4 files changed, 210 insertions, 42 deletions
diff --git a/security/dummy.c b/security/dummy.c
index bd3bc5faa9a8..c1f10654871e 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -835,7 +835,8 @@ static int dummy_xfrm_policy_delete_security(struct xfrm_policy *xp)
        return 0;
 }
-static int dummy_xfrm_state_alloc_security(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
+static int dummy_xfrm_state_alloc_security(struct xfrm_state *x,
+        struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *pol, u32 secid)
 {
        return 0;
 }
@@ -853,6 +854,23 @@ static int dummy_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
 {
        return 0;
 }
+static int dummy_xfrm_state_pol_flow_match(struct xfrm_state *x,
+                                struct xfrm_policy *xp, struct flowi *fl)
+{
+        return 1;
+}
+static int dummy_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm)
+{
+        return 1;
+}
+static int dummy_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+{
+        return 0;
+}
 #endif /* CONFIG_SECURITY_NETWORK_XFRM */
 static int dummy_register_security (const char *name, struct security_operations *ops)
 {
@@ -1076,6 +1094,9 @@ void security_fixup_ops (struct security_operations *ops)
        set_to_dummy_if_null(ops, xfrm_state_free_security);
        set_to_dummy_if_null(ops, xfrm_state_delete_security);
        set_to_dummy_if_null(ops, xfrm_policy_lookup);
+        set_to_dummy_if_null(ops, xfrm_state_pol_flow_match);
+        set_to_dummy_if_null(ops, xfrm_flow_state_match);
+        set_to_dummy_if_null(ops, xfrm_decode_session);
 #endif  /* CONFIG_SECURITY_NETWORK_XFRM */
 #ifdef CONFIG_KEYS
        set_to_dummy_if_null(ops, key_alloc);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d67abf77584a..5c189da07bc9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3468,7 +3468,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
        if (err)
                goto out;
-        err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
+        err = selinux_xfrm_sock_rcv_skb(sock_sid, skb, &ad);
 out:    
        return err;
 }
@@ -3720,7 +3720,7 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
        if (err)
                goto out;
-        err = selinux_xfrm_postroute_last(isec->sid, skb);
+        err = selinux_xfrm_postroute_last(isec->sid, skb, &ad);
 out:
        return err ? NF_DROP : NF_ACCEPT;
 }
@@ -4633,6 +4633,9 @@ static struct security_operations selinux_ops = {
        .xfrm_state_free_security =     selinux_xfrm_state_free,
        .xfrm_state_delete_security =   selinux_xfrm_state_delete,
        .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
+        .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
+        .xfrm_flow_state_match =        selinux_xfrm_flow_state_match,
+        .xfrm_decode_session =          selinux_xfrm_decode_session,
 #endif
 #ifdef CONFIG_KEYS
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index c96498a10eb8..f51a3e84bd9b 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -2,6 +2,7 @@
 * SELinux support for the XFRM LSM hooks
 *
 * Author : Trent Jaeger, <jaegert@us.ibm.com>
+ * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
 */
 #ifndef _SELINUX_XFRM_H_
 #define _SELINUX_XFRM_H_
@@ -10,10 +11,16 @@ int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *
 int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
 void selinux_xfrm_policy_free(struct xfrm_policy *xp);
 int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
-int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
+int selinux_xfrm_state_alloc(struct xfrm_state *x,
+        struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *pol, u32 secid);
 void selinux_xfrm_state_free(struct xfrm_state *x);
 int selinux_xfrm_state_delete(struct xfrm_state *x);
-int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
+int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
+int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
+                        struct xfrm_policy *xp, struct flowi *fl);
+int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm);
+int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl);
 /*
 * Extract the security blob from the sock (it's actually on the socket)
@@ -39,17 +46,21 @@ static inline u32 selinux_no_sk_sid(struct flowi *fl)
 }
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
-int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb);
+int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
-int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb);
+                        struct avc_audit_data *ad);
+int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
+                        struct avc_audit_data *ad);
 u32 selinux_socket_getpeer_stream(struct sock *sk);
 u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
 #else
-static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
+static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
+                        struct avc_audit_data *ad)
 {
        return 0;
 }
-static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
+static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
+                        struct avc_audit_data *ad)
 {
        return 0;
 }
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 6c985ced8102..a502b0540e3d 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -6,7 +6,12 @@
 *  Authors:  Serge Hallyn <sergeh@us.ibm.com>
 *            Trent Jaeger <jaegert@us.ibm.com>
 *
+ *  Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
+ *
+ *           Granular IPSec Associations for use in MLS environments.
+ *
 *  Copyright (C) 2005 International Business Machines Corporation
+ *  Copyright (C) 2006 Trusted Computer Solutions, Inc.
 *
 *      This program is free software; you can redistribute it and/or modify
 *      it under the terms of the GNU General Public License version 2,
@@ -67,10 +72,10 @@ static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
 }
 /*
- * LSM hook implementation that authorizes that a socket can be used
+ * LSM hook implementation that authorizes that a flow can use
- * with the corresponding xfrm_sec_ctx and direction.
+ * a xfrm policy rule.
 */
-int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
+int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
 {
        int rc = 0;
        u32 sel_sid = SECINITSID_UNLABELED;
@@ -84,27 +89,129 @@ int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
                sel_sid = ctx->ctx_sid;
        }
-        rc = avc_has_perm(sk_sid, sel_sid, SECCLASS_ASSOCIATION,
+        rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
-                          ((dir == FLOW_DIR_IN) ? ASSOCIATION__RECVFROM :
+                          ASSOCIATION__POLMATCH,
-                           ((dir == FLOW_DIR_OUT) ?  ASSOCIATION__SENDTO :
-                            (ASSOCIATION__SENDTO | ASSOCIATION__RECVFROM))),
                          NULL);
        return rc;
 }
 /*
+ * LSM hook implementation that authorizes that a state matches
+ * the given policy, flow combo.
+ */
+int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
+                        struct flowi *fl)
+{
+        u32 state_sid;
+        u32 pol_sid;
+        int err;
+        if (x->security)
+                state_sid = x->security->ctx_sid;
+        else
+                state_sid = SECINITSID_UNLABELED;
+        if (xp->security)
+                pol_sid = xp->security->ctx_sid;
+        else
+                pol_sid = SECINITSID_UNLABELED;
+        err = avc_has_perm(state_sid, pol_sid, SECCLASS_ASSOCIATION,
+                          ASSOCIATION__POLMATCH,
+                          NULL);
+        if (err)
+                return 0;
+        return selinux_xfrm_flow_state_match(fl, x);
+}
+/*
+ * LSM hook implementation that authorizes that a particular outgoing flow
+ * can use a given security association.
+ */
+int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm)
+{
+        int rc = 0;
+        u32 sel_sid = SECINITSID_UNLABELED;
+        struct xfrm_sec_ctx *ctx;
+        /* Context sid is either set to label or ANY_ASSOC */
+        if ((ctx = xfrm->security)) {
+                if (!selinux_authorizable_ctx(ctx))
+                        return 0;
+                sel_sid = ctx->ctx_sid;
+        }
+        rc = avc_has_perm(fl->secid, sel_sid, SECCLASS_ASSOCIATION,
+                          ASSOCIATION__SENDTO,
+                          NULL)? 0:1;
+        return rc;
+}
+/*
+ * LSM hook implementation that determines the sid for the session.
+ */
+int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl)
+{
+        struct sec_path *sp;
+        fl->secid = SECSID_NULL;
+        if (skb == NULL)
+                return 0;
+        sp = skb->sp;
+        if (sp) {
+                int i, sid_set = 0;
+                for (i = sp->len-1; i >= 0; i--) {
+                        struct xfrm_state *x = sp->xvec[i];
+                        if (selinux_authorizable_xfrm(x)) {
+                                struct xfrm_sec_ctx *ctx = x->security;
+                                if (!sid_set) {
+                                        fl->secid = ctx->ctx_sid;
+                                        sid_set = 1;
+                                }
+                                else if (fl->secid != ctx->ctx_sid)
+                                        return -EINVAL;
+                        }
+                }
+        }
+        return 0;
+}
+/*
 * Security blob allocation for xfrm_policy and xfrm_state
 * CTX does not have a meaningful value on input
 */
-static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *uctx)
+static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
+        struct xfrm_user_sec_ctx *uctx, struct xfrm_sec_ctx *pol, u32 sid)
 {
        int rc = 0;
        struct task_security_struct *tsec = current->security;
-        struct xfrm_sec_ctx *ctx;
+        struct xfrm_sec_ctx *ctx = NULL;
+        char *ctx_str = NULL;
+        u32 str_len;
+        u32 ctx_sid;
+        BUG_ON(uctx && pol);
+        if (pol)
+                goto from_policy;
        BUG_ON(!uctx);
-        BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX);
+        if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
+                return -EINVAL;
        if (uctx->ctx_len >= PAGE_SIZE)
                return -ENOMEM;
@@ -141,9 +248,41 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us
        return rc;
+from_policy:
+        BUG_ON(!pol);
+        rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid);
+        if (rc)
+                goto out;
+        rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len);
+        if (rc)
+                goto out;
+        *ctxp = ctx = kmalloc(sizeof(*ctx) +
+                              str_len,
+                              GFP_ATOMIC);
+        if (!ctx) {
+                rc = -ENOMEM;
+                goto out;
+        }
+        ctx->ctx_doi = XFRM_SC_DOI_LSM;
+        ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
+        ctx->ctx_sid = ctx_sid;
+        ctx->ctx_len = str_len;
+        memcpy(ctx->ctx_str,
+               ctx_str,
+               str_len);
+        goto out2;
 out:
        *ctxp = NULL;
        kfree(ctx);
+out2:
+        kfree(ctx_str);
        return rc;
 }
@@ -157,7 +296,7 @@ int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *
        BUG_ON(!xp);
-        err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx);
+        err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, 0);
        return err;
 }
@@ -217,13 +356,14 @@ int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
 * LSM hook implementation that allocs and transfers sec_ctx spec to
 * xfrm_state.
 */
-int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx)
+int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx,
+                struct xfrm_sec_ctx *pol, u32 secid)
 {
        int err;
        BUG_ON(!x);
-        err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx);
+        err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, pol, secid);
        return err;
 }
@@ -329,38 +469,30 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
 * we need to check for unlabelled access since this may not have
 * gone thru the IPSec process.
 */
-int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
+int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
+                                struct avc_audit_data *ad)
 {
        int i, rc = 0;
        struct sec_path *sp;
+        u32 sel_sid = SECINITSID_UNLABELED;
        sp = skb->sp;
        if (sp) {
-                /*
-                 * __xfrm_policy_check does not approve unless xfrm_policy_ok
-                 * says that spi's match for policy and the socket.
-                 *
-                 *  Only need to verify the existence of an authorizable sp.
-                 */
                for (i = 0; i < sp->len; i++) {
                        struct xfrm_state *x = sp->xvec[i];
-                        if (x && selinux_authorizable_xfrm(x))
+                        if (x && selinux_authorizable_xfrm(x)) {
-                                goto accept;
+                                struct xfrm_sec_ctx *ctx = x->security;
+                                sel_sid = ctx->ctx_sid;
+                                break;
+                        }
                }
        }
-        /* check SELinux sock for unlabelled access */
+        rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
-        rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
+                          ASSOCIATION__RECVFROM, ad);
-                          ASSOCIATION__RECVFROM, NULL);
-        if (rc)
-                goto drop;
-accept:
-        return 0;
-drop:
        return rc;
 }
@@ -371,7 +503,8 @@ drop:
 * If we do have a authorizable security association, then it has already been
 * checked in xfrm_policy_lookup hook.
 */
-int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
+int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
+                                        struct avc_audit_data *ad)
 {
        struct dst_entry *dst;
        int rc = 0;
@@ -391,7 +524,7 @@ int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
        }
        rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
-                          ASSOCIATION__SENDTO, NULL);
+                          ASSOCIATION__SENDTO, ad);
 out:
        return rc;
 }

diff --git a/security/dummy.c b/security/dummy.c index bd3bc5faa9a8..c1f10654871e 100644 --- a/security/dummy.c +++ b/security/dummy.c
@@ -835,7 +835,8 @@ static int dummy_xfrm_policy_delete_security(struct xfrm_policy *xp)
835	return 0;	835	return 0;
836	}	836	}
837		837
838	static int dummy_xfrm_state_alloc_security(struct xfrm_state x, struct xfrm_user_sec_ctx sec_ctx)	838	static int dummy_xfrm_state_alloc_security(struct xfrm_state *x,
		839	struct xfrm_user_sec_ctx sec_ctx, struct xfrm_sec_ctx pol, u32 secid)
839	{	840	{
840	return 0;	841	return 0;
841	}	842	}
@@ -853,6 +854,23 @@ static int dummy_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
853	{	854	{
854	return 0;	855	return 0;
855	}	856	}
		857
		858	static int dummy_xfrm_state_pol_flow_match(struct xfrm_state *x,
		859	struct xfrm_policy xp, struct flowi fl)
		860	{
		861	return 1;
		862	}
		863
		864	static int dummy_xfrm_flow_state_match(struct flowi fl, struct xfrm_state xfrm)
		865	{
		866	return 1;
		867	}
		868
		869	static int dummy_xfrm_decode_session(struct sk_buff skb, struct flowi fl)
		870	{
		871	return 0;
		872	}
		873
856	#endif /* CONFIG_SECURITY_NETWORK_XFRM */	874	#endif /* CONFIG_SECURITY_NETWORK_XFRM */
857	static int dummy_register_security (const char name, struct security_operations ops)	875	static int dummy_register_security (const char name, struct security_operations ops)
858	{	876	{
@@ -1076,6 +1094,9 @@ void security_fixup_ops (struct security_operations *ops)
1076	set_to_dummy_if_null(ops, xfrm_state_free_security);	1094	set_to_dummy_if_null(ops, xfrm_state_free_security);
1077	set_to_dummy_if_null(ops, xfrm_state_delete_security);	1095	set_to_dummy_if_null(ops, xfrm_state_delete_security);
1078	set_to_dummy_if_null(ops, xfrm_policy_lookup);	1096	set_to_dummy_if_null(ops, xfrm_policy_lookup);
		1097	set_to_dummy_if_null(ops, xfrm_state_pol_flow_match);
		1098	set_to_dummy_if_null(ops, xfrm_flow_state_match);
		1099	set_to_dummy_if_null(ops, xfrm_decode_session);
1079	#endif /* CONFIG_SECURITY_NETWORK_XFRM */	1100	#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1080	#ifdef CONFIG_KEYS	1101	#ifdef CONFIG_KEYS
1081	set_to_dummy_if_null(ops, key_alloc);	1102	set_to_dummy_if_null(ops, key_alloc);


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d67abf77584a..5c189da07bc9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3468,7 +3468,7 @@ static int selinux_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
3468	if (err)	3468	if (err)
3469	goto out;	3469	goto out;
3470		3470
3471	err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);	3471	err = selinux_xfrm_sock_rcv_skb(sock_sid, skb, &ad);
3472	out:	3472	out:
3473	return err;	3473	return err;
3474	}	3474	}
@@ -3720,7 +3720,7 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3720	if (err)	3720	if (err)
3721	goto out;	3721	goto out;
3722		3722
3723	err = selinux_xfrm_postroute_last(isec->sid, skb);	3723	err = selinux_xfrm_postroute_last(isec->sid, skb, &ad);
3724	out:	3724	out:
3725	return err ? NF_DROP : NF_ACCEPT;	3725	return err ? NF_DROP : NF_ACCEPT;
3726	}	3726	}
@@ -4633,6 +4633,9 @@ static struct security_operations selinux_ops = {
4633	.xfrm_state_free_security = selinux_xfrm_state_free,	4633	.xfrm_state_free_security = selinux_xfrm_state_free,
4634	.xfrm_state_delete_security = selinux_xfrm_state_delete,	4634	.xfrm_state_delete_security = selinux_xfrm_state_delete,
4635	.xfrm_policy_lookup = selinux_xfrm_policy_lookup,	4635	.xfrm_policy_lookup = selinux_xfrm_policy_lookup,
		4636	.xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
		4637	.xfrm_flow_state_match = selinux_xfrm_flow_state_match,
		4638	.xfrm_decode_session = selinux_xfrm_decode_session,
4636	#endif	4639	#endif
4637		4640
4638	#ifdef CONFIG_KEYS	4641	#ifdef CONFIG_KEYS


diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index c96498a10eb8..f51a3e84bd9b 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h
@@ -2,6 +2,7 @@
2	* SELinux support for the XFRM LSM hooks	2	* SELinux support for the XFRM LSM hooks
3	*	3	*
4	* Author : Trent Jaeger, <jaegert@us.ibm.com>	4	* Author : Trent Jaeger, <jaegert@us.ibm.com>
		5	* Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
5	*/	6	*/
6	#ifndef _SELINUX_XFRM_H_	7	#ifndef _SELINUX_XFRM_H_
7	#define _SELINUX_XFRM_H_	8	#define _SELINUX_XFRM_H_
@@ -10,10 +11,16 @@ int selinux_xfrm_policy_alloc(struct xfrm_policy xp, struct xfrm_user_sec_ctx
10	int selinux_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new);	11	int selinux_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new);
11	void selinux_xfrm_policy_free(struct xfrm_policy *xp);	12	void selinux_xfrm_policy_free(struct xfrm_policy *xp);
12	int selinux_xfrm_policy_delete(struct xfrm_policy *xp);	13	int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
13	int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx sec_ctx);	14	int selinux_xfrm_state_alloc(struct xfrm_state *x,
		15	struct xfrm_user_sec_ctx sec_ctx, struct xfrm_sec_ctx pol, u32 secid);
14	void selinux_xfrm_state_free(struct xfrm_state *x);	16	void selinux_xfrm_state_free(struct xfrm_state *x);
15	int selinux_xfrm_state_delete(struct xfrm_state *x);	17	int selinux_xfrm_state_delete(struct xfrm_state *x);
16	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir);	18	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
		19	int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
		20	struct xfrm_policy xp, struct flowi fl);
		21	int selinux_xfrm_flow_state_match(struct flowi fl, struct xfrm_state xfrm);
		22	int selinux_xfrm_decode_session(struct sk_buff skb, struct flowi fl);
		23
17		24
18	/*	25	/*
19	* Extract the security blob from the sock (it's actually on the socket)	26	* Extract the security blob from the sock (it's actually on the socket)
@@ -39,17 +46,21 @@ static inline u32 selinux_no_sk_sid(struct flowi *fl)
39	}	46	}
40		47
41	#ifdef CONFIG_SECURITY_NETWORK_XFRM	48	#ifdef CONFIG_SECURITY_NETWORK_XFRM
42	int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb);	49	int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
43	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb);	50	struct avc_audit_data *ad);
		51	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
		52	struct avc_audit_data *ad);
44	u32 selinux_socket_getpeer_stream(struct sock *sk);	53	u32 selinux_socket_getpeer_stream(struct sock *sk);
45	u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);	54	u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
46	#else	55	#else
47	static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)	56	static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
		57	struct avc_audit_data *ad)
48	{	58	{
49	return 0;	59	return 0;
50	}	60	}
51		61
52	static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)	62	static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
		63	struct avc_audit_data *ad)
53	{	64	{
54	return 0;	65	return 0;
55	}	66	}


diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 6c985ced8102..a502b0540e3d 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c
@@ -6,7 +6,12 @@
6	* Authors: Serge Hallyn <sergeh@us.ibm.com>	6	* Authors: Serge Hallyn <sergeh@us.ibm.com>
7	* Trent Jaeger <jaegert@us.ibm.com>	7	* Trent Jaeger <jaegert@us.ibm.com>
8	*	8	*
		9	* Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
		10	*
		11	* Granular IPSec Associations for use in MLS environments.
		12	*
9	* Copyright (C) 2005 International Business Machines Corporation	13	* Copyright (C) 2005 International Business Machines Corporation
		14	* Copyright (C) 2006 Trusted Computer Solutions, Inc.
10	*	15	*
11	* This program is free software; you can redistribute it and/or modify	16	* This program is free software; you can redistribute it and/or modify
12	* it under the terms of the GNU General Public License version 2,	17	* it under the terms of the GNU General Public License version 2,
@@ -67,10 +72,10 @@ static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
67	}	72	}
68		73
69	/*	74	/*
70	* LSM hook implementation that authorizes that a socket can be used	75	* LSM hook implementation that authorizes that a flow can use
71	* with the corresponding xfrm_sec_ctx and direction.	76	* a xfrm policy rule.
72	*/	77	*/
73	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)	78	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
74	{	79	{
75	int rc = 0;	80	int rc = 0;
76	u32 sel_sid = SECINITSID_UNLABELED;	81	u32 sel_sid = SECINITSID_UNLABELED;
@@ -84,27 +89,129 @@ int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)
84	sel_sid = ctx->ctx_sid;	89	sel_sid = ctx->ctx_sid;
85	}	90	}
86		91
87	rc = avc_has_perm(sk_sid, sel_sid, SECCLASS_ASSOCIATION,	92	rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
88	((dir == FLOW_DIR_IN) ? ASSOCIATION__RECVFROM :	93	ASSOCIATION__POLMATCH,
89	((dir == FLOW_DIR_OUT) ? ASSOCIATION__SENDTO :
90	(ASSOCIATION__SENDTO \| ASSOCIATION__RECVFROM))),
91	NULL);	94	NULL);
92		95
93	return rc;	96	return rc;
94	}	97	}
95		98
96	/*	99	/*
		100	* LSM hook implementation that authorizes that a state matches
		101	* the given policy, flow combo.
		102	*/
		103
		104	int selinux_xfrm_state_pol_flow_match(struct xfrm_state x, struct xfrm_policy xp,
		105	struct flowi *fl)
		106	{
		107	u32 state_sid;
		108	u32 pol_sid;
		109	int err;
		110
		111	if (x->security)
		112	state_sid = x->security->ctx_sid;
		113	else
		114	state_sid = SECINITSID_UNLABELED;
		115
		116	if (xp->security)
		117	pol_sid = xp->security->ctx_sid;
		118	else
		119	pol_sid = SECINITSID_UNLABELED;
		120
		121	err = avc_has_perm(state_sid, pol_sid, SECCLASS_ASSOCIATION,
		122	ASSOCIATION__POLMATCH,
		123	NULL);
		124
		125	if (err)
		126	return 0;
		127
		128	return selinux_xfrm_flow_state_match(fl, x);
		129	}
		130
		131	/*
		132	* LSM hook implementation that authorizes that a particular outgoing flow
		133	* can use a given security association.
		134	*/
		135
		136	int selinux_xfrm_flow_state_match(struct flowi fl, struct xfrm_state xfrm)
		137	{
		138	int rc = 0;
		139	u32 sel_sid = SECINITSID_UNLABELED;
		140	struct xfrm_sec_ctx *ctx;
		141
		142	/* Context sid is either set to label or ANY_ASSOC */
		143	if ((ctx = xfrm->security)) {
		144	if (!selinux_authorizable_ctx(ctx))
		145	return 0;
		146
		147	sel_sid = ctx->ctx_sid;
		148	}
		149
		150	rc = avc_has_perm(fl->secid, sel_sid, SECCLASS_ASSOCIATION,
		151	ASSOCIATION__SENDTO,
		152	NULL)? 0:1;
		153
		154	return rc;
		155	}
		156
		157	/*
		158	* LSM hook implementation that determines the sid for the session.
		159	*/
		160
		161	int selinux_xfrm_decode_session(struct sk_buff skb, struct flowi fl)
		162	{
		163	struct sec_path *sp;
		164
		165	fl->secid = SECSID_NULL;
		166
		167	if (skb == NULL)
		168	return 0;
		169
		170	sp = skb->sp;
		171	if (sp) {
		172	int i, sid_set = 0;
		173
		174	for (i = sp->len-1; i >= 0; i--) {
		175	struct xfrm_state *x = sp->xvec[i];
		176	if (selinux_authorizable_xfrm(x)) {
		177	struct xfrm_sec_ctx *ctx = x->security;
		178
		179	if (!sid_set) {
		180	fl->secid = ctx->ctx_sid;
		181	sid_set = 1;
		182	}
		183	else if (fl->secid != ctx->ctx_sid)
		184	return -EINVAL;
		185	}
		186	}
		187	}
		188
		189	return 0;
		190	}
		191
		192	/*
97	* Security blob allocation for xfrm_policy and xfrm_state	193	* Security blob allocation for xfrm_policy and xfrm_state
98	* CTX does not have a meaningful value on input	194	* CTX does not have a meaningful value on input
99	*/	195	*/
100	static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx *ctxp, struct xfrm_user_sec_ctx uctx)	196	static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
		197	struct xfrm_user_sec_ctx uctx, struct xfrm_sec_ctx pol, u32 sid)
101	{	198	{
102	int rc = 0;	199	int rc = 0;
103	struct task_security_struct *tsec = current->security;	200	struct task_security_struct *tsec = current->security;
104	struct xfrm_sec_ctx *ctx;	201	struct xfrm_sec_ctx *ctx = NULL;
		202	char *ctx_str = NULL;
		203	u32 str_len;
		204	u32 ctx_sid;
		205
		206	BUG_ON(uctx && pol);
		207
		208	if (pol)
		209	goto from_policy;
105		210
106	BUG_ON(!uctx);	211	BUG_ON(!uctx);
107	BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX);	212
		213	if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
		214	return -EINVAL;
108		215
109	if (uctx->ctx_len >= PAGE_SIZE)	216	if (uctx->ctx_len >= PAGE_SIZE)
110	return -ENOMEM;	217	return -ENOMEM;
@@ -141,9 +248,41 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us
141		248
142	return rc;	249	return rc;
143		250
		251	from_policy:
		252	BUG_ON(!pol);
		253	rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid);
		254	if (rc)
		255	goto out;
		256
		257	rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len);
		258	if (rc)
		259	goto out;
		260
		261	ctxp = ctx = kmalloc(sizeof(ctx) +
		262	str_len,
		263	GFP_ATOMIC);
		264
		265	if (!ctx) {
		266	rc = -ENOMEM;
		267	goto out;
		268	}
		269
		270
		271	ctx->ctx_doi = XFRM_SC_DOI_LSM;
		272	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
		273	ctx->ctx_sid = ctx_sid;
		274	ctx->ctx_len = str_len;
		275	memcpy(ctx->ctx_str,
		276	ctx_str,
		277	str_len);
		278
		279	goto out2;
		280
144	out:	281	out:
145	*ctxp = NULL;	282	*ctxp = NULL;
146	kfree(ctx);	283	kfree(ctx);
		284	out2:
		285	kfree(ctx_str);
147	return rc;	286	return rc;
148	}	287	}
149		288
@@ -157,7 +296,7 @@ int selinux_xfrm_policy_alloc(struct xfrm_policy xp, struct xfrm_user_sec_ctx
157		296
158	BUG_ON(!xp);	297	BUG_ON(!xp);
159		298
160	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx);	299	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, 0);
161	return err;	300	return err;
162	}	301	}
163		302
@@ -217,13 +356,14 @@ int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
217	* LSM hook implementation that allocs and transfers sec_ctx spec to	356	* LSM hook implementation that allocs and transfers sec_ctx spec to
218	* xfrm_state.	357	* xfrm_state.
219	*/	358	*/
220	int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx uctx)	359	int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx uctx,
		360	struct xfrm_sec_ctx *pol, u32 secid)
221	{	361	{
222	int err;	362	int err;
223		363
224	BUG_ON(!x);	364	BUG_ON(!x);
225		365
226	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx);	366	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, pol, secid);
227	return err;	367	return err;
228	}	368	}
229		369
@@ -329,38 +469,30 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
329	* we need to check for unlabelled access since this may not have	469	* we need to check for unlabelled access since this may not have
330	* gone thru the IPSec process.	470	* gone thru the IPSec process.
331	*/	471	*/
332	int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)	472	int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
		473	struct avc_audit_data *ad)
333	{	474	{
334	int i, rc = 0;	475	int i, rc = 0;
335	struct sec_path *sp;	476	struct sec_path *sp;
		477	u32 sel_sid = SECINITSID_UNLABELED;
336		478
337	sp = skb->sp;	479	sp = skb->sp;
338		480
339	if (sp) {	481	if (sp) {
340	/*
341	* __xfrm_policy_check does not approve unless xfrm_policy_ok
342	* says that spi's match for policy and the socket.
343	*
344	* Only need to verify the existence of an authorizable sp.
345	*/
346	for (i = 0; i < sp->len; i++) {	482	for (i = 0; i < sp->len; i++) {
347	struct xfrm_state *x = sp->xvec[i];	483	struct xfrm_state *x = sp->xvec[i];
348		484
349	if (x && selinux_authorizable_xfrm(x))	485	if (x && selinux_authorizable_xfrm(x)) {
350	goto accept;	486	struct xfrm_sec_ctx *ctx = x->security;
		487	sel_sid = ctx->ctx_sid;
		488	break;
		489	}
351	}	490	}
352	}	491	}
353		492
354	/* check SELinux sock for unlabelled access */	493	rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
355	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,	494	ASSOCIATION__RECVFROM, ad);
356	ASSOCIATION__RECVFROM, NULL);
357	if (rc)
358	goto drop;
359
360	accept:
361	return 0;
362		495
363	drop:
364	return rc;	496	return rc;
365	}	497	}
366		498
@@ -371,7 +503,8 @@ drop:
371	* If we do have a authorizable security association, then it has already been	503	* If we do have a authorizable security association, then it has already been
372	* checked in xfrm_policy_lookup hook.	504	* checked in xfrm_policy_lookup hook.
373	*/	505	*/
374	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)	506	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
		507	struct avc_audit_data *ad)
375	{	508	{
376	struct dst_entry *dst;	509	struct dst_entry *dst;
377	int rc = 0;	510	int rc = 0;
@@ -391,7 +524,7 @@ int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
391	}	524	}
392		525
393	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,	526	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
394	ASSOCIATION__SENDTO, NULL);	527	ASSOCIATION__SENDTO, ad);
395	out:	528	out:
396	return rc;	529	return rc;
397	}	530	}