xref: /openbmc/linux/net/netlabel/netlabel_mgmt.c (revision 8dce88fe)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * NetLabel Management Support
4  *
5  * This file defines the management functions for the NetLabel system.  The
6  * NetLabel system manages static and dynamic label mappings for network
7  * protocols such as CIPSO and RIPSO.
8  *
9  * Author: Paul Moore <paul@paul-moore.com>
10  */
11 
12 /*
13  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
14  */
15 
16 #include <linux/types.h>
17 #include <linux/socket.h>
18 #include <linux/string.h>
19 #include <linux/skbuff.h>
20 #include <linux/in.h>
21 #include <linux/in6.h>
22 #include <linux/slab.h>
23 #include <net/sock.h>
24 #include <net/netlink.h>
25 #include <net/genetlink.h>
26 #include <net/ip.h>
27 #include <net/ipv6.h>
28 #include <net/netlabel.h>
29 #include <net/cipso_ipv4.h>
30 #include <net/calipso.h>
31 #include <linux/atomic.h>
32 
33 #include "netlabel_calipso.h"
34 #include "netlabel_domainhash.h"
35 #include "netlabel_user.h"
36 #include "netlabel_mgmt.h"
37 
38 /* NetLabel configured protocol counter */
39 atomic_t netlabel_mgmt_protocount = ATOMIC_INIT(0);
40 
41 /* Argument struct for netlbl_domhsh_walk() */
42 struct netlbl_domhsh_walk_arg {
43 	struct netlink_callback *nl_cb;
44 	struct sk_buff *skb;
45 	u32 seq;
46 };
47 
48 /* NetLabel Generic NETLINK CIPSOv4 family */
49 static struct genl_family netlbl_mgmt_gnl_family;
50 
51 /* NetLabel Netlink attribute policy */
52 static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
53 	[NLBL_MGMT_A_DOMAIN] = { .type = NLA_NUL_STRING },
54 	[NLBL_MGMT_A_PROTOCOL] = { .type = NLA_U32 },
55 	[NLBL_MGMT_A_VERSION] = { .type = NLA_U32 },
56 	[NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 },
57 	[NLBL_MGMT_A_FAMILY] = { .type = NLA_U16 },
58 	[NLBL_MGMT_A_CLPDOI] = { .type = NLA_U32 },
59 };
60 
61 /*
62  * Helper Functions
63  */
64 
65 /**
66  * netlbl_mgmt_add_common - Handle an ADD message
67  * @info: the Generic NETLINK info block
68  * @audit_info: NetLabel audit information
69  *
70  * Description:
71  * Helper function for the ADD and ADDDEF messages to add the domain mappings
72  * from the message to the hash table.  See netlabel.h for a description of the
73  * message format.  Returns zero on success, negative values on failure.
74  *
75  */
76 static int netlbl_mgmt_add_common(struct genl_info *info,
77 				  struct netlbl_audit *audit_info)
78 {
79 	void *pmap = NULL;
80 	int ret_val = -EINVAL;
81 	struct netlbl_domaddr_map *addrmap = NULL;
82 	struct cipso_v4_doi *cipsov4 = NULL;
83 #if IS_ENABLED(CONFIG_IPV6)
84 	struct calipso_doi *calipso = NULL;
85 #endif
86 	u32 tmp_val;
87 	struct netlbl_dom_map *entry = kzalloc(sizeof(*entry), GFP_KERNEL);
88 
89 	if (!entry)
90 		return -ENOMEM;
91 	entry->def.type = nla_get_u32(info->attrs[NLBL_MGMT_A_PROTOCOL]);
92 	if (info->attrs[NLBL_MGMT_A_DOMAIN]) {
93 		size_t tmp_size = nla_len(info->attrs[NLBL_MGMT_A_DOMAIN]);
94 		entry->domain = kmalloc(tmp_size, GFP_KERNEL);
95 		if (entry->domain == NULL) {
96 			ret_val = -ENOMEM;
97 			goto add_free_entry;
98 		}
99 		nla_strscpy(entry->domain,
100 			    info->attrs[NLBL_MGMT_A_DOMAIN], tmp_size);
101 	}
102 
103 	/* NOTE: internally we allow/use a entry->def.type value of
104 	 *       NETLBL_NLTYPE_ADDRSELECT but we don't currently allow users
105 	 *       to pass that as a protocol value because we need to know the
106 	 *       "real" protocol */
107 
108 	switch (entry->def.type) {
109 	case NETLBL_NLTYPE_UNLABELED:
110 		if (info->attrs[NLBL_MGMT_A_FAMILY])
111 			entry->family =
112 				nla_get_u16(info->attrs[NLBL_MGMT_A_FAMILY]);
113 		else
114 			entry->family = AF_UNSPEC;
115 		break;
116 	case NETLBL_NLTYPE_CIPSOV4:
117 		if (!info->attrs[NLBL_MGMT_A_CV4DOI])
118 			goto add_free_domain;
119 
120 		tmp_val = nla_get_u32(info->attrs[NLBL_MGMT_A_CV4DOI]);
121 		cipsov4 = cipso_v4_doi_getdef(tmp_val);
122 		if (cipsov4 == NULL)
123 			goto add_free_domain;
124 		entry->family = AF_INET;
125 		entry->def.cipso = cipsov4;
126 		break;
127 #if IS_ENABLED(CONFIG_IPV6)
128 	case NETLBL_NLTYPE_CALIPSO:
129 		if (!info->attrs[NLBL_MGMT_A_CLPDOI])
130 			goto add_free_domain;
131 
132 		tmp_val = nla_get_u32(info->attrs[NLBL_MGMT_A_CLPDOI]);
133 		calipso = calipso_doi_getdef(tmp_val);
134 		if (calipso == NULL)
135 			goto add_free_domain;
136 		entry->family = AF_INET6;
137 		entry->def.calipso = calipso;
138 		break;
139 #endif /* IPv6 */
140 	default:
141 		goto add_free_domain;
142 	}
143 
144 	if ((entry->family == AF_INET && info->attrs[NLBL_MGMT_A_IPV6ADDR]) ||
145 	    (entry->family == AF_INET6 && info->attrs[NLBL_MGMT_A_IPV4ADDR]))
146 		goto add_doi_put_def;
147 
148 	if (info->attrs[NLBL_MGMT_A_IPV4ADDR]) {
149 		struct in_addr *addr;
150 		struct in_addr *mask;
151 		struct netlbl_domaddr4_map *map;
152 
153 		addrmap = kzalloc(sizeof(*addrmap), GFP_KERNEL);
154 		if (addrmap == NULL) {
155 			ret_val = -ENOMEM;
156 			goto add_doi_put_def;
157 		}
158 		INIT_LIST_HEAD(&addrmap->list4);
159 		INIT_LIST_HEAD(&addrmap->list6);
160 
161 		if (nla_len(info->attrs[NLBL_MGMT_A_IPV4ADDR]) !=
162 		    sizeof(struct in_addr)) {
163 			ret_val = -EINVAL;
164 			goto add_free_addrmap;
165 		}
166 		if (nla_len(info->attrs[NLBL_MGMT_A_IPV4MASK]) !=
167 		    sizeof(struct in_addr)) {
168 			ret_val = -EINVAL;
169 			goto add_free_addrmap;
170 		}
171 		addr = nla_data(info->attrs[NLBL_MGMT_A_IPV4ADDR]);
172 		mask = nla_data(info->attrs[NLBL_MGMT_A_IPV4MASK]);
173 
174 		map = kzalloc(sizeof(*map), GFP_KERNEL);
175 		if (map == NULL) {
176 			ret_val = -ENOMEM;
177 			goto add_free_addrmap;
178 		}
179 		pmap = map;
180 		map->list.addr = addr->s_addr & mask->s_addr;
181 		map->list.mask = mask->s_addr;
182 		map->list.valid = 1;
183 		map->def.type = entry->def.type;
184 		if (cipsov4)
185 			map->def.cipso = cipsov4;
186 
187 		ret_val = netlbl_af4list_add(&map->list, &addrmap->list4);
188 		if (ret_val != 0)
189 			goto add_free_map;
190 
191 		entry->family = AF_INET;
192 		entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
193 		entry->def.addrsel = addrmap;
194 #if IS_ENABLED(CONFIG_IPV6)
195 	} else if (info->attrs[NLBL_MGMT_A_IPV6ADDR]) {
196 		struct in6_addr *addr;
197 		struct in6_addr *mask;
198 		struct netlbl_domaddr6_map *map;
199 
200 		addrmap = kzalloc(sizeof(*addrmap), GFP_KERNEL);
201 		if (addrmap == NULL) {
202 			ret_val = -ENOMEM;
203 			goto add_doi_put_def;
204 		}
205 		INIT_LIST_HEAD(&addrmap->list4);
206 		INIT_LIST_HEAD(&addrmap->list6);
207 
208 		if (nla_len(info->attrs[NLBL_MGMT_A_IPV6ADDR]) !=
209 		    sizeof(struct in6_addr)) {
210 			ret_val = -EINVAL;
211 			goto add_free_addrmap;
212 		}
213 		if (nla_len(info->attrs[NLBL_MGMT_A_IPV6MASK]) !=
214 		    sizeof(struct in6_addr)) {
215 			ret_val = -EINVAL;
216 			goto add_free_addrmap;
217 		}
218 		addr = nla_data(info->attrs[NLBL_MGMT_A_IPV6ADDR]);
219 		mask = nla_data(info->attrs[NLBL_MGMT_A_IPV6MASK]);
220 
221 		map = kzalloc(sizeof(*map), GFP_KERNEL);
222 		if (map == NULL) {
223 			ret_val = -ENOMEM;
224 			goto add_free_addrmap;
225 		}
226 		pmap = map;
227 		map->list.addr = *addr;
228 		map->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
229 		map->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
230 		map->list.addr.s6_addr32[2] &= mask->s6_addr32[2];
231 		map->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
232 		map->list.mask = *mask;
233 		map->list.valid = 1;
234 		map->def.type = entry->def.type;
235 		if (calipso)
236 			map->def.calipso = calipso;
237 
238 		ret_val = netlbl_af6list_add(&map->list, &addrmap->list6);
239 		if (ret_val != 0)
240 			goto add_free_map;
241 
242 		entry->family = AF_INET6;
243 		entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
244 		entry->def.addrsel = addrmap;
245 #endif /* IPv6 */
246 	}
247 
248 	ret_val = netlbl_domhsh_add(entry, audit_info);
249 	if (ret_val != 0)
250 		goto add_free_map;
251 
252 	return 0;
253 
254 add_free_map:
255 	kfree(pmap);
256 add_free_addrmap:
257 	kfree(addrmap);
258 add_doi_put_def:
259 	cipso_v4_doi_putdef(cipsov4);
260 #if IS_ENABLED(CONFIG_IPV6)
261 	calipso_doi_putdef(calipso);
262 #endif
263 add_free_domain:
264 	kfree(entry->domain);
265 add_free_entry:
266 	kfree(entry);
267 	return ret_val;
268 }
269 
270 /**
271  * netlbl_mgmt_listentry - List a NetLabel/LSM domain map entry
272  * @skb: the NETLINK buffer
273  * @entry: the map entry
274  *
275  * Description:
276  * This function is a helper function used by the LISTALL and LISTDEF command
277  * handlers.  The caller is responsible for ensuring that the RCU read lock
278  * is held.  Returns zero on success, negative values on failure.
279  *
280  */
281 static int netlbl_mgmt_listentry(struct sk_buff *skb,
282 				 struct netlbl_dom_map *entry)
283 {
284 	int ret_val = 0;
285 	struct nlattr *nla_a;
286 	struct nlattr *nla_b;
287 	struct netlbl_af4list *iter4;
288 #if IS_ENABLED(CONFIG_IPV6)
289 	struct netlbl_af6list *iter6;
290 #endif
291 
292 	if (entry->domain != NULL) {
293 		ret_val = nla_put_string(skb,
294 					 NLBL_MGMT_A_DOMAIN, entry->domain);
295 		if (ret_val != 0)
296 			return ret_val;
297 	}
298 
299 	ret_val = nla_put_u16(skb, NLBL_MGMT_A_FAMILY, entry->family);
300 	if (ret_val != 0)
301 		return ret_val;
302 
303 	switch (entry->def.type) {
304 	case NETLBL_NLTYPE_ADDRSELECT:
305 		nla_a = nla_nest_start_noflag(skb, NLBL_MGMT_A_SELECTORLIST);
306 		if (nla_a == NULL)
307 			return -ENOMEM;
308 
309 		netlbl_af4list_foreach_rcu(iter4, &entry->def.addrsel->list4) {
310 			struct netlbl_domaddr4_map *map4;
311 			struct in_addr addr_struct;
312 
313 			nla_b = nla_nest_start_noflag(skb,
314 						      NLBL_MGMT_A_ADDRSELECTOR);
315 			if (nla_b == NULL)
316 				return -ENOMEM;
317 
318 			addr_struct.s_addr = iter4->addr;
319 			ret_val = nla_put_in_addr(skb, NLBL_MGMT_A_IPV4ADDR,
320 						  addr_struct.s_addr);
321 			if (ret_val != 0)
322 				return ret_val;
323 			addr_struct.s_addr = iter4->mask;
324 			ret_val = nla_put_in_addr(skb, NLBL_MGMT_A_IPV4MASK,
325 						  addr_struct.s_addr);
326 			if (ret_val != 0)
327 				return ret_val;
328 			map4 = netlbl_domhsh_addr4_entry(iter4);
329 			ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
330 					      map4->def.type);
331 			if (ret_val != 0)
332 				return ret_val;
333 			switch (map4->def.type) {
334 			case NETLBL_NLTYPE_CIPSOV4:
335 				ret_val = nla_put_u32(skb, NLBL_MGMT_A_CV4DOI,
336 						      map4->def.cipso->doi);
337 				if (ret_val != 0)
338 					return ret_val;
339 				break;
340 			}
341 
342 			nla_nest_end(skb, nla_b);
343 		}
344 #if IS_ENABLED(CONFIG_IPV6)
345 		netlbl_af6list_foreach_rcu(iter6, &entry->def.addrsel->list6) {
346 			struct netlbl_domaddr6_map *map6;
347 
348 			nla_b = nla_nest_start_noflag(skb,
349 						      NLBL_MGMT_A_ADDRSELECTOR);
350 			if (nla_b == NULL)
351 				return -ENOMEM;
352 
353 			ret_val = nla_put_in6_addr(skb, NLBL_MGMT_A_IPV6ADDR,
354 						   &iter6->addr);
355 			if (ret_val != 0)
356 				return ret_val;
357 			ret_val = nla_put_in6_addr(skb, NLBL_MGMT_A_IPV6MASK,
358 						   &iter6->mask);
359 			if (ret_val != 0)
360 				return ret_val;
361 			map6 = netlbl_domhsh_addr6_entry(iter6);
362 			ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
363 					      map6->def.type);
364 			if (ret_val != 0)
365 				return ret_val;
366 
367 			switch (map6->def.type) {
368 			case NETLBL_NLTYPE_CALIPSO:
369 				ret_val = nla_put_u32(skb, NLBL_MGMT_A_CLPDOI,
370 						      map6->def.calipso->doi);
371 				if (ret_val != 0)
372 					return ret_val;
373 				break;
374 			}
375 
376 			nla_nest_end(skb, nla_b);
377 		}
378 #endif /* IPv6 */
379 
380 		nla_nest_end(skb, nla_a);
381 		break;
382 	case NETLBL_NLTYPE_UNLABELED:
383 		ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
384 				      entry->def.type);
385 		break;
386 	case NETLBL_NLTYPE_CIPSOV4:
387 		ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
388 				      entry->def.type);
389 		if (ret_val != 0)
390 			return ret_val;
391 		ret_val = nla_put_u32(skb, NLBL_MGMT_A_CV4DOI,
392 				      entry->def.cipso->doi);
393 		break;
394 	case NETLBL_NLTYPE_CALIPSO:
395 		ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
396 				      entry->def.type);
397 		if (ret_val != 0)
398 			return ret_val;
399 		ret_val = nla_put_u32(skb, NLBL_MGMT_A_CLPDOI,
400 				      entry->def.calipso->doi);
401 		break;
402 	}
403 
404 	return ret_val;
405 }
406 
407 /*
408  * NetLabel Command Handlers
409  */
410 
411 /**
412  * netlbl_mgmt_add - Handle an ADD message
413  * @skb: the NETLINK buffer
414  * @info: the Generic NETLINK info block
415  *
416  * Description:
417  * Process a user generated ADD message and add the domains from the message
418  * to the hash table.  See netlabel.h for a description of the message format.
419  * Returns zero on success, negative values on failure.
420  *
421  */
422 static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info)
423 {
424 	struct netlbl_audit audit_info;
425 
426 	if ((!info->attrs[NLBL_MGMT_A_DOMAIN]) ||
427 	    (!info->attrs[NLBL_MGMT_A_PROTOCOL]) ||
428 	    (info->attrs[NLBL_MGMT_A_IPV4ADDR] &&
429 	     info->attrs[NLBL_MGMT_A_IPV6ADDR]) ||
430 	    (info->attrs[NLBL_MGMT_A_IPV4MASK] &&
431 	     info->attrs[NLBL_MGMT_A_IPV6MASK]) ||
432 	    ((info->attrs[NLBL_MGMT_A_IPV4ADDR] != NULL) ^
433 	     (info->attrs[NLBL_MGMT_A_IPV4MASK] != NULL)) ||
434 	    ((info->attrs[NLBL_MGMT_A_IPV6ADDR] != NULL) ^
435 	     (info->attrs[NLBL_MGMT_A_IPV6MASK] != NULL)))
436 		return -EINVAL;
437 
438 	netlbl_netlink_auditinfo(&audit_info);
439 
440 	return netlbl_mgmt_add_common(info, &audit_info);
441 }
442 
443 /**
444  * netlbl_mgmt_remove - Handle a REMOVE message
445  * @skb: the NETLINK buffer
446  * @info: the Generic NETLINK info block
447  *
448  * Description:
449  * Process a user generated REMOVE message and remove the specified domain
450  * mappings.  Returns zero on success, negative values on failure.
451  *
452  */
453 static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info)
454 {
455 	char *domain;
456 	struct netlbl_audit audit_info;
457 
458 	if (!info->attrs[NLBL_MGMT_A_DOMAIN])
459 		return -EINVAL;
460 
461 	netlbl_netlink_auditinfo(&audit_info);
462 
463 	domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]);
464 	return netlbl_domhsh_remove(domain, AF_UNSPEC, &audit_info);
465 }
466 
467 /**
468  * netlbl_mgmt_listall_cb - netlbl_domhsh_walk() callback for LISTALL
469  * @entry: the domain mapping hash table entry
470  * @arg: the netlbl_domhsh_walk_arg structure
471  *
472  * Description:
473  * This function is designed to be used as a callback to the
474  * netlbl_domhsh_walk() function for use in generating a response for a LISTALL
475  * message.  Returns the size of the message on success, negative values on
476  * failure.
477  *
478  */
479 static int netlbl_mgmt_listall_cb(struct netlbl_dom_map *entry, void *arg)
480 {
481 	int ret_val = -ENOMEM;
482 	struct netlbl_domhsh_walk_arg *cb_arg = arg;
483 	void *data;
484 
485 	data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
486 			   cb_arg->seq, &netlbl_mgmt_gnl_family,
487 			   NLM_F_MULTI, NLBL_MGMT_C_LISTALL);
488 	if (data == NULL)
489 		goto listall_cb_failure;
490 
491 	ret_val = netlbl_mgmt_listentry(cb_arg->skb, entry);
492 	if (ret_val != 0)
493 		goto listall_cb_failure;
494 
495 	cb_arg->seq++;
496 	genlmsg_end(cb_arg->skb, data);
497 	return 0;
498 
499 listall_cb_failure:
500 	genlmsg_cancel(cb_arg->skb, data);
501 	return ret_val;
502 }
503 
504 /**
505  * netlbl_mgmt_listall - Handle a LISTALL message
506  * @skb: the NETLINK buffer
507  * @cb: the NETLINK callback
508  *
509  * Description:
510  * Process a user generated LISTALL message and dumps the domain hash table in
511  * a form suitable for use in a kernel generated LISTALL message.  Returns zero
512  * on success, negative values on failure.
513  *
514  */
515 static int netlbl_mgmt_listall(struct sk_buff *skb,
516 			       struct netlink_callback *cb)
517 {
518 	struct netlbl_domhsh_walk_arg cb_arg;
519 	u32 skip_bkt = cb->args[0];
520 	u32 skip_chain = cb->args[1];
521 
522 	cb_arg.nl_cb = cb;
523 	cb_arg.skb = skb;
524 	cb_arg.seq = cb->nlh->nlmsg_seq;
525 
526 	netlbl_domhsh_walk(&skip_bkt,
527 			   &skip_chain,
528 			   netlbl_mgmt_listall_cb,
529 			   &cb_arg);
530 
531 	cb->args[0] = skip_bkt;
532 	cb->args[1] = skip_chain;
533 	return skb->len;
534 }
535 
536 /**
537  * netlbl_mgmt_adddef - Handle an ADDDEF message
538  * @skb: the NETLINK buffer
539  * @info: the Generic NETLINK info block
540  *
541  * Description:
542  * Process a user generated ADDDEF message and respond accordingly.  Returns
543  * zero on success, negative values on failure.
544  *
545  */
546 static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info)
547 {
548 	struct netlbl_audit audit_info;
549 
550 	if ((!info->attrs[NLBL_MGMT_A_PROTOCOL]) ||
551 	    (info->attrs[NLBL_MGMT_A_IPV4ADDR] &&
552 	     info->attrs[NLBL_MGMT_A_IPV6ADDR]) ||
553 	    (info->attrs[NLBL_MGMT_A_IPV4MASK] &&
554 	     info->attrs[NLBL_MGMT_A_IPV6MASK]) ||
555 	    ((info->attrs[NLBL_MGMT_A_IPV4ADDR] != NULL) ^
556 	     (info->attrs[NLBL_MGMT_A_IPV4MASK] != NULL)) ||
557 	    ((info->attrs[NLBL_MGMT_A_IPV6ADDR] != NULL) ^
558 	     (info->attrs[NLBL_MGMT_A_IPV6MASK] != NULL)))
559 		return -EINVAL;
560 
561 	netlbl_netlink_auditinfo(&audit_info);
562 
563 	return netlbl_mgmt_add_common(info, &audit_info);
564 }
565 
566 /**
567  * netlbl_mgmt_removedef - Handle a REMOVEDEF message
568  * @skb: the NETLINK buffer
569  * @info: the Generic NETLINK info block
570  *
571  * Description:
572  * Process a user generated REMOVEDEF message and remove the default domain
573  * mapping.  Returns zero on success, negative values on failure.
574  *
575  */
576 static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info)
577 {
578 	struct netlbl_audit audit_info;
579 
580 	netlbl_netlink_auditinfo(&audit_info);
581 
582 	return netlbl_domhsh_remove_default(AF_UNSPEC, &audit_info);
583 }
584 
585 /**
586  * netlbl_mgmt_listdef - Handle a LISTDEF message
587  * @skb: the NETLINK buffer
588  * @info: the Generic NETLINK info block
589  *
590  * Description:
591  * Process a user generated LISTDEF message and dumps the default domain
592  * mapping in a form suitable for use in a kernel generated LISTDEF message.
593  * Returns zero on success, negative values on failure.
594  *
595  */
596 static int netlbl_mgmt_listdef(struct sk_buff *skb, struct genl_info *info)
597 {
598 	int ret_val = -ENOMEM;
599 	struct sk_buff *ans_skb = NULL;
600 	void *data;
601 	struct netlbl_dom_map *entry;
602 	u16 family;
603 
604 	if (info->attrs[NLBL_MGMT_A_FAMILY])
605 		family = nla_get_u16(info->attrs[NLBL_MGMT_A_FAMILY]);
606 	else
607 		family = AF_INET;
608 
609 	ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
610 	if (ans_skb == NULL)
611 		return -ENOMEM;
612 	data = genlmsg_put_reply(ans_skb, info, &netlbl_mgmt_gnl_family,
613 				 0, NLBL_MGMT_C_LISTDEF);
614 	if (data == NULL)
615 		goto listdef_failure;
616 
617 	rcu_read_lock();
618 	entry = netlbl_domhsh_getentry(NULL, family);
619 	if (entry == NULL) {
620 		ret_val = -ENOENT;
621 		goto listdef_failure_lock;
622 	}
623 	ret_val = netlbl_mgmt_listentry(ans_skb, entry);
624 	rcu_read_unlock();
625 	if (ret_val != 0)
626 		goto listdef_failure;
627 
628 	genlmsg_end(ans_skb, data);
629 	return genlmsg_reply(ans_skb, info);
630 
631 listdef_failure_lock:
632 	rcu_read_unlock();
633 listdef_failure:
634 	kfree_skb(ans_skb);
635 	return ret_val;
636 }
637 
638 /**
639  * netlbl_mgmt_protocols_cb - Write an individual PROTOCOL message response
640  * @skb: the skb to write to
641  * @cb: the NETLINK callback
642  * @protocol: the NetLabel protocol to use in the message
643  *
644  * Description:
645  * This function is to be used in conjunction with netlbl_mgmt_protocols() to
646  * answer a application's PROTOCOLS message.  Returns the size of the message
647  * on success, negative values on failure.
648  *
649  */
650 static int netlbl_mgmt_protocols_cb(struct sk_buff *skb,
651 				    struct netlink_callback *cb,
652 				    u32 protocol)
653 {
654 	int ret_val = -ENOMEM;
655 	void *data;
656 
657 	data = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
658 			   &netlbl_mgmt_gnl_family, NLM_F_MULTI,
659 			   NLBL_MGMT_C_PROTOCOLS);
660 	if (data == NULL)
661 		goto protocols_cb_failure;
662 
663 	ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL, protocol);
664 	if (ret_val != 0)
665 		goto protocols_cb_failure;
666 
667 	genlmsg_end(skb, data);
668 	return 0;
669 
670 protocols_cb_failure:
671 	genlmsg_cancel(skb, data);
672 	return ret_val;
673 }
674 
675 /**
676  * netlbl_mgmt_protocols - Handle a PROTOCOLS message
677  * @skb: the NETLINK buffer
678  * @cb: the NETLINK callback
679  *
680  * Description:
681  * Process a user generated PROTOCOLS message and respond accordingly.
682  *
683  */
684 static int netlbl_mgmt_protocols(struct sk_buff *skb,
685 				 struct netlink_callback *cb)
686 {
687 	u32 protos_sent = cb->args[0];
688 
689 	if (protos_sent == 0) {
690 		if (netlbl_mgmt_protocols_cb(skb,
691 					     cb,
692 					     NETLBL_NLTYPE_UNLABELED) < 0)
693 			goto protocols_return;
694 		protos_sent++;
695 	}
696 	if (protos_sent == 1) {
697 		if (netlbl_mgmt_protocols_cb(skb,
698 					     cb,
699 					     NETLBL_NLTYPE_CIPSOV4) < 0)
700 			goto protocols_return;
701 		protos_sent++;
702 	}
703 #if IS_ENABLED(CONFIG_IPV6)
704 	if (protos_sent == 2) {
705 		if (netlbl_mgmt_protocols_cb(skb,
706 					     cb,
707 					     NETLBL_NLTYPE_CALIPSO) < 0)
708 			goto protocols_return;
709 		protos_sent++;
710 	}
711 #endif
712 
713 protocols_return:
714 	cb->args[0] = protos_sent;
715 	return skb->len;
716 }
717 
718 /**
719  * netlbl_mgmt_version - Handle a VERSION message
720  * @skb: the NETLINK buffer
721  * @info: the Generic NETLINK info block
722  *
723  * Description:
724  * Process a user generated VERSION message and respond accordingly.  Returns
725  * zero on success, negative values on failure.
726  *
727  */
728 static int netlbl_mgmt_version(struct sk_buff *skb, struct genl_info *info)
729 {
730 	int ret_val = -ENOMEM;
731 	struct sk_buff *ans_skb = NULL;
732 	void *data;
733 
734 	ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
735 	if (ans_skb == NULL)
736 		return -ENOMEM;
737 	data = genlmsg_put_reply(ans_skb, info, &netlbl_mgmt_gnl_family,
738 				 0, NLBL_MGMT_C_VERSION);
739 	if (data == NULL)
740 		goto version_failure;
741 
742 	ret_val = nla_put_u32(ans_skb,
743 			      NLBL_MGMT_A_VERSION,
744 			      NETLBL_PROTO_VERSION);
745 	if (ret_val != 0)
746 		goto version_failure;
747 
748 	genlmsg_end(ans_skb, data);
749 	return genlmsg_reply(ans_skb, info);
750 
751 version_failure:
752 	kfree_skb(ans_skb);
753 	return ret_val;
754 }
755 
756 
757 /*
758  * NetLabel Generic NETLINK Command Definitions
759  */
760 
761 static const struct genl_small_ops netlbl_mgmt_genl_ops[] = {
762 	{
763 	.cmd = NLBL_MGMT_C_ADD,
764 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
765 	.flags = GENL_ADMIN_PERM,
766 	.doit = netlbl_mgmt_add,
767 	.dumpit = NULL,
768 	},
769 	{
770 	.cmd = NLBL_MGMT_C_REMOVE,
771 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
772 	.flags = GENL_ADMIN_PERM,
773 	.doit = netlbl_mgmt_remove,
774 	.dumpit = NULL,
775 	},
776 	{
777 	.cmd = NLBL_MGMT_C_LISTALL,
778 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
779 	.flags = 0,
780 	.doit = NULL,
781 	.dumpit = netlbl_mgmt_listall,
782 	},
783 	{
784 	.cmd = NLBL_MGMT_C_ADDDEF,
785 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
786 	.flags = GENL_ADMIN_PERM,
787 	.doit = netlbl_mgmt_adddef,
788 	.dumpit = NULL,
789 	},
790 	{
791 	.cmd = NLBL_MGMT_C_REMOVEDEF,
792 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
793 	.flags = GENL_ADMIN_PERM,
794 	.doit = netlbl_mgmt_removedef,
795 	.dumpit = NULL,
796 	},
797 	{
798 	.cmd = NLBL_MGMT_C_LISTDEF,
799 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
800 	.flags = 0,
801 	.doit = netlbl_mgmt_listdef,
802 	.dumpit = NULL,
803 	},
804 	{
805 	.cmd = NLBL_MGMT_C_PROTOCOLS,
806 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
807 	.flags = 0,
808 	.doit = NULL,
809 	.dumpit = netlbl_mgmt_protocols,
810 	},
811 	{
812 	.cmd = NLBL_MGMT_C_VERSION,
813 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
814 	.flags = 0,
815 	.doit = netlbl_mgmt_version,
816 	.dumpit = NULL,
817 	},
818 };
819 
820 static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = {
821 	.hdrsize = 0,
822 	.name = NETLBL_NLTYPE_MGMT_NAME,
823 	.version = NETLBL_PROTO_VERSION,
824 	.maxattr = NLBL_MGMT_A_MAX,
825 	.policy = netlbl_mgmt_genl_policy,
826 	.module = THIS_MODULE,
827 	.small_ops = netlbl_mgmt_genl_ops,
828 	.n_small_ops = ARRAY_SIZE(netlbl_mgmt_genl_ops),
829 };
830 
831 /*
832  * NetLabel Generic NETLINK Protocol Functions
833  */
834 
835 /**
836  * netlbl_mgmt_genl_init - Register the NetLabel management component
837  *
838  * Description:
839  * Register the NetLabel management component with the Generic NETLINK
840  * mechanism.  Returns zero on success, negative values on failure.
841  *
842  */
843 int __init netlbl_mgmt_genl_init(void)
844 {
845 	return genl_register_family(&netlbl_mgmt_gnl_family);
846 }
847