[LSM-IPsec]: SELinux Authorize

 *	used by the XFRM system.

 *	@sec_ctx contains the security context information being provided by

 *	the user-level policy update program (e.g., setkey).

 *	Allocate a security structure to the xp->selector.security field.

 *	Allocate a security structure to the xp->security field.

 *	The security field is initialized to NULL when the xfrm_policy is

 *	allocated.

 *	Return 0 if operation was successful (memory to allocate, legal context)

 * @xfrm_policy_clone_security:

 *	@old contains an existing xfrm_policy in the SPD.

 *	@new contains a new xfrm_policy being cloned from old.

 *	Allocate a security structure to the new->selector.security field

 *	that contains the information from the old->selector.security field.

 *	Allocate a security structure to the new->security field

 *	that contains the information from the old->security field.

 *	Return 0 if operation was successful (memory to allocate).

 * @xfrm_policy_free_security:

 *	@xp contains the xfrm_policy

 *	Deallocate xp->selector.security.

 *	Deallocate xp->security.

 * @xfrm_policy_delete_security:

 *	@xp contains the xfrm_policy.

 *	Authorize deletion of xp->security.

 * @xfrm_state_alloc_security:

 *	@x contains the xfrm_state being added to the Security Association

 *	Database by the XFRM system.

 *	@sec_ctx contains the security context information being provided by

 *	the user-level SA generation program (e.g., setkey or racoon).

 *	Allocate a security structure to the x->sel.security field.  The

 *	Allocate a security structure to the x->security field.  The

 *	security field is initialized to NULL when the xfrm_state is

 *	allocated.

 *	Return 0 if operation was successful (memory to allocate, legal context).

 * @xfrm_state_free_security:

 *	@x contains the xfrm_state.

 *	Deallocate x>sel.security.

 *	Deallocate x->security.

 * @xfrm_state_delete_security:

 *	@x contains the xfrm_state.

 *	Authorize deletion of x->security.

 * @xfrm_policy_lookup:

 *	@xp contains the xfrm_policy for which the access control is being

 *	checked.

	int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);

	int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new);

	void (*xfrm_policy_free_security) (struct xfrm_policy *xp);

	int (*xfrm_policy_delete_security) (struct xfrm_policy *xp);

	int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);

	void (*xfrm_state_free_security) (struct xfrm_state *x);

	int (*xfrm_state_delete_security) (struct xfrm_state *x);

	int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 sk_sid, u8 dir);

#endif	/* CONFIG_SECURITY_NETWORK_XFRM */

	security_ops->xfrm_policy_free_security(xp);

}

static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)

{

	return security_ops->xfrm_policy_delete_security(xp);

}

static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)

{

	return security_ops->xfrm_state_alloc_security(x, sec_ctx);

}

static inline int security_xfrm_state_delete(struct xfrm_state *x)

{

	return security_ops->xfrm_state_delete_security(x);

}

static inline void security_xfrm_state_free(struct xfrm_state *x)

{

	security_ops->xfrm_state_free_security(x);

{

}

static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)

{

	return 0;

}

static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)

{

	return 0;

{

}

static inline int security_xfrm_state_delete(struct xfrm_policy *xp)

{

	return 0;

}

static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)

{

	return 0;

	if (x == NULL)

		return -ESRCH;

	if ((err = security_xfrm_state_delete(x)))

		goto out;

	if (xfrm_state_kern(x)) {

		xfrm_state_put(x);

		return -EPERM;

		err = -EPERM;

		goto out;

	}

	err = xfrm_state_delete(x);

	if (err < 0) {

		xfrm_state_put(x);

		return err;

	}

	if (err < 0)

		goto out;

	c.seq = hdr->sadb_msg_seq;

	c.pid = hdr->sadb_msg_pid;

	c.event = XFRM_MSG_DELSA;

	km_state_notify(x, &c);

out:

	xfrm_state_put(x);

	return err;

	err = 0;

	if ((err = security_xfrm_policy_delete(xp)))

		goto out;

	c.seq = hdr->sadb_msg_seq;

	c.pid = hdr->sadb_msg_pid;

	c.event = XFRM_MSG_DELPOLICY;

	km_policy_notify(xp, pol->sadb_x_policy_dir-1, &c);

out:

	xfrm_pol_put(xp);

	return err;

}

	if (x == NULL)

		return -ESRCH;

	if (err = security_xfrm_state_delete(x))

		goto out;

	if (xfrm_state_kern(x)) {

		xfrm_state_put(x);

		return -EPERM;

		err = -EPERM;

		goto out;

	}

	err = xfrm_state_delete(x);

	if (err < 0) {

		xfrm_state_put(x);

		return err;

	}

	if (err < 0)

		goto out;

	c.seq = nlh->nlmsg_seq;

	c.pid = nlh->nlmsg_pid;

	c.event = nlh->nlmsg_type;

	km_state_notify(x, &c);

	xfrm_state_put(x);

out:

	xfrm_state_put(x);

	return err;

}

					      MSG_DONTWAIT);

		}

	} else {

		if (err = security_xfrm_policy_delete(xp))

			goto out;

		c.data.byid = p->index;

		c.event = nlh->nlmsg_type;

		c.seq = nlh->nlmsg_seq;

	xfrm_pol_put(xp);

out:

	return err;

}

{

}

static int dummy_xfrm_policy_delete_security(struct xfrm_policy *xp)

{

	return 0;

}

static int dummy_xfrm_state_alloc_security(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)

{

	return 0;

{

}

static int dummy_xfrm_state_delete_security(struct xfrm_state *x)

{

	return 0;

}

static int dummy_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir)

{

	return 0;

	set_to_dummy_if_null(ops, xfrm_policy_alloc_security);

	set_to_dummy_if_null(ops, xfrm_policy_clone_security);

	set_to_dummy_if_null(ops, xfrm_policy_free_security);

	set_to_dummy_if_null(ops, xfrm_policy_delete_security);

	set_to_dummy_if_null(ops, xfrm_state_alloc_security);

	set_to_dummy_if_null(ops, xfrm_state_free_security);

	set_to_dummy_if_null(ops, xfrm_state_delete_security);

	set_to_dummy_if_null(ops, xfrm_policy_lookup);

#endif	/* CONFIG_SECURITY_NETWORK_XFRM */

#ifdef CONFIG_KEYS

	.xfrm_policy_alloc_security =	selinux_xfrm_policy_alloc,

	.xfrm_policy_clone_security =	selinux_xfrm_policy_clone,

	.xfrm_policy_free_security =	selinux_xfrm_policy_free,

	.xfrm_policy_delete_security =	selinux_xfrm_policy_delete,

	.xfrm_state_alloc_security =	selinux_xfrm_state_alloc,

	.xfrm_state_free_security =	selinux_xfrm_state_free,

	.xfrm_state_delete_security =	selinux_xfrm_state_delete,

	.xfrm_policy_lookup = 		selinux_xfrm_policy_lookup,

#endif

};