162306a36Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-or-later 262306a36Sopenharmony_ci/* 362306a36Sopenharmony_ci * NetLabel Unlabeled Support 462306a36Sopenharmony_ci * 562306a36Sopenharmony_ci * This file defines functions for dealing with unlabeled packets for the 662306a36Sopenharmony_ci * NetLabel system. The NetLabel system manages static and dynamic label 762306a36Sopenharmony_ci * mappings for network protocols such as CIPSO and RIPSO. 862306a36Sopenharmony_ci * 962306a36Sopenharmony_ci * Author: Paul Moore <paul@paul-moore.com> 1062306a36Sopenharmony_ci */ 1162306a36Sopenharmony_ci 1262306a36Sopenharmony_ci/* 1362306a36Sopenharmony_ci * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - 2008 1462306a36Sopenharmony_ci */ 1562306a36Sopenharmony_ci 1662306a36Sopenharmony_ci#include <linux/types.h> 1762306a36Sopenharmony_ci#include <linux/rcupdate.h> 1862306a36Sopenharmony_ci#include <linux/list.h> 1962306a36Sopenharmony_ci#include <linux/spinlock.h> 2062306a36Sopenharmony_ci#include <linux/socket.h> 2162306a36Sopenharmony_ci#include <linux/string.h> 2262306a36Sopenharmony_ci#include <linux/skbuff.h> 2362306a36Sopenharmony_ci#include <linux/audit.h> 2462306a36Sopenharmony_ci#include <linux/in.h> 2562306a36Sopenharmony_ci#include <linux/in6.h> 2662306a36Sopenharmony_ci#include <linux/ip.h> 2762306a36Sopenharmony_ci#include <linux/ipv6.h> 2862306a36Sopenharmony_ci#include <linux/notifier.h> 2962306a36Sopenharmony_ci#include <linux/netdevice.h> 3062306a36Sopenharmony_ci#include <linux/security.h> 3162306a36Sopenharmony_ci#include <linux/slab.h> 3262306a36Sopenharmony_ci#include <net/sock.h> 3362306a36Sopenharmony_ci#include <net/netlink.h> 3462306a36Sopenharmony_ci#include <net/genetlink.h> 3562306a36Sopenharmony_ci#include <net/ip.h> 3662306a36Sopenharmony_ci#include <net/ipv6.h> 3762306a36Sopenharmony_ci#include <net/net_namespace.h> 3862306a36Sopenharmony_ci#include <net/netlabel.h> 3962306a36Sopenharmony_ci#include <asm/bug.h> 
4062306a36Sopenharmony_ci#include <linux/atomic.h> 4162306a36Sopenharmony_ci 4262306a36Sopenharmony_ci#include "netlabel_user.h" 4362306a36Sopenharmony_ci#include "netlabel_addrlist.h" 4462306a36Sopenharmony_ci#include "netlabel_domainhash.h" 4562306a36Sopenharmony_ci#include "netlabel_unlabeled.h" 4662306a36Sopenharmony_ci#include "netlabel_mgmt.h" 4762306a36Sopenharmony_ci 4862306a36Sopenharmony_ci/* NOTE: at present we always use init's network namespace since we don't 4962306a36Sopenharmony_ci * presently support different namespaces even though the majority of 5062306a36Sopenharmony_ci * the functions in this file are "namespace safe" */ 5162306a36Sopenharmony_ci 5262306a36Sopenharmony_ci/* The unlabeled connection hash table which we use to map network interfaces 5362306a36Sopenharmony_ci * and addresses of unlabeled packets to a user specified secid value for the 5462306a36Sopenharmony_ci * LSM. The hash table is used to lookup the network interface entry 5562306a36Sopenharmony_ci * (struct netlbl_unlhsh_iface) and then the interface entry is used to 5662306a36Sopenharmony_ci * lookup an IP address match from an ordered list. If a network interface 5762306a36Sopenharmony_ci * match can not be found in the hash table then the default entry 5862306a36Sopenharmony_ci * (netlbl_unlhsh_def) is used. The IP address entry list 5962306a36Sopenharmony_ci * (struct netlbl_unlhsh_addr) is ordered such that the entries with a 6062306a36Sopenharmony_ci * larger netmask come first. 
*/
/* Top-level hash table: @tbl is an array of @size bucket heads.  The bucket
 * for an interface is selected with "ifindex & (size - 1)" (see
 * netlbl_unlhsh_hash()), so @size must be a power of two. */
struct netlbl_unlhsh_tbl {
	struct list_head *tbl;
	u32 size;
};
/* Recover the IPv4 entry from its embedded netlbl_af4list node */
#define netlbl_unlhsh_addr4_entry(iter) \
	container_of(iter, struct netlbl_unlhsh_addr4, list)
/* IPv4 address/mask -> secid mapping hung off an interface entry */
struct netlbl_unlhsh_addr4 {
	u32 secid;			/* LSM secid for unlabeled traffic that matches */

	struct netlbl_af4list list;	/* masked address, mask, valid flag, linkage */
	struct rcu_head rcu;		/* deferred release via kfree_rcu() */
};
/* Recover the IPv6 entry from its embedded netlbl_af6list node */
#define netlbl_unlhsh_addr6_entry(iter) \
	container_of(iter, struct netlbl_unlhsh_addr6, list)
/* IPv6 address/mask -> secid mapping hung off an interface entry */
struct netlbl_unlhsh_addr6 {
	u32 secid;			/* LSM secid for unlabeled traffic that matches */

	struct netlbl_af6list list;	/* masked address, mask, valid flag, linkage */
	struct rcu_head rcu;		/* deferred release via kfree_rcu() */
};
/* Per-interface entry.  An @ifindex > 0 names a real device and the entry is
 * linked into a hash bucket; the single default entry (netlbl_unlhsh_def) is
 * created with ifindex 0 and is never linked into the table itself. */
struct netlbl_unlhsh_iface {
	int ifindex;
	struct list_head addr4_list;	/* netlbl_unlhsh_addr4 entries, longest mask first */
	struct list_head addr6_list;	/* netlbl_unlhsh_addr6 entries, longest mask first */

	u32 valid;			/* cleared before unlinking so RCU readers skip the entry */
	struct list_head list;		/* hash bucket linkage (unused for the default entry) */
	struct rcu_head rcu;		/* deferred release via netlbl_unlhsh_free_iface() */
};

/* Argument struct for netlbl_unlhsh_walk() */
struct netlbl_unlhsh_walk_arg {
	struct netlink_callback *nl_cb;
	struct sk_buff *skb;
	u32 seq;
};

/* Unlabeled connection hash table */
/* updates should be so rare that having one spinlock for the entire
 * hash table should be okay */
static DEFINE_SPINLOCK(netlbl_unlhsh_lock);
/* Dereference an RCU pointer from either an RCU read-side critical section or
 * with netlbl_unlhsh_lock held; lockdep checks one of the two is true. */
#define netlbl_unlhsh_rcu_deref(p) \
	rcu_dereference_check(p, lockdep_is_held(&netlbl_unlhsh_lock))
static struct netlbl_unlhsh_tbl __rcu *netlbl_unlhsh;
static struct netlbl_unlhsh_iface __rcu *netlbl_unlhsh_def;

/* Accept unlabeled packets flag */
static u8 netlabel_unlabel_acceptflg;

/* NetLabel Generic NETLINK unlabeled family */
static struct genl_family netlbl_unlabel_gnl_family;

/* NetLabel Netlink attribute policy.
 * Bounds the user supplied attributes before the handlers see them: address
 * and mask attributes are at most sizeof(struct in_addr)/sizeof(struct
 * in6_addr) bytes and the interface name is a NUL terminated string of at
 * most IFNAMSIZ - 1 characters.  NLBL_UNLABEL_A_SECCTX carries no length
 * limit here, so whoever consumes it must bound it itself. */
static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
	[NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
	[NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY,
				      .len = sizeof(struct in6_addr) },
	[NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY,
				      .len = sizeof(struct in6_addr) },
	[NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY,
				      .len = sizeof(struct in_addr) },
	[NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY,
				      .len = sizeof(struct in_addr) },
	[NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING,
				   .len = IFNAMSIZ - 1 },
	[NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY }
};

/*
 * Unlabeled Connection Hash Table Functions
 */

/**
* netlbl_unlhsh_free_iface - Frees an interface entry from the hash table
 * @entry: the entry's RCU field
 *
 * Description:
 * call_rcu() callback that releases an interface entry once every RCU reader
 * that could still see it has finished.  Any IPv4/IPv6 address entries still
 * linked to the interface entry are unlinked and freed here as well, although
 * the rest of the code only retires an interface entry once its address lists
 * are empty (see netlbl_unlhsh_condremove_iface()).
 *
 */
static void netlbl_unlhsh_free_iface(struct rcu_head *entry)
{
	struct netlbl_unlhsh_iface *iface =
		container_of(entry, struct netlbl_unlhsh_iface, rcu);
	struct netlbl_af4list *cur4, *nxt4;
#if IS_ENABLED(CONFIG_IPV6)
	struct netlbl_af6list *cur6, *nxt6;
#endif /* IPv6 */

	/* the grace period has elapsed and the entry is already unlinked, so
	 * nobody else can reach it: no locking needed for the teardown */
	netlbl_af4list_foreach_safe(cur4, nxt4, &iface->addr4_list) {
		netlbl_af4list_remove_entry(cur4);
		kfree(netlbl_unlhsh_addr4_entry(cur4));
	}
#if IS_ENABLED(CONFIG_IPV6)
	netlbl_af6list_foreach_safe(cur6, nxt6, &iface->addr6_list) {
		netlbl_af6list_remove_entry(cur6);
		kfree(netlbl_unlhsh_addr6_entry(cur6));
	}
#endif /* IPv6 */

	kfree(iface);
}

/**
 * netlbl_unlhsh_hash - Hashing function for the hash table
 * @ifindex: the network interface/device to hash
 *
 * Description:
 * Map @ifindex onto a bucket number of the unlabeled hash table.  The bucket
 * is simply the low bits of @ifindex, which relies on the table size being a
 * power of two (only then is "size - 1" a valid bucket mask).  The caller
 * must hold either the RCU read lock or the hash table lock.
 *
 */
static u32 netlbl_unlhsh_hash(int ifindex)
{
	struct netlbl_unlhsh_tbl *tbl = netlbl_unlhsh_rcu_deref(netlbl_unlhsh);
	u32 bkt_mask = tbl->size - 1;

	return ifindex & bkt_mask;
}

/**
 * netlbl_unlhsh_search_iface - Search for a matching interface entry
 * @ifindex: the network interface
 *
 * Description:
 * Searches the unlabeled connection hash table and returns a pointer to the
 * interface entry which matches @ifindex, otherwise NULL is returned.  The
 * caller is responsible for ensuring that the hash table is protected with
 * either a RCU read lock or the hash table lock.
*
 */
static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex)
{
	struct netlbl_unlhsh_iface *entry;
	struct list_head *bucket =
		&netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->tbl[netlbl_unlhsh_hash(ifindex)];

	list_for_each_entry_rcu(entry, bucket, list,
				lockdep_is_held(&netlbl_unlhsh_lock)) {
		/* an entry being retired has @valid cleared but may still be
		 * visible to RCU readers; never hand it back */
		if (!entry->valid || entry->ifindex != ifindex)
			continue;
		return entry;
	}

	return NULL;
}

/**
 * netlbl_unlhsh_add_addr4 - Add a new IPv4 address entry to the hash table
 * @iface: the associated interface entry
 * @addr: IPv4 address in network byte order
 * @mask: IPv4 address mask in network byte order
 * @secid: LSM secid value for entry
 *
 * Description:
 * Add a new address entry into the unlabeled connection hash table using the
 * interface entry specified by @iface. On success zero is returned, otherwise
 * a negative value is returned.
*
 */
static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
				   const struct in_addr *addr,
				   const struct in_addr *mask,
				   u32 secid)
{
	struct netlbl_unlhsh_addr4 *addr_entry;
	int rc;

	/* GFP_ATOMIC: the caller (netlbl_unlhsh_add()) holds the RCU read lock */
	addr_entry = kzalloc(sizeof(*addr_entry), GFP_ATOMIC);
	if (!addr_entry)
		return -ENOMEM;

	/* store the masked address so that lookups compare prefixes only */
	addr_entry->secid = secid;
	addr_entry->list.valid = 1;
	addr_entry->list.mask = mask->s_addr;
	addr_entry->list.addr = addr->s_addr & mask->s_addr;

	spin_lock(&netlbl_unlhsh_lock);
	rc = netlbl_af4list_add(&addr_entry->list, &iface->addr4_list);
	spin_unlock(&netlbl_unlhsh_lock);
	if (rc)
		kfree(addr_entry);	/* never published, plain kfree() is fine */

	return rc;
}

#if IS_ENABLED(CONFIG_IPV6)
/**
 * netlbl_unlhsh_add_addr6 - Add a new IPv6 address entry to the hash table
 * @iface: the associated interface entry
 * @addr: IPv6 address in network byte order
 * @mask: IPv6 address mask in network byte order
 * @secid: LSM secid value for entry
 *
 * Description:
 * Add a new address entry into the unlabeled connection hash table using the
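* interface entry specified by @iface. On success zero is returned, otherwise
 * a negative value is returned.
 *
 */
static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
				   const struct in6_addr *addr,
				   const struct in6_addr *mask,
				   u32 secid)
{
	int ret_val;
	struct netlbl_unlhsh_addr6 *entry;

	/* GFP_ATOMIC: the caller (netlbl_unlhsh_add()) holds the RCU read lock */
	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
	if (entry == NULL)
		return -ENOMEM;

	/* store the masked address so that lookups compare prefixes only */
	entry->list.addr = *addr;
	entry->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
	entry->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
	entry->list.addr.s6_addr32[2] &= mask->s6_addr32[2];
	entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
	entry->list.mask = *mask;
	entry->list.valid = 1;
	entry->secid = secid;

	spin_lock(&netlbl_unlhsh_lock);
	ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list);
	spin_unlock(&netlbl_unlhsh_lock);

	/* Propagate a list insertion failure exactly like the IPv4 variant.
	 * Returning zero here after freeing the entry would make the caller
	 * bump netlabel_mgmt_protocount and audit "res=1" for a mapping that
	 * was never installed. */
	if (ret_val != 0)
		kfree(entry);
	return ret_val;
}
#endif /* IPv6 */

/**
 * netlbl_unlhsh_add_iface - Adds a new interface entry to the hash table
 * @ifindex: network interface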
*
 * Description:
 * Add a new, empty, interface entry into the unlabeled connection hash table.
 * On success a pointer to the new interface entry is returned, on failure NULL
 * is returned.  Failure covers both allocation failure and an entry for
 * @ifindex (or the default entry) already existing.
 *
 */
static struct netlbl_unlhsh_iface *netlbl_unlhsh_add_iface(int ifindex)
{
	u32 bkt;
	struct netlbl_unlhsh_iface *iface;

	/* GFP_ATOMIC: called from netlbl_unlhsh_add() under rcu_read_lock() */
	iface = kzalloc(sizeof(*iface), GFP_ATOMIC);
	if (iface == NULL)
		return NULL;

	iface->ifindex = ifindex;
	INIT_LIST_HEAD(&iface->addr4_list);
	INIT_LIST_HEAD(&iface->addr6_list);
	iface->valid = 1;

	spin_lock(&netlbl_unlhsh_lock);
	if (ifindex > 0) {
		/* real device: lives in a hash bucket, duplicates refused */
		bkt = netlbl_unlhsh_hash(ifindex);
		if (netlbl_unlhsh_search_iface(ifindex) != NULL)
			goto add_iface_failure;
		list_add_tail_rcu(&iface->list,
				  &netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->tbl[bkt]);
	} else {
		/* ifindex <= 0 selects the single default (catch-all) entry,
		 * which is published through netlbl_unlhsh_def rather than
		 * the table */
		INIT_LIST_HEAD(&iface->list);
		if (netlbl_unlhsh_rcu_deref(netlbl_unlhsh_def) != NULL)
			goto add_iface_failure;
		rcu_assign_pointer(netlbl_unlhsh_def, iface);
	}
	spin_unlock(&netlbl_unlhsh_lock);

	return iface;

add_iface_failure:
	/* the entry was never published, so a plain kfree() is sufficient */
	spin_unlock(&netlbl_unlhsh_lock);
	kfree(iface);
	return NULL;
}

/**
 * netlbl_unlhsh_add - Adds a new entry to the unlabeled connection hash table
 * @net: network namespace
 * @dev_name: interface name
 * @addr: IP address in network byte order
 * @mask: address mask in network byte order
 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
 * @secid: LSM secid value for the entry
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Adds a new entry to the unlabeled connection hash table. Returns zero on
 * success, negative values on failure.
*
 */
int netlbl_unlhsh_add(struct net *net,
		      const char *dev_name,
		      const void *addr,
		      const void *mask,
		      u32 addr_len,
		      u32 secid,
		      struct netlbl_audit *audit_info)
{
	int ret_val;
	int ifindex;
	struct net_device *dev;
	struct netlbl_unlhsh_iface *iface;
	struct audit_buffer *audit_buf = NULL;
	char *secctx = NULL;
	u32 secctx_len;

	/* @addr/@mask are untyped; @addr_len is the only thing that tells us
	 * how many bytes are safe to read through them, so reject anything
	 * that is not exactly an IPv4 or IPv6 address */
	if (addr_len != sizeof(struct in_addr) &&
	    addr_len != sizeof(struct in6_addr))
		return -EINVAL;

	rcu_read_lock();
	if (dev_name != NULL) {
		dev = dev_get_by_name_rcu(net, dev_name);
		if (dev == NULL) {
			ret_val = -ENODEV;
			goto unlhsh_add_return;
		}
		ifindex = dev->ifindex;
		iface = netlbl_unlhsh_search_iface(ifindex);
	} else {
		/* no device name means the default (catch-all) entry */
		ifindex = 0;
		iface = rcu_dereference(netlbl_unlhsh_def);
	}
	if (iface == NULL) {
		iface = netlbl_unlhsh_add_iface(ifindex);
		if (iface == NULL) {
			ret_val = -ENOMEM;
			goto unlhsh_add_return;
		}
	}
	/* the audit record is only started once an interface entry exists;
	 * the -ENODEV/-ENOMEM exits above therefore leave no audit trail */
	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
					      audit_info);
	switch (addr_len) {
	case sizeof(struct in_addr): {
		const struct in_addr *addr4 = addr;
		const struct in_addr *mask4 = mask;

		ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
		if (audit_buf != NULL)
			netlbl_af4list_audit_addr(audit_buf, 1,
						  dev_name,
						  addr4->s_addr,
						  mask4->s_addr);
		break;
	}
#if IS_ENABLED(CONFIG_IPV6)
	case sizeof(struct in6_addr): {
		const struct in6_addr *addr6 = addr;
		const struct in6_addr *mask6 = mask;

		ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
		if (audit_buf != NULL)
			netlbl_af6list_audit_addr(audit_buf, 1,
						  dev_name,
						  addr6, mask6);
		break;
	}
#endif /* IPv6 */
	default:
		/* reached for a 16 byte address when IPv6 is compiled out */
		ret_val = -EINVAL;
	}
	/* NOTE(review): if the address add fails after netlbl_unlhsh_add_iface()
	 * just created the entry, the now empty interface entry is left in
	 * place; nothing on this path calls netlbl_unlhsh_condremove_iface().
	 * Verify whether that is intended. */
	if (ret_val == 0)
		atomic_inc(&netlabel_mgmt_protocount);

unlhsh_add_return:
	rcu_read_unlock();
	if (audit_buf != NULL) {
		/* secctx is only valid when the conversion succeeded; release
		 * it before the record is closed */
		if (security_secid_to_secctx(secid,
					     &secctx,
					     &secctx_len) == 0) {
			audit_log_format(audit_buf, " sec_obj=%s", secctx);
			security_release_secctx(secctx, secctx_len);
		}
		audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
		audit_log_end(audit_buf);
	}
	return ret_val;
}

/**
 * netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry
 * @net: network namespace
 * @iface: interface entry
 * @addr: IP address
 * @mask: IP address mask
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Remove an IP address entry from the unlabeled connection hash table.
 * Returns zero on success, negative values on failure.
*
 */
static int netlbl_unlhsh_remove_addr4(struct net *net,
				      struct netlbl_unlhsh_iface *iface,
				      const struct in_addr *addr,
				      const struct in_addr *mask,
				      struct netlbl_audit *audit_info)
{
	struct netlbl_af4list *list_entry;
	struct netlbl_unlhsh_addr4 *entry;
	struct audit_buffer *audit_buf;
	struct net_device *dev;
	char *secctx;
	u32 secctx_len;

	/* unlink under the table lock; the entry itself is freed below only
	 * after an RCU grace period since readers may still be walking it */
	spin_lock(&netlbl_unlhsh_lock);
	list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
					   &iface->addr4_list);
	spin_unlock(&netlbl_unlhsh_lock);
	if (list_entry != NULL)
		entry = netlbl_unlhsh_addr4_entry(list_entry);
	else
		entry = NULL;

	/* an audit record is emitted for a miss as well (res=0) */
	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
					      audit_info);
	if (audit_buf != NULL) {
		/* the device may be gone by now; dev_put() accepts NULL */
		dev = dev_get_by_index(net, iface->ifindex);
		netlbl_af4list_audit_addr(audit_buf, 1,
					  (dev != NULL ? dev->name : NULL),
					  addr->s_addr, mask->s_addr);
		dev_put(dev);
		if (entry != NULL &&
		    security_secid_to_secctx(entry->secid,
					     &secctx, &secctx_len) == 0) {
			audit_log_format(audit_buf, " sec_obj=%s", secctx);
			security_release_secctx(secctx, secctx_len);
		}
		audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
		audit_log_end(audit_buf);
	}

	if (entry == NULL)
		return -ENOENT;

	kfree_rcu(entry, rcu);
	return 0;
}

#if IS_ENABLED(CONFIG_IPV6)
/**
 * netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry
 * @net: network namespace
 * @iface: interface entry
 * @addr: IP address
 * @mask: IP address mask
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Remove an IP address entry from the unlabeled connection hash table.
 * Returns zero on success, negative values on failure.
*
 */
static int netlbl_unlhsh_remove_addr6(struct net *net,
				      struct netlbl_unlhsh_iface *iface,
				      const struct in6_addr *addr,
				      const struct in6_addr *mask,
				      struct netlbl_audit *audit_info)
{
	struct netlbl_af6list *list_entry;
	struct netlbl_unlhsh_addr6 *entry;
	struct audit_buffer *audit_buf;
	struct net_device *dev;
	char *secctx;
	u32 secctx_len;

	/* unlink under the table lock; the entry itself is freed below only
	 * after an RCU grace period since readers may still be walking it */
	spin_lock(&netlbl_unlhsh_lock);
	list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list);
	spin_unlock(&netlbl_unlhsh_lock);
	if (list_entry != NULL)
		entry = netlbl_unlhsh_addr6_entry(list_entry);
	else
		entry = NULL;

	/* an audit record is emitted for a miss as well (res=0) */
	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
					      audit_info);
	if (audit_buf != NULL) {
		/* the device may be gone by now; dev_put() accepts NULL */
		dev = dev_get_by_index(net, iface->ifindex);
		netlbl_af6list_audit_addr(audit_buf, 1,
					  (dev != NULL ? dev->name : NULL),
					  addr, mask);
		dev_put(dev);
		if (entry != NULL &&
		    security_secid_to_secctx(entry->secid,
					     &secctx, &secctx_len) == 0) {
			audit_log_format(audit_buf, " sec_obj=%s", secctx);
			security_release_secctx(secctx, secctx_len);
		}
		audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
		audit_log_end(audit_buf);
	}

	if (entry == NULL)
		return -ENOENT;

	kfree_rcu(entry, rcu);
	return 0;
}
#endif /* IPv6 */

/**
 * netlbl_unlhsh_condremove_iface - Remove an interface entry
 * @iface: the interface entry
 *
 * Description:
 * Remove an interface entry from the unlabeled connection hash table if it is
 * empty. An interface entry is considered to be empty if there are no
 * address entries assigned to it.
*
 */
static void netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface *iface)
{
	struct netlbl_af4list *iter4;
#if IS_ENABLED(CONFIG_IPV6)
	struct netlbl_af6list *iter6;
#endif /* IPv6 */

	spin_lock(&netlbl_unlhsh_lock);
	/* any surviving address entry means the interface is still in use;
	 * the loops bail out on the first one they find */
	netlbl_af4list_foreach_rcu(iter4, &iface->addr4_list)
		goto unlhsh_condremove_failure;
#if IS_ENABLED(CONFIG_IPV6)
	netlbl_af6list_foreach_rcu(iter6, &iface->addr6_list)
		goto unlhsh_condremove_failure;
#endif /* IPv6 */
	/* clear @valid before unlinking so netlbl_unlhsh_search_iface() stops
	 * returning this entry to RCU readers that still see it */
	iface->valid = 0;
	if (iface->ifindex > 0)
		list_del_rcu(&iface->list);
	else
		RCU_INIT_POINTER(netlbl_unlhsh_def, NULL);
	spin_unlock(&netlbl_unlhsh_lock);

	/* deferred free: readers may still hold a reference until the grace
	 * period ends */
	call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
	return;

unlhsh_condremove_failure:
	spin_unlock(&netlbl_unlhsh_lock);
}

/**
 * netlbl_unlhsh_remove - Remove an entry from the unlabeled hash table
 * @net: network namespace
 * @dev_name: interface name
 * @addr: IP address in network byte order
 * @mask: address mask in network byte order
 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Removes an existing entry from the unlabeled connection hash table.
 * @addr_len selects the address family (4 for IPv4, 16 for IPv6); any other
 * length, or an IPv6 length on a kernel built without CONFIG_IPV6, yields
 * -EINVAL.  With @dev_name NULL the default entry (netlbl_unlhsh_def) is
 * used.  Returns -ENODEV for an unknown interface and -ENOENT when there is
 * no matching interface entry.  After a successful address removal the
 * interface entry is dropped as well if it became empty, and the NetLabel
 * protocol count is decremented.  Returns zero on success, negative values
 * on failure.
 *
 */
int netlbl_unlhsh_remove(struct net *net,
			 const char *dev_name,
			 const void *addr,
			 const void *mask,
			 u32 addr_len,
			 struct netlbl_audit *audit_info)
{
	int ret_val;
	struct net_device *dev;
	struct netlbl_unlhsh_iface *iface;

	/* Only a whole IPv4 or IPv6 address is accepted; decide this before
	 * taking the RCU read lock and dispatching on the length. */
	if (addr_len != sizeof(struct in_addr) &&
	    addr_len != sizeof(struct in6_addr))
		return -EINVAL;

	rcu_read_lock();
	if (dev_name != NULL) {
		/* The _rcu lookup takes no reference on @dev, hence no
		 * dev_put(); the RCU read side keeps it valid for this scope. */
		dev = dev_get_by_name_rcu(net, dev_name);
		if (dev == NULL) {
			ret_val = -ENODEV;
			goto unlhsh_remove_return;
		}
		iface = netlbl_unlhsh_search_iface(dev->ifindex);
	} else
		iface = rcu_dereference(netlbl_unlhsh_def);
	if (iface == NULL) {
		ret_val = -ENOENT;
		goto unlhsh_remove_return;
	}
	switch (addr_len) {
	case sizeof(struct in_addr):
		ret_val = netlbl_unlhsh_remove_addr4(net,
						     iface, addr, mask,
						     audit_info);
		break;
#if IS_ENABLED(CONFIG_IPV6)
	case sizeof(struct in6_addr):
		ret_val = netlbl_unlhsh_remove_addr6(net,
						     iface, addr, mask,
						     audit_info);
		break;
#endif /* IPv6 */
	default:
		/* Only reachable for a 16 byte address when CONFIG_IPV6 is
		 * off; the length check above excluded everything else. */
		ret_val = -EINVAL;
	}
	if (ret_val == 0) {
		/* The interface entry goes away too once it has no addresses
		 * left; then account for the removed mapping. */
		netlbl_unlhsh_condremove_iface(iface);
		atomic_dec(&netlabel_mgmt_protocount);
	}

unlhsh_remove_return:
	rcu_read_unlock();
	return ret_val;
}

/*
 * General Helper Functions
 */

/**
 * netlbl_unlhsh_netdev_handler - Network device notification handler
 * @this: notifier block
 * @event: the event
 * @ptr: the netdevice notifier info (cast to void)
 *
 * Description:
 * Handle network device events, although at present all we care about is a
 * network device going away.  In the case of a device going away we clear any
 * related entries from the unlabeled connection hash table.
 *
 * Only devices in init_net are considered (this file does not support other
 * namespaces, see the note at the top).  Always returns NOTIFY_DONE.
 *
 */
static int netlbl_unlhsh_netdev_handler(struct notifier_block *this,
					unsigned long event, void *ptr)
{
	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
	struct netlbl_unlhsh_iface *iface = NULL;

	if (!net_eq(dev_net(dev), &init_net))
		return NOTIFY_DONE;

	/* XXX - should this be a check for NETDEV_DOWN or _UNREGISTER? */
	if (event == NETDEV_DOWN) {
		spin_lock(&netlbl_unlhsh_lock);
		iface = netlbl_unlhsh_search_iface(dev->ifindex);
		/* Only a live entry is unlinked; an already invalidated one
		 * (e.g. raced with netlbl_unlhsh_condremove_iface()) is left
		 * to whoever invalidated it, so @iface is reset to NULL. */
		if (iface != NULL && iface->valid) {
			iface->valid = 0;
			list_del_rcu(&iface->list);
		} else
			iface = NULL;
		spin_unlock(&netlbl_unlhsh_lock);
	}

	/* Deferred free once RCU readers are done.  The whole interface entry,
	 * including every address -> secid mapping attached to it, disappears
	 * with the device.  NOTE(review): unlike netlbl_unlhsh_remove(), nothing
	 * here adjusts netlabel_mgmt_protocount for those mappings; whether
	 * netlbl_unlhsh_free_iface() does is not visible in this section --
	 * confirm. */
	if (iface != NULL)
		call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);

	return NOTIFY_DONE;
}

/**
 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
 * @value: desired value
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Set the value of the unlabeled accept flag to @value.
 * The change is always applied; it is recorded through an
 * AUDIT_MAC_UNLBL_ALLOW audit record carrying the new and the previous value
 * whenever an audit buffer can be obtained.
 *
 */
static void netlbl_unlabel_acceptflg_set(u8 value,
					 struct netlbl_audit *audit_info)
{
	struct audit_buffer *audit_buf;
	u8 prev_val = netlabel_unlabel_acceptflg;

	/* Plain store of the module level flag; no lock or atomic is used
	 * here (readers of the flag are not in this section). */
	netlabel_unlabel_acceptflg = value;

	/* If no audit buffer is available the new value still stands, it is
	 * simply not logged. */
	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
					      audit_info);
	if (audit_buf == NULL)
		return;
	audit_log_format(audit_buf,
			 " unlbl_accept=%u old=%u", value, prev_val);
	audit_log_end(audit_buf);
}

/**
 * netlbl_unlabel_addrinfo_get - Get the IPv4/6 address information
 * @info: the Generic NETLINK info block
 * @addr: the IP address
 * @mask: the IP address mask
 * @len: the address length
 *
 * Description:
 * Examine the Generic NETLINK message and extract the IP address information.
 * Returns zero on success, negative values on failure.
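 * Both the address and the mask attribute of one family must be present and
 * each must be exactly sizeof(struct in_addr) (IPv4) or sizeof(struct
 * in6_addr) (IPv6) long; @len is set to that size and @addr/@mask point at
 * the attribute payloads.  IPv4 is preferred when both families are
 * present (callers reject that combination beforehand).  Returns -EINVAL
 * when neither family is complete or a length is wrong.
 *
 */
static int netlbl_unlabel_addrinfo_get(struct genl_info *info,
				       void **addr,
				       void **mask,
				       u32 *len)
{
	struct nlattr *addr_attr;
	struct nlattr *mask_attr;
	u32 want_len;

	if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
	    info->attrs[NLBL_UNLABEL_A_IPV4MASK]) {
		addr_attr = info->attrs[NLBL_UNLABEL_A_IPV4ADDR];
		mask_attr = info->attrs[NLBL_UNLABEL_A_IPV4MASK];
		want_len = sizeof(struct in_addr);
	} else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR] &&
		   info->attrs[NLBL_UNLABEL_A_IPV6MASK]) {
		/* The mask presence is checked here as well so this helper
		 * never calls nla_len() on a NULL attribute, independent of
		 * what the callers validated. */
		addr_attr = info->attrs[NLBL_UNLABEL_A_IPV6ADDR];
		mask_attr = info->attrs[NLBL_UNLABEL_A_IPV6MASK];
		want_len = sizeof(struct in6_addr);
	} else
		return -EINVAL;

	/* Require both payloads to be a full address of the family.  The
	 * earlier `addr_len != sizeof(...) && addr_len != mask_len` test let
	 * a correctly sized address through with a shorter mask (only the
	 * address length was reported in @len), and the add/remove paths
	 * consume @mask as a whole in_addr/in6_addr. */
	if (nla_len(addr_attr) != want_len || nla_len(mask_attr) != want_len)
		return -EINVAL;

	*len = want_len;
	*addr = nla_data(addr_attr);
	*mask = nla_data(mask_attr);
	return 0;
}

/*
 * NetLabel Command Handlers
 */

/**
 *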
netlbl_unlabel_accept - Handle an ACCEPT message
 * @skb: the NETLINK buffer
 * @info: the Generic NETLINK info block
 *
 * Description:
 * Process a user generated ACCEPT message and set the accept flag accordingly.
 * Only the values 0 and 1 are accepted; any other byte, or a missing
 * NLBL_UNLABEL_A_ACPTFLG attribute, is rejected with -EINVAL and the flag
 * is left untouched.  Returns zero on success, negative values on failure.
 *
 */
static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
{
	struct nlattr *flg_attr = info->attrs[NLBL_UNLABEL_A_ACPTFLG];
	struct netlbl_audit audit_info;
	u8 value;

	if (flg_attr == NULL)
		return -EINVAL;

	/* The flag is boolean: reject every value other than 0 or 1. */
	value = nla_get_u8(flg_attr);
	if (value > 1)
		return -EINVAL;

	netlbl_netlink_auditinfo(&audit_info);
	netlbl_unlabel_acceptflg_set(value, &audit_info);
	return 0;
}

/**
 * netlbl_unlabel_list - Handle a LIST message
 * @skb: the NETLINK buffer
 * @info: the Generic NETLINK info block
 *
 * Description:
 * Process a user generated LIST message and respond with the current status.
 * Returns zero on success, negative values on failure.
 * The reply carries a single NLBL_UNLABEL_A_ACPTFLG attribute holding the
 * current accept flag.  Note that a failed reply skb allocation is reported
 * as -EINVAL, while a failed genetlink header put is -ENOMEM.
 *
 */
static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
{
	struct sk_buff *ans_skb;
	void *hdr;
	int rc;

	ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (ans_skb == NULL)
		return -EINVAL;

	hdr = genlmsg_put_reply(ans_skb, info, &netlbl_unlabel_gnl_family,
				0, NLBL_UNLABEL_C_LIST);
	if (hdr == NULL) {
		rc = -ENOMEM;
		goto list_failure;
	}

	rc = nla_put_u8(ans_skb, NLBL_UNLABEL_A_ACPTFLG,
			netlabel_unlabel_acceptflg);
	if (rc != 0)
		goto list_failure;

	/* Ownership of @ans_skb passes to genlmsg_reply() on this path. */
	genlmsg_end(ans_skb, hdr);
	return genlmsg_reply(ans_skb, info);

list_failure:
	kfree_skb(ans_skb);
	return rc;
}

/**
 * netlbl_unlabel_staticadd - Handle a STATICADD message
 * @skb: the NETLINK buffer
 * @info: the Generic NETLINK info block
 *
 * Description:
 * Process a user generated STATICADD message and add a new unlabeled
 * connection entry to the hash table.
Returns zero on success, negative
 * values on failure.
 *
 * The message must carry NLBL_UNLABEL_A_SECCTX, NLBL_UNLABEL_A_IFACE and a
 * complete address/mask pair of exactly one family; the security context is
 * translated to a secid with its explicit attribute length before the entry
 * is added to init_net.
 *
 */
static int netlbl_unlabel_staticadd(struct sk_buff *skb,
				    struct genl_info *info)
{
	struct nlattr **attrs = info->attrs;
	struct netlbl_audit audit_info;
	char *dev_name;
	void *addr;
	void *mask;
	u32 addr_len;
	u32 secid;
	int rc;
	/* Exactly one address family may be given per entry.  Users who need
	 * both IPv4 and IPv6 for one label create two entries with the same
	 * LSM security context, which achieves the same result. */
	bool no_v4 = !attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
		     !attrs[NLBL_UNLABEL_A_IPV4MASK];
	bool no_v6 = !attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
		     !attrs[NLBL_UNLABEL_A_IPV6MASK];

	if (!attrs[NLBL_UNLABEL_A_SECCTX] || !attrs[NLBL_UNLABEL_A_IFACE] ||
	    no_v4 == no_v6)
		return -EINVAL;

	netlbl_netlink_auditinfo(&audit_info);

	rc = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
	if (rc != 0)
		return rc;

	/* Consumed as a C string by the interface lookup; NUL termination
	 * relies on the netlink policy for NLBL_UNLABEL_A_IFACE, which is
	 * outside this section -- confirm. */
	dev_name = nla_data(attrs[NLBL_UNLABEL_A_IFACE]);

	rc = security_secctx_to_secid(nla_data(attrs[NLBL_UNLABEL_A_SECCTX]),
				      nla_len(attrs[NLBL_UNLABEL_A_SECCTX]),
				      &secid);
	if (rc != 0)
		return rc;

	return netlbl_unlhsh_add(&init_net,
				 dev_name, addr, mask, addr_len, secid,
				 &audit_info);
}

/**
 * netlbl_unlabel_staticadddef - Handle a STATICADDDEF message
 * @skb: the NETLINK buffer
 * @info: the Generic NETLINK info block
 *
 * Description:
 * Process a user generated STATICADDDEF message and add a new default
 * unlabeled connection entry.  Same as netlbl_unlabel_staticadd() except
 * that no interface attribute is required and the entry is attached to the
 * default interface (NULL device name).  Returns zero on success, negative
 * values on failure.
 *
 */
static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
				       struct genl_info *info)
{
	struct nlattr **attrs = info->attrs;
	struct netlbl_audit audit_info;
	void *addr;
	void *mask;
	u32 addr_len;
	u32 secid;
	int rc;
	/* See netlbl_unlabel_staticadd(): exactly one address family per
	 * message. */
	bool no_v4 = !attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
		     !attrs[NLBL_UNLABEL_A_IPV4MASK];
	bool no_v6 = !attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
		     !attrs[NLBL_UNLABEL_A_IPV6MASK];

	if (!attrs[NLBL_UNLABEL_A_SECCTX] || no_v4 == no_v6)
		return -EINVAL;

	netlbl_netlink_auditinfo(&audit_info);

	rc = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
	if (rc != 0)
		return rc;

	rc = security_secctx_to_secid(nla_data(attrs[NLBL_UNLABEL_A_SECCTX]),
				      nla_len(attrs[NLBL_UNLABEL_A_SECCTX]),
				      &secid);
	if (rc != 0)
		return rc;

	return netlbl_unlhsh_add(&init_net,
				 NULL, addr, mask, addr_len, secid,
				 &audit_info);
}

/**
 * netlbl_unlabel_staticremove - Handle a STATICREMOVE message
 * @skb: the NETLINK buffer
 * @info: the Generic NETLINK info block
 *
 * Description:
 * Process a user generated STATICREMOVE message and remove the specified
 * unlabeled connection entry.  Returns zero on success, negative values on
 * failure.
 *
 * Requires NLBL_UNLABEL_A_IFACE plus a complete address/mask pair of exactly
 * one family; no security context is needed to remove an entry.
 *
 */
static int netlbl_unlabel_staticremove(struct sk_buff *skb,
				       struct genl_info *info)
{
	struct nlattr **attrs = info->attrs;
	struct netlbl_audit audit_info;
	char *dev_name;
	void *addr;
	void *mask;
	u32 addr_len;
	int rc;
	/* See the note in netlbl_unlabel_staticadd(): exactly one of the two
	 * address families may be present in a single message. */
	bool no_v4 = !attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
		     !attrs[NLBL_UNLABEL_A_IPV4MASK];
	bool no_v6 = !attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
		     !attrs[NLBL_UNLABEL_A_IPV6MASK];

	if (!attrs[NLBL_UNLABEL_A_IFACE] || no_v4 == no_v6)
		return -EINVAL;

	netlbl_netlink_auditinfo(&audit_info);

	rc = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
	if (rc != 0)
		return rc;

	/* Consumed as a C string by the interface lookup; NUL termination
	 * relies on the netlink policy for NLBL_UNLABEL_A_IFACE, which is
	 * outside this section -- confirm. */
	dev_name = nla_data(attrs[NLBL_UNLABEL_A_IFACE]);

	return netlbl_unlhsh_remove(&init_net,
				    dev_name, addr, mask, addr_len,
				    &audit_info);
}

/**
 * netlbl_unlabel_staticremovedef - Handle a STATICREMOVEDEF message
 * @skb: the NETLINK buffer
 * @info: the Generic NETLINK info block
 *
 * Description:
 * Process a user generated STATICREMOVEDEF message and remove the default
 * unlabeled connection entry.  Same as netlbl_unlabel_staticremove() but
 * without an interface attribute: the address is removed from the default
 * entry (NULL device name).  Returns zero on success, negative values on
 * failure.
 *
 */
static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
					  struct genl_info *info)
{
	struct nlattr **attrs = info->attrs;
	struct netlbl_audit audit_info;
	void *addr;
	void *mask;
	u32 addr_len;
	int rc;
	/* See the note in netlbl_unlabel_staticadd(): exactly one of the two
	 * address families may be present in a single message. */
	bool no_v4 = !attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
		     !attrs[NLBL_UNLABEL_A_IPV4MASK];
	bool no_v6 = !attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
		     !attrs[NLBL_UNLABEL_A_IPV6MASK];

	if (no_v4 == no_v6)
		return -EINVAL;

	netlbl_netlink_auditinfo(&audit_info);

	rc = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
	if (rc != 0)
		return rc;

	return netlbl_unlhsh_remove(&init_net,
				    NULL, addr, mask, addr_len,
				    &audit_info);
}


/**
 * netlbl_unlabel_staticlist_gen - Generate messages for STATICLIST[DEF]
 * @cmd: command/message
 * @iface: the interface entry
 * @addr4: the IPv4 address entry
 * @addr6: the IPv6 address entry
 * @arg: the netlbl_unlhsh_walk_arg structure (cast to void)
 *
 * Description:
 * This function is designed to be used to generate a response for a
 * STATICLIST or STATICLISTDEF message.  When called either @addr4 or @addr6
 * can be specified, not both, the other unspecified entry should be set to
 * NULL by the caller (@addr6 is dereferenced whenever @addr4 is NULL).  One
 * NLM_F_MULTI message is appended to cb_arg->skb carrying the interface
 * name (for a non default entry), the address, the mask and the LSM security
 * context string of the entry; cb_arg->seq is advanced only on success.
 * Returns zero on success, negative values on failure, in which case the
 * partial message is cancelled.
 *
 */
static int netlbl_unlabel_staticlist_gen(u32 cmd,
				       const struct netlbl_unlhsh_iface *iface,
				       const struct netlbl_unlhsh_addr4 *addr4,
				       const struct netlbl_unlhsh_addr6 *addr6,
				       void *arg)
{
	/* -ENOMEM is what a failed genlmsg_put() reports. */
	int ret_val = -ENOMEM;
	struct netlbl_unlhsh_walk_arg *cb_arg = arg;
	struct net_device *dev;
	void *data;
	u32 secid;
	char *secctx;
	u32 secctx_len;

	data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
			   cb_arg->seq, &netlbl_unlabel_gnl_family,
			   NLM_F_MULTI, cmd);
	if (data == NULL)
		goto list_cb_failure;

	/* ifindex > 0 is a real interface; the default entry has none and
	 * gets no NLBL_UNLABEL_A_IFACE attribute. */
	if (iface->ifindex > 0) {
		/* dev_get_by_index() takes a reference; it is dropped right
		 * after the name has been copied into the message. */
		dev = dev_get_by_index(&init_net, iface->ifindex);
		if (!dev) {
			ret_val = -ENODEV;
			goto list_cb_failure;
		}
		ret_val = nla_put_string(cb_arg->skb,
					 NLBL_UNLABEL_A_IFACE, dev->name);
		dev_put(dev);
		if (ret_val != 0)
			goto list_cb_failure;
	}

	if (addr4) {
		struct in_addr addr_struct;

		addr_struct.s_addr = addr4->list.addr;
		ret_val = nla_put_in_addr(cb_arg->skb,
					  NLBL_UNLABEL_A_IPV4ADDR,
					  addr_struct.s_addr);
		if (ret_val != 0)
			goto list_cb_failure;

		addr_struct.s_addr = addr4->list.mask;
		ret_val = nla_put_in_addr(cb_arg->skb,
					  NLBL_UNLABEL_A_IPV4MASK,
					  addr_struct.s_addr);
		if (ret_val != 0)
			goto list_cb_failure;

		secid = addr4->secid;
	} else {
		ret_val = nla_put_in6_addr(cb_arg->skb,
					   NLBL_UNLABEL_A_IPV6ADDR,
					   &addr6->list.addr);
		if (ret_val != 0)
			goto list_cb_failure;

		ret_val = nla_put_in6_addr(cb_arg->skb,
					   NLBL_UNLABEL_A_IPV6MASK,
					   &addr6->list.mask);
		if (ret_val != 0)
			goto list_cb_failure;

		secid = addr6->secid;
	}

	/* The secid is exported as the LSM's textual context, copied with its
	 * explicit length; the context buffer is released whether or not the
	 * put succeeded. */
	ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
	if (ret_val != 0)
		goto list_cb_failure;
	ret_val = nla_put(cb_arg->skb,
			  NLBL_UNLABEL_A_SECCTX,
			  secctx_len,
			  secctx);
	security_release_secctx(secctx, secctx_len);
	if (ret_val != 0)
		goto list_cb_failure;

	cb_arg->seq++;
	genlmsg_end(cb_arg->skb, data);
	return 0;

list_cb_failure:
	/* Also reached when genlmsg_put() itself failed, i.e. with @data
	 * NULL; this relies on genlmsg_cancel() tolerating that. */
	genlmsg_cancel(cb_arg->skb, data);
	return ret_val;
}

/**
 * netlbl_unlabel_staticlist - Handle a STATICLIST message
 * @skb: the NETLINK buffer
 * @cb: the NETLINK callback
 *
 * Description:
 * Process a user generated STATICLIST message and dump the unlabeled
 * connection hash table in a form suitable for use in a kernel generated
 * STATICLIST message.  Returns the length of @skb.
 *
 * The dump is resumable: cb->args[0..3] hold the hash bucket, the position
 * in that bucket's chain, and the IPv4 / IPv6 address index at which the
 * previous call stopped, and are rewritten on every return.
 *
 */
static int netlbl_unlabel_staticlist(struct sk_buff *skb,
				     struct netlink_callback *cb)
{
	struct netlbl_unlhsh_walk_arg cb_arg;
	u32 skip_bkt = cb->args[0];
	u32 skip_chain = cb->args[1];
	u32 skip_addr4 = cb->args[2];
	/* iter_addr6 lives outside the IPv6 block so cb->args[3] is always
	 * written (it stays 0 without CONFIG_IPV6). */
	u32 iter_bkt, iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
	struct netlbl_unlhsh_iface *iface;
	struct list_head *iter_list;
	struct netlbl_af4list *addr4;
#if IS_ENABLED(CONFIG_IPV6)
	u32 skip_addr6 = cb->args[3];
	struct netlbl_af6list *addr6;
#endif

	cb_arg.nl_cb = cb;
	cb_arg.skb = skb;
	cb_arg.seq = cb->nlh->nlmsg_seq;

	rcu_read_lock();
	for (iter_bkt = skip_bkt;
	     iter_bkt < rcu_dereference(netlbl_unlhsh)->size;
	     iter_bkt++) {
		iter_list = &rcu_dereference(netlbl_unlhsh)->tbl[iter_bkt];
		list_for_each_entry_rcu(iface, iter_list, list) {
			/* Invalid (being removed) entries are skipped without
			 * being counted towards the chain position. */
			if (!iface->valid ||
			    iter_chain++ < skip_chain)
				continue;
			netlbl_af4list_foreach_rcu(addr4,
						   &iface->addr4_list) {
				if (iter_addr4++ < skip_addr4)
					continue;
				if (netlbl_unlabel_staticlist_gen(
					      NLBL_UNLABEL_C_STATICLIST,
					      iface,
					      netlbl_unlhsh_addr4_entry(addr4),
					      NULL,
					      &cb_arg) < 0) {
					/* The entry did not fit: step the
					 * cursors back so the next call
					 * retries it. */
					iter_addr4--;
					iter_chain--;
					goto unlabel_staticlist_return;
				}
			}
			/* The skip counts only apply to the interface the
			 * previous call stopped in; later interfaces start
			 * from their first address. */
			iter_addr4 = 0;
			skip_addr4 = 0;
#if IS_ENABLED(CONFIG_IPV6)
			netlbl_af6list_foreach_rcu(addr6,
						   &iface->addr6_list) {
				if (iter_addr6++ < skip_addr6)
					continue;
				if (netlbl_unlabel_staticlist_gen(
					      NLBL_UNLABEL_C_STATICLIST,
					      iface,
					      NULL,
					      netlbl_unlhsh_addr6_entry(addr6),
					      &cb_arg) < 0) {
					iter_addr6--;
					iter_chain--;
					goto unlabel_staticlist_return;
				}
			}
			iter_addr6 = 0;
			skip_addr6 = 0;
#endif /* IPv6 */
		}
		/* Likewise the chain offset only applies to the resumed
		 * bucket. */
		iter_chain = 0;
		skip_chain = 0;
	}

unlabel_staticlist_return:
	rcu_read_unlock();
	/* Persist the cursor for the next invocation of the dump. */
	cb->args[0] = iter_bkt;
	cb->args[1] = iter_chain;
	cb->args[2] = iter_addr4;
	cb->args[3] = iter_addr6;
	return skb->len;
}

/**
 * netlbl_unlabel_staticlistdef - Handle a STATICLISTDEF message
 * @skb: the NETLINK buffer
 * @cb: the NETLINK callback
 *
 * Description:
 * Process a user generated STATICLISTDEF message and dump the default
 * unlabeled connection entry in a form suitable for use in a kernel generated
 * STATICLISTDEF message.  Returns the length of @skb.
 *
 * Resume state for a multi-part dump lives in cb->args[0] (IPv4 entries
 * already sent) and cb->args[1] (IPv6 entries already sent).
 *
 */
static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
					struct netlink_callback *cb)
{
	struct netlbl_unlhsh_walk_arg cb_arg;
	struct netlbl_unlhsh_iface *iface;
	u32 iter_addr4 = 0, iter_addr6 = 0;
	struct netlbl_af4list *addr4;
#if IS_ENABLED(CONFIG_IPV6)
	struct netlbl_af6list *addr6;
#endif

	cb_arg.nl_cb = cb;
	cb_arg.skb = skb;
	cb_arg.seq = cb->nlh->nlmsg_seq;

	rcu_read_lock();
	iface = rcu_dereference(netlbl_unlhsh_def);
	/* no default entry, or one that is being removed: empty dump */
	if (iface == NULL || !iface->valid)
		goto unlabel_staticlistdef_return;

	netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) {
		if (iter_addr4++ < cb->args[0])
			continue;
		if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
						  iface,
						  netlbl_unlhsh_addr4_entry(addr4),
						  NULL,
						  &cb_arg) < 0) {
			/* skb is full: back up so this entry is resent */
			iter_addr4--;
			goto unlabel_staticlistdef_return;
		}
	}
#if IS_ENABLED(CONFIG_IPV6)
	netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) {
		if (iter_addr6++ < cb->args[1])
			continue;
		if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
						  iface,
						  NULL,
						  netlbl_unlhsh_addr6_entry(addr6),
						  &cb_arg) < 0) {
			/* iter_addr4 is deliberately not reset between the
			 * two loops, so args[0] keeps the full IPv4 count and
			 * those entries are skipped on resume, not resent */
			iter_addr6--;
			goto unlabel_staticlistdef_return;
		}
	}
#endif /* IPv6 */

unlabel_staticlistdef_return:
	rcu_read_unlock();
	cb->args[0] = iter_addr4;
	cb->args[1] = iter_addr6;
	return skb->len;
}

/*
 * NetLabel Generic NETLINK Command Definitions
 */

/* Access control summary: every command that changes state carries
 * GENL_ADMIN_PERM (CAP_NET_ADMIN).  The list/dump commands carry no flag,
 * so the static address -> secid mappings and the accept flag are readable
 * by any process that can talk to this family; nothing here gates them.
 * All ops run attribute validation in liberal rather than strict mode
 * (GENL_DONT_VALIDATE_STRICT / GENL_DONT_VALIDATE_DUMP), presumably to keep
 * existing userspace working; the attributes a handler reads are still
 * checked against netlbl_unlabel_genl_policy. */
static const struct genl_small_ops netlbl_unlabel_genl_ops[] = {
	{
	.cmd = NLBL_UNLABEL_C_STATICADD,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = GENL_ADMIN_PERM,
	.doit = netlbl_unlabel_staticadd,
	.dumpit = NULL,
	},
	{
	.cmd = NLBL_UNLABEL_C_STATICREMOVE,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = GENL_ADMIN_PERM,
	.doit = netlbl_unlabel_staticremove,
	.dumpit = NULL,
	},
	{
	/* read-only, unprivileged */
	.cmd = NLBL_UNLABEL_C_STATICLIST,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = 0,
	.doit = NULL,
	.dumpit = netlbl_unlabel_staticlist,
	},
	{
	.cmd = NLBL_UNLABEL_C_STATICADDDEF,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = GENL_ADMIN_PERM,
	.doit = netlbl_unlabel_staticadddef,
	.dumpit = NULL,
	},
	{
	.cmd = NLBL_UNLABEL_C_STATICREMOVEDEF,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = GENL_ADMIN_PERM,
	.doit = netlbl_unlabel_staticremovedef,
	.dumpit = NULL,
	},
	{
	/* read-only, unprivileged */
	.cmd = NLBL_UNLABEL_C_STATICLISTDEF,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = 0,
	.doit = NULL,
	.dumpit = netlbl_unlabel_staticlistdef,
	},
	{
	/* toggles whether unlabeled packets are accepted at all */
	.cmd = NLBL_UNLABEL_C_ACCEPT,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = GENL_ADMIN_PERM,
	.doit = netlbl_unlabel_accept,
	.dumpit = NULL,
	},
	{
	/* read-only, unprivileged */
	.cmd = NLBL_UNLABEL_C_LIST,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = 0,
	.doit = netlbl_unlabel_list,
	.dumpit = NULL,
	},
};

/* __ro_after_init: the family description is written once by
 * genl_register_family() and then becomes read-only, so a later memory
 * corruption bug cannot redirect its handlers.  resv_start_op is one past
 * the highest command defined today; only commands at or above it have
 * their reserved header bytes checked by the generic netlink core. */
static struct genl_family netlbl_unlabel_gnl_family __ro_after_init = {
	.hdrsize = 0,
	.name = NETLBL_NLTYPE_UNLABELED_NAME,
	.version = NETLBL_PROTO_VERSION,
	.maxattr = NLBL_UNLABEL_A_MAX,
	.policy = netlbl_unlabel_genl_policy,
	.module = THIS_MODULE,
	.small_ops = netlbl_unlabel_genl_ops,
	.n_small_ops = ARRAY_SIZE(netlbl_unlabel_genl_ops),
	.resv_start_op = NLBL_UNLABEL_C_STATICLISTDEF + 1,
};

/*
 * NetLabel Generic NETLINK Protocol Functions
 */

/**
 * netlbl_unlabel_genl_init - Register the Unlabeled NetLabel component
 *
 * Description:
 * Register the unlabeled packet NetLabel component with the Generic NETLINK
 * mechanism.  Returns zero on success, negative values on failure.
 *
 */
int __init netlbl_unlabel_genl_init(void)
{
	return genl_register_family(&netlbl_unlabel_gnl_family);
}

/*
 * NetLabel KAPI Hooks
 */

/* Network device notifier; the handler itself is defined earlier in this
 * file.  Registered by netlbl_unlabel_init() below. */
static struct notifier_block netlbl_unlhsh_netdev_notifier = {
	.notifier_call = netlbl_unlhsh_netdev_handler,
};

/**
 * netlbl_unlabel_init - Initialize the unlabeled connection hash table
 * @size: the number of bits to use for the hash buckets
 *
 * Description:
 * Initializes the unlabeled connection hash table and registers a network
 * device notification handler.  This function should only be called by the
 * NetLabel subsystem itself during initialization.  Returns zero on success,
 * non-zero values on error.
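 *
 */
int __init netlbl_unlabel_init(u32 size)
{
	int ret_val;
	u32 iter;
	struct netlbl_unlhsh_tbl *hsh_tbl;

	/* @size is a bit count that is shifted into a bucket count below;
	 * shifting by the full width of the type is undefined, so reject it
	 * rather than let it produce a garbage table size */
	if (size == 0 || size >= 32)
		return -EINVAL;

	hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL);
	if (hsh_tbl == NULL)
		return -ENOMEM;
	hsh_tbl->size = 1U << size;
	hsh_tbl->tbl = kcalloc(hsh_tbl->size,
			       sizeof(struct list_head),
			       GFP_KERNEL);
	if (hsh_tbl->tbl == NULL) {
		kfree(hsh_tbl);
		return -ENOMEM;
	}
	for (iter = 0; iter < hsh_tbl->size; iter++)
		INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);

	spin_lock(&netlbl_unlhsh_lock);
	rcu_assign_pointer(netlbl_unlhsh, hsh_tbl);
	spin_unlock(&netlbl_unlhsh_lock);

	/* The notifier is what keeps interface entries in step with device
	 * lifetime (the handler is defined earlier in this file), so a failed
	 * registration is reported as an init failure instead of ignored.
	 * The empty table stays published on purpose: the lookup paths
	 * dereference netlbl_unlhsh without a NULL check. */
	ret_val = register_netdevice_notifier(&netlbl_unlhsh_netdev_notifier);
	if (ret_val != 0)
		return ret_val;

	return 0;
}

/**
 * netlbl_unlabel_getattr - Get the security attributes for an unlabled packet
 * @skb: the packet
 * @family: protocol family
 * @secattr: the security attributes
 *
 * Description:
 * Determine the security attributes, if any, for an unlabled packet and return
 * them in @secattr.  Returns zero on success and negative values on failure.
 *
 * The lookup is keyed on the receiving interface (skb->skb_iif, falling back
 * to the default entry) and on the packet's source address.  That address is
 * read straight from the IP header and is not authenticated by anything in
 * this path, so a static mapping is only as trustworthy as the network that
 * delivers packets carrying that source address.
 *
 */
int netlbl_unlabel_getattr(const struct sk_buff *skb,
			   u16 family,
			   struct netlbl_lsm_secattr *secattr)
{
	struct netlbl_unlhsh_iface *iface;

	rcu_read_lock();
	iface = netlbl_unlhsh_search_iface(skb->skb_iif);
	if (iface == NULL)
		iface = rcu_dereference(netlbl_unlhsh_def);
	if (iface == NULL || !iface->valid)
		goto unlabel_getattr_nolabel;

#if IS_ENABLED(CONFIG_IPV6)
	/* When resolving a fallback label, check the sk_buff version as
	 * it is possible (e.g. SCTP) to have family = PF_INET6 while
	 * receiving ip_hdr(skb)->version = 4.
	 */
	if (family == PF_INET6 && ip_hdr(skb)->version == 4)
		family = PF_INET;
#endif /* IPv6 */

	switch (family) {
	case PF_INET: {
		struct iphdr *hdr4;
		struct netlbl_af4list *addr4;

		hdr4 = ip_hdr(skb);
		addr4 = netlbl_af4list_search(hdr4->saddr,
					      &iface->addr4_list);
		if (addr4 == NULL)
			goto unlabel_getattr_nolabel;
		secattr->attr.secid = netlbl_unlhsh_addr4_entry(addr4)->secid;
		break;
	}
#if IS_ENABLED(CONFIG_IPV6)
	case PF_INET6: {
		struct ipv6hdr *hdr6;
		struct netlbl_af6list *addr6;

		hdr6 = ipv6_hdr(skb);
		addr6 = netlbl_af6list_search(&hdr6->saddr,
					      &iface->addr6_list);
		if (addr6 == NULL)
			goto unlabel_getattr_nolabel;
		secattr->attr.secid = netlbl_unlhsh_addr6_entry(addr6)->secid;
		break;
	}
#endif /* IPv6 */
	default:
		goto unlabel_getattr_nolabel;
	}
	rcu_read_unlock();

	/* a static mapping matched: hand the LSM a concrete secid */
	secattr->flags |= NETLBL_SECATTR_SECID;
	secattr->type = NETLBL_NLTYPE_UNLABELED;
	return 0;

unlabel_getattr_nolabel:
	rcu_read_unlock();
	/* no mapping: the packet is only let through as "unlabeled" when
	 * the administrator has enabled the accept flag; otherwise -ENOMSG
	 * tells the caller there is no label at all */
	if (netlabel_unlabel_acceptflg == 0)
		return -ENOMSG;
	secattr->type = NETLBL_NLTYPE_UNLABELED;
	return 0;
}

/**
 * netlbl_unlabel_defconf - Set the default config to allow unlabeled packets
 *
 * Description:
 * Set the default NetLabel configuration to allow incoming unlabeled packets
 * and to send unlabeled network traffic by default.  Returns zero on success,
 * negative values on failure.
 *
 */
int __init netlbl_unlabel_defconf(void)
{
	int ret_val;
	struct netlbl_dom_map *entry;
	struct netlbl_audit audit_info;

	/* Only the kernel is allowed to call this function and the only time
	 * it is called is at bootup before the audit subsystem is reporting
	 * messages so don't worry to much about these values. */
	security_current_getsecid_subj(&audit_info.secid);
	audit_info.loginuid = GLOBAL_ROOT_UID;
	audit_info.sessionid = 0;

	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
	if (entry == NULL)
		return -ENOMEM;
	entry->family = AF_UNSPEC;
	entry->def.type = NETLBL_NLTYPE_UNLABELED;
	ret_val = netlbl_domhsh_add_default(entry, &audit_info);
	if (ret_val != 0) {
		/* the entry was never linked into the domain hash, so it is
		 * still ours; entry->domain is NULL from kzalloc, so there
		 * is nothing else to release */
		kfree(entry);
		return ret_val;
	}

	netlbl_unlabel_acceptflg_set(1, &audit_info);

	return 0;
}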