Skip to main content

Browse the archive

Staging
v0.5.1
swh:1:snp:a902887e4be9191b7c6c4406aa06b31c1ce2c7cc
Raw File
Tip revision: b9a33cebac70d6f67a769ce8d4078fee2b254ada authored by Linus Torvalds on 27 February 2006, 05:09:35 UTC
Linux v2.6.16-rc5
Tip revision: b9a33ce
xfrm.h 
/*
 * SELinux support for the XFRM LSM hooks
 *
 * Author : Trent Jaeger, <jaegert@us.ibm.com>
 */
#ifndef _SELINUX_XFRM_H_
#define _SELINUX_XFRM_H_

int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
void selinux_xfrm_policy_free(struct xfrm_policy *xp);
int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
void selinux_xfrm_state_free(struct xfrm_state *x);
int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir);

/*
 * Extract the security blob from the sock (it's actually on the socket)
 */
static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
{
	if (!sk->sk_socket)
		return NULL;

	return SOCK_INODE(sk->sk_socket)->i_security;
}


static inline u32 selinux_no_sk_sid(struct flowi *fl)
{
	/* NOTE: no sock occurs on ICMP reply, forwards, ... */
	/* icmp_reply: authorize as kernel packet */
	if (fl && fl->proto == IPPROTO_ICMP) {
		return SECINITSID_KERNEL;
	}

	return SECINITSID_ANY_SOCKET;
}

#ifdef CONFIG_SECURITY_NETWORK_XFRM
int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb);
int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb);
#else
static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
{
	return 0;
}

static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
{
	return NF_ACCEPT;
}
#endif

#endif /* _SELINUX_XFRM_H_ */
back to top