~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/netlabel/netlabel_cipso_v4.c

Version: ~ [ linux-5.11-rc3 ] ~ [ linux-5.10.7 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.89 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.167 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.215 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.251 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.251 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * NetLabel CIPSO/IPv4 Support
  3  *
  4  * This file defines the CIPSO/IPv4 functions for the NetLabel system.  The
  5  * NetLabel system manages static and dynamic label mappings for network
  6  * protocols such as CIPSO and RIPSO.
  7  *
  8  * Author: Paul Moore <paul@paul-moore.com>
  9  *
 10  */
 11 
 12 /*
 13  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 14  *
 15  * This program is free software;  you can redistribute it and/or modify
 16  * it under the terms of the GNU General Public License as published by
 17  * the Free Software Foundation; either version 2 of the License, or
 18  * (at your option) any later version.
 19  *
 20  * This program is distributed in the hope that it will be useful,
 21  * but WITHOUT ANY WARRANTY;  without even the implied warranty of
 22  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 23  * the GNU General Public License for more details.
 24  *
 25  * You should have received a copy of the GNU General Public License
 26  * along with this program;  if not, write to the Free Software
 27  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 28  *
 29  */
 30 
 31 #include <linux/types.h>
 32 #include <linux/socket.h>
 33 #include <linux/string.h>
 34 #include <linux/skbuff.h>
 35 #include <linux/audit.h>
 36 #include <linux/slab.h>
 37 #include <net/sock.h>
 38 #include <net/netlink.h>
 39 #include <net/genetlink.h>
 40 #include <net/netlabel.h>
 41 #include <net/cipso_ipv4.h>
 42 #include <linux/atomic.h>
 43 
 44 #include "netlabel_user.h"
 45 #include "netlabel_cipso_v4.h"
 46 #include "netlabel_mgmt.h"
 47 #include "netlabel_domainhash.h"
 48 
 49 /* Argument struct for cipso_v4_doi_walk() */
 50 struct netlbl_cipsov4_doiwalk_arg {
 51         struct netlink_callback *nl_cb;
 52         struct sk_buff *skb;
 53         u32 seq;
 54 };
 55 
 56 /* Argument struct for netlbl_domhsh_walk() */
 57 struct netlbl_domhsh_walk_arg {
 58         struct netlbl_audit *audit_info;
 59         u32 doi;
 60 };
 61 
 62 /* NetLabel Generic NETLINK CIPSOv4 family */
 63 static struct genl_family netlbl_cipsov4_gnl_family = {
 64         .id = GENL_ID_GENERATE,
 65         .hdrsize = 0,
 66         .name = NETLBL_NLTYPE_CIPSOV4_NAME,
 67         .version = NETLBL_PROTO_VERSION,
 68         .maxattr = NLBL_CIPSOV4_A_MAX,
 69 };
 70 
 71 /* NetLabel Netlink attribute policy */
 72 static const struct nla_policy netlbl_cipsov4_genl_policy[NLBL_CIPSOV4_A_MAX + 1] = {
 73         [NLBL_CIPSOV4_A_DOI] = { .type = NLA_U32 },
 74         [NLBL_CIPSOV4_A_MTYPE] = { .type = NLA_U32 },
 75         [NLBL_CIPSOV4_A_TAG] = { .type = NLA_U8 },
 76         [NLBL_CIPSOV4_A_TAGLST] = { .type = NLA_NESTED },
 77         [NLBL_CIPSOV4_A_MLSLVLLOC] = { .type = NLA_U32 },
 78         [NLBL_CIPSOV4_A_MLSLVLREM] = { .type = NLA_U32 },
 79         [NLBL_CIPSOV4_A_MLSLVL] = { .type = NLA_NESTED },
 80         [NLBL_CIPSOV4_A_MLSLVLLST] = { .type = NLA_NESTED },
 81         [NLBL_CIPSOV4_A_MLSCATLOC] = { .type = NLA_U32 },
 82         [NLBL_CIPSOV4_A_MLSCATREM] = { .type = NLA_U32 },
 83         [NLBL_CIPSOV4_A_MLSCAT] = { .type = NLA_NESTED },
 84         [NLBL_CIPSOV4_A_MLSCATLST] = { .type = NLA_NESTED },
 85 };
 86 
 87 /*
 88  * Helper Functions
 89  */
 90 
 91 /**
 92  * netlbl_cipsov4_add_common - Parse the common sections of a ADD message
 93  * @info: the Generic NETLINK info block
 94  * @doi_def: the CIPSO V4 DOI definition
 95  *
 96  * Description:
 97  * Parse the common sections of a ADD message and fill in the related values
 98  * in @doi_def.  Returns zero on success, negative values on failure.
 99  *
100  */
101 static int netlbl_cipsov4_add_common(struct genl_info *info,
102                                      struct cipso_v4_doi *doi_def)
103 {
104         struct nlattr *nla;
105         int nla_rem;
106         u32 iter = 0;
107 
108         doi_def->doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
109 
110         if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_TAGLST],
111                                 NLBL_CIPSOV4_A_MAX,
112                                 netlbl_cipsov4_genl_policy) != 0)
113                 return -EINVAL;
114 
115         nla_for_each_nested(nla, info->attrs[NLBL_CIPSOV4_A_TAGLST], nla_rem)
116                 if (nla_type(nla) == NLBL_CIPSOV4_A_TAG) {
117                         if (iter >= CIPSO_V4_TAG_MAXCNT)
118                                 return -EINVAL;
119                         doi_def->tags[iter++] = nla_get_u8(nla);
120                 }
121         while (iter < CIPSO_V4_TAG_MAXCNT)
122                 doi_def->tags[iter++] = CIPSO_V4_TAG_INVALID;
123 
124         return 0;
125 }
126 
127 /*
128  * NetLabel Command Handlers
129  */
130 
131 /**
132  * netlbl_cipsov4_add_std - Adds a CIPSO V4 DOI definition
133  * @info: the Generic NETLINK info block
134  * @audit_info: NetLabel audit information
135  *
136  * Description:
137  * Create a new CIPSO_V4_MAP_TRANS DOI definition based on the given ADD
138  * message and add it to the CIPSO V4 engine.  Return zero on success and
139  * non-zero on error.
140  *
141  */
142 static int netlbl_cipsov4_add_std(struct genl_info *info,
143                                   struct netlbl_audit *audit_info)
144 {
145         int ret_val = -EINVAL;
146         struct cipso_v4_doi *doi_def = NULL;
147         struct nlattr *nla_a;
148         struct nlattr *nla_b;
149         int nla_a_rem;
150         int nla_b_rem;
151         u32 iter;
152 
153         if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
154             !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
155                 return -EINVAL;
156 
157         if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
158                                 NLBL_CIPSOV4_A_MAX,
159                                 netlbl_cipsov4_genl_policy) != 0)
160                 return -EINVAL;
161 
162         doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
163         if (doi_def == NULL)
164                 return -ENOMEM;
165         doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL);
166         if (doi_def->map.std == NULL) {
167                 ret_val = -ENOMEM;
168                 goto add_std_failure;
169         }
170         doi_def->type = CIPSO_V4_MAP_TRANS;
171 
172         ret_val = netlbl_cipsov4_add_common(info, doi_def);
173         if (ret_val != 0)
174                 goto add_std_failure;
175         ret_val = -EINVAL;
176 
177         nla_for_each_nested(nla_a,
178                             info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
179                             nla_a_rem)
180                 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) {
181                         if (nla_validate_nested(nla_a,
182                                             NLBL_CIPSOV4_A_MAX,
183                                             netlbl_cipsov4_genl_policy) != 0)
184                                         goto add_std_failure;
185                         nla_for_each_nested(nla_b, nla_a, nla_b_rem)
186                                 switch (nla_type(nla_b)) {
187                                 case NLBL_CIPSOV4_A_MLSLVLLOC:
188                                         if (nla_get_u32(nla_b) >
189                                             CIPSO_V4_MAX_LOC_LVLS)
190                                                 goto add_std_failure;
191                                         if (nla_get_u32(nla_b) >=
192                                             doi_def->map.std->lvl.local_size)
193                                              doi_def->map.std->lvl.local_size =
194                                                      nla_get_u32(nla_b) + 1;
195                                         break;
196                                 case NLBL_CIPSOV4_A_MLSLVLREM:
197                                         if (nla_get_u32(nla_b) >
198                                             CIPSO_V4_MAX_REM_LVLS)
199                                                 goto add_std_failure;
200                                         if (nla_get_u32(nla_b) >=
201                                             doi_def->map.std->lvl.cipso_size)
202                                              doi_def->map.std->lvl.cipso_size =
203                                                      nla_get_u32(nla_b) + 1;
204                                         break;
205                                 }
206                 }
207         doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size,
208                                               sizeof(u32),
209                                               GFP_KERNEL);
210         if (doi_def->map.std->lvl.local == NULL) {
211                 ret_val = -ENOMEM;
212                 goto add_std_failure;
213         }
214         doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size,
215                                               sizeof(u32),
216                                               GFP_KERNEL);
217         if (doi_def->map.std->lvl.cipso == NULL) {
218                 ret_val = -ENOMEM;
219                 goto add_std_failure;
220         }
221         for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++)
222                 doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL;
223         for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++)
224                 doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL;
225         nla_for_each_nested(nla_a,
226                             info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
227                             nla_a_rem)
228                 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) {
229                         struct nlattr *lvl_loc;
230                         struct nlattr *lvl_rem;
231 
232                         lvl_loc = nla_find_nested(nla_a,
233                                                   NLBL_CIPSOV4_A_MLSLVLLOC);
234                         lvl_rem = nla_find_nested(nla_a,
235                                                   NLBL_CIPSOV4_A_MLSLVLREM);
236                         if (lvl_loc == NULL || lvl_rem == NULL)
237                                 goto add_std_failure;
238                         doi_def->map.std->lvl.local[nla_get_u32(lvl_loc)] =
239                                 nla_get_u32(lvl_rem);
240                         doi_def->map.std->lvl.cipso[nla_get_u32(lvl_rem)] =
241                                 nla_get_u32(lvl_loc);
242                 }
243 
244         if (info->attrs[NLBL_CIPSOV4_A_MLSCATLST]) {
245                 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
246                                         NLBL_CIPSOV4_A_MAX,
247                                         netlbl_cipsov4_genl_policy) != 0)
248                         goto add_std_failure;
249 
250                 nla_for_each_nested(nla_a,
251                                     info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
252                                     nla_a_rem)
253                         if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) {
254                                 if (nla_validate_nested(nla_a,
255                                               NLBL_CIPSOV4_A_MAX,
256                                               netlbl_cipsov4_genl_policy) != 0)
257                                         goto add_std_failure;
258                                 nla_for_each_nested(nla_b, nla_a, nla_b_rem)
259                                         switch (nla_type(nla_b)) {
260                                         case NLBL_CIPSOV4_A_MLSCATLOC:
261                                                 if (nla_get_u32(nla_b) >
262                                                     CIPSO_V4_MAX_LOC_CATS)
263                                                         goto add_std_failure;
264                                                 if (nla_get_u32(nla_b) >=
265                                               doi_def->map.std->cat.local_size)
266                                              doi_def->map.std->cat.local_size =
267                                                      nla_get_u32(nla_b) + 1;
268                                                 break;
269                                         case NLBL_CIPSOV4_A_MLSCATREM:
270                                                 if (nla_get_u32(nla_b) >
271                                                     CIPSO_V4_MAX_REM_CATS)
272                                                         goto add_std_failure;
273                                                 if (nla_get_u32(nla_b) >=
274                                               doi_def->map.std->cat.cipso_size)
275                                              doi_def->map.std->cat.cipso_size =
276                                                      nla_get_u32(nla_b) + 1;
277                                                 break;
278                                         }
279                         }
280                 doi_def->map.std->cat.local = kcalloc(
281                                               doi_def->map.std->cat.local_size,
282                                               sizeof(u32),
283                                               GFP_KERNEL);
284                 if (doi_def->map.std->cat.local == NULL) {
285                         ret_val = -ENOMEM;
286                         goto add_std_failure;
287                 }
288                 doi_def->map.std->cat.cipso = kcalloc(
289                                               doi_def->map.std->cat.cipso_size,
290                                               sizeof(u32),
291                                               GFP_KERNEL);
292                 if (doi_def->map.std->cat.cipso == NULL) {
293                         ret_val = -ENOMEM;
294                         goto add_std_failure;
295                 }
296                 for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++)
297                         doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT;
298                 for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++)
299                         doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT;
300                 nla_for_each_nested(nla_a,
301                                     info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
302                                     nla_a_rem)
303                         if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) {
304                                 struct nlattr *cat_loc;
305                                 struct nlattr *cat_rem;
306 
307                                 cat_loc = nla_find_nested(nla_a,
308                                                      NLBL_CIPSOV4_A_MLSCATLOC);
309                                 cat_rem = nla_find_nested(nla_a,
310                                                      NLBL_CIPSOV4_A_MLSCATREM);
311                                 if (cat_loc == NULL || cat_rem == NULL)
312                                         goto add_std_failure;
313                                 doi_def->map.std->cat.local[
314                                                         nla_get_u32(cat_loc)] =
315                                         nla_get_u32(cat_rem);
316                                 doi_def->map.std->cat.cipso[
317                                                         nla_get_u32(cat_rem)] =
318                                         nla_get_u32(cat_loc);
319                         }
320         }
321 
322         ret_val = cipso_v4_doi_add(doi_def, audit_info);
323         if (ret_val != 0)
324                 goto add_std_failure;
325         return 0;
326 
327 add_std_failure:
328         if (doi_def)
329                 cipso_v4_doi_free(doi_def);
330         return ret_val;
331 }
332 
333 /**
334  * netlbl_cipsov4_add_pass - Adds a CIPSO V4 DOI definition
335  * @info: the Generic NETLINK info block
336  * @audit_info: NetLabel audit information
337  *
338  * Description:
339  * Create a new CIPSO_V4_MAP_PASS DOI definition based on the given ADD message
340  * and add it to the CIPSO V4 engine.  Return zero on success and non-zero on
341  * error.
342  *
343  */
344 static int netlbl_cipsov4_add_pass(struct genl_info *info,
345                                    struct netlbl_audit *audit_info)
346 {
347         int ret_val;
348         struct cipso_v4_doi *doi_def = NULL;
349 
350         if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
351                 return -EINVAL;
352 
353         doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
354         if (doi_def == NULL)
355                 return -ENOMEM;
356         doi_def->type = CIPSO_V4_MAP_PASS;
357 
358         ret_val = netlbl_cipsov4_add_common(info, doi_def);
359         if (ret_val != 0)
360                 goto add_pass_failure;
361 
362         ret_val = cipso_v4_doi_add(doi_def, audit_info);
363         if (ret_val != 0)
364                 goto add_pass_failure;
365         return 0;
366 
367 add_pass_failure:
368         cipso_v4_doi_free(doi_def);
369         return ret_val;
370 }
371 
372 /**
373  * netlbl_cipsov4_add_local - Adds a CIPSO V4 DOI definition
374  * @info: the Generic NETLINK info block
375  * @audit_info: NetLabel audit information
376  *
377  * Description:
378  * Create a new CIPSO_V4_MAP_LOCAL DOI definition based on the given ADD
379  * message and add it to the CIPSO V4 engine.  Return zero on success and
380  * non-zero on error.
381  *
382  */
383 static int netlbl_cipsov4_add_local(struct genl_info *info,
384                                     struct netlbl_audit *audit_info)
385 {
386         int ret_val;
387         struct cipso_v4_doi *doi_def = NULL;
388 
389         if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
390                 return -EINVAL;
391 
392         doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
393         if (doi_def == NULL)
394                 return -ENOMEM;
395         doi_def->type = CIPSO_V4_MAP_LOCAL;
396 
397         ret_val = netlbl_cipsov4_add_common(info, doi_def);
398         if (ret_val != 0)
399                 goto add_local_failure;
400 
401         ret_val = cipso_v4_doi_add(doi_def, audit_info);
402         if (ret_val != 0)
403                 goto add_local_failure;
404         return 0;
405 
406 add_local_failure:
407         cipso_v4_doi_free(doi_def);
408         return ret_val;
409 }
410 
411 /**
412  * netlbl_cipsov4_add - Handle an ADD message
413  * @skb: the NETLINK buffer
414  * @info: the Generic NETLINK info block
415  *
416  * Description:
417  * Create a new DOI definition based on the given ADD message and add it to the
418  * CIPSO V4 engine.  Returns zero on success, negative values on failure.
419  *
420  */
421 static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
422 
423 {
424         int ret_val = -EINVAL;
425         struct netlbl_audit audit_info;
426 
427         if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
428             !info->attrs[NLBL_CIPSOV4_A_MTYPE])
429                 return -EINVAL;
430 
431         netlbl_netlink_auditinfo(skb, &audit_info);
432         switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) {
433         case CIPSO_V4_MAP_TRANS:
434                 ret_val = netlbl_cipsov4_add_std(info, &audit_info);
435                 break;
436         case CIPSO_V4_MAP_PASS:
437                 ret_val = netlbl_cipsov4_add_pass(info, &audit_info);
438                 break;
439         case CIPSO_V4_MAP_LOCAL:
440                 ret_val = netlbl_cipsov4_add_local(info, &audit_info);
441                 break;
442         }
443         if (ret_val == 0)
444                 atomic_inc(&netlabel_mgmt_protocount);
445 
446         return ret_val;
447 }
448 
449 /**
450  * netlbl_cipsov4_list - Handle a LIST message
451  * @skb: the NETLINK buffer
452  * @info: the Generic NETLINK info block
453  *
454  * Description:
455  * Process a user generated LIST message and respond accordingly.  While the
456  * response message generated by the kernel is straightforward, determining
457  * before hand the size of the buffer to allocate is not (we have to generate
458  * the message to know the size).  In order to keep this function sane what we
459  * do is allocate a buffer of NLMSG_GOODSIZE and try to fit the response in
460  * that size, if we fail then we restart with a larger buffer and try again.
461  * We continue in this manner until we hit a limit of failed attempts then we
462  * give up and just send an error message.  Returns zero on success and
463  * negative values on error.
464  *
465  */
466 static int netlbl_cipsov4_list(struct sk_buff *skb, struct genl_info *info)
467 {
468         int ret_val;
469         struct sk_buff *ans_skb = NULL;
470         u32 nlsze_mult = 1;
471         void *data;
472         u32 doi;
473         struct nlattr *nla_a;
474         struct nlattr *nla_b;
475         struct cipso_v4_doi *doi_def;
476         u32 iter;
477 
478         if (!info->attrs[NLBL_CIPSOV4_A_DOI]) {
479                 ret_val = -EINVAL;
480                 goto list_failure;
481         }
482 
483 list_start:
484         ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE * nlsze_mult, GFP_KERNEL);
485         if (ans_skb == NULL) {
486                 ret_val = -ENOMEM;
487                 goto list_failure;
488         }
489         data = genlmsg_put_reply(ans_skb, info, &netlbl_cipsov4_gnl_family,
490                                  0, NLBL_CIPSOV4_C_LIST);
491         if (data == NULL) {
492                 ret_val = -ENOMEM;
493                 goto list_failure;
494         }
495 
496         doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
497 
498         rcu_read_lock();
499         doi_def = cipso_v4_doi_getdef(doi);
500         if (doi_def == NULL) {
501                 ret_val = -EINVAL;
502                 goto list_failure_lock;
503         }
504 
505         ret_val = nla_put_u32(ans_skb, NLBL_CIPSOV4_A_MTYPE, doi_def->type);
506         if (ret_val != 0)
507                 goto list_failure_lock;
508 
509         nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_TAGLST);
510         if (nla_a == NULL) {
511                 ret_val = -ENOMEM;
512                 goto list_failure_lock;
513         }
514         for (iter = 0;
515              iter < CIPSO_V4_TAG_MAXCNT &&
516                doi_def->tags[iter] != CIPSO_V4_TAG_INVALID;
517              iter++) {
518                 ret_val = nla_put_u8(ans_skb,
519                                      NLBL_CIPSOV4_A_TAG,
520                                      doi_def->tags[iter]);
521                 if (ret_val != 0)
522                         goto list_failure_lock;
523         }
524         nla_nest_end(ans_skb, nla_a);
525 
526         switch (doi_def->type) {
527         case CIPSO_V4_MAP_TRANS:
528                 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVLLST);
529                 if (nla_a == NULL) {
530                         ret_val = -ENOMEM;
531                         goto list_failure_lock;
532                 }
533                 for (iter = 0;
534                      iter < doi_def->map.std->lvl.local_size;
535                      iter++) {
536                         if (doi_def->map.std->lvl.local[iter] ==
537                             CIPSO_V4_INV_LVL)
538                                 continue;
539 
540                         nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVL);
541                         if (nla_b == NULL) {
542                                 ret_val = -ENOMEM;
543                                 goto list_retry;
544                         }
545                         ret_val = nla_put_u32(ans_skb,
546                                               NLBL_CIPSOV4_A_MLSLVLLOC,
547                                               iter);
548                         if (ret_val != 0)
549                                 goto list_retry;
550                         ret_val = nla_put_u32(ans_skb,
551                                             NLBL_CIPSOV4_A_MLSLVLREM,
552                                             doi_def->map.std->lvl.local[iter]);
553                         if (ret_val != 0)
554                                 goto list_retry;
555                         nla_nest_end(ans_skb, nla_b);
556                 }
557                 nla_nest_end(ans_skb, nla_a);
558 
559                 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCATLST);
560                 if (nla_a == NULL) {
561                         ret_val = -ENOMEM;
562                         goto list_retry;
563                 }
564                 for (iter = 0;
565                      iter < doi_def->map.std->cat.local_size;
566                      iter++) {
567                         if (doi_def->map.std->cat.local[iter] ==
568                             CIPSO_V4_INV_CAT)
569                                 continue;
570 
571                         nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCAT);
572                         if (nla_b == NULL) {
573                                 ret_val = -ENOMEM;
574                                 goto list_retry;
575                         }
576                         ret_val = nla_put_u32(ans_skb,
577                                               NLBL_CIPSOV4_A_MLSCATLOC,
578                                               iter);
579                         if (ret_val != 0)
580                                 goto list_retry;
581                         ret_val = nla_put_u32(ans_skb,
582                                             NLBL_CIPSOV4_A_MLSCATREM,
583                                             doi_def->map.std->cat.local[iter]);
584                         if (ret_val != 0)
585                                 goto list_retry;
586                         nla_nest_end(ans_skb, nla_b);
587                 }
588                 nla_nest_end(ans_skb, nla_a);
589 
590                 break;
591         }
592         rcu_read_unlock();
593 
594         genlmsg_end(ans_skb, data);
595         return genlmsg_reply(ans_skb, info);
596 
597 list_retry:
598         /* XXX - this limit is a guesstimate */
599         if (nlsze_mult < 4) {
600                 rcu_read_unlock();
601                 kfree_skb(ans_skb);
602                 nlsze_mult *= 2;
603                 goto list_start;
604         }
605 list_failure_lock:
606         rcu_read_unlock();
607 list_failure:
608         kfree_skb(ans_skb);
609         return ret_val;
610 }
611 
612 /**
613  * netlbl_cipsov4_listall_cb - cipso_v4_doi_walk() callback for LISTALL
614  * @doi_def: the CIPSOv4 DOI definition
615  * @arg: the netlbl_cipsov4_doiwalk_arg structure
616  *
617  * Description:
618  * This function is designed to be used as a callback to the
619  * cipso_v4_doi_walk() function for use in generating a response for a LISTALL
620  * message.  Returns the size of the message on success, negative values on
621  * failure.
622  *
623  */
624 static int netlbl_cipsov4_listall_cb(struct cipso_v4_doi *doi_def, void *arg)
625 {
626         int ret_val = -ENOMEM;
627         struct netlbl_cipsov4_doiwalk_arg *cb_arg = arg;
628         void *data;
629 
630         data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
631                            cb_arg->seq, &netlbl_cipsov4_gnl_family,
632                            NLM_F_MULTI, NLBL_CIPSOV4_C_LISTALL);
633         if (data == NULL)
634                 goto listall_cb_failure;
635 
636         ret_val = nla_put_u32(cb_arg->skb, NLBL_CIPSOV4_A_DOI, doi_def->doi);
637         if (ret_val != 0)
638                 goto listall_cb_failure;
639         ret_val = nla_put_u32(cb_arg->skb,
640                               NLBL_CIPSOV4_A_MTYPE,
641                               doi_def->type);
642         if (ret_val != 0)
643                 goto listall_cb_failure;
644 
645         return genlmsg_end(cb_arg->skb, data);
646 
647 listall_cb_failure:
648         genlmsg_cancel(cb_arg->skb, data);
649         return ret_val;
650 }
651 
652 /**
653  * netlbl_cipsov4_listall - Handle a LISTALL message
654  * @skb: the NETLINK buffer
655  * @cb: the NETLINK callback
656  *
657  * Description:
658  * Process a user generated LISTALL message and respond accordingly.  Returns
659  * zero on success and negative values on error.
660  *
661  */
662 static int netlbl_cipsov4_listall(struct sk_buff *skb,
663                                   struct netlink_callback *cb)
664 {
665         struct netlbl_cipsov4_doiwalk_arg cb_arg;
666         u32 doi_skip = cb->args[0];
667 
668         cb_arg.nl_cb = cb;
669         cb_arg.skb = skb;
670         cb_arg.seq = cb->nlh->nlmsg_seq;
671 
672         cipso_v4_doi_walk(&doi_skip, netlbl_cipsov4_listall_cb, &cb_arg);
673 
674         cb->args[0] = doi_skip;
675         return skb->len;
676 }
677 
678 /**
679  * netlbl_cipsov4_remove_cb - netlbl_cipsov4_remove() callback for REMOVE
680  * @entry: LSM domain mapping entry
681  * @arg: the netlbl_domhsh_walk_arg structure
682  *
683  * Description:
684  * This function is intended for use by netlbl_cipsov4_remove() as the callback
685  * for the netlbl_domhsh_walk() function; it removes LSM domain map entries
686  * which are associated with the CIPSO DOI specified in @arg.  Returns zero on
687  * success, negative values on failure.
688  *
689  */
690 static int netlbl_cipsov4_remove_cb(struct netlbl_dom_map *entry, void *arg)
691 {
692         struct netlbl_domhsh_walk_arg *cb_arg = arg;
693 
694         if (entry->def.type == NETLBL_NLTYPE_CIPSOV4 &&
695             entry->def.cipso->doi == cb_arg->doi)
696                 return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info);
697 
698         return 0;
699 }
700 
701 /**
702  * netlbl_cipsov4_remove - Handle a REMOVE message
703  * @skb: the NETLINK buffer
704  * @info: the Generic NETLINK info block
705  *
706  * Description:
707  * Process a user generated REMOVE message and respond accordingly.  Returns
708  * zero on success, negative values on failure.
709  *
710  */
711 static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
712 {
713         int ret_val = -EINVAL;
714         struct netlbl_domhsh_walk_arg cb_arg;
715         struct netlbl_audit audit_info;
716         u32 skip_bkt = 0;
717         u32 skip_chain = 0;
718 
719         if (!info->attrs[NLBL_CIPSOV4_A_DOI])
720                 return -EINVAL;
721 
722         netlbl_netlink_auditinfo(skb, &audit_info);
723         cb_arg.doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
724         cb_arg.audit_info = &audit_info;
725         ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain,
726                                      netlbl_cipsov4_remove_cb, &cb_arg);
727         if (ret_val == 0 || ret_val == -ENOENT) {
728                 ret_val = cipso_v4_doi_remove(cb_arg.doi, &audit_info);
729                 if (ret_val == 0)
730                         atomic_dec(&netlabel_mgmt_protocount);
731         }
732 
733         return ret_val;
734 }
735 
736 /*
737  * NetLabel Generic NETLINK Command Definitions
738  */
739 
740 static const struct genl_ops netlbl_cipsov4_ops[] = {
741         {
742         .cmd = NLBL_CIPSOV4_C_ADD,
743         .flags = GENL_ADMIN_PERM,
744         .policy = netlbl_cipsov4_genl_policy,
745         .doit = netlbl_cipsov4_add,
746         .dumpit = NULL,
747         },
748         {
749         .cmd = NLBL_CIPSOV4_C_REMOVE,
750         .flags = GENL_ADMIN_PERM,
751         .policy = netlbl_cipsov4_genl_policy,
752         .doit = netlbl_cipsov4_remove,
753         .dumpit = NULL,
754         },
755         {
756         .cmd = NLBL_CIPSOV4_C_LIST,
757         .flags = 0,
758         .policy = netlbl_cipsov4_genl_policy,
759         .doit = netlbl_cipsov4_list,
760         .dumpit = NULL,
761         },
762         {
763         .cmd = NLBL_CIPSOV4_C_LISTALL,
764         .flags = 0,
765         .policy = netlbl_cipsov4_genl_policy,
766         .doit = NULL,
767         .dumpit = netlbl_cipsov4_listall,
768         },
769 };
770 
771 /*
772  * NetLabel Generic NETLINK Protocol Functions
773  */
774 
775 /**
776  * netlbl_cipsov4_genl_init - Register the CIPSOv4 NetLabel component
777  *
778  * Description:
779  * Register the CIPSOv4 packet NetLabel component with the Generic NETLINK
780  * mechanism.  Returns zero on success, negative values on failure.
781  *
782  */
783 int __init netlbl_cipsov4_genl_init(void)
784 {
785         return genl_register_family_with_ops(&netlbl_cipsov4_gnl_family,
786                                              netlbl_cipsov4_ops);
787 }
788 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp