authorPaul Moore <paul.moore@hp.com>2008-02-05 01:29:47 -0500
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2008-02-05 12:44:20 -0500
commiteda61d32e8ad1d9102872f9a0abf3344bf9c5e67 (patch)
treed1c11a47c97b3f29d54021cd4aa9c0b8963ed0c8 /net/netlabel
parent97829955ad291acec1d8b94e9911b3ceb1118bb1 (diff)
NetLabel: introduce a new kernel configuration API for NetLabel
Add a new set of configuration functions to the NetLabel/LSM API so that LSMs can perform their own configuration of the NetLabel subsystem without relying on assistance from userspace. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: James Morris <jmorris@namei.org> Cc: Chris Wright <chrisw@sous-sol.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'net/netlabel')
-rw-r--r--net/netlabel/netlabel_cipso_v4.c2
-rw-r--r--net/netlabel/netlabel_cipso_v4.h3
-rw-r--r--net/netlabel/netlabel_domainhash.h1
-rw-r--r--net/netlabel/netlabel_kapi.c177
4 files changed, 182 insertions, 1 deletions
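diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index becf91a952a..c7ad64d664a 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -90,7 +90,7 @@ static const struct nla_policy netlbl_cipsov4_genl_policy[NLBL_CIPSOV4_A_MAX + 1
  * safely.
  *
  */
-static void netlbl_cipsov4_doi_free(struct rcu_head *entry)
+void netlbl_cipsov4_doi_free(struct rcu_head *entry)
 {
 	struct cipso_v4_doi *ptr;
 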
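diff --git a/net/netlabel/netlabel_cipso_v4.h b/net/netlabel/netlabel_cipso_v4.h
index f03cf9b7828..220cb9d06b4 100644
--- a/net/netlabel/netlabel_cipso_v4.h
+++ b/net/netlabel/netlabel_cipso_v4.h
@@ -163,4 +163,7 @@ enum {
 /* NetLabel protocol functions */
 int netlbl_cipsov4_genl_init(void);
 
+/* Free the memory associated with a CIPSOv4 DOI definition */
+void netlbl_cipsov4_doi_free(struct rcu_head *entry);
+
 #endif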
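diff --git a/net/netlabel/netlabel_domainhash.h b/net/netlabel/netlabel_domainhash.h
index 3689956c343..8220990ceb9 100644
--- a/net/netlabel/netlabel_domainhash.h
+++ b/net/netlabel/netlabel_domainhash.h
@@ -61,6 +61,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
 		      struct netlbl_audit *audit_info);
 int netlbl_domhsh_add_default(struct netlbl_dom_map *entry,
 			      struct netlbl_audit *audit_info);
+int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
 int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info);
 struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain);
 int netlbl_domhsh_walk(u32 *skip_bkt,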
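diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index c69e3e1f05c..39793a1a93a 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -30,6 +30,7 @@
 
 #include <linux/init.h>
 #include <linux/types.h>
+#include <linux/audit.h>
 #include <net/ip.h>
 #include <net/netlabel.h>
 #include <net/cipso_ipv4.h>
@@ -38,10 +39,186 @@
 
 #include "netlabel_domainhash.h"
 #include "netlabel_unlabeled.h"
+#include "netlabel_cipso_v4.h"
 #include "netlabel_user.h"
 #include "netlabel_mgmt.h"
 
 /*
+ * Configuration Functions
+ */
+
+/**
+ * netlbl_cfg_map_del - Remove a NetLabel/LSM domain mapping
+ * @domain: the domain mapping to remove
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Removes a NetLabel/LSM domain mapping. A @domain value of NULL causes the
+ * default domain mapping to be removed. Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info)
+{
+	return netlbl_domhsh_remove(domain, audit_info);
+}
+
+/**
+ * netlbl_cfg_unlbl_add_map - Add an unlabeled NetLabel/LSM domain mapping
+ * @domain: the domain mapping to add
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Adds a new unlabeled NetLabel/LSM domain mapping. A @domain value of NULL
+ * causes a new default domain mapping to be added. Returns zero on success,
+ * negative values on failure.
+ *
+ */
+int netlbl_cfg_unlbl_add_map(const char *domain,
+			     struct netlbl_audit *audit_info)
+{
+	int ret_val = -ENOMEM;
+	struct netlbl_dom_map *entry;
+
+	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
+	if (entry == NULL)
+		goto cfg_unlbl_add_map_failure;
+	if (domain != NULL) {
+		entry->domain = kstrdup(domain, GFP_ATOMIC);
+		if (entry->domain == NULL)
+			goto cfg_unlbl_add_map_failure;
+	}
+	entry->type = NETLBL_NLTYPE_UNLABELED;
+
+	ret_val = netlbl_domhsh_add(entry, audit_info);
+	if (ret_val != 0)
+		goto cfg_unlbl_add_map_failure;
+
+	return 0;
+
+cfg_unlbl_add_map_failure:
+	if (entry != NULL)
+		kfree(entry->domain);
+	kfree(entry);
+	return ret_val;
+}
+
+/**
+ * netlbl_cfg_cipsov4_add - Add a new CIPSOv4 DOI definition
+ * @doi_def: the DOI definition
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Add a new CIPSOv4 DOI definition to the NetLabel subsystem. Returns zero on
+ * success, negative values on failure.
+ *
+ */
+int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
+			   struct netlbl_audit *audit_info)
+{
+	int ret_val;
+	const char *type_str;
+	struct audit_buffer *audit_buf;
+
+	ret_val = cipso_v4_doi_add(doi_def);
+
+	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
+					      audit_info);
+	if (audit_buf != NULL) {
+		switch (doi_def->type) {
+		case CIPSO_V4_MAP_STD:
+			type_str = "std";
+			break;
+		case CIPSO_V4_MAP_PASS:
+			type_str = "pass";
+			break;
+		default:
+			type_str = "(unknown)";
+		}
+		audit_log_format(audit_buf,
+				 " cipso_doi=%u cipso_type=%s res=%u",
+				 doi_def->doi,
+				 type_str,
+				 ret_val == 0 ? 1 : 0);
+		audit_log_end(audit_buf);
+	}
+
+	return ret_val;
+}
+
+/**
+ * netlbl_cfg_cipsov4_add_map - Add a new CIPSOv4 DOI definition and mapping
+ * @doi_def: the DOI definition
+ * @domain: the domain mapping to add
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Add a new CIPSOv4 DOI definition and NetLabel/LSM domain mapping for this
+ * new DOI definition to the NetLabel subsystem. A @domain value of NULL adds
+ * a new default domain mapping. Returns zero on success, negative values on
+ * failure.
+ *
+ */
+int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
+			       const char *domain,
+			       struct netlbl_audit *audit_info)
+{
+	int ret_val = -ENOMEM;
+	struct netlbl_dom_map *entry;
+
+	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
+	if (entry == NULL)
+		goto cfg_cipsov4_add_map_failure;
+	if (domain != NULL) {
+		entry->domain = kstrdup(domain, GFP_ATOMIC);
+		if (entry->domain == NULL)
+			goto cfg_cipsov4_add_map_failure;
+	}
+	entry->type = NETLBL_NLTYPE_CIPSOV4;
+	entry->type_def.cipsov4 = doi_def;
+
+	/* Grab a RCU read lock here so nothing happens to the doi_def variable
+	 * between adding it to the CIPSOv4 protocol engine and adding a
+	 * domain mapping for it. */
+
+	rcu_read_lock();
+	ret_val = netlbl_cfg_cipsov4_add(doi_def, audit_info);
+	if (ret_val != 0)
+		goto cfg_cipsov4_add_map_failure_unlock;
+	ret_val = netlbl_domhsh_add(entry, audit_info);
+	if (ret_val != 0)
+		goto cfg_cipsov4_add_map_failure_remove_doi;
+	rcu_read_unlock();
+
+	return 0;
+
+cfg_cipsov4_add_map_failure_remove_doi:
+	cipso_v4_doi_remove(doi_def->doi, audit_info, netlbl_cipsov4_doi_free);
+cfg_cipsov4_add_map_failure_unlock:
+	rcu_read_unlock();
+cfg_cipsov4_add_map_failure:
+	if (entry != NULL)
+		kfree(entry->domain);
+	kfree(entry);
+	return ret_val;
+}
+
+/**
+ * netlbl_cfg_cipsov4_del - Removean existing CIPSOv4 DOI definition
+ * @doi: the CIPSO DOI value
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Removes an existing CIPSOv4 DOI definition from the NetLabel subsystem.
+ * Returns zero on success, negative values on failure.
+ *
+ */
+int netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info)
+{
+	return cipso_v4_doi_remove(doi, audit_info, netlbl_cipsov4_doi_free);
+}
+
+/*
  * Security Attribute Functions
  */
 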
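Review bot: netlbl_cfg_cipsov4_add_map gives an LSM caller no safe way to know who owns doi_def after an error: if netlbl_cfg_cipsov4_add fails the definition is still the caller's, but if netlbl_domhsh_add fails the cfg_cipsov4_add_map_failure_remove_doi label hands it to cipso_v4_doi_remove with netlbl_cipsov4_doi_free (declared in this commit as freeing the DOI definition), so a caller that frees doi_def on every non-zero return double-frees on that path while one that never frees it leaks on the other. The kerneldoc of both netlbl_cfg_cipsov4_add and netlbl_cfg_cipsov4_add_map should spell this out, e.g. adding to the Description block ` * On success ownership of @doi_def passes to NetLabel. On failure @doi_def is still owned by the caller, except when the domain mapping itself could not be added, in which case @doi_def has already been handed to the RCU free callback.` — or, better, make the two failure paths agree. The comment above rcu_read_lock() also promises more than the read lock delivers: it only defers an RCU-deferred free of doi_def and, as far as this hunk shows, does not stop a concurrent cipso_v4_doi_remove from unlinking the DOI before netlbl_domhsh_add runs, unless callers are serialized by a lock outside this file; `/* hold off any RCU-deferred free of doi_def until the mapping is in place */` would state only what it guarantees. The netlbl_cfg_cipsov4_del kerneldoc title `Removean existing` should read `Remove an existing`.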