2 * NetLabel Unlabeled Support
4 * This file defines functions for dealing with unlabeled packets for the
5 * NetLabel system. The NetLabel system manages static and dynamic label
6 * mappings for network protocols such as CIPSO and RIPSO.
8 * Author: Paul Moore <paul.moore@hp.com>
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - 2007
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
23 * the GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
31 #include <linux/types.h>
32 #include <linux/rcupdate.h>
33 #include <linux/list.h>
34 #include <linux/spinlock.h>
35 #include <linux/socket.h>
36 #include <linux/string.h>
37 #include <linux/skbuff.h>
38 #include <linux/audit.h>
40 #include <linux/in6.h>
42 #include <linux/ipv6.h>
43 #include <linux/notifier.h>
44 #include <linux/netdevice.h>
45 #include <linux/security.h>
47 #include <net/netlink.h>
48 #include <net/genetlink.h>
51 #include <net/net_namespace.h>
52 #include <net/netlabel.h>
54 #include <asm/atomic.h>
56 #include "netlabel_user.h"
57 #include "netlabel_domainhash.h"
58 #include "netlabel_unlabeled.h"
59 #include "netlabel_mgmt.h"
61 /* NOTE: at present we always use init's network namespace since we don't
62 * presently support different namespaces even though the majority of
63 * the functions in this file are "namespace safe" */
65 /* The unlabeled connection hash table which we use to map network interfaces
66 * and addresses of unlabeled packets to a user specified secid value for the
67 * LSM. The hash table is used to lookup the network interface entry
68 * (struct netlbl_unlhsh_iface) and then the interface entry is used to
69 * lookup an IP address match from an ordered list. If a network interface
70 * match can not be found in the hash table then the default entry
71 * (netlbl_unlhsh_def) is used. The IP address entry list
72 * (struct netlbl_unlhsh_addr) is ordered such that the entries with a
73 * larger netmask come first.
75 struct netlbl_unlhsh_tbl {
76 struct list_head *tbl;
79 struct netlbl_unlhsh_addr4 {
85 struct list_head list;
88 struct netlbl_unlhsh_addr6 {
94 struct list_head list;
97 struct netlbl_unlhsh_iface {
99 struct list_head addr4_list;
100 struct list_head addr6_list;
103 struct list_head list;
107 /* Argument struct for netlbl_unlhsh_walk() */
108 struct netlbl_unlhsh_walk_arg {
109 struct netlink_callback *nl_cb;
114 /* Unlabeled connection hash table */
115 /* updates should be so rare that having one spinlock for the entire
116 * hash table should be okay */
117 static DEFINE_SPINLOCK(netlbl_unlhsh_lock);
118 static struct netlbl_unlhsh_tbl *netlbl_unlhsh = NULL;
119 static struct netlbl_unlhsh_iface *netlbl_unlhsh_def = NULL;
121 /* Accept unlabeled packets flag */
122 static u8 netlabel_unlabel_acceptflg = 0;
124 /* NetLabel Generic NETLINK unlabeled family */
125 static struct genl_family netlbl_unlabel_gnl_family = {
126 .id = GENL_ID_GENERATE,
128 .name = NETLBL_NLTYPE_UNLABELED_NAME,
129 .version = NETLBL_PROTO_VERSION,
130 .maxattr = NLBL_UNLABEL_A_MAX,
133 /* NetLabel Netlink attribute policy */
134 static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
135 [NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
136 [NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY,
137 .len = sizeof(struct in6_addr) },
138 [NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY,
139 .len = sizeof(struct in6_addr) },
140 [NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY,
141 .len = sizeof(struct in_addr) },
142 [NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY,
143 .len = sizeof(struct in_addr) },
144 [NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING,
145 .len = IFNAMSIZ - 1 },
146 [NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY }
150 * Audit Helper Functions
154 * netlbl_unlabel_audit_addr4 - Audit an IPv4 address
155 * @audit_buf: audit buffer
156 * @dev: network interface
158 * @mask: IP address mask
161 * Write the IPv4 address and address mask, if necessary, to @audit_buf.
164 static void netlbl_unlabel_audit_addr4(struct audit_buffer *audit_buf,
166 __be32 addr, __be32 mask)
168 u32 mask_val = ntohl(mask);
171 audit_log_format(audit_buf, " netif=%s", dev);
172 audit_log_format(audit_buf, " src=" NIPQUAD_FMT, NIPQUAD(addr));
173 if (mask_val != 0xffffffff) {
175 while (mask_val > 0) {
179 audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
184 * netlbl_unlabel_audit_addr6 - Audit an IPv6 address
185 * @audit_buf: audit buffer
186 * @dev: network interface
188 * @mask: IP address mask
191 * Write the IPv6 address and address mask, if necessary, to @audit_buf.
194 static void netlbl_unlabel_audit_addr6(struct audit_buffer *audit_buf,
196 const struct in6_addr *addr,
197 const struct in6_addr *mask)
200 audit_log_format(audit_buf, " netif=%s", dev);
201 audit_log_format(audit_buf, " src=" NIP6_FMT, NIP6(*addr));
202 if (ntohl(mask->s6_addr32[3]) != 0xffffffff) {
206 while (ntohl(mask->s6_addr32[++iter]) == 0xffffffff)
208 mask_val = ntohl(mask->s6_addr32[iter]);
209 while (mask_val > 0) {
213 audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
218 * Unlabeled Connection Hash Table Functions
222 * netlbl_unlhsh_free_addr4 - Frees an IPv4 address entry from the hash table
223 * @entry: the entry's RCU field
226 * This function is designed to be used as a callback to the call_rcu()
227 * function so that memory allocated to a hash table address entry can be
231 static void netlbl_unlhsh_free_addr4(struct rcu_head *entry)
233 struct netlbl_unlhsh_addr4 *ptr;
235 ptr = container_of(entry, struct netlbl_unlhsh_addr4, rcu);
239 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
241 * netlbl_unlhsh_free_addr6 - Frees an IPv6 address entry from the hash table
242 * @entry: the entry's RCU field
245 * This function is designed to be used as a callback to the call_rcu()
246 * function so that memory allocated to a hash table address entry can be
250 static void netlbl_unlhsh_free_addr6(struct rcu_head *entry)
252 struct netlbl_unlhsh_addr6 *ptr;
254 ptr = container_of(entry, struct netlbl_unlhsh_addr6, rcu);
260 * netlbl_unlhsh_free_iface - Frees an interface entry from the hash table
261 * @entry: the entry's RCU field
264 * This function is designed to be used as a callback to the call_rcu()
265 * function so that memory allocated to a hash table interface entry can be
266 * released safely. It is important to note that this function does not free
267 * the IPv4 and IPv6 address lists contained as part of an interface entry. It
268 * is up to the rest of the code to make sure an interface entry is only freed
269 * once it's address lists are empty.
272 static void netlbl_unlhsh_free_iface(struct rcu_head *entry)
274 struct netlbl_unlhsh_iface *iface;
275 struct netlbl_unlhsh_addr4 *iter4;
276 struct netlbl_unlhsh_addr4 *tmp4;
277 struct netlbl_unlhsh_addr6 *iter6;
278 struct netlbl_unlhsh_addr6 *tmp6;
280 iface = container_of(entry, struct netlbl_unlhsh_iface, rcu);
282 /* no need for locks here since we are the only one with access to this
285 list_for_each_entry_safe(iter4, tmp4, &iface->addr4_list, list)
287 list_del_rcu(&iter4->list);
290 list_for_each_entry_safe(iter6, tmp6, &iface->addr6_list, list)
292 list_del_rcu(&iter6->list);
299 * netlbl_unlhsh_hash - Hashing function for the hash table
300 * @ifindex: the network interface/device to hash
303 * This is the hashing function for the unlabeled hash table, it returns the
304 * bucket number for the given device/interface. The caller is responsible for
305 * calling the rcu_read_[un]lock() functions.
308 static u32 netlbl_unlhsh_hash(int ifindex)
310 /* this is taken _almost_ directly from
311 * security/selinux/netif.c:sel_netif_hasfn() as they do pretty much
313 return ifindex & (rcu_dereference(netlbl_unlhsh)->size - 1);
317 * netlbl_unlhsh_search_addr4 - Search for a matching IPv4 address entry
318 * @addr: IPv4 address
319 * @iface: the network interface entry
322 * Searches the IPv4 address list of the network interface specified by @iface.
323 * If a matching address entry is found it is returned, otherwise NULL is
324 * returned. The caller is responsible for calling the rcu_read_[un]lock()
328 static struct netlbl_unlhsh_addr4 *netlbl_unlhsh_search_addr4(
330 const struct netlbl_unlhsh_iface *iface)
332 struct netlbl_unlhsh_addr4 *iter;
334 list_for_each_entry_rcu(iter, &iface->addr4_list, list)
335 if (iter->valid && (addr & iter->mask) == iter->addr)
341 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
343 * netlbl_unlhsh_search_addr6 - Search for a matching IPv6 address entry
344 * @addr: IPv6 address
345 * @iface: the network interface entry
348 * Searches the IPv6 address list of the network interface specified by @iface.
349 * If a matching address entry is found it is returned, otherwise NULL is
350 * returned. The caller is responsible for calling the rcu_read_[un]lock()
354 static struct netlbl_unlhsh_addr6 *netlbl_unlhsh_search_addr6(
355 const struct in6_addr *addr,
356 const struct netlbl_unlhsh_iface *iface)
358 struct netlbl_unlhsh_addr6 *iter;
360 list_for_each_entry_rcu(iter, &iface->addr6_list, list)
362 ipv6_masked_addr_cmp(&iter->addr, &iter->mask, addr) == 0)
370 * netlbl_unlhsh_search_iface - Search for a matching interface entry
371 * @ifindex: the network interface
374 * Searches the unlabeled connection hash table and returns a pointer to the
375 * interface entry which matches @ifindex, otherwise NULL is returned. The
376 * caller is responsible for calling the rcu_read_[un]lock() functions.
379 static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex)
382 struct netlbl_unlhsh_iface *iter;
384 bkt = netlbl_unlhsh_hash(ifindex);
385 list_for_each_entry_rcu(iter,
386 &rcu_dereference(netlbl_unlhsh)->tbl[bkt],
388 if (iter->valid && iter->ifindex == ifindex)
395 * netlbl_unlhsh_search_iface_def - Search for a matching interface entry
396 * @ifindex: the network interface
399 * Searches the unlabeled connection hash table and returns a pointer to the
400 * interface entry which matches @ifindex. If an exact match can not be found
401 * and there is a valid default entry, the default entry is returned, otherwise
402 * NULL is returned. The caller is responsible for calling the
403 * rcu_read_[un]lock() functions.
406 static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface_def(int ifindex)
408 struct netlbl_unlhsh_iface *entry;
410 entry = netlbl_unlhsh_search_iface(ifindex);
414 entry = rcu_dereference(netlbl_unlhsh_def);
415 if (entry != NULL && entry->valid)
422 * netlbl_unlhsh_add_addr4 - Add a new IPv4 address entry to the hash table
423 * @iface: the associated interface entry
424 * @addr: IPv4 address in network byte order
425 * @mask: IPv4 address mask in network byte order
426 * @secid: LSM secid value for entry
429 * Add a new address entry into the unlabeled connection hash table using the
430 * interface entry specified by @iface. On success zero is returned, otherwise
431 * a negative value is returned. The caller is responsible for calling the
432 * rcu_read_[un]lock() functions.
435 static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
436 const struct in_addr *addr,
437 const struct in_addr *mask,
440 struct netlbl_unlhsh_addr4 *entry;
441 struct netlbl_unlhsh_addr4 *iter;
443 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
447 entry->addr = addr->s_addr & mask->s_addr;
448 entry->mask = mask->s_addr;
449 entry->secid = secid;
451 INIT_RCU_HEAD(&entry->rcu);
453 spin_lock(&netlbl_unlhsh_lock);
454 iter = netlbl_unlhsh_search_addr4(entry->addr, iface);
456 iter->addr == addr->s_addr && iter->mask == mask->s_addr) {
457 spin_unlock(&netlbl_unlhsh_lock);
461 /* in order to speed up address searches through the list (the common
462 * case) we need to keep the list in order based on the size of the
463 * address mask such that the entry with the widest mask (smallest
464 * numerical value) appears first in the list */
465 list_for_each_entry_rcu(iter, &iface->addr4_list, list)
467 ntohl(entry->mask) > ntohl(iter->mask)) {
468 __list_add_rcu(&entry->list,
471 spin_unlock(&netlbl_unlhsh_lock);
474 list_add_tail_rcu(&entry->list, &iface->addr4_list);
475 spin_unlock(&netlbl_unlhsh_lock);
479 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
481 * netlbl_unlhsh_add_addr6 - Add a new IPv6 address entry to the hash table
482 * @iface: the associated interface entry
483 * @addr: IPv6 address in network byte order
484 * @mask: IPv6 address mask in network byte order
485 * @secid: LSM secid value for entry
488 * Add a new address entry into the unlabeled connection hash table using the
489 * interface entry specified by @iface. On success zero is returned, otherwise
490 * a negative value is returned. The caller is responsible for calling the
491 * rcu_read_[un]lock() functions.
494 static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
495 const struct in6_addr *addr,
496 const struct in6_addr *mask,
499 struct netlbl_unlhsh_addr6 *entry;
500 struct netlbl_unlhsh_addr6 *iter;
502 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
506 ipv6_addr_copy(&entry->addr, addr);
507 entry->addr.s6_addr32[0] &= mask->s6_addr32[0];
508 entry->addr.s6_addr32[1] &= mask->s6_addr32[1];
509 entry->addr.s6_addr32[2] &= mask->s6_addr32[2];
510 entry->addr.s6_addr32[3] &= mask->s6_addr32[3];
511 ipv6_addr_copy(&entry->mask, mask);
512 entry->secid = secid;
514 INIT_RCU_HEAD(&entry->rcu);
516 spin_lock(&netlbl_unlhsh_lock);
517 iter = netlbl_unlhsh_search_addr6(&entry->addr, iface);
519 (ipv6_addr_equal(&iter->addr, addr) &&
520 ipv6_addr_equal(&iter->mask, mask))) {
521 spin_unlock(&netlbl_unlhsh_lock);
525 /* in order to speed up address searches through the list (the common
526 * case) we need to keep the list in order based on the size of the
527 * address mask such that the entry with the widest mask (smallest
528 * numerical value) appears first in the list */
529 list_for_each_entry_rcu(iter, &iface->addr6_list, list)
531 ipv6_addr_cmp(&entry->mask, &iter->mask) > 0) {
532 __list_add_rcu(&entry->list,
535 spin_unlock(&netlbl_unlhsh_lock);
538 list_add_tail_rcu(&entry->list, &iface->addr6_list);
539 spin_unlock(&netlbl_unlhsh_lock);
545 * netlbl_unlhsh_add_iface - Adds a new interface entry to the hash table
546 * @ifindex: network interface
549 * Add a new, empty, interface entry into the unlabeled connection hash table.
550 * On success a pointer to the new interface entry is returned, on failure NULL
551 * is returned. The caller is responsible for calling the rcu_read_[un]lock()
555 static struct netlbl_unlhsh_iface *netlbl_unlhsh_add_iface(int ifindex)
558 struct netlbl_unlhsh_iface *iface;
560 iface = kzalloc(sizeof(*iface), GFP_ATOMIC);
564 iface->ifindex = ifindex;
565 INIT_LIST_HEAD(&iface->addr4_list);
566 INIT_LIST_HEAD(&iface->addr6_list);
568 INIT_RCU_HEAD(&iface->rcu);
570 spin_lock(&netlbl_unlhsh_lock);
572 bkt = netlbl_unlhsh_hash(ifindex);
573 if (netlbl_unlhsh_search_iface(ifindex) != NULL)
574 goto add_iface_failure;
575 list_add_tail_rcu(&iface->list,
576 &rcu_dereference(netlbl_unlhsh)->tbl[bkt]);
578 INIT_LIST_HEAD(&iface->list);
579 if (rcu_dereference(netlbl_unlhsh_def) != NULL)
580 goto add_iface_failure;
581 rcu_assign_pointer(netlbl_unlhsh_def, iface);
583 spin_unlock(&netlbl_unlhsh_lock);
588 spin_unlock(&netlbl_unlhsh_lock);
594 * netlbl_unlhsh_add - Adds a new entry to the unlabeled connection hash table
595 * @net: network namespace
596 * @dev_name: interface name
597 * @addr: IP address in network byte order
598 * @mask: address mask in network byte order
599 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
600 * @secid: LSM secid value for the entry
601 * @audit_info: NetLabel audit information
604 * Adds a new entry to the unlabeled connection hash table. Returns zero on
605 * success, negative values on failure.
608 static int netlbl_unlhsh_add(struct net *net,
609 const char *dev_name,
614 struct netlbl_audit *audit_info)
618 struct net_device *dev;
619 struct netlbl_unlhsh_iface *iface;
620 struct in_addr *addr4, *mask4;
621 struct in6_addr *addr6, *mask6;
622 struct audit_buffer *audit_buf = NULL;
626 if (addr_len != sizeof(struct in_addr) &&
627 addr_len != sizeof(struct in6_addr))
631 if (dev_name != NULL) {
632 dev = dev_get_by_name(net, dev_name);
635 goto unlhsh_add_return;
637 ifindex = dev->ifindex;
639 iface = netlbl_unlhsh_search_iface(ifindex);
642 iface = rcu_dereference(netlbl_unlhsh_def);
645 iface = netlbl_unlhsh_add_iface(ifindex);
648 goto unlhsh_add_return;
651 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
654 case sizeof(struct in_addr):
655 addr4 = (struct in_addr *)addr;
656 mask4 = (struct in_addr *)mask;
657 ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
658 if (audit_buf != NULL)
659 netlbl_unlabel_audit_addr4(audit_buf,
664 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
665 case sizeof(struct in6_addr):
666 addr6 = (struct in6_addr *)addr;
667 mask6 = (struct in6_addr *)mask;
668 ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
669 if (audit_buf != NULL)
670 netlbl_unlabel_audit_addr6(audit_buf,
679 atomic_inc(&netlabel_mgmt_protocount);
683 if (audit_buf != NULL) {
684 if (security_secid_to_secctx(secid,
687 audit_log_format(audit_buf, " sec_obj=%s", secctx);
688 security_release_secctx(secctx, secctx_len);
690 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
691 audit_log_end(audit_buf);
697 * netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry
698 * @net: network namespace
699 * @iface: interface entry
701 * @mask: IP address mask
702 * @audit_info: NetLabel audit information
705 * Remove an IP address entry from the unlabeled connection hash table.
706 * Returns zero on success, negative values on failure. The caller is
707 * responsible for calling the rcu_read_[un]lock() functions.
710 static int netlbl_unlhsh_remove_addr4(struct net *net,
711 struct netlbl_unlhsh_iface *iface,
712 const struct in_addr *addr,
713 const struct in_addr *mask,
714 struct netlbl_audit *audit_info)
716 int ret_val = -ENOENT;
717 struct netlbl_unlhsh_addr4 *entry;
718 struct audit_buffer *audit_buf = NULL;
719 struct net_device *dev;
723 spin_lock(&netlbl_unlhsh_lock);
724 entry = netlbl_unlhsh_search_addr4(addr->s_addr, iface);
726 entry->addr == addr->s_addr && entry->mask == mask->s_addr) {
728 list_del_rcu(&entry->list);
731 spin_unlock(&netlbl_unlhsh_lock);
733 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
735 if (audit_buf != NULL) {
736 dev = dev_get_by_index(net, iface->ifindex);
737 netlbl_unlabel_audit_addr4(audit_buf,
738 (dev != NULL ? dev->name : NULL),
739 entry->addr, entry->mask);
742 if (security_secid_to_secctx(entry->secid,
745 audit_log_format(audit_buf, " sec_obj=%s", secctx);
746 security_release_secctx(secctx, secctx_len);
748 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
749 audit_log_end(audit_buf);
753 call_rcu(&entry->rcu, netlbl_unlhsh_free_addr4);
757 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
759 * netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry
760 * @net: network namespace
761 * @iface: interface entry
763 * @mask: IP address mask
764 * @audit_info: NetLabel audit information
767 * Remove an IP address entry from the unlabeled connection hash table.
768 * Returns zero on success, negative values on failure. The caller is
769 * responsible for calling the rcu_read_[un]lock() functions.
772 static int netlbl_unlhsh_remove_addr6(struct net *net,
773 struct netlbl_unlhsh_iface *iface,
774 const struct in6_addr *addr,
775 const struct in6_addr *mask,
776 struct netlbl_audit *audit_info)
778 int ret_val = -ENOENT;
779 struct netlbl_unlhsh_addr6 *entry;
780 struct audit_buffer *audit_buf = NULL;
781 struct net_device *dev;
785 spin_lock(&netlbl_unlhsh_lock);
786 entry = netlbl_unlhsh_search_addr6(addr, iface);
788 (ipv6_addr_equal(&entry->addr, addr) &&
789 ipv6_addr_equal(&entry->mask, mask))) {
791 list_del_rcu(&entry->list);
794 spin_unlock(&netlbl_unlhsh_lock);
796 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
798 if (audit_buf != NULL) {
799 dev = dev_get_by_index(net, iface->ifindex);
800 netlbl_unlabel_audit_addr6(audit_buf,
801 (dev != NULL ? dev->name : NULL),
805 if (security_secid_to_secctx(entry->secid,
808 audit_log_format(audit_buf, " sec_obj=%s", secctx);
809 security_release_secctx(secctx, secctx_len);
811 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
812 audit_log_end(audit_buf);
816 call_rcu(&entry->rcu, netlbl_unlhsh_free_addr6);
822 * netlbl_unlhsh_condremove_iface - Remove an interface entry
823 * @iface: the interface entry
826 * Remove an interface entry from the unlabeled connection hash table if it is
827 * empty. An interface entry is considered to be empty if there are no
828 * address entries assigned to it.
831 static void netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface *iface)
833 struct netlbl_unlhsh_addr4 *iter4;
834 struct netlbl_unlhsh_addr6 *iter6;
836 spin_lock(&netlbl_unlhsh_lock);
837 list_for_each_entry_rcu(iter4, &iface->addr4_list, list)
839 goto unlhsh_condremove_failure;
840 list_for_each_entry_rcu(iter6, &iface->addr6_list, list)
842 goto unlhsh_condremove_failure;
844 if (iface->ifindex > 0)
845 list_del_rcu(&iface->list);
847 rcu_assign_pointer(netlbl_unlhsh_def, NULL);
848 spin_unlock(&netlbl_unlhsh_lock);
850 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
853 unlhsh_condremove_failure:
854 spin_unlock(&netlbl_unlhsh_lock);
859 * netlbl_unlhsh_remove - Remove an entry from the unlabeled hash table
860 * @net: network namespace
861 * @dev_name: interface name
862 * @addr: IP address in network byte order
863 * @mask: address mask in network byte order
864 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
865 * @audit_info: NetLabel audit information
868 * Removes and existing entry from the unlabeled connection hash table.
869 * Returns zero on success, negative values on failure.
872 static int netlbl_unlhsh_remove(struct net *net,
873 const char *dev_name,
877 struct netlbl_audit *audit_info)
880 struct net_device *dev;
881 struct netlbl_unlhsh_iface *iface;
883 if (addr_len != sizeof(struct in_addr) &&
884 addr_len != sizeof(struct in6_addr))
888 if (dev_name != NULL) {
889 dev = dev_get_by_name(net, dev_name);
892 goto unlhsh_remove_return;
894 iface = netlbl_unlhsh_search_iface(dev->ifindex);
897 iface = rcu_dereference(netlbl_unlhsh_def);
900 goto unlhsh_remove_return;
903 case sizeof(struct in_addr):
904 ret_val = netlbl_unlhsh_remove_addr4(net,
908 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
909 case sizeof(struct in6_addr):
910 ret_val = netlbl_unlhsh_remove_addr6(net,
919 netlbl_unlhsh_condremove_iface(iface);
920 atomic_dec(&netlabel_mgmt_protocount);
923 unlhsh_remove_return:
929 * General Helper Functions
933 * netlbl_unlhsh_netdev_handler - Network device notification handler
934 * @this: notifier block
936 * @ptr: the network device (cast to void)
939 * Handle network device events, although at present all we care about is a
940 * network device going away. In the case of a device going away we clear any
941 * related entries from the unlabeled connection hash table.
944 static int netlbl_unlhsh_netdev_handler(struct notifier_block *this,
948 struct net_device *dev = ptr;
949 struct netlbl_unlhsh_iface *iface = NULL;
951 if (dev->nd_net != &init_net)
954 /* XXX - should this be a check for NETDEV_DOWN or _UNREGISTER? */
955 if (event == NETDEV_DOWN) {
956 spin_lock(&netlbl_unlhsh_lock);
957 iface = netlbl_unlhsh_search_iface(dev->ifindex);
958 if (iface != NULL && iface->valid) {
960 list_del_rcu(&iface->list);
963 spin_unlock(&netlbl_unlhsh_lock);
967 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
973 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
974 * @value: desired value
975 * @audit_info: NetLabel audit information
978 * Set the value of the unlabeled accept flag to @value.
981 static void netlbl_unlabel_acceptflg_set(u8 value,
982 struct netlbl_audit *audit_info)
984 struct audit_buffer *audit_buf;
987 old_val = netlabel_unlabel_acceptflg;
988 netlabel_unlabel_acceptflg = value;
989 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
991 if (audit_buf != NULL) {
992 audit_log_format(audit_buf,
993 " unlbl_accept=%u old=%u", value, old_val);
994 audit_log_end(audit_buf);
999 * netlbl_unlabel_addrinfo_get - Get the IPv4/6 address information
1000 * @info: the Generic NETLINK info block
1001 * @addr: the IP address
1002 * @mask: the IP address mask
1003 * @len: the address length
1006 * Examine the Generic NETLINK message and extract the IP address information.
1007 * Returns zero on success, negative values on failure.
1010 static int netlbl_unlabel_addrinfo_get(struct genl_info *info,
1017 if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR]) {
1018 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
1019 if (addr_len != sizeof(struct in_addr) &&
1020 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK]))
1023 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
1024 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4MASK]);
1026 } else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR]) {
1027 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
1028 if (addr_len != sizeof(struct in6_addr) &&
1029 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV6MASK]))
1032 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
1033 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6MASK]);
1041 * NetLabel Command Handlers
1045 * netlbl_unlabel_accept - Handle an ACCEPT message
1046 * @skb: the NETLINK buffer
1047 * @info: the Generic NETLINK info block
1050 * Process a user generated ACCEPT message and set the accept flag accordingly.
1051 * Returns zero on success, negative values on failure.
1054 static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
1057 struct netlbl_audit audit_info;
1059 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
1060 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
1061 if (value == 1 || value == 0) {
1062 netlbl_netlink_auditinfo(skb, &audit_info);
1063 netlbl_unlabel_acceptflg_set(value, &audit_info);
1072 * netlbl_unlabel_list - Handle a LIST message
1073 * @skb: the NETLINK buffer
1074 * @info: the Generic NETLINK info block
1077 * Process a user generated LIST message and respond with the current status.
1078 * Returns zero on success, negative values on failure.
1081 static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
1083 int ret_val = -EINVAL;
1084 struct sk_buff *ans_skb;
1087 ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1088 if (ans_skb == NULL)
1090 data = genlmsg_put_reply(ans_skb, info, &netlbl_unlabel_gnl_family,
1091 0, NLBL_UNLABEL_C_LIST);
1097 ret_val = nla_put_u8(ans_skb,
1098 NLBL_UNLABEL_A_ACPTFLG,
1099 netlabel_unlabel_acceptflg);
1103 genlmsg_end(ans_skb, data);
1105 ret_val = genlmsg_reply(ans_skb, info);
1116 * netlbl_unlabel_staticadd - Handle a STATICADD message
1117 * @skb: the NETLINK buffer
1118 * @info: the Generic NETLINK info block
1121 * Process a user generated STATICADD message and add a new unlabeled
1122 * connection entry to the hash table. Returns zero on success, negative
1123 * values on failure.
1126 static int netlbl_unlabel_staticadd(struct sk_buff *skb,
1127 struct genl_info *info)
1135 struct netlbl_audit audit_info;
1137 /* Don't allow users to add both IPv4 and IPv6 addresses for a
1138 * single entry. However, allow users to create two entries, one each
1139 * for IPv4 and IPv4, with the same LSM security context which should
1140 * achieve the same result. */
1141 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
1142 !info->attrs[NLBL_UNLABEL_A_IFACE] ||
1143 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1144 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1145 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1146 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1149 netlbl_netlink_auditinfo(skb, &audit_info);
1151 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1154 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
1155 ret_val = security_secctx_to_secid(
1156 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
1157 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
1162 return netlbl_unlhsh_add(&init_net,
1163 dev_name, addr, mask, addr_len, secid,
1168 * netlbl_unlabel_staticadddef - Handle a STATICADDDEF message
1169 * @skb: the NETLINK buffer
1170 * @info: the Generic NETLINK info block
1173 * Process a user generated STATICADDDEF message and add a new default
1174 * unlabeled connection entry. Returns zero on success, negative values on
1178 static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
1179 struct genl_info *info)
1186 struct netlbl_audit audit_info;
1188 /* Don't allow users to add both IPv4 and IPv6 addresses for a
1189 * single entry. However, allow users to create two entries, one each
1190 * for IPv4 and IPv6, with the same LSM security context which should
1191 * achieve the same result. */
1192 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
1193 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1194 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1195 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1196 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1199 netlbl_netlink_auditinfo(skb, &audit_info);
1201 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1204 ret_val = security_secctx_to_secid(
1205 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
1206 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
1211 return netlbl_unlhsh_add(&init_net,
1212 NULL, addr, mask, addr_len, secid,
1217 * netlbl_unlabel_staticremove - Handle a STATICREMOVE message
1218 * @skb: the NETLINK buffer
1219 * @info: the Generic NETLINK info block
1222 * Process a user generated STATICREMOVE message and remove the specified
1223 * unlabeled connection entry. Returns zero on success, negative values on
1227 static int netlbl_unlabel_staticremove(struct sk_buff *skb,
1228 struct genl_info *info)
1235 struct netlbl_audit audit_info;
1237 /* See the note in netlbl_unlabel_staticadd() about not allowing both
1238 * IPv4 and IPv6 in the same entry. */
1239 if (!info->attrs[NLBL_UNLABEL_A_IFACE] ||
1240 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1241 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1242 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1243 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1246 netlbl_netlink_auditinfo(skb, &audit_info);
1248 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1251 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
1253 return netlbl_unlhsh_remove(&init_net,
1254 dev_name, addr, mask, addr_len,
1259 * netlbl_unlabel_staticremovedef - Handle a STATICREMOVEDEF message
1260 * @skb: the NETLINK buffer
1261 * @info: the Generic NETLINK info block
1264 * Process a user generated STATICREMOVEDEF message and remove the default
1265 * unlabeled connection entry. Returns zero on success, negative values on
1269 static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
1270 struct genl_info *info)
1276 struct netlbl_audit audit_info;
1278 /* See the note in netlbl_unlabel_staticadd() about not allowing both
1279 * IPv4 and IPv6 in the same entry. */
1280 if (!((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1281 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1282 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1283 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1286 netlbl_netlink_auditinfo(skb, &audit_info);
1288 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1292 return netlbl_unlhsh_remove(&init_net,
1293 NULL, addr, mask, addr_len,
1299 * netlbl_unlabel_staticlist_gen - Generate messages for STATICLIST[DEF]
1300 * @cmd: command/message
1301 * @iface: the interface entry
1302 * @addr4: the IPv4 address entry
1303 * @addr6: the IPv6 address entry
1304 * @arg: the netlbl_unlhsh_walk_arg structure
1307 * This function is designed to be used to generate a response for a
1308 * STATICLIST or STATICLISTDEF message. When called either @addr4 or @addr6
1309 * can be specified, not both, the other unspecified entry should be set to
1310 * NULL by the caller. Returns the size of the message on success, negative
1311 * values on failure.
1314 static int netlbl_unlabel_staticlist_gen(u32 cmd,
1315 const struct netlbl_unlhsh_iface *iface,
1316 const struct netlbl_unlhsh_addr4 *addr4,
1317 const struct netlbl_unlhsh_addr6 *addr6,
1320 int ret_val = -ENOMEM;
1321 struct netlbl_unlhsh_walk_arg *cb_arg = arg;
1322 struct net_device *dev;
1328 data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).pid,
1329 cb_arg->seq, &netlbl_unlabel_gnl_family,
1332 goto list_cb_failure;
1334 if (iface->ifindex > 0) {
1335 dev = dev_get_by_index(&init_net, iface->ifindex);
1336 ret_val = nla_put_string(cb_arg->skb,
1337 NLBL_UNLABEL_A_IFACE, dev->name);
1340 goto list_cb_failure;
1344 struct in_addr addr_struct;
1346 addr_struct.s_addr = addr4->addr;
1347 ret_val = nla_put(cb_arg->skb,
1348 NLBL_UNLABEL_A_IPV4ADDR,
1349 sizeof(struct in_addr),
1352 goto list_cb_failure;
1354 addr_struct.s_addr = addr4->mask;
1355 ret_val = nla_put(cb_arg->skb,
1356 NLBL_UNLABEL_A_IPV4MASK,
1357 sizeof(struct in_addr),
1360 goto list_cb_failure;
1362 secid = addr4->secid;
1364 ret_val = nla_put(cb_arg->skb,
1365 NLBL_UNLABEL_A_IPV6ADDR,
1366 sizeof(struct in6_addr),
1369 goto list_cb_failure;
1371 ret_val = nla_put(cb_arg->skb,
1372 NLBL_UNLABEL_A_IPV6MASK,
1373 sizeof(struct in6_addr),
1376 goto list_cb_failure;
1378 secid = addr6->secid;
1381 ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
1383 goto list_cb_failure;
1384 ret_val = nla_put(cb_arg->skb,
1385 NLBL_UNLABEL_A_SECCTX,
1388 security_release_secctx(secctx, secctx_len);
1390 goto list_cb_failure;
1393 return genlmsg_end(cb_arg->skb, data);
1396 genlmsg_cancel(cb_arg->skb, data);
1401 * netlbl_unlabel_staticlist - Handle a STATICLIST message
1402 * @skb: the NETLINK buffer
1403 * @cb: the NETLINK callback
1406 * Process a user generated STATICLIST message and dump the unlabeled
1407 * connection hash table in a form suitable for use in a kernel generated
1408 * STATICLIST message. Returns the length of @skb.
1411 static int netlbl_unlabel_staticlist(struct sk_buff *skb,
1412 struct netlink_callback *cb)
1414 struct netlbl_unlhsh_walk_arg cb_arg;
1415 u32 skip_bkt = cb->args[0];
1416 u32 skip_chain = cb->args[1];
1417 u32 skip_addr4 = cb->args[2];
1418 u32 skip_addr6 = cb->args[3];
1420 u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
1421 struct netlbl_unlhsh_iface *iface;
1422 struct netlbl_unlhsh_addr4 *addr4;
1423 struct netlbl_unlhsh_addr6 *addr6;
1427 cb_arg.seq = cb->nlh->nlmsg_seq;
1430 for (iter_bkt = skip_bkt;
1431 iter_bkt < rcu_dereference(netlbl_unlhsh)->size;
1432 iter_bkt++, iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0) {
1433 list_for_each_entry_rcu(iface,
1434 &rcu_dereference(netlbl_unlhsh)->tbl[iter_bkt],
1436 if (!iface->valid ||
1437 iter_chain++ < skip_chain)
1439 list_for_each_entry_rcu(addr4,
1442 if (!addr4->valid || iter_addr4++ < skip_addr4)
1444 if (netlbl_unlabel_staticlist_gen(
1445 NLBL_UNLABEL_C_STATICLIST,
1452 goto unlabel_staticlist_return;
1455 list_for_each_entry_rcu(addr6,
1458 if (!addr6->valid || iter_addr6++ < skip_addr6)
1460 if (netlbl_unlabel_staticlist_gen(
1461 NLBL_UNLABEL_C_STATICLIST,
1468 goto unlabel_staticlist_return;
1474 unlabel_staticlist_return:
1476 cb->args[0] = skip_bkt;
1477 cb->args[1] = skip_chain;
1478 cb->args[2] = skip_addr4;
1479 cb->args[3] = skip_addr6;
1484 * netlbl_unlabel_staticlistdef - Handle a STATICLISTDEF message
1485 * @skb: the NETLINK buffer
1486 * @cb: the NETLINK callback
1489 * Process a user generated STATICLISTDEF message and dump the default
1490 * unlabeled connection entry in a form suitable for use in a kernel generated
1491 * STATICLISTDEF message. Returns the length of @skb.
1494 static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
1495 struct netlink_callback *cb)
1497 struct netlbl_unlhsh_walk_arg cb_arg;
1498 struct netlbl_unlhsh_iface *iface;
1499 u32 skip_addr4 = cb->args[0];
1500 u32 skip_addr6 = cb->args[1];
1501 u32 iter_addr4 = 0, iter_addr6 = 0;
1502 struct netlbl_unlhsh_addr4 *addr4;
1503 struct netlbl_unlhsh_addr6 *addr6;
1507 cb_arg.seq = cb->nlh->nlmsg_seq;
1510 iface = rcu_dereference(netlbl_unlhsh_def);
1511 if (iface == NULL || !iface->valid)
1512 goto unlabel_staticlistdef_return;
1514 list_for_each_entry_rcu(addr4, &iface->addr4_list, list) {
1515 if (!addr4->valid || iter_addr4++ < skip_addr4)
1517 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
1523 goto unlabel_staticlistdef_return;
1526 list_for_each_entry_rcu(addr6, &iface->addr6_list, list) {
1527 if (addr6->valid || iter_addr6++ < skip_addr6)
1529 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
1535 goto unlabel_staticlistdef_return;
1539 unlabel_staticlistdef_return:
1541 cb->args[0] = skip_addr4;
1542 cb->args[1] = skip_addr6;
1547 * NetLabel Generic NETLINK Command Definitions
1550 static struct genl_ops netlbl_unlabel_genl_c_staticadd = {
1551 .cmd = NLBL_UNLABEL_C_STATICADD,
1552 .flags = GENL_ADMIN_PERM,
1553 .policy = netlbl_unlabel_genl_policy,
1554 .doit = netlbl_unlabel_staticadd,
1558 static struct genl_ops netlbl_unlabel_genl_c_staticremove = {
1559 .cmd = NLBL_UNLABEL_C_STATICREMOVE,
1560 .flags = GENL_ADMIN_PERM,
1561 .policy = netlbl_unlabel_genl_policy,
1562 .doit = netlbl_unlabel_staticremove,
1566 static struct genl_ops netlbl_unlabel_genl_c_staticlist = {
1567 .cmd = NLBL_UNLABEL_C_STATICLIST,
1569 .policy = netlbl_unlabel_genl_policy,
1571 .dumpit = netlbl_unlabel_staticlist,
1574 static struct genl_ops netlbl_unlabel_genl_c_staticadddef = {
1575 .cmd = NLBL_UNLABEL_C_STATICADDDEF,
1576 .flags = GENL_ADMIN_PERM,
1577 .policy = netlbl_unlabel_genl_policy,
1578 .doit = netlbl_unlabel_staticadddef,
1582 static struct genl_ops netlbl_unlabel_genl_c_staticremovedef = {
1583 .cmd = NLBL_UNLABEL_C_STATICREMOVEDEF,
1584 .flags = GENL_ADMIN_PERM,
1585 .policy = netlbl_unlabel_genl_policy,
1586 .doit = netlbl_unlabel_staticremovedef,
1590 static struct genl_ops netlbl_unlabel_genl_c_staticlistdef = {
1591 .cmd = NLBL_UNLABEL_C_STATICLISTDEF,
1593 .policy = netlbl_unlabel_genl_policy,
1595 .dumpit = netlbl_unlabel_staticlistdef,
1598 static struct genl_ops netlbl_unlabel_genl_c_accept = {
1599 .cmd = NLBL_UNLABEL_C_ACCEPT,
1600 .flags = GENL_ADMIN_PERM,
1601 .policy = netlbl_unlabel_genl_policy,
1602 .doit = netlbl_unlabel_accept,
1606 static struct genl_ops netlbl_unlabel_genl_c_list = {
1607 .cmd = NLBL_UNLABEL_C_LIST,
1609 .policy = netlbl_unlabel_genl_policy,
1610 .doit = netlbl_unlabel_list,
1615 * NetLabel Generic NETLINK Protocol Functions
1619 * netlbl_unlabel_genl_init - Register the Unlabeled NetLabel component
1622 * Register the unlabeled packet NetLabel component with the Generic NETLINK
1623 * mechanism. Returns zero on success, negative values on failure.
1626 int netlbl_unlabel_genl_init(void)
1630 ret_val = genl_register_family(&netlbl_unlabel_gnl_family);
1634 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
1635 &netlbl_unlabel_genl_c_staticadd);
1639 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
1640 &netlbl_unlabel_genl_c_staticremove);
1644 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
1645 &netlbl_unlabel_genl_c_staticlist);
1649 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
1650 &netlbl_unlabel_genl_c_staticadddef);
1654 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
1655 &netlbl_unlabel_genl_c_staticremovedef);
1659 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
1660 &netlbl_unlabel_genl_c_staticlistdef);
1664 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
1665 &netlbl_unlabel_genl_c_accept);
1669 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
1670 &netlbl_unlabel_genl_c_list);
1678 * NetLabel KAPI Hooks
1681 static struct notifier_block netlbl_unlhsh_netdev_notifier = {
1682 .notifier_call = netlbl_unlhsh_netdev_handler,
1686 * netlbl_unlabel_init - Initialize the unlabeled connection hash table
1687 * @size: the number of bits to use for the hash buckets
1690 * Initializes the unlabeled connection hash table and registers a network
1691 * device notification handler. This function should only be called by the
1692 * NetLabel subsystem itself during initialization. Returns zero on success,
1693 * non-zero values on error.
1696 int netlbl_unlabel_init(u32 size)
1699 struct netlbl_unlhsh_tbl *hsh_tbl;
1704 hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL);
1705 if (hsh_tbl == NULL)
1707 hsh_tbl->size = 1 << size;
1708 hsh_tbl->tbl = kcalloc(hsh_tbl->size,
1709 sizeof(struct list_head),
1711 if (hsh_tbl->tbl == NULL) {
1715 for (iter = 0; iter < hsh_tbl->size; iter++)
1716 INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);
1719 spin_lock(&netlbl_unlhsh_lock);
1720 rcu_assign_pointer(netlbl_unlhsh, hsh_tbl);
1721 spin_unlock(&netlbl_unlhsh_lock);
1724 register_netdevice_notifier(&netlbl_unlhsh_netdev_notifier);
1730 * netlbl_unlabel_getattr - Get the security attributes for an unlabled packet
1732 * @family: protocol family
1733 * @secattr: the security attributes
1736 * Determine the security attributes, if any, for an unlabled packet and return
1737 * them in @secattr. Returns zero on success and negative values on failure.
1740 int netlbl_unlabel_getattr(const struct sk_buff *skb,
1742 struct netlbl_lsm_secattr *secattr)
1745 struct ipv6hdr *hdr6;
1746 struct netlbl_unlhsh_addr4 *addr4;
1747 struct netlbl_unlhsh_addr6 *addr6;
1748 struct netlbl_unlhsh_iface *iface;
1751 iface = netlbl_unlhsh_search_iface_def(skb->iif);
1753 goto unlabel_getattr_nolabel;
1757 addr4 = netlbl_unlhsh_search_addr4(hdr4->saddr, iface);
1759 goto unlabel_getattr_nolabel;
1760 secattr->attr.secid = addr4->secid;
1762 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1764 hdr6 = ipv6_hdr(skb);
1765 addr6 = netlbl_unlhsh_search_addr6(&hdr6->saddr, iface);
1767 goto unlabel_getattr_nolabel;
1768 secattr->attr.secid = addr6->secid;
1772 goto unlabel_getattr_nolabel;
1776 secattr->flags |= NETLBL_SECATTR_SECID;
1777 secattr->type = NETLBL_NLTYPE_UNLABELED;
1780 unlabel_getattr_nolabel:
1782 if (netlabel_unlabel_acceptflg == 0)
1784 secattr->type = NETLBL_NLTYPE_UNLABELED;
1789 * netlbl_unlabel_defconf - Set the default config to allow unlabeled packets
1792 * Set the default NetLabel configuration to allow incoming unlabeled packets
1793 * and to send unlabeled network traffic by default.
1796 int netlbl_unlabel_defconf(void)
1799 struct netlbl_dom_map *entry;
1800 struct netlbl_audit audit_info;
1802 /* Only the kernel is allowed to call this function and the only time
1803 * it is called is at bootup before the audit subsystem is reporting
1804 * messages so don't worry to much about these values. */
1805 security_task_getsecid(current, &audit_info.secid);
1806 audit_info.loginuid = 0;
1808 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1811 entry->type = NETLBL_NLTYPE_UNLABELED;
1812 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
1816 netlbl_unlabel_acceptflg_set(1, &audit_info);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob