[net-next-2.6.git] / security / selinux / xfrm.c

/*
 *  NSA Security-Enhanced Linux (SELinux) security module
 *
 *  This file contains the SELinux XFRM hook function implementations.
 *
 *  Authors:  Serge Hallyn <sergeh@us.ibm.com>
 *	      Trent Jaeger <jaegert@us.ibm.com>
 *
 *  Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
 *
 *           Granular IPSec Associations for use in MLS environments.
 *
 *  Copyright (C) 2005 International Business Machines Corporation
 *  Copyright (C) 2006 Trusted Computer Solutions, Inc.
 *
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License version 2,
 *	as published by the Free Software Foundation.
 */

/*
 * USAGE:
 * NOTES:
 *   1. Make sure to enable the following options in your kernel config:
 *	CONFIG_SECURITY=y
 *	CONFIG_SECURITY_NETWORK=y
 *	CONFIG_SECURITY_NETWORK_XFRM=y
 *	CONFIG_SECURITY_SELINUX=m/y
 * ISSUES:
 *   1. Caching packets, so they are not dropped during negotiation
 *   2. Emulating a reasonable SO_PEERSEC across machines
 *   3. Testing addition of sk_policy's with security context via setsockopt
 */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/security.h>
#include <linux/types.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/skbuff.h>
#include <linux/xfrm.h>
#include <net/xfrm.h>
#include <net/checksum.h>
#include <net/udp.h>
#include <asm/semaphore.h>

#include "avc.h"
#include "objsec.h"
#include "xfrm.h"


/*
 * Returns true if an LSM/SELinux context
 */
static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
{
	return (ctx &&
		(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
		(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
}

/*
 * Returns true if the xfrm contains a security blob for SELinux
 */
static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
{
	return selinux_authorizable_ctx(x->security);
}

/*
 * LSM hook implementation that authorizes that a flow can use
 * a xfrm policy rule.
 */
int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
{
	int rc;
	u32 sel_sid;
	struct xfrm_sec_ctx *ctx;

	/* Context sid is either set to label or ANY_ASSOC */
	if ((ctx = xp->security)) {
		if (!selinux_authorizable_ctx(ctx))
			return -EINVAL;

		sel_sid = ctx->ctx_sid;
	}
	else
		/*
		 * All flows should be treated as polmatch'ing an
		 * otherwise applicable "non-labeled" policy. This
		 * would prevent inadvertent "leaks".
		 */
		return 0;

	rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__POLMATCH,
			  NULL);

	if (rc == -EACCES)
		rc = -ESRCH;

	return rc;
}

/*
 * LSM hook implementation that authorizes that a state matches
 * the given policy, flow combo.
 */

int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
			struct flowi *fl)
{
	u32 state_sid;
	u32 pol_sid;
	int err;

	if (xp->security) {
		if (!x->security)
			/* unlabeled SA and labeled policy can't match */
			return 0;
		else
			state_sid = x->security->ctx_sid;
		pol_sid = xp->security->ctx_sid;
	} else
		if (x->security)
			/* unlabeled policy and labeled SA can't match */
			return 0;
		else
			/* unlabeled policy and unlabeled SA match all flows */
			return 1;

	err = avc_has_perm(state_sid, pol_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__POLMATCH,
			  NULL);

	if (err)
		return 0;

	err = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__SENDTO,
			  NULL)? 0:1;

	return err;
}

/*
 * LSM hook implementation that authorizes that a particular outgoing flow
 * can use a given security association.
 */

int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm,
				  struct xfrm_policy *xp)
{
	int rc = 0;
	u32 sel_sid = SECINITSID_UNLABELED;
	struct xfrm_sec_ctx *ctx;

	if (!xp->security)
		if (!xfrm->security)
			return 1;
		else
			return 0;
	else
		if (!xfrm->security)
			return 0;

	/* Context sid is either set to label or ANY_ASSOC */
	if ((ctx = xfrm->security)) {
		if (!selinux_authorizable_ctx(ctx))
			return 0;

		sel_sid = ctx->ctx_sid;
	}

	rc = avc_has_perm(fl->secid, sel_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__SENDTO,
			  NULL)? 0:1;

	return rc;
}

/*
 * LSM hook implementation that checks and/or returns the xfrm sid for the
 * incoming packet.
 */

int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
{
	struct sec_path *sp;

	*sid = SECSID_NULL;

	if (skb == NULL)
		return 0;

	sp = skb->sp;
	if (sp) {
		int i, sid_set = 0;

		for (i = sp->len-1; i >= 0; i--) {
			struct xfrm_state *x = sp->xvec[i];
			if (selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;

				if (!sid_set) {
					*sid = ctx->ctx_sid;
					sid_set = 1;

					if (!ckall)
						break;
				}
				else if (*sid != ctx->ctx_sid)
					return -EINVAL;
			}
		}
	}

	return 0;
}

/*
 * Security blob allocation for xfrm_policy and xfrm_state
 * CTX does not have a meaningful value on input
 */
static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
	struct xfrm_user_sec_ctx *uctx, u32 sid)
{
	int rc = 0;
	struct task_security_struct *tsec = current->security;
	struct xfrm_sec_ctx *ctx = NULL;
	char *ctx_str = NULL;
	u32 str_len;

	BUG_ON(uctx && sid);

	if (!uctx)
		goto not_from_user;

	if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
		return -EINVAL;

	if (uctx->ctx_len >= PAGE_SIZE)
		return -ENOMEM;

	*ctxp = ctx = kmalloc(sizeof(*ctx) +
			      uctx->ctx_len,
			      GFP_KERNEL);

	if (!ctx)
		return -ENOMEM;

	ctx->ctx_doi = uctx->ctx_doi;
	ctx->ctx_len = uctx->ctx_len;
	ctx->ctx_alg = uctx->ctx_alg;

	memcpy(ctx->ctx_str,
	       uctx+1,
	       ctx->ctx_len);
	rc = security_context_to_sid(ctx->ctx_str,
				     ctx->ctx_len,
				     &ctx->ctx_sid);

	if (rc)
		goto out;

	/*
	 * Does the subject have permission to set security context?
	 */
	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
			  SECCLASS_ASSOCIATION,
			  ASSOCIATION__SETCONTEXT, NULL);
	if (rc)
		goto out;

	return rc;

not_from_user:
	rc = security_sid_to_context(sid, &ctx_str, &str_len);
	if (rc)
		goto out;

	*ctxp = ctx = kmalloc(sizeof(*ctx) +
			      str_len,
			      GFP_ATOMIC);

	if (!ctx) {
		rc = -ENOMEM;
		goto out;
	}

	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	ctx->ctx_sid = sid;
	ctx->ctx_len = str_len;
	memcpy(ctx->ctx_str,
	       ctx_str,
	       str_len);

	goto out2;

out:
	*ctxp = NULL;
	kfree(ctx);
out2:
	kfree(ctx_str);
	return rc;
}

/*
 * LSM hook implementation that allocs and transfers uctx spec to
 * xfrm_policy.
 */
int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
		struct xfrm_user_sec_ctx *uctx)
{
	int err;

	BUG_ON(!xp);
	BUG_ON(!uctx);

	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0);
	return err;
}


/*
 * LSM hook implementation that copies security data structure from old to
 * new for policy cloning.
 */
int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
{
	struct xfrm_sec_ctx *old_ctx, *new_ctx;

	old_ctx = old->security;

	if (old_ctx) {
		new_ctx = new->security = kmalloc(sizeof(*new_ctx) +
						  old_ctx->ctx_len,
						  GFP_KERNEL);

		if (!new_ctx)
			return -ENOMEM;

		memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
		memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
	}
	return 0;
}

/*
 * LSM hook implementation that frees xfrm_policy security information.
 */
void selinux_xfrm_policy_free(struct xfrm_policy *xp)
{
	struct xfrm_sec_ctx *ctx = xp->security;
	if (ctx)
		kfree(ctx);
}

/*
 * LSM hook implementation that authorizes deletion of labeled policies.
 */
int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
{
	struct task_security_struct *tsec = current->security;
	struct xfrm_sec_ctx *ctx = xp->security;
	int rc = 0;

	if (ctx)
		rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
				  SECCLASS_ASSOCIATION,
				  ASSOCIATION__SETCONTEXT, NULL);

	return rc;
}

/*
 * LSM hook implementation that allocs and transfers sec_ctx spec to
 * xfrm_state.
 */
int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx,
		u32 secid)
{
	int err;

	BUG_ON(!x);

	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
	return err;
}

/*
 * LSM hook implementation that frees xfrm_state security information.
 */
void selinux_xfrm_state_free(struct xfrm_state *x)
{
	struct xfrm_sec_ctx *ctx = x->security;
	if (ctx)
		kfree(ctx);
}

/*
 * SELinux internal function to retrieve the context of a UDP packet
 * based on its security association.
 *
 * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
 * type SCM_SECURITY.
 */
u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
{
	struct sec_path *sp;

	if (skb == NULL)
		return SECSID_NULL;

	if (skb->sk->sk_protocol != IPPROTO_UDP)
		return SECSID_NULL;

	sp = skb->sp;
	if (sp) {
		int i;

		for (i = sp->len-1; i >= 0; i--) {
			struct xfrm_state *x = sp->xvec[i];
			if (selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;
				return ctx->ctx_sid;
			}
		}
	}

	return SECSID_NULL;
}

 /*
  * LSM hook implementation that authorizes deletion of labeled SAs.
  */
int selinux_xfrm_state_delete(struct xfrm_state *x)
{
	struct task_security_struct *tsec = current->security;
	struct xfrm_sec_ctx *ctx = x->security;
	int rc = 0;

	if (ctx)
		rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
				  SECCLASS_ASSOCIATION,
				  ASSOCIATION__SETCONTEXT, NULL);

	return rc;
}

/*
 * LSM hook that controls access to unlabelled packets.  If
 * a xfrm_state is authorizable (defined by macro) then it was
 * already authorized by the IPSec process.  If not, then
 * we need to check for unlabelled access since this may not have
 * gone thru the IPSec process.
 */
int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
				struct avc_audit_data *ad)
{
	int i, rc = 0;
	struct sec_path *sp;
	u32 sel_sid = SECINITSID_UNLABELED;

	sp = skb->sp;

	if (sp) {
		for (i = 0; i < sp->len; i++) {
			struct xfrm_state *x = sp->xvec[i];

			if (x && selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;
				sel_sid = ctx->ctx_sid;
				break;
			}
		}
	}

	rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__RECVFROM, ad);

	return rc;
}

/*
 * POSTROUTE_LAST hook's XFRM processing:
 * If we have no security association, then we need to determine
 * whether the socket is allowed to send to an unlabelled destination.
 * If we do have a authorizable security association, then it has already been
 * checked in xfrm_policy_lookup hook.
 */
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
					struct avc_audit_data *ad)
{
	struct dst_entry *dst;
	int rc = 0;

	dst = skb->dst;

	if (dst) {
		struct dst_entry *dst_test;

		for (dst_test = dst; dst_test != 0;
		     dst_test = dst_test->child) {
			struct xfrm_state *x = dst_test->xfrm;

			if (x && selinux_authorizable_xfrm(x))
				goto out;
		}
	}

	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
			  ASSOCIATION__SENDTO, ad);
out:
	return rc;
}
Commit	Line	Data
d28d1e08 TJ	1	/*
	2	* NSA Security-Enhanced Linux (SELinux) security module
	3	*
	4	* This file contains the SELinux XFRM hook function implementations.
	5	*
	6	* Authors: Serge Hallyn <sergeh@us.ibm.com>
	7	* Trent Jaeger <jaegert@us.ibm.com>
	8	*
e0d1caa7 VY	9	* Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
	10	*
	11	* Granular IPSec Associations for use in MLS environments.
	12	*
d28d1e08	13	* Copyright (C) 2005 International Business Machines Corporation
e0d1caa7	14	* Copyright (C) 2006 Trusted Computer Solutions, Inc.
d28d1e08 TJ	15	*
	16	* This program is free software; you can redistribute it and/or modify
	17	* it under the terms of the GNU General Public License version 2,
	18	* as published by the Free Software Foundation.
	19	*/
	20
	21	/*
	22	* USAGE:
	23	* NOTES:
	24	* 1. Make sure to enable the following options in your kernel config:
	25	* CONFIG_SECURITY=y
	26	* CONFIG_SECURITY_NETWORK=y
	27	* CONFIG_SECURITY_NETWORK_XFRM=y
	28	* CONFIG_SECURITY_SELINUX=m/y
	29	* ISSUES:
	30	* 1. Caching packets, so they are not dropped during negotiation
	31	* 2. Emulating a reasonable SO_PEERSEC across machines
	32	* 3. Testing addition of sk_policy's with security context via setsockopt
	33	*/
d28d1e08 TJ	34	#include <linux/module.h>
	35	#include <linux/kernel.h>
	36	#include <linux/init.h>
	37	#include <linux/security.h>
	38	#include <linux/types.h>
	39	#include <linux/netfilter.h>
	40	#include <linux/netfilter_ipv4.h>
	41	#include <linux/netfilter_ipv6.h>
	42	#include <linux/ip.h>
	43	#include <linux/tcp.h>
	44	#include <linux/skbuff.h>
	45	#include <linux/xfrm.h>
	46	#include <net/xfrm.h>
	47	#include <net/checksum.h>
	48	#include <net/udp.h>
	49	#include <asm/semaphore.h>
	50
	51	#include "avc.h"
	52	#include "objsec.h"
	53	#include "xfrm.h"
	54
	55
	56	/*
	57	* Returns true if an LSM/SELinux context
	58	*/
	59	static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
	60	{
	61	return (ctx &&
	62	(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
	63	(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
	64	}
	65
	66	/*
	67	* Returns true if the xfrm contains a security blob for SELinux
	68	*/
	69	static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
	70	{
	71	return selinux_authorizable_ctx(x->security);
	72	}
	73
	74	/*
e0d1caa7 VY	75	* LSM hook implementation that authorizes that a flow can use
e0d1caa7 VY	76	* a xfrm policy rule.
d28d1e08	77	*/
e0d1caa7	78	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
d28d1e08	79	{
5b368e61 VY	80	int rc;
5b368e61 VY	81	u32 sel_sid;
d28d1e08 TJ	82	struct xfrm_sec_ctx *ctx;
	83
	84	/* Context sid is either set to label or ANY_ASSOC */
	85	if ((ctx = xp->security)) {
	86	if (!selinux_authorizable_ctx(ctx))
	87	return -EINVAL;
	88
	89	sel_sid = ctx->ctx_sid;
	90	}
5b368e61 VY	91	else
	92	/*
	93	* All flows should be treated as polmatch'ing an
	94	* otherwise applicable "non-labeled" policy. This
	95	* would prevent inadvertent "leaks".
	96	*/
	97	return 0;
d28d1e08	98
e0d1caa7 VY	99	rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
e0d1caa7 VY	100	ASSOCIATION__POLMATCH,
d28d1e08 TJ	101	NULL);
d28d1e08 TJ	102
5b368e61 VY	103	if (rc == -EACCES)
	104	rc = -ESRCH;
	105
d28d1e08 TJ	106	return rc;
	107	}
	108
e0d1caa7 VY	109	/*
	110	* LSM hook implementation that authorizes that a state matches
	111	* the given policy, flow combo.
	112	*/
	113
	114	int selinux_xfrm_state_pol_flow_match(struct xfrm_state x, struct xfrm_policy xp,
	115	struct flowi *fl)
	116	{
	117	u32 state_sid;
	118	u32 pol_sid;
	119	int err;
	120
5b368e61 VY	121	if (xp->security) {
	122	if (!x->security)
	123	/* unlabeled SA and labeled policy can't match */
	124	return 0;
	125	else
	126	state_sid = x->security->ctx_sid;
e0d1caa7	127	pol_sid = xp->security->ctx_sid;
5b368e61 VY	128	} else
	129	if (x->security)
	130	/* unlabeled policy and labeled SA can't match */
	131	return 0;
	132	else
	133	/* unlabeled policy and unlabeled SA match all flows */
	134	return 1;
e0d1caa7 VY	135
	136	err = avc_has_perm(state_sid, pol_sid, SECCLASS_ASSOCIATION,
	137	ASSOCIATION__POLMATCH,
	138	NULL);
	139
	140	if (err)
	141	return 0;
	142
5b368e61 VY	143	err = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION,
	144	ASSOCIATION__SENDTO,
	145	NULL)? 0:1;
	146
	147	return err;
e0d1caa7 VY	148	}
	149
	150	/*
	151	* LSM hook implementation that authorizes that a particular outgoing flow
	152	* can use a given security association.
	153	*/
	154
5b368e61 VY	155	int selinux_xfrm_flow_state_match(struct flowi fl, struct xfrm_state xfrm,
5b368e61 VY	156	struct xfrm_policy *xp)
e0d1caa7 VY	157	{
	158	int rc = 0;
	159	u32 sel_sid = SECINITSID_UNLABELED;
	160	struct xfrm_sec_ctx *ctx;
	161
5b368e61 VY	162	if (!xp->security)
	163	if (!xfrm->security)
	164	return 1;
	165	else
	166	return 0;
	167	else
	168	if (!xfrm->security)
	169	return 0;
	170
e0d1caa7 VY	171	/* Context sid is either set to label or ANY_ASSOC */
	172	if ((ctx = xfrm->security)) {
	173	if (!selinux_authorizable_ctx(ctx))
	174	return 0;
	175
	176	sel_sid = ctx->ctx_sid;
	177	}
	178
	179	rc = avc_has_perm(fl->secid, sel_sid, SECCLASS_ASSOCIATION,
	180	ASSOCIATION__SENDTO,
	181	NULL)? 0:1;
	182
	183	return rc;
	184	}
	185
	186	/*
6b877699 VY	187	* LSM hook implementation that checks and/or returns the xfrm sid for the
6b877699 VY	188	* incoming packet.
e0d1caa7 VY	189	*/
e0d1caa7 VY	190
beb8d13b	191	int selinux_xfrm_decode_session(struct sk_buff skb, u32 sid, int ckall)
e0d1caa7 VY	192	{
	193	struct sec_path *sp;
	194
beb8d13b	195	*sid = SECSID_NULL;
e0d1caa7 VY	196
	197	if (skb == NULL)
	198	return 0;
	199
	200	sp = skb->sp;
	201	if (sp) {
	202	int i, sid_set = 0;
	203
	204	for (i = sp->len-1; i >= 0; i--) {
	205	struct xfrm_state *x = sp->xvec[i];
	206	if (selinux_authorizable_xfrm(x)) {
	207	struct xfrm_sec_ctx *ctx = x->security;
	208
	209	if (!sid_set) {
beb8d13b	210	*sid = ctx->ctx_sid;
e0d1caa7	211	sid_set = 1;
beb8d13b VY	212
	213	if (!ckall)
	214	break;
e0d1caa7	215	}
beb8d13b	216	else if (*sid != ctx->ctx_sid)
e0d1caa7 VY	217	return -EINVAL;
	218	}
	219	}
	220	}
	221
	222	return 0;
	223	}
	224
d28d1e08 TJ	225	/*
	226	* Security blob allocation for xfrm_policy and xfrm_state
	227	* CTX does not have a meaningful value on input
	228	*/
e0d1caa7	229	static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
c1a856c9	230	struct xfrm_user_sec_ctx *uctx, u32 sid)
d28d1e08 TJ	231	{
	232	int rc = 0;
	233	struct task_security_struct *tsec = current->security;
e0d1caa7 VY	234	struct xfrm_sec_ctx *ctx = NULL;
	235	char *ctx_str = NULL;
	236	u32 str_len;
e0d1caa7	237
c1a856c9	238	BUG_ON(uctx && sid);
e0d1caa7	239
cb969f07 VY	240	if (!uctx)
cb969f07 VY	241	goto not_from_user;
e0d1caa7 VY	242
	243	if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
	244	return -EINVAL;
d28d1e08 TJ	245
	246	if (uctx->ctx_len >= PAGE_SIZE)
	247	return -ENOMEM;
	248
	249	ctxp = ctx = kmalloc(sizeof(ctx) +
	250	uctx->ctx_len,
	251	GFP_KERNEL);
	252
	253	if (!ctx)
	254	return -ENOMEM;
	255
	256	ctx->ctx_doi = uctx->ctx_doi;
	257	ctx->ctx_len = uctx->ctx_len;
	258	ctx->ctx_alg = uctx->ctx_alg;
	259
	260	memcpy(ctx->ctx_str,
	261	uctx+1,
	262	ctx->ctx_len);
	263	rc = security_context_to_sid(ctx->ctx_str,
	264	ctx->ctx_len,
	265	&ctx->ctx_sid);
	266
	267	if (rc)
	268	goto out;
	269
	270	/*
c8c05a8e	271	* Does the subject have permission to set security context?
d28d1e08	272	*/
d28d1e08 TJ	273	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
d28d1e08 TJ	274	SECCLASS_ASSOCIATION,
5f8ac64b	275	ASSOCIATION__SETCONTEXT, NULL);
d28d1e08 TJ	276	if (rc)
	277	goto out;
	278
	279	return rc;
	280
cb969f07	281	not_from_user:
c1a856c9	282	rc = security_sid_to_context(sid, &ctx_str, &str_len);
e0d1caa7 VY	283	if (rc)
	284	goto out;
	285
	286	ctxp = ctx = kmalloc(sizeof(ctx) +
	287	str_len,
	288	GFP_ATOMIC);
	289
	290	if (!ctx) {
	291	rc = -ENOMEM;
	292	goto out;
	293	}
	294
e0d1caa7 VY	295	ctx->ctx_doi = XFRM_SC_DOI_LSM;
e0d1caa7 VY	296	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
c1a856c9	297	ctx->ctx_sid = sid;
e0d1caa7 VY	298	ctx->ctx_len = str_len;
	299	memcpy(ctx->ctx_str,
	300	ctx_str,
	301	str_len);
	302
	303	goto out2;
	304
d28d1e08	305	out:
ee2e6841	306	*ctxp = NULL;
d28d1e08	307	kfree(ctx);
e0d1caa7 VY	308	out2:
e0d1caa7 VY	309	kfree(ctx_str);
d28d1e08 TJ	310	return rc;
	311	}
	312
	313	/*
	314	* LSM hook implementation that allocs and transfers uctx spec to
	315	* xfrm_policy.
	316	*/
cb969f07	317	int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
c1a856c9	318	struct xfrm_user_sec_ctx *uctx)
d28d1e08 TJ	319	{
	320	int err;
	321
	322	BUG_ON(!xp);
c1a856c9	323	BUG_ON(!uctx);
d28d1e08	324
c1a856c9	325	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0);
d28d1e08 TJ	326	return err;
	327	}
	328
	329
	330	/*
	331	* LSM hook implementation that copies security data structure from old to
	332	* new for policy cloning.
	333	*/
	334	int selinux_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new)
	335	{
	336	struct xfrm_sec_ctx old_ctx, new_ctx;
	337
	338	old_ctx = old->security;
	339
	340	if (old_ctx) {
	341	new_ctx = new->security = kmalloc(sizeof(*new_ctx) +
	342	old_ctx->ctx_len,
	343	GFP_KERNEL);
	344
	345	if (!new_ctx)
	346	return -ENOMEM;
	347
	348	memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
	349	memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
	350	}
	351	return 0;
	352	}
	353
	354	/*
	355	* LSM hook implementation that frees xfrm_policy security information.
	356	*/
	357	void selinux_xfrm_policy_free(struct xfrm_policy *xp)
	358	{
	359	struct xfrm_sec_ctx *ctx = xp->security;
	360	if (ctx)
	361	kfree(ctx);
	362	}
	363
c8c05a8e CZ	364	/*
	365	* LSM hook implementation that authorizes deletion of labeled policies.
	366	*/
	367	int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
	368	{
	369	struct task_security_struct *tsec = current->security;
	370	struct xfrm_sec_ctx *ctx = xp->security;
	371	int rc = 0;
	372
	373	if (ctx)
	374	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
	375	SECCLASS_ASSOCIATION,
	376	ASSOCIATION__SETCONTEXT, NULL);
	377
	378	return rc;
	379	}
	380
d28d1e08 TJ	381	/*
	382	* LSM hook implementation that allocs and transfers sec_ctx spec to
	383	* xfrm_state.
	384	*/
e0d1caa7	385	int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx uctx,
c1a856c9	386	u32 secid)
d28d1e08 TJ	387	{
	388	int err;
	389
	390	BUG_ON(!x);
	391
c1a856c9	392	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
d28d1e08 TJ	393	return err;
	394	}
	395
	396	/*
	397	* LSM hook implementation that frees xfrm_state security information.
	398	*/
	399	void selinux_xfrm_state_free(struct xfrm_state *x)
	400	{
	401	struct xfrm_sec_ctx *ctx = x->security;
	402	if (ctx)
	403	kfree(ctx);
	404	}
	405
2c7946a7 CZ	406	/*
2c7946a7 CZ	407	* SELinux internal function to retrieve the context of a UDP packet
6b877699	408	* based on its security association.
2c7946a7 CZ	409	*
	410	* Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
	411	* type SCM_SECURITY.
	412	*/
	413	u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
	414	{
	415	struct sec_path *sp;
	416
	417	if (skb == NULL)
	418	return SECSID_NULL;
	419
	420	if (skb->sk->sk_protocol != IPPROTO_UDP)
	421	return SECSID_NULL;
	422
	423	sp = skb->sp;
	424	if (sp) {
	425	int i;
	426
	427	for (i = sp->len-1; i >= 0; i--) {
67644726	428	struct xfrm_state *x = sp->xvec[i];
2c7946a7 CZ	429	if (selinux_authorizable_xfrm(x)) {
	430	struct xfrm_sec_ctx *ctx = x->security;
	431	return ctx->ctx_sid;
	432	}
	433	}
	434	}
	435
	436	return SECSID_NULL;
	437	}
	438
c8c05a8e CZ	439	/*
	440	* LSM hook implementation that authorizes deletion of labeled SAs.
	441	*/
	442	int selinux_xfrm_state_delete(struct xfrm_state *x)
	443	{
	444	struct task_security_struct *tsec = current->security;
	445	struct xfrm_sec_ctx *ctx = x->security;
	446	int rc = 0;
	447
	448	if (ctx)
	449	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
	450	SECCLASS_ASSOCIATION,
	451	ASSOCIATION__SETCONTEXT, NULL);
	452
	453	return rc;
	454	}
	455
d28d1e08 TJ	456	/*
	457	* LSM hook that controls access to unlabelled packets. If
	458	* a xfrm_state is authorizable (defined by macro) then it was
	459	* already authorized by the IPSec process. If not, then
	460	* we need to check for unlabelled access since this may not have
	461	* gone thru the IPSec process.
	462	*/
e0d1caa7 VY	463	int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
e0d1caa7 VY	464	struct avc_audit_data *ad)
d28d1e08 TJ	465	{
	466	int i, rc = 0;
	467	struct sec_path *sp;
e0d1caa7	468	u32 sel_sid = SECINITSID_UNLABELED;
d28d1e08 TJ	469
	470	sp = skb->sp;
	471
	472	if (sp) {
d28d1e08	473	for (i = 0; i < sp->len; i++) {
67644726	474	struct xfrm_state *x = sp->xvec[i];
d28d1e08	475
e0d1caa7 VY	476	if (x && selinux_authorizable_xfrm(x)) {
	477	struct xfrm_sec_ctx *ctx = x->security;
	478	sel_sid = ctx->ctx_sid;
	479	break;
	480	}
d28d1e08 TJ	481	}
	482	}
	483
e0d1caa7 VY	484	rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
e0d1caa7 VY	485	ASSOCIATION__RECVFROM, ad);
d28d1e08	486
d28d1e08 TJ	487	return rc;
	488	}
	489
	490	/*
	491	* POSTROUTE_LAST hook's XFRM processing:
	492	* If we have no security association, then we need to determine
	493	* whether the socket is allowed to send to an unlabelled destination.
	494	* If we do have a authorizable security association, then it has already been
	495	* checked in xfrm_policy_lookup hook.
	496	*/
e0d1caa7 VY	497	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
e0d1caa7 VY	498	struct avc_audit_data *ad)
d28d1e08 TJ	499	{
	500	struct dst_entry *dst;
	501	int rc = 0;
	502
	503	dst = skb->dst;
	504
	505	if (dst) {
	506	struct dst_entry *dst_test;
	507
	508	for (dst_test = dst; dst_test != 0;
	509	dst_test = dst_test->child) {
	510	struct xfrm_state *x = dst_test->xfrm;
	511
	512	if (x && selinux_authorizable_xfrm(x))
4e5ab4cb	513	goto out;
d28d1e08 TJ	514	}
	515	}
	516
	517	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
e0d1caa7	518	ASSOCIATION__SENDTO, ad);
4e5ab4cb JM	519	out:
4e5ab4cb JM	520	return rc;
d28d1e08	521	}