1 /* 2 * NetLabel Unlabeled Support 3 * 4 * This file defines functions for dealing with unlabeled packets for the 5 * NetLabel system. The NetLabel system manages static and dynamic label 6 * mappings for network protocols such as CIPSO and RIPSO. 7 * 8 * Author: Paul Moore <paul.moore@hp.com> 9 * 10 */ 11 12 /* 13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - 2007 14 * 15 * This program is free software; you can redistribute it and/or modify 16 * it under the terms of the GNU General Public License as published by 17 * the Free Software Foundation; either version 2 of the License, or 18 * (at your option) any later version. 19 * 20 * This program is distributed in the hope that it will be useful, 21 * but WITHOUT ANY WARRANTY; without even the implied warranty of 22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 23 * the GNU General Public License for more details. 24 * 25 * You should have received a copy of the GNU General Public License 26 * along with this program; if not, write to the Free Software 27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 28 * 29 */ 30 31 #include <linux/types.h> 32 #include <linux/rcupdate.h> 33 #include <linux/list.h> 34 #include <linux/spinlock.h> 35 #include <linux/socket.h> 36 #include <linux/string.h> 37 #include <linux/skbuff.h> 38 #include <linux/audit.h> 39 #include <linux/in.h> 40 #include <linux/in6.h> 41 #include <linux/ip.h> 42 #include <linux/ipv6.h> 43 #include <linux/notifier.h> 44 #include <linux/netdevice.h> 45 #include <linux/security.h> 46 #include <net/sock.h> 47 #include <net/netlink.h> 48 #include <net/genetlink.h> 49 #include <net/ip.h> 50 #include <net/ipv6.h> 51 #include <net/net_namespace.h> 52 #include <net/netlabel.h> 53 #include <asm/bug.h> 54 #include <asm/atomic.h> 55 56 #include "netlabel_user.h" 57 #include "netlabel_domainhash.h" 58 #include "netlabel_unlabeled.h" 59 #include "netlabel_mgmt.h" 60 61 /* NOTE: at present we always use init's network namespace since we don't 62 * presently support different namespaces even though the majority of 63 * the functions in this file are "namespace safe" */ 64 65 /* The unlabeled connection hash table which we use to map network interfaces 66 * and addresses of unlabeled packets to a user specified secid value for the 67 * LSM. The hash table is used to lookup the network interface entry 68 * (struct netlbl_unlhsh_iface) and then the interface entry is used to 69 * lookup an IP address match from an ordered list. If a network interface 70 * match can not be found in the hash table then the default entry 71 * (netlbl_unlhsh_def) is used. The IP address entry list 72 * (struct netlbl_unlhsh_addr) is ordered such that the entries with a 73 * larger netmask come first. 74 */ 75 struct netlbl_unlhsh_tbl { 76 struct list_head *tbl; 77 u32 size; 78 }; 79 struct netlbl_unlhsh_addr4 { 80 __be32 addr; 81 __be32 mask; 82 u32 secid; 83 84 u32 valid; 85 struct list_head list; 86 struct rcu_head rcu; 87 }; 88 struct netlbl_unlhsh_addr6 { 89 struct in6_addr addr; 90 struct in6_addr mask; 91 u32 secid; 92 93 u32 valid; 94 struct list_head list; 95 struct rcu_head rcu; 96 }; 97 struct netlbl_unlhsh_iface { 98 int ifindex; 99 struct list_head addr4_list; 100 struct list_head addr6_list; 101 102 u32 valid; 103 struct list_head list; 104 struct rcu_head rcu; 105 }; 106 107 /* Argument struct for netlbl_unlhsh_walk() */ 108 struct netlbl_unlhsh_walk_arg { 109 struct netlink_callback *nl_cb; 110 struct sk_buff *skb; 111 u32 seq; 112 }; 113 114 /* Unlabeled connection hash table */ 115 /* updates should be so rare that having one spinlock for the entire 116 * hash table should be okay */ 117 static DEFINE_SPINLOCK(netlbl_unlhsh_lock); 118 static struct netlbl_unlhsh_tbl *netlbl_unlhsh = NULL; 119 static struct netlbl_unlhsh_iface *netlbl_unlhsh_def = NULL; 120 121 /* Accept unlabeled packets flag */ 122 static u8 netlabel_unlabel_acceptflg = 0; 123 124 /* NetLabel Generic NETLINK unlabeled family */ 125 static struct genl_family netlbl_unlabel_gnl_family = { 126 .id = GENL_ID_GENERATE, 127 .hdrsize = 0, 128 .name = NETLBL_NLTYPE_UNLABELED_NAME, 129 .version = NETLBL_PROTO_VERSION, 130 .maxattr = NLBL_UNLABEL_A_MAX, 131 }; 132 133 /* NetLabel Netlink attribute policy */ 134 static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = { 135 [NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 }, 136 [NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY, 137 .len = sizeof(struct in6_addr) }, 138 [NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY, 139 .len = sizeof(struct in6_addr) }, 140 [NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY, 141 .len = sizeof(struct in_addr) }, 142 [NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY, 143 .len = sizeof(struct in_addr) }, 144 [NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING, 145 .len = IFNAMSIZ - 1 }, 146 [NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY } 147 }; 148 149 /* 150 * Audit Helper Functions 151 */ 152 153 /** 154 * netlbl_unlabel_audit_addr4 - Audit an IPv4 address 155 * @audit_buf: audit buffer 156 * @dev: network interface 157 * @addr: IP address 158 * @mask: IP address mask 159 * 160 * Description: 161 * Write the IPv4 address and address mask, if necessary, to @audit_buf. 162 * 163 */ 164 static void netlbl_unlabel_audit_addr4(struct audit_buffer *audit_buf, 165 const char *dev, 166 __be32 addr, __be32 mask) 167 { 168 u32 mask_val = ntohl(mask); 169 170 if (dev != NULL) 171 audit_log_format(audit_buf, " netif=%s", dev); 172 audit_log_format(audit_buf, " src=" NIPQUAD_FMT, NIPQUAD(addr)); 173 if (mask_val != 0xffffffff) { 174 u32 mask_len = 0; 175 while (mask_val > 0) { 176 mask_val <<= 1; 177 mask_len++; 178 } 179 audit_log_format(audit_buf, " src_prefixlen=%d", mask_len); 180 } 181 } 182 183 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 184 /** 185 * netlbl_unlabel_audit_addr6 - Audit an IPv6 address 186 * @audit_buf: audit buffer 187 * @dev: network interface 188 * @addr: IP address 189 * @mask: IP address mask 190 * 191 * Description: 192 * Write the IPv6 address and address mask, if necessary, to @audit_buf. 193 * 194 */ 195 static void netlbl_unlabel_audit_addr6(struct audit_buffer *audit_buf, 196 const char *dev, 197 const struct in6_addr *addr, 198 const struct in6_addr *mask) 199 { 200 if (dev != NULL) 201 audit_log_format(audit_buf, " netif=%s", dev); 202 audit_log_format(audit_buf, " src=" NIP6_FMT, NIP6(*addr)); 203 if (ntohl(mask->s6_addr32[3]) != 0xffffffff) { 204 u32 mask_len = 0; 205 u32 mask_val; 206 int iter = -1; 207 while (ntohl(mask->s6_addr32[++iter]) == 0xffffffff) 208 mask_len += 32; 209 mask_val = ntohl(mask->s6_addr32[iter]); 210 while (mask_val > 0) { 211 mask_val <<= 1; 212 mask_len++; 213 } 214 audit_log_format(audit_buf, " src_prefixlen=%d", mask_len); 215 } 216 } 217 #endif /* IPv6 */ 218 219 /* 220 * Unlabeled Connection Hash Table Functions 221 */ 222 223 /** 224 * netlbl_unlhsh_free_addr4 - Frees an IPv4 address entry from the hash table 225 * @entry: the entry's RCU field 226 * 227 * Description: 228 * This function is designed to be used as a callback to the call_rcu() 229 * function so that memory allocated to a hash table address entry can be 230 * released safely. 231 * 232 */ 233 static void netlbl_unlhsh_free_addr4(struct rcu_head *entry) 234 { 235 struct netlbl_unlhsh_addr4 *ptr; 236 237 ptr = container_of(entry, struct netlbl_unlhsh_addr4, rcu); 238 kfree(ptr); 239 } 240 241 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 242 /** 243 * netlbl_unlhsh_free_addr6 - Frees an IPv6 address entry from the hash table 244 * @entry: the entry's RCU field 245 * 246 * Description: 247 * This function is designed to be used as a callback to the call_rcu() 248 * function so that memory allocated to a hash table address entry can be 249 * released safely. 250 * 251 */ 252 static void netlbl_unlhsh_free_addr6(struct rcu_head *entry) 253 { 254 struct netlbl_unlhsh_addr6 *ptr; 255 256 ptr = container_of(entry, struct netlbl_unlhsh_addr6, rcu); 257 kfree(ptr); 258 } 259 #endif /* IPv6 */ 260 261 /** 262 * netlbl_unlhsh_free_iface - Frees an interface entry from the hash table 263 * @entry: the entry's RCU field 264 * 265 * Description: 266 * This function is designed to be used as a callback to the call_rcu() 267 * function so that memory allocated to a hash table interface entry can be 268 * released safely. It is important to note that this function does not free 269 * the IPv4 and IPv6 address lists contained as part of an interface entry. It 270 * is up to the rest of the code to make sure an interface entry is only freed 271 * once it's address lists are empty. 272 * 273 */ 274 static void netlbl_unlhsh_free_iface(struct rcu_head *entry) 275 { 276 struct netlbl_unlhsh_iface *iface; 277 struct netlbl_unlhsh_addr4 *iter4; 278 struct netlbl_unlhsh_addr4 *tmp4; 279 struct netlbl_unlhsh_addr6 *iter6; 280 struct netlbl_unlhsh_addr6 *tmp6; 281 282 iface = container_of(entry, struct netlbl_unlhsh_iface, rcu); 283 284 /* no need for locks here since we are the only one with access to this 285 * structure */ 286 287 list_for_each_entry_safe(iter4, tmp4, &iface->addr4_list, list) 288 if (iter4->valid) { 289 list_del_rcu(&iter4->list); 290 kfree(iter4); 291 } 292 list_for_each_entry_safe(iter6, tmp6, &iface->addr6_list, list) 293 if (iter6->valid) { 294 list_del_rcu(&iter6->list); 295 kfree(iter6); 296 } 297 kfree(iface); 298 } 299 300 /** 301 * netlbl_unlhsh_hash - Hashing function for the hash table 302 * @ifindex: the network interface/device to hash 303 * 304 * Description: 305 * This is the hashing function for the unlabeled hash table, it returns the 306 * bucket number for the given device/interface. The caller is responsible for 307 * calling the rcu_read_[un]lock() functions. 308 * 309 */ 310 static u32 netlbl_unlhsh_hash(int ifindex) 311 { 312 /* this is taken _almost_ directly from 313 * security/selinux/netif.c:sel_netif_hasfn() as they do pretty much 314 * the same thing */ 315 return ifindex & (rcu_dereference(netlbl_unlhsh)->size - 1); 316 } 317 318 /** 319 * netlbl_unlhsh_search_addr4 - Search for a matching IPv4 address entry 320 * @addr: IPv4 address 321 * @iface: the network interface entry 322 * 323 * Description: 324 * Searches the IPv4 address list of the network interface specified by @iface. 325 * If a matching address entry is found it is returned, otherwise NULL is 326 * returned. The caller is responsible for calling the rcu_read_[un]lock() 327 * functions. 328 * 329 */ 330 static struct netlbl_unlhsh_addr4 *netlbl_unlhsh_search_addr4( 331 __be32 addr, 332 const struct netlbl_unlhsh_iface *iface) 333 { 334 struct netlbl_unlhsh_addr4 *iter; 335 336 list_for_each_entry_rcu(iter, &iface->addr4_list, list) 337 if (iter->valid && (addr & iter->mask) == iter->addr) 338 return iter; 339 340 return NULL; 341 } 342 343 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 344 /** 345 * netlbl_unlhsh_search_addr6 - Search for a matching IPv6 address entry 346 * @addr: IPv6 address 347 * @iface: the network interface entry 348 * 349 * Description: 350 * Searches the IPv6 address list of the network interface specified by @iface. 351 * If a matching address entry is found it is returned, otherwise NULL is 352 * returned. The caller is responsible for calling the rcu_read_[un]lock() 353 * functions. 354 * 355 */ 356 static struct netlbl_unlhsh_addr6 *netlbl_unlhsh_search_addr6( 357 const struct in6_addr *addr, 358 const struct netlbl_unlhsh_iface *iface) 359 { 360 struct netlbl_unlhsh_addr6 *iter; 361 362 list_for_each_entry_rcu(iter, &iface->addr6_list, list) 363 if (iter->valid && 364 ipv6_masked_addr_cmp(&iter->addr, &iter->mask, addr) == 0) 365 return iter; 366 367 return NULL; 368 } 369 #endif /* IPv6 */ 370 371 /** 372 * netlbl_unlhsh_search_iface - Search for a matching interface entry 373 * @ifindex: the network interface 374 * 375 * Description: 376 * Searches the unlabeled connection hash table and returns a pointer to the 377 * interface entry which matches @ifindex, otherwise NULL is returned. The 378 * caller is responsible for calling the rcu_read_[un]lock() functions. 379 * 380 */ 381 static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex) 382 { 383 u32 bkt; 384 struct netlbl_unlhsh_iface *iter; 385 386 bkt = netlbl_unlhsh_hash(ifindex); 387 list_for_each_entry_rcu(iter, 388 &rcu_dereference(netlbl_unlhsh)->tbl[bkt], 389 list) 390 if (iter->valid && iter->ifindex == ifindex) 391 return iter; 392 393 return NULL; 394 } 395 396 /** 397 * netlbl_unlhsh_search_iface_def - Search for a matching interface entry 398 * @ifindex: the network interface 399 * 400 * Description: 401 * Searches the unlabeled connection hash table and returns a pointer to the 402 * interface entry which matches @ifindex. If an exact match can not be found 403 * and there is a valid default entry, the default entry is returned, otherwise 404 * NULL is returned. The caller is responsible for calling the 405 * rcu_read_[un]lock() functions. 406 * 407 */ 408 static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface_def(int ifindex) 409 { 410 struct netlbl_unlhsh_iface *entry; 411 412 entry = netlbl_unlhsh_search_iface(ifindex); 413 if (entry != NULL) 414 return entry; 415 416 entry = rcu_dereference(netlbl_unlhsh_def); 417 if (entry != NULL && entry->valid) 418 return entry; 419 420 return NULL; 421 } 422 423 /** 424 * netlbl_unlhsh_add_addr4 - Add a new IPv4 address entry to the hash table 425 * @iface: the associated interface entry 426 * @addr: IPv4 address in network byte order 427 * @mask: IPv4 address mask in network byte order 428 * @secid: LSM secid value for entry 429 * 430 * Description: 431 * Add a new address entry into the unlabeled connection hash table using the 432 * interface entry specified by @iface. On success zero is returned, otherwise 433 * a negative value is returned. The caller is responsible for calling the 434 * rcu_read_[un]lock() functions. 435 * 436 */ 437 static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, 438 const struct in_addr *addr, 439 const struct in_addr *mask, 440 u32 secid) 441 { 442 struct netlbl_unlhsh_addr4 *entry; 443 struct netlbl_unlhsh_addr4 *iter; 444 445 entry = kzalloc(sizeof(*entry), GFP_ATOMIC); 446 if (entry == NULL) 447 return -ENOMEM; 448 449 entry->addr = addr->s_addr & mask->s_addr; 450 entry->mask = mask->s_addr; 451 entry->secid = secid; 452 entry->valid = 1; 453 INIT_RCU_HEAD(&entry->rcu); 454 455 spin_lock(&netlbl_unlhsh_lock); 456 iter = netlbl_unlhsh_search_addr4(entry->addr, iface); 457 if (iter != NULL && 458 iter->addr == addr->s_addr && iter->mask == mask->s_addr) { 459 spin_unlock(&netlbl_unlhsh_lock); 460 kfree(entry); 461 return -EEXIST; 462 } 463 /* in order to speed up address searches through the list (the common 464 * case) we need to keep the list in order based on the size of the 465 * address mask such that the entry with the widest mask (smallest 466 * numerical value) appears first in the list */ 467 list_for_each_entry_rcu(iter, &iface->addr4_list, list) 468 if (iter->valid && 469 ntohl(entry->mask) > ntohl(iter->mask)) { 470 __list_add_rcu(&entry->list, 471 iter->list.prev, 472 &iter->list); 473 spin_unlock(&netlbl_unlhsh_lock); 474 return 0; 475 } 476 list_add_tail_rcu(&entry->list, &iface->addr4_list); 477 spin_unlock(&netlbl_unlhsh_lock); 478 return 0; 479 } 480 481 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 482 /** 483 * netlbl_unlhsh_add_addr6 - Add a new IPv6 address entry to the hash table 484 * @iface: the associated interface entry 485 * @addr: IPv6 address in network byte order 486 * @mask: IPv6 address mask in network byte order 487 * @secid: LSM secid value for entry 488 * 489 * Description: 490 * Add a new address entry into the unlabeled connection hash table using the 491 * interface entry specified by @iface. On success zero is returned, otherwise 492 * a negative value is returned. The caller is responsible for calling the 493 * rcu_read_[un]lock() functions. 494 * 495 */ 496 static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, 497 const struct in6_addr *addr, 498 const struct in6_addr *mask, 499 u32 secid) 500 { 501 struct netlbl_unlhsh_addr6 *entry; 502 struct netlbl_unlhsh_addr6 *iter; 503 504 entry = kzalloc(sizeof(*entry), GFP_ATOMIC); 505 if (entry == NULL) 506 return -ENOMEM; 507 508 ipv6_addr_copy(&entry->addr, addr); 509 entry->addr.s6_addr32[0] &= mask->s6_addr32[0]; 510 entry->addr.s6_addr32[1] &= mask->s6_addr32[1]; 511 entry->addr.s6_addr32[2] &= mask->s6_addr32[2]; 512 entry->addr.s6_addr32[3] &= mask->s6_addr32[3]; 513 ipv6_addr_copy(&entry->mask, mask); 514 entry->secid = secid; 515 entry->valid = 1; 516 INIT_RCU_HEAD(&entry->rcu); 517 518 spin_lock(&netlbl_unlhsh_lock); 519 iter = netlbl_unlhsh_search_addr6(&entry->addr, iface); 520 if (iter != NULL && 521 (ipv6_addr_equal(&iter->addr, addr) && 522 ipv6_addr_equal(&iter->mask, mask))) { 523 spin_unlock(&netlbl_unlhsh_lock); 524 kfree(entry); 525 return -EEXIST; 526 } 527 /* in order to speed up address searches through the list (the common 528 * case) we need to keep the list in order based on the size of the 529 * address mask such that the entry with the widest mask (smallest 530 * numerical value) appears first in the list */ 531 list_for_each_entry_rcu(iter, &iface->addr6_list, list) 532 if (iter->valid && 533 ipv6_addr_cmp(&entry->mask, &iter->mask) > 0) { 534 __list_add_rcu(&entry->list, 535 iter->list.prev, 536 &iter->list); 537 spin_unlock(&netlbl_unlhsh_lock); 538 return 0; 539 } 540 list_add_tail_rcu(&entry->list, &iface->addr6_list); 541 spin_unlock(&netlbl_unlhsh_lock); 542 return 0; 543 } 544 #endif /* IPv6 */ 545 546 /** 547 * netlbl_unlhsh_add_iface - Adds a new interface entry to the hash table 548 * @ifindex: network interface 549 * 550 * Description: 551 * Add a new, empty, interface entry into the unlabeled connection hash table. 552 * On success a pointer to the new interface entry is returned, on failure NULL 553 * is returned. The caller is responsible for calling the rcu_read_[un]lock() 554 * functions. 555 * 556 */ 557 static struct netlbl_unlhsh_iface *netlbl_unlhsh_add_iface(int ifindex) 558 { 559 u32 bkt; 560 struct netlbl_unlhsh_iface *iface; 561 562 iface = kzalloc(sizeof(*iface), GFP_ATOMIC); 563 if (iface == NULL) 564 return NULL; 565 566 iface->ifindex = ifindex; 567 INIT_LIST_HEAD(&iface->addr4_list); 568 INIT_LIST_HEAD(&iface->addr6_list); 569 iface->valid = 1; 570 INIT_RCU_HEAD(&iface->rcu); 571 572 spin_lock(&netlbl_unlhsh_lock); 573 if (ifindex > 0) { 574 bkt = netlbl_unlhsh_hash(ifindex); 575 if (netlbl_unlhsh_search_iface(ifindex) != NULL) 576 goto add_iface_failure; 577 list_add_tail_rcu(&iface->list, 578 &rcu_dereference(netlbl_unlhsh)->tbl[bkt]); 579 } else { 580 INIT_LIST_HEAD(&iface->list); 581 if (rcu_dereference(netlbl_unlhsh_def) != NULL) 582 goto add_iface_failure; 583 rcu_assign_pointer(netlbl_unlhsh_def, iface); 584 } 585 spin_unlock(&netlbl_unlhsh_lock); 586 587 return iface; 588 589 add_iface_failure: 590 spin_unlock(&netlbl_unlhsh_lock); 591 kfree(iface); 592 return NULL; 593 } 594 595 /** 596 * netlbl_unlhsh_add - Adds a new entry to the unlabeled connection hash table 597 * @net: network namespace 598 * @dev_name: interface name 599 * @addr: IP address in network byte order 600 * @mask: address mask in network byte order 601 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6) 602 * @secid: LSM secid value for the entry 603 * @audit_info: NetLabel audit information 604 * 605 * Description: 606 * Adds a new entry to the unlabeled connection hash table. Returns zero on 607 * success, negative values on failure. 608 * 609 */ 610 static int netlbl_unlhsh_add(struct net *net, 611 const char *dev_name, 612 const void *addr, 613 const void *mask, 614 u32 addr_len, 615 u32 secid, 616 struct netlbl_audit *audit_info) 617 { 618 int ret_val; 619 int ifindex; 620 struct net_device *dev; 621 struct netlbl_unlhsh_iface *iface; 622 struct audit_buffer *audit_buf = NULL; 623 char *secctx = NULL; 624 u32 secctx_len; 625 626 if (addr_len != sizeof(struct in_addr) && 627 addr_len != sizeof(struct in6_addr)) 628 return -EINVAL; 629 630 rcu_read_lock(); 631 if (dev_name != NULL) { 632 dev = dev_get_by_name(net, dev_name); 633 if (dev == NULL) { 634 ret_val = -ENODEV; 635 goto unlhsh_add_return; 636 } 637 ifindex = dev->ifindex; 638 dev_put(dev); 639 iface = netlbl_unlhsh_search_iface(ifindex); 640 } else { 641 ifindex = 0; 642 iface = rcu_dereference(netlbl_unlhsh_def); 643 } 644 if (iface == NULL) { 645 iface = netlbl_unlhsh_add_iface(ifindex); 646 if (iface == NULL) { 647 ret_val = -ENOMEM; 648 goto unlhsh_add_return; 649 } 650 } 651 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD, 652 audit_info); 653 switch (addr_len) { 654 case sizeof(struct in_addr): { 655 struct in_addr *addr4, *mask4; 656 657 addr4 = (struct in_addr *)addr; 658 mask4 = (struct in_addr *)mask; 659 ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid); 660 if (audit_buf != NULL) 661 netlbl_unlabel_audit_addr4(audit_buf, 662 dev_name, 663 addr4->s_addr, 664 mask4->s_addr); 665 break; 666 } 667 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 668 case sizeof(struct in6_addr): { 669 struct in6_addr *addr6, *mask6; 670 671 addr6 = (struct in6_addr *)addr; 672 mask6 = (struct in6_addr *)mask; 673 ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid); 674 if (audit_buf != NULL) 675 netlbl_unlabel_audit_addr6(audit_buf, 676 dev_name, 677 addr6, mask6); 678 break; 679 } 680 #endif /* IPv6 */ 681 default: 682 ret_val = -EINVAL; 683 } 684 if (ret_val == 0) 685 atomic_inc(&netlabel_mgmt_protocount); 686 687 unlhsh_add_return: 688 rcu_read_unlock(); 689 if (audit_buf != NULL) { 690 if (security_secid_to_secctx(secid, 691 &secctx, 692 &secctx_len) == 0) { 693 audit_log_format(audit_buf, " sec_obj=%s", secctx); 694 security_release_secctx(secctx, secctx_len); 695 } 696 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); 697 audit_log_end(audit_buf); 698 } 699 return ret_val; 700 } 701 702 /** 703 * netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry 704 * @net: network namespace 705 * @iface: interface entry 706 * @addr: IP address 707 * @mask: IP address mask 708 * @audit_info: NetLabel audit information 709 * 710 * Description: 711 * Remove an IP address entry from the unlabeled connection hash table. 712 * Returns zero on success, negative values on failure. The caller is 713 * responsible for calling the rcu_read_[un]lock() functions. 714 * 715 */ 716 static int netlbl_unlhsh_remove_addr4(struct net *net, 717 struct netlbl_unlhsh_iface *iface, 718 const struct in_addr *addr, 719 const struct in_addr *mask, 720 struct netlbl_audit *audit_info) 721 { 722 int ret_val = -ENOENT; 723 struct netlbl_unlhsh_addr4 *entry; 724 struct audit_buffer *audit_buf = NULL; 725 struct net_device *dev; 726 char *secctx = NULL; 727 u32 secctx_len; 728 729 spin_lock(&netlbl_unlhsh_lock); 730 entry = netlbl_unlhsh_search_addr4(addr->s_addr, iface); 731 if (entry != NULL && 732 entry->addr == addr->s_addr && entry->mask == mask->s_addr) { 733 entry->valid = 0; 734 list_del_rcu(&entry->list); 735 ret_val = 0; 736 } 737 spin_unlock(&netlbl_unlhsh_lock); 738 739 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL, 740 audit_info); 741 if (audit_buf != NULL) { 742 dev = dev_get_by_index(net, iface->ifindex); 743 netlbl_unlabel_audit_addr4(audit_buf, 744 (dev != NULL ? dev->name : NULL), 745 entry->addr, entry->mask); 746 if (dev != NULL) 747 dev_put(dev); 748 if (security_secid_to_secctx(entry->secid, 749 &secctx, 750 &secctx_len) == 0) { 751 audit_log_format(audit_buf, " sec_obj=%s", secctx); 752 security_release_secctx(secctx, secctx_len); 753 } 754 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); 755 audit_log_end(audit_buf); 756 } 757 758 if (ret_val == 0) 759 call_rcu(&entry->rcu, netlbl_unlhsh_free_addr4); 760 return ret_val; 761 } 762 763 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 764 /** 765 * netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry 766 * @net: network namespace 767 * @iface: interface entry 768 * @addr: IP address 769 * @mask: IP address mask 770 * @audit_info: NetLabel audit information 771 * 772 * Description: 773 * Remove an IP address entry from the unlabeled connection hash table. 774 * Returns zero on success, negative values on failure. The caller is 775 * responsible for calling the rcu_read_[un]lock() functions. 776 * 777 */ 778 static int netlbl_unlhsh_remove_addr6(struct net *net, 779 struct netlbl_unlhsh_iface *iface, 780 const struct in6_addr *addr, 781 const struct in6_addr *mask, 782 struct netlbl_audit *audit_info) 783 { 784 int ret_val = -ENOENT; 785 struct netlbl_unlhsh_addr6 *entry; 786 struct audit_buffer *audit_buf = NULL; 787 struct net_device *dev; 788 char *secctx = NULL; 789 u32 secctx_len; 790 791 spin_lock(&netlbl_unlhsh_lock); 792 entry = netlbl_unlhsh_search_addr6(addr, iface); 793 if (entry != NULL && 794 (ipv6_addr_equal(&entry->addr, addr) && 795 ipv6_addr_equal(&entry->mask, mask))) { 796 entry->valid = 0; 797 list_del_rcu(&entry->list); 798 ret_val = 0; 799 } 800 spin_unlock(&netlbl_unlhsh_lock); 801 802 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL, 803 audit_info); 804 if (audit_buf != NULL) { 805 dev = dev_get_by_index(net, iface->ifindex); 806 netlbl_unlabel_audit_addr6(audit_buf, 807 (dev != NULL ? dev->name : NULL), 808 addr, mask); 809 if (dev != NULL) 810 dev_put(dev); 811 if (security_secid_to_secctx(entry->secid, 812 &secctx, 813 &secctx_len) == 0) { 814 audit_log_format(audit_buf, " sec_obj=%s", secctx); 815 security_release_secctx(secctx, secctx_len); 816 } 817 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); 818 audit_log_end(audit_buf); 819 } 820 821 if (ret_val == 0) 822 call_rcu(&entry->rcu, netlbl_unlhsh_free_addr6); 823 return ret_val; 824 } 825 #endif /* IPv6 */ 826 827 /** 828 * netlbl_unlhsh_condremove_iface - Remove an interface entry 829 * @iface: the interface entry 830 * 831 * Description: 832 * Remove an interface entry from the unlabeled connection hash table if it is 833 * empty. An interface entry is considered to be empty if there are no 834 * address entries assigned to it. 835 * 836 */ 837 static void netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface *iface) 838 { 839 struct netlbl_unlhsh_addr4 *iter4; 840 struct netlbl_unlhsh_addr6 *iter6; 841 842 spin_lock(&netlbl_unlhsh_lock); 843 list_for_each_entry_rcu(iter4, &iface->addr4_list, list) 844 if (iter4->valid) 845 goto unlhsh_condremove_failure; 846 list_for_each_entry_rcu(iter6, &iface->addr6_list, list) 847 if (iter6->valid) 848 goto unlhsh_condremove_failure; 849 iface->valid = 0; 850 if (iface->ifindex > 0) 851 list_del_rcu(&iface->list); 852 else 853 rcu_assign_pointer(netlbl_unlhsh_def, NULL); 854 spin_unlock(&netlbl_unlhsh_lock); 855 856 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface); 857 return; 858 859 unlhsh_condremove_failure: 860 spin_unlock(&netlbl_unlhsh_lock); 861 return; 862 } 863 864 /** 865 * netlbl_unlhsh_remove - Remove an entry from the unlabeled hash table 866 * @net: network namespace 867 * @dev_name: interface name 868 * @addr: IP address in network byte order 869 * @mask: address mask in network byte order 870 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6) 871 * @audit_info: NetLabel audit information 872 * 873 * Description: 874 * Removes and existing entry from the unlabeled connection hash table. 875 * Returns zero on success, negative values on failure. 876 * 877 */ 878 static int netlbl_unlhsh_remove(struct net *net, 879 const char *dev_name, 880 const void *addr, 881 const void *mask, 882 u32 addr_len, 883 struct netlbl_audit *audit_info) 884 { 885 int ret_val; 886 struct net_device *dev; 887 struct netlbl_unlhsh_iface *iface; 888 889 if (addr_len != sizeof(struct in_addr) && 890 addr_len != sizeof(struct in6_addr)) 891 return -EINVAL; 892 893 rcu_read_lock(); 894 if (dev_name != NULL) { 895 dev = dev_get_by_name(net, dev_name); 896 if (dev == NULL) { 897 ret_val = -ENODEV; 898 goto unlhsh_remove_return; 899 } 900 iface = netlbl_unlhsh_search_iface(dev->ifindex); 901 dev_put(dev); 902 } else 903 iface = rcu_dereference(netlbl_unlhsh_def); 904 if (iface == NULL) { 905 ret_val = -ENOENT; 906 goto unlhsh_remove_return; 907 } 908 switch (addr_len) { 909 case sizeof(struct in_addr): 910 ret_val = netlbl_unlhsh_remove_addr4(net, 911 iface, addr, mask, 912 audit_info); 913 break; 914 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 915 case sizeof(struct in6_addr): 916 ret_val = netlbl_unlhsh_remove_addr6(net, 917 iface, addr, mask, 918 audit_info); 919 break; 920 #endif /* IPv6 */ 921 default: 922 ret_val = -EINVAL; 923 } 924 if (ret_val == 0) { 925 netlbl_unlhsh_condremove_iface(iface); 926 atomic_dec(&netlabel_mgmt_protocount); 927 } 928 929 unlhsh_remove_return: 930 rcu_read_unlock(); 931 return ret_val; 932 } 933 934 /* 935 * General Helper Functions 936 */ 937 938 /** 939 * netlbl_unlhsh_netdev_handler - Network device notification handler 940 * @this: notifier block 941 * @event: the event 942 * @ptr: the network device (cast to void) 943 * 944 * Description: 945 * Handle network device events, although at present all we care about is a 946 * network device going away. In the case of a device going away we clear any 947 * related entries from the unlabeled connection hash table. 948 * 949 */ 950 static int netlbl_unlhsh_netdev_handler(struct notifier_block *this, 951 unsigned long event, 952 void *ptr) 953 { 954 struct net_device *dev = ptr; 955 struct netlbl_unlhsh_iface *iface = NULL; 956 957 if (!net_eq(dev_net(dev), &init_net)) 958 return NOTIFY_DONE; 959 960 /* XXX - should this be a check for NETDEV_DOWN or _UNREGISTER? */ 961 if (event == NETDEV_DOWN) { 962 spin_lock(&netlbl_unlhsh_lock); 963 iface = netlbl_unlhsh_search_iface(dev->ifindex); 964 if (iface != NULL && iface->valid) { 965 iface->valid = 0; 966 list_del_rcu(&iface->list); 967 } else 968 iface = NULL; 969 spin_unlock(&netlbl_unlhsh_lock); 970 } 971 972 if (iface != NULL) 973 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface); 974 975 return NOTIFY_DONE; 976 } 977 978 /** 979 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag 980 * @value: desired value 981 * @audit_info: NetLabel audit information 982 * 983 * Description: 984 * Set the value of the unlabeled accept flag to @value. 985 * 986 */ 987 static void netlbl_unlabel_acceptflg_set(u8 value, 988 struct netlbl_audit *audit_info) 989 { 990 struct audit_buffer *audit_buf; 991 u8 old_val; 992 993 old_val = netlabel_unlabel_acceptflg; 994 netlabel_unlabel_acceptflg = value; 995 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW, 996 audit_info); 997 if (audit_buf != NULL) { 998 audit_log_format(audit_buf, 999 " unlbl_accept=%u old=%u", value, old_val); 1000 audit_log_end(audit_buf); 1001 } 1002 } 1003 1004 /** 1005 * netlbl_unlabel_addrinfo_get - Get the IPv4/6 address information 1006 * @info: the Generic NETLINK info block 1007 * @addr: the IP address 1008 * @mask: the IP address mask 1009 * @len: the address length 1010 * 1011 * Description: 1012 * Examine the Generic NETLINK message and extract the IP address information. 1013 * Returns zero on success, negative values on failure. 1014 * 1015 */ 1016 static int netlbl_unlabel_addrinfo_get(struct genl_info *info, 1017 void **addr, 1018 void **mask, 1019 u32 *len) 1020 { 1021 u32 addr_len; 1022 1023 if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR]) { 1024 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]); 1025 if (addr_len != sizeof(struct in_addr) && 1026 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK])) 1027 return -EINVAL; 1028 *len = addr_len; 1029 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]); 1030 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4MASK]); 1031 return 0; 1032 } else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR]) { 1033 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]); 1034 if (addr_len != sizeof(struct in6_addr) && 1035 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV6MASK])) 1036 return -EINVAL; 1037 *len = addr_len; 1038 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]); 1039 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6MASK]); 1040 return 0; 1041 } 1042 1043 return -EINVAL; 1044 } 1045 1046 /* 1047 * NetLabel Command Handlers 1048 */ 1049 1050 /** 1051 * netlbl_unlabel_accept - Handle an ACCEPT message 1052 * @skb: the NETLINK buffer 1053 * @info: the Generic NETLINK info block 1054 * 1055 * Description: 1056 * Process a user generated ACCEPT message and set the accept flag accordingly. 1057 * Returns zero on success, negative values on failure. 1058 * 1059 */ 1060 static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) 1061 { 1062 u8 value; 1063 struct netlbl_audit audit_info; 1064 1065 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { 1066 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); 1067 if (value == 1 || value == 0) { 1068 netlbl_netlink_auditinfo(skb, &audit_info); 1069 netlbl_unlabel_acceptflg_set(value, &audit_info); 1070 return 0; 1071 } 1072 } 1073 1074 return -EINVAL; 1075 } 1076 1077 /** 1078 * netlbl_unlabel_list - Handle a LIST message 1079 * @skb: the NETLINK buffer 1080 * @info: the Generic NETLINK info block 1081 * 1082 * Description: 1083 * Process a user generated LIST message and respond with the current status. 1084 * Returns zero on success, negative values on failure. 1085 * 1086 */ 1087 static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info) 1088 { 1089 int ret_val = -EINVAL; 1090 struct sk_buff *ans_skb; 1091 void *data; 1092 1093 ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1094 if (ans_skb == NULL) 1095 goto list_failure; 1096 data = genlmsg_put_reply(ans_skb, info, &netlbl_unlabel_gnl_family, 1097 0, NLBL_UNLABEL_C_LIST); 1098 if (data == NULL) { 1099 ret_val = -ENOMEM; 1100 goto list_failure; 1101 } 1102 1103 ret_val = nla_put_u8(ans_skb, 1104 NLBL_UNLABEL_A_ACPTFLG, 1105 netlabel_unlabel_acceptflg); 1106 if (ret_val != 0) 1107 goto list_failure; 1108 1109 genlmsg_end(ans_skb, data); 1110 return genlmsg_reply(ans_skb, info); 1111 1112 list_failure: 1113 kfree_skb(ans_skb); 1114 return ret_val; 1115 } 1116 1117 /** 1118 * netlbl_unlabel_staticadd - Handle a STATICADD message 1119 * @skb: the NETLINK buffer 1120 * @info: the Generic NETLINK info block 1121 * 1122 * Description: 1123 * Process a user generated STATICADD message and add a new unlabeled 1124 * connection entry to the hash table. Returns zero on success, negative 1125 * values on failure. 1126 * 1127 */ 1128 static int netlbl_unlabel_staticadd(struct sk_buff *skb, 1129 struct genl_info *info) 1130 { 1131 int ret_val; 1132 char *dev_name; 1133 void *addr; 1134 void *mask; 1135 u32 addr_len; 1136 u32 secid; 1137 struct netlbl_audit audit_info; 1138 1139 /* Don't allow users to add both IPv4 and IPv6 addresses for a 1140 * single entry. However, allow users to create two entries, one each 1141 * for IPv4 and IPv4, with the same LSM security context which should 1142 * achieve the same result. */ 1143 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] || 1144 !info->attrs[NLBL_UNLABEL_A_IFACE] || 1145 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] || 1146 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^ 1147 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] || 1148 !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) 1149 return -EINVAL; 1150 1151 netlbl_netlink_auditinfo(skb, &audit_info); 1152 1153 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); 1154 if (ret_val != 0) 1155 return ret_val; 1156 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]); 1157 ret_val = security_secctx_to_secid( 1158 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), 1159 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), 1160 &secid); 1161 if (ret_val != 0) 1162 return ret_val; 1163 1164 return netlbl_unlhsh_add(&init_net, 1165 dev_name, addr, mask, addr_len, secid, 1166 &audit_info); 1167 } 1168 1169 /** 1170 * netlbl_unlabel_staticadddef - Handle a STATICADDDEF message 1171 * @skb: the NETLINK buffer 1172 * @info: the Generic NETLINK info block 1173 * 1174 * Description: 1175 * Process a user generated STATICADDDEF message and add a new default 1176 * unlabeled connection entry. Returns zero on success, negative values on 1177 * failure. 1178 * 1179 */ 1180 static int netlbl_unlabel_staticadddef(struct sk_buff *skb, 1181 struct genl_info *info) 1182 { 1183 int ret_val; 1184 void *addr; 1185 void *mask; 1186 u32 addr_len; 1187 u32 secid; 1188 struct netlbl_audit audit_info; 1189 1190 /* Don't allow users to add both IPv4 and IPv6 addresses for a 1191 * single entry. However, allow users to create two entries, one each 1192 * for IPv4 and IPv6, with the same LSM security context which should 1193 * achieve the same result. */ 1194 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] || 1195 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] || 1196 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^ 1197 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] || 1198 !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) 1199 return -EINVAL; 1200 1201 netlbl_netlink_auditinfo(skb, &audit_info); 1202 1203 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); 1204 if (ret_val != 0) 1205 return ret_val; 1206 ret_val = security_secctx_to_secid( 1207 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), 1208 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), 1209 &secid); 1210 if (ret_val != 0) 1211 return ret_val; 1212 1213 return netlbl_unlhsh_add(&init_net, 1214 NULL, addr, mask, addr_len, secid, 1215 &audit_info); 1216 } 1217 1218 /** 1219 * netlbl_unlabel_staticremove - Handle a STATICREMOVE message 1220 * @skb: the NETLINK buffer 1221 * @info: the Generic NETLINK info block 1222 * 1223 * Description: 1224 * Process a user generated STATICREMOVE message and remove the specified 1225 * unlabeled connection entry. Returns zero on success, negative values on 1226 * failure. 1227 * 1228 */ 1229 static int netlbl_unlabel_staticremove(struct sk_buff *skb, 1230 struct genl_info *info) 1231 { 1232 int ret_val; 1233 char *dev_name; 1234 void *addr; 1235 void *mask; 1236 u32 addr_len; 1237 struct netlbl_audit audit_info; 1238 1239 /* See the note in netlbl_unlabel_staticadd() about not allowing both 1240 * IPv4 and IPv6 in the same entry. */ 1241 if (!info->attrs[NLBL_UNLABEL_A_IFACE] || 1242 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] || 1243 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^ 1244 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] || 1245 !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) 1246 return -EINVAL; 1247 1248 netlbl_netlink_auditinfo(skb, &audit_info); 1249 1250 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); 1251 if (ret_val != 0) 1252 return ret_val; 1253 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]); 1254 1255 return netlbl_unlhsh_remove(&init_net, 1256 dev_name, addr, mask, addr_len, 1257 &audit_info); 1258 } 1259 1260 /** 1261 * netlbl_unlabel_staticremovedef - Handle a STATICREMOVEDEF message 1262 * @skb: the NETLINK buffer 1263 * @info: the Generic NETLINK info block 1264 * 1265 * Description: 1266 * Process a user generated STATICREMOVEDEF message and remove the default 1267 * unlabeled connection entry. Returns zero on success, negative values on 1268 * failure. 1269 * 1270 */ 1271 static int netlbl_unlabel_staticremovedef(struct sk_buff *skb, 1272 struct genl_info *info) 1273 { 1274 int ret_val; 1275 void *addr; 1276 void *mask; 1277 u32 addr_len; 1278 struct netlbl_audit audit_info; 1279 1280 /* See the note in netlbl_unlabel_staticadd() about not allowing both 1281 * IPv4 and IPv6 in the same entry. */ 1282 if (!((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] || 1283 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^ 1284 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] || 1285 !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) 1286 return -EINVAL; 1287 1288 netlbl_netlink_auditinfo(skb, &audit_info); 1289 1290 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); 1291 if (ret_val != 0) 1292 return ret_val; 1293 1294 return netlbl_unlhsh_remove(&init_net, 1295 NULL, addr, mask, addr_len, 1296 &audit_info); 1297 } 1298 1299 1300 /** 1301 * netlbl_unlabel_staticlist_gen - Generate messages for STATICLIST[DEF] 1302 * @cmd: command/message 1303 * @iface: the interface entry 1304 * @addr4: the IPv4 address entry 1305 * @addr6: the IPv6 address entry 1306 * @arg: the netlbl_unlhsh_walk_arg structure 1307 * 1308 * Description: 1309 * This function is designed to be used to generate a response for a 1310 * STATICLIST or STATICLISTDEF message. When called either @addr4 or @addr6 1311 * can be specified, not both, the other unspecified entry should be set to 1312 * NULL by the caller. Returns the size of the message on success, negative 1313 * values on failure. 1314 * 1315 */ 1316 static int netlbl_unlabel_staticlist_gen(u32 cmd, 1317 const struct netlbl_unlhsh_iface *iface, 1318 const struct netlbl_unlhsh_addr4 *addr4, 1319 const struct netlbl_unlhsh_addr6 *addr6, 1320 void *arg) 1321 { 1322 int ret_val = -ENOMEM; 1323 struct netlbl_unlhsh_walk_arg *cb_arg = arg; 1324 struct net_device *dev; 1325 void *data; 1326 u32 secid; 1327 char *secctx; 1328 u32 secctx_len; 1329 1330 data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).pid, 1331 cb_arg->seq, &netlbl_unlabel_gnl_family, 1332 NLM_F_MULTI, cmd); 1333 if (data == NULL) 1334 goto list_cb_failure; 1335 1336 if (iface->ifindex > 0) { 1337 dev = dev_get_by_index(&init_net, iface->ifindex); 1338 if (!dev) { 1339 ret_val = -ENODEV; 1340 goto list_cb_failure; 1341 } 1342 ret_val = nla_put_string(cb_arg->skb, 1343 NLBL_UNLABEL_A_IFACE, dev->name); 1344 dev_put(dev); 1345 if (ret_val != 0) 1346 goto list_cb_failure; 1347 } 1348 1349 if (addr4) { 1350 struct in_addr addr_struct; 1351 1352 addr_struct.s_addr = addr4->addr; 1353 ret_val = nla_put(cb_arg->skb, 1354 NLBL_UNLABEL_A_IPV4ADDR, 1355 sizeof(struct in_addr), 1356 &addr_struct); 1357 if (ret_val != 0) 1358 goto list_cb_failure; 1359 1360 addr_struct.s_addr = addr4->mask; 1361 ret_val = nla_put(cb_arg->skb, 1362 NLBL_UNLABEL_A_IPV4MASK, 1363 sizeof(struct in_addr), 1364 &addr_struct); 1365 if (ret_val != 0) 1366 goto list_cb_failure; 1367 1368 secid = addr4->secid; 1369 } else { 1370 ret_val = nla_put(cb_arg->skb, 1371 NLBL_UNLABEL_A_IPV6ADDR, 1372 sizeof(struct in6_addr), 1373 &addr6->addr); 1374 if (ret_val != 0) 1375 goto list_cb_failure; 1376 1377 ret_val = nla_put(cb_arg->skb, 1378 NLBL_UNLABEL_A_IPV6MASK, 1379 sizeof(struct in6_addr), 1380 &addr6->mask); 1381 if (ret_val != 0) 1382 goto list_cb_failure; 1383 1384 secid = addr6->secid; 1385 } 1386 1387 ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); 1388 if (ret_val != 0) 1389 goto list_cb_failure; 1390 ret_val = nla_put(cb_arg->skb, 1391 NLBL_UNLABEL_A_SECCTX, 1392 secctx_len, 1393 secctx); 1394 security_release_secctx(secctx, secctx_len); 1395 if (ret_val != 0) 1396 goto list_cb_failure; 1397 1398 cb_arg->seq++; 1399 return genlmsg_end(cb_arg->skb, data); 1400 1401 list_cb_failure: 1402 genlmsg_cancel(cb_arg->skb, data); 1403 return ret_val; 1404 } 1405 1406 /** 1407 * netlbl_unlabel_staticlist - Handle a STATICLIST message 1408 * @skb: the NETLINK buffer 1409 * @cb: the NETLINK callback 1410 * 1411 * Description: 1412 * Process a user generated STATICLIST message and dump the unlabeled 1413 * connection hash table in a form suitable for use in a kernel generated 1414 * STATICLIST message. Returns the length of @skb. 1415 * 1416 */ 1417 static int netlbl_unlabel_staticlist(struct sk_buff *skb, 1418 struct netlink_callback *cb) 1419 { 1420 struct netlbl_unlhsh_walk_arg cb_arg; 1421 u32 skip_bkt = cb->args[0]; 1422 u32 skip_chain = cb->args[1]; 1423 u32 skip_addr4 = cb->args[2]; 1424 u32 skip_addr6 = cb->args[3]; 1425 u32 iter_bkt; 1426 u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0; 1427 struct netlbl_unlhsh_iface *iface; 1428 struct netlbl_unlhsh_addr4 *addr4; 1429 struct netlbl_unlhsh_addr6 *addr6; 1430 1431 cb_arg.nl_cb = cb; 1432 cb_arg.skb = skb; 1433 cb_arg.seq = cb->nlh->nlmsg_seq; 1434 1435 rcu_read_lock(); 1436 for (iter_bkt = skip_bkt; 1437 iter_bkt < rcu_dereference(netlbl_unlhsh)->size; 1438 iter_bkt++, iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0) { 1439 list_for_each_entry_rcu(iface, 1440 &rcu_dereference(netlbl_unlhsh)->tbl[iter_bkt], 1441 list) { 1442 if (!iface->valid || 1443 iter_chain++ < skip_chain) 1444 continue; 1445 list_for_each_entry_rcu(addr4, 1446 &iface->addr4_list, 1447 list) { 1448 if (!addr4->valid || iter_addr4++ < skip_addr4) 1449 continue; 1450 if (netlbl_unlabel_staticlist_gen( 1451 NLBL_UNLABEL_C_STATICLIST, 1452 iface, 1453 addr4, 1454 NULL, 1455 &cb_arg) < 0) { 1456 iter_addr4--; 1457 iter_chain--; 1458 goto unlabel_staticlist_return; 1459 } 1460 } 1461 list_for_each_entry_rcu(addr6, 1462 &iface->addr6_list, 1463 list) { 1464 if (!addr6->valid || iter_addr6++ < skip_addr6) 1465 continue; 1466 if (netlbl_unlabel_staticlist_gen( 1467 NLBL_UNLABEL_C_STATICLIST, 1468 iface, 1469 NULL, 1470 addr6, 1471 &cb_arg) < 0) { 1472 iter_addr6--; 1473 iter_chain--; 1474 goto unlabel_staticlist_return; 1475 } 1476 } 1477 } 1478 } 1479 1480 unlabel_staticlist_return: 1481 rcu_read_unlock(); 1482 cb->args[0] = skip_bkt; 1483 cb->args[1] = skip_chain; 1484 cb->args[2] = skip_addr4; 1485 cb->args[3] = skip_addr6; 1486 return skb->len; 1487 } 1488 1489 /** 1490 * netlbl_unlabel_staticlistdef - Handle a STATICLISTDEF message 1491 * @skb: the NETLINK buffer 1492 * @cb: the NETLINK callback 1493 * 1494 * Description: 1495 * Process a user generated STATICLISTDEF message and dump the default 1496 * unlabeled connection entry in a form suitable for use in a kernel generated 1497 * STATICLISTDEF message. Returns the length of @skb. 1498 * 1499 */ 1500 static int netlbl_unlabel_staticlistdef(struct sk_buff *skb, 1501 struct netlink_callback *cb) 1502 { 1503 struct netlbl_unlhsh_walk_arg cb_arg; 1504 struct netlbl_unlhsh_iface *iface; 1505 u32 skip_addr4 = cb->args[0]; 1506 u32 skip_addr6 = cb->args[1]; 1507 u32 iter_addr4 = 0, iter_addr6 = 0; 1508 struct netlbl_unlhsh_addr4 *addr4; 1509 struct netlbl_unlhsh_addr6 *addr6; 1510 1511 cb_arg.nl_cb = cb; 1512 cb_arg.skb = skb; 1513 cb_arg.seq = cb->nlh->nlmsg_seq; 1514 1515 rcu_read_lock(); 1516 iface = rcu_dereference(netlbl_unlhsh_def); 1517 if (iface == NULL || !iface->valid) 1518 goto unlabel_staticlistdef_return; 1519 1520 list_for_each_entry_rcu(addr4, &iface->addr4_list, list) { 1521 if (!addr4->valid || iter_addr4++ < skip_addr4) 1522 continue; 1523 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF, 1524 iface, 1525 addr4, 1526 NULL, 1527 &cb_arg) < 0) { 1528 iter_addr4--; 1529 goto unlabel_staticlistdef_return; 1530 } 1531 } 1532 list_for_each_entry_rcu(addr6, &iface->addr6_list, list) { 1533 if (!addr6->valid || iter_addr6++ < skip_addr6) 1534 continue; 1535 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF, 1536 iface, 1537 NULL, 1538 addr6, 1539 &cb_arg) < 0) { 1540 iter_addr6--; 1541 goto unlabel_staticlistdef_return; 1542 } 1543 } 1544 1545 unlabel_staticlistdef_return: 1546 rcu_read_unlock(); 1547 cb->args[0] = skip_addr4; 1548 cb->args[1] = skip_addr6; 1549 return skb->len; 1550 } 1551 1552 /* 1553 * NetLabel Generic NETLINK Command Definitions 1554 */ 1555 1556 static struct genl_ops netlbl_unlabel_genl_ops[] = { 1557 { 1558 .cmd = NLBL_UNLABEL_C_STATICADD, 1559 .flags = GENL_ADMIN_PERM, 1560 .policy = netlbl_unlabel_genl_policy, 1561 .doit = netlbl_unlabel_staticadd, 1562 .dumpit = NULL, 1563 }, 1564 { 1565 .cmd = NLBL_UNLABEL_C_STATICREMOVE, 1566 .flags = GENL_ADMIN_PERM, 1567 .policy = netlbl_unlabel_genl_policy, 1568 .doit = netlbl_unlabel_staticremove, 1569 .dumpit = NULL, 1570 }, 1571 { 1572 .cmd = NLBL_UNLABEL_C_STATICLIST, 1573 .flags = 0, 1574 .policy = netlbl_unlabel_genl_policy, 1575 .doit = NULL, 1576 .dumpit = netlbl_unlabel_staticlist, 1577 }, 1578 { 1579 .cmd = NLBL_UNLABEL_C_STATICADDDEF, 1580 .flags = GENL_ADMIN_PERM, 1581 .policy = netlbl_unlabel_genl_policy, 1582 .doit = netlbl_unlabel_staticadddef, 1583 .dumpit = NULL, 1584 }, 1585 { 1586 .cmd = NLBL_UNLABEL_C_STATICREMOVEDEF, 1587 .flags = GENL_ADMIN_PERM, 1588 .policy = netlbl_unlabel_genl_policy, 1589 .doit = netlbl_unlabel_staticremovedef, 1590 .dumpit = NULL, 1591 }, 1592 { 1593 .cmd = NLBL_UNLABEL_C_STATICLISTDEF, 1594 .flags = 0, 1595 .policy = netlbl_unlabel_genl_policy, 1596 .doit = NULL, 1597 .dumpit = netlbl_unlabel_staticlistdef, 1598 }, 1599 { 1600 .cmd = NLBL_UNLABEL_C_ACCEPT, 1601 .flags = GENL_ADMIN_PERM, 1602 .policy = netlbl_unlabel_genl_policy, 1603 .doit = netlbl_unlabel_accept, 1604 .dumpit = NULL, 1605 }, 1606 { 1607 .cmd = NLBL_UNLABEL_C_LIST, 1608 .flags = 0, 1609 .policy = netlbl_unlabel_genl_policy, 1610 .doit = netlbl_unlabel_list, 1611 .dumpit = NULL, 1612 }, 1613 }; 1614 1615 /* 1616 * NetLabel Generic NETLINK Protocol Functions 1617 */ 1618 1619 /** 1620 * netlbl_unlabel_genl_init - Register the Unlabeled NetLabel component 1621 * 1622 * Description: 1623 * Register the unlabeled packet NetLabel component with the Generic NETLINK 1624 * mechanism. Returns zero on success, negative values on failure. 1625 * 1626 */ 1627 int __init netlbl_unlabel_genl_init(void) 1628 { 1629 int ret_val, i; 1630 1631 ret_val = genl_register_family(&netlbl_unlabel_gnl_family); 1632 if (ret_val != 0) 1633 return ret_val; 1634 1635 for (i = 0; i < ARRAY_SIZE(netlbl_unlabel_genl_ops); i++) { 1636 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family, 1637 &netlbl_unlabel_genl_ops[i]); 1638 if (ret_val != 0) 1639 return ret_val; 1640 } 1641 1642 return 0; 1643 } 1644 1645 /* 1646 * NetLabel KAPI Hooks 1647 */ 1648 1649 static struct notifier_block netlbl_unlhsh_netdev_notifier = { 1650 .notifier_call = netlbl_unlhsh_netdev_handler, 1651 }; 1652 1653 /** 1654 * netlbl_unlabel_init - Initialize the unlabeled connection hash table 1655 * @size: the number of bits to use for the hash buckets 1656 * 1657 * Description: 1658 * Initializes the unlabeled connection hash table and registers a network 1659 * device notification handler. This function should only be called by the 1660 * NetLabel subsystem itself during initialization. Returns zero on success, 1661 * non-zero values on error. 1662 * 1663 */ 1664 int __init netlbl_unlabel_init(u32 size) 1665 { 1666 u32 iter; 1667 struct netlbl_unlhsh_tbl *hsh_tbl; 1668 1669 if (size == 0) 1670 return -EINVAL; 1671 1672 hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL); 1673 if (hsh_tbl == NULL) 1674 return -ENOMEM; 1675 hsh_tbl->size = 1 << size; 1676 hsh_tbl->tbl = kcalloc(hsh_tbl->size, 1677 sizeof(struct list_head), 1678 GFP_KERNEL); 1679 if (hsh_tbl->tbl == NULL) { 1680 kfree(hsh_tbl); 1681 return -ENOMEM; 1682 } 1683 for (iter = 0; iter < hsh_tbl->size; iter++) 1684 INIT_LIST_HEAD(&hsh_tbl->tbl[iter]); 1685 1686 rcu_read_lock(); 1687 spin_lock(&netlbl_unlhsh_lock); 1688 rcu_assign_pointer(netlbl_unlhsh, hsh_tbl); 1689 spin_unlock(&netlbl_unlhsh_lock); 1690 rcu_read_unlock(); 1691 1692 register_netdevice_notifier(&netlbl_unlhsh_netdev_notifier); 1693 1694 return 0; 1695 } 1696 1697 /** 1698 * netlbl_unlabel_getattr - Get the security attributes for an unlabled packet 1699 * @skb: the packet 1700 * @family: protocol family 1701 * @secattr: the security attributes 1702 * 1703 * Description: 1704 * Determine the security attributes, if any, for an unlabled packet and return 1705 * them in @secattr. Returns zero on success and negative values on failure. 1706 * 1707 */ 1708 int netlbl_unlabel_getattr(const struct sk_buff *skb, 1709 u16 family, 1710 struct netlbl_lsm_secattr *secattr) 1711 { 1712 struct netlbl_unlhsh_iface *iface; 1713 1714 rcu_read_lock(); 1715 iface = netlbl_unlhsh_search_iface_def(skb->iif); 1716 if (iface == NULL) 1717 goto unlabel_getattr_nolabel; 1718 switch (family) { 1719 case PF_INET: { 1720 struct iphdr *hdr4; 1721 struct netlbl_unlhsh_addr4 *addr4; 1722 1723 hdr4 = ip_hdr(skb); 1724 addr4 = netlbl_unlhsh_search_addr4(hdr4->saddr, iface); 1725 if (addr4 == NULL) 1726 goto unlabel_getattr_nolabel; 1727 secattr->attr.secid = addr4->secid; 1728 break; 1729 } 1730 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 1731 case PF_INET6: { 1732 struct ipv6hdr *hdr6; 1733 struct netlbl_unlhsh_addr6 *addr6; 1734 1735 hdr6 = ipv6_hdr(skb); 1736 addr6 = netlbl_unlhsh_search_addr6(&hdr6->saddr, iface); 1737 if (addr6 == NULL) 1738 goto unlabel_getattr_nolabel; 1739 secattr->attr.secid = addr6->secid; 1740 break; 1741 } 1742 #endif /* IPv6 */ 1743 default: 1744 goto unlabel_getattr_nolabel; 1745 } 1746 rcu_read_unlock(); 1747 1748 secattr->flags |= NETLBL_SECATTR_SECID; 1749 secattr->type = NETLBL_NLTYPE_UNLABELED; 1750 return 0; 1751 1752 unlabel_getattr_nolabel: 1753 rcu_read_unlock(); 1754 if (netlabel_unlabel_acceptflg == 0) 1755 return -ENOMSG; 1756 secattr->type = NETLBL_NLTYPE_UNLABELED; 1757 return 0; 1758 } 1759 1760 /** 1761 * netlbl_unlabel_defconf - Set the default config to allow unlabeled packets 1762 * 1763 * Description: 1764 * Set the default NetLabel configuration to allow incoming unlabeled packets 1765 * and to send unlabeled network traffic by default. 1766 * 1767 */ 1768 int __init netlbl_unlabel_defconf(void) 1769 { 1770 int ret_val; 1771 struct netlbl_dom_map *entry; 1772 struct netlbl_audit audit_info; 1773 1774 /* Only the kernel is allowed to call this function and the only time 1775 * it is called is at bootup before the audit subsystem is reporting 1776 * messages so don't worry to much about these values. */ 1777 security_task_getsecid(current, &audit_info.secid); 1778 audit_info.loginuid = 0; 1779 audit_info.sessionid = 0; 1780 1781 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1782 if (entry == NULL) 1783 return -ENOMEM; 1784 entry->type = NETLBL_NLTYPE_UNLABELED; 1785 ret_val = netlbl_domhsh_add_default(entry, &audit_info); 1786 if (ret_val != 0) 1787 return ret_val; 1788 1789 netlbl_unlabel_acceptflg_set(1, &audit_info); 1790 1791 return 0; 1792 } 1793