aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorTrent Jaeger <tjaeger@cse.psu.edu>2005-12-14 02:12:27 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-01-03 16:10:24 -0500
commitdf71837d5024e2524cd51c93621e558aa7dd9f3f (patch)
tree58938f1d46f3c6713b63e5a785e82fdbb10121a1 /include
parent88026842b0a760145aa71d69e74fbc9ec118ca44 (diff)
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the extension of the Linux Security Modules (LSM) interface by hooks in the XFRM and pfkey subsystems that leverage IPSec security associations to label packets. Extensions to the SELinux LSM are included that leverage the patch for this purpose. This patch implements the changes necessary to the XFRM subsystem, pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a socket to use only authorized security associations (or no security association) to send/receive network packets. Patch purpose: The patch is designed to enable access control per packets based on the strongly authenticated IPSec security association. Such access controls augment the existing ones based on network interface and IP address. The former are very coarse-grained, and the latter can be spoofed. By using IPSec, the system can control access to remote hosts based on cryptographic keys generated using the IPSec mechanism. This enables access control on a per-machine basis or per-application if the remote machine is running the same mechanism and trusted to enforce the access control policy. Patch design approach: The overall approach is that policy (xfrm_policy) entries set by user-level programs (e.g., setkey for ipsec-tools) are extended with a security context that is used at policy selection time in the XFRM subsystem to restrict the sockets that can send/receive packets via security associations (xfrm_states) that are built from those policies. A presentation available at www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf from the SELinux symposium describes the overall approach. Patch implementation details: On output, the policy retrieved (via xfrm_policy_lookup or xfrm_sk_policy_lookup) must be authorized for the security context of the socket and the same security context is required for resultant security association (retrieved or negotiated via racoon in ipsec-tools). This is enforced in xfrm_state_find. On input, the policy retrieved must also be authorized for the socket (at __xfrm_policy_check), and the security context of the policy must also match the security association being used. The patch has virtually no impact on packets that do not use IPSec. The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as before. Also, if IPSec is used without security contexts, the impact is minimal. The LSM must allow such policies to be selected for the combination of socket and remote machine, but subsequent IPSec processing proceeds as in the original case. Testing: The pfkey interface is tested using the ipsec-tools. ipsec-tools have been modified (a separate ipsec-tools patch is available for version 0.5) that supports assignment of xfrm_policy entries and security associations with security contexts via setkey and the negotiation using the security contexts via racoon. The xfrm_user interface is tested via ad hoc programs that set security contexts. These programs are also available from me, and contain programs for setting, getting, and deleting policy for testing this interface. Testing of sa functions was done by tracing kernel behavior. Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/pfkeyv2.h13
-rw-r--r--include/linux/security.h132
-rw-r--r--include/linux/xfrm.h29
-rw-r--r--include/net/flow.h7
-rw-r--r--include/net/xfrm.h27
5 files changed, 202 insertions, 6 deletions
diff --git a/include/linux/pfkeyv2.h b/include/linux/pfkeyv2.h
index 724066778aff..6351c4055ace 100644
--- a/include/linux/pfkeyv2.h
+++ b/include/linux/pfkeyv2.h
@@ -216,6 +216,16 @@ struct sadb_x_nat_t_port {
216} __attribute__((packed)); 216} __attribute__((packed));
217/* sizeof(struct sadb_x_nat_t_port) == 8 */ 217/* sizeof(struct sadb_x_nat_t_port) == 8 */
218 218
219/* Generic LSM security context */
220struct sadb_x_sec_ctx {
221 uint16_t sadb_x_sec_len;
222 uint16_t sadb_x_sec_exttype;
223 uint8_t sadb_x_ctx_alg; /* LSMs: e.g., selinux == 1 */
224 uint8_t sadb_x_ctx_doi;
225 uint16_t sadb_x_ctx_len;
226} __attribute__((packed));
227/* sizeof(struct sadb_sec_ctx) = 8 */
228
219/* Message types */ 229/* Message types */
220#define SADB_RESERVED 0 230#define SADB_RESERVED 0
221#define SADB_GETSPI 1 231#define SADB_GETSPI 1
@@ -325,7 +335,8 @@ struct sadb_x_nat_t_port {
325#define SADB_X_EXT_NAT_T_SPORT 21 335#define SADB_X_EXT_NAT_T_SPORT 21
326#define SADB_X_EXT_NAT_T_DPORT 22 336#define SADB_X_EXT_NAT_T_DPORT 22
327#define SADB_X_EXT_NAT_T_OA 23 337#define SADB_X_EXT_NAT_T_OA 23
328#define SADB_EXT_MAX 23 338#define SADB_X_EXT_SEC_CTX 24
339#define SADB_EXT_MAX 24
329 340
330/* Identity Extension values */ 341/* Identity Extension values */
331#define SADB_IDENTTYPE_RESERVED 0 342#define SADB_IDENTTYPE_RESERVED 0
diff --git a/include/linux/security.h b/include/linux/security.h
index f7e0ae018712..ef753654daa5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -59,6 +59,12 @@ struct sk_buff;
59struct sock; 59struct sock;
60struct sockaddr; 60struct sockaddr;
61struct socket; 61struct socket;
62struct flowi;
63struct dst_entry;
64struct xfrm_selector;
65struct xfrm_policy;
66struct xfrm_state;
67struct xfrm_user_sec_ctx;
62 68
63extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); 69extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
64extern int cap_netlink_recv(struct sk_buff *skb); 70extern int cap_netlink_recv(struct sk_buff *skb);
@@ -788,6 +794,52 @@ struct swap_info_struct;
788 * which is used to copy security attributes between local stream sockets. 794 * which is used to copy security attributes between local stream sockets.
789 * @sk_free_security: 795 * @sk_free_security:
790 * Deallocate security structure. 796 * Deallocate security structure.
797 * @sk_getsid:
798 * Retrieve the LSM-specific sid for the sock to enable caching of network
799 * authorizations.
800 *
801 * Security hooks for XFRM operations.
802 *
803 * @xfrm_policy_alloc_security:
804 * @xp contains the xfrm_policy being added to Security Policy Database
805 * used by the XFRM system.
806 * @sec_ctx contains the security context information being provided by
807 * the user-level policy update program (e.g., setkey).
808 * Allocate a security structure to the xp->selector.security field.
809 * The security field is initialized to NULL when the xfrm_policy is
810 * allocated.
811 * Return 0 if operation was successful (memory to allocate, legal context)
812 * @xfrm_policy_clone_security:
813 * @old contains an existing xfrm_policy in the SPD.
814 * @new contains a new xfrm_policy being cloned from old.
815 * Allocate a security structure to the new->selector.security field
816 * that contains the information from the old->selector.security field.
817 * Return 0 if operation was successful (memory to allocate).
818 * @xfrm_policy_free_security:
819 * @xp contains the xfrm_policy
820 * Deallocate xp->selector.security.
821 * @xfrm_state_alloc_security:
822 * @x contains the xfrm_state being added to the Security Association
823 * Database by the XFRM system.
824 * @sec_ctx contains the security context information being provided by
825 * the user-level SA generation program (e.g., setkey or racoon).
826 * Allocate a security structure to the x->sel.security field. The
827 * security field is initialized to NULL when the xfrm_state is
828 * allocated.
829 * Return 0 if operation was successful (memory to allocate, legal context).
830 * @xfrm_state_free_security:
831 * @x contains the xfrm_state.
832 * Deallocate x>sel.security.
833 * @xfrm_policy_lookup:
834 * @xp contains the xfrm_policy for which the access control is being
835 * checked.
836 * @sk_sid contains the sock security label that is used to authorize
837 * access to the policy xp.
838 * @dir contains the direction of the flow (input or output).
839 * Check permission when a sock selects a xfrm_policy for processing
840 * XFRMs on a packet. The hook is called when selecting either a
841 * per-socket policy or a generic xfrm policy.
842 * Return 0 if permission is granted.
791 * 843 *
792 * Security hooks affecting all Key Management operations 844 * Security hooks affecting all Key Management operations
793 * 845 *
@@ -1237,8 +1289,18 @@ struct security_operations {
1237 int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); 1289 int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len);
1238 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority); 1290 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
1239 void (*sk_free_security) (struct sock *sk); 1291 void (*sk_free_security) (struct sock *sk);
1292 unsigned int (*sk_getsid) (struct sock *sk, struct flowi *fl, u8 dir);
1240#endif /* CONFIG_SECURITY_NETWORK */ 1293#endif /* CONFIG_SECURITY_NETWORK */
1241 1294
1295#ifdef CONFIG_SECURITY_NETWORK_XFRM
1296 int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
1297 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new);
1298 void (*xfrm_policy_free_security) (struct xfrm_policy *xp);
1299 int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
1300 void (*xfrm_state_free_security) (struct xfrm_state *x);
1301 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
1302#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1303
1242 /* key management security hooks */ 1304 /* key management security hooks */
1243#ifdef CONFIG_KEYS 1305#ifdef CONFIG_KEYS
1244 int (*key_alloc)(struct key *key); 1306 int (*key_alloc)(struct key *key);
@@ -2679,6 +2741,11 @@ static inline void security_sk_free(struct sock *sk)
2679{ 2741{
2680 return security_ops->sk_free_security(sk); 2742 return security_ops->sk_free_security(sk);
2681} 2743}
2744
2745static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
2746{
2747 return security_ops->sk_getsid(sk, fl, dir);
2748}
2682#else /* CONFIG_SECURITY_NETWORK */ 2749#else /* CONFIG_SECURITY_NETWORK */
2683static inline int security_unix_stream_connect(struct socket * sock, 2750static inline int security_unix_stream_connect(struct socket * sock,
2684 struct socket * other, 2751 struct socket * other,
@@ -2795,8 +2862,73 @@ static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
2795static inline void security_sk_free(struct sock *sk) 2862static inline void security_sk_free(struct sock *sk)
2796{ 2863{
2797} 2864}
2865
2866static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
2867{
2868 return 0;
2869}
2798#endif /* CONFIG_SECURITY_NETWORK */ 2870#endif /* CONFIG_SECURITY_NETWORK */
2799 2871
2872#ifdef CONFIG_SECURITY_NETWORK_XFRM
2873static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
2874{
2875 return security_ops->xfrm_policy_alloc_security(xp, sec_ctx);
2876}
2877
2878static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
2879{
2880 return security_ops->xfrm_policy_clone_security(old, new);
2881}
2882
2883static inline void security_xfrm_policy_free(struct xfrm_policy *xp)
2884{
2885 security_ops->xfrm_policy_free_security(xp);
2886}
2887
2888static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
2889{
2890 return security_ops->xfrm_state_alloc_security(x, sec_ctx);
2891}
2892
2893static inline void security_xfrm_state_free(struct xfrm_state *x)
2894{
2895 security_ops->xfrm_state_free_security(x);
2896}
2897
2898static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
2899{
2900 return security_ops->xfrm_policy_lookup(xp, sk_sid, dir);
2901}
2902#else /* CONFIG_SECURITY_NETWORK_XFRM */
2903static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
2904{
2905 return 0;
2906}
2907
2908static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
2909{
2910 return 0;
2911}
2912
2913static inline void security_xfrm_policy_free(struct xfrm_policy *xp)
2914{
2915}
2916
2917static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
2918{
2919 return 0;
2920}
2921
2922static inline void security_xfrm_state_free(struct xfrm_state *x)
2923{
2924}
2925
2926static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
2927{
2928 return 0;
2929}
2930#endif /* CONFIG_SECURITY_NETWORK_XFRM */
2931
2800#ifdef CONFIG_KEYS 2932#ifdef CONFIG_KEYS
2801#ifdef CONFIG_SECURITY 2933#ifdef CONFIG_SECURITY
2802static inline int security_key_alloc(struct key *key) 2934static inline int security_key_alloc(struct key *key)
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index 0fb077d68441..82fbb758e28f 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -27,6 +27,22 @@ struct xfrm_id
27 __u8 proto; 27 __u8 proto;
28}; 28};
29 29
30struct xfrm_sec_ctx {
31 __u8 ctx_doi;
32 __u8 ctx_alg;
33 __u16 ctx_len;
34 __u32 ctx_sid;
35 char ctx_str[0];
36};
37
38/* Security Context Domains of Interpretation */
39#define XFRM_SC_DOI_RESERVED 0
40#define XFRM_SC_DOI_LSM 1
41
42/* Security Context Algorithms */
43#define XFRM_SC_ALG_RESERVED 0
44#define XFRM_SC_ALG_SELINUX 1
45
30/* Selector, used as selector both on policy rules (SPD) and SAs. */ 46/* Selector, used as selector both on policy rules (SPD) and SAs. */
31 47
32struct xfrm_selector 48struct xfrm_selector
@@ -146,6 +162,18 @@ enum {
146 162
147#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE) 163#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
148 164
165/*
166 * Generic LSM security context for comunicating to user space
167 * NOTE: Same format as sadb_x_sec_ctx
168 */
169struct xfrm_user_sec_ctx {
170 __u16 len;
171 __u16 exttype;
172 __u8 ctx_alg; /* LSMs: e.g., selinux == 1 */
173 __u8 ctx_doi;
174 __u16 ctx_len;
175};
176
149struct xfrm_user_tmpl { 177struct xfrm_user_tmpl {
150 struct xfrm_id id; 178 struct xfrm_id id;
151 __u16 family; 179 __u16 family;
@@ -176,6 +204,7 @@ enum xfrm_attr_type_t {
176 XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */ 204 XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
177 XFRMA_SA, 205 XFRMA_SA,
178 XFRMA_POLICY, 206 XFRMA_POLICY,
207 XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */
179 __XFRMA_MAX 208 __XFRMA_MAX
180 209
181#define XFRMA_MAX (__XFRMA_MAX - 1) 210#define XFRMA_MAX (__XFRMA_MAX - 1)
diff --git a/include/net/flow.h b/include/net/flow.h
index 9a5c94b1a0ec..ec7eb86eb203 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -84,11 +84,12 @@ struct flowi {
84#define FLOW_DIR_OUT 1 84#define FLOW_DIR_OUT 1
85#define FLOW_DIR_FWD 2 85#define FLOW_DIR_FWD 2
86 86
87typedef void (*flow_resolve_t)(struct flowi *key, u16 family, u8 dir, 87struct sock;
88typedef void (*flow_resolve_t)(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
88 void **objp, atomic_t **obj_refp); 89 void **objp, atomic_t **obj_refp);
89 90
90extern void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir, 91extern void *flow_cache_lookup(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
91 flow_resolve_t resolver); 92 flow_resolve_t resolver);
92extern void flow_cache_flush(void); 93extern void flow_cache_flush(void);
93extern atomic_t flow_cache_genid; 94extern atomic_t flow_cache_genid;
94 95
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 1cdb87912137..487abca3ca6f 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -144,6 +144,9 @@ struct xfrm_state
144 * transformer. */ 144 * transformer. */
145 struct xfrm_type *type; 145 struct xfrm_type *type;
146 146
147 /* Security context */
148 struct xfrm_sec_ctx *security;
149
147 /* Private data of this transformer, format is opaque, 150 /* Private data of this transformer, format is opaque,
148 * interpreted by xfrm_type methods. */ 151 * interpreted by xfrm_type methods. */
149 void *data; 152 void *data;
@@ -298,6 +301,7 @@ struct xfrm_policy
298 __u8 flags; 301 __u8 flags;
299 __u8 dead; 302 __u8 dead;
300 __u8 xfrm_nr; 303 __u8 xfrm_nr;
304 struct xfrm_sec_ctx *security;
301 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH]; 305 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
302}; 306};
303 307
@@ -510,6 +514,25 @@ xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
510 return 0; 514 return 0;
511} 515}
512 516
517#ifdef CONFIG_SECURITY_NETWORK_XFRM
518/* If neither has a context --> match
519 * Otherwise, both must have a context and the sids, doi, alg must match
520 */
521static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
522{
523 return ((!s1 && !s2) ||
524 (s1 && s2 &&
525 (s1->ctx_sid == s2->ctx_sid) &&
526 (s1->ctx_doi == s2->ctx_doi) &&
527 (s1->ctx_alg == s2->ctx_alg)));
528}
529#else
530static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
531{
532 return 1;
533}
534#endif
535
513/* A struct encoding bundle of transformations to apply to some set of flow. 536/* A struct encoding bundle of transformations to apply to some set of flow.
514 * 537 *
515 * dst->child points to the next element of bundle. 538 * dst->child points to the next element of bundle.
@@ -878,8 +901,8 @@ static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsig
878struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp); 901struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
879extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *); 902extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *);
880int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl); 903int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
881struct xfrm_policy *xfrm_policy_bysel(int dir, struct xfrm_selector *sel, 904struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel,
882 int delete); 905 struct xfrm_sec_ctx *ctx, int delete);
883struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete); 906struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
884void xfrm_policy_flush(void); 907void xfrm_policy_flush(void);
885u32 xfrm_get_acqseq(void); 908u32 xfrm_get_acqseq(void);