Commit | Line | Data |
---|---|---|
d28d1e08 TJ |
1 | /* |
2 | * NSA Security-Enhanced Linux (SELinux) security module | |
3 | * | |
4 | * This file contains the SELinux XFRM hook function implementations. | |
5 | * | |
6 | * Authors: Serge Hallyn <sergeh@us.ibm.com> | |
7 | * Trent Jaeger <jaegert@us.ibm.com> | |
8 | * | |
e0d1caa7 VY |
9 | * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com> |
10 | * | |
11 | * Granular IPSec Associations for use in MLS environments. | |
12 | * | |
d28d1e08 | 13 | * Copyright (C) 2005 International Business Machines Corporation |
e0d1caa7 | 14 | * Copyright (C) 2006 Trusted Computer Solutions, Inc. |
d28d1e08 TJ |
15 | * |
16 | * This program is free software; you can redistribute it and/or modify | |
17 | * it under the terms of the GNU General Public License version 2, | |
18 | * as published by the Free Software Foundation. | |
19 | */ | |
20 | ||
21 | /* | |
22 | * USAGE: | |
23 | * NOTES: | |
24 | * 1. Make sure to enable the following options in your kernel config: | |
25 | * CONFIG_SECURITY=y | |
26 | * CONFIG_SECURITY_NETWORK=y | |
27 | * CONFIG_SECURITY_NETWORK_XFRM=y | |
28 | * CONFIG_SECURITY_SELINUX=m/y | |
29 | * ISSUES: | |
30 | * 1. Caching packets, so they are not dropped during negotiation | |
31 | * 2. Emulating a reasonable SO_PEERSEC across machines | |
32 | * 3. Testing addition of sk_policy's with security context via setsockopt | |
33 | */ | |
d28d1e08 TJ |
34 | #include <linux/kernel.h> |
35 | #include <linux/init.h> | |
36 | #include <linux/security.h> | |
37 | #include <linux/types.h> | |
38 | #include <linux/netfilter.h> | |
39 | #include <linux/netfilter_ipv4.h> | |
40 | #include <linux/netfilter_ipv6.h> | |
5a0e3ad6 | 41 | #include <linux/slab.h> |
d28d1e08 TJ |
42 | #include <linux/ip.h> |
43 | #include <linux/tcp.h> | |
44 | #include <linux/skbuff.h> | |
45 | #include <linux/xfrm.h> | |
46 | #include <net/xfrm.h> | |
47 | #include <net/checksum.h> | |
48 | #include <net/udp.h> | |
60063497 | 49 | #include <linux/atomic.h> |
d28d1e08 TJ |
50 | |
51 | #include "avc.h" | |
52 | #include "objsec.h" | |
53 | #include "xfrm.h" | |
54 | ||
d621d35e PM |
55 | /* Labeled XFRM instance counter */ |
56 | atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0); | |
d28d1e08 TJ |
57 | |
58 | /* | |
59 | * Returns true if an LSM/SELinux context | |
60 | */ | |
61 | static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) | |
62 | { | |
63 | return (ctx && | |
64 | (ctx->ctx_doi == XFRM_SC_DOI_LSM) && | |
65 | (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); | |
66 | } | |
67 | ||
68 | /* | |
69 | * Returns true if the xfrm contains a security blob for SELinux | |
70 | */ | |
71 | static inline int selinux_authorizable_xfrm(struct xfrm_state *x) | |
72 | { | |
73 | return selinux_authorizable_ctx(x->security); | |
74 | } | |
75 | ||
76 | /* | |
e0d1caa7 VY |
77 | * LSM hook implementation that authorizes that a flow can use |
78 | * a xfrm policy rule. | |
d28d1e08 | 79 | */ |
03e1ad7b | 80 | int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) |
d28d1e08 | 81 | { |
5b368e61 VY |
82 | int rc; |
83 | u32 sel_sid; | |
d28d1e08 TJ |
84 | |
85 | /* Context sid is either set to label or ANY_ASSOC */ | |
03e1ad7b | 86 | if (ctx) { |
d28d1e08 TJ |
87 | if (!selinux_authorizable_ctx(ctx)) |
88 | return -EINVAL; | |
89 | ||
90 | sel_sid = ctx->ctx_sid; | |
03e1ad7b | 91 | } else |
5b368e61 VY |
92 | /* |
93 | * All flows should be treated as polmatch'ing an | |
94 | * otherwise applicable "non-labeled" policy. This | |
95 | * would prevent inadvertent "leaks". | |
96 | */ | |
97 | return 0; | |
d28d1e08 | 98 | |
e0d1caa7 VY |
99 | rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, |
100 | ASSOCIATION__POLMATCH, | |
d28d1e08 TJ |
101 | NULL); |
102 | ||
5b368e61 | 103 | if (rc == -EACCES) |
03e1ad7b | 104 | return -ESRCH; |
5b368e61 | 105 | |
d28d1e08 TJ |
106 | return rc; |
107 | } | |
108 | ||
e0d1caa7 VY |
109 | /* |
110 | * LSM hook implementation that authorizes that a state matches | |
111 | * the given policy, flow combo. | |
112 | */ | |
113 | ||
114 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, | |
e33f7704 | 115 | const struct flowi *fl) |
e0d1caa7 VY |
116 | { |
117 | u32 state_sid; | |
67f83cbf | 118 | int rc; |
e0d1caa7 | 119 | |
67f83cbf | 120 | if (!xp->security) |
5b368e61 VY |
121 | if (x->security) |
122 | /* unlabeled policy and labeled SA can't match */ | |
123 | return 0; | |
124 | else | |
125 | /* unlabeled policy and unlabeled SA match all flows */ | |
126 | return 1; | |
5b368e61 | 127 | else |
67f83cbf VY |
128 | if (!x->security) |
129 | /* unlabeled SA and labeled policy can't match */ | |
5b368e61 | 130 | return 0; |
67f83cbf VY |
131 | else |
132 | if (!selinux_authorizable_xfrm(x)) | |
133 | /* Not a SELinux-labeled SA */ | |
134 | return 0; | |
5b368e61 | 135 | |
67f83cbf | 136 | state_sid = x->security->ctx_sid; |
e0d1caa7 | 137 | |
1d28f42c | 138 | if (fl->flowi_secid != state_sid) |
67f83cbf | 139 | return 0; |
e0d1caa7 | 140 | |
1d28f42c | 141 | rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION, |
e0d1caa7 VY |
142 | ASSOCIATION__SENDTO, |
143 | NULL)? 0:1; | |
144 | ||
67f83cbf VY |
145 | /* |
146 | * We don't need a separate SA Vs. policy polmatch check | |
147 | * since the SA is now of the same label as the flow and | |
148 | * a flow Vs. policy polmatch check had already happened | |
149 | * in selinux_xfrm_policy_lookup() above. | |
150 | */ | |
151 | ||
e0d1caa7 VY |
152 | return rc; |
153 | } | |
154 | ||
07035708 PM |
155 | static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb, |
156 | u32 *sid, int ckall) | |
e0d1caa7 | 157 | { |
07035708 | 158 | struct sec_path *sp = skb->sp; |
e0d1caa7 | 159 | |
beb8d13b | 160 | *sid = SECSID_NULL; |
e0d1caa7 | 161 | |
e0d1caa7 VY |
162 | if (sp) { |
163 | int i, sid_set = 0; | |
164 | ||
165 | for (i = sp->len-1; i >= 0; i--) { | |
166 | struct xfrm_state *x = sp->xvec[i]; | |
167 | if (selinux_authorizable_xfrm(x)) { | |
168 | struct xfrm_sec_ctx *ctx = x->security; | |
169 | ||
170 | if (!sid_set) { | |
beb8d13b | 171 | *sid = ctx->ctx_sid; |
e0d1caa7 | 172 | sid_set = 1; |
beb8d13b VY |
173 | |
174 | if (!ckall) | |
175 | break; | |
3c1c88ab | 176 | } else if (*sid != ctx->ctx_sid) |
e0d1caa7 VY |
177 | return -EINVAL; |
178 | } | |
179 | } | |
180 | } | |
181 | ||
182 | return 0; | |
183 | } | |
184 | ||
07035708 PM |
185 | static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb) |
186 | { | |
187 | struct dst_entry *dst = skb_dst(skb); | |
188 | struct xfrm_state *x; | |
189 | ||
190 | if (dst == NULL) | |
191 | return SECSID_NULL; | |
192 | x = dst->xfrm; | |
193 | if (x == NULL || !selinux_authorizable_xfrm(x)) | |
194 | return SECSID_NULL; | |
195 | ||
196 | return x->security->ctx_sid; | |
197 | } | |
198 | ||
199 | /* | |
200 | * LSM hook implementation that checks and/or returns the xfrm sid for the | |
201 | * incoming packet. | |
202 | */ | |
203 | ||
204 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) | |
205 | { | |
206 | if (skb == NULL) { | |
207 | *sid = SECSID_NULL; | |
208 | return 0; | |
209 | } | |
210 | return selinux_xfrm_skb_sid_ingress(skb, sid, ckall); | |
211 | } | |
212 | ||
213 | int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid) | |
214 | { | |
215 | int rc; | |
216 | ||
217 | rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0); | |
218 | if (rc == 0 && *sid == SECSID_NULL) | |
219 | *sid = selinux_xfrm_skb_sid_egress(skb); | |
220 | ||
221 | return rc; | |
222 | } | |
223 | ||
d28d1e08 TJ |
224 | /* |
225 | * Security blob allocation for xfrm_policy and xfrm_state | |
226 | * CTX does not have a meaningful value on input | |
227 | */ | |
e0d1caa7 | 228 | static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, |
c1a856c9 | 229 | struct xfrm_user_sec_ctx *uctx, u32 sid) |
d28d1e08 TJ |
230 | { |
231 | int rc = 0; | |
86a264ab | 232 | const struct task_security_struct *tsec = current_security(); |
e0d1caa7 VY |
233 | struct xfrm_sec_ctx *ctx = NULL; |
234 | char *ctx_str = NULL; | |
235 | u32 str_len; | |
e0d1caa7 | 236 | |
c1a856c9 | 237 | BUG_ON(uctx && sid); |
e0d1caa7 | 238 | |
cb969f07 VY |
239 | if (!uctx) |
240 | goto not_from_user; | |
e0d1caa7 | 241 | |
8f82a688 | 242 | if (uctx->ctx_alg != XFRM_SC_ALG_SELINUX) |
e0d1caa7 | 243 | return -EINVAL; |
d28d1e08 | 244 | |
57002bfb SR |
245 | str_len = uctx->ctx_len; |
246 | if (str_len >= PAGE_SIZE) | |
d28d1e08 TJ |
247 | return -ENOMEM; |
248 | ||
249 | *ctxp = ctx = kmalloc(sizeof(*ctx) + | |
57002bfb | 250 | str_len + 1, |
d28d1e08 TJ |
251 | GFP_KERNEL); |
252 | ||
253 | if (!ctx) | |
254 | return -ENOMEM; | |
255 | ||
256 | ctx->ctx_doi = uctx->ctx_doi; | |
57002bfb | 257 | ctx->ctx_len = str_len; |
d28d1e08 TJ |
258 | ctx->ctx_alg = uctx->ctx_alg; |
259 | ||
260 | memcpy(ctx->ctx_str, | |
261 | uctx+1, | |
57002bfb SR |
262 | str_len); |
263 | ctx->ctx_str[str_len] = 0; | |
d28d1e08 | 264 | rc = security_context_to_sid(ctx->ctx_str, |
57002bfb | 265 | str_len, |
d28d1e08 TJ |
266 | &ctx->ctx_sid); |
267 | ||
268 | if (rc) | |
269 | goto out; | |
270 | ||
271 | /* | |
c8c05a8e | 272 | * Does the subject have permission to set security context? |
d28d1e08 | 273 | */ |
d28d1e08 TJ |
274 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
275 | SECCLASS_ASSOCIATION, | |
5f8ac64b | 276 | ASSOCIATION__SETCONTEXT, NULL); |
d28d1e08 TJ |
277 | if (rc) |
278 | goto out; | |
279 | ||
280 | return rc; | |
281 | ||
cb969f07 | 282 | not_from_user: |
c1a856c9 | 283 | rc = security_sid_to_context(sid, &ctx_str, &str_len); |
e0d1caa7 VY |
284 | if (rc) |
285 | goto out; | |
286 | ||
287 | *ctxp = ctx = kmalloc(sizeof(*ctx) + | |
288 | str_len, | |
289 | GFP_ATOMIC); | |
290 | ||
291 | if (!ctx) { | |
292 | rc = -ENOMEM; | |
293 | goto out; | |
294 | } | |
295 | ||
e0d1caa7 VY |
296 | ctx->ctx_doi = XFRM_SC_DOI_LSM; |
297 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; | |
c1a856c9 | 298 | ctx->ctx_sid = sid; |
e0d1caa7 VY |
299 | ctx->ctx_len = str_len; |
300 | memcpy(ctx->ctx_str, | |
301 | ctx_str, | |
302 | str_len); | |
303 | ||
304 | goto out2; | |
305 | ||
d28d1e08 | 306 | out: |
ee2e6841 | 307 | *ctxp = NULL; |
d28d1e08 | 308 | kfree(ctx); |
e0d1caa7 VY |
309 | out2: |
310 | kfree(ctx_str); | |
d28d1e08 TJ |
311 | return rc; |
312 | } | |
313 | ||
314 | /* | |
315 | * LSM hook implementation that allocs and transfers uctx spec to | |
316 | * xfrm_policy. | |
317 | */ | |
03e1ad7b PM |
318 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, |
319 | struct xfrm_user_sec_ctx *uctx) | |
d28d1e08 TJ |
320 | { |
321 | int err; | |
322 | ||
c1a856c9 | 323 | BUG_ON(!uctx); |
d28d1e08 | 324 | |
03e1ad7b | 325 | err = selinux_xfrm_sec_ctx_alloc(ctxp, uctx, 0); |
d621d35e PM |
326 | if (err == 0) |
327 | atomic_inc(&selinux_xfrm_refcount); | |
328 | ||
d28d1e08 TJ |
329 | return err; |
330 | } | |
331 | ||
332 | ||
333 | /* | |
334 | * LSM hook implementation that copies security data structure from old to | |
335 | * new for policy cloning. | |
336 | */ | |
03e1ad7b PM |
337 | int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, |
338 | struct xfrm_sec_ctx **new_ctxp) | |
d28d1e08 | 339 | { |
03e1ad7b | 340 | struct xfrm_sec_ctx *new_ctx; |
d28d1e08 TJ |
341 | |
342 | if (old_ctx) { | |
03e1ad7b | 343 | new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, |
4502403d | 344 | GFP_ATOMIC); |
d28d1e08 TJ |
345 | if (!new_ctx) |
346 | return -ENOMEM; | |
347 | ||
348 | memcpy(new_ctx, old_ctx, sizeof(*new_ctx)); | |
349 | memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len); | |
e4e8536f | 350 | atomic_inc(&selinux_xfrm_refcount); |
03e1ad7b | 351 | *new_ctxp = new_ctx; |
d28d1e08 TJ |
352 | } |
353 | return 0; | |
354 | } | |
355 | ||
356 | /* | |
03e1ad7b | 357 | * LSM hook implementation that frees xfrm_sec_ctx security information. |
d28d1e08 | 358 | */ |
03e1ad7b | 359 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) |
d28d1e08 | 360 | { |
e4e8536f | 361 | atomic_dec(&selinux_xfrm_refcount); |
3c1c88ab | 362 | kfree(ctx); |
d28d1e08 TJ |
363 | } |
364 | ||
c8c05a8e CZ |
365 | /* |
366 | * LSM hook implementation that authorizes deletion of labeled policies. | |
367 | */ | |
03e1ad7b | 368 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) |
c8c05a8e | 369 | { |
86a264ab | 370 | const struct task_security_struct *tsec = current_security(); |
c8c05a8e | 371 | |
e4e8536f PM |
372 | if (!ctx) |
373 | return 0; | |
c8c05a8e | 374 | |
e4e8536f PM |
375 | return avc_has_perm(tsec->sid, ctx->ctx_sid, |
376 | SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, | |
377 | NULL); | |
c8c05a8e CZ |
378 | } |
379 | ||
d28d1e08 TJ |
380 | /* |
381 | * LSM hook implementation that allocs and transfers sec_ctx spec to | |
382 | * xfrm_state. | |
383 | */ | |
e0d1caa7 | 384 | int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, |
c1a856c9 | 385 | u32 secid) |
d28d1e08 TJ |
386 | { |
387 | int err; | |
388 | ||
389 | BUG_ON(!x); | |
390 | ||
c1a856c9 | 391 | err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid); |
d621d35e PM |
392 | if (err == 0) |
393 | atomic_inc(&selinux_xfrm_refcount); | |
d28d1e08 TJ |
394 | return err; |
395 | } | |
396 | ||
397 | /* | |
398 | * LSM hook implementation that frees xfrm_state security information. | |
399 | */ | |
400 | void selinux_xfrm_state_free(struct xfrm_state *x) | |
401 | { | |
e4e8536f PM |
402 | atomic_dec(&selinux_xfrm_refcount); |
403 | kfree(x->security); | |
d28d1e08 TJ |
404 | } |
405 | ||
c8c05a8e CZ |
406 | /* |
407 | * LSM hook implementation that authorizes deletion of labeled SAs. | |
408 | */ | |
409 | int selinux_xfrm_state_delete(struct xfrm_state *x) | |
410 | { | |
86a264ab | 411 | const struct task_security_struct *tsec = current_security(); |
c8c05a8e | 412 | struct xfrm_sec_ctx *ctx = x->security; |
c8c05a8e | 413 | |
e4e8536f PM |
414 | if (!ctx) |
415 | return 0; | |
c8c05a8e | 416 | |
e4e8536f PM |
417 | return avc_has_perm(tsec->sid, ctx->ctx_sid, |
418 | SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, | |
419 | NULL); | |
c8c05a8e CZ |
420 | } |
421 | ||
d28d1e08 TJ |
422 | /* |
423 | * LSM hook that controls access to unlabelled packets. If | |
424 | * a xfrm_state is authorizable (defined by macro) then it was | |
425 | * already authorized by the IPSec process. If not, then | |
426 | * we need to check for unlabelled access since this may not have | |
427 | * gone thru the IPSec process. | |
428 | */ | |
e0d1caa7 | 429 | int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, |
2bf49690 | 430 | struct common_audit_data *ad) |
d28d1e08 TJ |
431 | { |
432 | int i, rc = 0; | |
433 | struct sec_path *sp; | |
e0d1caa7 | 434 | u32 sel_sid = SECINITSID_UNLABELED; |
d28d1e08 TJ |
435 | |
436 | sp = skb->sp; | |
437 | ||
438 | if (sp) { | |
d28d1e08 | 439 | for (i = 0; i < sp->len; i++) { |
67644726 | 440 | struct xfrm_state *x = sp->xvec[i]; |
d28d1e08 | 441 | |
e0d1caa7 VY |
442 | if (x && selinux_authorizable_xfrm(x)) { |
443 | struct xfrm_sec_ctx *ctx = x->security; | |
444 | sel_sid = ctx->ctx_sid; | |
445 | break; | |
446 | } | |
d28d1e08 TJ |
447 | } |
448 | } | |
449 | ||
67f83cbf VY |
450 | /* |
451 | * This check even when there's no association involved is | |
452 | * intended, according to Trent Jaeger, to make sure a | |
453 | * process can't engage in non-ipsec communication unless | |
454 | * explicitly allowed by policy. | |
455 | */ | |
456 | ||
e0d1caa7 VY |
457 | rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION, |
458 | ASSOCIATION__RECVFROM, ad); | |
d28d1e08 | 459 | |
d28d1e08 TJ |
460 | return rc; |
461 | } | |
462 | ||
463 | /* | |
464 | * POSTROUTE_LAST hook's XFRM processing: | |
465 | * If we have no security association, then we need to determine | |
466 | * whether the socket is allowed to send to an unlabelled destination. | |
467 | * If we do have a authorizable security association, then it has already been | |
67f83cbf | 468 | * checked in the selinux_xfrm_state_pol_flow_match hook above. |
d28d1e08 | 469 | */ |
e0d1caa7 | 470 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, |
2bf49690 | 471 | struct common_audit_data *ad, u8 proto) |
d28d1e08 TJ |
472 | { |
473 | struct dst_entry *dst; | |
474 | int rc = 0; | |
475 | ||
adf30907 | 476 | dst = skb_dst(skb); |
d28d1e08 TJ |
477 | |
478 | if (dst) { | |
479 | struct dst_entry *dst_test; | |
480 | ||
c80544dc | 481 | for (dst_test = dst; dst_test != NULL; |
d28d1e08 TJ |
482 | dst_test = dst_test->child) { |
483 | struct xfrm_state *x = dst_test->xfrm; | |
484 | ||
485 | if (x && selinux_authorizable_xfrm(x)) | |
4e5ab4cb | 486 | goto out; |
d28d1e08 TJ |
487 | } |
488 | } | |
489 | ||
67f83cbf VY |
490 | switch (proto) { |
491 | case IPPROTO_AH: | |
492 | case IPPROTO_ESP: | |
493 | case IPPROTO_COMP: | |
494 | /* | |
495 | * We should have already seen this packet once before | |
496 | * it underwent xfrm(s). No need to subject it to the | |
497 | * unlabeled check. | |
498 | */ | |
499 | goto out; | |
500 | default: | |
501 | break; | |
502 | } | |
503 | ||
504 | /* | |
505 | * This check even when there's no association involved is | |
506 | * intended, according to Trent Jaeger, to make sure a | |
507 | * process can't engage in non-ipsec communication unless | |
508 | * explicitly allowed by policy. | |
509 | */ | |
510 | ||
d28d1e08 | 511 | rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, |
e0d1caa7 | 512 | ASSOCIATION__SENDTO, ad); |
4e5ab4cb JM |
513 | out: |
514 | return rc; | |
d28d1e08 | 515 | } |