162306a36Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-only
262306a36Sopenharmony_ci/*
362306a36Sopenharmony_ci * Network port table
462306a36Sopenharmony_ci *
562306a36Sopenharmony_ci * SELinux must keep a mapping of network ports to labels/SIDs.  This
662306a36Sopenharmony_ci * mapping is maintained as part of the normal policy but a fast cache is
762306a36Sopenharmony_ci * needed to reduce the lookup overhead.
862306a36Sopenharmony_ci *
962306a36Sopenharmony_ci * Author: Paul Moore <paul@paul-moore.com>
1062306a36Sopenharmony_ci *
1162306a36Sopenharmony_ci * This code is heavily based on the "netif" concept originally developed by
1262306a36Sopenharmony_ci * James Morris <jmorris@redhat.com>
1362306a36Sopenharmony_ci *   (see security/selinux/netif.c for more information)
1462306a36Sopenharmony_ci */
1562306a36Sopenharmony_ci
1662306a36Sopenharmony_ci/*
1762306a36Sopenharmony_ci * (c) Copyright Hewlett-Packard Development Company, L.P., 2008
1862306a36Sopenharmony_ci */
1962306a36Sopenharmony_ci
2062306a36Sopenharmony_ci#include <linux/types.h>
2162306a36Sopenharmony_ci#include <linux/rcupdate.h>
2262306a36Sopenharmony_ci#include <linux/list.h>
2362306a36Sopenharmony_ci#include <linux/slab.h>
2462306a36Sopenharmony_ci#include <linux/spinlock.h>
2562306a36Sopenharmony_ci#include <linux/in.h>
2662306a36Sopenharmony_ci#include <linux/in6.h>
2762306a36Sopenharmony_ci#include <linux/ip.h>
2862306a36Sopenharmony_ci#include <linux/ipv6.h>
2962306a36Sopenharmony_ci#include <net/ip.h>
3062306a36Sopenharmony_ci#include <net/ipv6.h>
3162306a36Sopenharmony_ci
3262306a36Sopenharmony_ci#include "netport.h"
3362306a36Sopenharmony_ci#include "objsec.h"
3462306a36Sopenharmony_ci
3562306a36Sopenharmony_ci#define SEL_NETPORT_HASH_SIZE       256
3662306a36Sopenharmony_ci#define SEL_NETPORT_HASH_BKT_LIMIT   16
3762306a36Sopenharmony_ci
/* One hash bucket.  @size counts the records currently linked on @list; it is
 * kept at or below SEL_NETPORT_HASH_BKT_LIMIT by sel_netport_insert(), which is
 * what bounds the memory the cache can consume. */
struct sel_netport_bkt {
	int size;		/* number of records on @list */
	struct list_head list;	/* RCU-protected list of struct sel_netport */
};
4262306a36Sopenharmony_ci
/* One cached port label.  The (port, protocol) -> SID triple lives in @psec;
 * @list links the record into its bucket and @rcu is handed to kfree_rcu() so
 * the memory is only released after readers have finished with it. */
struct sel_netport {
	struct netport_security_struct psec;	/* port, protocol, sid */

	struct list_head list;	/* bucket membership (RCU list) */
	struct rcu_head rcu;	/* deferred free after list_del_rcu() */
};
4962306a36Sopenharmony_ci
5062306a36Sopenharmony_ci/* NOTE: we are using a combined hash table for both IPv4 and IPv6, the reason
5162306a36Sopenharmony_ci * for this is that I suspect most users will not make heavy use of both
5262306a36Sopenharmony_ci * address families at the same time so one table will usually end up wasted,
5362306a36Sopenharmony_ci * if this becomes a problem we can always add a hash table for each address
5462306a36Sopenharmony_ci * family later */
5562306a36Sopenharmony_ci
/* Writers (insert, eviction, flush) serialize on this lock with BHs disabled;
 * lookups on the fast path only take the RCU read lock. */
static DEFINE_SPINLOCK(sel_netport_lock);
/* The combined IPv4/IPv6 port table, indexed by sel_netport_hashfn(). */
static struct sel_netport_bkt sel_netport_hash[SEL_NETPORT_HASH_SIZE];
5862306a36Sopenharmony_ci
/**
 * sel_netport_hashfn - Hashing function for the port table
 * @pnum: port number
 *
 * Description:
 * Map a port number to a bucket index in sel_netport_hash[].  Only the low
 * bits of the port are used (SEL_NETPORT_HASH_SIZE is a power of two), so
 * ports that differ by a multiple of SEL_NETPORT_HASH_SIZE land in the same
 * bucket and compete for its SEL_NETPORT_HASH_BKT_LIMIT slots.
 *
 */
static unsigned int sel_netport_hashfn(u16 pnum)
{
	const unsigned int mask = SEL_NETPORT_HASH_SIZE - 1;

	return pnum & mask;
}
7262306a36Sopenharmony_ci
/**
 * sel_netport_find - Search for a port record
 * @protocol: protocol
 * @pnum: port
 *
 * Description:
 * Walk the bucket selected by @pnum and return the record whose port and
 * protocol both match, or NULL when there is none.  The protocol has to be
 * compared as well because the hash is computed from the port alone.  The
 * caller must hold either the RCU read lock or sel_netport_lock.
 *
 */
static struct sel_netport *sel_netport_find(u8 protocol, u16 pnum)
{
	struct sel_netport_bkt *bkt = &sel_netport_hash[sel_netport_hashfn(pnum)];
	struct sel_netport *entry;

	list_for_each_entry_rcu(entry, &bkt->list, list) {
		if (entry->psec.port != pnum)
			continue;
		if (entry->psec.protocol == protocol)
			return entry;
	}

	return NULL;
}
9562306a36Sopenharmony_ci
/**
 * sel_netport_insert - Insert a new port into the table
 * @port: the new port record
 *
 * Description:
 * Link @port at the head of its bucket in the port table.  When the bucket
 * already holds SEL_NETPORT_HASH_BKT_LIMIT records the oldest one (the list
 * tail) is unlinked and freed after a grace period, so every bucket, and with
 * it the whole cache, stays bounded.  Must be called with sel_netport_lock
 * held; the lockdep annotation below checks that.
 *
 */
static void sel_netport_insert(struct sel_netport *port)
{
	struct sel_netport_bkt *bkt;
	struct list_head *last;
	struct sel_netport *victim;

	bkt = &sel_netport_hash[sel_netport_hashfn(port->psec.port)];
	list_add_rcu(&port->list, &bkt->list);

	if (bkt->size != SEL_NETPORT_HASH_BKT_LIMIT) {
		bkt->size++;
		return;
	}

	/* bucket is full: the newcomer replaces the least recently added
	 * record instead of growing the bucket */
	last = rcu_dereference_protected(list_tail_rcu(&bkt->list),
					 lockdep_is_held(&sel_netport_lock));
	victim = list_entry(last, struct sel_netport, list);
	list_del_rcu(&victim->list);
	kfree_rcu(victim, rcu);
}
12462306a36Sopenharmony_ci
/**
 * sel_netport_sid_slow - Lookup the SID of a network port using the policy
 * @protocol: protocol
 * @pnum: port
 * @sid: port SID
 *
 * Description:
 * Determine the SID of a network port by querying the security policy and
 * cache the answer in the port table to speed up future queries.  The table
 * is re-checked under sel_netport_lock first so that two lookups racing on
 * the same port do not both insert a record.  Returns zero on success,
 * negative values on failure; a failed cache allocation is not an error.
 *
 */
static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
{
	int rc = 0;
	struct sel_netport *entry;

	spin_lock_bh(&sel_netport_lock);
	/* another CPU may have filled the table since our RCU lookup missed */
	entry = sel_netport_find(protocol, pnum);
	if (entry) {
		*sid = entry->psec.sid;
	} else {
		rc = security_port_sid(protocol, pnum, sid);
		if (rc == 0) {
			/* GFP_ATOMIC: a spinlock is held with BHs disabled.
			 * If the allocation fails we simply do not cache; the
			 * SID already stored in *sid is still returned. */
			entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
			if (entry) {
				entry->psec.port = pnum;
				entry->psec.protocol = protocol;
				entry->psec.sid = *sid;
				sel_netport_insert(entry);
			}
		}
	}
	spin_unlock_bh(&sel_netport_lock);

	if (unlikely(rc))
		pr_warn("SELinux: failure in %s(), unable to determine network port label\n",
			__func__);
	return rc;
}
16962306a36Sopenharmony_ci
/**
 * sel_netport_sid - Lookup the SID of a network port
 * @protocol: protocol
 * @pnum: port
 * @sid: port SID
 *
 * Description:
 * Determine the SID of a network port using the fastest method available.
 * The port table is consulted under the RCU read lock first; only on a miss
 * is the policy queried (and the table populated) via sel_netport_sid_slow().
 * Returns zero on success, negative values on failure.
 *
 */
int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid)
{
	struct sel_netport *entry;
	bool cached = false;

	rcu_read_lock();
	entry = sel_netport_find(protocol, pnum);
	if (entry) {
		/* read the SID while the record is still guaranteed alive */
		*sid = entry->psec.sid;
		cached = true;
	}
	rcu_read_unlock();

	if (cached)
		return 0;
	return sel_netport_sid_slow(protocol, pnum, sid);
}
19862306a36Sopenharmony_ci
/**
 * sel_netport_flush - Flush the entire network port table
 *
 * Description:
 * Remove every record from the network port table and reset each bucket's
 * count.  Records are unlinked under sel_netport_lock and released with
 * kfree_rcu() so concurrent RCU readers in sel_netport_sid() remain safe.
 *
 */
void sel_netport_flush(void)
{
	unsigned int bkt;

	spin_lock_bh(&sel_netport_lock);
	for (bkt = 0; bkt < SEL_NETPORT_HASH_SIZE; bkt++) {
		struct sel_netport_bkt *b = &sel_netport_hash[bkt];
		struct sel_netport *cur, *nxt;

		/* _safe variant: cur is unlinked while we walk the list */
		list_for_each_entry_safe(cur, nxt, &b->list, list) {
			list_del_rcu(&cur->list);
			kfree_rcu(cur, rcu);
		}
		b->size = 0;
	}
	spin_unlock_bh(&sel_netport_lock);
}
22262306a36Sopenharmony_ci
/**
 * sel_netport_init - Initialize the network port table
 *
 * Description:
 * Put every bucket of sel_netport_hash[] into the empty state.  Nothing is
 * done when SELinux was disabled at boot.  Always returns zero.
 *
 */
static __init int sel_netport_init(void)
{
	struct sel_netport_bkt *bkt;
	struct sel_netport_bkt *end = sel_netport_hash + SEL_NETPORT_HASH_SIZE;

	if (!selinux_enabled_boot)
		return 0;

	for (bkt = sel_netport_hash; bkt < end; bkt++) {
		INIT_LIST_HEAD(&bkt->list);
		bkt->size = 0;
	}

	return 0;
}
23762306a36Sopenharmony_ci
/* register sel_netport_init() as an initcall */
__initcall(sel_netport_init);