NetLabel: introduce a new kernel configuration API for NetLabel

Add a new set of configuration functions to the NetLabel/LSM API so that LSMs can perform their own configuration of the NetLabel subsystem without relying on assistance from userspace. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: James Morris <jmorris@namei.org> Cc: Chris Wright <chrisw@sous-sol.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Paul Moore <paul.moore@hp.com> 2008-02-05 01:29:47 -0500
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> 2008-02-05 12:44:20 -0500
commit: eda61d32e8ad1d9102872f9a0abf3344bf9c5e67 (patch)
tree: d1c11a47c97b3f29d54021cd4aa9c0b8963ed0c8 /net/netlabel
parent: 97829955ad291acec1d8b94e9911b3ceb1118bb1 (diff)
4 files changed, 182 insertions, 1 deletions
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index becf91a952ae..c7ad64d664ad 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -90,7 +90,7 @@ static const struct nla_policy netlbl_cipsov4_genl_policy[NLBL_CIPSOV4_A_MAX + 1
 * safely.
 *
 */
-static void netlbl_cipsov4_doi_free(struct rcu_head *entry)
+void netlbl_cipsov4_doi_free(struct rcu_head *entry)
 {
        struct cipso_v4_doi *ptr;
diff --git a/net/netlabel/netlabel_cipso_v4.h b/net/netlabel/netlabel_cipso_v4.h
index f03cf9b78286..220cb9d06b49 100644
--- a/net/netlabel/netlabel_cipso_v4.h
+++ b/net/netlabel/netlabel_cipso_v4.h
@@ -163,4 +163,7 @@ enum {
 /* NetLabel protocol functions */
 int netlbl_cipsov4_genl_init(void);
+/* Free the memory associated with a CIPSOv4 DOI definition */
+void netlbl_cipsov4_doi_free(struct rcu_head *entry);
 #endif
diff --git a/net/netlabel/netlabel_domainhash.h b/net/netlabel/netlabel_domainhash.h
index 3689956c3436..8220990ceb96 100644
--- a/net/netlabel/netlabel_domainhash.h
+++ b/net/netlabel/netlabel_domainhash.h
@@ -61,6 +61,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
                      struct netlbl_audit *audit_info);
 int netlbl_domhsh_add_default(struct netlbl_dom_map *entry,
                              struct netlbl_audit *audit_info);
+int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
 int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info);
 struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain);
 int netlbl_domhsh_walk(u32 *skip_bkt,
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index c69e3e1f05c3..39793a1a93aa 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -30,6 +30,7 @@
 #include <linux/init.h>
 #include <linux/types.h>
+#include <linux/audit.h>
 #include <net/ip.h>
 #include <net/netlabel.h>
 #include <net/cipso_ipv4.h>
@@ -38,10 +39,186 @@
 #include "netlabel_domainhash.h"
 #include "netlabel_unlabeled.h"
+#include "netlabel_cipso_v4.h"
 #include "netlabel_user.h"
 #include "netlabel_mgmt.h"
 /*
+ * Configuration Functions
+ */
+/**
+ * netlbl_cfg_map_del - Remove a NetLabel/LSM domain mapping
+ * @domain: the domain mapping to remove
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Removes a NetLabel/LSM domain mapping.  A @domain value of NULL causes the
+ * default domain mapping to be removed.  Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info)
+{
+        return netlbl_domhsh_remove(domain, audit_info);
+}
+/**
+ * netlbl_cfg_unlbl_add_map - Add an unlabeled NetLabel/LSM domain mapping
+ * @domain: the domain mapping to add
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Adds a new unlabeled NetLabel/LSM domain mapping.  A @domain value of NULL
+ * causes a new default domain mapping to be added.  Returns zero on success,
+ * negative values on failure.
+ *
+ */
+int netlbl_cfg_unlbl_add_map(const char *domain,
+                             struct netlbl_audit *audit_info)
+{
+        int ret_val = -ENOMEM;
+        struct netlbl_dom_map *entry;
+        entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
+        if (entry == NULL)
+                goto cfg_unlbl_add_map_failure;
+        if (domain != NULL) {
+                entry->domain = kstrdup(domain, GFP_ATOMIC);
+                if (entry->domain == NULL)
+                        goto cfg_unlbl_add_map_failure;
+        }
+        entry->type = NETLBL_NLTYPE_UNLABELED;
+        ret_val = netlbl_domhsh_add(entry, audit_info);
+        if (ret_val != 0)
+                goto cfg_unlbl_add_map_failure;
+        return 0;
+cfg_unlbl_add_map_failure:
+        if (entry != NULL)
+                kfree(entry->domain);
+        kfree(entry);
+        return ret_val;
+}
+/**
+ * netlbl_cfg_cipsov4_add - Add a new CIPSOv4 DOI definition
+ * @doi_def: the DOI definition
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Add a new CIPSOv4 DOI definition to the NetLabel subsystem.  Returns zero on
+ * success, negative values on failure.
+ *
+ */
+int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
+                           struct netlbl_audit *audit_info)
+{
+        int ret_val;
+        const char *type_str;
+        struct audit_buffer *audit_buf;
+        ret_val = cipso_v4_doi_add(doi_def);
+        audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
+                                              audit_info);
+        if (audit_buf != NULL) {
+                switch (doi_def->type) {
+                case CIPSO_V4_MAP_STD:
+                        type_str = "std";
+                        break;
+                case CIPSO_V4_MAP_PASS:
+                        type_str = "pass";
+                        break;
+                default:
+                        type_str = "(unknown)";
+                }
+                audit_log_format(audit_buf,
+                                 " cipso_doi=%u cipso_type=%s res=%u",
+                                 doi_def->doi,
+                                 type_str,
+                                 ret_val == 0 ? 1 : 0);
+                audit_log_end(audit_buf);
+        }
+        return ret_val;
+}
+/**
+ * netlbl_cfg_cipsov4_add_map - Add a new CIPSOv4 DOI definition and mapping
+ * @doi_def: the DOI definition
+ * @domain: the domain mapping to add
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Add a new CIPSOv4 DOI definition and NetLabel/LSM domain mapping for this
+ * new DOI definition to the NetLabel subsystem.  A @domain value of NULL adds
+ * a new default domain mapping.  Returns zero on success, negative values on
+ * failure.
+ *
+ */
+int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
+                               const char *domain,
+                               struct netlbl_audit *audit_info)
+{
+        int ret_val = -ENOMEM;
+        struct netlbl_dom_map *entry;
+        entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
+        if (entry == NULL)
+                goto cfg_cipsov4_add_map_failure;
+        if (domain != NULL) {
+                entry->domain = kstrdup(domain, GFP_ATOMIC);
+                if (entry->domain == NULL)
+                        goto cfg_cipsov4_add_map_failure;
+        }
+        entry->type = NETLBL_NLTYPE_CIPSOV4;
+        entry->type_def.cipsov4 = doi_def;
+        /* Grab a RCU read lock here so nothing happens to the doi_def variable
+         * between adding it to the CIPSOv4 protocol engine and adding a
+         * domain mapping for it. */
+        rcu_read_lock();
+        ret_val = netlbl_cfg_cipsov4_add(doi_def, audit_info);
+        if (ret_val != 0)
+                goto cfg_cipsov4_add_map_failure_unlock;
+        ret_val = netlbl_domhsh_add(entry, audit_info);
+        if (ret_val != 0)
+                goto cfg_cipsov4_add_map_failure_remove_doi;
+        rcu_read_unlock();
+        return 0;
+cfg_cipsov4_add_map_failure_remove_doi:
+        cipso_v4_doi_remove(doi_def->doi, audit_info, netlbl_cipsov4_doi_free);
+cfg_cipsov4_add_map_failure_unlock:
+        rcu_read_unlock();
+cfg_cipsov4_add_map_failure:
+        if (entry != NULL)
+                kfree(entry->domain);
+        kfree(entry);
+        return ret_val;
+}
+/**
+ * netlbl_cfg_cipsov4_del - Removean existing CIPSOv4 DOI definition
+ * @doi: the CIPSO DOI value
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Removes an existing CIPSOv4 DOI definition from the NetLabel subsystem.
+ * Returns zero on success, negative values on failure.
+ *
+ */
+int netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info)
+{
+        return cipso_v4_doi_remove(doi, audit_info, netlbl_cipsov4_doi_free);
+}
+/*
 * Security Attribute Functions
 */
author	Paul Moore <paul.moore@hp.com>	2008-02-05 01:29:47 -0500
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	2008-02-05 12:44:20 -0500
commit	eda61d32e8ad1d9102872f9a0abf3344bf9c5e67 (patch)
tree	d1c11a47c97b3f29d54021cd4aa9c0b8963ed0c8 /net/netlabel
parent	97829955ad291acec1d8b94e9911b3ceb1118bb1 (diff)

diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index becf91a952ae..c7ad64d664ad 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c
@@ -90,7 +90,7 @@ static const struct nla_policy netlbl_cipsov4_genl_policy[NLBL_CIPSOV4_A_MAX + 1
90	* safely.	90	* safely.
91	*	91	*
92	*/	92	*/
93	static void netlbl_cipsov4_doi_free(struct rcu_head *entry)	93	void netlbl_cipsov4_doi_free(struct rcu_head *entry)
94	{	94	{
95	struct cipso_v4_doi *ptr;	95	struct cipso_v4_doi *ptr;
96		96


diff --git a/net/netlabel/netlabel_cipso_v4.h b/net/netlabel/netlabel_cipso_v4.h index f03cf9b78286..220cb9d06b49 100644 --- a/net/netlabel/netlabel_cipso_v4.h +++ b/net/netlabel/netlabel_cipso_v4.h
@@ -163,4 +163,7 @@ enum {
163	/* NetLabel protocol functions */	163	/* NetLabel protocol functions */
164	int netlbl_cipsov4_genl_init(void);	164	int netlbl_cipsov4_genl_init(void);
165		165
		166	/* Free the memory associated with a CIPSOv4 DOI definition */
		167	void netlbl_cipsov4_doi_free(struct rcu_head *entry);
		168
166	#endif	169	#endif


diff --git a/net/netlabel/netlabel_domainhash.h b/net/netlabel/netlabel_domainhash.h index 3689956c3436..8220990ceb96 100644 --- a/net/netlabel/netlabel_domainhash.h +++ b/net/netlabel/netlabel_domainhash.h
@@ -61,6 +61,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
61	struct netlbl_audit *audit_info);	61	struct netlbl_audit *audit_info);
62	int netlbl_domhsh_add_default(struct netlbl_dom_map *entry,	62	int netlbl_domhsh_add_default(struct netlbl_dom_map *entry,
63	struct netlbl_audit *audit_info);	63	struct netlbl_audit *audit_info);
		64	int netlbl_domhsh_remove(const char domain, struct netlbl_audit audit_info);
64	int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info);	65	int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info);
65	struct netlbl_dom_map netlbl_domhsh_getentry(const char domain);	66	struct netlbl_dom_map netlbl_domhsh_getentry(const char domain);
66	int netlbl_domhsh_walk(u32 *skip_bkt,	67	int netlbl_domhsh_walk(u32 *skip_bkt,


diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index c69e3e1f05c3..39793a1a93aa 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c
@@ -30,6 +30,7 @@
30		30
31	#include <linux/init.h>	31	#include <linux/init.h>
32	#include <linux/types.h>	32	#include <linux/types.h>
		33	#include <linux/audit.h>
33	#include <net/ip.h>	34	#include <net/ip.h>
34	#include <net/netlabel.h>	35	#include <net/netlabel.h>
35	#include <net/cipso_ipv4.h>	36	#include <net/cipso_ipv4.h>
@@ -38,10 +39,186 @@
38		39
39	#include "netlabel_domainhash.h"	40	#include "netlabel_domainhash.h"
40	#include "netlabel_unlabeled.h"	41	#include "netlabel_unlabeled.h"
		42	#include "netlabel_cipso_v4.h"
41	#include "netlabel_user.h"	43	#include "netlabel_user.h"
42	#include "netlabel_mgmt.h"	44	#include "netlabel_mgmt.h"
43		45
44	/*	46	/*
		47	* Configuration Functions
		48	*/
		49
		50	/**
		51	* netlbl_cfg_map_del - Remove a NetLabel/LSM domain mapping
		52	* @domain: the domain mapping to remove
		53	* @audit_info: NetLabel audit information
		54	*
		55	* Description:
		56	* Removes a NetLabel/LSM domain mapping. A @domain value of NULL causes the
		57	* default domain mapping to be removed. Returns zero on success, negative
		58	* values on failure.
		59	*
		60	*/
		61	int netlbl_cfg_map_del(const char domain, struct netlbl_audit audit_info)
		62	{
		63	return netlbl_domhsh_remove(domain, audit_info);
		64	}
		65
		66	/**
		67	* netlbl_cfg_unlbl_add_map - Add an unlabeled NetLabel/LSM domain mapping
		68	* @domain: the domain mapping to add
		69	* @audit_info: NetLabel audit information
		70	*
		71	* Description:
		72	* Adds a new unlabeled NetLabel/LSM domain mapping. A @domain value of NULL
		73	* causes a new default domain mapping to be added. Returns zero on success,
		74	* negative values on failure.
		75	*
		76	*/
		77	int netlbl_cfg_unlbl_add_map(const char *domain,
		78	struct netlbl_audit *audit_info)
		79	{
		80	int ret_val = -ENOMEM;
		81	struct netlbl_dom_map *entry;
		82
		83	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
		84	if (entry == NULL)
		85	goto cfg_unlbl_add_map_failure;
		86	if (domain != NULL) {
		87	entry->domain = kstrdup(domain, GFP_ATOMIC);
		88	if (entry->domain == NULL)
		89	goto cfg_unlbl_add_map_failure;
		90	}
		91	entry->type = NETLBL_NLTYPE_UNLABELED;
		92
		93	ret_val = netlbl_domhsh_add(entry, audit_info);
		94	if (ret_val != 0)
		95	goto cfg_unlbl_add_map_failure;
		96
		97	return 0;
		98
		99	cfg_unlbl_add_map_failure:
		100	if (entry != NULL)
		101	kfree(entry->domain);
		102	kfree(entry);
		103	return ret_val;
		104	}
		105
		106	/**
		107	* netlbl_cfg_cipsov4_add - Add a new CIPSOv4 DOI definition
		108	* @doi_def: the DOI definition
		109	* @audit_info: NetLabel audit information
		110	*
		111	* Description:
		112	* Add a new CIPSOv4 DOI definition to the NetLabel subsystem. Returns zero on
		113	* success, negative values on failure.
		114	*
		115	*/
		116	int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
		117	struct netlbl_audit *audit_info)
		118	{
		119	int ret_val;
		120	const char *type_str;
		121	struct audit_buffer *audit_buf;
		122
		123	ret_val = cipso_v4_doi_add(doi_def);
		124
		125	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
		126	audit_info);
		127	if (audit_buf != NULL) {
		128	switch (doi_def->type) {
		129	case CIPSO_V4_MAP_STD:
		130	type_str = "std";
		131	break;
		132	case CIPSO_V4_MAP_PASS:
		133	type_str = "pass";
		134	break;
		135	default:
		136	type_str = "(unknown)";
		137	}
		138	audit_log_format(audit_buf,
		139	" cipso_doi=%u cipso_type=%s res=%u",
		140	doi_def->doi,
		141	type_str,
		142	ret_val == 0 ? 1 : 0);
		143	audit_log_end(audit_buf);
		144	}
		145
		146	return ret_val;
		147	}
		148
		149	/**
		150	* netlbl_cfg_cipsov4_add_map - Add a new CIPSOv4 DOI definition and mapping
		151	* @doi_def: the DOI definition
		152	* @domain: the domain mapping to add
		153	* @audit_info: NetLabel audit information
		154	*
		155	* Description:
		156	* Add a new CIPSOv4 DOI definition and NetLabel/LSM domain mapping for this
		157	* new DOI definition to the NetLabel subsystem. A @domain value of NULL adds
		158	* a new default domain mapping. Returns zero on success, negative values on
		159	* failure.
		160	*
		161	*/
		162	int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
		163	const char *domain,
		164	struct netlbl_audit *audit_info)
		165	{
		166	int ret_val = -ENOMEM;
		167	struct netlbl_dom_map *entry;
		168
		169	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
		170	if (entry == NULL)
		171	goto cfg_cipsov4_add_map_failure;
		172	if (domain != NULL) {
		173	entry->domain = kstrdup(domain, GFP_ATOMIC);
		174	if (entry->domain == NULL)
		175	goto cfg_cipsov4_add_map_failure;
		176	}
		177	entry->type = NETLBL_NLTYPE_CIPSOV4;
		178	entry->type_def.cipsov4 = doi_def;
		179
		180	/* Grab a RCU read lock here so nothing happens to the doi_def variable
		181	* between adding it to the CIPSOv4 protocol engine and adding a
		182	* domain mapping for it. */
		183
		184	rcu_read_lock();
		185	ret_val = netlbl_cfg_cipsov4_add(doi_def, audit_info);
		186	if (ret_val != 0)
		187	goto cfg_cipsov4_add_map_failure_unlock;
		188	ret_val = netlbl_domhsh_add(entry, audit_info);
		189	if (ret_val != 0)
		190	goto cfg_cipsov4_add_map_failure_remove_doi;
		191	rcu_read_unlock();
		192
		193	return 0;
		194
		195	cfg_cipsov4_add_map_failure_remove_doi:
		196	cipso_v4_doi_remove(doi_def->doi, audit_info, netlbl_cipsov4_doi_free);
		197	cfg_cipsov4_add_map_failure_unlock:
		198	rcu_read_unlock();
		199	cfg_cipsov4_add_map_failure:
		200	if (entry != NULL)
		201	kfree(entry->domain);
		202	kfree(entry);
		203	return ret_val;
		204	}
		205
		206	/**
		207	* netlbl_cfg_cipsov4_del - Removean existing CIPSOv4 DOI definition
		208	* @doi: the CIPSO DOI value
		209	* @audit_info: NetLabel audit information
		210	*
		211	* Description:
		212	* Removes an existing CIPSOv4 DOI definition from the NetLabel subsystem.
		213	* Returns zero on success, negative values on failure.
		214	*
		215	*/
		216	int netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info)
		217	{
		218	return cipso_v4_doi_remove(doi, audit_info, netlbl_cipsov4_doi_free);
		219	}
		220
		221	/*
45	* Security Attribute Functions	222	* Security Attribute Functions
46	*/	223	*/
47		224