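--- a/xfrm.c	(c6380ecd8e9bee7aba3d9a5a94b58168244c4a61)
+++ b/xfrm.c	(6b6bc6205d98796361962ee282a063f18ba8dc57)
@@ -1,8 +1,8 @@
 /*
  * NSA Security-Enhanced Linux (SELinux) security module
  *
  * This file contains the SELinux XFRM hook function implementations.
  *
  * Authors: Serge Hallyn <sergeh@us.ibm.com>
  * Trent Jaeger <jaegert@us.ibm.com>
  *
@@ -96,21 +96,23 @@
  if (!ctx)
  return -ENOMEM;
 
  ctx->ctx_doi = XFRM_SC_DOI_LSM;
  ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
  ctx->ctx_len = str_len;
  memcpy(ctx->ctx_str, &uctx[1], str_len);
  ctx->ctx_str[str_len] = '\0';
- rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid, gfp);
+ rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len,
+ &ctx->ctx_sid, gfp);
  if (rc)
  goto err;
 
- rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
+ rc = avc_has_perm(&selinux_state,
+ tsec->sid, ctx->ctx_sid,
  SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
  if (rc)
  goto err;
 
  *ctxp = ctx;
  atomic_inc(&selinux_xfrm_refcount);
  return 0;
 
@@ -136,17 +138,18 @@
  */
 static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
 {
  const struct task_security_struct *tsec = current_security();
 
  if (!ctx)
  return 0;
 
- return avc_has_perm(tsec->sid, ctx->ctx_sid,
+ return avc_has_perm(&selinux_state,
+ tsec->sid, ctx->ctx_sid,
  SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
  NULL);
 }
 
 /*
  * LSM hook implementation that authorizes that a flow can use a xfrm policy
  * rule.
  */
@@ -158,17 +161,18 @@
  * "non-labeled" policy. This would prevent inadvertent "leaks". */
  if (!ctx)
  return 0;
 
  /* Context sid is either set to label or ANY_ASSOC */
  if (!selinux_authorizable_ctx(ctx))
  return -EINVAL;
 
- rc = avc_has_perm(fl_secid, ctx->ctx_sid,
+ rc = avc_has_perm(&selinux_state,
+ fl_secid, ctx->ctx_sid,
  SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
  return (rc == -EACCES ? -ESRCH : rc);
 }
 
 /*
  * LSM hook implementation that authorizes that a state matches
  * the given policy, flow combo.
  */
@@ -197,17 +201,18 @@
  state_sid = x->security->ctx_sid;
 
  if (fl->flowi_secid != state_sid)
  return 0;
 
  /* We don't need a separate SA Vs. policy polmatch check since the SA
  * is now of the same label as the flow and a flow Vs. policy polmatch
  * check had already happened in selinux_xfrm_policy_lookup() above. */
- return (avc_has_perm(fl->flowi_secid, state_sid,
+ return (avc_has_perm(&selinux_state,
+ fl->flowi_secid, state_sid,
  SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
  NULL) ? 0 : 1);
 }
 
 static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb)
 {
  struct dst_entry *dst = skb_dst(skb);
  struct xfrm_state *x;
@@ -347,17 +352,18 @@
  int str_len;
 
  if (!polsec)
  return 0;
 
  if (secid == 0)
  return -EINVAL;
 
- rc = security_sid_to_context(secid, &ctx_str, &str_len);
+ rc = security_sid_to_context(&selinux_state, secid, &ctx_str,
+ &str_len);
  if (rc)
  return rc;
 
  ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC);
  if (!ctx) {
  rc = -ENOMEM;
  goto out;
  }
@@ -415,17 +421,18 @@
  break;
  }
  }
  }
 
  /* This check even when there's no association involved is intended,
  * according to Trent Jaeger, to make sure a process can't engage in
  * non-IPsec communication unless explicitly allowed by policy. */
- return avc_has_perm(sk_sid, peer_sid,
+ return avc_has_perm(&selinux_state,
+ sk_sid, peer_sid,
  SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
 }
 
 /*
  * POSTROUTE_LAST hook's XFRM processing:
  * If we have no security association, then we need to determine
  * whether the socket is allowed to send to an unlabelled destination.
  * If we do have a authorizable security association, then it has already been
@@ -458,11 +465,11 @@
  if (x && selinux_authorizable_xfrm(x))
  return 0;
  }
  }
 
  /* This check even when there's no association involved is intended,
  * according to Trent Jaeger, to make sure a process can't engage in
  * non-IPsec communication unless explicitly allowed by policy. */
- return avc_has_perm(sk_sid, SECINITSID_UNLABELED,
+ return avc_has_perm(&selinux_state, sk_sid, SECINITSID_UNLABELED,
  SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
 }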
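Review bot: In the hunk around new lines 352-369, `str_len` is declared `int`, yet its address is passed to `security_sid_to_context()` as the length out-parameter and the value then sizes the allocation in `kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC)`. If that out-parameter is an unsigned length (it appears to be `u32 *` in the SELinux services API, which should be confirmed against the prototype), the local should match it: `u32 str_len;`. That keeps the pointer types in agreement and means the allocation size is never derived from a signed value. The enclosing function begins and ends in lines hidden from this view, so later uses of `str_len` there need the same check. As a documentation point, every call site now hard-codes `&selinux_state`, and a one-line comment near the top of the file, such as `/* All XFRM hooks evaluate against the single global selinux_state. */`, would make that assumption explicit for later readers.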