2 * CIPSO - Commercial IP Security Option
4 * This is an implementation of the CIPSO 2.2 protocol as specified in
5 * draft-ietf-cipso-ipsecurity-01.txt with additional tag types as found in
6 * FIPS-188, copies of both documents can be found in the Documentation
7 * directory. While CIPSO never became a full IETF RFC standard many vendors
8 * have chosen to adopt the protocol and over the years it has become a
9 * de-facto standard for labeled networking.
11 * Author: Paul Moore <paul.moore@hp.com>
16 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
18 * This program is free software; you can redistribute it and/or modify
19 * it under the terms of the GNU General Public License as published by
20 * the Free Software Foundation; either version 2 of the License, or
21 * (at your option) any later version.
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
26 * the GNU General Public License for more details.
28 * You should have received a copy of the GNU General Public License
29 * along with this program; if not, write to the Free Software
30 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
34 #include <linux/init.h>
35 #include <linux/types.h>
36 #include <linux/rcupdate.h>
37 #include <linux/list.h>
38 #include <linux/spinlock.h>
39 #include <linux/string.h>
40 #include <linux/jhash.h>
41 #include <linux/audit.h>
45 #include <net/netlabel.h>
46 #include <net/cipso_ipv4.h>
47 #include <asm/atomic.h>
49 #include <asm/unaligned.h>
51 /* List of available DOI definitions */
52 /* XXX - This currently assumes a minimal number of different DOIs in use,
53 * if in practice there are a lot of different DOIs this list should
54 * probably be turned into a hash table or something similar so we
55 * can do quick lookups. */
56 static DEFINE_SPINLOCK(cipso_v4_doi_list_lock);
57 static LIST_HEAD(cipso_v4_doi_list);
59 /* Label mapping cache */
60 int cipso_v4_cache_enabled = 1;
61 int cipso_v4_cache_bucketsize = 10;
62 #define CIPSO_V4_CACHE_BUCKETBITS 7
63 #define CIPSO_V4_CACHE_BUCKETS (1 << CIPSO_V4_CACHE_BUCKETBITS)
64 #define CIPSO_V4_CACHE_REORDERLIMIT 10
65 struct cipso_v4_map_cache_bkt {
68 struct list_head list;
70 struct cipso_v4_map_cache_entry {
75 struct netlbl_lsm_cache *lsm_data;
78 struct list_head list;
80 static struct cipso_v4_map_cache_bkt *cipso_v4_cache = NULL;
82 /* Restricted bitmap (tag #1) flags */
83 int cipso_v4_rbm_optfmt = 0;
84 int cipso_v4_rbm_strictvalid = 1;
90 /* Maximum size of the CIPSO IP option, derived from the fact that the maximum
91 * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */
92 #define CIPSO_V4_OPT_LEN_MAX 40
94 /* Length of the base CIPSO option, this includes the option type (1 byte), the
95 * option length (1 byte), and the DOI (4 bytes). */
96 #define CIPSO_V4_HDR_LEN 6
98 /* Base length of the restrictive category bitmap tag (tag #1). */
99 #define CIPSO_V4_TAG_RBM_BLEN 4
101 /* Base length of the enumerated category tag (tag #2). */
102 #define CIPSO_V4_TAG_ENUM_BLEN 4
104 /* Base length of the ranged categories bitmap tag (tag #5). */
105 #define CIPSO_V4_TAG_RNG_BLEN 4
106 /* The maximum number of category ranges permitted in the ranged category tag
107 * (tag #5). You may note that the IETF draft states that the maximum number
108 * of category ranges is 7, but if the low end of the last category range is
109 * zero then it is possibile to fit 8 category ranges because the zero should
111 #define CIPSO_V4_TAG_RNG_CAT_MAX 8
113 /* Base length of the local tag (non-standard tag).
114 * Tag definition (may change between kernel versions)
117 * +----------+----------+----------+----------+
118 * | 10000000 | 00000110 | 32-bit secid value |
119 * +----------+----------+----------+----------+
120 * | in (host byte order)|
121 * +----------+----------+
124 #define CIPSO_V4_TAG_LOC_BLEN 6
131 * cipso_v4_bitmap_walk - Walk a bitmap looking for a bit
132 * @bitmap: the bitmap
133 * @bitmap_len: length in bits
134 * @offset: starting offset
135 * @state: if non-zero, look for a set (1) bit else look for a cleared (0) bit
138 * Starting at @offset, walk the bitmap from left to right until either the
139 * desired bit is found or we reach the end. Return the bit offset, -1 if
140 * not found, or -2 if error.
142 static int cipso_v4_bitmap_walk(const unsigned char *bitmap,
149 unsigned char bitmask;
152 /* gcc always rounds to zero when doing integer division */
153 byte_offset = offset / 8;
154 byte = bitmap[byte_offset];
156 bitmask = 0x80 >> (offset % 8);
158 while (bit_spot < bitmap_len) {
159 if ((state && (byte & bitmask) == bitmask) ||
160 (state == 0 && (byte & bitmask) == 0))
166 byte = bitmap[++byte_offset];
175 * cipso_v4_bitmap_setbit - Sets a single bit in a bitmap
176 * @bitmap: the bitmap
178 * @state: if non-zero, set the bit (1) else clear the bit (0)
181 * Set a single bit in the bitmask. Returns zero on success, negative values
184 static void cipso_v4_bitmap_setbit(unsigned char *bitmap,
191 /* gcc always rounds to zero when doing integer division */
193 bitmask = 0x80 >> (bit % 8);
195 bitmap[byte_spot] |= bitmask;
197 bitmap[byte_spot] &= ~bitmask;
201 * cipso_v4_cache_entry_free - Frees a cache entry
202 * @entry: the entry to free
205 * This function frees the memory associated with a cache entry including the
206 * LSM cache data if there are no longer any users, i.e. reference count == 0.
209 static void cipso_v4_cache_entry_free(struct cipso_v4_map_cache_entry *entry)
212 netlbl_secattr_cache_free(entry->lsm_data);
218 * cipso_v4_map_cache_hash - Hashing function for the CIPSO cache
220 * @key_len: the length of the key in bytes
223 * The CIPSO tag hashing function. Returns a 32-bit hash value.
226 static u32 cipso_v4_map_cache_hash(const unsigned char *key, u32 key_len)
228 return jhash(key, key_len, 0);
232 * Label Mapping Cache Functions
236 * cipso_v4_cache_init - Initialize the CIPSO cache
239 * Initializes the CIPSO label mapping cache, this function should be called
240 * before any of the other functions defined in this file. Returns zero on
241 * success, negative values on error.
244 static int cipso_v4_cache_init(void)
248 cipso_v4_cache = kcalloc(CIPSO_V4_CACHE_BUCKETS,
249 sizeof(struct cipso_v4_map_cache_bkt),
251 if (cipso_v4_cache == NULL)
254 for (iter = 0; iter < CIPSO_V4_CACHE_BUCKETS; iter++) {
255 spin_lock_init(&cipso_v4_cache[iter].lock);
256 cipso_v4_cache[iter].size = 0;
257 INIT_LIST_HEAD(&cipso_v4_cache[iter].list);
264 * cipso_v4_cache_invalidate - Invalidates the current CIPSO cache
267 * Invalidates and frees any entries in the CIPSO cache. Returns zero on
268 * success and negative values on failure.
271 void cipso_v4_cache_invalidate(void)
273 struct cipso_v4_map_cache_entry *entry, *tmp_entry;
276 for (iter = 0; iter < CIPSO_V4_CACHE_BUCKETS; iter++) {
277 spin_lock_bh(&cipso_v4_cache[iter].lock);
278 list_for_each_entry_safe(entry,
280 &cipso_v4_cache[iter].list, list) {
281 list_del(&entry->list);
282 cipso_v4_cache_entry_free(entry);
284 cipso_v4_cache[iter].size = 0;
285 spin_unlock_bh(&cipso_v4_cache[iter].lock);
292 * cipso_v4_cache_check - Check the CIPSO cache for a label mapping
293 * @key: the buffer to check
294 * @key_len: buffer length in bytes
295 * @secattr: the security attribute struct to use
298 * This function checks the cache to see if a label mapping already exists for
299 * the given key. If there is a match then the cache is adjusted and the
300 * @secattr struct is populated with the correct LSM security attributes. The
301 * cache is adjusted in the following manner if the entry is not already the
302 * first in the cache bucket:
304 * 1. The cache entry's activity counter is incremented
305 * 2. The previous (higher ranking) entry's activity counter is decremented
306 * 3. If the difference between the two activity counters is geater than
307 * CIPSO_V4_CACHE_REORDERLIMIT the two entries are swapped
309 * Returns zero on success, -ENOENT for a cache miss, and other negative values
313 static int cipso_v4_cache_check(const unsigned char *key,
315 struct netlbl_lsm_secattr *secattr)
318 struct cipso_v4_map_cache_entry *entry;
319 struct cipso_v4_map_cache_entry *prev_entry = NULL;
322 if (!cipso_v4_cache_enabled)
325 hash = cipso_v4_map_cache_hash(key, key_len);
326 bkt = hash & (CIPSO_V4_CACHE_BUCKETS - 1);
327 spin_lock_bh(&cipso_v4_cache[bkt].lock);
328 list_for_each_entry(entry, &cipso_v4_cache[bkt].list, list) {
329 if (entry->hash == hash &&
330 entry->key_len == key_len &&
331 memcmp(entry->key, key, key_len) == 0) {
332 entry->activity += 1;
333 atomic_inc(&entry->lsm_data->refcount);
334 secattr->cache = entry->lsm_data;
335 secattr->flags |= NETLBL_SECATTR_CACHE;
336 secattr->type = NETLBL_NLTYPE_CIPSOV4;
337 if (prev_entry == NULL) {
338 spin_unlock_bh(&cipso_v4_cache[bkt].lock);
342 if (prev_entry->activity > 0)
343 prev_entry->activity -= 1;
344 if (entry->activity > prev_entry->activity &&
345 entry->activity - prev_entry->activity >
346 CIPSO_V4_CACHE_REORDERLIMIT) {
347 __list_del(entry->list.prev, entry->list.next);
348 __list_add(&entry->list,
349 prev_entry->list.prev,
353 spin_unlock_bh(&cipso_v4_cache[bkt].lock);
358 spin_unlock_bh(&cipso_v4_cache[bkt].lock);
364 * cipso_v4_cache_add - Add an entry to the CIPSO cache
366 * @secattr: the packet's security attributes
369 * Add a new entry into the CIPSO label mapping cache. Add the new entry to
370 * head of the cache bucket's list, if the cache bucket is out of room remove
371 * the last entry in the list first. It is important to note that there is
372 * currently no checking for duplicate keys. Returns zero on success,
373 * negative values on failure.
376 int cipso_v4_cache_add(const struct sk_buff *skb,
377 const struct netlbl_lsm_secattr *secattr)
379 int ret_val = -EPERM;
381 struct cipso_v4_map_cache_entry *entry = NULL;
382 struct cipso_v4_map_cache_entry *old_entry = NULL;
383 unsigned char *cipso_ptr;
386 if (!cipso_v4_cache_enabled || cipso_v4_cache_bucketsize <= 0)
389 cipso_ptr = CIPSO_V4_OPTPTR(skb);
390 cipso_ptr_len = cipso_ptr[1];
392 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
395 entry->key = kmemdup(cipso_ptr, cipso_ptr_len, GFP_ATOMIC);
396 if (entry->key == NULL) {
398 goto cache_add_failure;
400 entry->key_len = cipso_ptr_len;
401 entry->hash = cipso_v4_map_cache_hash(cipso_ptr, cipso_ptr_len);
402 atomic_inc(&secattr->cache->refcount);
403 entry->lsm_data = secattr->cache;
405 bkt = entry->hash & (CIPSO_V4_CACHE_BUCKETS - 1);
406 spin_lock_bh(&cipso_v4_cache[bkt].lock);
407 if (cipso_v4_cache[bkt].size < cipso_v4_cache_bucketsize) {
408 list_add(&entry->list, &cipso_v4_cache[bkt].list);
409 cipso_v4_cache[bkt].size += 1;
411 old_entry = list_entry(cipso_v4_cache[bkt].list.prev,
412 struct cipso_v4_map_cache_entry, list);
413 list_del(&old_entry->list);
414 list_add(&entry->list, &cipso_v4_cache[bkt].list);
415 cipso_v4_cache_entry_free(old_entry);
417 spin_unlock_bh(&cipso_v4_cache[bkt].lock);
423 cipso_v4_cache_entry_free(entry);
432 * cipso_v4_doi_search - Searches for a DOI definition
433 * @doi: the DOI to search for
436 * Search the DOI definition list for a DOI definition with a DOI value that
437 * matches @doi. The caller is responsibile for calling rcu_read_[un]lock().
438 * Returns a pointer to the DOI definition on success and NULL on failure.
440 static struct cipso_v4_doi *cipso_v4_doi_search(u32 doi)
442 struct cipso_v4_doi *iter;
444 list_for_each_entry_rcu(iter, &cipso_v4_doi_list, list)
445 if (iter->doi == doi && atomic_read(&iter->refcount))
451 * cipso_v4_doi_add - Add a new DOI to the CIPSO protocol engine
452 * @doi_def: the DOI structure
453 * @audit_info: NetLabel audit information
456 * The caller defines a new DOI for use by the CIPSO engine and calls this
457 * function to add it to the list of acceptable domains. The caller must
458 * ensure that the mapping table specified in @doi_def->map meets all of the
459 * requirements of the mapping type (see cipso_ipv4.h for details). Returns
460 * zero on success and non-zero on failure.
463 int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
464 struct netlbl_audit *audit_info)
466 int ret_val = -EINVAL;
470 struct audit_buffer *audit_buf;
473 doi_type = doi_def->type;
475 if (doi_def == NULL || doi_def->doi == CIPSO_V4_DOI_UNKNOWN)
477 for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) {
478 switch (doi_def->tags[iter]) {
479 case CIPSO_V4_TAG_RBITMAP:
481 case CIPSO_V4_TAG_RANGE:
482 case CIPSO_V4_TAG_ENUM:
483 if (doi_def->type != CIPSO_V4_MAP_PASS)
486 case CIPSO_V4_TAG_LOCAL:
487 if (doi_def->type != CIPSO_V4_MAP_LOCAL)
490 case CIPSO_V4_TAG_INVALID:
499 atomic_set(&doi_def->refcount, 1);
501 spin_lock(&cipso_v4_doi_list_lock);
502 if (cipso_v4_doi_search(doi_def->doi) != NULL) {
503 spin_unlock(&cipso_v4_doi_list_lock);
507 list_add_tail_rcu(&doi_def->list, &cipso_v4_doi_list);
508 spin_unlock(&cipso_v4_doi_list_lock);
512 audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_ADD, audit_info);
513 if (audit_buf != NULL) {
514 const char *type_str;
516 case CIPSO_V4_MAP_TRANS:
519 case CIPSO_V4_MAP_PASS:
522 case CIPSO_V4_MAP_LOCAL:
526 type_str = "(unknown)";
528 audit_log_format(audit_buf,
529 " cipso_doi=%u cipso_type=%s res=%u",
530 doi, type_str, ret_val == 0 ? 1 : 0);
531 audit_log_end(audit_buf);
538 * cipso_v4_doi_free - Frees a DOI definition
539 * @entry: the entry's RCU field
542 * This function frees all of the memory associated with a DOI definition.
545 void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
550 switch (doi_def->type) {
551 case CIPSO_V4_MAP_TRANS:
552 kfree(doi_def->map.std->lvl.cipso);
553 kfree(doi_def->map.std->lvl.local);
554 kfree(doi_def->map.std->cat.cipso);
555 kfree(doi_def->map.std->cat.local);
562 * cipso_v4_doi_free_rcu - Frees a DOI definition via the RCU pointer
563 * @entry: the entry's RCU field
566 * This function is designed to be used as a callback to the call_rcu()
567 * function so that the memory allocated to the DOI definition can be released
571 static void cipso_v4_doi_free_rcu(struct rcu_head *entry)
573 struct cipso_v4_doi *doi_def;
575 doi_def = container_of(entry, struct cipso_v4_doi, rcu);
576 cipso_v4_doi_free(doi_def);
580 * cipso_v4_doi_remove - Remove an existing DOI from the CIPSO protocol engine
581 * @doi: the DOI value
582 * @audit_secid: the LSM secid to use in the audit message
585 * Removes a DOI definition from the CIPSO engine. The NetLabel routines will
586 * be called to release their own LSM domain mappings as well as our own
587 * domain list. Returns zero on success and negative values on failure.
590 int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info)
593 struct cipso_v4_doi *doi_def;
594 struct audit_buffer *audit_buf;
596 spin_lock(&cipso_v4_doi_list_lock);
597 doi_def = cipso_v4_doi_search(doi);
598 if (doi_def == NULL) {
599 spin_unlock(&cipso_v4_doi_list_lock);
601 goto doi_remove_return;
603 if (!atomic_dec_and_test(&doi_def->refcount)) {
604 spin_unlock(&cipso_v4_doi_list_lock);
606 goto doi_remove_return;
608 list_del_rcu(&doi_def->list);
609 spin_unlock(&cipso_v4_doi_list_lock);
611 cipso_v4_cache_invalidate();
612 call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);
616 audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_DEL, audit_info);
617 if (audit_buf != NULL) {
618 audit_log_format(audit_buf,
619 " cipso_doi=%u res=%u",
620 doi, ret_val == 0 ? 1 : 0);
621 audit_log_end(audit_buf);
628 * cipso_v4_doi_getdef - Returns a reference to a valid DOI definition
629 * @doi: the DOI value
632 * Searches for a valid DOI definition and if one is found it is returned to
633 * the caller. Otherwise NULL is returned. The caller must ensure that
634 * rcu_read_lock() is held while accessing the returned definition and the DOI
635 * definition reference count is decremented when the caller is done.
638 struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
640 struct cipso_v4_doi *doi_def;
643 doi_def = cipso_v4_doi_search(doi);
645 goto doi_getdef_return;
646 if (!atomic_inc_not_zero(&doi_def->refcount))
655 * cipso_v4_doi_putdef - Releases a reference for the given DOI definition
656 * @doi_def: the DOI definition
659 * Releases a DOI definition reference obtained from cipso_v4_doi_getdef().
662 void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def)
667 if (!atomic_dec_and_test(&doi_def->refcount))
669 spin_lock(&cipso_v4_doi_list_lock);
670 list_del_rcu(&doi_def->list);
671 spin_unlock(&cipso_v4_doi_list_lock);
673 cipso_v4_cache_invalidate();
674 call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);
678 * cipso_v4_doi_walk - Iterate through the DOI definitions
679 * @skip_cnt: skip past this number of DOI definitions, updated
680 * @callback: callback for each DOI definition
681 * @cb_arg: argument for the callback function
684 * Iterate over the DOI definition list, skipping the first @skip_cnt entries.
685 * For each entry call @callback, if @callback returns a negative value stop
686 * 'walking' through the list and return. Updates the value in @skip_cnt upon
687 * return. Returns zero on success, negative values on failure.
690 int cipso_v4_doi_walk(u32 *skip_cnt,
691 int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
694 int ret_val = -ENOENT;
696 struct cipso_v4_doi *iter_doi;
699 list_for_each_entry_rcu(iter_doi, &cipso_v4_doi_list, list)
700 if (atomic_read(&iter_doi->refcount) > 0) {
701 if (doi_cnt++ < *skip_cnt)
703 ret_val = callback(iter_doi, cb_arg);
706 goto doi_walk_return;
717 * Label Mapping Functions
721 * cipso_v4_map_lvl_valid - Checks to see if the given level is understood
722 * @doi_def: the DOI definition
723 * @level: the level to check
726 * Checks the given level against the given DOI definition and returns a
727 * negative value if the level does not have a valid mapping and a zero value
728 * if the level is defined by the DOI.
731 static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def, u8 level)
733 switch (doi_def->type) {
734 case CIPSO_V4_MAP_PASS:
736 case CIPSO_V4_MAP_TRANS:
737 if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)
746 * cipso_v4_map_lvl_hton - Perform a level mapping from the host to the network
747 * @doi_def: the DOI definition
748 * @host_lvl: the host MLS level
749 * @net_lvl: the network/CIPSO MLS level
752 * Perform a label mapping to translate a local MLS level to the correct
753 * CIPSO level using the given DOI definition. Returns zero on success,
754 * negative values otherwise.
757 static int cipso_v4_map_lvl_hton(const struct cipso_v4_doi *doi_def,
761 switch (doi_def->type) {
762 case CIPSO_V4_MAP_PASS:
765 case CIPSO_V4_MAP_TRANS:
766 if (host_lvl < doi_def->map.std->lvl.local_size &&
767 doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
768 *net_lvl = doi_def->map.std->lvl.local[host_lvl];
778 * cipso_v4_map_lvl_ntoh - Perform a level mapping from the network to the host
779 * @doi_def: the DOI definition
780 * @net_lvl: the network/CIPSO MLS level
781 * @host_lvl: the host MLS level
784 * Perform a label mapping to translate a CIPSO level to the correct local MLS
785 * level using the given DOI definition. Returns zero on success, negative
789 static int cipso_v4_map_lvl_ntoh(const struct cipso_v4_doi *doi_def,
793 struct cipso_v4_std_map_tbl *map_tbl;
795 switch (doi_def->type) {
796 case CIPSO_V4_MAP_PASS:
799 case CIPSO_V4_MAP_TRANS:
800 map_tbl = doi_def->map.std;
801 if (net_lvl < map_tbl->lvl.cipso_size &&
802 map_tbl->lvl.cipso[net_lvl] < CIPSO_V4_INV_LVL) {
803 *host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
813 * cipso_v4_map_cat_rbm_valid - Checks to see if the category bitmap is valid
814 * @doi_def: the DOI definition
815 * @bitmap: category bitmap
816 * @bitmap_len: bitmap length in bytes
819 * Checks the given category bitmap against the given DOI definition and
820 * returns a negative value if any of the categories in the bitmap do not have
821 * a valid mapping and a zero value if all of the categories are valid.
824 static int cipso_v4_map_cat_rbm_valid(const struct cipso_v4_doi *doi_def,
825 const unsigned char *bitmap,
829 u32 bitmap_len_bits = bitmap_len * 8;
833 switch (doi_def->type) {
834 case CIPSO_V4_MAP_PASS:
836 case CIPSO_V4_MAP_TRANS:
837 cipso_cat_size = doi_def->map.std->cat.cipso_size;
838 cipso_array = doi_def->map.std->cat.cipso;
840 cat = cipso_v4_bitmap_walk(bitmap,
846 if (cat >= cipso_cat_size ||
847 cipso_array[cat] >= CIPSO_V4_INV_CAT)
860 * cipso_v4_map_cat_rbm_hton - Perform a category mapping from host to network
861 * @doi_def: the DOI definition
862 * @secattr: the security attributes
863 * @net_cat: the zero'd out category bitmap in network/CIPSO format
864 * @net_cat_len: the length of the CIPSO bitmap in bytes
867 * Perform a label mapping to translate a local MLS category bitmap to the
868 * correct CIPSO bitmap using the given DOI definition. Returns the minimum
869 * size in bytes of the network bitmap on success, negative values otherwise.
872 static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def,
873 const struct netlbl_lsm_secattr *secattr,
874 unsigned char *net_cat,
878 u32 net_spot = CIPSO_V4_INV_CAT;
879 u32 net_spot_max = 0;
880 u32 net_clen_bits = net_cat_len * 8;
881 u32 host_cat_size = 0;
882 u32 *host_cat_array = NULL;
884 if (doi_def->type == CIPSO_V4_MAP_TRANS) {
885 host_cat_size = doi_def->map.std->cat.local_size;
886 host_cat_array = doi_def->map.std->cat.local;
890 host_spot = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
895 switch (doi_def->type) {
896 case CIPSO_V4_MAP_PASS:
897 net_spot = host_spot;
899 case CIPSO_V4_MAP_TRANS:
900 if (host_spot >= host_cat_size)
902 net_spot = host_cat_array[host_spot];
903 if (net_spot >= CIPSO_V4_INV_CAT)
907 if (net_spot >= net_clen_bits)
909 cipso_v4_bitmap_setbit(net_cat, net_spot, 1);
911 if (net_spot > net_spot_max)
912 net_spot_max = net_spot;
915 if (++net_spot_max % 8)
916 return net_spot_max / 8 + 1;
917 return net_spot_max / 8;
921 * cipso_v4_map_cat_rbm_ntoh - Perform a category mapping from network to host
922 * @doi_def: the DOI definition
923 * @net_cat: the category bitmap in network/CIPSO format
924 * @net_cat_len: the length of the CIPSO bitmap in bytes
925 * @secattr: the security attributes
928 * Perform a label mapping to translate a CIPSO bitmap to the correct local
929 * MLS category bitmap using the given DOI definition. Returns zero on
930 * success, negative values on failure.
933 static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def,
934 const unsigned char *net_cat,
936 struct netlbl_lsm_secattr *secattr)
940 u32 host_spot = CIPSO_V4_INV_CAT;
941 u32 net_clen_bits = net_cat_len * 8;
942 u32 net_cat_size = 0;
943 u32 *net_cat_array = NULL;
945 if (doi_def->type == CIPSO_V4_MAP_TRANS) {
946 net_cat_size = doi_def->map.std->cat.cipso_size;
947 net_cat_array = doi_def->map.std->cat.cipso;
951 net_spot = cipso_v4_bitmap_walk(net_cat,
961 switch (doi_def->type) {
962 case CIPSO_V4_MAP_PASS:
963 host_spot = net_spot;
965 case CIPSO_V4_MAP_TRANS:
966 if (net_spot >= net_cat_size)
968 host_spot = net_cat_array[net_spot];
969 if (host_spot >= CIPSO_V4_INV_CAT)
973 ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat,
984 * cipso_v4_map_cat_enum_valid - Checks to see if the categories are valid
985 * @doi_def: the DOI definition
986 * @enumcat: category list
987 * @enumcat_len: length of the category list in bytes
990 * Checks the given categories against the given DOI definition and returns a
991 * negative value if any of the categories do not have a valid mapping and a
992 * zero value if all of the categories are valid.
995 static int cipso_v4_map_cat_enum_valid(const struct cipso_v4_doi *doi_def,
996 const unsigned char *enumcat,
1003 if (doi_def->type != CIPSO_V4_MAP_PASS || enumcat_len & 0x01)
1006 for (iter = 0; iter < enumcat_len; iter += 2) {
1007 cat = get_unaligned_be16(&enumcat[iter]);
1008 if (cat <= cat_prev)
1017 * cipso_v4_map_cat_enum_hton - Perform a category mapping from host to network
1018 * @doi_def: the DOI definition
1019 * @secattr: the security attributes
1020 * @net_cat: the zero'd out category list in network/CIPSO format
1021 * @net_cat_len: the length of the CIPSO category list in bytes
1024 * Perform a label mapping to translate a local MLS category bitmap to the
1025 * correct CIPSO category list using the given DOI definition. Returns the
1026 * size in bytes of the network category bitmap on success, negative values
1030 static int cipso_v4_map_cat_enum_hton(const struct cipso_v4_doi *doi_def,
1031 const struct netlbl_lsm_secattr *secattr,
1032 unsigned char *net_cat,
1039 cat = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
1043 if ((cat_iter + 2) > net_cat_len)
1046 *((__be16 *)&net_cat[cat_iter]) = htons(cat);
1054 * cipso_v4_map_cat_enum_ntoh - Perform a category mapping from network to host
1055 * @doi_def: the DOI definition
1056 * @net_cat: the category list in network/CIPSO format
1057 * @net_cat_len: the length of the CIPSO bitmap in bytes
1058 * @secattr: the security attributes
1061 * Perform a label mapping to translate a CIPSO category list to the correct
1062 * local MLS category bitmap using the given DOI definition. Returns zero on
1063 * success, negative values on failure.
1066 static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def,
1067 const unsigned char *net_cat,
1069 struct netlbl_lsm_secattr *secattr)
1074 for (iter = 0; iter < net_cat_len; iter += 2) {
1075 ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat,
1076 get_unaligned_be16(&net_cat[iter]),
1086 * cipso_v4_map_cat_rng_valid - Checks to see if the categories are valid
1087 * @doi_def: the DOI definition
1088 * @rngcat: category list
1089 * @rngcat_len: length of the category list in bytes
1092 * Checks the given categories against the given DOI definition and returns a
1093 * negative value if any of the categories do not have a valid mapping and a
1094 * zero value if all of the categories are valid.
1097 static int cipso_v4_map_cat_rng_valid(const struct cipso_v4_doi *doi_def,
1098 const unsigned char *rngcat,
1103 u32 cat_prev = CIPSO_V4_MAX_REM_CATS + 1;
1106 if (doi_def->type != CIPSO_V4_MAP_PASS || rngcat_len & 0x01)
1109 for (iter = 0; iter < rngcat_len; iter += 4) {
1110 cat_high = get_unaligned_be16(&rngcat[iter]);
1111 if ((iter + 4) <= rngcat_len)
1112 cat_low = get_unaligned_be16(&rngcat[iter + 2]);
1116 if (cat_high > cat_prev)
1126 * cipso_v4_map_cat_rng_hton - Perform a category mapping from host to network
1127 * @doi_def: the DOI definition
1128 * @secattr: the security attributes
1129 * @net_cat: the zero'd out category list in network/CIPSO format
1130 * @net_cat_len: the length of the CIPSO category list in bytes
1133 * Perform a label mapping to translate a local MLS category bitmap to the
1134 * correct CIPSO category list using the given DOI definition. Returns the
1135 * size in bytes of the network category bitmap on success, negative values
1139 static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
1140 const struct netlbl_lsm_secattr *secattr,
1141 unsigned char *net_cat,
1145 u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2];
1149 /* make sure we don't overflow the 'array[]' variable */
1151 (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN))
1155 iter = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
1159 cat_size += (iter == 0 ? 0 : sizeof(u16));
1160 if (cat_size > net_cat_len)
1162 array[array_cnt++] = iter;
1164 iter = netlbl_secattr_catmap_walk_rng(secattr->attr.mls.cat,
1168 cat_size += sizeof(u16);
1169 if (cat_size > net_cat_len)
1171 array[array_cnt++] = iter;
1174 for (iter = 0; array_cnt > 0;) {
1175 *((__be16 *)&net_cat[iter]) = htons(array[--array_cnt]);
1178 if (array[array_cnt] != 0) {
1179 *((__be16 *)&net_cat[iter]) = htons(array[array_cnt]);
1188 * cipso_v4_map_cat_rng_ntoh - Perform a category mapping from network to host
1189 * @doi_def: the DOI definition
1190 * @net_cat: the category list in network/CIPSO format
1191 * @net_cat_len: the length of the CIPSO bitmap in bytes
1192 * @secattr: the security attributes
1195 * Perform a label mapping to translate a CIPSO category list to the correct
1196 * local MLS category bitmap using the given DOI definition. Returns zero on
1197 * success, negative values on failure.
1200 static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,
1201 const unsigned char *net_cat,
1203 struct netlbl_lsm_secattr *secattr)
1210 for (net_iter = 0; net_iter < net_cat_len; net_iter += 4) {
1211 cat_high = get_unaligned_be16(&net_cat[net_iter]);
1212 if ((net_iter + 4) <= net_cat_len)
1213 cat_low = get_unaligned_be16(&net_cat[net_iter + 2]);
1217 ret_val = netlbl_secattr_catmap_setrng(secattr->attr.mls.cat,
1229 * Protocol Handling Functions
1233 * cipso_v4_gentag_hdr - Generate a CIPSO option header
1234 * @doi_def: the DOI definition
1235 * @len: the total tag length in bytes, not including this header
1236 * @buf: the CIPSO option buffer
1239 * Write a CIPSO header into the beginning of @buffer.
1242 static void cipso_v4_gentag_hdr(const struct cipso_v4_doi *doi_def,
1246 buf[0] = IPOPT_CIPSO;
1247 buf[1] = CIPSO_V4_HDR_LEN + len;
1248 *(__be32 *)&buf[2] = htonl(doi_def->doi);
1252 * cipso_v4_gentag_rbm - Generate a CIPSO restricted bitmap tag (type #1)
1253 * @doi_def: the DOI definition
1254 * @secattr: the security attributes
1255 * @buffer: the option buffer
1256 * @buffer_len: length of buffer in bytes
1259 * Generate a CIPSO option using the restricted bitmap tag, tag type #1. The
1260 * actual buffer length may be larger than the indicated size due to
1261 * translation between host and network category bitmaps. Returns the size of
1262 * the tag on success, negative values on failure.
1265 static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
1266 const struct netlbl_lsm_secattr *secattr,
1267 unsigned char *buffer,
1274 if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
1277 ret_val = cipso_v4_map_lvl_hton(doi_def,
1278 secattr->attr.mls.lvl,
1283 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
1284 ret_val = cipso_v4_map_cat_rbm_hton(doi_def,
1291 /* This will send packets using the "optimized" format when
1292 * possibile as specified in section 3.4.2.6 of the
1294 if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10)
1297 tag_len = 4 + ret_val;
1301 buffer[0] = CIPSO_V4_TAG_RBITMAP;
1302 buffer[1] = tag_len;
1309 * cipso_v4_parsetag_rbm - Parse a CIPSO restricted bitmap tag
1310 * @doi_def: the DOI definition
1311 * @tag: the CIPSO tag
1312 * @secattr: the security attributes
1315 * Parse a CIPSO restricted bitmap tag (tag type #1) and return the security
1316 * attributes in @secattr. Return zero on success, negatives values on
1320 static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
1321 const unsigned char *tag,
1322 struct netlbl_lsm_secattr *secattr)
1325 u8 tag_len = tag[1];
1328 ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);
1331 secattr->attr.mls.lvl = level;
1332 secattr->flags |= NETLBL_SECATTR_MLS_LVL;
1335 secattr->attr.mls.cat =
1336 netlbl_secattr_catmap_alloc(GFP_ATOMIC);
1337 if (secattr->attr.mls.cat == NULL)
1340 ret_val = cipso_v4_map_cat_rbm_ntoh(doi_def,
1345 netlbl_secattr_catmap_free(secattr->attr.mls.cat);
1349 secattr->flags |= NETLBL_SECATTR_MLS_CAT;
1356 * cipso_v4_gentag_enum - Generate a CIPSO enumerated tag (type #2)
1357 * @doi_def: the DOI definition
1358 * @secattr: the security attributes
1359 * @buffer: the option buffer
1360 * @buffer_len: length of buffer in bytes
1363 * Generate a CIPSO option using the enumerated tag, tag type #2. Returns the
1364 * size of the tag on success, negative values on failure.
1367 static int cipso_v4_gentag_enum(const struct cipso_v4_doi *doi_def,
1368 const struct netlbl_lsm_secattr *secattr,
1369 unsigned char *buffer,
1376 if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL))
1379 ret_val = cipso_v4_map_lvl_hton(doi_def,
1380 secattr->attr.mls.lvl,
1385 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
1386 ret_val = cipso_v4_map_cat_enum_hton(doi_def,
1393 tag_len = 4 + ret_val;
1397 buffer[0] = CIPSO_V4_TAG_ENUM;
1398 buffer[1] = tag_len;
1405 * cipso_v4_parsetag_enum - Parse a CIPSO enumerated tag
1406 * @doi_def: the DOI definition
1407 * @tag: the CIPSO tag
1408 * @secattr: the security attributes
1411 * Parse a CIPSO enumerated tag (tag type #2) and return the security
1412 * attributes in @secattr. Return zero on success, negatives values on
1416 static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def,
1417 const unsigned char *tag,
1418 struct netlbl_lsm_secattr *secattr)
1421 u8 tag_len = tag[1];
1424 ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);
1427 secattr->attr.mls.lvl = level;
1428 secattr->flags |= NETLBL_SECATTR_MLS_LVL;
1431 secattr->attr.mls.cat =
1432 netlbl_secattr_catmap_alloc(GFP_ATOMIC);
1433 if (secattr->attr.mls.cat == NULL)
1436 ret_val = cipso_v4_map_cat_enum_ntoh(doi_def,
1441 netlbl_secattr_catmap_free(secattr->attr.mls.cat);
1445 secattr->flags |= NETLBL_SECATTR_MLS_CAT;
1452 * cipso_v4_gentag_rng - Generate a CIPSO ranged tag (type #5)
1453 * @doi_def: the DOI definition
1454 * @secattr: the security attributes
1455 * @buffer: the option buffer
1456 * @buffer_len: length of buffer in bytes
1459 * Generate a CIPSO option using the ranged tag, tag type #5. Returns the
1460 * size of the tag on success, negative values on failure.
1463 static int cipso_v4_gentag_rng(const struct cipso_v4_doi *doi_def,
1464 const struct netlbl_lsm_secattr *secattr,
1465 unsigned char *buffer,
1472 if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL))
1475 ret_val = cipso_v4_map_lvl_hton(doi_def,
1476 secattr->attr.mls.lvl,
1481 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
1482 ret_val = cipso_v4_map_cat_rng_hton(doi_def,
1489 tag_len = 4 + ret_val;
1493 buffer[0] = CIPSO_V4_TAG_RANGE;
1494 buffer[1] = tag_len;
1501 * cipso_v4_parsetag_rng - Parse a CIPSO ranged tag
1502 * @doi_def: the DOI definition
1503 * @tag: the CIPSO tag
1504 * @secattr: the security attributes
1507 * Parse a CIPSO ranged tag (tag type #5) and return the security attributes
1508 * in @secattr. Return zero on success, negatives values on failure.
1511 static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
1512 const unsigned char *tag,
1513 struct netlbl_lsm_secattr *secattr)
1516 u8 tag_len = tag[1];
1519 ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);
1522 secattr->attr.mls.lvl = level;
1523 secattr->flags |= NETLBL_SECATTR_MLS_LVL;
1526 secattr->attr.mls.cat =
1527 netlbl_secattr_catmap_alloc(GFP_ATOMIC);
1528 if (secattr->attr.mls.cat == NULL)
1531 ret_val = cipso_v4_map_cat_rng_ntoh(doi_def,
1536 netlbl_secattr_catmap_free(secattr->attr.mls.cat);
1540 secattr->flags |= NETLBL_SECATTR_MLS_CAT;
1547 * cipso_v4_gentag_loc - Generate a CIPSO local tag (non-standard)
1548 * @doi_def: the DOI definition
1549 * @secattr: the security attributes
1550 * @buffer: the option buffer
1551 * @buffer_len: length of buffer in bytes
1554 * Generate a CIPSO option using the local tag. Returns the size of the tag
1555 * on success, negative values on failure.
1558 static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def,
1559 const struct netlbl_lsm_secattr *secattr,
1560 unsigned char *buffer,
1563 if (!(secattr->flags & NETLBL_SECATTR_SECID))
1566 buffer[0] = CIPSO_V4_TAG_LOCAL;
1567 buffer[1] = CIPSO_V4_TAG_LOC_BLEN;
1568 *(u32 *)&buffer[2] = secattr->attr.secid;
1570 return CIPSO_V4_TAG_LOC_BLEN;
1574 * cipso_v4_parsetag_loc - Parse a CIPSO local tag
1575 * @doi_def: the DOI definition
1576 * @tag: the CIPSO tag
1577 * @secattr: the security attributes
1580 * Parse a CIPSO local tag and return the security attributes in @secattr.
1581 * Return zero on success, negatives values on failure.
1584 static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,
1585 const unsigned char *tag,
1586 struct netlbl_lsm_secattr *secattr)
1588 secattr->attr.secid = *(u32 *)&tag[2];
1589 secattr->flags |= NETLBL_SECATTR_SECID;
1595 * cipso_v4_validate - Validate a CIPSO option
1596 * @option: the start of the option, on error it is set to point to the error
1599 * This routine is called to validate a CIPSO option, it checks all of the
1600 * fields to ensure that they are at least valid, see the draft snippet below
1601 * for details. If the option is valid then a zero value is returned and
1602 * the value of @option is unchanged. If the option is invalid then a
1603 * non-zero value is returned and @option is adjusted to point to the
1604 * offending portion of the option. From the IETF draft ...
1606 * "If any field within the CIPSO options, such as the DOI identifier, is not
1607 * recognized the IP datagram is discarded and an ICMP 'parameter problem'
1608 * (type 12) is generated and returned. The ICMP code field is set to 'bad
1609 * parameter' (code 0) and the pointer is set to the start of the CIPSO field
1610 * that is unrecognized."
1613 int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option)
1615 unsigned char *opt = *option;
1617 unsigned char opt_iter;
1618 unsigned char err_offset = 0;
1621 struct cipso_v4_doi *doi_def = NULL;
1624 /* caller already checks for length values that are too large */
1628 goto validate_return;
1632 doi_def = cipso_v4_doi_search(get_unaligned_be32(&opt[2]));
1633 if (doi_def == NULL) {
1635 goto validate_return_locked;
1638 opt_iter = CIPSO_V4_HDR_LEN;
1639 tag = opt + opt_iter;
1640 while (opt_iter < opt_len) {
1641 for (tag_iter = 0; doi_def->tags[tag_iter] != tag[0];)
1642 if (doi_def->tags[tag_iter] == CIPSO_V4_TAG_INVALID ||
1643 ++tag_iter == CIPSO_V4_TAG_MAXCNT) {
1644 err_offset = opt_iter;
1645 goto validate_return_locked;
1649 if (tag_len > (opt_len - opt_iter)) {
1650 err_offset = opt_iter + 1;
1651 goto validate_return_locked;
1655 case CIPSO_V4_TAG_RBITMAP:
1656 if (tag_len < CIPSO_V4_TAG_RBM_BLEN) {
1657 err_offset = opt_iter + 1;
1658 goto validate_return_locked;
1661 /* We are already going to do all the verification
1662 * necessary at the socket layer so from our point of
1663 * view it is safe to turn these checks off (and less
1664 * work), however, the CIPSO draft says we should do
1665 * all the CIPSO validations here but it doesn't
1666 * really specify _exactly_ what we need to validate
1667 * ... so, just make it a sysctl tunable. */
1668 if (cipso_v4_rbm_strictvalid) {
1669 if (cipso_v4_map_lvl_valid(doi_def,
1671 err_offset = opt_iter + 3;
1672 goto validate_return_locked;
1674 if (tag_len > CIPSO_V4_TAG_RBM_BLEN &&
1675 cipso_v4_map_cat_rbm_valid(doi_def,
1678 err_offset = opt_iter + 4;
1679 goto validate_return_locked;
1683 case CIPSO_V4_TAG_ENUM:
1684 if (tag_len < CIPSO_V4_TAG_ENUM_BLEN) {
1685 err_offset = opt_iter + 1;
1686 goto validate_return_locked;
1689 if (cipso_v4_map_lvl_valid(doi_def,
1691 err_offset = opt_iter + 3;
1692 goto validate_return_locked;
1694 if (tag_len > CIPSO_V4_TAG_ENUM_BLEN &&
1695 cipso_v4_map_cat_enum_valid(doi_def,
1698 err_offset = opt_iter + 4;
1699 goto validate_return_locked;
1702 case CIPSO_V4_TAG_RANGE:
1703 if (tag_len < CIPSO_V4_TAG_RNG_BLEN) {
1704 err_offset = opt_iter + 1;
1705 goto validate_return_locked;
1708 if (cipso_v4_map_lvl_valid(doi_def,
1710 err_offset = opt_iter + 3;
1711 goto validate_return_locked;
1713 if (tag_len > CIPSO_V4_TAG_RNG_BLEN &&
1714 cipso_v4_map_cat_rng_valid(doi_def,
1717 err_offset = opt_iter + 4;
1718 goto validate_return_locked;
1721 case CIPSO_V4_TAG_LOCAL:
1722 /* This is a non-standard tag that we only allow for
1723 * local connections, so if the incoming interface is
1724 * not the loopback device drop the packet. */
1725 if (!(skb->dev->flags & IFF_LOOPBACK)) {
1726 err_offset = opt_iter;
1727 goto validate_return_locked;
1729 if (tag_len != CIPSO_V4_TAG_LOC_BLEN) {
1730 err_offset = opt_iter + 1;
1731 goto validate_return_locked;
1735 err_offset = opt_iter;
1736 goto validate_return_locked;
1740 opt_iter += tag_len;
1743 validate_return_locked:
1746 *option = opt + err_offset;
1751 * cipso_v4_error - Send the correct reponse for a bad packet
1753 * @error: the error code
1754 * @gateway: CIPSO gateway flag
1757 * Based on the error code given in @error, send an ICMP error message back to
1758 * the originating host. From the IETF draft ...
1760 * "If the contents of the CIPSO [option] are valid but the security label is
1761 * outside of the configured host or port label range, the datagram is
1762 * discarded and an ICMP 'destination unreachable' (type 3) is generated and
1763 * returned. The code field of the ICMP is set to 'communication with
1764 * destination network administratively prohibited' (code 9) or to
1765 * 'communication with destination host administratively prohibited'
1766 * (code 10). The value of the code is dependent on whether the originator
1767 * of the ICMP message is acting as a CIPSO host or a CIPSO gateway. The
1768 * recipient of the ICMP message MUST be able to handle either value. The
1769 * same procedure is performed if a CIPSO [option] can not be added to an
1770 * IP packet because it is too large to fit in the IP options area."
1772 * "If the error is triggered by receipt of an ICMP message, the message is
1773 * discarded and no response is permitted (consistent with general ICMP
1774 * processing rules)."
1777 void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
1779 if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES)
1783 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0);
1785 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0);
1789 * cipso_v4_genopt - Generate a CIPSO option
1790 * @buf: the option buffer
1791 * @buf_len: the size of opt_buf
1792 * @doi_def: the CIPSO DOI to use
1793 * @secattr: the security attributes
1796 * Generate a CIPSO option using the DOI definition and security attributes
1797 * passed to the function. Returns the length of the option on success and
1798 * negative values on failure.
1801 static int cipso_v4_genopt(unsigned char *buf, u32 buf_len,
1802 const struct cipso_v4_doi *doi_def,
1803 const struct netlbl_lsm_secattr *secattr)
1808 if (buf_len <= CIPSO_V4_HDR_LEN)
1811 /* XXX - This code assumes only one tag per CIPSO option which isn't
1812 * really a good assumption to make but since we only support the MAC
1813 * tags right now it is a safe assumption. */
1816 memset(buf, 0, buf_len);
1817 switch (doi_def->tags[iter]) {
1818 case CIPSO_V4_TAG_RBITMAP:
1819 ret_val = cipso_v4_gentag_rbm(doi_def,
1821 &buf[CIPSO_V4_HDR_LEN],
1822 buf_len - CIPSO_V4_HDR_LEN);
1824 case CIPSO_V4_TAG_ENUM:
1825 ret_val = cipso_v4_gentag_enum(doi_def,
1827 &buf[CIPSO_V4_HDR_LEN],
1828 buf_len - CIPSO_V4_HDR_LEN);
1830 case CIPSO_V4_TAG_RANGE:
1831 ret_val = cipso_v4_gentag_rng(doi_def,
1833 &buf[CIPSO_V4_HDR_LEN],
1834 buf_len - CIPSO_V4_HDR_LEN);
1836 case CIPSO_V4_TAG_LOCAL:
1837 ret_val = cipso_v4_gentag_loc(doi_def,
1839 &buf[CIPSO_V4_HDR_LEN],
1840 buf_len - CIPSO_V4_HDR_LEN);
1847 } while (ret_val < 0 &&
1848 iter < CIPSO_V4_TAG_MAXCNT &&
1849 doi_def->tags[iter] != CIPSO_V4_TAG_INVALID);
1852 cipso_v4_gentag_hdr(doi_def, buf, ret_val);
1853 return CIPSO_V4_HDR_LEN + ret_val;
1857 * cipso_v4_sock_setattr - Add a CIPSO option to a socket
1859 * @doi_def: the CIPSO DOI to use
1860 * @secattr: the specific security attributes of the socket
1863 * Set the CIPSO option on the given socket using the DOI definition and
1864 * security attributes passed to the function. This function requires
1865 * exclusive access to @sk, which means it either needs to be in the
1866 * process of being created or locked. Returns zero on success and negative
1867 * values on failure.
1870 int cipso_v4_sock_setattr(struct sock *sk,
1871 const struct cipso_v4_doi *doi_def,
1872 const struct netlbl_lsm_secattr *secattr)
1874 int ret_val = -EPERM;
1875 unsigned char *buf = NULL;
1878 struct ip_options *opt = NULL;
1879 struct inet_sock *sk_inet;
1880 struct inet_connection_sock *sk_conn;
1882 /* In the case of sock_create_lite(), the sock->sk field is not
1883 * defined yet but it is not a problem as the only users of these
1884 * "lite" PF_INET sockets are functions which do an accept() call
1885 * afterwards so we will label the socket as part of the accept(). */
1889 /* We allocate the maximum CIPSO option size here so we are probably
1890 * being a little wasteful, but it makes our life _much_ easier later
1891 * on and after all we are only talking about 40 bytes. */
1892 buf_len = CIPSO_V4_OPT_LEN_MAX;
1893 buf = kmalloc(buf_len, GFP_ATOMIC);
1896 goto socket_setattr_failure;
1899 ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
1901 goto socket_setattr_failure;
1904 /* We can't use ip_options_get() directly because it makes a call to
1905 * ip_options_get_alloc() which allocates memory with GFP_KERNEL and
1906 * we won't always have CAP_NET_RAW even though we _always_ want to
1907 * set the IPOPT_CIPSO option. */
1908 opt_len = (buf_len + 3) & ~3;
1909 opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC);
1912 goto socket_setattr_failure;
1914 memcpy(opt->__data, buf, buf_len);
1915 opt->optlen = opt_len;
1916 opt->cipso = sizeof(struct iphdr);
1920 sk_inet = inet_sk(sk);
1921 if (sk_inet->is_icsk) {
1922 sk_conn = inet_csk(sk);
1924 sk_conn->icsk_ext_hdr_len -= sk_inet->opt->optlen;
1925 sk_conn->icsk_ext_hdr_len += opt->optlen;
1926 sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
1928 opt = xchg(&sk_inet->opt, opt);
1933 socket_setattr_failure:
1940 * cipso_v4_sock_delattr - Delete the CIPSO option from a socket
1944 * Removes the CIPSO option from a socket, if present.
1947 void cipso_v4_sock_delattr(struct sock *sk)
1950 struct ip_options *opt;
1951 struct inet_sock *sk_inet;
1953 sk_inet = inet_sk(sk);
1955 if (opt == NULL || opt->cipso == 0)
1958 if (opt->srr || opt->rr || opt->ts || opt->router_alert) {
1961 unsigned char *cipso_ptr;
1965 cipso_off = opt->cipso - sizeof(struct iphdr);
1966 cipso_ptr = &opt->__data[cipso_off];
1967 cipso_len = cipso_ptr[1];
1969 if (opt->srr > opt->cipso)
1970 opt->srr -= cipso_len;
1971 if (opt->rr > opt->cipso)
1972 opt->rr -= cipso_len;
1973 if (opt->ts > opt->cipso)
1974 opt->ts -= cipso_len;
1975 if (opt->router_alert > opt->cipso)
1976 opt->router_alert -= cipso_len;
1979 memmove(cipso_ptr, cipso_ptr + cipso_len,
1980 opt->optlen - cipso_off - cipso_len);
1982 /* determining the new total option length is tricky because of
1983 * the padding necessary, the only thing i can think to do at
1984 * this point is walk the options one-by-one, skipping the
1985 * padding at the end to determine the actual option size and
1986 * from there we can determine the new total option length */
1989 while (iter < opt->optlen)
1990 if (opt->__data[iter] != IPOPT_NOP) {
1991 iter += opt->__data[iter + 1];
1995 hdr_delta = opt->optlen;
1996 opt->optlen = (optlen_new + 3) & ~3;
1997 hdr_delta -= opt->optlen;
1999 /* only the cipso option was present on the socket so we can
2000 * remove the entire option struct */
2001 sk_inet->opt = NULL;
2002 hdr_delta = opt->optlen;
2006 if (sk_inet->is_icsk && hdr_delta > 0) {
2007 struct inet_connection_sock *sk_conn = inet_csk(sk);
2008 sk_conn->icsk_ext_hdr_len -= hdr_delta;
2009 sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
2014 * cipso_v4_getattr - Helper function for the cipso_v4_*_getattr functions
2015 * @cipso: the CIPSO v4 option
2016 * @secattr: the security attributes
2019 * Inspect @cipso and return the security attributes in @secattr. Returns zero
2020 * on success and negative values on failure.
2023 static int cipso_v4_getattr(const unsigned char *cipso,
2024 struct netlbl_lsm_secattr *secattr)
2026 int ret_val = -ENOMSG;
2028 struct cipso_v4_doi *doi_def;
2030 if (cipso_v4_cache_check(cipso, cipso[1], secattr) == 0)
2033 doi = get_unaligned_be32(&cipso[2]);
2035 doi_def = cipso_v4_doi_search(doi);
2036 if (doi_def == NULL)
2037 goto getattr_return;
2038 /* XXX - This code assumes only one tag per CIPSO option which isn't
2039 * really a good assumption to make but since we only support the MAC
2040 * tags right now it is a safe assumption. */
2042 case CIPSO_V4_TAG_RBITMAP:
2043 ret_val = cipso_v4_parsetag_rbm(doi_def, &cipso[6], secattr);
2045 case CIPSO_V4_TAG_ENUM:
2046 ret_val = cipso_v4_parsetag_enum(doi_def, &cipso[6], secattr);
2048 case CIPSO_V4_TAG_RANGE:
2049 ret_val = cipso_v4_parsetag_rng(doi_def, &cipso[6], secattr);
2051 case CIPSO_V4_TAG_LOCAL:
2052 ret_val = cipso_v4_parsetag_loc(doi_def, &cipso[6], secattr);
2056 secattr->type = NETLBL_NLTYPE_CIPSOV4;
2064 * cipso_v4_sock_getattr - Get the security attributes from a sock
2066 * @secattr: the security attributes
2069 * Query @sk to see if there is a CIPSO option attached to the sock and if
2070 * there is return the CIPSO security attributes in @secattr. This function
2071 * requires that @sk be locked, or privately held, but it does not do any
2072 * locking itself. Returns zero on success and negative values on failure.
2075 int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
2077 struct ip_options *opt;
2079 opt = inet_sk(sk)->opt;
2080 if (opt == NULL || opt->cipso == 0)
2083 return cipso_v4_getattr(opt->__data + opt->cipso - sizeof(struct iphdr),
2088 * cipso_v4_skbuff_setattr - Set the CIPSO option on a packet
2090 * @secattr: the security attributes
2093 * Set the CIPSO option on the given packet based on the security attributes.
2094 * Returns a pointer to the IP header on success and NULL on failure.
2097 int cipso_v4_skbuff_setattr(struct sk_buff *skb,
2098 const struct cipso_v4_doi *doi_def,
2099 const struct netlbl_lsm_secattr *secattr)
2103 struct ip_options *opt = &IPCB(skb)->opt;
2104 unsigned char buf[CIPSO_V4_OPT_LEN_MAX];
2105 u32 buf_len = CIPSO_V4_OPT_LEN_MAX;
2109 ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
2113 opt_len = (buf_len + 3) & ~3;
2115 /* we overwrite any existing options to ensure that we have enough
2116 * room for the CIPSO option, the reason is that we _need_ to guarantee
2117 * that the security label is applied to the packet - we do the same
2118 * thing when using the socket options and it hasn't caused a problem,
2119 * if we need to we can always revisit this choice later */
2121 len_delta = opt_len - opt->optlen;
2122 /* if we don't ensure enough headroom we could panic on the skb_push()
2123 * call below so make sure we have enough, we are also "mangling" the
2124 * packet so we should probably do a copy-on-write call anyway */
2125 ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
2129 if (len_delta > 0) {
2130 /* we assume that the header + opt->optlen have already been
2131 * "pushed" in ip_options_build() or similar */
2133 skb_push(skb, len_delta);
2134 memmove((char *)iph - len_delta, iph, iph->ihl << 2);
2135 skb_reset_network_header(skb);
2137 } else if (len_delta < 0) {
2139 memset(iph + 1, IPOPT_NOP, opt->optlen);
2143 if (opt->optlen > 0)
2144 memset(opt, 0, sizeof(*opt));
2145 opt->optlen = opt_len;
2146 opt->cipso = sizeof(struct iphdr);
2147 opt->is_changed = 1;
2149 /* we have to do the following because we are being called from a
2150 * netfilter hook which means the packet already has had the header
2151 * fields populated and the checksum calculated - yes this means we
2152 * are doing more work than needed but we do it to keep the core
2153 * stack clean and tidy */
2154 memcpy(iph + 1, buf, buf_len);
2155 if (opt_len > buf_len)
2156 memset((char *)(iph + 1) + buf_len, 0, opt_len - buf_len);
2157 if (len_delta != 0) {
2158 iph->ihl = 5 + (opt_len >> 2);
2159 iph->tot_len = htons(skb->len);
2167 * cipso_v4_skbuff_delattr - Delete any CIPSO options from a packet
2171 * Removes any and all CIPSO options from the given packet. Returns zero on
2172 * success, negative values on failure.
2175 int cipso_v4_skbuff_delattr(struct sk_buff *skb)
2179 struct ip_options *opt = &IPCB(skb)->opt;
2180 unsigned char *cipso_ptr;
2182 if (opt->cipso == 0)
2185 /* since we are changing the packet we should make a copy */
2186 ret_val = skb_cow(skb, skb_headroom(skb));
2190 /* the easiest thing to do is just replace the cipso option with noop
2191 * options since we don't change the size of the packet, although we
2192 * still need to recalculate the checksum */
2195 cipso_ptr = (unsigned char *)iph + opt->cipso;
2196 memset(cipso_ptr, IPOPT_NOOP, cipso_ptr[1]);
2198 opt->is_changed = 1;
2206 * cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option
2208 * @secattr: the security attributes
2211 * Parse the given packet's CIPSO option and return the security attributes.
2212 * Returns zero on success and negative values on failure.
2215 int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
2216 struct netlbl_lsm_secattr *secattr)
2218 return cipso_v4_getattr(CIPSO_V4_OPTPTR(skb), secattr);
2226 * cipso_v4_init - Initialize the CIPSO module
2229 * Initialize the CIPSO module and prepare it for use. Returns zero on success
2230 * and negative values on failure.
2233 static int __init cipso_v4_init(void)
2237 ret_val = cipso_v4_cache_init();
2239 panic("Failed to initialize the CIPSO/IPv4 cache (%d)\n",
2245 subsys_initcall(cipso_v4_init);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob