526	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
e0d1caa7	527	ASSOCIATION__SENDTO, ad);
4e5ab4cb JM	528	out:
4e5ab4cb JM	529	return rc;
d28d1e08	530	}