Diffstat (limited to 'include')
-rw-r--r--include/linux/security.h38
-rw-r--r--include/net/route.h3
2 files changed, 28 insertions, 13 deletions
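--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -32,6 +32,7 @@
 #include <linux/sched.h>
 #include <linux/key.h>
 #include <linux/xfrm.h>
+#include <net/flow.h>
 
 struct ctl_table;
 
@@ -815,8 +816,8 @@ struct swap_info_struct;
  * Deallocate security structure.
  * @sk_clone_security:
  * Clone/copy security structure.
- * @sk_getsid:
- * Retrieve the LSM-specific sid for the sock to enable caching of network
+ * @sk_getsecid:
+ * Retrieve the LSM-specific secid for the sock to enable caching of network
  * authorizations.
  *
  * Security hooks for XFRM operations.
@@ -882,8 +883,9 @@ struct swap_info_struct;
  * Return 1 if there is a match.
  * @xfrm_decode_session:
  * @skb points to skb to decode.
- * @fl points to the flow key to set.
- * Return 0 if successful decoding.
+ * @secid points to the flow key secid to set.
+ * @ckall says if all xfrms used should be checked for same secid.
+ * Return 0 if ckall is zero or all xfrms used have the same secid.
  *
  * Security hooks affecting all Key Management operations
  *
@@ -1353,7 +1355,7 @@ struct security_operations {
  int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
  void (*sk_free_security) (struct sock *sk);
  void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
- unsigned int (*sk_getsid) (struct sock *sk, struct flowi *fl, u8 dir);
+ void (*sk_getsecid) (struct sock *sk, u32 *secid);
 #endif /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1370,7 +1372,7 @@ struct security_operations {
  int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
  struct xfrm_policy *xp, struct flowi *fl);
  int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm);
- int (*xfrm_decode_session)(struct sk_buff *skb, struct flowi *fl);
+ int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
 #endif /* CONFIG_SECURITY_NETWORK_XFRM */
 
  /* key management security hooks */
@@ -2917,9 +2919,9 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
  return security_ops->sk_clone_security(sk, newsk);
 }
 
-static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
+static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
- return security_ops->sk_getsid(sk, fl, dir);
+ security_ops->sk_getsecid(sk, &fl->secid);
 }
 #else /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct socket * sock,
@@ -3047,9 +3049,8 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
 {
 }
 
-static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
+static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
- return 0;
 }
 #endif /* CONFIG_SECURITY_NETWORK */
 
@@ -3114,9 +3115,16 @@ static inline int security_xfrm_flow_state_match(struct flowi *fl, struct xfrm_s
  return security_ops->xfrm_flow_state_match(fl, xfrm);
 }
 
-static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
+{
+ return security_ops->xfrm_decode_session(skb, secid, 1);
+}
+
+static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
 {
- return security_ops->xfrm_decode_session(skb, fl);
+ int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
+
+ BUG_ON(rc);
 }
 #else /* CONFIG_SECURITY_NETWORK_XFRM */
 static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
@@ -3176,11 +3184,15 @@ static inline int security_xfrm_flow_state_match(struct flowi *fl,
  return 1;
 }
 
-static inline int security_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
 {
  return 0;
 }
 
+static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
+{
+}
+
 #endif /* CONFIG_SECURITY_NETWORK_XFRM */
 
 #ifdef CONFIG_KEYS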
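Review bot: security_skb_classify_flow at new lines 3124-3128 turns any non-zero return from the xfrm_decode_session hook into a kernel panic via BUG_ON(rc), and the only thing that makes this safe is the hook contract documented at new line 888 (with ckall == 0 the hook must return 0); the wrapper itself says nothing about that. A comment above the BUG_ON would tell the next LSM author why the result is never propagated: `/* ckall == 0: the hook is documented to always succeed, so a non-zero rc is an LSM bug, not a runtime error */`. If that contract is ever violated, a WARN_ON(rc) that leaves fl->secid as the hook set it would keep the flow lookup going instead of halting the kernel from a header-level inline. The !CONFIG_SECURITY_NETWORK_XFRM stub at new lines 3192-3194 leaves fl->secid untouched, so callers (all outside this diff) have to initialise the flowi themselves; that expectation is worth a line in the big hook comment block, which was updated for @sk_getsecid and @xfrm_decode_session but not for the two new *_classify_flow wrappers.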
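--- a/include/net/route.h
+++ b/include/net/route.h
@@ -32,6 +32,7 @@
 #include <linux/route.h>
 #include <linux/ip.h>
 #include <linux/cache.h>
+#include <linux/security.h>
 
 #ifndef __KERNEL__
 #warning This file is not supposed to be used outside of kernel.
@@ -166,6 +167,7 @@ static inline int ip_route_connect(struct rtable **rp, u32 dst,
  ip_rt_put(*rp);
  *rp = NULL;
  }
+ security_sk_classify_flow(sk, &fl);
  return ip_route_output_flow(rp, &fl, sk, 0);
 }
 
@@ -182,6 +184,7 @@ static inline int ip_route_newports(struct rtable **rp, u8 protocol,
  fl.proto = protocol;
  ip_rt_put(*rp);
  *rp = NULL;
+ security_sk_classify_flow(sk, &fl);
  return ip_route_output_flow(rp, &fl, sk, 0);
  }
  return 0;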
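Review bot: The new security_sk_classify_flow(sk, &fl) calls at new lines 170 and 187 carry no comment explaining why they must sit immediately before ip_route_output_flow(); a one-liner such as `/* fill fl.secid from the socket before the flow lookup */` would make the ordering constraint explicit for anyone who later reorders the flowi setup. In ip_route_newports the call is placed inside a conditional branch whose condition lies outside the hunk, so the `return 0` path after it reuses the existing route without reclassifying the flow; that looks intentional since no new lookup happens there, but it is worth stating in the same comment. Both ip_route_connect and ip_route_newports begin outside the hunks shown here.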