Loading...
1/*
2 * SELinux support for the XFRM LSM hooks
3 *
4 * Author : Trent Jaeger, <jaegert@us.ibm.com>
5 * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
6 */
7#ifndef _SELINUX_XFRM_H_
8#define _SELINUX_XFRM_H_
9
10int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
11 struct xfrm_user_sec_ctx *sec_ctx);
12int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
13 struct xfrm_sec_ctx **new_ctxp);
14void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
15int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
16int selinux_xfrm_state_alloc(struct xfrm_state *x,
17 struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
18void selinux_xfrm_state_free(struct xfrm_state *x);
19int selinux_xfrm_state_delete(struct xfrm_state *x);
20int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
21int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
22 struct xfrm_policy *xp, const struct flowi *fl);
23
24/*
25 * Extract the security blob from the sock (it's actually on the socket)
26 */
27static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
28{
29 if (!sk->sk_socket)
30 return NULL;
31
32 return SOCK_INODE(sk->sk_socket)->i_security;
33}
34
35#ifdef CONFIG_SECURITY_NETWORK_XFRM
36extern atomic_t selinux_xfrm_refcount;
37
38static inline int selinux_xfrm_enabled(void)
39{
40 return (atomic_read(&selinux_xfrm_refcount) > 0);
41}
42
43int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
44 struct common_audit_data *ad);
45int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
46 struct common_audit_data *ad, u8 proto);
47int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
48
49static inline void selinux_xfrm_notify_policyload(void)
50{
51 atomic_inc(&flow_cache_genid);
52}
53#else
54static inline int selinux_xfrm_enabled(void)
55{
56 return 0;
57}
58
59static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
60 struct common_audit_data *ad)
61{
62 return 0;
63}
64
65static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
66 struct common_audit_data *ad, u8 proto)
67{
68 return 0;
69}
70
71static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
72{
73 *sid = SECSID_NULL;
74 return 0;
75}
76
77static inline void selinux_xfrm_notify_policyload(void)
78{
79}
80#endif
81
82static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
83{
84 int err = selinux_xfrm_decode_session(skb, sid, 0);
85 BUG_ON(err);
86}
87
88#endif /* _SELINUX_XFRM_H_ */
1/* SPDX-License-Identifier: GPL-2.0 */
2/*
3 * SELinux support for the XFRM LSM hooks
4 *
5 * Author : Trent Jaeger, <jaegert@us.ibm.com>
6 * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
7 */
8#ifndef _SELINUX_XFRM_H_
9#define _SELINUX_XFRM_H_
10
11#include <net/flow.h>
12
13int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
14 struct xfrm_user_sec_ctx *uctx,
15 gfp_t gfp);
16int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
17 struct xfrm_sec_ctx **new_ctxp);
18void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
19int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
20int selinux_xfrm_state_alloc(struct xfrm_state *x,
21 struct xfrm_user_sec_ctx *uctx);
22int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
23 struct xfrm_sec_ctx *polsec, u32 secid);
24void selinux_xfrm_state_free(struct xfrm_state *x);
25int selinux_xfrm_state_delete(struct xfrm_state *x);
26int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
27int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
28 struct xfrm_policy *xp,
29 const struct flowi *fl);
30
31#ifdef CONFIG_SECURITY_NETWORK_XFRM
32extern atomic_t selinux_xfrm_refcount;
33
34static inline int selinux_xfrm_enabled(void)
35{
36 return (atomic_read(&selinux_xfrm_refcount) > 0);
37}
38
39int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
40 struct common_audit_data *ad);
41int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
42 struct common_audit_data *ad, u8 proto);
43int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
44int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid);
45
46static inline void selinux_xfrm_notify_policyload(void)
47{
48 struct net *net;
49
50 down_read(&net_rwsem);
51 for_each_net(net)
52 rt_genid_bump_all(net);
53 up_read(&net_rwsem);
54}
55#else
56static inline int selinux_xfrm_enabled(void)
57{
58 return 0;
59}
60
61static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
62 struct common_audit_data *ad)
63{
64 return 0;
65}
66
67static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
68 struct common_audit_data *ad,
69 u8 proto)
70{
71 return 0;
72}
73
74static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid,
75 int ckall)
76{
77 *sid = SECSID_NULL;
78 return 0;
79}
80
81static inline void selinux_xfrm_notify_policyload(void)
82{
83}
84
85static inline int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
86{
87 *sid = SECSID_NULL;
88 return 0;
89}
90#endif
91
92#endif /* _SELINUX_XFRM_H_ */