55 lines
1.5 KiB
C
55 lines
1.5 KiB
C
|
/*
|
||
|
* SELinux support for the XFRM LSM hooks
|
||
|
*
|
||
|
* Author : Trent Jaeger, <jaegert@us.ibm.com>
|
||
|
*/
|
||
|
#ifndef _SELINUX_XFRM_H_
|
||
|
#define _SELINUX_XFRM_H_
|
||
|
|
||
|
int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
|
||
|
int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
|
||
|
void selinux_xfrm_policy_free(struct xfrm_policy *xp);
|
||
|
int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
|
||
|
void selinux_xfrm_state_free(struct xfrm_state *x);
|
||
|
int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
|
||
|
|
||
|
/*
|
||
|
* Extract the security blob from the sock (it's actually on the socket)
|
||
|
*/
|
||
|
static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
|
||
|
{
|
||
|
if (!sk->sk_socket)
|
||
|
return NULL;
|
||
|
|
||
|
return SOCK_INODE(sk->sk_socket)->i_security;
|
||
|
}
|
||
|
|
||
|
|
||
|
static inline u32 selinux_no_sk_sid(struct flowi *fl)
|
||
|
{
|
||
|
/* NOTE: no sock occurs on ICMP reply, forwards, ... */
|
||
|
/* icmp_reply: authorize as kernel packet */
|
||
|
if (fl && fl->proto == IPPROTO_ICMP) {
|
||
|
return SECINITSID_KERNEL;
|
||
|
}
|
||
|
|
||
|
return SECINITSID_ANY_SOCKET;
|
||
|
}
|
||
|
|
||
|
#ifdef CONFIG_SECURITY_NETWORK_XFRM
|
||
|
int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb);
|
||
|
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb);
|
||
|
#else
|
||
|
static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
|
||
|
{
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
|
||
|
{
|
||
|
return NF_ACCEPT;
|
||
|
}
|
||
|
#endif
|
||
|
|
||
|
#endif /* _SELINUX_XFRM_H_ */
|