xfrm.h - security/selinux/include/xfrm.h - Linux diff v3.5.6

 1/*
 2 * SELinux support for the XFRM LSM hooks
 3 *
 4 * Author : Trent Jaeger, <jaegert@us.ibm.com>
 5 * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
 6 */
 7#ifndef _SELINUX_XFRM_H_
 8#define _SELINUX_XFRM_H_
 9
10#include <net/flow.h>
11
12int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
13			      struct xfrm_user_sec_ctx *sec_ctx);
14int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
15			      struct xfrm_sec_ctx **new_ctxp);
16void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
17int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
18int selinux_xfrm_state_alloc(struct xfrm_state *x,
19	struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
20void selinux_xfrm_state_free(struct xfrm_state *x);
21int selinux_xfrm_state_delete(struct xfrm_state *x);
22int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
23int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
24			struct xfrm_policy *xp, const struct flowi *fl);
25
26/*
27 * Extract the security blob from the sock (it's actually on the socket)
28 */
29static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
30{
31	if (!sk->sk_socket)
32		return NULL;
33
34	return SOCK_INODE(sk->sk_socket)->i_security;
35}
36
37#ifdef CONFIG_SECURITY_NETWORK_XFRM
38extern atomic_t selinux_xfrm_refcount;
39
40static inline int selinux_xfrm_enabled(void)
41{
42	return (atomic_read(&selinux_xfrm_refcount) > 0);
43}
44
45int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
46			struct common_audit_data *ad);
47int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
48			struct common_audit_data *ad, u8 proto);
49int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
50
51static inline void selinux_xfrm_notify_policyload(void)
52{
53	atomic_inc(&flow_cache_genid);
54}
55#else
56static inline int selinux_xfrm_enabled(void)
57{
58	return 0;
59}
60
61static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
62			struct common_audit_data *ad)
63{
64	return 0;
65}
66
67static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
68			struct common_audit_data *ad, u8 proto)
69{
70	return 0;
71}
72
73static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
74{
75	*sid = SECSID_NULL;
76	return 0;
77}
78
79static inline void selinux_xfrm_notify_policyload(void)
80{
81}
82#endif
83
84static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
85{
86	int err = selinux_xfrm_decode_session(skb, sid, 0);
87	BUG_ON(err);
88}
89
90#endif /* _SELINUX_XFRM_H_ */

 1/*
 2 * SELinux support for the XFRM LSM hooks
 3 *
 4 * Author : Trent Jaeger, <jaegert@us.ibm.com>
 5 * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
 6 */
 7#ifndef _SELINUX_XFRM_H_
 8#define _SELINUX_XFRM_H_
 9
 
 
10int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
11			      struct xfrm_user_sec_ctx *sec_ctx);
12int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
13			      struct xfrm_sec_ctx **new_ctxp);
14void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
15int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
16int selinux_xfrm_state_alloc(struct xfrm_state *x,
17	struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
18void selinux_xfrm_state_free(struct xfrm_state *x);
19int selinux_xfrm_state_delete(struct xfrm_state *x);
20int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
21int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
22			struct xfrm_policy *xp, const struct flowi *fl);
23
24/*
25 * Extract the security blob from the sock (it's actually on the socket)
26 */
27static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
28{
29	if (!sk->sk_socket)
30		return NULL;
31
32	return SOCK_INODE(sk->sk_socket)->i_security;
33}
34
35#ifdef CONFIG_SECURITY_NETWORK_XFRM
36extern atomic_t selinux_xfrm_refcount;
37
38static inline int selinux_xfrm_enabled(void)
39{
40	return (atomic_read(&selinux_xfrm_refcount) > 0);
41}
42
43int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
44			struct common_audit_data *ad);
45int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
46			struct common_audit_data *ad, u8 proto);
47int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
48
49static inline void selinux_xfrm_notify_policyload(void)
50{
51	atomic_inc(&flow_cache_genid);
52}
53#else
54static inline int selinux_xfrm_enabled(void)
55{
56	return 0;
57}
58
59static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
60			struct common_audit_data *ad)
61{
62	return 0;
63}
64
65static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
66			struct common_audit_data *ad, u8 proto)
67{
68	return 0;
69}
70
71static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
72{
73	*sid = SECSID_NULL;
74	return 0;
75}
76
77static inline void selinux_xfrm_notify_policyload(void)
78{
79}
80#endif
81
82static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
83{
84	int err = selinux_xfrm_decode_session(skb, sid, 0);
85	BUG_ON(err);
86}
87
88#endif /* _SELINUX_XFRM_H_ */