1
2
3
4
5
6
7#ifndef _SELINUX_XFRM_H_
8#define _SELINUX_XFRM_H_
9
10#include <net/flow.h>
11
12int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
13 struct xfrm_user_sec_ctx *sec_ctx);
14int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
15 struct xfrm_sec_ctx **new_ctxp);
16void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
17int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
18int selinux_xfrm_state_alloc(struct xfrm_state *x,
19 struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
20void selinux_xfrm_state_free(struct xfrm_state *x);
21int selinux_xfrm_state_delete(struct xfrm_state *x);
22int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
23int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
24 struct xfrm_policy *xp, const struct flowi *fl);
25
26
27
28
29static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
30{
31 if (!sk->sk_socket)
32 return NULL;
33
34 return SOCK_INODE(sk->sk_socket)->i_security;
35}
36
37#ifdef CONFIG_SECURITY_NETWORK_XFRM
38extern atomic_t selinux_xfrm_refcount;
39
40static inline int selinux_xfrm_enabled(void)
41{
42 return (atomic_read(&selinux_xfrm_refcount) > 0);
43}
44
45int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
46 struct common_audit_data *ad);
47int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
48 struct common_audit_data *ad, u8 proto);
49int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
50
51static inline void selinux_xfrm_notify_policyload(void)
52{
53 atomic_inc(&flow_cache_genid);
54 rt_genid_bump(&init_net);
55}
56#else
57static inline int selinux_xfrm_enabled(void)
58{
59 return 0;
60}
61
62static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
63 struct common_audit_data *ad)
64{
65 return 0;
66}
67
68static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
69 struct common_audit_data *ad, u8 proto)
70{
71 return 0;
72}
73
74static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
75{
76 *sid = SECSID_NULL;
77 return 0;
78}
79
80static inline void selinux_xfrm_notify_policyload(void)
81{
82}
83#endif
84
85static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
86{
87 int err = selinux_xfrm_decode_session(skb, sid, 0);
88 BUG_ON(err);
89}
90
91#endif
92