~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/netlabel/netlabel_cipso_v4.c

Version: ~ [ linux-5.3 ] ~ [ linux-5.2.15 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.73 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.144 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.193 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.193 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.73 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * NetLabel CIPSO/IPv4 Support
  3  *
  4  * This file defines the CIPSO/IPv4 functions for the NetLabel system.  The
  5  * NetLabel system manages static and dynamic label mappings for network
  6  * protocols such as CIPSO and RIPSO.
  7  *
  8  * Author: Paul Moore <paul@paul-moore.com>
  9  *
 10  */
 11 
 12 /*
 13  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 14  *
 15  * This program is free software;  you can redistribute it and/or modify
 16  * it under the terms of the GNU General Public License as published by
 17  * the Free Software Foundation; either version 2 of the License, or
 18  * (at your option) any later version.
 19  *
 20  * This program is distributed in the hope that it will be useful,
 21  * but WITHOUT ANY WARRANTY;  without even the implied warranty of
 22  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 23  * the GNU General Public License for more details.
 24  *
 25  * You should have received a copy of the GNU General Public License
 26  * along with this program;  if not, see <http://www.gnu.org/licenses/>.
 27  *
 28  */
 29 
 30 #include <linux/types.h>
 31 #include <linux/socket.h>
 32 #include <linux/string.h>
 33 #include <linux/skbuff.h>
 34 #include <linux/audit.h>
 35 #include <linux/slab.h>
 36 #include <net/sock.h>
 37 #include <net/netlink.h>
 38 #include <net/genetlink.h>
 39 #include <net/netlabel.h>
 40 #include <net/cipso_ipv4.h>
 41 #include <linux/atomic.h>
 42 
 43 #include "netlabel_user.h"
 44 #include "netlabel_cipso_v4.h"
 45 #include "netlabel_mgmt.h"
 46 #include "netlabel_domainhash.h"
 47 
 48 /* Argument struct for cipso_v4_doi_walk() */
 49 struct netlbl_cipsov4_doiwalk_arg {
 50         struct netlink_callback *nl_cb;
 51         struct sk_buff *skb;
 52         u32 seq;
 53 };
 54 
 55 /* Argument struct for netlbl_domhsh_walk() */
 56 struct netlbl_domhsh_walk_arg {
 57         struct netlbl_audit *audit_info;
 58         u32 doi;
 59 };
 60 
 61 /* NetLabel Generic NETLINK CIPSOv4 family */
 62 static struct genl_family netlbl_cipsov4_gnl_family = {
 63         .id = GENL_ID_GENERATE,
 64         .hdrsize = 0,
 65         .name = NETLBL_NLTYPE_CIPSOV4_NAME,
 66         .version = NETLBL_PROTO_VERSION,
 67         .maxattr = NLBL_CIPSOV4_A_MAX,
 68 };
 69 
 70 /* NetLabel Netlink attribute policy */
 71 static const struct nla_policy netlbl_cipsov4_genl_policy[NLBL_CIPSOV4_A_MAX + 1] = {
 72         [NLBL_CIPSOV4_A_DOI] = { .type = NLA_U32 },
 73         [NLBL_CIPSOV4_A_MTYPE] = { .type = NLA_U32 },
 74         [NLBL_CIPSOV4_A_TAG] = { .type = NLA_U8 },
 75         [NLBL_CIPSOV4_A_TAGLST] = { .type = NLA_NESTED },
 76         [NLBL_CIPSOV4_A_MLSLVLLOC] = { .type = NLA_U32 },
 77         [NLBL_CIPSOV4_A_MLSLVLREM] = { .type = NLA_U32 },
 78         [NLBL_CIPSOV4_A_MLSLVL] = { .type = NLA_NESTED },
 79         [NLBL_CIPSOV4_A_MLSLVLLST] = { .type = NLA_NESTED },
 80         [NLBL_CIPSOV4_A_MLSCATLOC] = { .type = NLA_U32 },
 81         [NLBL_CIPSOV4_A_MLSCATREM] = { .type = NLA_U32 },
 82         [NLBL_CIPSOV4_A_MLSCAT] = { .type = NLA_NESTED },
 83         [NLBL_CIPSOV4_A_MLSCATLST] = { .type = NLA_NESTED },
 84 };
 85 
 86 /*
 87  * Helper Functions
 88  */
 89 
 90 /**
 91  * netlbl_cipsov4_add_common - Parse the common sections of a ADD message
 92  * @info: the Generic NETLINK info block
 93  * @doi_def: the CIPSO V4 DOI definition
 94  *
 95  * Description:
 96  * Parse the common sections of a ADD message and fill in the related values
 97  * in @doi_def.  Returns zero on success, negative values on failure.
 98  *
 99  */
100 static int netlbl_cipsov4_add_common(struct genl_info *info,
101                                      struct cipso_v4_doi *doi_def)
102 {
103         struct nlattr *nla;
104         int nla_rem;
105         u32 iter = 0;
106 
107         doi_def->doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
108 
109         if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_TAGLST],
110                                 NLBL_CIPSOV4_A_MAX,
111                                 netlbl_cipsov4_genl_policy) != 0)
112                 return -EINVAL;
113 
114         nla_for_each_nested(nla, info->attrs[NLBL_CIPSOV4_A_TAGLST], nla_rem)
115                 if (nla_type(nla) == NLBL_CIPSOV4_A_TAG) {
116                         if (iter >= CIPSO_V4_TAG_MAXCNT)
117                                 return -EINVAL;
118                         doi_def->tags[iter++] = nla_get_u8(nla);
119                 }
120         while (iter < CIPSO_V4_TAG_MAXCNT)
121                 doi_def->tags[iter++] = CIPSO_V4_TAG_INVALID;
122 
123         return 0;
124 }
125 
126 /*
127  * NetLabel Command Handlers
128  */
129 
130 /**
131  * netlbl_cipsov4_add_std - Adds a CIPSO V4 DOI definition
132  * @info: the Generic NETLINK info block
133  * @audit_info: NetLabel audit information
134  *
135  * Description:
136  * Create a new CIPSO_V4_MAP_TRANS DOI definition based on the given ADD
137  * message and add it to the CIPSO V4 engine.  Return zero on success and
138  * non-zero on error.
139  *
140  */
141 static int netlbl_cipsov4_add_std(struct genl_info *info,
142                                   struct netlbl_audit *audit_info)
143 {
144         int ret_val = -EINVAL;
145         struct cipso_v4_doi *doi_def = NULL;
146         struct nlattr *nla_a;
147         struct nlattr *nla_b;
148         int nla_a_rem;
149         int nla_b_rem;
150         u32 iter;
151 
152         if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
153             !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
154                 return -EINVAL;
155 
156         if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
157                                 NLBL_CIPSOV4_A_MAX,
158                                 netlbl_cipsov4_genl_policy) != 0)
159                 return -EINVAL;
160 
161         doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
162         if (doi_def == NULL)
163                 return -ENOMEM;
164         doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL);
165         if (doi_def->map.std == NULL) {
166                 ret_val = -ENOMEM;
167                 goto add_std_failure;
168         }
169         doi_def->type = CIPSO_V4_MAP_TRANS;
170 
171         ret_val = netlbl_cipsov4_add_common(info, doi_def);
172         if (ret_val != 0)
173                 goto add_std_failure;
174         ret_val = -EINVAL;
175 
176         nla_for_each_nested(nla_a,
177                             info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
178                             nla_a_rem)
179                 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) {
180                         if (nla_validate_nested(nla_a,
181                                             NLBL_CIPSOV4_A_MAX,
182                                             netlbl_cipsov4_genl_policy) != 0)
183                                         goto add_std_failure;
184                         nla_for_each_nested(nla_b, nla_a, nla_b_rem)
185                                 switch (nla_type(nla_b)) {
186                                 case NLBL_CIPSOV4_A_MLSLVLLOC:
187                                         if (nla_get_u32(nla_b) >
188                                             CIPSO_V4_MAX_LOC_LVLS)
189                                                 goto add_std_failure;
190                                         if (nla_get_u32(nla_b) >=
191                                             doi_def->map.std->lvl.local_size)
192                                              doi_def->map.std->lvl.local_size =
193                                                      nla_get_u32(nla_b) + 1;
194                                         break;
195                                 case NLBL_CIPSOV4_A_MLSLVLREM:
196                                         if (nla_get_u32(nla_b) >
197                                             CIPSO_V4_MAX_REM_LVLS)
198                                                 goto add_std_failure;
199                                         if (nla_get_u32(nla_b) >=
200                                             doi_def->map.std->lvl.cipso_size)
201                                              doi_def->map.std->lvl.cipso_size =
202                                                      nla_get_u32(nla_b) + 1;
203                                         break;
204                                 }
205                 }
206         doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size,
207                                               sizeof(u32),
208                                               GFP_KERNEL);
209         if (doi_def->map.std->lvl.local == NULL) {
210                 ret_val = -ENOMEM;
211                 goto add_std_failure;
212         }
213         doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size,
214                                               sizeof(u32),
215                                               GFP_KERNEL);
216         if (doi_def->map.std->lvl.cipso == NULL) {
217                 ret_val = -ENOMEM;
218                 goto add_std_failure;
219         }
220         for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++)
221                 doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL;
222         for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++)
223                 doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL;
224         nla_for_each_nested(nla_a,
225                             info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
226                             nla_a_rem)
227                 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) {
228                         struct nlattr *lvl_loc;
229                         struct nlattr *lvl_rem;
230 
231                         lvl_loc = nla_find_nested(nla_a,
232                                                   NLBL_CIPSOV4_A_MLSLVLLOC);
233                         lvl_rem = nla_find_nested(nla_a,
234                                                   NLBL_CIPSOV4_A_MLSLVLREM);
235                         if (lvl_loc == NULL || lvl_rem == NULL)
236                                 goto add_std_failure;
237                         doi_def->map.std->lvl.local[nla_get_u32(lvl_loc)] =
238                                 nla_get_u32(lvl_rem);
239                         doi_def->map.std->lvl.cipso[nla_get_u32(lvl_rem)] =
240                                 nla_get_u32(lvl_loc);
241                 }
242 
243         if (info->attrs[NLBL_CIPSOV4_A_MLSCATLST]) {
244                 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
245                                         NLBL_CIPSOV4_A_MAX,
246                                         netlbl_cipsov4_genl_policy) != 0)
247                         goto add_std_failure;
248 
249                 nla_for_each_nested(nla_a,
250                                     info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
251                                     nla_a_rem)
252                         if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) {
253                                 if (nla_validate_nested(nla_a,
254                                               NLBL_CIPSOV4_A_MAX,
255                                               netlbl_cipsov4_genl_policy) != 0)
256                                         goto add_std_failure;
257                                 nla_for_each_nested(nla_b, nla_a, nla_b_rem)
258                                         switch (nla_type(nla_b)) {
259                                         case NLBL_CIPSOV4_A_MLSCATLOC:
260                                                 if (nla_get_u32(nla_b) >
261                                                     CIPSO_V4_MAX_LOC_CATS)
262                                                         goto add_std_failure;
263                                                 if (nla_get_u32(nla_b) >=
264                                               doi_def->map.std->cat.local_size)
265                                              doi_def->map.std->cat.local_size =
266                                                      nla_get_u32(nla_b) + 1;
267                                                 break;
268                                         case NLBL_CIPSOV4_A_MLSCATREM:
269                                                 if (nla_get_u32(nla_b) >
270                                                     CIPSO_V4_MAX_REM_CATS)
271                                                         goto add_std_failure;
272                                                 if (nla_get_u32(nla_b) >=
273                                               doi_def->map.std->cat.cipso_size)
274                                              doi_def->map.std->cat.cipso_size =
275                                                      nla_get_u32(nla_b) + 1;
276                                                 break;
277                                         }
278                         }
279                 doi_def->map.std->cat.local = kcalloc(
280                                               doi_def->map.std->cat.local_size,
281                                               sizeof(u32),
282                                               GFP_KERNEL);
283                 if (doi_def->map.std->cat.local == NULL) {
284                         ret_val = -ENOMEM;
285                         goto add_std_failure;
286                 }
287                 doi_def->map.std->cat.cipso = kcalloc(
288                                               doi_def->map.std->cat.cipso_size,
289                                               sizeof(u32),
290                                               GFP_KERNEL);
291                 if (doi_def->map.std->cat.cipso == NULL) {
292                         ret_val = -ENOMEM;
293                         goto add_std_failure;
294                 }
295                 for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++)
296                         doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT;
297                 for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++)
298                         doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT;
299                 nla_for_each_nested(nla_a,
300                                     info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
301                                     nla_a_rem)
302                         if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) {
303                                 struct nlattr *cat_loc;
304                                 struct nlattr *cat_rem;
305 
306                                 cat_loc = nla_find_nested(nla_a,
307                                                      NLBL_CIPSOV4_A_MLSCATLOC);
308                                 cat_rem = nla_find_nested(nla_a,
309                                                      NLBL_CIPSOV4_A_MLSCATREM);
310                                 if (cat_loc == NULL || cat_rem == NULL)
311                                         goto add_std_failure;
312                                 doi_def->map.std->cat.local[
313                                                         nla_get_u32(cat_loc)] =
314                                         nla_get_u32(cat_rem);
315                                 doi_def->map.std->cat.cipso[
316                                                         nla_get_u32(cat_rem)] =
317                                         nla_get_u32(cat_loc);
318                         }
319         }
320 
321         ret_val = cipso_v4_doi_add(doi_def, audit_info);
322         if (ret_val != 0)
323                 goto add_std_failure;
324         return 0;
325 
326 add_std_failure:
327         cipso_v4_doi_free(doi_def);
328         return ret_val;
329 }
330 
331 /**
332  * netlbl_cipsov4_add_pass - Adds a CIPSO V4 DOI definition
333  * @info: the Generic NETLINK info block
334  * @audit_info: NetLabel audit information
335  *
336  * Description:
337  * Create a new CIPSO_V4_MAP_PASS DOI definition based on the given ADD message
338  * and add it to the CIPSO V4 engine.  Return zero on success and non-zero on
339  * error.
340  *
341  */
342 static int netlbl_cipsov4_add_pass(struct genl_info *info,
343                                    struct netlbl_audit *audit_info)
344 {
345         int ret_val;
346         struct cipso_v4_doi *doi_def = NULL;
347 
348         if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
349                 return -EINVAL;
350 
351         doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
352         if (doi_def == NULL)
353                 return -ENOMEM;
354         doi_def->type = CIPSO_V4_MAP_PASS;
355 
356         ret_val = netlbl_cipsov4_add_common(info, doi_def);
357         if (ret_val != 0)
358                 goto add_pass_failure;
359 
360         ret_val = cipso_v4_doi_add(doi_def, audit_info);
361         if (ret_val != 0)
362                 goto add_pass_failure;
363         return 0;
364 
365 add_pass_failure:
366         cipso_v4_doi_free(doi_def);
367         return ret_val;
368 }
369 
370 /**
371  * netlbl_cipsov4_add_local - Adds a CIPSO V4 DOI definition
372  * @info: the Generic NETLINK info block
373  * @audit_info: NetLabel audit information
374  *
375  * Description:
376  * Create a new CIPSO_V4_MAP_LOCAL DOI definition based on the given ADD
377  * message and add it to the CIPSO V4 engine.  Return zero on success and
378  * non-zero on error.
379  *
380  */
381 static int netlbl_cipsov4_add_local(struct genl_info *info,
382                                     struct netlbl_audit *audit_info)
383 {
384         int ret_val;
385         struct cipso_v4_doi *doi_def = NULL;
386 
387         if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
388                 return -EINVAL;
389 
390         doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
391         if (doi_def == NULL)
392                 return -ENOMEM;
393         doi_def->type = CIPSO_V4_MAP_LOCAL;
394 
395         ret_val = netlbl_cipsov4_add_common(info, doi_def);
396         if (ret_val != 0)
397                 goto add_local_failure;
398 
399         ret_val = cipso_v4_doi_add(doi_def, audit_info);
400         if (ret_val != 0)
401                 goto add_local_failure;
402         return 0;
403 
404 add_local_failure:
405         cipso_v4_doi_free(doi_def);
406         return ret_val;
407 }
408 
409 /**
410  * netlbl_cipsov4_add - Handle an ADD message
411  * @skb: the NETLINK buffer
412  * @info: the Generic NETLINK info block
413  *
414  * Description:
415  * Create a new DOI definition based on the given ADD message and add it to the
416  * CIPSO V4 engine.  Returns zero on success, negative values on failure.
417  *
418  */
419 static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
420 
421 {
422         int ret_val = -EINVAL;
423         struct netlbl_audit audit_info;
424 
425         if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
426             !info->attrs[NLBL_CIPSOV4_A_MTYPE])
427                 return -EINVAL;
428 
429         netlbl_netlink_auditinfo(skb, &audit_info);
430         switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) {
431         case CIPSO_V4_MAP_TRANS:
432                 ret_val = netlbl_cipsov4_add_std(info, &audit_info);
433                 break;
434         case CIPSO_V4_MAP_PASS:
435                 ret_val = netlbl_cipsov4_add_pass(info, &audit_info);
436                 break;
437         case CIPSO_V4_MAP_LOCAL:
438                 ret_val = netlbl_cipsov4_add_local(info, &audit_info);
439                 break;
440         }
441         if (ret_val == 0)
442                 atomic_inc(&netlabel_mgmt_protocount);
443 
444         return ret_val;
445 }
446 
447 /**
448  * netlbl_cipsov4_list - Handle a LIST message
449  * @skb: the NETLINK buffer
450  * @info: the Generic NETLINK info block
451  *
452  * Description:
453  * Process a user generated LIST message and respond accordingly.  While the
454  * response message generated by the kernel is straightforward, determining
455  * before hand the size of the buffer to allocate is not (we have to generate
456  * the message to know the size).  In order to keep this function sane what we
457  * do is allocate a buffer of NLMSG_GOODSIZE and try to fit the response in
458  * that size, if we fail then we restart with a larger buffer and try again.
459  * We continue in this manner until we hit a limit of failed attempts then we
460  * give up and just send an error message.  Returns zero on success and
461  * negative values on error.
462  *
463  */
464 static int netlbl_cipsov4_list(struct sk_buff *skb, struct genl_info *info)
465 {
466         int ret_val;
467         struct sk_buff *ans_skb = NULL;
468         u32 nlsze_mult = 1;
469         void *data;
470         u32 doi;
471         struct nlattr *nla_a;
472         struct nlattr *nla_b;
473         struct cipso_v4_doi *doi_def;
474         u32 iter;
475 
476         if (!info->attrs[NLBL_CIPSOV4_A_DOI]) {
477                 ret_val = -EINVAL;
478                 goto list_failure;
479         }
480 
481 list_start:
482         ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE * nlsze_mult, GFP_KERNEL);
483         if (ans_skb == NULL) {
484                 ret_val = -ENOMEM;
485                 goto list_failure;
486         }
487         data = genlmsg_put_reply(ans_skb, info, &netlbl_cipsov4_gnl_family,
488                                  0, NLBL_CIPSOV4_C_LIST);
489         if (data == NULL) {
490                 ret_val = -ENOMEM;
491                 goto list_failure;
492         }
493 
494         doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
495 
496         rcu_read_lock();
497         doi_def = cipso_v4_doi_getdef(doi);
498         if (doi_def == NULL) {
499                 ret_val = -EINVAL;
500                 goto list_failure_lock;
501         }
502 
503         ret_val = nla_put_u32(ans_skb, NLBL_CIPSOV4_A_MTYPE, doi_def->type);
504         if (ret_val != 0)
505                 goto list_failure_lock;
506 
507         nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_TAGLST);
508         if (nla_a == NULL) {
509                 ret_val = -ENOMEM;
510                 goto list_failure_lock;
511         }
512         for (iter = 0;
513              iter < CIPSO_V4_TAG_MAXCNT &&
514                doi_def->tags[iter] != CIPSO_V4_TAG_INVALID;
515              iter++) {
516                 ret_val = nla_put_u8(ans_skb,
517                                      NLBL_CIPSOV4_A_TAG,
518                                      doi_def->tags[iter]);
519                 if (ret_val != 0)
520                         goto list_failure_lock;
521         }
522         nla_nest_end(ans_skb, nla_a);
523 
524         switch (doi_def->type) {
525         case CIPSO_V4_MAP_TRANS:
526                 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVLLST);
527                 if (nla_a == NULL) {
528                         ret_val = -ENOMEM;
529                         goto list_failure_lock;
530                 }
531                 for (iter = 0;
532                      iter < doi_def->map.std->lvl.local_size;
533                      iter++) {
534                         if (doi_def->map.std->lvl.local[iter] ==
535                             CIPSO_V4_INV_LVL)
536                                 continue;
537 
538                         nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVL);
539                         if (nla_b == NULL) {
540                                 ret_val = -ENOMEM;
541                                 goto list_retry;
542                         }
543                         ret_val = nla_put_u32(ans_skb,
544                                               NLBL_CIPSOV4_A_MLSLVLLOC,
545                                               iter);
546                         if (ret_val != 0)
547                                 goto list_retry;
548                         ret_val = nla_put_u32(ans_skb,
549                                             NLBL_CIPSOV4_A_MLSLVLREM,
550                                             doi_def->map.std->lvl.local[iter]);
551                         if (ret_val != 0)
552                                 goto list_retry;
553                         nla_nest_end(ans_skb, nla_b);
554                 }
555                 nla_nest_end(ans_skb, nla_a);
556 
557                 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCATLST);
558                 if (nla_a == NULL) {
559                         ret_val = -ENOMEM;
560                         goto list_retry;
561                 }
562                 for (iter = 0;
563                      iter < doi_def->map.std->cat.local_size;
564                      iter++) {
565                         if (doi_def->map.std->cat.local[iter] ==
566                             CIPSO_V4_INV_CAT)
567                                 continue;
568 
569                         nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCAT);
570                         if (nla_b == NULL) {
571                                 ret_val = -ENOMEM;
572                                 goto list_retry;
573                         }
574                         ret_val = nla_put_u32(ans_skb,
575                                               NLBL_CIPSOV4_A_MLSCATLOC,
576                                               iter);
577                         if (ret_val != 0)
578                                 goto list_retry;
579                         ret_val = nla_put_u32(ans_skb,
580                                             NLBL_CIPSOV4_A_MLSCATREM,
581                                             doi_def->map.std->cat.local[iter]);
582                         if (ret_val != 0)
583                                 goto list_retry;
584                         nla_nest_end(ans_skb, nla_b);
585                 }
586                 nla_nest_end(ans_skb, nla_a);
587 
588                 break;
589         }
590         rcu_read_unlock();
591 
592         genlmsg_end(ans_skb, data);
593         return genlmsg_reply(ans_skb, info);
594 
595 list_retry:
596         /* XXX - this limit is a guesstimate */
597         if (nlsze_mult < 4) {
598                 rcu_read_unlock();
599                 kfree_skb(ans_skb);
600                 nlsze_mult *= 2;
601                 goto list_start;
602         }
603 list_failure_lock:
604         rcu_read_unlock();
605 list_failure:
606         kfree_skb(ans_skb);
607         return ret_val;
608 }
609 
610 /**
611  * netlbl_cipsov4_listall_cb - cipso_v4_doi_walk() callback for LISTALL
612  * @doi_def: the CIPSOv4 DOI definition
613  * @arg: the netlbl_cipsov4_doiwalk_arg structure
614  *
615  * Description:
616  * This function is designed to be used as a callback to the
617  * cipso_v4_doi_walk() function for use in generating a response for a LISTALL
618  * message.  Returns the size of the message on success, negative values on
619  * failure.
620  *
621  */
622 static int netlbl_cipsov4_listall_cb(struct cipso_v4_doi *doi_def, void *arg)
623 {
624         int ret_val = -ENOMEM;
625         struct netlbl_cipsov4_doiwalk_arg *cb_arg = arg;
626         void *data;
627 
628         data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
629                            cb_arg->seq, &netlbl_cipsov4_gnl_family,
630                            NLM_F_MULTI, NLBL_CIPSOV4_C_LISTALL);
631         if (data == NULL)
632                 goto listall_cb_failure;
633 
634         ret_val = nla_put_u32(cb_arg->skb, NLBL_CIPSOV4_A_DOI, doi_def->doi);
635         if (ret_val != 0)
636                 goto listall_cb_failure;
637         ret_val = nla_put_u32(cb_arg->skb,
638                               NLBL_CIPSOV4_A_MTYPE,
639                               doi_def->type);
640         if (ret_val != 0)
641                 goto listall_cb_failure;
642 
643         genlmsg_end(cb_arg->skb, data);
644         return 0;
645 
646 listall_cb_failure:
647         genlmsg_cancel(cb_arg->skb, data);
648         return ret_val;
649 }
650 
651 /**
652  * netlbl_cipsov4_listall - Handle a LISTALL message
653  * @skb: the NETLINK buffer
654  * @cb: the NETLINK callback
655  *
656  * Description:
657  * Process a user generated LISTALL message and respond accordingly.  Returns
658  * zero on success and negative values on error.
659  *
660  */
661 static int netlbl_cipsov4_listall(struct sk_buff *skb,
662                                   struct netlink_callback *cb)
663 {
664         struct netlbl_cipsov4_doiwalk_arg cb_arg;
665         u32 doi_skip = cb->args[0];
666 
667         cb_arg.nl_cb = cb;
668         cb_arg.skb = skb;
669         cb_arg.seq = cb->nlh->nlmsg_seq;
670 
671         cipso_v4_doi_walk(&doi_skip, netlbl_cipsov4_listall_cb, &cb_arg);
672 
673         cb->args[0] = doi_skip;
674         return skb->len;
675 }
676 
677 /**
678  * netlbl_cipsov4_remove_cb - netlbl_cipsov4_remove() callback for REMOVE
679  * @entry: LSM domain mapping entry
680  * @arg: the netlbl_domhsh_walk_arg structure
681  *
682  * Description:
683  * This function is intended for use by netlbl_cipsov4_remove() as the callback
684  * for the netlbl_domhsh_walk() function; it removes LSM domain map entries
685  * which are associated with the CIPSO DOI specified in @arg.  Returns zero on
686  * success, negative values on failure.
687  *
688  */
689 static int netlbl_cipsov4_remove_cb(struct netlbl_dom_map *entry, void *arg)
690 {
691         struct netlbl_domhsh_walk_arg *cb_arg = arg;
692 
693         if (entry->def.type == NETLBL_NLTYPE_CIPSOV4 &&
694             entry->def.cipso->doi == cb_arg->doi)
695                 return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info);
696 
697         return 0;
698 }
699 
700 /**
701  * netlbl_cipsov4_remove - Handle a REMOVE message
702  * @skb: the NETLINK buffer
703  * @info: the Generic NETLINK info block
704  *
705  * Description:
706  * Process a user generated REMOVE message and respond accordingly.  Returns
707  * zero on success, negative values on failure.
708  *
709  */
710 static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
711 {
712         int ret_val = -EINVAL;
713         struct netlbl_domhsh_walk_arg cb_arg;
714         struct netlbl_audit audit_info;
715         u32 skip_bkt = 0;
716         u32 skip_chain = 0;
717 
718         if (!info->attrs[NLBL_CIPSOV4_A_DOI])
719                 return -EINVAL;
720 
721         netlbl_netlink_auditinfo(skb, &audit_info);
722         cb_arg.doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
723         cb_arg.audit_info = &audit_info;
724         ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain,
725                                      netlbl_cipsov4_remove_cb, &cb_arg);
726         if (ret_val == 0 || ret_val == -ENOENT) {
727                 ret_val = cipso_v4_doi_remove(cb_arg.doi, &audit_info);
728                 if (ret_val == 0)
729                         atomic_dec(&netlabel_mgmt_protocount);
730         }
731 
732         return ret_val;
733 }
734 
735 /*
736  * NetLabel Generic NETLINK Command Definitions
737  */
738 
739 static const struct genl_ops netlbl_cipsov4_ops[] = {
740         {
741         .cmd = NLBL_CIPSOV4_C_ADD,
742         .flags = GENL_ADMIN_PERM,
743         .policy = netlbl_cipsov4_genl_policy,
744         .doit = netlbl_cipsov4_add,
745         .dumpit = NULL,
746         },
747         {
748         .cmd = NLBL_CIPSOV4_C_REMOVE,
749         .flags = GENL_ADMIN_PERM,
750         .policy = netlbl_cipsov4_genl_policy,
751         .doit = netlbl_cipsov4_remove,
752         .dumpit = NULL,
753         },
754         {
755         .cmd = NLBL_CIPSOV4_C_LIST,
756         .flags = 0,
757         .policy = netlbl_cipsov4_genl_policy,
758         .doit = netlbl_cipsov4_list,
759         .dumpit = NULL,
760         },
761         {
762         .cmd = NLBL_CIPSOV4_C_LISTALL,
763         .flags = 0,
764         .policy = netlbl_cipsov4_genl_policy,
765         .doit = NULL,
766         .dumpit = netlbl_cipsov4_listall,
767         },
768 };
769 
770 /*
771  * NetLabel Generic NETLINK Protocol Functions
772  */
773 
774 /**
775  * netlbl_cipsov4_genl_init - Register the CIPSOv4 NetLabel component
776  *
777  * Description:
778  * Register the CIPSOv4 packet NetLabel component with the Generic NETLINK
779  * mechanism.  Returns zero on success, negative values on failure.
780  *
781  */
782 int __init netlbl_cipsov4_genl_init(void)
783 {
784         return genl_register_family_with_ops(&netlbl_cipsov4_gnl_family,
785                                              netlbl_cipsov4_ops);
786 }
787 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp