authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-08-05 02:12:42 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:27 -0400
commitbeb8d13bed80f8388f1a9a107d07ddd342e627e8 (patch)
tree19d5763b9b3b8ff3969997565e5ec0edd6e4bd33 /security/selinux
parent4e2ba18eae7f370c7c3ed96eaca747cc9b39f917 (diff)
[MLSXFRM]: Add flow labeling
This labels the flows that could utilize IPSec xfrms at the points the flows are defined so that IPSec policy and SAs at the right label can be used. The following protos are currently not handled, but they should continue to be able to use single-labeled IPSec as they currently do: ipmr, ip_gre, ipip, igmp, sit, sctp, ip6_tunnel (IPv6 over IPv6 tunnel device), decnet. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c8
-rw-r--r--security/selinux/include/xfrm.h14
-rw-r--r--security/selinux/xfrm.c11
3 files changed, 12 insertions, 21 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5c189da07bc9..4e5989d584ce 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3561,14 +3561,14 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3561 newssec->peer_sid = ssec->peer_sid; 3561 newssec->peer_sid = ssec->peer_sid;
3562} 3562}
3563 3563
3564static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir) 3564static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
3565{ 3565{
3566 if (!sk) 3566 if (!sk)
3567 return selinux_no_sk_sid(fl); 3567 *secid = SECINITSID_ANY_SOCKET;
3568 else { 3568 else {
3569 struct sk_security_struct *sksec = sk->sk_security; 3569 struct sk_security_struct *sksec = sk->sk_security;
3570 3570
3571 return sksec->sid; 3571 *secid = sksec->sid;
3572 } 3572 }
3573} 3573}
3574 3574
@@ -4622,7 +4622,7 @@ static struct security_operations selinux_ops = {
4622 .sk_alloc_security = selinux_sk_alloc_security, 4622 .sk_alloc_security = selinux_sk_alloc_security,
4623 .sk_free_security = selinux_sk_free_security, 4623 .sk_free_security = selinux_sk_free_security,
4624 .sk_clone_security = selinux_sk_clone_security, 4624 .sk_clone_security = selinux_sk_clone_security,
4625 .sk_getsid = selinux_sk_getsid_security, 4625 .sk_getsecid = selinux_sk_getsecid,
4626 4626
4627#ifdef CONFIG_SECURITY_NETWORK_XFRM 4627#ifdef CONFIG_SECURITY_NETWORK_XFRM
4628 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 4628 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
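Review bot: The new selinux_sk_getsecid in the first hunk labels every sock-less flow SECINITSID_ANY_SOCKET, whereas the replaced selinux_sk_getsid_security went through selinux_no_sk_sid, which returned SECINITSID_KERNEL when fl->proto == IPPROTO_ICMP before falling back to SECINITSID_ANY_SOCKET. With the flowi no longer passed to the hook, that ICMP-reply special case cannot be reproduced here, and the commit description does not say whether it is meant to disappear or is now decided by the caller of the hook; whichever it is, the `if (!sk)` branch should say so, e.g. `/* no socket (ICMP reply, forwarded packet, ...): label as any-socket */`. The dropped ICMP handling is only visible together with the xfrm.h hunk that deletes selinux_no_sk_sid, so a reader of hooks.c alone will not notice the change in labeling.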
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index f51a3e84bd9b..8e45c1d588a8 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,7 +19,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
19int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, 19int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
20 struct xfrm_policy *xp, struct flowi *fl); 20 struct xfrm_policy *xp, struct flowi *fl);
21int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm); 21int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm);
22int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl); 22int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall);
23 23
24 24
25/* 25/*
@@ -33,18 +33,6 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
33 return SOCK_INODE(sk->sk_socket)->i_security; 33 return SOCK_INODE(sk->sk_socket)->i_security;
34} 34}
35 35
36
37static inline u32 selinux_no_sk_sid(struct flowi *fl)
38{
39 /* NOTE: no sock occurs on ICMP reply, forwards, ... */
40 /* icmp_reply: authorize as kernel packet */
41 if (fl && fl->proto == IPPROTO_ICMP) {
42 return SECINITSID_KERNEL;
43 }
44
45 return SECINITSID_ANY_SOCKET;
46}
47
48#ifdef CONFIG_SECURITY_NETWORK_XFRM 36#ifdef CONFIG_SECURITY_NETWORK_XFRM
49int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, 37int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
50 struct avc_audit_data *ad); 38 struct avc_audit_data *ad);
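Review bot: In the first hunk the new prototype of selinux_xfrm_decode_session names its second parameter `fl` although it is now a `u32 *` that receives the session sid; the definition in xfrm.c calls it `sid`, so the header suggests a flowi is still passed when it is not. Suggest `int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);` so declaration and definition agree. The `ckall` flag is also introduced here without any description at the point callers see it; a one-line comment such as `/* ckall: require every labeled SA in the sec_path to carry the same sid */` would state the contract that the xfrm.c implementation enforces with its -EINVAL check.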
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index a502b0540e3d..c750ef7af66f 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -158,11 +158,11 @@ int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm)
158 * LSM hook implementation that determines the sid for the session. 158 * LSM hook implementation that determines the sid for the session.
159 */ 159 */
160 160
161int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl) 161int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
162{ 162{
163 struct sec_path *sp; 163 struct sec_path *sp;
164 164
165 fl->secid = SECSID_NULL; 165 *sid = SECSID_NULL;
166 166
167 if (skb == NULL) 167 if (skb == NULL)
168 return 0; 168 return 0;
@@ -177,10 +177,13 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
177 struct xfrm_sec_ctx *ctx = x->security; 177 struct xfrm_sec_ctx *ctx = x->security;
178 178
179 if (!sid_set) { 179 if (!sid_set) {
180 fl->secid = ctx->ctx_sid; 180 *sid = ctx->ctx_sid;
181 sid_set = 1; 181 sid_set = 1;
182
183 if (!ckall)
184 break;
182 } 185 }
183 else if (fl->secid != ctx->ctx_sid) 186 else if (*sid != ctx->ctx_sid)
184 return -EINVAL; 187 return -EINVAL;
185 } 188 }
186 } 189 }
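Review bot: The `if (!ckall) break;` added in the second hunk leaves the sec_path walk after the first labeled xfrm_state, so a caller passing ckall == 0 receives that state's sid without the `-EINVAL` check that each later state examined by the loop carries the same sid; the header comment at the top of the first hunk ("determines the sid for the session") describes neither this weaker mode nor the new out-parameter. Suggest extending that comment with `*sid receives the sid of the first labeled xfrm_state in skb's sec_path (SECSID_NULL if there is none); when ckall is nonzero every later labeled state must carry the same sid or -EINVAL is returned, otherwise the rest of the sec_path is not examined.` The loop whose body the second hunk shows starts outside the hunk, so the condition selecting which states are examined is not visible here.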