aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux/security.h
diff options
context:
space:
mode:
authorTrent Jaeger <tjaeger@cse.psu.edu>2005-12-14 02:12:27 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-01-03 16:10:24 -0500
commitdf71837d5024e2524cd51c93621e558aa7dd9f3f (patch)
tree58938f1d46f3c6713b63e5a785e82fdbb10121a1 /include/linux/security.h
parent88026842b0a760145aa71d69e74fbc9ec118ca44 (diff)
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the extension of the Linux Security Modules (LSM) interface by hooks in the XFRM and pfkey subsystems that leverage IPSec security associations to label packets. Extensions to the SELinux LSM are included that leverage the patch for this purpose. This patch implements the changes necessary to the XFRM subsystem, pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a socket to use only authorized security associations (or no security association) to send/receive network packets. Patch purpose: The patch is designed to enable access control per packets based on the strongly authenticated IPSec security association. Such access controls augment the existing ones based on network interface and IP address. The former are very coarse-grained, and the latter can be spoofed. By using IPSec, the system can control access to remote hosts based on cryptographic keys generated using the IPSec mechanism. This enables access control on a per-machine basis or per-application if the remote machine is running the same mechanism and trusted to enforce the access control policy. Patch design approach: The overall approach is that policy (xfrm_policy) entries set by user-level programs (e.g., setkey for ipsec-tools) are extended with a security context that is used at policy selection time in the XFRM subsystem to restrict the sockets that can send/receive packets via security associations (xfrm_states) that are built from those policies. A presentation available at www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf from the SELinux symposium describes the overall approach. Patch implementation details: On output, the policy retrieved (via xfrm_policy_lookup or xfrm_sk_policy_lookup) must be authorized for the security context of the socket and the same security context is required for resultant security association (retrieved or negotiated via racoon in ipsec-tools). This is enforced in xfrm_state_find. On input, the policy retrieved must also be authorized for the socket (at __xfrm_policy_check), and the security context of the policy must also match the security association being used. The patch has virtually no impact on packets that do not use IPSec. The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as before. Also, if IPSec is used without security contexts, the impact is minimal. The LSM must allow such policies to be selected for the combination of socket and remote machine, but subsequent IPSec processing proceeds as in the original case. Testing: The pfkey interface is tested using the ipsec-tools. ipsec-tools have been modified (a separate ipsec-tools patch is available for version 0.5) that supports assignment of xfrm_policy entries and security associations with security contexts via setkey and the negotiation using the security contexts via racoon. The xfrm_user interface is tested via ad hoc programs that set security contexts. These programs are also available from me, and contain programs for setting, getting, and deleting policy for testing this interface. Testing of sa functions was done by tracing kernel behavior. Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/security.h')
-rw-r--r--include/linux/security.h132
1 files changed, 132 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index f7e0ae018712..ef753654daa5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -59,6 +59,12 @@ struct sk_buff;
59struct sock; 59struct sock;
60struct sockaddr; 60struct sockaddr;
61struct socket; 61struct socket;
62struct flowi;
63struct dst_entry;
64struct xfrm_selector;
65struct xfrm_policy;
66struct xfrm_state;
67struct xfrm_user_sec_ctx;
62 68
63extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); 69extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
64extern int cap_netlink_recv(struct sk_buff *skb); 70extern int cap_netlink_recv(struct sk_buff *skb);
@@ -788,6 +794,52 @@ struct swap_info_struct;
788 * which is used to copy security attributes between local stream sockets. 794 * which is used to copy security attributes between local stream sockets.
789 * @sk_free_security: 795 * @sk_free_security:
790 * Deallocate security structure. 796 * Deallocate security structure.
797 * @sk_getsid:
798 * Retrieve the LSM-specific sid for the sock to enable caching of network
799 * authorizations.
800 *
801 * Security hooks for XFRM operations.
802 *
803 * @xfrm_policy_alloc_security:
804 * @xp contains the xfrm_policy being added to Security Policy Database
805 * used by the XFRM system.
806 * @sec_ctx contains the security context information being provided by
807 * the user-level policy update program (e.g., setkey).
808 * Allocate a security structure to the xp->selector.security field.
809 * The security field is initialized to NULL when the xfrm_policy is
810 * allocated.
811 * Return 0 if operation was successful (memory to allocate, legal context)
812 * @xfrm_policy_clone_security:
813 * @old contains an existing xfrm_policy in the SPD.
814 * @new contains a new xfrm_policy being cloned from old.
815 * Allocate a security structure to the new->selector.security field
816 * that contains the information from the old->selector.security field.
817 * Return 0 if operation was successful (memory to allocate).
818 * @xfrm_policy_free_security:
819 * @xp contains the xfrm_policy
820 * Deallocate xp->selector.security.
821 * @xfrm_state_alloc_security:
822 * @x contains the xfrm_state being added to the Security Association
823 * Database by the XFRM system.
824 * @sec_ctx contains the security context information being provided by
825 * the user-level SA generation program (e.g., setkey or racoon).
826 * Allocate a security structure to the x->sel.security field. The
827 * security field is initialized to NULL when the xfrm_state is
828 * allocated.
829 * Return 0 if operation was successful (memory to allocate, legal context).
830 * @xfrm_state_free_security:
831 * @x contains the xfrm_state.
832 * Deallocate x>sel.security.
833 * @xfrm_policy_lookup:
834 * @xp contains the xfrm_policy for which the access control is being
835 * checked.
836 * @sk_sid contains the sock security label that is used to authorize
837 * access to the policy xp.
838 * @dir contains the direction of the flow (input or output).
839 * Check permission when a sock selects a xfrm_policy for processing
840 * XFRMs on a packet. The hook is called when selecting either a
841 * per-socket policy or a generic xfrm policy.
842 * Return 0 if permission is granted.
791 * 843 *
792 * Security hooks affecting all Key Management operations 844 * Security hooks affecting all Key Management operations
793 * 845 *
@@ -1237,8 +1289,18 @@ struct security_operations {
1237 int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); 1289 int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len);
1238 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority); 1290 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
1239 void (*sk_free_security) (struct sock *sk); 1291 void (*sk_free_security) (struct sock *sk);
1292 unsigned int (*sk_getsid) (struct sock *sk, struct flowi *fl, u8 dir);
1240#endif /* CONFIG_SECURITY_NETWORK */ 1293#endif /* CONFIG_SECURITY_NETWORK */
1241 1294
1295#ifdef CONFIG_SECURITY_NETWORK_XFRM
1296 int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
1297 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new);
1298 void (*xfrm_policy_free_security) (struct xfrm_policy *xp);
1299 int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
1300 void (*xfrm_state_free_security) (struct xfrm_state *x);
1301 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
1302#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1303
1242 /* key management security hooks */ 1304 /* key management security hooks */
1243#ifdef CONFIG_KEYS 1305#ifdef CONFIG_KEYS
1244 int (*key_alloc)(struct key *key); 1306 int (*key_alloc)(struct key *key);
@@ -2679,6 +2741,11 @@ static inline void security_sk_free(struct sock *sk)
2679{ 2741{
2680 return security_ops->sk_free_security(sk); 2742 return security_ops->sk_free_security(sk);
2681} 2743}
2744
2745static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
2746{
2747 return security_ops->sk_getsid(sk, fl, dir);
2748}
2682#else /* CONFIG_SECURITY_NETWORK */ 2749#else /* CONFIG_SECURITY_NETWORK */
2683static inline int security_unix_stream_connect(struct socket * sock, 2750static inline int security_unix_stream_connect(struct socket * sock,
2684 struct socket * other, 2751 struct socket * other,
@@ -2795,8 +2862,73 @@ static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
2795static inline void security_sk_free(struct sock *sk) 2862static inline void security_sk_free(struct sock *sk)
2796{ 2863{
2797} 2864}
2865
2866static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
2867{
2868 return 0;
2869}
2798#endif /* CONFIG_SECURITY_NETWORK */ 2870#endif /* CONFIG_SECURITY_NETWORK */
2799 2871
2872#ifdef CONFIG_SECURITY_NETWORK_XFRM
2873static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
2874{
2875 return security_ops->xfrm_policy_alloc_security(xp, sec_ctx);
2876}
2877
2878static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
2879{
2880 return security_ops->xfrm_policy_clone_security(old, new);
2881}
2882
2883static inline void security_xfrm_policy_free(struct xfrm_policy *xp)
2884{
2885 security_ops->xfrm_policy_free_security(xp);
2886}
2887
2888static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
2889{
2890 return security_ops->xfrm_state_alloc_security(x, sec_ctx);
2891}
2892
2893static inline void security_xfrm_state_free(struct xfrm_state *x)
2894{
2895 security_ops->xfrm_state_free_security(x);
2896}
2897
2898static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
2899{
2900 return security_ops->xfrm_policy_lookup(xp, sk_sid, dir);
2901}
2902#else /* CONFIG_SECURITY_NETWORK_XFRM */
2903static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
2904{
2905 return 0;
2906}
2907
2908static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
2909{
2910 return 0;
2911}
2912
2913static inline void security_xfrm_policy_free(struct xfrm_policy *xp)
2914{
2915}
2916
2917static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
2918{
2919 return 0;
2920}
2921
2922static inline void security_xfrm_state_free(struct xfrm_state *x)
2923{
2924}
2925
2926static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
2927{
2928 return 0;
2929}
2930#endif /* CONFIG_SECURITY_NETWORK_XFRM */
2931
2800#ifdef CONFIG_KEYS 2932#ifdef CONFIG_KEYS
2801#ifdef CONFIG_SECURITY 2933#ifdef CONFIG_SECURITY
2802static inline int security_key_alloc(struct key *key) 2934static inline int security_key_alloc(struct key *key)