aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux/security.h
diff options
context:
space:
mode:
authorCatherine Zhang <cxzhang@watson.ibm.com>2006-06-09 02:39:49 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-06-18 00:29:45 -0400
commitc8c05a8eec6f1258f6d5cb71a44ee5dc1e989b63 (patch)
treeb4a04dd9e2b940cb5b2911fb67fbe49c5f8b3fbf /include/linux/security.h
parentcec6f7f39c3db7d9f6091bf2f8fc8d520f372719 (diff)
[LSM-IPsec]: SELinux Authorize
This patch contains a fix for the previous patch that adds security contexts to IPsec policies and security associations. In the previous patch, no authorization (besides the check for write permissions to SAD and SPD) is required to delete IPsec policies and security assocations with security contexts. Thus a user authorized to change SAD and SPD can bypass the IPsec policy authorization by simply deleteing policies with security contexts. To fix this security hole, an additional authorization check is added for removing security policies and security associations with security contexts. Note that if no security context is supplied on add or present on policy to be deleted, the SELinux module allows the change unconditionally. The hook is called on deletion when no context is present, which we may want to change. At present, I left it up to the module. LSM changes: The patch adds two new LSM hooks: xfrm_policy_delete and xfrm_state_delete. The new hooks are necessary to authorize deletion of IPsec policies that have security contexts. The existing hooks xfrm_policy_free and xfrm_state_free lack the context to do the authorization, so I decided to split authorization of deletion and memory management of security data, as is typical in the LSM interface. Use: The new delete hooks are checked when xfrm_policy or xfrm_state are deleted by either the xfrm_user interface (xfrm_get_policy, xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete). SELinux changes: The new policy_delete and state_delete functions are added. Signed-off-by: Catherine Zhang <cxzhang@watson.ibm.com> Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/security.h')
-rw-r--r--include/linux/security.h40
1 files changed, 34 insertions, 6 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 1bab48f6aeac..14c9bd050607 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -805,31 +805,37 @@ struct swap_info_struct;
805 * used by the XFRM system. 805 * used by the XFRM system.
806 * @sec_ctx contains the security context information being provided by 806 * @sec_ctx contains the security context information being provided by
807 * the user-level policy update program (e.g., setkey). 807 * the user-level policy update program (e.g., setkey).
808 * Allocate a security structure to the xp->selector.security field. 808 * Allocate a security structure to the xp->security field.
809 * The security field is initialized to NULL when the xfrm_policy is 809 * The security field is initialized to NULL when the xfrm_policy is
810 * allocated. 810 * allocated.
811 * Return 0 if operation was successful (memory to allocate, legal context) 811 * Return 0 if operation was successful (memory to allocate, legal context)
812 * @xfrm_policy_clone_security: 812 * @xfrm_policy_clone_security:
813 * @old contains an existing xfrm_policy in the SPD. 813 * @old contains an existing xfrm_policy in the SPD.
814 * @new contains a new xfrm_policy being cloned from old. 814 * @new contains a new xfrm_policy being cloned from old.
815 * Allocate a security structure to the new->selector.security field 815 * Allocate a security structure to the new->security field
816 * that contains the information from the old->selector.security field. 816 * that contains the information from the old->security field.
817 * Return 0 if operation was successful (memory to allocate). 817 * Return 0 if operation was successful (memory to allocate).
818 * @xfrm_policy_free_security: 818 * @xfrm_policy_free_security:
819 * @xp contains the xfrm_policy 819 * @xp contains the xfrm_policy
820 * Deallocate xp->selector.security. 820 * Deallocate xp->security.
821 * @xfrm_policy_delete_security:
822 * @xp contains the xfrm_policy.
823 * Authorize deletion of xp->security.
821 * @xfrm_state_alloc_security: 824 * @xfrm_state_alloc_security:
822 * @x contains the xfrm_state being added to the Security Association 825 * @x contains the xfrm_state being added to the Security Association
823 * Database by the XFRM system. 826 * Database by the XFRM system.
824 * @sec_ctx contains the security context information being provided by 827 * @sec_ctx contains the security context information being provided by
825 * the user-level SA generation program (e.g., setkey or racoon). 828 * the user-level SA generation program (e.g., setkey or racoon).
826 * Allocate a security structure to the x->sel.security field. The 829 * Allocate a security structure to the x->security field. The
827 * security field is initialized to NULL when the xfrm_state is 830 * security field is initialized to NULL when the xfrm_state is
828 * allocated. 831 * allocated.
829 * Return 0 if operation was successful (memory to allocate, legal context). 832 * Return 0 if operation was successful (memory to allocate, legal context).
830 * @xfrm_state_free_security: 833 * @xfrm_state_free_security:
831 * @x contains the xfrm_state. 834 * @x contains the xfrm_state.
832 * Deallocate x>sel.security. 835 * Deallocate x->security.
836 * @xfrm_state_delete_security:
837 * @x contains the xfrm_state.
838 * Authorize deletion of x->security.
833 * @xfrm_policy_lookup: 839 * @xfrm_policy_lookup:
834 * @xp contains the xfrm_policy for which the access control is being 840 * @xp contains the xfrm_policy for which the access control is being
835 * checked. 841 * checked.
@@ -1298,8 +1304,10 @@ struct security_operations {
1298 int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx); 1304 int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
1299 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new); 1305 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new);
1300 void (*xfrm_policy_free_security) (struct xfrm_policy *xp); 1306 void (*xfrm_policy_free_security) (struct xfrm_policy *xp);
1307 int (*xfrm_policy_delete_security) (struct xfrm_policy *xp);
1301 int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); 1308 int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
1302 void (*xfrm_state_free_security) (struct xfrm_state *x); 1309 void (*xfrm_state_free_security) (struct xfrm_state *x);
1310 int (*xfrm_state_delete_security) (struct xfrm_state *x);
1303 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 sk_sid, u8 dir); 1311 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
1304#endif /* CONFIG_SECURITY_NETWORK_XFRM */ 1312#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1305 1313
@@ -2934,11 +2942,21 @@ static inline void security_xfrm_policy_free(struct xfrm_policy *xp)
2934 security_ops->xfrm_policy_free_security(xp); 2942 security_ops->xfrm_policy_free_security(xp);
2935} 2943}
2936 2944
2945static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
2946{
2947 return security_ops->xfrm_policy_delete_security(xp);
2948}
2949
2937static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 2950static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
2938{ 2951{
2939 return security_ops->xfrm_state_alloc_security(x, sec_ctx); 2952 return security_ops->xfrm_state_alloc_security(x, sec_ctx);
2940} 2953}
2941 2954
2955static inline int security_xfrm_state_delete(struct xfrm_state *x)
2956{
2957 return security_ops->xfrm_state_delete_security(x);
2958}
2959
2942static inline void security_xfrm_state_free(struct xfrm_state *x) 2960static inline void security_xfrm_state_free(struct xfrm_state *x)
2943{ 2961{
2944 security_ops->xfrm_state_free_security(x); 2962 security_ops->xfrm_state_free_security(x);
@@ -2963,6 +2981,11 @@ static inline void security_xfrm_policy_free(struct xfrm_policy *xp)
2963{ 2981{
2964} 2982}
2965 2983
2984static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
2985{
2986 return 0;
2987}
2988
2966static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 2989static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
2967{ 2990{
2968 return 0; 2991 return 0;
@@ -2972,6 +2995,11 @@ static inline void security_xfrm_state_free(struct xfrm_state *x)
2972{ 2995{
2973} 2996}
2974 2997
2998static inline int security_xfrm_state_delete(struct xfrm_policy *xp)
2999{
3000 return 0;
3001}
3002
2975static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir) 3003static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
2976{ 3004{
2977 return 0; 3005 return 0;