authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-08-05 02:12:42 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:27 -0400
commitbeb8d13bed80f8388f1a9a107d07ddd342e627e8 (patch)
tree19d5763b9b3b8ff3969997565e5ec0edd6e4bd33 /include
parent4e2ba18eae7f370c7c3ed96eaca747cc9b39f917 (diff)
[MLSXFRM]: Add flow labeling
This labels the flows that could utilize IPSec xfrms at the points the flows are defined so that IPSec policy and SAs at the right label can be used. The following protos are currently not handled, but they should continue to be able to use single-labeled IPSec like they currently do. ipmr ip_gre ipip igmp sit sctp ip6_tunnel (IPv6 over IPv6 tunnel device) decnet Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/security.h38
-rw-r--r--include/net/route.h3
2 files changed, 28 insertions, 13 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 2c4921d79d19..f3909d189fe0 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -32,6 +32,7 @@
32#include <linux/sched.h> 32#include <linux/sched.h>
33#include <linux/key.h> 33#include <linux/key.h>
34#include <linux/xfrm.h> 34#include <linux/xfrm.h>
35#include <net/flow.h>
35 36
36struct ctl_table; 37struct ctl_table;
37 38
@@ -815,8 +816,8 @@ struct swap_info_struct;
815 * Deallocate security structure. 816 * Deallocate security structure.
816 * @sk_clone_security: 817 * @sk_clone_security:
817 * Clone/copy security structure. 818 * Clone/copy security structure.
818 * @sk_getsid: 819 * @sk_getsecid:
819 * Retrieve the LSM-specific sid for the sock to enable caching of network 820 * Retrieve the LSM-specific secid for the sock to enable caching of network
820 * authorizations. 821 * authorizations.
821 * 822 *
822 * Security hooks for XFRM operations. 823 * Security hooks for XFRM operations.
@@ -882,8 +883,9 @@ struct swap_info_struct;
882 * Return 1 if there is a match. 883 * Return 1 if there is a match.
883 * @xfrm_decode_session: 884 * @xfrm_decode_session:
884 * @skb points to skb to decode. 885 * @skb points to skb to decode.
885 * @fl points to the flow key to set. 886 * @secid points to the flow key secid to set.
886 * Return 0 if successful decoding. 887 * @ckall says if all xfrms used should be checked for same secid.
888 * Return 0 if ckall is zero or all xfrms used have the same secid.
887 * 889 *
888 * Security hooks affecting all Key Management operations 890 * Security hooks affecting all Key Management operations
889 * 891 *
@@ -1353,7 +1355,7 @@ struct security_operations {
1353 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority); 1355 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
1354 void (*sk_free_security) (struct sock *sk); 1356 void (*sk_free_security) (struct sock *sk);
1355 void (*sk_clone_security) (const struct sock *sk, struct sock *newsk); 1357 void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
1356 unsigned int (*sk_getsid) (struct sock *sk, struct flowi *fl, u8 dir); 1358 void (*sk_getsecid) (struct sock *sk, u32 *secid);
1357#endif /* CONFIG_SECURITY_NETWORK */ 1359#endif /* CONFIG_SECURITY_NETWORK */
1358 1360
1359#ifdef CONFIG_SECURITY_NETWORK_XFRM 1361#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1370,7 +1372,7 @@ struct security_operations {
1370 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x, 1372 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
1371 struct xfrm_policy *xp, struct flowi *fl); 1373 struct xfrm_policy *xp, struct flowi *fl);
1372 int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm); 1374 int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm);
1373 int (*xfrm_decode_session)(struct sk_buff *skb, struct flowi *fl); 1375 int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
1374#endif /* CONFIG_SECURITY_NETWORK_XFRM */ 1376#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1375 1377
1376 /* key management security hooks */ 1378 /* key management security hooks */
@@ -2917,9 +2919,9 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
2917 return security_ops->sk_clone_security(sk, newsk); 2919 return security_ops->sk_clone_security(sk, newsk);
2918} 2920}
2919 2921
2920static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir) 2922static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
2921{ 2923{
2922 return security_ops->sk_getsid(sk, fl, dir); 2924 security_ops->sk_getsecid(sk, &fl->secid);
2923} 2925}
2924#else /* CONFIG_SECURITY_NETWORK */ 2926#else /* CONFIG_SECURITY_NETWORK */
2925static inline int security_unix_stream_connect(struct socket * sock, 2927static inline int security_unix_stream_connect(struct socket * sock,
@@ -3047,9 +3049,8 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
3047{ 3049{
3048} 3050}
3049 3051
3050static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir) 3052static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
3051{ 3053{
3052 return 0;
3053} 3054}
3054#endif /* CONFIG_SECURITY_NETWORK */ 3055#endif /* CONFIG_SECURITY_NETWORK */
3055 3056
@@ -3114,9 +3115,16 @@ static inline int security_xfrm_flow_state_match(struct flowi *fl, struct xfrm_s
3114 return security_ops->xfrm_flow_state_match(fl, xfrm); 3115 return security_ops->xfrm_flow_state_match(fl, xfrm);
3115} 3116}
3116 3117
3117static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl) 3118static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
3119{
3120 return security_ops->xfrm_decode_session(skb, secid, 1);
3121}
3122
3123static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
3118{ 3124{
3119 return security_ops->xfrm_decode_session(skb, fl); 3125 int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
3126
3127 BUG_ON(rc);
3120} 3128}
3121#else /* CONFIG_SECURITY_NETWORK_XFRM */ 3129#else /* CONFIG_SECURITY_NETWORK_XFRM */
3122static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) 3130static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
@@ -3176,11 +3184,15 @@ static inline int security_xfrm_flow_state_match(struct flowi *fl,
3176 return 1; 3184 return 1;
3177} 3185}
3178 3186
3179static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl) 3187static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
3180{ 3188{
3181 return 0; 3189 return 0;
3182} 3190}
3183 3191
3192static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
3193{
3194}
3195
3184#endif /* CONFIG_SECURITY_NETWORK_XFRM */ 3196#endif /* CONFIG_SECURITY_NETWORK_XFRM */
3185 3197
3186#ifdef CONFIG_KEYS 3198#ifdef CONFIG_KEYS
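Review bot: `BUG_ON(rc)` in the new security_skb_classify_flow() (new lines 3123-3128) makes any non-zero return from the xfrm_decode_session hook a kernel panic on a per-skb path, while the hook comment at new line 888 already makes 0 the required result when ckall is zero, so the assertion enforces an LSM contract rather than a condition the caller can recover from. If the intent is diagnostic rather than a hard invariant, `WARN_ON(rc);` reports the contract violation without turning a hook bug on packet-driven code into a crash, and fl->secid is then simply left as the caller initialized it. The two new wrappers security_sk_classify_flow() (new lines 2922-2925) and security_skb_classify_flow() also carry no comment saying what they write; suggest above security_skb_classify_flow(): `/* Set fl->secid from the xfrms used for @skb; ckall=0 skips the check that all xfrms used agree on the secid. The !CONFIG_SECURITY_NETWORK_XFRM stub leaves fl->secid untouched. */` and a matching one-liner on security_sk_classify_flow() noting it stores the sock's secid into fl->secid.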
diff --git a/include/net/route.h b/include/net/route.h
index c4a068692dcc..7f93ac0e0899 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -32,6 +32,7 @@
32#include <linux/route.h> 32#include <linux/route.h>
33#include <linux/ip.h> 33#include <linux/ip.h>
34#include <linux/cache.h> 34#include <linux/cache.h>
35#include <linux/security.h>
35 36
36#ifndef __KERNEL__ 37#ifndef __KERNEL__
37#warning This file is not supposed to be used outside of kernel. 38#warning This file is not supposed to be used outside of kernel.
@@ -166,6 +167,7 @@ static inline int ip_route_connect(struct rtable **rp, u32 dst,
166 ip_rt_put(*rp); 167 ip_rt_put(*rp);
167 *rp = NULL; 168 *rp = NULL;
168 } 169 }
170 security_sk_classify_flow(sk, &fl);
169 return ip_route_output_flow(rp, &fl, sk, 0); 171 return ip_route_output_flow(rp, &fl, sk, 0);
170} 172}
171 173
@@ -182,6 +184,7 @@ static inline int ip_route_newports(struct rtable **rp, u8 protocol,
182 fl.proto = protocol; 184 fl.proto = protocol;
183 ip_rt_put(*rp); 185 ip_rt_put(*rp);
184 *rp = NULL; 186 *rp = NULL;
187 security_sk_classify_flow(sk, &fl);
185 return ip_route_output_flow(rp, &fl, sk, 0); 188 return ip_route_output_flow(rp, &fl, sk, 0);
186 } 189 }
187 return 0; 190 return 0;
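Review bot: The new security_sk_classify_flow(sk, &fl) calls at new lines 170 and 187 carry no comment explaining why the flow must be labeled before ip_route_output_flow(), so a reader of route.h has no cue that the lookup consumes fl.secid; suggest `/* label the flow first: the xfrm lookup inside ip_route_output_flow() matches on fl.secid */`, with the consumer hedged since it is outside this diff. Both enclosing functions, ip_route_connect() and ip_route_newports(), begin outside the hunk, so whether `fl` is declared with a designated initializer is not visible here; if it is, fl.secid starts at zero and the empty !CONFIG_SECURITY_NETWORK stub leaves it there, otherwise the stub hands an uninitialized secid to the route lookup and the declaration should be checked. Pulling <linux/security.h> into net/route.h (new line 35) is a sizeable header for two inline calls; worth a note in the commit if the include is required for the inline stubs rather than a forward declaration.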