[linux-block.git] / security / selinux / include / xfrm.h

/* SPDX-License-Identifier: GPL-2.0 */
/*
 * SELinux support for the XFRM LSM hooks
 *
 * Author : Trent Jaeger, <jaegert@us.ibm.com>
 * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
 */

#ifndef _SELINUX_XFRM_H_
#define _SELINUX_XFRM_H_

#include <linux/lsm_audit.h>
#include <net/flow.h>
#include <net/xfrm.h>

int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
			      struct xfrm_user_sec_ctx *uctx, gfp_t gfp);
int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
			      struct xfrm_sec_ctx **new_ctxp);
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
int selinux_xfrm_state_alloc(struct xfrm_state *x,
			     struct xfrm_user_sec_ctx *uctx);
int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
				     struct xfrm_sec_ctx *polsec, u32 secid);
void selinux_xfrm_state_free(struct xfrm_state *x);
int selinux_xfrm_state_delete(struct xfrm_state *x);
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid);
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
				      struct xfrm_policy *xp,
				      const struct flowi_common *flic);

#ifdef CONFIG_SECURITY_NETWORK_XFRM
extern atomic_t selinux_xfrm_refcount;

static inline int selinux_xfrm_enabled(void)
{
	return (atomic_read(&selinux_xfrm_refcount) > 0);
}

int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
			      struct common_audit_data *ad);
int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
				struct common_audit_data *ad, u8 proto);
int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid);

static inline void selinux_xfrm_notify_policyload(void)
{
	struct net *net;

	down_read(&net_rwsem);
	for_each_net(net)
		rt_genid_bump_all(net);
	up_read(&net_rwsem);
}
#else
static inline int selinux_xfrm_enabled(void)
{
	return 0;
}

static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
					    struct common_audit_data *ad)
{
	return 0;
}

static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
					      struct common_audit_data *ad,
					      u8 proto)
{
	return 0;
}

static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid,
					      int ckall)
{
	*sid = SECSID_NULL;
	return 0;
}

static inline void selinux_xfrm_notify_policyload(void)
{
}

static inline int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
{
	*sid = SECSID_NULL;
	return 0;
}
#endif

#endif /* _SELINUX_XFRM_H_ */
Commit	Line	Data
b2441318	1	/* SPDX-License-Identifier: GPL-2.0 */
d28d1e08 TJ	2	/*
	3	* SELinux support for the XFRM LSM hooks
	4	*
	5	* Author : Trent Jaeger, <jaegert@us.ibm.com>
e0d1caa7	6	* Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
d28d1e08	7	*/
cea92163	8
d28d1e08 TJ	9	#ifndef _SELINUX_XFRM_H_
	10	#define _SELINUX_XFRM_H_
	11
4ad37de4	12	#include <linux/lsm_audit.h>
778aae84	13	#include <net/flow.h>
4ad37de4	14	#include <net/xfrm.h>
778aae84	15
03e1ad7b	16	int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
cea92163	17	struct xfrm_user_sec_ctx *uctx, gfp_t gfp);
03e1ad7b PM	18	int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
	19	struct xfrm_sec_ctx **new_ctxp);
	20	void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
	21	int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
e0d1caa7	22	int selinux_xfrm_state_alloc(struct xfrm_state *x,
2e5aa866 PM	23	struct xfrm_user_sec_ctx *uctx);
	24	int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
	25	struct xfrm_sec_ctx *polsec, u32 secid);
d28d1e08	26	void selinux_xfrm_state_free(struct xfrm_state *x);
c8c05a8e	27	int selinux_xfrm_state_delete(struct xfrm_state *x);
8a922805	28	int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid);
e0d1caa7	29	int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
d1b17b09	30	struct xfrm_policy *xp,
3df98d79	31	const struct flowi_common *flic);
d28d1e08	32
d28d1e08	33	#ifdef CONFIG_SECURITY_NETWORK_XFRM
d621d35e PM	34	extern atomic_t selinux_xfrm_refcount;
	35
	36	static inline int selinux_xfrm_enabled(void)
	37	{
	38	return (atomic_read(&selinux_xfrm_refcount) > 0);
	39	}
	40
eef9b416 PM	41	int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
	42	struct common_audit_data *ad);
	43	int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
	44	struct common_audit_data *ad, u8 proto);
a51c64f1	45	int selinux_xfrm_decode_session(struct sk_buff skb, u32 sid, int ckall);
817eff71	46	int selinux_xfrm_skb_sid(struct sk_buff skb, u32 sid);
342a0cff VY	47
	48	static inline void selinux_xfrm_notify_policyload(void)
	49	{
ca4c3fc2	50	struct net *net;
ca4c3fc2	51
f0b07bb1	52	down_read(&net_rwsem);
09c75704	53	for_each_net(net)
ca4c3fc2	54	rt_genid_bump_all(net);
f0b07bb1	55	up_read(&net_rwsem);
342a0cff	56	}
d28d1e08	57	#else
d621d35e PM	58	static inline int selinux_xfrm_enabled(void)
	59	{
	60	return 0;
	61	}
	62
eef9b416 PM	63	static inline int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
eef9b416 PM	64	struct common_audit_data *ad)
d28d1e08 TJ	65	{
	66	return 0;
	67	}
	68
eef9b416 PM	69	static inline int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
	70	struct common_audit_data *ad,
	71	u8 proto)
d28d1e08	72	{
4e5ab4cb	73	return 0;
d28d1e08	74	}
e6f50719	75
d1b17b09 PM	76	static inline int selinux_xfrm_decode_session(struct sk_buff skb, u32 sid,
d1b17b09 PM	77	int ckall)
a51c64f1 VY	78	{
	79	*sid = SECSID_NULL;
	80	return 0;
	81	}
342a0cff VY	82
	83	static inline void selinux_xfrm_notify_policyload(void)
	84	{
	85	}
d28d1e08	86
817eff71	87	static inline int selinux_xfrm_skb_sid(struct sk_buff skb, u32 sid)
6b877699	88	{
817eff71 PM	89	*sid = SECSID_NULL;
817eff71 PM	90	return 0;
6b877699	91	}
817eff71	92	#endif
6b877699	93
d28d1e08	94	#endif /* _SELINUX_XFRM_H_ */