Loading...
1/* SPDX-License-Identifier: GPL-2.0 */
2/*
3 * SELinux support for the XFRM LSM hooks
4 *
5 * Author : Trent Jaeger, <jaegert@us.ibm.com>
6 * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
7 */
8#ifndef _SELINUX_XFRM_H_
9#define _SELINUX_XFRM_H_
10
11#include <linux/lsm_audit.h>
12#include <net/flow.h>
13#include <net/xfrm.h>
14
15int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
16 struct xfrm_user_sec_ctx *uctx,
17 gfp_t gfp);
18int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
19 struct xfrm_sec_ctx **new_ctxp);
20void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
21int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
22int selinux_xfrm_state_alloc(struct xfrm_state *x,
23 struct xfrm_user_sec_ctx *uctx);
24int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
25 struct xfrm_sec_ctx *polsec, u32 secid);
26void selinux_xfrm_state_free(struct xfrm_state *x);
27int selinux_xfrm_state_delete(struct xfrm_state *x);
28int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid);
29int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
30 struct xfrm_policy *xp,
31 const struct flowi_common *flic);
32
33#ifdef CONFIG_SECURITY_NETWORK_XFRM
34extern atomic_t selinux_xfrm_refcount;
35
36static inline int selinux_xfrm_enabled(void)
37{
38 return (atomic_read(&selinux_xfrm_refcount) > 0);
39}
40
41int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
42 struct common_audit_data *ad);
43int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
44 struct common_audit_data *ad, u8 proto);
45int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
46int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid);
47
48static inline void selinux_xfrm_notify_policyload(void)
49{
50 struct net *net;
51
52 down_read(&net_rwsem);
53 for_each_net(net)
54 rt_genid_bump_all(net);
55 up_read(&net_rwsem);
56}
57#else
58static inline int selinux_xfrm_enabled(void)
59{
60 return 0;
61}
62
63static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
64 struct common_audit_data *ad)
65{
66 return 0;
67}
68
69static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
70 struct common_audit_data *ad,
71 u8 proto)
72{
73 return 0;
74}
75
76static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid,
77 int ckall)
78{
79 *sid = SECSID_NULL;
80 return 0;
81}
82
83static inline void selinux_xfrm_notify_policyload(void)
84{
85}
86
87static inline int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
88{
89 *sid = SECSID_NULL;
90 return 0;
91}
92#endif
93
94#endif /* _SELINUX_XFRM_H_ */
1/*
2 * SELinux support for the XFRM LSM hooks
3 *
4 * Author : Trent Jaeger, <jaegert@us.ibm.com>
5 * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
6 */
7#ifndef _SELINUX_XFRM_H_
8#define _SELINUX_XFRM_H_
9
10#include <net/flow.h>
11
12int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
13 struct xfrm_user_sec_ctx *sec_ctx);
14int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
15 struct xfrm_sec_ctx **new_ctxp);
16void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
17int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
18int selinux_xfrm_state_alloc(struct xfrm_state *x,
19 struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
20void selinux_xfrm_state_free(struct xfrm_state *x);
21int selinux_xfrm_state_delete(struct xfrm_state *x);
22int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
23int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
24 struct xfrm_policy *xp, const struct flowi *fl);
25
26/*
27 * Extract the security blob from the sock (it's actually on the socket)
28 */
29static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
30{
31 if (!sk->sk_socket)
32 return NULL;
33
34 return SOCK_INODE(sk->sk_socket)->i_security;
35}
36
37#ifdef CONFIG_SECURITY_NETWORK_XFRM
38extern atomic_t selinux_xfrm_refcount;
39
40static inline int selinux_xfrm_enabled(void)
41{
42 return (atomic_read(&selinux_xfrm_refcount) > 0);
43}
44
45int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
46 struct common_audit_data *ad);
47int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
48 struct common_audit_data *ad, u8 proto);
49int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
50
51static inline void selinux_xfrm_notify_policyload(void)
52{
53 atomic_inc(&flow_cache_genid);
54}
55#else
56static inline int selinux_xfrm_enabled(void)
57{
58 return 0;
59}
60
61static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
62 struct common_audit_data *ad)
63{
64 return 0;
65}
66
67static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
68 struct common_audit_data *ad, u8 proto)
69{
70 return 0;
71}
72
73static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
74{
75 *sid = SECSID_NULL;
76 return 0;
77}
78
79static inline void selinux_xfrm_notify_policyload(void)
80{
81}
82#endif
83
84static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
85{
86 int err = selinux_xfrm_decode_session(skb, sid, 0);
87 BUG_ON(err);
88}
89
90#endif /* _SELINUX_XFRM_H_ */