1 files changed, 305 insertions, 0 deletions
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
new file mode 100644
index 000000000000..b2af7ca496c1
--- /dev/null
+++ b/security/selinux/xfrm.c
@@ -0,0 +1,305 @@
+/*
+ *  NSA Security-Enhanced Linux (SELinux) security module
+ *
+ *  This file contains the SELinux XFRM hook function implementations.
+ *
+ *  Authors:  Serge Hallyn <sergeh@us.ibm.com>
+ *            Trent Jaeger <jaegert@us.ibm.com>
+ *
+ *  Copyright (C) 2005 International Business Machines Corporation
+ *
+ *      This program is free software; you can redistribute it and/or modify
+ *      it under the terms of the GNU General Public License version 2,
+ *      as published by the Free Software Foundation.
+ */
+/*
+ * USAGE:
+ * NOTES:
+ *   1. Make sure to enable the following options in your kernel config:
+ *      CONFIG_SECURITY=y
+ *      CONFIG_SECURITY_NETWORK=y
+ *      CONFIG_SECURITY_NETWORK_XFRM=y
+ *      CONFIG_SECURITY_SELINUX=m/y
+ * ISSUES:
+ *   1. Caching packets, so they are not dropped during negotiation
+ *   2. Emulating a reasonable SO_PEERSEC across machines
+ *   3. Testing addition of sk_policy's with security context via setsockopt
+ */
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/security.h>
+#include <linux/types.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/skbuff.h>
+#include <linux/xfrm.h>
+#include <net/xfrm.h>
+#include <net/checksum.h>
+#include <net/udp.h>
+#include <asm/semaphore.h>
+#include "avc.h"
+#include "objsec.h"
+#include "xfrm.h"
+/*
+ * Returns true if an LSM/SELinux context
+ */
+static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
+{
+        return (ctx &&
+                (ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
+                (ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
+}
+/*
+ * Returns true if the xfrm contains a security blob for SELinux
+ */
+static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
+{
+        return selinux_authorizable_ctx(x->security);
+}
+/*
+ * LSM hook implementation that authorizes that a socket can be used
+ * with the corresponding xfrm_sec_ctx and direction.
+ */
+int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
+{
+        int rc = 0;
+        u32 sel_sid = SECINITSID_UNLABELED;
+        struct xfrm_sec_ctx *ctx;
+        /* Context sid is either set to label or ANY_ASSOC */
+        if ((ctx = xp->security)) {
+                if (!selinux_authorizable_ctx(ctx))
+                        return -EINVAL;
+                sel_sid = ctx->ctx_sid;
+        }
+        rc = avc_has_perm(sk_sid, sel_sid, SECCLASS_ASSOCIATION,
+                          ((dir == FLOW_DIR_IN) ? ASSOCIATION__RECVFROM :
+                           ((dir == FLOW_DIR_OUT) ?  ASSOCIATION__SENDTO :
+                            (ASSOCIATION__SENDTO | ASSOCIATION__RECVFROM))),
+                          NULL);
+        return rc;
+}
+/*
+ * Security blob allocation for xfrm_policy and xfrm_state
+ * CTX does not have a meaningful value on input
+ */
+static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *uctx)
+{
+        int rc = 0;
+        struct task_security_struct *tsec = current->security;
+        struct xfrm_sec_ctx *ctx;
+        BUG_ON(!uctx);
+        BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX);
+        if (uctx->ctx_len >= PAGE_SIZE)
+                return -ENOMEM;
+        *ctxp = ctx = kmalloc(sizeof(*ctx) +
+                              uctx->ctx_len,
+                              GFP_KERNEL);
+        if (!ctx)
+                return -ENOMEM;
+        ctx->ctx_doi = uctx->ctx_doi;
+        ctx->ctx_len = uctx->ctx_len;
+        ctx->ctx_alg = uctx->ctx_alg;
+        memcpy(ctx->ctx_str,
+               uctx+1,
+               ctx->ctx_len);
+        rc = security_context_to_sid(ctx->ctx_str,
+                                     ctx->ctx_len,
+                                     &ctx->ctx_sid);
+        if (rc)
+                goto out;
+        /*
+         * Does the subject have permission to set security or permission to
+         * do the relabel?
+         * Must be permitted to relabel from default socket type (process type)
+         * to specified context
+         */
+        rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
+                          SECCLASS_ASSOCIATION,
+                          ASSOCIATION__SETCONTEXT, NULL);
+        if (rc)
+                goto out;
+        return rc;
+out:
+        *ctxp = NULL;
+        kfree(ctx);
+        return rc;
+}
+/*
+ * LSM hook implementation that allocs and transfers uctx spec to
+ * xfrm_policy.
+ */
+int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *uctx)
+{
+        int err;
+        BUG_ON(!xp);
+        err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx);
+        return err;
+}
+/*
+ * LSM hook implementation that copies security data structure from old to
+ * new for policy cloning.
+ */
+int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
+{
+        struct xfrm_sec_ctx *old_ctx, *new_ctx;
+        old_ctx = old->security;
+        if (old_ctx) {
+                new_ctx = new->security = kmalloc(sizeof(*new_ctx) +
+                                                  old_ctx->ctx_len,
+                                                  GFP_KERNEL);
+                if (!new_ctx)
+                        return -ENOMEM;
+                memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
+                memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
+        }
+        return 0;
+}
+/*
+ * LSM hook implementation that frees xfrm_policy security information.
+ */
+void selinux_xfrm_policy_free(struct xfrm_policy *xp)
+{
+        struct xfrm_sec_ctx *ctx = xp->security;
+        if (ctx)
+                kfree(ctx);
+}
+/*
+ * LSM hook implementation that allocs and transfers sec_ctx spec to
+ * xfrm_state.
+ */
+int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx)
+{
+        int err;
+        BUG_ON(!x);
+        err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx);
+        return err;
+}
+/*
+ * LSM hook implementation that frees xfrm_state security information.
+ */
+void selinux_xfrm_state_free(struct xfrm_state *x)
+{
+        struct xfrm_sec_ctx *ctx = x->security;
+        if (ctx)
+                kfree(ctx);
+}
+/*
+ * LSM hook that controls access to unlabelled packets.  If
+ * a xfrm_state is authorizable (defined by macro) then it was
+ * already authorized by the IPSec process.  If not, then
+ * we need to check for unlabelled access since this may not have
+ * gone thru the IPSec process.
+ */
+int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
+{
+        int i, rc = 0;
+        struct sec_path *sp;
+        sp = skb->sp;
+        if (sp) {
+                /*
+                 * __xfrm_policy_check does not approve unless xfrm_policy_ok
+                 * says that spi's match for policy and the socket.
+                 *
+                 *  Only need to verify the existence of an authorizable sp.
+                 */
+                for (i = 0; i < sp->len; i++) {
+                        struct xfrm_state *x = sp->x[i].xvec;
+                        if (x && selinux_authorizable_xfrm(x))
+                                goto accept;
+                }
+        }
+        /* check SELinux sock for unlabelled access */
+        rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
+                          ASSOCIATION__RECVFROM, NULL);
+        if (rc)
+                goto drop;
+accept:
+        return 0;
+drop:
+        return rc;
+}
+/*
+ * POSTROUTE_LAST hook's XFRM processing:
+ * If we have no security association, then we need to determine
+ * whether the socket is allowed to send to an unlabelled destination.
+ * If we do have a authorizable security association, then it has already been
+ * checked in xfrm_policy_lookup hook.
+ */
+int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
+{
+        struct dst_entry *dst;
+        int rc = 0;
+        dst = skb->dst;
+        if (dst) {
+                struct dst_entry *dst_test;
+                for (dst_test = dst; dst_test != 0;
+                     dst_test = dst_test->child) {
+                        struct xfrm_state *x = dst_test->xfrm;
+                        if (x && selinux_authorizable_xfrm(x))
+                                goto accept;
+                }
+        }
+        rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
+                          ASSOCIATION__SENDTO, NULL);
+        if (rc)
+                goto drop;
+accept:
+        return NF_ACCEPT;
+drop:
+        return NF_DROP;
+}

diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c new file mode 100644 index 000000000000..b2af7ca496c1 --- /dev/null +++ b/security/selinux/xfrm.c
@@ -0,0 +1,305 @@
	1	/*
	2	* NSA Security-Enhanced Linux (SELinux) security module
	3	*
	4	* This file contains the SELinux XFRM hook function implementations.
	5	*
	6	* Authors: Serge Hallyn <sergeh@us.ibm.com>
	7	* Trent Jaeger <jaegert@us.ibm.com>
	8	*
	9	* Copyright (C) 2005 International Business Machines Corporation
	10	*
	11	* This program is free software; you can redistribute it and/or modify
	12	* it under the terms of the GNU General Public License version 2,
	13	* as published by the Free Software Foundation.
	14	*/
	15
	16	/*
	17	* USAGE:
	18	* NOTES:
	19	* 1. Make sure to enable the following options in your kernel config:
	20	* CONFIG_SECURITY=y
	21	* CONFIG_SECURITY_NETWORK=y
	22	* CONFIG_SECURITY_NETWORK_XFRM=y
	23	* CONFIG_SECURITY_SELINUX=m/y
	24	* ISSUES:
	25	* 1. Caching packets, so they are not dropped during negotiation
	26	* 2. Emulating a reasonable SO_PEERSEC across machines
	27	* 3. Testing addition of sk_policy's with security context via setsockopt
	28	*/
	29	#include <linux/config.h>
	30	#include <linux/module.h>
	31	#include <linux/kernel.h>
	32	#include <linux/init.h>
	33	#include <linux/security.h>
	34	#include <linux/types.h>
	35	#include <linux/netfilter.h>
	36	#include <linux/netfilter_ipv4.h>
	37	#include <linux/netfilter_ipv6.h>
	38	#include <linux/ip.h>
	39	#include <linux/tcp.h>
	40	#include <linux/skbuff.h>
	41	#include <linux/xfrm.h>
	42	#include <net/xfrm.h>
	43	#include <net/checksum.h>
	44	#include <net/udp.h>
	45	#include <asm/semaphore.h>
	46
	47	#include "avc.h"
	48	#include "objsec.h"
	49	#include "xfrm.h"
	50
	51
	52	/*
	53	* Returns true if an LSM/SELinux context
	54	*/
	55	static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
	56	{
	57	return (ctx &&
	58	(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
	59	(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
	60	}
	61
	62	/*
	63	* Returns true if the xfrm contains a security blob for SELinux
	64	*/
	65	static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
	66	{
	67	return selinux_authorizable_ctx(x->security);
	68	}
	69
	70	/*
	71	* LSM hook implementation that authorizes that a socket can be used
	72	* with the corresponding xfrm_sec_ctx and direction.
	73	*/
	74	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
	75	{
	76	int rc = 0;
	77	u32 sel_sid = SECINITSID_UNLABELED;
	78	struct xfrm_sec_ctx *ctx;
	79
	80	/* Context sid is either set to label or ANY_ASSOC */
	81	if ((ctx = xp->security)) {
	82	if (!selinux_authorizable_ctx(ctx))
	83	return -EINVAL;
	84
	85	sel_sid = ctx->ctx_sid;
	86	}
	87
	88	rc = avc_has_perm(sk_sid, sel_sid, SECCLASS_ASSOCIATION,
	89	((dir == FLOW_DIR_IN) ? ASSOCIATION__RECVFROM :
	90	((dir == FLOW_DIR_OUT) ? ASSOCIATION__SENDTO :
	91	(ASSOCIATION__SENDTO \| ASSOCIATION__RECVFROM))),
	92	NULL);
	93
	94	return rc;
	95	}
	96
	97	/*
	98	* Security blob allocation for xfrm_policy and xfrm_state
	99	* CTX does not have a meaningful value on input
	100	*/
	101	static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx *ctxp, struct xfrm_user_sec_ctx uctx)
	102	{
	103	int rc = 0;
	104	struct task_security_struct *tsec = current->security;
	105	struct xfrm_sec_ctx *ctx;
	106
	107	BUG_ON(!uctx);
	108	BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX);
	109
	110	if (uctx->ctx_len >= PAGE_SIZE)
	111	return -ENOMEM;
	112
	113	ctxp = ctx = kmalloc(sizeof(ctx) +
	114	uctx->ctx_len,
	115	GFP_KERNEL);
	116
	117	if (!ctx)
	118	return -ENOMEM;
	119
	120	ctx->ctx_doi = uctx->ctx_doi;
	121	ctx->ctx_len = uctx->ctx_len;
	122	ctx->ctx_alg = uctx->ctx_alg;
	123
	124	memcpy(ctx->ctx_str,
	125	uctx+1,
	126	ctx->ctx_len);
	127	rc = security_context_to_sid(ctx->ctx_str,
	128	ctx->ctx_len,
	129	&ctx->ctx_sid);
	130
	131	if (rc)
	132	goto out;
	133
	134	/*
	135	* Does the subject have permission to set security or permission to
	136	* do the relabel?
	137	* Must be permitted to relabel from default socket type (process type)
	138	* to specified context
	139	*/
	140	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
	141	SECCLASS_ASSOCIATION,
	142	ASSOCIATION__SETCONTEXT, NULL);
	143	if (rc)
	144	goto out;
	145
	146	return rc;
	147
	148	out:
	149	*ctxp = NULL;
	150	kfree(ctx);
	151	return rc;
	152	}
	153
	154	/*
	155	* LSM hook implementation that allocs and transfers uctx spec to
	156	* xfrm_policy.
	157	*/
	158	int selinux_xfrm_policy_alloc(struct xfrm_policy xp, struct xfrm_user_sec_ctx uctx)
	159	{
	160	int err;
	161
	162	BUG_ON(!xp);
	163
	164	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx);
	165	return err;
	166	}
	167
	168
	169	/*
	170	* LSM hook implementation that copies security data structure from old to
	171	* new for policy cloning.
	172	*/
	173	int selinux_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new)
	174	{
	175	struct xfrm_sec_ctx old_ctx, new_ctx;
	176
	177	old_ctx = old->security;
	178
	179	if (old_ctx) {
	180	new_ctx = new->security = kmalloc(sizeof(*new_ctx) +
	181	old_ctx->ctx_len,
	182	GFP_KERNEL);
	183
	184	if (!new_ctx)
	185	return -ENOMEM;
	186
	187	memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
	188	memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
	189	}
	190	return 0;
	191	}
	192
	193	/*
	194	* LSM hook implementation that frees xfrm_policy security information.
	195	*/
	196	void selinux_xfrm_policy_free(struct xfrm_policy *xp)
	197	{
	198	struct xfrm_sec_ctx *ctx = xp->security;
	199	if (ctx)
	200	kfree(ctx);
	201	}
	202
	203	/*
	204	* LSM hook implementation that allocs and transfers sec_ctx spec to
	205	* xfrm_state.
	206	*/
	207	int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx uctx)
	208	{
	209	int err;
	210
	211	BUG_ON(!x);
	212
	213	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx);
	214	return err;
	215	}
	216
	217	/*
	218	* LSM hook implementation that frees xfrm_state security information.
	219	*/
	220	void selinux_xfrm_state_free(struct xfrm_state *x)
	221	{
	222	struct xfrm_sec_ctx *ctx = x->security;
	223	if (ctx)
	224	kfree(ctx);
	225	}
	226
	227	/*
	228	* LSM hook that controls access to unlabelled packets. If
	229	* a xfrm_state is authorizable (defined by macro) then it was
	230	* already authorized by the IPSec process. If not, then
	231	* we need to check for unlabelled access since this may not have
	232	* gone thru the IPSec process.
	233	*/
	234	int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
	235	{
	236	int i, rc = 0;
	237	struct sec_path *sp;
	238
	239	sp = skb->sp;
	240
	241	if (sp) {
	242	/*
	243	* __xfrm_policy_check does not approve unless xfrm_policy_ok
	244	* says that spi's match for policy and the socket.
	245	*
	246	* Only need to verify the existence of an authorizable sp.
	247	*/
	248	for (i = 0; i < sp->len; i++) {
	249	struct xfrm_state *x = sp->x[i].xvec;
	250
	251	if (x && selinux_authorizable_xfrm(x))
	252	goto accept;
	253	}
	254	}
	255
	256	/* check SELinux sock for unlabelled access */
	257	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
	258	ASSOCIATION__RECVFROM, NULL);
	259	if (rc)
	260	goto drop;
	261
	262	accept:
	263	return 0;
	264
	265	drop:
	266	return rc;
	267	}
	268
	269	/*
	270	* POSTROUTE_LAST hook's XFRM processing:
	271	* If we have no security association, then we need to determine
	272	* whether the socket is allowed to send to an unlabelled destination.
	273	* If we do have a authorizable security association, then it has already been
	274	* checked in xfrm_policy_lookup hook.
	275	*/
	276	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
	277	{
	278	struct dst_entry *dst;
	279	int rc = 0;
	280
	281	dst = skb->dst;
	282
	283	if (dst) {
	284	struct dst_entry *dst_test;
	285
	286	for (dst_test = dst; dst_test != 0;
	287	dst_test = dst_test->child) {
	288	struct xfrm_state *x = dst_test->xfrm;
	289
	290	if (x && selinux_authorizable_xfrm(x))
	291	goto accept;
	292	}
	293	}
	294
	295	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
	296	ASSOCIATION__SENDTO, NULL);
	297	if (rc)
	298	goto drop;
	299
	300	accept:
	301	return NF_ACCEPT;
	302
	303	drop:
	304	return NF_DROP;
	305	}