  1. /*
  2. * NetLabel Kernel API
  3. *
  4. * This file defines the kernel API for the NetLabel system. The NetLabel
  5. * system manages static and dynamic label mappings for network protocols such
  6. * as CIPSO and RIPSO.
  7. *
  8. * Author: Paul Moore <paul@paul-moore.com>
  9. *
  10. */
  11. /*
  12. * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
  13. *
  14. * This program is free software; you can redistribute it and/or modify
  15. * it under the terms of the GNU General Public License as published by
  16. * the Free Software Foundation; either version 2 of the License, or
  17. * (at your option) any later version.
  18. *
  19. * This program is distributed in the hope that it will be useful,
  20. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  21. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
  22. * the GNU General Public License for more details.
  23. *
  24. * You should have received a copy of the GNU General Public License
  25. * along with this program; if not, see <http://www.gnu.org/licenses/>.
  26. *
  27. */
  28. #include <linux/init.h>
  29. #include <linux/types.h>
  30. #include <linux/slab.h>
  31. #include <linux/audit.h>
  32. #include <linux/in.h>
  33. #include <linux/in6.h>
  34. #include <net/ip.h>
  35. #include <net/ipv6.h>
  36. #include <net/netlabel.h>
  37. #include <net/cipso_ipv4.h>
  38. #include <net/calipso.h>
  39. #include <asm/bug.h>
  40. #include <linux/atomic.h>
  41. #include "netlabel_domainhash.h"
  42. #include "netlabel_unlabeled.h"
  43. #include "netlabel_cipso_v4.h"
  44. #include "netlabel_calipso.h"
  45. #include "netlabel_user.h"
  46. #include "netlabel_mgmt.h"
  47. #include "netlabel_addrlist.h"
  48. /*
  49. * Configuration Functions
  50. */
/**
 * netlbl_cfg_map_del - Remove a NetLabel/LSM domain mapping
 * @domain: the domain mapping to remove, NULL for the default mapping
 * @family: address family (AF_INET or, when enabled, AF_INET6)
 * @addr: IP address, or NULL together with @mask to remove the whole mapping
 * @mask: IP address mask, or NULL together with @addr
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Removes a NetLabel/LSM domain mapping.  A @domain value of NULL causes the
 * default domain mapping to be removed.  With @addr and @mask both NULL the
 * whole mapping for @domain is removed; with both set only the matching
 * address selector is removed.  Supplying exactly one of @addr/@mask is
 * rejected with -EINVAL, an unsupported @family with -EPFNOSUPPORT.  Returns
 * zero on success, negative values on failure.
 *
 */
int netlbl_cfg_map_del(const char *domain,
		       u16 family,
		       const void *addr,
		       const void *mask,
		       struct netlbl_audit *audit_info)
{
	bool have_addr = (addr != NULL);
	bool have_mask = (mask != NULL);

	/* an address without a mask (or a mask without an address) is not
	 * a usable selector */
	if (have_addr != have_mask)
		return -EINVAL;

	/* no selector at all: drop the entire domain mapping */
	if (!have_addr)
		return netlbl_domhsh_remove(domain, family, audit_info);

	/* selector present: dispatch on the address family */
	if (family == AF_INET)
		return netlbl_domhsh_remove_af4(domain, addr, mask,
						audit_info);
#if IS_ENABLED(CONFIG_IPV6)
	if (family == AF_INET6)
		return netlbl_domhsh_remove_af6(domain, addr, mask,
						audit_info);
#endif /* IPv6 */
	return -EPFNOSUPPORT;
}
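/**
 * netlbl_cfg_unlbl_map_add - Add a new unlabeled mapping
 * @domain: the domain mapping to add, NULL for the default mapping
 * @family: address family (AF_INET or, when enabled, AF_INET6)
 * @addr: IP address, or NULL together with @mask for a whole-domain mapping
 * @mask: IP address mask, or NULL together with @addr
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Adds a new unlabeled NetLabel/LSM domain mapping.  A @domain value of NULL
 * causes a new default domain mapping to be added.  With @addr and @mask both
 * NULL the whole domain is mapped as NETLBL_NLTYPE_UNLABELED; with both set
 * an address-selector mapping (NETLBL_NLTYPE_ADDRSELECT) holding a single
 * unlabeled entry for @addr/@mask is built.  Supplying only one of
 * @addr/@mask fails with -EINVAL, an unsupported @family with -EPFNOSUPPORT.
 * Returns zero on success, negative values on failure; on failure everything
 * allocated here is released again.
 *
 */
int netlbl_cfg_unlbl_map_add(const char *domain,
			     u16 family,
			     const void *addr,
			     const void *mask,
			     struct netlbl_audit *audit_info)
{
	int ret_val = -ENOMEM;
	struct netlbl_dom_map *entry;
	struct netlbl_domaddr_map *addrmap = NULL;
	struct netlbl_domaddr4_map *map4 = NULL;
	struct netlbl_domaddr6_map *map6 = NULL;

	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
	if (entry == NULL)
		return -ENOMEM;
	if (domain != NULL) {
		entry->domain = kstrdup(domain, GFP_ATOMIC);
		if (entry->domain == NULL)
			goto cfg_unlbl_map_add_failure;
	}
	entry->family = family;

	if (addr == NULL && mask == NULL)
		entry->def.type = NETLBL_NLTYPE_UNLABELED;
	else if (addr != NULL && mask != NULL) {
		addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
		if (addrmap == NULL)
			goto cfg_unlbl_map_add_failure;
		INIT_LIST_HEAD(&addrmap->list4);
		INIT_LIST_HEAD(&addrmap->list6);

		switch (family) {
		case AF_INET: {
			const struct in_addr *addr4 = addr;
			const struct in_addr *mask4 = mask;
			map4 = kzalloc(sizeof(*map4), GFP_ATOMIC);
			if (map4 == NULL)
				goto cfg_unlbl_map_add_failure;
			map4->def.type = NETLBL_NLTYPE_UNLABELED;
			/* store the masked (network) address so the stored
			 * value already matches what a lookup compares */
			map4->list.addr = addr4->s_addr & mask4->s_addr;
			map4->list.mask = mask4->s_addr;
			map4->list.valid = 1;
			ret_val = netlbl_af4list_add(&map4->list,
						     &addrmap->list4);
			if (ret_val != 0)
				goto cfg_unlbl_map_add_failure;
			break;
		}
#if IS_ENABLED(CONFIG_IPV6)
		case AF_INET6: {
			const struct in6_addr *addr6 = addr;
			const struct in6_addr *mask6 = mask;
			map6 = kzalloc(sizeof(*map6), GFP_ATOMIC);
			if (map6 == NULL)
				goto cfg_unlbl_map_add_failure;
			map6->def.type = NETLBL_NLTYPE_UNLABELED;
			/* mask each 32-bit word of the v6 address */
			map6->list.addr = *addr6;
			map6->list.addr.s6_addr32[0] &= mask6->s6_addr32[0];
			map6->list.addr.s6_addr32[1] &= mask6->s6_addr32[1];
			map6->list.addr.s6_addr32[2] &= mask6->s6_addr32[2];
			map6->list.addr.s6_addr32[3] &= mask6->s6_addr32[3];
			map6->list.mask = *mask6;
			map6->list.valid = 1;
			ret_val = netlbl_af6list_add(&map6->list,
						     &addrmap->list6);
			if (ret_val != 0)
				goto cfg_unlbl_map_add_failure;
			break;
		}
#endif /* IPv6 */
		default:
			/* report the real reason instead of the -ENOMEM that
			 * ret_val still carries from its initialiser; this
			 * matches netlbl_cfg_map_del() */
			ret_val = -EPFNOSUPPORT;
			goto cfg_unlbl_map_add_failure;
		}

		entry->def.addrsel = addrmap;
		entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
	} else {
		ret_val = -EINVAL;
		goto cfg_unlbl_map_add_failure;
	}

	ret_val = netlbl_domhsh_add(entry, audit_info);
	if (ret_val != 0)
		goto cfg_unlbl_map_add_failure;

	return 0;

cfg_unlbl_map_add_failure:
	/* nothing has been published yet, so the per-address entries can be
	 * freed together with the (unlinked) address map; kfree(NULL) is a
	 * no-op for whatever was never allocated */
	kfree(entry->domain);
	kfree(entry);
	kfree(addrmap);
	kfree(map4);
	kfree(map6);
	return ret_val;
}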
/**
 * netlbl_cfg_unlbl_static_add - Adds a new static label
 * @net: network namespace
 * @dev_name: interface name, NULL for the default interface
 * @addr: IP address in network byte order (struct in[6]_addr)
 * @mask: address mask in network byte order (struct in[6]_addr)
 * @family: address family, selects how many bytes of @addr/@mask are used
 * @secid: LSM secid value for the entry
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Adds a new NetLabel static label to be used when protocol provided labels
 * are not present on incoming traffic.  If @dev_name is NULL then the default
 * interface will be used.  An unsupported @family is rejected with
 * -EPFNOSUPPORT before anything is touched.  Returns zero on success,
 * negative values on failure.
 *
 */
int netlbl_cfg_unlbl_static_add(struct net *net,
				const char *dev_name,
				const void *addr,
				const void *mask,
				u16 family,
				u32 secid,
				struct netlbl_audit *audit_info)
{
	u32 addr_len;

	/* the unlabeled hash only sees raw bytes, so derive the length of
	 * the address/mask from the family here */
	if (family == AF_INET)
		addr_len = sizeof(struct in_addr);
#if IS_ENABLED(CONFIG_IPV6)
	else if (family == AF_INET6)
		addr_len = sizeof(struct in6_addr);
#endif /* IPv6 */
	else
		return -EPFNOSUPPORT;

	return netlbl_unlhsh_add(net,
				 dev_name, addr, mask, addr_len,
				 secid, audit_info);
}
/**
 * netlbl_cfg_unlbl_static_del - Removes an existing static label
 * @net: network namespace
 * @dev_name: interface name, NULL for the default interface
 * @addr: IP address in network byte order (struct in[6]_addr)
 * @mask: address mask in network byte order (struct in[6]_addr)
 * @family: address family, selects how many bytes of @addr/@mask are used
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Removes an existing NetLabel static label used when protocol provided labels
 * are not present on incoming traffic.  If @dev_name is NULL then the default
 * interface will be used.  An unsupported @family is rejected with
 * -EPFNOSUPPORT before anything is touched.  Returns zero on success,
 * negative values on failure.
 *
 */
int netlbl_cfg_unlbl_static_del(struct net *net,
				const char *dev_name,
				const void *addr,
				const void *mask,
				u16 family,
				struct netlbl_audit *audit_info)
{
	u32 addr_len;

	/* same family -> length mapping as netlbl_cfg_unlbl_static_add() */
	if (family == AF_INET)
		addr_len = sizeof(struct in_addr);
#if IS_ENABLED(CONFIG_IPV6)
	else if (family == AF_INET6)
		addr_len = sizeof(struct in6_addr);
#endif /* IPv6 */
	else
		return -EPFNOSUPPORT;

	return netlbl_unlhsh_remove(net,
				    dev_name, addr, mask, addr_len,
				    audit_info);
}
/**
 * netlbl_cfg_cipsov4_add - Add a new CIPSOv4 DOI definition
 * @doi_def: CIPSO DOI definition
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Add a new CIPSO DOI definition as defined by @doi_def.  This is a thin
 * pass-through to cipso_v4_doi_add(), whose return value is handed back
 * unchanged: zero on success and negative values on failure.
 *
 */
int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
			   struct netlbl_audit *audit_info)
{
	int rc = cipso_v4_doi_add(doi_def, audit_info);

	return rc;
}
/**
 * netlbl_cfg_cipsov4_del - Remove an existing CIPSOv4 DOI definition
 * @doi: CIPSO DOI
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Remove an existing CIPSO DOI definition matching @doi.  The removal is
 * delegated to cipso_v4_doi_remove(); its result is not propagated, so this
 * function has no return value and callers cannot observe a failure here.
 *
 */
void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info)
{
	(void)cipso_v4_doi_remove(doi, audit_info);
}
/**
 * netlbl_cfg_cipsov4_map_add - Add a new CIPSOv4 DOI mapping
 * @doi: the CIPSO DOI
 * @domain: the domain mapping to add, NULL for the default mapping
 * @addr: IP address, or NULL together with @mask for a whole-domain mapping
 * @mask: IP address mask, or NULL together with @addr
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Add a new NetLabel/LSM domain mapping for the given CIPSO DOI to the NetLabel
 * subsystem.  A @domain value of NULL adds a new default domain mapping.
 * With @addr and @mask both NULL the whole domain maps to the DOI
 * (NETLBL_NLTYPE_CIPSOV4); with both set an address-selector mapping
 * (NETLBL_NLTYPE_ADDRSELECT) with a single CIPSOv4 entry for @addr/@mask is
 * built.  Only one of @addr/@mask fails with -EINVAL, an unknown @doi with
 * -ENOENT.  Returns zero on success, negative values on failure; on failure
 * every allocation made here is released and the DOI reference is dropped.
 *
 */
int netlbl_cfg_cipsov4_map_add(u32 doi,
			       const char *domain,
			       const struct in_addr *addr,
			       const struct in_addr *mask,
			       struct netlbl_audit *audit_info)
{
	int ret_val = -ENOMEM;
	struct cipso_v4_doi *doi_def;
	struct netlbl_dom_map *entry;
	struct netlbl_domaddr_map *addrmap = NULL;
	struct netlbl_domaddr4_map *addrinfo = NULL;

	/* presumably takes a reference on the DOI definition (paired with
	 * cipso_v4_doi_putdef() on every failure path below); on success the
	 * reference lives on in the new mapping */
	doi_def = cipso_v4_doi_getdef(doi);
	if (doi_def == NULL)
		return -ENOENT;

	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
	if (entry == NULL)
		goto out_entry;
	entry->family = AF_INET;
	if (domain != NULL) {
		entry->domain = kstrdup(domain, GFP_ATOMIC);
		if (entry->domain == NULL)
			goto out_domain;
	}

	if (addr == NULL && mask == NULL) {
		entry->def.cipso = doi_def;
		entry->def.type = NETLBL_NLTYPE_CIPSOV4;
	} else if (addr != NULL && mask != NULL) {
		addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
		if (addrmap == NULL)
			goto out_addrmap;
		INIT_LIST_HEAD(&addrmap->list4);
		INIT_LIST_HEAD(&addrmap->list6);

		addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
		if (addrinfo == NULL)
			goto out_addrinfo;
		addrinfo->def.cipso = doi_def;
		addrinfo->def.type = NETLBL_NLTYPE_CIPSOV4;
		/* store the masked (network) address, as lookups compare
		 * masked values */
		addrinfo->list.addr = addr->s_addr & mask->s_addr;
		addrinfo->list.mask = mask->s_addr;
		addrinfo->list.valid = 1;
		ret_val = netlbl_af4list_add(&addrinfo->list, &addrmap->list4);
		if (ret_val != 0)
			goto cfg_cipsov4_map_add_failure;

		entry->def.addrsel = addrmap;
		entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
	} else {
		ret_val = -EINVAL;
		goto out_addrmap;
	}

	ret_val = netlbl_domhsh_add(entry, audit_info);
	if (ret_val != 0)
		goto cfg_cipsov4_map_add_failure;

	return 0;

	/* the labels unwind in reverse allocation order; the entry has not
	 * been published, so freeing addrinfo while it is linked into the
	 * private addrmap list is fine */
cfg_cipsov4_map_add_failure:
	kfree(addrinfo);
out_addrinfo:
	kfree(addrmap);
out_addrmap:
	kfree(entry->domain);
out_domain:
	kfree(entry);
out_entry:
	cipso_v4_doi_putdef(doi_def);
	return ret_val;
}
/**
 * netlbl_cfg_calipso_add - Add a new CALIPSO DOI definition
 * @doi_def: CALIPSO DOI definition
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Add a new CALIPSO DOI definition as defined by @doi_def.  Without IPv6
 * support compiled in the call fails with -ENOSYS; otherwise the result of
 * calipso_doi_add() is returned: zero on success and negative values on
 * failure.
 *
 */
int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
			   struct netlbl_audit *audit_info)
{
	int ret_val = -ENOSYS;

#if IS_ENABLED(CONFIG_IPV6)
	ret_val = calipso_doi_add(doi_def, audit_info);
#endif /* IPv6 */
	return ret_val;
}
/**
 * netlbl_cfg_calipso_del - Remove an existing CALIPSO DOI definition
 * @doi: CALIPSO DOI
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Remove an existing CALIPSO DOI definition matching @doi.  Without IPv6
 * support this is a no-op.  Nothing is returned, so callers cannot observe a
 * failure of the underlying calipso_doi_remove() call.
 *
 */
void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info)
{
#if !IS_ENABLED(CONFIG_IPV6)
	return;
#else /* IPv6 */
	calipso_doi_remove(doi, audit_info);
#endif /* IPv6 */
}
/**
 * netlbl_cfg_calipso_map_add - Add a new CALIPSO DOI mapping
 * @doi: the CALIPSO DOI
 * @domain: the domain mapping to add, NULL for the default mapping
 * @addr: IP address, or NULL together with @mask for a whole-domain mapping
 * @mask: IP address mask, or NULL together with @addr
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Add a new NetLabel/LSM domain mapping for the given CALIPSO DOI to the
 * NetLabel subsystem.  A @domain value of NULL adds a new default domain
 * mapping.  With @addr and @mask both NULL the whole domain maps to the DOI
 * (NETLBL_NLTYPE_CALIPSO); with both set an address-selector mapping
 * (NETLBL_NLTYPE_ADDRSELECT) with a single CALIPSO entry for @addr/@mask is
 * built.  Only one of @addr/@mask fails with -EINVAL, an unknown @doi with
 * -ENOENT, and a kernel without IPv6 support with -ENOSYS.  Returns zero on
 * success, negative values on failure; on failure every allocation made here
 * is released and the DOI reference is dropped.
 *
 */
int netlbl_cfg_calipso_map_add(u32 doi,
			       const char *domain,
			       const struct in6_addr *addr,
			       const struct in6_addr *mask,
			       struct netlbl_audit *audit_info)
{
#if IS_ENABLED(CONFIG_IPV6)
	int ret_val = -ENOMEM;
	struct calipso_doi *doi_def;
	struct netlbl_dom_map *entry;
	struct netlbl_domaddr_map *addrmap = NULL;
	struct netlbl_domaddr6_map *addrinfo = NULL;

	/* presumably takes a reference on the DOI definition (paired with
	 * calipso_doi_putdef() on every failure path below); on success the
	 * reference lives on in the new mapping */
	doi_def = calipso_doi_getdef(doi);
	if (doi_def == NULL)
		return -ENOENT;

	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
	if (entry == NULL)
		goto out_entry;
	entry->family = AF_INET6;
	if (domain != NULL) {
		entry->domain = kstrdup(domain, GFP_ATOMIC);
		if (entry->domain == NULL)
			goto out_domain;
	}

	if (addr == NULL && mask == NULL) {
		entry->def.calipso = doi_def;
		entry->def.type = NETLBL_NLTYPE_CALIPSO;
	} else if (addr != NULL && mask != NULL) {
		addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
		if (addrmap == NULL)
			goto out_addrmap;
		INIT_LIST_HEAD(&addrmap->list4);
		INIT_LIST_HEAD(&addrmap->list6);

		addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
		if (addrinfo == NULL)
			goto out_addrinfo;
		addrinfo->def.calipso = doi_def;
		addrinfo->def.type = NETLBL_NLTYPE_CALIPSO;
		/* store the masked (network) address, one 32-bit word at a
		 * time, as lookups compare masked values */
		addrinfo->list.addr = *addr;
		addrinfo->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
		addrinfo->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
		addrinfo->list.addr.s6_addr32[2] &= mask->s6_addr32[2];
		addrinfo->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
		addrinfo->list.mask = *mask;
		addrinfo->list.valid = 1;
		ret_val = netlbl_af6list_add(&addrinfo->list, &addrmap->list6);
		if (ret_val != 0)
			goto cfg_calipso_map_add_failure;

		entry->def.addrsel = addrmap;
		entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
	} else {
		ret_val = -EINVAL;
		goto out_addrmap;
	}

	ret_val = netlbl_domhsh_add(entry, audit_info);
	if (ret_val != 0)
		goto cfg_calipso_map_add_failure;

	return 0;

	/* the labels unwind in reverse allocation order; the entry has not
	 * been published, so freeing addrinfo while it is linked into the
	 * private addrmap list is fine */
cfg_calipso_map_add_failure:
	kfree(addrinfo);
out_addrinfo:
	kfree(addrmap);
out_addrmap:
	kfree(entry->domain);
out_domain:
	kfree(entry);
out_entry:
	calipso_doi_putdef(doi_def);
	return ret_val;
#else /* IPv6 */
	return -ENOSYS;
#endif /* IPv6 */
}
  501. /*
  502. * Security Attribute Functions
  503. */
/* lookup flags for _netlbl_catmap_getnode(); see its description */
#define _CM_F_NONE 0x00000000	/* plain lookup, NULL when no node covers the offset */
#define _CM_F_ALLOC 0x00000001	/* allocate and insert a node when none covers the offset */
#define _CM_F_WALK 0x00000002	/* return the next higher node when none covers the offset */
/**
 * _netlbl_catmap_getnode - Get an individual node from a catmap
 * @catmap: pointer to the category bitmap head; updated when a new node is
 *          inserted at the front of the list
 * @offset: the requested offset, in bits
 * @cm_flags: catmap flags, see _CM_F_*
 * @gfp_flags: memory allocation flags, only used with _CM_F_ALLOC
 *
 * Description:
 * Iterate through the catmap looking for the node whose range
 * [startbit, startbit + NETLBL_CATMAP_SIZE) covers @offset.  If the
 * _CM_F_ALLOC flag is set in @cm_flags and there is no such node, one will be
 * created (startbit aligned down to NETLBL_CATMAP_SIZE) and inserted into the
 * catmap at the right position.  If the _CM_F_WALK flag is set in @cm_flags
 * and there is no such node, the next higher node will be returned instead;
 * that is NULL when @offset lies beyond the last node, and _CM_F_WALK takes
 * precedence over _CM_F_ALLOC in this case.  Returns a pointer to the node on
 * success, NULL on failure (or on "no node" with _CM_F_WALK).
 *
 */
static struct netlbl_lsm_catmap *_netlbl_catmap_getnode(
					     struct netlbl_lsm_catmap **catmap,
					     u32 offset,
					     unsigned int cm_flags,
					     gfp_t gfp_flags)
{
	struct netlbl_lsm_catmap *iter = *catmap;
	struct netlbl_lsm_catmap *prev = NULL;

	/* empty catmap: nothing to walk, only allocation can satisfy this */
	if (iter == NULL)
		goto catmap_getnode_alloc;
	/* @offset precedes the first node; prev stays NULL so that an
	 * allocated node becomes the new list head */
	if (offset < iter->startbit)
		goto catmap_getnode_walk;
	/* skip every node that ends at or before @offset */
	while (iter && offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
		prev = iter;
		iter = iter->next;
	}
	/* either we ran off the end (iter == NULL) or landed in a gap in
	 * front of iter; in both cases no node covers @offset */
	if (iter == NULL || offset < iter->startbit)
		goto catmap_getnode_walk;
	return iter;

catmap_getnode_walk:
	/* with _CM_F_WALK the caller wants the next higher node, which may
	 * legitimately be NULL */
	if (cm_flags & _CM_F_WALK)
		return iter;
catmap_getnode_alloc:
	if (!(cm_flags & _CM_F_ALLOC))
		return NULL;

	iter = netlbl_catmap_alloc(gfp_flags);
	if (iter == NULL)
		return NULL;
	/* align the node start down to NETLBL_CATMAP_SIZE (assumes it is a
	 * power of two) so nodes never overlap and stay sorted */
	iter->startbit = offset & ~(NETLBL_CATMAP_SIZE - 1);

	/* link the new node after prev, or at the head when prev is NULL */
	if (prev == NULL) {
		iter->next = *catmap;
		*catmap = iter;
	} else {
		iter->next = prev->next;
		prev->next = iter;
	}

	return iter;
}
/**
 * netlbl_catmap_walk - Walk a LSM secattr catmap looking for a bit
 * @catmap: the category bitmap
 * @offset: the offset to start searching at, in bits
 *
 * Description:
 * This function walks a LSM secattr category bitmap starting at @offset and
 * returns the spot of the first set bit at or after @offset, or -ENOENT if
 * no such bit exists.  An empty (NULL) @catmap yields -ENOENT.
 *
 */
int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap, u32 offset)
{
	/* NOTE(review): this initialiser is overwritten by the lookup below */
	struct netlbl_lsm_catmap *iter = catmap;
	u32 idx;
	u32 bit;
	NETLBL_CATMAP_MAPTYPE bitmap;

	/* _CM_F_WALK: the node covering @offset, or the next higher node when
	 * @offset falls into a gap; NULL means nothing lies at or beyond it */
	iter = _netlbl_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
	if (iter == NULL)
		return -ENOENT;
	if (offset > iter->startbit) {
		/* translate @offset to a (word, bit) position in this node */
		offset -= iter->startbit;
		idx = offset / NETLBL_CATMAP_MAPSIZE;
		bit = offset % NETLBL_CATMAP_MAPSIZE;
	} else {
		/* @offset is at or before the node start: scan from bit 0 */
		idx = 0;
		bit = 0;
	}
	/* drop the bits below the starting position */
	bitmap = iter->bitmap[idx] >> bit;

	for (;;) {
		if (bitmap != 0) {
			/* shift until the NETLBL_CATMAP_BIT position is set,
			 * counting how far we moved */
			while ((bitmap & NETLBL_CATMAP_BIT) == 0) {
				bitmap >>= 1;
				bit++;
			}
			return iter->startbit +
			       (NETLBL_CATMAP_MAPSIZE * idx) + bit;
		}
		/* word exhausted: next word, or the first word of the next
		 * node once this node's words are used up */
		if (++idx >= NETLBL_CATMAP_MAPCNT) {
			if (iter->next != NULL) {
				iter = iter->next;
				idx = 0;
			} else
				return -ENOENT;
		}
		bitmap = iter->bitmap[idx];
		bit = 0;
	}

	/* not reached: the loop above only exits through a return */
	return -ENOENT;
}
EXPORT_SYMBOL(netlbl_catmap_walk);
/**
 * netlbl_catmap_walkrng - Find the end of a string of set bits
 * @catmap: the category bitmap
 * @offset: the offset to start searching at, in bits
 *
 * Description:
 * This function walks a LSM secattr category bitmap starting at @offset and
 * returns the position of the last set bit in the run of set bits that begins
 * at @offset (i.e. one less than the first cleared bit), or -ENOENT if the
 * offset is past the end of the bitmap.  The bit at @offset is expected to be
 * set; if it is clear the value returned is @offset - 1.
 *
 */
int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap, u32 offset)
{
	struct netlbl_lsm_catmap *iter;
	struct netlbl_lsm_catmap *prev = NULL;
	u32 idx;
	u32 bit;
	NETLBL_CATMAP_MAPTYPE bitmask;
	NETLBL_CATMAP_MAPTYPE bitmap;

	/* _CM_F_WALK: covering node, or the next higher one; NULL when
	 * nothing lies at or beyond @offset */
	iter = _netlbl_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
	if (iter == NULL)
		return -ENOENT;
	if (offset > iter->startbit) {
		/* translate @offset to a (word, bit) position in this node */
		offset -= iter->startbit;
		idx = offset / NETLBL_CATMAP_MAPSIZE;
		bit = offset % NETLBL_CATMAP_MAPSIZE;
	} else {
		idx = 0;
		bit = 0;
	}
	/* single-bit probe that walks upwards through the word */
	bitmask = NETLBL_CATMAP_BIT << bit;

	for (;;) {
		bitmap = iter->bitmap[idx];
		/* advance while the probed bit is set; bitmask becomes 0 once
		 * it has been shifted out of the word */
		while (bitmask != 0 && (bitmap & bitmask) != 0) {
			bitmask <<= 1;
			bit++;
		}

		if (prev && idx == 0 && bit == 0)
			/* the run ended exactly at the end of the previous
			 * node: its last bit is the answer */
			return prev->startbit + NETLBL_CATMAP_SIZE - 1;
		else if (bitmask != 0)
			/* stopped on a cleared bit inside this word */
			return iter->startbit +
			       (NETLBL_CATMAP_MAPSIZE * idx) + bit - 1;
		else if (++idx >= NETLBL_CATMAP_MAPCNT) {
			/* whole node was set: continue in the next node, or
			 * report the last bit of this node when it is the
			 * final one.  NOTE(review): the next node's startbit
			 * is not checked for contiguity, so a run is treated
			 * as continuing across a gap between nodes - confirm
			 * that callers only build contiguous ranges */
			if (iter->next == NULL)
				return iter->startbit + NETLBL_CATMAP_SIZE - 1;
			prev = iter;
			iter = iter->next;
			idx = 0;
		}
		bitmask = NETLBL_CATMAP_BIT;
		bit = 0;
	}

	/* not reached: the loop above only exits through a return */
	return -ENOENT;
}
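/**
 * netlbl_catmap_getlong - Export an unsigned long bitmap
 * @catmap: pointer to the category bitmap, may be NULL (treated as empty)
 * @offset: pointer to the requested offset
 * @bitmap: the exported bitmap
 *
 * Description:
 * Export a bitmap with an offset greater than or equal to @offset and return
 * it in @bitmap.  The @offset must be aligned to an unsigned long and will be
 * updated on return if different from what was requested; if the catmap is
 * empty at the requested offset and beyond, the @offset is set to (u32)-1.
 * Returns zero on success, negative values on failure (-EINVAL for an
 * unaligned @offset).
 *
 */
int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
			  u32 *offset,
			  unsigned long *bitmap)
{
	struct netlbl_lsm_catmap *iter;
	u32 off = *offset;
	u32 idx;

	/* only allow aligned offsets */
	if ((off & (BITS_PER_LONG - 1)) != 0)
		return -EINVAL;

	/* an empty catmap has no bits at or beyond any offset; without this
	 * guard the startbit access below would dereference NULL */
	if (catmap == NULL) {
		*offset = (u32)-1;
		return 0;
	}

	/* nothing can live below the first node, so start there */
	if (off < catmap->startbit) {
		off = catmap->startbit;
		*offset = off;
	}

	/* _CM_F_WALK: covering node, or the next higher one when @off falls
	 * into a gap; NULL means the catmap is exhausted */
	iter = _netlbl_catmap_getnode(&catmap, off, _CM_F_WALK, 0);
	if (iter == NULL) {
		*offset = (u32)-1;
		return 0;
	}

	if (off < iter->startbit) {
		/* skipped a gap: report the node start as the new offset
		 * (assumes node start bits are BITS_PER_LONG aligned) */
		*offset = iter->startbit;
		off = 0;
	} else
		off -= iter->startbit;
	idx = off / NETLBL_CATMAP_MAPSIZE;
	*bitmap = iter->bitmap[idx] >> (off % NETLBL_CATMAP_MAPSIZE);

	return 0;
}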
/**
 * netlbl_catmap_setbit - Set a bit in a LSM secattr catmap
 * @catmap: pointer to the category bitmap, updated if a node is inserted
 *          at the front
 * @bit: the bit to set
 * @flags: memory allocation flags
 *
 * Description:
 * Set the bit specified by @bit in @catmap, allocating the node that covers
 * @bit when it does not exist yet.  Returns zero on success, -ENOMEM when
 * the node could not be allocated.
 *
 */
int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
			 u32 bit,
			 gfp_t flags)
{
	struct netlbl_lsm_catmap *node;
	u32 rel;

	node = _netlbl_catmap_getnode(catmap, bit, _CM_F_ALLOC, flags);
	if (!node)
		return -ENOMEM;

	/* position of @bit relative to the node, then split into word/bit */
	rel = bit - node->startbit;
	node->bitmap[rel / NETLBL_CATMAP_MAPSIZE] |=
		NETLBL_CATMAP_BIT << (rel % NETLBL_CATMAP_MAPSIZE);

	return 0;
}
EXPORT_SYMBOL(netlbl_catmap_setbit);
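/**
 * netlbl_catmap_setrng - Set a range of bits in a LSM secattr catmap
 * @catmap: pointer to the category bitmap
 * @start: the starting bit
 * @end: the last bit in the string (inclusive)
 * @flags: memory allocation flags
 *
 * Description:
 * Set a range of bits, starting at @start and ending with @end.  Aligned
 * whole words inside the range are set with netlbl_catmap_setlong(), the
 * rest bit by bit.  A range with @start > @end is a no-op.  Returns zero on
 * success, negative values on failure (the first error from the underlying
 * setters).
 *
 */
int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
			 u32 start,
			 u32 end,
			 gfp_t flags)
{
	int rc = 0;
	u32 spot = start;

	/* empty range: nothing to do (same result as the old loop guard) */
	if (start > end)
		return 0;

	while (rc == 0) {
		if (((spot & (BITS_PER_LONG - 1)) == 0) &&
		    ((end - spot) > BITS_PER_LONG)) {
			/* an aligned word lies entirely inside the range; the
			 * strict '>' keeps spot + BITS_PER_LONG below @end, so
			 * this branch can never wrap spot around */
			rc = netlbl_catmap_setlong(catmap,
						   spot,
						   (unsigned long)-1,
						   flags);
			spot += BITS_PER_LONG;
		} else {
			rc = netlbl_catmap_setbit(catmap, spot, flags);
			/* leave before incrementing past @end: with @end ==
			 * U32_MAX a post-increment would wrap to zero and the
			 * old 'spot <= end' test could never become false */
			if (spot == end)
				break;
			spot++;
		}
	}

	return rc;
}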
/**
 * netlbl_catmap_setlong - Import an unsigned long bitmap
 * @catmap: pointer to the category bitmap, updated if a node is inserted
 *          at the front
 * @offset: offset to the start of the imported bitmap
 * @bitmap: the bitmap to import
 * @flags: memory allocation flags
 *
 * Description:
 * Import the bitmap specified in @bitmap into @catmap, OR-ing it into the
 * word that starts at @offset.  The offset must be aligned to an unsigned
 * long (-EINVAL otherwise).  Returns zero on success, -ENOMEM when the
 * covering node could not be allocated.
 *
 */
int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
			  u32 offset,
			  unsigned long bitmap,
			  gfp_t flags)
{
	struct netlbl_lsm_catmap *node;
	u32 rel;

	/* only allow aligned offsets */
	if (offset & (BITS_PER_LONG - 1))
		return -EINVAL;

	node = _netlbl_catmap_getnode(catmap, offset, _CM_F_ALLOC, flags);
	if (!node)
		return -ENOMEM;

	/* position of @offset relative to the node, then word/bit split */
	rel = offset - node->startbit;
	node->bitmap[rel / NETLBL_CATMAP_MAPSIZE] |=
		bitmap << (rel % NETLBL_CATMAP_MAPSIZE);

	return 0;
}
  795. /* Bitmap functions
  796. */
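/**
 * netlbl_bitmap_walk - Walk a bitmap looking for a bit
 * @bitmap: the bitmap, bit 0 being the most significant bit of byte 0
 * @bitmap_len: length in bits
 * @offset: starting offset
 * @state: if non-zero, look for a set (1) bit else look for a cleared (0) bit
 *
 * Description:
 * Starting at @offset, walk the bitmap from left to right until either the
 * desired bit is found or we reach the end.  Return the bit offset, or -1 if
 * the bit is not found or @offset is not within the bitmap.  (The -2 error
 * value mentioned by earlier documentation is never produced.)
 */
int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
		       u32 offset, u8 state)
{
	u32 bit_spot;
	u32 byte_offset;
	unsigned char bitmask;
	unsigned char byte;

	/* the first byte is read before the loop condition is evaluated, so
	 * an out-of-range @offset must be rejected here or the read below
	 * runs past the end of @bitmap */
	if (offset >= bitmap_len)
		return -1;

	/* gcc always rounds to zero when doing integer division */
	byte_offset = offset / 8;
	byte = bitmap[byte_offset];
	bit_spot = offset;
	bitmask = 0x80 >> (offset % 8);

	while (bit_spot < bitmap_len) {
		if ((state && (byte & bitmask) == bitmask) ||
		    (state == 0 && (byte & bitmask) == 0))
			return bit_spot;

		/* bounds check before advancing so the next byte is only
		 * fetched while bit_spot is still inside the bitmap */
		if (++bit_spot >= bitmap_len)
			return -1;
		bitmask >>= 1;
		if (bitmask == 0) {
			byte = bitmap[++byte_offset];
			bitmask = 0x80;
		}
	}

	return -1;
}
EXPORT_SYMBOL(netlbl_bitmap_walk);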
/**
 * netlbl_bitmap_setbit - Sets a single bit in a bitmap
 * @bitmap: the bitmap
 * @bit: the bit
 * @state: if non-zero, set the bit (1) else clear the bit (0)
 *
 * Description:
 * Set or clear bit @bit of @bitmap, where bit 0 is the most significant bit
 * of bitmap[0]. Nothing is returned. No bounds check is performed, so the
 * caller must guarantee that @bitmap holds at least @bit + 1 bits.
 */
void netlbl_bitmap_setbit(unsigned char *bitmap, u32 bit, u8 state)
{
	/* integer division truncates, which selects the byte holding @bit */
	unsigned char *slot = &bitmap[bit / 8];
	u8 mask = 0x80 >> (bit % 8);

	if (state)
		*slot |= mask;
	else
		*slot &= ~mask;
}
EXPORT_SYMBOL(netlbl_bitmap_setbit);
  858. /*
  859. * LSM Functions
  860. */
/**
 * netlbl_enabled - Determine if the NetLabel subsystem is enabled
 *
 * Description:
 * The LSM can use this function to decide whether to consult NetLabel
 * security attributes in its enforcement mechanism. NetLabel is considered
 * enabled as soon as its configuration holds a valid setup for at least one
 * labeled protocol (i.e. incoming labeled packets of at least one type can be
 * understood); otherwise it is considered disabled. Returns non-zero when
 * enabled, zero otherwise.
 *
 */
int netlbl_enabled(void)
{
	/* The enabled state is derived purely from the configured protocol
	 * count; there is no separate administrative switch yet, although one
	 * may be worth exposing so admins can toggle NetLabel regardless of
	 * the configuration. */
	int configured = atomic_read(&netlabel_mgmt_protocount);

	return configured > 0;
}
/**
 * netlbl_sock_setattr - Label a socket using the correct protocol
 * @sk: the socket to label
 * @family: protocol family
 * @secattr: the security attributes
 *
 * Description:
 * Attach the label described by @secattr to @sk using whichever labeling
 * protocol the domain mapping selects for @family. The caller must have
 * exclusive access to @sk: it is either still being created or it is locked.
 * Returns zero on success, -EDESTADDRREQ when the domain is configured with
 * network address selectors (the socket can not be labeled blindly; see
 * netlbl_conn_setattr() for the per-destination variant), -ENOENT when no
 * usable mapping exists, -EPROTONOSUPPORT for an unsupported @family and
 * other negative values when the protocol engine fails.
 *
 */
int netlbl_sock_setattr(struct sock *sk,
			u16 family,
			const struct netlbl_lsm_secattr *secattr)
{
	struct netlbl_dom_map *dom;
	int rc = -EPROTONOSUPPORT;

	/* the domain hash is RCU protected: stay inside the read-side section
	 * for as long as @dom is dereferenced */
	rcu_read_lock();
	dom = netlbl_domhsh_getentry(secattr->domain, family);
	if (!dom) {
		rcu_read_unlock();
		return -ENOENT;
	}

	if (family == AF_INET) {
		switch (dom->def.type) {
		case NETLBL_NLTYPE_ADDRSELECT:
			rc = -EDESTADDRREQ;
			break;
		case NETLBL_NLTYPE_CIPSOV4:
			rc = cipso_v4_sock_setattr(sk, dom->def.cipso, secattr);
			break;
		case NETLBL_NLTYPE_UNLABELED:
			rc = 0;
			break;
		default:
			rc = -ENOENT;
			break;
		}
	}
#if IS_ENABLED(CONFIG_IPV6)
	else if (family == AF_INET6) {
		switch (dom->def.type) {
		case NETLBL_NLTYPE_ADDRSELECT:
			rc = -EDESTADDRREQ;
			break;
		case NETLBL_NLTYPE_CALIPSO:
			rc = calipso_sock_setattr(sk, dom->def.calipso, secattr);
			break;
		case NETLBL_NLTYPE_UNLABELED:
			rc = 0;
			break;
		default:
			rc = -ENOENT;
			break;
		}
	}
#endif /* IPv6 */

	rcu_read_unlock();
	return rc;
}
/**
 * netlbl_sock_delattr - Delete all the NetLabel labels on a socket
 * @sk: the socket
 *
 * Description:
 * Strip every NetLabel label from @sk via the protocol engine that matches
 * the socket's family. Sockets of any other family are left untouched. The
 * caller is responsible for ensuring that @sk is locked.
 *
 */
void netlbl_sock_delattr(struct sock *sk)
{
	if (sk->sk_family == AF_INET) {
		cipso_v4_sock_delattr(sk);
		return;
	}
#if IS_ENABLED(CONFIG_IPV6)
	if (sk->sk_family == AF_INET6)
		calipso_sock_delattr(sk);
#endif /* IPv6 */
}
/**
 * netlbl_sock_getattr - Determine the security attributes of a sock
 * @sk: the sock
 * @secattr: the security attributes
 *
 * Description:
 * Ask the protocol engine matching the family of @sk whether any NetLabel
 * style labeling is present on the sock; if so the label is parsed and the
 * resulting security attributes are returned in @secattr. Returns zero on
 * success, -EPROTONOSUPPORT for a family without an engine and other
 * negative values on failure.
 *
 */
int netlbl_sock_getattr(struct sock *sk,
			struct netlbl_lsm_secattr *secattr)
{
	if (sk->sk_family == AF_INET)
		return cipso_v4_sock_getattr(sk, secattr);
#if IS_ENABLED(CONFIG_IPV6)
	if (sk->sk_family == AF_INET6)
		return calipso_sock_getattr(sk, secattr);
#endif /* IPv6 */
	return -EPROTONOSUPPORT;
}
/**
 * netlbl_conn_setattr - Label a connected socket using the correct protocol
 * @sk: the socket to label
 * @addr: the destination address
 * @secattr: the security attributes
 *
 * Description:
 * Look up the domain mapping for @secattr's domain and the destination in
 * @addr, then attach the selected label to @sk. An unlabeled mapping removes
 * any existing NetLabel label instead. The caller is responsible for ensuring
 * that @sk is locked. Returns zero on success, -ENOENT when no usable mapping
 * exists, -EPROTONOSUPPORT for an unsupported address family and other
 * negative values on failure.
 *
 */
int netlbl_conn_setattr(struct sock *sk,
			struct sockaddr *addr,
			const struct netlbl_lsm_secattr *secattr)
{
	struct netlbl_dommap_def *entry;
	int rc = -ENOENT;

	rcu_read_lock();
	switch (addr->sa_family) {
	case AF_INET: {
		/* NOTE(review): no address length is passed, so @addr is
		 * assumed to be at least sizeof(struct sockaddr_in) -- confirm
		 * at the callers */
		struct sockaddr_in *addr4 = (struct sockaddr_in *)addr;

		entry = netlbl_domhsh_getentry_af4(secattr->domain,
						   addr4->sin_addr.s_addr);
		if (!entry)
			break;
		if (entry->type == NETLBL_NLTYPE_CIPSOV4) {
			rc = cipso_v4_sock_setattr(sk, entry->cipso, secattr);
		} else if (entry->type == NETLBL_NLTYPE_UNLABELED) {
			/* strip whatever label the supported protocols left
			 * on the socket; other protocols are not touched */
			netlbl_sock_delattr(sk);
			rc = 0;
		}
		break;
	}
#if IS_ENABLED(CONFIG_IPV6)
	case AF_INET6: {
		struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)addr;

		entry = netlbl_domhsh_getentry_af6(secattr->domain,
						   &addr6->sin6_addr);
		if (!entry)
			break;
		if (entry->type == NETLBL_NLTYPE_CALIPSO) {
			rc = calipso_sock_setattr(sk, entry->calipso, secattr);
		} else if (entry->type == NETLBL_NLTYPE_UNLABELED) {
			netlbl_sock_delattr(sk);
			rc = 0;
		}
		break;
	}
#endif /* IPv6 */
	default:
		rc = -EPROTONOSUPPORT;
		break;
	}
	rcu_read_unlock();

	return rc;
}
/**
 * netlbl_req_setattr - Label a request socket using the correct protocol
 * @req: the request socket to label
 * @secattr: the security attributes
 *
 * Description:
 * Look up the domain mapping for @secattr's domain and the remote address
 * recorded in @req, then attach the selected label to the request socket. An
 * unlabeled mapping removes any existing NetLabel label instead. Returns zero
 * on success, -ENOENT when no usable mapping exists, -EPROTONOSUPPORT for an
 * unsupported family and other negative values on failure.
 *
 */
int netlbl_req_setattr(struct request_sock *req,
		       const struct netlbl_lsm_secattr *secattr)
{
	struct inet_request_sock *ireq = inet_rsk(req);
	struct netlbl_dommap_def *entry;
	int rc = -ENOENT;

	rcu_read_lock();
	switch (req->rsk_ops->family) {
	case AF_INET:
		entry = netlbl_domhsh_getentry_af4(secattr->domain,
						   ireq->ir_rmt_addr);
		if (!entry)
			break;
		if (entry->type == NETLBL_NLTYPE_CIPSOV4) {
			rc = cipso_v4_req_setattr(req, entry->cipso, secattr);
		} else if (entry->type == NETLBL_NLTYPE_UNLABELED) {
			netlbl_req_delattr(req);
			rc = 0;
		}
		break;
#if IS_ENABLED(CONFIG_IPV6)
	case AF_INET6:
		entry = netlbl_domhsh_getentry_af6(secattr->domain,
						   &ireq->ir_v6_rmt_addr);
		if (!entry)
			break;
		if (entry->type == NETLBL_NLTYPE_CALIPSO) {
			rc = calipso_req_setattr(req, entry->calipso, secattr);
		} else if (entry->type == NETLBL_NLTYPE_UNLABELED) {
			netlbl_req_delattr(req);
			rc = 0;
		}
		break;
#endif /* IPv6 */
	default:
		rc = -EPROTONOSUPPORT;
		break;
	}
	rcu_read_unlock();

	return rc;
}
/**
 * netlbl_req_delattr - Delete all the NetLabel labels on a socket
 * @req: the socket
 *
 * Description:
 * Strip every NetLabel label from the request socket @req via the protocol
 * engine matching its family; other families are left untouched.
 *
 */
void netlbl_req_delattr(struct request_sock *req)
{
	u16 family = req->rsk_ops->family;

	if (family == AF_INET) {
		cipso_v4_req_delattr(req);
		return;
	}
#if IS_ENABLED(CONFIG_IPV6)
	if (family == AF_INET6)
		calipso_req_delattr(req);
#endif /* IPv6 */
}
/**
 * netlbl_skbuff_setattr - Label a packet using the correct protocol
 * @skb: the packet
 * @family: protocol family
 * @secattr: the security attributes
 *
 * Description:
 * Look up the domain mapping for @secattr's domain and the destination
 * address in the packet header, then attach the selected label to @skb. An
 * unlabeled mapping strips the label of the supported protocol instead.
 * Returns zero on success, -ENOENT when no usable mapping exists,
 * -EPROTONOSUPPORT for an unsupported @family and other negative values on
 * failure.
 *
 */
int netlbl_skbuff_setattr(struct sk_buff *skb,
			  u16 family,
			  const struct netlbl_lsm_secattr *secattr)
{
	struct netlbl_dommap_def *entry;
	int rc = -ENOENT;

	rcu_read_lock();
	switch (family) {
	case AF_INET: {
		struct iphdr *hdr4 = ip_hdr(skb);

		entry = netlbl_domhsh_getentry_af4(secattr->domain,
						   hdr4->daddr);
		if (!entry)
			break;
		if (entry->type == NETLBL_NLTYPE_CIPSOV4) {
			rc = cipso_v4_skbuff_setattr(skb, entry->cipso,
						     secattr);
		} else if (entry->type == NETLBL_NLTYPE_UNLABELED) {
			/* only the protocol we support is removed here; other
			 * labeling could be stripped too if ever needed */
			rc = cipso_v4_skbuff_delattr(skb);
		}
		break;
	}
#if IS_ENABLED(CONFIG_IPV6)
	case AF_INET6: {
		struct ipv6hdr *hdr6 = ipv6_hdr(skb);

		entry = netlbl_domhsh_getentry_af6(secattr->domain,
						   &hdr6->daddr);
		if (!entry)
			break;
		if (entry->type == NETLBL_NLTYPE_CALIPSO) {
			rc = calipso_skbuff_setattr(skb, entry->calipso,
						    secattr);
		} else if (entry->type == NETLBL_NLTYPE_UNLABELED) {
			rc = calipso_skbuff_delattr(skb);
		}
		break;
	}
#endif /* IPv6 */
	default:
		rc = -EPROTONOSUPPORT;
		break;
	}
	rcu_read_unlock();

	return rc;
}
/**
 * netlbl_skbuff_getattr - Determine the security attributes of a packet
 * @skb: the packet
 * @family: protocol family
 * @secattr: the security attributes
 *
 * Description:
 * Check @skb for a recognized labeling option of the given @family; when one
 * is present and parses cleanly, its security attributes are returned in
 * @secattr. Packets without a parseable label (and packets of any other
 * family) fall back to the unlabeled-traffic attributes. Returns zero on
 * success, negative values on failure.
 *
 */
int netlbl_skbuff_getattr(const struct sk_buff *skb,
			  u16 family,
			  struct netlbl_lsm_secattr *secattr)
{
	unsigned char *opt;

	if (family == AF_INET) {
		opt = cipso_v4_optptr(skb);
		if (opt && cipso_v4_getattr(opt, secattr) == 0)
			return 0;
	}
#if IS_ENABLED(CONFIG_IPV6)
	else if (family == AF_INET6) {
		opt = calipso_optptr(skb);
		if (opt && calipso_getattr(opt, secattr) == 0)
			return 0;
	}
#endif /* IPv6 */

	/* no usable on-wire label: treat the packet as unlabeled traffic */
	return netlbl_unlabel_getattr(skb, family, secattr);
}
/**
 * netlbl_skbuff_err - Handle a LSM error on a sk_buff
 * @skb: the packet
 * @family: the family
 * @error: the error code
 * @gateway: non-zero if host is acting as a gateway, zero otherwise
 *
 * Description:
 * Deal with a LSM problem when handling the packet in @skb, typically a
 * permission denied problem (-EACCES). The action is delegated to the
 * labeling protocol found on the packet; at present only CIPSO on AF_INET
 * packets has an error handler, so packets of any other family (AF_INET6
 * included) are a no-op here.
 *
 */
void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway)
{
	if (family != AF_INET)
		return;
	if (cipso_v4_optptr(skb))
		cipso_v4_error(skb, error, gateway);
}
/**
 * netlbl_cache_invalidate - Invalidate all of the NetLabel protocol caches
 *
 * Description:
 * For every NetLabel protocol that keeps a label mapping cache, drop the
 * cache contents. Nothing is returned; the per-protocol invalidation calls
 * do not report failures.
 *
 */
void netlbl_cache_invalidate(void)
{
	/* CIPSO first, then CALIPSO when IPv6 support is built in */
	cipso_v4_cache_invalidate();
#if IS_ENABLED(CONFIG_IPV6)
	calipso_cache_invalidate();
#endif /* IPv6 */
}
/**
 * netlbl_cache_add - Add an entry to a NetLabel protocol cache
 * @skb: the packet
 * @family: the family
 * @secattr: the packet's security attributes
 *
 * Description:
 * Add the LSM security attributes for the given packet to the label mapping
 * cache of the protocol whose option is present on the packet. Only
 * attributes flagged NETLBL_SECATTR_CACHE are eligible. Returns zero on
 * success, -ENOMSG when the attributes are not cacheable or the packet
 * carries no recognized label, and other negative values on error.
 *
 */
int netlbl_cache_add(const struct sk_buff *skb, u16 family,
		     const struct netlbl_lsm_secattr *secattr)
{
	unsigned char *opt;

	if (!(secattr->flags & NETLBL_SECATTR_CACHE))
		return -ENOMSG;

	if (family == AF_INET) {
		opt = cipso_v4_optptr(skb);
		if (opt)
			return cipso_v4_cache_add(opt, secattr);
	}
#if IS_ENABLED(CONFIG_IPV6)
	else if (family == AF_INET6) {
		opt = calipso_optptr(skb);
		if (opt)
			return calipso_cache_add(opt, secattr);
	}
#endif /* IPv6 */

	return -ENOMSG;
}
  1352. /*
  1353. * Protocol Engine Functions
  1354. */
/**
 * netlbl_audit_start - Start an audit message
 * @type: audit message type
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Open an audit message of type @type and pre-fill the fields shared by all
 * NetLabel audit messages. Intended for protocol engines only, not for LSMs.
 * Returns a pointer to the audit buffer on success, NULL on failure.
 *
 */
struct audit_buffer *netlbl_audit_start(int type,
					struct netlbl_audit *audit_info)
{
	struct audit_buffer *ab;

	/* exported thin wrapper around the file-local implementation */
	ab = netlbl_audit_start_common(type, audit_info);
	return ab;
}
EXPORT_SYMBOL(netlbl_audit_start);
  1373. /*
  1374. * Setup Functions
  1375. */
/**
 * netlbl_init - Initialize NetLabel
 *
 * Description:
 * Perform the required NetLabel initialization before first use: the domain
 * hash, the unlabeled-traffic hash, the netlink interface and the default
 * unlabeled configuration, in that order. Returns zero on success; any
 * failure panics the kernel, as NetLabel can not be left half-initialized.
 *
 */
static int __init netlbl_init(void)
{
	int ret_val;

	printk(KERN_INFO "NetLabel: Initializing\n");
	printk(KERN_INFO "NetLabel: domain hash size = %u\n",
	       (1 << NETLBL_DOMHSH_BITSIZE));
	printk(KERN_INFO "NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO\n");

	/* each step runs only if every earlier one succeeded */
	ret_val = netlbl_domhsh_init(NETLBL_DOMHSH_BITSIZE);
	if (ret_val == 0)
		ret_val = netlbl_unlabel_init(NETLBL_UNLHSH_BITSIZE);
	if (ret_val == 0)
		ret_val = netlbl_netlink_init();
	if (ret_val == 0)
		ret_val = netlbl_unlabel_defconf();
	if (ret_val != 0)
		panic("NetLabel: failed to initialize properly (%d)\n", ret_val);

	printk(KERN_INFO "NetLabel: unlabeled traffic allowed by default\n");
	return 0;
}
subsys_initcall(netlbl_init);