1 files changed, 80 insertions, 19 deletions
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 2e5b2f6f9fa0..b3213c7c5309 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -67,7 +67,11 @@
 * NetLabel NETLINK protocol
 */
-#define NETLBL_PROTO_VERSION            1
+/* NetLabel NETLINK protocol version
+ *  1: initial version
+ *  2: added static labels for unlabeled connections
+ */
+#define NETLBL_PROTO_VERSION            2
 /* NetLabel NETLINK types/families */
 #define NETLBL_NLTYPE_NONE              0
@@ -105,17 +109,49 @@ struct netlbl_dom_map;
 /* Domain mapping operations */
 int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
-/* LSM security attributes */
+/*
+ * LSM security attributes
+ */
+/**
+ * struct netlbl_lsm_cache - NetLabel LSM security attribute cache
+ * @refcount: atomic reference counter
+ * @free: LSM supplied function to free the cache data
+ * @data: LSM supplied cache data
+ *
+ * Description:
+ * This structure is provided for LSMs which wish to make use of the NetLabel
+ * caching mechanism to store LSM specific data/attributes in the NetLabel
+ * cache.  If the LSM has to perform a lot of translation from the NetLabel
+ * security attributes into it's own internal representation then the cache
+ * mechanism can provide a way to eliminate some or all of that translation
+ * overhead on a cache hit.
+ *
+ */
 struct netlbl_lsm_cache {
        atomic_t refcount;
        void (*free) (const void *data);
        void *data;
 };
-/* The catmap bitmap field MUST be a power of two in length and large
+/**
+ * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
+ * @startbit: the value of the lowest order bit in the bitmap
+ * @bitmap: the category bitmap
+ * @next: pointer to the next bitmap "node" or NULL
+ *
+ * Description:
+ * This structure is used to represent category bitmaps.  Due to the large
+ * number of categories supported by most labeling protocols it is not
+ * practical to transfer a full bitmap internally so NetLabel adopts a sparse
+ * bitmap structure modeled after SELinux's ebitmap structure.
+ * The catmap bitmap field MUST be a power of two in length and large
 * enough to hold at least 240 bits.  Special care (i.e. check the code!)
 * should be used when changing these values as the LSM implementation
 * probably has functions which rely on the sizes of these types to speed
- * processing. */
+ * processing.
+ *
+ */
 #define NETLBL_CATMAP_MAPTYPE           u64
 #define NETLBL_CATMAP_MAPCNT            4
 #define NETLBL_CATMAP_MAPSIZE           (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
@@ -127,22 +163,48 @@ struct netlbl_lsm_secattr_catmap {
        NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
        struct netlbl_lsm_secattr_catmap *next;
 };
+/**
+ * struct netlbl_lsm_secattr - NetLabel LSM security attributes
+ * @flags: indicate which attributes are contained in this structure
+ * @type: indicate the NLTYPE of the attributes
+ * @domain: the NetLabel LSM domain
+ * @cache: NetLabel LSM specific cache
+ * @attr.mls: MLS sensitivity label
+ * @attr.mls.cat: MLS category bitmap
+ * @attr.mls.lvl: MLS sensitivity level
+ * @attr.secid: LSM specific secid token
+ *
+ * Description:
+ * This structure is used to pass security attributes between NetLabel and the
+ * LSM modules.  The flags field is used to specify which fields within the
+ * struct are valid and valid values can be created by bitwise OR'ing the
+ * NETLBL_SECATTR_* defines.  The domain field is typically set by the LSM to
+ * specify domain specific configuration settings and is not usually used by
+ * NetLabel itself when returning security attributes to the LSM.
+ *
+ */
 #define NETLBL_SECATTR_NONE             0x00000000
 #define NETLBL_SECATTR_DOMAIN           0x00000001
 #define NETLBL_SECATTR_CACHE            0x00000002
 #define NETLBL_SECATTR_MLS_LVL          0x00000004
 #define NETLBL_SECATTR_MLS_CAT          0x00000008
+#define NETLBL_SECATTR_SECID            0x00000010
 #define NETLBL_SECATTR_CACHEABLE        (NETLBL_SECATTR_MLS_LVL | \
-                                         NETLBL_SECATTR_MLS_CAT)
+                                         NETLBL_SECATTR_MLS_CAT | \
+                                         NETLBL_SECATTR_SECID)
 struct netlbl_lsm_secattr {
        u32 flags;
+        u32 type;
        char *domain;
-        u32 mls_lvl;
-        struct netlbl_lsm_secattr_catmap *mls_cat;
        struct netlbl_lsm_cache *cache;
+        union {
+                struct {
+                        struct netlbl_lsm_secattr_catmap *cat;
+                        u32 lvl;
+                } mls;
+                u32 secid;
+        } attr;
 };
 /*
@@ -231,10 +293,7 @@ static inline void netlbl_secattr_catmap_free(
 */
 static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
 {
-        secattr->flags = 0;
+        memset(secattr, 0, sizeof(*secattr));
-        secattr->domain = NULL;
-        secattr->mls_cat = NULL;
-        secattr->cache = NULL;
 }
 /**
@@ -248,11 +307,11 @@ static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
 */
 static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
 {
-        if (secattr->cache)
-                netlbl_secattr_cache_free(secattr->cache);
        kfree(secattr->domain);
-        if (secattr->mls_cat)
+        if (secattr->flags & NETLBL_SECATTR_CACHE)
-                netlbl_secattr_catmap_free(secattr->mls_cat);
+                netlbl_secattr_cache_free(secattr->cache);
+        if (secattr->flags & NETLBL_SECATTR_MLS_CAT)
+                netlbl_secattr_catmap_free(secattr->attr.mls.cat);
 }
 /**
@@ -300,7 +359,7 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
                                 gfp_t flags);
 /*
- * LSM protocol operations
+ * LSM protocol operations (NetLabel LSM/kernel API)
 */
 int netlbl_enabled(void);
 int netlbl_sock_setattr(struct sock *sk,
@@ -308,6 +367,7 @@ int netlbl_sock_setattr(struct sock *sk,
 int netlbl_sock_getattr(struct sock *sk,
                        struct netlbl_lsm_secattr *secattr);
 int netlbl_skbuff_getattr(const struct sk_buff *skb,
+                          u16 family,
                          struct netlbl_lsm_secattr *secattr);
 void netlbl_skbuff_err(struct sk_buff *skb, int error);
@@ -360,6 +420,7 @@ static inline int netlbl_sock_getattr(struct sock *sk,
        return -ENOSYS;
 }
 static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
+                                        u16 family,
                                        struct netlbl_lsm_secattr *secattr)
 {
        return -ENOSYS;

diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 2e5b2f6f9fa0..b3213c7c5309 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h
@@ -67,7 +67,11 @@
67	* NetLabel NETLINK protocol	67	* NetLabel NETLINK protocol
68	*/	68	*/
69		69
70	#define NETLBL_PROTO_VERSION 1	70	/* NetLabel NETLINK protocol version
		71	* 1: initial version
		72	* 2: added static labels for unlabeled connections
		73	*/
		74	#define NETLBL_PROTO_VERSION 2
71		75
72	/* NetLabel NETLINK types/families */	76	/* NetLabel NETLINK types/families */
73	#define NETLBL_NLTYPE_NONE 0	77	#define NETLBL_NLTYPE_NONE 0
@@ -105,17 +109,49 @@ struct netlbl_dom_map;
105	/* Domain mapping operations */	109	/* Domain mapping operations */
106	int netlbl_domhsh_remove(const char domain, struct netlbl_audit audit_info);	110	int netlbl_domhsh_remove(const char domain, struct netlbl_audit audit_info);
107		111
108	/* LSM security attributes */	112	/*
		113	* LSM security attributes
		114	*/
		115
		116	/**
		117	* struct netlbl_lsm_cache - NetLabel LSM security attribute cache
		118	* @refcount: atomic reference counter
		119	* @free: LSM supplied function to free the cache data
		120	* @data: LSM supplied cache data
		121	*
		122	* Description:
		123	* This structure is provided for LSMs which wish to make use of the NetLabel
		124	* caching mechanism to store LSM specific data/attributes in the NetLabel
		125	* cache. If the LSM has to perform a lot of translation from the NetLabel
		126	* security attributes into it's own internal representation then the cache
		127	* mechanism can provide a way to eliminate some or all of that translation
		128	* overhead on a cache hit.
		129	*
		130	*/
109	struct netlbl_lsm_cache {	131	struct netlbl_lsm_cache {
110	atomic_t refcount;	132	atomic_t refcount;
111	void (free) (const void data);	133	void (free) (const void data);
112	void *data;	134	void *data;
113	};	135	};
114	/* The catmap bitmap field MUST be a power of two in length and large	136
		137	/**
		138	* struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
		139	* @startbit: the value of the lowest order bit in the bitmap
		140	* @bitmap: the category bitmap
		141	* @next: pointer to the next bitmap "node" or NULL
		142	*
		143	* Description:
		144	* This structure is used to represent category bitmaps. Due to the large
		145	* number of categories supported by most labeling protocols it is not
		146	* practical to transfer a full bitmap internally so NetLabel adopts a sparse
		147	* bitmap structure modeled after SELinux's ebitmap structure.
		148	* The catmap bitmap field MUST be a power of two in length and large
115	* enough to hold at least 240 bits. Special care (i.e. check the code!)	149	* enough to hold at least 240 bits. Special care (i.e. check the code!)
116	* should be used when changing these values as the LSM implementation	150	* should be used when changing these values as the LSM implementation
117	* probably has functions which rely on the sizes of these types to speed	151	* probably has functions which rely on the sizes of these types to speed
118	* processing. */	152	* processing.
		153	*
		154	*/
119	#define NETLBL_CATMAP_MAPTYPE u64	155	#define NETLBL_CATMAP_MAPTYPE u64
120	#define NETLBL_CATMAP_MAPCNT 4	156	#define NETLBL_CATMAP_MAPCNT 4
121	#define NETLBL_CATMAP_MAPSIZE (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)	157	#define NETLBL_CATMAP_MAPSIZE (sizeof(NETLBL_CATMAP_MAPTYPE) * 8)
@@ -127,22 +163,48 @@ struct netlbl_lsm_secattr_catmap {
127	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];	163	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
128	struct netlbl_lsm_secattr_catmap *next;	164	struct netlbl_lsm_secattr_catmap *next;
129	};	165	};
		166
		167	/**
		168	* struct netlbl_lsm_secattr - NetLabel LSM security attributes
		169	* @flags: indicate which attributes are contained in this structure
		170	* @type: indicate the NLTYPE of the attributes
		171	* @domain: the NetLabel LSM domain
		172	* @cache: NetLabel LSM specific cache
		173	* @attr.mls: MLS sensitivity label
		174	* @attr.mls.cat: MLS category bitmap
		175	* @attr.mls.lvl: MLS sensitivity level
		176	* @attr.secid: LSM specific secid token
		177	*
		178	* Description:
		179	* This structure is used to pass security attributes between NetLabel and the
		180	* LSM modules. The flags field is used to specify which fields within the
		181	* struct are valid and valid values can be created by bitwise OR'ing the
		182	* NETLBL_SECATTR_* defines. The domain field is typically set by the LSM to
		183	* specify domain specific configuration settings and is not usually used by
		184	* NetLabel itself when returning security attributes to the LSM.
		185	*
		186	*/
130	#define NETLBL_SECATTR_NONE 0x00000000	187	#define NETLBL_SECATTR_NONE 0x00000000
131	#define NETLBL_SECATTR_DOMAIN 0x00000001	188	#define NETLBL_SECATTR_DOMAIN 0x00000001
132	#define NETLBL_SECATTR_CACHE 0x00000002	189	#define NETLBL_SECATTR_CACHE 0x00000002
133	#define NETLBL_SECATTR_MLS_LVL 0x00000004	190	#define NETLBL_SECATTR_MLS_LVL 0x00000004
134	#define NETLBL_SECATTR_MLS_CAT 0x00000008	191	#define NETLBL_SECATTR_MLS_CAT 0x00000008
		192	#define NETLBL_SECATTR_SECID 0x00000010
135	#define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL \| \	193	#define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL \| \
136	NETLBL_SECATTR_MLS_CAT)	194	NETLBL_SECATTR_MLS_CAT \| \
		195	NETLBL_SECATTR_SECID)
137	struct netlbl_lsm_secattr {	196	struct netlbl_lsm_secattr {
138	u32 flags;	197	u32 flags;
139		198	u32 type;
140	char *domain;	199	char *domain;
141
142	u32 mls_lvl;
143	struct netlbl_lsm_secattr_catmap *mls_cat;
144
145	struct netlbl_lsm_cache *cache;	200	struct netlbl_lsm_cache *cache;
		201	union {
		202	struct {
		203	struct netlbl_lsm_secattr_catmap *cat;
		204	u32 lvl;
		205	} mls;
		206	u32 secid;
		207	} attr;
146	};	208	};
147		209
148	/*	210	/*
@@ -231,10 +293,7 @@ static inline void netlbl_secattr_catmap_free(
231	*/	293	*/
232	static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)	294	static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
233	{	295	{
234	secattr->flags = 0;	296	memset(secattr, 0, sizeof(*secattr));
235	secattr->domain = NULL;
236	secattr->mls_cat = NULL;
237	secattr->cache = NULL;
238	}	297	}
239		298
240	/**	299	/**
@@ -248,11 +307,11 @@ static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
248	*/	307	*/
249	static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)	308	static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
250	{	309	{
251	if (secattr->cache)
252	netlbl_secattr_cache_free(secattr->cache);
253	kfree(secattr->domain);	310	kfree(secattr->domain);
254	if (secattr->mls_cat)	311	if (secattr->flags & NETLBL_SECATTR_CACHE)
255	netlbl_secattr_catmap_free(secattr->mls_cat);	312	netlbl_secattr_cache_free(secattr->cache);
		313	if (secattr->flags & NETLBL_SECATTR_MLS_CAT)
		314	netlbl_secattr_catmap_free(secattr->attr.mls.cat);
256	}	315	}
257		316
258	/**	317	/**
@@ -300,7 +359,7 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
300	gfp_t flags);	359	gfp_t flags);
301		360
302	/*	361	/*
303	* LSM protocol operations	362	* LSM protocol operations (NetLabel LSM/kernel API)
304	*/	363	*/
305	int netlbl_enabled(void);	364	int netlbl_enabled(void);
306	int netlbl_sock_setattr(struct sock *sk,	365	int netlbl_sock_setattr(struct sock *sk,
@@ -308,6 +367,7 @@ int netlbl_sock_setattr(struct sock *sk,
308	int netlbl_sock_getattr(struct sock *sk,	367	int netlbl_sock_getattr(struct sock *sk,
309	struct netlbl_lsm_secattr *secattr);	368	struct netlbl_lsm_secattr *secattr);
310	int netlbl_skbuff_getattr(const struct sk_buff *skb,	369	int netlbl_skbuff_getattr(const struct sk_buff *skb,
		370	u16 family,
311	struct netlbl_lsm_secattr *secattr);	371	struct netlbl_lsm_secattr *secattr);
312	void netlbl_skbuff_err(struct sk_buff *skb, int error);	372	void netlbl_skbuff_err(struct sk_buff *skb, int error);
313		373
@@ -360,6 +420,7 @@ static inline int netlbl_sock_getattr(struct sock *sk,
360	return -ENOSYS;	420	return -ENOSYS;
361	}	421	}
362	static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,	422	static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
		423	u16 family,
363	struct netlbl_lsm_secattr *secattr)	424	struct netlbl_lsm_secattr *secattr)
364	{	425	{
365	return -ENOSYS;	426	return -ENOSYS;