Diffstat (limited to 'include')
-rw-r--r-- | include/linux/security.h | 38 | ||||
-rw-r--r-- | include/net/route.h | 3 |
2 files changed, 28 insertions, 13 deletions
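--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -32,6 +32,7 @@
 #include <linux/sched.h>
 #include <linux/key.h>
 #include <linux/xfrm.h>
+#include <net/flow.h>
 
 struct ctl_table;
 
@@ -815,8 +816,8 @@ struct swap_info_struct;
  * Deallocate security structure.
  * @sk_clone_security:
  * Clone/copy security structure.
- * @sk_getsid:
- * Retrieve the LSM-specific sid for the sock to enable caching of network
+ * @sk_getsecid:
+ * Retrieve the LSM-specific secid for the sock to enable caching of network
  * authorizations.
  *
  * Security hooks for XFRM operations.
@@ -882,8 +883,9 @@ struct swap_info_struct;
  * Return 1 if there is a match.
  * @xfrm_decode_session:
  * @skb points to skb to decode.
- * @fl points to the flow key to set.
- * Return 0 if successful decoding.
+ * @secid points to the flow key secid to set.
+ * @ckall says if all xfrms used should be checked for same secid.
+ * Return 0 if ckall is zero or all xfrms used have the same secid.
  *
  * Security hooks affecting all Key Management operations
  *
@@ -1353,7 +1355,7 @@ struct security_operations {
 	int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
 	void (*sk_free_security) (struct sock *sk);
 	void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
-	unsigned int (*sk_getsid) (struct sock *sk, struct flowi *fl, u8 dir);
+	void (*sk_getsecid) (struct sock *sk, u32 *secid);
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1370,7 +1372,7 @@ struct security_operations {
 	int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
 			struct xfrm_policy *xp, struct flowi *fl);
 	int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm);
-	int (*xfrm_decode_session)(struct sk_buff *skb, struct flowi *fl);
+	int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
 #endif /* CONFIG_SECURITY_NETWORK_XFRM */
 
 	/* key management security hooks */
@@ -2917,9 +2919,9 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
 	return security_ops->sk_clone_security(sk, newsk);
 }
 
-static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
+static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
-	return security_ops->sk_getsid(sk, fl, dir);
+	security_ops->sk_getsecid(sk, &fl->secid);
 }
 #else /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct socket * sock,
@@ -3047,9 +3049,8 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
 {
 }
 
-static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
+static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
-	return 0;
 }
 #endif /* CONFIG_SECURITY_NETWORK */
 
@@ -3114,9 +3115,16 @@ static inline int security_xfrm_flow_state_match(struct flowi *fl, struct xfrm_s
 	return security_ops->xfrm_flow_state_match(fl, xfrm);
 }
 
-static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
+{
+	return security_ops->xfrm_decode_session(skb, secid, 1);
+}
+
+static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
 {
-	return security_ops->xfrm_decode_session(skb, fl);
+	int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
+
+	BUG_ON(rc);
 }
 #else /* CONFIG_SECURITY_NETWORK_XFRM */
 static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
@@ -3176,11 +3184,15 @@ static inline int security_xfrm_flow_state_match(struct flowi *fl,
 	return 1;
 }
 
-static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
 {
 	return 0;
 }
 
+static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
+{
+}
+
 #endif /* CONFIG_SECURITY_NETWORK_XFRM */
 
 #ifdef CONFIG_KEYS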
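Review bot: `BUG_ON(rc);` in the new security_skb_classify_flow (new-side line 3127) turns any non-zero return from the xfrm_decode_session hook into a kernel panic on whatever skb path calls it (call sites are not in this diff), so an LSM that fails to decode one unusual packet becomes a crash rather than an unlabelled flow. The updated hook documentation says the hook returns 0 whenever ckall is 0, so the assertion only enforces a contract every LSM implementing the hook must honour; `WARN_ON(rc);` keeps that diagnostic without the availability cost, provided the hook leaves fl->secid in a safe state on failure (presumably 0 — worth confirming against the SELinux implementation). Neither security_sk_classify_flow nor security_skb_classify_flow carries a comment although they are the new entry points callers use; a one-liner on each such as `/* Fill in fl->secid from the socket (or skb) so the route lookup is labelled. */` would make the contract visible. The `@xfrm_decode_session` kerneldoc now documents @secid and @ckall, but the 1 passed by security_xfrm_decode_session versus the 0 passed by security_skb_classify_flow is not explained anywhere; a short note on the two wrappers saying which one demands all xfrms agree would help.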
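--- a/include/net/route.h
+++ b/include/net/route.h
@@ -32,6 +32,7 @@
 #include <linux/route.h>
 #include <linux/ip.h>
 #include <linux/cache.h>
+#include <linux/security.h>
 
 #ifndef __KERNEL__
 #warning This file is not supposed to be used outside of kernel.
@@ -166,6 +167,7 @@ static inline int ip_route_connect(struct rtable **rp, u32 dst,
 		ip_rt_put(*rp);
 		*rp = NULL;
 	}
+	security_sk_classify_flow(sk, &fl);
 	return ip_route_output_flow(rp, &fl, sk, 0);
 }
 
@@ -182,6 +184,7 @@ static inline int ip_route_newports(struct rtable **rp, u8 protocol,
 		fl.proto = protocol;
 		ip_rt_put(*rp);
 		*rp = NULL;
+		security_sk_classify_flow(sk, &fl);
 		return ip_route_output_flow(rp, &fl, sk, 0);
 	}
 	return 0;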
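Review bot: The two added `security_sk_classify_flow(sk, &fl);` calls label the flow only on the ip_route_connect and ip_route_newports paths, and nothing on this page shows how fl.secid is initialised for other ip_route_output_flow callers, so any flow built elsewhere would be looked up with whatever secid its struct flowi happened to hold; worth confirming the remaining callers are covered by the rest of this series. Both enclosing functions start outside the hunk, so it cannot be seen here whether sk can be NULL on entry; the new hook passes it through unchecked and the LSM's sk_getsecid would dereference it. A short comment above each call, `/* label the flow with the socket's secid before the route lookup */`, would explain why it must precede ip_route_output_flow.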