aboutsummaryrefslogtreecommitdiffstats
path: root/include/net
diff options
context:
space:
mode:
authorTrent Jaeger <tjaeger@cse.psu.edu>2005-12-14 02:12:27 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-01-03 16:10:24 -0500
commitdf71837d5024e2524cd51c93621e558aa7dd9f3f (patch)
tree58938f1d46f3c6713b63e5a785e82fdbb10121a1 /include/net
parent88026842b0a760145aa71d69e74fbc9ec118ca44 (diff)
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the extension of the Linux Security Modules (LSM) interface by hooks in the XFRM and pfkey subsystems that leverage IPSec security associations to label packets. Extensions to the SELinux LSM are included that leverage the patch for this purpose. This patch implements the changes necessary to the XFRM subsystem, pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a socket to use only authorized security associations (or no security association) to send/receive network packets. Patch purpose: The patch is designed to enable access control per packets based on the strongly authenticated IPSec security association. Such access controls augment the existing ones based on network interface and IP address. The former are very coarse-grained, and the latter can be spoofed. By using IPSec, the system can control access to remote hosts based on cryptographic keys generated using the IPSec mechanism. This enables access control on a per-machine basis or per-application if the remote machine is running the same mechanism and trusted to enforce the access control policy. Patch design approach: The overall approach is that policy (xfrm_policy) entries set by user-level programs (e.g., setkey for ipsec-tools) are extended with a security context that is used at policy selection time in the XFRM subsystem to restrict the sockets that can send/receive packets via security associations (xfrm_states) that are built from those policies. A presentation available at www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf from the SELinux symposium describes the overall approach. Patch implementation details: On output, the policy retrieved (via xfrm_policy_lookup or xfrm_sk_policy_lookup) must be authorized for the security context of the socket and the same security context is required for resultant security association (retrieved or negotiated via racoon in ipsec-tools). This is enforced in xfrm_state_find. On input, the policy retrieved must also be authorized for the socket (at __xfrm_policy_check), and the security context of the policy must also match the security association being used. The patch has virtually no impact on packets that do not use IPSec. The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as before. Also, if IPSec is used without security contexts, the impact is minimal. The LSM must allow such policies to be selected for the combination of socket and remote machine, but subsequent IPSec processing proceeds as in the original case. Testing: The pfkey interface is tested using the ipsec-tools. ipsec-tools have been modified (a separate ipsec-tools patch is available for version 0.5) that supports assignment of xfrm_policy entries and security associations with security contexts via setkey and the negotiation using the security contexts via racoon. The xfrm_user interface is tested via ad hoc programs that set security contexts. These programs are also available from me, and contain programs for setting, getting, and deleting policy for testing this interface. Testing of sa functions was done by tracing kernel behavior. Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/flow.h7
-rw-r--r--include/net/xfrm.h27
2 files changed, 29 insertions, 5 deletions
diff --git a/include/net/flow.h b/include/net/flow.h
index 9a5c94b1a0e..ec7eb86eb20 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -84,11 +84,12 @@ struct flowi {
84#define FLOW_DIR_OUT 1 84#define FLOW_DIR_OUT 1
85#define FLOW_DIR_FWD 2 85#define FLOW_DIR_FWD 2
86 86
87typedef void (*flow_resolve_t)(struct flowi *key, u16 family, u8 dir, 87struct sock;
88typedef void (*flow_resolve_t)(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
88 void **objp, atomic_t **obj_refp); 89 void **objp, atomic_t **obj_refp);
89 90
90extern void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir, 91extern void *flow_cache_lookup(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
91 flow_resolve_t resolver); 92 flow_resolve_t resolver);
92extern void flow_cache_flush(void); 93extern void flow_cache_flush(void);
93extern atomic_t flow_cache_genid; 94extern atomic_t flow_cache_genid;
94 95
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 1cdb8791213..487abca3ca6 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -144,6 +144,9 @@ struct xfrm_state
144 * transformer. */ 144 * transformer. */
145 struct xfrm_type *type; 145 struct xfrm_type *type;
146 146
147 /* Security context */
148 struct xfrm_sec_ctx *security;
149
147 /* Private data of this transformer, format is opaque, 150 /* Private data of this transformer, format is opaque,
148 * interpreted by xfrm_type methods. */ 151 * interpreted by xfrm_type methods. */
149 void *data; 152 void *data;
@@ -298,6 +301,7 @@ struct xfrm_policy
298 __u8 flags; 301 __u8 flags;
299 __u8 dead; 302 __u8 dead;
300 __u8 xfrm_nr; 303 __u8 xfrm_nr;
304 struct xfrm_sec_ctx *security;
301 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH]; 305 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
302}; 306};
303 307
@@ -510,6 +514,25 @@ xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
510 return 0; 514 return 0;
511} 515}
512 516
517#ifdef CONFIG_SECURITY_NETWORK_XFRM
518/* If neither has a context --> match
519 * Otherwise, both must have a context and the sids, doi, alg must match
520 */
521static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
522{
523 return ((!s1 && !s2) ||
524 (s1 && s2 &&
525 (s1->ctx_sid == s2->ctx_sid) &&
526 (s1->ctx_doi == s2->ctx_doi) &&
527 (s1->ctx_alg == s2->ctx_alg)));
528}
529#else
530static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
531{
532 return 1;
533}
534#endif
535
513/* A struct encoding bundle of transformations to apply to some set of flow. 536/* A struct encoding bundle of transformations to apply to some set of flow.
514 * 537 *
515 * dst->child points to the next element of bundle. 538 * dst->child points to the next element of bundle.
@@ -878,8 +901,8 @@ static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsig
878struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp); 901struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
879extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *); 902extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *);
880int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl); 903int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
881struct xfrm_policy *xfrm_policy_bysel(int dir, struct xfrm_selector *sel, 904struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel,
882 int delete); 905 struct xfrm_sec_ctx *ctx, int delete);
883struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete); 906struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
884void xfrm_policy_flush(void); 907void xfrm_policy_flush(void);
885u32 xfrm_get_acqseq(void); 908u32 xfrm_get_acqseq(void);