2 * NetLabel Unlabeled Support
4 * This file defines functions for dealing with unlabeled packets for the
5 * NetLabel system. The NetLabel system manages static and dynamic label
6 * mappings for network protocols such as CIPSO and RIPSO.
8 * Author: Paul Moore <paul.moore@hp.com>
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - 2008
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
23 * the GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
31 #include <linux/types.h>
32 #include <linux/rcupdate.h>
33 #include <linux/list.h>
34 #include <linux/spinlock.h>
35 #include <linux/socket.h>
36 #include <linux/string.h>
37 #include <linux/skbuff.h>
38 #include <linux/audit.h>
40 #include <linux/in6.h>
42 #include <linux/ipv6.h>
43 #include <linux/notifier.h>
44 #include <linux/netdevice.h>
45 #include <linux/security.h>
46 #include <linux/slab.h>
48 #include <net/netlink.h>
49 #include <net/genetlink.h>
52 #include <net/net_namespace.h>
53 #include <net/netlabel.h>
55 #include <asm/atomic.h>
57 #include "netlabel_user.h"
58 #include "netlabel_addrlist.h"
59 #include "netlabel_domainhash.h"
60 #include "netlabel_unlabeled.h"
61 #include "netlabel_mgmt.h"
63 /* NOTE: at present we always use init's network namespace since we don't
64 * presently support different namespaces even though the majority of
65 * the functions in this file are "namespace safe" */
67 /* The unlabeled connection hash table which we use to map network interfaces
68 * and addresses of unlabeled packets to a user specified secid value for the
69 * LSM. The hash table is used to lookup the network interface entry
70 * (struct netlbl_unlhsh_iface) and then the interface entry is used to
71 * lookup an IP address match from an ordered list. If a network interface
72 * match can not be found in the hash table then the default entry
73 * (netlbl_unlhsh_def) is used. The IP address entry list
74 * (struct netlbl_unlhsh_addr) is ordered such that the entries with a
75 * larger netmask come first.
77 struct netlbl_unlhsh_tbl {
78 struct list_head *tbl;
81 #define netlbl_unlhsh_addr4_entry(iter) \
82 container_of(iter, struct netlbl_unlhsh_addr4, list)
83 struct netlbl_unlhsh_addr4 {
86 struct netlbl_af4list list;
89 #define netlbl_unlhsh_addr6_entry(iter) \
90 container_of(iter, struct netlbl_unlhsh_addr6, list)
91 struct netlbl_unlhsh_addr6 {
94 struct netlbl_af6list list;
97 struct netlbl_unlhsh_iface {
99 struct list_head addr4_list;
100 struct list_head addr6_list;
103 struct list_head list;
107 /* Argument struct for netlbl_unlhsh_walk() */
108 struct netlbl_unlhsh_walk_arg {
109 struct netlink_callback *nl_cb;
114 /* Unlabeled connection hash table */
115 /* updates should be so rare that having one spinlock for the entire
116 * hash table should be okay */
117 static DEFINE_SPINLOCK(netlbl_unlhsh_lock);
118 #define netlbl_unlhsh_rcu_deref(p) \
119 rcu_dereference_check(p, rcu_read_lock_held() || \
120 lockdep_is_held(&netlbl_unlhsh_lock))
121 static struct netlbl_unlhsh_tbl *netlbl_unlhsh = NULL;
122 static struct netlbl_unlhsh_iface *netlbl_unlhsh_def = NULL;
124 /* Accept unlabeled packets flag */
125 static u8 netlabel_unlabel_acceptflg = 0;
127 /* NetLabel Generic NETLINK unlabeled family */
128 static struct genl_family netlbl_unlabel_gnl_family = {
129 .id = GENL_ID_GENERATE,
131 .name = NETLBL_NLTYPE_UNLABELED_NAME,
132 .version = NETLBL_PROTO_VERSION,
133 .maxattr = NLBL_UNLABEL_A_MAX,
136 /* NetLabel Netlink attribute policy */
137 static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
138 [NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
139 [NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY,
140 .len = sizeof(struct in6_addr) },
141 [NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY,
142 .len = sizeof(struct in6_addr) },
143 [NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY,
144 .len = sizeof(struct in_addr) },
145 [NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY,
146 .len = sizeof(struct in_addr) },
147 [NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING,
148 .len = IFNAMSIZ - 1 },
149 [NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY }
153 * Unlabeled Connection Hash Table Functions
157 * netlbl_unlhsh_free_iface - Frees an interface entry from the hash table
158 * @entry: the entry's RCU field
161 * This function is designed to be used as a callback to the call_rcu()
162 * function so that memory allocated to a hash table interface entry can be
163 * released safely. It is important to note that this function does not free
164 * the IPv4 and IPv6 address lists contained as part of an interface entry. It
165 * is up to the rest of the code to make sure an interface entry is only freed
166 * once it's address lists are empty.
169 static void netlbl_unlhsh_free_iface(struct rcu_head *entry)
171 struct netlbl_unlhsh_iface *iface;
172 struct netlbl_af4list *iter4;
173 struct netlbl_af4list *tmp4;
174 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
175 struct netlbl_af6list *iter6;
176 struct netlbl_af6list *tmp6;
179 iface = container_of(entry, struct netlbl_unlhsh_iface, rcu);
181 /* no need for locks here since we are the only one with access to this
184 netlbl_af4list_foreach_safe(iter4, tmp4, &iface->addr4_list) {
185 netlbl_af4list_remove_entry(iter4);
186 kfree(netlbl_unlhsh_addr4_entry(iter4));
188 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
189 netlbl_af6list_foreach_safe(iter6, tmp6, &iface->addr6_list) {
190 netlbl_af6list_remove_entry(iter6);
191 kfree(netlbl_unlhsh_addr6_entry(iter6));
198 * netlbl_unlhsh_hash - Hashing function for the hash table
199 * @ifindex: the network interface/device to hash
202 * This is the hashing function for the unlabeled hash table, it returns the
203 * bucket number for the given device/interface. The caller is responsible for
204 * ensuring that the hash table is protected with either a RCU read lock or
205 * the hash table lock.
208 static u32 netlbl_unlhsh_hash(int ifindex)
210 return ifindex & (netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->size - 1);
214 * netlbl_unlhsh_search_iface - Search for a matching interface entry
215 * @ifindex: the network interface
218 * Searches the unlabeled connection hash table and returns a pointer to the
219 * interface entry which matches @ifindex, otherwise NULL is returned. The
220 * caller is responsible for ensuring that the hash table is protected with
221 * either a RCU read lock or the hash table lock.
224 static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex)
227 struct list_head *bkt_list;
228 struct netlbl_unlhsh_iface *iter;
230 bkt = netlbl_unlhsh_hash(ifindex);
231 bkt_list = &netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->tbl[bkt];
232 list_for_each_entry_rcu(iter, bkt_list, list)
233 if (iter->valid && iter->ifindex == ifindex)
240 * netlbl_unlhsh_add_addr4 - Add a new IPv4 address entry to the hash table
241 * @iface: the associated interface entry
242 * @addr: IPv4 address in network byte order
243 * @mask: IPv4 address mask in network byte order
244 * @secid: LSM secid value for entry
247 * Add a new address entry into the unlabeled connection hash table using the
248 * interface entry specified by @iface. On success zero is returned, otherwise
249 * a negative value is returned.
252 static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
253 const struct in_addr *addr,
254 const struct in_addr *mask,
258 struct netlbl_unlhsh_addr4 *entry;
260 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
264 entry->list.addr = addr->s_addr & mask->s_addr;
265 entry->list.mask = mask->s_addr;
266 entry->list.valid = 1;
267 entry->secid = secid;
269 spin_lock(&netlbl_unlhsh_lock);
270 ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list);
271 spin_unlock(&netlbl_unlhsh_lock);
278 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
280 * netlbl_unlhsh_add_addr6 - Add a new IPv6 address entry to the hash table
281 * @iface: the associated interface entry
282 * @addr: IPv6 address in network byte order
283 * @mask: IPv6 address mask in network byte order
284 * @secid: LSM secid value for entry
287 * Add a new address entry into the unlabeled connection hash table using the
288 * interface entry specified by @iface. On success zero is returned, otherwise
289 * a negative value is returned.
292 static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
293 const struct in6_addr *addr,
294 const struct in6_addr *mask,
298 struct netlbl_unlhsh_addr6 *entry;
300 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
304 ipv6_addr_copy(&entry->list.addr, addr);
305 entry->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
306 entry->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
307 entry->list.addr.s6_addr32[2] &= mask->s6_addr32[2];
308 entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
309 ipv6_addr_copy(&entry->list.mask, mask);
310 entry->list.valid = 1;
311 entry->secid = secid;
313 spin_lock(&netlbl_unlhsh_lock);
314 ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list);
315 spin_unlock(&netlbl_unlhsh_lock);
324 * netlbl_unlhsh_add_iface - Adds a new interface entry to the hash table
325 * @ifindex: network interface
328 * Add a new, empty, interface entry into the unlabeled connection hash table.
329 * On success a pointer to the new interface entry is returned, on failure NULL
333 static struct netlbl_unlhsh_iface *netlbl_unlhsh_add_iface(int ifindex)
336 struct netlbl_unlhsh_iface *iface;
338 iface = kzalloc(sizeof(*iface), GFP_ATOMIC);
342 iface->ifindex = ifindex;
343 INIT_LIST_HEAD(&iface->addr4_list);
344 INIT_LIST_HEAD(&iface->addr6_list);
347 spin_lock(&netlbl_unlhsh_lock);
349 bkt = netlbl_unlhsh_hash(ifindex);
350 if (netlbl_unlhsh_search_iface(ifindex) != NULL)
351 goto add_iface_failure;
352 list_add_tail_rcu(&iface->list,
353 &netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->tbl[bkt]);
355 INIT_LIST_HEAD(&iface->list);
356 if (netlbl_unlhsh_rcu_deref(netlbl_unlhsh_def) != NULL)
357 goto add_iface_failure;
358 rcu_assign_pointer(netlbl_unlhsh_def, iface);
360 spin_unlock(&netlbl_unlhsh_lock);
365 spin_unlock(&netlbl_unlhsh_lock);
371 * netlbl_unlhsh_add - Adds a new entry to the unlabeled connection hash table
372 * @net: network namespace
373 * @dev_name: interface name
374 * @addr: IP address in network byte order
375 * @mask: address mask in network byte order
376 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
377 * @secid: LSM secid value for the entry
378 * @audit_info: NetLabel audit information
381 * Adds a new entry to the unlabeled connection hash table. Returns zero on
382 * success, negative values on failure.
385 int netlbl_unlhsh_add(struct net *net,
386 const char *dev_name,
391 struct netlbl_audit *audit_info)
395 struct net_device *dev;
396 struct netlbl_unlhsh_iface *iface;
397 struct audit_buffer *audit_buf = NULL;
401 if (addr_len != sizeof(struct in_addr) &&
402 addr_len != sizeof(struct in6_addr))
406 if (dev_name != NULL) {
407 dev = dev_get_by_name_rcu(net, dev_name);
410 goto unlhsh_add_return;
412 ifindex = dev->ifindex;
413 iface = netlbl_unlhsh_search_iface(ifindex);
416 iface = rcu_dereference(netlbl_unlhsh_def);
419 iface = netlbl_unlhsh_add_iface(ifindex);
422 goto unlhsh_add_return;
425 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
428 case sizeof(struct in_addr): {
429 struct in_addr *addr4, *mask4;
431 addr4 = (struct in_addr *)addr;
432 mask4 = (struct in_addr *)mask;
433 ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
434 if (audit_buf != NULL)
435 netlbl_af4list_audit_addr(audit_buf, 1,
441 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
442 case sizeof(struct in6_addr): {
443 struct in6_addr *addr6, *mask6;
445 addr6 = (struct in6_addr *)addr;
446 mask6 = (struct in6_addr *)mask;
447 ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
448 if (audit_buf != NULL)
449 netlbl_af6list_audit_addr(audit_buf, 1,
459 atomic_inc(&netlabel_mgmt_protocount);
463 if (audit_buf != NULL) {
464 if (security_secid_to_secctx(secid,
467 audit_log_format(audit_buf, " sec_obj=%s", secctx);
468 security_release_secctx(secctx, secctx_len);
470 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
471 audit_log_end(audit_buf);
477 * netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry
478 * @net: network namespace
479 * @iface: interface entry
481 * @mask: IP address mask
482 * @audit_info: NetLabel audit information
485 * Remove an IP address entry from the unlabeled connection hash table.
486 * Returns zero on success, negative values on failure.
489 static int netlbl_unlhsh_remove_addr4(struct net *net,
490 struct netlbl_unlhsh_iface *iface,
491 const struct in_addr *addr,
492 const struct in_addr *mask,
493 struct netlbl_audit *audit_info)
495 struct netlbl_af4list *list_entry;
496 struct netlbl_unlhsh_addr4 *entry;
497 struct audit_buffer *audit_buf;
498 struct net_device *dev;
502 spin_lock(&netlbl_unlhsh_lock);
503 list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
505 spin_unlock(&netlbl_unlhsh_lock);
506 if (list_entry != NULL)
507 entry = netlbl_unlhsh_addr4_entry(list_entry);
511 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
513 if (audit_buf != NULL) {
514 dev = dev_get_by_index(net, iface->ifindex);
515 netlbl_af4list_audit_addr(audit_buf, 1,
516 (dev != NULL ? dev->name : NULL),
517 addr->s_addr, mask->s_addr);
521 security_secid_to_secctx(entry->secid,
522 &secctx, &secctx_len) == 0) {
523 audit_log_format(audit_buf, " sec_obj=%s", secctx);
524 security_release_secctx(secctx, secctx_len);
526 audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
527 audit_log_end(audit_buf);
533 kfree_rcu(entry, rcu);
537 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
539 * netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry
540 * @net: network namespace
541 * @iface: interface entry
543 * @mask: IP address mask
544 * @audit_info: NetLabel audit information
547 * Remove an IP address entry from the unlabeled connection hash table.
548 * Returns zero on success, negative values on failure.
551 static int netlbl_unlhsh_remove_addr6(struct net *net,
552 struct netlbl_unlhsh_iface *iface,
553 const struct in6_addr *addr,
554 const struct in6_addr *mask,
555 struct netlbl_audit *audit_info)
557 struct netlbl_af6list *list_entry;
558 struct netlbl_unlhsh_addr6 *entry;
559 struct audit_buffer *audit_buf;
560 struct net_device *dev;
564 spin_lock(&netlbl_unlhsh_lock);
565 list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list);
566 spin_unlock(&netlbl_unlhsh_lock);
567 if (list_entry != NULL)
568 entry = netlbl_unlhsh_addr6_entry(list_entry);
572 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
574 if (audit_buf != NULL) {
575 dev = dev_get_by_index(net, iface->ifindex);
576 netlbl_af6list_audit_addr(audit_buf, 1,
577 (dev != NULL ? dev->name : NULL),
582 security_secid_to_secctx(entry->secid,
583 &secctx, &secctx_len) == 0) {
584 audit_log_format(audit_buf, " sec_obj=%s", secctx);
585 security_release_secctx(secctx, secctx_len);
587 audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
588 audit_log_end(audit_buf);
594 kfree_rcu(entry, rcu);
600 * netlbl_unlhsh_condremove_iface - Remove an interface entry
601 * @iface: the interface entry
604 * Remove an interface entry from the unlabeled connection hash table if it is
605 * empty. An interface entry is considered to be empty if there are no
606 * address entries assigned to it.
609 static void netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface *iface)
611 struct netlbl_af4list *iter4;
612 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
613 struct netlbl_af6list *iter6;
616 spin_lock(&netlbl_unlhsh_lock);
617 netlbl_af4list_foreach_rcu(iter4, &iface->addr4_list)
618 goto unlhsh_condremove_failure;
619 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
620 netlbl_af6list_foreach_rcu(iter6, &iface->addr6_list)
621 goto unlhsh_condremove_failure;
624 if (iface->ifindex > 0)
625 list_del_rcu(&iface->list);
627 rcu_assign_pointer(netlbl_unlhsh_def, NULL);
628 spin_unlock(&netlbl_unlhsh_lock);
630 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
633 unlhsh_condremove_failure:
634 spin_unlock(&netlbl_unlhsh_lock);
638 * netlbl_unlhsh_remove - Remove an entry from the unlabeled hash table
639 * @net: network namespace
640 * @dev_name: interface name
641 * @addr: IP address in network byte order
642 * @mask: address mask in network byte order
643 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
644 * @audit_info: NetLabel audit information
647 * Removes and existing entry from the unlabeled connection hash table.
648 * Returns zero on success, negative values on failure.
651 int netlbl_unlhsh_remove(struct net *net,
652 const char *dev_name,
656 struct netlbl_audit *audit_info)
659 struct net_device *dev;
660 struct netlbl_unlhsh_iface *iface;
662 if (addr_len != sizeof(struct in_addr) &&
663 addr_len != sizeof(struct in6_addr))
667 if (dev_name != NULL) {
668 dev = dev_get_by_name_rcu(net, dev_name);
671 goto unlhsh_remove_return;
673 iface = netlbl_unlhsh_search_iface(dev->ifindex);
675 iface = rcu_dereference(netlbl_unlhsh_def);
678 goto unlhsh_remove_return;
681 case sizeof(struct in_addr):
682 ret_val = netlbl_unlhsh_remove_addr4(net,
686 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
687 case sizeof(struct in6_addr):
688 ret_val = netlbl_unlhsh_remove_addr6(net,
697 netlbl_unlhsh_condremove_iface(iface);
698 atomic_dec(&netlabel_mgmt_protocount);
701 unlhsh_remove_return:
707 * General Helper Functions
711 * netlbl_unlhsh_netdev_handler - Network device notification handler
712 * @this: notifier block
714 * @ptr: the network device (cast to void)
717 * Handle network device events, although at present all we care about is a
718 * network device going away. In the case of a device going away we clear any
719 * related entries from the unlabeled connection hash table.
722 static int netlbl_unlhsh_netdev_handler(struct notifier_block *this,
726 struct net_device *dev = ptr;
727 struct netlbl_unlhsh_iface *iface = NULL;
729 if (!net_eq(dev_net(dev), &init_net))
732 /* XXX - should this be a check for NETDEV_DOWN or _UNREGISTER? */
733 if (event == NETDEV_DOWN) {
734 spin_lock(&netlbl_unlhsh_lock);
735 iface = netlbl_unlhsh_search_iface(dev->ifindex);
736 if (iface != NULL && iface->valid) {
738 list_del_rcu(&iface->list);
741 spin_unlock(&netlbl_unlhsh_lock);
745 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
751 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
752 * @value: desired value
753 * @audit_info: NetLabel audit information
756 * Set the value of the unlabeled accept flag to @value.
759 static void netlbl_unlabel_acceptflg_set(u8 value,
760 struct netlbl_audit *audit_info)
762 struct audit_buffer *audit_buf;
765 old_val = netlabel_unlabel_acceptflg;
766 netlabel_unlabel_acceptflg = value;
767 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
769 if (audit_buf != NULL) {
770 audit_log_format(audit_buf,
771 " unlbl_accept=%u old=%u", value, old_val);
772 audit_log_end(audit_buf);
777 * netlbl_unlabel_addrinfo_get - Get the IPv4/6 address information
778 * @info: the Generic NETLINK info block
779 * @addr: the IP address
780 * @mask: the IP address mask
781 * @len: the address length
784 * Examine the Generic NETLINK message and extract the IP address information.
785 * Returns zero on success, negative values on failure.
788 static int netlbl_unlabel_addrinfo_get(struct genl_info *info,
795 if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR]) {
796 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
797 if (addr_len != sizeof(struct in_addr) &&
798 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK]))
801 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
802 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4MASK]);
804 } else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR]) {
805 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
806 if (addr_len != sizeof(struct in6_addr) &&
807 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV6MASK]))
810 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
811 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6MASK]);
819 * NetLabel Command Handlers
823 * netlbl_unlabel_accept - Handle an ACCEPT message
824 * @skb: the NETLINK buffer
825 * @info: the Generic NETLINK info block
828 * Process a user generated ACCEPT message and set the accept flag accordingly.
829 * Returns zero on success, negative values on failure.
832 static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
835 struct netlbl_audit audit_info;
837 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
838 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
839 if (value == 1 || value == 0) {
840 netlbl_netlink_auditinfo(skb, &audit_info);
841 netlbl_unlabel_acceptflg_set(value, &audit_info);
850 * netlbl_unlabel_list - Handle a LIST message
851 * @skb: the NETLINK buffer
852 * @info: the Generic NETLINK info block
855 * Process a user generated LIST message and respond with the current status.
856 * Returns zero on success, negative values on failure.
859 static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
861 int ret_val = -EINVAL;
862 struct sk_buff *ans_skb;
865 ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
868 data = genlmsg_put_reply(ans_skb, info, &netlbl_unlabel_gnl_family,
869 0, NLBL_UNLABEL_C_LIST);
875 ret_val = nla_put_u8(ans_skb,
876 NLBL_UNLABEL_A_ACPTFLG,
877 netlabel_unlabel_acceptflg);
881 genlmsg_end(ans_skb, data);
882 return genlmsg_reply(ans_skb, info);
890 * netlbl_unlabel_staticadd - Handle a STATICADD message
891 * @skb: the NETLINK buffer
892 * @info: the Generic NETLINK info block
895 * Process a user generated STATICADD message and add a new unlabeled
896 * connection entry to the hash table. Returns zero on success, negative
900 static int netlbl_unlabel_staticadd(struct sk_buff *skb,
901 struct genl_info *info)
909 struct netlbl_audit audit_info;
911 /* Don't allow users to add both IPv4 and IPv6 addresses for a
912 * single entry. However, allow users to create two entries, one each
913 * for IPv4 and IPv4, with the same LSM security context which should
914 * achieve the same result. */
915 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
916 !info->attrs[NLBL_UNLABEL_A_IFACE] ||
917 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
918 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
919 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
920 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
923 netlbl_netlink_auditinfo(skb, &audit_info);
925 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
928 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
929 ret_val = security_secctx_to_secid(
930 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
931 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
936 return netlbl_unlhsh_add(&init_net,
937 dev_name, addr, mask, addr_len, secid,
942 * netlbl_unlabel_staticadddef - Handle a STATICADDDEF message
943 * @skb: the NETLINK buffer
944 * @info: the Generic NETLINK info block
947 * Process a user generated STATICADDDEF message and add a new default
948 * unlabeled connection entry. Returns zero on success, negative values on
952 static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
953 struct genl_info *info)
960 struct netlbl_audit audit_info;
962 /* Don't allow users to add both IPv4 and IPv6 addresses for a
963 * single entry. However, allow users to create two entries, one each
964 * for IPv4 and IPv6, with the same LSM security context which should
965 * achieve the same result. */
966 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
967 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
968 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
969 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
970 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
973 netlbl_netlink_auditinfo(skb, &audit_info);
975 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
978 ret_val = security_secctx_to_secid(
979 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
980 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
985 return netlbl_unlhsh_add(&init_net,
986 NULL, addr, mask, addr_len, secid,
991 * netlbl_unlabel_staticremove - Handle a STATICREMOVE message
992 * @skb: the NETLINK buffer
993 * @info: the Generic NETLINK info block
996 * Process a user generated STATICREMOVE message and remove the specified
997 * unlabeled connection entry. Returns zero on success, negative values on
1001 static int netlbl_unlabel_staticremove(struct sk_buff *skb,
1002 struct genl_info *info)
1009 struct netlbl_audit audit_info;
1011 /* See the note in netlbl_unlabel_staticadd() about not allowing both
1012 * IPv4 and IPv6 in the same entry. */
1013 if (!info->attrs[NLBL_UNLABEL_A_IFACE] ||
1014 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1015 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1016 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1017 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1020 netlbl_netlink_auditinfo(skb, &audit_info);
1022 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1025 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
1027 return netlbl_unlhsh_remove(&init_net,
1028 dev_name, addr, mask, addr_len,
1033 * netlbl_unlabel_staticremovedef - Handle a STATICREMOVEDEF message
1034 * @skb: the NETLINK buffer
1035 * @info: the Generic NETLINK info block
1038 * Process a user generated STATICREMOVEDEF message and remove the default
1039 * unlabeled connection entry. Returns zero on success, negative values on
1043 static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
1044 struct genl_info *info)
1050 struct netlbl_audit audit_info;
1052 /* See the note in netlbl_unlabel_staticadd() about not allowing both
1053 * IPv4 and IPv6 in the same entry. */
1054 if (!((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1055 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1056 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1057 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1060 netlbl_netlink_auditinfo(skb, &audit_info);
1062 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1066 return netlbl_unlhsh_remove(&init_net,
1067 NULL, addr, mask, addr_len,
1073 * netlbl_unlabel_staticlist_gen - Generate messages for STATICLIST[DEF]
1074 * @cmd: command/message
1075 * @iface: the interface entry
1076 * @addr4: the IPv4 address entry
1077 * @addr6: the IPv6 address entry
1078 * @arg: the netlbl_unlhsh_walk_arg structure
1081 * This function is designed to be used to generate a response for a
1082 * STATICLIST or STATICLISTDEF message. When called either @addr4 or @addr6
1083 * can be specified, not both, the other unspecified entry should be set to
1084 * NULL by the caller. Returns the size of the message on success, negative
1085 * values on failure.
1088 static int netlbl_unlabel_staticlist_gen(u32 cmd,
1089 const struct netlbl_unlhsh_iface *iface,
1090 const struct netlbl_unlhsh_addr4 *addr4,
1091 const struct netlbl_unlhsh_addr6 *addr6,
1094 int ret_val = -ENOMEM;
1095 struct netlbl_unlhsh_walk_arg *cb_arg = arg;
1096 struct net_device *dev;
1102 data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).pid,
1103 cb_arg->seq, &netlbl_unlabel_gnl_family,
1106 goto list_cb_failure;
1108 if (iface->ifindex > 0) {
1109 dev = dev_get_by_index(&init_net, iface->ifindex);
1112 goto list_cb_failure;
1114 ret_val = nla_put_string(cb_arg->skb,
1115 NLBL_UNLABEL_A_IFACE, dev->name);
1118 goto list_cb_failure;
1122 struct in_addr addr_struct;
1124 addr_struct.s_addr = addr4->list.addr;
1125 ret_val = nla_put(cb_arg->skb,
1126 NLBL_UNLABEL_A_IPV4ADDR,
1127 sizeof(struct in_addr),
1130 goto list_cb_failure;
1132 addr_struct.s_addr = addr4->list.mask;
1133 ret_val = nla_put(cb_arg->skb,
1134 NLBL_UNLABEL_A_IPV4MASK,
1135 sizeof(struct in_addr),
1138 goto list_cb_failure;
1140 secid = addr4->secid;
1142 ret_val = nla_put(cb_arg->skb,
1143 NLBL_UNLABEL_A_IPV6ADDR,
1144 sizeof(struct in6_addr),
1147 goto list_cb_failure;
1149 ret_val = nla_put(cb_arg->skb,
1150 NLBL_UNLABEL_A_IPV6MASK,
1151 sizeof(struct in6_addr),
1154 goto list_cb_failure;
1156 secid = addr6->secid;
1159 ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
1161 goto list_cb_failure;
1162 ret_val = nla_put(cb_arg->skb,
1163 NLBL_UNLABEL_A_SECCTX,
1166 security_release_secctx(secctx, secctx_len);
1168 goto list_cb_failure;
1171 return genlmsg_end(cb_arg->skb, data);
1174 genlmsg_cancel(cb_arg->skb, data);
1179 * netlbl_unlabel_staticlist - Handle a STATICLIST message
1180 * @skb: the NETLINK buffer
1181 * @cb: the NETLINK callback
1184 * Process a user generated STATICLIST message and dump the unlabeled
1185 * connection hash table in a form suitable for use in a kernel generated
1186 * STATICLIST message. Returns the length of @skb.
1189 static int netlbl_unlabel_staticlist(struct sk_buff *skb,
1190 struct netlink_callback *cb)
1192 struct netlbl_unlhsh_walk_arg cb_arg;
1193 u32 skip_bkt = cb->args[0];
1194 u32 skip_chain = cb->args[1];
1195 u32 skip_addr4 = cb->args[2];
1196 u32 skip_addr6 = cb->args[3];
1198 u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
1199 struct netlbl_unlhsh_iface *iface;
1200 struct list_head *iter_list;
1201 struct netlbl_af4list *addr4;
1202 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1203 struct netlbl_af6list *addr6;
1208 cb_arg.seq = cb->nlh->nlmsg_seq;
1211 for (iter_bkt = skip_bkt;
1212 iter_bkt < rcu_dereference(netlbl_unlhsh)->size;
1213 iter_bkt++, iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0) {
1214 iter_list = &rcu_dereference(netlbl_unlhsh)->tbl[iter_bkt];
1215 list_for_each_entry_rcu(iface, iter_list, list) {
1216 if (!iface->valid ||
1217 iter_chain++ < skip_chain)
1219 netlbl_af4list_foreach_rcu(addr4,
1220 &iface->addr4_list) {
1221 if (iter_addr4++ < skip_addr4)
1223 if (netlbl_unlabel_staticlist_gen(
1224 NLBL_UNLABEL_C_STATICLIST,
1226 netlbl_unlhsh_addr4_entry(addr4),
1231 goto unlabel_staticlist_return;
1234 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1235 netlbl_af6list_foreach_rcu(addr6,
1236 &iface->addr6_list) {
1237 if (iter_addr6++ < skip_addr6)
1239 if (netlbl_unlabel_staticlist_gen(
1240 NLBL_UNLABEL_C_STATICLIST,
1243 netlbl_unlhsh_addr6_entry(addr6),
1247 goto unlabel_staticlist_return;
1254 unlabel_staticlist_return:
1256 cb->args[0] = skip_bkt;
1257 cb->args[1] = skip_chain;
1258 cb->args[2] = skip_addr4;
1259 cb->args[3] = skip_addr6;
1264 * netlbl_unlabel_staticlistdef - Handle a STATICLISTDEF message
1265 * @skb: the NETLINK buffer
1266 * @cb: the NETLINK callback
1269 * Process a user generated STATICLISTDEF message and dump the default
1270 * unlabeled connection entry in a form suitable for use in a kernel generated
1271 * STATICLISTDEF message. Returns the length of @skb.
1274 static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
1275 struct netlink_callback *cb)
1277 struct netlbl_unlhsh_walk_arg cb_arg;
1278 struct netlbl_unlhsh_iface *iface;
1279 u32 skip_addr4 = cb->args[0];
1280 u32 skip_addr6 = cb->args[1];
1282 struct netlbl_af4list *addr4;
1283 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1285 struct netlbl_af6list *addr6;
1290 cb_arg.seq = cb->nlh->nlmsg_seq;
1293 iface = rcu_dereference(netlbl_unlhsh_def);
1294 if (iface == NULL || !iface->valid)
1295 goto unlabel_staticlistdef_return;
1297 netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) {
1298 if (iter_addr4++ < skip_addr4)
1300 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
1302 netlbl_unlhsh_addr4_entry(addr4),
1306 goto unlabel_staticlistdef_return;
1309 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1310 netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) {
1311 if (iter_addr6++ < skip_addr6)
1313 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
1316 netlbl_unlhsh_addr6_entry(addr6),
1319 goto unlabel_staticlistdef_return;
1324 unlabel_staticlistdef_return:
1326 cb->args[0] = skip_addr4;
1327 cb->args[1] = skip_addr6;
1332 * NetLabel Generic NETLINK Command Definitions
1335 static struct genl_ops netlbl_unlabel_genl_ops[] = {
1337 .cmd = NLBL_UNLABEL_C_STATICADD,
1338 .flags = GENL_ADMIN_PERM,
1339 .policy = netlbl_unlabel_genl_policy,
1340 .doit = netlbl_unlabel_staticadd,
1344 .cmd = NLBL_UNLABEL_C_STATICREMOVE,
1345 .flags = GENL_ADMIN_PERM,
1346 .policy = netlbl_unlabel_genl_policy,
1347 .doit = netlbl_unlabel_staticremove,
1351 .cmd = NLBL_UNLABEL_C_STATICLIST,
1353 .policy = netlbl_unlabel_genl_policy,
1355 .dumpit = netlbl_unlabel_staticlist,
1358 .cmd = NLBL_UNLABEL_C_STATICADDDEF,
1359 .flags = GENL_ADMIN_PERM,
1360 .policy = netlbl_unlabel_genl_policy,
1361 .doit = netlbl_unlabel_staticadddef,
1365 .cmd = NLBL_UNLABEL_C_STATICREMOVEDEF,
1366 .flags = GENL_ADMIN_PERM,
1367 .policy = netlbl_unlabel_genl_policy,
1368 .doit = netlbl_unlabel_staticremovedef,
1372 .cmd = NLBL_UNLABEL_C_STATICLISTDEF,
1374 .policy = netlbl_unlabel_genl_policy,
1376 .dumpit = netlbl_unlabel_staticlistdef,
1379 .cmd = NLBL_UNLABEL_C_ACCEPT,
1380 .flags = GENL_ADMIN_PERM,
1381 .policy = netlbl_unlabel_genl_policy,
1382 .doit = netlbl_unlabel_accept,
1386 .cmd = NLBL_UNLABEL_C_LIST,
1388 .policy = netlbl_unlabel_genl_policy,
1389 .doit = netlbl_unlabel_list,
1395 * NetLabel Generic NETLINK Protocol Functions
1399 * netlbl_unlabel_genl_init - Register the Unlabeled NetLabel component
1402 * Register the unlabeled packet NetLabel component with the Generic NETLINK
1403 * mechanism. Returns zero on success, negative values on failure.
1406 int __init netlbl_unlabel_genl_init(void)
1408 return genl_register_family_with_ops(&netlbl_unlabel_gnl_family,
1409 netlbl_unlabel_genl_ops, ARRAY_SIZE(netlbl_unlabel_genl_ops));
1413 * NetLabel KAPI Hooks
1416 static struct notifier_block netlbl_unlhsh_netdev_notifier = {
1417 .notifier_call = netlbl_unlhsh_netdev_handler,
1421 * netlbl_unlabel_init - Initialize the unlabeled connection hash table
1422 * @size: the number of bits to use for the hash buckets
1425 * Initializes the unlabeled connection hash table and registers a network
1426 * device notification handler. This function should only be called by the
1427 * NetLabel subsystem itself during initialization. Returns zero on success,
1428 * non-zero values on error.
1431 int __init netlbl_unlabel_init(u32 size)
1434 struct netlbl_unlhsh_tbl *hsh_tbl;
1439 hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL);
1440 if (hsh_tbl == NULL)
1442 hsh_tbl->size = 1 << size;
1443 hsh_tbl->tbl = kcalloc(hsh_tbl->size,
1444 sizeof(struct list_head),
1446 if (hsh_tbl->tbl == NULL) {
1450 for (iter = 0; iter < hsh_tbl->size; iter++)
1451 INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);
1454 spin_lock(&netlbl_unlhsh_lock);
1455 rcu_assign_pointer(netlbl_unlhsh, hsh_tbl);
1456 spin_unlock(&netlbl_unlhsh_lock);
1459 register_netdevice_notifier(&netlbl_unlhsh_netdev_notifier);
1465 * netlbl_unlabel_getattr - Get the security attributes for an unlabled packet
1467 * @family: protocol family
1468 * @secattr: the security attributes
1471 * Determine the security attributes, if any, for an unlabled packet and return
1472 * them in @secattr. Returns zero on success and negative values on failure.
1475 int netlbl_unlabel_getattr(const struct sk_buff *skb,
1477 struct netlbl_lsm_secattr *secattr)
1479 struct netlbl_unlhsh_iface *iface;
1482 iface = netlbl_unlhsh_search_iface(skb->skb_iif);
1484 iface = rcu_dereference(netlbl_unlhsh_def);
1485 if (iface == NULL || !iface->valid)
1486 goto unlabel_getattr_nolabel;
1490 struct netlbl_af4list *addr4;
1493 addr4 = netlbl_af4list_search(hdr4->saddr,
1494 &iface->addr4_list);
1496 goto unlabel_getattr_nolabel;
1497 secattr->attr.secid = netlbl_unlhsh_addr4_entry(addr4)->secid;
1500 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1502 struct ipv6hdr *hdr6;
1503 struct netlbl_af6list *addr6;
1505 hdr6 = ipv6_hdr(skb);
1506 addr6 = netlbl_af6list_search(&hdr6->saddr,
1507 &iface->addr6_list);
1509 goto unlabel_getattr_nolabel;
1510 secattr->attr.secid = netlbl_unlhsh_addr6_entry(addr6)->secid;
1515 goto unlabel_getattr_nolabel;
1519 secattr->flags |= NETLBL_SECATTR_SECID;
1520 secattr->type = NETLBL_NLTYPE_UNLABELED;
1523 unlabel_getattr_nolabel:
1525 if (netlabel_unlabel_acceptflg == 0)
1527 secattr->type = NETLBL_NLTYPE_UNLABELED;
1532 * netlbl_unlabel_defconf - Set the default config to allow unlabeled packets
1535 * Set the default NetLabel configuration to allow incoming unlabeled packets
1536 * and to send unlabeled network traffic by default.
1539 int __init netlbl_unlabel_defconf(void)
1542 struct netlbl_dom_map *entry;
1543 struct netlbl_audit audit_info;
1545 /* Only the kernel is allowed to call this function and the only time
1546 * it is called is at bootup before the audit subsystem is reporting
1547 * messages so don't worry to much about these values. */
1548 security_task_getsecid(current, &audit_info.secid);
1549 audit_info.loginuid = 0;
1550 audit_info.sessionid = 0;
1552 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1555 entry->type = NETLBL_NLTYPE_UNLABELED;
1556 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
1560 netlbl_unlabel_acceptflg_set(1, &audit_info);
git.openpandora.org / pandora-kernel.git / blob