1 files changed, 311 insertions, 0 deletions
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
new file mode 100644
index 000000000000..c4d87d4dca7b
--- /dev/null
+++ b/security/selinux/xfrm.c
@@ -0,0 +1,311 @@
+/*
+ *  NSA Security-Enhanced Linux (SELinux) security module
+ *
+ *  This file contains the SELinux XFRM hook function implementations.
+ *
+ *  Authors:  Serge Hallyn <sergeh@us.ibm.com>
+ *            Trent Jaeger <jaegert@us.ibm.com>
+ *
+ *  Copyright (C) 2005 International Business Machines Corporation
+ *
+ *      This program is free software; you can redistribute it and/or modify
+ *      it under the terms of the GNU General Public License version 2,
+ *      as published by the Free Software Foundation.
+ */
+/*
+ * USAGE:
+ * NOTES:
+ *   1. Make sure to enable the following options in your kernel config:
+ *      CONFIG_SECURITY=y
+ *      CONFIG_SECURITY_NETWORK=y
+ *      CONFIG_SECURITY_NETWORK_XFRM=y
+ *      CONFIG_SECURITY_SELINUX=m/y
+ * ISSUES:
+ *   1. Caching packets, so they are not dropped during negotiation
+ *   2. Emulating a reasonable SO_PEERSEC across machines
+ *   3. Testing addition of sk_policy's with security context via setsockopt
+ */
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/security.h>
+#include <linux/types.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/skbuff.h>
+#include <linux/xfrm.h>
+#include <net/xfrm.h>
+#include <net/checksum.h>
+#include <net/udp.h>
+#include <asm/semaphore.h>
+#include "avc.h"
+#include "objsec.h"
+#include "xfrm.h"
+/*
+ * Returns true if an LSM/SELinux context
+ */
+static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
+{
+        return (ctx &&
+                (ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
+                (ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
+}
+/*
+ * Returns true if the xfrm contains a security blob for SELinux
+ */
+static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
+{
+        return selinux_authorizable_ctx(x->security);
+}
+/*
+ * LSM hook implementation that authorizes that a socket can be used
+ * with the corresponding xfrm_sec_ctx and direction.
+ */
+int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
+{
+        int rc = 0;
+        u32 sel_sid = SECINITSID_UNLABELED;
+        struct xfrm_sec_ctx *ctx;
+        /* Context sid is either set to label or ANY_ASSOC */
+        if ((ctx = xp->security)) {
+                if (!selinux_authorizable_ctx(ctx))
+                        return -EINVAL;
+                sel_sid = ctx->ctx_sid;
+        }
+        rc = avc_has_perm(sk_sid, sel_sid, SECCLASS_ASSOCIATION,
+                          ((dir == FLOW_DIR_IN) ? ASSOCIATION__RECVFROM :
+                           ((dir == FLOW_DIR_OUT) ?  ASSOCIATION__SENDTO :
+                            (ASSOCIATION__SENDTO | ASSOCIATION__RECVFROM))),
+                          NULL);
+        return rc;
+}
+/*
+ * Security blob allocation for xfrm_policy and xfrm_state
+ * CTX does not have a meaningful value on input
+ */
+static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *uctx)
+{
+        int rc = 0;
+        struct task_security_struct *tsec = current->security;
+        struct xfrm_sec_ctx *ctx;
+        BUG_ON(!uctx);
+        BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX);
+        if (uctx->ctx_len >= PAGE_SIZE)
+                return -ENOMEM;
+        *ctxp = ctx = kmalloc(sizeof(*ctx) +
+                              uctx->ctx_len,
+                              GFP_KERNEL);
+        if (!ctx)
+                return -ENOMEM;
+        ctx->ctx_doi = uctx->ctx_doi;
+        ctx->ctx_len = uctx->ctx_len;
+        ctx->ctx_alg = uctx->ctx_alg;
+        memcpy(ctx->ctx_str,
+               uctx+1,
+               ctx->ctx_len);
+        rc = security_context_to_sid(ctx->ctx_str,
+                                     ctx->ctx_len,
+                                     &ctx->ctx_sid);
+        if (rc)
+                goto out;
+        /*
+         * Does the subject have permission to set security or permission to
+         * do the relabel?
+         * Must be permitted to relabel from default socket type (process type)
+         * to specified context
+         */
+        rc = avc_has_perm(tsec->sid, tsec->sid,
+                          SECCLASS_ASSOCIATION,
+                          ASSOCIATION__RELABELFROM, NULL);
+        if (rc)
+                goto out;
+        rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
+                          SECCLASS_ASSOCIATION,
+                          ASSOCIATION__RELABELTO, NULL);
+        if (rc)
+                goto out;
+        return rc;
+out:
+        *ctxp = 0;
+        kfree(ctx);
+        return rc;
+}
+/*
+ * LSM hook implementation that allocs and transfers uctx spec to
+ * xfrm_policy.
+ */
+int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *uctx)
+{
+        int err;
+        BUG_ON(!xp);
+        err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx);
+        return err;
+}
+/*
+ * LSM hook implementation that copies security data structure from old to
+ * new for policy cloning.
+ */
+int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
+{
+        struct xfrm_sec_ctx *old_ctx, *new_ctx;
+        old_ctx = old->security;
+        if (old_ctx) {
+                new_ctx = new->security = kmalloc(sizeof(*new_ctx) +
+                                                  old_ctx->ctx_len,
+                                                  GFP_KERNEL);
+                if (!new_ctx)
+                        return -ENOMEM;
+                memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
+                memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
+        }
+        return 0;
+}
+/*
+ * LSM hook implementation that frees xfrm_policy security information.
+ */
+void selinux_xfrm_policy_free(struct xfrm_policy *xp)
+{
+        struct xfrm_sec_ctx *ctx = xp->security;
+        if (ctx)
+                kfree(ctx);
+}
+/*
+ * LSM hook implementation that allocs and transfers sec_ctx spec to
+ * xfrm_state.
+ */
+int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx)
+{
+        int err;
+        BUG_ON(!x);
+        err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx);
+        return err;
+}
+/*
+ * LSM hook implementation that frees xfrm_state security information.
+ */
+void selinux_xfrm_state_free(struct xfrm_state *x)
+{
+        struct xfrm_sec_ctx *ctx = x->security;
+        if (ctx)
+                kfree(ctx);
+}
+/*
+ * LSM hook that controls access to unlabelled packets.  If
+ * a xfrm_state is authorizable (defined by macro) then it was
+ * already authorized by the IPSec process.  If not, then
+ * we need to check for unlabelled access since this may not have
+ * gone thru the IPSec process.
+ */
+int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
+{
+        int i, rc = 0;
+        struct sec_path *sp;
+        sp = skb->sp;
+        if (sp) {
+                /*
+                 * __xfrm_policy_check does not approve unless xfrm_policy_ok
+                 * says that spi's match for policy and the socket.
+                 *
+                 *  Only need to verify the existence of an authorizable sp.
+                 */
+                for (i = 0; i < sp->len; i++) {
+                        struct xfrm_state *x = sp->x[i].xvec;
+                        if (x && selinux_authorizable_xfrm(x))
+                                goto accept;
+                }
+        }
+        /* check SELinux sock for unlabelled access */
+        rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
+                          ASSOCIATION__RECVFROM, NULL);
+        if (rc)
+                goto drop;
+accept:
+        return 0;
+drop:
+        return rc;
+}
+/*
+ * POSTROUTE_LAST hook's XFRM processing:
+ * If we have no security association, then we need to determine
+ * whether the socket is allowed to send to an unlabelled destination.
+ * If we do have a authorizable security association, then it has already been
+ * checked in xfrm_policy_lookup hook.
+ */
+int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
+{
+        struct dst_entry *dst;
+        int rc = 0;
+        dst = skb->dst;
+        if (dst) {
+                struct dst_entry *dst_test;
+                for (dst_test = dst; dst_test != 0;
+                     dst_test = dst_test->child) {
+                        struct xfrm_state *x = dst_test->xfrm;
+                        if (x && selinux_authorizable_xfrm(x))
+                                goto accept;
+                }
+        }
+        rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
+                          ASSOCIATION__SENDTO, NULL);
+        if (rc)
+                goto drop;
+accept:
+        return NF_ACCEPT;
+drop:
+        return NF_DROP;
+}

diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c new file mode 100644 index 000000000000..c4d87d4dca7b --- /dev/null +++ b/security/selinux/xfrm.c
@@ -0,0 +1,311 @@
	1	/*
	2	* NSA Security-Enhanced Linux (SELinux) security module
	3	*
	4	* This file contains the SELinux XFRM hook function implementations.
	5	*
	6	* Authors: Serge Hallyn <sergeh@us.ibm.com>
	7	* Trent Jaeger <jaegert@us.ibm.com>
	8	*
	9	* Copyright (C) 2005 International Business Machines Corporation
	10	*
	11	* This program is free software; you can redistribute it and/or modify
	12	* it under the terms of the GNU General Public License version 2,
	13	* as published by the Free Software Foundation.
	14	*/
	15
	16	/*
	17	* USAGE:
	18	* NOTES:
	19	* 1. Make sure to enable the following options in your kernel config:
	20	* CONFIG_SECURITY=y
	21	* CONFIG_SECURITY_NETWORK=y
	22	* CONFIG_SECURITY_NETWORK_XFRM=y
	23	* CONFIG_SECURITY_SELINUX=m/y
	24	* ISSUES:
	25	* 1. Caching packets, so they are not dropped during negotiation
	26	* 2. Emulating a reasonable SO_PEERSEC across machines
	27	* 3. Testing addition of sk_policy's with security context via setsockopt
	28	*/
	29	#include <linux/config.h>
	30	#include <linux/module.h>
	31	#include <linux/kernel.h>
	32	#include <linux/init.h>
	33	#include <linux/security.h>
	34	#include <linux/types.h>
	35	#include <linux/netfilter.h>
	36	#include <linux/netfilter_ipv4.h>
	37	#include <linux/netfilter_ipv6.h>
	38	#include <linux/ip.h>
	39	#include <linux/tcp.h>
	40	#include <linux/skbuff.h>
	41	#include <linux/xfrm.h>
	42	#include <net/xfrm.h>
	43	#include <net/checksum.h>
	44	#include <net/udp.h>
	45	#include <asm/semaphore.h>
	46
	47	#include "avc.h"
	48	#include "objsec.h"
	49	#include "xfrm.h"
	50
	51
	52	/*
	53	* Returns true if an LSM/SELinux context
	54	*/
	55	static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
	56	{
	57	return (ctx &&
	58	(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
	59	(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
	60	}
	61
	62	/*
	63	* Returns true if the xfrm contains a security blob for SELinux
	64	*/
	65	static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
	66	{
	67	return selinux_authorizable_ctx(x->security);
	68	}
	69
	70	/*
	71	* LSM hook implementation that authorizes that a socket can be used
	72	* with the corresponding xfrm_sec_ctx and direction.
	73	*/
	74	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
	75	{
	76	int rc = 0;
	77	u32 sel_sid = SECINITSID_UNLABELED;
	78	struct xfrm_sec_ctx *ctx;
	79
	80	/* Context sid is either set to label or ANY_ASSOC */
	81	if ((ctx = xp->security)) {
	82	if (!selinux_authorizable_ctx(ctx))
	83	return -EINVAL;
	84
	85	sel_sid = ctx->ctx_sid;
	86	}
	87
	88	rc = avc_has_perm(sk_sid, sel_sid, SECCLASS_ASSOCIATION,
	89	((dir == FLOW_DIR_IN) ? ASSOCIATION__RECVFROM :
	90	((dir == FLOW_DIR_OUT) ? ASSOCIATION__SENDTO :
	91	(ASSOCIATION__SENDTO \| ASSOCIATION__RECVFROM))),
	92	NULL);
	93
	94	return rc;
	95	}
	96
	97	/*
	98	* Security blob allocation for xfrm_policy and xfrm_state
	99	* CTX does not have a meaningful value on input
	100	*/
	101	static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx *ctxp, struct xfrm_user_sec_ctx uctx)
	102	{
	103	int rc = 0;
	104	struct task_security_struct *tsec = current->security;
	105	struct xfrm_sec_ctx *ctx;
	106
	107	BUG_ON(!uctx);
	108	BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX);
	109
	110	if (uctx->ctx_len >= PAGE_SIZE)
	111	return -ENOMEM;
	112
	113	ctxp = ctx = kmalloc(sizeof(ctx) +
	114	uctx->ctx_len,
	115	GFP_KERNEL);
	116
	117	if (!ctx)
	118	return -ENOMEM;
	119
	120	ctx->ctx_doi = uctx->ctx_doi;
	121	ctx->ctx_len = uctx->ctx_len;
	122	ctx->ctx_alg = uctx->ctx_alg;
	123
	124	memcpy(ctx->ctx_str,
	125	uctx+1,
	126	ctx->ctx_len);
	127	rc = security_context_to_sid(ctx->ctx_str,
	128	ctx->ctx_len,
	129	&ctx->ctx_sid);
	130
	131	if (rc)
	132	goto out;
	133
	134	/*
	135	* Does the subject have permission to set security or permission to
	136	* do the relabel?
	137	* Must be permitted to relabel from default socket type (process type)
	138	* to specified context
	139	*/
	140	rc = avc_has_perm(tsec->sid, tsec->sid,
	141	SECCLASS_ASSOCIATION,
	142	ASSOCIATION__RELABELFROM, NULL);
	143	if (rc)
	144	goto out;
	145
	146	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
	147	SECCLASS_ASSOCIATION,
	148	ASSOCIATION__RELABELTO, NULL);
	149	if (rc)
	150	goto out;
	151
	152	return rc;
	153
	154	out:
	155	*ctxp = 0;
	156	kfree(ctx);
	157	return rc;
	158	}
	159
	160	/*
	161	* LSM hook implementation that allocs and transfers uctx spec to
	162	* xfrm_policy.
	163	*/
	164	int selinux_xfrm_policy_alloc(struct xfrm_policy xp, struct xfrm_user_sec_ctx uctx)
	165	{
	166	int err;
	167
	168	BUG_ON(!xp);
	169
	170	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx);
	171	return err;
	172	}
	173
	174
	175	/*
	176	* LSM hook implementation that copies security data structure from old to
	177	* new for policy cloning.
	178	*/
	179	int selinux_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new)
	180	{
	181	struct xfrm_sec_ctx old_ctx, new_ctx;
	182
	183	old_ctx = old->security;
	184
	185	if (old_ctx) {
	186	new_ctx = new->security = kmalloc(sizeof(*new_ctx) +
	187	old_ctx->ctx_len,
	188	GFP_KERNEL);
	189
	190	if (!new_ctx)
	191	return -ENOMEM;
	192
	193	memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
	194	memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
	195	}
	196	return 0;
	197	}
	198
	199	/*
	200	* LSM hook implementation that frees xfrm_policy security information.
	201	*/
	202	void selinux_xfrm_policy_free(struct xfrm_policy *xp)
	203	{
	204	struct xfrm_sec_ctx *ctx = xp->security;
	205	if (ctx)
	206	kfree(ctx);
	207	}
	208
	209	/*
	210	* LSM hook implementation that allocs and transfers sec_ctx spec to
	211	* xfrm_state.
	212	*/
	213	int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx uctx)
	214	{
	215	int err;
	216
	217	BUG_ON(!x);
	218
	219	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx);
	220	return err;
	221	}
	222
	223	/*
	224	* LSM hook implementation that frees xfrm_state security information.
	225	*/
	226	void selinux_xfrm_state_free(struct xfrm_state *x)
	227	{
	228	struct xfrm_sec_ctx *ctx = x->security;
	229	if (ctx)
	230	kfree(ctx);
	231	}
	232
	233	/*
	234	* LSM hook that controls access to unlabelled packets. If
	235	* a xfrm_state is authorizable (defined by macro) then it was
	236	* already authorized by the IPSec process. If not, then
	237	* we need to check for unlabelled access since this may not have
	238	* gone thru the IPSec process.
	239	*/
	240	int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
	241	{
	242	int i, rc = 0;
	243	struct sec_path *sp;
	244
	245	sp = skb->sp;
	246
	247	if (sp) {
	248	/*
	249	* __xfrm_policy_check does not approve unless xfrm_policy_ok
	250	* says that spi's match for policy and the socket.
	251	*
	252	* Only need to verify the existence of an authorizable sp.
	253	*/
	254	for (i = 0; i < sp->len; i++) {
	255	struct xfrm_state *x = sp->x[i].xvec;
	256
	257	if (x && selinux_authorizable_xfrm(x))
	258	goto accept;
	259	}
	260	}
	261
	262	/* check SELinux sock for unlabelled access */
	263	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
	264	ASSOCIATION__RECVFROM, NULL);
	265	if (rc)
	266	goto drop;
	267
	268	accept:
	269	return 0;
	270
	271	drop:
	272	return rc;
	273	}
	274
	275	/*
	276	* POSTROUTE_LAST hook's XFRM processing:
	277	* If we have no security association, then we need to determine
	278	* whether the socket is allowed to send to an unlabelled destination.
	279	* If we do have a authorizable security association, then it has already been
	280	* checked in xfrm_policy_lookup hook.
	281	*/
	282	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
	283	{
	284	struct dst_entry *dst;
	285	int rc = 0;
	286
	287	dst = skb->dst;
	288
	289	if (dst) {
	290	struct dst_entry *dst_test;
	291
	292	for (dst_test = dst; dst_test != 0;
	293	dst_test = dst_test->child) {
	294	struct xfrm_state *x = dst_test->xfrm;
	295
	296	if (x && selinux_authorizable_xfrm(x))
	297	goto accept;
	298	}
	299	}
	300
	301	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
	302	ASSOCIATION__SENDTO, NULL);
	303	if (rc)
	304	goto drop;
	305
	306	accept:
	307	return NF_ACCEPT;
	308
	309	drop:
	310	return NF_DROP;
	311	}