xfrm.h - security/selinux/include/xfrm.h - Linux diff v3.5.6

 
 1/*
 2 * SELinux support for the XFRM LSM hooks
 3 *
 4 * Author : Trent Jaeger, <jaegert@us.ibm.com>
 5 * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
 6 */
 7#ifndef _SELINUX_XFRM_H_
 8#define _SELINUX_XFRM_H_
 9
10#include <net/flow.h>
11
12int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
13			      struct xfrm_user_sec_ctx *sec_ctx);
 
14int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
15			      struct xfrm_sec_ctx **new_ctxp);
16void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
17int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
18int selinux_xfrm_state_alloc(struct xfrm_state *x,
19	struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
 
 
20void selinux_xfrm_state_free(struct xfrm_state *x);
21int selinux_xfrm_state_delete(struct xfrm_state *x);
22int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
23int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
24			struct xfrm_policy *xp, const struct flowi *fl);
25
26/*
27 * Extract the security blob from the sock (it's actually on the socket)
28 */
29static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
30{
31	if (!sk->sk_socket)
32		return NULL;
33
34	return SOCK_INODE(sk->sk_socket)->i_security;
35}
36
37#ifdef CONFIG_SECURITY_NETWORK_XFRM
38extern atomic_t selinux_xfrm_refcount;
39
40static inline int selinux_xfrm_enabled(void)
41{
42	return (atomic_read(&selinux_xfrm_refcount) > 0);
43}
44
45int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
46			struct common_audit_data *ad);
47int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
48			struct common_audit_data *ad, u8 proto);
49int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 
50
51static inline void selinux_xfrm_notify_policyload(void)
52{
53	atomic_inc(&flow_cache_genid);
 
 
 
 
 
54}
55#else
56static inline int selinux_xfrm_enabled(void)
57{
58	return 0;
59}
60
61static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
62			struct common_audit_data *ad)
63{
64	return 0;
65}
66
67static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
68			struct common_audit_data *ad, u8 proto)
 
69{
70	return 0;
71}
72
73static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
 
74{
75	*sid = SECSID_NULL;
76	return 0;
77}
78
79static inline void selinux_xfrm_notify_policyload(void)
80{
81}
82#endif
83
84static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
85{
86	int err = selinux_xfrm_decode_session(skb, sid, 0);
87	BUG_ON(err);
88}
 
89
90#endif /* _SELINUX_XFRM_H_ */

 1/* SPDX-License-Identifier: GPL-2.0 */
 2/*
 3 * SELinux support for the XFRM LSM hooks
 4 *
 5 * Author : Trent Jaeger, <jaegert@us.ibm.com>
 6 * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
 7 */
 8#ifndef _SELINUX_XFRM_H_
 9#define _SELINUX_XFRM_H_
10
11#include <net/flow.h>
12
13int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
14			      struct xfrm_user_sec_ctx *uctx,
15			      gfp_t gfp);
16int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
17			      struct xfrm_sec_ctx **new_ctxp);
18void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
19int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
20int selinux_xfrm_state_alloc(struct xfrm_state *x,
21			     struct xfrm_user_sec_ctx *uctx);
22int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
23				     struct xfrm_sec_ctx *polsec, u32 secid);
24void selinux_xfrm_state_free(struct xfrm_state *x);
25int selinux_xfrm_state_delete(struct xfrm_state *x);
26int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid);
27int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
28				      struct xfrm_policy *xp,
29				      const struct flowi_common *flic);
 
 
 
 
 
 
 
 
 
 
30
31#ifdef CONFIG_SECURITY_NETWORK_XFRM
32extern atomic_t selinux_xfrm_refcount;
33
34static inline int selinux_xfrm_enabled(void)
35{
36	return (atomic_read(&selinux_xfrm_refcount) > 0);
37}
38
39int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
40			      struct common_audit_data *ad);
41int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
42				struct common_audit_data *ad, u8 proto);
43int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
44int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid);
45
46static inline void selinux_xfrm_notify_policyload(void)
47{
48	struct net *net;
49
50	down_read(&net_rwsem);
51	for_each_net(net)
52		rt_genid_bump_all(net);
53	up_read(&net_rwsem);
54}
55#else
56static inline int selinux_xfrm_enabled(void)
57{
58	return 0;
59}
60
61static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
62					    struct common_audit_data *ad)
63{
64	return 0;
65}
66
67static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
68					      struct common_audit_data *ad,
69					      u8 proto)
70{
71	return 0;
72}
73
74static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid,
75					      int ckall)
76{
77	*sid = SECSID_NULL;
78	return 0;
79}
80
81static inline void selinux_xfrm_notify_policyload(void)
82{
83}
 
84
85static inline int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
86{
87	*sid = SECSID_NULL;
88	return 0;
89}
90#endif
91
92#endif /* _SELINUX_XFRM_H_ */