1 /* 2 * NetLabel Unlabeled Support 3 * 4 * This file defines functions for dealing with unlabeled packets for the 5 * NetLabel system. The NetLabel system manages static and dynamic label 6 * mappings for network protocols such as CIPSO and RIPSO. 7 * 8 * Author: Paul Moore <paul.moore@hp.com> 9 * 10 */ 11 12 /* 13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - 2008 14 * 15 * This program is free software; you can redistribute it and/or modify 16 * it under the terms of the GNU General Public License as published by 17 * the Free Software Foundation; either version 2 of the License, or 18 * (at your option) any later version. 19 * 20 * This program is distributed in the hope that it will be useful, 21 * but WITHOUT ANY WARRANTY; without even the implied warranty of 22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 23 * the GNU General Public License for more details. 24 * 25 * You should have received a copy of the GNU General Public License 26 * along with this program; if not, write to the Free Software 27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 28 * 29 */ 30 31 #include <linux/types.h> 32 #include <linux/rcupdate.h> 33 #include <linux/list.h> 34 #include <linux/spinlock.h> 35 #include <linux/socket.h> 36 #include <linux/string.h> 37 #include <linux/skbuff.h> 38 #include <linux/audit.h> 39 #include <linux/in.h> 40 #include <linux/in6.h> 41 #include <linux/ip.h> 42 #include <linux/ipv6.h> 43 #include <linux/notifier.h> 44 #include <linux/netdevice.h> 45 #include <linux/security.h> 46 #include <net/sock.h> 47 #include <net/netlink.h> 48 #include <net/genetlink.h> 49 #include <net/ip.h> 50 #include <net/ipv6.h> 51 #include <net/net_namespace.h> 52 #include <net/netlabel.h> 53 #include <asm/bug.h> 54 #include <asm/atomic.h> 55 56 #include "netlabel_user.h" 57 #include "netlabel_addrlist.h" 58 #include "netlabel_domainhash.h" 59 #include "netlabel_unlabeled.h" 60 #include "netlabel_mgmt.h" 61 62 /* NOTE: at present we always use init's network namespace since we don't 63 * presently support different namespaces even though the majority of 64 * the functions in this file are "namespace safe" */ 65 66 /* The unlabeled connection hash table which we use to map network interfaces 67 * and addresses of unlabeled packets to a user specified secid value for the 68 * LSM. The hash table is used to lookup the network interface entry 69 * (struct netlbl_unlhsh_iface) and then the interface entry is used to 70 * lookup an IP address match from an ordered list. If a network interface 71 * match can not be found in the hash table then the default entry 72 * (netlbl_unlhsh_def) is used. The IP address entry list 73 * (struct netlbl_unlhsh_addr) is ordered such that the entries with a 74 * larger netmask come first. 75 */ 76 struct netlbl_unlhsh_tbl { 77 struct list_head *tbl; 78 u32 size; 79 }; 80 #define netlbl_unlhsh_addr4_entry(iter) \ 81 container_of(iter, struct netlbl_unlhsh_addr4, list) 82 struct netlbl_unlhsh_addr4 { 83 u32 secid; 84 85 struct netlbl_af4list list; 86 struct rcu_head rcu; 87 }; 88 #define netlbl_unlhsh_addr6_entry(iter) \ 89 container_of(iter, struct netlbl_unlhsh_addr6, list) 90 struct netlbl_unlhsh_addr6 { 91 u32 secid; 92 93 struct netlbl_af6list list; 94 struct rcu_head rcu; 95 }; 96 struct netlbl_unlhsh_iface { 97 int ifindex; 98 struct list_head addr4_list; 99 struct list_head addr6_list; 100 101 u32 valid; 102 struct list_head list; 103 struct rcu_head rcu; 104 }; 105 106 /* Argument struct for netlbl_unlhsh_walk() */ 107 struct netlbl_unlhsh_walk_arg { 108 struct netlink_callback *nl_cb; 109 struct sk_buff *skb; 110 u32 seq; 111 }; 112 113 /* Unlabeled connection hash table */ 114 /* updates should be so rare that having one spinlock for the entire 115 * hash table should be okay */ 116 static DEFINE_SPINLOCK(netlbl_unlhsh_lock); 117 static struct netlbl_unlhsh_tbl *netlbl_unlhsh = NULL; 118 static struct netlbl_unlhsh_iface *netlbl_unlhsh_def = NULL; 119 120 /* Accept unlabeled packets flag */ 121 static u8 netlabel_unlabel_acceptflg = 0; 122 123 /* NetLabel Generic NETLINK unlabeled family */ 124 static struct genl_family netlbl_unlabel_gnl_family = { 125 .id = GENL_ID_GENERATE, 126 .hdrsize = 0, 127 .name = NETLBL_NLTYPE_UNLABELED_NAME, 128 .version = NETLBL_PROTO_VERSION, 129 .maxattr = NLBL_UNLABEL_A_MAX, 130 }; 131 132 /* NetLabel Netlink attribute policy */ 133 static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = { 134 [NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 }, 135 [NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY, 136 .len = sizeof(struct in6_addr) }, 137 [NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY, 138 .len = sizeof(struct in6_addr) }, 139 [NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY, 140 .len = sizeof(struct in_addr) }, 141 [NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY, 142 .len = sizeof(struct in_addr) }, 143 [NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING, 144 .len = IFNAMSIZ - 1 }, 145 [NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY } 146 }; 147 148 /* 149 * Unlabeled Connection Hash Table Functions 150 */ 151 152 /** 153 * netlbl_unlhsh_free_addr4 - Frees an IPv4 address entry from the hash table 154 * @entry: the entry's RCU field 155 * 156 * Description: 157 * This function is designed to be used as a callback to the call_rcu() 158 * function so that memory allocated to a hash table address entry can be 159 * released safely. 160 * 161 */ 162 static void netlbl_unlhsh_free_addr4(struct rcu_head *entry) 163 { 164 struct netlbl_unlhsh_addr4 *ptr; 165 166 ptr = container_of(entry, struct netlbl_unlhsh_addr4, rcu); 167 kfree(ptr); 168 } 169 170 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 171 /** 172 * netlbl_unlhsh_free_addr6 - Frees an IPv6 address entry from the hash table 173 * @entry: the entry's RCU field 174 * 175 * Description: 176 * This function is designed to be used as a callback to the call_rcu() 177 * function so that memory allocated to a hash table address entry can be 178 * released safely. 179 * 180 */ 181 static void netlbl_unlhsh_free_addr6(struct rcu_head *entry) 182 { 183 struct netlbl_unlhsh_addr6 *ptr; 184 185 ptr = container_of(entry, struct netlbl_unlhsh_addr6, rcu); 186 kfree(ptr); 187 } 188 #endif /* IPv6 */ 189 190 /** 191 * netlbl_unlhsh_free_iface - Frees an interface entry from the hash table 192 * @entry: the entry's RCU field 193 * 194 * Description: 195 * This function is designed to be used as a callback to the call_rcu() 196 * function so that memory allocated to a hash table interface entry can be 197 * released safely. It is important to note that this function does not free 198 * the IPv4 and IPv6 address lists contained as part of an interface entry. It 199 * is up to the rest of the code to make sure an interface entry is only freed 200 * once it's address lists are empty. 201 * 202 */ 203 static void netlbl_unlhsh_free_iface(struct rcu_head *entry) 204 { 205 struct netlbl_unlhsh_iface *iface; 206 struct netlbl_af4list *iter4; 207 struct netlbl_af4list *tmp4; 208 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 209 struct netlbl_af6list *iter6; 210 struct netlbl_af6list *tmp6; 211 #endif /* IPv6 */ 212 213 iface = container_of(entry, struct netlbl_unlhsh_iface, rcu); 214 215 /* no need for locks here since we are the only one with access to this 216 * structure */ 217 218 netlbl_af4list_foreach_safe(iter4, tmp4, &iface->addr4_list) { 219 netlbl_af4list_remove_entry(iter4); 220 kfree(netlbl_unlhsh_addr4_entry(iter4)); 221 } 222 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 223 netlbl_af6list_foreach_safe(iter6, tmp6, &iface->addr6_list) { 224 netlbl_af6list_remove_entry(iter6); 225 kfree(netlbl_unlhsh_addr6_entry(iter6)); 226 } 227 #endif /* IPv6 */ 228 kfree(iface); 229 } 230 231 /** 232 * netlbl_unlhsh_hash - Hashing function for the hash table 233 * @ifindex: the network interface/device to hash 234 * 235 * Description: 236 * This is the hashing function for the unlabeled hash table, it returns the 237 * bucket number for the given device/interface. The caller is responsible for 238 * calling the rcu_read_[un]lock() functions. 239 * 240 */ 241 static u32 netlbl_unlhsh_hash(int ifindex) 242 { 243 /* this is taken _almost_ directly from 244 * security/selinux/netif.c:sel_netif_hasfn() as they do pretty much 245 * the same thing */ 246 return ifindex & (rcu_dereference(netlbl_unlhsh)->size - 1); 247 } 248 249 /** 250 * netlbl_unlhsh_search_iface - Search for a matching interface entry 251 * @ifindex: the network interface 252 * 253 * Description: 254 * Searches the unlabeled connection hash table and returns a pointer to the 255 * interface entry which matches @ifindex, otherwise NULL is returned. The 256 * caller is responsible for calling the rcu_read_[un]lock() functions. 257 * 258 */ 259 static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex) 260 { 261 u32 bkt; 262 struct list_head *bkt_list; 263 struct netlbl_unlhsh_iface *iter; 264 265 bkt = netlbl_unlhsh_hash(ifindex); 266 bkt_list = &rcu_dereference(netlbl_unlhsh)->tbl[bkt]; 267 list_for_each_entry_rcu(iter, bkt_list, list) 268 if (iter->valid && iter->ifindex == ifindex) 269 return iter; 270 271 return NULL; 272 } 273 274 /** 275 * netlbl_unlhsh_search_iface_def - Search for a matching interface entry 276 * @ifindex: the network interface 277 * 278 * Description: 279 * Searches the unlabeled connection hash table and returns a pointer to the 280 * interface entry which matches @ifindex. If an exact match can not be found 281 * and there is a valid default entry, the default entry is returned, otherwise 282 * NULL is returned. The caller is responsible for calling the 283 * rcu_read_[un]lock() functions. 284 * 285 */ 286 static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface_def(int ifindex) 287 { 288 struct netlbl_unlhsh_iface *entry; 289 290 entry = netlbl_unlhsh_search_iface(ifindex); 291 if (entry != NULL) 292 return entry; 293 294 entry = rcu_dereference(netlbl_unlhsh_def); 295 if (entry != NULL && entry->valid) 296 return entry; 297 298 return NULL; 299 } 300 301 /** 302 * netlbl_unlhsh_add_addr4 - Add a new IPv4 address entry to the hash table 303 * @iface: the associated interface entry 304 * @addr: IPv4 address in network byte order 305 * @mask: IPv4 address mask in network byte order 306 * @secid: LSM secid value for entry 307 * 308 * Description: 309 * Add a new address entry into the unlabeled connection hash table using the 310 * interface entry specified by @iface. On success zero is returned, otherwise 311 * a negative value is returned. The caller is responsible for calling the 312 * rcu_read_[un]lock() functions. 313 * 314 */ 315 static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface, 316 const struct in_addr *addr, 317 const struct in_addr *mask, 318 u32 secid) 319 { 320 int ret_val; 321 struct netlbl_unlhsh_addr4 *entry; 322 323 entry = kzalloc(sizeof(*entry), GFP_ATOMIC); 324 if (entry == NULL) 325 return -ENOMEM; 326 327 entry->list.addr = addr->s_addr & mask->s_addr; 328 entry->list.mask = mask->s_addr; 329 entry->list.valid = 1; 330 INIT_RCU_HEAD(&entry->rcu); 331 entry->secid = secid; 332 333 spin_lock(&netlbl_unlhsh_lock); 334 ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list); 335 spin_unlock(&netlbl_unlhsh_lock); 336 337 if (ret_val != 0) 338 kfree(entry); 339 return ret_val; 340 } 341 342 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 343 /** 344 * netlbl_unlhsh_add_addr6 - Add a new IPv6 address entry to the hash table 345 * @iface: the associated interface entry 346 * @addr: IPv6 address in network byte order 347 * @mask: IPv6 address mask in network byte order 348 * @secid: LSM secid value for entry 349 * 350 * Description: 351 * Add a new address entry into the unlabeled connection hash table using the 352 * interface entry specified by @iface. On success zero is returned, otherwise 353 * a negative value is returned. The caller is responsible for calling the 354 * rcu_read_[un]lock() functions. 355 * 356 */ 357 static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface, 358 const struct in6_addr *addr, 359 const struct in6_addr *mask, 360 u32 secid) 361 { 362 int ret_val; 363 struct netlbl_unlhsh_addr6 *entry; 364 365 entry = kzalloc(sizeof(*entry), GFP_ATOMIC); 366 if (entry == NULL) 367 return -ENOMEM; 368 369 ipv6_addr_copy(&entry->list.addr, addr); 370 entry->list.addr.s6_addr32[0] &= mask->s6_addr32[0]; 371 entry->list.addr.s6_addr32[1] &= mask->s6_addr32[1]; 372 entry->list.addr.s6_addr32[2] &= mask->s6_addr32[2]; 373 entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3]; 374 ipv6_addr_copy(&entry->list.mask, mask); 375 entry->list.valid = 1; 376 INIT_RCU_HEAD(&entry->rcu); 377 entry->secid = secid; 378 379 spin_lock(&netlbl_unlhsh_lock); 380 ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list); 381 spin_unlock(&netlbl_unlhsh_lock); 382 383 if (ret_val != 0) 384 kfree(entry); 385 return 0; 386 } 387 #endif /* IPv6 */ 388 389 /** 390 * netlbl_unlhsh_add_iface - Adds a new interface entry to the hash table 391 * @ifindex: network interface 392 * 393 * Description: 394 * Add a new, empty, interface entry into the unlabeled connection hash table. 395 * On success a pointer to the new interface entry is returned, on failure NULL 396 * is returned. The caller is responsible for calling the rcu_read_[un]lock() 397 * functions. 398 * 399 */ 400 static struct netlbl_unlhsh_iface *netlbl_unlhsh_add_iface(int ifindex) 401 { 402 u32 bkt; 403 struct netlbl_unlhsh_iface *iface; 404 405 iface = kzalloc(sizeof(*iface), GFP_ATOMIC); 406 if (iface == NULL) 407 return NULL; 408 409 iface->ifindex = ifindex; 410 INIT_LIST_HEAD(&iface->addr4_list); 411 INIT_LIST_HEAD(&iface->addr6_list); 412 iface->valid = 1; 413 INIT_RCU_HEAD(&iface->rcu); 414 415 spin_lock(&netlbl_unlhsh_lock); 416 if (ifindex > 0) { 417 bkt = netlbl_unlhsh_hash(ifindex); 418 if (netlbl_unlhsh_search_iface(ifindex) != NULL) 419 goto add_iface_failure; 420 list_add_tail_rcu(&iface->list, 421 &rcu_dereference(netlbl_unlhsh)->tbl[bkt]); 422 } else { 423 INIT_LIST_HEAD(&iface->list); 424 if (rcu_dereference(netlbl_unlhsh_def) != NULL) 425 goto add_iface_failure; 426 rcu_assign_pointer(netlbl_unlhsh_def, iface); 427 } 428 spin_unlock(&netlbl_unlhsh_lock); 429 430 return iface; 431 432 add_iface_failure: 433 spin_unlock(&netlbl_unlhsh_lock); 434 kfree(iface); 435 return NULL; 436 } 437 438 /** 439 * netlbl_unlhsh_add - Adds a new entry to the unlabeled connection hash table 440 * @net: network namespace 441 * @dev_name: interface name 442 * @addr: IP address in network byte order 443 * @mask: address mask in network byte order 444 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6) 445 * @secid: LSM secid value for the entry 446 * @audit_info: NetLabel audit information 447 * 448 * Description: 449 * Adds a new entry to the unlabeled connection hash table. Returns zero on 450 * success, negative values on failure. 451 * 452 */ 453 int netlbl_unlhsh_add(struct net *net, 454 const char *dev_name, 455 const void *addr, 456 const void *mask, 457 u32 addr_len, 458 u32 secid, 459 struct netlbl_audit *audit_info) 460 { 461 int ret_val; 462 int ifindex; 463 struct net_device *dev; 464 struct netlbl_unlhsh_iface *iface; 465 struct audit_buffer *audit_buf = NULL; 466 char *secctx = NULL; 467 u32 secctx_len; 468 469 if (addr_len != sizeof(struct in_addr) && 470 addr_len != sizeof(struct in6_addr)) 471 return -EINVAL; 472 473 rcu_read_lock(); 474 if (dev_name != NULL) { 475 dev = dev_get_by_name_rcu(net, dev_name); 476 if (dev == NULL) { 477 ret_val = -ENODEV; 478 goto unlhsh_add_return; 479 } 480 ifindex = dev->ifindex; 481 iface = netlbl_unlhsh_search_iface(ifindex); 482 } else { 483 ifindex = 0; 484 iface = rcu_dereference(netlbl_unlhsh_def); 485 } 486 if (iface == NULL) { 487 iface = netlbl_unlhsh_add_iface(ifindex); 488 if (iface == NULL) { 489 ret_val = -ENOMEM; 490 goto unlhsh_add_return; 491 } 492 } 493 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD, 494 audit_info); 495 switch (addr_len) { 496 case sizeof(struct in_addr): { 497 struct in_addr *addr4, *mask4; 498 499 addr4 = (struct in_addr *)addr; 500 mask4 = (struct in_addr *)mask; 501 ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid); 502 if (audit_buf != NULL) 503 netlbl_af4list_audit_addr(audit_buf, 1, 504 dev_name, 505 addr4->s_addr, 506 mask4->s_addr); 507 break; 508 } 509 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 510 case sizeof(struct in6_addr): { 511 struct in6_addr *addr6, *mask6; 512 513 addr6 = (struct in6_addr *)addr; 514 mask6 = (struct in6_addr *)mask; 515 ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid); 516 if (audit_buf != NULL) 517 netlbl_af6list_audit_addr(audit_buf, 1, 518 dev_name, 519 addr6, mask6); 520 break; 521 } 522 #endif /* IPv6 */ 523 default: 524 ret_val = -EINVAL; 525 } 526 if (ret_val == 0) 527 atomic_inc(&netlabel_mgmt_protocount); 528 529 unlhsh_add_return: 530 rcu_read_unlock(); 531 if (audit_buf != NULL) { 532 if (security_secid_to_secctx(secid, 533 &secctx, 534 &secctx_len) == 0) { 535 audit_log_format(audit_buf, " sec_obj=%s", secctx); 536 security_release_secctx(secctx, secctx_len); 537 } 538 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); 539 audit_log_end(audit_buf); 540 } 541 return ret_val; 542 } 543 544 /** 545 * netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry 546 * @net: network namespace 547 * @iface: interface entry 548 * @addr: IP address 549 * @mask: IP address mask 550 * @audit_info: NetLabel audit information 551 * 552 * Description: 553 * Remove an IP address entry from the unlabeled connection hash table. 554 * Returns zero on success, negative values on failure. The caller is 555 * responsible for calling the rcu_read_[un]lock() functions. 556 * 557 */ 558 static int netlbl_unlhsh_remove_addr4(struct net *net, 559 struct netlbl_unlhsh_iface *iface, 560 const struct in_addr *addr, 561 const struct in_addr *mask, 562 struct netlbl_audit *audit_info) 563 { 564 struct netlbl_af4list *list_entry; 565 struct netlbl_unlhsh_addr4 *entry; 566 struct audit_buffer *audit_buf; 567 struct net_device *dev; 568 char *secctx; 569 u32 secctx_len; 570 571 spin_lock(&netlbl_unlhsh_lock); 572 list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, 573 &iface->addr4_list); 574 spin_unlock(&netlbl_unlhsh_lock); 575 if (list_entry != NULL) 576 entry = netlbl_unlhsh_addr4_entry(list_entry); 577 else 578 entry = NULL; 579 580 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL, 581 audit_info); 582 if (audit_buf != NULL) { 583 dev = dev_get_by_index(net, iface->ifindex); 584 netlbl_af4list_audit_addr(audit_buf, 1, 585 (dev != NULL ? dev->name : NULL), 586 addr->s_addr, mask->s_addr); 587 if (dev != NULL) 588 dev_put(dev); 589 if (entry != NULL && 590 security_secid_to_secctx(entry->secid, 591 &secctx, &secctx_len) == 0) { 592 audit_log_format(audit_buf, " sec_obj=%s", secctx); 593 security_release_secctx(secctx, secctx_len); 594 } 595 audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); 596 audit_log_end(audit_buf); 597 } 598 599 if (entry == NULL) 600 return -ENOENT; 601 602 call_rcu(&entry->rcu, netlbl_unlhsh_free_addr4); 603 return 0; 604 } 605 606 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 607 /** 608 * netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry 609 * @net: network namespace 610 * @iface: interface entry 611 * @addr: IP address 612 * @mask: IP address mask 613 * @audit_info: NetLabel audit information 614 * 615 * Description: 616 * Remove an IP address entry from the unlabeled connection hash table. 617 * Returns zero on success, negative values on failure. The caller is 618 * responsible for calling the rcu_read_[un]lock() functions. 619 * 620 */ 621 static int netlbl_unlhsh_remove_addr6(struct net *net, 622 struct netlbl_unlhsh_iface *iface, 623 const struct in6_addr *addr, 624 const struct in6_addr *mask, 625 struct netlbl_audit *audit_info) 626 { 627 struct netlbl_af6list *list_entry; 628 struct netlbl_unlhsh_addr6 *entry; 629 struct audit_buffer *audit_buf; 630 struct net_device *dev; 631 char *secctx; 632 u32 secctx_len; 633 634 spin_lock(&netlbl_unlhsh_lock); 635 list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); 636 spin_unlock(&netlbl_unlhsh_lock); 637 if (list_entry != NULL) 638 entry = netlbl_unlhsh_addr6_entry(list_entry); 639 else 640 entry = NULL; 641 642 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL, 643 audit_info); 644 if (audit_buf != NULL) { 645 dev = dev_get_by_index(net, iface->ifindex); 646 netlbl_af6list_audit_addr(audit_buf, 1, 647 (dev != NULL ? dev->name : NULL), 648 addr, mask); 649 if (dev != NULL) 650 dev_put(dev); 651 if (entry != NULL && 652 security_secid_to_secctx(entry->secid, 653 &secctx, &secctx_len) == 0) { 654 audit_log_format(audit_buf, " sec_obj=%s", secctx); 655 security_release_secctx(secctx, secctx_len); 656 } 657 audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); 658 audit_log_end(audit_buf); 659 } 660 661 if (entry == NULL) 662 return -ENOENT; 663 664 call_rcu(&entry->rcu, netlbl_unlhsh_free_addr6); 665 return 0; 666 } 667 #endif /* IPv6 */ 668 669 /** 670 * netlbl_unlhsh_condremove_iface - Remove an interface entry 671 * @iface: the interface entry 672 * 673 * Description: 674 * Remove an interface entry from the unlabeled connection hash table if it is 675 * empty. An interface entry is considered to be empty if there are no 676 * address entries assigned to it. 677 * 678 */ 679 static void netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface *iface) 680 { 681 struct netlbl_af4list *iter4; 682 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 683 struct netlbl_af6list *iter6; 684 #endif /* IPv6 */ 685 686 spin_lock(&netlbl_unlhsh_lock); 687 netlbl_af4list_foreach_rcu(iter4, &iface->addr4_list) 688 goto unlhsh_condremove_failure; 689 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 690 netlbl_af6list_foreach_rcu(iter6, &iface->addr6_list) 691 goto unlhsh_condremove_failure; 692 #endif /* IPv6 */ 693 iface->valid = 0; 694 if (iface->ifindex > 0) 695 list_del_rcu(&iface->list); 696 else 697 rcu_assign_pointer(netlbl_unlhsh_def, NULL); 698 spin_unlock(&netlbl_unlhsh_lock); 699 700 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface); 701 return; 702 703 unlhsh_condremove_failure: 704 spin_unlock(&netlbl_unlhsh_lock); 705 return; 706 } 707 708 /** 709 * netlbl_unlhsh_remove - Remove an entry from the unlabeled hash table 710 * @net: network namespace 711 * @dev_name: interface name 712 * @addr: IP address in network byte order 713 * @mask: address mask in network byte order 714 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6) 715 * @audit_info: NetLabel audit information 716 * 717 * Description: 718 * Removes and existing entry from the unlabeled connection hash table. 719 * Returns zero on success, negative values on failure. 720 * 721 */ 722 int netlbl_unlhsh_remove(struct net *net, 723 const char *dev_name, 724 const void *addr, 725 const void *mask, 726 u32 addr_len, 727 struct netlbl_audit *audit_info) 728 { 729 int ret_val; 730 struct net_device *dev; 731 struct netlbl_unlhsh_iface *iface; 732 733 if (addr_len != sizeof(struct in_addr) && 734 addr_len != sizeof(struct in6_addr)) 735 return -EINVAL; 736 737 rcu_read_lock(); 738 if (dev_name != NULL) { 739 dev = dev_get_by_name_rcu(net, dev_name); 740 if (dev == NULL) { 741 ret_val = -ENODEV; 742 goto unlhsh_remove_return; 743 } 744 iface = netlbl_unlhsh_search_iface(dev->ifindex); 745 } else 746 iface = rcu_dereference(netlbl_unlhsh_def); 747 if (iface == NULL) { 748 ret_val = -ENOENT; 749 goto unlhsh_remove_return; 750 } 751 switch (addr_len) { 752 case sizeof(struct in_addr): 753 ret_val = netlbl_unlhsh_remove_addr4(net, 754 iface, addr, mask, 755 audit_info); 756 break; 757 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 758 case sizeof(struct in6_addr): 759 ret_val = netlbl_unlhsh_remove_addr6(net, 760 iface, addr, mask, 761 audit_info); 762 break; 763 #endif /* IPv6 */ 764 default: 765 ret_val = -EINVAL; 766 } 767 if (ret_val == 0) { 768 netlbl_unlhsh_condremove_iface(iface); 769 atomic_dec(&netlabel_mgmt_protocount); 770 } 771 772 unlhsh_remove_return: 773 rcu_read_unlock(); 774 return ret_val; 775 } 776 777 /* 778 * General Helper Functions 779 */ 780 781 /** 782 * netlbl_unlhsh_netdev_handler - Network device notification handler 783 * @this: notifier block 784 * @event: the event 785 * @ptr: the network device (cast to void) 786 * 787 * Description: 788 * Handle network device events, although at present all we care about is a 789 * network device going away. In the case of a device going away we clear any 790 * related entries from the unlabeled connection hash table. 791 * 792 */ 793 static int netlbl_unlhsh_netdev_handler(struct notifier_block *this, 794 unsigned long event, 795 void *ptr) 796 { 797 struct net_device *dev = ptr; 798 struct netlbl_unlhsh_iface *iface = NULL; 799 800 if (!net_eq(dev_net(dev), &init_net)) 801 return NOTIFY_DONE; 802 803 /* XXX - should this be a check for NETDEV_DOWN or _UNREGISTER? */ 804 if (event == NETDEV_DOWN) { 805 spin_lock(&netlbl_unlhsh_lock); 806 iface = netlbl_unlhsh_search_iface(dev->ifindex); 807 if (iface != NULL && iface->valid) { 808 iface->valid = 0; 809 list_del_rcu(&iface->list); 810 } else 811 iface = NULL; 812 spin_unlock(&netlbl_unlhsh_lock); 813 } 814 815 if (iface != NULL) 816 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface); 817 818 return NOTIFY_DONE; 819 } 820 821 /** 822 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag 823 * @value: desired value 824 * @audit_info: NetLabel audit information 825 * 826 * Description: 827 * Set the value of the unlabeled accept flag to @value. 828 * 829 */ 830 static void netlbl_unlabel_acceptflg_set(u8 value, 831 struct netlbl_audit *audit_info) 832 { 833 struct audit_buffer *audit_buf; 834 u8 old_val; 835 836 old_val = netlabel_unlabel_acceptflg; 837 netlabel_unlabel_acceptflg = value; 838 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW, 839 audit_info); 840 if (audit_buf != NULL) { 841 audit_log_format(audit_buf, 842 " unlbl_accept=%u old=%u", value, old_val); 843 audit_log_end(audit_buf); 844 } 845 } 846 847 /** 848 * netlbl_unlabel_addrinfo_get - Get the IPv4/6 address information 849 * @info: the Generic NETLINK info block 850 * @addr: the IP address 851 * @mask: the IP address mask 852 * @len: the address length 853 * 854 * Description: 855 * Examine the Generic NETLINK message and extract the IP address information. 856 * Returns zero on success, negative values on failure. 857 * 858 */ 859 static int netlbl_unlabel_addrinfo_get(struct genl_info *info, 860 void **addr, 861 void **mask, 862 u32 *len) 863 { 864 u32 addr_len; 865 866 if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR]) { 867 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]); 868 if (addr_len != sizeof(struct in_addr) && 869 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK])) 870 return -EINVAL; 871 *len = addr_len; 872 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]); 873 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4MASK]); 874 return 0; 875 } else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR]) { 876 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]); 877 if (addr_len != sizeof(struct in6_addr) && 878 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV6MASK])) 879 return -EINVAL; 880 *len = addr_len; 881 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]); 882 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6MASK]); 883 return 0; 884 } 885 886 return -EINVAL; 887 } 888 889 /* 890 * NetLabel Command Handlers 891 */ 892 893 /** 894 * netlbl_unlabel_accept - Handle an ACCEPT message 895 * @skb: the NETLINK buffer 896 * @info: the Generic NETLINK info block 897 * 898 * Description: 899 * Process a user generated ACCEPT message and set the accept flag accordingly. 900 * Returns zero on success, negative values on failure. 901 * 902 */ 903 static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) 904 { 905 u8 value; 906 struct netlbl_audit audit_info; 907 908 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { 909 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); 910 if (value == 1 || value == 0) { 911 netlbl_netlink_auditinfo(skb, &audit_info); 912 netlbl_unlabel_acceptflg_set(value, &audit_info); 913 return 0; 914 } 915 } 916 917 return -EINVAL; 918 } 919 920 /** 921 * netlbl_unlabel_list - Handle a LIST message 922 * @skb: the NETLINK buffer 923 * @info: the Generic NETLINK info block 924 * 925 * Description: 926 * Process a user generated LIST message and respond with the current status. 927 * Returns zero on success, negative values on failure. 928 * 929 */ 930 static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info) 931 { 932 int ret_val = -EINVAL; 933 struct sk_buff *ans_skb; 934 void *data; 935 936 ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 937 if (ans_skb == NULL) 938 goto list_failure; 939 data = genlmsg_put_reply(ans_skb, info, &netlbl_unlabel_gnl_family, 940 0, NLBL_UNLABEL_C_LIST); 941 if (data == NULL) { 942 ret_val = -ENOMEM; 943 goto list_failure; 944 } 945 946 ret_val = nla_put_u8(ans_skb, 947 NLBL_UNLABEL_A_ACPTFLG, 948 netlabel_unlabel_acceptflg); 949 if (ret_val != 0) 950 goto list_failure; 951 952 genlmsg_end(ans_skb, data); 953 return genlmsg_reply(ans_skb, info); 954 955 list_failure: 956 kfree_skb(ans_skb); 957 return ret_val; 958 } 959 960 /** 961 * netlbl_unlabel_staticadd - Handle a STATICADD message 962 * @skb: the NETLINK buffer 963 * @info: the Generic NETLINK info block 964 * 965 * Description: 966 * Process a user generated STATICADD message and add a new unlabeled 967 * connection entry to the hash table. Returns zero on success, negative 968 * values on failure. 969 * 970 */ 971 static int netlbl_unlabel_staticadd(struct sk_buff *skb, 972 struct genl_info *info) 973 { 974 int ret_val; 975 char *dev_name; 976 void *addr; 977 void *mask; 978 u32 addr_len; 979 u32 secid; 980 struct netlbl_audit audit_info; 981 982 /* Don't allow users to add both IPv4 and IPv6 addresses for a 983 * single entry. However, allow users to create two entries, one each 984 * for IPv4 and IPv4, with the same LSM security context which should 985 * achieve the same result. */ 986 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] || 987 !info->attrs[NLBL_UNLABEL_A_IFACE] || 988 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] || 989 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^ 990 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] || 991 !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) 992 return -EINVAL; 993 994 netlbl_netlink_auditinfo(skb, &audit_info); 995 996 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); 997 if (ret_val != 0) 998 return ret_val; 999 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]); 1000 ret_val = security_secctx_to_secid( 1001 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), 1002 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), 1003 &secid); 1004 if (ret_val != 0) 1005 return ret_val; 1006 1007 return netlbl_unlhsh_add(&init_net, 1008 dev_name, addr, mask, addr_len, secid, 1009 &audit_info); 1010 } 1011 1012 /** 1013 * netlbl_unlabel_staticadddef - Handle a STATICADDDEF message 1014 * @skb: the NETLINK buffer 1015 * @info: the Generic NETLINK info block 1016 * 1017 * Description: 1018 * Process a user generated STATICADDDEF message and add a new default 1019 * unlabeled connection entry. Returns zero on success, negative values on 1020 * failure. 1021 * 1022 */ 1023 static int netlbl_unlabel_staticadddef(struct sk_buff *skb, 1024 struct genl_info *info) 1025 { 1026 int ret_val; 1027 void *addr; 1028 void *mask; 1029 u32 addr_len; 1030 u32 secid; 1031 struct netlbl_audit audit_info; 1032 1033 /* Don't allow users to add both IPv4 and IPv6 addresses for a 1034 * single entry. However, allow users to create two entries, one each 1035 * for IPv4 and IPv6, with the same LSM security context which should 1036 * achieve the same result. */ 1037 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] || 1038 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] || 1039 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^ 1040 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] || 1041 !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) 1042 return -EINVAL; 1043 1044 netlbl_netlink_auditinfo(skb, &audit_info); 1045 1046 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); 1047 if (ret_val != 0) 1048 return ret_val; 1049 ret_val = security_secctx_to_secid( 1050 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]), 1051 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]), 1052 &secid); 1053 if (ret_val != 0) 1054 return ret_val; 1055 1056 return netlbl_unlhsh_add(&init_net, 1057 NULL, addr, mask, addr_len, secid, 1058 &audit_info); 1059 } 1060 1061 /** 1062 * netlbl_unlabel_staticremove - Handle a STATICREMOVE message 1063 * @skb: the NETLINK buffer 1064 * @info: the Generic NETLINK info block 1065 * 1066 * Description: 1067 * Process a user generated STATICREMOVE message and remove the specified 1068 * unlabeled connection entry. Returns zero on success, negative values on 1069 * failure. 1070 * 1071 */ 1072 static int netlbl_unlabel_staticremove(struct sk_buff *skb, 1073 struct genl_info *info) 1074 { 1075 int ret_val; 1076 char *dev_name; 1077 void *addr; 1078 void *mask; 1079 u32 addr_len; 1080 struct netlbl_audit audit_info; 1081 1082 /* See the note in netlbl_unlabel_staticadd() about not allowing both 1083 * IPv4 and IPv6 in the same entry. */ 1084 if (!info->attrs[NLBL_UNLABEL_A_IFACE] || 1085 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] || 1086 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^ 1087 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] || 1088 !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) 1089 return -EINVAL; 1090 1091 netlbl_netlink_auditinfo(skb, &audit_info); 1092 1093 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); 1094 if (ret_val != 0) 1095 return ret_val; 1096 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]); 1097 1098 return netlbl_unlhsh_remove(&init_net, 1099 dev_name, addr, mask, addr_len, 1100 &audit_info); 1101 } 1102 1103 /** 1104 * netlbl_unlabel_staticremovedef - Handle a STATICREMOVEDEF message 1105 * @skb: the NETLINK buffer 1106 * @info: the Generic NETLINK info block 1107 * 1108 * Description: 1109 * Process a user generated STATICREMOVEDEF message and remove the default 1110 * unlabeled connection entry. Returns zero on success, negative values on 1111 * failure. 1112 * 1113 */ 1114 static int netlbl_unlabel_staticremovedef(struct sk_buff *skb, 1115 struct genl_info *info) 1116 { 1117 int ret_val; 1118 void *addr; 1119 void *mask; 1120 u32 addr_len; 1121 struct netlbl_audit audit_info; 1122 1123 /* See the note in netlbl_unlabel_staticadd() about not allowing both 1124 * IPv4 and IPv6 in the same entry. */ 1125 if (!((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] || 1126 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^ 1127 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] || 1128 !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) 1129 return -EINVAL; 1130 1131 netlbl_netlink_auditinfo(skb, &audit_info); 1132 1133 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); 1134 if (ret_val != 0) 1135 return ret_val; 1136 1137 return netlbl_unlhsh_remove(&init_net, 1138 NULL, addr, mask, addr_len, 1139 &audit_info); 1140 } 1141 1142 1143 /** 1144 * netlbl_unlabel_staticlist_gen - Generate messages for STATICLIST[DEF] 1145 * @cmd: command/message 1146 * @iface: the interface entry 1147 * @addr4: the IPv4 address entry 1148 * @addr6: the IPv6 address entry 1149 * @arg: the netlbl_unlhsh_walk_arg structure 1150 * 1151 * Description: 1152 * This function is designed to be used to generate a response for a 1153 * STATICLIST or STATICLISTDEF message. When called either @addr4 or @addr6 1154 * can be specified, not both, the other unspecified entry should be set to 1155 * NULL by the caller. Returns the size of the message on success, negative 1156 * values on failure. 1157 * 1158 */ 1159 static int netlbl_unlabel_staticlist_gen(u32 cmd, 1160 const struct netlbl_unlhsh_iface *iface, 1161 const struct netlbl_unlhsh_addr4 *addr4, 1162 const struct netlbl_unlhsh_addr6 *addr6, 1163 void *arg) 1164 { 1165 int ret_val = -ENOMEM; 1166 struct netlbl_unlhsh_walk_arg *cb_arg = arg; 1167 struct net_device *dev; 1168 void *data; 1169 u32 secid; 1170 char *secctx; 1171 u32 secctx_len; 1172 1173 data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).pid, 1174 cb_arg->seq, &netlbl_unlabel_gnl_family, 1175 NLM_F_MULTI, cmd); 1176 if (data == NULL) 1177 goto list_cb_failure; 1178 1179 if (iface->ifindex > 0) { 1180 dev = dev_get_by_index(&init_net, iface->ifindex); 1181 if (!dev) { 1182 ret_val = -ENODEV; 1183 goto list_cb_failure; 1184 } 1185 ret_val = nla_put_string(cb_arg->skb, 1186 NLBL_UNLABEL_A_IFACE, dev->name); 1187 dev_put(dev); 1188 if (ret_val != 0) 1189 goto list_cb_failure; 1190 } 1191 1192 if (addr4) { 1193 struct in_addr addr_struct; 1194 1195 addr_struct.s_addr = addr4->list.addr; 1196 ret_val = nla_put(cb_arg->skb, 1197 NLBL_UNLABEL_A_IPV4ADDR, 1198 sizeof(struct in_addr), 1199 &addr_struct); 1200 if (ret_val != 0) 1201 goto list_cb_failure; 1202 1203 addr_struct.s_addr = addr4->list.mask; 1204 ret_val = nla_put(cb_arg->skb, 1205 NLBL_UNLABEL_A_IPV4MASK, 1206 sizeof(struct in_addr), 1207 &addr_struct); 1208 if (ret_val != 0) 1209 goto list_cb_failure; 1210 1211 secid = addr4->secid; 1212 } else { 1213 ret_val = nla_put(cb_arg->skb, 1214 NLBL_UNLABEL_A_IPV6ADDR, 1215 sizeof(struct in6_addr), 1216 &addr6->list.addr); 1217 if (ret_val != 0) 1218 goto list_cb_failure; 1219 1220 ret_val = nla_put(cb_arg->skb, 1221 NLBL_UNLABEL_A_IPV6MASK, 1222 sizeof(struct in6_addr), 1223 &addr6->list.mask); 1224 if (ret_val != 0) 1225 goto list_cb_failure; 1226 1227 secid = addr6->secid; 1228 } 1229 1230 ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); 1231 if (ret_val != 0) 1232 goto list_cb_failure; 1233 ret_val = nla_put(cb_arg->skb, 1234 NLBL_UNLABEL_A_SECCTX, 1235 secctx_len, 1236 secctx); 1237 security_release_secctx(secctx, secctx_len); 1238 if (ret_val != 0) 1239 goto list_cb_failure; 1240 1241 cb_arg->seq++; 1242 return genlmsg_end(cb_arg->skb, data); 1243 1244 list_cb_failure: 1245 genlmsg_cancel(cb_arg->skb, data); 1246 return ret_val; 1247 } 1248 1249 /** 1250 * netlbl_unlabel_staticlist - Handle a STATICLIST message 1251 * @skb: the NETLINK buffer 1252 * @cb: the NETLINK callback 1253 * 1254 * Description: 1255 * Process a user generated STATICLIST message and dump the unlabeled 1256 * connection hash table in a form suitable for use in a kernel generated 1257 * STATICLIST message. Returns the length of @skb. 1258 * 1259 */ 1260 static int netlbl_unlabel_staticlist(struct sk_buff *skb, 1261 struct netlink_callback *cb) 1262 { 1263 struct netlbl_unlhsh_walk_arg cb_arg; 1264 u32 skip_bkt = cb->args[0]; 1265 u32 skip_chain = cb->args[1]; 1266 u32 skip_addr4 = cb->args[2]; 1267 u32 skip_addr6 = cb->args[3]; 1268 u32 iter_bkt; 1269 u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0; 1270 struct netlbl_unlhsh_iface *iface; 1271 struct list_head *iter_list; 1272 struct netlbl_af4list *addr4; 1273 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 1274 struct netlbl_af6list *addr6; 1275 #endif 1276 1277 cb_arg.nl_cb = cb; 1278 cb_arg.skb = skb; 1279 cb_arg.seq = cb->nlh->nlmsg_seq; 1280 1281 rcu_read_lock(); 1282 for (iter_bkt = skip_bkt; 1283 iter_bkt < rcu_dereference(netlbl_unlhsh)->size; 1284 iter_bkt++, iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0) { 1285 iter_list = &rcu_dereference(netlbl_unlhsh)->tbl[iter_bkt]; 1286 list_for_each_entry_rcu(iface, iter_list, list) { 1287 if (!iface->valid || 1288 iter_chain++ < skip_chain) 1289 continue; 1290 netlbl_af4list_foreach_rcu(addr4, 1291 &iface->addr4_list) { 1292 if (iter_addr4++ < skip_addr4) 1293 continue; 1294 if (netlbl_unlabel_staticlist_gen( 1295 NLBL_UNLABEL_C_STATICLIST, 1296 iface, 1297 netlbl_unlhsh_addr4_entry(addr4), 1298 NULL, 1299 &cb_arg) < 0) { 1300 iter_addr4--; 1301 iter_chain--; 1302 goto unlabel_staticlist_return; 1303 } 1304 } 1305 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 1306 netlbl_af6list_foreach_rcu(addr6, 1307 &iface->addr6_list) { 1308 if (iter_addr6++ < skip_addr6) 1309 continue; 1310 if (netlbl_unlabel_staticlist_gen( 1311 NLBL_UNLABEL_C_STATICLIST, 1312 iface, 1313 NULL, 1314 netlbl_unlhsh_addr6_entry(addr6), 1315 &cb_arg) < 0) { 1316 iter_addr6--; 1317 iter_chain--; 1318 goto unlabel_staticlist_return; 1319 } 1320 } 1321 #endif /* IPv6 */ 1322 } 1323 } 1324 1325 unlabel_staticlist_return: 1326 rcu_read_unlock(); 1327 cb->args[0] = skip_bkt; 1328 cb->args[1] = skip_chain; 1329 cb->args[2] = skip_addr4; 1330 cb->args[3] = skip_addr6; 1331 return skb->len; 1332 } 1333 1334 /** 1335 * netlbl_unlabel_staticlistdef - Handle a STATICLISTDEF message 1336 * @skb: the NETLINK buffer 1337 * @cb: the NETLINK callback 1338 * 1339 * Description: 1340 * Process a user generated STATICLISTDEF message and dump the default 1341 * unlabeled connection entry in a form suitable for use in a kernel generated 1342 * STATICLISTDEF message. Returns the length of @skb. 1343 * 1344 */ 1345 static int netlbl_unlabel_staticlistdef(struct sk_buff *skb, 1346 struct netlink_callback *cb) 1347 { 1348 struct netlbl_unlhsh_walk_arg cb_arg; 1349 struct netlbl_unlhsh_iface *iface; 1350 u32 skip_addr4 = cb->args[0]; 1351 u32 skip_addr6 = cb->args[1]; 1352 u32 iter_addr4 = 0; 1353 struct netlbl_af4list *addr4; 1354 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 1355 u32 iter_addr6 = 0; 1356 struct netlbl_af6list *addr6; 1357 #endif 1358 1359 cb_arg.nl_cb = cb; 1360 cb_arg.skb = skb; 1361 cb_arg.seq = cb->nlh->nlmsg_seq; 1362 1363 rcu_read_lock(); 1364 iface = rcu_dereference(netlbl_unlhsh_def); 1365 if (iface == NULL || !iface->valid) 1366 goto unlabel_staticlistdef_return; 1367 1368 netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) { 1369 if (iter_addr4++ < skip_addr4) 1370 continue; 1371 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF, 1372 iface, 1373 netlbl_unlhsh_addr4_entry(addr4), 1374 NULL, 1375 &cb_arg) < 0) { 1376 iter_addr4--; 1377 goto unlabel_staticlistdef_return; 1378 } 1379 } 1380 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 1381 netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) { 1382 if (iter_addr6++ < skip_addr6) 1383 continue; 1384 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF, 1385 iface, 1386 NULL, 1387 netlbl_unlhsh_addr6_entry(addr6), 1388 &cb_arg) < 0) { 1389 iter_addr6--; 1390 goto unlabel_staticlistdef_return; 1391 } 1392 } 1393 #endif /* IPv6 */ 1394 1395 unlabel_staticlistdef_return: 1396 rcu_read_unlock(); 1397 cb->args[0] = skip_addr4; 1398 cb->args[1] = skip_addr6; 1399 return skb->len; 1400 } 1401 1402 /* 1403 * NetLabel Generic NETLINK Command Definitions 1404 */ 1405 1406 static struct genl_ops netlbl_unlabel_genl_ops[] = { 1407 { 1408 .cmd = NLBL_UNLABEL_C_STATICADD, 1409 .flags = GENL_ADMIN_PERM, 1410 .policy = netlbl_unlabel_genl_policy, 1411 .doit = netlbl_unlabel_staticadd, 1412 .dumpit = NULL, 1413 }, 1414 { 1415 .cmd = NLBL_UNLABEL_C_STATICREMOVE, 1416 .flags = GENL_ADMIN_PERM, 1417 .policy = netlbl_unlabel_genl_policy, 1418 .doit = netlbl_unlabel_staticremove, 1419 .dumpit = NULL, 1420 }, 1421 { 1422 .cmd = NLBL_UNLABEL_C_STATICLIST, 1423 .flags = 0, 1424 .policy = netlbl_unlabel_genl_policy, 1425 .doit = NULL, 1426 .dumpit = netlbl_unlabel_staticlist, 1427 }, 1428 { 1429 .cmd = NLBL_UNLABEL_C_STATICADDDEF, 1430 .flags = GENL_ADMIN_PERM, 1431 .policy = netlbl_unlabel_genl_policy, 1432 .doit = netlbl_unlabel_staticadddef, 1433 .dumpit = NULL, 1434 }, 1435 { 1436 .cmd = NLBL_UNLABEL_C_STATICREMOVEDEF, 1437 .flags = GENL_ADMIN_PERM, 1438 .policy = netlbl_unlabel_genl_policy, 1439 .doit = netlbl_unlabel_staticremovedef, 1440 .dumpit = NULL, 1441 }, 1442 { 1443 .cmd = NLBL_UNLABEL_C_STATICLISTDEF, 1444 .flags = 0, 1445 .policy = netlbl_unlabel_genl_policy, 1446 .doit = NULL, 1447 .dumpit = netlbl_unlabel_staticlistdef, 1448 }, 1449 { 1450 .cmd = NLBL_UNLABEL_C_ACCEPT, 1451 .flags = GENL_ADMIN_PERM, 1452 .policy = netlbl_unlabel_genl_policy, 1453 .doit = netlbl_unlabel_accept, 1454 .dumpit = NULL, 1455 }, 1456 { 1457 .cmd = NLBL_UNLABEL_C_LIST, 1458 .flags = 0, 1459 .policy = netlbl_unlabel_genl_policy, 1460 .doit = netlbl_unlabel_list, 1461 .dumpit = NULL, 1462 }, 1463 }; 1464 1465 /* 1466 * NetLabel Generic NETLINK Protocol Functions 1467 */ 1468 1469 /** 1470 * netlbl_unlabel_genl_init - Register the Unlabeled NetLabel component 1471 * 1472 * Description: 1473 * Register the unlabeled packet NetLabel component with the Generic NETLINK 1474 * mechanism. Returns zero on success, negative values on failure. 1475 * 1476 */ 1477 int __init netlbl_unlabel_genl_init(void) 1478 { 1479 return genl_register_family_with_ops(&netlbl_unlabel_gnl_family, 1480 netlbl_unlabel_genl_ops, ARRAY_SIZE(netlbl_unlabel_genl_ops)); 1481 } 1482 1483 /* 1484 * NetLabel KAPI Hooks 1485 */ 1486 1487 static struct notifier_block netlbl_unlhsh_netdev_notifier = { 1488 .notifier_call = netlbl_unlhsh_netdev_handler, 1489 }; 1490 1491 /** 1492 * netlbl_unlabel_init - Initialize the unlabeled connection hash table 1493 * @size: the number of bits to use for the hash buckets 1494 * 1495 * Description: 1496 * Initializes the unlabeled connection hash table and registers a network 1497 * device notification handler. This function should only be called by the 1498 * NetLabel subsystem itself during initialization. Returns zero on success, 1499 * non-zero values on error. 1500 * 1501 */ 1502 int __init netlbl_unlabel_init(u32 size) 1503 { 1504 u32 iter; 1505 struct netlbl_unlhsh_tbl *hsh_tbl; 1506 1507 if (size == 0) 1508 return -EINVAL; 1509 1510 hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL); 1511 if (hsh_tbl == NULL) 1512 return -ENOMEM; 1513 hsh_tbl->size = 1 << size; 1514 hsh_tbl->tbl = kcalloc(hsh_tbl->size, 1515 sizeof(struct list_head), 1516 GFP_KERNEL); 1517 if (hsh_tbl->tbl == NULL) { 1518 kfree(hsh_tbl); 1519 return -ENOMEM; 1520 } 1521 for (iter = 0; iter < hsh_tbl->size; iter++) 1522 INIT_LIST_HEAD(&hsh_tbl->tbl[iter]); 1523 1524 rcu_read_lock(); 1525 spin_lock(&netlbl_unlhsh_lock); 1526 rcu_assign_pointer(netlbl_unlhsh, hsh_tbl); 1527 spin_unlock(&netlbl_unlhsh_lock); 1528 rcu_read_unlock(); 1529 1530 register_netdevice_notifier(&netlbl_unlhsh_netdev_notifier); 1531 1532 return 0; 1533 } 1534 1535 /** 1536 * netlbl_unlabel_getattr - Get the security attributes for an unlabled packet 1537 * @skb: the packet 1538 * @family: protocol family 1539 * @secattr: the security attributes 1540 * 1541 * Description: 1542 * Determine the security attributes, if any, for an unlabled packet and return 1543 * them in @secattr. Returns zero on success and negative values on failure. 1544 * 1545 */ 1546 int netlbl_unlabel_getattr(const struct sk_buff *skb, 1547 u16 family, 1548 struct netlbl_lsm_secattr *secattr) 1549 { 1550 struct netlbl_unlhsh_iface *iface; 1551 1552 rcu_read_lock(); 1553 iface = netlbl_unlhsh_search_iface_def(skb->skb_iif); 1554 if (iface == NULL) 1555 goto unlabel_getattr_nolabel; 1556 switch (family) { 1557 case PF_INET: { 1558 struct iphdr *hdr4; 1559 struct netlbl_af4list *addr4; 1560 1561 hdr4 = ip_hdr(skb); 1562 addr4 = netlbl_af4list_search(hdr4->saddr, 1563 &iface->addr4_list); 1564 if (addr4 == NULL) 1565 goto unlabel_getattr_nolabel; 1566 secattr->attr.secid = netlbl_unlhsh_addr4_entry(addr4)->secid; 1567 break; 1568 } 1569 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 1570 case PF_INET6: { 1571 struct ipv6hdr *hdr6; 1572 struct netlbl_af6list *addr6; 1573 1574 hdr6 = ipv6_hdr(skb); 1575 addr6 = netlbl_af6list_search(&hdr6->saddr, 1576 &iface->addr6_list); 1577 if (addr6 == NULL) 1578 goto unlabel_getattr_nolabel; 1579 secattr->attr.secid = netlbl_unlhsh_addr6_entry(addr6)->secid; 1580 break; 1581 } 1582 #endif /* IPv6 */ 1583 default: 1584 goto unlabel_getattr_nolabel; 1585 } 1586 rcu_read_unlock(); 1587 1588 secattr->flags |= NETLBL_SECATTR_SECID; 1589 secattr->type = NETLBL_NLTYPE_UNLABELED; 1590 return 0; 1591 1592 unlabel_getattr_nolabel: 1593 rcu_read_unlock(); 1594 if (netlabel_unlabel_acceptflg == 0) 1595 return -ENOMSG; 1596 secattr->type = NETLBL_NLTYPE_UNLABELED; 1597 return 0; 1598 } 1599 1600 /** 1601 * netlbl_unlabel_defconf - Set the default config to allow unlabeled packets 1602 * 1603 * Description: 1604 * Set the default NetLabel configuration to allow incoming unlabeled packets 1605 * and to send unlabeled network traffic by default. 1606 * 1607 */ 1608 int __init netlbl_unlabel_defconf(void) 1609 { 1610 int ret_val; 1611 struct netlbl_dom_map *entry; 1612 struct netlbl_audit audit_info; 1613 1614 /* Only the kernel is allowed to call this function and the only time 1615 * it is called is at bootup before the audit subsystem is reporting 1616 * messages so don't worry to much about these values. */ 1617 security_task_getsecid(current, &audit_info.secid); 1618 audit_info.loginuid = 0; 1619 audit_info.sessionid = 0; 1620 1621 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1622 if (entry == NULL) 1623 return -ENOMEM; 1624 entry->type = NETLBL_NLTYPE_UNLABELED; 1625 ret_val = netlbl_domhsh_add_default(entry, &audit_info); 1626 if (ret_val != 0) 1627 return ret_val; 1628 1629 netlbl_unlabel_acceptflg_set(1, &audit_info); 1630 1631 return 0; 1632 } 1633