[GitHub/mt8127/android_kernel_alcatel_ttab.git] / security / selinux / xfrm.c

/*
 *  NSA Security-Enhanced Linux (SELinux) security module
 *
 *  This file contains the SELinux XFRM hook function implementations.
 *
 *  Authors:  Serge Hallyn <sergeh@us.ibm.com>
 *	      Trent Jaeger <jaegert@us.ibm.com>
 *
 *  Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
 *
 *           Granular IPSec Associations for use in MLS environments.
 *
 *  Copyright (C) 2005 International Business Machines Corporation
 *  Copyright (C) 2006 Trusted Computer Solutions, Inc.
 *
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License version 2,
 *	as published by the Free Software Foundation.
 */

/*
 * USAGE:
 * NOTES:
 *   1. Make sure to enable the following options in your kernel config:
 *	CONFIG_SECURITY=y
 *	CONFIG_SECURITY_NETWORK=y
 *	CONFIG_SECURITY_NETWORK_XFRM=y
 *	CONFIG_SECURITY_SELINUX=m/y
 * ISSUES:
 *   1. Caching packets, so they are not dropped during negotiation
 *   2. Emulating a reasonable SO_PEERSEC across machines
 *   3. Testing addition of sk_policy's with security context via setsockopt
 */
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/security.h>
#include <linux/types.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/slab.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/skbuff.h>
#include <linux/xfrm.h>
#include <net/xfrm.h>
#include <net/checksum.h>
#include <net/udp.h>
#include <linux/atomic.h>

#include "avc.h"
#include "objsec.h"
#include "xfrm.h"

/* Labeled XFRM instance counter */
atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);

/*
 * Returns true if an LSM/SELinux context
 */
static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
{
	return (ctx &&
		(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
		(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
}

/*
 * Returns true if the xfrm contains a security blob for SELinux
 */
static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
{
	return selinux_authorizable_ctx(x->security);
}

/*
 * LSM hook implementation that authorizes that a flow can use
 * a xfrm policy rule.
 */
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
	int rc;
	u32 sel_sid;

	/* Context sid is either set to label or ANY_ASSOC */
	if (ctx) {
		if (!selinux_authorizable_ctx(ctx))
			return -EINVAL;

		sel_sid = ctx->ctx_sid;
	} else
		/*
		 * All flows should be treated as polmatch'ing an
		 * otherwise applicable "non-labeled" policy. This
		 * would prevent inadvertent "leaks".
		 */
		return 0;

	rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__POLMATCH,
			  NULL);

	if (rc == -EACCES)
		return -ESRCH;

	return rc;
}

/*
 * LSM hook implementation that authorizes that a state matches
 * the given policy, flow combo.
 */

int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
			const struct flowi *fl)
{
	u32 state_sid;
	int rc;

	if (!xp->security)
		if (x->security)
			/* unlabeled policy and labeled SA can't match */
			return 0;
		else
			/* unlabeled policy and unlabeled SA match all flows */
			return 1;
	else
		if (!x->security)
			/* unlabeled SA and labeled policy can't match */
			return 0;
		else
			if (!selinux_authorizable_xfrm(x))
				/* Not a SELinux-labeled SA */
				return 0;

	state_sid = x->security->ctx_sid;

	if (fl->flowi_secid != state_sid)
		return 0;

	rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__SENDTO,
			  NULL)? 0:1;

	/*
	 * We don't need a separate SA Vs. policy polmatch check
	 * since the SA is now of the same label as the flow and
	 * a flow Vs. policy polmatch check had already happened
	 * in selinux_xfrm_policy_lookup() above.
	 */

	return rc;
}

static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb,
					u32 *sid, int ckall)
{
	struct sec_path *sp = skb->sp;

	*sid = SECSID_NULL;

	if (sp) {
		int i, sid_set = 0;

		for (i = sp->len-1; i >= 0; i--) {
			struct xfrm_state *x = sp->xvec[i];
			if (selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;

				if (!sid_set) {
					*sid = ctx->ctx_sid;
					sid_set = 1;

					if (!ckall)
						break;
				} else if (*sid != ctx->ctx_sid)
					return -EINVAL;
			}
		}
	}

	return 0;
}

static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb)
{
	struct dst_entry *dst = skb_dst(skb);
	struct xfrm_state *x;

	if (dst == NULL)
		return SECSID_NULL;
	x = dst->xfrm;
	if (x == NULL || !selinux_authorizable_xfrm(x))
		return SECSID_NULL;

	return x->security->ctx_sid;
}

/*
 * LSM hook implementation that checks and/or returns the xfrm sid for the
 * incoming packet.
 */

int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
{
	if (skb == NULL) {
		*sid = SECSID_NULL;
		return 0;
	}
	return selinux_xfrm_skb_sid_ingress(skb, sid, ckall);
}

int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
{
	int rc;

	rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0);
	if (rc == 0 && *sid == SECSID_NULL)
		*sid = selinux_xfrm_skb_sid_egress(skb);

	return rc;
}

/*
 * Security blob allocation for xfrm_policy and xfrm_state
 * CTX does not have a meaningful value on input
 */
static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
	struct xfrm_user_sec_ctx *uctx, u32 sid)
{
	int rc = 0;
	const struct task_security_struct *tsec = current_security();
	struct xfrm_sec_ctx *ctx = NULL;
	char *ctx_str = NULL;
	u32 str_len;

	BUG_ON(uctx && sid);

	if (!uctx)
		goto not_from_user;

	if (uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
		return -EINVAL;

	str_len = uctx->ctx_len;
	if (str_len >= PAGE_SIZE)
		return -ENOMEM;

	*ctxp = ctx = kmalloc(sizeof(*ctx) +
			      str_len + 1,
			      GFP_KERNEL);

	if (!ctx)
		return -ENOMEM;

	ctx->ctx_doi = uctx->ctx_doi;
	ctx->ctx_len = str_len;
	ctx->ctx_alg = uctx->ctx_alg;

	memcpy(ctx->ctx_str,
	       uctx+1,
	       str_len);
	ctx->ctx_str[str_len] = 0;
	rc = security_context_to_sid(ctx->ctx_str,
				     str_len,
				     &ctx->ctx_sid);

	if (rc)
		goto out;

	/*
	 * Does the subject have permission to set security context?
	 */
	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
			  SECCLASS_ASSOCIATION,
			  ASSOCIATION__SETCONTEXT, NULL);
	if (rc)
		goto out;

	return rc;

not_from_user:
	rc = security_sid_to_context(sid, &ctx_str, &str_len);
	if (rc)
		goto out;

	*ctxp = ctx = kmalloc(sizeof(*ctx) +
			      str_len,
			      GFP_ATOMIC);

	if (!ctx) {
		rc = -ENOMEM;
		goto out;
	}

	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	ctx->ctx_sid = sid;
	ctx->ctx_len = str_len;
	memcpy(ctx->ctx_str,
	       ctx_str,
	       str_len);

	goto out2;

out:
	*ctxp = NULL;
	kfree(ctx);
out2:
	kfree(ctx_str);
	return rc;
}

/*
 * LSM hook implementation that allocs and transfers uctx spec to
 * xfrm_policy.
 */
int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
			      struct xfrm_user_sec_ctx *uctx)
{
	int err;

	BUG_ON(!uctx);

	err = selinux_xfrm_sec_ctx_alloc(ctxp, uctx, 0);
	if (err == 0)
		atomic_inc(&selinux_xfrm_refcount);

	return err;
}


/*
 * LSM hook implementation that copies security data structure from old to
 * new for policy cloning.
 */
int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
			      struct xfrm_sec_ctx **new_ctxp)
{
	struct xfrm_sec_ctx *new_ctx;

	if (old_ctx) {
		new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
				  GFP_ATOMIC);
		if (!new_ctx)
			return -ENOMEM;

		memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
		memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
		atomic_inc(&selinux_xfrm_refcount);
		*new_ctxp = new_ctx;
	}
	return 0;
}

/*
 * LSM hook implementation that frees xfrm_sec_ctx security information.
 */
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
	atomic_dec(&selinux_xfrm_refcount);
	kfree(ctx);
}

/*
 * LSM hook implementation that authorizes deletion of labeled policies.
 */
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
	const struct task_security_struct *tsec = current_security();

	if (!ctx)
		return 0;

	return avc_has_perm(tsec->sid, ctx->ctx_sid,
			    SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
			    NULL);
}

/*
 * LSM hook implementation that allocs and transfers sec_ctx spec to
 * xfrm_state.
 */
int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx,
		u32 secid)
{
	int err;

	BUG_ON(!x);

	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
	if (err == 0)
		atomic_inc(&selinux_xfrm_refcount);
	return err;
}

/*
 * LSM hook implementation that frees xfrm_state security information.
 */
void selinux_xfrm_state_free(struct xfrm_state *x)
{
	atomic_dec(&selinux_xfrm_refcount);
	kfree(x->security);
}

 /*
  * LSM hook implementation that authorizes deletion of labeled SAs.
  */
int selinux_xfrm_state_delete(struct xfrm_state *x)
{
	const struct task_security_struct *tsec = current_security();
	struct xfrm_sec_ctx *ctx = x->security;

	if (!ctx)
		return 0;

	return avc_has_perm(tsec->sid, ctx->ctx_sid,
			    SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
			    NULL);
}

/*
 * LSM hook that controls access to unlabelled packets.  If
 * a xfrm_state is authorizable (defined by macro) then it was
 * already authorized by the IPSec process.  If not, then
 * we need to check for unlabelled access since this may not have
 * gone thru the IPSec process.
 */
int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
				struct common_audit_data *ad)
{
	int i, rc = 0;
	struct sec_path *sp;
	u32 sel_sid = SECINITSID_UNLABELED;

	sp = skb->sp;

	if (sp) {
		for (i = 0; i < sp->len; i++) {
			struct xfrm_state *x = sp->xvec[i];

			if (x && selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;
				sel_sid = ctx->ctx_sid;
				break;
			}
		}
	}

	/*
	 * This check even when there's no association involved is
	 * intended, according to Trent Jaeger, to make sure a
	 * process can't engage in non-ipsec communication unless
	 * explicitly allowed by policy.
	 */

	rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
			  ASSOCIATION__RECVFROM, ad);

	return rc;
}

/*
 * POSTROUTE_LAST hook's XFRM processing:
 * If we have no security association, then we need to determine
 * whether the socket is allowed to send to an unlabelled destination.
 * If we do have a authorizable security association, then it has already been
 * checked in the selinux_xfrm_state_pol_flow_match hook above.
 */
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
					struct common_audit_data *ad, u8 proto)
{
	struct dst_entry *dst;
	int rc = 0;

	dst = skb_dst(skb);

	if (dst) {
		struct dst_entry *dst_test;

		for (dst_test = dst; dst_test != NULL;
		     dst_test = dst_test->child) {
			struct xfrm_state *x = dst_test->xfrm;

			if (x && selinux_authorizable_xfrm(x))
				goto out;
		}
	}

	switch (proto) {
	case IPPROTO_AH:
	case IPPROTO_ESP:
	case IPPROTO_COMP:
		/*
		 * We should have already seen this packet once before
		 * it underwent xfrm(s). No need to subject it to the
		 * unlabeled check.
		 */
		goto out;
	default:
		break;
	}

	/*
	 * This check even when there's no association involved is
	 * intended, according to Trent Jaeger, to make sure a
	 * process can't engage in non-ipsec communication unless
	 * explicitly allowed by policy.
	 */

	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
			  ASSOCIATION__SENDTO, ad);
out:
	return rc;
}
Commit	Line	Data
d28d1e08 TJ	1	/*
	2	* NSA Security-Enhanced Linux (SELinux) security module
	3	*
	4	* This file contains the SELinux XFRM hook function implementations.
	5	*
	6	* Authors: Serge Hallyn <sergeh@us.ibm.com>
	7	* Trent Jaeger <jaegert@us.ibm.com>
	8	*
e0d1caa7 VY	9	* Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
	10	*
	11	* Granular IPSec Associations for use in MLS environments.
	12	*
d28d1e08	13	* Copyright (C) 2005 International Business Machines Corporation
e0d1caa7	14	* Copyright (C) 2006 Trusted Computer Solutions, Inc.
d28d1e08 TJ	15	*
	16	* This program is free software; you can redistribute it and/or modify
	17	* it under the terms of the GNU General Public License version 2,
	18	* as published by the Free Software Foundation.
	19	*/
	20
	21	/*
	22	* USAGE:
	23	* NOTES:
	24	* 1. Make sure to enable the following options in your kernel config:
	25	* CONFIG_SECURITY=y
	26	* CONFIG_SECURITY_NETWORK=y
	27	* CONFIG_SECURITY_NETWORK_XFRM=y
	28	* CONFIG_SECURITY_SELINUX=m/y
	29	* ISSUES:
	30	* 1. Caching packets, so they are not dropped during negotiation
	31	* 2. Emulating a reasonable SO_PEERSEC across machines
	32	* 3. Testing addition of sk_policy's with security context via setsockopt
	33	*/
d28d1e08 TJ	34	#include <linux/kernel.h>
	35	#include <linux/init.h>
	36	#include <linux/security.h>
	37	#include <linux/types.h>
	38	#include <linux/netfilter.h>
	39	#include <linux/netfilter_ipv4.h>
	40	#include <linux/netfilter_ipv6.h>
5a0e3ad6	41	#include <linux/slab.h>
d28d1e08 TJ	42	#include <linux/ip.h>
	43	#include <linux/tcp.h>
	44	#include <linux/skbuff.h>
	45	#include <linux/xfrm.h>
	46	#include <net/xfrm.h>
	47	#include <net/checksum.h>
	48	#include <net/udp.h>
60063497	49	#include <linux/atomic.h>
d28d1e08 TJ	50
	51	#include "avc.h"
	52	#include "objsec.h"
	53	#include "xfrm.h"
	54
d621d35e PM	55	/* Labeled XFRM instance counter */
d621d35e PM	56	atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);
d28d1e08 TJ	57
	58	/*
	59	* Returns true if an LSM/SELinux context
	60	*/
	61	static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
	62	{
	63	return (ctx &&
	64	(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
	65	(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
	66	}
	67
	68	/*
	69	* Returns true if the xfrm contains a security blob for SELinux
	70	*/
	71	static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
	72	{
	73	return selinux_authorizable_ctx(x->security);
	74	}
	75
	76	/*
e0d1caa7 VY	77	* LSM hook implementation that authorizes that a flow can use
e0d1caa7 VY	78	* a xfrm policy rule.
d28d1e08	79	*/
03e1ad7b	80	int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
d28d1e08	81	{
5b368e61 VY	82	int rc;
5b368e61 VY	83	u32 sel_sid;
d28d1e08 TJ	84
d28d1e08 TJ	85	/* Context sid is either set to label or ANY_ASSOC */
03e1ad7b	86	if (ctx) {
d28d1e08 TJ	87	if (!selinux_authorizable_ctx(ctx))
	88	return -EINVAL;
	89
	90	sel_sid = ctx->ctx_sid;
03e1ad7b	91	} else
5b368e61 VY	92	/*
	93	* All flows should be treated as polmatch'ing an
	94	* otherwise applicable "non-labeled" policy. This
	95	* would prevent inadvertent "leaks".
	96	*/
	97	return 0;
d28d1e08	98
e0d1caa7 VY	99	rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
e0d1caa7 VY	100	ASSOCIATION__POLMATCH,
d28d1e08 TJ	101	NULL);
d28d1e08 TJ	102
5b368e61	103	if (rc == -EACCES)
03e1ad7b	104	return -ESRCH;
5b368e61	105
d28d1e08 TJ	106	return rc;
	107	}
	108
e0d1caa7 VY	109	/*
	110	* LSM hook implementation that authorizes that a state matches
	111	* the given policy, flow combo.
	112	*/
	113
	114	int selinux_xfrm_state_pol_flow_match(struct xfrm_state x, struct xfrm_policy xp,
e33f7704	115	const struct flowi *fl)
e0d1caa7 VY	116	{
e0d1caa7 VY	117	u32 state_sid;
67f83cbf	118	int rc;
e0d1caa7	119
67f83cbf	120	if (!xp->security)
5b368e61 VY	121	if (x->security)
	122	/* unlabeled policy and labeled SA can't match */
	123	return 0;
	124	else
	125	/* unlabeled policy and unlabeled SA match all flows */
	126	return 1;
5b368e61	127	else
67f83cbf VY	128	if (!x->security)
67f83cbf VY	129	/* unlabeled SA and labeled policy can't match */
5b368e61	130	return 0;
67f83cbf VY	131	else
	132	if (!selinux_authorizable_xfrm(x))
	133	/* Not a SELinux-labeled SA */
	134	return 0;
5b368e61	135
67f83cbf	136	state_sid = x->security->ctx_sid;
e0d1caa7	137
1d28f42c	138	if (fl->flowi_secid != state_sid)
67f83cbf	139	return 0;
e0d1caa7	140
1d28f42c	141	rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
e0d1caa7 VY	142	ASSOCIATION__SENDTO,
	143	NULL)? 0:1;
	144
67f83cbf VY	145	/*
	146	* We don't need a separate SA Vs. policy polmatch check
	147	* since the SA is now of the same label as the flow and
	148	* a flow Vs. policy polmatch check had already happened
	149	* in selinux_xfrm_policy_lookup() above.
	150	*/
	151
e0d1caa7 VY	152	return rc;
	153	}
	154
07035708 PM	155	static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb,
07035708 PM	156	u32 *sid, int ckall)
e0d1caa7	157	{
07035708	158	struct sec_path *sp = skb->sp;
e0d1caa7	159
beb8d13b	160	*sid = SECSID_NULL;
e0d1caa7	161
e0d1caa7 VY	162	if (sp) {
	163	int i, sid_set = 0;
	164
	165	for (i = sp->len-1; i >= 0; i--) {
	166	struct xfrm_state *x = sp->xvec[i];
	167	if (selinux_authorizable_xfrm(x)) {
	168	struct xfrm_sec_ctx *ctx = x->security;
	169
	170	if (!sid_set) {
beb8d13b	171	*sid = ctx->ctx_sid;
e0d1caa7	172	sid_set = 1;
beb8d13b VY	173
	174	if (!ckall)
	175	break;
3c1c88ab	176	} else if (*sid != ctx->ctx_sid)
e0d1caa7 VY	177	return -EINVAL;
	178	}
	179	}
	180	}
	181
	182	return 0;
	183	}
	184
07035708 PM	185	static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb)
	186	{
	187	struct dst_entry *dst = skb_dst(skb);
	188	struct xfrm_state *x;
	189
	190	if (dst == NULL)
	191	return SECSID_NULL;
	192	x = dst->xfrm;
	193	if (x == NULL \|\| !selinux_authorizable_xfrm(x))
	194	return SECSID_NULL;
	195
	196	return x->security->ctx_sid;
	197	}
	198
	199	/*
	200	* LSM hook implementation that checks and/or returns the xfrm sid for the
	201	* incoming packet.
	202	*/
	203
	204	int selinux_xfrm_decode_session(struct sk_buff skb, u32 sid, int ckall)
	205	{
	206	if (skb == NULL) {
	207	*sid = SECSID_NULL;
	208	return 0;
	209	}
	210	return selinux_xfrm_skb_sid_ingress(skb, sid, ckall);
	211	}
	212
	213	int selinux_xfrm_skb_sid(struct sk_buff skb, u32 sid)
	214	{
	215	int rc;
	216
	217	rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0);
	218	if (rc == 0 && *sid == SECSID_NULL)
	219	*sid = selinux_xfrm_skb_sid_egress(skb);
	220
	221	return rc;
	222	}
	223
d28d1e08 TJ	224	/*
	225	* Security blob allocation for xfrm_policy and xfrm_state
	226	* CTX does not have a meaningful value on input
	227	*/
e0d1caa7	228	static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
c1a856c9	229	struct xfrm_user_sec_ctx *uctx, u32 sid)
d28d1e08 TJ	230	{
d28d1e08 TJ	231	int rc = 0;
86a264ab	232	const struct task_security_struct *tsec = current_security();
e0d1caa7 VY	233	struct xfrm_sec_ctx *ctx = NULL;
	234	char *ctx_str = NULL;
	235	u32 str_len;
e0d1caa7	236
c1a856c9	237	BUG_ON(uctx && sid);
e0d1caa7	238
cb969f07 VY	239	if (!uctx)
cb969f07 VY	240	goto not_from_user;
e0d1caa7	241
8f82a688	242	if (uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
e0d1caa7	243	return -EINVAL;
d28d1e08	244
57002bfb SR	245	str_len = uctx->ctx_len;
57002bfb SR	246	if (str_len >= PAGE_SIZE)
d28d1e08 TJ	247	return -ENOMEM;
	248
	249	ctxp = ctx = kmalloc(sizeof(ctx) +
57002bfb	250	str_len + 1,
d28d1e08 TJ	251	GFP_KERNEL);
	252
	253	if (!ctx)
	254	return -ENOMEM;
	255
	256	ctx->ctx_doi = uctx->ctx_doi;
57002bfb	257	ctx->ctx_len = str_len;
d28d1e08 TJ	258	ctx->ctx_alg = uctx->ctx_alg;
	259
	260	memcpy(ctx->ctx_str,
	261	uctx+1,
57002bfb SR	262	str_len);
57002bfb SR	263	ctx->ctx_str[str_len] = 0;
d28d1e08	264	rc = security_context_to_sid(ctx->ctx_str,
57002bfb	265	str_len,
d28d1e08 TJ	266	&ctx->ctx_sid);
	267
	268	if (rc)
	269	goto out;
	270
	271	/*
c8c05a8e	272	* Does the subject have permission to set security context?
d28d1e08	273	*/
d28d1e08 TJ	274	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
d28d1e08 TJ	275	SECCLASS_ASSOCIATION,
5f8ac64b	276	ASSOCIATION__SETCONTEXT, NULL);
d28d1e08 TJ	277	if (rc)
	278	goto out;
	279
	280	return rc;
	281
cb969f07	282	not_from_user:
c1a856c9	283	rc = security_sid_to_context(sid, &ctx_str, &str_len);
e0d1caa7 VY	284	if (rc)
	285	goto out;
	286
	287	ctxp = ctx = kmalloc(sizeof(ctx) +
	288	str_len,
	289	GFP_ATOMIC);
	290
	291	if (!ctx) {
	292	rc = -ENOMEM;
	293	goto out;
	294	}
	295
e0d1caa7 VY	296	ctx->ctx_doi = XFRM_SC_DOI_LSM;
e0d1caa7 VY	297	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
c1a856c9	298	ctx->ctx_sid = sid;
e0d1caa7 VY	299	ctx->ctx_len = str_len;
	300	memcpy(ctx->ctx_str,
	301	ctx_str,
	302	str_len);
	303
	304	goto out2;
	305
d28d1e08	306	out:
ee2e6841	307	*ctxp = NULL;
d28d1e08	308	kfree(ctx);
e0d1caa7 VY	309	out2:
e0d1caa7 VY	310	kfree(ctx_str);
d28d1e08 TJ	311	return rc;
	312	}
	313
	314	/*
	315	* LSM hook implementation that allocs and transfers uctx spec to
	316	* xfrm_policy.
	317	*/
03e1ad7b PM	318	int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
03e1ad7b PM	319	struct xfrm_user_sec_ctx *uctx)
d28d1e08 TJ	320	{
	321	int err;
	322
c1a856c9	323	BUG_ON(!uctx);
d28d1e08	324
03e1ad7b	325	err = selinux_xfrm_sec_ctx_alloc(ctxp, uctx, 0);
d621d35e PM	326	if (err == 0)
	327	atomic_inc(&selinux_xfrm_refcount);
	328
d28d1e08 TJ	329	return err;
	330	}
	331
	332
	333	/*
	334	* LSM hook implementation that copies security data structure from old to
	335	* new for policy cloning.
	336	*/
03e1ad7b PM	337	int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
03e1ad7b PM	338	struct xfrm_sec_ctx **new_ctxp)
d28d1e08	339	{
03e1ad7b	340	struct xfrm_sec_ctx *new_ctx;
d28d1e08 TJ	341
d28d1e08 TJ	342	if (old_ctx) {
03e1ad7b	343	new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
4502403d	344	GFP_ATOMIC);
d28d1e08 TJ	345	if (!new_ctx)
	346	return -ENOMEM;
	347
	348	memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
	349	memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
e4e8536f	350	atomic_inc(&selinux_xfrm_refcount);
03e1ad7b	351	*new_ctxp = new_ctx;
d28d1e08 TJ	352	}
	353	return 0;
	354	}
	355
	356	/*
03e1ad7b	357	* LSM hook implementation that frees xfrm_sec_ctx security information.
d28d1e08	358	*/
03e1ad7b	359	void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
d28d1e08	360	{
e4e8536f	361	atomic_dec(&selinux_xfrm_refcount);
3c1c88ab	362	kfree(ctx);
d28d1e08 TJ	363	}
d28d1e08 TJ	364
c8c05a8e CZ	365	/*
	366	* LSM hook implementation that authorizes deletion of labeled policies.
	367	*/
03e1ad7b	368	int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
c8c05a8e	369	{
86a264ab	370	const struct task_security_struct *tsec = current_security();
c8c05a8e	371
e4e8536f PM	372	if (!ctx)
e4e8536f PM	373	return 0;
c8c05a8e	374
e4e8536f PM	375	return avc_has_perm(tsec->sid, ctx->ctx_sid,
	376	SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
	377	NULL);
c8c05a8e CZ	378	}
c8c05a8e CZ	379
d28d1e08 TJ	380	/*
	381	* LSM hook implementation that allocs and transfers sec_ctx spec to
	382	* xfrm_state.
	383	*/
e0d1caa7	384	int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx uctx,
c1a856c9	385	u32 secid)
d28d1e08 TJ	386	{
	387	int err;
	388
	389	BUG_ON(!x);
	390
c1a856c9	391	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
d621d35e PM	392	if (err == 0)
d621d35e PM	393	atomic_inc(&selinux_xfrm_refcount);
d28d1e08 TJ	394	return err;
	395	}
	396
	397	/*
	398	* LSM hook implementation that frees xfrm_state security information.
	399	*/
	400	void selinux_xfrm_state_free(struct xfrm_state *x)
	401	{
e4e8536f PM	402	atomic_dec(&selinux_xfrm_refcount);
e4e8536f PM	403	kfree(x->security);
d28d1e08 TJ	404	}
d28d1e08 TJ	405
c8c05a8e CZ	406	/*
	407	* LSM hook implementation that authorizes deletion of labeled SAs.
	408	*/
	409	int selinux_xfrm_state_delete(struct xfrm_state *x)
	410	{
86a264ab	411	const struct task_security_struct *tsec = current_security();
c8c05a8e	412	struct xfrm_sec_ctx *ctx = x->security;
c8c05a8e	413
e4e8536f PM	414	if (!ctx)
e4e8536f PM	415	return 0;
c8c05a8e	416
e4e8536f PM	417	return avc_has_perm(tsec->sid, ctx->ctx_sid,
	418	SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
	419	NULL);
c8c05a8e CZ	420	}
c8c05a8e CZ	421
d28d1e08 TJ	422	/*
	423	* LSM hook that controls access to unlabelled packets. If
	424	* a xfrm_state is authorizable (defined by macro) then it was
	425	* already authorized by the IPSec process. If not, then
	426	* we need to check for unlabelled access since this may not have
	427	* gone thru the IPSec process.
	428	*/
e0d1caa7	429	int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
2bf49690	430	struct common_audit_data *ad)
d28d1e08 TJ	431	{
	432	int i, rc = 0;
	433	struct sec_path *sp;
e0d1caa7	434	u32 sel_sid = SECINITSID_UNLABELED;
d28d1e08 TJ	435
	436	sp = skb->sp;
	437
	438	if (sp) {
d28d1e08	439	for (i = 0; i < sp->len; i++) {
67644726	440	struct xfrm_state *x = sp->xvec[i];
d28d1e08	441
e0d1caa7 VY	442	if (x && selinux_authorizable_xfrm(x)) {
	443	struct xfrm_sec_ctx *ctx = x->security;
	444	sel_sid = ctx->ctx_sid;
	445	break;
	446	}
d28d1e08 TJ	447	}
	448	}
	449
67f83cbf VY	450	/*
	451	* This check even when there's no association involved is
	452	* intended, according to Trent Jaeger, to make sure a
	453	* process can't engage in non-ipsec communication unless
	454	* explicitly allowed by policy.
	455	*/
	456
e0d1caa7 VY	457	rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION,
e0d1caa7 VY	458	ASSOCIATION__RECVFROM, ad);
d28d1e08	459
d28d1e08 TJ	460	return rc;
	461	}
	462
	463	/*
	464	* POSTROUTE_LAST hook's XFRM processing:
	465	* If we have no security association, then we need to determine
	466	* whether the socket is allowed to send to an unlabelled destination.
	467	* If we do have a authorizable security association, then it has already been
67f83cbf	468	* checked in the selinux_xfrm_state_pol_flow_match hook above.
d28d1e08	469	*/
e0d1caa7	470	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
2bf49690	471	struct common_audit_data *ad, u8 proto)
d28d1e08 TJ	472	{
	473	struct dst_entry *dst;
	474	int rc = 0;
	475
adf30907	476	dst = skb_dst(skb);
d28d1e08 TJ	477
	478	if (dst) {
	479	struct dst_entry *dst_test;
	480
c80544dc	481	for (dst_test = dst; dst_test != NULL;
d28d1e08 TJ	482	dst_test = dst_test->child) {
	483	struct xfrm_state *x = dst_test->xfrm;
	484
	485	if (x && selinux_authorizable_xfrm(x))
4e5ab4cb	486	goto out;
d28d1e08 TJ	487	}
	488	}
	489
67f83cbf VY	490	switch (proto) {
	491	case IPPROTO_AH:
	492	case IPPROTO_ESP:
	493	case IPPROTO_COMP:
	494	/*
	495	* We should have already seen this packet once before
	496	* it underwent xfrm(s). No need to subject it to the
	497	* unlabeled check.
	498	*/
	499	goto out;
	500	default:
	501	break;
	502	}
	503
	504	/*
	505	* This check even when there's no association involved is
	506	* intended, according to Trent Jaeger, to make sure a
	507	* process can't engage in non-ipsec communication unless
	508	* explicitly allowed by policy.
	509	*/
	510
d28d1e08	511	rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
e0d1caa7	512	ASSOCIATION__SENDTO, ad);
4e5ab4cb JM	513	out:
4e5ab4cb JM	514	return rc;
d28d1e08	515	}