Linux/security/selinux/include/xfrm.h


Differences between /security/selinux/include/xfrm.h (Version linux-6.11.5) and /security/selinux/include/xfrm.h (Version linux-3.10.108)


  1 /* SPDX-License-Identifier: GPL-2.0 */         << 
  2 /*                                                  1 /*
  3  * SELinux support for the XFRM LSM hooks           2  * SELinux support for the XFRM LSM hooks
  4  *                                                  3  *
  5  * Author : Trent Jaeger, <jaegert@us.ibm.com>      4  * Author : Trent Jaeger, <jaegert@us.ibm.com>
  6  * Updated : Venkat Yekkirala, <vyekkirala@Tru      5  * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
  7  */                                                 6  */
  8                                                << 
  9 #ifndef _SELINUX_XFRM_H_                            7 #ifndef _SELINUX_XFRM_H_
 10 #define _SELINUX_XFRM_H_                            8 #define _SELINUX_XFRM_H_
 11                                                     9 
 12 #include <linux/lsm_audit.h>                   << 
 13 #include <net/flow.h>                              10 #include <net/flow.h>
 14 #include <net/xfrm.h>                          << 
 15                                                    11 
 16 int selinux_xfrm_policy_alloc(struct xfrm_sec_     12 int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
 17                               struct xfrm_user !!  13                               struct xfrm_user_sec_ctx *sec_ctx);
 18 int selinux_xfrm_policy_clone(struct xfrm_sec_     14 int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
 19                               struct xfrm_sec_     15                               struct xfrm_sec_ctx **new_ctxp);
 20 void selinux_xfrm_policy_free(struct xfrm_sec_     16 void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
 21 int selinux_xfrm_policy_delete(struct xfrm_sec     17 int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
 22 int selinux_xfrm_state_alloc(struct xfrm_state     18 int selinux_xfrm_state_alloc(struct xfrm_state *x,
 23                              struct xfrm_user_ !!  19         struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
 24 int selinux_xfrm_state_alloc_acquire(struct xf << 
 25                                      struct xf << 
 26 void selinux_xfrm_state_free(struct xfrm_state     20 void selinux_xfrm_state_free(struct xfrm_state *x);
 27 int selinux_xfrm_state_delete(struct xfrm_stat     21 int selinux_xfrm_state_delete(struct xfrm_state *x);
 28 int selinux_xfrm_policy_lookup(struct xfrm_sec !!  22 int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
 29 int selinux_xfrm_state_pol_flow_match(struct x     23 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
 30                                       struct x !!  24                         struct xfrm_policy *xp, const struct flowi *fl);
 31                                       const st !!  25 
                                                   >>  26 /*
                                                   >>  27  * Extract the security blob from the sock (it's actually on the socket)
                                                   >>  28  */
                                                   >>  29 static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
                                                   >>  30 {
                                                   >>  31         if (!sk->sk_socket)
                                                   >>  32                 return NULL;
                                                   >>  33 
                                                   >>  34         return SOCK_INODE(sk->sk_socket)->i_security;
                                                   >>  35 }
 32                                                    36 
 33 #ifdef CONFIG_SECURITY_NETWORK_XFRM                37 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 34 extern atomic_t selinux_xfrm_refcount;             38 extern atomic_t selinux_xfrm_refcount;
 35                                                    39 
 36 static inline int selinux_xfrm_enabled(void)       40 static inline int selinux_xfrm_enabled(void)
 37 {                                                  41 {
 38         return (atomic_read(&selinux_xfrm_refc     42         return (atomic_read(&selinux_xfrm_refcount) > 0);
 39 }                                                  43 }
 40                                                    44 
 41 int selinux_xfrm_sock_rcv_skb(u32 sk_sid, stru !!  45 int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
 42                               struct common_au !!  46                         struct common_audit_data *ad);
 43 int selinux_xfrm_postroute_last(u32 sk_sid, st !!  47 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
 44                                 struct common_ !!  48                         struct common_audit_data *ad, u8 proto);
 45 int selinux_xfrm_decode_session(struct sk_buff     49 int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 46 int selinux_xfrm_skb_sid(struct sk_buff *skb,      50 int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid);
 47                                                    51 
 48 static inline void selinux_xfrm_notify_policyl     52 static inline void selinux_xfrm_notify_policyload(void)
 49 {                                                  53 {
 50         struct net *net;                       !!  54         atomic_inc(&flow_cache_genid);
 51                                                !!  55         rt_genid_bump(&init_net);
 52         down_read(&net_rwsem);                 << 
 53         for_each_net(net)                      << 
 54                 rt_genid_bump_all(net);        << 
 55         up_read(&net_rwsem);                   << 
 56 }                                                  56 }
 57 #else                                              57 #else
 58 static inline int selinux_xfrm_enabled(void)       58 static inline int selinux_xfrm_enabled(void)
 59 {                                                  59 {
 60         return 0;                                  60         return 0;
 61 }                                                  61 }
 62                                                    62 
 63 static inline int selinux_xfrm_sock_rcv_skb(u3 !!  63 static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
 64                                             st !!  64                         struct common_audit_data *ad)
 65 {                                                  65 {
 66         return 0;                                  66         return 0;
 67 }                                                  67 }
 68                                                    68 
 69 static inline int selinux_xfrm_postroute_last( !!  69 static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
 70                                                !!  70                         struct common_audit_data *ad, u8 proto)
 71                                                << 
 72 {                                                  71 {
 73         return 0;                                  72         return 0;
 74 }                                                  73 }
 75                                                    74 
 76 static inline int selinux_xfrm_decode_session( !!  75 static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
 77                                                << 
 78 {                                                  76 {
 79         *sid = SECSID_NULL;                        77         *sid = SECSID_NULL;
 80         return 0;                                  78         return 0;
 81 }                                                  79 }
 82                                                    80 
 83 static inline void selinux_xfrm_notify_policyl     81 static inline void selinux_xfrm_notify_policyload(void)
 84 {                                                  82 {
 85 }                                                  83 }
 86                                                    84 
 87 static inline int selinux_xfrm_skb_sid(struct      85 static inline int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
 88 {                                                  86 {
 89         *sid = SECSID_NULL;                        87         *sid = SECSID_NULL;
 90         return 0;                                  88         return 0;
 91 }                                                  89 }
 92 #endif                                             90 #endif
 93                                                    91 
 94 #endif /* _SELINUX_XFRM_H_ */                      92 #endif /* _SELINUX_XFRM_H_ */
 95                                                    93 
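Review bot: `selinux_xfrm_notify_policyload()` in the linux-6.11.5 column (left lines 48-56) has no comment, yet it takes `net_rwsem` with `down_read()`, which may sleep, so the header should say that callers must be in a context that can block. A one-line comment above the function would cover it, e.g. `/* After a policy load, bump the route generation id in every netns; takes net_rwsem for read and may sleep. */`. The linux-3.10.108 column bumped only `init_net`, which suggests that routes cached in other network namespaces were not invalidated on policy reload there; presumably that is why the per-namespace loop exists, but the page does not show the change that introduced it. The page truncates the left column, so the 6.11.5 prototypes above this function are not fully visible and are not reviewed here.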
