authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-07-25 02:29:07 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:24 -0400
commite0d1caa7b0d5f02e4f34aa09c695d04251310c6c (patch)
treebf023c17abf6813f2694ebf5fafff82edd6a1023 /include
parentb6340fcd761acf9249b3acbc95c4dc555d9beb07 (diff)
[MLSXFRM]: Flow based matching of xfrm policy and state
This implements a seamless mechanism for xfrm policy selection and state matching based on the flow sid. This also includes the necessary SELinux enforcement pieces. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/security.h106
-rw-r--r--include/net/flow.h4
2 files changed, 92 insertions, 18 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 4d7fb59996b0..2c4921d79d19 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -31,6 +31,7 @@
31#include <linux/msg.h> 31#include <linux/msg.h>
32#include <linux/sched.h> 32#include <linux/sched.h>
33#include <linux/key.h> 33#include <linux/key.h>
34#include <linux/xfrm.h>
34 35
35struct ctl_table; 36struct ctl_table;
36 37
@@ -825,9 +826,8 @@ struct swap_info_struct;
825 * used by the XFRM system. 826 * used by the XFRM system.
826 * @sec_ctx contains the security context information being provided by 827 * @sec_ctx contains the security context information being provided by
827 * the user-level policy update program (e.g., setkey). 828 * the user-level policy update program (e.g., setkey).
828 * Allocate a security structure to the xp->security field. 829 * Allocate a security structure to the xp->security field; the security
829 * The security field is initialized to NULL when the xfrm_policy is 830 * field is initialized to NULL when the xfrm_policy is allocated.
830 * allocated.
831 * Return 0 if operation was successful (memory to allocate, legal context) 831 * Return 0 if operation was successful (memory to allocate, legal context)
832 * @xfrm_policy_clone_security: 832 * @xfrm_policy_clone_security:
833 * @old contains an existing xfrm_policy in the SPD. 833 * @old contains an existing xfrm_policy in the SPD.
@@ -846,9 +846,14 @@ struct swap_info_struct;
846 * Database by the XFRM system. 846 * Database by the XFRM system.
847 * @sec_ctx contains the security context information being provided by 847 * @sec_ctx contains the security context information being provided by
848 * the user-level SA generation program (e.g., setkey or racoon). 848 * the user-level SA generation program (e.g., setkey or racoon).
849 * Allocate a security structure to the x->security field. The 849 * @polsec contains the security context information associated with a xfrm
850 * security field is initialized to NULL when the xfrm_state is 850 * policy rule from which to take the base context. polsec must be NULL
851 * allocated. 851 * when sec_ctx is specified.
852 * @secid contains the secid from which to take the mls portion of the context.
853 * Allocate a security structure to the x->security field; the security
854 * field is initialized to NULL when the xfrm_state is allocated. Set the
855 * context to correspond to either sec_ctx or polsec, with the mls portion
856 * taken from secid in the latter case.
852 * Return 0 if operation was successful (memory to allocate, legal context). 857 * Return 0 if operation was successful (memory to allocate, legal context).
853 * @xfrm_state_free_security: 858 * @xfrm_state_free_security:
854 * @x contains the xfrm_state. 859 * @x contains the xfrm_state.
@@ -859,13 +864,26 @@ struct swap_info_struct;
859 * @xfrm_policy_lookup: 864 * @xfrm_policy_lookup:
860 * @xp contains the xfrm_policy for which the access control is being 865 * @xp contains the xfrm_policy for which the access control is being
861 * checked. 866 * checked.
862 * @sk_sid contains the sock security label that is used to authorize 867 * @fl_secid contains the flow security label that is used to authorize
863 * access to the policy xp. 868 * access to the policy xp.
864 * @dir contains the direction of the flow (input or output). 869 * @dir contains the direction of the flow (input or output).
865 * Check permission when a sock selects a xfrm_policy for processing 870 * Check permission when a flow selects a xfrm_policy for processing
866 * XFRMs on a packet. The hook is called when selecting either a 871 * XFRMs on a packet. The hook is called when selecting either a
867 * per-socket policy or a generic xfrm policy. 872 * per-socket policy or a generic xfrm policy.
868 * Return 0 if permission is granted. 873 * Return 0 if permission is granted.
874 * @xfrm_state_pol_flow_match:
875 * @x contains the state to match.
876 * @xp contains the policy to check for a match.
877 * @fl contains the flow to check for a match.
878 * Return 1 if there is a match.
879 * @xfrm_flow_state_match:
880 * @fl contains the flow key to match.
881 * @xfrm points to the xfrm_state to match.
882 * Return 1 if there is a match.
883 * @xfrm_decode_session:
884 * @skb points to skb to decode.
885 * @fl points to the flow key to set.
886 * Return 0 if successful decoding.
869 * 887 *
870 * Security hooks affecting all Key Management operations 888 * Security hooks affecting all Key Management operations
871 * 889 *
@@ -1343,10 +1361,16 @@ struct security_operations {
1343 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new); 1361 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new);
1344 void (*xfrm_policy_free_security) (struct xfrm_policy *xp); 1362 void (*xfrm_policy_free_security) (struct xfrm_policy *xp);
1345 int (*xfrm_policy_delete_security) (struct xfrm_policy *xp); 1363 int (*xfrm_policy_delete_security) (struct xfrm_policy *xp);
1346 int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); 1364 int (*xfrm_state_alloc_security) (struct xfrm_state *x,
1365 struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *polsec,
1366 u32 secid);
1347 void (*xfrm_state_free_security) (struct xfrm_state *x); 1367 void (*xfrm_state_free_security) (struct xfrm_state *x);
1348 int (*xfrm_state_delete_security) (struct xfrm_state *x); 1368 int (*xfrm_state_delete_security) (struct xfrm_state *x);
1349 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 sk_sid, u8 dir); 1369 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
1370 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
1371 struct xfrm_policy *xp, struct flowi *fl);
1372 int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm);
1373 int (*xfrm_decode_session)(struct sk_buff *skb, struct flowi *fl);
1350#endif /* CONFIG_SECURITY_NETWORK_XFRM */ 1374#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1351 1375
1352 /* key management security hooks */ 1376 /* key management security hooks */
@@ -3050,9 +3074,18 @@ static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
3050 return security_ops->xfrm_policy_delete_security(xp); 3074 return security_ops->xfrm_policy_delete_security(xp);
3051} 3075}
3052 3076
3053static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 3077static inline int security_xfrm_state_alloc(struct xfrm_state *x,
3078 struct xfrm_user_sec_ctx *sec_ctx)
3079{
3080 return security_ops->xfrm_state_alloc_security(x, sec_ctx, NULL, 0);
3081}
3082
3083static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
3084 struct xfrm_sec_ctx *polsec, u32 secid)
3054{ 3085{
3055 return security_ops->xfrm_state_alloc_security(x, sec_ctx); 3086 if (!polsec)
3087 return 0;
3088 return security_ops->xfrm_state_alloc_security(x, NULL, polsec, secid);
3056} 3089}
3057 3090
3058static inline int security_xfrm_state_delete(struct xfrm_state *x) 3091static inline int security_xfrm_state_delete(struct xfrm_state *x)
@@ -3065,9 +3098,25 @@ static inline void security_xfrm_state_free(struct xfrm_state *x)
3065 security_ops->xfrm_state_free_security(x); 3098 security_ops->xfrm_state_free_security(x);
3066} 3099}
3067 3100
3068static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir) 3101static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
3102{
3103 return security_ops->xfrm_policy_lookup(xp, fl_secid, dir);
3104}
3105
3106static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
3107 struct xfrm_policy *xp, struct flowi *fl)
3108{
3109 return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
3110}
3111
3112static inline int security_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm)
3113{
3114 return security_ops->xfrm_flow_state_match(fl, xfrm);
3115}
3116
3117static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
3069{ 3118{
3070 return security_ops->xfrm_policy_lookup(xp, sk_sid, dir); 3119 return security_ops->xfrm_decode_session(skb, fl);
3071} 3120}
3072#else /* CONFIG_SECURITY_NETWORK_XFRM */ 3121#else /* CONFIG_SECURITY_NETWORK_XFRM */
3073static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) 3122static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
@@ -3089,7 +3138,14 @@ static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
3089 return 0; 3138 return 0;
3090} 3139}
3091 3140
3092static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 3141static inline int security_xfrm_state_alloc(struct xfrm_state *x,
3142 struct xfrm_user_sec_ctx *sec_ctx)
3143{
3144 return 0;
3145}
3146
3147static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
3148 struct xfrm_sec_ctx *polsec, u32 secid)
3093{ 3149{
3094 return 0; 3150 return 0;
3095} 3151}
@@ -3103,10 +3159,28 @@ static inline int security_xfrm_state_delete(struct xfrm_state *x)
3103 return 0; 3159 return 0;
3104} 3160}
3105 3161
3106static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir) 3162static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
3107{ 3163{
3108 return 0; 3164 return 0;
3109} 3165}
3166
3167static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
3168 struct xfrm_policy *xp, struct flowi *fl)
3169{
3170 return 1;
3171}
3172
3173static inline int security_xfrm_flow_state_match(struct flowi *fl,
3174 struct xfrm_state *xfrm)
3175{
3176 return 1;
3177}
3178
3179static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
3180{
3181 return 0;
3182}
3183
3110#endif /* CONFIG_SECURITY_NETWORK_XFRM */ 3184#endif /* CONFIG_SECURITY_NETWORK_XFRM */
3111 3185
3112#ifdef CONFIG_KEYS 3186#ifdef CONFIG_KEYS
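Review bot: security_xfrm_state_alloc_acquire returns success without consulting the LSM when polsec is NULL, so an unlabeled policy silently yields an unlabeled acquire state; that is presumably the intent, but neither the wrapper nor the hook documentation for @polsec says so, and a reader could mistake it for a missing error path. I would add above the wrapper `/* A policy with no security context yields an unlabeled acquire state; the LSM is not consulted. */`. Separately, the new prototypes take `struct flowi *`; the added linux/xfrm.h include does not declare that type, so if security.h does not already carry a `struct flowi;` forward declaration ahead of struct security_operations (not visible here) these parameter lists will declare a prototype-scoped incomplete type and callers passing a real `struct flowi *` will get incompatible-pointer diagnostics — please confirm. Minor style point: xfrm_flow_state_match names its state parameter `xfrm` while every sibling xfrm hook uses `x`; `int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *x);` would be consistent.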
diff --git a/include/net/flow.h b/include/net/flow.h
index 1cee5a83433a..21d988b2058a 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -86,10 +86,10 @@ struct flowi {
86#define FLOW_DIR_FWD 2 86#define FLOW_DIR_FWD 2
87 87
88struct sock; 88struct sock;
89typedef void (*flow_resolve_t)(struct flowi *key, u32 sk_sid, u16 family, u8 dir, 89typedef void (*flow_resolve_t)(struct flowi *key, u16 family, u8 dir,
90 void **objp, atomic_t **obj_refp); 90 void **objp, atomic_t **obj_refp);
91 91
92extern void *flow_cache_lookup(struct flowi *key, u32 sk_sid, u16 family, u8 dir, 92extern void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir,
93 flow_resolve_t resolver); 93 flow_resolve_t resolver);
94extern void flow_cache_flush(void); 94extern void flow_cache_flush(void);
95extern atomic_t flow_cache_genid; 95extern atomic_t flow_cache_genid;
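Review bot: Dropping sk_sid from flow_resolve_t and flow_cache_lookup is only safe if the security label now travels inside struct flowi and is part of what the flow cache hashes and compares; this hunk shows neither the new flowi member nor the cache changes, so confirm that the field (presumably a secid filled in by the new xfrm_decode_session hook) exists and is covered by the cache's key hash and key comparison — otherwise a cache hit could hand one flow's resolved policy to a differently labeled flow with the same addresses and ports. A one-line comment on the typedef would make the contract explicit for resolver implementers, e.g. `/* the flow's security label, if any, is carried in *key rather than passed separately */`.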