2 * NetLabel Unlabeled Support
4 * This file defines functions for dealing with unlabeled packets for the
5 * NetLabel system. The NetLabel system manages static and dynamic label
6 * mappings for network protocols such as CIPSO and RIPSO.
8 * Author: Paul Moore <paul.moore@hp.com>
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - 2007
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
23 * the GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
31 #include <linux/types.h>
32 #include <linux/rcupdate.h>
33 #include <linux/list.h>
34 #include <linux/spinlock.h>
35 #include <linux/socket.h>
36 #include <linux/string.h>
37 #include <linux/skbuff.h>
38 #include <linux/audit.h>
40 #include <linux/in6.h>
42 #include <linux/ipv6.h>
43 #include <linux/notifier.h>
44 #include <linux/netdevice.h>
45 #include <linux/security.h>
47 #include <net/netlink.h>
48 #include <net/genetlink.h>
51 #include <net/net_namespace.h>
52 #include <net/netlabel.h>
54 #include <asm/atomic.h>
56 #include "netlabel_user.h"
57 #include "netlabel_domainhash.h"
58 #include "netlabel_unlabeled.h"
59 #include "netlabel_mgmt.h"
61 /* NOTE: at present we always use init's network namespace since we don't
62 * presently support different namespaces even though the majority of
63 * the functions in this file are "namespace safe" */
65 /* The unlabeled connection hash table which we use to map network interfaces
66 * and addresses of unlabeled packets to a user specified secid value for the
67 * LSM. The hash table is used to lookup the network interface entry
68 * (struct netlbl_unlhsh_iface) and then the interface entry is used to
69 * lookup an IP address match from an ordered list. If a network interface
70 * match can not be found in the hash table then the default entry
71 * (netlbl_unlhsh_def) is used. The IP address entry list
72 * (struct netlbl_unlhsh_addr) is ordered such that the entries with a
73 * larger netmask come first.
75 struct netlbl_unlhsh_tbl {
76 struct list_head *tbl;
79 struct netlbl_unlhsh_addr4 {
85 struct list_head list;
88 struct netlbl_unlhsh_addr6 {
94 struct list_head list;
97 struct netlbl_unlhsh_iface {
99 struct list_head addr4_list;
100 struct list_head addr6_list;
103 struct list_head list;
107 /* Argument struct for netlbl_unlhsh_walk() */
108 struct netlbl_unlhsh_walk_arg {
109 struct netlink_callback *nl_cb;
114 /* Unlabeled connection hash table */
115 /* updates should be so rare that having one spinlock for the entire
116 * hash table should be okay */
117 static DEFINE_SPINLOCK(netlbl_unlhsh_lock);
118 static struct netlbl_unlhsh_tbl *netlbl_unlhsh = NULL;
119 static struct netlbl_unlhsh_iface *netlbl_unlhsh_def = NULL;
121 /* Accept unlabeled packets flag */
122 static u8 netlabel_unlabel_acceptflg = 0;
124 /* NetLabel Generic NETLINK unlabeled family */
125 static struct genl_family netlbl_unlabel_gnl_family = {
126 .id = GENL_ID_GENERATE,
128 .name = NETLBL_NLTYPE_UNLABELED_NAME,
129 .version = NETLBL_PROTO_VERSION,
130 .maxattr = NLBL_UNLABEL_A_MAX,
133 /* NetLabel Netlink attribute policy */
134 static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
135 [NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
136 [NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY,
137 .len = sizeof(struct in6_addr) },
138 [NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY,
139 .len = sizeof(struct in6_addr) },
140 [NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY,
141 .len = sizeof(struct in_addr) },
142 [NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY,
143 .len = sizeof(struct in_addr) },
144 [NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING,
145 .len = IFNAMSIZ - 1 },
146 [NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY }
150 * Audit Helper Functions
154 * netlbl_unlabel_audit_addr4 - Audit an IPv4 address
155 * @audit_buf: audit buffer
156 * @dev: network interface
158 * @mask: IP address mask
161 * Write the IPv4 address and address mask, if necessary, to @audit_buf.
164 static void netlbl_unlabel_audit_addr4(struct audit_buffer *audit_buf,
166 __be32 addr, __be32 mask)
168 u32 mask_val = ntohl(mask);
171 audit_log_format(audit_buf, " netif=%s", dev);
172 audit_log_format(audit_buf, " src=" NIPQUAD_FMT, NIPQUAD(addr));
173 if (mask_val != 0xffffffff) {
175 while (mask_val > 0) {
179 audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
183 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
185 * netlbl_unlabel_audit_addr6 - Audit an IPv6 address
186 * @audit_buf: audit buffer
187 * @dev: network interface
189 * @mask: IP address mask
192 * Write the IPv6 address and address mask, if necessary, to @audit_buf.
195 static void netlbl_unlabel_audit_addr6(struct audit_buffer *audit_buf,
197 const struct in6_addr *addr,
198 const struct in6_addr *mask)
201 audit_log_format(audit_buf, " netif=%s", dev);
202 audit_log_format(audit_buf, " src=" NIP6_FMT, NIP6(*addr));
203 if (ntohl(mask->s6_addr32[3]) != 0xffffffff) {
207 while (ntohl(mask->s6_addr32[++iter]) == 0xffffffff)
209 mask_val = ntohl(mask->s6_addr32[iter]);
210 while (mask_val > 0) {
214 audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
220 * Unlabeled Connection Hash Table Functions
224 * netlbl_unlhsh_free_addr4 - Frees an IPv4 address entry from the hash table
225 * @entry: the entry's RCU field
228 * This function is designed to be used as a callback to the call_rcu()
229 * function so that memory allocated to a hash table address entry can be
233 static void netlbl_unlhsh_free_addr4(struct rcu_head *entry)
235 struct netlbl_unlhsh_addr4 *ptr;
237 ptr = container_of(entry, struct netlbl_unlhsh_addr4, rcu);
241 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
243 * netlbl_unlhsh_free_addr6 - Frees an IPv6 address entry from the hash table
244 * @entry: the entry's RCU field
247 * This function is designed to be used as a callback to the call_rcu()
248 * function so that memory allocated to a hash table address entry can be
252 static void netlbl_unlhsh_free_addr6(struct rcu_head *entry)
254 struct netlbl_unlhsh_addr6 *ptr;
256 ptr = container_of(entry, struct netlbl_unlhsh_addr6, rcu);
262 * netlbl_unlhsh_free_iface - Frees an interface entry from the hash table
263 * @entry: the entry's RCU field
266 * This function is designed to be used as a callback to the call_rcu()
267 * function so that memory allocated to a hash table interface entry can be
268 * released safely. It is important to note that this function does not free
269 * the IPv4 and IPv6 address lists contained as part of an interface entry. It
270 * is up to the rest of the code to make sure an interface entry is only freed
271 * once it's address lists are empty.
274 static void netlbl_unlhsh_free_iface(struct rcu_head *entry)
276 struct netlbl_unlhsh_iface *iface;
277 struct netlbl_unlhsh_addr4 *iter4;
278 struct netlbl_unlhsh_addr4 *tmp4;
279 struct netlbl_unlhsh_addr6 *iter6;
280 struct netlbl_unlhsh_addr6 *tmp6;
282 iface = container_of(entry, struct netlbl_unlhsh_iface, rcu);
284 /* no need for locks here since we are the only one with access to this
287 list_for_each_entry_safe(iter4, tmp4, &iface->addr4_list, list)
289 list_del_rcu(&iter4->list);
292 list_for_each_entry_safe(iter6, tmp6, &iface->addr6_list, list)
294 list_del_rcu(&iter6->list);
301 * netlbl_unlhsh_hash - Hashing function for the hash table
302 * @ifindex: the network interface/device to hash
305 * This is the hashing function for the unlabeled hash table, it returns the
306 * bucket number for the given device/interface. The caller is responsible for
307 * calling the rcu_read_[un]lock() functions.
310 static u32 netlbl_unlhsh_hash(int ifindex)
312 /* this is taken _almost_ directly from
313 * security/selinux/netif.c:sel_netif_hasfn() as they do pretty much
315 return ifindex & (rcu_dereference(netlbl_unlhsh)->size - 1);
319 * netlbl_unlhsh_search_addr4 - Search for a matching IPv4 address entry
320 * @addr: IPv4 address
321 * @iface: the network interface entry
324 * Searches the IPv4 address list of the network interface specified by @iface.
325 * If a matching address entry is found it is returned, otherwise NULL is
326 * returned. The caller is responsible for calling the rcu_read_[un]lock()
330 static struct netlbl_unlhsh_addr4 *netlbl_unlhsh_search_addr4(
332 const struct netlbl_unlhsh_iface *iface)
334 struct netlbl_unlhsh_addr4 *iter;
336 list_for_each_entry_rcu(iter, &iface->addr4_list, list)
337 if (iter->valid && (addr & iter->mask) == iter->addr)
343 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
345 * netlbl_unlhsh_search_addr6 - Search for a matching IPv6 address entry
346 * @addr: IPv6 address
347 * @iface: the network interface entry
350 * Searches the IPv6 address list of the network interface specified by @iface.
351 * If a matching address entry is found it is returned, otherwise NULL is
352 * returned. The caller is responsible for calling the rcu_read_[un]lock()
356 static struct netlbl_unlhsh_addr6 *netlbl_unlhsh_search_addr6(
357 const struct in6_addr *addr,
358 const struct netlbl_unlhsh_iface *iface)
360 struct netlbl_unlhsh_addr6 *iter;
362 list_for_each_entry_rcu(iter, &iface->addr6_list, list)
364 ipv6_masked_addr_cmp(&iter->addr, &iter->mask, addr) == 0)
372 * netlbl_unlhsh_search_iface - Search for a matching interface entry
373 * @ifindex: the network interface
376 * Searches the unlabeled connection hash table and returns a pointer to the
377 * interface entry which matches @ifindex, otherwise NULL is returned. The
378 * caller is responsible for calling the rcu_read_[un]lock() functions.
381 static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex)
384 struct netlbl_unlhsh_iface *iter;
386 bkt = netlbl_unlhsh_hash(ifindex);
387 list_for_each_entry_rcu(iter,
388 &rcu_dereference(netlbl_unlhsh)->tbl[bkt],
390 if (iter->valid && iter->ifindex == ifindex)
397 * netlbl_unlhsh_search_iface_def - Search for a matching interface entry
398 * @ifindex: the network interface
401 * Searches the unlabeled connection hash table and returns a pointer to the
402 * interface entry which matches @ifindex. If an exact match can not be found
403 * and there is a valid default entry, the default entry is returned, otherwise
404 * NULL is returned. The caller is responsible for calling the
405 * rcu_read_[un]lock() functions.
408 static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface_def(int ifindex)
410 struct netlbl_unlhsh_iface *entry;
412 entry = netlbl_unlhsh_search_iface(ifindex);
416 entry = rcu_dereference(netlbl_unlhsh_def);
417 if (entry != NULL && entry->valid)
424 * netlbl_unlhsh_add_addr4 - Add a new IPv4 address entry to the hash table
425 * @iface: the associated interface entry
426 * @addr: IPv4 address in network byte order
427 * @mask: IPv4 address mask in network byte order
428 * @secid: LSM secid value for entry
431 * Add a new address entry into the unlabeled connection hash table using the
432 * interface entry specified by @iface. On success zero is returned, otherwise
433 * a negative value is returned. The caller is responsible for calling the
434 * rcu_read_[un]lock() functions.
437 static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
438 const struct in_addr *addr,
439 const struct in_addr *mask,
442 struct netlbl_unlhsh_addr4 *entry;
443 struct netlbl_unlhsh_addr4 *iter;
445 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
449 entry->addr = addr->s_addr & mask->s_addr;
450 entry->mask = mask->s_addr;
451 entry->secid = secid;
453 INIT_RCU_HEAD(&entry->rcu);
455 spin_lock(&netlbl_unlhsh_lock);
456 iter = netlbl_unlhsh_search_addr4(entry->addr, iface);
458 iter->addr == addr->s_addr && iter->mask == mask->s_addr) {
459 spin_unlock(&netlbl_unlhsh_lock);
463 /* in order to speed up address searches through the list (the common
464 * case) we need to keep the list in order based on the size of the
465 * address mask such that the entry with the widest mask (smallest
466 * numerical value) appears first in the list */
467 list_for_each_entry_rcu(iter, &iface->addr4_list, list)
469 ntohl(entry->mask) > ntohl(iter->mask)) {
470 __list_add_rcu(&entry->list,
473 spin_unlock(&netlbl_unlhsh_lock);
476 list_add_tail_rcu(&entry->list, &iface->addr4_list);
477 spin_unlock(&netlbl_unlhsh_lock);
481 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
483 * netlbl_unlhsh_add_addr6 - Add a new IPv6 address entry to the hash table
484 * @iface: the associated interface entry
485 * @addr: IPv6 address in network byte order
486 * @mask: IPv6 address mask in network byte order
487 * @secid: LSM secid value for entry
490 * Add a new address entry into the unlabeled connection hash table using the
491 * interface entry specified by @iface. On success zero is returned, otherwise
492 * a negative value is returned. The caller is responsible for calling the
493 * rcu_read_[un]lock() functions.
496 static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
497 const struct in6_addr *addr,
498 const struct in6_addr *mask,
501 struct netlbl_unlhsh_addr6 *entry;
502 struct netlbl_unlhsh_addr6 *iter;
504 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
508 ipv6_addr_copy(&entry->addr, addr);
509 entry->addr.s6_addr32[0] &= mask->s6_addr32[0];
510 entry->addr.s6_addr32[1] &= mask->s6_addr32[1];
511 entry->addr.s6_addr32[2] &= mask->s6_addr32[2];
512 entry->addr.s6_addr32[3] &= mask->s6_addr32[3];
513 ipv6_addr_copy(&entry->mask, mask);
514 entry->secid = secid;
516 INIT_RCU_HEAD(&entry->rcu);
518 spin_lock(&netlbl_unlhsh_lock);
519 iter = netlbl_unlhsh_search_addr6(&entry->addr, iface);
521 (ipv6_addr_equal(&iter->addr, addr) &&
522 ipv6_addr_equal(&iter->mask, mask))) {
523 spin_unlock(&netlbl_unlhsh_lock);
527 /* in order to speed up address searches through the list (the common
528 * case) we need to keep the list in order based on the size of the
529 * address mask such that the entry with the widest mask (smallest
530 * numerical value) appears first in the list */
531 list_for_each_entry_rcu(iter, &iface->addr6_list, list)
533 ipv6_addr_cmp(&entry->mask, &iter->mask) > 0) {
534 __list_add_rcu(&entry->list,
537 spin_unlock(&netlbl_unlhsh_lock);
540 list_add_tail_rcu(&entry->list, &iface->addr6_list);
541 spin_unlock(&netlbl_unlhsh_lock);
547 * netlbl_unlhsh_add_iface - Adds a new interface entry to the hash table
548 * @ifindex: network interface
551 * Add a new, empty, interface entry into the unlabeled connection hash table.
552 * On success a pointer to the new interface entry is returned, on failure NULL
553 * is returned. The caller is responsible for calling the rcu_read_[un]lock()
557 static struct netlbl_unlhsh_iface *netlbl_unlhsh_add_iface(int ifindex)
560 struct netlbl_unlhsh_iface *iface;
562 iface = kzalloc(sizeof(*iface), GFP_ATOMIC);
566 iface->ifindex = ifindex;
567 INIT_LIST_HEAD(&iface->addr4_list);
568 INIT_LIST_HEAD(&iface->addr6_list);
570 INIT_RCU_HEAD(&iface->rcu);
572 spin_lock(&netlbl_unlhsh_lock);
574 bkt = netlbl_unlhsh_hash(ifindex);
575 if (netlbl_unlhsh_search_iface(ifindex) != NULL)
576 goto add_iface_failure;
577 list_add_tail_rcu(&iface->list,
578 &rcu_dereference(netlbl_unlhsh)->tbl[bkt]);
580 INIT_LIST_HEAD(&iface->list);
581 if (rcu_dereference(netlbl_unlhsh_def) != NULL)
582 goto add_iface_failure;
583 rcu_assign_pointer(netlbl_unlhsh_def, iface);
585 spin_unlock(&netlbl_unlhsh_lock);
590 spin_unlock(&netlbl_unlhsh_lock);
596 * netlbl_unlhsh_add - Adds a new entry to the unlabeled connection hash table
597 * @net: network namespace
598 * @dev_name: interface name
599 * @addr: IP address in network byte order
600 * @mask: address mask in network byte order
601 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
602 * @secid: LSM secid value for the entry
603 * @audit_info: NetLabel audit information
606 * Adds a new entry to the unlabeled connection hash table. Returns zero on
607 * success, negative values on failure.
610 static int netlbl_unlhsh_add(struct net *net,
611 const char *dev_name,
616 struct netlbl_audit *audit_info)
620 struct net_device *dev;
621 struct netlbl_unlhsh_iface *iface;
622 struct audit_buffer *audit_buf = NULL;
626 if (addr_len != sizeof(struct in_addr) &&
627 addr_len != sizeof(struct in6_addr))
631 if (dev_name != NULL) {
632 dev = dev_get_by_name(net, dev_name);
635 goto unlhsh_add_return;
637 ifindex = dev->ifindex;
639 iface = netlbl_unlhsh_search_iface(ifindex);
642 iface = rcu_dereference(netlbl_unlhsh_def);
645 iface = netlbl_unlhsh_add_iface(ifindex);
648 goto unlhsh_add_return;
651 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
654 case sizeof(struct in_addr): {
655 struct in_addr *addr4, *mask4;
657 addr4 = (struct in_addr *)addr;
658 mask4 = (struct in_addr *)mask;
659 ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
660 if (audit_buf != NULL)
661 netlbl_unlabel_audit_addr4(audit_buf,
667 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
668 case sizeof(struct in6_addr): {
669 struct in6_addr *addr6, *mask6;
671 addr6 = (struct in6_addr *)addr;
672 mask6 = (struct in6_addr *)mask;
673 ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
674 if (audit_buf != NULL)
675 netlbl_unlabel_audit_addr6(audit_buf,
685 atomic_inc(&netlabel_mgmt_protocount);
689 if (audit_buf != NULL) {
690 if (security_secid_to_secctx(secid,
693 audit_log_format(audit_buf, " sec_obj=%s", secctx);
694 security_release_secctx(secctx, secctx_len);
696 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
697 audit_log_end(audit_buf);
703 * netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry
704 * @net: network namespace
705 * @iface: interface entry
707 * @mask: IP address mask
708 * @audit_info: NetLabel audit information
711 * Remove an IP address entry from the unlabeled connection hash table.
712 * Returns zero on success, negative values on failure. The caller is
713 * responsible for calling the rcu_read_[un]lock() functions.
716 static int netlbl_unlhsh_remove_addr4(struct net *net,
717 struct netlbl_unlhsh_iface *iface,
718 const struct in_addr *addr,
719 const struct in_addr *mask,
720 struct netlbl_audit *audit_info)
722 int ret_val = -ENOENT;
723 struct netlbl_unlhsh_addr4 *entry;
724 struct audit_buffer *audit_buf = NULL;
725 struct net_device *dev;
729 spin_lock(&netlbl_unlhsh_lock);
730 entry = netlbl_unlhsh_search_addr4(addr->s_addr, iface);
732 entry->addr == addr->s_addr && entry->mask == mask->s_addr) {
734 list_del_rcu(&entry->list);
737 spin_unlock(&netlbl_unlhsh_lock);
739 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
741 if (audit_buf != NULL) {
742 dev = dev_get_by_index(net, iface->ifindex);
743 netlbl_unlabel_audit_addr4(audit_buf,
744 (dev != NULL ? dev->name : NULL),
745 entry->addr, entry->mask);
748 if (security_secid_to_secctx(entry->secid,
751 audit_log_format(audit_buf, " sec_obj=%s", secctx);
752 security_release_secctx(secctx, secctx_len);
754 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
755 audit_log_end(audit_buf);
759 call_rcu(&entry->rcu, netlbl_unlhsh_free_addr4);
763 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
765 * netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry
766 * @net: network namespace
767 * @iface: interface entry
769 * @mask: IP address mask
770 * @audit_info: NetLabel audit information
773 * Remove an IP address entry from the unlabeled connection hash table.
774 * Returns zero on success, negative values on failure. The caller is
775 * responsible for calling the rcu_read_[un]lock() functions.
778 static int netlbl_unlhsh_remove_addr6(struct net *net,
779 struct netlbl_unlhsh_iface *iface,
780 const struct in6_addr *addr,
781 const struct in6_addr *mask,
782 struct netlbl_audit *audit_info)
784 int ret_val = -ENOENT;
785 struct netlbl_unlhsh_addr6 *entry;
786 struct audit_buffer *audit_buf = NULL;
787 struct net_device *dev;
791 spin_lock(&netlbl_unlhsh_lock);
792 entry = netlbl_unlhsh_search_addr6(addr, iface);
794 (ipv6_addr_equal(&entry->addr, addr) &&
795 ipv6_addr_equal(&entry->mask, mask))) {
797 list_del_rcu(&entry->list);
800 spin_unlock(&netlbl_unlhsh_lock);
802 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
804 if (audit_buf != NULL) {
805 dev = dev_get_by_index(net, iface->ifindex);
806 netlbl_unlabel_audit_addr6(audit_buf,
807 (dev != NULL ? dev->name : NULL),
811 if (security_secid_to_secctx(entry->secid,
814 audit_log_format(audit_buf, " sec_obj=%s", secctx);
815 security_release_secctx(secctx, secctx_len);
817 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
818 audit_log_end(audit_buf);
822 call_rcu(&entry->rcu, netlbl_unlhsh_free_addr6);
828 * netlbl_unlhsh_condremove_iface - Remove an interface entry
829 * @iface: the interface entry
832 * Remove an interface entry from the unlabeled connection hash table if it is
833 * empty. An interface entry is considered to be empty if there are no
834 * address entries assigned to it.
837 static void netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface *iface)
839 struct netlbl_unlhsh_addr4 *iter4;
840 struct netlbl_unlhsh_addr6 *iter6;
842 spin_lock(&netlbl_unlhsh_lock);
843 list_for_each_entry_rcu(iter4, &iface->addr4_list, list)
845 goto unlhsh_condremove_failure;
846 list_for_each_entry_rcu(iter6, &iface->addr6_list, list)
848 goto unlhsh_condremove_failure;
850 if (iface->ifindex > 0)
851 list_del_rcu(&iface->list);
853 rcu_assign_pointer(netlbl_unlhsh_def, NULL);
854 spin_unlock(&netlbl_unlhsh_lock);
856 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
859 unlhsh_condremove_failure:
860 spin_unlock(&netlbl_unlhsh_lock);
865 * netlbl_unlhsh_remove - Remove an entry from the unlabeled hash table
866 * @net: network namespace
867 * @dev_name: interface name
868 * @addr: IP address in network byte order
869 * @mask: address mask in network byte order
870 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
871 * @audit_info: NetLabel audit information
874 * Removes and existing entry from the unlabeled connection hash table.
875 * Returns zero on success, negative values on failure.
878 static int netlbl_unlhsh_remove(struct net *net,
879 const char *dev_name,
883 struct netlbl_audit *audit_info)
886 struct net_device *dev;
887 struct netlbl_unlhsh_iface *iface;
889 if (addr_len != sizeof(struct in_addr) &&
890 addr_len != sizeof(struct in6_addr))
894 if (dev_name != NULL) {
895 dev = dev_get_by_name(net, dev_name);
898 goto unlhsh_remove_return;
900 iface = netlbl_unlhsh_search_iface(dev->ifindex);
903 iface = rcu_dereference(netlbl_unlhsh_def);
906 goto unlhsh_remove_return;
909 case sizeof(struct in_addr):
910 ret_val = netlbl_unlhsh_remove_addr4(net,
914 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
915 case sizeof(struct in6_addr):
916 ret_val = netlbl_unlhsh_remove_addr6(net,
925 netlbl_unlhsh_condremove_iface(iface);
926 atomic_dec(&netlabel_mgmt_protocount);
929 unlhsh_remove_return:
935 * General Helper Functions
939 * netlbl_unlhsh_netdev_handler - Network device notification handler
940 * @this: notifier block
942 * @ptr: the network device (cast to void)
945 * Handle network device events, although at present all we care about is a
946 * network device going away. In the case of a device going away we clear any
947 * related entries from the unlabeled connection hash table.
950 static int netlbl_unlhsh_netdev_handler(struct notifier_block *this,
954 struct net_device *dev = ptr;
955 struct netlbl_unlhsh_iface *iface = NULL;
957 if (dev->nd_net != &init_net)
960 /* XXX - should this be a check for NETDEV_DOWN or _UNREGISTER? */
961 if (event == NETDEV_DOWN) {
962 spin_lock(&netlbl_unlhsh_lock);
963 iface = netlbl_unlhsh_search_iface(dev->ifindex);
964 if (iface != NULL && iface->valid) {
966 list_del_rcu(&iface->list);
969 spin_unlock(&netlbl_unlhsh_lock);
973 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
979 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
980 * @value: desired value
981 * @audit_info: NetLabel audit information
984 * Set the value of the unlabeled accept flag to @value.
987 static void netlbl_unlabel_acceptflg_set(u8 value,
988 struct netlbl_audit *audit_info)
990 struct audit_buffer *audit_buf;
993 old_val = netlabel_unlabel_acceptflg;
994 netlabel_unlabel_acceptflg = value;
995 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
997 if (audit_buf != NULL) {
998 audit_log_format(audit_buf,
999 " unlbl_accept=%u old=%u", value, old_val);
1000 audit_log_end(audit_buf);
1005 * netlbl_unlabel_addrinfo_get - Get the IPv4/6 address information
1006 * @info: the Generic NETLINK info block
1007 * @addr: the IP address
1008 * @mask: the IP address mask
1009 * @len: the address length
1012 * Examine the Generic NETLINK message and extract the IP address information.
1013 * Returns zero on success, negative values on failure.
1016 static int netlbl_unlabel_addrinfo_get(struct genl_info *info,
1023 if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR]) {
1024 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
1025 if (addr_len != sizeof(struct in_addr) &&
1026 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK]))
1029 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
1030 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4MASK]);
1032 } else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR]) {
1033 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
1034 if (addr_len != sizeof(struct in6_addr) &&
1035 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV6MASK]))
1038 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
1039 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6MASK]);
1047 * NetLabel Command Handlers
1051 * netlbl_unlabel_accept - Handle an ACCEPT message
1052 * @skb: the NETLINK buffer
1053 * @info: the Generic NETLINK info block
1056 * Process a user generated ACCEPT message and set the accept flag accordingly.
1057 * Returns zero on success, negative values on failure.
1060 static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
1063 struct netlbl_audit audit_info;
1065 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
1066 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
1067 if (value == 1 || value == 0) {
1068 netlbl_netlink_auditinfo(skb, &audit_info);
1069 netlbl_unlabel_acceptflg_set(value, &audit_info);
1078 * netlbl_unlabel_list - Handle a LIST message
1079 * @skb: the NETLINK buffer
1080 * @info: the Generic NETLINK info block
1083 * Process a user generated LIST message and respond with the current status.
1084 * Returns zero on success, negative values on failure.
1087 static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
1089 int ret_val = -EINVAL;
1090 struct sk_buff *ans_skb;
1093 ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1094 if (ans_skb == NULL)
1096 data = genlmsg_put_reply(ans_skb, info, &netlbl_unlabel_gnl_family,
1097 0, NLBL_UNLABEL_C_LIST);
1103 ret_val = nla_put_u8(ans_skb,
1104 NLBL_UNLABEL_A_ACPTFLG,
1105 netlabel_unlabel_acceptflg);
1109 genlmsg_end(ans_skb, data);
1111 ret_val = genlmsg_reply(ans_skb, info);
1122 * netlbl_unlabel_staticadd - Handle a STATICADD message
1123 * @skb: the NETLINK buffer
1124 * @info: the Generic NETLINK info block
1127 * Process a user generated STATICADD message and add a new unlabeled
1128 * connection entry to the hash table. Returns zero on success, negative
1129 * values on failure.
1132 static int netlbl_unlabel_staticadd(struct sk_buff *skb,
1133 struct genl_info *info)
1141 struct netlbl_audit audit_info;
1143 /* Don't allow users to add both IPv4 and IPv6 addresses for a
1144 * single entry. However, allow users to create two entries, one each
1145 * for IPv4 and IPv4, with the same LSM security context which should
1146 * achieve the same result. */
1147 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
1148 !info->attrs[NLBL_UNLABEL_A_IFACE] ||
1149 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1150 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1151 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1152 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1155 netlbl_netlink_auditinfo(skb, &audit_info);
1157 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1160 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
1161 ret_val = security_secctx_to_secid(
1162 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
1163 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
1168 return netlbl_unlhsh_add(&init_net,
1169 dev_name, addr, mask, addr_len, secid,
1174 * netlbl_unlabel_staticadddef - Handle a STATICADDDEF message
1175 * @skb: the NETLINK buffer
1176 * @info: the Generic NETLINK info block
1179 * Process a user generated STATICADDDEF message and add a new default
1180 * unlabeled connection entry. Returns zero on success, negative values on
1184 static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
1185 struct genl_info *info)
1192 struct netlbl_audit audit_info;
1194 /* Don't allow users to add both IPv4 and IPv6 addresses for a
1195 * single entry. However, allow users to create two entries, one each
1196 * for IPv4 and IPv6, with the same LSM security context which should
1197 * achieve the same result. */
1198 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
1199 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1200 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1201 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1202 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1205 netlbl_netlink_auditinfo(skb, &audit_info);
1207 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1210 ret_val = security_secctx_to_secid(
1211 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
1212 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
1217 return netlbl_unlhsh_add(&init_net,
1218 NULL, addr, mask, addr_len, secid,
1223 * netlbl_unlabel_staticremove - Handle a STATICREMOVE message
1224 * @skb: the NETLINK buffer
1225 * @info: the Generic NETLINK info block
1228 * Process a user generated STATICREMOVE message and remove the specified
1229 * unlabeled connection entry. Returns zero on success, negative values on
1233 static int netlbl_unlabel_staticremove(struct sk_buff *skb,
1234 struct genl_info *info)
1241 struct netlbl_audit audit_info;
1243 /* See the note in netlbl_unlabel_staticadd() about not allowing both
1244 * IPv4 and IPv6 in the same entry. */
1245 if (!info->attrs[NLBL_UNLABEL_A_IFACE] ||
1246 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1247 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1248 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1249 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1252 netlbl_netlink_auditinfo(skb, &audit_info);
1254 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1257 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
1259 return netlbl_unlhsh_remove(&init_net,
1260 dev_name, addr, mask, addr_len,
1265 * netlbl_unlabel_staticremovedef - Handle a STATICREMOVEDEF message
1266 * @skb: the NETLINK buffer
1267 * @info: the Generic NETLINK info block
1270 * Process a user generated STATICREMOVEDEF message and remove the default
1271 * unlabeled connection entry. Returns zero on success, negative values on
1275 static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
1276 struct genl_info *info)
1282 struct netlbl_audit audit_info;
1284 /* See the note in netlbl_unlabel_staticadd() about not allowing both
1285 * IPv4 and IPv6 in the same entry. */
1286 if (!((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1287 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1288 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1289 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1292 netlbl_netlink_auditinfo(skb, &audit_info);
1294 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1298 return netlbl_unlhsh_remove(&init_net,
1299 NULL, addr, mask, addr_len,
1305 * netlbl_unlabel_staticlist_gen - Generate messages for STATICLIST[DEF]
1306 * @cmd: command/message
1307 * @iface: the interface entry
1308 * @addr4: the IPv4 address entry
1309 * @addr6: the IPv6 address entry
1310 * @arg: the netlbl_unlhsh_walk_arg structure
1313 * This function is designed to be used to generate a response for a
1314 * STATICLIST or STATICLISTDEF message. When called either @addr4 or @addr6
1315 * can be specified, not both, the other unspecified entry should be set to
1316 * NULL by the caller. Returns the size of the message on success, negative
1317 * values on failure.
1320 static int netlbl_unlabel_staticlist_gen(u32 cmd,
1321 const struct netlbl_unlhsh_iface *iface,
1322 const struct netlbl_unlhsh_addr4 *addr4,
1323 const struct netlbl_unlhsh_addr6 *addr6,
1326 int ret_val = -ENOMEM;
1327 struct netlbl_unlhsh_walk_arg *cb_arg = arg;
1328 struct net_device *dev;
1334 data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).pid,
1335 cb_arg->seq, &netlbl_unlabel_gnl_family,
1338 goto list_cb_failure;
1340 if (iface->ifindex > 0) {
1341 dev = dev_get_by_index(&init_net, iface->ifindex);
1342 ret_val = nla_put_string(cb_arg->skb,
1343 NLBL_UNLABEL_A_IFACE, dev->name);
1346 goto list_cb_failure;
1350 struct in_addr addr_struct;
1352 addr_struct.s_addr = addr4->addr;
1353 ret_val = nla_put(cb_arg->skb,
1354 NLBL_UNLABEL_A_IPV4ADDR,
1355 sizeof(struct in_addr),
1358 goto list_cb_failure;
1360 addr_struct.s_addr = addr4->mask;
1361 ret_val = nla_put(cb_arg->skb,
1362 NLBL_UNLABEL_A_IPV4MASK,
1363 sizeof(struct in_addr),
1366 goto list_cb_failure;
1368 secid = addr4->secid;
1370 ret_val = nla_put(cb_arg->skb,
1371 NLBL_UNLABEL_A_IPV6ADDR,
1372 sizeof(struct in6_addr),
1375 goto list_cb_failure;
1377 ret_val = nla_put(cb_arg->skb,
1378 NLBL_UNLABEL_A_IPV6MASK,
1379 sizeof(struct in6_addr),
1382 goto list_cb_failure;
1384 secid = addr6->secid;
1387 ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
1389 goto list_cb_failure;
1390 ret_val = nla_put(cb_arg->skb,
1391 NLBL_UNLABEL_A_SECCTX,
1394 security_release_secctx(secctx, secctx_len);
1396 goto list_cb_failure;
1399 return genlmsg_end(cb_arg->skb, data);
1402 genlmsg_cancel(cb_arg->skb, data);
1407 * netlbl_unlabel_staticlist - Handle a STATICLIST message
1408 * @skb: the NETLINK buffer
1409 * @cb: the NETLINK callback
1412 * Process a user generated STATICLIST message and dump the unlabeled
1413 * connection hash table in a form suitable for use in a kernel generated
1414 * STATICLIST message. Returns the length of @skb.
1417 static int netlbl_unlabel_staticlist(struct sk_buff *skb,
1418 struct netlink_callback *cb)
1420 struct netlbl_unlhsh_walk_arg cb_arg;
1421 u32 skip_bkt = cb->args[0];
1422 u32 skip_chain = cb->args[1];
1423 u32 skip_addr4 = cb->args[2];
1424 u32 skip_addr6 = cb->args[3];
1426 u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
1427 struct netlbl_unlhsh_iface *iface;
1428 struct netlbl_unlhsh_addr4 *addr4;
1429 struct netlbl_unlhsh_addr6 *addr6;
1433 cb_arg.seq = cb->nlh->nlmsg_seq;
1436 for (iter_bkt = skip_bkt;
1437 iter_bkt < rcu_dereference(netlbl_unlhsh)->size;
1438 iter_bkt++, iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0) {
1439 list_for_each_entry_rcu(iface,
1440 &rcu_dereference(netlbl_unlhsh)->tbl[iter_bkt],
1442 if (!iface->valid ||
1443 iter_chain++ < skip_chain)
1445 list_for_each_entry_rcu(addr4,
1448 if (!addr4->valid || iter_addr4++ < skip_addr4)
1450 if (netlbl_unlabel_staticlist_gen(
1451 NLBL_UNLABEL_C_STATICLIST,
1458 goto unlabel_staticlist_return;
1461 list_for_each_entry_rcu(addr6,
1464 if (!addr6->valid || iter_addr6++ < skip_addr6)
1466 if (netlbl_unlabel_staticlist_gen(
1467 NLBL_UNLABEL_C_STATICLIST,
1474 goto unlabel_staticlist_return;
1480 unlabel_staticlist_return:
1482 cb->args[0] = skip_bkt;
1483 cb->args[1] = skip_chain;
1484 cb->args[2] = skip_addr4;
1485 cb->args[3] = skip_addr6;
1490 * netlbl_unlabel_staticlistdef - Handle a STATICLISTDEF message
1491 * @skb: the NETLINK buffer
1492 * @cb: the NETLINK callback
1495 * Process a user generated STATICLISTDEF message and dump the default
1496 * unlabeled connection entry in a form suitable for use in a kernel generated
1497 * STATICLISTDEF message. Returns the length of @skb.
1500 static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
1501 struct netlink_callback *cb)
1503 struct netlbl_unlhsh_walk_arg cb_arg;
1504 struct netlbl_unlhsh_iface *iface;
1505 u32 skip_addr4 = cb->args[0];
1506 u32 skip_addr6 = cb->args[1];
1507 u32 iter_addr4 = 0, iter_addr6 = 0;
1508 struct netlbl_unlhsh_addr4 *addr4;
1509 struct netlbl_unlhsh_addr6 *addr6;
1513 cb_arg.seq = cb->nlh->nlmsg_seq;
1516 iface = rcu_dereference(netlbl_unlhsh_def);
1517 if (iface == NULL || !iface->valid)
1518 goto unlabel_staticlistdef_return;
1520 list_for_each_entry_rcu(addr4, &iface->addr4_list, list) {
1521 if (!addr4->valid || iter_addr4++ < skip_addr4)
1523 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
1529 goto unlabel_staticlistdef_return;
1532 list_for_each_entry_rcu(addr6, &iface->addr6_list, list) {
1533 if (addr6->valid || iter_addr6++ < skip_addr6)
1535 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
1541 goto unlabel_staticlistdef_return;
1545 unlabel_staticlistdef_return:
1547 cb->args[0] = skip_addr4;
1548 cb->args[1] = skip_addr6;
1553 * NetLabel Generic NETLINK Command Definitions
1556 static struct genl_ops netlbl_unlabel_genl_ops[] = {
1558 .cmd = NLBL_UNLABEL_C_STATICADD,
1559 .flags = GENL_ADMIN_PERM,
1560 .policy = netlbl_unlabel_genl_policy,
1561 .doit = netlbl_unlabel_staticadd,
1565 .cmd = NLBL_UNLABEL_C_STATICREMOVE,
1566 .flags = GENL_ADMIN_PERM,
1567 .policy = netlbl_unlabel_genl_policy,
1568 .doit = netlbl_unlabel_staticremove,
1572 .cmd = NLBL_UNLABEL_C_STATICLIST,
1574 .policy = netlbl_unlabel_genl_policy,
1576 .dumpit = netlbl_unlabel_staticlist,
1579 .cmd = NLBL_UNLABEL_C_STATICADDDEF,
1580 .flags = GENL_ADMIN_PERM,
1581 .policy = netlbl_unlabel_genl_policy,
1582 .doit = netlbl_unlabel_staticadddef,
1586 .cmd = NLBL_UNLABEL_C_STATICREMOVEDEF,
1587 .flags = GENL_ADMIN_PERM,
1588 .policy = netlbl_unlabel_genl_policy,
1589 .doit = netlbl_unlabel_staticremovedef,
1593 .cmd = NLBL_UNLABEL_C_STATICLISTDEF,
1595 .policy = netlbl_unlabel_genl_policy,
1597 .dumpit = netlbl_unlabel_staticlistdef,
1600 .cmd = NLBL_UNLABEL_C_ACCEPT,
1601 .flags = GENL_ADMIN_PERM,
1602 .policy = netlbl_unlabel_genl_policy,
1603 .doit = netlbl_unlabel_accept,
1607 .cmd = NLBL_UNLABEL_C_LIST,
1609 .policy = netlbl_unlabel_genl_policy,
1610 .doit = netlbl_unlabel_list,
1616 * NetLabel Generic NETLINK Protocol Functions
1620 * netlbl_unlabel_genl_init - Register the Unlabeled NetLabel component
1623 * Register the unlabeled packet NetLabel component with the Generic NETLINK
1624 * mechanism. Returns zero on success, negative values on failure.
1627 int __init netlbl_unlabel_genl_init(void)
1631 ret_val = genl_register_family(&netlbl_unlabel_gnl_family);
1635 for (i = 0; i < ARRAY_SIZE(netlbl_unlabel_genl_ops); i++) {
1636 ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
1637 &netlbl_unlabel_genl_ops[i]);
1646 * NetLabel KAPI Hooks
1649 static struct notifier_block netlbl_unlhsh_netdev_notifier = {
1650 .notifier_call = netlbl_unlhsh_netdev_handler,
1654 * netlbl_unlabel_init - Initialize the unlabeled connection hash table
1655 * @size: the number of bits to use for the hash buckets
1658 * Initializes the unlabeled connection hash table and registers a network
1659 * device notification handler. This function should only be called by the
1660 * NetLabel subsystem itself during initialization. Returns zero on success,
1661 * non-zero values on error.
1664 int __init netlbl_unlabel_init(u32 size)
1667 struct netlbl_unlhsh_tbl *hsh_tbl;
1672 hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL);
1673 if (hsh_tbl == NULL)
1675 hsh_tbl->size = 1 << size;
1676 hsh_tbl->tbl = kcalloc(hsh_tbl->size,
1677 sizeof(struct list_head),
1679 if (hsh_tbl->tbl == NULL) {
1683 for (iter = 0; iter < hsh_tbl->size; iter++)
1684 INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);
1687 spin_lock(&netlbl_unlhsh_lock);
1688 rcu_assign_pointer(netlbl_unlhsh, hsh_tbl);
1689 spin_unlock(&netlbl_unlhsh_lock);
1692 register_netdevice_notifier(&netlbl_unlhsh_netdev_notifier);
1698 * netlbl_unlabel_getattr - Get the security attributes for an unlabled packet
1700 * @family: protocol family
1701 * @secattr: the security attributes
1704 * Determine the security attributes, if any, for an unlabled packet and return
1705 * them in @secattr. Returns zero on success and negative values on failure.
1708 int netlbl_unlabel_getattr(const struct sk_buff *skb,
1710 struct netlbl_lsm_secattr *secattr)
1712 struct netlbl_unlhsh_iface *iface;
1715 iface = netlbl_unlhsh_search_iface_def(skb->iif);
1717 goto unlabel_getattr_nolabel;
1721 struct netlbl_unlhsh_addr4 *addr4;
1724 addr4 = netlbl_unlhsh_search_addr4(hdr4->saddr, iface);
1726 goto unlabel_getattr_nolabel;
1727 secattr->attr.secid = addr4->secid;
1730 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1732 struct ipv6hdr *hdr6;
1733 struct netlbl_unlhsh_addr6 *addr6;
1735 hdr6 = ipv6_hdr(skb);
1736 addr6 = netlbl_unlhsh_search_addr6(&hdr6->saddr, iface);
1738 goto unlabel_getattr_nolabel;
1739 secattr->attr.secid = addr6->secid;
1744 goto unlabel_getattr_nolabel;
1748 secattr->flags |= NETLBL_SECATTR_SECID;
1749 secattr->type = NETLBL_NLTYPE_UNLABELED;
1752 unlabel_getattr_nolabel:
1754 if (netlabel_unlabel_acceptflg == 0)
1756 secattr->type = NETLBL_NLTYPE_UNLABELED;
1761 * netlbl_unlabel_defconf - Set the default config to allow unlabeled packets
1764 * Set the default NetLabel configuration to allow incoming unlabeled packets
1765 * and to send unlabeled network traffic by default.
1768 int __init netlbl_unlabel_defconf(void)
1771 struct netlbl_dom_map *entry;
1772 struct netlbl_audit audit_info;
1774 /* Only the kernel is allowed to call this function and the only time
1775 * it is called is at bootup before the audit subsystem is reporting
1776 * messages so don't worry to much about these values. */
1777 security_task_getsecid(current, &audit_info.secid);
1778 audit_info.loginuid = 0;
1780 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1783 entry->type = NETLBL_NLTYPE_UNLABELED;
1784 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
1788 netlbl_unlabel_acceptflg_set(1, &audit_info);