Commit | Line | Data |
---|---|---|
d2912cb1 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
d28d1e08 TJ |
2 | /* |
3 | * NSA Security-Enhanced Linux (SELinux) security module | |
4 | * | |
5 | * This file contains the SELinux XFRM hook function implementations. | |
6 | * | |
7 | * Authors: Serge Hallyn <sergeh@us.ibm.com> | |
8 | * Trent Jaeger <jaegert@us.ibm.com> | |
9 | * | |
e0d1caa7 VY |
10 | * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com> |
11 | * | |
12 | * Granular IPSec Associations for use in MLS environments. | |
13 | * | |
d28d1e08 | 14 | * Copyright (C) 2005 International Business Machines Corporation |
e0d1caa7 | 15 | * Copyright (C) 2006 Trusted Computer Solutions, Inc. |
d28d1e08 TJ |
16 | */ |
17 | ||
18 | /* | |
19 | * USAGE: | |
20 | * NOTES: | |
21 | * 1. Make sure to enable the following options in your kernel config: | |
22 | * CONFIG_SECURITY=y | |
23 | * CONFIG_SECURITY_NETWORK=y | |
24 | * CONFIG_SECURITY_NETWORK_XFRM=y | |
25 | * CONFIG_SECURITY_SELINUX=m/y | |
26 | * ISSUES: | |
27 | * 1. Caching packets, so they are not dropped during negotiation | |
28 | * 2. Emulating a reasonable SO_PEERSEC across machines | |
29 | * 3. Testing addition of sk_policy's with security context via setsockopt | |
30 | */ | |
d28d1e08 TJ |
31 | #include <linux/kernel.h> |
32 | #include <linux/init.h> | |
33 | #include <linux/security.h> | |
34 | #include <linux/types.h> | |
5a0e3ad6 | 35 | #include <linux/slab.h> |
d28d1e08 TJ |
36 | #include <linux/ip.h> |
37 | #include <linux/tcp.h> | |
38 | #include <linux/skbuff.h> | |
39 | #include <linux/xfrm.h> | |
40 | #include <net/xfrm.h> | |
41 | #include <net/checksum.h> | |
42 | #include <net/udp.h> | |
60063497 | 43 | #include <linux/atomic.h> |
d28d1e08 TJ |
44 | |
45 | #include "avc.h" | |
46 | #include "objsec.h" | |
47 | #include "xfrm.h" | |
48 | ||
d621d35e | 49 | /* Labeled XFRM instance counter */ |
e0de8a9a | 50 | atomic_t selinux_xfrm_refcount __read_mostly = ATOMIC_INIT(0); |
d28d1e08 TJ |
51 | |
52 | /* | |
4baabeec | 53 | * Returns true if the context is an LSM/SELinux context. |
d28d1e08 TJ |
54 | */ |
55 | static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) | |
56 | { | |
57 | return (ctx && | |
58 | (ctx->ctx_doi == XFRM_SC_DOI_LSM) && | |
59 | (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); | |
60 | } | |
61 | ||
62 | /* | |
4baabeec | 63 | * Returns true if the xfrm contains a security blob for SELinux. |
d28d1e08 TJ |
64 | */ |
65 | static inline int selinux_authorizable_xfrm(struct xfrm_state *x) | |
66 | { | |
67 | return selinux_authorizable_ctx(x->security); | |
68 | } | |
69 | ||
2e5aa866 PM |
70 | /* |
71 | * Allocates a xfrm_sec_state and populates it using the supplied security | |
72 | * xfrm_user_sec_ctx context. | |
73 | */ | |
74 | static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, | |
52a4c640 NA |
75 | struct xfrm_user_sec_ctx *uctx, |
76 | gfp_t gfp) | |
2e5aa866 PM |
77 | { |
78 | int rc; | |
0c6cfa62 | 79 | const struct task_security_struct *tsec = selinux_cred(current_cred()); |
2e5aa866 PM |
80 | struct xfrm_sec_ctx *ctx = NULL; |
81 | u32 str_len; | |
82 | ||
83 | if (ctxp == NULL || uctx == NULL || | |
84 | uctx->ctx_doi != XFRM_SC_DOI_LSM || | |
85 | uctx->ctx_alg != XFRM_SC_ALG_SELINUX) | |
86 | return -EINVAL; | |
87 | ||
88 | str_len = uctx->ctx_len; | |
89 | if (str_len >= PAGE_SIZE) | |
90 | return -ENOMEM; | |
91 | ||
5fe37572 | 92 | ctx = kmalloc(struct_size(ctx, ctx_str, str_len + 1), gfp); |
2e5aa866 PM |
93 | if (!ctx) |
94 | return -ENOMEM; | |
95 | ||
96 | ctx->ctx_doi = XFRM_SC_DOI_LSM; | |
97 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; | |
98 | ctx->ctx_len = str_len; | |
99 | memcpy(ctx->ctx_str, &uctx[1], str_len); | |
100 | ctx->ctx_str[str_len] = '\0'; | |
aa8e712c SS |
101 | rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len, |
102 | &ctx->ctx_sid, gfp); | |
2e5aa866 PM |
103 | if (rc) |
104 | goto err; | |
105 | ||
6b6bc620 SS |
106 | rc = avc_has_perm(&selinux_state, |
107 | tsec->sid, ctx->ctx_sid, | |
2e5aa866 PM |
108 | SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL); |
109 | if (rc) | |
110 | goto err; | |
111 | ||
112 | *ctxp = ctx; | |
113 | atomic_inc(&selinux_xfrm_refcount); | |
114 | return 0; | |
115 | ||
116 | err: | |
117 | kfree(ctx); | |
118 | return rc; | |
119 | } | |
120 | ||
ccf17cc4 PM |
121 | /* |
122 | * Free the xfrm_sec_ctx structure. | |
123 | */ | |
124 | static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx) | |
125 | { | |
126 | if (!ctx) | |
127 | return; | |
128 | ||
129 | atomic_dec(&selinux_xfrm_refcount); | |
130 | kfree(ctx); | |
131 | } | |
132 | ||
133 | /* | |
134 | * Authorize the deletion of a labeled SA or policy rule. | |
135 | */ | |
136 | static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) | |
137 | { | |
0c6cfa62 | 138 | const struct task_security_struct *tsec = selinux_cred(current_cred()); |
ccf17cc4 PM |
139 | |
140 | if (!ctx) | |
141 | return 0; | |
142 | ||
6b6bc620 SS |
143 | return avc_has_perm(&selinux_state, |
144 | tsec->sid, ctx->ctx_sid, | |
ccf17cc4 PM |
145 | SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, |
146 | NULL); | |
147 | } | |
148 | ||
d28d1e08 | 149 | /* |
4baabeec PM |
150 | * LSM hook implementation that authorizes that a flow can use a xfrm policy |
151 | * rule. | |
d28d1e08 | 152 | */ |
8a922805 | 153 | int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid) |
d28d1e08 | 154 | { |
5b368e61 | 155 | int rc; |
d28d1e08 | 156 | |
96484348 PM |
157 | /* All flows should be treated as polmatch'ing an otherwise applicable |
158 | * "non-labeled" policy. This would prevent inadvertent "leaks". */ | |
159 | if (!ctx) | |
5b368e61 | 160 | return 0; |
d28d1e08 | 161 | |
96484348 PM |
162 | /* Context sid is either set to label or ANY_ASSOC */ |
163 | if (!selinux_authorizable_ctx(ctx)) | |
164 | return -EINVAL; | |
5b368e61 | 165 | |
6b6bc620 SS |
166 | rc = avc_has_perm(&selinux_state, |
167 | fl_secid, ctx->ctx_sid, | |
96484348 PM |
168 | SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL); |
169 | return (rc == -EACCES ? -ESRCH : rc); | |
d28d1e08 TJ |
170 | } |
171 | ||
e0d1caa7 VY |
172 | /* |
173 | * LSM hook implementation that authorizes that a state matches | |
174 | * the given policy, flow combo. | |
175 | */ | |
96484348 PM |
176 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, |
177 | struct xfrm_policy *xp, | |
3df98d79 | 178 | const struct flowi_common *flic) |
e0d1caa7 VY |
179 | { |
180 | u32 state_sid; | |
3df98d79 | 181 | u32 flic_sid; |
e0d1caa7 | 182 | |
67f83cbf | 183 | if (!xp->security) |
5b368e61 VY |
184 | if (x->security) |
185 | /* unlabeled policy and labeled SA can't match */ | |
186 | return 0; | |
187 | else | |
188 | /* unlabeled policy and unlabeled SA match all flows */ | |
189 | return 1; | |
5b368e61 | 190 | else |
67f83cbf VY |
191 | if (!x->security) |
192 | /* unlabeled SA and labeled policy can't match */ | |
5b368e61 | 193 | return 0; |
67f83cbf VY |
194 | else |
195 | if (!selinux_authorizable_xfrm(x)) | |
196 | /* Not a SELinux-labeled SA */ | |
197 | return 0; | |
5b368e61 | 198 | |
67f83cbf | 199 | state_sid = x->security->ctx_sid; |
3df98d79 | 200 | flic_sid = flic->flowic_secid; |
e0d1caa7 | 201 | |
3df98d79 | 202 | if (flic_sid != state_sid) |
67f83cbf | 203 | return 0; |
e0d1caa7 | 204 | |
96484348 PM |
205 | /* We don't need a separate SA Vs. policy polmatch check since the SA |
206 | * is now of the same label as the flow and a flow Vs. policy polmatch | |
207 | * check had already happened in selinux_xfrm_policy_lookup() above. */ | |
3df98d79 PM |
208 | return (avc_has_perm(&selinux_state, flic_sid, state_sid, |
209 | SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, | |
210 | NULL) ? 0 : 1); | |
e0d1caa7 VY |
211 | } |
212 | ||
817eff71 | 213 | static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb) |
e0d1caa7 | 214 | { |
817eff71 PM |
215 | struct dst_entry *dst = skb_dst(skb); |
216 | struct xfrm_state *x; | |
217 | ||
218 | if (dst == NULL) | |
219 | return SECSID_NULL; | |
220 | x = dst->xfrm; | |
221 | if (x == NULL || !selinux_authorizable_xfrm(x)) | |
222 | return SECSID_NULL; | |
e0d1caa7 | 223 | |
817eff71 PM |
224 | return x->security->ctx_sid; |
225 | } | |
226 | ||
227 | static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb, | |
228 | u32 *sid, int ckall) | |
229 | { | |
230 | u32 sid_session = SECSID_NULL; | |
2294be0f | 231 | struct sec_path *sp = skb_sec_path(skb); |
e0d1caa7 | 232 | |
e0d1caa7 | 233 | if (sp) { |
e2193695 | 234 | int i; |
e0d1caa7 | 235 | |
e2193695 | 236 | for (i = sp->len - 1; i >= 0; i--) { |
e0d1caa7 VY |
237 | struct xfrm_state *x = sp->xvec[i]; |
238 | if (selinux_authorizable_xfrm(x)) { | |
239 | struct xfrm_sec_ctx *ctx = x->security; | |
240 | ||
e2193695 PM |
241 | if (sid_session == SECSID_NULL) { |
242 | sid_session = ctx->ctx_sid; | |
beb8d13b | 243 | if (!ckall) |
e2193695 PM |
244 | goto out; |
245 | } else if (sid_session != ctx->ctx_sid) { | |
246 | *sid = SECSID_NULL; | |
e0d1caa7 | 247 | return -EINVAL; |
e2193695 | 248 | } |
e0d1caa7 VY |
249 | } |
250 | } | |
251 | } | |
252 | ||
e2193695 PM |
253 | out: |
254 | *sid = sid_session; | |
e0d1caa7 VY |
255 | return 0; |
256 | } | |
257 | ||
817eff71 PM |
258 | /* |
259 | * LSM hook implementation that checks and/or returns the xfrm sid for the | |
260 | * incoming packet. | |
261 | */ | |
262 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) | |
263 | { | |
264 | if (skb == NULL) { | |
265 | *sid = SECSID_NULL; | |
266 | return 0; | |
267 | } | |
268 | return selinux_xfrm_skb_sid_ingress(skb, sid, ckall); | |
269 | } | |
270 | ||
271 | int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid) | |
272 | { | |
273 | int rc; | |
274 | ||
275 | rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0); | |
276 | if (rc == 0 && *sid == SECSID_NULL) | |
277 | *sid = selinux_xfrm_skb_sid_egress(skb); | |
278 | ||
279 | return rc; | |
280 | } | |
281 | ||
d28d1e08 | 282 | /* |
4baabeec | 283 | * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy. |
d28d1e08 | 284 | */ |
03e1ad7b | 285 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, |
52a4c640 NA |
286 | struct xfrm_user_sec_ctx *uctx, |
287 | gfp_t gfp) | |
d28d1e08 | 288 | { |
52a4c640 | 289 | return selinux_xfrm_alloc_user(ctxp, uctx, gfp); |
d28d1e08 TJ |
290 | } |
291 | ||
d28d1e08 | 292 | /* |
4baabeec PM |
293 | * LSM hook implementation that copies security data structure from old to new |
294 | * for policy cloning. | |
d28d1e08 | 295 | */ |
03e1ad7b PM |
296 | int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, |
297 | struct xfrm_sec_ctx **new_ctxp) | |
d28d1e08 | 298 | { |
03e1ad7b | 299 | struct xfrm_sec_ctx *new_ctx; |
d28d1e08 | 300 | |
ccf17cc4 PM |
301 | if (!old_ctx) |
302 | return 0; | |
303 | ||
7d1db4b2 DJ |
304 | new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len, |
305 | GFP_ATOMIC); | |
ccf17cc4 PM |
306 | if (!new_ctx) |
307 | return -ENOMEM; | |
ccf17cc4 PM |
308 | atomic_inc(&selinux_xfrm_refcount); |
309 | *new_ctxp = new_ctx; | |
d28d1e08 | 310 | |
d28d1e08 TJ |
311 | return 0; |
312 | } | |
313 | ||
314 | /* | |
03e1ad7b | 315 | * LSM hook implementation that frees xfrm_sec_ctx security information. |
d28d1e08 | 316 | */ |
03e1ad7b | 317 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) |
d28d1e08 | 318 | { |
ccf17cc4 | 319 | selinux_xfrm_free(ctx); |
d28d1e08 TJ |
320 | } |
321 | ||
c8c05a8e CZ |
322 | /* |
323 | * LSM hook implementation that authorizes deletion of labeled policies. | |
324 | */ | |
03e1ad7b | 325 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) |
c8c05a8e | 326 | { |
ccf17cc4 | 327 | return selinux_xfrm_delete(ctx); |
c8c05a8e CZ |
328 | } |
329 | ||
d28d1e08 | 330 | /* |
2e5aa866 PM |
331 | * LSM hook implementation that allocates a xfrm_sec_state, populates it using |
332 | * the supplied security context, and assigns it to the xfrm_state. | |
d28d1e08 | 333 | */ |
2e5aa866 PM |
334 | int selinux_xfrm_state_alloc(struct xfrm_state *x, |
335 | struct xfrm_user_sec_ctx *uctx) | |
d28d1e08 | 336 | { |
52a4c640 | 337 | return selinux_xfrm_alloc_user(&x->security, uctx, GFP_KERNEL); |
2e5aa866 | 338 | } |
d28d1e08 | 339 | |
2e5aa866 PM |
340 | /* |
341 | * LSM hook implementation that allocates a xfrm_sec_state and populates based | |
342 | * on a secid. | |
343 | */ | |
344 | int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, | |
345 | struct xfrm_sec_ctx *polsec, u32 secid) | |
346 | { | |
347 | int rc; | |
348 | struct xfrm_sec_ctx *ctx; | |
349 | char *ctx_str = NULL; | |
b97df7c0 | 350 | u32 str_len; |
d28d1e08 | 351 | |
2e5aa866 PM |
352 | if (!polsec) |
353 | return 0; | |
354 | ||
355 | if (secid == 0) | |
356 | return -EINVAL; | |
357 | ||
aa8e712c SS |
358 | rc = security_sid_to_context(&selinux_state, secid, &ctx_str, |
359 | &str_len); | |
2e5aa866 PM |
360 | if (rc) |
361 | return rc; | |
362 | ||
5fe37572 | 363 | ctx = kmalloc(struct_size(ctx, ctx_str, str_len), GFP_ATOMIC); |
0af90164 GB |
364 | if (!ctx) { |
365 | rc = -ENOMEM; | |
366 | goto out; | |
367 | } | |
2e5aa866 PM |
368 | |
369 | ctx->ctx_doi = XFRM_SC_DOI_LSM; | |
370 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; | |
371 | ctx->ctx_sid = secid; | |
372 | ctx->ctx_len = str_len; | |
373 | memcpy(ctx->ctx_str, ctx_str, str_len); | |
2e5aa866 PM |
374 | |
375 | x->security = ctx; | |
376 | atomic_inc(&selinux_xfrm_refcount); | |
0af90164 GB |
377 | out: |
378 | kfree(ctx_str); | |
379 | return rc; | |
d28d1e08 TJ |
380 | } |
381 | ||
382 | /* | |
383 | * LSM hook implementation that frees xfrm_state security information. | |
384 | */ | |
385 | void selinux_xfrm_state_free(struct xfrm_state *x) | |
386 | { | |
ccf17cc4 | 387 | selinux_xfrm_free(x->security); |
d28d1e08 TJ |
388 | } |
389 | ||
4baabeec PM |
390 | /* |
391 | * LSM hook implementation that authorizes deletion of labeled SAs. | |
392 | */ | |
c8c05a8e CZ |
393 | int selinux_xfrm_state_delete(struct xfrm_state *x) |
394 | { | |
ccf17cc4 | 395 | return selinux_xfrm_delete(x->security); |
c8c05a8e CZ |
396 | } |
397 | ||
d28d1e08 TJ |
398 | /* |
399 | * LSM hook that controls access to unlabelled packets. If | |
400 | * a xfrm_state is authorizable (defined by macro) then it was | |
401 | * already authorized by the IPSec process. If not, then | |
402 | * we need to check for unlabelled access since this may not have | |
403 | * gone thru the IPSec process. | |
404 | */ | |
eef9b416 PM |
405 | int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb, |
406 | struct common_audit_data *ad) | |
d28d1e08 | 407 | { |
eef9b416 | 408 | int i; |
2294be0f | 409 | struct sec_path *sp = skb_sec_path(skb); |
eef9b416 | 410 | u32 peer_sid = SECINITSID_UNLABELED; |
d28d1e08 TJ |
411 | |
412 | if (sp) { | |
d28d1e08 | 413 | for (i = 0; i < sp->len; i++) { |
67644726 | 414 | struct xfrm_state *x = sp->xvec[i]; |
d28d1e08 | 415 | |
e0d1caa7 VY |
416 | if (x && selinux_authorizable_xfrm(x)) { |
417 | struct xfrm_sec_ctx *ctx = x->security; | |
eef9b416 | 418 | peer_sid = ctx->ctx_sid; |
e0d1caa7 VY |
419 | break; |
420 | } | |
d28d1e08 TJ |
421 | } |
422 | } | |
423 | ||
eef9b416 PM |
424 | /* This check even when there's no association involved is intended, |
425 | * according to Trent Jaeger, to make sure a process can't engage in | |
426 | * non-IPsec communication unless explicitly allowed by policy. */ | |
6b6bc620 SS |
427 | return avc_has_perm(&selinux_state, |
428 | sk_sid, peer_sid, | |
eef9b416 | 429 | SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad); |
d28d1e08 TJ |
430 | } |
431 | ||
432 | /* | |
433 | * POSTROUTE_LAST hook's XFRM processing: | |
434 | * If we have no security association, then we need to determine | |
435 | * whether the socket is allowed to send to an unlabelled destination. | |
436 | * If we do have a authorizable security association, then it has already been | |
67f83cbf | 437 | * checked in the selinux_xfrm_state_pol_flow_match hook above. |
d28d1e08 | 438 | */ |
eef9b416 PM |
439 | int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, |
440 | struct common_audit_data *ad, u8 proto) | |
d28d1e08 TJ |
441 | { |
442 | struct dst_entry *dst; | |
d28d1e08 | 443 | |
67f83cbf VY |
444 | switch (proto) { |
445 | case IPPROTO_AH: | |
446 | case IPPROTO_ESP: | |
447 | case IPPROTO_COMP: | |
eef9b416 PM |
448 | /* We should have already seen this packet once before it |
449 | * underwent xfrm(s). No need to subject it to the unlabeled | |
450 | * check. */ | |
451 | return 0; | |
67f83cbf VY |
452 | default: |
453 | break; | |
454 | } | |
455 | ||
eef9b416 PM |
456 | dst = skb_dst(skb); |
457 | if (dst) { | |
458 | struct dst_entry *iter; | |
67f83cbf | 459 | |
b92cf4aa | 460 | for (iter = dst; iter != NULL; iter = xfrm_dst_child(iter)) { |
eef9b416 PM |
461 | struct xfrm_state *x = iter->xfrm; |
462 | ||
463 | if (x && selinux_authorizable_xfrm(x)) | |
464 | return 0; | |
465 | } | |
466 | } | |
467 | ||
468 | /* This check even when there's no association involved is intended, | |
469 | * according to Trent Jaeger, to make sure a process can't engage in | |
470 | * non-IPsec communication unless explicitly allowed by policy. */ | |
6b6bc620 | 471 | return avc_has_perm(&selinux_state, sk_sid, SECINITSID_UNLABELED, |
eef9b416 | 472 | SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad); |
d28d1e08 | 473 | } |