From 67f83cbf081a70426ff667e8d14f94e13ed3bdca Mon Sep 17 00:00:00 2001 From: Venkat Yekkirala Date: Wed, 8 Nov 2006 17:04:26 -0600 Subject: SELinux: Fix SA selection semantics Fix the selection of an SA for an outgoing packet to be at the same context as the originating socket/flow. This eliminates the SELinux policy's ability to use/sendto SAs with contexts other than the socket's. With this patch applied, the SELinux policy will require one or more of the following for a socket to be able to communicate with/without SAs: 1. To enable a socket to communicate without using labeled-IPSec SAs: allow socket_t unlabeled_t:association { sendto recvfrom } 2. To enable a socket to communicate with labeled-IPSec SAs: allow socket_t self:association { sendto }; allow socket_t peer_sa_t:association { recvfrom }; Signed-off-by: Venkat Yekkirala Signed-off-by: James Morris --- net/xfrm/xfrm_policy.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'net/xfrm/xfrm_policy.c') diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 7736b23c3f03..b88b038530c9 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1894,7 +1894,8 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first, if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family)) return 0; - if (fl && !security_xfrm_flow_state_match(fl, dst->xfrm, pol)) + if (fl && pol && + !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl)) return 0; if (dst->xfrm->km.state != XFRM_STATE_VALID) return 0; -- cgit v1.2.3 From 776810217ac558351cdcca01c4c6a9474e4a68c2 Mon Sep 17 00:00:00 2001 From: Andrew Morton Date: Wed, 8 Nov 2006 22:46:26 -0800 Subject: [XFRM]: uninline xfrm_selector_match() Six callsites, huge. Signed-off-by: Andrew Morton Signed-off-by: David S. Miller --- include/net/xfrm.h | 36 ++---------------------------------- net/xfrm/xfrm_policy.c | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 34 deletions(-) (limited to 'net/xfrm/xfrm_policy.c') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index dbcd2922ff3f..81c91e8a328f 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -506,40 +506,8 @@ __be16 xfrm_flowi_dport(struct flowi *fl) return port; } -static inline int -__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl) -{ - return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) && - addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) && - !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && - !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && - (fl->proto == sel->proto || !sel->proto) && - (fl->oif == sel->ifindex || !sel->ifindex); -} - -static inline int -__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl) -{ - return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) && - addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) && - !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && - !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && - (fl->proto == sel->proto || !sel->proto) && - (fl->oif == sel->ifindex || !sel->ifindex); -} - -static inline int -xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl, - unsigned short family) -{ - switch (family) { - case AF_INET: - return __xfrm4_selector_match(sel, fl); - case AF_INET6: - return __xfrm6_selector_match(sel, fl); - } - return 0; -} +extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl, + unsigned short family); #ifdef CONFIG_SECURITY_NETWORK_XFRM /* If neither has a context --> match diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index b88b038530c9..e5ea1347a4ff 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -50,6 +50,40 @@ static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo); static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family); static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo); +static inline int +__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl) +{ + return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) && + addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) && + !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && + !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && + (fl->proto == sel->proto || !sel->proto) && + (fl->oif == sel->ifindex || !sel->ifindex); +} + +static inline int +__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl) +{ + return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) && + addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) && + !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && + !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && + (fl->proto == sel->proto || !sel->proto) && + (fl->oif == sel->ifindex || !sel->ifindex); +} + +int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl, + unsigned short family) +{ + switch (family) { + case AF_INET: + return __xfrm4_selector_match(sel, fl); + case AF_INET6: + return __xfrm6_selector_match(sel, fl); + } + return 0; +} + int xfrm_register_type(struct xfrm_type *type, unsigned short family) { struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family); -- cgit v1.2.3 From 76b3f055f38954c67dab13844eb92203580038f8 Mon Sep 17 00:00:00 2001 From: Miika Komu Date: Thu, 30 Nov 2006 16:40:43 -0800 Subject: [IPSEC]: Add encapsulation family. Signed-off-by: Miika Komu Signed-off-by: Diego Beltrami Signed-off-by: Kazunori Miyazawa Signed-off-by: David S. Miller --- include/net/xfrm.h | 2 ++ net/xfrm/xfrm_policy.c | 1 + 2 files changed, 3 insertions(+) (limited to 'net/xfrm/xfrm_policy.c') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 984e5c45265c..15ec19dcf9c8 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -310,6 +310,8 @@ struct xfrm_tmpl /* Source address of tunnel. Ignored, if it is not a tunnel. */ xfrm_address_t saddr; + unsigned short encap_family; + __u32 reqid; /* Mode: transport, tunnel etc. */ diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index e5ea1347a4ff..64d3938f74c4 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1211,6 +1211,7 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl, if (tmpl->mode == XFRM_MODE_TUNNEL) { remote = &tmpl->id.daddr; local = &tmpl->saddr; + family = tmpl->encap_family; if (xfrm_addr_any(local, family)) { error = xfrm_get_saddr(&tmp, remote, family); if (error) -- cgit v1.2.3