author | Venkat Yekkirala <vyekkirala@TrustedCS.com> | 2006-07-25 02:29:07 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:24 -0400 |
commit | e0d1caa7b0d5f02e4f34aa09c695d04251310c6c (patch) | |
tree | bf023c17abf6813f2694ebf5fafff82edd6a1023 /include | |
parent | b6340fcd761acf9249b3acbc95c4dc555d9beb07 (diff) |
[MLSXFRM]: Flow based matching of xfrm policy and state
This implements a seamless mechanism for xfrm policy selection and
state matching based on the flow sid. This also includes the necessary
SELinux enforcement pieces.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/security.h | 106 | ||||
-rw-r--r-- | include/net/flow.h | 4 |
2 files changed, 92 insertions, 18 deletions
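--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -31,6 +31,7 @@
 #include <linux/msg.h>
 #include <linux/sched.h>
 #include <linux/key.h>
+#include <linux/xfrm.h>
 
 struct ctl_table;
 
@@ -825,9 +826,8 @@ struct swap_info_struct;
  * used by the XFRM system.
  * @sec_ctx contains the security context information being provided by
  * the user-level policy update program (e.g., setkey).
- * Allocate a security structure to the xp->security field.
- * The security field is initialized to NULL when the xfrm_policy is
- * allocated.
+ * Allocate a security structure to the xp->security field; the security
+ * field is initialized to NULL when the xfrm_policy is allocated.
  * Return 0 if operation was successful (memory to allocate, legal context)
  * @xfrm_policy_clone_security:
  * @old contains an existing xfrm_policy in the SPD.
@@ -846,9 +846,14 @@ struct swap_info_struct;
  * Database by the XFRM system.
  * @sec_ctx contains the security context information being provided by
  * the user-level SA generation program (e.g., setkey or racoon).
- * Allocate a security structure to the x->security field. The
- * security field is initialized to NULL when the xfrm_state is
- * allocated.
+ * @polsec contains the security context information associated with a xfrm
+ * policy rule from which to take the base context. polsec must be NULL
+ * when sec_ctx is specified.
+ * @secid contains the secid from which to take the mls portion of the context.
+ * Allocate a security structure to the x->security field; the security
+ * field is initialized to NULL when the xfrm_state is allocated. Set the
+ * context to correspond to either sec_ctx or polsec, with the mls portion
+ * taken from secid in the latter case.
  * Return 0 if operation was successful (memory to allocate, legal context).
  * @xfrm_state_free_security:
  * @x contains the xfrm_state.
@@ -859,13 +864,26 @@ struct swap_info_struct;
  * @xfrm_policy_lookup:
  * @xp contains the xfrm_policy for which the access control is being
  * checked.
- * @sk_sid contains the sock security label that is used to authorize
+ * @fl_secid contains the flow security label that is used to authorize
  * access to the policy xp.
  * @dir contains the direction of the flow (input or output).
- * Check permission when a sock selects a xfrm_policy for processing
+ * Check permission when a flow selects a xfrm_policy for processing
  * XFRMs on a packet. The hook is called when selecting either a
  * per-socket policy or a generic xfrm policy.
  * Return 0 if permission is granted.
+ * @xfrm_state_pol_flow_match:
+ * @x contains the state to match.
+ * @xp contains the policy to check for a match.
+ * @fl contains the flow to check for a match.
+ * Return 1 if there is a match.
+ * @xfrm_flow_state_match:
+ * @fl contains the flow key to match.
+ * @xfrm points to the xfrm_state to match.
+ * Return 1 if there is a match.
+ * @xfrm_decode_session:
+ * @skb points to skb to decode.
+ * @fl points to the flow key to set.
+ * Return 0 if successful decoding.
  *
  * Security hooks affecting all Key Management operations
  *
@@ -1343,10 +1361,16 @@ struct security_operations {
 	int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new);
 	void (*xfrm_policy_free_security) (struct xfrm_policy *xp);
 	int (*xfrm_policy_delete_security) (struct xfrm_policy *xp);
-	int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
+	int (*xfrm_state_alloc_security) (struct xfrm_state *x,
+		struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *polsec,
+		u32 secid);
 	void (*xfrm_state_free_security) (struct xfrm_state *x);
 	int (*xfrm_state_delete_security) (struct xfrm_state *x);
-	int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
+	int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
+	int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
+			struct xfrm_policy *xp, struct flowi *fl);
+	int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm);
+	int (*xfrm_decode_session)(struct sk_buff *skb, struct flowi *fl);
 #endif	/* CONFIG_SECURITY_NETWORK_XFRM */
 
 	/* key management security hooks */
@@ -3050,9 +3074,18 @@ static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
 	return security_ops->xfrm_policy_delete_security(xp);
 }
 
-static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
+static inline int security_xfrm_state_alloc(struct xfrm_state *x,
+			struct xfrm_user_sec_ctx *sec_ctx)
+{
+	return security_ops->xfrm_state_alloc_security(x, sec_ctx, NULL, 0);
+}
+
+static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
+				struct xfrm_sec_ctx *polsec, u32 secid)
 {
-	return security_ops->xfrm_state_alloc_security(x, sec_ctx);
+	if (!polsec)
+		return 0;
+	return security_ops->xfrm_state_alloc_security(x, NULL, polsec, secid);
 }
 
 static inline int security_xfrm_state_delete(struct xfrm_state *x)
@@ -3065,9 +3098,25 @@ static inline void security_xfrm_state_free(struct xfrm_state *x)
 	security_ops->xfrm_state_free_security(x);
 }
 
-static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
+static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
+{
+	return security_ops->xfrm_policy_lookup(xp, fl_secid, dir);
+}
+
+static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
+			struct xfrm_policy *xp, struct flowi *fl)
+{
+	return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
+}
+
+static inline int security_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm)
+{
+	return security_ops->xfrm_flow_state_match(fl, xfrm);
+}
+
+static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
 {
-	return security_ops->xfrm_policy_lookup(xp, sk_sid, dir);
+	return security_ops->xfrm_decode_session(skb, fl);
 }
 #else	/* CONFIG_SECURITY_NETWORK_XFRM */
 static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
@@ -3089,7 +3138,14 @@ static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
 	return 0;
 }
 
-static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
+static inline int security_xfrm_state_alloc(struct xfrm_state *x,
+			struct xfrm_user_sec_ctx *sec_ctx)
+{
+	return 0;
+}
+
+static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
+				struct xfrm_sec_ctx *polsec, u32 secid)
 {
 	return 0;
 }
@@ -3103,10 +3159,28 @@ static inline int security_xfrm_state_delete(struct xfrm_state *x)
 	return 0;
 }
 
-static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
+static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
 {
 	return 0;
 }
+
+static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
+			struct xfrm_policy *xp, struct flowi *fl)
+{
+	return 1;
+}
+
+static inline int security_xfrm_flow_state_match(struct flowi *fl,
+				struct xfrm_state *xfrm)
+{
+	return 1;
+}
+
+static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+{
+	return 0;
+}
+
 #endif	/* CONFIG_SECURITY_NETWORK_XFRM */
 
 #ifdef CONFIG_KEYS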
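Review bot: security_xfrm_state_alloc_acquire (new lines 3083–3089) returns 0 and discards `secid` whenever `polsec` is NULL, so a state acquired on behalf of an unlabeled policy is left with x->security == NULL no matter what label the triggering flow carried, and the LSM hook is never consulted for that case. That is presumably intentional (an unlabeled policy cannot supply the base context that secid's MLS portion is merged into), but neither the wrapper nor the @xfrm_state_alloc_security text says so; I would put `/* Unlabeled policy: the acquired state stays unlabeled, the flow secid alone cannot form a context. */` above the early return and add to the hook documentation that the hook is never called with both sec_ctx and polsec NULL, since both wrappers guarantee exactly one of them is set. As a point of style, the new xfrm_state_pol_flow_match and xfrm_flow_state_match hooks and their wrappers are documented purely as matchers ("Return 1 if there is a match") yet take a non-const `struct flowi *fl`; `const struct flowi *fl` would record that the flow key is not modified during matching, and the stub parameter named `xfrm` for the xfrm_state (lines 3112 and 3173–3174) is inconsistent with the `x` used for the same type everywhere else in these hooks.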
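--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -86,10 +86,10 @@ struct flowi {
 #define FLOW_DIR_FWD	2
 
 struct sock;
-typedef void (*flow_resolve_t)(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
+typedef void (*flow_resolve_t)(struct flowi *key, u16 family, u8 dir,
 			       void **objp, atomic_t **obj_refp);
 
-extern void *flow_cache_lookup(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
+extern void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir,
 			       flow_resolve_t resolver);
 extern void flow_cache_flush(void);
 extern atomic_t flow_cache_genid;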
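Review bot: Removing `sk_sid` from flow_resolve_t and flow_cache_lookup (new lines 89 and 92) means the security label is no longer an explicit input to the flow cache lookup, so whatever now carries it — presumably a secid field in struct flowi filled in by the new xfrm_decode_session hook, which is not visible in this hunk — must be part of the cache's key comparison, otherwise a policy resolved for a flow with one label could be handed back from the cache to a flow with a different label and the xfrm_policy_lookup check would be bypassed. Nothing in these declarations states that requirement; I would add above flow_cache_lookup `/* The security label is part of the flowi key and must be compared on cache hits like the addresses and ports. */` so that resolver and cache implementers cannot overlook it. The flow cache implementation itself is outside this hunk, so I cannot confirm the comparison from here.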