1 | /* |
2 | * SELinux support for the XFRM LSM hooks | |
3 | * | |
4 | * Author : Trent Jaeger, <jaegert@us.ibm.com> | |
e0d1caa7 | 5 | * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com> |
6 | */ |
7 | #ifndef _SELINUX_XFRM_H_ | |
8 | #define _SELINUX_XFRM_H_ | |
9 | ||
/*
 * XFRM policy/state security hooks.  All of these are defined outside this
 * header; their return conventions are not visible here.  By the usual
 * kernel convention the int-returning hooks presumably report 0 on
 * success and a negative errno (or -EACCES-style denial) otherwise --
 * confirm against the definitions before relying on that.
 */

/* Lifecycle of the security context carried by an xfrm_policy.  @sec_ctx is
 * the user-supplied context (struct xfrm_user_sec_ctx); who owns it after
 * the call is not visible here -- check the definition. */
int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
void selinux_xfrm_policy_free(struct xfrm_policy *xp);
int selinux_xfrm_policy_delete(struct xfrm_policy *xp);

/* Same lifecycle for an xfrm_state.  @pol and @secid presumably let the
 * state inherit a context from its policy / a pre-resolved SID when no
 * @sec_ctx is given -- TODO confirm against the definition. */
int selinux_xfrm_state_alloc(struct xfrm_state *x,
	struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *pol, u32 secid);
void selinux_xfrm_state_free(struct xfrm_state *x);
int selinux_xfrm_state_delete(struct xfrm_state *x);

/* Access checks between a flow (identified by @fl_secid / @fl), an
 * xfrm_policy and an xfrm_state; @dir is the policy direction. */
int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
	struct xfrm_policy *xp, struct flowi *fl);
int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm);

/* Fill in the flow description @fl from the packet @skb. */
int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl);
23 | ||
24 | |
/*
 * Return the SELinux security blob for the socket owning @sk, or NULL when
 * @sk has no socket attached.  The blob is not on the sock itself: it hangs
 * off the socket's inode, hence the detour through SOCK_INODE().
 */
static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
{
	struct socket *sock = sk->sk_socket;

	return sock ? SOCK_INODE(sock)->i_security : NULL;
}
35 | ||
36 | ||
/*
 * Choose the SID for a flow that has no owning sock (ICMP replies,
 * forwarded packets, ...).  An ICMP flow is authorized as a kernel packet;
 * everything else, including a NULL @fl, falls back to SECINITSID_ANY_SOCKET.
 */
static inline u32 selinux_no_sk_sid(struct flowi *fl)
{
	if (!fl)
		return SECINITSID_ANY_SOCKET;

	return fl->proto == IPPROTO_ICMP ? SECINITSID_KERNEL
					 : SECINITSID_ANY_SOCKET;
}
47 | ||
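#ifdef CONFIG_SECURITY_NETWORK_XFRM
/*
 * Per-packet XFRM checks and peer-label lookups, defined elsewhere when
 * CONFIG_SECURITY_NETWORK_XFRM is enabled.  The int hooks take the SID of
 * the receiving/sending socket plus audit data @ad; their return convention
 * is not visible in this header -- see the definitions.  The getpeer
 * helpers return a SID (u32).
 */
int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
			struct avc_audit_data *ad);
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
			struct avc_audit_data *ad);
u32 selinux_socket_getpeer_stream(struct sock *sk);
u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
#else
/*
 * Stubs for !CONFIG_SECURITY_NETWORK_XFRM.  They keep exactly the same
 * signatures as the real declarations above so callers see one type
 * regardless of config: the two hooks always return 0, and the getpeer
 * helpers return SECSID_NULL as a u32 (previously declared as int, which
 * disagreed with the u32 prototypes).
 */
static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
			struct avc_audit_data *ad)
{
	return 0;
}

static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
			struct avc_audit_data *ad)
{
	return 0;
}

static inline u32 selinux_socket_getpeer_stream(struct sock *sk)
{
	return SECSID_NULL;
}

static inline u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
{
	return SECSID_NULL;
}
#endif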
78 | ||
79 | #endif /* _SELINUX_XFRM_H_ */ |