]>
Commit | Line | Data |
---|---|---|
d28d1e08 TJ |
1 | /* |
2 | * NSA Security-Enhanced Linux (SELinux) security module | |
3 | * | |
4 | * This file contains the SELinux XFRM hook function implementations. | |
5 | * | |
6 | * Authors: Serge Hallyn <sergeh@us.ibm.com> | |
7 | * Trent Jaeger <jaegert@us.ibm.com> | |
8 | * | |
e0d1caa7 VY |
9 | * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com> |
10 | * | |
11 | * Granular IPSec Associations for use in MLS environments. | |
12 | * | |
d28d1e08 | 13 | * Copyright (C) 2005 International Business Machines Corporation |
e0d1caa7 | 14 | * Copyright (C) 2006 Trusted Computer Solutions, Inc. |
d28d1e08 TJ |
15 | * |
16 | * This program is free software; you can redistribute it and/or modify | |
17 | * it under the terms of the GNU General Public License version 2, | |
18 | * as published by the Free Software Foundation. | |
19 | */ | |
20 | ||
21 | /* | |
22 | * USAGE: | |
23 | * NOTES: | |
24 | * 1. Make sure to enable the following options in your kernel config: | |
25 | * CONFIG_SECURITY=y | |
26 | * CONFIG_SECURITY_NETWORK=y | |
27 | * CONFIG_SECURITY_NETWORK_XFRM=y | |
28 | * CONFIG_SECURITY_SELINUX=m/y | |
29 | * ISSUES: | |
30 | * 1. Caching packets, so they are not dropped during negotiation | |
31 | * 2. Emulating a reasonable SO_PEERSEC across machines | |
32 | * 3. Testing addition of sk_policy's with security context via setsockopt | |
33 | */ | |
d28d1e08 TJ |
34 | #include <linux/module.h> |
35 | #include <linux/kernel.h> | |
36 | #include <linux/init.h> | |
37 | #include <linux/security.h> | |
38 | #include <linux/types.h> | |
39 | #include <linux/netfilter.h> | |
40 | #include <linux/netfilter_ipv4.h> | |
41 | #include <linux/netfilter_ipv6.h> | |
42 | #include <linux/ip.h> | |
43 | #include <linux/tcp.h> | |
44 | #include <linux/skbuff.h> | |
45 | #include <linux/xfrm.h> | |
46 | #include <net/xfrm.h> | |
47 | #include <net/checksum.h> | |
48 | #include <net/udp.h> | |
49 | #include <asm/semaphore.h> | |
50 | ||
51 | #include "avc.h" | |
52 | #include "objsec.h" | |
53 | #include "xfrm.h" | |
54 | ||
55 | ||
56 | /* | |
57 | * Returns true if an LSM/SELinux context | |
58 | */ | |
59 | static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) | |
60 | { | |
61 | return (ctx && | |
62 | (ctx->ctx_doi == XFRM_SC_DOI_LSM) && | |
63 | (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); | |
64 | } | |
65 | ||
66 | /* | |
67 | * Returns true if the xfrm contains a security blob for SELinux | |
68 | */ | |
69 | static inline int selinux_authorizable_xfrm(struct xfrm_state *x) | |
70 | { | |
71 | return selinux_authorizable_ctx(x->security); | |
72 | } | |
73 | ||
74 | /* | |
e0d1caa7 VY |
75 | * LSM hook implementation that authorizes that a flow can use |
76 | * a xfrm policy rule. | |
d28d1e08 | 77 | */ |
e0d1caa7 | 78 | int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) |
d28d1e08 TJ |
79 | { |
80 | int rc = 0; | |
81 | u32 sel_sid = SECINITSID_UNLABELED; | |
82 | struct xfrm_sec_ctx *ctx; | |
83 | ||
84 | /* Context sid is either set to label or ANY_ASSOC */ | |
85 | if ((ctx = xp->security)) { | |
86 | if (!selinux_authorizable_ctx(ctx)) | |
87 | return -EINVAL; | |
88 | ||
89 | sel_sid = ctx->ctx_sid; | |
90 | } | |
91 | ||
e0d1caa7 VY |
92 | rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, |
93 | ASSOCIATION__POLMATCH, | |
d28d1e08 TJ |
94 | NULL); |
95 | ||
96 | return rc; | |
97 | } | |
98 | ||
e0d1caa7 VY |
99 | /* |
100 | * LSM hook implementation that authorizes that a state matches | |
101 | * the given policy, flow combo. | |
102 | */ | |
103 | ||
104 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, | |
105 | struct flowi *fl) | |
106 | { | |
107 | u32 state_sid; | |
108 | u32 pol_sid; | |
109 | int err; | |
110 | ||
111 | if (x->security) | |
112 | state_sid = x->security->ctx_sid; | |
113 | else | |
114 | state_sid = SECINITSID_UNLABELED; | |
115 | ||
116 | if (xp->security) | |
117 | pol_sid = xp->security->ctx_sid; | |
118 | else | |
119 | pol_sid = SECINITSID_UNLABELED; | |
120 | ||
121 | err = avc_has_perm(state_sid, pol_sid, SECCLASS_ASSOCIATION, | |
122 | ASSOCIATION__POLMATCH, | |
123 | NULL); | |
124 | ||
125 | if (err) | |
126 | return 0; | |
127 | ||
128 | return selinux_xfrm_flow_state_match(fl, x); | |
129 | } | |
130 | ||
131 | /* | |
132 | * LSM hook implementation that authorizes that a particular outgoing flow | |
133 | * can use a given security association. | |
134 | */ | |
135 | ||
136 | int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm) | |
137 | { | |
138 | int rc = 0; | |
139 | u32 sel_sid = SECINITSID_UNLABELED; | |
140 | struct xfrm_sec_ctx *ctx; | |
141 | ||
142 | /* Context sid is either set to label or ANY_ASSOC */ | |
143 | if ((ctx = xfrm->security)) { | |
144 | if (!selinux_authorizable_ctx(ctx)) | |
145 | return 0; | |
146 | ||
147 | sel_sid = ctx->ctx_sid; | |
148 | } | |
149 | ||
150 | rc = avc_has_perm(fl->secid, sel_sid, SECCLASS_ASSOCIATION, | |
151 | ASSOCIATION__SENDTO, | |
152 | NULL)? 0:1; | |
153 | ||
154 | return rc; | |
155 | } | |
156 | ||
157 | /* | |
158 | * LSM hook implementation that determines the sid for the session. | |
159 | */ | |
160 | ||
beb8d13b | 161 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) |
e0d1caa7 VY |
162 | { |
163 | struct sec_path *sp; | |
164 | ||
beb8d13b | 165 | *sid = SECSID_NULL; |
e0d1caa7 VY |
166 | |
167 | if (skb == NULL) | |
168 | return 0; | |
169 | ||
170 | sp = skb->sp; | |
171 | if (sp) { | |
172 | int i, sid_set = 0; | |
173 | ||
174 | for (i = sp->len-1; i >= 0; i--) { | |
175 | struct xfrm_state *x = sp->xvec[i]; | |
176 | if (selinux_authorizable_xfrm(x)) { | |
177 | struct xfrm_sec_ctx *ctx = x->security; | |
178 | ||
179 | if (!sid_set) { | |
beb8d13b | 180 | *sid = ctx->ctx_sid; |
e0d1caa7 | 181 | sid_set = 1; |
beb8d13b VY |
182 | |
183 | if (!ckall) | |
184 | break; | |
e0d1caa7 | 185 | } |
beb8d13b | 186 | else if (*sid != ctx->ctx_sid) |
e0d1caa7 VY |
187 | return -EINVAL; |
188 | } | |
189 | } | |
190 | } | |
191 | ||
192 | return 0; | |
193 | } | |
194 | ||
d28d1e08 TJ |
195 | /* |
196 | * Security blob allocation for xfrm_policy and xfrm_state | |
197 | * CTX does not have a meaningful value on input | |
198 | */ | |
e0d1caa7 VY |
199 | static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, |
200 | struct xfrm_user_sec_ctx *uctx, struct xfrm_sec_ctx *pol, u32 sid) | |
d28d1e08 TJ |
201 | { |
202 | int rc = 0; | |
203 | struct task_security_struct *tsec = current->security; | |
e0d1caa7 VY |
204 | struct xfrm_sec_ctx *ctx = NULL; |
205 | char *ctx_str = NULL; | |
206 | u32 str_len; | |
207 | u32 ctx_sid; | |
208 | ||
209 | BUG_ON(uctx && pol); | |
210 | ||
cb969f07 VY |
211 | if (!uctx) |
212 | goto not_from_user; | |
e0d1caa7 VY |
213 | |
214 | if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX) | |
215 | return -EINVAL; | |
d28d1e08 TJ |
216 | |
217 | if (uctx->ctx_len >= PAGE_SIZE) | |
218 | return -ENOMEM; | |
219 | ||
220 | *ctxp = ctx = kmalloc(sizeof(*ctx) + | |
221 | uctx->ctx_len, | |
222 | GFP_KERNEL); | |
223 | ||
224 | if (!ctx) | |
225 | return -ENOMEM; | |
226 | ||
227 | ctx->ctx_doi = uctx->ctx_doi; | |
228 | ctx->ctx_len = uctx->ctx_len; | |
229 | ctx->ctx_alg = uctx->ctx_alg; | |
230 | ||
231 | memcpy(ctx->ctx_str, | |
232 | uctx+1, | |
233 | ctx->ctx_len); | |
234 | rc = security_context_to_sid(ctx->ctx_str, | |
235 | ctx->ctx_len, | |
236 | &ctx->ctx_sid); | |
237 | ||
238 | if (rc) | |
239 | goto out; | |
240 | ||
241 | /* | |
c8c05a8e | 242 | * Does the subject have permission to set security context? |
d28d1e08 | 243 | */ |
d28d1e08 TJ |
244 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
245 | SECCLASS_ASSOCIATION, | |
5f8ac64b | 246 | ASSOCIATION__SETCONTEXT, NULL); |
d28d1e08 TJ |
247 | if (rc) |
248 | goto out; | |
249 | ||
250 | return rc; | |
251 | ||
cb969f07 VY |
252 | not_from_user: |
253 | if (pol) { | |
254 | rc = security_sid_mls_copy(pol->ctx_sid, sid, &ctx_sid); | |
255 | if (rc) | |
256 | goto out; | |
257 | } | |
258 | else | |
259 | ctx_sid = sid; | |
e0d1caa7 VY |
260 | |
261 | rc = security_sid_to_context(ctx_sid, &ctx_str, &str_len); | |
262 | if (rc) | |
263 | goto out; | |
264 | ||
265 | *ctxp = ctx = kmalloc(sizeof(*ctx) + | |
266 | str_len, | |
267 | GFP_ATOMIC); | |
268 | ||
269 | if (!ctx) { | |
270 | rc = -ENOMEM; | |
271 | goto out; | |
272 | } | |
273 | ||
e0d1caa7 VY |
274 | ctx->ctx_doi = XFRM_SC_DOI_LSM; |
275 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; | |
276 | ctx->ctx_sid = ctx_sid; | |
277 | ctx->ctx_len = str_len; | |
278 | memcpy(ctx->ctx_str, | |
279 | ctx_str, | |
280 | str_len); | |
281 | ||
282 | goto out2; | |
283 | ||
d28d1e08 | 284 | out: |
ee2e6841 | 285 | *ctxp = NULL; |
d28d1e08 | 286 | kfree(ctx); |
e0d1caa7 VY |
287 | out2: |
288 | kfree(ctx_str); | |
d28d1e08 TJ |
289 | return rc; |
290 | } | |
291 | ||
292 | /* | |
293 | * LSM hook implementation that allocs and transfers uctx spec to | |
294 | * xfrm_policy. | |
295 | */ | |
cb969f07 VY |
296 | int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, |
297 | struct xfrm_user_sec_ctx *uctx, struct sock *sk) | |
d28d1e08 TJ |
298 | { |
299 | int err; | |
cb969f07 | 300 | u32 sid; |
d28d1e08 TJ |
301 | |
302 | BUG_ON(!xp); | |
cb969f07 VY |
303 | BUG_ON(uctx && sk); |
304 | ||
305 | if (sk) { | |
306 | struct sk_security_struct *ssec = sk->sk_security; | |
307 | sid = ssec->sid; | |
308 | } | |
309 | else | |
310 | sid = SECSID_NULL; | |
d28d1e08 | 311 | |
cb969f07 | 312 | err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, NULL, sid); |
d28d1e08 TJ |
313 | return err; |
314 | } | |
315 | ||
316 | ||
317 | /* | |
318 | * LSM hook implementation that copies security data structure from old to | |
319 | * new for policy cloning. | |
320 | */ | |
321 | int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) | |
322 | { | |
323 | struct xfrm_sec_ctx *old_ctx, *new_ctx; | |
324 | ||
325 | old_ctx = old->security; | |
326 | ||
327 | if (old_ctx) { | |
328 | new_ctx = new->security = kmalloc(sizeof(*new_ctx) + | |
329 | old_ctx->ctx_len, | |
330 | GFP_KERNEL); | |
331 | ||
332 | if (!new_ctx) | |
333 | return -ENOMEM; | |
334 | ||
335 | memcpy(new_ctx, old_ctx, sizeof(*new_ctx)); | |
336 | memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len); | |
337 | } | |
338 | return 0; | |
339 | } | |
340 | ||
341 | /* | |
342 | * LSM hook implementation that frees xfrm_policy security information. | |
343 | */ | |
344 | void selinux_xfrm_policy_free(struct xfrm_policy *xp) | |
345 | { | |
346 | struct xfrm_sec_ctx *ctx = xp->security; | |
347 | if (ctx) | |
348 | kfree(ctx); | |
349 | } | |
350 | ||
c8c05a8e CZ |
351 | /* |
352 | * LSM hook implementation that authorizes deletion of labeled policies. | |
353 | */ | |
354 | int selinux_xfrm_policy_delete(struct xfrm_policy *xp) | |
355 | { | |
356 | struct task_security_struct *tsec = current->security; | |
357 | struct xfrm_sec_ctx *ctx = xp->security; | |
358 | int rc = 0; | |
359 | ||
360 | if (ctx) | |
361 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, | |
362 | SECCLASS_ASSOCIATION, | |
363 | ASSOCIATION__SETCONTEXT, NULL); | |
364 | ||
365 | return rc; | |
366 | } | |
367 | ||
d28d1e08 TJ |
368 | /* |
369 | * LSM hook implementation that allocs and transfers sec_ctx spec to | |
370 | * xfrm_state. | |
371 | */ | |
e0d1caa7 VY |
372 | int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, |
373 | struct xfrm_sec_ctx *pol, u32 secid) | |
d28d1e08 TJ |
374 | { |
375 | int err; | |
376 | ||
377 | BUG_ON(!x); | |
378 | ||
e0d1caa7 | 379 | err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, pol, secid); |
d28d1e08 TJ |
380 | return err; |
381 | } | |
382 | ||
383 | /* | |
384 | * LSM hook implementation that frees xfrm_state security information. | |
385 | */ | |
386 | void selinux_xfrm_state_free(struct xfrm_state *x) | |
387 | { | |
388 | struct xfrm_sec_ctx *ctx = x->security; | |
389 | if (ctx) | |
390 | kfree(ctx); | |
391 | } | |
392 | ||
2c7946a7 CZ |
393 | /* |
394 | * SELinux internal function to retrieve the context of a connected | |
395 | * (sk->sk_state == TCP_ESTABLISHED) TCP socket based on its security | |
396 | * association used to connect to the remote socket. | |
397 | * | |
398 | * Retrieve via getsockopt SO_PEERSEC. | |
399 | */ | |
400 | u32 selinux_socket_getpeer_stream(struct sock *sk) | |
401 | { | |
402 | struct dst_entry *dst, *dst_test; | |
403 | u32 peer_sid = SECSID_NULL; | |
404 | ||
405 | if (sk->sk_state != TCP_ESTABLISHED) | |
406 | goto out; | |
407 | ||
408 | dst = sk_dst_get(sk); | |
409 | if (!dst) | |
410 | goto out; | |
411 | ||
412 | for (dst_test = dst; dst_test != 0; | |
413 | dst_test = dst_test->child) { | |
414 | struct xfrm_state *x = dst_test->xfrm; | |
415 | ||
416 | if (x && selinux_authorizable_xfrm(x)) { | |
417 | struct xfrm_sec_ctx *ctx = x->security; | |
418 | peer_sid = ctx->ctx_sid; | |
419 | break; | |
420 | } | |
421 | } | |
422 | dst_release(dst); | |
423 | ||
424 | out: | |
425 | return peer_sid; | |
426 | } | |
427 | ||
428 | /* | |
429 | * SELinux internal function to retrieve the context of a UDP packet | |
430 | * based on its security association used to connect to the remote socket. | |
431 | * | |
432 | * Retrieve via setsockopt IP_PASSSEC and recvmsg with control message | |
433 | * type SCM_SECURITY. | |
434 | */ | |
435 | u32 selinux_socket_getpeer_dgram(struct sk_buff *skb) | |
436 | { | |
437 | struct sec_path *sp; | |
438 | ||
439 | if (skb == NULL) | |
440 | return SECSID_NULL; | |
441 | ||
442 | if (skb->sk->sk_protocol != IPPROTO_UDP) | |
443 | return SECSID_NULL; | |
444 | ||
445 | sp = skb->sp; | |
446 | if (sp) { | |
447 | int i; | |
448 | ||
449 | for (i = sp->len-1; i >= 0; i--) { | |
67644726 | 450 | struct xfrm_state *x = sp->xvec[i]; |
2c7946a7 CZ |
451 | if (selinux_authorizable_xfrm(x)) { |
452 | struct xfrm_sec_ctx *ctx = x->security; | |
453 | return ctx->ctx_sid; | |
454 | } | |
455 | } | |
456 | } | |
457 | ||
458 | return SECSID_NULL; | |
459 | } | |
460 | ||
c8c05a8e CZ |
461 | /* |
462 | * LSM hook implementation that authorizes deletion of labeled SAs. | |
463 | */ | |
464 | int selinux_xfrm_state_delete(struct xfrm_state *x) | |
465 | { | |
466 | struct task_security_struct *tsec = current->security; | |
467 | struct xfrm_sec_ctx *ctx = x->security; | |
468 | int rc = 0; | |
469 | ||
470 | if (ctx) | |
471 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, | |
472 | SECCLASS_ASSOCIATION, | |
473 | ASSOCIATION__SETCONTEXT, NULL); | |
474 | ||
475 | return rc; | |
476 | } | |
477 | ||
d28d1e08 TJ |
478 | /* |
479 | * LSM hook that controls access to unlabelled packets. If | |
480 | * a xfrm_state is authorizable (defined by macro) then it was | |
481 | * already authorized by the IPSec process. If not, then | |
482 | * we need to check for unlabelled access since this may not have | |
483 | * gone thru the IPSec process. | |
484 | */ | |
e0d1caa7 VY |
485 | int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, |
486 | struct avc_audit_data *ad) | |
d28d1e08 TJ |
487 | { |
488 | int i, rc = 0; | |
489 | struct sec_path *sp; | |
e0d1caa7 | 490 | u32 sel_sid = SECINITSID_UNLABELED; |
d28d1e08 TJ |
491 | |
492 | sp = skb->sp; | |
493 | ||
494 | if (sp) { | |
d28d1e08 | 495 | for (i = 0; i < sp->len; i++) { |
67644726 | 496 | struct xfrm_state *x = sp->xvec[i]; |
d28d1e08 | 497 | |
e0d1caa7 VY |
498 | if (x && selinux_authorizable_xfrm(x)) { |
499 | struct xfrm_sec_ctx *ctx = x->security; | |
500 | sel_sid = ctx->ctx_sid; | |
501 | break; | |
502 | } | |
d28d1e08 TJ |
503 | } |
504 | } | |
505 | ||
e0d1caa7 VY |
506 | rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION, |
507 | ASSOCIATION__RECVFROM, ad); | |
d28d1e08 | 508 | |
d28d1e08 TJ |
509 | return rc; |
510 | } | |
511 | ||
512 | /* | |
513 | * POSTROUTE_LAST hook's XFRM processing: | |
514 | * If we have no security association, then we need to determine | |
515 | * whether the socket is allowed to send to an unlabelled destination. | |
516 | * If we do have a authorizable security association, then it has already been | |
517 | * checked in xfrm_policy_lookup hook. | |
518 | */ | |
e0d1caa7 VY |
519 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, |
520 | struct avc_audit_data *ad) | |
d28d1e08 TJ |
521 | { |
522 | struct dst_entry *dst; | |
523 | int rc = 0; | |
524 | ||
525 | dst = skb->dst; | |
526 | ||
527 | if (dst) { | |
528 | struct dst_entry *dst_test; | |
529 | ||
530 | for (dst_test = dst; dst_test != 0; | |
531 | dst_test = dst_test->child) { | |
532 | struct xfrm_state *x = dst_test->xfrm; | |
533 | ||
534 | if (x && selinux_authorizable_xfrm(x)) | |
4e5ab4cb | 535 | goto out; |
d28d1e08 TJ |
536 | } |
537 | } | |
538 | ||
539 | rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, | |
e0d1caa7 | 540 | ASSOCIATION__SENDTO, ad); |
4e5ab4cb JM |
541 | out: |
542 | return rc; | |
d28d1e08 | 543 | } |