1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * NetLabel Unlabeled Support
4 *
5 * This file defines functions for dealing with unlabeled packets for the
6 * NetLabel system. The NetLabel system manages static and dynamic label
7 * mappings for network protocols such as CIPSO and RIPSO.
8 *
9 * Author: Paul Moore <paul@paul-moore.com>
10 */
11
12 /*
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - 2008
14 */
15
16 #include <linux/types.h>
17 #include <linux/rcupdate.h>
18 #include <linux/list.h>
19 #include <linux/spinlock.h>
20 #include <linux/socket.h>
21 #include <linux/string.h>
22 #include <linux/skbuff.h>
23 #include <linux/audit.h>
24 #include <linux/in.h>
25 #include <linux/in6.h>
26 #include <linux/ip.h>
27 #include <linux/ipv6.h>
28 #include <linux/notifier.h>
29 #include <linux/netdevice.h>
30 #include <linux/security.h>
31 #include <linux/slab.h>
32 #include <net/sock.h>
33 #include <net/netlink.h>
34 #include <net/genetlink.h>
35 #include <net/ip.h>
36 #include <net/ipv6.h>
37 #include <net/net_namespace.h>
38 #include <net/netlabel.h>
39 #include <asm/bug.h>
40 #include <linux/atomic.h>
41
42 #include "netlabel_user.h"
43 #include "netlabel_addrlist.h"
44 #include "netlabel_domainhash.h"
45 #include "netlabel_unlabeled.h"
46 #include "netlabel_mgmt.h"
47
48 /* NOTE: at present we always use init's network namespace since we don't
49 * presently support different namespaces even though the majority of
50 * the functions in this file are "namespace safe" */
51
52 /* The unlabeled connection hash table which we use to map network interfaces
53 * and addresses of unlabeled packets to a user specified secid value for the
54 * LSM. The hash table is used to lookup the network interface entry
55 * (struct netlbl_unlhsh_iface) and then the interface entry is used to
56 * lookup an IP address match from an ordered list. If a network interface
57 * match can not be found in the hash table then the default entry
58 * (netlbl_unlhsh_def) is used. The IP address entry list
59 * (struct netlbl_unlhsh_addr) is ordered such that the entries with a
60 * larger netmask come first.
61 */
62 struct netlbl_unlhsh_tbl {
63 struct list_head *tbl;
64 u32 size;
65 };
66 #define netlbl_unlhsh_addr4_entry(iter) \
67 container_of(iter, struct netlbl_unlhsh_addr4, list)
68 struct netlbl_unlhsh_addr4 {
69 u32 secid;
70
71 struct netlbl_af4list list;
72 struct rcu_head rcu;
73 };
74 #define netlbl_unlhsh_addr6_entry(iter) \
75 container_of(iter, struct netlbl_unlhsh_addr6, list)
76 struct netlbl_unlhsh_addr6 {
77 u32 secid;
78
79 struct netlbl_af6list list;
80 struct rcu_head rcu;
81 };
82 struct netlbl_unlhsh_iface {
83 int ifindex;
84 struct list_head addr4_list;
85 struct list_head addr6_list;
86
87 u32 valid;
88 struct list_head list;
89 struct rcu_head rcu;
90 };
91
92 /* Argument struct for netlbl_unlhsh_walk() */
93 struct netlbl_unlhsh_walk_arg {
94 struct netlink_callback *nl_cb;
95 struct sk_buff *skb;
96 u32 seq;
97 };
98
99 /* Unlabeled connection hash table */
100 /* updates should be so rare that having one spinlock for the entire
101 * hash table should be okay */
102 static DEFINE_SPINLOCK(netlbl_unlhsh_lock);
103 #define netlbl_unlhsh_rcu_deref(p) \
104 rcu_dereference_check(p, lockdep_is_held(&netlbl_unlhsh_lock))
105 static struct netlbl_unlhsh_tbl __rcu *netlbl_unlhsh;
106 static struct netlbl_unlhsh_iface __rcu *netlbl_unlhsh_def;
107
108 /* Accept unlabeled packets flag */
109 static u8 netlabel_unlabel_acceptflg;
110
111 /* NetLabel Generic NETLINK unlabeled family */
112 static struct genl_family netlbl_unlabel_gnl_family;
113
114 /* NetLabel Netlink attribute policy */
115 static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
116 [NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
117 [NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY,
118 .len = sizeof(struct in6_addr) },
119 [NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY,
120 .len = sizeof(struct in6_addr) },
121 [NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY,
122 .len = sizeof(struct in_addr) },
123 [NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY,
124 .len = sizeof(struct in_addr) },
125 [NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING,
126 .len = IFNAMSIZ - 1 },
127 [NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY }
128 };
129
130 /*
131 * Unlabeled Connection Hash Table Functions
132 */
133
134 /**
135 * netlbl_unlhsh_free_iface - Frees an interface entry from the hash table
136 * @entry: the entry's RCU field
137 *
138 * Description:
139 * This function is designed to be used as a callback to the call_rcu()
140 * function so that memory allocated to a hash table interface entry can be
141 * released safely. It is important to note that this function does not free
142 * the IPv4 and IPv6 address lists contained as part of an interface entry. It
143 * is up to the rest of the code to make sure an interface entry is only freed
144 * once it's address lists are empty.
145 *
146 */
netlbl_unlhsh_free_iface(struct rcu_head * entry)147 static void netlbl_unlhsh_free_iface(struct rcu_head *entry)
148 {
149 struct netlbl_unlhsh_iface *iface;
150 struct netlbl_af4list *iter4;
151 struct netlbl_af4list *tmp4;
152 #if IS_ENABLED(CONFIG_IPV6)
153 struct netlbl_af6list *iter6;
154 struct netlbl_af6list *tmp6;
155 #endif /* IPv6 */
156
157 iface = container_of(entry, struct netlbl_unlhsh_iface, rcu);
158
159 /* no need for locks here since we are the only one with access to this
160 * structure */
161
162 netlbl_af4list_foreach_safe(iter4, tmp4, &iface->addr4_list) {
163 netlbl_af4list_remove_entry(iter4);
164 kfree(netlbl_unlhsh_addr4_entry(iter4));
165 }
166 #if IS_ENABLED(CONFIG_IPV6)
167 netlbl_af6list_foreach_safe(iter6, tmp6, &iface->addr6_list) {
168 netlbl_af6list_remove_entry(iter6);
169 kfree(netlbl_unlhsh_addr6_entry(iter6));
170 }
171 #endif /* IPv6 */
172 kfree(iface);
173 }
174
175 /**
176 * netlbl_unlhsh_hash - Hashing function for the hash table
177 * @ifindex: the network interface/device to hash
178 *
179 * Description:
180 * This is the hashing function for the unlabeled hash table, it returns the
181 * bucket number for the given device/interface. The caller is responsible for
182 * ensuring that the hash table is protected with either a RCU read lock or
183 * the hash table lock.
184 *
185 */
netlbl_unlhsh_hash(int ifindex)186 static u32 netlbl_unlhsh_hash(int ifindex)
187 {
188 return ifindex & (netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->size - 1);
189 }
190
191 /**
192 * netlbl_unlhsh_search_iface - Search for a matching interface entry
193 * @ifindex: the network interface
194 *
195 * Description:
196 * Searches the unlabeled connection hash table and returns a pointer to the
197 * interface entry which matches @ifindex, otherwise NULL is returned. The
198 * caller is responsible for ensuring that the hash table is protected with
199 * either a RCU read lock or the hash table lock.
200 *
201 */
netlbl_unlhsh_search_iface(int ifindex)202 static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex)
203 {
204 u32 bkt;
205 struct list_head *bkt_list;
206 struct netlbl_unlhsh_iface *iter;
207
208 bkt = netlbl_unlhsh_hash(ifindex);
209 bkt_list = &netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->tbl[bkt];
210 list_for_each_entry_rcu(iter, bkt_list, list,
211 lockdep_is_held(&netlbl_unlhsh_lock))
212 if (iter->valid && iter->ifindex == ifindex)
213 return iter;
214
215 return NULL;
216 }
217
218 /**
219 * netlbl_unlhsh_add_addr4 - Add a new IPv4 address entry to the hash table
220 * @iface: the associated interface entry
221 * @addr: IPv4 address in network byte order
222 * @mask: IPv4 address mask in network byte order
223 * @secid: LSM secid value for entry
224 *
225 * Description:
226 * Add a new address entry into the unlabeled connection hash table using the
227 * interface entry specified by @iface. On success zero is returned, otherwise
228 * a negative value is returned.
229 *
230 */
netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface * iface,const struct in_addr * addr,const struct in_addr * mask,u32 secid)231 static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
232 const struct in_addr *addr,
233 const struct in_addr *mask,
234 u32 secid)
235 {
236 int ret_val;
237 struct netlbl_unlhsh_addr4 *entry;
238
239 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
240 if (entry == NULL)
241 return -ENOMEM;
242
243 entry->list.addr = addr->s_addr & mask->s_addr;
244 entry->list.mask = mask->s_addr;
245 entry->list.valid = 1;
246 entry->secid = secid;
247
248 spin_lock(&netlbl_unlhsh_lock);
249 ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list);
250 spin_unlock(&netlbl_unlhsh_lock);
251
252 if (ret_val != 0)
253 kfree(entry);
254 return ret_val;
255 }
256
257 #if IS_ENABLED(CONFIG_IPV6)
258 /**
259 * netlbl_unlhsh_add_addr6 - Add a new IPv6 address entry to the hash table
260 * @iface: the associated interface entry
261 * @addr: IPv6 address in network byte order
262 * @mask: IPv6 address mask in network byte order
263 * @secid: LSM secid value for entry
264 *
265 * Description:
266 * Add a new address entry into the unlabeled connection hash table using the
267 * interface entry specified by @iface. On success zero is returned, otherwise
268 * a negative value is returned.
269 *
270 */
netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface * iface,const struct in6_addr * addr,const struct in6_addr * mask,u32 secid)271 static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
272 const struct in6_addr *addr,
273 const struct in6_addr *mask,
274 u32 secid)
275 {
276 int ret_val;
277 struct netlbl_unlhsh_addr6 *entry;
278
279 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
280 if (entry == NULL)
281 return -ENOMEM;
282
283 entry->list.addr = *addr;
284 entry->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
285 entry->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
286 entry->list.addr.s6_addr32[2] &= mask->s6_addr32[2];
287 entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
288 entry->list.mask = *mask;
289 entry->list.valid = 1;
290 entry->secid = secid;
291
292 spin_lock(&netlbl_unlhsh_lock);
293 ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list);
294 spin_unlock(&netlbl_unlhsh_lock);
295
296 if (ret_val != 0)
297 kfree(entry);
298 return 0;
299 }
300 #endif /* IPv6 */
301
302 /**
303 * netlbl_unlhsh_add_iface - Adds a new interface entry to the hash table
304 * @ifindex: network interface
305 *
306 * Description:
307 * Add a new, empty, interface entry into the unlabeled connection hash table.
308 * On success a pointer to the new interface entry is returned, on failure NULL
309 * is returned.
310 *
311 */
netlbl_unlhsh_add_iface(int ifindex)312 static struct netlbl_unlhsh_iface *netlbl_unlhsh_add_iface(int ifindex)
313 {
314 u32 bkt;
315 struct netlbl_unlhsh_iface *iface;
316
317 iface = kzalloc(sizeof(*iface), GFP_ATOMIC);
318 if (iface == NULL)
319 return NULL;
320
321 iface->ifindex = ifindex;
322 INIT_LIST_HEAD(&iface->addr4_list);
323 INIT_LIST_HEAD(&iface->addr6_list);
324 iface->valid = 1;
325
326 spin_lock(&netlbl_unlhsh_lock);
327 if (ifindex > 0) {
328 bkt = netlbl_unlhsh_hash(ifindex);
329 if (netlbl_unlhsh_search_iface(ifindex) != NULL)
330 goto add_iface_failure;
331 list_add_tail_rcu(&iface->list,
332 &netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->tbl[bkt]);
333 } else {
334 INIT_LIST_HEAD(&iface->list);
335 if (netlbl_unlhsh_rcu_deref(netlbl_unlhsh_def) != NULL)
336 goto add_iface_failure;
337 rcu_assign_pointer(netlbl_unlhsh_def, iface);
338 }
339 spin_unlock(&netlbl_unlhsh_lock);
340
341 return iface;
342
343 add_iface_failure:
344 spin_unlock(&netlbl_unlhsh_lock);
345 kfree(iface);
346 return NULL;
347 }
348
349 /**
350 * netlbl_unlhsh_add - Adds a new entry to the unlabeled connection hash table
351 * @net: network namespace
352 * @dev_name: interface name
353 * @addr: IP address in network byte order
354 * @mask: address mask in network byte order
355 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
356 * @secid: LSM secid value for the entry
357 * @audit_info: NetLabel audit information
358 *
359 * Description:
360 * Adds a new entry to the unlabeled connection hash table. Returns zero on
361 * success, negative values on failure.
362 *
363 */
netlbl_unlhsh_add(struct net * net,const char * dev_name,const void * addr,const void * mask,u32 addr_len,u32 secid,struct netlbl_audit * audit_info)364 int netlbl_unlhsh_add(struct net *net,
365 const char *dev_name,
366 const void *addr,
367 const void *mask,
368 u32 addr_len,
369 u32 secid,
370 struct netlbl_audit *audit_info)
371 {
372 int ret_val;
373 int ifindex;
374 struct net_device *dev;
375 struct netlbl_unlhsh_iface *iface;
376 struct audit_buffer *audit_buf = NULL;
377 char *secctx = NULL;
378 u32 secctx_len;
379
380 if (addr_len != sizeof(struct in_addr) &&
381 addr_len != sizeof(struct in6_addr))
382 return -EINVAL;
383
384 rcu_read_lock();
385 if (dev_name != NULL) {
386 dev = dev_get_by_name_rcu(net, dev_name);
387 if (dev == NULL) {
388 ret_val = -ENODEV;
389 goto unlhsh_add_return;
390 }
391 ifindex = dev->ifindex;
392 iface = netlbl_unlhsh_search_iface(ifindex);
393 } else {
394 ifindex = 0;
395 iface = rcu_dereference(netlbl_unlhsh_def);
396 }
397 if (iface == NULL) {
398 iface = netlbl_unlhsh_add_iface(ifindex);
399 if (iface == NULL) {
400 ret_val = -ENOMEM;
401 goto unlhsh_add_return;
402 }
403 }
404 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
405 audit_info);
406 switch (addr_len) {
407 case sizeof(struct in_addr): {
408 const struct in_addr *addr4 = addr;
409 const struct in_addr *mask4 = mask;
410
411 ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
412 if (audit_buf != NULL)
413 netlbl_af4list_audit_addr(audit_buf, 1,
414 dev_name,
415 addr4->s_addr,
416 mask4->s_addr);
417 break;
418 }
419 #if IS_ENABLED(CONFIG_IPV6)
420 case sizeof(struct in6_addr): {
421 const struct in6_addr *addr6 = addr;
422 const struct in6_addr *mask6 = mask;
423
424 ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
425 if (audit_buf != NULL)
426 netlbl_af6list_audit_addr(audit_buf, 1,
427 dev_name,
428 addr6, mask6);
429 break;
430 }
431 #endif /* IPv6 */
432 default:
433 ret_val = -EINVAL;
434 }
435 if (ret_val == 0)
436 atomic_inc(&netlabel_mgmt_protocount);
437
438 unlhsh_add_return:
439 rcu_read_unlock();
440 if (audit_buf != NULL) {
441 if (security_secid_to_secctx(secid,
442 &secctx,
443 &secctx_len) == 0) {
444 audit_log_format(audit_buf, " sec_obj=%s", secctx);
445 security_release_secctx(secctx, secctx_len);
446 }
447 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
448 audit_log_end(audit_buf);
449 }
450 return ret_val;
451 }
452
453 /**
454 * netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry
455 * @net: network namespace
456 * @iface: interface entry
457 * @addr: IP address
458 * @mask: IP address mask
459 * @audit_info: NetLabel audit information
460 *
461 * Description:
462 * Remove an IP address entry from the unlabeled connection hash table.
463 * Returns zero on success, negative values on failure.
464 *
465 */
netlbl_unlhsh_remove_addr4(struct net * net,struct netlbl_unlhsh_iface * iface,const struct in_addr * addr,const struct in_addr * mask,struct netlbl_audit * audit_info)466 static int netlbl_unlhsh_remove_addr4(struct net *net,
467 struct netlbl_unlhsh_iface *iface,
468 const struct in_addr *addr,
469 const struct in_addr *mask,
470 struct netlbl_audit *audit_info)
471 {
472 struct netlbl_af4list *list_entry;
473 struct netlbl_unlhsh_addr4 *entry;
474 struct audit_buffer *audit_buf;
475 struct net_device *dev;
476 char *secctx;
477 u32 secctx_len;
478
479 spin_lock(&netlbl_unlhsh_lock);
480 list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
481 &iface->addr4_list);
482 spin_unlock(&netlbl_unlhsh_lock);
483 if (list_entry != NULL)
484 entry = netlbl_unlhsh_addr4_entry(list_entry);
485 else
486 entry = NULL;
487
488 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
489 audit_info);
490 if (audit_buf != NULL) {
491 dev = dev_get_by_index(net, iface->ifindex);
492 netlbl_af4list_audit_addr(audit_buf, 1,
493 (dev != NULL ? dev->name : NULL),
494 addr->s_addr, mask->s_addr);
495 dev_put(dev);
496 if (entry != NULL &&
497 security_secid_to_secctx(entry->secid,
498 &secctx, &secctx_len) == 0) {
499 audit_log_format(audit_buf, " sec_obj=%s", secctx);
500 security_release_secctx(secctx, secctx_len);
501 }
502 audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
503 audit_log_end(audit_buf);
504 }
505
506 if (entry == NULL)
507 return -ENOENT;
508
509 kfree_rcu(entry, rcu);
510 return 0;
511 }
512
513 #if IS_ENABLED(CONFIG_IPV6)
514 /**
515 * netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry
516 * @net: network namespace
517 * @iface: interface entry
518 * @addr: IP address
519 * @mask: IP address mask
520 * @audit_info: NetLabel audit information
521 *
522 * Description:
523 * Remove an IP address entry from the unlabeled connection hash table.
524 * Returns zero on success, negative values on failure.
525 *
526 */
netlbl_unlhsh_remove_addr6(struct net * net,struct netlbl_unlhsh_iface * iface,const struct in6_addr * addr,const struct in6_addr * mask,struct netlbl_audit * audit_info)527 static int netlbl_unlhsh_remove_addr6(struct net *net,
528 struct netlbl_unlhsh_iface *iface,
529 const struct in6_addr *addr,
530 const struct in6_addr *mask,
531 struct netlbl_audit *audit_info)
532 {
533 struct netlbl_af6list *list_entry;
534 struct netlbl_unlhsh_addr6 *entry;
535 struct audit_buffer *audit_buf;
536 struct net_device *dev;
537 char *secctx;
538 u32 secctx_len;
539
540 spin_lock(&netlbl_unlhsh_lock);
541 list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list);
542 spin_unlock(&netlbl_unlhsh_lock);
543 if (list_entry != NULL)
544 entry = netlbl_unlhsh_addr6_entry(list_entry);
545 else
546 entry = NULL;
547
548 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
549 audit_info);
550 if (audit_buf != NULL) {
551 dev = dev_get_by_index(net, iface->ifindex);
552 netlbl_af6list_audit_addr(audit_buf, 1,
553 (dev != NULL ? dev->name : NULL),
554 addr, mask);
555 dev_put(dev);
556 if (entry != NULL &&
557 security_secid_to_secctx(entry->secid,
558 &secctx, &secctx_len) == 0) {
559 audit_log_format(audit_buf, " sec_obj=%s", secctx);
560 security_release_secctx(secctx, secctx_len);
561 }
562 audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
563 audit_log_end(audit_buf);
564 }
565
566 if (entry == NULL)
567 return -ENOENT;
568
569 kfree_rcu(entry, rcu);
570 return 0;
571 }
572 #endif /* IPv6 */
573
574 /**
575 * netlbl_unlhsh_condremove_iface - Remove an interface entry
576 * @iface: the interface entry
577 *
578 * Description:
579 * Remove an interface entry from the unlabeled connection hash table if it is
580 * empty. An interface entry is considered to be empty if there are no
581 * address entries assigned to it.
582 *
583 */
netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface * iface)584 static void netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface *iface)
585 {
586 struct netlbl_af4list *iter4;
587 #if IS_ENABLED(CONFIG_IPV6)
588 struct netlbl_af6list *iter6;
589 #endif /* IPv6 */
590
591 spin_lock(&netlbl_unlhsh_lock);
592 netlbl_af4list_foreach_rcu(iter4, &iface->addr4_list)
593 goto unlhsh_condremove_failure;
594 #if IS_ENABLED(CONFIG_IPV6)
595 netlbl_af6list_foreach_rcu(iter6, &iface->addr6_list)
596 goto unlhsh_condremove_failure;
597 #endif /* IPv6 */
598 iface->valid = 0;
599 if (iface->ifindex > 0)
600 list_del_rcu(&iface->list);
601 else
602 RCU_INIT_POINTER(netlbl_unlhsh_def, NULL);
603 spin_unlock(&netlbl_unlhsh_lock);
604
605 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
606 return;
607
608 unlhsh_condremove_failure:
609 spin_unlock(&netlbl_unlhsh_lock);
610 }
611
612 /**
613 * netlbl_unlhsh_remove - Remove an entry from the unlabeled hash table
614 * @net: network namespace
615 * @dev_name: interface name
616 * @addr: IP address in network byte order
617 * @mask: address mask in network byte order
618 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
619 * @audit_info: NetLabel audit information
620 *
621 * Description:
622 * Removes and existing entry from the unlabeled connection hash table.
623 * Returns zero on success, negative values on failure.
624 *
625 */
netlbl_unlhsh_remove(struct net * net,const char * dev_name,const void * addr,const void * mask,u32 addr_len,struct netlbl_audit * audit_info)626 int netlbl_unlhsh_remove(struct net *net,
627 const char *dev_name,
628 const void *addr,
629 const void *mask,
630 u32 addr_len,
631 struct netlbl_audit *audit_info)
632 {
633 int ret_val;
634 struct net_device *dev;
635 struct netlbl_unlhsh_iface *iface;
636
637 if (addr_len != sizeof(struct in_addr) &&
638 addr_len != sizeof(struct in6_addr))
639 return -EINVAL;
640
641 rcu_read_lock();
642 if (dev_name != NULL) {
643 dev = dev_get_by_name_rcu(net, dev_name);
644 if (dev == NULL) {
645 ret_val = -ENODEV;
646 goto unlhsh_remove_return;
647 }
648 iface = netlbl_unlhsh_search_iface(dev->ifindex);
649 } else
650 iface = rcu_dereference(netlbl_unlhsh_def);
651 if (iface == NULL) {
652 ret_val = -ENOENT;
653 goto unlhsh_remove_return;
654 }
655 switch (addr_len) {
656 case sizeof(struct in_addr):
657 ret_val = netlbl_unlhsh_remove_addr4(net,
658 iface, addr, mask,
659 audit_info);
660 break;
661 #if IS_ENABLED(CONFIG_IPV6)
662 case sizeof(struct in6_addr):
663 ret_val = netlbl_unlhsh_remove_addr6(net,
664 iface, addr, mask,
665 audit_info);
666 break;
667 #endif /* IPv6 */
668 default:
669 ret_val = -EINVAL;
670 }
671 if (ret_val == 0) {
672 netlbl_unlhsh_condremove_iface(iface);
673 atomic_dec(&netlabel_mgmt_protocount);
674 }
675
676 unlhsh_remove_return:
677 rcu_read_unlock();
678 return ret_val;
679 }
680
681 /*
682 * General Helper Functions
683 */
684
685 /**
686 * netlbl_unlhsh_netdev_handler - Network device notification handler
687 * @this: notifier block
688 * @event: the event
689 * @ptr: the netdevice notifier info (cast to void)
690 *
691 * Description:
692 * Handle network device events, although at present all we care about is a
693 * network device going away. In the case of a device going away we clear any
694 * related entries from the unlabeled connection hash table.
695 *
696 */
netlbl_unlhsh_netdev_handler(struct notifier_block * this,unsigned long event,void * ptr)697 static int netlbl_unlhsh_netdev_handler(struct notifier_block *this,
698 unsigned long event, void *ptr)
699 {
700 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
701 struct netlbl_unlhsh_iface *iface = NULL;
702
703 if (!net_eq(dev_net(dev), &init_net))
704 return NOTIFY_DONE;
705
706 /* XXX - should this be a check for NETDEV_DOWN or _UNREGISTER? */
707 if (event == NETDEV_DOWN) {
708 spin_lock(&netlbl_unlhsh_lock);
709 iface = netlbl_unlhsh_search_iface(dev->ifindex);
710 if (iface != NULL && iface->valid) {
711 iface->valid = 0;
712 list_del_rcu(&iface->list);
713 } else
714 iface = NULL;
715 spin_unlock(&netlbl_unlhsh_lock);
716 }
717
718 if (iface != NULL)
719 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
720
721 return NOTIFY_DONE;
722 }
723
724 /**
725 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
726 * @value: desired value
727 * @audit_info: NetLabel audit information
728 *
729 * Description:
730 * Set the value of the unlabeled accept flag to @value.
731 *
732 */
netlbl_unlabel_acceptflg_set(u8 value,struct netlbl_audit * audit_info)733 static void netlbl_unlabel_acceptflg_set(u8 value,
734 struct netlbl_audit *audit_info)
735 {
736 struct audit_buffer *audit_buf;
737 u8 old_val;
738
739 old_val = netlabel_unlabel_acceptflg;
740 netlabel_unlabel_acceptflg = value;
741 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
742 audit_info);
743 if (audit_buf != NULL) {
744 audit_log_format(audit_buf,
745 " unlbl_accept=%u old=%u", value, old_val);
746 audit_log_end(audit_buf);
747 }
748 }
749
750 /**
751 * netlbl_unlabel_addrinfo_get - Get the IPv4/6 address information
752 * @info: the Generic NETLINK info block
753 * @addr: the IP address
754 * @mask: the IP address mask
755 * @len: the address length
756 *
757 * Description:
758 * Examine the Generic NETLINK message and extract the IP address information.
759 * Returns zero on success, negative values on failure.
760 *
761 */
netlbl_unlabel_addrinfo_get(struct genl_info * info,void ** addr,void ** mask,u32 * len)762 static int netlbl_unlabel_addrinfo_get(struct genl_info *info,
763 void **addr,
764 void **mask,
765 u32 *len)
766 {
767 u32 addr_len;
768
769 if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
770 info->attrs[NLBL_UNLABEL_A_IPV4MASK]) {
771 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
772 if (addr_len != sizeof(struct in_addr) &&
773 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK]))
774 return -EINVAL;
775 *len = addr_len;
776 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
777 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4MASK]);
778 return 0;
779 } else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR]) {
780 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
781 if (addr_len != sizeof(struct in6_addr) &&
782 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV6MASK]))
783 return -EINVAL;
784 *len = addr_len;
785 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
786 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6MASK]);
787 return 0;
788 }
789
790 return -EINVAL;
791 }
792
793 /*
794 * NetLabel Command Handlers
795 */
796
797 /**
798 * netlbl_unlabel_accept - Handle an ACCEPT message
799 * @skb: the NETLINK buffer
800 * @info: the Generic NETLINK info block
801 *
802 * Description:
803 * Process a user generated ACCEPT message and set the accept flag accordingly.
804 * Returns zero on success, negative values on failure.
805 *
806 */
netlbl_unlabel_accept(struct sk_buff * skb,struct genl_info * info)807 static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
808 {
809 u8 value;
810 struct netlbl_audit audit_info;
811
812 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
813 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
814 if (value == 1 || value == 0) {
815 netlbl_netlink_auditinfo(&audit_info);
816 netlbl_unlabel_acceptflg_set(value, &audit_info);
817 return 0;
818 }
819 }
820
821 return -EINVAL;
822 }
823
824 /**
825 * netlbl_unlabel_list - Handle a LIST message
826 * @skb: the NETLINK buffer
827 * @info: the Generic NETLINK info block
828 *
829 * Description:
830 * Process a user generated LIST message and respond with the current status.
831 * Returns zero on success, negative values on failure.
832 *
833 */
netlbl_unlabel_list(struct sk_buff * skb,struct genl_info * info)834 static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
835 {
836 int ret_val = -EINVAL;
837 struct sk_buff *ans_skb;
838 void *data;
839
840 ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
841 if (ans_skb == NULL)
842 goto list_failure;
843 data = genlmsg_put_reply(ans_skb, info, &netlbl_unlabel_gnl_family,
844 0, NLBL_UNLABEL_C_LIST);
845 if (data == NULL) {
846 ret_val = -ENOMEM;
847 goto list_failure;
848 }
849
850 ret_val = nla_put_u8(ans_skb,
851 NLBL_UNLABEL_A_ACPTFLG,
852 netlabel_unlabel_acceptflg);
853 if (ret_val != 0)
854 goto list_failure;
855
856 genlmsg_end(ans_skb, data);
857 return genlmsg_reply(ans_skb, info);
858
859 list_failure:
860 kfree_skb(ans_skb);
861 return ret_val;
862 }
863
864 /**
865 * netlbl_unlabel_staticadd - Handle a STATICADD message
866 * @skb: the NETLINK buffer
867 * @info: the Generic NETLINK info block
868 *
869 * Description:
870 * Process a user generated STATICADD message and add a new unlabeled
871 * connection entry to the hash table. Returns zero on success, negative
872 * values on failure.
873 *
874 */
netlbl_unlabel_staticadd(struct sk_buff * skb,struct genl_info * info)875 static int netlbl_unlabel_staticadd(struct sk_buff *skb,
876 struct genl_info *info)
877 {
878 int ret_val;
879 char *dev_name;
880 void *addr;
881 void *mask;
882 u32 addr_len;
883 u32 secid;
884 struct netlbl_audit audit_info;
885
886 /* Don't allow users to add both IPv4 and IPv6 addresses for a
887 * single entry. However, allow users to create two entries, one each
888 * for IPv4 and IPv6, with the same LSM security context which should
889 * achieve the same result. */
890 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
891 !info->attrs[NLBL_UNLABEL_A_IFACE] ||
892 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
893 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
894 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
895 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
896 return -EINVAL;
897
898 netlbl_netlink_auditinfo(&audit_info);
899
900 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
901 if (ret_val != 0)
902 return ret_val;
903 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
904 ret_val = security_secctx_to_secid(
905 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
906 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
907 &secid);
908 if (ret_val != 0)
909 return ret_val;
910
911 return netlbl_unlhsh_add(&init_net,
912 dev_name, addr, mask, addr_len, secid,
913 &audit_info);
914 }
915
916 /**
917 * netlbl_unlabel_staticadddef - Handle a STATICADDDEF message
918 * @skb: the NETLINK buffer
919 * @info: the Generic NETLINK info block
920 *
921 * Description:
922 * Process a user generated STATICADDDEF message and add a new default
923 * unlabeled connection entry. Returns zero on success, negative values on
924 * failure.
925 *
926 */
netlbl_unlabel_staticadddef(struct sk_buff * skb,struct genl_info * info)927 static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
928 struct genl_info *info)
929 {
930 int ret_val;
931 void *addr;
932 void *mask;
933 u32 addr_len;
934 u32 secid;
935 struct netlbl_audit audit_info;
936
937 /* Don't allow users to add both IPv4 and IPv6 addresses for a
938 * single entry. However, allow users to create two entries, one each
939 * for IPv4 and IPv6, with the same LSM security context which should
940 * achieve the same result. */
941 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
942 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
943 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
944 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
945 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
946 return -EINVAL;
947
948 netlbl_netlink_auditinfo(&audit_info);
949
950 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
951 if (ret_val != 0)
952 return ret_val;
953 ret_val = security_secctx_to_secid(
954 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
955 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
956 &secid);
957 if (ret_val != 0)
958 return ret_val;
959
960 return netlbl_unlhsh_add(&init_net,
961 NULL, addr, mask, addr_len, secid,
962 &audit_info);
963 }
964
965 /**
966 * netlbl_unlabel_staticremove - Handle a STATICREMOVE message
967 * @skb: the NETLINK buffer
968 * @info: the Generic NETLINK info block
969 *
970 * Description:
971 * Process a user generated STATICREMOVE message and remove the specified
972 * unlabeled connection entry. Returns zero on success, negative values on
973 * failure.
974 *
975 */
netlbl_unlabel_staticremove(struct sk_buff * skb,struct genl_info * info)976 static int netlbl_unlabel_staticremove(struct sk_buff *skb,
977 struct genl_info *info)
978 {
979 int ret_val;
980 char *dev_name;
981 void *addr;
982 void *mask;
983 u32 addr_len;
984 struct netlbl_audit audit_info;
985
986 /* See the note in netlbl_unlabel_staticadd() about not allowing both
987 * IPv4 and IPv6 in the same entry. */
988 if (!info->attrs[NLBL_UNLABEL_A_IFACE] ||
989 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
990 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
991 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
992 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
993 return -EINVAL;
994
995 netlbl_netlink_auditinfo(&audit_info);
996
997 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
998 if (ret_val != 0)
999 return ret_val;
1000 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
1001
1002 return netlbl_unlhsh_remove(&init_net,
1003 dev_name, addr, mask, addr_len,
1004 &audit_info);
1005 }
1006
1007 /**
1008 * netlbl_unlabel_staticremovedef - Handle a STATICREMOVEDEF message
1009 * @skb: the NETLINK buffer
1010 * @info: the Generic NETLINK info block
1011 *
1012 * Description:
1013 * Process a user generated STATICREMOVEDEF message and remove the default
1014 * unlabeled connection entry. Returns zero on success, negative values on
1015 * failure.
1016 *
1017 */
netlbl_unlabel_staticremovedef(struct sk_buff * skb,struct genl_info * info)1018 static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
1019 struct genl_info *info)
1020 {
1021 int ret_val;
1022 void *addr;
1023 void *mask;
1024 u32 addr_len;
1025 struct netlbl_audit audit_info;
1026
1027 /* See the note in netlbl_unlabel_staticadd() about not allowing both
1028 * IPv4 and IPv6 in the same entry. */
1029 if (!((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1030 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1031 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1032 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1033 return -EINVAL;
1034
1035 netlbl_netlink_auditinfo(&audit_info);
1036
1037 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1038 if (ret_val != 0)
1039 return ret_val;
1040
1041 return netlbl_unlhsh_remove(&init_net,
1042 NULL, addr, mask, addr_len,
1043 &audit_info);
1044 }
1045
1046
1047 /**
1048 * netlbl_unlabel_staticlist_gen - Generate messages for STATICLIST[DEF]
1049 * @cmd: command/message
1050 * @iface: the interface entry
1051 * @addr4: the IPv4 address entry
1052 * @addr6: the IPv6 address entry
1053 * @arg: the netlbl_unlhsh_walk_arg structure
1054 *
1055 * Description:
1056 * This function is designed to be used to generate a response for a
1057 * STATICLIST or STATICLISTDEF message. When called either @addr4 or @addr6
1058 * can be specified, not both, the other unspecified entry should be set to
1059 * NULL by the caller. Returns the size of the message on success, negative
1060 * values on failure.
1061 *
1062 */
netlbl_unlabel_staticlist_gen(u32 cmd,const struct netlbl_unlhsh_iface * iface,const struct netlbl_unlhsh_addr4 * addr4,const struct netlbl_unlhsh_addr6 * addr6,void * arg)1063 static int netlbl_unlabel_staticlist_gen(u32 cmd,
1064 const struct netlbl_unlhsh_iface *iface,
1065 const struct netlbl_unlhsh_addr4 *addr4,
1066 const struct netlbl_unlhsh_addr6 *addr6,
1067 void *arg)
1068 {
1069 int ret_val = -ENOMEM;
1070 struct netlbl_unlhsh_walk_arg *cb_arg = arg;
1071 struct net_device *dev;
1072 void *data;
1073 u32 secid;
1074 char *secctx;
1075 u32 secctx_len;
1076
1077 data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
1078 cb_arg->seq, &netlbl_unlabel_gnl_family,
1079 NLM_F_MULTI, cmd);
1080 if (data == NULL)
1081 goto list_cb_failure;
1082
1083 if (iface->ifindex > 0) {
1084 dev = dev_get_by_index(&init_net, iface->ifindex);
1085 if (!dev) {
1086 ret_val = -ENODEV;
1087 goto list_cb_failure;
1088 }
1089 ret_val = nla_put_string(cb_arg->skb,
1090 NLBL_UNLABEL_A_IFACE, dev->name);
1091 dev_put(dev);
1092 if (ret_val != 0)
1093 goto list_cb_failure;
1094 }
1095
1096 if (addr4) {
1097 struct in_addr addr_struct;
1098
1099 addr_struct.s_addr = addr4->list.addr;
1100 ret_val = nla_put_in_addr(cb_arg->skb,
1101 NLBL_UNLABEL_A_IPV4ADDR,
1102 addr_struct.s_addr);
1103 if (ret_val != 0)
1104 goto list_cb_failure;
1105
1106 addr_struct.s_addr = addr4->list.mask;
1107 ret_val = nla_put_in_addr(cb_arg->skb,
1108 NLBL_UNLABEL_A_IPV4MASK,
1109 addr_struct.s_addr);
1110 if (ret_val != 0)
1111 goto list_cb_failure;
1112
1113 secid = addr4->secid;
1114 } else {
1115 ret_val = nla_put_in6_addr(cb_arg->skb,
1116 NLBL_UNLABEL_A_IPV6ADDR,
1117 &addr6->list.addr);
1118 if (ret_val != 0)
1119 goto list_cb_failure;
1120
1121 ret_val = nla_put_in6_addr(cb_arg->skb,
1122 NLBL_UNLABEL_A_IPV6MASK,
1123 &addr6->list.mask);
1124 if (ret_val != 0)
1125 goto list_cb_failure;
1126
1127 secid = addr6->secid;
1128 }
1129
1130 ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
1131 if (ret_val != 0)
1132 goto list_cb_failure;
1133 ret_val = nla_put(cb_arg->skb,
1134 NLBL_UNLABEL_A_SECCTX,
1135 secctx_len,
1136 secctx);
1137 security_release_secctx(secctx, secctx_len);
1138 if (ret_val != 0)
1139 goto list_cb_failure;
1140
1141 cb_arg->seq++;
1142 genlmsg_end(cb_arg->skb, data);
1143 return 0;
1144
1145 list_cb_failure:
1146 genlmsg_cancel(cb_arg->skb, data);
1147 return ret_val;
1148 }
1149
1150 /**
1151 * netlbl_unlabel_staticlist - Handle a STATICLIST message
1152 * @skb: the NETLINK buffer
1153 * @cb: the NETLINK callback
1154 *
1155 * Description:
1156 * Process a user generated STATICLIST message and dump the unlabeled
1157 * connection hash table in a form suitable for use in a kernel generated
1158 * STATICLIST message. Returns the length of @skb.
1159 *
1160 */
netlbl_unlabel_staticlist(struct sk_buff * skb,struct netlink_callback * cb)1161 static int netlbl_unlabel_staticlist(struct sk_buff *skb,
1162 struct netlink_callback *cb)
1163 {
1164 struct netlbl_unlhsh_walk_arg cb_arg;
1165 u32 skip_bkt = cb->args[0];
1166 u32 skip_chain = cb->args[1];
1167 u32 skip_addr4 = cb->args[2];
1168 u32 iter_bkt, iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
1169 struct netlbl_unlhsh_iface *iface;
1170 struct list_head *iter_list;
1171 struct netlbl_af4list *addr4;
1172 #if IS_ENABLED(CONFIG_IPV6)
1173 u32 skip_addr6 = cb->args[3];
1174 struct netlbl_af6list *addr6;
1175 #endif
1176
1177 cb_arg.nl_cb = cb;
1178 cb_arg.skb = skb;
1179 cb_arg.seq = cb->nlh->nlmsg_seq;
1180
1181 rcu_read_lock();
1182 for (iter_bkt = skip_bkt;
1183 iter_bkt < rcu_dereference(netlbl_unlhsh)->size;
1184 iter_bkt++) {
1185 iter_list = &rcu_dereference(netlbl_unlhsh)->tbl[iter_bkt];
1186 list_for_each_entry_rcu(iface, iter_list, list) {
1187 if (!iface->valid ||
1188 iter_chain++ < skip_chain)
1189 continue;
1190 netlbl_af4list_foreach_rcu(addr4,
1191 &iface->addr4_list) {
1192 if (iter_addr4++ < skip_addr4)
1193 continue;
1194 if (netlbl_unlabel_staticlist_gen(
1195 NLBL_UNLABEL_C_STATICLIST,
1196 iface,
1197 netlbl_unlhsh_addr4_entry(addr4),
1198 NULL,
1199 &cb_arg) < 0) {
1200 iter_addr4--;
1201 iter_chain--;
1202 goto unlabel_staticlist_return;
1203 }
1204 }
1205 iter_addr4 = 0;
1206 skip_addr4 = 0;
1207 #if IS_ENABLED(CONFIG_IPV6)
1208 netlbl_af6list_foreach_rcu(addr6,
1209 &iface->addr6_list) {
1210 if (iter_addr6++ < skip_addr6)
1211 continue;
1212 if (netlbl_unlabel_staticlist_gen(
1213 NLBL_UNLABEL_C_STATICLIST,
1214 iface,
1215 NULL,
1216 netlbl_unlhsh_addr6_entry(addr6),
1217 &cb_arg) < 0) {
1218 iter_addr6--;
1219 iter_chain--;
1220 goto unlabel_staticlist_return;
1221 }
1222 }
1223 iter_addr6 = 0;
1224 skip_addr6 = 0;
1225 #endif /* IPv6 */
1226 }
1227 iter_chain = 0;
1228 skip_chain = 0;
1229 }
1230
1231 unlabel_staticlist_return:
1232 rcu_read_unlock();
1233 cb->args[0] = iter_bkt;
1234 cb->args[1] = iter_chain;
1235 cb->args[2] = iter_addr4;
1236 cb->args[3] = iter_addr6;
1237 return skb->len;
1238 }
1239
1240 /**
1241 * netlbl_unlabel_staticlistdef - Handle a STATICLISTDEF message
1242 * @skb: the NETLINK buffer
1243 * @cb: the NETLINK callback
1244 *
1245 * Description:
1246 * Process a user generated STATICLISTDEF message and dump the default
1247 * unlabeled connection entry in a form suitable for use in a kernel generated
1248 * STATICLISTDEF message. Returns the length of @skb.
1249 *
1250 */
netlbl_unlabel_staticlistdef(struct sk_buff * skb,struct netlink_callback * cb)1251 static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
1252 struct netlink_callback *cb)
1253 {
1254 struct netlbl_unlhsh_walk_arg cb_arg;
1255 struct netlbl_unlhsh_iface *iface;
1256 u32 iter_addr4 = 0, iter_addr6 = 0;
1257 struct netlbl_af4list *addr4;
1258 #if IS_ENABLED(CONFIG_IPV6)
1259 struct netlbl_af6list *addr6;
1260 #endif
1261
1262 cb_arg.nl_cb = cb;
1263 cb_arg.skb = skb;
1264 cb_arg.seq = cb->nlh->nlmsg_seq;
1265
1266 rcu_read_lock();
1267 iface = rcu_dereference(netlbl_unlhsh_def);
1268 if (iface == NULL || !iface->valid)
1269 goto unlabel_staticlistdef_return;
1270
1271 netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) {
1272 if (iter_addr4++ < cb->args[0])
1273 continue;
1274 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
1275 iface,
1276 netlbl_unlhsh_addr4_entry(addr4),
1277 NULL,
1278 &cb_arg) < 0) {
1279 iter_addr4--;
1280 goto unlabel_staticlistdef_return;
1281 }
1282 }
1283 #if IS_ENABLED(CONFIG_IPV6)
1284 netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) {
1285 if (iter_addr6++ < cb->args[1])
1286 continue;
1287 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
1288 iface,
1289 NULL,
1290 netlbl_unlhsh_addr6_entry(addr6),
1291 &cb_arg) < 0) {
1292 iter_addr6--;
1293 goto unlabel_staticlistdef_return;
1294 }
1295 }
1296 #endif /* IPv6 */
1297
1298 unlabel_staticlistdef_return:
1299 rcu_read_unlock();
1300 cb->args[0] = iter_addr4;
1301 cb->args[1] = iter_addr6;
1302 return skb->len;
1303 }
1304
1305 /*
1306 * NetLabel Generic NETLINK Command Definitions
1307 */
1308
1309 static const struct genl_small_ops netlbl_unlabel_genl_ops[] = {
1310 {
1311 .cmd = NLBL_UNLABEL_C_STATICADD,
1312 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1313 .flags = GENL_ADMIN_PERM,
1314 .doit = netlbl_unlabel_staticadd,
1315 .dumpit = NULL,
1316 },
1317 {
1318 .cmd = NLBL_UNLABEL_C_STATICREMOVE,
1319 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1320 .flags = GENL_ADMIN_PERM,
1321 .doit = netlbl_unlabel_staticremove,
1322 .dumpit = NULL,
1323 },
1324 {
1325 .cmd = NLBL_UNLABEL_C_STATICLIST,
1326 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1327 .flags = 0,
1328 .doit = NULL,
1329 .dumpit = netlbl_unlabel_staticlist,
1330 },
1331 {
1332 .cmd = NLBL_UNLABEL_C_STATICADDDEF,
1333 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1334 .flags = GENL_ADMIN_PERM,
1335 .doit = netlbl_unlabel_staticadddef,
1336 .dumpit = NULL,
1337 },
1338 {
1339 .cmd = NLBL_UNLABEL_C_STATICREMOVEDEF,
1340 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1341 .flags = GENL_ADMIN_PERM,
1342 .doit = netlbl_unlabel_staticremovedef,
1343 .dumpit = NULL,
1344 },
1345 {
1346 .cmd = NLBL_UNLABEL_C_STATICLISTDEF,
1347 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1348 .flags = 0,
1349 .doit = NULL,
1350 .dumpit = netlbl_unlabel_staticlistdef,
1351 },
1352 {
1353 .cmd = NLBL_UNLABEL_C_ACCEPT,
1354 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1355 .flags = GENL_ADMIN_PERM,
1356 .doit = netlbl_unlabel_accept,
1357 .dumpit = NULL,
1358 },
1359 {
1360 .cmd = NLBL_UNLABEL_C_LIST,
1361 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1362 .flags = 0,
1363 .doit = netlbl_unlabel_list,
1364 .dumpit = NULL,
1365 },
1366 };
1367
1368 static struct genl_family netlbl_unlabel_gnl_family __ro_after_init = {
1369 .hdrsize = 0,
1370 .name = NETLBL_NLTYPE_UNLABELED_NAME,
1371 .version = NETLBL_PROTO_VERSION,
1372 .maxattr = NLBL_UNLABEL_A_MAX,
1373 .policy = netlbl_unlabel_genl_policy,
1374 .module = THIS_MODULE,
1375 .small_ops = netlbl_unlabel_genl_ops,
1376 .n_small_ops = ARRAY_SIZE(netlbl_unlabel_genl_ops),
1377 .resv_start_op = NLBL_UNLABEL_C_STATICLISTDEF + 1,
1378 };
1379
1380 /*
1381 * NetLabel Generic NETLINK Protocol Functions
1382 */
1383
1384 /**
1385 * netlbl_unlabel_genl_init - Register the Unlabeled NetLabel component
1386 *
1387 * Description:
1388 * Register the unlabeled packet NetLabel component with the Generic NETLINK
1389 * mechanism. Returns zero on success, negative values on failure.
1390 *
1391 */
netlbl_unlabel_genl_init(void)1392 int __init netlbl_unlabel_genl_init(void)
1393 {
1394 return genl_register_family(&netlbl_unlabel_gnl_family);
1395 }
1396
1397 /*
1398 * NetLabel KAPI Hooks
1399 */
1400
1401 static struct notifier_block netlbl_unlhsh_netdev_notifier = {
1402 .notifier_call = netlbl_unlhsh_netdev_handler,
1403 };
1404
1405 /**
1406 * netlbl_unlabel_init - Initialize the unlabeled connection hash table
1407 * @size: the number of bits to use for the hash buckets
1408 *
1409 * Description:
1410 * Initializes the unlabeled connection hash table and registers a network
1411 * device notification handler. This function should only be called by the
1412 * NetLabel subsystem itself during initialization. Returns zero on success,
1413 * non-zero values on error.
1414 *
1415 */
netlbl_unlabel_init(u32 size)1416 int __init netlbl_unlabel_init(u32 size)
1417 {
1418 u32 iter;
1419 struct netlbl_unlhsh_tbl *hsh_tbl;
1420
1421 if (size == 0)
1422 return -EINVAL;
1423
1424 hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL);
1425 if (hsh_tbl == NULL)
1426 return -ENOMEM;
1427 hsh_tbl->size = 1 << size;
1428 hsh_tbl->tbl = kcalloc(hsh_tbl->size,
1429 sizeof(struct list_head),
1430 GFP_KERNEL);
1431 if (hsh_tbl->tbl == NULL) {
1432 kfree(hsh_tbl);
1433 return -ENOMEM;
1434 }
1435 for (iter = 0; iter < hsh_tbl->size; iter++)
1436 INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);
1437
1438 spin_lock(&netlbl_unlhsh_lock);
1439 rcu_assign_pointer(netlbl_unlhsh, hsh_tbl);
1440 spin_unlock(&netlbl_unlhsh_lock);
1441
1442 register_netdevice_notifier(&netlbl_unlhsh_netdev_notifier);
1443
1444 return 0;
1445 }
1446
1447 /**
1448 * netlbl_unlabel_getattr - Get the security attributes for an unlabled packet
1449 * @skb: the packet
1450 * @family: protocol family
1451 * @secattr: the security attributes
1452 *
1453 * Description:
1454 * Determine the security attributes, if any, for an unlabled packet and return
1455 * them in @secattr. Returns zero on success and negative values on failure.
1456 *
1457 */
netlbl_unlabel_getattr(const struct sk_buff * skb,u16 family,struct netlbl_lsm_secattr * secattr)1458 int netlbl_unlabel_getattr(const struct sk_buff *skb,
1459 u16 family,
1460 struct netlbl_lsm_secattr *secattr)
1461 {
1462 struct netlbl_unlhsh_iface *iface;
1463
1464 rcu_read_lock();
1465 iface = netlbl_unlhsh_search_iface(skb->skb_iif);
1466 if (iface == NULL)
1467 iface = rcu_dereference(netlbl_unlhsh_def);
1468 if (iface == NULL || !iface->valid)
1469 goto unlabel_getattr_nolabel;
1470
1471 #if IS_ENABLED(CONFIG_IPV6)
1472 /* When resolving a fallback label, check the sk_buff version as
1473 * it is possible (e.g. SCTP) to have family = PF_INET6 while
1474 * receiving ip_hdr(skb)->version = 4.
1475 */
1476 if (family == PF_INET6 && ip_hdr(skb)->version == 4)
1477 family = PF_INET;
1478 #endif /* IPv6 */
1479
1480 switch (family) {
1481 case PF_INET: {
1482 struct iphdr *hdr4;
1483 struct netlbl_af4list *addr4;
1484
1485 hdr4 = ip_hdr(skb);
1486 addr4 = netlbl_af4list_search(hdr4->saddr,
1487 &iface->addr4_list);
1488 if (addr4 == NULL)
1489 goto unlabel_getattr_nolabel;
1490 secattr->attr.secid = netlbl_unlhsh_addr4_entry(addr4)->secid;
1491 break;
1492 }
1493 #if IS_ENABLED(CONFIG_IPV6)
1494 case PF_INET6: {
1495 struct ipv6hdr *hdr6;
1496 struct netlbl_af6list *addr6;
1497
1498 hdr6 = ipv6_hdr(skb);
1499 addr6 = netlbl_af6list_search(&hdr6->saddr,
1500 &iface->addr6_list);
1501 if (addr6 == NULL)
1502 goto unlabel_getattr_nolabel;
1503 secattr->attr.secid = netlbl_unlhsh_addr6_entry(addr6)->secid;
1504 break;
1505 }
1506 #endif /* IPv6 */
1507 default:
1508 goto unlabel_getattr_nolabel;
1509 }
1510 rcu_read_unlock();
1511
1512 secattr->flags |= NETLBL_SECATTR_SECID;
1513 secattr->type = NETLBL_NLTYPE_UNLABELED;
1514 return 0;
1515
1516 unlabel_getattr_nolabel:
1517 rcu_read_unlock();
1518 if (netlabel_unlabel_acceptflg == 0)
1519 return -ENOMSG;
1520 secattr->type = NETLBL_NLTYPE_UNLABELED;
1521 return 0;
1522 }
1523
1524 /**
1525 * netlbl_unlabel_defconf - Set the default config to allow unlabeled packets
1526 *
1527 * Description:
1528 * Set the default NetLabel configuration to allow incoming unlabeled packets
1529 * and to send unlabeled network traffic by default.
1530 *
1531 */
netlbl_unlabel_defconf(void)1532 int __init netlbl_unlabel_defconf(void)
1533 {
1534 int ret_val;
1535 struct netlbl_dom_map *entry;
1536 struct netlbl_audit audit_info;
1537
1538 /* Only the kernel is allowed to call this function and the only time
1539 * it is called is at bootup before the audit subsystem is reporting
1540 * messages so don't worry to much about these values. */
1541 security_current_getsecid_subj(&audit_info.secid);
1542 audit_info.loginuid = GLOBAL_ROOT_UID;
1543 audit_info.sessionid = 0;
1544
1545 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1546 if (entry == NULL)
1547 return -ENOMEM;
1548 entry->family = AF_UNSPEC;
1549 entry->def.type = NETLBL_NLTYPE_UNLABELED;
1550 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
1551 if (ret_val != 0)
1552 return ret_val;
1553
1554 netlbl_unlabel_acceptflg_set(1, &audit_info);
1555
1556 return 0;
1557 }
1558