1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * Security-Enhanced Linux (SELinux) security module |
4 | * |
5 | * This file contains the SELinux XFRM hook function implementations. |
6 | * |
7 | * Authors: Serge Hallyn <sergeh@us.ibm.com> |
8 | * Trent Jaeger <jaegert@us.ibm.com> |
9 | * |
10 | * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com> |
11 | * |
12 | * Granular IPSec Associations for use in MLS environments. |
13 | * |
14 | * Copyright (C) 2005 International Business Machines Corporation |
15 | * Copyright (C) 2006 Trusted Computer Solutions, Inc. |
16 | */ |
17 | |
18 | /* |
19 | * USAGE: |
20 | * NOTES: |
21 | * 1. Make sure to enable the following options in your kernel config: |
22 | * CONFIG_SECURITY=y |
23 | * CONFIG_SECURITY_NETWORK=y |
24 | * CONFIG_SECURITY_NETWORK_XFRM=y |
25 | * CONFIG_SECURITY_SELINUX=m/y |
26 | * ISSUES: |
27 | * 1. Caching packets, so they are not dropped during negotiation |
28 | * 2. Emulating a reasonable SO_PEERSEC across machines |
29 | * 3. Testing addition of sk_policy's with security context via setsockopt |
30 | */ |
31 | #include <linux/kernel.h> |
32 | #include <linux/init.h> |
33 | #include <linux/security.h> |
34 | #include <linux/types.h> |
35 | #include <linux/slab.h> |
36 | #include <linux/ip.h> |
37 | #include <linux/tcp.h> |
38 | #include <linux/skbuff.h> |
39 | #include <linux/xfrm.h> |
40 | #include <net/xfrm.h> |
41 | #include <net/checksum.h> |
42 | #include <net/udp.h> |
43 | #include <linux/atomic.h> |
44 | |
45 | #include "avc.h" |
46 | #include "objsec.h" |
47 | #include "xfrm.h" |
48 | |
49 | /* Labeled XFRM instance counter */ |
50 | atomic_t selinux_xfrm_refcount __read_mostly = ATOMIC_INIT(0); |
51 | |
52 | /* |
53 | * Returns true if the context is an LSM/SELinux context. |
54 | */ |
55 | static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) |
56 | { |
57 | return (ctx && |
58 | (ctx->ctx_doi == XFRM_SC_DOI_LSM) && |
59 | (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); |
60 | } |
61 | |
62 | /* |
63 | * Returns true if the xfrm contains a security blob for SELinux. |
64 | */ |
65 | static inline int selinux_authorizable_xfrm(struct xfrm_state *x) |
66 | { |
67 | return selinux_authorizable_ctx(ctx: x->security); |
68 | } |
69 | |
70 | /* |
71 | * Allocates a xfrm_sec_state and populates it using the supplied security |
72 | * xfrm_user_sec_ctx context. |
73 | */ |
74 | static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, |
75 | struct xfrm_user_sec_ctx *uctx, |
76 | gfp_t gfp) |
77 | { |
78 | int rc; |
79 | const struct task_security_struct *tsec = selinux_cred(current_cred()); |
80 | struct xfrm_sec_ctx *ctx = NULL; |
81 | u32 str_len; |
82 | |
83 | if (ctxp == NULL || uctx == NULL || |
84 | uctx->ctx_doi != XFRM_SC_DOI_LSM || |
85 | uctx->ctx_alg != XFRM_SC_ALG_SELINUX) |
86 | return -EINVAL; |
87 | |
88 | str_len = uctx->ctx_len; |
89 | if (str_len >= PAGE_SIZE) |
90 | return -ENOMEM; |
91 | |
92 | ctx = kmalloc(struct_size(ctx, ctx_str, str_len + 1), flags: gfp); |
93 | if (!ctx) |
94 | return -ENOMEM; |
95 | |
96 | ctx->ctx_doi = XFRM_SC_DOI_LSM; |
97 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; |
98 | ctx->ctx_len = str_len; |
99 | memcpy(ctx->ctx_str, &uctx[1], str_len); |
100 | ctx->ctx_str[str_len] = '\0'; |
101 | rc = security_context_to_sid(ctx->ctx_str, str_len, |
102 | &ctx->ctx_sid, gfp); |
103 | if (rc) |
104 | goto err; |
105 | |
106 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
107 | SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL); |
108 | if (rc) |
109 | goto err; |
110 | |
111 | *ctxp = ctx; |
112 | atomic_inc(v: &selinux_xfrm_refcount); |
113 | return 0; |
114 | |
115 | err: |
116 | kfree(objp: ctx); |
117 | return rc; |
118 | } |
119 | |
120 | /* |
121 | * Free the xfrm_sec_ctx structure. |
122 | */ |
123 | static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx) |
124 | { |
125 | if (!ctx) |
126 | return; |
127 | |
128 | atomic_dec(v: &selinux_xfrm_refcount); |
129 | kfree(objp: ctx); |
130 | } |
131 | |
132 | /* |
133 | * Authorize the deletion of a labeled SA or policy rule. |
134 | */ |
135 | static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) |
136 | { |
137 | const struct task_security_struct *tsec = selinux_cred(current_cred()); |
138 | |
139 | if (!ctx) |
140 | return 0; |
141 | |
142 | return avc_has_perm(tsec->sid, ctx->ctx_sid, |
143 | SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, |
144 | NULL); |
145 | } |
146 | |
147 | /* |
148 | * LSM hook implementation that authorizes that a flow can use a xfrm policy |
149 | * rule. |
150 | */ |
151 | int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid) |
152 | { |
153 | int rc; |
154 | |
155 | /* All flows should be treated as polmatch'ing an otherwise applicable |
156 | * "non-labeled" policy. This would prevent inadvertent "leaks". */ |
157 | if (!ctx) |
158 | return 0; |
159 | |
160 | /* Context sid is either set to label or ANY_ASSOC */ |
161 | if (!selinux_authorizable_ctx(ctx)) |
162 | return -EINVAL; |
163 | |
164 | rc = avc_has_perm(fl_secid, ctx->ctx_sid, |
165 | SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL); |
166 | return (rc == -EACCES ? -ESRCH : rc); |
167 | } |
168 | |
169 | /* |
170 | * LSM hook implementation that authorizes that a state matches |
171 | * the given policy, flow combo. |
172 | */ |
173 | int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, |
174 | struct xfrm_policy *xp, |
175 | const struct flowi_common *flic) |
176 | { |
177 | u32 state_sid; |
178 | u32 flic_sid; |
179 | |
180 | if (!xp->security) |
181 | if (x->security) |
182 | /* unlabeled policy and labeled SA can't match */ |
183 | return 0; |
184 | else |
185 | /* unlabeled policy and unlabeled SA match all flows */ |
186 | return 1; |
187 | else |
188 | if (!x->security) |
189 | /* unlabeled SA and labeled policy can't match */ |
190 | return 0; |
191 | else |
192 | if (!selinux_authorizable_xfrm(x)) |
193 | /* Not a SELinux-labeled SA */ |
194 | return 0; |
195 | |
196 | state_sid = x->security->ctx_sid; |
197 | flic_sid = flic->flowic_secid; |
198 | |
199 | if (flic_sid != state_sid) |
200 | return 0; |
201 | |
202 | /* We don't need a separate SA Vs. policy polmatch check since the SA |
203 | * is now of the same label as the flow and a flow Vs. policy polmatch |
204 | * check had already happened in selinux_xfrm_policy_lookup() above. */ |
205 | return (avc_has_perm(flic_sid, state_sid, |
206 | SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, |
207 | NULL) ? 0 : 1); |
208 | } |
209 | |
210 | static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb) |
211 | { |
212 | struct dst_entry *dst = skb_dst(skb); |
213 | struct xfrm_state *x; |
214 | |
215 | if (dst == NULL) |
216 | return SECSID_NULL; |
217 | x = dst->xfrm; |
218 | if (x == NULL || !selinux_authorizable_xfrm(x)) |
219 | return SECSID_NULL; |
220 | |
221 | return x->security->ctx_sid; |
222 | } |
223 | |
224 | static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb, |
225 | u32 *sid, int ckall) |
226 | { |
227 | u32 sid_session = SECSID_NULL; |
228 | struct sec_path *sp = skb_sec_path(skb); |
229 | |
230 | if (sp) { |
231 | int i; |
232 | |
233 | for (i = sp->len - 1; i >= 0; i--) { |
234 | struct xfrm_state *x = sp->xvec[i]; |
235 | if (selinux_authorizable_xfrm(x)) { |
236 | struct xfrm_sec_ctx *ctx = x->security; |
237 | |
238 | if (sid_session == SECSID_NULL) { |
239 | sid_session = ctx->ctx_sid; |
240 | if (!ckall) |
241 | goto out; |
242 | } else if (sid_session != ctx->ctx_sid) { |
243 | *sid = SECSID_NULL; |
244 | return -EINVAL; |
245 | } |
246 | } |
247 | } |
248 | } |
249 | |
250 | out: |
251 | *sid = sid_session; |
252 | return 0; |
253 | } |
254 | |
255 | /* |
256 | * LSM hook implementation that checks and/or returns the xfrm sid for the |
257 | * incoming packet. |
258 | */ |
259 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) |
260 | { |
261 | if (skb == NULL) { |
262 | *sid = SECSID_NULL; |
263 | return 0; |
264 | } |
265 | return selinux_xfrm_skb_sid_ingress(skb, sid, ckall); |
266 | } |
267 | |
268 | int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid) |
269 | { |
270 | int rc; |
271 | |
272 | rc = selinux_xfrm_skb_sid_ingress(skb, sid, ckall: 0); |
273 | if (rc == 0 && *sid == SECSID_NULL) |
274 | *sid = selinux_xfrm_skb_sid_egress(skb); |
275 | |
276 | return rc; |
277 | } |
278 | |
279 | /* |
280 | * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy. |
281 | */ |
282 | int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, |
283 | struct xfrm_user_sec_ctx *uctx, |
284 | gfp_t gfp) |
285 | { |
286 | return selinux_xfrm_alloc_user(ctxp, uctx, gfp); |
287 | } |
288 | |
289 | /* |
290 | * LSM hook implementation that copies security data structure from old to new |
291 | * for policy cloning. |
292 | */ |
293 | int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, |
294 | struct xfrm_sec_ctx **new_ctxp) |
295 | { |
296 | struct xfrm_sec_ctx *new_ctx; |
297 | |
298 | if (!old_ctx) |
299 | return 0; |
300 | |
301 | new_ctx = kmemdup(p: old_ctx, size: sizeof(*old_ctx) + old_ctx->ctx_len, |
302 | GFP_ATOMIC); |
303 | if (!new_ctx) |
304 | return -ENOMEM; |
305 | atomic_inc(v: &selinux_xfrm_refcount); |
306 | *new_ctxp = new_ctx; |
307 | |
308 | return 0; |
309 | } |
310 | |
311 | /* |
312 | * LSM hook implementation that frees xfrm_sec_ctx security information. |
313 | */ |
314 | void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) |
315 | { |
316 | selinux_xfrm_free(ctx); |
317 | } |
318 | |
319 | /* |
320 | * LSM hook implementation that authorizes deletion of labeled policies. |
321 | */ |
322 | int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) |
323 | { |
324 | return selinux_xfrm_delete(ctx); |
325 | } |
326 | |
327 | /* |
328 | * LSM hook implementation that allocates a xfrm_sec_state, populates it using |
329 | * the supplied security context, and assigns it to the xfrm_state. |
330 | */ |
331 | int selinux_xfrm_state_alloc(struct xfrm_state *x, |
332 | struct xfrm_user_sec_ctx *uctx) |
333 | { |
334 | return selinux_xfrm_alloc_user(ctxp: &x->security, uctx, GFP_KERNEL); |
335 | } |
336 | |
337 | /* |
338 | * LSM hook implementation that allocates a xfrm_sec_state and populates based |
339 | * on a secid. |
340 | */ |
341 | int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, |
342 | struct xfrm_sec_ctx *polsec, u32 secid) |
343 | { |
344 | int rc; |
345 | struct xfrm_sec_ctx *ctx; |
346 | char *ctx_str = NULL; |
347 | u32 str_len; |
348 | |
349 | if (!polsec) |
350 | return 0; |
351 | |
352 | if (secid == 0) |
353 | return -EINVAL; |
354 | |
355 | rc = security_sid_to_context(secid, &ctx_str, |
356 | &str_len); |
357 | if (rc) |
358 | return rc; |
359 | |
360 | ctx = kmalloc(struct_size(ctx, ctx_str, str_len), GFP_ATOMIC); |
361 | if (!ctx) { |
362 | rc = -ENOMEM; |
363 | goto out; |
364 | } |
365 | |
366 | ctx->ctx_doi = XFRM_SC_DOI_LSM; |
367 | ctx->ctx_alg = XFRM_SC_ALG_SELINUX; |
368 | ctx->ctx_sid = secid; |
369 | ctx->ctx_len = str_len; |
370 | memcpy(ctx->ctx_str, ctx_str, str_len); |
371 | |
372 | x->security = ctx; |
373 | atomic_inc(v: &selinux_xfrm_refcount); |
374 | out: |
375 | kfree(objp: ctx_str); |
376 | return rc; |
377 | } |
378 | |
379 | /* |
380 | * LSM hook implementation that frees xfrm_state security information. |
381 | */ |
382 | void selinux_xfrm_state_free(struct xfrm_state *x) |
383 | { |
384 | selinux_xfrm_free(ctx: x->security); |
385 | } |
386 | |
387 | /* |
388 | * LSM hook implementation that authorizes deletion of labeled SAs. |
389 | */ |
390 | int selinux_xfrm_state_delete(struct xfrm_state *x) |
391 | { |
392 | return selinux_xfrm_delete(ctx: x->security); |
393 | } |
394 | |
395 | /* |
396 | * LSM hook that controls access to unlabelled packets. If |
397 | * a xfrm_state is authorizable (defined by macro) then it was |
398 | * already authorized by the IPSec process. If not, then |
399 | * we need to check for unlabelled access since this may not have |
400 | * gone thru the IPSec process. |
401 | */ |
402 | int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb, |
403 | struct common_audit_data *ad) |
404 | { |
405 | int i; |
406 | struct sec_path *sp = skb_sec_path(skb); |
407 | u32 peer_sid = SECINITSID_UNLABELED; |
408 | |
409 | if (sp) { |
410 | for (i = 0; i < sp->len; i++) { |
411 | struct xfrm_state *x = sp->xvec[i]; |
412 | |
413 | if (x && selinux_authorizable_xfrm(x)) { |
414 | struct xfrm_sec_ctx *ctx = x->security; |
415 | peer_sid = ctx->ctx_sid; |
416 | break; |
417 | } |
418 | } |
419 | } |
420 | |
421 | /* This check even when there's no association involved is intended, |
422 | * according to Trent Jaeger, to make sure a process can't engage in |
423 | * non-IPsec communication unless explicitly allowed by policy. */ |
424 | return avc_has_perm(sk_sid, peer_sid, |
425 | SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad); |
426 | } |
427 | |
428 | /* |
429 | * POSTROUTE_LAST hook's XFRM processing: |
430 | * If we have no security association, then we need to determine |
431 | * whether the socket is allowed to send to an unlabelled destination. |
432 | * If we do have a authorizable security association, then it has already been |
433 | * checked in the selinux_xfrm_state_pol_flow_match hook above. |
434 | */ |
435 | int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb, |
436 | struct common_audit_data *ad, u8 proto) |
437 | { |
438 | struct dst_entry *dst; |
439 | |
440 | switch (proto) { |
441 | case IPPROTO_AH: |
442 | case IPPROTO_ESP: |
443 | case IPPROTO_COMP: |
444 | /* We should have already seen this packet once before it |
445 | * underwent xfrm(s). No need to subject it to the unlabeled |
446 | * check. */ |
447 | return 0; |
448 | default: |
449 | break; |
450 | } |
451 | |
452 | dst = skb_dst(skb); |
453 | if (dst) { |
454 | struct dst_entry *iter; |
455 | |
456 | for (iter = dst; iter != NULL; iter = xfrm_dst_child(dst: iter)) { |
457 | struct xfrm_state *x = iter->xfrm; |
458 | |
459 | if (x && selinux_authorizable_xfrm(x)) |
460 | return 0; |
461 | } |
462 | } |
463 | |
464 | /* This check even when there's no association involved is intended, |
465 | * according to Trent Jaeger, to make sure a process can't engage in |
466 | * non-IPsec communication unless explicitly allowed by policy. */ |
467 | return avc_has_perm(sk_sid, SECINITSID_UNLABELED, |
468 | SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad); |
469 | } |
470 | |