^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * NSA Security-Enhanced Linux (SELinux) security module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * This file contains the SELinux XFRM hook function implementations.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * Authors: Serge Hallyn <sergeh@us.ibm.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * Trent Jaeger <jaegert@us.ibm.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) * Granular IPSec Associations for use in MLS environments.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) * Copyright (C) 2005 International Business Machines Corporation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) * Copyright (C) 2006 Trusted Computer Solutions, Inc.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) * USAGE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) * NOTES:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) * 1. Make sure to enable the following options in your kernel config:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) * CONFIG_SECURITY=y
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) * CONFIG_SECURITY_NETWORK=y
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) * CONFIG_SECURITY_NETWORK_XFRM=y
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) * CONFIG_SECURITY_SELINUX=m/y
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) * ISSUES:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) * 1. Caching packets, so they are not dropped during negotiation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) * 2. Emulating a reasonable SO_PEERSEC across machines
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) * 3. Testing addition of sk_policy's with security context via setsockopt
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) #include <linux/kernel.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) #include <linux/init.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) #include <linux/security.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) #include <linux/types.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) #include <linux/ip.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) #include <linux/tcp.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) #include <linux/skbuff.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) #include <linux/xfrm.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) #include <net/xfrm.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) #include <net/checksum.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) #include <net/udp.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) #include <linux/atomic.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) #include "avc.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) #include "objsec.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) #include "xfrm.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) /* Labeled XFRM instance counter */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) * Returns true if the context is an LSM/SELinux context.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) return (ctx &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) (ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) (ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) * Returns true if the xfrm contains a security blob for SELinux.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) return selinux_authorizable_ctx(x->security);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) * Allocates a xfrm_sec_state and populates it using the supplied security
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) * xfrm_user_sec_ctx context.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) struct xfrm_user_sec_ctx *uctx,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) gfp_t gfp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) const struct task_security_struct *tsec = selinux_cred(current_cred());
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) struct xfrm_sec_ctx *ctx = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) u32 str_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) if (ctxp == NULL || uctx == NULL ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) uctx->ctx_doi != XFRM_SC_DOI_LSM ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) str_len = uctx->ctx_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) if (str_len >= PAGE_SIZE)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) ctx = kmalloc(sizeof(*ctx) + str_len + 1, gfp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) if (!ctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) ctx->ctx_doi = XFRM_SC_DOI_LSM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) ctx->ctx_len = str_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) memcpy(ctx->ctx_str, &uctx[1], str_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) ctx->ctx_str[str_len] = '\0';
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) &ctx->ctx_sid, gfp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) rc = avc_has_perm(&selinux_state,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) tsec->sid, ctx->ctx_sid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) *ctxp = ctx;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) atomic_inc(&selinux_xfrm_refcount);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) err:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) kfree(ctx);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) * Free the xfrm_sec_ctx structure.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) if (!ctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) atomic_dec(&selinux_xfrm_refcount);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) kfree(ctx);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) * Authorize the deletion of a labeled SA or policy rule.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) const struct task_security_struct *tsec = selinux_cred(current_cred());
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) if (!ctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) return avc_has_perm(&selinux_state,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) tsec->sid, ctx->ctx_sid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) * LSM hook implementation that authorizes that a flow can use a xfrm policy
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) * rule.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) /* All flows should be treated as polmatch'ing an otherwise applicable
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) * "non-labeled" policy. This would prevent inadvertent "leaks". */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) if (!ctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) /* Context sid is either set to label or ANY_ASSOC */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) if (!selinux_authorizable_ctx(ctx))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) rc = avc_has_perm(&selinux_state,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) fl_secid, ctx->ctx_sid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) return (rc == -EACCES ? -ESRCH : rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) * LSM hook implementation that authorizes that a state matches
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) * the given policy, flow combo.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) struct xfrm_policy *xp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) const struct flowi *fl)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) u32 state_sid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) if (!xp->security)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) if (x->security)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) /* unlabeled policy and labeled SA can't match */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) /* unlabeled policy and unlabeled SA match all flows */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) if (!x->security)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) /* unlabeled SA and labeled policy can't match */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) if (!selinux_authorizable_xfrm(x))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) /* Not a SELinux-labeled SA */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) state_sid = x->security->ctx_sid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) if (fl->flowi_secid != state_sid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) /* We don't need a separate SA Vs. policy polmatch check since the SA
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) * is now of the same label as the flow and a flow Vs. policy polmatch
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) * check had already happened in selinux_xfrm_policy_lookup() above. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) return (avc_has_perm(&selinux_state,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) fl->flowi_secid, state_sid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) NULL) ? 0 : 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) struct dst_entry *dst = skb_dst(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) struct xfrm_state *x;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) if (dst == NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) return SECSID_NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) x = dst->xfrm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) if (x == NULL || !selinux_authorizable_xfrm(x))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) return SECSID_NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) return x->security->ctx_sid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) u32 *sid, int ckall)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) u32 sid_session = SECSID_NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) struct sec_path *sp = skb_sec_path(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) if (sp) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) int i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) for (i = sp->len - 1; i >= 0; i--) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) struct xfrm_state *x = sp->xvec[i];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) if (selinux_authorizable_xfrm(x)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) struct xfrm_sec_ctx *ctx = x->security;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) if (sid_session == SECSID_NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) sid_session = ctx->ctx_sid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) if (!ckall)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) } else if (sid_session != ctx->ctx_sid) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) *sid = SECSID_NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253) *sid = sid_session;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258) * LSM hook implementation that checks and/or returns the xfrm sid for the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) * incoming packet.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) if (skb == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) *sid = SECSID_NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267) return selinux_xfrm_skb_sid_ingress(skb, sid, ckall);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) if (rc == 0 && *sid == SECSID_NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) *sid = selinux_xfrm_skb_sid_egress(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284) int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) struct xfrm_user_sec_ctx *uctx,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) gfp_t gfp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) return selinux_xfrm_alloc_user(ctxp, uctx, gfp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) * LSM hook implementation that copies security data structure from old to new
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) * for policy cloning.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) struct xfrm_sec_ctx **new_ctxp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) struct xfrm_sec_ctx *new_ctx;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) if (!old_ctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304) GFP_ATOMIC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) if (!new_ctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) atomic_inc(&selinux_xfrm_refcount);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) *new_ctxp = new_ctx;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) * LSM hook implementation that frees xfrm_sec_ctx security information.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316) void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318) selinux_xfrm_free(ctx);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322) * LSM hook implementation that authorizes deletion of labeled policies.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324) int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326) return selinux_xfrm_delete(ctx);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) * LSM hook implementation that allocates a xfrm_sec_state, populates it using
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331) * the supplied security context, and assigns it to the xfrm_state.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) int selinux_xfrm_state_alloc(struct xfrm_state *x,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334) struct xfrm_user_sec_ctx *uctx)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336) return selinux_xfrm_alloc_user(&x->security, uctx, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340) * LSM hook implementation that allocates a xfrm_sec_state and populates based
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) * on a secid.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343) int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344) struct xfrm_sec_ctx *polsec, u32 secid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) struct xfrm_sec_ctx *ctx;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) char *ctx_str = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349) u32 str_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) if (!polsec)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) if (secid == 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) rc = security_sid_to_context(&selinux_state, secid, &ctx_str,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) &str_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363) if (!ctx) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364) rc = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) ctx->ctx_doi = XFRM_SC_DOI_LSM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369) ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370) ctx->ctx_sid = secid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371) ctx->ctx_len = str_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) memcpy(ctx->ctx_str, ctx_str, str_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374) x->security = ctx;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375) atomic_inc(&selinux_xfrm_refcount);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377) kfree(ctx_str);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) * LSM hook implementation that frees xfrm_state security information.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384) void selinux_xfrm_state_free(struct xfrm_state *x)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386) selinux_xfrm_free(x->security);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) * LSM hook implementation that authorizes deletion of labeled SAs.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) int selinux_xfrm_state_delete(struct xfrm_state *x)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394) return selinux_xfrm_delete(x->security);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) * LSM hook that controls access to unlabelled packets. If
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) * a xfrm_state is authorizable (defined by macro) then it was
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) * already authorized by the IPSec process. If not, then
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) * we need to check for unlabelled access since this may not have
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) * gone thru the IPSec process.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404) int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405) struct common_audit_data *ad)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) int i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408) struct sec_path *sp = skb_sec_path(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409) u32 peer_sid = SECINITSID_UNLABELED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411) if (sp) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) for (i = 0; i < sp->len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) struct xfrm_state *x = sp->xvec[i];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415) if (x && selinux_authorizable_xfrm(x)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) struct xfrm_sec_ctx *ctx = x->security;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417) peer_sid = ctx->ctx_sid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423) /* This check even when there's no association involved is intended,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 424) * according to Trent Jaeger, to make sure a process can't engage in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 425) * non-IPsec communication unless explicitly allowed by policy. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 426) return avc_has_perm(&selinux_state,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 427) sk_sid, peer_sid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 428) SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 429) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 430)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 431) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 432) * POSTROUTE_LAST hook's XFRM processing:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433) * If we have no security association, then we need to determine
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 434) * whether the socket is allowed to send to an unlabelled destination.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 435) * If we do have a authorizable security association, then it has already been
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 436) * checked in the selinux_xfrm_state_pol_flow_match hook above.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 437) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 438) int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 439) struct common_audit_data *ad, u8 proto)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 440) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 441) struct dst_entry *dst;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 442)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 443) switch (proto) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 444) case IPPROTO_AH:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 445) case IPPROTO_ESP:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 446) case IPPROTO_COMP:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 447) /* We should have already seen this packet once before it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 448) * underwent xfrm(s). No need to subject it to the unlabeled
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 449) * check. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 450) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 451) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 452) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 453) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 454)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 455) dst = skb_dst(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 456) if (dst) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 457) struct dst_entry *iter;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 458)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 459) for (iter = dst; iter != NULL; iter = xfrm_dst_child(iter)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 460) struct xfrm_state *x = iter->xfrm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 461)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 462) if (x && selinux_authorizable_xfrm(x))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 463) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 464) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 465) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 466)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 467) /* This check even when there's no association involved is intended,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 468) * according to Trent Jaeger, to make sure a process can't engage in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 469) * non-IPsec communication unless explicitly allowed by policy. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 470) return avc_has_perm(&selinux_state, sk_sid, SECINITSID_UNLABELED,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 471) SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 472) }
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags