2019-05-19 13:51:43 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2006-08-03 23:48:37 +00:00
|
|
|
/*
|
|
|
|
* NetLabel Kernel API
|
|
|
|
*
|
|
|
|
* This file defines the kernel API for the NetLabel system. The NetLabel
|
|
|
|
* system manages static and dynamic label mappings for network protocols such
|
|
|
|
* as CIPSO and RIPSO.
|
|
|
|
*
|
2011-08-01 11:10:33 +00:00
|
|
|
* Author: Paul Moore <paul@paul-moore.com>
|
2006-08-03 23:48:37 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
2008-10-10 14:16:33 +00:00
|
|
|
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
|
2006-08-03 23:48:37 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/types.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/slab.h>
|
2008-02-05 06:29:47 +00:00
|
|
|
#include <linux/audit.h>
|
2008-12-31 17:54:11 +00:00
|
|
|
#include <linux/in.h>
|
|
|
|
#include <linux/in6.h>
|
2006-08-03 23:48:37 +00:00
|
|
|
#include <net/ip.h>
|
2008-12-31 17:54:11 +00:00
|
|
|
#include <net/ipv6.h>
|
2006-08-03 23:48:37 +00:00
|
|
|
#include <net/netlabel.h>
|
|
|
|
#include <net/cipso_ipv4.h>
|
2016-06-27 19:02:51 +00:00
|
|
|
#include <net/calipso.h>
|
2006-08-03 23:48:37 +00:00
|
|
|
#include <asm/bug.h>
|
2011-07-26 23:09:06 +00:00
|
|
|
#include <linux/atomic.h>
|
2006-08-03 23:48:37 +00:00
|
|
|
|
|
|
|
#include "netlabel_domainhash.h"
|
|
|
|
#include "netlabel_unlabeled.h"
|
2008-02-05 06:29:47 +00:00
|
|
|
#include "netlabel_cipso_v4.h"
|
2016-06-27 19:02:51 +00:00
|
|
|
#include "netlabel_calipso.h"
|
2006-08-03 23:48:37 +00:00
|
|
|
#include "netlabel_user.h"
|
2007-07-18 16:28:45 +00:00
|
|
|
#include "netlabel_mgmt.h"
|
2008-12-31 17:54:11 +00:00
|
|
|
#include "netlabel_addrlist.h"
|
2006-08-03 23:48:37 +00:00
|
|
|
|
2008-02-05 06:29:47 +00:00
|
|
|
/*
|
|
|
|
* Configuration Functions
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_cfg_map_del - Remove a NetLabel/LSM domain mapping
|
|
|
|
* @domain: the domain mapping to remove
|
2008-12-31 17:54:11 +00:00
|
|
|
* @family: address family
|
|
|
|
* @addr: IP address
|
|
|
|
* @mask: IP address mask
|
2008-02-05 06:29:47 +00:00
|
|
|
* @audit_info: NetLabel audit information
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Removes a NetLabel/LSM domain mapping. A @domain value of NULL causes the
|
|
|
|
* default domain mapping to be removed. Returns zero on success, negative
|
|
|
|
* values on failure.
|
|
|
|
*
|
|
|
|
*/
|
2008-12-31 17:54:11 +00:00
|
|
|
int netlbl_cfg_map_del(const char *domain,
|
|
|
|
u16 family,
|
|
|
|
const void *addr,
|
|
|
|
const void *mask,
|
|
|
|
struct netlbl_audit *audit_info)
|
2008-02-05 06:29:47 +00:00
|
|
|
{
|
2008-12-31 17:54:11 +00:00
|
|
|
if (addr == NULL && mask == NULL) {
|
2016-06-27 19:02:46 +00:00
|
|
|
return netlbl_domhsh_remove(domain, family, audit_info);
|
2008-12-31 17:54:11 +00:00
|
|
|
} else if (addr != NULL && mask != NULL) {
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
return netlbl_domhsh_remove_af4(domain, addr, mask,
|
|
|
|
audit_info);
|
2016-06-27 19:06:18 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
case AF_INET6:
|
|
|
|
return netlbl_domhsh_remove_af6(domain, addr, mask,
|
|
|
|
audit_info);
|
|
|
|
#endif /* IPv6 */
|
2008-12-31 17:54:11 +00:00
|
|
|
default:
|
|
|
|
return -EPFNOSUPPORT;
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
return -EINVAL;
|
2008-02-05 06:29:47 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2008-12-31 17:54:11 +00:00
|
|
|
* netlbl_cfg_unlbl_map_add - Add a new unlabeled mapping
|
2008-02-05 06:29:47 +00:00
|
|
|
* @domain: the domain mapping to add
|
2008-12-31 17:54:11 +00:00
|
|
|
* @family: address family
|
|
|
|
* @addr: IP address
|
|
|
|
* @mask: IP address mask
|
2008-02-05 06:29:47 +00:00
|
|
|
* @audit_info: NetLabel audit information
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Adds a new unlabeled NetLabel/LSM domain mapping. A @domain value of NULL
|
|
|
|
* causes a new default domain mapping to be added. Returns zero on success,
|
|
|
|
* negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
2008-12-31 17:54:11 +00:00
|
|
|
int netlbl_cfg_unlbl_map_add(const char *domain,
|
|
|
|
u16 family,
|
|
|
|
const void *addr,
|
|
|
|
const void *mask,
|
2008-02-05 06:29:47 +00:00
|
|
|
struct netlbl_audit *audit_info)
|
|
|
|
{
|
|
|
|
int ret_val = -ENOMEM;
|
|
|
|
struct netlbl_dom_map *entry;
|
2008-12-31 17:54:11 +00:00
|
|
|
struct netlbl_domaddr_map *addrmap = NULL;
|
|
|
|
struct netlbl_domaddr4_map *map4 = NULL;
|
|
|
|
struct netlbl_domaddr6_map *map6 = NULL;
|
2008-02-05 06:29:47 +00:00
|
|
|
|
|
|
|
entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
|
|
|
|
if (entry == NULL)
|
2008-10-10 14:16:30 +00:00
|
|
|
return -ENOMEM;
|
2008-02-05 06:29:47 +00:00
|
|
|
if (domain != NULL) {
|
|
|
|
entry->domain = kstrdup(domain, GFP_ATOMIC);
|
|
|
|
if (entry->domain == NULL)
|
2008-12-31 17:54:11 +00:00
|
|
|
goto cfg_unlbl_map_add_failure;
|
|
|
|
}
|
2016-06-27 19:02:46 +00:00
|
|
|
entry->family = family;
|
2008-12-31 17:54:11 +00:00
|
|
|
|
|
|
|
if (addr == NULL && mask == NULL)
|
2013-08-02 18:45:08 +00:00
|
|
|
entry->def.type = NETLBL_NLTYPE_UNLABELED;
|
2008-12-31 17:54:11 +00:00
|
|
|
else if (addr != NULL && mask != NULL) {
|
|
|
|
addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
|
|
|
|
if (addrmap == NULL)
|
|
|
|
goto cfg_unlbl_map_add_failure;
|
|
|
|
INIT_LIST_HEAD(&addrmap->list4);
|
|
|
|
INIT_LIST_HEAD(&addrmap->list6);
|
|
|
|
|
|
|
|
switch (family) {
|
2011-11-29 10:10:54 +00:00
|
|
|
case AF_INET: {
|
|
|
|
const struct in_addr *addr4 = addr;
|
|
|
|
const struct in_addr *mask4 = mask;
|
2008-12-31 17:54:11 +00:00
|
|
|
map4 = kzalloc(sizeof(*map4), GFP_ATOMIC);
|
|
|
|
if (map4 == NULL)
|
|
|
|
goto cfg_unlbl_map_add_failure;
|
2013-08-02 18:45:08 +00:00
|
|
|
map4->def.type = NETLBL_NLTYPE_UNLABELED;
|
2008-12-31 17:54:11 +00:00
|
|
|
map4->list.addr = addr4->s_addr & mask4->s_addr;
|
|
|
|
map4->list.mask = mask4->s_addr;
|
|
|
|
map4->list.valid = 1;
|
|
|
|
ret_val = netlbl_af4list_add(&map4->list,
|
|
|
|
&addrmap->list4);
|
|
|
|
if (ret_val != 0)
|
|
|
|
goto cfg_unlbl_map_add_failure;
|
|
|
|
break;
|
2011-11-29 10:10:54 +00:00
|
|
|
}
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2011-11-29 10:10:54 +00:00
|
|
|
case AF_INET6: {
|
|
|
|
const struct in6_addr *addr6 = addr;
|
|
|
|
const struct in6_addr *mask6 = mask;
|
2008-12-31 17:54:11 +00:00
|
|
|
map6 = kzalloc(sizeof(*map6), GFP_ATOMIC);
|
2009-07-30 04:38:19 +00:00
|
|
|
if (map6 == NULL)
|
2008-12-31 17:54:11 +00:00
|
|
|
goto cfg_unlbl_map_add_failure;
|
2013-08-02 18:45:08 +00:00
|
|
|
map6->def.type = NETLBL_NLTYPE_UNLABELED;
|
2011-11-21 03:39:03 +00:00
|
|
|
map6->list.addr = *addr6;
|
2008-12-31 17:54:11 +00:00
|
|
|
map6->list.addr.s6_addr32[0] &= mask6->s6_addr32[0];
|
|
|
|
map6->list.addr.s6_addr32[1] &= mask6->s6_addr32[1];
|
|
|
|
map6->list.addr.s6_addr32[2] &= mask6->s6_addr32[2];
|
|
|
|
map6->list.addr.s6_addr32[3] &= mask6->s6_addr32[3];
|
2011-11-21 03:39:03 +00:00
|
|
|
map6->list.mask = *mask6;
|
2008-12-31 17:54:11 +00:00
|
|
|
map6->list.valid = 1;
|
2011-11-23 21:18:20 +00:00
|
|
|
ret_val = netlbl_af6list_add(&map6->list,
|
|
|
|
&addrmap->list6);
|
2008-12-31 17:54:11 +00:00
|
|
|
if (ret_val != 0)
|
|
|
|
goto cfg_unlbl_map_add_failure;
|
|
|
|
break;
|
2011-11-29 10:10:54 +00:00
|
|
|
}
|
|
|
|
#endif /* IPv6 */
|
2008-12-31 17:54:11 +00:00
|
|
|
default:
|
|
|
|
goto cfg_unlbl_map_add_failure;
|
|
|
|
}
|
|
|
|
|
2013-08-02 18:45:08 +00:00
|
|
|
entry->def.addrsel = addrmap;
|
|
|
|
entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
|
2008-12-31 17:54:11 +00:00
|
|
|
} else {
|
|
|
|
ret_val = -EINVAL;
|
|
|
|
goto cfg_unlbl_map_add_failure;
|
2008-02-05 06:29:47 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
ret_val = netlbl_domhsh_add(entry, audit_info);
|
|
|
|
if (ret_val != 0)
|
2008-12-31 17:54:11 +00:00
|
|
|
goto cfg_unlbl_map_add_failure;
|
2008-02-05 06:29:47 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
2008-12-31 17:54:11 +00:00
|
|
|
cfg_unlbl_map_add_failure:
|
2009-07-27 06:15:43 +00:00
|
|
|
kfree(entry->domain);
|
2008-02-05 06:29:47 +00:00
|
|
|
kfree(entry);
|
2008-12-31 17:54:11 +00:00
|
|
|
kfree(addrmap);
|
|
|
|
kfree(map4);
|
|
|
|
kfree(map6);
|
2008-02-05 06:29:47 +00:00
|
|
|
return ret_val;
|
|
|
|
}
|
|
|
|
|
2008-12-31 17:54:11 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_cfg_unlbl_static_add - Adds a new static label
|
|
|
|
* @net: network namespace
|
|
|
|
* @dev_name: interface name
|
|
|
|
* @addr: IP address in network byte order (struct in[6]_addr)
|
|
|
|
* @mask: address mask in network byte order (struct in[6]_addr)
|
|
|
|
* @family: address family
|
|
|
|
* @secid: LSM secid value for the entry
|
|
|
|
* @audit_info: NetLabel audit information
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Adds a new NetLabel static label to be used when protocol provided labels
|
|
|
|
* are not present on incoming traffic. If @dev_name is NULL then the default
|
|
|
|
* interface will be used. Returns zero on success, negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int netlbl_cfg_unlbl_static_add(struct net *net,
|
|
|
|
const char *dev_name,
|
|
|
|
const void *addr,
|
|
|
|
const void *mask,
|
|
|
|
u16 family,
|
|
|
|
u32 secid,
|
|
|
|
struct netlbl_audit *audit_info)
|
|
|
|
{
|
|
|
|
u32 addr_len;
|
|
|
|
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
addr_len = sizeof(struct in_addr);
|
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2008-12-31 17:54:11 +00:00
|
|
|
case AF_INET6:
|
|
|
|
addr_len = sizeof(struct in6_addr);
|
|
|
|
break;
|
2011-11-29 10:10:54 +00:00
|
|
|
#endif /* IPv6 */
|
2008-12-31 17:54:11 +00:00
|
|
|
default:
|
|
|
|
return -EPFNOSUPPORT;
|
|
|
|
}
|
|
|
|
|
|
|
|
return netlbl_unlhsh_add(net,
|
|
|
|
dev_name, addr, mask, addr_len,
|
|
|
|
secid, audit_info);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_cfg_unlbl_static_del - Removes an existing static label
|
|
|
|
* @net: network namespace
|
|
|
|
* @dev_name: interface name
|
|
|
|
* @addr: IP address in network byte order (struct in[6]_addr)
|
|
|
|
* @mask: address mask in network byte order (struct in[6]_addr)
|
|
|
|
* @family: address family
|
|
|
|
* @audit_info: NetLabel audit information
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Removes an existing NetLabel static label used when protocol provided labels
|
|
|
|
* are not present on incoming traffic. If @dev_name is NULL then the default
|
|
|
|
* interface will be used. Returns zero on success, negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int netlbl_cfg_unlbl_static_del(struct net *net,
|
|
|
|
const char *dev_name,
|
|
|
|
const void *addr,
|
|
|
|
const void *mask,
|
|
|
|
u16 family,
|
|
|
|
struct netlbl_audit *audit_info)
|
|
|
|
{
|
|
|
|
u32 addr_len;
|
|
|
|
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
addr_len = sizeof(struct in_addr);
|
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2008-12-31 17:54:11 +00:00
|
|
|
case AF_INET6:
|
|
|
|
addr_len = sizeof(struct in6_addr);
|
|
|
|
break;
|
2011-11-29 10:10:54 +00:00
|
|
|
#endif /* IPv6 */
|
2008-12-31 17:54:11 +00:00
|
|
|
default:
|
|
|
|
return -EPFNOSUPPORT;
|
|
|
|
}
|
|
|
|
|
|
|
|
return netlbl_unlhsh_remove(net,
|
|
|
|
dev_name, addr, mask, addr_len,
|
|
|
|
audit_info);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_cfg_cipsov4_add - Add a new CIPSOv4 DOI definition
|
|
|
|
* @doi_def: CIPSO DOI definition
|
|
|
|
* @audit_info: NetLabel audit information
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Add a new CIPSO DOI definition as defined by @doi_def. Returns zero on
|
|
|
|
* success and negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
|
|
|
|
struct netlbl_audit *audit_info)
|
|
|
|
{
|
|
|
|
return cipso_v4_doi_add(doi_def, audit_info);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_cfg_cipsov4_del - Remove an existing CIPSOv4 DOI definition
|
|
|
|
* @doi: CIPSO DOI
|
|
|
|
* @audit_info: NetLabel audit information
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Remove an existing CIPSO DOI definition matching @doi. Returns zero on
|
|
|
|
* success and negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info)
|
|
|
|
{
|
|
|
|
cipso_v4_doi_remove(doi, audit_info);
|
|
|
|
}
|
|
|
|
|
2008-02-05 06:29:47 +00:00
|
|
|
/**
|
2008-12-31 17:54:11 +00:00
|
|
|
* netlbl_cfg_cipsov4_map_add - Add a new CIPSOv4 DOI mapping
|
|
|
|
* @doi: the CIPSO DOI
|
2008-02-05 06:29:47 +00:00
|
|
|
* @domain: the domain mapping to add
|
2008-12-31 17:54:11 +00:00
|
|
|
* @addr: IP address
|
|
|
|
* @mask: IP address mask
|
2008-02-05 06:29:47 +00:00
|
|
|
* @audit_info: NetLabel audit information
|
|
|
|
*
|
|
|
|
* Description:
|
2008-12-31 17:54:11 +00:00
|
|
|
* Add a new NetLabel/LSM domain mapping for the given CIPSO DOI to the NetLabel
|
|
|
|
* subsystem. A @domain value of NULL adds a new default domain mapping.
|
|
|
|
* Returns zero on success, negative values on failure.
|
2008-02-05 06:29:47 +00:00
|
|
|
*
|
|
|
|
*/
|
2008-12-31 17:54:11 +00:00
|
|
|
int netlbl_cfg_cipsov4_map_add(u32 doi,
|
2008-02-05 06:29:47 +00:00
|
|
|
const char *domain,
|
2008-12-31 17:54:11 +00:00
|
|
|
const struct in_addr *addr,
|
|
|
|
const struct in_addr *mask,
|
2008-02-05 06:29:47 +00:00
|
|
|
struct netlbl_audit *audit_info)
|
|
|
|
{
|
|
|
|
int ret_val = -ENOMEM;
|
2008-12-31 17:54:11 +00:00
|
|
|
struct cipso_v4_doi *doi_def;
|
2008-02-05 06:29:47 +00:00
|
|
|
struct netlbl_dom_map *entry;
|
2008-12-31 17:54:11 +00:00
|
|
|
struct netlbl_domaddr_map *addrmap = NULL;
|
|
|
|
struct netlbl_domaddr4_map *addrinfo = NULL;
|
2008-02-05 06:29:47 +00:00
|
|
|
|
2008-12-31 17:54:11 +00:00
|
|
|
doi_def = cipso_v4_doi_getdef(doi);
|
|
|
|
if (doi_def == NULL)
|
|
|
|
return -ENOENT;
|
2008-10-10 14:16:31 +00:00
|
|
|
|
2008-02-05 06:29:47 +00:00
|
|
|
entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
|
|
|
|
if (entry == NULL)
|
2011-08-11 00:06:04 +00:00
|
|
|
goto out_entry;
|
2016-06-27 19:02:46 +00:00
|
|
|
entry->family = AF_INET;
|
2008-02-05 06:29:47 +00:00
|
|
|
if (domain != NULL) {
|
|
|
|
entry->domain = kstrdup(domain, GFP_ATOMIC);
|
|
|
|
if (entry->domain == NULL)
|
2011-08-11 00:06:04 +00:00
|
|
|
goto out_domain;
|
2008-02-05 06:29:47 +00:00
|
|
|
}
|
|
|
|
|
2008-12-31 17:54:11 +00:00
|
|
|
if (addr == NULL && mask == NULL) {
|
2013-08-02 18:45:08 +00:00
|
|
|
entry->def.cipso = doi_def;
|
|
|
|
entry->def.type = NETLBL_NLTYPE_CIPSOV4;
|
2008-12-31 17:54:11 +00:00
|
|
|
} else if (addr != NULL && mask != NULL) {
|
|
|
|
addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
|
|
|
|
if (addrmap == NULL)
|
2011-08-11 00:06:04 +00:00
|
|
|
goto out_addrmap;
|
2008-12-31 17:54:11 +00:00
|
|
|
INIT_LIST_HEAD(&addrmap->list4);
|
|
|
|
INIT_LIST_HEAD(&addrmap->list6);
|
|
|
|
|
|
|
|
addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
|
|
|
|
if (addrinfo == NULL)
|
2011-08-11 00:06:04 +00:00
|
|
|
goto out_addrinfo;
|
2013-08-02 18:45:08 +00:00
|
|
|
addrinfo->def.cipso = doi_def;
|
|
|
|
addrinfo->def.type = NETLBL_NLTYPE_CIPSOV4;
|
2008-12-31 17:54:11 +00:00
|
|
|
addrinfo->list.addr = addr->s_addr & mask->s_addr;
|
|
|
|
addrinfo->list.mask = mask->s_addr;
|
|
|
|
addrinfo->list.valid = 1;
|
|
|
|
ret_val = netlbl_af4list_add(&addrinfo->list, &addrmap->list4);
|
|
|
|
if (ret_val != 0)
|
|
|
|
goto cfg_cipsov4_map_add_failure;
|
|
|
|
|
2013-08-02 18:45:08 +00:00
|
|
|
entry->def.addrsel = addrmap;
|
|
|
|
entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
|
2008-12-31 17:54:11 +00:00
|
|
|
} else {
|
|
|
|
ret_val = -EINVAL;
|
2011-08-11 00:06:04 +00:00
|
|
|
goto out_addrmap;
|
2008-10-10 14:16:31 +00:00
|
|
|
}
|
2008-12-31 17:54:11 +00:00
|
|
|
|
2008-02-05 06:29:47 +00:00
|
|
|
ret_val = netlbl_domhsh_add(entry, audit_info);
|
|
|
|
if (ret_val != 0)
|
2008-12-31 17:54:11 +00:00
|
|
|
goto cfg_cipsov4_map_add_failure;
|
2008-10-10 14:16:31 +00:00
|
|
|
|
2008-12-31 17:54:11 +00:00
|
|
|
return 0;
|
2008-10-10 14:16:31 +00:00
|
|
|
|
2008-12-31 17:54:11 +00:00
|
|
|
cfg_cipsov4_map_add_failure:
|
2011-08-11 00:06:04 +00:00
|
|
|
kfree(addrinfo);
|
|
|
|
out_addrinfo:
|
|
|
|
kfree(addrmap);
|
|
|
|
out_addrmap:
|
2009-07-27 06:15:43 +00:00
|
|
|
kfree(entry->domain);
|
2011-08-11 00:06:04 +00:00
|
|
|
out_domain:
|
2008-02-05 06:29:47 +00:00
|
|
|
kfree(entry);
|
2011-08-11 00:06:04 +00:00
|
|
|
out_entry:
|
|
|
|
cipso_v4_doi_putdef(doi_def);
|
2008-12-31 17:54:11 +00:00
|
|
|
return ret_val;
|
2008-02-05 06:29:47 +00:00
|
|
|
}
|
|
|
|
|
2016-06-27 19:06:18 +00:00
|
|
|
/**
|
|
|
|
* netlbl_cfg_calipso_add - Add a new CALIPSO DOI definition
|
|
|
|
* @doi_def: CALIPSO DOI definition
|
|
|
|
* @audit_info: NetLabel audit information
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Add a new CALIPSO DOI definition as defined by @doi_def. Returns zero on
|
|
|
|
* success and negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
|
|
|
|
struct netlbl_audit *audit_info)
|
|
|
|
{
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
return calipso_doi_add(doi_def, audit_info);
|
|
|
|
#else /* IPv6 */
|
|
|
|
return -ENOSYS;
|
|
|
|
#endif /* IPv6 */
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_cfg_calipso_del - Remove an existing CALIPSO DOI definition
|
|
|
|
* @doi: CALIPSO DOI
|
|
|
|
* @audit_info: NetLabel audit information
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Remove an existing CALIPSO DOI definition matching @doi. Returns zero on
|
|
|
|
* success and negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info)
|
|
|
|
{
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
calipso_doi_remove(doi, audit_info);
|
|
|
|
#endif /* IPv6 */
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_cfg_calipso_map_add - Add a new CALIPSO DOI mapping
|
|
|
|
* @doi: the CALIPSO DOI
|
|
|
|
* @domain: the domain mapping to add
|
|
|
|
* @addr: IP address
|
|
|
|
* @mask: IP address mask
|
|
|
|
* @audit_info: NetLabel audit information
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Add a new NetLabel/LSM domain mapping for the given CALIPSO DOI to the
|
|
|
|
* NetLabel subsystem. A @domain value of NULL adds a new default domain
|
|
|
|
* mapping. Returns zero on success, negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int netlbl_cfg_calipso_map_add(u32 doi,
|
|
|
|
const char *domain,
|
|
|
|
const struct in6_addr *addr,
|
|
|
|
const struct in6_addr *mask,
|
|
|
|
struct netlbl_audit *audit_info)
|
|
|
|
{
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
int ret_val = -ENOMEM;
|
|
|
|
struct calipso_doi *doi_def;
|
|
|
|
struct netlbl_dom_map *entry;
|
|
|
|
struct netlbl_domaddr_map *addrmap = NULL;
|
|
|
|
struct netlbl_domaddr6_map *addrinfo = NULL;
|
|
|
|
|
|
|
|
doi_def = calipso_doi_getdef(doi);
|
|
|
|
if (doi_def == NULL)
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
|
|
|
|
if (entry == NULL)
|
|
|
|
goto out_entry;
|
|
|
|
entry->family = AF_INET6;
|
|
|
|
if (domain != NULL) {
|
|
|
|
entry->domain = kstrdup(domain, GFP_ATOMIC);
|
|
|
|
if (entry->domain == NULL)
|
|
|
|
goto out_domain;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (addr == NULL && mask == NULL) {
|
|
|
|
entry->def.calipso = doi_def;
|
|
|
|
entry->def.type = NETLBL_NLTYPE_CALIPSO;
|
|
|
|
} else if (addr != NULL && mask != NULL) {
|
|
|
|
addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
|
|
|
|
if (addrmap == NULL)
|
|
|
|
goto out_addrmap;
|
|
|
|
INIT_LIST_HEAD(&addrmap->list4);
|
|
|
|
INIT_LIST_HEAD(&addrmap->list6);
|
|
|
|
|
|
|
|
addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
|
|
|
|
if (addrinfo == NULL)
|
|
|
|
goto out_addrinfo;
|
|
|
|
addrinfo->def.calipso = doi_def;
|
|
|
|
addrinfo->def.type = NETLBL_NLTYPE_CALIPSO;
|
|
|
|
addrinfo->list.addr = *addr;
|
|
|
|
addrinfo->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
|
|
|
|
addrinfo->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
|
|
|
|
addrinfo->list.addr.s6_addr32[2] &= mask->s6_addr32[2];
|
|
|
|
addrinfo->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
|
|
|
|
addrinfo->list.mask = *mask;
|
|
|
|
addrinfo->list.valid = 1;
|
|
|
|
ret_val = netlbl_af6list_add(&addrinfo->list, &addrmap->list6);
|
|
|
|
if (ret_val != 0)
|
|
|
|
goto cfg_calipso_map_add_failure;
|
|
|
|
|
|
|
|
entry->def.addrsel = addrmap;
|
|
|
|
entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
|
|
|
|
} else {
|
|
|
|
ret_val = -EINVAL;
|
|
|
|
goto out_addrmap;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret_val = netlbl_domhsh_add(entry, audit_info);
|
|
|
|
if (ret_val != 0)
|
|
|
|
goto cfg_calipso_map_add_failure;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
cfg_calipso_map_add_failure:
|
|
|
|
kfree(addrinfo);
|
|
|
|
out_addrinfo:
|
|
|
|
kfree(addrmap);
|
|
|
|
out_addrmap:
|
|
|
|
kfree(entry->domain);
|
|
|
|
out_domain:
|
|
|
|
kfree(entry);
|
|
|
|
out_entry:
|
|
|
|
calipso_doi_putdef(doi_def);
|
|
|
|
return ret_val;
|
|
|
|
#else /* IPv6 */
|
|
|
|
return -ENOSYS;
|
|
|
|
#endif /* IPv6 */
|
|
|
|
}
|
|
|
|
|
2006-11-29 18:18:18 +00:00
|
|
|
/*
|
|
|
|
* Security Attribute Functions
|
|
|
|
*/
|
|
|
|
|
2014-08-01 15:17:17 +00:00
|
|
|
#define _CM_F_NONE 0x00000000
|
|
|
|
#define _CM_F_ALLOC 0x00000001
|
2014-08-01 15:17:29 +00:00
|
|
|
#define _CM_F_WALK 0x00000002
|
2014-08-01 15:17:17 +00:00
|
|
|
|
|
|
|
/**
|
2014-08-01 15:17:37 +00:00
|
|
|
* _netlbl_catmap_getnode - Get a individual node from a catmap
|
2014-08-01 15:17:17 +00:00
|
|
|
* @catmap: pointer to the category bitmap
|
|
|
|
* @offset: the requested offset
|
|
|
|
* @cm_flags: catmap flags, see _CM_F_*
|
|
|
|
* @gfp_flags: memory allocation flags
|
|
|
|
*
|
|
|
|
* Description:
|
2014-08-01 15:17:29 +00:00
|
|
|
* Iterate through the catmap looking for the node associated with @offset.
|
|
|
|
* If the _CM_F_ALLOC flag is set in @cm_flags and there is no associated node,
|
|
|
|
* one will be created and inserted into the catmap. If the _CM_F_WALK flag is
|
|
|
|
* set in @cm_flags and there is no associated node, the next highest node will
|
|
|
|
* be returned. Returns a pointer to the node on success, NULL on failure.
|
2014-08-01 15:17:17 +00:00
|
|
|
*
|
|
|
|
*/
|
2014-08-01 15:17:37 +00:00
|
|
|
static struct netlbl_lsm_catmap *_netlbl_catmap_getnode(
|
|
|
|
struct netlbl_lsm_catmap **catmap,
|
|
|
|
u32 offset,
|
|
|
|
unsigned int cm_flags,
|
|
|
|
gfp_t gfp_flags)
|
2014-08-01 15:17:17 +00:00
|
|
|
{
|
2014-08-01 15:17:37 +00:00
|
|
|
struct netlbl_lsm_catmap *iter = *catmap;
|
|
|
|
struct netlbl_lsm_catmap *prev = NULL;
|
2014-08-01 15:17:17 +00:00
|
|
|
|
2014-08-01 15:17:29 +00:00
|
|
|
if (iter == NULL)
|
2014-08-01 15:17:37 +00:00
|
|
|
goto catmap_getnode_alloc;
|
2014-08-01 15:17:29 +00:00
|
|
|
if (offset < iter->startbit)
|
2014-08-01 15:17:37 +00:00
|
|
|
goto catmap_getnode_walk;
|
2014-08-01 15:17:17 +00:00
|
|
|
while (iter && offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
|
|
|
|
prev = iter;
|
|
|
|
iter = iter->next;
|
|
|
|
}
|
|
|
|
if (iter == NULL || offset < iter->startbit)
|
2014-08-01 15:17:37 +00:00
|
|
|
goto catmap_getnode_walk;
|
2014-08-01 15:17:17 +00:00
|
|
|
|
|
|
|
return iter;
|
|
|
|
|
2014-08-01 15:17:37 +00:00
|
|
|
catmap_getnode_walk:
|
2014-08-01 15:17:29 +00:00
|
|
|
if (cm_flags & _CM_F_WALK)
|
|
|
|
return iter;
|
2014-08-01 15:17:37 +00:00
|
|
|
catmap_getnode_alloc:
|
2014-08-01 15:17:17 +00:00
|
|
|
if (!(cm_flags & _CM_F_ALLOC))
|
|
|
|
return NULL;
|
|
|
|
|
2014-08-01 15:17:37 +00:00
|
|
|
iter = netlbl_catmap_alloc(gfp_flags);
|
2014-08-01 15:17:17 +00:00
|
|
|
if (iter == NULL)
|
|
|
|
return NULL;
|
|
|
|
iter->startbit = offset & ~(NETLBL_CATMAP_SIZE - 1);
|
|
|
|
|
|
|
|
if (prev == NULL) {
|
|
|
|
iter->next = *catmap;
|
|
|
|
*catmap = iter;
|
|
|
|
} else {
|
|
|
|
iter->next = prev->next;
|
|
|
|
prev->next = iter;
|
|
|
|
}
|
|
|
|
|
|
|
|
return iter;
|
|
|
|
}
|
|
|
|
|
2006-11-29 18:18:18 +00:00
|
|
|
/**
|
2014-08-01 15:17:37 +00:00
|
|
|
* netlbl_catmap_walk - Walk a LSM secattr catmap looking for a bit
|
2006-11-29 18:18:18 +00:00
|
|
|
* @catmap: the category bitmap
|
|
|
|
* @offset: the offset to start searching at, in bits
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* This function walks a LSM secattr category bitmap starting at @offset and
|
|
|
|
* returns the spot of the first set bit or -ENOENT if no bits are set.
|
|
|
|
*
|
|
|
|
*/
|
2014-08-01 15:17:37 +00:00
|
|
|
int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap, u32 offset)
|
2006-11-29 18:18:18 +00:00
|
|
|
{
|
2019-09-01 15:52:05 +00:00
|
|
|
struct netlbl_lsm_catmap *iter;
|
2014-08-01 15:17:29 +00:00
|
|
|
u32 idx;
|
|
|
|
u32 bit;
|
2024-02-04 02:35:31 +00:00
|
|
|
u64 bitmap;
|
2006-11-29 18:18:18 +00:00
|
|
|
|
2014-08-01 15:17:37 +00:00
|
|
|
iter = _netlbl_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
|
2014-08-01 15:17:29 +00:00
|
|
|
if (iter == NULL)
|
|
|
|
return -ENOENT;
|
2006-11-29 18:18:18 +00:00
|
|
|
if (offset > iter->startbit) {
|
2014-08-01 15:17:29 +00:00
|
|
|
offset -= iter->startbit;
|
|
|
|
idx = offset / NETLBL_CATMAP_MAPSIZE;
|
|
|
|
bit = offset % NETLBL_CATMAP_MAPSIZE;
|
2006-11-29 18:18:18 +00:00
|
|
|
} else {
|
2014-08-01 15:17:29 +00:00
|
|
|
idx = 0;
|
|
|
|
bit = 0;
|
2006-11-29 18:18:18 +00:00
|
|
|
}
|
2014-08-01 15:17:29 +00:00
|
|
|
bitmap = iter->bitmap[idx] >> bit;
|
2006-11-29 18:18:18 +00:00
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
if (bitmap != 0) {
|
|
|
|
while ((bitmap & NETLBL_CATMAP_BIT) == 0) {
|
|
|
|
bitmap >>= 1;
|
2014-08-01 15:17:29 +00:00
|
|
|
bit++;
|
2006-11-29 18:18:18 +00:00
|
|
|
}
|
|
|
|
return iter->startbit +
|
2014-08-01 15:17:29 +00:00
|
|
|
(NETLBL_CATMAP_MAPSIZE * idx) + bit;
|
2006-11-29 18:18:18 +00:00
|
|
|
}
|
2014-08-01 15:17:29 +00:00
|
|
|
if (++idx >= NETLBL_CATMAP_MAPCNT) {
|
2006-11-29 18:18:18 +00:00
|
|
|
if (iter->next != NULL) {
|
|
|
|
iter = iter->next;
|
2014-08-01 15:17:29 +00:00
|
|
|
idx = 0;
|
2006-11-29 18:18:18 +00:00
|
|
|
} else
|
|
|
|
return -ENOENT;
|
|
|
|
}
|
2014-08-01 15:17:29 +00:00
|
|
|
bitmap = iter->bitmap[idx];
|
|
|
|
bit = 0;
|
2006-11-29 18:18:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return -ENOENT;
|
|
|
|
}
|
2016-06-27 19:02:51 +00:00
|
|
|
EXPORT_SYMBOL(netlbl_catmap_walk);
|
2006-11-29 18:18:18 +00:00
|
|
|
|
|
|
|
/**
|
2014-08-01 15:17:37 +00:00
|
|
|
* netlbl_catmap_walkrng - Find the end of a string of set bits
|
2006-11-29 18:18:18 +00:00
|
|
|
* @catmap: the category bitmap
|
|
|
|
* @offset: the offset to start searching at, in bits
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* This function walks a LSM secattr category bitmap starting at @offset and
|
|
|
|
* returns the spot of the first cleared bit or -ENOENT if the offset is past
|
|
|
|
* the end of the bitmap.
|
|
|
|
*
|
|
|
|
*/
|
2014-08-01 15:17:37 +00:00
|
|
|
int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap, u32 offset)
|
2006-11-29 18:18:18 +00:00
|
|
|
{
|
2014-08-01 15:17:37 +00:00
|
|
|
struct netlbl_lsm_catmap *iter;
|
|
|
|
struct netlbl_lsm_catmap *prev = NULL;
|
2014-08-01 15:17:29 +00:00
|
|
|
u32 idx;
|
|
|
|
u32 bit;
|
2024-02-04 02:35:31 +00:00
|
|
|
u64 bitmask;
|
|
|
|
u64 bitmap;
|
2006-11-29 18:18:18 +00:00
|
|
|
|
2014-08-01 15:17:37 +00:00
|
|
|
iter = _netlbl_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
|
2014-08-01 15:17:29 +00:00
|
|
|
if (iter == NULL)
|
|
|
|
return -ENOENT;
|
2006-11-29 18:18:18 +00:00
|
|
|
if (offset > iter->startbit) {
|
2014-08-01 15:17:29 +00:00
|
|
|
offset -= iter->startbit;
|
|
|
|
idx = offset / NETLBL_CATMAP_MAPSIZE;
|
|
|
|
bit = offset % NETLBL_CATMAP_MAPSIZE;
|
2006-11-29 18:18:18 +00:00
|
|
|
} else {
|
2014-08-01 15:17:29 +00:00
|
|
|
idx = 0;
|
|
|
|
bit = 0;
|
2006-11-29 18:18:18 +00:00
|
|
|
}
|
2014-08-01 15:17:29 +00:00
|
|
|
bitmask = NETLBL_CATMAP_BIT << bit;
|
2006-11-29 18:18:18 +00:00
|
|
|
|
|
|
|
for (;;) {
|
2014-08-01 15:17:29 +00:00
|
|
|
bitmap = iter->bitmap[idx];
|
2006-11-29 18:18:18 +00:00
|
|
|
while (bitmask != 0 && (bitmap & bitmask) != 0) {
|
|
|
|
bitmask <<= 1;
|
2014-08-01 15:17:29 +00:00
|
|
|
bit++;
|
2006-11-29 18:18:18 +00:00
|
|
|
}
|
|
|
|
|
2014-08-01 15:17:29 +00:00
|
|
|
if (prev && idx == 0 && bit == 0)
|
|
|
|
return prev->startbit + NETLBL_CATMAP_SIZE - 1;
|
|
|
|
else if (bitmask != 0)
|
2006-11-29 18:18:18 +00:00
|
|
|
return iter->startbit +
|
2014-08-01 15:17:29 +00:00
|
|
|
(NETLBL_CATMAP_MAPSIZE * idx) + bit - 1;
|
|
|
|
else if (++idx >= NETLBL_CATMAP_MAPCNT) {
|
2006-11-29 18:18:18 +00:00
|
|
|
if (iter->next == NULL)
|
2014-08-01 15:17:29 +00:00
|
|
|
return iter->startbit + NETLBL_CATMAP_SIZE - 1;
|
|
|
|
prev = iter;
|
2006-11-29 18:18:18 +00:00
|
|
|
iter = iter->next;
|
2014-08-01 15:17:29 +00:00
|
|
|
idx = 0;
|
2006-11-29 18:18:18 +00:00
|
|
|
}
|
|
|
|
bitmask = NETLBL_CATMAP_BIT;
|
2014-08-01 15:17:29 +00:00
|
|
|
bit = 0;
|
2006-11-29 18:18:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return -ENOENT;
|
|
|
|
}
|
|
|
|
|
2014-08-01 15:17:17 +00:00
|
|
|
/**
|
2014-08-01 15:17:37 +00:00
|
|
|
* netlbl_catmap_getlong - Export an unsigned long bitmap
|
2014-08-01 15:17:17 +00:00
|
|
|
* @catmap: pointer to the category bitmap
|
|
|
|
* @offset: pointer to the requested offset
|
|
|
|
* @bitmap: the exported bitmap
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Export a bitmap with an offset greater than or equal to @offset and return
|
|
|
|
* it in @bitmap. The @offset must be aligned to an unsigned long and will be
|
|
|
|
* updated on return if different from what was requested; if the catmap is
|
|
|
|
* empty at the requested offset and beyond, the @offset is set to (u32)-1.
|
2021-06-07 15:01:00 +00:00
|
|
|
* Returns zero on success, negative values on failure.
|
2014-08-01 15:17:17 +00:00
|
|
|
*
|
|
|
|
*/
|
2014-08-01 15:17:37 +00:00
|
|
|
int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
|
|
|
|
u32 *offset,
|
|
|
|
unsigned long *bitmap)
|
2014-08-01 15:17:17 +00:00
|
|
|
{
|
2014-08-01 15:17:37 +00:00
|
|
|
struct netlbl_lsm_catmap *iter;
|
2014-08-01 15:17:17 +00:00
|
|
|
u32 off = *offset;
|
|
|
|
u32 idx;
|
|
|
|
|
|
|
|
/* only allow aligned offsets */
|
|
|
|
if ((off & (BITS_PER_LONG - 1)) != 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2020-05-12 12:43:14 +00:00
|
|
|
/* a null catmap is equivalent to an empty one */
|
|
|
|
if (!catmap) {
|
|
|
|
*offset = (u32)-1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-08-01 15:17:17 +00:00
|
|
|
if (off < catmap->startbit) {
|
|
|
|
off = catmap->startbit;
|
|
|
|
*offset = off;
|
|
|
|
}
|
2016-06-09 14:56:02 +00:00
|
|
|
iter = _netlbl_catmap_getnode(&catmap, off, _CM_F_WALK, 0);
|
2014-08-01 15:17:17 +00:00
|
|
|
if (iter == NULL) {
|
|
|
|
*offset = (u32)-1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (off < iter->startbit) {
|
2016-06-09 14:56:02 +00:00
|
|
|
*offset = iter->startbit;
|
|
|
|
off = 0;
|
2014-08-01 15:17:17 +00:00
|
|
|
} else
|
|
|
|
off -= iter->startbit;
|
|
|
|
idx = off / NETLBL_CATMAP_MAPSIZE;
|
2016-06-09 14:56:02 +00:00
|
|
|
*bitmap = iter->bitmap[idx] >> (off % NETLBL_CATMAP_MAPSIZE);
|
2014-08-01 15:17:17 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2006-11-29 18:18:18 +00:00
|
|
|
/**
|
2014-08-01 15:17:37 +00:00
|
|
|
* netlbl_catmap_setbit - Set a bit in a LSM secattr catmap
|
2014-08-01 15:17:03 +00:00
|
|
|
* @catmap: pointer to the category bitmap
|
2006-11-29 18:18:18 +00:00
|
|
|
* @bit: the bit to set
|
|
|
|
* @flags: memory allocation flags
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Set the bit specified by @bit in @catmap. Returns zero on success,
|
|
|
|
* negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
2014-08-01 15:17:37 +00:00
|
|
|
int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
|
|
|
|
u32 bit,
|
|
|
|
gfp_t flags)
|
2006-11-29 18:18:18 +00:00
|
|
|
{
|
2014-08-01 15:17:37 +00:00
|
|
|
struct netlbl_lsm_catmap *iter;
|
2014-08-01 15:17:17 +00:00
|
|
|
u32 idx;
|
2006-11-29 18:18:18 +00:00
|
|
|
|
2014-08-01 15:17:37 +00:00
|
|
|
iter = _netlbl_catmap_getnode(catmap, bit, _CM_F_ALLOC, flags);
|
2014-08-01 15:17:17 +00:00
|
|
|
if (iter == NULL)
|
|
|
|
return -ENOMEM;
|
2006-11-29 18:18:18 +00:00
|
|
|
|
2014-08-01 15:17:17 +00:00
|
|
|
bit -= iter->startbit;
|
|
|
|
idx = bit / NETLBL_CATMAP_MAPSIZE;
|
|
|
|
iter->bitmap[idx] |= NETLBL_CATMAP_BIT << (bit % NETLBL_CATMAP_MAPSIZE);
|
2006-11-29 18:18:18 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2016-06-27 19:02:51 +00:00
|
|
|
EXPORT_SYMBOL(netlbl_catmap_setbit);
|
2006-11-29 18:18:18 +00:00
|
|
|
|
|
|
|
/**
|
2014-08-01 15:17:37 +00:00
|
|
|
* netlbl_catmap_setrng - Set a range of bits in a LSM secattr catmap
|
2014-08-01 15:17:03 +00:00
|
|
|
* @catmap: pointer to the category bitmap
|
2006-11-29 18:18:18 +00:00
|
|
|
* @start: the starting bit
|
|
|
|
* @end: the last bit in the string
|
|
|
|
* @flags: memory allocation flags
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Set a range of bits, starting at @start and ending with @end. Returns zero
|
|
|
|
* on success, negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
2014-08-01 15:17:37 +00:00
|
|
|
int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
|
|
|
|
u32 start,
|
|
|
|
u32 end,
|
|
|
|
gfp_t flags)
|
2006-11-29 18:18:18 +00:00
|
|
|
{
|
2014-08-01 15:17:17 +00:00
|
|
|
int rc = 0;
|
|
|
|
u32 spot = start;
|
|
|
|
|
|
|
|
while (rc == 0 && spot <= end) {
|
2016-03-28 15:09:46 +00:00
|
|
|
if (((spot & (BITS_PER_LONG - 1)) == 0) &&
|
2014-08-01 15:17:17 +00:00
|
|
|
((end - spot) > BITS_PER_LONG)) {
|
2014-08-01 15:17:37 +00:00
|
|
|
rc = netlbl_catmap_setlong(catmap,
|
|
|
|
spot,
|
|
|
|
(unsigned long)-1,
|
|
|
|
flags);
|
2014-08-01 15:17:17 +00:00
|
|
|
spot += BITS_PER_LONG;
|
|
|
|
} else
|
2014-08-01 15:17:37 +00:00
|
|
|
rc = netlbl_catmap_setbit(catmap, spot++, flags);
|
2006-11-29 18:18:18 +00:00
|
|
|
}
|
|
|
|
|
2014-08-01 15:17:17 +00:00
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2014-08-01 15:17:37 +00:00
|
|
|
* netlbl_catmap_setlong - Import an unsigned long bitmap
|
2014-08-01 15:17:17 +00:00
|
|
|
* @catmap: pointer to the category bitmap
|
|
|
|
* @offset: offset to the start of the imported bitmap
|
|
|
|
* @bitmap: the bitmap to import
|
|
|
|
* @flags: memory allocation flags
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Import the bitmap specified in @bitmap into @catmap, using the offset
|
|
|
|
* in @offset. The offset must be aligned to an unsigned long. Returns zero
|
|
|
|
* on success, negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
2014-08-01 15:17:37 +00:00
|
|
|
int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
|
|
|
|
u32 offset,
|
|
|
|
unsigned long bitmap,
|
|
|
|
gfp_t flags)
|
2014-08-01 15:17:17 +00:00
|
|
|
{
|
2014-08-01 15:17:37 +00:00
|
|
|
struct netlbl_lsm_catmap *iter;
|
2014-08-01 15:17:17 +00:00
|
|
|
u32 idx;
|
|
|
|
|
|
|
|
/* only allow aligned offsets */
|
|
|
|
if ((offset & (BITS_PER_LONG - 1)) != 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2014-08-01 15:17:37 +00:00
|
|
|
iter = _netlbl_catmap_getnode(catmap, offset, _CM_F_ALLOC, flags);
|
2014-08-01 15:17:17 +00:00
|
|
|
if (iter == NULL)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
offset -= iter->startbit;
|
|
|
|
idx = offset / NETLBL_CATMAP_MAPSIZE;
|
2024-02-04 02:35:31 +00:00
|
|
|
iter->bitmap[idx] |= (u64)bitmap
|
2023-06-08 13:57:54 +00:00
|
|
|
<< (offset % NETLBL_CATMAP_MAPSIZE);
|
2014-08-01 15:17:17 +00:00
|
|
|
|
|
|
|
return 0;
|
2006-11-29 18:18:18 +00:00
|
|
|
}
|
|
|
|
|
2016-06-27 19:02:51 +00:00
|
|
|
/* Bitmap functions
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_bitmap_walk - Walk a bitmap looking for a bit
|
|
|
|
* @bitmap: the bitmap
|
|
|
|
* @bitmap_len: length in bits
|
|
|
|
* @offset: starting offset
|
|
|
|
* @state: if non-zero, look for a set (1) bit else look for a cleared (0) bit
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Starting at @offset, walk the bitmap from left to right until either the
|
|
|
|
* desired bit is found or we reach the end. Return the bit offset, -1 if
|
2024-02-27 09:36:04 +00:00
|
|
|
* not found.
|
2016-06-27 19:02:51 +00:00
|
|
|
*/
|
|
|
|
int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
|
|
|
|
u32 offset, u8 state)
|
|
|
|
{
|
|
|
|
u32 bit_spot;
|
|
|
|
u32 byte_offset;
|
|
|
|
unsigned char bitmask;
|
|
|
|
unsigned char byte;
|
|
|
|
|
2022-03-18 06:35:08 +00:00
|
|
|
if (offset >= bitmap_len)
|
|
|
|
return -1;
|
2016-06-27 19:02:51 +00:00
|
|
|
byte_offset = offset / 8;
|
|
|
|
byte = bitmap[byte_offset];
|
|
|
|
bit_spot = offset;
|
|
|
|
bitmask = 0x80 >> (offset % 8);
|
|
|
|
|
|
|
|
while (bit_spot < bitmap_len) {
|
|
|
|
if ((state && (byte & bitmask) == bitmask) ||
|
|
|
|
(state == 0 && (byte & bitmask) == 0))
|
|
|
|
return bit_spot;
|
|
|
|
|
2019-02-26 00:06:06 +00:00
|
|
|
if (++bit_spot >= bitmap_len)
|
|
|
|
return -1;
|
2016-06-27 19:02:51 +00:00
|
|
|
bitmask >>= 1;
|
|
|
|
if (bitmask == 0) {
|
|
|
|
byte = bitmap[++byte_offset];
|
|
|
|
bitmask = 0x80;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(netlbl_bitmap_walk);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_bitmap_setbit - Sets a single bit in a bitmap
|
|
|
|
* @bitmap: the bitmap
|
|
|
|
* @bit: the bit
|
|
|
|
* @state: if non-zero, set the bit (1) else clear the bit (0)
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Set a single bit in the bitmask. Returns zero on success, negative values
|
|
|
|
* on error.
|
|
|
|
*/
|
|
|
|
void netlbl_bitmap_setbit(unsigned char *bitmap, u32 bit, u8 state)
|
|
|
|
{
|
|
|
|
u32 byte_spot;
|
|
|
|
u8 bitmask;
|
|
|
|
|
|
|
|
/* gcc always rounds to zero when doing integer division */
|
|
|
|
byte_spot = bit / 8;
|
|
|
|
bitmask = 0x80 >> (bit % 8);
|
|
|
|
if (state)
|
|
|
|
bitmap[byte_spot] |= bitmask;
|
|
|
|
else
|
|
|
|
bitmap[byte_spot] &= ~bitmask;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(netlbl_bitmap_setbit);
|
|
|
|
|
2006-08-03 23:48:37 +00:00
|
|
|
/*
|
|
|
|
* LSM Functions
|
|
|
|
*/
|
|
|
|
|
2007-07-18 16:28:45 +00:00
|
|
|
/**
|
|
|
|
* netlbl_enabled - Determine if the NetLabel subsystem is enabled
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* The LSM can use this function to determine if it should use NetLabel
|
|
|
|
* security attributes in it's enforcement mechanism. Currently, NetLabel is
|
|
|
|
* considered to be enabled when it's configuration contains a valid setup for
|
|
|
|
* at least one labeled protocol (i.e. NetLabel can understand incoming
|
|
|
|
* labeled packets of at least one type); otherwise NetLabel is considered to
|
|
|
|
* be disabled.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int netlbl_enabled(void)
|
|
|
|
{
|
|
|
|
/* At some point we probably want to expose this mechanism to the user
|
|
|
|
* as well so that admins can toggle NetLabel regardless of the
|
|
|
|
* configuration */
|
2008-01-29 13:37:52 +00:00
|
|
|
return (atomic_read(&netlabel_mgmt_protocount) > 0);
|
2007-07-18 16:28:45 +00:00
|
|
|
}
|
|
|
|
|
2006-08-03 23:48:37 +00:00
|
|
|
/**
|
2009-03-27 21:10:34 +00:00
|
|
|
* netlbl_sock_setattr - Label a socket using the correct protocol
|
2007-06-08 01:37:15 +00:00
|
|
|
* @sk: the socket to label
|
2009-03-27 21:10:34 +00:00
|
|
|
* @family: protocol family
|
2006-08-03 23:48:37 +00:00
|
|
|
* @secattr: the security attributes
|
2024-05-10 17:19:12 +00:00
|
|
|
* @sk_locked: true if caller holds the socket lock
|
2006-08-03 23:48:37 +00:00
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Attach the correct label to the given socket using the security attributes
|
2007-06-08 01:37:15 +00:00
|
|
|
* specified in @secattr. This function requires exclusive access to @sk,
|
|
|
|
* which means it either needs to be in the process of being created or locked.
|
2008-10-10 14:16:32 +00:00
|
|
|
* Returns zero on success, -EDESTADDRREQ if the domain is configured to use
|
|
|
|
* network address selectors (can't blindly label the socket), and negative
|
|
|
|
* values on all other failures.
|
2006-08-03 23:48:37 +00:00
|
|
|
*
|
|
|
|
*/
|
2007-06-08 01:37:15 +00:00
|
|
|
int netlbl_sock_setattr(struct sock *sk,
|
2009-03-27 21:10:34 +00:00
|
|
|
u16 family,
|
2024-05-10 17:19:12 +00:00
|
|
|
const struct netlbl_lsm_secattr *secattr,
|
|
|
|
bool sk_locked)
|
2006-08-03 23:48:37 +00:00
|
|
|
{
|
2009-03-27 21:10:34 +00:00
|
|
|
int ret_val;
|
2006-08-03 23:48:37 +00:00
|
|
|
struct netlbl_dom_map *dom_entry;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
2016-06-27 19:02:46 +00:00
|
|
|
dom_entry = netlbl_domhsh_getentry(secattr->domain, family);
|
2009-03-27 21:10:34 +00:00
|
|
|
if (dom_entry == NULL) {
|
|
|
|
ret_val = -ENOENT;
|
2006-08-03 23:48:37 +00:00
|
|
|
goto socket_setattr_return;
|
2009-03-27 21:10:34 +00:00
|
|
|
}
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
2013-08-02 18:45:08 +00:00
|
|
|
switch (dom_entry->def.type) {
|
2009-03-27 21:10:34 +00:00
|
|
|
case NETLBL_NLTYPE_ADDRSELECT:
|
|
|
|
ret_val = -EDESTADDRREQ;
|
|
|
|
break;
|
|
|
|
case NETLBL_NLTYPE_CIPSOV4:
|
|
|
|
ret_val = cipso_v4_sock_setattr(sk,
|
2013-08-02 18:45:08 +00:00
|
|
|
dom_entry->def.cipso,
|
2024-05-10 17:19:12 +00:00
|
|
|
secattr, sk_locked);
|
2009-03-27 21:10:34 +00:00
|
|
|
break;
|
|
|
|
case NETLBL_NLTYPE_UNLABELED:
|
|
|
|
ret_val = 0;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
}
|
2006-08-03 23:48:37 +00:00
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2009-03-27 21:10:34 +00:00
|
|
|
case AF_INET6:
|
2016-06-27 19:02:51 +00:00
|
|
|
switch (dom_entry->def.type) {
|
|
|
|
case NETLBL_NLTYPE_ADDRSELECT:
|
|
|
|
ret_val = -EDESTADDRREQ;
|
|
|
|
break;
|
|
|
|
case NETLBL_NLTYPE_CALIPSO:
|
|
|
|
ret_val = calipso_sock_setattr(sk,
|
|
|
|
dom_entry->def.calipso,
|
|
|
|
secattr);
|
|
|
|
break;
|
|
|
|
case NETLBL_NLTYPE_UNLABELED:
|
|
|
|
ret_val = 0;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
}
|
2006-08-03 23:48:37 +00:00
|
|
|
break;
|
2009-03-27 21:10:34 +00:00
|
|
|
#endif /* IPv6 */
|
2006-08-03 23:48:37 +00:00
|
|
|
default:
|
2009-03-27 21:10:34 +00:00
|
|
|
ret_val = -EPROTONOSUPPORT;
|
2006-08-03 23:48:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
socket_setattr_return:
|
|
|
|
rcu_read_unlock();
|
|
|
|
return ret_val;
|
|
|
|
}
|
|
|
|
|
2008-10-10 14:16:33 +00:00
|
|
|
/**
|
|
|
|
* netlbl_sock_delattr - Delete all the NetLabel labels on a socket
|
|
|
|
* @sk: the socket
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Remove all the NetLabel labeling from @sk. The caller is responsible for
|
|
|
|
* ensuring that @sk is locked.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void netlbl_sock_delattr(struct sock *sk)
|
|
|
|
{
|
2016-06-06 19:17:20 +00:00
|
|
|
switch (sk->sk_family) {
|
|
|
|
case AF_INET:
|
|
|
|
cipso_v4_sock_delattr(sk);
|
|
|
|
break;
|
2016-06-27 19:02:51 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
case AF_INET6:
|
|
|
|
calipso_sock_delattr(sk);
|
|
|
|
break;
|
|
|
|
#endif /* IPv6 */
|
2016-06-06 19:17:20 +00:00
|
|
|
}
|
2008-10-10 14:16:33 +00:00
|
|
|
}
|
|
|
|
|
2006-09-25 22:52:01 +00:00
|
|
|
/**
|
|
|
|
* netlbl_sock_getattr - Determine the security attributes of a sock
|
|
|
|
* @sk: the sock
|
|
|
|
* @secattr: the security attributes
|
|
|
|
*
|
|
|
|
* Description:
|
2008-01-29 13:44:21 +00:00
|
|
|
* Examines the given sock to see if any NetLabel style labeling has been
|
2006-09-25 22:52:01 +00:00
|
|
|
* applied to the sock, if so it parses the socket label and returns the
|
|
|
|
* security attributes in @secattr. Returns zero on success, negative values
|
|
|
|
* on failure.
|
|
|
|
*
|
|
|
|
*/
|
2009-03-27 21:10:34 +00:00
|
|
|
int netlbl_sock_getattr(struct sock *sk,
|
|
|
|
struct netlbl_lsm_secattr *secattr)
|
2006-09-25 22:52:01 +00:00
|
|
|
{
|
2009-03-27 21:10:34 +00:00
|
|
|
int ret_val;
|
|
|
|
|
|
|
|
switch (sk->sk_family) {
|
|
|
|
case AF_INET:
|
|
|
|
ret_val = cipso_v4_sock_getattr(sk, secattr);
|
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2009-03-27 21:10:34 +00:00
|
|
|
case AF_INET6:
|
2016-06-27 19:02:51 +00:00
|
|
|
ret_val = calipso_sock_getattr(sk, secattr);
|
2009-03-27 21:10:34 +00:00
|
|
|
break;
|
|
|
|
#endif /* IPv6 */
|
|
|
|
default:
|
|
|
|
ret_val = -EPROTONOSUPPORT;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret_val;
|
2006-09-25 22:52:01 +00:00
|
|
|
}
|
|
|
|
|
2024-05-10 17:19:12 +00:00
|
|
|
/**
|
|
|
|
* netlbl_sk_lock_check - Check if the socket lock has been acquired.
|
|
|
|
* @sk: the socket to be checked
|
|
|
|
*
|
|
|
|
* Return: true if socket @sk is locked or if lock debugging is disabled at
|
|
|
|
* runtime or compile-time; false otherwise
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
#ifdef CONFIG_LOCKDEP
|
|
|
|
bool netlbl_sk_lock_check(struct sock *sk)
|
|
|
|
{
|
|
|
|
if (debug_locks)
|
|
|
|
return lockdep_sock_is_held(sk);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
bool netlbl_sk_lock_check(struct sock *sk)
|
|
|
|
{
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2008-10-10 14:16:33 +00:00
|
|
|
/**
|
|
|
|
* netlbl_conn_setattr - Label a connected socket using the correct protocol
|
|
|
|
* @sk: the socket to label
|
|
|
|
* @addr: the destination address
|
|
|
|
* @secattr: the security attributes
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Attach the correct label to the given connected socket using the security
|
|
|
|
* attributes specified in @secattr. The caller is responsible for ensuring
|
|
|
|
* that @sk is locked. Returns zero on success, negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int netlbl_conn_setattr(struct sock *sk,
|
|
|
|
struct sockaddr *addr,
|
|
|
|
const struct netlbl_lsm_secattr *secattr)
|
|
|
|
{
|
|
|
|
int ret_val;
|
|
|
|
struct sockaddr_in *addr4;
|
2016-06-27 19:02:51 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
struct sockaddr_in6 *addr6;
|
|
|
|
#endif
|
2013-08-02 18:45:08 +00:00
|
|
|
struct netlbl_dommap_def *entry;
|
2008-10-10 14:16:33 +00:00
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
switch (addr->sa_family) {
|
|
|
|
case AF_INET:
|
|
|
|
addr4 = (struct sockaddr_in *)addr;
|
2013-08-02 18:45:08 +00:00
|
|
|
entry = netlbl_domhsh_getentry_af4(secattr->domain,
|
|
|
|
addr4->sin_addr.s_addr);
|
|
|
|
if (entry == NULL) {
|
2008-10-10 14:16:33 +00:00
|
|
|
ret_val = -ENOENT;
|
|
|
|
goto conn_setattr_return;
|
|
|
|
}
|
2013-08-02 18:45:08 +00:00
|
|
|
switch (entry->type) {
|
2008-10-10 14:16:33 +00:00
|
|
|
case NETLBL_NLTYPE_CIPSOV4:
|
|
|
|
ret_val = cipso_v4_sock_setattr(sk,
|
2024-05-10 17:19:12 +00:00
|
|
|
entry->cipso, secattr,
|
|
|
|
netlbl_sk_lock_check(sk));
|
2008-10-10 14:16:33 +00:00
|
|
|
break;
|
|
|
|
case NETLBL_NLTYPE_UNLABELED:
|
|
|
|
/* just delete the protocols we support for right now
|
|
|
|
* but we could remove other protocols if needed */
|
2016-06-27 19:02:51 +00:00
|
|
|
netlbl_sock_delattr(sk);
|
2008-10-10 14:16:33 +00:00
|
|
|
ret_val = 0;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
}
|
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2008-10-10 14:16:33 +00:00
|
|
|
case AF_INET6:
|
2016-06-27 19:02:51 +00:00
|
|
|
addr6 = (struct sockaddr_in6 *)addr;
|
|
|
|
entry = netlbl_domhsh_getentry_af6(secattr->domain,
|
|
|
|
&addr6->sin6_addr);
|
|
|
|
if (entry == NULL) {
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
goto conn_setattr_return;
|
|
|
|
}
|
|
|
|
switch (entry->type) {
|
|
|
|
case NETLBL_NLTYPE_CALIPSO:
|
|
|
|
ret_val = calipso_sock_setattr(sk,
|
|
|
|
entry->calipso, secattr);
|
|
|
|
break;
|
|
|
|
case NETLBL_NLTYPE_UNLABELED:
|
|
|
|
/* just delete the protocols we support for right now
|
|
|
|
* but we could remove other protocols if needed */
|
|
|
|
netlbl_sock_delattr(sk);
|
|
|
|
ret_val = 0;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
}
|
2008-10-10 14:16:33 +00:00
|
|
|
break;
|
|
|
|
#endif /* IPv6 */
|
|
|
|
default:
|
2009-03-27 21:10:34 +00:00
|
|
|
ret_val = -EPROTONOSUPPORT;
|
2008-10-10 14:16:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
conn_setattr_return:
|
|
|
|
rcu_read_unlock();
|
|
|
|
return ret_val;
|
|
|
|
}
|
|
|
|
|
2009-03-27 21:10:34 +00:00
|
|
|
/**
|
|
|
|
* netlbl_req_setattr - Label a request socket using the correct protocol
|
|
|
|
* @req: the request socket to label
|
|
|
|
* @secattr: the security attributes
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Attach the correct label to the given socket using the security attributes
|
|
|
|
* specified in @secattr. Returns zero on success, negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int netlbl_req_setattr(struct request_sock *req,
|
|
|
|
const struct netlbl_lsm_secattr *secattr)
|
|
|
|
{
|
|
|
|
int ret_val;
|
2013-08-02 18:45:08 +00:00
|
|
|
struct netlbl_dommap_def *entry;
|
2016-06-27 19:05:29 +00:00
|
|
|
struct inet_request_sock *ireq = inet_rsk(req);
|
2009-03-27 21:10:34 +00:00
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
switch (req->rsk_ops->family) {
|
|
|
|
case AF_INET:
|
2013-08-02 18:45:08 +00:00
|
|
|
entry = netlbl_domhsh_getentry_af4(secattr->domain,
|
2016-06-27 19:05:29 +00:00
|
|
|
ireq->ir_rmt_addr);
|
2013-08-02 18:45:08 +00:00
|
|
|
if (entry == NULL) {
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
goto req_setattr_return;
|
2009-03-27 21:10:34 +00:00
|
|
|
}
|
2013-08-02 18:45:08 +00:00
|
|
|
switch (entry->type) {
|
2009-03-27 21:10:34 +00:00
|
|
|
case NETLBL_NLTYPE_CIPSOV4:
|
2013-08-02 18:45:08 +00:00
|
|
|
ret_val = cipso_v4_req_setattr(req,
|
|
|
|
entry->cipso, secattr);
|
2009-03-27 21:10:34 +00:00
|
|
|
break;
|
|
|
|
case NETLBL_NLTYPE_UNLABELED:
|
2016-06-27 19:05:29 +00:00
|
|
|
netlbl_req_delattr(req);
|
2009-03-27 21:10:34 +00:00
|
|
|
ret_val = 0;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
}
|
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2009-03-27 21:10:34 +00:00
|
|
|
case AF_INET6:
|
2016-06-27 19:05:29 +00:00
|
|
|
entry = netlbl_domhsh_getentry_af6(secattr->domain,
|
|
|
|
&ireq->ir_v6_rmt_addr);
|
|
|
|
if (entry == NULL) {
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
goto req_setattr_return;
|
|
|
|
}
|
|
|
|
switch (entry->type) {
|
|
|
|
case NETLBL_NLTYPE_CALIPSO:
|
|
|
|
ret_val = calipso_req_setattr(req,
|
|
|
|
entry->calipso, secattr);
|
|
|
|
break;
|
|
|
|
case NETLBL_NLTYPE_UNLABELED:
|
|
|
|
netlbl_req_delattr(req);
|
|
|
|
ret_val = 0;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
}
|
2009-03-27 21:10:34 +00:00
|
|
|
break;
|
|
|
|
#endif /* IPv6 */
|
|
|
|
default:
|
|
|
|
ret_val = -EPROTONOSUPPORT;
|
|
|
|
}
|
|
|
|
|
|
|
|
req_setattr_return:
|
|
|
|
rcu_read_unlock();
|
|
|
|
return ret_val;
|
|
|
|
}
|
|
|
|
|
2009-03-27 21:10:54 +00:00
|
|
|
/**
|
|
|
|
* netlbl_req_delattr - Delete all the NetLabel labels on a socket
|
|
|
|
* @req: the socket
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Remove all the NetLabel labeling from @req.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void netlbl_req_delattr(struct request_sock *req)
|
|
|
|
{
|
2016-06-06 19:17:20 +00:00
|
|
|
switch (req->rsk_ops->family) {
|
|
|
|
case AF_INET:
|
|
|
|
cipso_v4_req_delattr(req);
|
|
|
|
break;
|
2016-06-27 19:05:29 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
case AF_INET6:
|
|
|
|
calipso_req_delattr(req);
|
|
|
|
break;
|
|
|
|
#endif /* IPv6 */
|
2016-06-06 19:17:20 +00:00
|
|
|
}
|
2009-03-27 21:10:54 +00:00
|
|
|
}
|
|
|
|
|
2008-10-10 14:16:32 +00:00
|
|
|
/**
|
|
|
|
* netlbl_skbuff_setattr - Label a packet using the correct protocol
|
|
|
|
* @skb: the packet
|
|
|
|
* @family: protocol family
|
|
|
|
* @secattr: the security attributes
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Attach the correct label to the given packet using the security attributes
|
|
|
|
* specified in @secattr. Returns zero on success, negative values on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int netlbl_skbuff_setattr(struct sk_buff *skb,
|
|
|
|
u16 family,
|
|
|
|
const struct netlbl_lsm_secattr *secattr)
|
|
|
|
{
|
|
|
|
int ret_val;
|
|
|
|
struct iphdr *hdr4;
|
2016-06-27 19:06:15 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
struct ipv6hdr *hdr6;
|
|
|
|
#endif
|
2013-08-02 18:45:08 +00:00
|
|
|
struct netlbl_dommap_def *entry;
|
2008-10-10 14:16:32 +00:00
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
hdr4 = ip_hdr(skb);
|
2016-06-27 19:06:15 +00:00
|
|
|
entry = netlbl_domhsh_getentry_af4(secattr->domain,
|
|
|
|
hdr4->daddr);
|
2013-08-02 18:45:08 +00:00
|
|
|
if (entry == NULL) {
|
2008-10-10 14:16:32 +00:00
|
|
|
ret_val = -ENOENT;
|
|
|
|
goto skbuff_setattr_return;
|
|
|
|
}
|
2013-08-02 18:45:08 +00:00
|
|
|
switch (entry->type) {
|
2008-10-10 14:16:32 +00:00
|
|
|
case NETLBL_NLTYPE_CIPSOV4:
|
2013-08-02 18:45:08 +00:00
|
|
|
ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso,
|
|
|
|
secattr);
|
2008-10-10 14:16:32 +00:00
|
|
|
break;
|
|
|
|
case NETLBL_NLTYPE_UNLABELED:
|
|
|
|
/* just delete the protocols we support for right now
|
|
|
|
* but we could remove other protocols if needed */
|
|
|
|
ret_val = cipso_v4_skbuff_delattr(skb);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
}
|
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2008-10-10 14:16:32 +00:00
|
|
|
case AF_INET6:
|
2016-06-27 19:06:15 +00:00
|
|
|
hdr6 = ipv6_hdr(skb);
|
|
|
|
entry = netlbl_domhsh_getentry_af6(secattr->domain,
|
|
|
|
&hdr6->daddr);
|
|
|
|
if (entry == NULL) {
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
goto skbuff_setattr_return;
|
|
|
|
}
|
|
|
|
switch (entry->type) {
|
|
|
|
case NETLBL_NLTYPE_CALIPSO:
|
|
|
|
ret_val = calipso_skbuff_setattr(skb, entry->calipso,
|
|
|
|
secattr);
|
|
|
|
break;
|
|
|
|
case NETLBL_NLTYPE_UNLABELED:
|
|
|
|
/* just delete the protocols we support for right now
|
|
|
|
* but we could remove other protocols if needed */
|
|
|
|
ret_val = calipso_skbuff_delattr(skb);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ret_val = -ENOENT;
|
|
|
|
}
|
2008-10-10 14:16:32 +00:00
|
|
|
break;
|
|
|
|
#endif /* IPv6 */
|
|
|
|
default:
|
2009-03-27 21:10:34 +00:00
|
|
|
ret_val = -EPROTONOSUPPORT;
|
2008-10-10 14:16:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
skbuff_setattr_return:
|
|
|
|
rcu_read_unlock();
|
|
|
|
return ret_val;
|
|
|
|
}
|
|
|
|
|
2006-08-03 23:48:37 +00:00
|
|
|
/**
|
|
|
|
* netlbl_skbuff_getattr - Determine the security attributes of a packet
|
|
|
|
* @skb: the packet
|
2008-01-29 13:38:04 +00:00
|
|
|
* @family: protocol family
|
2006-08-03 23:48:37 +00:00
|
|
|
* @secattr: the security attributes
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Examines the given packet to see if a recognized form of packet labeling
|
|
|
|
* is present, if so it parses the packet label and returns the security
|
|
|
|
* attributes in @secattr. Returns zero on success, negative values on
|
|
|
|
* failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int netlbl_skbuff_getattr(const struct sk_buff *skb,
|
2008-01-29 13:38:04 +00:00
|
|
|
u16 family,
|
2006-08-03 23:48:37 +00:00
|
|
|
struct netlbl_lsm_secattr *secattr)
|
|
|
|
{
|
2015-02-11 19:46:37 +00:00
|
|
|
unsigned char *ptr;
|
|
|
|
|
2009-03-27 21:10:34 +00:00
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
2015-02-11 19:46:37 +00:00
|
|
|
ptr = cipso_v4_optptr(skb);
|
|
|
|
if (ptr && cipso_v4_getattr(ptr, secattr) == 0)
|
2009-03-27 21:10:34 +00:00
|
|
|
return 0;
|
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2009-03-27 21:10:34 +00:00
|
|
|
case AF_INET6:
|
2016-06-27 19:06:15 +00:00
|
|
|
ptr = calipso_optptr(skb);
|
|
|
|
if (ptr && calipso_getattr(ptr, secattr) == 0)
|
|
|
|
return 0;
|
2009-03-27 21:10:34 +00:00
|
|
|
break;
|
|
|
|
#endif /* IPv6 */
|
|
|
|
}
|
2006-08-03 23:48:37 +00:00
|
|
|
|
2008-01-29 13:44:21 +00:00
|
|
|
return netlbl_unlabel_getattr(skb, family, secattr);
|
2006-08-03 23:48:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_skbuff_err - Handle a LSM error on a sk_buff
|
|
|
|
* @skb: the packet
|
2016-06-27 19:06:16 +00:00
|
|
|
* @family: the family
|
2006-08-03 23:48:37 +00:00
|
|
|
* @error: the error code
|
2008-10-10 14:16:31 +00:00
|
|
|
* @gateway: true if host is acting as a gateway, false otherwise
|
2006-08-03 23:48:37 +00:00
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Deal with a LSM problem when handling the packet in @skb, typically this is
|
|
|
|
* a permission denied problem (-EACCES). The correct action is determined
|
|
|
|
* according to the packet's labeling protocol.
|
|
|
|
*
|
|
|
|
*/
|
2016-06-27 19:06:16 +00:00
|
|
|
void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway)
|
2006-08-03 23:48:37 +00:00
|
|
|
{
|
2016-06-27 19:06:16 +00:00
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
if (cipso_v4_optptr(skb))
|
|
|
|
cipso_v4_error(skb, error, gateway);
|
|
|
|
break;
|
|
|
|
}
|
2006-08-03 23:48:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_cache_invalidate - Invalidate all of the NetLabel protocol caches
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* For all of the NetLabel protocols that support some form of label mapping
|
|
|
|
* cache, invalidate the cache. Returns zero on success, negative values on
|
|
|
|
* error.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void netlbl_cache_invalidate(void)
|
|
|
|
{
|
|
|
|
cipso_v4_cache_invalidate();
|
2016-06-27 19:06:17 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
calipso_cache_invalidate();
|
|
|
|
#endif /* IPv6 */
|
2006-08-03 23:48:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_cache_add - Add an entry to a NetLabel protocol cache
|
|
|
|
* @skb: the packet
|
2016-06-27 19:06:17 +00:00
|
|
|
* @family: the family
|
2006-08-03 23:48:37 +00:00
|
|
|
* @secattr: the packet's security attributes
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Add the LSM security attributes for the given packet to the underlying
|
|
|
|
* NetLabel protocol's label mapping cache. Returns zero on success, negative
|
|
|
|
* values on error.
|
|
|
|
*
|
|
|
|
*/
|
2016-06-27 19:06:17 +00:00
|
|
|
int netlbl_cache_add(const struct sk_buff *skb, u16 family,
|
2006-08-03 23:48:37 +00:00
|
|
|
const struct netlbl_lsm_secattr *secattr)
|
|
|
|
{
|
2015-02-11 19:46:37 +00:00
|
|
|
unsigned char *ptr;
|
|
|
|
|
2006-11-17 22:38:46 +00:00
|
|
|
if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0)
|
2006-08-03 23:48:37 +00:00
|
|
|
return -ENOMSG;
|
|
|
|
|
2016-06-27 19:06:17 +00:00
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
ptr = cipso_v4_optptr(skb);
|
|
|
|
if (ptr)
|
|
|
|
return cipso_v4_cache_add(ptr, secattr);
|
|
|
|
break;
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
case AF_INET6:
|
|
|
|
ptr = calipso_optptr(skb);
|
|
|
|
if (ptr)
|
|
|
|
return calipso_cache_add(ptr, secattr);
|
|
|
|
break;
|
|
|
|
#endif /* IPv6 */
|
|
|
|
}
|
2006-08-03 23:48:37 +00:00
|
|
|
return -ENOMSG;
|
|
|
|
}
|
|
|
|
|
2008-12-31 17:54:11 +00:00
|
|
|
/*
|
|
|
|
* Protocol Engine Functions
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_audit_start - Start an audit message
|
|
|
|
* @type: audit message type
|
|
|
|
* @audit_info: NetLabel audit information
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Start an audit message using the type specified in @type and fill the audit
|
|
|
|
* message with some fields common to all NetLabel audit messages. This
|
|
|
|
* function should only be used by protocol engines, not LSMs. Returns a
|
|
|
|
* pointer to the audit buffer on success, NULL on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
struct audit_buffer *netlbl_audit_start(int type,
|
|
|
|
struct netlbl_audit *audit_info)
|
|
|
|
{
|
|
|
|
return netlbl_audit_start_common(type, audit_info);
|
|
|
|
}
|
2016-06-27 19:02:46 +00:00
|
|
|
EXPORT_SYMBOL(netlbl_audit_start);
|
2008-12-31 17:54:11 +00:00
|
|
|
|
2006-08-03 23:48:37 +00:00
|
|
|
/*
|
|
|
|
* Setup Functions
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* netlbl_init - Initialize NetLabel
|
|
|
|
*
|
|
|
|
* Description:
|
|
|
|
* Perform the required NetLabel initialization before first use.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
static int __init netlbl_init(void)
|
|
|
|
{
|
|
|
|
int ret_val;
|
|
|
|
|
|
|
|
printk(KERN_INFO "NetLabel: Initializing\n");
|
|
|
|
printk(KERN_INFO "NetLabel: domain hash size = %u\n",
|
|
|
|
(1 << NETLBL_DOMHSH_BITSIZE));
|
2017-01-06 19:26:54 +00:00
|
|
|
printk(KERN_INFO "NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO\n");
|
2006-08-03 23:48:37 +00:00
|
|
|
|
|
|
|
ret_val = netlbl_domhsh_init(NETLBL_DOMHSH_BITSIZE);
|
|
|
|
if (ret_val != 0)
|
|
|
|
goto init_failure;
|
|
|
|
|
2008-01-29 13:44:21 +00:00
|
|
|
ret_val = netlbl_unlabel_init(NETLBL_UNLHSH_BITSIZE);
|
|
|
|
if (ret_val != 0)
|
|
|
|
goto init_failure;
|
|
|
|
|
2006-08-03 23:48:37 +00:00
|
|
|
ret_val = netlbl_netlink_init();
|
|
|
|
if (ret_val != 0)
|
|
|
|
goto init_failure;
|
|
|
|
|
|
|
|
ret_val = netlbl_unlabel_defconf();
|
|
|
|
if (ret_val != 0)
|
|
|
|
goto init_failure;
|
|
|
|
printk(KERN_INFO "NetLabel: unlabeled traffic allowed by default\n");
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
init_failure:
|
|
|
|
panic("NetLabel: failed to initialize properly (%d)\n", ret_val);
|
|
|
|
}
|
|
|
|
|
|
|
|
subsys_initcall(netlbl_init);
|