1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0-or-later
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun * NetLabel Unlabeled Support
4*4882a593Smuzhiyun *
5*4882a593Smuzhiyun * This file defines functions for dealing with unlabeled packets for the
6*4882a593Smuzhiyun * NetLabel system. The NetLabel system manages static and dynamic label
7*4882a593Smuzhiyun * mappings for network protocols such as CIPSO and RIPSO.
8*4882a593Smuzhiyun *
9*4882a593Smuzhiyun * Author: Paul Moore <paul@paul-moore.com>
10*4882a593Smuzhiyun */
11*4882a593Smuzhiyun
12*4882a593Smuzhiyun /*
13*4882a593Smuzhiyun * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - 2008
14*4882a593Smuzhiyun */
15*4882a593Smuzhiyun
16*4882a593Smuzhiyun #include <linux/types.h>
17*4882a593Smuzhiyun #include <linux/rcupdate.h>
18*4882a593Smuzhiyun #include <linux/list.h>
19*4882a593Smuzhiyun #include <linux/spinlock.h>
20*4882a593Smuzhiyun #include <linux/socket.h>
21*4882a593Smuzhiyun #include <linux/string.h>
22*4882a593Smuzhiyun #include <linux/skbuff.h>
23*4882a593Smuzhiyun #include <linux/audit.h>
24*4882a593Smuzhiyun #include <linux/in.h>
25*4882a593Smuzhiyun #include <linux/in6.h>
26*4882a593Smuzhiyun #include <linux/ip.h>
27*4882a593Smuzhiyun #include <linux/ipv6.h>
28*4882a593Smuzhiyun #include <linux/notifier.h>
29*4882a593Smuzhiyun #include <linux/netdevice.h>
30*4882a593Smuzhiyun #include <linux/security.h>
31*4882a593Smuzhiyun #include <linux/slab.h>
32*4882a593Smuzhiyun #include <net/sock.h>
33*4882a593Smuzhiyun #include <net/netlink.h>
34*4882a593Smuzhiyun #include <net/genetlink.h>
35*4882a593Smuzhiyun #include <net/ip.h>
36*4882a593Smuzhiyun #include <net/ipv6.h>
37*4882a593Smuzhiyun #include <net/net_namespace.h>
38*4882a593Smuzhiyun #include <net/netlabel.h>
39*4882a593Smuzhiyun #include <asm/bug.h>
40*4882a593Smuzhiyun #include <linux/atomic.h>
41*4882a593Smuzhiyun
42*4882a593Smuzhiyun #include "netlabel_user.h"
43*4882a593Smuzhiyun #include "netlabel_addrlist.h"
44*4882a593Smuzhiyun #include "netlabel_domainhash.h"
45*4882a593Smuzhiyun #include "netlabel_unlabeled.h"
46*4882a593Smuzhiyun #include "netlabel_mgmt.h"
47*4882a593Smuzhiyun
48*4882a593Smuzhiyun /* NOTE: at present we always use init's network namespace since we don't
49*4882a593Smuzhiyun * presently support different namespaces even though the majority of
50*4882a593Smuzhiyun * the functions in this file are "namespace safe" */
51*4882a593Smuzhiyun
52*4882a593Smuzhiyun /* The unlabeled connection hash table which we use to map network interfaces
53*4882a593Smuzhiyun * and addresses of unlabeled packets to a user specified secid value for the
54*4882a593Smuzhiyun * LSM. The hash table is used to lookup the network interface entry
55*4882a593Smuzhiyun * (struct netlbl_unlhsh_iface) and then the interface entry is used to
56*4882a593Smuzhiyun * lookup an IP address match from an ordered list. If a network interface
57*4882a593Smuzhiyun * match can not be found in the hash table then the default entry
58*4882a593Smuzhiyun * (netlbl_unlhsh_def) is used. The IP address entry list
59*4882a593Smuzhiyun * (struct netlbl_unlhsh_addr) is ordered such that the entries with a
60*4882a593Smuzhiyun * larger netmask come first.
61*4882a593Smuzhiyun */
struct netlbl_unlhsh_tbl {
	/* array of bucket list heads holding netlbl_unlhsh_iface entries,
	 * indexed by netlbl_unlhsh_hash() */
	struct list_head *tbl;
	/* number of buckets; netlbl_unlhsh_hash() masks with (size - 1),
	 * which only yields an in-range index when size is a power of two
	 * (the table allocator, not shown here, must guarantee that) */
	u32 size;
};
/* Recover the enclosing netlbl_unlhsh_addr4 from its embedded af4list node */
#define netlbl_unlhsh_addr4_entry(iter) \
	container_of(iter, struct netlbl_unlhsh_addr4, list)
struct netlbl_unlhsh_addr4 {
	/* LSM secid mapped to this address/mask (see the table comment above) */
	u32 secid;

	/* address/mask node linked on netlbl_unlhsh_iface.addr4_list */
	struct netlbl_af4list list;
	/* deferred release via kfree_rcu() */
	struct rcu_head rcu;
};
/* Recover the enclosing netlbl_unlhsh_addr6 from its embedded af6list node */
#define netlbl_unlhsh_addr6_entry(iter) \
	container_of(iter, struct netlbl_unlhsh_addr6, list)
struct netlbl_unlhsh_addr6 {
	/* LSM secid mapped to this address/mask (see the table comment above) */
	u32 secid;

	/* address/mask node linked on netlbl_unlhsh_iface.addr6_list */
	struct netlbl_af6list list;
	/* deferred release via kfree_rcu() */
	struct rcu_head rcu;
};
struct netlbl_unlhsh_iface {
	/* interface index; a value <= 0 (the code passes 0) marks the default
	 * entry, which lives in netlbl_unlhsh_def instead of a bucket */
	int ifindex;
	/* netlbl_unlhsh_addr4 entries for this interface */
	struct list_head addr4_list;
	/* netlbl_unlhsh_addr6 entries for this interface */
	struct list_head addr6_list;

	/* cleared under netlbl_unlhsh_lock when the entry is unlinked;
	 * netlbl_unlhsh_search_iface() ignores entries with valid == 0 */
	u32 valid;
	/* bucket linkage in netlbl_unlhsh->tbl (initialised but unused for
	 * the default entry) */
	struct list_head list;
	/* deferred release via call_rcu(netlbl_unlhsh_free_iface) */
	struct rcu_head rcu;
};
91*4882a593Smuzhiyun
/* Argument struct for netlbl_unlhsh_walk() (defined later in this file,
 * not shown here) */
struct netlbl_unlhsh_walk_arg {
	/* netlink dump callback state */
	struct netlink_callback *nl_cb;
	/* buffer the dump is written into */
	struct sk_buff *skb;
	/* netlink sequence number; presumably copied from the dump request,
	 * confirm against netlbl_unlhsh_walk() */
	u32 seq;
};
98*4882a593Smuzhiyun
/* Unlabeled connection hash table */
/* updates should be so rare that having one spinlock for the entire
 * hash table should be okay; readers use RCU and never take it */
static DEFINE_SPINLOCK(netlbl_unlhsh_lock);
/* Dereference one of the RCU-protected table pointers below; valid inside
 * an RCU read-side critical section or, as lockdep is told here, while
 * netlbl_unlhsh_lock is held */
#define netlbl_unlhsh_rcu_deref(p) \
	rcu_dereference_check(p, lockdep_is_held(&netlbl_unlhsh_lock))
/* the bucket table itself */
static struct netlbl_unlhsh_tbl __rcu *netlbl_unlhsh;
/* the default (no specific interface) entry, NULL when none is configured */
static struct netlbl_unlhsh_iface __rcu *netlbl_unlhsh_def;

/* Accept unlabeled packets flag */
static u8 netlabel_unlabel_acceptflg;

/* NetLabel Generic NETLINK unlabeled family */
static struct genl_family netlbl_unlabel_gnl_family;
113*4882a593Smuzhiyun
/* NetLabel Netlink attribute policy */
/* The address and mask attributes are length-limited to their address type
 * and the interface name to a NUL-terminated IFNAMSIZ - 1 string, so the
 * command handlers can trust those sizes after validation. No length is
 * declared for NLBL_UNLABEL_A_SECCTX, so its consumers must work from
 * nla_len() rather than assume a bound. */
static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
	[NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
	[NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY,
				      .len = sizeof(struct in6_addr) },
	[NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY,
				      .len = sizeof(struct in6_addr) },
	[NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY,
				      .len = sizeof(struct in_addr) },
	[NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY,
				      .len = sizeof(struct in_addr) },
	[NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING,
				   .len = IFNAMSIZ - 1 },
	[NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY }
};
129*4882a593Smuzhiyun
130*4882a593Smuzhiyun /*
131*4882a593Smuzhiyun * Unlabeled Connection Hash Table Functions
132*4882a593Smuzhiyun */
133*4882a593Smuzhiyun
/**
 * netlbl_unlhsh_free_iface - Frees an interface entry from the hash table
 * @entry: the entry's RCU field
 *
 * Description:
 * RCU callback, registered through call_rcu(), that releases the memory of
 * a hash table interface entry once the grace period has elapsed.  Any IPv4
 * or IPv6 address entries still linked to the interface are unlinked and
 * freed as well; the rest of the code is expected to only schedule an
 * interface entry for release once its address lists are empty, so this is
 * a safety net rather than the normal path.
 *
 */
static void netlbl_unlhsh_free_iface(struct rcu_head *entry)
{
	struct netlbl_unlhsh_iface *iface =
		container_of(entry, struct netlbl_unlhsh_iface, rcu);
	struct netlbl_af4list *pos4;
	struct netlbl_af4list *next4;
#if IS_ENABLED(CONFIG_IPV6)
	struct netlbl_af6list *pos6;
	struct netlbl_af6list *next6;
#endif /* IPv6 */

	/* no locking needed: after the grace period nobody else can reach
	 * this entry, so the lists are private to us */

	netlbl_af4list_foreach_safe(pos4, next4, &iface->addr4_list) {
		netlbl_af4list_remove_entry(pos4);
		kfree(netlbl_unlhsh_addr4_entry(pos4));
	}
#if IS_ENABLED(CONFIG_IPV6)
	netlbl_af6list_foreach_safe(pos6, next6, &iface->addr6_list) {
		netlbl_af6list_remove_entry(pos6);
		kfree(netlbl_unlhsh_addr6_entry(pos6));
	}
#endif /* IPv6 */
	kfree(iface);
}
174*4882a593Smuzhiyun
/**
 * netlbl_unlhsh_hash - Hashing function for the hash table
 * @ifindex: the network interface/device to hash
 *
 * Description:
 * Maps a device/interface index onto a bucket number of the unlabeled hash
 * table.  The bucket is selected by masking with (size - 1), which is only
 * a valid index when the table size is a power of two.  The caller is
 * responsible for ensuring that the hash table is protected with either a
 * RCU read lock or the hash table lock.
 *
 */
static u32 netlbl_unlhsh_hash(int ifindex)
{
	struct netlbl_unlhsh_tbl *tbl = netlbl_unlhsh_rcu_deref(netlbl_unlhsh);
	u32 bkt_mask = tbl->size - 1;

	return (u32)ifindex & bkt_mask;
}
190*4882a593Smuzhiyun
/**
 * netlbl_unlhsh_search_iface - Search for a matching interface entry
 * @ifindex: the network interface
 *
 * Description:
 * Walks the hash table bucket for @ifindex and returns the interface entry
 * whose index matches and which is still marked valid; NULL is returned when
 * there is no such entry.  The caller is responsible for ensuring that the
 * hash table is protected with either a RCU read lock or the hash table
 * lock.
 *
 */
static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex)
{
	struct netlbl_unlhsh_tbl *tbl = netlbl_unlhsh_rcu_deref(netlbl_unlhsh);
	struct list_head *bucket = &tbl->tbl[netlbl_unlhsh_hash(ifindex)];
	struct netlbl_unlhsh_iface *cur;

	list_for_each_entry_rcu(cur, bucket, list,
				lockdep_is_held(&netlbl_unlhsh_lock)) {
		/* entries being torn down keep their index but lose valid */
		if (!cur->valid || cur->ifindex != ifindex)
			continue;
		return cur;
	}

	return NULL;
}
217*4882a593Smuzhiyun
/**
 * netlbl_unlhsh_add_addr4 - Add a new IPv4 address entry to the hash table
 * @iface: the associated interface entry
 * @addr: IPv4 address in network byte order
 * @mask: IPv4 address mask in network byte order
 * @secid: LSM secid value for entry
 *
 * Description:
 * Allocates an address entry for @addr/@mask carrying @secid and inserts it
 * into the IPv4 list of @iface under the hash table lock.  The stored address
 * is pre-masked so later matching only needs the mask.  Returns zero on
 * success; -ENOMEM if the entry cannot be allocated, otherwise the negative
 * value reported by netlbl_af4list_add(), in which case the entry is freed.
 *
 */
static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
				   const struct in_addr *addr,
				   const struct in_addr *mask,
				   u32 secid)
{
	struct netlbl_unlhsh_addr4 *new_entry;
	int rc;

	new_entry = kzalloc(sizeof(*new_entry), GFP_ATOMIC);
	if (!new_entry)
		return -ENOMEM;

	new_entry->secid = secid;
	new_entry->list.mask = mask->s_addr;
	new_entry->list.addr = addr->s_addr & mask->s_addr;
	new_entry->list.valid = 1;

	spin_lock(&netlbl_unlhsh_lock);
	rc = netlbl_af4list_add(&new_entry->list, &iface->addr4_list);
	spin_unlock(&netlbl_unlhsh_lock);
	if (rc == 0)
		return 0;

	/* the list never took ownership, so release the entry ourselves */
	kfree(new_entry);
	return rc;
}
256*4882a593Smuzhiyun
257*4882a593Smuzhiyun #if IS_ENABLED(CONFIG_IPV6)
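/**
 * netlbl_unlhsh_add_addr6 - Add a new IPv6 address entry to the hash table
 * @iface: the associated interface entry
 * @addr: IPv6 address in network byte order
 * @mask: IPv6 address mask in network byte order
 * @secid: LSM secid value for entry
 *
 * Description:
 * Allocates an address entry for @addr/@mask carrying @secid and inserts it
 * into the IPv6 list of @iface under the hash table lock.  The stored address
 * is pre-masked so later matching only needs the mask.  Returns zero on
 * success; -ENOMEM if the entry cannot be allocated, otherwise the negative
 * value reported by netlbl_af6list_add(), in which case the entry is freed.
 *
 */
static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
				   const struct in6_addr *addr,
				   const struct in6_addr *mask,
				   u32 secid)
{
	int ret_val;
	unsigned int i;
	struct netlbl_unlhsh_addr6 *entry;

	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
	if (entry == NULL)
		return -ENOMEM;

	entry->list.addr = *addr;
	for (i = 0; i < 4; i++)
		entry->list.addr.s6_addr32[i] &= mask->s6_addr32[i];
	entry->list.mask = *mask;
	entry->list.valid = 1;
	entry->secid = secid;

	spin_lock(&netlbl_unlhsh_lock);
	ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list);
	spin_unlock(&netlbl_unlhsh_lock);

	/* Propagate the insert result instead of unconditionally returning
	 * zero: a failed insert frees the entry, and reporting success would
	 * make netlbl_unlhsh_add() bump netlabel_mgmt_protocount and audit
	 * res=1 for a mapping that does not exist (the IPv4 variant already
	 * returns ret_val). */
	if (ret_val != 0)
		kfree(entry);
	return ret_val;
}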
300*4882a593Smuzhiyun #endif /* IPv6 */
301*4882a593Smuzhiyun
/**
 * netlbl_unlhsh_add_iface - Adds a new interface entry to the hash table
 * @ifindex: network interface
 *
 * Description:
 * Add a new, empty, interface entry into the unlabeled connection hash table.
 * An @ifindex greater than zero goes into its hash bucket; anything else
 * becomes the single default entry (netlbl_unlhsh_def).  Duplicates are
 * rejected under the hash table lock.  On success a pointer to the new
 * interface entry is returned; on allocation failure or when a matching
 * entry already exists NULL is returned, so callers cannot tell the two
 * apart from the return value alone.
 *
 */
static struct netlbl_unlhsh_iface *netlbl_unlhsh_add_iface(int ifindex)
{
	struct netlbl_unlhsh_iface *iface;
	bool linked = false;

	iface = kzalloc(sizeof(*iface), GFP_ATOMIC);
	if (!iface)
		return NULL;

	iface->ifindex = ifindex;
	INIT_LIST_HEAD(&iface->addr4_list);
	INIT_LIST_HEAD(&iface->addr6_list);
	iface->valid = 1;

	spin_lock(&netlbl_unlhsh_lock);
	if (ifindex > 0) {
		/* the duplicate check and the insert share the lock so a
		 * concurrent add of the same interface cannot slip through */
		if (netlbl_unlhsh_search_iface(ifindex) == NULL) {
			u32 bkt = netlbl_unlhsh_hash(ifindex);

			list_add_tail_rcu(&iface->list,
					  &netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->tbl[bkt]);
			linked = true;
		}
	} else {
		/* the default entry is not on any bucket list, but keep its
		 * list head sane in case it is ever walked */
		INIT_LIST_HEAD(&iface->list);
		if (netlbl_unlhsh_rcu_deref(netlbl_unlhsh_def) == NULL) {
			rcu_assign_pointer(netlbl_unlhsh_def, iface);
			linked = true;
		}
	}
	spin_unlock(&netlbl_unlhsh_lock);

	if (!linked) {
		/* never published, so a plain kfree is safe */
		kfree(iface);
		return NULL;
	}
	return iface;
}
348*4882a593Smuzhiyun
/**
 * netlbl_unlhsh_add - Adds a new entry to the unlabeled connection hash table
 * @net: network namespace
 * @dev_name: interface name, or NULL to target the default entry
 * @addr: IP address in network byte order
 * @mask: address mask in network byte order
 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
 * @secid: LSM secid value for the entry
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Adds a new entry to the unlabeled connection hash table, creating the
 * interface entry on demand.  Once an interface entry is in hand the attempt
 * is recorded in an AUDIT_MAC_UNLBL_STCADD record whose res field is 1 only
 * when the address was actually inserted.  Returns zero on success, negative
 * values on failure: -EINVAL for an unsupported @addr_len, -ENODEV when
 * @dev_name cannot be resolved in @net, -ENOMEM when no interface entry could
 * be obtained, or the error reported by the address insert.
 *
 */
int netlbl_unlhsh_add(struct net *net,
		      const char *dev_name,
		      const void *addr,
		      const void *mask,
		      u32 addr_len,
		      u32 secid,
		      struct netlbl_audit *audit_info)
{
	int ret_val = 0;
	int ifindex = 0;
	struct netlbl_unlhsh_iface *iface;
	struct audit_buffer *audit_buf = NULL;

	if (addr_len != sizeof(struct in_addr) &&
	    addr_len != sizeof(struct in6_addr))
		return -EINVAL;

	rcu_read_lock();
	if (dev_name == NULL) {
		/* no interface named: the entry belongs to the default slot */
		iface = rcu_dereference(netlbl_unlhsh_def);
	} else {
		struct net_device *dev = dev_get_by_name_rcu(net, dev_name);

		if (dev == NULL) {
			ret_val = -ENODEV;
			goto unlhsh_add_return;
		}
		ifindex = dev->ifindex;
		iface = netlbl_unlhsh_search_iface(ifindex);
	}
	if (iface == NULL) {
		/* NULL here covers both an allocation failure and a racing
		 * insert of the same interface (netlbl_unlhsh_add_iface()
		 * re-checks under the lock); both surface as -ENOMEM */
		iface = netlbl_unlhsh_add_iface(ifindex);
		if (iface == NULL) {
			ret_val = -ENOMEM;
			goto unlhsh_add_return;
		}
	}
	/* audit_buf may legitimately be NULL; the add still proceeds */
	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
					      audit_info);
	if (addr_len == sizeof(struct in_addr)) {
		const struct in_addr *addr4 = addr;
		const struct in_addr *mask4 = mask;

		ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
		if (audit_buf != NULL)
			netlbl_af4list_audit_addr(audit_buf, 1, dev_name,
						  addr4->s_addr, mask4->s_addr);
	}
#if IS_ENABLED(CONFIG_IPV6)
	else if (addr_len == sizeof(struct in6_addr)) {
		const struct in6_addr *addr6 = addr;
		const struct in6_addr *mask6 = mask;

		ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
		if (audit_buf != NULL)
			netlbl_af6list_audit_addr(audit_buf, 1, dev_name,
						  addr6, mask6);
	}
#endif /* IPv6 */
	else {
		/* only reachable for a 16 byte address without IPv6 support;
		 * note the interface entry created above is left in place */
		ret_val = -EINVAL;
	}
	if (ret_val == 0)
		atomic_inc(&netlabel_mgmt_protocount);

unlhsh_add_return:
	rcu_read_unlock();
	if (audit_buf != NULL) {
		char *secctx;
		u32 secctx_len;

		if (security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
			audit_log_format(audit_buf, " sec_obj=%s", secctx);
			security_release_secctx(secctx, secctx_len);
		}
		audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
		audit_log_end(audit_buf);
	}
	return ret_val;
}
452*4882a593Smuzhiyun
/**
 * netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry
 * @net: network namespace
 * @iface: interface entry
 * @addr: IP address
 * @mask: IP address mask
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Unlinks the IPv4 entry matching @addr/@mask from @iface under the hash
 * table lock and schedules it for release after the RCU grace period.  An
 * AUDIT_MAC_UNLBL_STCDEL record is emitted for the attempt whether or not an
 * entry was found (res=1 only when one was).  Returns zero on success and
 * -ENOENT when no matching entry exists.
 *
 */
static int netlbl_unlhsh_remove_addr4(struct net *net,
				      struct netlbl_unlhsh_iface *iface,
				      const struct in_addr *addr,
				      const struct in_addr *mask,
				      struct netlbl_audit *audit_info)
{
	struct netlbl_af4list *removed;
	struct netlbl_unlhsh_addr4 *entry = NULL;
	struct audit_buffer *audit_buf;

	spin_lock(&netlbl_unlhsh_lock);
	removed = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
					&iface->addr4_list);
	spin_unlock(&netlbl_unlhsh_lock);
	if (removed)
		entry = netlbl_unlhsh_addr4_entry(removed);

	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
					      audit_info);
	if (audit_buf) {
		struct net_device *dev = dev_get_by_index(net, iface->ifindex);
		char *secctx;
		u32 secctx_len;

		/* the device may be gone by now; log the address anyway */
		netlbl_af4list_audit_addr(audit_buf, 1,
					  dev ? dev->name : NULL,
					  addr->s_addr, mask->s_addr);
		if (dev)
			dev_put(dev);
		/* the entry is unlinked but still ours until kfree_rcu() */
		if (entry &&
		    security_secid_to_secctx(entry->secid,
					     &secctx, &secctx_len) == 0) {
			audit_log_format(audit_buf, " sec_obj=%s", secctx);
			security_release_secctx(secctx, secctx_len);
		}
		audit_log_format(audit_buf, " res=%u", entry ? 1 : 0);
		audit_log_end(audit_buf);
	}

	if (!entry)
		return -ENOENT;

	kfree_rcu(entry, rcu);
	return 0;
}
513*4882a593Smuzhiyun
514*4882a593Smuzhiyun #if IS_ENABLED(CONFIG_IPV6)
/**
 * netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry
 * @net: network namespace
 * @iface: interface entry
 * @addr: IP address
 * @mask: IP address mask
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Unlinks the IPv6 entry matching @addr/@mask from @iface under the hash
 * table lock and schedules it for release after the RCU grace period.  An
 * AUDIT_MAC_UNLBL_STCDEL record is emitted for the attempt whether or not an
 * entry was found (res=1 only when one was).  Returns zero on success and
 * -ENOENT when no matching entry exists.
 *
 */
static int netlbl_unlhsh_remove_addr6(struct net *net,
				      struct netlbl_unlhsh_iface *iface,
				      const struct in6_addr *addr,
				      const struct in6_addr *mask,
				      struct netlbl_audit *audit_info)
{
	struct netlbl_af6list *removed;
	struct netlbl_unlhsh_addr6 *entry = NULL;
	struct audit_buffer *audit_buf;

	spin_lock(&netlbl_unlhsh_lock);
	removed = netlbl_af6list_remove(addr, mask, &iface->addr6_list);
	spin_unlock(&netlbl_unlhsh_lock);
	if (removed)
		entry = netlbl_unlhsh_addr6_entry(removed);

	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
					      audit_info);
	if (audit_buf) {
		struct net_device *dev = dev_get_by_index(net, iface->ifindex);
		char *secctx;
		u32 secctx_len;

		/* the device may be gone by now; log the address anyway */
		netlbl_af6list_audit_addr(audit_buf, 1,
					  dev ? dev->name : NULL,
					  addr, mask);
		if (dev)
			dev_put(dev);
		/* the entry is unlinked but still ours until kfree_rcu() */
		if (entry &&
		    security_secid_to_secctx(entry->secid,
					     &secctx, &secctx_len) == 0) {
			audit_log_format(audit_buf, " sec_obj=%s", secctx);
			security_release_secctx(secctx, secctx_len);
		}
		audit_log_format(audit_buf, " res=%u", entry ? 1 : 0);
		audit_log_end(audit_buf);
	}

	if (!entry)
		return -ENOENT;

	kfree_rcu(entry, rcu);
	return 0;
}
574*4882a593Smuzhiyun #endif /* IPv6 */
575*4882a593Smuzhiyun
/**
 * netlbl_unlhsh_iface_empty - Check whether an interface entry has no addresses
 * @iface: the interface entry
 *
 * Description:
 * Returns true when neither the IPv4 nor the IPv6 address list of @iface
 * holds an entry.  Must be called with netlbl_unlhsh_lock held so the answer
 * cannot change under the caller.
 *
 */
static bool netlbl_unlhsh_iface_empty(struct netlbl_unlhsh_iface *iface)
{
	struct netlbl_af4list *iter4;
#if IS_ENABLED(CONFIG_IPV6)
	struct netlbl_af6list *iter6;
#endif /* IPv6 */

	netlbl_af4list_foreach_rcu(iter4, &iface->addr4_list)
		return false;
#if IS_ENABLED(CONFIG_IPV6)
	netlbl_af6list_foreach_rcu(iter6, &iface->addr6_list)
		return false;
#endif /* IPv6 */
	return true;
}

/**
 * netlbl_unlhsh_condremove_iface - Remove an interface entry
 * @iface: the interface entry
 *
 * Description:
 * Remove an interface entry from the unlabeled connection hash table if it is
 * empty, i.e. no address entries are assigned to it.  A removed entry is
 * marked invalid and unlinked under the hash table lock, then handed to
 * call_rcu() so readers still holding a reference can finish first.  A
 * non-empty entry is left untouched.
 *
 */
static void netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface *iface)
{
	bool unlinked = false;

	spin_lock(&netlbl_unlhsh_lock);
	if (netlbl_unlhsh_iface_empty(iface)) {
		/* invalidate first so concurrent lookups stop matching it */
		iface->valid = 0;
		if (iface->ifindex > 0)
			list_del_rcu(&iface->list);
		else
			RCU_INIT_POINTER(netlbl_unlhsh_def, NULL);
		unlinked = true;
	}
	spin_unlock(&netlbl_unlhsh_lock);

	if (unlinked)
		call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
}
613*4882a593Smuzhiyun
614*4882a593Smuzhiyun /**
615*4882a593Smuzhiyun * netlbl_unlhsh_remove - Remove an entry from the unlabeled hash table
616*4882a593Smuzhiyun * @net: network namespace
617*4882a593Smuzhiyun * @dev_name: interface name
618*4882a593Smuzhiyun * @addr: IP address in network byte order
619*4882a593Smuzhiyun * @mask: address mask in network byte order
620*4882a593Smuzhiyun * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
621*4882a593Smuzhiyun * @audit_info: NetLabel audit information
622*4882a593Smuzhiyun *
623*4882a593Smuzhiyun * Description:
* Removes an existing entry from the unlabeled connection hash table.
625*4882a593Smuzhiyun * Returns zero on success, negative values on failure.
626*4882a593Smuzhiyun *
627*4882a593Smuzhiyun */
int netlbl_unlhsh_remove(struct net *net,
			 const char *dev_name,
			 const void *addr,
			 const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info)
{
	struct netlbl_unlhsh_iface *iface;
	int rc;

	/* Only a full IPv4 or IPv6 address (and a mask of the same length,
	 * per the contract above) can be removed. */
	if (addr_len != sizeof(struct in_addr) &&
	    addr_len != sizeof(struct in6_addr))
		return -EINVAL;

	rcu_read_lock();

	/* Resolve the interface entry: a device name maps to its ifindex,
	 * no name selects the default entry kept in netlbl_unlhsh_def. */
	if (dev_name == NULL) {
		iface = rcu_dereference(netlbl_unlhsh_def);
	} else {
		struct net_device *dev = dev_get_by_name_rcu(net, dev_name);

		if (dev == NULL) {
			rc = -ENODEV;
			goto out_unlock;
		}
		iface = netlbl_unlhsh_search_iface(dev->ifindex);
	}
	if (iface == NULL) {
		rc = -ENOENT;
		goto out_unlock;
	}

	/* Dispatch on the address family; an IPv6 address on a kernel
	 * built without IPv6 falls through to -EINVAL. */
	rc = -EINVAL;
	if (addr_len == sizeof(struct in_addr))
		rc = netlbl_unlhsh_remove_addr4(net, iface, addr, mask,
						audit_info);
#if IS_ENABLED(CONFIG_IPV6)
	else if (addr_len == sizeof(struct in6_addr))
		rc = netlbl_unlhsh_remove_addr6(net, iface, addr, mask,
						audit_info);
#endif /* IPv6 */

	if (rc == 0) {
		/* The address is gone: reap the interface entry if it has
		 * no addresses left and decrement the NetLabel protocol
		 * count that the add path raised. */
		netlbl_unlhsh_condremove_iface(iface);
		atomic_dec(&netlabel_mgmt_protocount);
	}

out_unlock:
	rcu_read_unlock();
	return rc;
}
682*4882a593Smuzhiyun
683*4882a593Smuzhiyun /*
684*4882a593Smuzhiyun * General Helper Functions
685*4882a593Smuzhiyun */
686*4882a593Smuzhiyun
687*4882a593Smuzhiyun /**
688*4882a593Smuzhiyun * netlbl_unlhsh_netdev_handler - Network device notification handler
689*4882a593Smuzhiyun * @this: notifier block
690*4882a593Smuzhiyun * @event: the event
691*4882a593Smuzhiyun * @ptr: the netdevice notifier info (cast to void)
692*4882a593Smuzhiyun *
693*4882a593Smuzhiyun * Description:
694*4882a593Smuzhiyun * Handle network device events, although at present all we care about is a
695*4882a593Smuzhiyun * network device going away. In the case of a device going away we clear any
696*4882a593Smuzhiyun * related entries from the unlabeled connection hash table.
697*4882a593Smuzhiyun *
698*4882a593Smuzhiyun */
static int netlbl_unlhsh_netdev_handler(struct notifier_block *this,
					unsigned long event, void *ptr)
{
	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
	struct netlbl_unlhsh_iface *iface;

	/* The unlabeled hash table only tracks devices in init_net, so
	 * events from other network namespaces are of no interest. */
	if (!net_eq(dev_net(dev), &init_net))
		return NOTIFY_DONE;

	/* XXX - should this be a check for NETDEV_DOWN or _UNREGISTER? */
	if (event != NETDEV_DOWN)
		return NOTIFY_DONE;

	spin_lock(&netlbl_unlhsh_lock);
	iface = netlbl_unlhsh_search_iface(dev->ifindex);
	if (iface == NULL || !iface->valid) {
		spin_unlock(&netlbl_unlhsh_lock);
		return NOTIFY_DONE;
	}
	/* Unhook the entry under the lock; it is marked invalid first so
	 * RCU readers that still see it will ignore it. */
	iface->valid = 0;
	list_del_rcu(&iface->list);
	spin_unlock(&netlbl_unlhsh_lock);

	/* Free only after a grace period, outside the spinlock. */
	call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);

	return NOTIFY_DONE;
}
725*4882a593Smuzhiyun
726*4882a593Smuzhiyun /**
727*4882a593Smuzhiyun * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
728*4882a593Smuzhiyun * @value: desired value
729*4882a593Smuzhiyun * @audit_info: NetLabel audit information
730*4882a593Smuzhiyun *
731*4882a593Smuzhiyun * Description:
732*4882a593Smuzhiyun * Set the value of the unlabeled accept flag to @value.
733*4882a593Smuzhiyun *
734*4882a593Smuzhiyun */
static void netlbl_unlabel_acceptflg_set(u8 value,
					 struct netlbl_audit *audit_info)
{
	/* Capture the previous value before overwriting it so the audit
	 * record can show the transition. */
	u8 previous = netlabel_unlabel_acceptflg;
	struct audit_buffer *audit_buf;

	netlabel_unlabel_acceptflg = value;

	/* The flag change is not rolled back if no audit buffer could be
	 * obtained; only the record is dropped. */
	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
					      audit_info);
	if (audit_buf == NULL)
		return;
	audit_log_format(audit_buf,
			 " unlbl_accept=%u old=%u", value, previous);
	audit_log_end(audit_buf);
}
751*4882a593Smuzhiyun
752*4882a593Smuzhiyun /**
753*4882a593Smuzhiyun * netlbl_unlabel_addrinfo_get - Get the IPv4/6 address information
754*4882a593Smuzhiyun * @info: the Generic NETLINK info block
755*4882a593Smuzhiyun * @addr: the IP address
756*4882a593Smuzhiyun * @mask: the IP address mask
757*4882a593Smuzhiyun * @len: the address length
758*4882a593Smuzhiyun *
759*4882a593Smuzhiyun * Description:
760*4882a593Smuzhiyun * Examine the Generic NETLINK message and extract the IP address information.
761*4882a593Smuzhiyun * Returns zero on success, negative values on failure.
762*4882a593Smuzhiyun *
763*4882a593Smuzhiyun */
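static int netlbl_unlabel_addrinfo_get(struct genl_info *info,
				       void **addr,
				       void **mask,
				       u32 *len)
{
	struct nlattr *nla_addr;
	struct nlattr *nla_mask;
	u32 expected_len;

	/* Callers are expected to have rejected messages carrying both
	 * families; should both pairs nevertheless be present, the IPv4
	 * pair wins, as it always has.  The IPv6 branch now also requires
	 * the mask attribute instead of dereferencing it unconditionally. */
	if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
	    info->attrs[NLBL_UNLABEL_A_IPV4MASK]) {
		nla_addr = info->attrs[NLBL_UNLABEL_A_IPV4ADDR];
		nla_mask = info->attrs[NLBL_UNLABEL_A_IPV4MASK];
		expected_len = sizeof(struct in_addr);
	} else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR] &&
		   info->attrs[NLBL_UNLABEL_A_IPV6MASK]) {
		nla_addr = info->attrs[NLBL_UNLABEL_A_IPV6ADDR];
		nla_mask = info->attrs[NLBL_UNLABEL_A_IPV6MASK];
		expected_len = sizeof(struct in6_addr);
	} else {
		return -EINVAL;
	}

	/* Both attributes must be exactly one full address long.  The
	 * previous check combined the two conditions with '&&', so a
	 * correctly sized address was accepted together with a shorter (or
	 * longer) mask; the consumers of @addr/@mask take a single @len
	 * that covers both, so a mismatched mask must be refused here. */
	if (nla_len(nla_addr) != expected_len ||
	    nla_len(nla_mask) != expected_len)
		return -EINVAL;

	*len = expected_len;
	*addr = nla_data(nla_addr);
	*mask = nla_data(nla_mask);
	return 0;
}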
794*4882a593Smuzhiyun
795*4882a593Smuzhiyun /*
796*4882a593Smuzhiyun * NetLabel Command Handlers
797*4882a593Smuzhiyun */
798*4882a593Smuzhiyun
799*4882a593Smuzhiyun /**
800*4882a593Smuzhiyun * netlbl_unlabel_accept - Handle an ACCEPT message
801*4882a593Smuzhiyun * @skb: the NETLINK buffer
802*4882a593Smuzhiyun * @info: the Generic NETLINK info block
803*4882a593Smuzhiyun *
804*4882a593Smuzhiyun * Description:
805*4882a593Smuzhiyun * Process a user generated ACCEPT message and set the accept flag accordingly.
806*4882a593Smuzhiyun * Returns zero on success, negative values on failure.
807*4882a593Smuzhiyun *
808*4882a593Smuzhiyun */
static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
{
	struct netlbl_audit audit_info;
	u8 value;

	if (!info->attrs[NLBL_UNLABEL_A_ACPTFLG])
		return -EINVAL;

	/* The accept flag is boolean: only 0 and 1 are valid. */
	value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
	if (value > 1)
		return -EINVAL;

	/* Collect the requester's audit identity before changing state so
	 * the audit record attributes the change correctly. */
	netlbl_netlink_auditinfo(skb, &audit_info);
	netlbl_unlabel_acceptflg_set(value, &audit_info);
	return 0;
}
825*4882a593Smuzhiyun
826*4882a593Smuzhiyun /**
827*4882a593Smuzhiyun * netlbl_unlabel_list - Handle a LIST message
828*4882a593Smuzhiyun * @skb: the NETLINK buffer
829*4882a593Smuzhiyun * @info: the Generic NETLINK info block
830*4882a593Smuzhiyun *
831*4882a593Smuzhiyun * Description:
832*4882a593Smuzhiyun * Process a user generated LIST message and respond with the current status.
833*4882a593Smuzhiyun * Returns zero on success, negative values on failure.
834*4882a593Smuzhiyun *
835*4882a593Smuzhiyun */
static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
{
	struct sk_buff *ans_skb;
	void *hdr;
	int rc;

	ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (ans_skb == NULL)
		return -EINVAL;	/* historically reported as -EINVAL, not -ENOMEM */

	hdr = genlmsg_put_reply(ans_skb, info, &netlbl_unlabel_gnl_family,
				0, NLBL_UNLABEL_C_LIST);
	if (hdr == NULL) {
		rc = -ENOMEM;
		goto err_free;
	}

	rc = nla_put_u8(ans_skb, NLBL_UNLABEL_A_ACPTFLG,
			netlabel_unlabel_acceptflg);
	if (rc != 0)
		goto err_free;

	/* Ownership of @ans_skb passes to the reply path; it is not freed
	 * here regardless of the reply's outcome. */
	genlmsg_end(ans_skb, hdr);
	return genlmsg_reply(ans_skb, info);

err_free:
	kfree_skb(ans_skb);
	return rc;
}
865*4882a593Smuzhiyun
866*4882a593Smuzhiyun /**
867*4882a593Smuzhiyun * netlbl_unlabel_staticadd - Handle a STATICADD message
868*4882a593Smuzhiyun * @skb: the NETLINK buffer
869*4882a593Smuzhiyun * @info: the Generic NETLINK info block
870*4882a593Smuzhiyun *
871*4882a593Smuzhiyun * Description:
872*4882a593Smuzhiyun * Process a user generated STATICADD message and add a new unlabeled
873*4882a593Smuzhiyun * connection entry to the hash table. Returns zero on success, negative
874*4882a593Smuzhiyun * values on failure.
875*4882a593Smuzhiyun *
876*4882a593Smuzhiyun */
static int netlbl_unlabel_staticadd(struct sk_buff *skb,
				    struct genl_info *info)
{
	struct netlbl_audit audit_info;
	bool have_v4, have_v6;
	void *addr, *mask;
	u32 addr_len, secid;
	int rc;

	/* One entry carries either an IPv4 or an IPv6 address/mask pair,
	 * never both.  A user who wants both families creates two entries,
	 * one each for IPv4 and IPv6, with the same LSM security context,
	 * which achieves the same result. */
	have_v4 = info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
		  info->attrs[NLBL_UNLABEL_A_IPV4MASK];
	have_v6 = info->attrs[NLBL_UNLABEL_A_IPV6ADDR] &&
		  info->attrs[NLBL_UNLABEL_A_IPV6MASK];
	if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
	    !info->attrs[NLBL_UNLABEL_A_IFACE] ||
	    have_v4 == have_v6)
		return -EINVAL;

	netlbl_netlink_auditinfo(skb, &audit_info);

	rc = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
	if (rc != 0)
		return rc;

	/* Resolve the user-supplied security context string to a secid;
	 * the LSM decides whether the context is valid. */
	rc = security_secctx_to_secid(nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
				      nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
				      &secid);
	if (rc != 0)
		return rc;

	return netlbl_unlhsh_add(&init_net,
				 nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]),
				 addr, mask, addr_len, secid, &audit_info);
}
917*4882a593Smuzhiyun
918*4882a593Smuzhiyun /**
919*4882a593Smuzhiyun * netlbl_unlabel_staticadddef - Handle a STATICADDDEF message
920*4882a593Smuzhiyun * @skb: the NETLINK buffer
921*4882a593Smuzhiyun * @info: the Generic NETLINK info block
922*4882a593Smuzhiyun *
923*4882a593Smuzhiyun * Description:
924*4882a593Smuzhiyun * Process a user generated STATICADDDEF message and add a new default
925*4882a593Smuzhiyun * unlabeled connection entry. Returns zero on success, negative values on
926*4882a593Smuzhiyun * failure.
927*4882a593Smuzhiyun *
928*4882a593Smuzhiyun */
static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
				       struct genl_info *info)
{
	struct netlbl_audit audit_info;
	bool have_v4, have_v6;
	void *addr, *mask;
	u32 addr_len, secid;
	int rc;

	/* One entry carries either an IPv4 or an IPv6 address/mask pair,
	 * never both.  A user who wants both families creates two entries,
	 * one each for IPv4 and IPv6, with the same LSM security context,
	 * which achieves the same result. */
	have_v4 = info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
		  info->attrs[NLBL_UNLABEL_A_IPV4MASK];
	have_v6 = info->attrs[NLBL_UNLABEL_A_IPV6ADDR] &&
		  info->attrs[NLBL_UNLABEL_A_IPV6MASK];
	if (!info->attrs[NLBL_UNLABEL_A_SECCTX] || have_v4 == have_v6)
		return -EINVAL;

	netlbl_netlink_auditinfo(skb, &audit_info);

	rc = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
	if (rc != 0)
		return rc;

	/* Resolve the user-supplied security context string to a secid;
	 * the LSM decides whether the context is valid. */
	rc = security_secctx_to_secid(nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
				      nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
				      &secid);
	if (rc != 0)
		return rc;

	/* A NULL device name selects the default (interface-less) entry. */
	return netlbl_unlhsh_add(&init_net,
				 NULL, addr, mask, addr_len, secid,
				 &audit_info);
}
966*4882a593Smuzhiyun
967*4882a593Smuzhiyun /**
968*4882a593Smuzhiyun * netlbl_unlabel_staticremove - Handle a STATICREMOVE message
969*4882a593Smuzhiyun * @skb: the NETLINK buffer
970*4882a593Smuzhiyun * @info: the Generic NETLINK info block
971*4882a593Smuzhiyun *
972*4882a593Smuzhiyun * Description:
973*4882a593Smuzhiyun * Process a user generated STATICREMOVE message and remove the specified
974*4882a593Smuzhiyun * unlabeled connection entry. Returns zero on success, negative values on
975*4882a593Smuzhiyun * failure.
976*4882a593Smuzhiyun *
977*4882a593Smuzhiyun */
static int netlbl_unlabel_staticremove(struct sk_buff *skb,
				       struct genl_info *info)
{
	struct netlbl_audit audit_info;
	bool have_v4, have_v6;
	void *addr, *mask;
	u32 addr_len;
	int rc;

	/* Exactly one address family may be given; see the note in
	 * netlbl_unlabel_staticadd() about not mixing IPv4 and IPv6 in a
	 * single entry. */
	have_v4 = info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
		  info->attrs[NLBL_UNLABEL_A_IPV4MASK];
	have_v6 = info->attrs[NLBL_UNLABEL_A_IPV6ADDR] &&
		  info->attrs[NLBL_UNLABEL_A_IPV6MASK];
	if (!info->attrs[NLBL_UNLABEL_A_IFACE] || have_v4 == have_v6)
		return -EINVAL;

	netlbl_netlink_auditinfo(skb, &audit_info);

	rc = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
	if (rc != 0)
		return rc;

	return netlbl_unlhsh_remove(&init_net,
				    nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]),
				    addr, mask, addr_len, &audit_info);
}
1008*4882a593Smuzhiyun
1009*4882a593Smuzhiyun /**
1010*4882a593Smuzhiyun * netlbl_unlabel_staticremovedef - Handle a STATICREMOVEDEF message
1011*4882a593Smuzhiyun * @skb: the NETLINK buffer
1012*4882a593Smuzhiyun * @info: the Generic NETLINK info block
1013*4882a593Smuzhiyun *
1014*4882a593Smuzhiyun * Description:
1015*4882a593Smuzhiyun * Process a user generated STATICREMOVEDEF message and remove the default
1016*4882a593Smuzhiyun * unlabeled connection entry. Returns zero on success, negative values on
1017*4882a593Smuzhiyun * failure.
1018*4882a593Smuzhiyun *
1019*4882a593Smuzhiyun */
static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
					  struct genl_info *info)
{
	struct netlbl_audit audit_info;
	bool have_v4, have_v6;
	void *addr, *mask;
	u32 addr_len;
	int rc;

	/* Exactly one address family may be given; see the note in
	 * netlbl_unlabel_staticadd() about not mixing IPv4 and IPv6 in a
	 * single entry. */
	have_v4 = info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
		  info->attrs[NLBL_UNLABEL_A_IPV4MASK];
	have_v6 = info->attrs[NLBL_UNLABEL_A_IPV6ADDR] &&
		  info->attrs[NLBL_UNLABEL_A_IPV6MASK];
	if (have_v4 == have_v6)
		return -EINVAL;

	netlbl_netlink_auditinfo(skb, &audit_info);

	rc = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
	if (rc != 0)
		return rc;

	/* A NULL device name selects the default (interface-less) entry. */
	return netlbl_unlhsh_remove(&init_net,
				    NULL, addr, mask, addr_len,
				    &audit_info);
}
1047*4882a593Smuzhiyun
1048*4882a593Smuzhiyun
1049*4882a593Smuzhiyun /**
1050*4882a593Smuzhiyun * netlbl_unlabel_staticlist_gen - Generate messages for STATICLIST[DEF]
1051*4882a593Smuzhiyun * @cmd: command/message
1052*4882a593Smuzhiyun * @iface: the interface entry
1053*4882a593Smuzhiyun * @addr4: the IPv4 address entry
1054*4882a593Smuzhiyun * @addr6: the IPv6 address entry
1055*4882a593Smuzhiyun * @arg: the netlbl_unlhsh_walk_arg structure
1056*4882a593Smuzhiyun *
1057*4882a593Smuzhiyun * Description:
1058*4882a593Smuzhiyun * This function is designed to be used to generate a response for a
1059*4882a593Smuzhiyun * STATICLIST or STATICLISTDEF message. When called either @addr4 or @addr6
1060*4882a593Smuzhiyun * can be specified, not both, the other unspecified entry should be set to
1061*4882a593Smuzhiyun * NULL by the caller. Returns the size of the message on success, negative
1062*4882a593Smuzhiyun * values on failure.
1063*4882a593Smuzhiyun *
1064*4882a593Smuzhiyun */
static int netlbl_unlabel_staticlist_gen(u32 cmd,
					 const struct netlbl_unlhsh_iface *iface,
					 const struct netlbl_unlhsh_addr4 *addr4,
					 const struct netlbl_unlhsh_addr6 *addr6,
					 void *arg)
{
	struct netlbl_unlhsh_walk_arg *cb_arg = arg;
	struct sk_buff *skb = cb_arg->skb;
	void *hdr;
	char *secctx;
	u32 secctx_len;
	u32 secid;
	int rc = -ENOMEM;

	hdr = genlmsg_put(skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
			  cb_arg->seq, &netlbl_unlabel_gnl_family,
			  NLM_F_MULTI, cmd);
	if (hdr == NULL)
		goto cancel;

	/* An ifindex of zero or less marks the default entry, which has no
	 * device name to report. */
	if (iface->ifindex > 0) {
		struct net_device *dev;

		dev = dev_get_by_index(&init_net, iface->ifindex);
		if (dev == NULL) {
			rc = -ENODEV;
			goto cancel;
		}
		rc = nla_put_string(skb, NLBL_UNLABEL_A_IFACE, dev->name);
		dev_put(dev);
		if (rc != 0)
			goto cancel;
	}

	/* Exactly one of @addr4/@addr6 is expected to be set; the IPv6
	 * branch is taken, and @addr6 dereferenced, whenever @addr4 is
	 * NULL. */
	if (addr4 != NULL) {
		rc = nla_put_in_addr(skb, NLBL_UNLABEL_A_IPV4ADDR,
				     addr4->list.addr);
		if (rc != 0)
			goto cancel;
		rc = nla_put_in_addr(skb, NLBL_UNLABEL_A_IPV4MASK,
				     addr4->list.mask);
		if (rc != 0)
			goto cancel;
		secid = addr4->secid;
	} else {
		rc = nla_put_in6_addr(skb, NLBL_UNLABEL_A_IPV6ADDR,
				      &addr6->list.addr);
		if (rc != 0)
			goto cancel;
		rc = nla_put_in6_addr(skb, NLBL_UNLABEL_A_IPV6MASK,
				      &addr6->list.mask);
		if (rc != 0)
			goto cancel;
		secid = addr6->secid;
	}

	/* Convert the secid back into a context string for userspace and
	 * release the LSM-owned string once it has been copied into the
	 * message, whether or not the copy succeeded. */
	rc = security_secid_to_secctx(secid, &secctx, &secctx_len);
	if (rc != 0)
		goto cancel;
	rc = nla_put(skb, NLBL_UNLABEL_A_SECCTX, secctx_len, secctx);
	security_release_secctx(secctx, secctx_len);
	if (rc != 0)
		goto cancel;

	cb_arg->seq++;
	genlmsg_end(skb, hdr);
	return 0;

cancel:
	/* Roll back the partially built message (a NULL @hdr is tolerated). */
	genlmsg_cancel(skb, hdr);
	return rc;
}
1151*4882a593Smuzhiyun
1152*4882a593Smuzhiyun /**
1153*4882a593Smuzhiyun * netlbl_unlabel_staticlist - Handle a STATICLIST message
1154*4882a593Smuzhiyun * @skb: the NETLINK buffer
1155*4882a593Smuzhiyun * @cb: the NETLINK callback
1156*4882a593Smuzhiyun *
1157*4882a593Smuzhiyun * Description:
1158*4882a593Smuzhiyun * Process a user generated STATICLIST message and dump the unlabeled
1159*4882a593Smuzhiyun * connection hash table in a form suitable for use in a kernel generated
1160*4882a593Smuzhiyun * STATICLIST message. Returns the length of @skb.
1161*4882a593Smuzhiyun *
1162*4882a593Smuzhiyun */
static int netlbl_unlabel_staticlist(struct sk_buff *skb,
				     struct netlink_callback *cb)
{
	struct netlbl_unlhsh_walk_arg cb_arg;
	/* Resume cursor from the previous invocation of this multi-part
	 * dump: hash bucket, position within the bucket's chain, and the
	 * per-interface IPv4/IPv6 address indexes. */
	u32 skip_bkt = cb->args[0];
	u32 skip_chain = cb->args[1];
	u32 skip_addr4 = cb->args[2];
	/* iter_addr6 is declared unconditionally because it is stored back
	 * into cb->args[3] below even on a kernel without IPv6. */
	u32 iter_bkt, iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
	struct netlbl_unlhsh_iface *iface;
	struct list_head *iter_list;
	struct netlbl_af4list *addr4;
#if IS_ENABLED(CONFIG_IPV6)
	u32 skip_addr6 = cb->args[3];
	struct netlbl_af6list *addr6;
#endif

	cb_arg.nl_cb = cb;
	cb_arg.skb = skb;
	cb_arg.seq = cb->nlh->nlmsg_seq;

	/* The whole walk runs under RCU; entries are only ever unhooked
	 * with list_del_rcu() and freed after a grace period. */
	rcu_read_lock();
	for (iter_bkt = skip_bkt;
	     iter_bkt < rcu_dereference(netlbl_unlhsh)->size;
	     iter_bkt++) {
		iter_list = &rcu_dereference(netlbl_unlhsh)->tbl[iter_bkt];
		list_for_each_entry_rcu(iface, iter_list, list) {
			/* Invalidated entries (pending RCU free) are not
			 * counted towards the chain position. */
			if (!iface->valid ||
			    iter_chain++ < skip_chain)
				continue;
			netlbl_af4list_foreach_rcu(addr4,
						   &iface->addr4_list) {
				if (iter_addr4++ < skip_addr4)
					continue;
				if (netlbl_unlabel_staticlist_gen(
					      NLBL_UNLABEL_C_STATICLIST,
					      iface,
					      netlbl_unlhsh_addr4_entry(addr4),
					      NULL,
					      &cb_arg) < 0) {
					/* Entry did not fit: undo the
					 * post-increments so the next call
					 * resumes at this same entry. */
					iter_addr4--;
					iter_chain--;
					goto unlabel_staticlist_return;
				}
			}
			/* Address skipping only applies to the interface
			 * the dump was interrupted on; later interfaces
			 * start from their first address. */
			iter_addr4 = 0;
			skip_addr4 = 0;
#if IS_ENABLED(CONFIG_IPV6)
			netlbl_af6list_foreach_rcu(addr6,
						   &iface->addr6_list) {
				if (iter_addr6++ < skip_addr6)
					continue;
				if (netlbl_unlabel_staticlist_gen(
					      NLBL_UNLABEL_C_STATICLIST,
					      iface,
					      NULL,
					      netlbl_unlhsh_addr6_entry(addr6),
					      &cb_arg) < 0) {
					iter_addr6--;
					iter_chain--;
					goto unlabel_staticlist_return;
				}
			}
			iter_addr6 = 0;
			skip_addr6 = 0;
#endif /* IPv6 */
		}
		/* Likewise, chain skipping only applies to the bucket the
		 * dump was interrupted in. */
		iter_chain = 0;
		skip_chain = 0;
	}

unlabel_staticlist_return:
	rcu_read_unlock();
	/* Persist the cursor for the next invocation; netlink ends the
	 * dump once a call adds nothing to @skb. */
	cb->args[0] = iter_bkt;
	cb->args[1] = iter_chain;
	cb->args[2] = iter_addr4;
	cb->args[3] = iter_addr6;
	return skb->len;
}
1241*4882a593Smuzhiyun
1242*4882a593Smuzhiyun /**
1243*4882a593Smuzhiyun * netlbl_unlabel_staticlistdef - Handle a STATICLISTDEF message
1244*4882a593Smuzhiyun * @skb: the NETLINK buffer
1245*4882a593Smuzhiyun * @cb: the NETLINK callback
1246*4882a593Smuzhiyun *
1247*4882a593Smuzhiyun * Description:
1248*4882a593Smuzhiyun * Process a user generated STATICLISTDEF message and dump the default
1249*4882a593Smuzhiyun * unlabeled connection entry in a form suitable for use in a kernel generated
1250*4882a593Smuzhiyun * STATICLISTDEF message. Returns the length of @skb.
1251*4882a593Smuzhiyun *
1252*4882a593Smuzhiyun */
static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
					struct netlink_callback *cb)
{
	struct netlbl_unlhsh_walk_arg cb_arg;
	struct netlbl_unlhsh_iface *iface;
	struct netlbl_af4list *addr4;
	u32 pos4 = 0, pos6 = 0;
#if IS_ENABLED(CONFIG_IPV6)
	struct netlbl_af6list *addr6;
#endif

	cb_arg.nl_cb = cb;
	cb_arg.skb = skb;
	cb_arg.seq = cb->nlh->nlmsg_seq;

	rcu_read_lock();

	/* The default entry is tracked by its own pointer rather than the
	 * hash table; nothing to dump if it is absent or already marked
	 * invalid (pending RCU free). */
	iface = rcu_dereference(netlbl_unlhsh_def);
	if (iface == NULL || !iface->valid)
		goto done;

	/* cb->args[0] and cb->args[1] hold how many IPv4 and IPv6 entries
	 * an earlier call of this multi-part dump already emitted; those
	 * are skipped so the dump resumes where it stopped. */
	netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) {
		if (pos4++ < cb->args[0])
			continue;
		if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
						  iface,
						  netlbl_unlhsh_addr4_entry(addr4),
						  NULL, &cb_arg) < 0) {
			/* Did not fit: rewind so the next call retries it. */
			pos4--;
			goto done;
		}
	}
#if IS_ENABLED(CONFIG_IPV6)
	netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) {
		if (pos6++ < cb->args[1])
			continue;
		if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
						  iface, NULL,
						  netlbl_unlhsh_addr6_entry(addr6),
						  &cb_arg) < 0) {
			pos6--;
			goto done;
		}
	}
#endif /* IPv6 */

done:
	rcu_read_unlock();
	cb->args[0] = pos4;
	cb->args[1] = pos6;
	return skb->len;
}
1306*4882a593Smuzhiyun
1307*4882a593Smuzhiyun /*
1308*4882a593Smuzhiyun * NetLabel Generic NETLINK Command Definitions
1309*4882a593Smuzhiyun */
1310*4882a593Smuzhiyun
/* Generic netlink command table for the unlabeled component.
 *
 * Commands that change state carry GENL_ADMIN_PERM, so the generic netlink
 * core rejects them unless the sender has CAP_NET_ADMIN; the list/dump
 * commands carry no permission flag.  Members not named in an entry are
 * zero-initialised, i.e. no .doit or .dumpit handler. */
static const struct genl_small_ops netlbl_unlabel_genl_ops[] = {
	{
		.cmd = NLBL_UNLABEL_C_STATICADD,
		.flags = GENL_ADMIN_PERM,
		.doit = netlbl_unlabel_staticadd,
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	},
	{
		.cmd = NLBL_UNLABEL_C_STATICREMOVE,
		.flags = GENL_ADMIN_PERM,
		.doit = netlbl_unlabel_staticremove,
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	},
	{
		/* read-only dump, no permission flag */
		.cmd = NLBL_UNLABEL_C_STATICLIST,
		.dumpit = netlbl_unlabel_staticlist,
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	},
	{
		.cmd = NLBL_UNLABEL_C_STATICADDDEF,
		.flags = GENL_ADMIN_PERM,
		.doit = netlbl_unlabel_staticadddef,
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	},
	{
		.cmd = NLBL_UNLABEL_C_STATICREMOVEDEF,
		.flags = GENL_ADMIN_PERM,
		.doit = netlbl_unlabel_staticremovedef,
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	},
	{
		/* read-only dump, no permission flag */
		.cmd = NLBL_UNLABEL_C_STATICLISTDEF,
		.dumpit = netlbl_unlabel_staticlistdef,
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	},
	{
		/* toggles acceptance of unlabeled traffic: admin only */
		.cmd = NLBL_UNLABEL_C_ACCEPT,
		.flags = GENL_ADMIN_PERM,
		.doit = netlbl_unlabel_accept,
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	},
	{
		/* read-only query, no permission flag */
		.cmd = NLBL_UNLABEL_C_LIST,
		.doit = netlbl_unlabel_list,
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	},
};
1369*4882a593Smuzhiyun
/* Generic netlink family definition for the unlabeled component.
 * __ro_after_init: written once during registration, read-only afterwards.
 * Attributes are validated against netlbl_unlabel_genl_policy up to
 * NLBL_UNLABEL_A_MAX before any handler in netlbl_unlabel_genl_ops runs. */
static struct genl_family netlbl_unlabel_gnl_family __ro_after_init = {
	.name = NETLBL_NLTYPE_UNLABELED_NAME,
	.version = NETLBL_PROTO_VERSION,
	.hdrsize = 0,
	.module = THIS_MODULE,
	.policy = netlbl_unlabel_genl_policy,
	.maxattr = NLBL_UNLABEL_A_MAX,
	.small_ops = netlbl_unlabel_genl_ops,
	.n_small_ops = ARRAY_SIZE(netlbl_unlabel_genl_ops),
};
1380*4882a593Smuzhiyun
1381*4882a593Smuzhiyun /*
1382*4882a593Smuzhiyun * NetLabel Generic NETLINK Protocol Functions
1383*4882a593Smuzhiyun */
1384*4882a593Smuzhiyun
1385*4882a593Smuzhiyun /**
1386*4882a593Smuzhiyun * netlbl_unlabel_genl_init - Register the Unlabeled NetLabel component
1387*4882a593Smuzhiyun *
1388*4882a593Smuzhiyun * Description:
1389*4882a593Smuzhiyun * Register the unlabeled packet NetLabel component with the Generic NETLINK
1390*4882a593Smuzhiyun * mechanism. Returns zero on success, negative values on failure.
1391*4882a593Smuzhiyun *
1392*4882a593Smuzhiyun */
int __init netlbl_unlabel_genl_init(void)
{
	/* Register the family (and its command table) with generic netlink.
	 * Returns zero on success or the negative error from the core. */
	int rc;

	rc = genl_register_family(&netlbl_unlabel_gnl_family);
	return rc;
}
1397*4882a593Smuzhiyun
1398*4882a593Smuzhiyun /*
1399*4882a593Smuzhiyun * NetLabel KAPI Hooks
1400*4882a593Smuzhiyun */
1401*4882a593Smuzhiyun
/* Network device notifier registered by netlbl_unlabel_init(); the
 * handler is defined earlier in this file.  Presumably it drops the
 * per-interface hash entries when the device goes away -- confirm
 * against netlbl_unlhsh_netdev_handler. */
static struct notifier_block netlbl_unlhsh_netdev_notifier = {
	.notifier_call = netlbl_unlhsh_netdev_handler,
};
1405*4882a593Smuzhiyun
1406*4882a593Smuzhiyun /**
1407*4882a593Smuzhiyun * netlbl_unlabel_init - Initialize the unlabeled connection hash table
1408*4882a593Smuzhiyun * @size: the number of bits to use for the hash buckets
1409*4882a593Smuzhiyun *
1410*4882a593Smuzhiyun * Description:
1411*4882a593Smuzhiyun * Initializes the unlabeled connection hash table and registers a network
1412*4882a593Smuzhiyun * device notification handler. This function should only be called by the
1413*4882a593Smuzhiyun * NetLabel subsystem itself during initialization. Returns zero on success,
1414*4882a593Smuzhiyun * non-zero values on error.
1415*4882a593Smuzhiyun *
1416*4882a593Smuzhiyun */
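int __init netlbl_unlabel_init(u32 size)
{
	/* Allocate the unlabeled connection hash table with 1 << @size
	 * buckets, publish it for RCU readers and register the netdev
	 * notifier.  Returns zero on success, -EINVAL for an unusable @size,
	 * -ENOMEM on allocation failure, or the notifier registration error. */
	u32 iter;
	int ret_val;
	struct netlbl_unlhsh_tbl *hsh_tbl;

	/* the bucket count is 1U << size; shifting a 32-bit value by 32 or
	 * more is undefined behaviour, so reject such sizes up front */
	if (size == 0 || size >= 32)
		return -EINVAL;

	hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL);
	if (hsh_tbl == NULL)
		return -ENOMEM;
	hsh_tbl->size = 1U << size;
	/* kcalloc checks the count * element-size product for overflow */
	hsh_tbl->tbl = kcalloc(hsh_tbl->size,
			       sizeof(*hsh_tbl->tbl),
			       GFP_KERNEL);
	if (hsh_tbl->tbl == NULL) {
		kfree(hsh_tbl);
		return -ENOMEM;
	}
	for (iter = 0; iter < hsh_tbl->size; iter++)
		INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);

	spin_lock(&netlbl_unlhsh_lock);
	rcu_assign_pointer(netlbl_unlhsh, hsh_tbl);
	spin_unlock(&netlbl_unlhsh_lock);

	/* Without the notifier, per-interface entries would outlive their
	 * device, so registration failure is an init failure: unpublish
	 * the table and report the error rather than run half-initialised.
	 * NOTE(review): at __init time there should be no concurrent
	 * readers, but the RCU grace period is observed regardless. */
	ret_val = register_netdevice_notifier(&netlbl_unlhsh_netdev_notifier);
	if (ret_val != 0) {
		spin_lock(&netlbl_unlhsh_lock);
		rcu_assign_pointer(netlbl_unlhsh, NULL);
		spin_unlock(&netlbl_unlhsh_lock);
		synchronize_rcu();
		kfree(hsh_tbl->tbl);
		kfree(hsh_tbl);
		return ret_val;
	}

	return 0;
}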
1447*4882a593Smuzhiyun
1448*4882a593Smuzhiyun /**
 * netlbl_unlabel_getattr - Get the security attributes for an unlabeled packet
1450*4882a593Smuzhiyun * @skb: the packet
1451*4882a593Smuzhiyun * @family: protocol family
1452*4882a593Smuzhiyun * @secattr: the security attributes
1453*4882a593Smuzhiyun *
1454*4882a593Smuzhiyun * Description:
 * Determine the security attributes, if any, for an unlabeled packet and return
 * them in @secattr. Returns zero on success and negative values on failure.
1457*4882a593Smuzhiyun *
1458*4882a593Smuzhiyun */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
			   u16 family,
			   struct netlbl_lsm_secattr *secattr)
{
	/* Resolve the fallback label for an unlabeled packet: look up the
	 * source address in the receiving interface's static entries, or in
	 * the default entry when the interface has none.  A hit yields a
	 * secid; a miss is accepted as plain NETLBL_NLTYPE_UNLABELED only
	 * while netlabel_unlabel_acceptflg is set, otherwise -ENOMSG. */
	struct netlbl_unlhsh_iface *iface;
	bool found = false;
	u32 secid = 0;

	rcu_read_lock();
	iface = netlbl_unlhsh_search_iface(skb->skb_iif);
	if (!iface)
		iface = rcu_dereference(netlbl_unlhsh_def);
	if (iface && iface->valid) {
#if IS_ENABLED(CONFIG_IPV6)
		/* When resolving a fallback label, check the sk_buff version as
		 * it is possible (e.g. SCTP) to have family = PF_INET6 while
		 * receiving ip_hdr(skb)->version = 4.
		 */
		if (family == PF_INET6 && ip_hdr(skb)->version == 4)
			family = PF_INET;
#endif /* IPv6 */

		if (family == PF_INET) {
			struct netlbl_af4list *node4;

			node4 = netlbl_af4list_search(ip_hdr(skb)->saddr,
						      &iface->addr4_list);
			if (node4) {
				secid = netlbl_unlhsh_addr4_entry(node4)->secid;
				found = true;
			}
		}
#if IS_ENABLED(CONFIG_IPV6)
		else if (family == PF_INET6) {
			struct netlbl_af6list *node6;

			node6 = netlbl_af6list_search(&ipv6_hdr(skb)->saddr,
						      &iface->addr6_list);
			if (node6) {
				secid = netlbl_unlhsh_addr6_entry(node6)->secid;
				found = true;
			}
		}
#endif /* IPv6 */
		/* any other family is treated as unmatched */
	}
	rcu_read_unlock();

	if (found) {
		secattr->attr.secid = secid;
		secattr->flags |= NETLBL_SECATTR_SECID;
		secattr->type = NETLBL_NLTYPE_UNLABELED;
		return 0;
	}

	/* no static mapping: honour the global accept flag */
	if (netlabel_unlabel_acceptflg == 0)
		return -ENOMSG;
	secattr->type = NETLBL_NLTYPE_UNLABELED;
	return 0;
}
1524*4882a593Smuzhiyun
1525*4882a593Smuzhiyun /**
1526*4882a593Smuzhiyun * netlbl_unlabel_defconf - Set the default config to allow unlabeled packets
1527*4882a593Smuzhiyun *
1528*4882a593Smuzhiyun * Description:
1529*4882a593Smuzhiyun * Set the default NetLabel configuration to allow incoming unlabeled packets
1530*4882a593Smuzhiyun * and to send unlabeled network traffic by default.
1531*4882a593Smuzhiyun *
1532*4882a593Smuzhiyun */
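int __init netlbl_unlabel_defconf(void)
{
	/* Install the boot-time default: an AF_UNSPEC domain mapping of type
	 * NETLBL_NLTYPE_UNLABELED and acceptance of unlabeled packets.
	 * Returns zero on success, -ENOMEM on allocation failure, or the
	 * error from netlbl_domhsh_add_default(). */
	int ret_val;
	struct netlbl_dom_map *entry;
	struct netlbl_audit audit_info;

	/* Only the kernel is allowed to call this function and the only time
	 * it is called is at bootup before the audit subsystem is reporting
	 * messages so don't worry too much about these values. */
	security_task_getsecid(current, &audit_info.secid);
	audit_info.loginuid = GLOBAL_ROOT_UID;
	audit_info.sessionid = 0;

	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
	if (entry == NULL)
		return -ENOMEM;
	entry->family = AF_UNSPEC;
	entry->def.type = NETLBL_NLTYPE_UNLABELED;
	ret_val = netlbl_domhsh_add_default(entry, &audit_info);
	if (ret_val != 0) {
		/* NOTE(review): assumes the domain hash does not take
		 * ownership of @entry on failure (the caller frees) -- confirm
		 * against netlbl_domhsh_add().  The zeroed entry owns no
		 * domain string or address map, so a plain kfree suffices. */
		kfree(entry);
		return ret_val;
	}

	netlbl_unlabel_acceptflg_set(1, &audit_info);

	return 0;
}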