aboutsummaryrefslogtreecommitdiffstats
path: root/net/netlabel
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2006-08-03 19:48:59 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:35 -0400
commit96cb8e3313c7a12e026c1ed510522ae6f6023875 (patch)
tree35d796afb2365041bc98fdba8f1734419be6b6c8 /net/netlabel
parentd15c345fe3b8dfda0fa5a1d2143a35fffa746a43 (diff)
[NetLabel]: CIPSOv4 and Unlabeled packet integration
Add CIPSO/IPv4 and unlabeled packet management to the NetLabel subsystem. The CIPSO/IPv4 changes allow the configuration of CIPSO/IPv4 within the overall NetLabel framework. The unlabeled packet changes allows NetLabel to pass unlabeled packets without error. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netlabel')
-rw-r--r--net/netlabel/netlabel_cipso_v4.c542
-rw-r--r--net/netlabel/netlabel_unlabeled.c253
2 files changed, 795 insertions, 0 deletions
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
new file mode 100644
index 000000000000..a4f40adc447b
--- /dev/null
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -0,0 +1,542 @@
1/*
2 * NetLabel CIPSO/IPv4 Support
3 *
4 * This file defines the CIPSO/IPv4 functions for the NetLabel system. The
5 * NetLabel system manages static and dynamic label mappings for network
6 * protocols such as CIPSO and RIPSO.
7 *
8 * Author: Paul Moore <paul.moore@hp.com>
9 *
10 */
11
12/*
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
14 *
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
23 * the GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28 *
29 */
30
31#include <linux/types.h>
32#include <linux/socket.h>
33#include <linux/string.h>
34#include <linux/skbuff.h>
35#include <net/sock.h>
36#include <net/netlink.h>
37#include <net/genetlink.h>
38#include <net/netlabel.h>
39#include <net/cipso_ipv4.h>
40
41#include "netlabel_user.h"
42#include "netlabel_cipso_v4.h"
43
44/* NetLabel Generic NETLINK CIPSOv4 family */
45static struct genl_family netlbl_cipsov4_gnl_family = {
46 .id = GENL_ID_GENERATE,
47 .hdrsize = 0,
48 .name = NETLBL_NLTYPE_CIPSOV4_NAME,
49 .version = NETLBL_PROTO_VERSION,
50 .maxattr = 0,
51};
52
53
54/*
55 * Helper Functions
56 */
57
58/**
59 * netlbl_cipsov4_doi_free - Frees a CIPSO V4 DOI definition
60 * @entry: the entry's RCU field
61 *
62 * Description:
63 * This function is designed to be used as a callback to the call_rcu()
64 * function so that the memory allocated to the DOI definition can be released
65 * safely.
66 *
67 */
68static void netlbl_cipsov4_doi_free(struct rcu_head *entry)
69{
70 struct cipso_v4_doi *ptr;
71
72 ptr = container_of(entry, struct cipso_v4_doi, rcu);
73 switch (ptr->type) {
74 case CIPSO_V4_MAP_STD:
75 kfree(ptr->map.std->lvl.cipso);
76 kfree(ptr->map.std->lvl.local);
77 kfree(ptr->map.std->cat.cipso);
78 kfree(ptr->map.std->cat.local);
79 break;
80 }
81 kfree(ptr);
82}
83
84
85/*
86 * NetLabel Command Handlers
87 */
88
89/**
90 * netlbl_cipsov4_add_std - Adds a CIPSO V4 DOI definition
91 * @doi: the DOI value
92 * @msg: the ADD message data
93 * @msg_size: the size of the ADD message buffer
94 *
95 * Description:
96 * Create a new CIPSO_V4_MAP_STD DOI definition based on the given ADD message
97 * and add it to the CIPSO V4 engine. Return zero on success and non-zero on
98 * error.
99 *
100 */
101static int netlbl_cipsov4_add_std(u32 doi, struct nlattr *msg, size_t msg_size)
102{
103 int ret_val = -EINVAL;
104 int msg_len = msg_size;
105 u32 num_tags;
106 u32 num_lvls;
107 u32 num_cats;
108 struct cipso_v4_doi *doi_def = NULL;
109 u32 iter;
110 u32 tmp_val_a;
111 u32 tmp_val_b;
112
113 if (msg_len < NETLBL_LEN_U32)
114 goto add_std_failure;
115 num_tags = netlbl_getinc_u32(&msg, &msg_len);
116 if (num_tags == 0 || num_tags > CIPSO_V4_TAG_MAXCNT)
117 goto add_std_failure;
118
119 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
120 if (doi_def == NULL) {
121 ret_val = -ENOMEM;
122 goto add_std_failure;
123 }
124 doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL);
125 if (doi_def->map.std == NULL) {
126 ret_val = -ENOMEM;
127 goto add_std_failure;
128 }
129 doi_def->type = CIPSO_V4_MAP_STD;
130
131 for (iter = 0; iter < num_tags; iter++) {
132 if (msg_len < NETLBL_LEN_U8)
133 goto add_std_failure;
134 doi_def->tags[iter] = netlbl_getinc_u8(&msg, &msg_len);
135 switch (doi_def->tags[iter]) {
136 case CIPSO_V4_TAG_RBITMAP:
137 break;
138 default:
139 goto add_std_failure;
140 }
141 }
142 if (iter < CIPSO_V4_TAG_MAXCNT)
143 doi_def->tags[iter] = CIPSO_V4_TAG_INVALID;
144
145 if (msg_len < 6 * NETLBL_LEN_U32)
146 goto add_std_failure;
147
148 num_lvls = netlbl_getinc_u32(&msg, &msg_len);
149 if (num_lvls == 0)
150 goto add_std_failure;
151 doi_def->map.std->lvl.local_size = netlbl_getinc_u32(&msg, &msg_len);
152 if (doi_def->map.std->lvl.local_size > CIPSO_V4_MAX_LOC_LVLS)
153 goto add_std_failure;
154 doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size,
155 sizeof(u32),
156 GFP_KERNEL);
157 if (doi_def->map.std->lvl.local == NULL) {
158 ret_val = -ENOMEM;
159 goto add_std_failure;
160 }
161 doi_def->map.std->lvl.cipso_size = netlbl_getinc_u8(&msg, &msg_len);
162 if (doi_def->map.std->lvl.cipso_size > CIPSO_V4_MAX_REM_LVLS)
163 goto add_std_failure;
164 doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size,
165 sizeof(u32),
166 GFP_KERNEL);
167 if (doi_def->map.std->lvl.cipso == NULL) {
168 ret_val = -ENOMEM;
169 goto add_std_failure;
170 }
171
172 num_cats = netlbl_getinc_u32(&msg, &msg_len);
173 doi_def->map.std->cat.local_size = netlbl_getinc_u32(&msg, &msg_len);
174 if (doi_def->map.std->cat.local_size > CIPSO_V4_MAX_LOC_CATS)
175 goto add_std_failure;
176 doi_def->map.std->cat.local = kcalloc(doi_def->map.std->cat.local_size,
177 sizeof(u32),
178 GFP_KERNEL);
179 if (doi_def->map.std->cat.local == NULL) {
180 ret_val = -ENOMEM;
181 goto add_std_failure;
182 }
183 doi_def->map.std->cat.cipso_size = netlbl_getinc_u16(&msg, &msg_len);
184 if (doi_def->map.std->cat.cipso_size > CIPSO_V4_MAX_REM_CATS)
185 goto add_std_failure;
186 doi_def->map.std->cat.cipso = kcalloc(doi_def->map.std->cat.cipso_size,
187 sizeof(u32),
188 GFP_KERNEL);
189 if (doi_def->map.std->cat.cipso == NULL) {
190 ret_val = -ENOMEM;
191 goto add_std_failure;
192 }
193
194 if (msg_len <
195 num_lvls * (NETLBL_LEN_U32 + NETLBL_LEN_U8) +
196 num_cats * (NETLBL_LEN_U32 + NETLBL_LEN_U16))
197 goto add_std_failure;
198
199 for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++)
200 doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL;
201 for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++)
202 doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL;
203 for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++)
204 doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT;
205 for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++)
206 doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT;
207
208 for (iter = 0; iter < num_lvls; iter++) {
209 tmp_val_a = netlbl_getinc_u32(&msg, &msg_len);
210 tmp_val_b = netlbl_getinc_u8(&msg, &msg_len);
211
212 if (tmp_val_a >= doi_def->map.std->lvl.local_size ||
213 tmp_val_b >= doi_def->map.std->lvl.cipso_size)
214 goto add_std_failure;
215
216 doi_def->map.std->lvl.cipso[tmp_val_b] = tmp_val_a;
217 doi_def->map.std->lvl.local[tmp_val_a] = tmp_val_b;
218 }
219
220 for (iter = 0; iter < num_cats; iter++) {
221 tmp_val_a = netlbl_getinc_u32(&msg, &msg_len);
222 tmp_val_b = netlbl_getinc_u16(&msg, &msg_len);
223
224 if (tmp_val_a >= doi_def->map.std->cat.local_size ||
225 tmp_val_b >= doi_def->map.std->cat.cipso_size)
226 goto add_std_failure;
227
228 doi_def->map.std->cat.cipso[tmp_val_b] = tmp_val_a;
229 doi_def->map.std->cat.local[tmp_val_a] = tmp_val_b;
230 }
231
232 doi_def->doi = doi;
233 ret_val = cipso_v4_doi_add(doi_def);
234 if (ret_val != 0)
235 goto add_std_failure;
236 return 0;
237
238add_std_failure:
239 if (doi_def)
240 netlbl_cipsov4_doi_free(&doi_def->rcu);
241 return ret_val;
242}
243
244/**
245 * netlbl_cipsov4_add_pass - Adds a CIPSO V4 DOI definition
246 * @doi: the DOI value
247 * @msg: the ADD message data
248 * @msg_size: the size of the ADD message buffer
249 *
250 * Description:
251 * Create a new CIPSO_V4_MAP_PASS DOI definition based on the given ADD message
252 * and add it to the CIPSO V4 engine. Return zero on success and non-zero on
253 * error.
254 *
255 */
256static int netlbl_cipsov4_add_pass(u32 doi,
257 struct nlattr *msg,
258 size_t msg_size)
259{
260 int ret_val = -EINVAL;
261 int msg_len = msg_size;
262 u32 num_tags;
263 struct cipso_v4_doi *doi_def = NULL;
264 u32 iter;
265
266 if (msg_len < NETLBL_LEN_U32)
267 goto add_pass_failure;
268 num_tags = netlbl_getinc_u32(&msg, &msg_len);
269 if (num_tags == 0 || num_tags > CIPSO_V4_TAG_MAXCNT)
270 goto add_pass_failure;
271
272 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
273 if (doi_def == NULL) {
274 ret_val = -ENOMEM;
275 goto add_pass_failure;
276 }
277 doi_def->type = CIPSO_V4_MAP_PASS;
278
279 for (iter = 0; iter < num_tags; iter++) {
280 if (msg_len < NETLBL_LEN_U8)
281 goto add_pass_failure;
282 doi_def->tags[iter] = netlbl_getinc_u8(&msg, &msg_len);
283 switch (doi_def->tags[iter]) {
284 case CIPSO_V4_TAG_RBITMAP:
285 break;
286 default:
287 goto add_pass_failure;
288 }
289 }
290 if (iter < CIPSO_V4_TAG_MAXCNT)
291 doi_def->tags[iter] = CIPSO_V4_TAG_INVALID;
292
293 doi_def->doi = doi;
294 ret_val = cipso_v4_doi_add(doi_def);
295 if (ret_val != 0)
296 goto add_pass_failure;
297 return 0;
298
299add_pass_failure:
300 if (doi_def)
301 netlbl_cipsov4_doi_free(&doi_def->rcu);
302 return ret_val;
303}
304
305/**
306 * netlbl_cipsov4_add - Handle an ADD message
307 * @skb: the NETLINK buffer
308 * @info: the Generic NETLINK info block
309 *
310 * Description:
311 * Create a new DOI definition based on the given ADD message and add it to the
312 * CIPSO V4 engine. Returns zero on success, negative values on failure.
313 *
314 */
315static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
316
317{
318 int ret_val = -EINVAL;
319 u32 doi;
320 u32 map_type;
321 int msg_len = netlbl_netlink_payload_len(skb);
322 struct nlattr *msg = netlbl_netlink_payload_data(skb);
323
324 ret_val = netlbl_netlink_cap_check(skb, CAP_NET_ADMIN);
325 if (ret_val != 0)
326 goto add_return;
327
328 if (msg_len < 2 * NETLBL_LEN_U32)
329 goto add_return;
330
331 doi = netlbl_getinc_u32(&msg, &msg_len);
332 map_type = netlbl_getinc_u32(&msg, &msg_len);
333 switch (map_type) {
334 case CIPSO_V4_MAP_STD:
335 ret_val = netlbl_cipsov4_add_std(doi, msg, msg_len);
336 break;
337 case CIPSO_V4_MAP_PASS:
338 ret_val = netlbl_cipsov4_add_pass(doi, msg, msg_len);
339 break;
340 }
341
342add_return:
343 netlbl_netlink_send_ack(info,
344 netlbl_cipsov4_gnl_family.id,
345 NLBL_CIPSOV4_C_ACK,
346 -ret_val);
347 return ret_val;
348}
349
350/**
351 * netlbl_cipsov4_list - Handle a LIST message
352 * @skb: the NETLINK buffer
353 * @info: the Generic NETLINK info block
354 *
355 * Description:
356 * Process a user generated LIST message and respond accordingly. Returns
357 * zero on success and negative values on error.
358 *
359 */
360static int netlbl_cipsov4_list(struct sk_buff *skb, struct genl_info *info)
361{
362 int ret_val = -EINVAL;
363 u32 doi;
364 struct nlattr *msg = netlbl_netlink_payload_data(skb);
365 struct sk_buff *ans_skb;
366
367 if (netlbl_netlink_payload_len(skb) != NETLBL_LEN_U32)
368 goto list_failure;
369
370 doi = nla_get_u32(msg);
371 ans_skb = cipso_v4_doi_dump(doi, NLMSG_SPACE(GENL_HDRLEN));
372 if (ans_skb == NULL) {
373 ret_val = -ENOMEM;
374 goto list_failure;
375 }
376 netlbl_netlink_hdr_push(ans_skb,
377 info->snd_pid,
378 0,
379 netlbl_cipsov4_gnl_family.id,
380 NLBL_CIPSOV4_C_LIST);
381
382 ret_val = netlbl_netlink_snd(ans_skb, info->snd_pid);
383 if (ret_val != 0)
384 goto list_failure;
385
386 return 0;
387
388list_failure:
389 netlbl_netlink_send_ack(info,
390 netlbl_cipsov4_gnl_family.id,
391 NLBL_CIPSOV4_C_ACK,
392 -ret_val);
393 return ret_val;
394}
395
396/**
397 * netlbl_cipsov4_listall - Handle a LISTALL message
398 * @skb: the NETLINK buffer
399 * @info: the Generic NETLINK info block
400 *
401 * Description:
402 * Process a user generated LISTALL message and respond accordingly. Returns
403 * zero on success and negative values on error.
404 *
405 */
406static int netlbl_cipsov4_listall(struct sk_buff *skb, struct genl_info *info)
407{
408 int ret_val = -EINVAL;
409 struct sk_buff *ans_skb;
410
411 ans_skb = cipso_v4_doi_dump_all(NLMSG_SPACE(GENL_HDRLEN));
412 if (ans_skb == NULL) {
413 ret_val = -ENOMEM;
414 goto listall_failure;
415 }
416 netlbl_netlink_hdr_push(ans_skb,
417 info->snd_pid,
418 0,
419 netlbl_cipsov4_gnl_family.id,
420 NLBL_CIPSOV4_C_LISTALL);
421
422 ret_val = netlbl_netlink_snd(ans_skb, info->snd_pid);
423 if (ret_val != 0)
424 goto listall_failure;
425
426 return 0;
427
428listall_failure:
429 netlbl_netlink_send_ack(info,
430 netlbl_cipsov4_gnl_family.id,
431 NLBL_CIPSOV4_C_ACK,
432 -ret_val);
433 return ret_val;
434}
435
436/**
437 * netlbl_cipsov4_remove - Handle a REMOVE message
438 * @skb: the NETLINK buffer
439 * @info: the Generic NETLINK info block
440 *
441 * Description:
442 * Process a user generated REMOVE message and respond accordingly. Returns
443 * zero on success, negative values on failure.
444 *
445 */
446static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
447{
448 int ret_val;
449 u32 doi;
450 struct nlattr *msg = netlbl_netlink_payload_data(skb);
451
452 ret_val = netlbl_netlink_cap_check(skb, CAP_NET_ADMIN);
453 if (ret_val != 0)
454 goto remove_return;
455
456 if (netlbl_netlink_payload_len(skb) != NETLBL_LEN_U32) {
457 ret_val = -EINVAL;
458 goto remove_return;
459 }
460
461 doi = nla_get_u32(msg);
462 ret_val = cipso_v4_doi_remove(doi, netlbl_cipsov4_doi_free);
463
464remove_return:
465 netlbl_netlink_send_ack(info,
466 netlbl_cipsov4_gnl_family.id,
467 NLBL_CIPSOV4_C_ACK,
468 -ret_val);
469 return ret_val;
470}
471
472/*
473 * NetLabel Generic NETLINK Command Definitions
474 */
475
476static struct genl_ops netlbl_cipsov4_genl_c_add = {
477 .cmd = NLBL_CIPSOV4_C_ADD,
478 .flags = 0,
479 .doit = netlbl_cipsov4_add,
480 .dumpit = NULL,
481};
482
483static struct genl_ops netlbl_cipsov4_genl_c_remove = {
484 .cmd = NLBL_CIPSOV4_C_REMOVE,
485 .flags = 0,
486 .doit = netlbl_cipsov4_remove,
487 .dumpit = NULL,
488};
489
490static struct genl_ops netlbl_cipsov4_genl_c_list = {
491 .cmd = NLBL_CIPSOV4_C_LIST,
492 .flags = 0,
493 .doit = netlbl_cipsov4_list,
494 .dumpit = NULL,
495};
496
497static struct genl_ops netlbl_cipsov4_genl_c_listall = {
498 .cmd = NLBL_CIPSOV4_C_LISTALL,
499 .flags = 0,
500 .doit = netlbl_cipsov4_listall,
501 .dumpit = NULL,
502};
503
504/*
505 * NetLabel Generic NETLINK Protocol Functions
506 */
507
508/**
509 * netlbl_cipsov4_genl_init - Register the CIPSOv4 NetLabel component
510 *
511 * Description:
512 * Register the CIPSOv4 packet NetLabel component with the Generic NETLINK
513 * mechanism. Returns zero on success, negative values on failure.
514 *
515 */
516int netlbl_cipsov4_genl_init(void)
517{
518 int ret_val;
519
520 ret_val = genl_register_family(&netlbl_cipsov4_gnl_family);
521 if (ret_val != 0)
522 return ret_val;
523
524 ret_val = genl_register_ops(&netlbl_cipsov4_gnl_family,
525 &netlbl_cipsov4_genl_c_add);
526 if (ret_val != 0)
527 return ret_val;
528 ret_val = genl_register_ops(&netlbl_cipsov4_gnl_family,
529 &netlbl_cipsov4_genl_c_remove);
530 if (ret_val != 0)
531 return ret_val;
532 ret_val = genl_register_ops(&netlbl_cipsov4_gnl_family,
533 &netlbl_cipsov4_genl_c_list);
534 if (ret_val != 0)
535 return ret_val;
536 ret_val = genl_register_ops(&netlbl_cipsov4_gnl_family,
537 &netlbl_cipsov4_genl_c_listall);
538 if (ret_val != 0)
539 return ret_val;
540
541 return 0;
542}
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
new file mode 100644
index 000000000000..785f4960e0d3
--- /dev/null
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -0,0 +1,253 @@
1/*
2 * NetLabel Unlabeled Support
3 *
4 * This file defines functions for dealing with unlabeled packets for the
5 * NetLabel system. The NetLabel system manages static and dynamic label
6 * mappings for network protocols such as CIPSO and RIPSO.
7 *
8 * Author: Paul Moore <paul.moore@hp.com>
9 *
10 */
11
12/*
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
14 *
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
23 * the GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28 *
29 */
30
31#include <linux/types.h>
32#include <linux/rcupdate.h>
33#include <linux/list.h>
34#include <linux/spinlock.h>
35#include <linux/socket.h>
36#include <linux/string.h>
37#include <linux/skbuff.h>
38#include <net/sock.h>
39#include <net/netlink.h>
40#include <net/genetlink.h>
41
42#include <net/netlabel.h>
43#include <asm/bug.h>
44
45#include "netlabel_user.h"
46#include "netlabel_domainhash.h"
47#include "netlabel_unlabeled.h"
48
49/* Accept unlabeled packets flag */
50static atomic_t netlabel_unlabel_accept_flg = ATOMIC_INIT(0);
51
52/* NetLabel Generic NETLINK CIPSOv4 family */
53static struct genl_family netlbl_unlabel_gnl_family = {
54 .id = GENL_ID_GENERATE,
55 .hdrsize = 0,
56 .name = NETLBL_NLTYPE_UNLABELED_NAME,
57 .version = NETLBL_PROTO_VERSION,
58 .maxattr = 0,
59};
60
61
62/*
63 * NetLabel Command Handlers
64 */
65
66/**
67 * netlbl_unlabel_accept - Handle an ACCEPT message
68 * @skb: the NETLINK buffer
69 * @info: the Generic NETLINK info block
70 *
71 * Description:
72 * Process a user generated ACCEPT message and set the accept flag accordingly.
73 * Returns zero on success, negative values on failure.
74 *
75 */
76static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
77{
78 int ret_val;
79 struct nlattr *data = netlbl_netlink_payload_data(skb);
80 u32 value;
81
82 ret_val = netlbl_netlink_cap_check(skb, CAP_NET_ADMIN);
83 if (ret_val != 0)
84 return ret_val;
85
86 if (netlbl_netlink_payload_len(skb) == NETLBL_LEN_U32) {
87 value = nla_get_u32(data);
88 if (value == 1 || value == 0) {
89 atomic_set(&netlabel_unlabel_accept_flg, value);
90 netlbl_netlink_send_ack(info,
91 netlbl_unlabel_gnl_family.id,
92 NLBL_UNLABEL_C_ACK,
93 NETLBL_E_OK);
94 return 0;
95 }
96 }
97
98 netlbl_netlink_send_ack(info,
99 netlbl_unlabel_gnl_family.id,
100 NLBL_UNLABEL_C_ACK,
101 EINVAL);
102 return -EINVAL;
103}
104
105/**
106 * netlbl_unlabel_list - Handle a LIST message
107 * @skb: the NETLINK buffer
108 * @info: the Generic NETLINK info block
109 *
110 * Description:
111 * Process a user generated LIST message and respond with the current status.
112 * Returns zero on success, negative values on failure.
113 *
114 */
115static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
116{
117 int ret_val = -ENOMEM;
118 struct sk_buff *ans_skb;
119
120 ans_skb = netlbl_netlink_alloc_skb(0,
121 GENL_HDRLEN + NETLBL_LEN_U32,
122 GFP_KERNEL);
123 if (ans_skb == NULL)
124 goto list_failure;
125
126 if (netlbl_netlink_hdr_put(ans_skb,
127 info->snd_pid,
128 0,
129 netlbl_unlabel_gnl_family.id,
130 NLBL_UNLABEL_C_LIST) == NULL)
131 goto list_failure;
132
133 ret_val = nla_put_u32(ans_skb,
134 NLA_U32,
135 atomic_read(&netlabel_unlabel_accept_flg));
136 if (ret_val != 0)
137 goto list_failure;
138
139 ret_val = netlbl_netlink_snd(ans_skb, info->snd_pid);
140 if (ret_val != 0)
141 goto list_failure;
142
143 return 0;
144
145list_failure:
146 netlbl_netlink_send_ack(info,
147 netlbl_unlabel_gnl_family.id,
148 NLBL_UNLABEL_C_ACK,
149 -ret_val);
150 return ret_val;
151}
152
153
154/*
155 * NetLabel Generic NETLINK Command Definitions
156 */
157
158static struct genl_ops netlbl_unlabel_genl_c_accept = {
159 .cmd = NLBL_UNLABEL_C_ACCEPT,
160 .flags = 0,
161 .doit = netlbl_unlabel_accept,
162 .dumpit = NULL,
163};
164
165static struct genl_ops netlbl_unlabel_genl_c_list = {
166 .cmd = NLBL_UNLABEL_C_LIST,
167 .flags = 0,
168 .doit = netlbl_unlabel_list,
169 .dumpit = NULL,
170};
171
172
173/*
174 * NetLabel Generic NETLINK Protocol Functions
175 */
176
177/**
178 * netlbl_unlabel_genl_init - Register the Unlabeled NetLabel component
179 *
180 * Description:
181 * Register the unlabeled packet NetLabel component with the Generic NETLINK
182 * mechanism. Returns zero on success, negative values on failure.
183 *
184 */
185int netlbl_unlabel_genl_init(void)
186{
187 int ret_val;
188
189 ret_val = genl_register_family(&netlbl_unlabel_gnl_family);
190 if (ret_val != 0)
191 return ret_val;
192
193 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
194 &netlbl_unlabel_genl_c_accept);
195 if (ret_val != 0)
196 return ret_val;
197
198 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
199 &netlbl_unlabel_genl_c_list);
200 if (ret_val != 0)
201 return ret_val;
202
203 return 0;
204}
205
206/*
207 * NetLabel KAPI Hooks
208 */
209
210/**
211 * netlbl_unlabel_getattr - Get the security attributes for an unlabled packet
212 * @secattr: the security attributes
213 *
214 * Description:
215 * Determine the security attributes, if any, for an unlabled packet and return
216 * them in @secattr. Returns zero on success and negative values on failure.
217 *
218 */
219int netlbl_unlabel_getattr(struct netlbl_lsm_secattr *secattr)
220{
221 if (atomic_read(&netlabel_unlabel_accept_flg) == 1) {
222 memset(secattr, 0, sizeof(*secattr));
223 return 0;
224 }
225
226 return -ENOMSG;
227}
228
229/**
230 * netlbl_unlabel_defconf - Set the default config to allow unlabeled packets
231 *
232 * Description:
233 * Set the default NetLabel configuration to allow incoming unlabeled packets
234 * and to send unlabeled network traffic by default.
235 *
236 */
237int netlbl_unlabel_defconf(void)
238{
239 int ret_val;
240 struct netlbl_dom_map *entry;
241
242 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
243 if (entry == NULL)
244 return -ENOMEM;
245 entry->type = NETLBL_NLTYPE_UNLABELED;
246 ret_val = netlbl_domhsh_add_default(entry);
247 if (ret_val != 0)
248 return ret_val;
249
250 atomic_set(&netlabel_unlabel_accept_flg, 1);
251
252 return 0;
253}
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-27 18:41:27 -0500