5 files changed, 202 insertions, 6 deletions
diff --git a/include/linux/pfkeyv2.h b/include/linux/pfkeyv2.h
index 724066778aff..6351c4055ace 100644
--- a/include/linux/pfkeyv2.h
+++ b/include/linux/pfkeyv2.h
@@ -216,6 +216,16 @@ struct sadb_x_nat_t_port {
 } __attribute__((packed));
 /* sizeof(struct sadb_x_nat_t_port) == 8 */
+/* Generic LSM security context */
+struct sadb_x_sec_ctx {
+        uint16_t        sadb_x_sec_len;
+        uint16_t        sadb_x_sec_exttype;
+        uint8_t         sadb_x_ctx_alg;  /* LSMs: e.g., selinux == 1 */
+        uint8_t         sadb_x_ctx_doi;
+        uint16_t        sadb_x_ctx_len;
+} __attribute__((packed));
+/* sizeof(struct sadb_sec_ctx) = 8 */
 /* Message types */
 #define SADB_RESERVED           0
 #define SADB_GETSPI             1
@@ -325,7 +335,8 @@ struct sadb_x_nat_t_port {
 #define SADB_X_EXT_NAT_T_SPORT          21
 #define SADB_X_EXT_NAT_T_DPORT          22
 #define SADB_X_EXT_NAT_T_OA             23
-#define SADB_EXT_MAX                    23
+#define SADB_X_EXT_SEC_CTX              24
+#define SADB_EXT_MAX                    24
 /* Identity Extension values */
 #define SADB_IDENTTYPE_RESERVED 0
diff --git a/include/linux/security.h b/include/linux/security.h
index f7e0ae018712..ef753654daa5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -59,6 +59,12 @@ struct sk_buff;
 struct sock;
 struct sockaddr;
 struct socket;
+struct flowi;
+struct dst_entry;
+struct xfrm_selector;
+struct xfrm_policy;
+struct xfrm_state;
+struct xfrm_user_sec_ctx;
 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
 extern int cap_netlink_recv(struct sk_buff *skb);
@@ -788,6 +794,52 @@ struct swap_info_struct;
 *      which is used to copy security attributes between local stream sockets.
 * @sk_free_security:
 *      Deallocate security structure.
+ * @sk_getsid:
+ *      Retrieve the LSM-specific sid for the sock to enable caching of network
+ *      authorizations.
+ *
+ * Security hooks for XFRM operations.
+ *
+ * @xfrm_policy_alloc_security:
+ *      @xp contains the xfrm_policy being added to Security Policy Database
+ *      used by the XFRM system.
+ *      @sec_ctx contains the security context information being provided by
+ *      the user-level policy update program (e.g., setkey).
+ *      Allocate a security structure to the xp->selector.security field.
+ *      The security field is initialized to NULL when the xfrm_policy is
+ *      allocated.
+ *      Return 0 if operation was successful (memory to allocate, legal context)
+ * @xfrm_policy_clone_security:
+ *      @old contains an existing xfrm_policy in the SPD.
+ *      @new contains a new xfrm_policy being cloned from old.
+ *      Allocate a security structure to the new->selector.security field
+ *      that contains the information from the old->selector.security field.
+ *      Return 0 if operation was successful (memory to allocate).
+ * @xfrm_policy_free_security:
+ *      @xp contains the xfrm_policy
+ *      Deallocate xp->selector.security.
+ * @xfrm_state_alloc_security:
+ *      @x contains the xfrm_state being added to the Security Association
+ *      Database by the XFRM system.
+ *      @sec_ctx contains the security context information being provided by
+ *      the user-level SA generation program (e.g., setkey or racoon).
+ *      Allocate a security structure to the x->sel.security field.  The
+ *      security field is initialized to NULL when the xfrm_state is
+ *      allocated.
+ *      Return 0 if operation was successful (memory to allocate, legal context).
+ * @xfrm_state_free_security:
+ *      @x contains the xfrm_state.
+ *      Deallocate x>sel.security.
+ * @xfrm_policy_lookup:
+ *      @xp contains the xfrm_policy for which the access control is being
+ *      checked.
+ *      @sk_sid contains the sock security label that is used to authorize
+ *      access to the policy xp.
+ *      @dir contains the direction of the flow (input or output).
+ *      Check permission when a sock selects a xfrm_policy for processing
+ *      XFRMs on a packet.  The hook is called when selecting either a
+ *      per-socket policy or a generic xfrm policy.
+ *      Return 0 if permission is granted.
 *
 * Security hooks affecting all Key Management operations
 *
@@ -1237,8 +1289,18 @@ struct security_operations {
        int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len);
        int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
        void (*sk_free_security) (struct sock *sk);
+        unsigned int (*sk_getsid) (struct sock *sk, struct flowi *fl, u8 dir);
 #endif  /* CONFIG_SECURITY_NETWORK */
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+        int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
+        int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new);
+        void (*xfrm_policy_free_security) (struct xfrm_policy *xp);
+        int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
+        void (*xfrm_state_free_security) (struct xfrm_state *x);
+        int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
+#endif  /* CONFIG_SECURITY_NETWORK_XFRM */
        /* key management security hooks */
 #ifdef CONFIG_KEYS
        int (*key_alloc)(struct key *key);
@@ -2679,6 +2741,11 @@ static inline void security_sk_free(struct sock *sk)
 {
        return security_ops->sk_free_security(sk);
 }
+static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
+{
+        return security_ops->sk_getsid(sk, fl, dir);
+}
 #else   /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct socket * sock,
                                               struct socket * other, 
@@ -2795,8 +2862,73 @@ static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
 static inline void security_sk_free(struct sock *sk)
 {
 }
+static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir)
+{
+        return 0;
+}
 #endif  /* CONFIG_SECURITY_NETWORK */
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
+{
+        return security_ops->xfrm_policy_alloc_security(xp, sec_ctx);
+}
+static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
+{
+        return security_ops->xfrm_policy_clone_security(old, new);
+}
+static inline void security_xfrm_policy_free(struct xfrm_policy *xp)
+{
+        security_ops->xfrm_policy_free_security(xp);
+}
+static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
+{
+        return security_ops->xfrm_state_alloc_security(x, sec_ctx);
+}
+static inline void security_xfrm_state_free(struct xfrm_state *x)
+{
+        security_ops->xfrm_state_free_security(x);
+}
+static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
+{
+        return security_ops->xfrm_policy_lookup(xp, sk_sid, dir);
+}
+#else   /* CONFIG_SECURITY_NETWORK_XFRM */
+static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
+{
+        return 0;
+}
+static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
+{
+        return 0;
+}
+static inline void security_xfrm_policy_free(struct xfrm_policy *xp)
+{
+}
+static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
+{
+        return 0;
+}
+static inline void security_xfrm_state_free(struct xfrm_state *x)
+{
+}
+static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
+{
+        return 0;
+}
+#endif  /* CONFIG_SECURITY_NETWORK_XFRM */
 #ifdef CONFIG_KEYS
 #ifdef CONFIG_SECURITY
 static inline int security_key_alloc(struct key *key)
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index 0fb077d68441..82fbb758e28f 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -27,6 +27,22 @@ struct xfrm_id
        __u8            proto;
 };
+struct xfrm_sec_ctx {
+        __u8    ctx_doi;
+        __u8    ctx_alg;
+        __u16   ctx_len;
+        __u32   ctx_sid;
+        char    ctx_str[0];
+};
+/* Security Context Domains of Interpretation */
+#define XFRM_SC_DOI_RESERVED 0
+#define XFRM_SC_DOI_LSM 1
+/* Security Context Algorithms */
+#define XFRM_SC_ALG_RESERVED 0
+#define XFRM_SC_ALG_SELINUX 1
 /* Selector, used as selector both on policy rules (SPD) and SAs. */
 struct xfrm_selector
@@ -146,6 +162,18 @@ enum {
 #define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
+/*
+ * Generic LSM security context for comunicating to user space
+ * NOTE: Same format as sadb_x_sec_ctx
+ */
+struct xfrm_user_sec_ctx {
+        __u16                   len;
+        __u16                   exttype;
+        __u8                    ctx_alg;  /* LSMs: e.g., selinux == 1 */
+        __u8                    ctx_doi;
+        __u16                   ctx_len;
+};
 struct xfrm_user_tmpl {
        struct xfrm_id          id;
        __u16                   family;
@@ -176,6 +204,7 @@ enum xfrm_attr_type_t {
        XFRMA_TMPL,             /* 1 or more struct xfrm_user_tmpl */
        XFRMA_SA,
        XFRMA_POLICY,
+        XFRMA_SEC_CTX,          /* struct xfrm_sec_ctx */
        __XFRMA_MAX
 #define XFRMA_MAX (__XFRMA_MAX - 1)
diff --git a/include/net/flow.h b/include/net/flow.h
index 9a5c94b1a0ec..ec7eb86eb203 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -84,11 +84,12 @@ struct flowi {
 #define FLOW_DIR_OUT    1
 #define FLOW_DIR_FWD    2
-typedef void (*flow_resolve_t)(struct flowi *key, u16 family, u8 dir,
+struct sock;
+typedef void (*flow_resolve_t)(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
                               void **objp, atomic_t **obj_refp);
-extern void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir,
+extern void *flow_cache_lookup(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
-                               flow_resolve_t resolver);
+                               flow_resolve_t resolver);
 extern void flow_cache_flush(void);
 extern atomic_t flow_cache_genid;
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 1cdb87912137..487abca3ca6f 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -144,6 +144,9 @@ struct xfrm_state
         * transformer. */
        struct xfrm_type        *type;
+        /* Security context */
+        struct xfrm_sec_ctx     *security;
        /* Private data of this transformer, format is opaque,
         * interpreted by xfrm_type methods. */
        void                    *data;
@@ -298,6 +301,7 @@ struct xfrm_policy
        __u8                    flags;
        __u8                    dead;
        __u8                    xfrm_nr;
+        struct xfrm_sec_ctx     *security;
        struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
 };
@@ -510,6 +514,25 @@ xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
        return 0;
 }
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+/*      If neither has a context --> match
+ *      Otherwise, both must have a context and the sids, doi, alg must match
+ */
+static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
+{
+        return ((!s1 && !s2) ||
+                (s1 && s2 &&
+                 (s1->ctx_sid == s2->ctx_sid) &&
+                 (s1->ctx_doi == s2->ctx_doi) &&
+                 (s1->ctx_alg == s2->ctx_alg)));
+}
+#else
+static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
+{
+        return 1;
+}
+#endif
 /* A struct encoding bundle of transformations to apply to some set of flow.
 *
 * dst->child points to the next element of bundle.
@@ -878,8 +901,8 @@ static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsig
 struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
 extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *);
 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
-struct xfrm_policy *xfrm_policy_bysel(int dir, struct xfrm_selector *sel,
+struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel,
-                                      int delete);
+                                          struct xfrm_sec_ctx *ctx, int delete);
 struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
 void xfrm_policy_flush(void);
 u32 xfrm_get_acqseq(void);

diff --git a/include/linux/pfkeyv2.h b/include/linux/pfkeyv2.h index 724066778aff..6351c4055ace 100644 --- a/include/linux/pfkeyv2.h +++ b/include/linux/pfkeyv2.h
@@ -216,6 +216,16 @@ struct sadb_x_nat_t_port {
216	} __attribute__((packed));	216	} __attribute__((packed));
217	/* sizeof(struct sadb_x_nat_t_port) == 8 */	217	/* sizeof(struct sadb_x_nat_t_port) == 8 */
218		218
		219	/* Generic LSM security context */
		220	struct sadb_x_sec_ctx {
		221	uint16_t sadb_x_sec_len;
		222	uint16_t sadb_x_sec_exttype;
		223	uint8_t sadb_x_ctx_alg; /* LSMs: e.g., selinux == 1 */
		224	uint8_t sadb_x_ctx_doi;
		225	uint16_t sadb_x_ctx_len;
		226	} __attribute__((packed));
		227	/* sizeof(struct sadb_sec_ctx) = 8 */
		228
219	/* Message types */	229	/* Message types */
220	#define SADB_RESERVED 0	230	#define SADB_RESERVED 0
221	#define SADB_GETSPI 1	231	#define SADB_GETSPI 1
@@ -325,7 +335,8 @@ struct sadb_x_nat_t_port {
325	#define SADB_X_EXT_NAT_T_SPORT 21	335	#define SADB_X_EXT_NAT_T_SPORT 21
326	#define SADB_X_EXT_NAT_T_DPORT 22	336	#define SADB_X_EXT_NAT_T_DPORT 22
327	#define SADB_X_EXT_NAT_T_OA 23	337	#define SADB_X_EXT_NAT_T_OA 23
328	#define SADB_EXT_MAX 23	338	#define SADB_X_EXT_SEC_CTX 24
		339	#define SADB_EXT_MAX 24
329		340
330	/* Identity Extension values */	341	/* Identity Extension values */
331	#define SADB_IDENTTYPE_RESERVED 0	342	#define SADB_IDENTTYPE_RESERVED 0


diff --git a/include/linux/security.h b/include/linux/security.h index f7e0ae018712..ef753654daa5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -59,6 +59,12 @@ struct sk_buff;
59	struct sock;	59	struct sock;
60	struct sockaddr;	60	struct sockaddr;
61	struct socket;	61	struct socket;
		62	struct flowi;
		63	struct dst_entry;
		64	struct xfrm_selector;
		65	struct xfrm_policy;
		66	struct xfrm_state;
		67	struct xfrm_user_sec_ctx;
62		68
63	extern int cap_netlink_send(struct sock sk, struct sk_buff skb);	69	extern int cap_netlink_send(struct sock sk, struct sk_buff skb);
64	extern int cap_netlink_recv(struct sk_buff *skb);	70	extern int cap_netlink_recv(struct sk_buff *skb);
@@ -788,6 +794,52 @@ struct swap_info_struct;
788	* which is used to copy security attributes between local stream sockets.	794	* which is used to copy security attributes between local stream sockets.
789	* @sk_free_security:	795	* @sk_free_security:
790	* Deallocate security structure.	796	* Deallocate security structure.
		797	* @sk_getsid:
		798	* Retrieve the LSM-specific sid for the sock to enable caching of network
		799	* authorizations.
		800	*
		801	* Security hooks for XFRM operations.
		802	*
		803	* @xfrm_policy_alloc_security:
		804	* @xp contains the xfrm_policy being added to Security Policy Database
		805	* used by the XFRM system.
		806	* @sec_ctx contains the security context information being provided by
		807	* the user-level policy update program (e.g., setkey).
		808	* Allocate a security structure to the xp->selector.security field.
		809	* The security field is initialized to NULL when the xfrm_policy is
		810	* allocated.
		811	* Return 0 if operation was successful (memory to allocate, legal context)
		812	* @xfrm_policy_clone_security:
		813	* @old contains an existing xfrm_policy in the SPD.
		814	* @new contains a new xfrm_policy being cloned from old.
		815	* Allocate a security structure to the new->selector.security field
		816	* that contains the information from the old->selector.security field.
		817	* Return 0 if operation was successful (memory to allocate).
		818	* @xfrm_policy_free_security:
		819	* @xp contains the xfrm_policy
		820	* Deallocate xp->selector.security.
		821	* @xfrm_state_alloc_security:
		822	* @x contains the xfrm_state being added to the Security Association
		823	* Database by the XFRM system.
		824	* @sec_ctx contains the security context information being provided by
		825	* the user-level SA generation program (e.g., setkey or racoon).
		826	* Allocate a security structure to the x->sel.security field. The
		827	* security field is initialized to NULL when the xfrm_state is
		828	* allocated.
		829	* Return 0 if operation was successful (memory to allocate, legal context).
		830	* @xfrm_state_free_security:
		831	* @x contains the xfrm_state.
		832	* Deallocate x>sel.security.
		833	* @xfrm_policy_lookup:
		834	* @xp contains the xfrm_policy for which the access control is being
		835	* checked.
		836	* @sk_sid contains the sock security label that is used to authorize
		837	* access to the policy xp.
		838	* @dir contains the direction of the flow (input or output).
		839	* Check permission when a sock selects a xfrm_policy for processing
		840	* XFRMs on a packet. The hook is called when selecting either a
		841	* per-socket policy or a generic xfrm policy.
		842	* Return 0 if permission is granted.
791	*	843	*
792	* Security hooks affecting all Key Management operations	844	* Security hooks affecting all Key Management operations
793	*	845	*
@@ -1237,8 +1289,18 @@ struct security_operations {
1237	int (socket_getpeersec) (struct socket sock, char __user optval, int __user optlen, unsigned len);	1289	int (socket_getpeersec) (struct socket sock, char __user optval, int __user optlen, unsigned len);
1238	int (sk_alloc_security) (struct sock sk, int family, gfp_t priority);	1290	int (sk_alloc_security) (struct sock sk, int family, gfp_t priority);
1239	void (sk_free_security) (struct sock sk);	1291	void (sk_free_security) (struct sock sk);
		1292	unsigned int (sk_getsid) (struct sock sk, struct flowi *fl, u8 dir);
1240	#endif /* CONFIG_SECURITY_NETWORK */	1293	#endif /* CONFIG_SECURITY_NETWORK */
1241		1294
		1295	#ifdef CONFIG_SECURITY_NETWORK_XFRM
		1296	int (xfrm_policy_alloc_security) (struct xfrm_policy xp, struct xfrm_user_sec_ctx *sec_ctx);
		1297	int (xfrm_policy_clone_security) (struct xfrm_policy old, struct xfrm_policy *new);
		1298	void (xfrm_policy_free_security) (struct xfrm_policy xp);
		1299	int (xfrm_state_alloc_security) (struct xfrm_state x, struct xfrm_user_sec_ctx *sec_ctx);
		1300	void (xfrm_state_free_security) (struct xfrm_state x);
		1301	int (xfrm_policy_lookup)(struct xfrm_policy xp, u32 sk_sid, u8 dir);
		1302	#endif /* CONFIG_SECURITY_NETWORK_XFRM */
		1303
1242	/* key management security hooks */	1304	/* key management security hooks */
1243	#ifdef CONFIG_KEYS	1305	#ifdef CONFIG_KEYS
1244	int (key_alloc)(struct key key);	1306	int (key_alloc)(struct key key);
@@ -2679,6 +2741,11 @@ static inline void security_sk_free(struct sock *sk)
2679	{	2741	{
2680	return security_ops->sk_free_security(sk);	2742	return security_ops->sk_free_security(sk);
2681	}	2743	}
		2744
		2745	static inline unsigned int security_sk_sid(struct sock sk, struct flowi fl, u8 dir)
		2746	{
		2747	return security_ops->sk_getsid(sk, fl, dir);
		2748	}
2682	#else /* CONFIG_SECURITY_NETWORK */	2749	#else /* CONFIG_SECURITY_NETWORK */
2683	static inline int security_unix_stream_connect(struct socket * sock,	2750	static inline int security_unix_stream_connect(struct socket * sock,
2684	struct socket * other,	2751	struct socket * other,
@@ -2795,8 +2862,73 @@ static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
2795	static inline void security_sk_free(struct sock *sk)	2862	static inline void security_sk_free(struct sock *sk)
2796	{	2863	{
2797	}	2864	}
		2865
		2866	static inline unsigned int security_sk_sid(struct sock sk, struct flowi fl, u8 dir)
		2867	{
		2868	return 0;
		2869	}
2798	#endif /* CONFIG_SECURITY_NETWORK */	2870	#endif /* CONFIG_SECURITY_NETWORK */
2799		2871
		2872	#ifdef CONFIG_SECURITY_NETWORK_XFRM
		2873	static inline int security_xfrm_policy_alloc(struct xfrm_policy xp, struct xfrm_user_sec_ctx sec_ctx)
		2874	{
		2875	return security_ops->xfrm_policy_alloc_security(xp, sec_ctx);
		2876	}
		2877
		2878	static inline int security_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new)
		2879	{
		2880	return security_ops->xfrm_policy_clone_security(old, new);
		2881	}
		2882
		2883	static inline void security_xfrm_policy_free(struct xfrm_policy *xp)
		2884	{
		2885	security_ops->xfrm_policy_free_security(xp);
		2886	}
		2887
		2888	static inline int security_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx sec_ctx)
		2889	{
		2890	return security_ops->xfrm_state_alloc_security(x, sec_ctx);
		2891	}
		2892
		2893	static inline void security_xfrm_state_free(struct xfrm_state *x)
		2894	{
		2895	security_ops->xfrm_state_free_security(x);
		2896	}
		2897
		2898	static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
		2899	{
		2900	return security_ops->xfrm_policy_lookup(xp, sk_sid, dir);
		2901	}
		2902	#else /* CONFIG_SECURITY_NETWORK_XFRM */
		2903	static inline int security_xfrm_policy_alloc(struct xfrm_policy xp, struct xfrm_user_sec_ctx sec_ctx)
		2904	{
		2905	return 0;
		2906	}
		2907
		2908	static inline int security_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new)
		2909	{
		2910	return 0;
		2911	}
		2912
		2913	static inline void security_xfrm_policy_free(struct xfrm_policy *xp)
		2914	{
		2915	}
		2916
		2917	static inline int security_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx sec_ctx)
		2918	{
		2919	return 0;
		2920	}
		2921
		2922	static inline void security_xfrm_state_free(struct xfrm_state *x)
		2923	{
		2924	}
		2925
		2926	static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
		2927	{
		2928	return 0;
		2929	}
		2930	#endif /* CONFIG_SECURITY_NETWORK_XFRM */
		2931
2800	#ifdef CONFIG_KEYS	2932	#ifdef CONFIG_KEYS
2801	#ifdef CONFIG_SECURITY	2933	#ifdef CONFIG_SECURITY
2802	static inline int security_key_alloc(struct key *key)	2934	static inline int security_key_alloc(struct key *key)


diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h index 0fb077d68441..82fbb758e28f 100644 --- a/include/linux/xfrm.h +++ b/include/linux/xfrm.h
@@ -27,6 +27,22 @@ struct xfrm_id
27	__u8 proto;	27	__u8 proto;
28	};	28	};
29		29
		30	struct xfrm_sec_ctx {
		31	__u8 ctx_doi;
		32	__u8 ctx_alg;
		33	__u16 ctx_len;
		34	__u32 ctx_sid;
		35	char ctx_str[0];
		36	};
		37
		38	/* Security Context Domains of Interpretation */
		39	#define XFRM_SC_DOI_RESERVED 0
		40	#define XFRM_SC_DOI_LSM 1
		41
		42	/* Security Context Algorithms */
		43	#define XFRM_SC_ALG_RESERVED 0
		44	#define XFRM_SC_ALG_SELINUX 1
		45
30	/* Selector, used as selector both on policy rules (SPD) and SAs. */	46	/* Selector, used as selector both on policy rules (SPD) and SAs. */
31		47
32	struct xfrm_selector	48	struct xfrm_selector
@@ -146,6 +162,18 @@ enum {
146		162
147	#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)	163	#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
148		164
		165	/*
		166	* Generic LSM security context for comunicating to user space
		167	* NOTE: Same format as sadb_x_sec_ctx
		168	*/
		169	struct xfrm_user_sec_ctx {
		170	__u16 len;
		171	__u16 exttype;
		172	__u8 ctx_alg; /* LSMs: e.g., selinux == 1 */
		173	__u8 ctx_doi;
		174	__u16 ctx_len;
		175	};
		176
149	struct xfrm_user_tmpl {	177	struct xfrm_user_tmpl {
150	struct xfrm_id id;	178	struct xfrm_id id;
151	__u16 family;	179	__u16 family;
@@ -176,6 +204,7 @@ enum xfrm_attr_type_t {
176	XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */	204	XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
177	XFRMA_SA,	205	XFRMA_SA,
178	XFRMA_POLICY,	206	XFRMA_POLICY,
		207	XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */
179	__XFRMA_MAX	208	__XFRMA_MAX
180		209
181	#define XFRMA_MAX (__XFRMA_MAX - 1)	210	#define XFRMA_MAX (__XFRMA_MAX - 1)


diff --git a/include/net/flow.h b/include/net/flow.h index 9a5c94b1a0ec..ec7eb86eb203 100644 --- a/include/net/flow.h +++ b/include/net/flow.h
@@ -84,11 +84,12 @@ struct flowi {
84	#define FLOW_DIR_OUT 1	84	#define FLOW_DIR_OUT 1
85	#define FLOW_DIR_FWD 2	85	#define FLOW_DIR_FWD 2
86		86
87	typedef void (flow_resolve_t)(struct flowi key, u16 family, u8 dir,	87	struct sock;
		88	typedef void (flow_resolve_t)(struct flowi key, u32 sk_sid, u16 family, u8 dir,
88	void objp, atomic_t obj_refp);	89	void objp, atomic_t obj_refp);
89		90
90	extern void flow_cache_lookup(struct flowi key, u16 family, u8 dir,	91	extern void flow_cache_lookup(struct flowi key, u32 sk_sid, u16 family, u8 dir,
91	flow_resolve_t resolver);	92	flow_resolve_t resolver);
92	extern void flow_cache_flush(void);	93	extern void flow_cache_flush(void);
93	extern atomic_t flow_cache_genid;	94	extern atomic_t flow_cache_genid;
94		95


diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 1cdb87912137..487abca3ca6f 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h
@@ -144,6 +144,9 @@ struct xfrm_state
144	* transformer. */	144	* transformer. */
145	struct xfrm_type *type;	145	struct xfrm_type *type;
146		146
		147	/* Security context */
		148	struct xfrm_sec_ctx *security;
		149
147	/* Private data of this transformer, format is opaque,	150	/* Private data of this transformer, format is opaque,
148	* interpreted by xfrm_type methods. */	151	* interpreted by xfrm_type methods. */
149	void *data;	152	void *data;
@@ -298,6 +301,7 @@ struct xfrm_policy
298	__u8 flags;	301	__u8 flags;
299	__u8 dead;	302	__u8 dead;
300	__u8 xfrm_nr;	303	__u8 xfrm_nr;
		304	struct xfrm_sec_ctx *security;
301	struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];	305	struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
302	};	306	};
303		307
@@ -510,6 +514,25 @@ xfrm_selector_match(struct xfrm_selector sel, struct flowi fl,
510	return 0;	514	return 0;
511	}	515	}
512		516
		517	#ifdef CONFIG_SECURITY_NETWORK_XFRM
		518	/* If neither has a context --> match
		519	* Otherwise, both must have a context and the sids, doi, alg must match
		520	*/
		521	static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx s1, struct xfrm_sec_ctx s2)
		522	{
		523	return ((!s1 && !s2) \|\|
		524	(s1 && s2 &&
		525	(s1->ctx_sid == s2->ctx_sid) &&
		526	(s1->ctx_doi == s2->ctx_doi) &&
		527	(s1->ctx_alg == s2->ctx_alg)));
		528	}
		529	#else
		530	static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx s1, struct xfrm_sec_ctx s2)
		531	{
		532	return 1;
		533	}
		534	#endif
		535
513	/* A struct encoding bundle of transformations to apply to some set of flow.	536	/* A struct encoding bundle of transformations to apply to some set of flow.
514	*	537	*
515	* dst->child points to the next element of bundle.	538	* dst->child points to the next element of bundle.
@@ -878,8 +901,8 @@ static inline int xfrm_dst_lookup(struct xfrm_dst *dst, struct flowi fl, unsig
878	struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);	901	struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
879	extern int xfrm_policy_walk(int (func)(struct xfrm_policy , int, int, void), void );	902	extern int xfrm_policy_walk(int (func)(struct xfrm_policy , int, int, void), void );
880	int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);	903	int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
881	struct xfrm_policy xfrm_policy_bysel(int dir, struct xfrm_selector sel,	904	struct xfrm_policy xfrm_policy_bysel_ctx(int dir, struct xfrm_selector sel,
882	int delete);	905	struct xfrm_sec_ctx *ctx, int delete);
883	struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);	906	struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
884	void xfrm_policy_flush(void);	907	void xfrm_policy_flush(void);
885	u32 xfrm_get_acqseq(void);	908	u32 xfrm_get_acqseq(void);