~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/netlabel/netlabel_cipso_v4.c

Version: ~ [ linux-5.11-rc3 ] ~ [ linux-5.10.7 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.89 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.167 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.215 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.251 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.251 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * NetLabel CIPSO/IPv4 Support
  3  *
  4  * This file defines the CIPSO/IPv4 functions for the NetLabel system.  The
  5  * NetLabel system manages static and dynamic label mappings for network
  6  * protocols such as CIPSO and RIPSO.
  7  *
  8  * Author: Paul Moore <paul@paul-moore.com>
  9  *
 10  */
 11 
 12 /*
 13  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 14  *
 15  * This program is free software;  you can redistribute it and/or modify
 16  * it under the terms of the GNU General Public License as published by
 17  * the Free Software Foundation; either version 2 of the License, or
 18  * (at your option) any later version.
 19  *
 20  * This program is distributed in the hope that it will be useful,
 21  * but WITHOUT ANY WARRANTY;  without even the implied warranty of
 22  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 23  * the GNU General Public License for more details.
 24  *
 25  * You should have received a copy of the GNU General Public License
 26  * along with this program;  if not, see <http://www.gnu.org/licenses/>.
 27  *
 28  */
 29 
 30 #include <linux/types.h>
 31 #include <linux/socket.h>
 32 #include <linux/string.h>
 33 #include <linux/skbuff.h>
 34 #include <linux/audit.h>
 35 #include <linux/slab.h>
 36 #include <net/sock.h>
 37 #include <net/netlink.h>
 38 #include <net/genetlink.h>
 39 #include <net/netlabel.h>
 40 #include <net/cipso_ipv4.h>
 41 #include <linux/atomic.h>
 42 
 43 #include "netlabel_user.h"
 44 #include "netlabel_cipso_v4.h"
 45 #include "netlabel_mgmt.h"
 46 #include "netlabel_domainhash.h"
 47 
 48 /* Argument struct for cipso_v4_doi_walk() */
 49 struct netlbl_cipsov4_doiwalk_arg {
 50         struct netlink_callback *nl_cb;
 51         struct sk_buff *skb;
 52         u32 seq;
 53 };
 54 
 55 /* Argument struct for netlbl_domhsh_walk() */
 56 struct netlbl_domhsh_walk_arg {
 57         struct netlbl_audit *audit_info;
 58         u32 doi;
 59 };
 60 
 61 /* NetLabel Generic NETLINK CIPSOv4 family */
 62 static struct genl_family netlbl_cipsov4_gnl_family;
 63 /* NetLabel Netlink attribute policy */
 64 static const struct nla_policy netlbl_cipsov4_genl_policy[NLBL_CIPSOV4_A_MAX + 1] = {
 65         [NLBL_CIPSOV4_A_DOI] = { .type = NLA_U32 },
 66         [NLBL_CIPSOV4_A_MTYPE] = { .type = NLA_U32 },
 67         [NLBL_CIPSOV4_A_TAG] = { .type = NLA_U8 },
 68         [NLBL_CIPSOV4_A_TAGLST] = { .type = NLA_NESTED },
 69         [NLBL_CIPSOV4_A_MLSLVLLOC] = { .type = NLA_U32 },
 70         [NLBL_CIPSOV4_A_MLSLVLREM] = { .type = NLA_U32 },
 71         [NLBL_CIPSOV4_A_MLSLVL] = { .type = NLA_NESTED },
 72         [NLBL_CIPSOV4_A_MLSLVLLST] = { .type = NLA_NESTED },
 73         [NLBL_CIPSOV4_A_MLSCATLOC] = { .type = NLA_U32 },
 74         [NLBL_CIPSOV4_A_MLSCATREM] = { .type = NLA_U32 },
 75         [NLBL_CIPSOV4_A_MLSCAT] = { .type = NLA_NESTED },
 76         [NLBL_CIPSOV4_A_MLSCATLST] = { .type = NLA_NESTED },
 77 };
 78 
 79 /*
 80  * Helper Functions
 81  */
 82 
 83 /**
 84  * netlbl_cipsov4_add_common - Parse the common sections of a ADD message
 85  * @info: the Generic NETLINK info block
 86  * @doi_def: the CIPSO V4 DOI definition
 87  *
 88  * Description:
 89  * Parse the common sections of a ADD message and fill in the related values
 90  * in @doi_def.  Returns zero on success, negative values on failure.
 91  *
 92  */
 93 static int netlbl_cipsov4_add_common(struct genl_info *info,
 94                                      struct cipso_v4_doi *doi_def)
 95 {
 96         struct nlattr *nla;
 97         int nla_rem;
 98         u32 iter = 0;
 99 
100         doi_def->doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
101 
102         if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_TAGLST],
103                                 NLBL_CIPSOV4_A_MAX,
104                                 netlbl_cipsov4_genl_policy, NULL) != 0)
105                 return -EINVAL;
106 
107         nla_for_each_nested(nla, info->attrs[NLBL_CIPSOV4_A_TAGLST], nla_rem)
108                 if (nla_type(nla) == NLBL_CIPSOV4_A_TAG) {
109                         if (iter >= CIPSO_V4_TAG_MAXCNT)
110                                 return -EINVAL;
111                         doi_def->tags[iter++] = nla_get_u8(nla);
112                 }
113         while (iter < CIPSO_V4_TAG_MAXCNT)
114                 doi_def->tags[iter++] = CIPSO_V4_TAG_INVALID;
115 
116         return 0;
117 }
118 
119 /*
120  * NetLabel Command Handlers
121  */
122 
123 /**
124  * netlbl_cipsov4_add_std - Adds a CIPSO V4 DOI definition
125  * @info: the Generic NETLINK info block
126  * @audit_info: NetLabel audit information
127  *
128  * Description:
129  * Create a new CIPSO_V4_MAP_TRANS DOI definition based on the given ADD
130  * message and add it to the CIPSO V4 engine.  Return zero on success and
131  * non-zero on error.
132  *
133  */
134 static int netlbl_cipsov4_add_std(struct genl_info *info,
135                                   struct netlbl_audit *audit_info)
136 {
137         int ret_val = -EINVAL;
138         struct cipso_v4_doi *doi_def = NULL;
139         struct nlattr *nla_a;
140         struct nlattr *nla_b;
141         int nla_a_rem;
142         int nla_b_rem;
143         u32 iter;
144 
145         if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
146             !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
147                 return -EINVAL;
148 
149         if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
150                                 NLBL_CIPSOV4_A_MAX,
151                                 netlbl_cipsov4_genl_policy, NULL) != 0)
152                 return -EINVAL;
153 
154         doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
155         if (doi_def == NULL)
156                 return -ENOMEM;
157         doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL);
158         if (doi_def->map.std == NULL) {
159                 ret_val = -ENOMEM;
160                 goto add_std_failure;
161         }
162         doi_def->type = CIPSO_V4_MAP_TRANS;
163 
164         ret_val = netlbl_cipsov4_add_common(info, doi_def);
165         if (ret_val != 0)
166                 goto add_std_failure;
167         ret_val = -EINVAL;
168 
169         nla_for_each_nested(nla_a,
170                             info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
171                             nla_a_rem)
172                 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) {
173                         if (nla_validate_nested(nla_a, NLBL_CIPSOV4_A_MAX,
174                                                 netlbl_cipsov4_genl_policy,
175                                                 NULL) != 0)
176                                 goto add_std_failure;
177                         nla_for_each_nested(nla_b, nla_a, nla_b_rem)
178                                 switch (nla_type(nla_b)) {
179                                 case NLBL_CIPSOV4_A_MLSLVLLOC:
180                                         if (nla_get_u32(nla_b) >
181                                             CIPSO_V4_MAX_LOC_LVLS)
182                                                 goto add_std_failure;
183                                         if (nla_get_u32(nla_b) >=
184                                             doi_def->map.std->lvl.local_size)
185                                              doi_def->map.std->lvl.local_size =
186                                                      nla_get_u32(nla_b) + 1;
187                                         break;
188                                 case NLBL_CIPSOV4_A_MLSLVLREM:
189                                         if (nla_get_u32(nla_b) >
190                                             CIPSO_V4_MAX_REM_LVLS)
191                                                 goto add_std_failure;
192                                         if (nla_get_u32(nla_b) >=
193                                             doi_def->map.std->lvl.cipso_size)
194                                              doi_def->map.std->lvl.cipso_size =
195                                                      nla_get_u32(nla_b) + 1;
196                                         break;
197                                 }
198                 }
199         doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size,
200                                               sizeof(u32),
201                                               GFP_KERNEL);
202         if (doi_def->map.std->lvl.local == NULL) {
203                 ret_val = -ENOMEM;
204                 goto add_std_failure;
205         }
206         doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size,
207                                               sizeof(u32),
208                                               GFP_KERNEL);
209         if (doi_def->map.std->lvl.cipso == NULL) {
210                 ret_val = -ENOMEM;
211                 goto add_std_failure;
212         }
213         for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++)
214                 doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL;
215         for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++)
216                 doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL;
217         nla_for_each_nested(nla_a,
218                             info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
219                             nla_a_rem)
220                 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) {
221                         struct nlattr *lvl_loc;
222                         struct nlattr *lvl_rem;
223 
224                         lvl_loc = nla_find_nested(nla_a,
225                                                   NLBL_CIPSOV4_A_MLSLVLLOC);
226                         lvl_rem = nla_find_nested(nla_a,
227                                                   NLBL_CIPSOV4_A_MLSLVLREM);
228                         if (lvl_loc == NULL || lvl_rem == NULL)
229                                 goto add_std_failure;
230                         doi_def->map.std->lvl.local[nla_get_u32(lvl_loc)] =
231                                 nla_get_u32(lvl_rem);
232                         doi_def->map.std->lvl.cipso[nla_get_u32(lvl_rem)] =
233                                 nla_get_u32(lvl_loc);
234                 }
235 
236         if (info->attrs[NLBL_CIPSOV4_A_MLSCATLST]) {
237                 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
238                                         NLBL_CIPSOV4_A_MAX,
239                                         netlbl_cipsov4_genl_policy, NULL) != 0)
240                         goto add_std_failure;
241 
242                 nla_for_each_nested(nla_a,
243                                     info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
244                                     nla_a_rem)
245                         if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) {
246                                 if (nla_validate_nested(nla_a,
247                                                         NLBL_CIPSOV4_A_MAX,
248                                                         netlbl_cipsov4_genl_policy,
249                                                         NULL) != 0)
250                                         goto add_std_failure;
251                                 nla_for_each_nested(nla_b, nla_a, nla_b_rem)
252                                         switch (nla_type(nla_b)) {
253                                         case NLBL_CIPSOV4_A_MLSCATLOC:
254                                                 if (nla_get_u32(nla_b) >
255                                                     CIPSO_V4_MAX_LOC_CATS)
256                                                         goto add_std_failure;
257                                                 if (nla_get_u32(nla_b) >=
258                                               doi_def->map.std->cat.local_size)
259                                              doi_def->map.std->cat.local_size =
260                                                      nla_get_u32(nla_b) + 1;
261                                                 break;
262                                         case NLBL_CIPSOV4_A_MLSCATREM:
263                                                 if (nla_get_u32(nla_b) >
264                                                     CIPSO_V4_MAX_REM_CATS)
265                                                         goto add_std_failure;
266                                                 if (nla_get_u32(nla_b) >=
267                                               doi_def->map.std->cat.cipso_size)
268                                              doi_def->map.std->cat.cipso_size =
269                                                      nla_get_u32(nla_b) + 1;
270                                                 break;
271                                         }
272                         }
273                 doi_def->map.std->cat.local = kcalloc(
274                                               doi_def->map.std->cat.local_size,
275                                               sizeof(u32),
276                                               GFP_KERNEL);
277                 if (doi_def->map.std->cat.local == NULL) {
278                         ret_val = -ENOMEM;
279                         goto add_std_failure;
280                 }
281                 doi_def->map.std->cat.cipso = kcalloc(
282                                               doi_def->map.std->cat.cipso_size,
283                                               sizeof(u32),
284                                               GFP_KERNEL);
285                 if (doi_def->map.std->cat.cipso == NULL) {
286                         ret_val = -ENOMEM;
287                         goto add_std_failure;
288                 }
289                 for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++)
290                         doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT;
291                 for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++)
292                         doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT;
293                 nla_for_each_nested(nla_a,
294                                     info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
295                                     nla_a_rem)
296                         if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) {
297                                 struct nlattr *cat_loc;
298                                 struct nlattr *cat_rem;
299 
300                                 cat_loc = nla_find_nested(nla_a,
301                                                      NLBL_CIPSOV4_A_MLSCATLOC);
302                                 cat_rem = nla_find_nested(nla_a,
303                                                      NLBL_CIPSOV4_A_MLSCATREM);
304                                 if (cat_loc == NULL || cat_rem == NULL)
305                                         goto add_std_failure;
306                                 doi_def->map.std->cat.local[
307                                                         nla_get_u32(cat_loc)] =
308                                         nla_get_u32(cat_rem);
309                                 doi_def->map.std->cat.cipso[
310                                                         nla_get_u32(cat_rem)] =
311                                         nla_get_u32(cat_loc);
312                         }
313         }
314 
315         ret_val = cipso_v4_doi_add(doi_def, audit_info);
316         if (ret_val != 0)
317                 goto add_std_failure;
318         return 0;
319 
320 add_std_failure:
321         cipso_v4_doi_free(doi_def);
322         return ret_val;
323 }
324 
325 /**
326  * netlbl_cipsov4_add_pass - Adds a CIPSO V4 DOI definition
327  * @info: the Generic NETLINK info block
328  * @audit_info: NetLabel audit information
329  *
330  * Description:
331  * Create a new CIPSO_V4_MAP_PASS DOI definition based on the given ADD message
332  * and add it to the CIPSO V4 engine.  Return zero on success and non-zero on
333  * error.
334  *
335  */
336 static int netlbl_cipsov4_add_pass(struct genl_info *info,
337                                    struct netlbl_audit *audit_info)
338 {
339         int ret_val;
340         struct cipso_v4_doi *doi_def = NULL;
341 
342         if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
343                 return -EINVAL;
344 
345         doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
346         if (doi_def == NULL)
347                 return -ENOMEM;
348         doi_def->type = CIPSO_V4_MAP_PASS;
349 
350         ret_val = netlbl_cipsov4_add_common(info, doi_def);
351         if (ret_val != 0)
352                 goto add_pass_failure;
353 
354         ret_val = cipso_v4_doi_add(doi_def, audit_info);
355         if (ret_val != 0)
356                 goto add_pass_failure;
357         return 0;
358 
359 add_pass_failure:
360         cipso_v4_doi_free(doi_def);
361         return ret_val;
362 }
363 
364 /**
365  * netlbl_cipsov4_add_local - Adds a CIPSO V4 DOI definition
366  * @info: the Generic NETLINK info block
367  * @audit_info: NetLabel audit information
368  *
369  * Description:
370  * Create a new CIPSO_V4_MAP_LOCAL DOI definition based on the given ADD
371  * message and add it to the CIPSO V4 engine.  Return zero on success and
372  * non-zero on error.
373  *
374  */
375 static int netlbl_cipsov4_add_local(struct genl_info *info,
376                                     struct netlbl_audit *audit_info)
377 {
378         int ret_val;
379         struct cipso_v4_doi *doi_def = NULL;
380 
381         if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
382                 return -EINVAL;
383 
384         doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
385         if (doi_def == NULL)
386                 return -ENOMEM;
387         doi_def->type = CIPSO_V4_MAP_LOCAL;
388 
389         ret_val = netlbl_cipsov4_add_common(info, doi_def);
390         if (ret_val != 0)
391                 goto add_local_failure;
392 
393         ret_val = cipso_v4_doi_add(doi_def, audit_info);
394         if (ret_val != 0)
395                 goto add_local_failure;
396         return 0;
397 
398 add_local_failure:
399         cipso_v4_doi_free(doi_def);
400         return ret_val;
401 }
402 
403 /**
404  * netlbl_cipsov4_add - Handle an ADD message
405  * @skb: the NETLINK buffer
406  * @info: the Generic NETLINK info block
407  *
408  * Description:
409  * Create a new DOI definition based on the given ADD message and add it to the
410  * CIPSO V4 engine.  Returns zero on success, negative values on failure.
411  *
412  */
413 static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
414 
415 {
416         int ret_val = -EINVAL;
417         struct netlbl_audit audit_info;
418 
419         if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
420             !info->attrs[NLBL_CIPSOV4_A_MTYPE])
421                 return -EINVAL;
422 
423         netlbl_netlink_auditinfo(skb, &audit_info);
424         switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) {
425         case CIPSO_V4_MAP_TRANS:
426                 ret_val = netlbl_cipsov4_add_std(info, &audit_info);
427                 break;
428         case CIPSO_V4_MAP_PASS:
429                 ret_val = netlbl_cipsov4_add_pass(info, &audit_info);
430                 break;
431         case CIPSO_V4_MAP_LOCAL:
432                 ret_val = netlbl_cipsov4_add_local(info, &audit_info);
433                 break;
434         }
435         if (ret_val == 0)
436                 atomic_inc(&netlabel_mgmt_protocount);
437 
438         return ret_val;
439 }
440 
441 /**
442  * netlbl_cipsov4_list - Handle a LIST message
443  * @skb: the NETLINK buffer
444  * @info: the Generic NETLINK info block
445  *
446  * Description:
447  * Process a user generated LIST message and respond accordingly.  While the
448  * response message generated by the kernel is straightforward, determining
449  * before hand the size of the buffer to allocate is not (we have to generate
450  * the message to know the size).  In order to keep this function sane what we
451  * do is allocate a buffer of NLMSG_GOODSIZE and try to fit the response in
452  * that size, if we fail then we restart with a larger buffer and try again.
453  * We continue in this manner until we hit a limit of failed attempts then we
454  * give up and just send an error message.  Returns zero on success and
455  * negative values on error.
456  *
457  */
458 static int netlbl_cipsov4_list(struct sk_buff *skb, struct genl_info *info)
459 {
460         int ret_val;
461         struct sk_buff *ans_skb = NULL;
462         u32 nlsze_mult = 1;
463         void *data;
464         u32 doi;
465         struct nlattr *nla_a;
466         struct nlattr *nla_b;
467         struct cipso_v4_doi *doi_def;
468         u32 iter;
469 
470         if (!info->attrs[NLBL_CIPSOV4_A_DOI]) {
471                 ret_val = -EINVAL;
472                 goto list_failure;
473         }
474 
475 list_start:
476         ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE * nlsze_mult, GFP_KERNEL);
477         if (ans_skb == NULL) {
478                 ret_val = -ENOMEM;
479                 goto list_failure;
480         }
481         data = genlmsg_put_reply(ans_skb, info, &netlbl_cipsov4_gnl_family,
482                                  0, NLBL_CIPSOV4_C_LIST);
483         if (data == NULL) {
484                 ret_val = -ENOMEM;
485                 goto list_failure;
486         }
487 
488         doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
489 
490         rcu_read_lock();
491         doi_def = cipso_v4_doi_getdef(doi);
492         if (doi_def == NULL) {
493                 ret_val = -EINVAL;
494                 goto list_failure_lock;
495         }
496 
497         ret_val = nla_put_u32(ans_skb, NLBL_CIPSOV4_A_MTYPE, doi_def->type);
498         if (ret_val != 0)
499                 goto list_failure_lock;
500 
501         nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_TAGLST);
502         if (nla_a == NULL) {
503                 ret_val = -ENOMEM;
504                 goto list_failure_lock;
505         }
506         for (iter = 0;
507              iter < CIPSO_V4_TAG_MAXCNT &&
508                doi_def->tags[iter] != CIPSO_V4_TAG_INVALID;
509              iter++) {
510                 ret_val = nla_put_u8(ans_skb,
511                                      NLBL_CIPSOV4_A_TAG,
512                                      doi_def->tags[iter]);
513                 if (ret_val != 0)
514                         goto list_failure_lock;
515         }
516         nla_nest_end(ans_skb, nla_a);
517 
518         switch (doi_def->type) {
519         case CIPSO_V4_MAP_TRANS:
520                 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVLLST);
521                 if (nla_a == NULL) {
522                         ret_val = -ENOMEM;
523                         goto list_failure_lock;
524                 }
525                 for (iter = 0;
526                      iter < doi_def->map.std->lvl.local_size;
527                      iter++) {
528                         if (doi_def->map.std->lvl.local[iter] ==
529                             CIPSO_V4_INV_LVL)
530                                 continue;
531 
532                         nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVL);
533                         if (nla_b == NULL) {
534                                 ret_val = -ENOMEM;
535                                 goto list_retry;
536                         }
537                         ret_val = nla_put_u32(ans_skb,
538                                               NLBL_CIPSOV4_A_MLSLVLLOC,
539                                               iter);
540                         if (ret_val != 0)
541                                 goto list_retry;
542                         ret_val = nla_put_u32(ans_skb,
543                                             NLBL_CIPSOV4_A_MLSLVLREM,
544                                             doi_def->map.std->lvl.local[iter]);
545                         if (ret_val != 0)
546                                 goto list_retry;
547                         nla_nest_end(ans_skb, nla_b);
548                 }
549                 nla_nest_end(ans_skb, nla_a);
550 
551                 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCATLST);
552                 if (nla_a == NULL) {
553                         ret_val = -ENOMEM;
554                         goto list_retry;
555                 }
556                 for (iter = 0;
557                      iter < doi_def->map.std->cat.local_size;
558                      iter++) {
559                         if (doi_def->map.std->cat.local[iter] ==
560                             CIPSO_V4_INV_CAT)
561                                 continue;
562 
563                         nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCAT);
564                         if (nla_b == NULL) {
565                                 ret_val = -ENOMEM;
566                                 goto list_retry;
567                         }
568                         ret_val = nla_put_u32(ans_skb,
569                                               NLBL_CIPSOV4_A_MLSCATLOC,
570                                               iter);
571                         if (ret_val != 0)
572                                 goto list_retry;
573                         ret_val = nla_put_u32(ans_skb,
574                                             NLBL_CIPSOV4_A_MLSCATREM,
575                                             doi_def->map.std->cat.local[iter]);
576                         if (ret_val != 0)
577                                 goto list_retry;
578                         nla_nest_end(ans_skb, nla_b);
579                 }
580                 nla_nest_end(ans_skb, nla_a);
581 
582                 break;
583         }
584         rcu_read_unlock();
585 
586         genlmsg_end(ans_skb, data);
587         return genlmsg_reply(ans_skb, info);
588 
589 list_retry:
590         /* XXX - this limit is a guesstimate */
591         if (nlsze_mult < 4) {
592                 rcu_read_unlock();
593                 kfree_skb(ans_skb);
594                 nlsze_mult *= 2;
595                 goto list_start;
596         }
597 list_failure_lock:
598         rcu_read_unlock();
599 list_failure:
600         kfree_skb(ans_skb);
601         return ret_val;
602 }
603 
604 /**
605  * netlbl_cipsov4_listall_cb - cipso_v4_doi_walk() callback for LISTALL
606  * @doi_def: the CIPSOv4 DOI definition
607  * @arg: the netlbl_cipsov4_doiwalk_arg structure
608  *
609  * Description:
610  * This function is designed to be used as a callback to the
611  * cipso_v4_doi_walk() function for use in generating a response for a LISTALL
612  * message.  Returns the size of the message on success, negative values on
613  * failure.
614  *
615  */
616 static int netlbl_cipsov4_listall_cb(struct cipso_v4_doi *doi_def, void *arg)
617 {
618         int ret_val = -ENOMEM;
619         struct netlbl_cipsov4_doiwalk_arg *cb_arg = arg;
620         void *data;
621 
622         data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
623                            cb_arg->seq, &netlbl_cipsov4_gnl_family,
624                            NLM_F_MULTI, NLBL_CIPSOV4_C_LISTALL);
625         if (data == NULL)
626                 goto listall_cb_failure;
627 
628         ret_val = nla_put_u32(cb_arg->skb, NLBL_CIPSOV4_A_DOI, doi_def->doi);
629         if (ret_val != 0)
630                 goto listall_cb_failure;
631         ret_val = nla_put_u32(cb_arg->skb,
632                               NLBL_CIPSOV4_A_MTYPE,
633                               doi_def->type);
634         if (ret_val != 0)
635                 goto listall_cb_failure;
636 
637         genlmsg_end(cb_arg->skb, data);
638         return 0;
639 
640 listall_cb_failure:
641         genlmsg_cancel(cb_arg->skb, data);
642         return ret_val;
643 }
644 
645 /**
646  * netlbl_cipsov4_listall - Handle a LISTALL message
647  * @skb: the NETLINK buffer
648  * @cb: the NETLINK callback
649  *
650  * Description:
651  * Process a user generated LISTALL message and respond accordingly.  Returns
652  * zero on success and negative values on error.
653  *
654  */
655 static int netlbl_cipsov4_listall(struct sk_buff *skb,
656                                   struct netlink_callback *cb)
657 {
658         struct netlbl_cipsov4_doiwalk_arg cb_arg;
659         u32 doi_skip = cb->args[0];
660 
661         cb_arg.nl_cb = cb;
662         cb_arg.skb = skb;
663         cb_arg.seq = cb->nlh->nlmsg_seq;
664 
665         cipso_v4_doi_walk(&doi_skip, netlbl_cipsov4_listall_cb, &cb_arg);
666 
667         cb->args[0] = doi_skip;
668         return skb->len;
669 }
670 
671 /**
672  * netlbl_cipsov4_remove_cb - netlbl_cipsov4_remove() callback for REMOVE
673  * @entry: LSM domain mapping entry
674  * @arg: the netlbl_domhsh_walk_arg structure
675  *
676  * Description:
677  * This function is intended for use by netlbl_cipsov4_remove() as the callback
678  * for the netlbl_domhsh_walk() function; it removes LSM domain map entries
679  * which are associated with the CIPSO DOI specified in @arg.  Returns zero on
680  * success, negative values on failure.
681  *
682  */
683 static int netlbl_cipsov4_remove_cb(struct netlbl_dom_map *entry, void *arg)
684 {
685         struct netlbl_domhsh_walk_arg *cb_arg = arg;
686 
687         if (entry->def.type == NETLBL_NLTYPE_CIPSOV4 &&
688             entry->def.cipso->doi == cb_arg->doi)
689                 return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info);
690 
691         return 0;
692 }
693 
694 /**
695  * netlbl_cipsov4_remove - Handle a REMOVE message
696  * @skb: the NETLINK buffer
697  * @info: the Generic NETLINK info block
698  *
699  * Description:
700  * Process a user generated REMOVE message and respond accordingly.  Returns
701  * zero on success, negative values on failure.
702  *
703  */
704 static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
705 {
706         int ret_val = -EINVAL;
707         struct netlbl_domhsh_walk_arg cb_arg;
708         struct netlbl_audit audit_info;
709         u32 skip_bkt = 0;
710         u32 skip_chain = 0;
711 
712         if (!info->attrs[NLBL_CIPSOV4_A_DOI])
713                 return -EINVAL;
714 
715         netlbl_netlink_auditinfo(skb, &audit_info);
716         cb_arg.doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
717         cb_arg.audit_info = &audit_info;
718         ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain,
719                                      netlbl_cipsov4_remove_cb, &cb_arg);
720         if (ret_val == 0 || ret_val == -ENOENT) {
721                 ret_val = cipso_v4_doi_remove(cb_arg.doi, &audit_info);
722                 if (ret_val == 0)
723                         atomic_dec(&netlabel_mgmt_protocount);
724         }
725 
726         return ret_val;
727 }
728 
729 /*
730  * NetLabel Generic NETLINK Command Definitions
731  */
732 
733 static const struct genl_ops netlbl_cipsov4_ops[] = {
734         {
735         .cmd = NLBL_CIPSOV4_C_ADD,
736         .flags = GENL_ADMIN_PERM,
737         .policy = netlbl_cipsov4_genl_policy,
738         .doit = netlbl_cipsov4_add,
739         .dumpit = NULL,
740         },
741         {
742         .cmd = NLBL_CIPSOV4_C_REMOVE,
743         .flags = GENL_ADMIN_PERM,
744         .policy = netlbl_cipsov4_genl_policy,
745         .doit = netlbl_cipsov4_remove,
746         .dumpit = NULL,
747         },
748         {
749         .cmd = NLBL_CIPSOV4_C_LIST,
750         .flags = 0,
751         .policy = netlbl_cipsov4_genl_policy,
752         .doit = netlbl_cipsov4_list,
753         .dumpit = NULL,
754         },
755         {
756         .cmd = NLBL_CIPSOV4_C_LISTALL,
757         .flags = 0,
758         .policy = netlbl_cipsov4_genl_policy,
759         .doit = NULL,
760         .dumpit = netlbl_cipsov4_listall,
761         },
762 };
763 
764 static struct genl_family netlbl_cipsov4_gnl_family __ro_after_init = {
765         .hdrsize = 0,
766         .name = NETLBL_NLTYPE_CIPSOV4_NAME,
767         .version = NETLBL_PROTO_VERSION,
768         .maxattr = NLBL_CIPSOV4_A_MAX,
769         .module = THIS_MODULE,
770         .ops = netlbl_cipsov4_ops,
771         .n_ops = ARRAY_SIZE(netlbl_cipsov4_ops),
772 };
773 
774 /*
775  * NetLabel Generic NETLINK Protocol Functions
776  */
777 
778 /**
779  * netlbl_cipsov4_genl_init - Register the CIPSOv4 NetLabel component
780  *
781  * Description:
782  * Register the CIPSOv4 packet NetLabel component with the Generic NETLINK
783  * mechanism.  Returns zero on success, negative values on failure.
784  *
785  */
786 int __init netlbl_cipsov4_genl_init(void)
787 {
788         return genl_register_family(&netlbl_cipsov4_gnl_family);
789 }
790 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp