0001 /* SPDX-License-Identifier: GPL-2.0 */
0002 /*
0003  * SELinux support for the XFRM LSM hooks
0004  *
0005  * Author : Trent Jaeger, <jaegert@us.ibm.com>
0006  * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
0007  */
0008 #ifndef _SELINUX_XFRM_H_
0009 #define _SELINUX_XFRM_H_
0010 
0011 #include <linux/lsm_audit.h>
0012 #include <net/flow.h>
0013 #include <net/xfrm.h>
0014 
/*
 * Labeled xfrm policy/state lifecycle and lookup hooks, implemented in
 * security/selinux/xfrm.c (not visible here).  Only what the signatures
 * show is documented below; check the definitions for the exact contract.
 */

/*
 * Derive the security context for a new xfrm policy from @uctx, which
 * presumably arrives from userspace (netlink/setsockopt) and must therefore
 * be treated as untrusted and validated by the implementation.  The result
 * is returned through @ctxp; @gfp selects the allocation context.
 * Return value presumably follows the kernel convention (0 / -errno).
 */
int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
                  struct xfrm_user_sec_ctx *uctx,
                  gfp_t gfp);
/* Duplicate @old_ctx into a freshly allocated context stored at *@new_ctxp. */
int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
                  struct xfrm_sec_ctx **new_ctxp);
/* Release a context obtained from the alloc/clone calls above. */
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
/*
 * Unlike _free this returns int, so it can fail: presumably the permission
 * check performed before a labeled policy is removed — confirm in xfrm.c.
 */
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
/*
 * Label a new xfrm state (SA) from the user-supplied @uctx; same trust
 * caveat as selinux_xfrm_policy_alloc.
 */
int selinux_xfrm_state_alloc(struct xfrm_state *x,
                 struct xfrm_user_sec_ctx *uctx);
/*
 * Label an xfrm state created by an acquire (no user context is passed);
 * the label is presumably derived from the matching policy's @polsec and
 * the flow's @secid — confirm in xfrm.c.
 */
int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
                     struct xfrm_sec_ctx *polsec, u32 secid);
/* Release the label attached to @x. */
void selinux_xfrm_state_free(struct xfrm_state *x);
/* Can fail, unlike _free: presumably the permission check before @x is deleted. */
int selinux_xfrm_state_delete(struct xfrm_state *x);
/*
 * Decide whether a flow labeled @fl_secid may use the policy labeled @ctx.
 * The return-value semantics are not visible here — confirm against the
 * caller in net/xfrm before relying on 0 meaning "allowed".
 */
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid);
/*
 * Check that state @x, policy @xp and the flow described by @flic agree on
 * their labels (the xfrm state/policy/flow "match" hook).
 */
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
                      struct xfrm_policy *xp,
                      const struct flowi_common *flic);
0032 
0033 #ifdef CONFIG_SECURITY_NETWORK_XFRM
/*
 * Defined in xfrm.c (not visible here).  Presumably a count of live labeled
 * xfrm policies/states; selinux_xfrm_enabled() below treats any positive
 * value as "labeled IPsec is in use".
 */
extern atomic_t selinux_xfrm_refcount;
0035 
/*
 * Report whether labeled xfrm objects are currently in use, i.e. whether
 * selinux_xfrm_refcount (maintained in xfrm.c, not visible here) is
 * positive.  Returns 1 if so, 0 otherwise.  Callers presumably use this to
 * skip the per-packet xfrm label checks when nothing is labeled; note the
 * value is a snapshot and may change immediately after it is read.
 */
static inline int selinux_xfrm_enabled(void)
{
    int users = atomic_read(&selinux_xfrm_refcount);

    return users > 0;
}
0040 
/*
 * Per-packet hooks, available only with CONFIG_SECURITY_NETWORK_XFRM; the
 * #else branch below provides permissive stubs.  Implemented in xfrm.c.
 */

/*
 * Inbound check: presumably verifies that a socket labeled @sk_sid may
 * receive @skb given the labels of the xfrm states it traversed; @ad
 * carries the audit context used when the check is denied.
 */
int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
                  struct common_audit_data *ad);
/*
 * Outbound counterpart, run at the last postrouting point for a packet
 * sent by a socket labeled @sk_sid.  @proto is presumably the transport
 * protocol (used for the audit record or to refine the check) — confirm
 * in xfrm.c.
 */
int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
                struct common_audit_data *ad, u8 proto);
/*
 * Derive a SID for the xfrm session @skb belongs to and store it in *@sid.
 * The name suggests @ckall means "check all states on the path agree" —
 * confirm in xfrm.c.  The no-xfrm stub stores SECSID_NULL, so callers
 * must treat that value as "unlabeled" rather than as a real SID.
 */
int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
/* Report the xfrm label of @skb in *@sid; SECSID_NULL means no label. */
int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid);
0047 
/*
 * The name suggests this runs after a SELinux policy (re)load.  It bumps the
 * route generation id of every network namespace, presumably so that
 * flow/route decisions cached under the old policy are re-evaluated instead
 * of being trusted stale.  The namespace list is walked with net_rwsem held
 * for read; nothing is returned.
 */
static inline void selinux_xfrm_notify_policyload(void)
{
    struct net *ns;

    down_read(&net_rwsem);
    for_each_net(ns) {
        rt_genid_bump_all(ns);
    }
    up_read(&net_rwsem);
}
0057 #else
/*
 * No-xfrm stub: without CONFIG_SECURITY_NETWORK_XFRM no xfrm object can
 * carry a label, so always report "not enabled" (0).
 */
static inline int selinux_xfrm_enabled(void)
{
    int enabled = 0;

    return enabled;
}
0062 
/*
 * No-xfrm stub: there is no IPsec label to compare against @sk_sid, so the
 * inbound check never denies.  @skb and @ad are unused; always returns 0.
 */
static inline int
selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
              struct common_audit_data *ad)
{
    return 0;
}
0068 
/*
 * No-xfrm stub: the outbound check has no xfrm labels to consult, so it
 * never denies.  @sk_sid, @skb, @ad and @proto are unused; always returns 0.
 */
static inline int
selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
                struct common_audit_data *ad, u8 proto)
{
    return 0;
}
0075 
/*
 * No-xfrm stub: no session label can exist, so *@sid is set to SECSID_NULL
 * ("unlabeled") and 0 is returned.  @sid must be a valid pointer — it is
 * written unconditionally.  @skb and @ckall are unused.
 */
static inline int
selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
{
    *sid = SECSID_NULL;

    return 0;
}
0082 
/*
 * No-xfrm stub: a policy load needs no route-cache invalidation from this
 * file, so this is intentionally a no-op.
 */
static inline void selinux_xfrm_notify_policyload(void)
{
    /* intentionally empty */
}
0086 
/*
 * No-xfrm stub: packets never carry an xfrm label, so *@sid is set to
 * SECSID_NULL and 0 is returned.  @sid must be a valid pointer — it is
 * written unconditionally.  @skb is unused.
 */
static inline int
selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
{
    *sid = SECSID_NULL;

    return 0;
}
0092 #endif
0093 
0094 #endif /* _SELINUX_XFRM_H_ */