diff options
author | Venkat Yekkirala <vyekkirala@TrustedCS.com> | 2006-07-25 02:29:07 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:24 -0400 |
commit | e0d1caa7b0d5f02e4f34aa09c695d04251310c6c (patch) | |
tree | bf023c17abf6813f2694ebf5fafff82edd6a1023 /security/selinux/include/xfrm.h | |
parent | b6340fcd761acf9249b3acbc95c4dc555d9beb07 (diff) |
[MLSXFRM]: Flow based matching of xfrm policy and state
This implements a seemless mechanism for xfrm policy selection and
state matching based on the flow sid. This also includes the necessary
SELinux enforcement pieces.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux/include/xfrm.h')
-rw-r--r-- | security/selinux/include/xfrm.h | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index c96498a10eb8..f51a3e84bd9b 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h | |||
@@ -2,6 +2,7 @@ | |||
2 | * SELinux support for the XFRM LSM hooks | 2 | * SELinux support for the XFRM LSM hooks |
3 | * | 3 | * |
4 | * Author : Trent Jaeger, <jaegert@us.ibm.com> | 4 | * Author : Trent Jaeger, <jaegert@us.ibm.com> |
5 | * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com> | ||
5 | */ | 6 | */ |
6 | #ifndef _SELINUX_XFRM_H_ | 7 | #ifndef _SELINUX_XFRM_H_ |
7 | #define _SELINUX_XFRM_H_ | 8 | #define _SELINUX_XFRM_H_ |
@@ -10,10 +11,16 @@ int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx * | |||
10 | int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); | 11 | int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); |
11 | void selinux_xfrm_policy_free(struct xfrm_policy *xp); | 12 | void selinux_xfrm_policy_free(struct xfrm_policy *xp); |
12 | int selinux_xfrm_policy_delete(struct xfrm_policy *xp); | 13 | int selinux_xfrm_policy_delete(struct xfrm_policy *xp); |
13 | int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); | 14 | int selinux_xfrm_state_alloc(struct xfrm_state *x, |
15 | struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *pol, u32 secid); | ||
14 | void selinux_xfrm_state_free(struct xfrm_state *x); | 16 | void selinux_xfrm_state_free(struct xfrm_state *x); |
15 | int selinux_xfrm_state_delete(struct xfrm_state *x); | 17 | int selinux_xfrm_state_delete(struct xfrm_state *x); |
16 | int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir); | 18 | int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir); |
19 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, | ||
20 | struct xfrm_policy *xp, struct flowi *fl); | ||
21 | int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm); | ||
22 | int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl); | ||
23 | |||
17 | 24 | ||
18 | /* | 25 | /* |
19 | * Extract the security blob from the sock (it's actually on the socket) | 26 | * Extract the security blob from the sock (it's actually on the socket) |
@@ -39,17 +46,21 @@ static inline u32 selinux_no_sk_sid(struct flowi *fl) | |||
39 | } | 46 | } |
40 | 47 | ||
41 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | 48 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
42 | int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb); | 49 | int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, |
43 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb); | 50 | struct avc_audit_data *ad); |
51 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, | ||
52 | struct avc_audit_data *ad); | ||
44 | u32 selinux_socket_getpeer_stream(struct sock *sk); | 53 | u32 selinux_socket_getpeer_stream(struct sock *sk); |
45 | u32 selinux_socket_getpeer_dgram(struct sk_buff *skb); | 54 | u32 selinux_socket_getpeer_dgram(struct sk_buff *skb); |
46 | #else | 55 | #else |
47 | static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb) | 56 | static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, |
57 | struct avc_audit_data *ad) | ||
48 | { | 58 | { |
49 | return 0; | 59 | return 0; |
50 | } | 60 | } |
51 | 61 | ||
52 | static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb) | 62 | static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, |
63 | struct avc_audit_data *ad) | ||
53 | { | 64 | { |
54 | return 0; | 65 | return 0; |
55 | } | 66 | } |