[linux-block.git] / security / selinux / include / xfrm.h

/*
 * SELinux support for the XFRM LSM hooks
 *
 * Author : Trent Jaeger, <jaegert@us.ibm.com>
 * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
 */
#ifndef _SELINUX_XFRM_H_
#define _SELINUX_XFRM_H_

int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
void selinux_xfrm_policy_free(struct xfrm_policy *xp);
int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
int selinux_xfrm_state_alloc(struct xfrm_state *x,
	struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *pol, u32 secid);
void selinux_xfrm_state_free(struct xfrm_state *x);
int selinux_xfrm_state_delete(struct xfrm_state *x);
int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
			struct xfrm_policy *xp, struct flowi *fl);
int selinux_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm);
int selinux_xfrm_decode_session(struct sk_buff *skb, struct flowi *fl);


/*
 * Extract the security blob from the sock (it's actually on the socket)
 */
static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
{
	if (!sk->sk_socket)
		return NULL;

	return SOCK_INODE(sk->sk_socket)->i_security;
}


static inline u32 selinux_no_sk_sid(struct flowi *fl)
{
	/* NOTE: no sock occurs on ICMP reply, forwards, ... */
	/* icmp_reply: authorize as kernel packet */
	if (fl && fl->proto == IPPROTO_ICMP) {
		return SECINITSID_KERNEL;
	}

	return SECINITSID_ANY_SOCKET;
}

#ifdef CONFIG_SECURITY_NETWORK_XFRM
int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
			struct avc_audit_data *ad);
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
			struct avc_audit_data *ad);
u32 selinux_socket_getpeer_stream(struct sock *sk);
u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
#else
static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
			struct avc_audit_data *ad)
{
	return 0;
}

static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
			struct avc_audit_data *ad)
{
	return 0;
}

static inline int selinux_socket_getpeer_stream(struct sock *sk)
{
	return SECSID_NULL;
}

static inline int selinux_socket_getpeer_dgram(struct sk_buff *skb)
{
	return SECSID_NULL;
}
#endif

#endif /* _SELINUX_XFRM_H_ */
Commit	Line	Data
d28d1e08 TJ	1	/*
	2	* SELinux support for the XFRM LSM hooks
	3	*
	4	* Author : Trent Jaeger, <jaegert@us.ibm.com>
e0d1caa7	5	* Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
d28d1e08 TJ	6	*/
	7	#ifndef _SELINUX_XFRM_H_
	8	#define _SELINUX_XFRM_H_
	9
	10	int selinux_xfrm_policy_alloc(struct xfrm_policy xp, struct xfrm_user_sec_ctx sec_ctx);
	11	int selinux_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new);
	12	void selinux_xfrm_policy_free(struct xfrm_policy *xp);
c8c05a8e	13	int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
e0d1caa7 VY	14	int selinux_xfrm_state_alloc(struct xfrm_state *x,
e0d1caa7 VY	15	struct xfrm_user_sec_ctx sec_ctx, struct xfrm_sec_ctx pol, u32 secid);
d28d1e08	16	void selinux_xfrm_state_free(struct xfrm_state *x);
c8c05a8e	17	int selinux_xfrm_state_delete(struct xfrm_state *x);
e0d1caa7 VY	18	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
	19	int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
	20	struct xfrm_policy xp, struct flowi fl);
	21	int selinux_xfrm_flow_state_match(struct flowi fl, struct xfrm_state xfrm);
	22	int selinux_xfrm_decode_session(struct sk_buff skb, struct flowi fl);
	23
d28d1e08 TJ	24
	25	/*
	26	* Extract the security blob from the sock (it's actually on the socket)
	27	*/
	28	static inline struct inode_security_struct get_sock_isec(struct sock sk)
	29	{
	30	if (!sk->sk_socket)
	31	return NULL;
	32
	33	return SOCK_INODE(sk->sk_socket)->i_security;
	34	}
	35
	36
	37	static inline u32 selinux_no_sk_sid(struct flowi *fl)
	38	{
	39	/* NOTE: no sock occurs on ICMP reply, forwards, ... */
	40	/* icmp_reply: authorize as kernel packet */
	41	if (fl && fl->proto == IPPROTO_ICMP) {
	42	return SECINITSID_KERNEL;
	43	}
	44
	45	return SECINITSID_ANY_SOCKET;
	46	}
	47
	48	#ifdef CONFIG_SECURITY_NETWORK_XFRM
e0d1caa7 VY	49	int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
	50	struct avc_audit_data *ad);
	51	int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
	52	struct avc_audit_data *ad);
2c7946a7 CZ	53	u32 selinux_socket_getpeer_stream(struct sock *sk);
2c7946a7 CZ	54	u32 selinux_socket_getpeer_dgram(struct sk_buff *skb);
d28d1e08	55	#else
e0d1caa7 VY	56	static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
e0d1caa7 VY	57	struct avc_audit_data *ad)
d28d1e08 TJ	58	{
	59	return 0;
	60	}
	61
e0d1caa7 VY	62	static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
e0d1caa7 VY	63	struct avc_audit_data *ad)
d28d1e08	64	{
4e5ab4cb	65	return 0;
d28d1e08	66	}
e6f50719 CZ	67
	68	static inline int selinux_socket_getpeer_stream(struct sock *sk)
	69	{
	70	return SECSID_NULL;
	71	}
	72
	73	static inline int selinux_socket_getpeer_dgram(struct sk_buff *skb)
	74	{
	75	return SECSID_NULL;
	76	}
d28d1e08 TJ	77	#endif
	78
	79	#endif /* _SELINUX_XFRM_H_ */