2005-04-16 15:20:36 -07:00
|
|
|
/*
|
|
|
|
* xfrm_policy.c
|
|
|
|
*
|
|
|
|
* Changes:
|
|
|
|
* Mitsuru KANDA @USAGI
|
|
|
|
* Kazunori MIYAZAWA @USAGI
|
|
|
|
* Kunihiro Ishiguro <kunihiro@ipinfusion.com>
|
|
|
|
* IPv6 support
|
|
|
|
* Kazunori MIYAZAWA @USAGI
|
|
|
|
* YOSHIFUJI Hideaki
|
|
|
|
* Split up af-specific portion
|
|
|
|
* Derek Atkins <derek@ihtfp.com> Add the post_input processor
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
*
|
2005-04-16 15:20:36 -07:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/kmod.h>
|
|
|
|
#include <linux/list.h>
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
#include <linux/workqueue.h>
|
|
|
|
#include <linux/notifier.h>
|
|
|
|
#include <linux/netdevice.h>
|
2006-01-06 23:06:30 -08:00
|
|
|
#include <linux/netfilter.h>
|
2005-04-16 15:20:36 -07:00
|
|
|
#include <linux/module.h>
|
2006-08-24 04:45:07 -07:00
|
|
|
#include <linux/cache.h>
|
2005-04-16 15:20:36 -07:00
|
|
|
#include <net/xfrm.h>
|
|
|
|
#include <net/ip.h>
|
|
|
|
|
2006-08-24 04:50:50 -07:00
|
|
|
#include "xfrm_hash.h"
|
|
|
|
|
2006-03-20 22:33:17 -08:00
|
|
|
DEFINE_MUTEX(xfrm_cfg_mutex);
|
|
|
|
EXPORT_SYMBOL(xfrm_cfg_mutex);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
static DEFINE_RWLOCK(xfrm_policy_lock);
|
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_count);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
static DEFINE_RWLOCK(xfrm_policy_afinfo_lock);
|
|
|
|
static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];
|
|
|
|
|
2005-08-26 12:05:31 -07:00
|
|
|
static kmem_cache_t *xfrm_dst_cache __read_mostly;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
static struct work_struct xfrm_policy_gc_work;
|
2006-08-24 04:45:07 -07:00
|
|
|
static HLIST_HEAD(xfrm_policy_gc_list);
|
2005-04-16 15:20:36 -07:00
|
|
|
static DEFINE_SPINLOCK(xfrm_policy_gc_lock);
|
|
|
|
|
|
|
|
static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
|
|
|
|
static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
|
2006-05-27 23:03:58 -07:00
|
|
|
static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family);
|
|
|
|
static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
int xfrm_register_type(struct xfrm_type *type, unsigned short family)
|
|
|
|
{
|
2006-05-27 23:03:58 -07:00
|
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family);
|
|
|
|
struct xfrm_type **typemap;
|
2005-04-16 15:20:36 -07:00
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return -EAFNOSUPPORT;
|
|
|
|
typemap = afinfo->type_map;
|
|
|
|
|
2006-05-27 23:03:58 -07:00
|
|
|
if (likely(typemap[type->proto] == NULL))
|
|
|
|
typemap[type->proto] = type;
|
2005-04-16 15:20:36 -07:00
|
|
|
else
|
|
|
|
err = -EEXIST;
|
2006-05-27 23:03:58 -07:00
|
|
|
xfrm_policy_unlock_afinfo(afinfo);
|
2005-04-16 15:20:36 -07:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_register_type);
|
|
|
|
|
|
|
|
int xfrm_unregister_type(struct xfrm_type *type, unsigned short family)
|
|
|
|
{
|
2006-05-27 23:03:58 -07:00
|
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family);
|
|
|
|
struct xfrm_type **typemap;
|
2005-04-16 15:20:36 -07:00
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return -EAFNOSUPPORT;
|
|
|
|
typemap = afinfo->type_map;
|
|
|
|
|
2006-05-27 23:03:58 -07:00
|
|
|
if (unlikely(typemap[type->proto] != type))
|
2005-04-16 15:20:36 -07:00
|
|
|
err = -ENOENT;
|
|
|
|
else
|
2006-05-27 23:03:58 -07:00
|
|
|
typemap[type->proto] = NULL;
|
|
|
|
xfrm_policy_unlock_afinfo(afinfo);
|
2005-04-16 15:20:36 -07:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_unregister_type);
|
|
|
|
|
|
|
|
struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
|
|
|
|
{
|
|
|
|
struct xfrm_policy_afinfo *afinfo;
|
2006-05-27 23:03:58 -07:00
|
|
|
struct xfrm_type **typemap;
|
2005-04-16 15:20:36 -07:00
|
|
|
struct xfrm_type *type;
|
|
|
|
int modload_attempted = 0;
|
|
|
|
|
|
|
|
retry:
|
|
|
|
afinfo = xfrm_policy_get_afinfo(family);
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return NULL;
|
|
|
|
typemap = afinfo->type_map;
|
|
|
|
|
2006-05-27 23:03:58 -07:00
|
|
|
type = typemap[proto];
|
2005-04-16 15:20:36 -07:00
|
|
|
if (unlikely(type && !try_module_get(type->owner)))
|
|
|
|
type = NULL;
|
|
|
|
if (!type && !modload_attempted) {
|
|
|
|
xfrm_policy_put_afinfo(afinfo);
|
|
|
|
request_module("xfrm-type-%d-%d",
|
|
|
|
(int) family, (int) proto);
|
|
|
|
modload_attempted = 1;
|
|
|
|
goto retry;
|
|
|
|
}
|
|
|
|
|
|
|
|
xfrm_policy_put_afinfo(afinfo);
|
|
|
|
return type;
|
|
|
|
}
|
|
|
|
|
|
|
|
int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl,
|
|
|
|
unsigned short family)
|
|
|
|
{
|
|
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return -EAFNOSUPPORT;
|
|
|
|
|
|
|
|
if (likely(afinfo->dst_lookup != NULL))
|
|
|
|
err = afinfo->dst_lookup(dst, fl);
|
|
|
|
else
|
|
|
|
err = -EINVAL;
|
|
|
|
xfrm_policy_put_afinfo(afinfo);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_dst_lookup);
|
|
|
|
|
|
|
|
void xfrm_put_type(struct xfrm_type *type)
|
|
|
|
{
|
|
|
|
module_put(type->owner);
|
|
|
|
}
|
|
|
|
|
2006-05-27 23:05:54 -07:00
|
|
|
int xfrm_register_mode(struct xfrm_mode *mode, int family)
|
|
|
|
{
|
|
|
|
struct xfrm_policy_afinfo *afinfo;
|
|
|
|
struct xfrm_mode **modemap;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (unlikely(mode->encap >= XFRM_MODE_MAX))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
afinfo = xfrm_policy_lock_afinfo(family);
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return -EAFNOSUPPORT;
|
|
|
|
|
|
|
|
err = -EEXIST;
|
|
|
|
modemap = afinfo->mode_map;
|
|
|
|
if (likely(modemap[mode->encap] == NULL)) {
|
|
|
|
modemap[mode->encap] = mode;
|
|
|
|
err = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
xfrm_policy_unlock_afinfo(afinfo);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_register_mode);
|
|
|
|
|
|
|
|
int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
|
|
|
|
{
|
|
|
|
struct xfrm_policy_afinfo *afinfo;
|
|
|
|
struct xfrm_mode **modemap;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (unlikely(mode->encap >= XFRM_MODE_MAX))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
afinfo = xfrm_policy_lock_afinfo(family);
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return -EAFNOSUPPORT;
|
|
|
|
|
|
|
|
err = -ENOENT;
|
|
|
|
modemap = afinfo->mode_map;
|
|
|
|
if (likely(modemap[mode->encap] == mode)) {
|
|
|
|
modemap[mode->encap] = NULL;
|
|
|
|
err = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
xfrm_policy_unlock_afinfo(afinfo);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_unregister_mode);
|
|
|
|
|
|
|
|
struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
|
|
|
|
{
|
|
|
|
struct xfrm_policy_afinfo *afinfo;
|
|
|
|
struct xfrm_mode *mode;
|
|
|
|
int modload_attempted = 0;
|
|
|
|
|
|
|
|
if (unlikely(encap >= XFRM_MODE_MAX))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
retry:
|
|
|
|
afinfo = xfrm_policy_get_afinfo(family);
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
mode = afinfo->mode_map[encap];
|
|
|
|
if (unlikely(mode && !try_module_get(mode->owner)))
|
|
|
|
mode = NULL;
|
|
|
|
if (!mode && !modload_attempted) {
|
|
|
|
xfrm_policy_put_afinfo(afinfo);
|
|
|
|
request_module("xfrm-mode-%d-%d", family, encap);
|
|
|
|
modload_attempted = 1;
|
|
|
|
goto retry;
|
|
|
|
}
|
|
|
|
|
|
|
|
xfrm_policy_put_afinfo(afinfo);
|
|
|
|
return mode;
|
|
|
|
}
|
|
|
|
|
|
|
|
void xfrm_put_mode(struct xfrm_mode *mode)
|
|
|
|
{
|
|
|
|
module_put(mode->owner);
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
static inline unsigned long make_jiffies(long secs)
|
|
|
|
{
|
|
|
|
if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
|
|
|
|
return MAX_SCHEDULE_TIMEOUT-1;
|
|
|
|
else
|
|
|
|
return secs*HZ;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void xfrm_policy_timer(unsigned long data)
|
|
|
|
{
|
|
|
|
struct xfrm_policy *xp = (struct xfrm_policy*)data;
|
|
|
|
unsigned long now = (unsigned long)xtime.tv_sec;
|
|
|
|
long next = LONG_MAX;
|
|
|
|
int warn = 0;
|
|
|
|
int dir;
|
|
|
|
|
|
|
|
read_lock(&xp->lock);
|
|
|
|
|
|
|
|
if (xp->dead)
|
|
|
|
goto out;
|
|
|
|
|
2005-10-05 12:15:12 -07:00
|
|
|
dir = xfrm_policy_id2dir(xp->index);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (xp->lft.hard_add_expires_seconds) {
|
|
|
|
long tmo = xp->lft.hard_add_expires_seconds +
|
|
|
|
xp->curlft.add_time - now;
|
|
|
|
if (tmo <= 0)
|
|
|
|
goto expired;
|
|
|
|
if (tmo < next)
|
|
|
|
next = tmo;
|
|
|
|
}
|
|
|
|
if (xp->lft.hard_use_expires_seconds) {
|
|
|
|
long tmo = xp->lft.hard_use_expires_seconds +
|
|
|
|
(xp->curlft.use_time ? : xp->curlft.add_time) - now;
|
|
|
|
if (tmo <= 0)
|
|
|
|
goto expired;
|
|
|
|
if (tmo < next)
|
|
|
|
next = tmo;
|
|
|
|
}
|
|
|
|
if (xp->lft.soft_add_expires_seconds) {
|
|
|
|
long tmo = xp->lft.soft_add_expires_seconds +
|
|
|
|
xp->curlft.add_time - now;
|
|
|
|
if (tmo <= 0) {
|
|
|
|
warn = 1;
|
|
|
|
tmo = XFRM_KM_TIMEOUT;
|
|
|
|
}
|
|
|
|
if (tmo < next)
|
|
|
|
next = tmo;
|
|
|
|
}
|
|
|
|
if (xp->lft.soft_use_expires_seconds) {
|
|
|
|
long tmo = xp->lft.soft_use_expires_seconds +
|
|
|
|
(xp->curlft.use_time ? : xp->curlft.add_time) - now;
|
|
|
|
if (tmo <= 0) {
|
|
|
|
warn = 1;
|
|
|
|
tmo = XFRM_KM_TIMEOUT;
|
|
|
|
}
|
|
|
|
if (tmo < next)
|
|
|
|
next = tmo;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (warn)
|
2006-03-20 19:17:25 -08:00
|
|
|
km_policy_expired(xp, dir, 0, 0);
|
2005-04-16 15:20:36 -07:00
|
|
|
if (next != LONG_MAX &&
|
|
|
|
!mod_timer(&xp->timer, jiffies + make_jiffies(next)))
|
|
|
|
xfrm_pol_hold(xp);
|
|
|
|
|
|
|
|
out:
|
|
|
|
read_unlock(&xp->lock);
|
|
|
|
xfrm_pol_put(xp);
|
|
|
|
return;
|
|
|
|
|
|
|
|
expired:
|
|
|
|
read_unlock(&xp->lock);
|
2005-06-18 22:43:22 -07:00
|
|
|
if (!xfrm_policy_delete(xp, dir))
|
2006-03-20 19:17:25 -08:00
|
|
|
km_policy_expired(xp, dir, 1, 0);
|
2005-04-16 15:20:36 -07:00
|
|
|
xfrm_pol_put(xp);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
|
|
|
|
* SPD calls.
|
|
|
|
*/
|
|
|
|
|
2005-10-07 07:46:04 +01:00
|
|
|
struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
|
|
|
struct xfrm_policy *policy;
|
|
|
|
|
2006-07-21 14:51:30 -07:00
|
|
|
policy = kzalloc(sizeof(struct xfrm_policy), gfp);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (policy) {
|
2006-08-24 04:45:07 -07:00
|
|
|
INIT_HLIST_NODE(&policy->bydst);
|
|
|
|
INIT_HLIST_NODE(&policy->byidx);
|
2005-04-16 15:20:36 -07:00
|
|
|
rwlock_init(&policy->lock);
|
2006-08-24 04:45:07 -07:00
|
|
|
atomic_set(&policy->refcnt, 1);
|
2005-04-16 15:20:36 -07:00
|
|
|
init_timer(&policy->timer);
|
|
|
|
policy->timer.data = (unsigned long)policy;
|
|
|
|
policy->timer.function = xfrm_policy_timer;
|
|
|
|
}
|
|
|
|
return policy;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_alloc);
|
|
|
|
|
|
|
|
/* Destroy xfrm_policy: descendant resources must be released to this moment. */
|
|
|
|
|
|
|
|
void __xfrm_policy_destroy(struct xfrm_policy *policy)
|
|
|
|
{
|
2006-01-08 22:24:28 -08:00
|
|
|
BUG_ON(!policy->dead);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2006-01-08 22:24:28 -08:00
|
|
|
BUG_ON(policy->bundles);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (del_timer(&policy->timer))
|
|
|
|
BUG();
|
|
|
|
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
security_xfrm_policy_free(policy);
|
2005-04-16 15:20:36 -07:00
|
|
|
kfree(policy);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(__xfrm_policy_destroy);
|
|
|
|
|
|
|
|
static void xfrm_policy_gc_kill(struct xfrm_policy *policy)
|
|
|
|
{
|
|
|
|
struct dst_entry *dst;
|
|
|
|
|
|
|
|
while ((dst = policy->bundles) != NULL) {
|
|
|
|
policy->bundles = dst->next;
|
|
|
|
dst_free(dst);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (del_timer(&policy->timer))
|
|
|
|
atomic_dec(&policy->refcnt);
|
|
|
|
|
|
|
|
if (atomic_read(&policy->refcnt) > 1)
|
|
|
|
flow_cache_flush();
|
|
|
|
|
|
|
|
xfrm_pol_put(policy);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void xfrm_policy_gc_task(void *data)
|
|
|
|
{
|
|
|
|
struct xfrm_policy *policy;
|
2006-08-24 04:45:07 -07:00
|
|
|
struct hlist_node *entry, *tmp;
|
|
|
|
struct hlist_head gc_list;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
spin_lock_bh(&xfrm_policy_gc_lock);
|
2006-08-24 04:45:07 -07:00
|
|
|
gc_list.first = xfrm_policy_gc_list.first;
|
|
|
|
INIT_HLIST_HEAD(&xfrm_policy_gc_list);
|
2005-04-16 15:20:36 -07:00
|
|
|
spin_unlock_bh(&xfrm_policy_gc_lock);
|
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
hlist_for_each_entry_safe(policy, entry, tmp, &gc_list, bydst)
|
2005-04-16 15:20:36 -07:00
|
|
|
xfrm_policy_gc_kill(policy);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Rule must be locked. Release descentant resources, announce
|
|
|
|
* entry dead. The rule must be unlinked from lists to the moment.
|
|
|
|
*/
|
|
|
|
|
|
|
|
static void xfrm_policy_kill(struct xfrm_policy *policy)
|
|
|
|
{
|
|
|
|
int dead;
|
|
|
|
|
|
|
|
write_lock_bh(&policy->lock);
|
|
|
|
dead = policy->dead;
|
|
|
|
policy->dead = 1;
|
|
|
|
write_unlock_bh(&policy->lock);
|
|
|
|
|
|
|
|
if (unlikely(dead)) {
|
|
|
|
WARN_ON(1);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
spin_lock(&xfrm_policy_gc_lock);
|
2006-08-24 04:45:07 -07:00
|
|
|
hlist_add_head(&policy->bydst, &xfrm_policy_gc_list);
|
2005-04-16 15:20:36 -07:00
|
|
|
spin_unlock(&xfrm_policy_gc_lock);
|
|
|
|
|
|
|
|
schedule_work(&xfrm_policy_gc_work);
|
|
|
|
}
|
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
struct xfrm_policy_hash {
|
|
|
|
struct hlist_head *table;
|
|
|
|
unsigned int hmask;
|
|
|
|
};
|
|
|
|
|
|
|
|
static struct hlist_head xfrm_policy_inexact[XFRM_POLICY_MAX*2];
|
|
|
|
static struct xfrm_policy_hash xfrm_policy_bydst[XFRM_POLICY_MAX*2] __read_mostly;
|
|
|
|
static struct hlist_head *xfrm_policy_byidx __read_mostly;
|
|
|
|
static unsigned int xfrm_idx_hmask __read_mostly;
|
|
|
|
static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;
|
|
|
|
|
|
|
|
static inline unsigned int idx_hash(u32 index)
|
|
|
|
{
|
|
|
|
return __idx_hash(index, xfrm_idx_hmask);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct hlist_head *policy_hash_bysel(struct xfrm_selector *sel, unsigned short family, int dir)
|
|
|
|
{
|
|
|
|
unsigned int hmask = xfrm_policy_bydst[dir].hmask;
|
|
|
|
unsigned int hash = __sel_hash(sel, family, hmask);
|
|
|
|
|
|
|
|
return (hash == hmask + 1 ?
|
|
|
|
&xfrm_policy_inexact[dir] :
|
|
|
|
xfrm_policy_bydst[dir].table + hash);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct hlist_head *policy_hash_direct(xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, int dir)
|
|
|
|
{
|
|
|
|
unsigned int hmask = xfrm_policy_bydst[dir].hmask;
|
|
|
|
unsigned int hash = __addr_hash(daddr, saddr, family, hmask);
|
|
|
|
|
|
|
|
return xfrm_policy_bydst[dir].table + hash;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void xfrm_dst_hash_transfer(struct hlist_head *list,
|
|
|
|
struct hlist_head *ndsttable,
|
|
|
|
unsigned int nhashmask)
|
|
|
|
{
|
|
|
|
struct hlist_node *entry, *tmp;
|
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
|
|
|
hlist_for_each_entry_safe(pol, entry, tmp, list, bydst) {
|
|
|
|
unsigned int h;
|
|
|
|
|
|
|
|
h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,
|
|
|
|
pol->family, nhashmask);
|
|
|
|
hlist_add_head(&pol->bydst, ndsttable+h);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void xfrm_idx_hash_transfer(struct hlist_head *list,
|
|
|
|
struct hlist_head *nidxtable,
|
|
|
|
unsigned int nhashmask)
|
|
|
|
{
|
|
|
|
struct hlist_node *entry, *tmp;
|
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
|
|
|
hlist_for_each_entry_safe(pol, entry, tmp, list, byidx) {
|
|
|
|
unsigned int h;
|
|
|
|
|
|
|
|
h = __idx_hash(pol->index, nhashmask);
|
|
|
|
hlist_add_head(&pol->byidx, nidxtable+h);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static unsigned long xfrm_new_hash_mask(unsigned int old_hmask)
|
|
|
|
{
|
|
|
|
return ((old_hmask + 1) << 1) - 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void xfrm_bydst_resize(int dir)
|
|
|
|
{
|
|
|
|
unsigned int hmask = xfrm_policy_bydst[dir].hmask;
|
|
|
|
unsigned int nhashmask = xfrm_new_hash_mask(hmask);
|
|
|
|
unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
|
|
|
|
struct hlist_head *odst = xfrm_policy_bydst[dir].table;
|
2006-08-24 04:50:50 -07:00
|
|
|
struct hlist_head *ndst = xfrm_hash_alloc(nsize);
|
2006-08-24 04:45:07 -07:00
|
|
|
int i;
|
|
|
|
|
|
|
|
if (!ndst)
|
|
|
|
return;
|
|
|
|
|
|
|
|
write_lock_bh(&xfrm_policy_lock);
|
|
|
|
|
|
|
|
for (i = hmask; i >= 0; i--)
|
|
|
|
xfrm_dst_hash_transfer(odst + i, ndst, nhashmask);
|
|
|
|
|
|
|
|
xfrm_policy_bydst[dir].table = ndst;
|
|
|
|
xfrm_policy_bydst[dir].hmask = nhashmask;
|
|
|
|
|
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
|
2006-08-24 04:50:50 -07:00
|
|
|
xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));
|
2006-08-24 04:45:07 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
static void xfrm_byidx_resize(int total)
|
|
|
|
{
|
|
|
|
unsigned int hmask = xfrm_idx_hmask;
|
|
|
|
unsigned int nhashmask = xfrm_new_hash_mask(hmask);
|
|
|
|
unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
|
|
|
|
struct hlist_head *oidx = xfrm_policy_byidx;
|
2006-08-24 04:50:50 -07:00
|
|
|
struct hlist_head *nidx = xfrm_hash_alloc(nsize);
|
2006-08-24 04:45:07 -07:00
|
|
|
int i;
|
|
|
|
|
|
|
|
if (!nidx)
|
|
|
|
return;
|
|
|
|
|
|
|
|
write_lock_bh(&xfrm_policy_lock);
|
|
|
|
|
|
|
|
for (i = hmask; i >= 0; i--)
|
|
|
|
xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);
|
|
|
|
|
|
|
|
xfrm_policy_byidx = nidx;
|
|
|
|
xfrm_idx_hmask = nhashmask;
|
|
|
|
|
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
|
2006-08-24 04:50:50 -07:00
|
|
|
xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));
|
2006-08-24 04:45:07 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
static inline int xfrm_bydst_should_resize(int dir, int *total)
|
|
|
|
{
|
|
|
|
unsigned int cnt = xfrm_policy_count[dir];
|
|
|
|
unsigned int hmask = xfrm_policy_bydst[dir].hmask;
|
|
|
|
|
|
|
|
if (total)
|
|
|
|
*total += cnt;
|
|
|
|
|
|
|
|
if ((hmask + 1) < xfrm_policy_hashmax &&
|
|
|
|
cnt > hmask)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int xfrm_byidx_should_resize(int total)
|
|
|
|
{
|
|
|
|
unsigned int hmask = xfrm_idx_hmask;
|
|
|
|
|
|
|
|
if ((hmask + 1) < xfrm_policy_hashmax &&
|
|
|
|
total > hmask)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static DEFINE_MUTEX(hash_resize_mutex);
|
|
|
|
|
|
|
|
static void xfrm_hash_resize(void *__unused)
|
|
|
|
{
|
|
|
|
int dir, total;
|
|
|
|
|
|
|
|
mutex_lock(&hash_resize_mutex);
|
|
|
|
|
|
|
|
total = 0;
|
|
|
|
for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
|
|
|
|
if (xfrm_bydst_should_resize(dir, &total))
|
|
|
|
xfrm_bydst_resize(dir);
|
|
|
|
}
|
|
|
|
if (xfrm_byidx_should_resize(total))
|
|
|
|
xfrm_byidx_resize(total);
|
|
|
|
|
|
|
|
mutex_unlock(&hash_resize_mutex);
|
|
|
|
}
|
|
|
|
|
|
|
|
static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize, NULL);
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
/* Generate new index... KAME seems to generate them ordered by cost
|
|
|
|
* of an absolute inpredictability of ordering of rules. This will not pass. */
|
2006-08-23 22:43:30 -07:00
|
|
|
static u32 xfrm_gen_index(u8 type, int dir)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
|
|
|
static u32 idx_generator;
|
|
|
|
|
|
|
|
for (;;) {
|
2006-08-24 04:45:07 -07:00
|
|
|
struct hlist_node *entry;
|
|
|
|
struct hlist_head *list;
|
|
|
|
struct xfrm_policy *p;
|
|
|
|
u32 idx;
|
|
|
|
int found;
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
idx = (idx_generator | dir);
|
|
|
|
idx_generator += 8;
|
|
|
|
if (idx == 0)
|
|
|
|
idx = 8;
|
2006-08-24 04:45:07 -07:00
|
|
|
list = xfrm_policy_byidx + idx_hash(idx);
|
|
|
|
found = 0;
|
|
|
|
hlist_for_each_entry(p, entry, list, byidx) {
|
|
|
|
if (p->index == idx) {
|
|
|
|
found = 1;
|
2005-04-16 15:20:36 -07:00
|
|
|
break;
|
2006-08-24 04:45:07 -07:00
|
|
|
}
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2006-08-24 04:45:07 -07:00
|
|
|
if (!found)
|
2005-04-16 15:20:36 -07:00
|
|
|
return idx;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
|
|
|
|
{
|
|
|
|
u32 *p1 = (u32 *) s1;
|
|
|
|
u32 *p2 = (u32 *) s2;
|
|
|
|
int len = sizeof(struct xfrm_selector) / sizeof(u32);
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < len; i++) {
|
|
|
|
if (p1[i] != p2[i])
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
|
|
|
|
{
|
2006-08-24 04:45:07 -07:00
|
|
|
struct xfrm_policy *pol;
|
|
|
|
struct xfrm_policy *delpol;
|
|
|
|
struct hlist_head *chain;
|
|
|
|
struct hlist_node *entry, *newpos, *last;
|
2005-12-22 07:39:48 -08:00
|
|
|
struct dst_entry *gc_list;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
write_lock_bh(&xfrm_policy_lock);
|
2006-08-24 04:45:07 -07:00
|
|
|
chain = policy_hash_bysel(&policy->selector, policy->family, dir);
|
|
|
|
delpol = NULL;
|
|
|
|
newpos = NULL;
|
|
|
|
last = NULL;
|
|
|
|
hlist_for_each_entry(pol, entry, chain, bydst) {
|
|
|
|
if (!delpol &&
|
|
|
|
pol->type == policy->type &&
|
|
|
|
!selector_cmp(&pol->selector, &policy->selector) &&
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
xfrm_sec_ctx_match(pol->security, policy->security)) {
|
2005-04-16 15:20:36 -07:00
|
|
|
if (excl) {
|
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
return -EEXIST;
|
|
|
|
}
|
|
|
|
delpol = pol;
|
|
|
|
if (policy->priority > pol->priority)
|
|
|
|
continue;
|
|
|
|
} else if (policy->priority >= pol->priority) {
|
2006-08-24 04:45:07 -07:00
|
|
|
last = &pol->bydst;
|
2005-04-16 15:20:36 -07:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (!newpos)
|
2006-08-24 04:45:07 -07:00
|
|
|
newpos = &pol->bydst;
|
2005-04-16 15:20:36 -07:00
|
|
|
if (delpol)
|
|
|
|
break;
|
2006-08-24 04:45:07 -07:00
|
|
|
last = &pol->bydst;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2006-08-24 04:45:07 -07:00
|
|
|
if (!newpos)
|
|
|
|
newpos = last;
|
2005-04-16 15:20:36 -07:00
|
|
|
if (newpos)
|
2006-08-24 04:45:07 -07:00
|
|
|
hlist_add_after(newpos, &policy->bydst);
|
|
|
|
else
|
|
|
|
hlist_add_head(&policy->bydst, chain);
|
2005-04-16 15:20:36 -07:00
|
|
|
xfrm_pol_hold(policy);
|
2006-08-24 04:45:07 -07:00
|
|
|
xfrm_policy_count[dir]++;
|
2005-04-16 15:20:36 -07:00
|
|
|
atomic_inc(&flow_cache_genid);
|
2006-08-24 04:45:07 -07:00
|
|
|
if (delpol) {
|
|
|
|
hlist_del(&delpol->bydst);
|
|
|
|
hlist_del(&delpol->byidx);
|
|
|
|
xfrm_policy_count[dir]--;
|
|
|
|
}
|
2006-08-23 22:43:30 -07:00
|
|
|
policy->index = delpol ? delpol->index : xfrm_gen_index(policy->type, dir);
|
2006-08-24 04:45:07 -07:00
|
|
|
hlist_add_head(&policy->byidx, xfrm_policy_byidx+idx_hash(policy->index));
|
2005-04-16 15:20:36 -07:00
|
|
|
policy->curlft.add_time = (unsigned long)xtime.tv_sec;
|
|
|
|
policy->curlft.use_time = 0;
|
|
|
|
if (!mod_timer(&policy->timer, jiffies + HZ))
|
|
|
|
xfrm_pol_hold(policy);
|
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
|
2005-12-22 07:39:48 -08:00
|
|
|
if (delpol)
|
2005-04-16 15:20:36 -07:00
|
|
|
xfrm_policy_kill(delpol);
|
2006-08-24 04:45:07 -07:00
|
|
|
else if (xfrm_bydst_should_resize(dir, NULL))
|
|
|
|
schedule_work(&xfrm_hash_work);
|
2005-12-22 07:39:48 -08:00
|
|
|
|
|
|
|
read_lock_bh(&xfrm_policy_lock);
|
|
|
|
gc_list = NULL;
|
2006-08-24 04:45:07 -07:00
|
|
|
entry = &policy->bydst;
|
|
|
|
hlist_for_each_entry_continue(policy, entry, bydst) {
|
2005-12-22 07:39:48 -08:00
|
|
|
struct dst_entry *dst;
|
|
|
|
|
|
|
|
write_lock(&policy->lock);
|
|
|
|
dst = policy->bundles;
|
|
|
|
if (dst) {
|
|
|
|
struct dst_entry *tail = dst;
|
|
|
|
while (tail->next)
|
|
|
|
tail = tail->next;
|
|
|
|
tail->next = gc_list;
|
|
|
|
gc_list = dst;
|
|
|
|
|
|
|
|
policy->bundles = NULL;
|
|
|
|
}
|
|
|
|
write_unlock(&policy->lock);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2005-12-22 07:39:48 -08:00
|
|
|
read_unlock_bh(&xfrm_policy_lock);
|
|
|
|
|
|
|
|
while (gc_list) {
|
|
|
|
struct dst_entry *dst = gc_list;
|
|
|
|
|
|
|
|
gc_list = dst->next;
|
|
|
|
dst_free(dst);
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_insert);
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
|
|
|
|
struct xfrm_selector *sel,
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
struct xfrm_sec_ctx *ctx, int delete)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
2006-08-24 04:45:07 -07:00
|
|
|
struct xfrm_policy *pol, *ret;
|
|
|
|
struct hlist_head *chain;
|
|
|
|
struct hlist_node *entry;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
write_lock_bh(&xfrm_policy_lock);
|
2006-08-24 04:45:07 -07:00
|
|
|
chain = policy_hash_bysel(sel, sel->family, dir);
|
|
|
|
ret = NULL;
|
|
|
|
hlist_for_each_entry(pol, entry, chain, bydst) {
|
|
|
|
if (pol->type == type &&
|
|
|
|
!selector_cmp(sel, &pol->selector) &&
|
|
|
|
xfrm_sec_ctx_match(ctx, pol->security)) {
|
2005-04-16 15:20:36 -07:00
|
|
|
xfrm_pol_hold(pol);
|
2006-08-24 04:45:07 -07:00
|
|
|
if (delete) {
|
|
|
|
hlist_del(&pol->bydst);
|
|
|
|
hlist_del(&pol->byidx);
|
|
|
|
xfrm_policy_count[dir]--;
|
|
|
|
}
|
|
|
|
ret = pol;
|
2005-04-16 15:20:36 -07:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
if (ret && delete) {
|
2005-04-16 15:20:36 -07:00
|
|
|
atomic_inc(&flow_cache_genid);
|
2006-08-24 04:45:07 -07:00
|
|
|
xfrm_policy_kill(ret);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2006-08-24 04:45:07 -07:00
|
|
|
return ret;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
2006-08-24 04:45:07 -07:00
|
|
|
struct xfrm_policy *pol, *ret;
|
|
|
|
struct hlist_head *chain;
|
|
|
|
struct hlist_node *entry;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
write_lock_bh(&xfrm_policy_lock);
|
2006-08-24 04:45:07 -07:00
|
|
|
chain = xfrm_policy_byidx + idx_hash(id);
|
|
|
|
ret = NULL;
|
|
|
|
hlist_for_each_entry(pol, entry, chain, byidx) {
|
|
|
|
if (pol->type == type && pol->index == id) {
|
2005-04-16 15:20:36 -07:00
|
|
|
xfrm_pol_hold(pol);
|
2006-08-24 04:45:07 -07:00
|
|
|
if (delete) {
|
|
|
|
hlist_del(&pol->bydst);
|
|
|
|
hlist_del(&pol->byidx);
|
|
|
|
xfrm_policy_count[dir]--;
|
|
|
|
}
|
|
|
|
ret = pol;
|
2005-04-16 15:20:36 -07:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
if (ret && delete) {
|
2005-04-16 15:20:36 -07:00
|
|
|
atomic_inc(&flow_cache_genid);
|
2006-08-24 04:45:07 -07:00
|
|
|
xfrm_policy_kill(ret);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2006-08-24 04:45:07 -07:00
|
|
|
return ret;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_byid);
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
void xfrm_policy_flush(u8 type)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
|
|
|
int dir;
|
|
|
|
|
|
|
|
write_lock_bh(&xfrm_policy_lock);
|
|
|
|
for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
|
2006-08-24 04:45:07 -07:00
|
|
|
struct xfrm_policy *pol;
|
|
|
|
struct hlist_node *entry;
|
2006-10-03 16:00:26 -07:00
|
|
|
int i, killed;
|
2006-08-24 04:45:07 -07:00
|
|
|
|
2006-10-03 16:00:26 -07:00
|
|
|
killed = 0;
|
2006-08-24 04:45:07 -07:00
|
|
|
again1:
|
|
|
|
hlist_for_each_entry(pol, entry,
|
|
|
|
&xfrm_policy_inexact[dir], bydst) {
|
|
|
|
if (pol->type != type)
|
|
|
|
continue;
|
|
|
|
hlist_del(&pol->bydst);
|
|
|
|
hlist_del(&pol->byidx);
|
2005-04-16 15:20:36 -07:00
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
xfrm_policy_kill(pol);
|
2006-10-03 16:00:26 -07:00
|
|
|
killed++;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
write_lock_bh(&xfrm_policy_lock);
|
2006-08-24 04:45:07 -07:00
|
|
|
goto again1;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
|
|
|
|
again2:
|
|
|
|
hlist_for_each_entry(pol, entry,
|
|
|
|
xfrm_policy_bydst[dir].table + i,
|
|
|
|
bydst) {
|
|
|
|
if (pol->type != type)
|
|
|
|
continue;
|
|
|
|
hlist_del(&pol->bydst);
|
|
|
|
hlist_del(&pol->byidx);
|
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
|
|
|
|
xfrm_policy_kill(pol);
|
2006-10-03 16:00:26 -07:00
|
|
|
killed++;
|
2006-08-24 04:45:07 -07:00
|
|
|
|
|
|
|
write_lock_bh(&xfrm_policy_lock);
|
|
|
|
goto again2;
|
|
|
|
}
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2006-08-24 04:45:07 -07:00
|
|
|
|
2006-10-03 16:00:26 -07:00
|
|
|
xfrm_policy_count[dir] -= killed;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
atomic_inc(&flow_cache_genid);
|
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_flush);
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*),
|
2005-04-16 15:20:36 -07:00
|
|
|
void *data)
|
|
|
|
{
|
2006-08-24 04:45:07 -07:00
|
|
|
struct xfrm_policy *pol;
|
|
|
|
struct hlist_node *entry;
|
|
|
|
int dir, count, error;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
read_lock_bh(&xfrm_policy_lock);
|
2006-08-24 04:45:07 -07:00
|
|
|
count = 0;
|
2005-04-16 15:20:36 -07:00
|
|
|
for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
|
2006-08-24 04:45:07 -07:00
|
|
|
struct hlist_head *table = xfrm_policy_bydst[dir].table;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
hlist_for_each_entry(pol, entry,
|
|
|
|
&xfrm_policy_inexact[dir], bydst) {
|
|
|
|
if (pol->type == type)
|
|
|
|
count++;
|
|
|
|
}
|
|
|
|
for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
|
|
|
|
hlist_for_each_entry(pol, entry, table + i, bydst) {
|
|
|
|
if (pol->type == type)
|
|
|
|
count++;
|
|
|
|
}
|
|
|
|
}
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
if (count == 0) {
|
|
|
|
error = -ENOENT;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
|
2006-08-24 04:45:07 -07:00
|
|
|
struct hlist_head *table = xfrm_policy_bydst[dir].table;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
hlist_for_each_entry(pol, entry,
|
|
|
|
&xfrm_policy_inexact[dir], bydst) {
|
|
|
|
if (pol->type != type)
|
|
|
|
continue;
|
|
|
|
error = func(pol, dir % XFRM_POLICY_MAX, --count, data);
|
2005-04-16 15:20:36 -07:00
|
|
|
if (error)
|
|
|
|
goto out;
|
|
|
|
}
|
2006-08-24 04:45:07 -07:00
|
|
|
for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
|
|
|
|
hlist_for_each_entry(pol, entry, table + i, bydst) {
|
|
|
|
if (pol->type != type)
|
|
|
|
continue;
|
|
|
|
error = func(pol, dir % XFRM_POLICY_MAX, --count, data);
|
|
|
|
if (error)
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2006-08-24 04:45:07 -07:00
|
|
|
error = 0;
|
2005-04-16 15:20:36 -07:00
|
|
|
out:
|
|
|
|
read_unlock_bh(&xfrm_policy_lock);
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_walk);
|
|
|
|
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
/*
|
|
|
|
* Find policy to apply to this flow.
|
|
|
|
*
|
|
|
|
* Returns 0 if policy found, else an -errno.
|
|
|
|
*/
|
2006-08-24 04:45:07 -07:00
|
|
|
static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl,
|
|
|
|
u8 type, u16 family, int dir)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
2006-08-24 04:45:07 -07:00
|
|
|
struct xfrm_selector *sel = &pol->selector;
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
int match, ret = -ESRCH;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
if (pol->family != family ||
|
|
|
|
pol->type != type)
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
return ret;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
match = xfrm_selector_match(sel, fl, family);
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
if (match)
|
|
|
|
ret = security_xfrm_policy_lookup(pol, fl->secid, dir);
|
2006-08-24 04:45:07 -07:00
|
|
|
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
return ret;
|
2006-08-24 04:45:07 -07:00
|
|
|
}
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
static struct xfrm_policy *xfrm_policy_lookup_bytype(u8 type, struct flowi *fl,
|
|
|
|
u16 family, u8 dir)
|
|
|
|
{
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
int err;
|
2006-08-24 04:45:07 -07:00
|
|
|
struct xfrm_policy *pol, *ret;
|
|
|
|
xfrm_address_t *daddr, *saddr;
|
|
|
|
struct hlist_node *entry;
|
|
|
|
struct hlist_head *chain;
|
2006-08-25 15:46:46 -07:00
|
|
|
u32 priority = ~0U;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
daddr = xfrm_flowi_daddr(fl, family);
|
|
|
|
saddr = xfrm_flowi_saddr(fl, family);
|
|
|
|
if (unlikely(!daddr || !saddr))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
read_lock_bh(&xfrm_policy_lock);
|
|
|
|
chain = policy_hash_direct(daddr, saddr, family, dir);
|
|
|
|
ret = NULL;
|
|
|
|
hlist_for_each_entry(pol, entry, chain, bydst) {
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
err = xfrm_policy_match(pol, fl, type, family, dir);
|
|
|
|
if (err) {
|
|
|
|
if (err == -ESRCH)
|
|
|
|
continue;
|
|
|
|
else {
|
|
|
|
ret = ERR_PTR(err);
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
} else {
|
2006-08-24 04:45:07 -07:00
|
|
|
ret = pol;
|
2006-08-25 15:46:46 -07:00
|
|
|
priority = ret->priority;
|
2006-08-24 04:45:07 -07:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2006-08-25 15:46:46 -07:00
|
|
|
chain = &xfrm_policy_inexact[dir];
|
|
|
|
hlist_for_each_entry(pol, entry, chain, bydst) {
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
err = xfrm_policy_match(pol, fl, type, family, dir);
|
|
|
|
if (err) {
|
|
|
|
if (err == -ESRCH)
|
|
|
|
continue;
|
|
|
|
else {
|
|
|
|
ret = ERR_PTR(err);
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
} else if (pol->priority < priority) {
|
2006-08-25 15:46:46 -07:00
|
|
|
ret = pol;
|
|
|
|
break;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
}
|
2006-08-25 15:46:46 -07:00
|
|
|
if (ret)
|
|
|
|
xfrm_pol_hold(ret);
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
fail:
|
2005-04-16 15:20:36 -07:00
|
|
|
read_unlock_bh(&xfrm_policy_lock);
|
2006-08-23 22:43:30 -07:00
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
return ret;
|
2006-08-23 22:43:30 -07:00
|
|
|
}
|
|
|
|
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
static int xfrm_policy_lookup(struct flowi *fl, u16 family, u8 dir,
|
2006-08-23 22:43:30 -07:00
|
|
|
void **objp, atomic_t **obj_refp)
|
|
|
|
{
|
|
|
|
struct xfrm_policy *pol;
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
int err = 0;
|
2006-08-23 22:43:30 -07:00
|
|
|
|
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
|
|
|
pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_SUB, fl, family, dir);
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
if (IS_ERR(pol)) {
|
|
|
|
err = PTR_ERR(pol);
|
|
|
|
pol = NULL;
|
|
|
|
}
|
|
|
|
if (pol || err)
|
2006-08-23 22:43:30 -07:00
|
|
|
goto end;
|
|
|
|
#endif
|
|
|
|
pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN, fl, family, dir);
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
if (IS_ERR(pol)) {
|
|
|
|
err = PTR_ERR(pol);
|
|
|
|
pol = NULL;
|
|
|
|
}
|
2006-08-23 22:43:30 -07:00
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
2006-08-24 04:45:07 -07:00
|
|
|
end:
|
2006-08-23 22:43:30 -07:00
|
|
|
#endif
|
2005-04-16 15:20:36 -07:00
|
|
|
if ((*objp = (void *) pol) != NULL)
|
|
|
|
*obj_refp = &pol->refcnt;
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
return err;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
static inline int policy_to_flow_dir(int dir)
|
|
|
|
{
|
|
|
|
if (XFRM_POLICY_IN == FLOW_DIR_IN &&
|
|
|
|
XFRM_POLICY_OUT == FLOW_DIR_OUT &&
|
|
|
|
XFRM_POLICY_FWD == FLOW_DIR_FWD)
|
|
|
|
return dir;
|
|
|
|
switch (dir) {
|
|
|
|
default:
|
|
|
|
case XFRM_POLICY_IN:
|
|
|
|
return FLOW_DIR_IN;
|
|
|
|
case XFRM_POLICY_OUT:
|
|
|
|
return FLOW_DIR_OUT;
|
|
|
|
case XFRM_POLICY_FWD:
|
|
|
|
return FLOW_DIR_FWD;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
2006-07-24 23:29:07 -07:00
|
|
|
static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
|
|
|
read_lock_bh(&xfrm_policy_lock);
|
|
|
|
if ((pol = sk->sk_policy[dir]) != NULL) {
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
int match = xfrm_selector_match(&pol->selector, fl,
|
2005-04-16 15:20:36 -07:00
|
|
|
sk->sk_family);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
int err = 0;
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
if (match)
|
2006-07-24 23:29:07 -07:00
|
|
|
err = security_xfrm_policy_lookup(pol, fl->secid, policy_to_flow_dir(dir));
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
|
|
|
|
if (match && !err)
|
2005-04-16 15:20:36 -07:00
|
|
|
xfrm_pol_hold(pol);
|
|
|
|
else
|
|
|
|
pol = NULL;
|
|
|
|
}
|
|
|
|
read_unlock_bh(&xfrm_policy_lock);
|
|
|
|
return pol;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
|
|
|
|
{
|
2006-08-24 04:45:07 -07:00
|
|
|
struct hlist_head *chain = policy_hash_bysel(&pol->selector,
|
|
|
|
pol->family, dir);
|
2006-08-23 22:43:30 -07:00
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
hlist_add_head(&pol->bydst, chain);
|
|
|
|
hlist_add_head(&pol->byidx, xfrm_policy_byidx+idx_hash(pol->index));
|
|
|
|
xfrm_policy_count[dir]++;
|
2005-04-16 15:20:36 -07:00
|
|
|
xfrm_pol_hold(pol);
|
2006-08-24 04:45:07 -07:00
|
|
|
|
|
|
|
if (xfrm_bydst_should_resize(dir, NULL))
|
|
|
|
schedule_work(&xfrm_hash_work);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
|
|
|
|
int dir)
|
|
|
|
{
|
2006-08-24 04:45:07 -07:00
|
|
|
if (hlist_unhashed(&pol->bydst))
|
|
|
|
return NULL;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
hlist_del(&pol->bydst);
|
|
|
|
hlist_del(&pol->byidx);
|
|
|
|
xfrm_policy_count[dir]--;
|
|
|
|
|
|
|
|
return pol;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
2005-06-18 22:43:22 -07:00
|
|
|
int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
|
|
|
write_lock_bh(&xfrm_policy_lock);
|
|
|
|
pol = __xfrm_policy_unlink(pol, dir);
|
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
if (pol) {
|
|
|
|
if (dir < XFRM_POLICY_MAX)
|
|
|
|
atomic_inc(&flow_cache_genid);
|
|
|
|
xfrm_policy_kill(pol);
|
2005-06-18 22:43:22 -07:00
|
|
|
return 0;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2005-06-18 22:43:22 -07:00
|
|
|
return -ENOENT;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2006-03-20 19:18:52 -08:00
|
|
|
EXPORT_SYMBOL(xfrm_policy_delete);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
|
|
|
|
{
|
|
|
|
struct xfrm_policy *old_pol;
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
|
|
|
if (pol && pol->type != XFRM_POLICY_TYPE_MAIN)
|
|
|
|
return -EINVAL;
|
|
|
|
#endif
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
write_lock_bh(&xfrm_policy_lock);
|
|
|
|
old_pol = sk->sk_policy[dir];
|
|
|
|
sk->sk_policy[dir] = pol;
|
|
|
|
if (pol) {
|
|
|
|
pol->curlft.add_time = (unsigned long)xtime.tv_sec;
|
2006-08-23 22:43:30 -07:00
|
|
|
pol->index = xfrm_gen_index(pol->type, XFRM_POLICY_MAX+dir);
|
2005-04-16 15:20:36 -07:00
|
|
|
__xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
|
|
|
|
}
|
|
|
|
if (old_pol)
|
|
|
|
__xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
|
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
|
|
|
|
if (old_pol) {
|
|
|
|
xfrm_policy_kill(old_pol);
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
|
|
|
|
{
|
|
|
|
struct xfrm_policy *newp = xfrm_policy_alloc(GFP_ATOMIC);
|
|
|
|
|
|
|
|
if (newp) {
|
|
|
|
newp->selector = old->selector;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
if (security_xfrm_policy_clone(old, newp)) {
|
|
|
|
kfree(newp);
|
|
|
|
return NULL; /* ENOMEM */
|
|
|
|
}
|
2005-04-16 15:20:36 -07:00
|
|
|
newp->lft = old->lft;
|
|
|
|
newp->curlft = old->curlft;
|
|
|
|
newp->action = old->action;
|
|
|
|
newp->flags = old->flags;
|
|
|
|
newp->xfrm_nr = old->xfrm_nr;
|
|
|
|
newp->index = old->index;
|
2006-08-23 22:43:30 -07:00
|
|
|
newp->type = old->type;
|
2005-04-16 15:20:36 -07:00
|
|
|
memcpy(newp->xfrm_vec, old->xfrm_vec,
|
|
|
|
newp->xfrm_nr*sizeof(struct xfrm_tmpl));
|
|
|
|
write_lock_bh(&xfrm_policy_lock);
|
|
|
|
__xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
|
|
|
|
write_unlock_bh(&xfrm_policy_lock);
|
|
|
|
xfrm_pol_put(newp);
|
|
|
|
}
|
|
|
|
return newp;
|
|
|
|
}
|
|
|
|
|
|
|
|
int __xfrm_sk_clone_policy(struct sock *sk)
|
|
|
|
{
|
|
|
|
struct xfrm_policy *p0 = sk->sk_policy[0],
|
|
|
|
*p1 = sk->sk_policy[1];
|
|
|
|
|
|
|
|
sk->sk_policy[0] = sk->sk_policy[1] = NULL;
|
|
|
|
if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
|
|
|
|
return -ENOMEM;
|
|
|
|
if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
|
|
|
|
return -ENOMEM;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2006-09-19 12:57:34 -07:00
|
|
|
static int
|
|
|
|
xfrm_get_saddr(xfrm_address_t *local, xfrm_address_t *remote,
|
|
|
|
unsigned short family)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
|
|
|
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return -EINVAL;
|
|
|
|
err = afinfo->get_saddr(local, remote);
|
|
|
|
xfrm_policy_put_afinfo(afinfo);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
/* Resolve list of templates for the flow, given policy. */
|
|
|
|
|
|
|
|
static int
|
2006-08-23 22:43:30 -07:00
|
|
|
xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl,
|
|
|
|
struct xfrm_state **xfrm,
|
|
|
|
unsigned short family)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
|
|
|
int nx;
|
|
|
|
int i, error;
|
|
|
|
xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
|
|
|
|
xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
|
2006-09-19 12:57:34 -07:00
|
|
|
xfrm_address_t tmp;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
for (nx=0, i = 0; i < policy->xfrm_nr; i++) {
|
|
|
|
struct xfrm_state *x;
|
|
|
|
xfrm_address_t *remote = daddr;
|
|
|
|
xfrm_address_t *local = saddr;
|
|
|
|
struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
|
|
|
|
|
2006-09-22 15:05:15 -07:00
|
|
|
if (tmpl->mode == XFRM_MODE_TUNNEL) {
|
2005-04-16 15:20:36 -07:00
|
|
|
remote = &tmpl->id.daddr;
|
|
|
|
local = &tmpl->saddr;
|
2006-09-19 12:57:34 -07:00
|
|
|
if (xfrm_addr_any(local, family)) {
|
|
|
|
error = xfrm_get_saddr(&tmp, remote, family);
|
|
|
|
if (error)
|
|
|
|
goto fail;
|
|
|
|
local = &tmp;
|
|
|
|
}
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
|
|
|
|
|
|
|
|
if (x && x->km.state == XFRM_STATE_VALID) {
|
|
|
|
xfrm[nx++] = x;
|
|
|
|
daddr = remote;
|
|
|
|
saddr = local;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (x) {
|
|
|
|
error = (x->km.state == XFRM_STATE_ERROR ?
|
|
|
|
-EINVAL : -EAGAIN);
|
|
|
|
xfrm_state_put(x);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!tmpl->optional)
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
return nx;
|
|
|
|
|
|
|
|
fail:
|
|
|
|
for (nx--; nx>=0; nx--)
|
|
|
|
xfrm_state_put(xfrm[nx]);
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
static int
|
|
|
|
xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
|
|
|
|
struct xfrm_state **xfrm,
|
|
|
|
unsigned short family)
|
|
|
|
{
|
2006-08-23 22:48:31 -07:00
|
|
|
struct xfrm_state *tp[XFRM_MAX_DEPTH];
|
|
|
|
struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
|
2006-08-23 22:43:30 -07:00
|
|
|
int cnx = 0;
|
|
|
|
int error;
|
|
|
|
int ret;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < npols; i++) {
|
|
|
|
if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) {
|
|
|
|
error = -ENOBUFS;
|
|
|
|
goto fail;
|
|
|
|
}
|
2006-08-23 22:48:31 -07:00
|
|
|
|
|
|
|
ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family);
|
2006-08-23 22:43:30 -07:00
|
|
|
if (ret < 0) {
|
|
|
|
error = ret;
|
|
|
|
goto fail;
|
|
|
|
} else
|
|
|
|
cnx += ret;
|
|
|
|
}
|
|
|
|
|
2006-08-23 22:48:31 -07:00
|
|
|
/* found states are sorted for outbound processing */
|
|
|
|
if (npols > 1)
|
|
|
|
xfrm_state_sort(xfrm, tpp, cnx, family);
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
return cnx;
|
|
|
|
|
|
|
|
fail:
|
|
|
|
for (cnx--; cnx>=0; cnx--)
|
2006-08-23 22:48:31 -07:00
|
|
|
xfrm_state_put(tpp[cnx]);
|
2006-08-23 22:43:30 -07:00
|
|
|
return error;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
/* Check that the bundle accepts the flow and its components are
|
|
|
|
* still valid.
|
|
|
|
*/
|
|
|
|
|
|
|
|
static struct dst_entry *
|
|
|
|
xfrm_find_bundle(struct flowi *fl, struct xfrm_policy *policy, unsigned short family)
|
|
|
|
{
|
|
|
|
struct dst_entry *x;
|
|
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
x = afinfo->find_bundle(fl, policy);
|
|
|
|
xfrm_policy_put_afinfo(afinfo);
|
|
|
|
return x;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Allocate chain of dst_entry's, attach known xfrm's, calculate
|
|
|
|
* all the metrics... Shortly, bundle a bundle.
|
|
|
|
*/
|
|
|
|
|
|
|
|
static int
|
|
|
|
xfrm_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int nx,
|
|
|
|
struct flowi *fl, struct dst_entry **dst_p,
|
|
|
|
unsigned short family)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return -EINVAL;
|
|
|
|
err = afinfo->bundle_create(policy, xfrm, nx, fl, dst_p);
|
|
|
|
xfrm_policy_put_afinfo(afinfo);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int stale_bundle(struct dst_entry *dst);
|
|
|
|
|
|
|
|
/* Main function: finds/creates a bundle for given flow.
|
|
|
|
*
|
|
|
|
* At the moment we eat a raw IP route. Mostly to speed up lookups
|
|
|
|
* on interfaces with disabled IPsec.
|
|
|
|
*/
|
|
|
|
int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
|
|
|
|
struct sock *sk, int flags)
|
|
|
|
{
|
|
|
|
struct xfrm_policy *policy;
|
2006-08-23 22:43:30 -07:00
|
|
|
struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
|
|
|
|
int npols;
|
|
|
|
int pol_dead;
|
|
|
|
int xfrm_nr;
|
|
|
|
int pi;
|
2005-04-16 15:20:36 -07:00
|
|
|
struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
|
|
|
|
struct dst_entry *dst, *dst_orig = *dst_p;
|
|
|
|
int nx = 0;
|
|
|
|
int err;
|
|
|
|
u32 genid;
|
2006-02-21 13:37:35 -08:00
|
|
|
u16 family;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
|
2006-07-24 23:29:07 -07:00
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
restart:
|
|
|
|
genid = atomic_read(&flow_cache_genid);
|
|
|
|
policy = NULL;
|
2006-08-23 22:43:30 -07:00
|
|
|
for (pi = 0; pi < ARRAY_SIZE(pols); pi++)
|
|
|
|
pols[pi] = NULL;
|
|
|
|
npols = 0;
|
|
|
|
pol_dead = 0;
|
|
|
|
xfrm_nr = 0;
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
if (sk && sk->sk_policy[1])
|
2006-07-24 23:29:07 -07:00
|
|
|
policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (!policy) {
|
|
|
|
/* To accelerate a bit... */
|
2006-08-24 04:45:07 -07:00
|
|
|
if ((dst_orig->flags & DST_NOXFRM) ||
|
|
|
|
!xfrm_policy_count[XFRM_POLICY_OUT])
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
|
2006-07-24 23:29:07 -07:00
|
|
|
policy = flow_cache_lookup(fl, dst_orig->ops->family,
|
2006-02-21 13:37:35 -08:00
|
|
|
dir, xfrm_policy_lookup);
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
if (IS_ERR(policy))
|
|
|
|
return PTR_ERR(policy);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!policy)
|
|
|
|
return 0;
|
|
|
|
|
2006-02-21 13:37:35 -08:00
|
|
|
family = dst_orig->ops->family;
|
2005-04-16 15:20:36 -07:00
|
|
|
policy->curlft.use_time = (unsigned long)xtime.tv_sec;
|
2006-08-23 22:43:30 -07:00
|
|
|
pols[0] = policy;
|
|
|
|
npols ++;
|
|
|
|
xfrm_nr += pols[0]->xfrm_nr;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
switch (policy->action) {
|
|
|
|
case XFRM_POLICY_BLOCK:
|
|
|
|
/* Prohibit the flow */
|
2005-09-08 15:11:55 -07:00
|
|
|
err = -EPERM;
|
|
|
|
goto error;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
case XFRM_POLICY_ALLOW:
|
2006-08-23 22:43:30 -07:00
|
|
|
#ifndef CONFIG_XFRM_SUB_POLICY
|
2005-04-16 15:20:36 -07:00
|
|
|
if (policy->xfrm_nr == 0) {
|
|
|
|
/* Flow passes not transformed. */
|
|
|
|
xfrm_pol_put(policy);
|
|
|
|
return 0;
|
|
|
|
}
|
2006-08-23 22:43:30 -07:00
|
|
|
#endif
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
/* Try to find matching bundle.
|
|
|
|
*
|
|
|
|
* LATER: help from flow cache. It is optional, this
|
|
|
|
* is required only for output policy.
|
|
|
|
*/
|
|
|
|
dst = xfrm_find_bundle(fl, policy, family);
|
|
|
|
if (IS_ERR(dst)) {
|
2005-09-08 15:11:55 -07:00
|
|
|
err = PTR_ERR(dst);
|
|
|
|
goto error;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
if (dst)
|
|
|
|
break;
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
|
|
|
if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
|
|
|
|
pols[1] = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN,
|
|
|
|
fl, family,
|
|
|
|
XFRM_POLICY_OUT);
|
|
|
|
if (pols[1]) {
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
if (IS_ERR(pols[1])) {
|
|
|
|
err = PTR_ERR(pols[1]);
|
|
|
|
goto error;
|
|
|
|
}
|
2006-08-23 22:43:30 -07:00
|
|
|
if (pols[1]->action == XFRM_POLICY_BLOCK) {
|
|
|
|
err = -EPERM;
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
npols ++;
|
|
|
|
xfrm_nr += pols[1]->xfrm_nr;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Because neither flowi nor bundle information knows about
|
|
|
|
* transformation template size. On more than one policy usage
|
|
|
|
* we can realize whether all of them is bypass or not after
|
|
|
|
* they are searched. See above not-transformed bypass
|
|
|
|
* is surrounded by non-sub policy configuration, too.
|
|
|
|
*/
|
|
|
|
if (xfrm_nr == 0) {
|
|
|
|
/* Flow passes not transformed. */
|
|
|
|
xfrm_pols_put(pols, npols);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|
|
|
|
nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (unlikely(nx<0)) {
|
|
|
|
err = nx;
|
|
|
|
if (err == -EAGAIN && flags) {
|
|
|
|
DECLARE_WAITQUEUE(wait, current);
|
|
|
|
|
|
|
|
add_wait_queue(&km_waitq, &wait);
|
|
|
|
set_current_state(TASK_INTERRUPTIBLE);
|
|
|
|
schedule();
|
|
|
|
set_current_state(TASK_RUNNING);
|
|
|
|
remove_wait_queue(&km_waitq, &wait);
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (nx == -EAGAIN && signal_pending(current)) {
|
|
|
|
err = -ERESTART;
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
if (nx == -EAGAIN ||
|
|
|
|
genid != atomic_read(&flow_cache_genid)) {
|
2006-08-23 22:43:30 -07:00
|
|
|
xfrm_pols_put(pols, npols);
|
2005-04-16 15:20:36 -07:00
|
|
|
goto restart;
|
|
|
|
}
|
|
|
|
err = nx;
|
|
|
|
}
|
|
|
|
if (err < 0)
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
if (nx == 0) {
|
|
|
|
/* Flow passes not transformed. */
|
2006-08-23 22:43:30 -07:00
|
|
|
xfrm_pols_put(pols, npols);
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
dst = dst_orig;
|
|
|
|
err = xfrm_bundle_create(policy, xfrm, nx, fl, &dst, family);
|
|
|
|
|
|
|
|
if (unlikely(err)) {
|
|
|
|
int i;
|
|
|
|
for (i=0; i<nx; i++)
|
|
|
|
xfrm_state_put(xfrm[i]);
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
for (pi = 0; pi < npols; pi++) {
|
|
|
|
read_lock_bh(&pols[pi]->lock);
|
|
|
|
pol_dead |= pols[pi]->dead;
|
|
|
|
read_unlock_bh(&pols[pi]->lock);
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
write_lock_bh(&policy->lock);
|
2006-08-23 22:43:30 -07:00
|
|
|
if (unlikely(pol_dead || stale_bundle(dst))) {
|
2005-04-16 15:20:36 -07:00
|
|
|
/* Wow! While we worked on resolving, this
|
|
|
|
* policy has gone. Retry. It is not paranoia,
|
|
|
|
* we just cannot enlist new bundle to dead object.
|
|
|
|
* We can't enlist stable bundles either.
|
|
|
|
*/
|
|
|
|
write_unlock_bh(&policy->lock);
|
|
|
|
if (dst)
|
|
|
|
dst_free(dst);
|
[IPSEC]: Fix strange IPsec freeze.
Problem discovered and initial patch by Olaf Kirch:
there's a problem with IPsec that has been bugging some of our users
for the last couple of kernel revs. Every now and then, IPsec will
freeze the machine completely. This is with openswan user land,
and with kernels up to and including 2.6.16-rc2.
I managed to debug this a little, and what happens is that we end
up looping in xfrm_lookup, and never get out. With a bit of debug
printks added, I can this happening:
ip_route_output_flow calls xfrm_lookup
xfrm_find_bundle returns NULL (apparently we're in the
middle of negotiating a new SA or something)
We therefore call xfrm_tmpl_resolve. This returns EAGAIN
We go to sleep, waiting for a policy update.
Then we loop back to the top
Apparently, the dst_orig that was passed into xfrm_lookup
has been dropped from the routing table (obsolete=2)
This leads to the endless loop, because we now create
a new bundle, check the new bundle and find it's stale
(stale_bundle -> xfrm_bundle_ok -> dst_check() return 0)
People have been testing with the patch below, which seems to fix the
problem partially. They still see connection hangs however (things
only clear up when they start a new ping or new ssh). So the patch
is obvsiouly not sufficient, and something else seems to go wrong.
I'm grateful for any hints you may have...
I suggest that we simply bail out always. If the dst decides to die
on us later on, the packet will be dropped anyway. So there is no
great urgency to retry here. Once we have the proper resolution
queueing, we can then do the retry again.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Olaf Kirch <okir@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-02-13 16:01:27 -08:00
|
|
|
|
|
|
|
err = -EHOSTUNREACH;
|
|
|
|
goto error;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
dst->next = policy->bundles;
|
|
|
|
policy->bundles = dst;
|
|
|
|
dst_hold(dst);
|
|
|
|
write_unlock_bh(&policy->lock);
|
|
|
|
}
|
|
|
|
*dst_p = dst;
|
|
|
|
dst_release(dst_orig);
|
2006-08-23 22:43:30 -07:00
|
|
|
xfrm_pols_put(pols, npols);
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
error:
|
|
|
|
dst_release(dst_orig);
|
2006-08-23 22:43:30 -07:00
|
|
|
xfrm_pols_put(pols, npols);
|
2005-04-16 15:20:36 -07:00
|
|
|
*dst_p = NULL;
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_lookup);
|
|
|
|
|
2006-08-23 20:41:00 -07:00
|
|
|
static inline int
|
|
|
|
xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
|
|
|
|
{
|
|
|
|
struct xfrm_state *x;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (!skb->sp || idx < 0 || idx >= skb->sp->len)
|
|
|
|
return 0;
|
|
|
|
x = skb->sp->xvec[idx];
|
|
|
|
if (!x->type->reject)
|
|
|
|
return 0;
|
|
|
|
xfrm_state_hold(x);
|
|
|
|
err = x->type->reject(x, skb, fl);
|
|
|
|
xfrm_state_put(x);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
/* When skb is transformed back to its "native" form, we have to
|
|
|
|
* check policy restrictions. At the moment we make this in maximally
|
|
|
|
* stupid way. Shame on me. :-) Of course, connected sockets must
|
|
|
|
* have policy cached at them.
|
|
|
|
*/
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
|
|
|
|
unsigned short family)
|
|
|
|
{
|
|
|
|
if (xfrm_state_kern(x))
|
|
|
|
return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, family);
|
|
|
|
return x->id.proto == tmpl->id.proto &&
|
|
|
|
(x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
|
|
|
|
(x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
|
|
|
|
x->props.mode == tmpl->mode &&
|
2006-08-23 18:00:48 -07:00
|
|
|
((tmpl->aalgos & (1<<x->props.aalgo)) ||
|
|
|
|
!(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
|
2006-09-22 15:05:15 -07:00
|
|
|
!(x->props.mode != XFRM_MODE_TRANSPORT &&
|
|
|
|
xfrm_state_addr_cmp(tmpl, x, family));
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
2006-08-23 20:41:00 -07:00
|
|
|
/*
|
|
|
|
* 0 or more than 0 is returned when validation is succeeded (either bypass
|
|
|
|
* because of optional transport mode, or next index of the mathced secpath
|
|
|
|
* state with the template.
|
|
|
|
* -1 is returned when no matching template is found.
|
|
|
|
* Otherwise "-2 - errored_index" is returned.
|
|
|
|
*/
|
2005-04-16 15:20:36 -07:00
|
|
|
static inline int
|
|
|
|
xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
|
|
|
|
unsigned short family)
|
|
|
|
{
|
|
|
|
int idx = start;
|
|
|
|
|
|
|
|
if (tmpl->optional) {
|
2006-09-22 15:05:15 -07:00
|
|
|
if (tmpl->mode == XFRM_MODE_TRANSPORT)
|
2005-04-16 15:20:36 -07:00
|
|
|
return start;
|
|
|
|
} else
|
|
|
|
start = -1;
|
|
|
|
for (; idx < sp->len; idx++) {
|
2006-04-01 00:54:16 -08:00
|
|
|
if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
|
2005-04-16 15:20:36 -07:00
|
|
|
return ++idx;
|
2006-08-23 20:41:00 -07:00
|
|
|
if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
|
|
|
|
if (start == -1)
|
|
|
|
start = -2-idx;
|
2005-04-16 15:20:36 -07:00
|
|
|
break;
|
2006-08-23 20:41:00 -07:00
|
|
|
}
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
return start;
|
|
|
|
}
|
|
|
|
|
2006-01-06 23:04:54 -08:00
|
|
|
int
|
|
|
|
xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
|
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
2006-07-24 23:29:07 -07:00
|
|
|
int err;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return -EAFNOSUPPORT;
|
|
|
|
|
|
|
|
afinfo->decode_session(skb, fl);
|
2006-08-04 23:12:42 -07:00
|
|
|
err = security_xfrm_decode_session(skb, &fl->secid);
|
2005-04-16 15:20:36 -07:00
|
|
|
xfrm_policy_put_afinfo(afinfo);
|
2006-07-24 23:29:07 -07:00
|
|
|
return err;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
2006-01-06 23:04:54 -08:00
|
|
|
EXPORT_SYMBOL(xfrm_decode_session);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2006-08-23 20:41:00 -07:00
|
|
|
static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
|
|
|
for (; k < sp->len; k++) {
|
2006-08-23 20:41:00 -07:00
|
|
|
if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
|
2006-09-01 00:32:12 -07:00
|
|
|
*idxp = k;
|
2005-04-16 15:20:36 -07:00
|
|
|
return 1;
|
2006-08-23 20:41:00 -07:00
|
|
|
}
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
|
|
|
|
unsigned short family)
|
|
|
|
{
|
|
|
|
struct xfrm_policy *pol;
|
2006-08-23 22:43:30 -07:00
|
|
|
struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
|
|
|
|
int npols = 0;
|
|
|
|
int xfrm_nr;
|
|
|
|
int pi;
|
2005-04-16 15:20:36 -07:00
|
|
|
struct flowi fl;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-13 23:12:27 -08:00
|
|
|
u8 fl_dir = policy_to_flow_dir(dir);
|
2006-08-23 20:41:00 -07:00
|
|
|
int xerr_idx = -1;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2006-01-06 23:04:54 -08:00
|
|
|
if (xfrm_decode_session(skb, &fl, family) < 0)
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
2006-01-06 23:06:30 -08:00
|
|
|
nf_nat_decode_session(skb, &fl, family);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
/* First, check used SA against their selectors. */
|
|
|
|
if (skb->sp) {
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i=skb->sp->len-1; i>=0; i--) {
|
2006-04-01 00:54:16 -08:00
|
|
|
struct xfrm_state *x = skb->sp->xvec[i];
|
|
|
|
if (!xfrm_selector_match(&x->sel, &fl, family))
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
pol = NULL;
|
|
|
|
if (sk && sk->sk_policy[dir])
|
2006-07-24 23:29:07 -07:00
|
|
|
pol = xfrm_sk_policy_lookup(sk, dir, &fl);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
if (!pol)
|
2006-07-24 23:29:07 -07:00
|
|
|
pol = flow_cache_lookup(&fl, family, fl_dir,
|
2005-04-16 15:20:36 -07:00
|
|
|
xfrm_policy_lookup);
|
|
|
|
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
if (IS_ERR(pol))
|
|
|
|
return 0;
|
|
|
|
|
2006-08-23 20:41:00 -07:00
|
|
|
if (!pol) {
|
2006-09-01 00:32:12 -07:00
|
|
|
if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) {
|
2006-08-23 20:41:00 -07:00
|
|
|
xfrm_secpath_reject(xerr_idx, skb, &fl);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
pol->curlft.use_time = (unsigned long)xtime.tv_sec;
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
pols[0] = pol;
|
|
|
|
npols ++;
|
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
|
|
|
if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
|
|
|
|
pols[1] = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN,
|
|
|
|
&fl, family,
|
|
|
|
XFRM_POLICY_IN);
|
|
|
|
if (pols[1]) {
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:27 -05:00
|
|
|
if (IS_ERR(pols[1]))
|
|
|
|
return 0;
|
2006-08-23 22:43:30 -07:00
|
|
|
pols[1]->curlft.use_time = (unsigned long)xtime.tv_sec;
|
|
|
|
npols ++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
if (pol->action == XFRM_POLICY_ALLOW) {
|
|
|
|
struct sec_path *sp;
|
|
|
|
static struct sec_path dummy;
|
2006-08-23 22:43:30 -07:00
|
|
|
struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
|
2006-08-23 22:48:31 -07:00
|
|
|
struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
|
2006-08-23 22:43:30 -07:00
|
|
|
struct xfrm_tmpl **tpp = tp;
|
|
|
|
int ti = 0;
|
2005-04-16 15:20:36 -07:00
|
|
|
int i, k;
|
|
|
|
|
|
|
|
if ((sp = skb->sp) == NULL)
|
|
|
|
sp = &dummy;
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
for (pi = 0; pi < npols; pi++) {
|
|
|
|
if (pols[pi] != pol &&
|
|
|
|
pols[pi]->action != XFRM_POLICY_ALLOW)
|
|
|
|
goto reject;
|
|
|
|
if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH)
|
|
|
|
goto reject_error;
|
|
|
|
for (i = 0; i < pols[pi]->xfrm_nr; i++)
|
|
|
|
tpp[ti++] = &pols[pi]->xfrm_vec[i];
|
|
|
|
}
|
|
|
|
xfrm_nr = ti;
|
2006-08-23 22:48:31 -07:00
|
|
|
if (npols > 1) {
|
|
|
|
xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
|
|
|
|
tpp = stp;
|
|
|
|
}
|
2006-08-23 22:43:30 -07:00
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
/* For each tunnel xfrm, find the first matching tmpl.
|
|
|
|
* For each tmpl before that, find corresponding xfrm.
|
|
|
|
* Order is _important_. Later we will implement
|
|
|
|
* some barriers, but at the moment barriers
|
|
|
|
* are implied between each two transformations.
|
|
|
|
*/
|
2006-08-23 22:43:30 -07:00
|
|
|
for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
|
|
|
|
k = xfrm_policy_ok(tpp[i], sp, k, family);
|
2006-08-23 20:41:00 -07:00
|
|
|
if (k < 0) {
|
2006-09-01 00:32:12 -07:00
|
|
|
if (k < -1)
|
|
|
|
/* "-2 - errored_index" returned */
|
|
|
|
xerr_idx = -(2+k);
|
2005-04-16 15:20:36 -07:00
|
|
|
goto reject;
|
2006-08-23 20:41:00 -07:00
|
|
|
}
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
2006-09-01 00:32:12 -07:00
|
|
|
if (secpath_has_nontransport(sp, k, &xerr_idx))
|
2005-04-16 15:20:36 -07:00
|
|
|
goto reject;
|
|
|
|
|
2006-08-23 22:43:30 -07:00
|
|
|
xfrm_pols_put(pols, npols);
|
2005-04-16 15:20:36 -07:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
reject:
|
2006-08-23 20:41:00 -07:00
|
|
|
xfrm_secpath_reject(xerr_idx, skb, &fl);
|
2006-08-23 22:43:30 -07:00
|
|
|
reject_error:
|
|
|
|
xfrm_pols_put(pols, npols);
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(__xfrm_policy_check);
|
|
|
|
|
|
|
|
int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
|
|
|
|
{
|
|
|
|
struct flowi fl;
|
|
|
|
|
2006-01-06 23:04:54 -08:00
|
|
|
if (xfrm_decode_session(skb, &fl, family) < 0)
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(__xfrm_route_forward);
|
|
|
|
|
2006-08-13 18:55:53 -07:00
|
|
|
/* Optimize later using cookies and generation ids. */
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
|
|
|
|
{
|
2006-08-13 18:55:53 -07:00
|
|
|
/* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
|
|
|
|
* to "-1" to force all XFRM destinations to get validated by
|
|
|
|
* dst_ops->check on every use. We do this because when a
|
|
|
|
* normal route referenced by an XFRM dst is obsoleted we do
|
|
|
|
* not go looking around for all parent referencing XFRM dsts
|
|
|
|
* so that we can invalidate them. It is just too much work.
|
|
|
|
* Instead we make the checks here on every use. For example:
|
|
|
|
*
|
|
|
|
* XFRM dst A --> IPv4 dst X
|
|
|
|
*
|
|
|
|
* X is the "xdst->route" of A (X is also the "dst->path" of A
|
|
|
|
* in this example). If X is marked obsolete, "A" will not
|
|
|
|
* notice. That's what we are validating here via the
|
|
|
|
* stale_bundle() check.
|
|
|
|
*
|
|
|
|
* When a policy's bundle is pruned, we dst_free() the XFRM
|
|
|
|
* dst which causes it's ->obsolete field to be set to a
|
|
|
|
* positive non-zero integer. If an XFRM dst has been pruned
|
|
|
|
* like this, we want to force a new route lookup.
|
2005-12-19 14:23:23 -08:00
|
|
|
*/
|
2006-08-13 18:55:53 -07:00
|
|
|
if (dst->obsolete < 0 && !stale_bundle(dst))
|
|
|
|
return dst;
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int stale_bundle(struct dst_entry *dst)
|
|
|
|
{
|
IPsec: correct semantics for SELinux policy matching
Currently when an IPSec policy rule doesn't specify a security
context, it is assumed to be "unlabeled" by SELinux, and so
the IPSec policy rule fails to match to a flow that it would
otherwise match to, unless one has explicitly added an SELinux
policy rule allowing the flow to "polmatch" to the "unlabeled"
IPSec policy rules. In the absence of such an explicitly added
SELinux policy rule, the IPSec policy rule fails to match and
so the packet(s) flow in clear text without the otherwise applicable
xfrm(s) applied.
The above SELinux behavior violates the SELinux security notion of
"deny by default" which should actually translate to "encrypt by
default" in the above case.
This was first reported by Evgeniy Polyakov and the way James Morris
was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
With this patch applied, SELinux "polmatching" of flows Vs. IPSec
policy rules will only come into play when there's a explicit context
specified for the IPSec policy rule (which also means there's corresponding
SELinux policy allowing appropriate domains/flows to polmatch to this context).
Secondly, when a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return errors other than access denied,
such as -EINVAL. We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The solution for this is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
This patch: Fix the selinux side of things.
This makes sure SELinux polmatching of flow contexts to IPSec policy
rules comes into play only when an explicit context is associated
with the IPSec policy rule.
Also, this no longer defaults the context of a socket policy to
the context of the socket since the "no explicit context" case
is now handled properly.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:18 -05:00
|
|
|
return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
2005-05-03 16:27:10 -07:00
|
|
|
void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
|
|
|
while ((dst = dst->child) && dst->xfrm && dst->dev == dev) {
|
|
|
|
dst->dev = &loopback_dev;
|
|
|
|
dev_hold(&loopback_dev);
|
|
|
|
dev_put(dev);
|
|
|
|
}
|
|
|
|
}
|
2005-05-03 16:27:10 -07:00
|
|
|
EXPORT_SYMBOL(xfrm_dst_ifdown);
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
static void xfrm_link_failure(struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
/* Impossible. Such dst must be popped before reaches point of failure. */
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
|
|
|
|
{
|
|
|
|
if (dst) {
|
|
|
|
if (dst->obsolete) {
|
|
|
|
dst_release(dst);
|
|
|
|
dst = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return dst;
|
|
|
|
}
|
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
static void prune_one_bundle(struct xfrm_policy *pol, int (*func)(struct dst_entry *), struct dst_entry **gc_list_p)
|
|
|
|
{
|
|
|
|
struct dst_entry *dst, **dstp;
|
|
|
|
|
|
|
|
write_lock(&pol->lock);
|
|
|
|
dstp = &pol->bundles;
|
|
|
|
while ((dst=*dstp) != NULL) {
|
|
|
|
if (func(dst)) {
|
|
|
|
*dstp = dst->next;
|
|
|
|
dst->next = *gc_list_p;
|
|
|
|
*gc_list_p = dst;
|
|
|
|
} else {
|
|
|
|
dstp = &dst->next;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
write_unlock(&pol->lock);
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
static void xfrm_prune_bundles(int (*func)(struct dst_entry *))
|
|
|
|
{
|
2006-08-24 04:45:07 -07:00
|
|
|
struct dst_entry *gc_list = NULL;
|
|
|
|
int dir;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
read_lock_bh(&xfrm_policy_lock);
|
2006-08-24 04:45:07 -07:00
|
|
|
for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
|
|
|
|
struct xfrm_policy *pol;
|
|
|
|
struct hlist_node *entry;
|
|
|
|
struct hlist_head *table;
|
|
|
|
int i;
|
2006-08-23 22:43:30 -07:00
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
hlist_for_each_entry(pol, entry,
|
|
|
|
&xfrm_policy_inexact[dir], bydst)
|
|
|
|
prune_one_bundle(pol, func, &gc_list);
|
|
|
|
|
|
|
|
table = xfrm_policy_bydst[dir].table;
|
|
|
|
for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
|
|
|
|
hlist_for_each_entry(pol, entry, table + i, bydst)
|
|
|
|
prune_one_bundle(pol, func, &gc_list);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
read_unlock_bh(&xfrm_policy_lock);
|
|
|
|
|
|
|
|
while (gc_list) {
|
2006-08-24 04:45:07 -07:00
|
|
|
struct dst_entry *dst = gc_list;
|
2005-04-16 15:20:36 -07:00
|
|
|
gc_list = dst->next;
|
|
|
|
dst_free(dst);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static int unused_bundle(struct dst_entry *dst)
|
|
|
|
{
|
|
|
|
return !atomic_read(&dst->__refcnt);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __xfrm_garbage_collect(void)
|
|
|
|
{
|
|
|
|
xfrm_prune_bundles(unused_bundle);
|
|
|
|
}
|
|
|
|
|
2006-08-24 03:30:28 -07:00
|
|
|
static int xfrm_flush_bundles(void)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
|
|
|
xfrm_prune_bundles(stale_bundle);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
void xfrm_init_pmtu(struct dst_entry *dst)
|
|
|
|
{
|
|
|
|
do {
|
|
|
|
struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
|
|
|
|
u32 pmtu, route_mtu_cached;
|
|
|
|
|
|
|
|
pmtu = dst_mtu(dst->child);
|
|
|
|
xdst->child_mtu_cached = pmtu;
|
|
|
|
|
|
|
|
pmtu = xfrm_state_mtu(dst->xfrm, pmtu);
|
|
|
|
|
|
|
|
route_mtu_cached = dst_mtu(xdst->route);
|
|
|
|
xdst->route_mtu_cached = route_mtu_cached;
|
|
|
|
|
|
|
|
if (pmtu > route_mtu_cached)
|
|
|
|
pmtu = route_mtu_cached;
|
|
|
|
|
|
|
|
dst->metrics[RTAX_MTU-1] = pmtu;
|
|
|
|
} while ((dst = dst->next));
|
|
|
|
}
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(xfrm_init_pmtu);
|
|
|
|
|
|
|
|
/* Check that the bundle accepts the flow and its components are
|
|
|
|
* still valid.
|
|
|
|
*/
|
|
|
|
|
IPsec: correct semantics for SELinux policy matching
Currently when an IPSec policy rule doesn't specify a security
context, it is assumed to be "unlabeled" by SELinux, and so
the IPSec policy rule fails to match to a flow that it would
otherwise match to, unless one has explicitly added an SELinux
policy rule allowing the flow to "polmatch" to the "unlabeled"
IPSec policy rules. In the absence of such an explicitly added
SELinux policy rule, the IPSec policy rule fails to match and
so the packet(s) flow in clear text without the otherwise applicable
xfrm(s) applied.
The above SELinux behavior violates the SELinux security notion of
"deny by default" which should actually translate to "encrypt by
default" in the above case.
This was first reported by Evgeniy Polyakov and the way James Morris
was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
With this patch applied, SELinux "polmatching" of flows Vs. IPSec
policy rules will only come into play when there's a explicit context
specified for the IPSec policy rule (which also means there's corresponding
SELinux policy allowing appropriate domains/flows to polmatch to this context).
Secondly, when a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return errors other than access denied,
such as -EINVAL. We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The solution for this is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
This patch: Fix the selinux side of things.
This makes sure SELinux polmatching of flow contexts to IPSec policy
rules comes into play only when an explicit context is associated
with the IPSec policy rule.
Also, this no longer defaults the context of a socket policy to
the context of the socket since the "no explicit context" case
is now handled properly.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:18 -05:00
|
|
|
int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
|
|
|
|
struct flowi *fl, int family, int strict)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
|
|
|
struct dst_entry *dst = &first->u.dst;
|
|
|
|
struct xfrm_dst *last;
|
|
|
|
u32 mtu;
|
|
|
|
|
2005-05-26 12:58:04 -07:00
|
|
|
if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
|
2005-04-16 15:20:36 -07:00
|
|
|
(dst->dev && !netif_running(dst->dev)))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
last = NULL;
|
|
|
|
|
|
|
|
do {
|
|
|
|
struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
|
|
|
|
|
|
|
|
if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
|
|
|
|
return 0;
|
IPsec: correct semantics for SELinux policy matching
Currently when an IPSec policy rule doesn't specify a security
context, it is assumed to be "unlabeled" by SELinux, and so
the IPSec policy rule fails to match to a flow that it would
otherwise match to, unless one has explicitly added an SELinux
policy rule allowing the flow to "polmatch" to the "unlabeled"
IPSec policy rules. In the absence of such an explicitly added
SELinux policy rule, the IPSec policy rule fails to match and
so the packet(s) flow in clear text without the otherwise applicable
xfrm(s) applied.
The above SELinux behavior violates the SELinux security notion of
"deny by default" which should actually translate to "encrypt by
default" in the above case.
This was first reported by Evgeniy Polyakov and the way James Morris
was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
With this patch applied, SELinux "polmatching" of flows Vs. IPSec
policy rules will only come into play when there's a explicit context
specified for the IPSec policy rule (which also means there's corresponding
SELinux policy allowing appropriate domains/flows to polmatch to this context).
Secondly, when a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return errors other than access denied,
such as -EINVAL. We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The solution for this is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
This patch: Fix the selinux side of things.
This makes sure SELinux polmatching of flow contexts to IPSec policy
rules comes into play only when an explicit context is associated
with the IPSec policy rule.
Also, this no longer defaults the context of a socket policy to
the context of the socket since the "no explicit context" case
is now handled properly.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 15:42:18 -05:00
|
|
|
if (fl && !security_xfrm_flow_state_match(fl, dst->xfrm, pol))
|
2006-07-24 23:29:07 -07:00
|
|
|
return 0;
|
2005-04-16 15:20:36 -07:00
|
|
|
if (dst->xfrm->km.state != XFRM_STATE_VALID)
|
|
|
|
return 0;
|
2006-08-24 03:18:09 -07:00
|
|
|
if (xdst->genid != dst->xfrm->genid)
|
|
|
|
return 0;
|
2006-08-23 19:12:01 -07:00
|
|
|
|
|
|
|
if (strict && fl && dst->xfrm->props.mode != XFRM_MODE_TUNNEL &&
|
|
|
|
!xfrm_state_addr_flow_check(dst->xfrm, fl, family))
|
|
|
|
return 0;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
mtu = dst_mtu(dst->child);
|
|
|
|
if (xdst->child_mtu_cached != mtu) {
|
|
|
|
last = xdst;
|
|
|
|
xdst->child_mtu_cached = mtu;
|
|
|
|
}
|
|
|
|
|
2005-05-26 12:58:04 -07:00
|
|
|
if (!dst_check(xdst->route, xdst->route_cookie))
|
2005-04-16 15:20:36 -07:00
|
|
|
return 0;
|
|
|
|
mtu = dst_mtu(xdst->route);
|
|
|
|
if (xdst->route_mtu_cached != mtu) {
|
|
|
|
last = xdst;
|
|
|
|
xdst->route_mtu_cached = mtu;
|
|
|
|
}
|
|
|
|
|
|
|
|
dst = dst->child;
|
|
|
|
} while (dst->xfrm);
|
|
|
|
|
|
|
|
if (likely(!last))
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
mtu = last->child_mtu_cached;
|
|
|
|
for (;;) {
|
|
|
|
dst = &last->u.dst;
|
|
|
|
|
|
|
|
mtu = xfrm_state_mtu(dst->xfrm, mtu);
|
|
|
|
if (mtu > last->route_mtu_cached)
|
|
|
|
mtu = last->route_mtu_cached;
|
|
|
|
dst->metrics[RTAX_MTU-1] = mtu;
|
|
|
|
|
|
|
|
if (last == first)
|
|
|
|
break;
|
|
|
|
|
|
|
|
last = last->u.next;
|
|
|
|
last->child_mtu_cached = mtu;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(xfrm_bundle_ok);
|
|
|
|
|
|
|
|
int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
|
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return -EINVAL;
|
|
|
|
if (unlikely(afinfo->family >= NPROTO))
|
|
|
|
return -EAFNOSUPPORT;
|
2006-04-28 15:32:29 -07:00
|
|
|
write_lock_bh(&xfrm_policy_afinfo_lock);
|
2005-04-16 15:20:36 -07:00
|
|
|
if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
|
|
|
|
err = -ENOBUFS;
|
|
|
|
else {
|
|
|
|
struct dst_ops *dst_ops = afinfo->dst_ops;
|
|
|
|
if (likely(dst_ops->kmem_cachep == NULL))
|
|
|
|
dst_ops->kmem_cachep = xfrm_dst_cache;
|
|
|
|
if (likely(dst_ops->check == NULL))
|
|
|
|
dst_ops->check = xfrm_dst_check;
|
|
|
|
if (likely(dst_ops->negative_advice == NULL))
|
|
|
|
dst_ops->negative_advice = xfrm_negative_advice;
|
|
|
|
if (likely(dst_ops->link_failure == NULL))
|
|
|
|
dst_ops->link_failure = xfrm_link_failure;
|
|
|
|
if (likely(afinfo->garbage_collect == NULL))
|
|
|
|
afinfo->garbage_collect = __xfrm_garbage_collect;
|
|
|
|
xfrm_policy_afinfo[afinfo->family] = afinfo;
|
|
|
|
}
|
2006-04-28 15:32:29 -07:00
|
|
|
write_unlock_bh(&xfrm_policy_afinfo_lock);
|
2005-04-16 15:20:36 -07:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_register_afinfo);
|
|
|
|
|
|
|
|
int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
|
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
return -EINVAL;
|
|
|
|
if (unlikely(afinfo->family >= NPROTO))
|
|
|
|
return -EAFNOSUPPORT;
|
2006-04-28 15:32:29 -07:00
|
|
|
write_lock_bh(&xfrm_policy_afinfo_lock);
|
2005-04-16 15:20:36 -07:00
|
|
|
if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
|
|
|
|
if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
|
|
|
|
err = -EINVAL;
|
|
|
|
else {
|
|
|
|
struct dst_ops *dst_ops = afinfo->dst_ops;
|
|
|
|
xfrm_policy_afinfo[afinfo->family] = NULL;
|
|
|
|
dst_ops->kmem_cachep = NULL;
|
|
|
|
dst_ops->check = NULL;
|
|
|
|
dst_ops->negative_advice = NULL;
|
|
|
|
dst_ops->link_failure = NULL;
|
|
|
|
afinfo->garbage_collect = NULL;
|
|
|
|
}
|
|
|
|
}
|
2006-04-28 15:32:29 -07:00
|
|
|
write_unlock_bh(&xfrm_policy_afinfo_lock);
|
2005-04-16 15:20:36 -07:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
|
|
|
|
|
|
|
|
static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
|
|
|
|
{
|
|
|
|
struct xfrm_policy_afinfo *afinfo;
|
|
|
|
if (unlikely(family >= NPROTO))
|
|
|
|
return NULL;
|
|
|
|
read_lock(&xfrm_policy_afinfo_lock);
|
|
|
|
afinfo = xfrm_policy_afinfo[family];
|
2006-05-27 23:03:58 -07:00
|
|
|
if (unlikely(!afinfo))
|
|
|
|
read_unlock(&xfrm_policy_afinfo_lock);
|
2005-04-16 15:20:36 -07:00
|
|
|
return afinfo;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
|
|
|
|
{
|
2006-05-27 23:03:58 -07:00
|
|
|
read_unlock(&xfrm_policy_afinfo_lock);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family)
|
|
|
|
{
|
|
|
|
struct xfrm_policy_afinfo *afinfo;
|
|
|
|
if (unlikely(family >= NPROTO))
|
|
|
|
return NULL;
|
|
|
|
write_lock_bh(&xfrm_policy_afinfo_lock);
|
|
|
|
afinfo = xfrm_policy_afinfo[family];
|
|
|
|
if (unlikely(!afinfo))
|
|
|
|
write_unlock_bh(&xfrm_policy_afinfo_lock);
|
|
|
|
return afinfo;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo)
|
|
|
|
{
|
|
|
|
write_unlock_bh(&xfrm_policy_afinfo_lock);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
|
|
|
|
{
|
|
|
|
switch (event) {
|
|
|
|
case NETDEV_DOWN:
|
|
|
|
xfrm_flush_bundles();
|
|
|
|
}
|
|
|
|
return NOTIFY_DONE;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct notifier_block xfrm_dev_notifier = {
|
|
|
|
xfrm_dev_event,
|
|
|
|
NULL,
|
|
|
|
0
|
|
|
|
};
|
|
|
|
|
|
|
|
static void __init xfrm_policy_init(void)
|
|
|
|
{
|
2006-08-24 04:45:07 -07:00
|
|
|
unsigned int hmask, sz;
|
|
|
|
int dir;
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
|
|
|
|
sizeof(struct xfrm_dst),
|
2006-08-26 19:25:52 -07:00
|
|
|
0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
|
2005-04-16 15:20:36 -07:00
|
|
|
NULL, NULL);
|
|
|
|
|
2006-08-24 04:45:07 -07:00
|
|
|
hmask = 8 - 1;
|
|
|
|
sz = (hmask+1) * sizeof(struct hlist_head);
|
|
|
|
|
2006-08-24 04:50:50 -07:00
|
|
|
xfrm_policy_byidx = xfrm_hash_alloc(sz);
|
2006-08-24 04:45:07 -07:00
|
|
|
xfrm_idx_hmask = hmask;
|
|
|
|
if (!xfrm_policy_byidx)
|
|
|
|
panic("XFRM: failed to allocate byidx hash\n");
|
|
|
|
|
|
|
|
for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
|
|
|
|
struct xfrm_policy_hash *htab;
|
|
|
|
|
|
|
|
INIT_HLIST_HEAD(&xfrm_policy_inexact[dir]);
|
|
|
|
|
|
|
|
htab = &xfrm_policy_bydst[dir];
|
2006-08-24 04:50:50 -07:00
|
|
|
htab->table = xfrm_hash_alloc(sz);
|
2006-08-24 04:45:07 -07:00
|
|
|
htab->hmask = hmask;
|
|
|
|
if (!htab->table)
|
|
|
|
panic("XFRM: failed to allocate bydst hash\n");
|
|
|
|
}
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
INIT_WORK(&xfrm_policy_gc_work, xfrm_policy_gc_task, NULL);
|
|
|
|
register_netdevice_notifier(&xfrm_dev_notifier);
|
|
|
|
}
|
|
|
|
|
|
|
|
void __init xfrm_init(void)
|
|
|
|
{
|
|
|
|
xfrm_state_init();
|
|
|
|
xfrm_policy_init();
|
|
|
|
xfrm_input_init();
|
|
|
|
}
|
|
|
|
|