[mirror_ubuntu-jammy-kernel.git] / security / selinux / xfrm.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 *  NSA Security-Enhanced Linux (SELinux) security module
 *
 *  This file contains the SELinux XFRM hook function implementations.
 *
 *  Authors:  Serge Hallyn <sergeh@us.ibm.com>
 *	      Trent Jaeger <jaegert@us.ibm.com>
 *
 *  Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
 *
 *           Granular IPSec Associations for use in MLS environments.
 *
 *  Copyright (C) 2005 International Business Machines Corporation
 *  Copyright (C) 2006 Trusted Computer Solutions, Inc.
 */

/*
 * USAGE:
 * NOTES:
 *   1. Make sure to enable the following options in your kernel config:
 *	CONFIG_SECURITY=y
 *	CONFIG_SECURITY_NETWORK=y
 *	CONFIG_SECURITY_NETWORK_XFRM=y
 *	CONFIG_SECURITY_SELINUX=m/y
 * ISSUES:
 *   1. Caching packets, so they are not dropped during negotiation
 *   2. Emulating a reasonable SO_PEERSEC across machines
 *   3. Testing addition of sk_policy's with security context via setsockopt
 */
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/security.h>
#include <linux/types.h>
#include <linux/slab.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/skbuff.h>
#include <linux/xfrm.h>
#include <net/xfrm.h>
#include <net/checksum.h>
#include <net/udp.h>
#include <linux/atomic.h>

#include "avc.h"
#include "objsec.h"
#include "xfrm.h"

/* Labeled XFRM instance counter */
atomic_t selinux_xfrm_refcount __read_mostly = ATOMIC_INIT(0);

/*
 * Returns true if the context is an LSM/SELinux context.
 */
static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
{
	return (ctx &&
		(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
		(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
}

/*
 * Returns true if the xfrm contains a security blob for SELinux.
 */
static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
{
	return selinux_authorizable_ctx(x->security);
}

/*
 * Allocates a xfrm_sec_state and populates it using the supplied security
 * xfrm_user_sec_ctx context.
 */
static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
				   struct xfrm_user_sec_ctx *uctx,
				   gfp_t gfp)
{
	int rc;
	const struct task_security_struct *tsec = selinux_cred(current_cred());
	struct xfrm_sec_ctx *ctx = NULL;
	u32 str_len;

	if (ctxp == NULL || uctx == NULL ||
	    uctx->ctx_doi != XFRM_SC_DOI_LSM ||
	    uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
		return -EINVAL;

	str_len = uctx->ctx_len;
	if (str_len >= PAGE_SIZE)
		return -ENOMEM;

	ctx = kmalloc(sizeof(*ctx) + str_len + 1, gfp);
	if (!ctx)
		return -ENOMEM;

	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	ctx->ctx_len = str_len;
	memcpy(ctx->ctx_str, &uctx[1], str_len);
	ctx->ctx_str[str_len] = '\0';
	rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len,
				     &ctx->ctx_sid, gfp);
	if (rc)
		goto err;

	rc = avc_has_perm(&selinux_state,
			  tsec->sid, ctx->ctx_sid,
			  SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
	if (rc)
		goto err;

	*ctxp = ctx;
	atomic_inc(&selinux_xfrm_refcount);
	return 0;

err:
	kfree(ctx);
	return rc;
}

/*
 * Free the xfrm_sec_ctx structure.
 */
static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
{
	if (!ctx)
		return;

	atomic_dec(&selinux_xfrm_refcount);
	kfree(ctx);
}

/*
 * Authorize the deletion of a labeled SA or policy rule.
 */
static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());

	if (!ctx)
		return 0;

	return avc_has_perm(&selinux_state,
			    tsec->sid, ctx->ctx_sid,
			    SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
			    NULL);
}

/*
 * LSM hook implementation that authorizes that a flow can use a xfrm policy
 * rule.
 */
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
{
	int rc;

	/* All flows should be treated as polmatch'ing an otherwise applicable
	 * "non-labeled" policy. This would prevent inadvertent "leaks". */
	if (!ctx)
		return 0;

	/* Context sid is either set to label or ANY_ASSOC */
	if (!selinux_authorizable_ctx(ctx))
		return -EINVAL;

	rc = avc_has_perm(&selinux_state,
			  fl_secid, ctx->ctx_sid,
			  SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
	return (rc == -EACCES ? -ESRCH : rc);
}

/*
 * LSM hook implementation that authorizes that a state matches
 * the given policy, flow combo.
 */
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
				      struct xfrm_policy *xp,
				      const struct flowi_common *flic)
{
	u32 state_sid;
	u32 flic_sid;

	if (!xp->security)
		if (x->security)
			/* unlabeled policy and labeled SA can't match */
			return 0;
		else
			/* unlabeled policy and unlabeled SA match all flows */
			return 1;
	else
		if (!x->security)
			/* unlabeled SA and labeled policy can't match */
			return 0;
		else
			if (!selinux_authorizable_xfrm(x))
				/* Not a SELinux-labeled SA */
				return 0;

	state_sid = x->security->ctx_sid;
	flic_sid = flic->flowic_secid;

	if (flic_sid != state_sid)
		return 0;

	/* We don't need a separate SA Vs. policy polmatch check since the SA
	 * is now of the same label as the flow and a flow Vs. policy polmatch
	 * check had already happened in selinux_xfrm_policy_lookup() above. */
	return (avc_has_perm(&selinux_state, flic_sid, state_sid,
			     SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
			     NULL) ? 0 : 1);
}

static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb)
{
	struct dst_entry *dst = skb_dst(skb);
	struct xfrm_state *x;

	if (dst == NULL)
		return SECSID_NULL;
	x = dst->xfrm;
	if (x == NULL || !selinux_authorizable_xfrm(x))
		return SECSID_NULL;

	return x->security->ctx_sid;
}

static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb,
					u32 *sid, int ckall)
{
	u32 sid_session = SECSID_NULL;
	struct sec_path *sp = skb_sec_path(skb);

	if (sp) {
		int i;

		for (i = sp->len - 1; i >= 0; i--) {
			struct xfrm_state *x = sp->xvec[i];
			if (selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;

				if (sid_session == SECSID_NULL) {
					sid_session = ctx->ctx_sid;
					if (!ckall)
						goto out;
				} else if (sid_session != ctx->ctx_sid) {
					*sid = SECSID_NULL;
					return -EINVAL;
				}
			}
		}
	}

out:
	*sid = sid_session;
	return 0;
}

/*
 * LSM hook implementation that checks and/or returns the xfrm sid for the
 * incoming packet.
 */
int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
{
	if (skb == NULL) {
		*sid = SECSID_NULL;
		return 0;
	}
	return selinux_xfrm_skb_sid_ingress(skb, sid, ckall);
}

int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
{
	int rc;

	rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0);
	if (rc == 0 && *sid == SECSID_NULL)
		*sid = selinux_xfrm_skb_sid_egress(skb);

	return rc;
}

/*
 * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.
 */
int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
			      struct xfrm_user_sec_ctx *uctx,
			      gfp_t gfp)
{
	return selinux_xfrm_alloc_user(ctxp, uctx, gfp);
}

/*
 * LSM hook implementation that copies security data structure from old to new
 * for policy cloning.
 */
int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
			      struct xfrm_sec_ctx **new_ctxp)
{
	struct xfrm_sec_ctx *new_ctx;

	if (!old_ctx)
		return 0;

	new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len,
			  GFP_ATOMIC);
	if (!new_ctx)
		return -ENOMEM;
	atomic_inc(&selinux_xfrm_refcount);
	*new_ctxp = new_ctx;

	return 0;
}

/*
 * LSM hook implementation that frees xfrm_sec_ctx security information.
 */
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
	selinux_xfrm_free(ctx);
}

/*
 * LSM hook implementation that authorizes deletion of labeled policies.
 */
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
	return selinux_xfrm_delete(ctx);
}

/*
 * LSM hook implementation that allocates a xfrm_sec_state, populates it using
 * the supplied security context, and assigns it to the xfrm_state.
 */
int selinux_xfrm_state_alloc(struct xfrm_state *x,
			     struct xfrm_user_sec_ctx *uctx)
{
	return selinux_xfrm_alloc_user(&x->security, uctx, GFP_KERNEL);
}

/*
 * LSM hook implementation that allocates a xfrm_sec_state and populates based
 * on a secid.
 */
int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
				     struct xfrm_sec_ctx *polsec, u32 secid)
{
	int rc;
	struct xfrm_sec_ctx *ctx;
	char *ctx_str = NULL;
	int str_len;

	if (!polsec)
		return 0;

	if (secid == 0)
		return -EINVAL;

	rc = security_sid_to_context(&selinux_state, secid, &ctx_str,
				     &str_len);
	if (rc)
		return rc;

	ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC);
	if (!ctx) {
		rc = -ENOMEM;
		goto out;
	}

	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	ctx->ctx_sid = secid;
	ctx->ctx_len = str_len;
	memcpy(ctx->ctx_str, ctx_str, str_len);

	x->security = ctx;
	atomic_inc(&selinux_xfrm_refcount);
out:
	kfree(ctx_str);
	return rc;
}

/*
 * LSM hook implementation that frees xfrm_state security information.
 */
void selinux_xfrm_state_free(struct xfrm_state *x)
{
	selinux_xfrm_free(x->security);
}

/*
 * LSM hook implementation that authorizes deletion of labeled SAs.
 */
int selinux_xfrm_state_delete(struct xfrm_state *x)
{
	return selinux_xfrm_delete(x->security);
}

/*
 * LSM hook that controls access to unlabelled packets.  If
 * a xfrm_state is authorizable (defined by macro) then it was
 * already authorized by the IPSec process.  If not, then
 * we need to check for unlabelled access since this may not have
 * gone thru the IPSec process.
 */
int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
			      struct common_audit_data *ad)
{
	int i;
	struct sec_path *sp = skb_sec_path(skb);
	u32 peer_sid = SECINITSID_UNLABELED;

	if (sp) {
		for (i = 0; i < sp->len; i++) {
			struct xfrm_state *x = sp->xvec[i];

			if (x && selinux_authorizable_xfrm(x)) {
				struct xfrm_sec_ctx *ctx = x->security;
				peer_sid = ctx->ctx_sid;
				break;
			}
		}
	}

	/* This check even when there's no association involved is intended,
	 * according to Trent Jaeger, to make sure a process can't engage in
	 * non-IPsec communication unless explicitly allowed by policy. */
	return avc_has_perm(&selinux_state,
			    sk_sid, peer_sid,
			    SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
}

/*
 * POSTROUTE_LAST hook's XFRM processing:
 * If we have no security association, then we need to determine
 * whether the socket is allowed to send to an unlabelled destination.
 * If we do have a authorizable security association, then it has already been
 * checked in the selinux_xfrm_state_pol_flow_match hook above.
 */
int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
				struct common_audit_data *ad, u8 proto)
{
	struct dst_entry *dst;

	switch (proto) {
	case IPPROTO_AH:
	case IPPROTO_ESP:
	case IPPROTO_COMP:
		/* We should have already seen this packet once before it
		 * underwent xfrm(s). No need to subject it to the unlabeled
		 * check. */
		return 0;
	default:
		break;
	}

	dst = skb_dst(skb);
	if (dst) {
		struct dst_entry *iter;

		for (iter = dst; iter != NULL; iter = xfrm_dst_child(iter)) {
			struct xfrm_state *x = iter->xfrm;

			if (x && selinux_authorizable_xfrm(x))
				return 0;
		}
	}

	/* This check even when there's no association involved is intended,
	 * according to Trent Jaeger, to make sure a process can't engage in
	 * non-IPsec communication unless explicitly allowed by policy. */
	return avc_has_perm(&selinux_state, sk_sid, SECINITSID_UNLABELED,
			    SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
}
Commit	Line	Data
d2912cb1	1	// SPDX-License-Identifier: GPL-2.0-only
d28d1e08 TJ	2	/*
	3	* NSA Security-Enhanced Linux (SELinux) security module
	4	*
	5	* This file contains the SELinux XFRM hook function implementations.
	6	*
	7	* Authors: Serge Hallyn <sergeh@us.ibm.com>
	8	* Trent Jaeger <jaegert@us.ibm.com>
	9	*
e0d1caa7 VY	10	* Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
	11	*
	12	* Granular IPSec Associations for use in MLS environments.
	13	*
d28d1e08	14	* Copyright (C) 2005 International Business Machines Corporation
e0d1caa7	15	* Copyright (C) 2006 Trusted Computer Solutions, Inc.
d28d1e08 TJ	16	*/
	17
	18	/*
	19	* USAGE:
	20	* NOTES:
	21	* 1. Make sure to enable the following options in your kernel config:
	22	* CONFIG_SECURITY=y
	23	* CONFIG_SECURITY_NETWORK=y
	24	* CONFIG_SECURITY_NETWORK_XFRM=y
	25	* CONFIG_SECURITY_SELINUX=m/y
	26	* ISSUES:
	27	* 1. Caching packets, so they are not dropped during negotiation
	28	* 2. Emulating a reasonable SO_PEERSEC across machines
	29	* 3. Testing addition of sk_policy's with security context via setsockopt
	30	*/
d28d1e08 TJ	31	#include <linux/kernel.h>
	32	#include <linux/init.h>
	33	#include <linux/security.h>
	34	#include <linux/types.h>
5a0e3ad6	35	#include <linux/slab.h>
d28d1e08 TJ	36	#include <linux/ip.h>
	37	#include <linux/tcp.h>
	38	#include <linux/skbuff.h>
	39	#include <linux/xfrm.h>
	40	#include <net/xfrm.h>
	41	#include <net/checksum.h>
	42	#include <net/udp.h>
60063497	43	#include <linux/atomic.h>
d28d1e08 TJ	44
	45	#include "avc.h"
	46	#include "objsec.h"
	47	#include "xfrm.h"
	48
d621d35e	49	/* Labeled XFRM instance counter */
e0de8a9a	50	atomic_t selinux_xfrm_refcount __read_mostly = ATOMIC_INIT(0);
d28d1e08 TJ	51
d28d1e08 TJ	52	/*
4baabeec	53	* Returns true if the context is an LSM/SELinux context.
d28d1e08 TJ	54	*/
	55	static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
	56	{
	57	return (ctx &&
	58	(ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
	59	(ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
	60	}
	61
	62	/*
4baabeec	63	* Returns true if the xfrm contains a security blob for SELinux.
d28d1e08 TJ	64	*/
	65	static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
	66	{
	67	return selinux_authorizable_ctx(x->security);
	68	}
	69
2e5aa866 PM	70	/*
	71	* Allocates a xfrm_sec_state and populates it using the supplied security
	72	* xfrm_user_sec_ctx context.
	73	*/
	74	static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
52a4c640 NA	75	struct xfrm_user_sec_ctx *uctx,
52a4c640 NA	76	gfp_t gfp)
2e5aa866 PM	77	{
2e5aa866 PM	78	int rc;
0c6cfa62	79	const struct task_security_struct *tsec = selinux_cred(current_cred());
2e5aa866 PM	80	struct xfrm_sec_ctx *ctx = NULL;
	81	u32 str_len;
	82
	83	if (ctxp == NULL \|\| uctx == NULL \|\|
	84	uctx->ctx_doi != XFRM_SC_DOI_LSM \|\|
	85	uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
	86	return -EINVAL;
	87
	88	str_len = uctx->ctx_len;
	89	if (str_len >= PAGE_SIZE)
	90	return -ENOMEM;
	91
52a4c640	92	ctx = kmalloc(sizeof(*ctx) + str_len + 1, gfp);
2e5aa866 PM	93	if (!ctx)
	94	return -ENOMEM;
	95
	96	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	97	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	98	ctx->ctx_len = str_len;
	99	memcpy(ctx->ctx_str, &uctx[1], str_len);
	100	ctx->ctx_str[str_len] = '\0';
aa8e712c SS	101	rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len,
aa8e712c SS	102	&ctx->ctx_sid, gfp);
2e5aa866 PM	103	if (rc)
	104	goto err;
	105
6b6bc620 SS	106	rc = avc_has_perm(&selinux_state,
6b6bc620 SS	107	tsec->sid, ctx->ctx_sid,
2e5aa866 PM	108	SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
	109	if (rc)
	110	goto err;
	111
	112	*ctxp = ctx;
	113	atomic_inc(&selinux_xfrm_refcount);
	114	return 0;
	115
	116	err:
	117	kfree(ctx);
	118	return rc;
	119	}
	120
ccf17cc4 PM	121	/*
	122	* Free the xfrm_sec_ctx structure.
	123	*/
	124	static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
	125	{
	126	if (!ctx)
	127	return;
	128
	129	atomic_dec(&selinux_xfrm_refcount);
	130	kfree(ctx);
	131	}
	132
	133	/*
	134	* Authorize the deletion of a labeled SA or policy rule.
	135	*/
	136	static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
	137	{
0c6cfa62	138	const struct task_security_struct *tsec = selinux_cred(current_cred());
ccf17cc4 PM	139
	140	if (!ctx)
	141	return 0;
	142
6b6bc620 SS	143	return avc_has_perm(&selinux_state,
6b6bc620 SS	144	tsec->sid, ctx->ctx_sid,
ccf17cc4 PM	145	SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
	146	NULL);
	147	}
	148
d28d1e08	149	/*
4baabeec PM	150	* LSM hook implementation that authorizes that a flow can use a xfrm policy
4baabeec PM	151	* rule.
d28d1e08	152	*/
8a922805	153	int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
d28d1e08	154	{
5b368e61	155	int rc;
d28d1e08	156
96484348 PM	157	/* All flows should be treated as polmatch'ing an otherwise applicable
	158	* "non-labeled" policy. This would prevent inadvertent "leaks". */
	159	if (!ctx)
5b368e61	160	return 0;
d28d1e08	161
96484348 PM	162	/* Context sid is either set to label or ANY_ASSOC */
	163	if (!selinux_authorizable_ctx(ctx))
	164	return -EINVAL;
5b368e61	165
6b6bc620 SS	166	rc = avc_has_perm(&selinux_state,
6b6bc620 SS	167	fl_secid, ctx->ctx_sid,
96484348 PM	168	SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
96484348 PM	169	return (rc == -EACCES ? -ESRCH : rc);
d28d1e08 TJ	170	}
d28d1e08 TJ	171
e0d1caa7 VY	172	/*
	173	* LSM hook implementation that authorizes that a state matches
	174	* the given policy, flow combo.
	175	*/
96484348 PM	176	int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
96484348 PM	177	struct xfrm_policy *xp,
3df98d79	178	const struct flowi_common *flic)
e0d1caa7 VY	179	{
e0d1caa7 VY	180	u32 state_sid;
3df98d79	181	u32 flic_sid;
e0d1caa7	182
67f83cbf	183	if (!xp->security)
5b368e61 VY	184	if (x->security)
	185	/* unlabeled policy and labeled SA can't match */
	186	return 0;
	187	else
	188	/* unlabeled policy and unlabeled SA match all flows */
	189	return 1;
5b368e61	190	else
67f83cbf VY	191	if (!x->security)
67f83cbf VY	192	/* unlabeled SA and labeled policy can't match */
5b368e61	193	return 0;
67f83cbf VY	194	else
	195	if (!selinux_authorizable_xfrm(x))
	196	/* Not a SELinux-labeled SA */
	197	return 0;
5b368e61	198
67f83cbf	199	state_sid = x->security->ctx_sid;
3df98d79	200	flic_sid = flic->flowic_secid;
e0d1caa7	201
3df98d79	202	if (flic_sid != state_sid)
67f83cbf	203	return 0;
e0d1caa7	204
96484348 PM	205	/* We don't need a separate SA Vs. policy polmatch check since the SA
	206	* is now of the same label as the flow and a flow Vs. policy polmatch
	207	* check had already happened in selinux_xfrm_policy_lookup() above. */
3df98d79 PM	208	return (avc_has_perm(&selinux_state, flic_sid, state_sid,
	209	SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
	210	NULL) ? 0 : 1);
e0d1caa7 VY	211	}
e0d1caa7 VY	212
817eff71	213	static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb)
e0d1caa7	214	{
817eff71 PM	215	struct dst_entry *dst = skb_dst(skb);
	216	struct xfrm_state *x;
	217
	218	if (dst == NULL)
	219	return SECSID_NULL;
	220	x = dst->xfrm;
	221	if (x == NULL \|\| !selinux_authorizable_xfrm(x))
	222	return SECSID_NULL;
e0d1caa7	223
817eff71 PM	224	return x->security->ctx_sid;
	225	}
	226
	227	static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb,
	228	u32 *sid, int ckall)
	229	{
	230	u32 sid_session = SECSID_NULL;
2294be0f	231	struct sec_path *sp = skb_sec_path(skb);
e0d1caa7	232
e0d1caa7	233	if (sp) {
e2193695	234	int i;
e0d1caa7	235
e2193695	236	for (i = sp->len - 1; i >= 0; i--) {
e0d1caa7 VY	237	struct xfrm_state *x = sp->xvec[i];
	238	if (selinux_authorizable_xfrm(x)) {
	239	struct xfrm_sec_ctx *ctx = x->security;
	240
e2193695 PM	241	if (sid_session == SECSID_NULL) {
e2193695 PM	242	sid_session = ctx->ctx_sid;
beb8d13b	243	if (!ckall)
e2193695 PM	244	goto out;
	245	} else if (sid_session != ctx->ctx_sid) {
	246	*sid = SECSID_NULL;
e0d1caa7	247	return -EINVAL;
e2193695	248	}
e0d1caa7 VY	249	}
	250	}
	251	}
	252
e2193695 PM	253	out:
e2193695 PM	254	*sid = sid_session;
e0d1caa7 VY	255	return 0;
	256	}
	257
817eff71 PM	258	/*
	259	* LSM hook implementation that checks and/or returns the xfrm sid for the
	260	* incoming packet.
	261	*/
	262	int selinux_xfrm_decode_session(struct sk_buff skb, u32 sid, int ckall)
	263	{
	264	if (skb == NULL) {
	265	*sid = SECSID_NULL;
	266	return 0;
	267	}
	268	return selinux_xfrm_skb_sid_ingress(skb, sid, ckall);
	269	}
	270
	271	int selinux_xfrm_skb_sid(struct sk_buff skb, u32 sid)
	272	{
	273	int rc;
	274
	275	rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0);
	276	if (rc == 0 && *sid == SECSID_NULL)
	277	*sid = selinux_xfrm_skb_sid_egress(skb);
	278
	279	return rc;
	280	}
	281
d28d1e08	282	/*
4baabeec	283	* LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.
d28d1e08	284	*/
03e1ad7b	285	int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
52a4c640 NA	286	struct xfrm_user_sec_ctx *uctx,
52a4c640 NA	287	gfp_t gfp)
d28d1e08	288	{
52a4c640	289	return selinux_xfrm_alloc_user(ctxp, uctx, gfp);
d28d1e08 TJ	290	}
d28d1e08 TJ	291
d28d1e08	292	/*
4baabeec PM	293	* LSM hook implementation that copies security data structure from old to new
4baabeec PM	294	* for policy cloning.
d28d1e08	295	*/
03e1ad7b PM	296	int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
03e1ad7b PM	297	struct xfrm_sec_ctx **new_ctxp)
d28d1e08	298	{
03e1ad7b	299	struct xfrm_sec_ctx *new_ctx;
d28d1e08	300
ccf17cc4 PM	301	if (!old_ctx)
	302	return 0;
	303
7d1db4b2 DJ	304	new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len,
7d1db4b2 DJ	305	GFP_ATOMIC);
ccf17cc4 PM	306	if (!new_ctx)
ccf17cc4 PM	307	return -ENOMEM;
ccf17cc4 PM	308	atomic_inc(&selinux_xfrm_refcount);
ccf17cc4 PM	309	*new_ctxp = new_ctx;
d28d1e08	310
d28d1e08 TJ	311	return 0;
	312	}
	313
	314	/*
03e1ad7b	315	* LSM hook implementation that frees xfrm_sec_ctx security information.
d28d1e08	316	*/
03e1ad7b	317	void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
d28d1e08	318	{
ccf17cc4	319	selinux_xfrm_free(ctx);
d28d1e08 TJ	320	}
d28d1e08 TJ	321
c8c05a8e CZ	322	/*
	323	* LSM hook implementation that authorizes deletion of labeled policies.
	324	*/
03e1ad7b	325	int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
c8c05a8e	326	{
ccf17cc4	327	return selinux_xfrm_delete(ctx);
c8c05a8e CZ	328	}
c8c05a8e CZ	329
d28d1e08	330	/*
2e5aa866 PM	331	* LSM hook implementation that allocates a xfrm_sec_state, populates it using
2e5aa866 PM	332	* the supplied security context, and assigns it to the xfrm_state.
d28d1e08	333	*/
2e5aa866 PM	334	int selinux_xfrm_state_alloc(struct xfrm_state *x,
2e5aa866 PM	335	struct xfrm_user_sec_ctx *uctx)
d28d1e08	336	{
52a4c640	337	return selinux_xfrm_alloc_user(&x->security, uctx, GFP_KERNEL);
2e5aa866	338	}
d28d1e08	339
2e5aa866 PM	340	/*
	341	* LSM hook implementation that allocates a xfrm_sec_state and populates based
	342	* on a secid.
	343	*/
	344	int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
	345	struct xfrm_sec_ctx *polsec, u32 secid)
	346	{
	347	int rc;
	348	struct xfrm_sec_ctx *ctx;
	349	char *ctx_str = NULL;
	350	int str_len;
d28d1e08	351
2e5aa866 PM	352	if (!polsec)
	353	return 0;
	354
	355	if (secid == 0)
	356	return -EINVAL;
	357
aa8e712c SS	358	rc = security_sid_to_context(&selinux_state, secid, &ctx_str,
aa8e712c SS	359	&str_len);
2e5aa866 PM	360	if (rc)
	361	return rc;
	362
	363	ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC);
0af90164 GB	364	if (!ctx) {
	365	rc = -ENOMEM;
	366	goto out;
	367	}
2e5aa866 PM	368
	369	ctx->ctx_doi = XFRM_SC_DOI_LSM;
	370	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
	371	ctx->ctx_sid = secid;
	372	ctx->ctx_len = str_len;
	373	memcpy(ctx->ctx_str, ctx_str, str_len);
2e5aa866 PM	374
	375	x->security = ctx;
	376	atomic_inc(&selinux_xfrm_refcount);
0af90164 GB	377	out:
	378	kfree(ctx_str);
	379	return rc;
d28d1e08 TJ	380	}
	381
	382	/*
	383	* LSM hook implementation that frees xfrm_state security information.
	384	*/
	385	void selinux_xfrm_state_free(struct xfrm_state *x)
	386	{
ccf17cc4	387	selinux_xfrm_free(x->security);
d28d1e08 TJ	388	}
d28d1e08 TJ	389
4baabeec PM	390	/*
	391	* LSM hook implementation that authorizes deletion of labeled SAs.
	392	*/
c8c05a8e CZ	393	int selinux_xfrm_state_delete(struct xfrm_state *x)
c8c05a8e CZ	394	{
ccf17cc4	395	return selinux_xfrm_delete(x->security);
c8c05a8e CZ	396	}
c8c05a8e CZ	397
d28d1e08 TJ	398	/*
	399	* LSM hook that controls access to unlabelled packets. If
	400	* a xfrm_state is authorizable (defined by macro) then it was
	401	* already authorized by the IPSec process. If not, then
	402	* we need to check for unlabelled access since this may not have
	403	* gone thru the IPSec process.
	404	*/
eef9b416 PM	405	int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
eef9b416 PM	406	struct common_audit_data *ad)
d28d1e08	407	{
eef9b416	408	int i;
2294be0f	409	struct sec_path *sp = skb_sec_path(skb);
eef9b416	410	u32 peer_sid = SECINITSID_UNLABELED;
d28d1e08 TJ	411
d28d1e08 TJ	412	if (sp) {
d28d1e08	413	for (i = 0; i < sp->len; i++) {
67644726	414	struct xfrm_state *x = sp->xvec[i];
d28d1e08	415
e0d1caa7 VY	416	if (x && selinux_authorizable_xfrm(x)) {
e0d1caa7 VY	417	struct xfrm_sec_ctx *ctx = x->security;
eef9b416	418	peer_sid = ctx->ctx_sid;
e0d1caa7 VY	419	break;
e0d1caa7 VY	420	}
d28d1e08 TJ	421	}
	422	}
	423
eef9b416 PM	424	/* This check even when there's no association involved is intended,
	425	* according to Trent Jaeger, to make sure a process can't engage in
	426	* non-IPsec communication unless explicitly allowed by policy. */
6b6bc620 SS	427	return avc_has_perm(&selinux_state,
6b6bc620 SS	428	sk_sid, peer_sid,
eef9b416	429	SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
d28d1e08 TJ	430	}
	431
	432	/*
	433	* POSTROUTE_LAST hook's XFRM processing:
	434	* If we have no security association, then we need to determine
	435	* whether the socket is allowed to send to an unlabelled destination.
	436	* If we do have a authorizable security association, then it has already been
67f83cbf	437	* checked in the selinux_xfrm_state_pol_flow_match hook above.
d28d1e08	438	*/
eef9b416 PM	439	int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
eef9b416 PM	440	struct common_audit_data *ad, u8 proto)
d28d1e08 TJ	441	{
d28d1e08 TJ	442	struct dst_entry *dst;
d28d1e08	443
67f83cbf VY	444	switch (proto) {
	445	case IPPROTO_AH:
	446	case IPPROTO_ESP:
	447	case IPPROTO_COMP:
eef9b416 PM	448	/* We should have already seen this packet once before it
	449	* underwent xfrm(s). No need to subject it to the unlabeled
	450	* check. */
	451	return 0;
67f83cbf VY	452	default:
	453	break;
	454	}
	455
eef9b416 PM	456	dst = skb_dst(skb);
	457	if (dst) {
	458	struct dst_entry *iter;
67f83cbf	459
b92cf4aa	460	for (iter = dst; iter != NULL; iter = xfrm_dst_child(iter)) {
eef9b416 PM	461	struct xfrm_state *x = iter->xfrm;
	462
	463	if (x && selinux_authorizable_xfrm(x))
	464	return 0;
	465	}
	466	}
	467
	468	/* This check even when there's no association involved is intended,
	469	* according to Trent Jaeger, to make sure a process can't engage in
	470	* non-IPsec communication unless explicitly allowed by policy. */
6b6bc620	471	return avc_has_perm(&selinux_state, sk_sid, SECINITSID_UNLABELED,
eef9b416	472	SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
d28d1e08	473	}