2005-04-17 05:20:36 +07:00
|
|
|
#ifndef _LINUX_XFRM_H
|
|
|
|
#define _LINUX_XFRM_H
|
|
|
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
|
|
|
/* All of the structures in this file may not change size as they are
|
|
|
|
* passed into the kernel from userspace via netlink sockets.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Structure to encapsulate addresses. I do not want to use
|
|
|
|
* "standard" structure. My apologies.
|
|
|
|
*/
|
2009-11-05 00:50:58 +07:00
|
|
|
typedef union {
|
2006-09-28 08:46:48 +07:00
|
|
|
__be32 a4;
|
|
|
|
__be32 a6[4];
|
2005-04-17 05:20:36 +07:00
|
|
|
} xfrm_address_t;
|
|
|
|
|
|
|
|
/* Ident of a specific xfrm_state. It is used on input to lookup
|
|
|
|
* the state by (spi,daddr,ah/esp) or to store information about
|
|
|
|
* spi, protocol and tunnel address on output.
|
|
|
|
*/
|
2009-11-05 00:50:58 +07:00
|
|
|
struct xfrm_id {
|
2005-04-17 05:20:36 +07:00
|
|
|
xfrm_address_t daddr;
|
2006-09-28 08:47:40 +07:00
|
|
|
__be32 spi;
|
2005-04-17 05:20:36 +07:00
|
|
|
__u8 proto;
|
|
|
|
};
|
|
|
|
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 14:12:27 +07:00
|
|
|
struct xfrm_sec_ctx {
|
|
|
|
__u8 ctx_doi;
|
|
|
|
__u8 ctx_alg;
|
|
|
|
__u16 ctx_len;
|
|
|
|
__u32 ctx_sid;
|
|
|
|
char ctx_str[0];
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Security Context Domains of Interpretation */
|
|
|
|
#define XFRM_SC_DOI_RESERVED 0
|
|
|
|
#define XFRM_SC_DOI_LSM 1
|
|
|
|
|
|
|
|
/* Security Context Algorithms */
|
|
|
|
#define XFRM_SC_ALG_RESERVED 0
|
|
|
|
#define XFRM_SC_ALG_SELINUX 1
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Selector, used as selector both on policy rules (SPD) and SAs. */
|
|
|
|
|
2009-11-05 00:50:58 +07:00
|
|
|
struct xfrm_selector {
|
2005-04-17 05:20:36 +07:00
|
|
|
xfrm_address_t daddr;
|
|
|
|
xfrm_address_t saddr;
|
2006-09-28 08:46:11 +07:00
|
|
|
__be16 dport;
|
|
|
|
__be16 dport_mask;
|
|
|
|
__be16 sport;
|
|
|
|
__be16 sport_mask;
|
2005-04-17 05:20:36 +07:00
|
|
|
__u16 family;
|
|
|
|
__u8 prefixlen_d;
|
|
|
|
__u8 prefixlen_s;
|
|
|
|
__u8 proto;
|
|
|
|
int ifindex;
|
make exported headers use strict posix types
A number of standard posix types are used in exported headers, which
is not allowed if __STRICT_KERNEL_NAMES is defined. In order to
get rid of the non-__STRICT_KERNEL_NAMES part and to make sane headers
the default, we have to change them all to safe types.
There are also still some leftovers in reiserfs_fs.h, elfcore.h
and coda.h, but these files have not compiled in user space for
a long time.
This leaves out the various integer types ({u_,u,}int{8,16,32,64}_t),
which we take care of separately.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Cc: David Airlie <airlied@linux.ie>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Cc: netdev@vger.kernel.org
Cc: linux-ppp@vger.kernel.org
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2009-02-26 06:51:39 +07:00
|
|
|
__kernel_uid32_t user;
|
2005-04-17 05:20:36 +07:00
|
|
|
};
|
|
|
|
|
|
|
|
#define XFRM_INF (~(__u64)0)
|
|
|
|
|
2009-11-05 00:50:58 +07:00
|
|
|
struct xfrm_lifetime_cfg {
|
2005-04-17 05:20:36 +07:00
|
|
|
__u64 soft_byte_limit;
|
|
|
|
__u64 hard_byte_limit;
|
|
|
|
__u64 soft_packet_limit;
|
|
|
|
__u64 hard_packet_limit;
|
|
|
|
__u64 soft_add_expires_seconds;
|
|
|
|
__u64 hard_add_expires_seconds;
|
|
|
|
__u64 soft_use_expires_seconds;
|
|
|
|
__u64 hard_use_expires_seconds;
|
|
|
|
};
|
|
|
|
|
2009-11-05 00:50:58 +07:00
|
|
|
struct xfrm_lifetime_cur {
|
2005-04-17 05:20:36 +07:00
|
|
|
__u64 bytes;
|
|
|
|
__u64 packets;
|
|
|
|
__u64 add_time;
|
|
|
|
__u64 use_time;
|
|
|
|
};
|
|
|
|
|
2009-11-05 00:50:58 +07:00
|
|
|
struct xfrm_replay_state {
|
2005-04-17 05:20:36 +07:00
|
|
|
__u32 oseq;
|
|
|
|
__u32 seq;
|
|
|
|
__u32 bitmap;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_algo {
|
2008-01-13 12:31:29 +07:00
|
|
|
char alg_name[64];
|
2008-01-13 12:30:23 +07:00
|
|
|
unsigned int alg_key_len; /* in bits */
|
2008-01-13 12:31:29 +07:00
|
|
|
char alg_key[0];
|
2005-04-17 05:20:36 +07:00
|
|
|
};
|
|
|
|
|
2009-11-25 07:29:51 +07:00
|
|
|
struct xfrm_algo_auth {
|
|
|
|
char alg_name[64];
|
|
|
|
unsigned int alg_key_len; /* in bits */
|
|
|
|
unsigned int alg_trunc_len; /* in bits */
|
|
|
|
char alg_key[0];
|
|
|
|
};
|
|
|
|
|
2008-01-29 10:37:29 +07:00
|
|
|
struct xfrm_algo_aead {
|
2008-04-25 14:29:00 +07:00
|
|
|
char alg_name[64];
|
|
|
|
unsigned int alg_key_len; /* in bits */
|
|
|
|
unsigned int alg_icv_len; /* in bits */
|
|
|
|
char alg_key[0];
|
2008-01-29 10:37:29 +07:00
|
|
|
};
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
struct xfrm_stats {
|
|
|
|
__u32 replay_window;
|
|
|
|
__u32 replay;
|
|
|
|
__u32 integrity_failed;
|
|
|
|
};
|
|
|
|
|
2009-11-05 00:50:58 +07:00
|
|
|
enum {
|
2006-08-24 12:43:30 +07:00
|
|
|
XFRM_POLICY_TYPE_MAIN = 0,
|
|
|
|
XFRM_POLICY_TYPE_SUB = 1,
|
2008-02-29 12:31:08 +07:00
|
|
|
XFRM_POLICY_TYPE_MAX = 2,
|
|
|
|
XFRM_POLICY_TYPE_ANY = 255
|
2006-08-24 12:43:30 +07:00
|
|
|
};
|
|
|
|
|
2009-11-05 00:50:58 +07:00
|
|
|
enum {
|
2005-04-17 05:20:36 +07:00
|
|
|
XFRM_POLICY_IN = 0,
|
|
|
|
XFRM_POLICY_OUT = 1,
|
|
|
|
XFRM_POLICY_FWD = 2,
|
2007-12-13 01:44:16 +07:00
|
|
|
XFRM_POLICY_MASK = 3,
|
2005-04-17 05:20:36 +07:00
|
|
|
XFRM_POLICY_MAX = 3
|
|
|
|
};
|
|
|
|
|
2009-11-05 00:50:58 +07:00
|
|
|
enum {
|
2005-04-17 05:20:36 +07:00
|
|
|
XFRM_SHARE_ANY, /* No limitations */
|
|
|
|
XFRM_SHARE_SESSION, /* For this session only */
|
|
|
|
XFRM_SHARE_USER, /* For this user only */
|
|
|
|
XFRM_SHARE_UNIQUE /* Use once */
|
|
|
|
};
|
|
|
|
|
2006-05-28 13:05:54 +07:00
|
|
|
#define XFRM_MODE_TRANSPORT 0
|
|
|
|
#define XFRM_MODE_TUNNEL 1
|
2006-09-23 05:05:15 +07:00
|
|
|
#define XFRM_MODE_ROUTEOPTIMIZATION 2
|
|
|
|
#define XFRM_MODE_IN_TRIGGER 3
|
2006-10-04 13:47:05 +07:00
|
|
|
#define XFRM_MODE_BEET 4
|
|
|
|
#define XFRM_MODE_MAX 5
|
2006-05-28 13:05:54 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Netlink configuration messages. */
|
|
|
|
enum {
|
|
|
|
XFRM_MSG_BASE = 0x10,
|
|
|
|
|
|
|
|
XFRM_MSG_NEWSA = 0x10,
|
|
|
|
#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
|
|
|
|
XFRM_MSG_DELSA,
|
|
|
|
#define XFRM_MSG_DELSA XFRM_MSG_DELSA
|
|
|
|
XFRM_MSG_GETSA,
|
|
|
|
#define XFRM_MSG_GETSA XFRM_MSG_GETSA
|
|
|
|
|
|
|
|
XFRM_MSG_NEWPOLICY,
|
|
|
|
#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
|
|
|
|
XFRM_MSG_DELPOLICY,
|
|
|
|
#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
|
|
|
|
XFRM_MSG_GETPOLICY,
|
|
|
|
#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
|
|
|
|
|
|
|
|
XFRM_MSG_ALLOCSPI,
|
|
|
|
#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
|
|
|
|
XFRM_MSG_ACQUIRE,
|
|
|
|
#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
|
|
|
|
XFRM_MSG_EXPIRE,
|
|
|
|
#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
|
|
|
|
|
|
|
|
XFRM_MSG_UPDPOLICY,
|
|
|
|
#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
|
|
|
|
XFRM_MSG_UPDSA,
|
|
|
|
#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
|
|
|
|
|
|
|
|
XFRM_MSG_POLEXPIRE,
|
|
|
|
#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
|
|
|
|
|
|
|
|
XFRM_MSG_FLUSHSA,
|
|
|
|
#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
|
|
|
|
XFRM_MSG_FLUSHPOLICY,
|
|
|
|
#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
|
|
|
|
|
2006-03-21 10:15:11 +07:00
|
|
|
XFRM_MSG_NEWAE,
|
|
|
|
#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
|
|
|
|
XFRM_MSG_GETAE,
|
|
|
|
#define XFRM_MSG_GETAE XFRM_MSG_GETAE
|
2006-08-24 10:44:06 +07:00
|
|
|
|
|
|
|
XFRM_MSG_REPORT,
|
|
|
|
#define XFRM_MSG_REPORT XFRM_MSG_REPORT
|
|
|
|
|
2007-02-09 04:11:42 +07:00
|
|
|
XFRM_MSG_MIGRATE,
|
|
|
|
#define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE
|
|
|
|
|
2007-04-26 14:10:29 +07:00
|
|
|
XFRM_MSG_NEWSADINFO,
|
|
|
|
#define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO
|
|
|
|
XFRM_MSG_GETSADINFO,
|
|
|
|
#define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO
|
2007-04-29 11:20:32 +07:00
|
|
|
|
|
|
|
XFRM_MSG_NEWSPDINFO,
|
|
|
|
#define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO
|
|
|
|
XFRM_MSG_GETSPDINFO,
|
|
|
|
#define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
|
2008-10-29 06:01:07 +07:00
|
|
|
|
|
|
|
XFRM_MSG_MAPPING,
|
|
|
|
#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
|
2005-05-04 04:26:01 +07:00
|
|
|
__XFRM_MSG_MAX
|
2005-04-17 05:20:36 +07:00
|
|
|
};
|
2005-05-04 04:26:01 +07:00
|
|
|
#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2005-05-04 04:26:40 +07:00
|
|
|
#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
|
|
|
|
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 14:12:27 +07:00
|
|
|
/*
|
|
|
|
* Generic LSM security context for comunicating to user space
|
|
|
|
* NOTE: Same format as sadb_x_sec_ctx
|
|
|
|
*/
|
|
|
|
struct xfrm_user_sec_ctx {
|
|
|
|
__u16 len;
|
|
|
|
__u16 exttype;
|
|
|
|
__u8 ctx_alg; /* LSMs: e.g., selinux == 1 */
|
|
|
|
__u8 ctx_doi;
|
|
|
|
__u16 ctx_len;
|
|
|
|
};
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
struct xfrm_user_tmpl {
|
|
|
|
struct xfrm_id id;
|
|
|
|
__u16 family;
|
|
|
|
xfrm_address_t saddr;
|
|
|
|
__u32 reqid;
|
|
|
|
__u8 mode;
|
|
|
|
__u8 share;
|
|
|
|
__u8 optional;
|
|
|
|
__u32 aalgos;
|
|
|
|
__u32 ealgos;
|
|
|
|
__u32 calgos;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_encap_tmpl {
|
|
|
|
__u16 encap_type;
|
2006-11-08 15:23:14 +07:00
|
|
|
__be16 encap_sport;
|
|
|
|
__be16 encap_dport;
|
2005-04-17 05:20:36 +07:00
|
|
|
xfrm_address_t encap_oa;
|
|
|
|
};
|
|
|
|
|
2006-03-21 10:15:11 +07:00
|
|
|
/* AEVENT flags */
|
|
|
|
enum xfrm_ae_ftype_t {
|
|
|
|
XFRM_AE_UNSPEC,
|
|
|
|
XFRM_AE_RTHR=1, /* replay threshold*/
|
|
|
|
XFRM_AE_RVAL=2, /* replay value */
|
|
|
|
XFRM_AE_LVAL=4, /* lifetime value */
|
|
|
|
XFRM_AE_ETHR=8, /* expiry timer threshold */
|
|
|
|
XFRM_AE_CR=16, /* Event cause is replay update */
|
|
|
|
XFRM_AE_CE=32, /* Event cause is timer expiry */
|
|
|
|
XFRM_AE_CU=64, /* Event cause is policy update */
|
|
|
|
__XFRM_AE_MAX
|
|
|
|
|
|
|
|
#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
|
|
|
|
};
|
|
|
|
|
2006-08-24 12:49:28 +07:00
|
|
|
struct xfrm_userpolicy_type {
|
|
|
|
__u8 type;
|
|
|
|
__u16 reserved1;
|
|
|
|
__u8 reserved2;
|
|
|
|
};
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Netlink message attributes. */
|
|
|
|
enum xfrm_attr_type_t {
|
|
|
|
XFRMA_UNSPEC,
|
|
|
|
XFRMA_ALG_AUTH, /* struct xfrm_algo */
|
|
|
|
XFRMA_ALG_CRYPT, /* struct xfrm_algo */
|
|
|
|
XFRMA_ALG_COMP, /* struct xfrm_algo */
|
|
|
|
XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */
|
|
|
|
XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
|
2010-02-22 18:32:54 +07:00
|
|
|
XFRMA_SA, /* struct xfrm_usersa_info */
|
|
|
|
XFRMA_POLICY, /*struct xfrm_userpolicy_info */
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 14:12:27 +07:00
|
|
|
XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */
|
2006-03-21 10:15:11 +07:00
|
|
|
XFRMA_LTIME_VAL,
|
|
|
|
XFRMA_REPLAY_VAL,
|
|
|
|
XFRMA_REPLAY_THRESH,
|
|
|
|
XFRMA_ETIMER_THRESH,
|
2006-08-24 07:56:04 +07:00
|
|
|
XFRMA_SRCADDR, /* xfrm_address_t */
|
2006-08-24 08:18:55 +07:00
|
|
|
XFRMA_COADDR, /* xfrm_address_t */
|
2010-02-22 18:32:54 +07:00
|
|
|
XFRMA_LASTUSED, /* unsigned long */
|
2006-08-24 12:49:28 +07:00
|
|
|
XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */
|
2007-02-09 04:11:42 +07:00
|
|
|
XFRMA_MIGRATE,
|
2008-01-29 10:37:29 +07:00
|
|
|
XFRMA_ALG_AEAD, /* struct xfrm_algo_aead */
|
2008-10-06 03:33:42 +07:00
|
|
|
XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */
|
2009-11-25 07:29:51 +07:00
|
|
|
XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */
|
2010-02-22 18:32:54 +07:00
|
|
|
XFRMA_MARK, /* struct xfrm_mark */
|
2005-04-17 05:20:36 +07:00
|
|
|
__XFRMA_MAX
|
|
|
|
|
|
|
|
#define XFRMA_MAX (__XFRMA_MAX - 1)
|
|
|
|
};
|
|
|
|
|
2010-02-22 18:32:54 +07:00
|
|
|
struct xfrm_mark {
|
|
|
|
__u32 v; /* value */
|
|
|
|
__u32 m; /* mask */
|
|
|
|
};
|
|
|
|
|
2007-04-26 14:10:29 +07:00
|
|
|
enum xfrm_sadattr_type_t {
|
|
|
|
XFRMA_SAD_UNSPEC,
|
2007-05-05 02:55:13 +07:00
|
|
|
XFRMA_SAD_CNT,
|
|
|
|
XFRMA_SAD_HINFO,
|
2007-04-26 14:10:29 +07:00
|
|
|
__XFRMA_SAD_MAX
|
|
|
|
|
|
|
|
#define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1)
|
|
|
|
};
|
|
|
|
|
2007-05-05 02:55:13 +07:00
|
|
|
struct xfrmu_sadhinfo {
|
|
|
|
__u32 sadhcnt; /* current hash bkts */
|
|
|
|
__u32 sadhmcnt; /* max allowed hash bkts */
|
|
|
|
};
|
|
|
|
|
2007-04-29 11:20:32 +07:00
|
|
|
enum xfrm_spdattr_type_t {
|
|
|
|
XFRMA_SPD_UNSPEC,
|
2007-05-05 02:55:39 +07:00
|
|
|
XFRMA_SPD_INFO,
|
|
|
|
XFRMA_SPD_HINFO,
|
2007-04-29 11:20:32 +07:00
|
|
|
__XFRMA_SPD_MAX
|
|
|
|
|
|
|
|
#define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1)
|
|
|
|
};
|
|
|
|
|
2007-05-05 02:55:39 +07:00
|
|
|
struct xfrmu_spdinfo {
|
|
|
|
__u32 incnt;
|
|
|
|
__u32 outcnt;
|
|
|
|
__u32 fwdcnt;
|
|
|
|
__u32 inscnt;
|
|
|
|
__u32 outscnt;
|
|
|
|
__u32 fwdscnt;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrmu_spdhinfo {
|
|
|
|
__u32 spdhcnt;
|
|
|
|
__u32 spdhmcnt;
|
|
|
|
};
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
struct xfrm_usersa_info {
|
|
|
|
struct xfrm_selector sel;
|
|
|
|
struct xfrm_id id;
|
|
|
|
xfrm_address_t saddr;
|
|
|
|
struct xfrm_lifetime_cfg lft;
|
|
|
|
struct xfrm_lifetime_cur curlft;
|
|
|
|
struct xfrm_stats stats;
|
|
|
|
__u32 seq;
|
|
|
|
__u32 reqid;
|
|
|
|
__u16 family;
|
2006-09-23 05:05:15 +07:00
|
|
|
__u8 mode; /* XFRM_MODE_xxx */
|
2005-04-17 05:20:36 +07:00
|
|
|
__u8 replay_window;
|
|
|
|
__u8 flags;
|
|
|
|
#define XFRM_STATE_NOECN 1
|
|
|
|
#define XFRM_STATE_DECAP_DSCP 2
|
2005-06-21 03:21:43 +07:00
|
|
|
#define XFRM_STATE_NOPMTUDISC 4
|
2006-08-24 08:08:21 +07:00
|
|
|
#define XFRM_STATE_WILDRECV 8
|
2007-12-13 01:44:43 +07:00
|
|
|
#define XFRM_STATE_ICMP 16
|
2008-07-11 06:55:37 +07:00
|
|
|
#define XFRM_STATE_AF_UNSPEC 32
|
2005-04-17 05:20:36 +07:00
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_usersa_id {
|
|
|
|
xfrm_address_t daddr;
|
2006-09-28 08:48:48 +07:00
|
|
|
__be32 spi;
|
2005-04-17 05:20:36 +07:00
|
|
|
__u16 family;
|
|
|
|
__u8 proto;
|
|
|
|
};
|
|
|
|
|
2006-03-21 10:15:11 +07:00
|
|
|
struct xfrm_aevent_id {
|
|
|
|
struct xfrm_usersa_id sa_id;
|
2006-12-03 13:22:25 +07:00
|
|
|
xfrm_address_t saddr;
|
2006-03-21 12:25:50 +07:00
|
|
|
__u32 flags;
|
2006-12-03 13:22:25 +07:00
|
|
|
__u32 reqid;
|
2006-03-21 10:15:11 +07:00
|
|
|
};
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
struct xfrm_userspi_info {
|
|
|
|
struct xfrm_usersa_info info;
|
|
|
|
__u32 min;
|
|
|
|
__u32 max;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_userpolicy_info {
|
|
|
|
struct xfrm_selector sel;
|
|
|
|
struct xfrm_lifetime_cfg lft;
|
|
|
|
struct xfrm_lifetime_cur curlft;
|
|
|
|
__u32 priority;
|
|
|
|
__u32 index;
|
|
|
|
__u8 dir;
|
|
|
|
__u8 action;
|
|
|
|
#define XFRM_POLICY_ALLOW 0
|
|
|
|
#define XFRM_POLICY_BLOCK 1
|
|
|
|
__u8 flags;
|
|
|
|
#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
|
2007-12-13 01:44:43 +07:00
|
|
|
/* Automatically expand selector to include matching ICMP payloads. */
|
|
|
|
#define XFRM_POLICY_ICMP 2
|
2005-04-17 05:20:36 +07:00
|
|
|
__u8 share;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_userpolicy_id {
|
|
|
|
struct xfrm_selector sel;
|
|
|
|
__u32 index;
|
|
|
|
__u8 dir;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_user_acquire {
|
|
|
|
struct xfrm_id id;
|
|
|
|
xfrm_address_t saddr;
|
|
|
|
struct xfrm_selector sel;
|
|
|
|
struct xfrm_userpolicy_info policy;
|
|
|
|
__u32 aalgos;
|
|
|
|
__u32 ealgos;
|
|
|
|
__u32 calgos;
|
|
|
|
__u32 seq;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_user_expire {
|
|
|
|
struct xfrm_usersa_info state;
|
|
|
|
__u8 hard;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_user_polexpire {
|
|
|
|
struct xfrm_userpolicy_info pol;
|
|
|
|
__u8 hard;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_usersa_flush {
|
|
|
|
__u8 proto;
|
|
|
|
};
|
|
|
|
|
2006-08-24 10:44:06 +07:00
|
|
|
struct xfrm_user_report {
|
|
|
|
__u8 proto;
|
|
|
|
struct xfrm_selector sel;
|
|
|
|
};
|
|
|
|
|
2008-10-06 03:33:42 +07:00
|
|
|
/* Used by MIGRATE to pass addresses IKE should use to perform
|
|
|
|
* SA negotiation with the peer */
|
|
|
|
struct xfrm_user_kmaddress {
|
|
|
|
xfrm_address_t local;
|
|
|
|
xfrm_address_t remote;
|
|
|
|
__u32 reserved;
|
|
|
|
__u16 family;
|
|
|
|
};
|
|
|
|
|
2007-02-09 04:11:42 +07:00
|
|
|
struct xfrm_user_migrate {
|
|
|
|
xfrm_address_t old_daddr;
|
|
|
|
xfrm_address_t old_saddr;
|
|
|
|
xfrm_address_t new_daddr;
|
|
|
|
xfrm_address_t new_saddr;
|
|
|
|
__u8 proto;
|
|
|
|
__u8 mode;
|
|
|
|
__u16 reserved;
|
|
|
|
__u32 reqid;
|
|
|
|
__u16 old_family;
|
|
|
|
__u16 new_family;
|
|
|
|
};
|
|
|
|
|
2008-10-29 06:01:07 +07:00
|
|
|
struct xfrm_user_mapping {
|
|
|
|
struct xfrm_usersa_id id;
|
|
|
|
__u32 reqid;
|
|
|
|
xfrm_address_t old_saddr;
|
|
|
|
xfrm_address_t new_saddr;
|
|
|
|
__be16 old_sport;
|
|
|
|
__be16 new_sport;
|
|
|
|
};
|
|
|
|
|
2005-08-15 09:29:52 +07:00
|
|
|
#ifndef __KERNEL__
|
|
|
|
/* backwards compatibility for userspace */
|
2005-04-17 05:20:36 +07:00
|
|
|
#define XFRMGRP_ACQUIRE 1
|
|
|
|
#define XFRMGRP_EXPIRE 2
|
2005-06-19 12:42:13 +07:00
|
|
|
#define XFRMGRP_SA 4
|
|
|
|
#define XFRMGRP_POLICY 8
|
2006-12-08 15:12:15 +07:00
|
|
|
#define XFRMGRP_REPORT 0x20
|
2005-08-15 09:29:52 +07:00
|
|
|
#endif
|
|
|
|
|
|
|
|
enum xfrm_nlgroups {
|
|
|
|
XFRMNLGRP_NONE,
|
|
|
|
#define XFRMNLGRP_NONE XFRMNLGRP_NONE
|
|
|
|
XFRMNLGRP_ACQUIRE,
|
|
|
|
#define XFRMNLGRP_ACQUIRE XFRMNLGRP_ACQUIRE
|
|
|
|
XFRMNLGRP_EXPIRE,
|
|
|
|
#define XFRMNLGRP_EXPIRE XFRMNLGRP_EXPIRE
|
|
|
|
XFRMNLGRP_SA,
|
|
|
|
#define XFRMNLGRP_SA XFRMNLGRP_SA
|
|
|
|
XFRMNLGRP_POLICY,
|
|
|
|
#define XFRMNLGRP_POLICY XFRMNLGRP_POLICY
|
2006-03-21 10:15:11 +07:00
|
|
|
XFRMNLGRP_AEVENTS,
|
|
|
|
#define XFRMNLGRP_AEVENTS XFRMNLGRP_AEVENTS
|
2006-08-24 10:44:06 +07:00
|
|
|
XFRMNLGRP_REPORT,
|
|
|
|
#define XFRMNLGRP_REPORT XFRMNLGRP_REPORT
|
2007-02-09 04:11:42 +07:00
|
|
|
XFRMNLGRP_MIGRATE,
|
|
|
|
#define XFRMNLGRP_MIGRATE XFRMNLGRP_MIGRATE
|
2008-10-29 06:01:07 +07:00
|
|
|
XFRMNLGRP_MAPPING,
|
|
|
|
#define XFRMNLGRP_MAPPING XFRMNLGRP_MAPPING
|
2005-08-15 09:29:52 +07:00
|
|
|
__XFRMNLGRP_MAX
|
|
|
|
};
|
|
|
|
#define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1)
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
#endif /* _LINUX_XFRM_H */
|