1/* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux XFRM hook function implementations. 5 * 6 * Authors: Serge Hallyn <sergeh@us.ibm.com> 7 * Trent Jaeger <jaegert@us.ibm.com> 8 * 9 * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com> 10 * 11 * Granular IPSec Associations for use in MLS environments. 12 * 13 * Copyright (C) 2005 International Business Machines Corporation 14 * Copyright (C) 2006 Trusted Computer Solutions, Inc. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21/* 22 * USAGE: 23 * NOTES: 24 * 1. Make sure to enable the following options in your kernel config: 25 * CONFIG_SECURITY=y 26 * CONFIG_SECURITY_NETWORK=y 27 * CONFIG_SECURITY_NETWORK_XFRM=y 28 * CONFIG_SECURITY_SELINUX=m/y 29 * ISSUES: 30 * 1. Caching packets, so they are not dropped during negotiation 31 * 2. Emulating a reasonable SO_PEERSEC across machines 32 * 3. Testing addition of sk_policy's with security context via setsockopt 33 */ 34#include <linux/kernel.h> 35#include <linux/init.h> 36#include <linux/security.h> 37#include <linux/types.h> 38#include <linux/netfilter.h> 39#include <linux/netfilter_ipv4.h> 40#include <linux/netfilter_ipv6.h> 41#include <linux/slab.h> 42#include <linux/ip.h> 43#include <linux/tcp.h> 44#include <linux/skbuff.h> 45#include <linux/xfrm.h> 46#include <net/xfrm.h> 47#include <net/checksum.h> 48#include <net/udp.h> 49#include <linux/atomic.h> 50 51#include "avc.h" 52#include "objsec.h" 53#include "xfrm.h" 54 55/* Labeled XFRM instance counter */ 56atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0); 57 58/* 59 * Returns true if the context is an LSM/SELinux context. 60 */ 61static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) 62{ 63 return (ctx && 64 (ctx->ctx_doi == XFRM_SC_DOI_LSM) && 65 (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); 66} 67 68/* 69 * Returns true if the xfrm contains a security blob for SELinux. 70 */ 71static inline int selinux_authorizable_xfrm(struct xfrm_state *x) 72{ 73 return selinux_authorizable_ctx(x->security); 74} 75 76/* 77 * Allocates a xfrm_sec_state and populates it using the supplied security 78 * xfrm_user_sec_ctx context. 79 */ 80static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, 81 struct xfrm_user_sec_ctx *uctx, 82 gfp_t gfp) 83{ 84 int rc; 85 const struct task_security_struct *tsec = current_security(); 86 struct xfrm_sec_ctx *ctx = NULL; 87 u32 str_len; 88 89 if (ctxp == NULL || uctx == NULL || 90 uctx->ctx_doi != XFRM_SC_DOI_LSM || 91 uctx->ctx_alg != XFRM_SC_ALG_SELINUX) 92 return -EINVAL; 93 94 str_len = uctx->ctx_len; 95 if (str_len >= PAGE_SIZE) 96 return -ENOMEM; 97 98 ctx = kmalloc(sizeof(*ctx) + str_len + 1, gfp); 99 if (!ctx) 100 return -ENOMEM; 101 102 ctx->ctx_doi = XFRM_SC_DOI_LSM; 103 ctx->ctx_alg = XFRM_SC_ALG_SELINUX; 104 ctx->ctx_len = str_len; 105 memcpy(ctx->ctx_str, &uctx[1], str_len); 106 ctx->ctx_str[str_len] = '\0'; 107 rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid, gfp); 108 if (rc) 109 goto err; 110 111 rc = avc_has_perm(tsec->sid, ctx->ctx_sid, 112 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL); 113 if (rc) 114 goto err; 115 116 *ctxp = ctx; 117 atomic_inc(&selinux_xfrm_refcount); 118 return 0; 119 120err: 121 kfree(ctx); 122 return rc; 123} 124 125/* 126 * Free the xfrm_sec_ctx structure. 127 */ 128static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx) 129{ 130 if (!ctx) 131 return; 132 133 atomic_dec(&selinux_xfrm_refcount); 134 kfree(ctx); 135} 136 137/* 138 * Authorize the deletion of a labeled SA or policy rule. 139 */ 140static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) 141{ 142 const struct task_security_struct *tsec = current_security(); 143 144 if (!ctx) 145 return 0; 146 147 return avc_has_perm(tsec->sid, ctx->ctx_sid, 148 SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, 149 NULL); 150} 151 152/* 153 * LSM hook implementation that authorizes that a flow can use a xfrm policy 154 * rule. 155 */ 156int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) 157{ 158 int rc; 159 160 /* All flows should be treated as polmatch'ing an otherwise applicable 161 * "non-labeled" policy. This would prevent inadvertent "leaks". */ 162 if (!ctx) 163 return 0; 164 165 /* Context sid is either set to label or ANY_ASSOC */ 166 if (!selinux_authorizable_ctx(ctx)) 167 return -EINVAL; 168 169 rc = avc_has_perm(fl_secid, ctx->ctx_sid, 170 SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL); 171 return (rc == -EACCES ? -ESRCH : rc); 172} 173 174/* 175 * LSM hook implementation that authorizes that a state matches 176 * the given policy, flow combo. 177 */ 178int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, 179 struct xfrm_policy *xp, 180 const struct flowi *fl) 181{ 182 u32 state_sid; 183 184 if (!xp->security) 185 if (x->security) 186 /* unlabeled policy and labeled SA can't match */ 187 return 0; 188 else 189 /* unlabeled policy and unlabeled SA match all flows */ 190 return 1; 191 else 192 if (!x->security) 193 /* unlabeled SA and labeled policy can't match */ 194 return 0; 195 else 196 if (!selinux_authorizable_xfrm(x)) 197 /* Not a SELinux-labeled SA */ 198 return 0; 199 200 state_sid = x->security->ctx_sid; 201 202 if (fl->flowi_secid != state_sid) 203 return 0; 204 205 /* We don't need a separate SA Vs. policy polmatch check since the SA 206 * is now of the same label as the flow and a flow Vs. policy polmatch 207 * check had already happened in selinux_xfrm_policy_lookup() above. */ 208 return (avc_has_perm(fl->flowi_secid, state_sid, 209 SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, 210 NULL) ? 0 : 1); 211} 212 213static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb) 214{ 215 struct dst_entry *dst = skb_dst(skb); 216 struct xfrm_state *x; 217 218 if (dst == NULL) 219 return SECSID_NULL; 220 x = dst->xfrm; 221 if (x == NULL || !selinux_authorizable_xfrm(x)) 222 return SECSID_NULL; 223 224 return x->security->ctx_sid; 225} 226 227static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb, 228 u32 *sid, int ckall) 229{ 230 u32 sid_session = SECSID_NULL; 231 struct sec_path *sp = skb->sp; 232 233 if (sp) { 234 int i; 235 236 for (i = sp->len - 1; i >= 0; i--) { 237 struct xfrm_state *x = sp->xvec[i]; 238 if (selinux_authorizable_xfrm(x)) { 239 struct xfrm_sec_ctx *ctx = x->security; 240 241 if (sid_session == SECSID_NULL) { 242 sid_session = ctx->ctx_sid; 243 if (!ckall) 244 goto out; 245 } else if (sid_session != ctx->ctx_sid) { 246 *sid = SECSID_NULL; 247 return -EINVAL; 248 } 249 } 250 } 251 } 252 253out: 254 *sid = sid_session; 255 return 0; 256} 257 258/* 259 * LSM hook implementation that checks and/or returns the xfrm sid for the 260 * incoming packet. 261 */ 262int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) 263{ 264 if (skb == NULL) { 265 *sid = SECSID_NULL; 266 return 0; 267 } 268 return selinux_xfrm_skb_sid_ingress(skb, sid, ckall); 269} 270 271int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid) 272{ 273 int rc; 274 275 rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0); 276 if (rc == 0 && *sid == SECSID_NULL) 277 *sid = selinux_xfrm_skb_sid_egress(skb); 278 279 return rc; 280} 281 282/* 283 * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy. 284 */ 285int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, 286 struct xfrm_user_sec_ctx *uctx, 287 gfp_t gfp) 288{ 289 return selinux_xfrm_alloc_user(ctxp, uctx, gfp); 290} 291 292/* 293 * LSM hook implementation that copies security data structure from old to new 294 * for policy cloning. 295 */ 296int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, 297 struct xfrm_sec_ctx **new_ctxp) 298{ 299 struct xfrm_sec_ctx *new_ctx; 300 301 if (!old_ctx) 302 return 0; 303 304 new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len, 305 GFP_ATOMIC); 306 if (!new_ctx) 307 return -ENOMEM; 308 atomic_inc(&selinux_xfrm_refcount); 309 *new_ctxp = new_ctx; 310 311 return 0; 312} 313 314/* 315 * LSM hook implementation that frees xfrm_sec_ctx security information. 316 */ 317void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) 318{ 319 selinux_xfrm_free(ctx); 320} 321 322/* 323 * LSM hook implementation that authorizes deletion of labeled policies. 324 */ 325int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) 326{ 327 return selinux_xfrm_delete(ctx); 328} 329 330/* 331 * LSM hook implementation that allocates a xfrm_sec_state, populates it using 332 * the supplied security context, and assigns it to the xfrm_state. 333 */ 334int selinux_xfrm_state_alloc(struct xfrm_state *x, 335 struct xfrm_user_sec_ctx *uctx) 336{ 337 return selinux_xfrm_alloc_user(&x->security, uctx, GFP_KERNEL); 338} 339 340/* 341 * LSM hook implementation that allocates a xfrm_sec_state and populates based 342 * on a secid. 343 */ 344int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, 345 struct xfrm_sec_ctx *polsec, u32 secid) 346{ 347 int rc; 348 struct xfrm_sec_ctx *ctx; 349 char *ctx_str = NULL; 350 int str_len; 351 352 if (!polsec) 353 return 0; 354 355 if (secid == 0) 356 return -EINVAL; 357 358 rc = security_sid_to_context(secid, &ctx_str, &str_len); 359 if (rc) 360 return rc; 361 362 ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC); 363 if (!ctx) { 364 rc = -ENOMEM; 365 goto out; 366 } 367 368 ctx->ctx_doi = XFRM_SC_DOI_LSM; 369 ctx->ctx_alg = XFRM_SC_ALG_SELINUX; 370 ctx->ctx_sid = secid; 371 ctx->ctx_len = str_len; 372 memcpy(ctx->ctx_str, ctx_str, str_len); 373 374 x->security = ctx; 375 atomic_inc(&selinux_xfrm_refcount); 376out: 377 kfree(ctx_str); 378 return rc; 379} 380 381/* 382 * LSM hook implementation that frees xfrm_state security information. 383 */ 384void selinux_xfrm_state_free(struct xfrm_state *x) 385{ 386 selinux_xfrm_free(x->security); 387} 388 389/* 390 * LSM hook implementation that authorizes deletion of labeled SAs. 391 */ 392int selinux_xfrm_state_delete(struct xfrm_state *x) 393{ 394 return selinux_xfrm_delete(x->security); 395} 396 397/* 398 * LSM hook that controls access to unlabelled packets. If 399 * a xfrm_state is authorizable (defined by macro) then it was 400 * already authorized by the IPSec process. If not, then 401 * we need to check for unlabelled access since this may not have 402 * gone thru the IPSec process. 403 */ 404int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb, 405 struct common_audit_data *ad) 406{ 407 int i; 408 struct sec_path *sp = skb->sp; 409 u32 peer_sid = SECINITSID_UNLABELED; 410 411 if (sp) { 412 for (i = 0; i < sp->len; i++) { 413 struct xfrm_state *x = sp->xvec[i]; 414 415 if (x && selinux_authorizable_xfrm(x)) { 416 struct xfrm_sec_ctx *ctx = x->security; 417 peer_sid = ctx->ctx_sid; 418 break; 419 } 420 } 421 } 422 423 /* This check even when there's no association involved is intended, 424 * according to Trent Jaeger, to make sure a process can't engage in 425 * non-IPsec communication unless explicitly allowed by policy. */ 426 return avc_has_perm(sk_sid, peer_sid, 427 SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad); 428} 429 430/* 431 * POSTROUTE_LAST hook's XFRM processing: 432 * If we have no security association, then we need to determine 433 * whether the socket is allowed to send to an unlabelled destination. 434 * If we do have a authorizable security association, then it has already been 435 * checked in the selinux_xfrm_state_pol_flow_match hook above. 436 */ 437int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, 438 struct common_audit_data *ad, u8 proto) 439{ 440 struct dst_entry *dst; 441 442 switch (proto) { 443 case IPPROTO_AH: 444 case IPPROTO_ESP: 445 case IPPROTO_COMP: 446 /* We should have already seen this packet once before it 447 * underwent xfrm(s). No need to subject it to the unlabeled 448 * check. */ 449 return 0; 450 default: 451 break; 452 } 453 454 dst = skb_dst(skb); 455 if (dst) { 456 struct dst_entry *iter; 457 458 for (iter = dst; iter != NULL; iter = iter->child) { 459 struct xfrm_state *x = iter->xfrm; 460 461 if (x && selinux_authorizable_xfrm(x)) 462 return 0; 463 } 464 } 465 466 /* This check even when there's no association involved is intended, 467 * according to Trent Jaeger, to make sure a process can't engage in 468 * non-IPsec communication unless explicitly allowed by policy. */ 469 return avc_has_perm(sk_sid, SECINITSID_UNLABELED, 470 SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad); 471} 472