1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux XFRM hook function implementations. 5 * 6 * Authors: Serge Hallyn <sergeh@us.ibm.com> 7 * Trent Jaeger <jaegert@us.ibm.com> 8 * 9 * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com> 10 * 11 * Granular IPSec Associations for use in MLS environments. 12 * 13 * Copyright (C) 2005 International Business Machines Corporation 14 * Copyright (C) 2006 Trusted Computer Solutions, Inc. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 /* 22 * USAGE: 23 * NOTES: 24 * 1. Make sure to enable the following options in your kernel config: 25 * CONFIG_SECURITY=y 26 * CONFIG_SECURITY_NETWORK=y 27 * CONFIG_SECURITY_NETWORK_XFRM=y 28 * CONFIG_SECURITY_SELINUX=m/y 29 * ISSUES: 30 * 1. Caching packets, so they are not dropped during negotiation 31 * 2. Emulating a reasonable SO_PEERSEC across machines 32 * 3. Testing addition of sk_policy's with security context via setsockopt 33 */ 34 #include <linux/kernel.h> 35 #include <linux/init.h> 36 #include <linux/security.h> 37 #include <linux/types.h> 38 #include <linux/netfilter.h> 39 #include <linux/netfilter_ipv4.h> 40 #include <linux/netfilter_ipv6.h> 41 #include <linux/ip.h> 42 #include <linux/tcp.h> 43 #include <linux/skbuff.h> 44 #include <linux/xfrm.h> 45 #include <net/xfrm.h> 46 #include <net/checksum.h> 47 #include <net/udp.h> 48 #include <asm/semaphore.h> 49 #include <asm/atomic.h> 50 51 #include "avc.h" 52 #include "objsec.h" 53 #include "xfrm.h" 54 55 /* Labeled XFRM instance counter */ 56 atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0); 57 58 /* 59 * Returns true if an LSM/SELinux context 60 */ 61 static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) 62 { 63 return (ctx && 64 (ctx->ctx_doi == XFRM_SC_DOI_LSM) && 65 (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); 66 } 67 68 /* 69 * Returns true if the xfrm contains a security blob for SELinux 70 */ 71 static inline int selinux_authorizable_xfrm(struct xfrm_state *x) 72 { 73 return selinux_authorizable_ctx(x->security); 74 } 75 76 /* 77 * LSM hook implementation that authorizes that a flow can use 78 * a xfrm policy rule. 79 */ 80 int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) 81 { 82 int rc; 83 u32 sel_sid; 84 struct xfrm_sec_ctx *ctx; 85 86 /* Context sid is either set to label or ANY_ASSOC */ 87 if ((ctx = xp->security)) { 88 if (!selinux_authorizable_ctx(ctx)) 89 return -EINVAL; 90 91 sel_sid = ctx->ctx_sid; 92 } 93 else 94 /* 95 * All flows should be treated as polmatch'ing an 96 * otherwise applicable "non-labeled" policy. This 97 * would prevent inadvertent "leaks". 98 */ 99 return 0; 100 101 rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, 102 ASSOCIATION__POLMATCH, 103 NULL); 104 105 if (rc == -EACCES) 106 rc = -ESRCH; 107 108 return rc; 109 } 110 111 /* 112 * LSM hook implementation that authorizes that a state matches 113 * the given policy, flow combo. 114 */ 115 116 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, 117 struct flowi *fl) 118 { 119 u32 state_sid; 120 int rc; 121 122 if (!xp->security) 123 if (x->security) 124 /* unlabeled policy and labeled SA can't match */ 125 return 0; 126 else 127 /* unlabeled policy and unlabeled SA match all flows */ 128 return 1; 129 else 130 if (!x->security) 131 /* unlabeled SA and labeled policy can't match */ 132 return 0; 133 else 134 if (!selinux_authorizable_xfrm(x)) 135 /* Not a SELinux-labeled SA */ 136 return 0; 137 138 state_sid = x->security->ctx_sid; 139 140 if (fl->secid != state_sid) 141 return 0; 142 143 rc = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION, 144 ASSOCIATION__SENDTO, 145 NULL)? 0:1; 146 147 /* 148 * We don't need a separate SA Vs. policy polmatch check 149 * since the SA is now of the same label as the flow and 150 * a flow Vs. policy polmatch check had already happened 151 * in selinux_xfrm_policy_lookup() above. 152 */ 153 154 return rc; 155 } 156 157 /* 158 * LSM hook implementation that checks and/or returns the xfrm sid for the 159 * incoming packet. 160 */ 161 162 int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) 163 { 164 struct sec_path *sp; 165 166 *sid = SECSID_NULL; 167 168 if (skb == NULL) 169 return 0; 170 171 sp = skb->sp; 172 if (sp) { 173 int i, sid_set = 0; 174 175 for (i = sp->len-1; i >= 0; i--) { 176 struct xfrm_state *x = sp->xvec[i]; 177 if (selinux_authorizable_xfrm(x)) { 178 struct xfrm_sec_ctx *ctx = x->security; 179 180 if (!sid_set) { 181 *sid = ctx->ctx_sid; 182 sid_set = 1; 183 184 if (!ckall) 185 break; 186 } 187 else if (*sid != ctx->ctx_sid) 188 return -EINVAL; 189 } 190 } 191 } 192 193 return 0; 194 } 195 196 /* 197 * Security blob allocation for xfrm_policy and xfrm_state 198 * CTX does not have a meaningful value on input 199 */ 200 static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, 201 struct xfrm_user_sec_ctx *uctx, u32 sid) 202 { 203 int rc = 0; 204 struct task_security_struct *tsec = current->security; 205 struct xfrm_sec_ctx *ctx = NULL; 206 char *ctx_str = NULL; 207 u32 str_len; 208 209 BUG_ON(uctx && sid); 210 211 if (!uctx) 212 goto not_from_user; 213 214 if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX) 215 return -EINVAL; 216 217 str_len = uctx->ctx_len; 218 if (str_len >= PAGE_SIZE) 219 return -ENOMEM; 220 221 *ctxp = ctx = kmalloc(sizeof(*ctx) + 222 str_len + 1, 223 GFP_KERNEL); 224 225 if (!ctx) 226 return -ENOMEM; 227 228 ctx->ctx_doi = uctx->ctx_doi; 229 ctx->ctx_len = str_len; 230 ctx->ctx_alg = uctx->ctx_alg; 231 232 memcpy(ctx->ctx_str, 233 uctx+1, 234 str_len); 235 ctx->ctx_str[str_len] = 0; 236 rc = security_context_to_sid(ctx->ctx_str, 237 str_len, 238 &ctx->ctx_sid); 239 240 if (rc) 241 goto out; 242 243 /* 244 * Does the subject have permission to set security context? 245 */ 246 rc = avc_has_perm(tsec->sid, ctx->ctx_sid, 247 SECCLASS_ASSOCIATION, 248 ASSOCIATION__SETCONTEXT, NULL); 249 if (rc) 250 goto out; 251 252 return rc; 253 254 not_from_user: 255 rc = security_sid_to_context(sid, &ctx_str, &str_len); 256 if (rc) 257 goto out; 258 259 *ctxp = ctx = kmalloc(sizeof(*ctx) + 260 str_len, 261 GFP_ATOMIC); 262 263 if (!ctx) { 264 rc = -ENOMEM; 265 goto out; 266 } 267 268 ctx->ctx_doi = XFRM_SC_DOI_LSM; 269 ctx->ctx_alg = XFRM_SC_ALG_SELINUX; 270 ctx->ctx_sid = sid; 271 ctx->ctx_len = str_len; 272 memcpy(ctx->ctx_str, 273 ctx_str, 274 str_len); 275 276 goto out2; 277 278 out: 279 *ctxp = NULL; 280 kfree(ctx); 281 out2: 282 kfree(ctx_str); 283 return rc; 284 } 285 286 /* 287 * LSM hook implementation that allocs and transfers uctx spec to 288 * xfrm_policy. 289 */ 290 int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, 291 struct xfrm_user_sec_ctx *uctx) 292 { 293 int err; 294 295 BUG_ON(!xp); 296 BUG_ON(!uctx); 297 298 err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0); 299 if (err == 0) 300 atomic_inc(&selinux_xfrm_refcount); 301 302 return err; 303 } 304 305 306 /* 307 * LSM hook implementation that copies security data structure from old to 308 * new for policy cloning. 309 */ 310 int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) 311 { 312 struct xfrm_sec_ctx *old_ctx, *new_ctx; 313 314 old_ctx = old->security; 315 316 if (old_ctx) { 317 new_ctx = new->security = kmalloc(sizeof(*new_ctx) + 318 old_ctx->ctx_len, 319 GFP_KERNEL); 320 321 if (!new_ctx) 322 return -ENOMEM; 323 324 memcpy(new_ctx, old_ctx, sizeof(*new_ctx)); 325 memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len); 326 } 327 return 0; 328 } 329 330 /* 331 * LSM hook implementation that frees xfrm_policy security information. 332 */ 333 void selinux_xfrm_policy_free(struct xfrm_policy *xp) 334 { 335 struct xfrm_sec_ctx *ctx = xp->security; 336 if (ctx) 337 kfree(ctx); 338 } 339 340 /* 341 * LSM hook implementation that authorizes deletion of labeled policies. 342 */ 343 int selinux_xfrm_policy_delete(struct xfrm_policy *xp) 344 { 345 struct task_security_struct *tsec = current->security; 346 struct xfrm_sec_ctx *ctx = xp->security; 347 int rc = 0; 348 349 if (ctx) { 350 rc = avc_has_perm(tsec->sid, ctx->ctx_sid, 351 SECCLASS_ASSOCIATION, 352 ASSOCIATION__SETCONTEXT, NULL); 353 if (rc == 0) 354 atomic_dec(&selinux_xfrm_refcount); 355 } 356 357 return rc; 358 } 359 360 /* 361 * LSM hook implementation that allocs and transfers sec_ctx spec to 362 * xfrm_state. 363 */ 364 int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, 365 u32 secid) 366 { 367 int err; 368 369 BUG_ON(!x); 370 371 err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid); 372 if (err == 0) 373 atomic_inc(&selinux_xfrm_refcount); 374 return err; 375 } 376 377 /* 378 * LSM hook implementation that frees xfrm_state security information. 379 */ 380 void selinux_xfrm_state_free(struct xfrm_state *x) 381 { 382 struct xfrm_sec_ctx *ctx = x->security; 383 if (ctx) 384 kfree(ctx); 385 } 386 387 /* 388 * LSM hook implementation that authorizes deletion of labeled SAs. 389 */ 390 int selinux_xfrm_state_delete(struct xfrm_state *x) 391 { 392 struct task_security_struct *tsec = current->security; 393 struct xfrm_sec_ctx *ctx = x->security; 394 int rc = 0; 395 396 if (ctx) { 397 rc = avc_has_perm(tsec->sid, ctx->ctx_sid, 398 SECCLASS_ASSOCIATION, 399 ASSOCIATION__SETCONTEXT, NULL); 400 if (rc == 0) 401 atomic_dec(&selinux_xfrm_refcount); 402 } 403 404 return rc; 405 } 406 407 /* 408 * LSM hook that controls access to unlabelled packets. If 409 * a xfrm_state is authorizable (defined by macro) then it was 410 * already authorized by the IPSec process. If not, then 411 * we need to check for unlabelled access since this may not have 412 * gone thru the IPSec process. 413 */ 414 int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, 415 struct avc_audit_data *ad) 416 { 417 int i, rc = 0; 418 struct sec_path *sp; 419 u32 sel_sid = SECINITSID_UNLABELED; 420 421 sp = skb->sp; 422 423 if (sp) { 424 for (i = 0; i < sp->len; i++) { 425 struct xfrm_state *x = sp->xvec[i]; 426 427 if (x && selinux_authorizable_xfrm(x)) { 428 struct xfrm_sec_ctx *ctx = x->security; 429 sel_sid = ctx->ctx_sid; 430 break; 431 } 432 } 433 } 434 435 /* 436 * This check even when there's no association involved is 437 * intended, according to Trent Jaeger, to make sure a 438 * process can't engage in non-ipsec communication unless 439 * explicitly allowed by policy. 440 */ 441 442 rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION, 443 ASSOCIATION__RECVFROM, ad); 444 445 return rc; 446 } 447 448 /* 449 * POSTROUTE_LAST hook's XFRM processing: 450 * If we have no security association, then we need to determine 451 * whether the socket is allowed to send to an unlabelled destination. 452 * If we do have a authorizable security association, then it has already been 453 * checked in the selinux_xfrm_state_pol_flow_match hook above. 454 */ 455 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 456 struct avc_audit_data *ad, u8 proto) 457 { 458 struct dst_entry *dst; 459 int rc = 0; 460 461 dst = skb->dst; 462 463 if (dst) { 464 struct dst_entry *dst_test; 465 466 for (dst_test = dst; dst_test != NULL; 467 dst_test = dst_test->child) { 468 struct xfrm_state *x = dst_test->xfrm; 469 470 if (x && selinux_authorizable_xfrm(x)) 471 goto out; 472 } 473 } 474 475 switch (proto) { 476 case IPPROTO_AH: 477 case IPPROTO_ESP: 478 case IPPROTO_COMP: 479 /* 480 * We should have already seen this packet once before 481 * it underwent xfrm(s). No need to subject it to the 482 * unlabeled check. 483 */ 484 goto out; 485 default: 486 break; 487 } 488 489 /* 490 * This check even when there's no association involved is 491 * intended, according to Trent Jaeger, to make sure a 492 * process can't engage in non-ipsec communication unless 493 * explicitly allowed by policy. 494 */ 495 496 rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, 497 ASSOCIATION__SENDTO, ad); 498 out: 499 return rc; 500 } 501