security/selinux/xfrm.c
Source file repositories/reference/linux-study-clean/security/selinux/xfrm.c
File Facts
- System
- Linux kernel
- Corpus path
security/selinux/xfrm.c- Extension
.c- Size
- 11255 bytes
- Lines
- 467
- Domain
- Core OS
- Bucket
- Security And Isolation
- Inferred role
- Core OS: implementation source
- Status
- source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Uses kernel synchronization; read lock ordering, sleepability, and interrupt context assumptions before translating.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/kernel.hlinux/init.hlinux/security.hlinux/types.hlinux/slab.hlinux/ip.hlinux/tcp.hlinux/skbuff.hlinux/xfrm.hnet/xfrm.hnet/checksum.hnet/udp.hlinux/atomic.havc.hobjsec.hxfrm.h
Detected Declarations
function selinux_authorizable_ctxfunction selinux_authorizable_xfrmfunction selinux_xfrm_alloc_userfunction selinux_xfrm_freefunction selinux_xfrm_deletefunction selinux_xfrm_policy_lookupfunction selinux_xfrm_state_pol_flow_matchfunction selinux_xfrm_skb_sid_egressfunction selinux_xfrm_skb_sid_ingressfunction selinux_xfrm_decode_sessionfunction selinux_xfrm_skb_sidfunction selinux_xfrm_policy_allocfunction selinux_xfrm_policy_clonefunction selinux_xfrm_policy_freefunction selinux_xfrm_policy_deletefunction selinux_xfrm_state_allocfunction selinux_xfrm_state_alloc_acquirefunction selinux_xfrm_state_freefunction selinux_xfrm_state_deletefunction authorizablefunction selinux_xfrm_postroute_last
Annotated Snippet
if (selinux_authorizable_xfrm(x)) {
struct xfrm_sec_ctx *ctx = x->security;
if (sid_session == SECSID_NULL) {
sid_session = ctx->ctx_sid;
if (!ckall)
goto out;
} else if (sid_session != ctx->ctx_sid) {
*sid = SECSID_NULL;
return -EINVAL;
}
}
}
}
out:
*sid = sid_session;
return 0;
}
/*
* LSM hook implementation that checks and/or returns the xfrm sid for the
* incoming packet.
*/
int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
{
if (skb == NULL) {
*sid = SECSID_NULL;
return 0;
}
return selinux_xfrm_skb_sid_ingress(skb, sid, ckall);
}
int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
{
int rc;
rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0);
if (rc == 0 && *sid == SECSID_NULL)
*sid = selinux_xfrm_skb_sid_egress(skb);
return rc;
}
/*
* LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.
*/
int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
struct xfrm_user_sec_ctx *uctx,
gfp_t gfp)
{
return selinux_xfrm_alloc_user(ctxp, uctx, gfp);
}
/*
* LSM hook implementation that copies security data structure from old to new
* for policy cloning.
*/
int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
struct xfrm_sec_ctx **new_ctxp)
{
struct xfrm_sec_ctx *new_ctx;
if (!old_ctx)
return 0;
new_ctx = kmemdup(old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len,
GFP_ATOMIC);
if (!new_ctx)
return -ENOMEM;
atomic_inc(&selinux_xfrm_refcount);
*new_ctxp = new_ctx;
return 0;
}
/*
* LSM hook implementation that frees xfrm_sec_ctx security information.
*/
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
selinux_xfrm_free(ctx);
}
/*
* LSM hook implementation that authorizes deletion of labeled policies.
*/
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
return selinux_xfrm_delete(ctx);
Annotation
- Immediate include surface: `linux/kernel.h`, `linux/init.h`, `linux/security.h`, `linux/types.h`, `linux/slab.h`, `linux/ip.h`, `linux/tcp.h`, `linux/skbuff.h`.
- Detected declarations: `function selinux_authorizable_ctx`, `function selinux_authorizable_xfrm`, `function selinux_xfrm_alloc_user`, `function selinux_xfrm_free`, `function selinux_xfrm_delete`, `function selinux_xfrm_policy_lookup`, `function selinux_xfrm_state_pol_flow_match`, `function selinux_xfrm_skb_sid_egress`, `function selinux_xfrm_skb_sid_ingress`, `function selinux_xfrm_decode_session`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
- Synchronization appears in or near this file; preserve lock ordering, sleepability, and interrupt-context constraints.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.