// SPDX-License-Identifier: GPL-2.0-only
/*
 * Network node table
 *
 * SELinux must keep a mapping of network nodes to labels/SIDs. This
 * mapping is maintained as part of the normal policy but a fast cache is
 * needed to reduce the lookup overhead since most of these queries happen on
 * a per-packet basis.
 *
 * Author: Paul Moore <paul@paul-moore.com>
 *
 * This code is heavily based on the "netif" concept originally developed by
 * James Morris <jmorris@redhat.com>
 * (see security/selinux/netif.c for more information)
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2007
 */
20*4882a593Smuzhiyun
21*4882a593Smuzhiyun #include <linux/types.h>
22*4882a593Smuzhiyun #include <linux/rcupdate.h>
23*4882a593Smuzhiyun #include <linux/list.h>
24*4882a593Smuzhiyun #include <linux/slab.h>
25*4882a593Smuzhiyun #include <linux/spinlock.h>
26*4882a593Smuzhiyun #include <linux/in.h>
27*4882a593Smuzhiyun #include <linux/in6.h>
28*4882a593Smuzhiyun #include <linux/ip.h>
29*4882a593Smuzhiyun #include <linux/ipv6.h>
30*4882a593Smuzhiyun #include <net/ip.h>
31*4882a593Smuzhiyun #include <net/ipv6.h>
32*4882a593Smuzhiyun
33*4882a593Smuzhiyun #include "netnode.h"
34*4882a593Smuzhiyun #include "objsec.h"
35*4882a593Smuzhiyun
/* number of buckets; must stay a power of two because the hash functions
 * below use (SEL_NETNODE_HASH_SIZE - 1) as a mask rather than a modulus */
#define SEL_NETNODE_HASH_SIZE 256
/* maximum entries per bucket: sel_netnode_insert() evicts the oldest entry
 * once a bucket is full.  The hash is cheap and predictable (a few address
 * bits), so this limit is what keeps a stream of colliding addresses from
 * growing a bucket without bound; the cost of collisions is cache eviction
 * and extra policy lookups, not an ever-longer list walk */
#define SEL_NETNODE_HASH_BKT_LIMIT 16

/* one hash bucket: the list of cached nodes plus its current length */
struct sel_netnode_bkt {
	/* entries currently on @list; kept at or below
	 * SEL_NETNODE_HASH_BKT_LIMIT by sel_netnode_insert(), reset by
	 * sel_netnode_flush() */
	unsigned int size;
	struct list_head list;
};

/* one cached address -> SID mapping */
struct sel_netnode {
	/* family, address and sid of the cached node (the fields this file
	 * reads are nsec.family, nsec.addr.ipv4/ipv6 and nsec.sid) */
	struct netnode_security_struct nsec;

	/* link in the owning bucket's list */
	struct list_head list;
	/* entries are released with kfree_rcu() so lockless readers that
	 * still hold a pointer are not left with freed memory */
	struct rcu_head rcu;
};

/* NOTE: we are using a combined hash table for both IPv4 and IPv6, the reason
 * for this is that I suspect most users will not make heavy use of both
 * address families at the same time so one table will usually end up wasted,
 * if this becomes a problem we can always add a hash table for each address
 * family later */

/* NOTE(review): sel_netnode_list is not referenced anywhere in this file */
static LIST_HEAD(sel_netnode_list);
/* serializes all writers (insert, flush and the slow lookup path); readers
 * on the fast path use RCU only */
static DEFINE_SPINLOCK(sel_netnode_lock);
static struct sel_netnode_bkt sel_netnode_hash[SEL_NETNODE_HASH_SIZE];
60*4882a593Smuzhiyun
/**
 * sel_netnode_hashfn_ipv4 - IPv4 hashing function for the node table
 * @addr: IPv4 address (network byte order)
 *
 * Description:
 * Return the bucket index for @addr.  Only the low bits of the stored
 * big-endian value are used, so which octet selects the bucket depends on
 * host byte order; the result is always below SEL_NETNODE_HASH_SIZE.
 *
 */
static unsigned int sel_netnode_hashfn_ipv4(__be32 addr)
{
	/* SEL_NETNODE_HASH_SIZE is a power of two, so masking is a modulus.
	 * At some point we should determine if the mismatch in byte order
	 * affects the hash function dramatically */
	const unsigned int mask = SEL_NETNODE_HASH_SIZE - 1;

	return addr & mask;
}
76*4882a593Smuzhiyun
/**
 * sel_netnode_hashfn_ipv6 - IPv6 hashing function for the node table
 * @addr: IPv6 address
 *
 * Description:
 * Return the bucket index for @addr, derived from the last 32-bit word of
 * the address only; the result is always below SEL_NETNODE_HASH_SIZE.
 *
 */
static unsigned int sel_netnode_hashfn_ipv6(const struct in6_addr *addr)
{
	/* just hash the least significant 32 bits to keep things fast (they
	 * are the most likely to be different anyway), we can revisit this
	 * later if needed */
	const unsigned int mask = SEL_NETNODE_HASH_SIZE - 1;
	unsigned int low_word = addr->s6_addr32[3];

	return low_word & mask;
}
93*4882a593Smuzhiyun
/**
 * sel_netnode_find - Search for a node record
 * @addr: IP address; an in_addr for PF_INET, an in6_addr for PF_INET6
 * @family: address family, PF_INET or PF_INET6
 *
 * Description:
 * Search the network node table and return the record matching @addr, or
 * NULL if there is none.  The bucket is walked with
 * list_for_each_entry_rcu(), so the caller must either be inside an RCU
 * read-side critical section or hold sel_netnode_lock (the two callers in
 * this file do one or the other).  Any other @family is a programming
 * error and hits BUG().
 *
 */
static struct sel_netnode *sel_netnode_find(const void *addr, u16 family)
{
	unsigned int bkt;
	struct sel_netnode *cur;

	/* pick the bucket; this switch also validates @family, so the loop
	 * below only has to tell the two supported families apart */
	switch (family) {
	case PF_INET:
		bkt = sel_netnode_hashfn_ipv4(*(const __be32 *)addr);
		break;
	case PF_INET6:
		bkt = sel_netnode_hashfn_ipv6(addr);
		break;
	default:
		BUG();
		return NULL;
	}

	list_for_each_entry_rcu(cur, &sel_netnode_hash[bkt].list, list) {
		/* IPv4 and IPv6 share one table, so the family has to match
		 * before the address bytes are compared */
		if (cur->nsec.family != family)
			continue;
		if (family == PF_INET) {
			if (cur->nsec.addr.ipv4 == *(const __be32 *)addr)
				return cur;
		} else if (ipv6_addr_equal(&cur->nsec.addr.ipv6, addr)) {
			return cur;
		}
	}

	return NULL;
}
137*4882a593Smuzhiyun
/**
 * sel_netnode_insert - Insert a new node into the table
 * @node: the new node record, fully initialised and owned by the table
 *        from now on
 *
 * Description:
 * Add @node at the head of its bucket.  If the bucket is already at
 * SEL_NETNODE_HASH_BKT_LIMIT entries, the entry at the tail (the one
 * inserted longest ago; lookups never reorder the list, so this is
 * insertion order rather than LRU) is unlinked and freed after a grace
 * period.  Must be called with sel_netnode_lock held, which is what the
 * rcu_dereference_protected() below checks.
 *
 */
static void sel_netnode_insert(struct sel_netnode *node)
{
	struct sel_netnode_bkt *bkt;
	struct sel_netnode *oldest;

	switch (node->nsec.family) {
	case PF_INET:
		bkt = &sel_netnode_hash[
			sel_netnode_hashfn_ipv4(node->nsec.addr.ipv4)];
		break;
	case PF_INET6:
		bkt = &sel_netnode_hash[
			sel_netnode_hashfn_ipv6(&node->nsec.addr.ipv6)];
		break;
	default:
		BUG();
		return;
	}

	/* publish first, then enforce the bucket bound: this keeps every
	 * bucket at or below SEL_NETNODE_HASH_BKT_LIMIT, so a stream of
	 * addresses that collide in the hash costs evictions (and policy
	 * lookups), not an unbounded list walk */
	list_add_rcu(&node->list, &bkt->list);
	if (bkt->size < SEL_NETNODE_HASH_BKT_LIMIT) {
		bkt->size++;
		return;
	}

	oldest = list_entry(rcu_dereference_protected(bkt->list.prev,
					lockdep_is_held(&sel_netnode_lock)),
			    struct sel_netnode, list);
	list_del_rcu(&oldest->list);
	/* readers on the RCU fast path may still hold @oldest */
	kfree_rcu(oldest, rcu);
}
176*4882a593Smuzhiyun
/**
 * sel_netnode_sid_slow - Lookup the SID of a network address using the policy
 * @addr: the IP address; an in_addr for PF_INET, an in6_addr for PF_INET6
 * @family: the address family, PF_INET or PF_INET6
 * @sid: node SID (output)
 *
 * Description:
 * This function determines the SID of a network address by querying the
 * security policy. The result is added to the network address table to
 * speedup future queries.  An allocation failure only means the answer is
 * not cached; the lookup itself still succeeds.  Returns zero on success,
 * negative values on failure.
 *
 */
static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
{
	int ret = 0;
	struct sel_netnode *node;
	struct sel_netnode *new = NULL;

	spin_lock_bh(&sel_netnode_lock);
	/* recheck under the lock: another CPU may have cached this address
	 * between the caller's RCU lookup and our taking the lock */
	node = sel_netnode_find(addr, family);
	if (node) {
		*sid = node->nsec.sid;
		goto out;
	}

	/* GFP_ATOMIC: a spinlock is held with BH disabled, so this must not
	 * sleep */
	new = kzalloc(sizeof(*new), GFP_ATOMIC);
	switch (family) {
	case PF_INET:
		ret = security_node_sid(&selinux_state, PF_INET,
					addr, sizeof(struct in_addr), sid);
		if (new)
			new->nsec.addr.ipv4 = *(__be32 *)addr;
		break;
	case PF_INET6:
		ret = security_node_sid(&selinux_state, PF_INET6,
					addr, sizeof(struct in6_addr), sid);
		if (new)
			new->nsec.addr.ipv6 = *(struct in6_addr *)addr;
		break;
	default:
		BUG();
		ret = -EINVAL;
		break;
	}

	/* only cache a successful answer */
	if (ret == 0 && new) {
		new->nsec.family = family;
		new->nsec.sid = *sid;
		sel_netnode_insert(new);
		new = NULL;	/* ownership moved to the table */
	}

out:
	kfree(new);	/* no-op when nothing was allocated or it was inserted */
	spin_unlock_bh(&sel_netnode_lock);
	/* not rate limited; logged once per failed policy query */
	if (unlikely(ret))
		pr_warn("SELinux: failure in %s(), unable to determine network node label\n",
			__func__);
	return ret;
}
235*4882a593Smuzhiyun
/**
 * sel_netnode_sid - Lookup the SID of a network address
 * @addr: the IP address; an in_addr for PF_INET, an in6_addr for PF_INET6
 * @family: the address family, PF_INET or PF_INET6
 * @sid: node SID (output)
 *
 * Description:
 * This function determines the SID of a network address using the fastest
 * method possible. First the address table is queried under RCU with no
 * lock taken, but if an entry can't be found then the policy is queried
 * (under sel_netnode_lock) and the result is added to the table to speedup
 * future queries. Returns zero on success, negative values on failure.
 *
 */
int sel_netnode_sid(void *addr, u16 family, u32 *sid)
{
	struct sel_netnode *hit;

	/* lockless fast path */
	rcu_read_lock();
	hit = sel_netnode_find(addr, family);
	if (hit)
		*sid = hit->nsec.sid;	/* read before leaving the RCU section */
	rcu_read_unlock();

	if (hit)
		return 0;

	/* cache miss: ask the policy and cache the answer */
	return sel_netnode_sid_slow(addr, family, sid);
}
265*4882a593Smuzhiyun
/**
 * sel_netnode_flush - Flush the entire network address table
 *
 * Description:
 * Remove all entries from the network address table and reset every
 * bucket count to zero.  Entries are freed with kfree_rcu() so lookups
 * running concurrently on the RCU fast path stay safe.  Callers outside
 * this file decide when the cached answers are no longer valid.
 *
 */
void sel_netnode_flush(void)
{
	unsigned int i;
	struct sel_netnode_bkt *bkt;
	struct sel_netnode *cur, *next;

	spin_lock_bh(&sel_netnode_lock);
	for (i = 0; i < SEL_NETNODE_HASH_SIZE; i++) {
		bkt = &sel_netnode_hash[i];
		/* _safe variant: @cur is unlinked while iterating */
		list_for_each_entry_safe(cur, next, &bkt->list, list) {
			list_del_rcu(&cur->list);
			kfree_rcu(cur, rcu);
		}
		bkt->size = 0;
	}
	spin_unlock_bh(&sel_netnode_lock);
}
289*4882a593Smuzhiyun
/**
 * sel_netnode_init - Initialise the network address table
 *
 * Description:
 * Set every bucket to an empty list with a zero count.  Does nothing when
 * selinux_enabled_boot is clear.  Always returns zero.
 *
 */
static __init int sel_netnode_init(void)
{
	int i;

	if (!selinux_enabled_boot)
		return 0;

	for (i = 0; i < SEL_NETNODE_HASH_SIZE; i++) {
		sel_netnode_hash[i].size = 0;
		INIT_LIST_HEAD(&sel_netnode_hash[i].list);
	}

	return 0;
}

__initcall(sel_netnode_init);