fedora core 6 1.2949 + vserver 2.2.0

[linux-2.6.git] / security / selinux / include / xfrm.h

diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 8e87996..31929e3 100644 (file)
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -2,16 +2,23 @@
  * SELinux support for the XFRM LSM hooks
  *
  * Author : Trent Jaeger, <jaegert@us.ibm.com>
+ * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
  */
 #ifndef _SELINUX_XFRM_H_
 #define _SELINUX_XFRM_H_
 
-int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
+int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
+               struct xfrm_user_sec_ctx *sec_ctx);
 int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
 void selinux_xfrm_policy_free(struct xfrm_policy *xp);
-int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
+int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
+int selinux_xfrm_state_alloc(struct xfrm_state *x,
+       struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
 void selinux_xfrm_state_free(struct xfrm_state *x);
-int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
+int selinux_xfrm_state_delete(struct xfrm_state *x);
+int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
+int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
+                       struct xfrm_policy *xp, struct flowi *fl);
 
 /*
  * Extract the security blob from the sock (it's actually on the socket)
@@ -24,31 +31,45 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
        return SOCK_INODE(sk->sk_socket)->i_security;
 }
 
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
+                       struct avc_audit_data *ad);
+int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
+                       struct avc_audit_data *ad, u8 proto);
+int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 
-static inline u32 selinux_no_sk_sid(struct flowi *fl)
+static inline void selinux_xfrm_notify_policyload(void)
+{
+       atomic_inc(&flow_cache_genid);
+}
+#else
+static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
+                       struct avc_audit_data *ad)
 {
-       /* NOTE: no sock occurs on ICMP reply, forwards, ... */
-       /* icmp_reply: authorize as kernel packet */
-       if (fl && fl->proto == IPPROTO_ICMP) {
-               return SECINITSID_KERNEL;
-       }
+       return 0;
+}
 
-       return SECINITSID_ANY_SOCKET;
+static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
+                       struct avc_audit_data *ad, u8 proto)
+{
+       return 0;
 }
 
-#ifdef CONFIG_SECURITY_NETWORK_XFRM
-int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb);
-int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb);
-#else
-static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
+static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
 {
+       *sid = SECSID_NULL;
        return 0;
 }
 
-static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
+static inline void selinux_xfrm_notify_policyload(void)
 {
-       return NF_ACCEPT;
 }
 #endif
 
+static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
+{
+       int err = selinux_xfrm_decode_session(skb, sid, 0);
+       BUG_ON(err);
+}
+
 #endif /* _SELINUX_XFRM_H_ */