// SPDX-License-Identifier: GPL-2.0-only
/*
 * Network node table
 *
 * SELinux must keep a mapping of network nodes to labels/SIDs. This
 * mapping is maintained as part of the normal policy but a fast cache is
 * needed to reduce the lookup overhead since most of these queries happen on
 * a per-packet basis.
 *
 * Author: Paul Moore <paul@paul-moore.com>
 *
 * This code is heavily based on the "netif" concept originally developed by
 * James Morris <jmorris@redhat.com>
 * (see security/selinux/netif.c for more information)
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2007
 */

#include <linux/types.h>
#include <linux/rcupdate.h>
#include <linux/list.h>
#include <linux/slab.h>
#include <linux/spinlock.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <net/ip.h>
#include <net/ipv6.h>

#include "netnode.h"
#include "objsec.h"

/* Number of buckets.  Must stay a power of two: the hash functions below
 * turn an address into a bucket index with a plain bitmask,
 * (value & (SEL_NETNODE_HASH_SIZE - 1)). */
#define SEL_NETNODE_HASH_SIZE		256
/* Hard cap on the records chained in a single bucket.  sel_netnode_insert()
 * evicts the oldest record once a bucket is full, so the cache can never
 * hold more than SEL_NETNODE_HASH_SIZE * SEL_NETNODE_HASH_BKT_LIMIT entries
 * no matter how many distinct (possibly peer-chosen) addresses show up.
 * This bounds memory and the per-bucket scan length; it does not stop a
 * flood of distinct addresses from evicting useful entries and pushing
 * lookups onto the policy path in sel_netnode_sid_slow(). */
#define SEL_NETNODE_HASH_BKT_LIMIT	16

/* One hash bucket.  @size counts the records currently on @list and is
 * only read or written under sel_netnode_lock; @list is modified under the
 * lock and walked lock-free by RCU readers. */
struct sel_netnode_bkt {
	unsigned int size;
	struct list_head list;
};

/* One cached address -> SID record.  @nsec carries the family, address and
 * SID; @list links the record into its bucket; @rcu is used by kfree_rcu()
 * so that readers still walking the bucket never touch freed memory. */
struct sel_netnode {
	struct netnode_security_struct nsec;

	struct list_head list;
	struct rcu_head rcu;
};

/* NOTE: we are using a combined hash table for both IPv4 and IPv6, the reason
 * for this is that I suspect most users will not make heavy use of both
 * address families at the same time so one table will usually end up wasted,
 * if this becomes a problem we can always add a hash table for each address
 * family later */

/* NOTE(review): sel_netnode_list is not referenced by any function in this
 * file; it looks like a leftover and could probably be dropped. */
static LIST_HEAD(sel_netnode_list);
/* Serialises every writer (insert, flush) and the slow-path lookup; the
 * fast path in sel_netnode_sid() relies on RCU instead. */
static DEFINE_SPINLOCK(sel_netnode_lock);
/* The table.  Static storage is zero-filled, so until sel_netnode_init()
 * runs INIT_LIST_HEAD() on every bucket the list heads are NULL pointers,
 * not empty lists - and sel_netnode_init() deliberately skips that when
 * SELinux is disabled at boot. */
static struct sel_netnode_bkt sel_netnode_hash[SEL_NETNODE_HASH_SIZE];

/**
 * sel_netnode_hashfn_ipv4 - IPv4 hashing function for the node table
 * @addr: IPv4 address
 *
 * Description:
 * This is the IPv4 hashing function for the node interface table, it returns
 * the bucket number for the given IP address.
 *
 */
static unsigned int sel_netnode_hashfn_ipv4(__be32 addr)
{
	/* The address is in network byte order, so masking with
	 * SEL_NETNODE_HASH_SIZE - 1 selects the bucket from the last octet
	 * of the dotted quad on little-endian hosts.  Whether that skews the
	 * distribution has never been measured (original author's note); it
	 * only affects balance, never correctness.  The mapping is trivially
	 * predictable, so a peer that chooses its source addresses can steer
	 * all of them into one bucket - SEL_NETNODE_HASH_BKT_LIMIT keeps that
	 * from growing memory, at the price of evicting cached entries. */
	unsigned int bucket = addr & (SEL_NETNODE_HASH_SIZE - 1);

	return bucket;
}

/**
 * sel_netnode_hashfn_ipv6 - IPv6 hashing function for the node table
 * @addr: IPv6 address
 *
 * Description:
 * Returns the bucket number for @addr.  Only the low 32 bits of the address
 * take part in the hash.
 *
 */
static unsigned int sel_netnode_hashfn_ipv6(const struct in6_addr *addr)
{
	/* Hash just the last 32-bit word: it is the part most likely to
	 * differ between hosts and keeps the per-packet cost minimal.  As
	 * with IPv4 the bucket is fully predictable from the address, so the
	 * bucket limit in sel_netnode_insert() is what bounds the damage a
	 * peer can do by picking colliding addresses. */
	const __be32 low_word = addr->s6_addr32[3];

	return low_word & (SEL_NETNODE_HASH_SIZE - 1);
}

/**
 * sel_netnode_find - Search for a node record
 * @addr: IP address
 * @family: address family
 *
 * Description:
 * Search the network node table and return the record matching @addr. If an
 * entry can not be found in the table return NULL.
 *
 */
static struct sel_netnode *sel_netnode_find(const void *addr, u16 family)
{
	struct sel_netnode *cur;
	unsigned int bucket;

	/* Select the bucket.  Only PF_INET and PF_INET6 records are ever
	 * inserted (sel_netnode_sid_slow() BUG()s on anything else), so an
	 * unknown family here is a caller bug, not an input error. */
	switch (family) {
	case PF_INET:
		bucket = sel_netnode_hashfn_ipv4(*(const __be32 *)addr);
		break;
	case PF_INET6:
		bucket = sel_netnode_hashfn_ipv6(addr);
		break;
	default:
		BUG();
		return NULL;
	}

	/* Callers hold either rcu_read_lock() (sel_netnode_sid) or
	 * sel_netnode_lock with BH disabled (sel_netnode_sid_slow); the
	 * latter is presumably accepted as an RCU read side by the _rcu
	 * iterator's lockdep check - confirm.  IPv4 and IPv6 records share
	 * the bucket list, so both family and address must match. */
	list_for_each_entry_rcu(cur, &sel_netnode_hash[bucket].list, list) {
		if (cur->nsec.family != family)
			continue;
		if (family == PF_INET) {
			if (cur->nsec.addr.ipv4 == *(const __be32 *)addr)
				return cur;
		} else if (ipv6_addr_equal(&cur->nsec.addr.ipv6, addr)) {
			return cur;
		}
	}

	return NULL;
}

/**
 * sel_netnode_insert - Insert a new node into the table
 * @node: the new node record
 *
 * Description:
 * Add @node at the head of its bucket.  The caller must hold
 * sel_netnode_lock.  If the bucket already holds SEL_NETNODE_HASH_BKT_LIMIT
 * records, the oldest one (the list tail) is unlinked and freed with
 * kfree_rcu() so the table can never grow without bound.
 *
 */
static void sel_netnode_insert(struct sel_netnode *node)
{
	struct sel_netnode_bkt *bkt;
	struct sel_netnode *victim;
	unsigned int idx;

	switch (node->nsec.family) {
	case PF_INET:
		idx = sel_netnode_hashfn_ipv4(node->nsec.addr.ipv4);
		break;
	case PF_INET6:
		idx = sel_netnode_hashfn_ipv6(&node->nsec.addr.ipv6);
		break;
	default:
		BUG();
		return;
	}
	bkt = &sel_netnode_hash[idx];

	/* New records go to the head so the most recently used address is
	 * found first and the tail is always the oldest entry. */
	list_add_rcu(&node->list, &bkt->list);

	if (bkt->size != SEL_NETNODE_HASH_BKT_LIMIT) {
		bkt->size++;
		return;
	}

	/* Bucket was already full: drop the oldest record instead of
	 * growing.  rcu_dereference_protected() documents (and, with
	 * lockdep, checks) that sel_netnode_lock is held here; the free is
	 * deferred so lock-free readers on this bucket stay safe. */
	victim = list_entry(rcu_dereference_protected(bkt->list.prev,
				lockdep_is_held(&sel_netnode_lock)),
			    struct sel_netnode, list);
	list_del_rcu(&victim->list);
	kfree_rcu(victim, rcu);
}

/**
 * sel_netnode_sid_slow - Lookup the SID of a network address using the policy
 * @addr: the IP address
 * @family: the address family
 * @sid: node SID
 *
 * Description:
 * Ask the security policy for the SID of @addr and, when that succeeds and
 * memory allows, cache the answer in the node table so later lookups hit the
 * fast path.  Returns zero on success, negative values on failure.
 *
 */
static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
{
	struct sel_netnode *node;
	struct sel_netnode *cached;
	int ret;

	spin_lock_bh(&sel_netnode_lock);

	/* Re-check under the lock: two callers racing on the same address
	 * would otherwise both query the policy and both insert a record. */
	node = sel_netnode_find(addr, family);
	if (node) {
		*sid = node->nsec.sid;
		spin_unlock_bh(&sel_netnode_lock);
		return 0;
	}

	/* GFP_ATOMIC because a spinlock is held with BH disabled.  A failed
	 * allocation is not an error: the policy is still consulted and the
	 * SID returned, the result is simply not cached. */
	cached = kzalloc(sizeof(*cached), GFP_ATOMIC);

	switch (family) {
	case PF_INET:
		ret = security_node_sid(&selinux_state, PF_INET,
					addr, sizeof(struct in_addr), sid);
		break;
	case PF_INET6:
		ret = security_node_sid(&selinux_state, PF_INET6,
					addr, sizeof(struct in6_addr), sid);
		break;
	default:
		BUG();
		ret = -EINVAL;
		break;
	}

	if (ret != 0 || !cached) {
		/* kfree(NULL) is a no-op, so this covers both the policy
		 * failure and the allocation failure. */
		kfree(cached);
	} else {
		/* Only PF_INET/PF_INET6 reach this branch (the default case
		 * above forces ret != 0). */
		if (family == PF_INET)
			cached->nsec.addr.ipv4 = *(__be32 *)addr;
		else
			cached->nsec.addr.ipv6 = *(struct in6_addr *)addr;
		cached->nsec.family = family;
		cached->nsec.sid = *sid;
		sel_netnode_insert(cached);
	}

	spin_unlock_bh(&sel_netnode_lock);

	/* NOTE(review): this warning is not rate limited and sits on a
	 * per-packet path; a persistent policy lookup failure could flood
	 * the log.  pr_warn_ratelimited() would be the safer choice -
	 * confirm against the policy's failure modes before changing. */
	if (unlikely(ret))
		pr_warn("SELinux: failure in %s(), unable to determine network node label\n",
			__func__);
	return ret;
}

/**
 * sel_netnode_sid - Lookup the SID of a network address
 * @addr: the IP address
 * @family: the address family
 * @sid: node SID
 *
 * Description:
 * Resolve the SID for @addr as cheaply as possible: the node table is
 * consulted first under RCU, and only on a miss is the policy queried (and
 * the answer cached) through sel_netnode_sid_slow().  Returns zero on
 * success, negative values on failure.
 *
 */
int sel_netnode_sid(void *addr, u16 family, u32 *sid)
{
	struct sel_netnode *hit;
	bool found = false;

	/* Lock-free fast path.  Records are only ever freed with kfree_rcu()
	 * (see sel_netnode_insert() and sel_netnode_flush()), so reading
	 * nsec.sid inside the RCU read side is safe even if a concurrent
	 * eviction or flush unlinks the record under us. */
	rcu_read_lock();
	hit = sel_netnode_find(addr, family);
	if (hit) {
		*sid = hit->nsec.sid;
		found = true;
	}
	rcu_read_unlock();

	if (found)
		return 0;

	/* Miss: take the lock, query the policy and populate the cache. */
	return sel_netnode_sid_slow(addr, family, sid);
}

/**
 * sel_netnode_flush - Flush the entire network address table
 *
 * Description:
 * Remove every cached record from the node table.  Readers still inside an
 * RCU read side keep seeing valid memory because the records are freed with
 * kfree_rcu().  Callers are expected to invoke this whenever cached SIDs may
 * have gone stale (the call sites are not in this file).
 *
 */
void sel_netnode_flush(void)
{
	struct sel_netnode_bkt *bkt;
	struct sel_netnode *cur, *next;

	spin_lock_bh(&sel_netnode_lock);
	for (bkt = sel_netnode_hash;
	     bkt < sel_netnode_hash + SEL_NETNODE_HASH_SIZE; bkt++) {
		/* The _safe iterator is fine here because we hold the lock;
		 * the _rcu unlink plus deferred free protects readers that
		 * are walking this bucket without it. */
		list_for_each_entry_safe(cur, next, &bkt->list, list) {
			list_del_rcu(&cur->list);
			kfree_rcu(cur, rcu);
		}
		bkt->size = 0;
	}
	spin_unlock_bh(&sel_netnode_lock);
}

/**
 * sel_netnode_init - Initialise the node table at boot
 *
 * Description:
 * Turn every statically allocated bucket into an empty list.  When SELinux
 * is disabled at boot the table is left untouched, i.e. the list heads stay
 * NULL, so nothing in this file may be used in that configuration -
 * presumably the SELinux network hooks are never reached then; confirm.
 * Always returns zero.
 */
static __init int sel_netnode_init(void)
{
	unsigned int i;

	if (!selinux_enabled_boot)
		return 0;

	for (i = 0; i < SEL_NETNODE_HASH_SIZE; i++) {
		INIT_LIST_HEAD(&sel_netnode_hash[i].list);
		sel_netnode_hash[i].size = 0;
	}

	return 0;
}

__initcall(sel_netnode_init);