2 * NetLabel CIPSO/IPv4 Support
4 * This file defines the CIPSO/IPv4 functions for the NetLabel system. The
5 * NetLabel system manages static and dynamic label mappings for network
6 * protocols such as CIPSO and RIPSO.
8 * Author: Paul Moore <paul.moore@hp.com>
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
23 * the GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
31 #include <linux/types.h>
32 #include <linux/socket.h>
33 #include <linux/string.h>
34 #include <linux/skbuff.h>
35 #include <linux/audit.h>
37 #include <net/netlink.h>
38 #include <net/genetlink.h>
39 #include <net/netlabel.h>
40 #include <net/cipso_ipv4.h>
41 #include <asm/atomic.h>
43 #include "netlabel_user.h"
44 #include "netlabel_cipso_v4.h"
45 #include "netlabel_mgmt.h"
47 /* Argument struct for cipso_v4_doi_walk() */
48 struct netlbl_cipsov4_doiwalk_arg {
49 struct netlink_callback *nl_cb;
54 /* NetLabel Generic NETLINK CIPSOv4 family */
55 static struct genl_family netlbl_cipsov4_gnl_family = {
56 .id = GENL_ID_GENERATE,
58 .name = NETLBL_NLTYPE_CIPSOV4_NAME,
59 .version = NETLBL_PROTO_VERSION,
60 .maxattr = NLBL_CIPSOV4_A_MAX,
63 /* NetLabel Netlink attribute policy */
64 static const struct nla_policy netlbl_cipsov4_genl_policy[NLBL_CIPSOV4_A_MAX + 1] = {
65 [NLBL_CIPSOV4_A_DOI] = { .type = NLA_U32 },
66 [NLBL_CIPSOV4_A_MTYPE] = { .type = NLA_U32 },
67 [NLBL_CIPSOV4_A_TAG] = { .type = NLA_U8 },
68 [NLBL_CIPSOV4_A_TAGLST] = { .type = NLA_NESTED },
69 [NLBL_CIPSOV4_A_MLSLVLLOC] = { .type = NLA_U32 },
70 [NLBL_CIPSOV4_A_MLSLVLREM] = { .type = NLA_U32 },
71 [NLBL_CIPSOV4_A_MLSLVL] = { .type = NLA_NESTED },
72 [NLBL_CIPSOV4_A_MLSLVLLST] = { .type = NLA_NESTED },
73 [NLBL_CIPSOV4_A_MLSCATLOC] = { .type = NLA_U32 },
74 [NLBL_CIPSOV4_A_MLSCATREM] = { .type = NLA_U32 },
75 [NLBL_CIPSOV4_A_MLSCAT] = { .type = NLA_NESTED },
76 [NLBL_CIPSOV4_A_MLSCATLST] = { .type = NLA_NESTED },
84 * netlbl_cipsov4_doi_free - Frees a CIPSO V4 DOI definition
85 * @entry: the entry's RCU field
88 * This function is designed to be used as a callback to the call_rcu()
89 * function so that the memory allocated to the DOI definition can be released
93 void netlbl_cipsov4_doi_free(struct rcu_head *entry)
95 struct cipso_v4_doi *ptr;
97 ptr = container_of(entry, struct cipso_v4_doi, rcu);
99 case CIPSO_V4_MAP_STD:
100 kfree(ptr->map.std->lvl.cipso);
101 kfree(ptr->map.std->lvl.local);
102 kfree(ptr->map.std->cat.cipso);
103 kfree(ptr->map.std->cat.local);
110 * netlbl_cipsov4_add_common - Parse the common sections of a ADD message
111 * @info: the Generic NETLINK info block
112 * @doi_def: the CIPSO V4 DOI definition
115 * Parse the common sections of a ADD message and fill in the related values
116 * in @doi_def. Returns zero on success, negative values on failure.
119 static int netlbl_cipsov4_add_common(struct genl_info *info,
120 struct cipso_v4_doi *doi_def)
126 doi_def->doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
128 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_TAGLST],
130 netlbl_cipsov4_genl_policy) != 0)
133 nla_for_each_nested(nla, info->attrs[NLBL_CIPSOV4_A_TAGLST], nla_rem)
134 if (nla_type(nla) == NLBL_CIPSOV4_A_TAG) {
135 if (iter >= CIPSO_V4_TAG_MAXCNT)
137 doi_def->tags[iter++] = nla_get_u8(nla);
139 while (iter < CIPSO_V4_TAG_MAXCNT)
140 doi_def->tags[iter++] = CIPSO_V4_TAG_INVALID;
146 * NetLabel Command Handlers
150 * netlbl_cipsov4_add_std - Adds a CIPSO V4 DOI definition
151 * @info: the Generic NETLINK info block
154 * Create a new CIPSO_V4_MAP_STD DOI definition based on the given ADD message
155 * and add it to the CIPSO V4 engine. Return zero on success and non-zero on
159 static int netlbl_cipsov4_add_std(struct genl_info *info)
161 int ret_val = -EINVAL;
162 struct cipso_v4_doi *doi_def = NULL;
163 struct nlattr *nla_a;
164 struct nlattr *nla_b;
169 if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
170 !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
173 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
175 netlbl_cipsov4_genl_policy) != 0)
178 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
181 doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL);
182 if (doi_def->map.std == NULL) {
184 goto add_std_failure;
186 doi_def->type = CIPSO_V4_MAP_STD;
188 ret_val = netlbl_cipsov4_add_common(info, doi_def);
190 goto add_std_failure;
193 nla_for_each_nested(nla_a,
194 info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
196 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) {
197 if (nla_validate_nested(nla_a,
199 netlbl_cipsov4_genl_policy) != 0)
200 goto add_std_failure;
201 nla_for_each_nested(nla_b, nla_a, nla_b_rem)
202 switch (nla_type(nla_b)) {
203 case NLBL_CIPSOV4_A_MLSLVLLOC:
204 if (nla_get_u32(nla_b) >
205 CIPSO_V4_MAX_LOC_LVLS)
206 goto add_std_failure;
207 if (nla_get_u32(nla_b) >=
208 doi_def->map.std->lvl.local_size)
209 doi_def->map.std->lvl.local_size =
210 nla_get_u32(nla_b) + 1;
212 case NLBL_CIPSOV4_A_MLSLVLREM:
213 if (nla_get_u32(nla_b) >
214 CIPSO_V4_MAX_REM_LVLS)
215 goto add_std_failure;
216 if (nla_get_u32(nla_b) >=
217 doi_def->map.std->lvl.cipso_size)
218 doi_def->map.std->lvl.cipso_size =
219 nla_get_u32(nla_b) + 1;
223 doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size,
226 if (doi_def->map.std->lvl.local == NULL) {
228 goto add_std_failure;
230 doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size,
233 if (doi_def->map.std->lvl.cipso == NULL) {
235 goto add_std_failure;
237 for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++)
238 doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL;
239 for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++)
240 doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL;
241 nla_for_each_nested(nla_a,
242 info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
244 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) {
245 struct nlattr *lvl_loc;
246 struct nlattr *lvl_rem;
248 lvl_loc = nla_find_nested(nla_a,
249 NLBL_CIPSOV4_A_MLSLVLLOC);
250 lvl_rem = nla_find_nested(nla_a,
251 NLBL_CIPSOV4_A_MLSLVLREM);
252 if (lvl_loc == NULL || lvl_rem == NULL)
253 goto add_std_failure;
254 doi_def->map.std->lvl.local[nla_get_u32(lvl_loc)] =
255 nla_get_u32(lvl_rem);
256 doi_def->map.std->lvl.cipso[nla_get_u32(lvl_rem)] =
257 nla_get_u32(lvl_loc);
260 if (info->attrs[NLBL_CIPSOV4_A_MLSCATLST]) {
261 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
263 netlbl_cipsov4_genl_policy) != 0)
264 goto add_std_failure;
266 nla_for_each_nested(nla_a,
267 info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
269 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) {
270 if (nla_validate_nested(nla_a,
272 netlbl_cipsov4_genl_policy) != 0)
273 goto add_std_failure;
274 nla_for_each_nested(nla_b, nla_a, nla_b_rem)
275 switch (nla_type(nla_b)) {
276 case NLBL_CIPSOV4_A_MLSCATLOC:
277 if (nla_get_u32(nla_b) >
278 CIPSO_V4_MAX_LOC_CATS)
279 goto add_std_failure;
280 if (nla_get_u32(nla_b) >=
281 doi_def->map.std->cat.local_size)
282 doi_def->map.std->cat.local_size =
283 nla_get_u32(nla_b) + 1;
285 case NLBL_CIPSOV4_A_MLSCATREM:
286 if (nla_get_u32(nla_b) >
287 CIPSO_V4_MAX_REM_CATS)
288 goto add_std_failure;
289 if (nla_get_u32(nla_b) >=
290 doi_def->map.std->cat.cipso_size)
291 doi_def->map.std->cat.cipso_size =
292 nla_get_u32(nla_b) + 1;
296 doi_def->map.std->cat.local = kcalloc(
297 doi_def->map.std->cat.local_size,
300 if (doi_def->map.std->cat.local == NULL) {
302 goto add_std_failure;
304 doi_def->map.std->cat.cipso = kcalloc(
305 doi_def->map.std->cat.cipso_size,
308 if (doi_def->map.std->cat.cipso == NULL) {
310 goto add_std_failure;
312 for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++)
313 doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT;
314 for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++)
315 doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT;
316 nla_for_each_nested(nla_a,
317 info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
319 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) {
320 struct nlattr *cat_loc;
321 struct nlattr *cat_rem;
323 cat_loc = nla_find_nested(nla_a,
324 NLBL_CIPSOV4_A_MLSCATLOC);
325 cat_rem = nla_find_nested(nla_a,
326 NLBL_CIPSOV4_A_MLSCATREM);
327 if (cat_loc == NULL || cat_rem == NULL)
328 goto add_std_failure;
329 doi_def->map.std->cat.local[
330 nla_get_u32(cat_loc)] =
331 nla_get_u32(cat_rem);
332 doi_def->map.std->cat.cipso[
333 nla_get_u32(cat_rem)] =
334 nla_get_u32(cat_loc);
338 ret_val = cipso_v4_doi_add(doi_def);
340 goto add_std_failure;
345 netlbl_cipsov4_doi_free(&doi_def->rcu);
350 * netlbl_cipsov4_add_pass - Adds a CIPSO V4 DOI definition
351 * @info: the Generic NETLINK info block
354 * Create a new CIPSO_V4_MAP_PASS DOI definition based on the given ADD message
355 * and add it to the CIPSO V4 engine. Return zero on success and non-zero on
359 static int netlbl_cipsov4_add_pass(struct genl_info *info)
362 struct cipso_v4_doi *doi_def = NULL;
364 if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
367 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
370 doi_def->type = CIPSO_V4_MAP_PASS;
372 ret_val = netlbl_cipsov4_add_common(info, doi_def);
374 goto add_pass_failure;
376 ret_val = cipso_v4_doi_add(doi_def);
378 goto add_pass_failure;
382 netlbl_cipsov4_doi_free(&doi_def->rcu);
387 * netlbl_cipsov4_add - Handle an ADD message
388 * @skb: the NETLINK buffer
389 * @info: the Generic NETLINK info block
392 * Create a new DOI definition based on the given ADD message and add it to the
393 * CIPSO V4 engine. Returns zero on success, negative values on failure.
396 static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
399 int ret_val = -EINVAL;
402 const char *type_str = "(unknown)";
403 struct audit_buffer *audit_buf;
404 struct netlbl_audit audit_info;
406 if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
407 !info->attrs[NLBL_CIPSOV4_A_MTYPE])
410 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
411 netlbl_netlink_auditinfo(skb, &audit_info);
413 type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
415 case CIPSO_V4_MAP_STD:
417 ret_val = netlbl_cipsov4_add_std(info);
419 case CIPSO_V4_MAP_PASS:
421 ret_val = netlbl_cipsov4_add_pass(info);
425 atomic_inc(&netlabel_mgmt_protocount);
427 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
429 if (audit_buf != NULL) {
430 audit_log_format(audit_buf,
431 " cipso_doi=%u cipso_type=%s res=%u",
434 ret_val == 0 ? 1 : 0);
435 audit_log_end(audit_buf);
442 * netlbl_cipsov4_list - Handle a LIST message
443 * @skb: the NETLINK buffer
444 * @info: the Generic NETLINK info block
447 * Process a user generated LIST message and respond accordingly. While the
448 * response message generated by the kernel is straightforward, determining
449 * before hand the size of the buffer to allocate is not (we have to generate
450 * the message to know the size). In order to keep this function sane what we
451 * do is allocate a buffer of NLMSG_GOODSIZE and try to fit the response in
452 * that size, if we fail then we restart with a larger buffer and try again.
453 * We continue in this manner until we hit a limit of failed attempts then we
454 * give up and just send an error message. Returns zero on success and
455 * negative values on error.
458 static int netlbl_cipsov4_list(struct sk_buff *skb, struct genl_info *info)
461 struct sk_buff *ans_skb = NULL;
465 struct nlattr *nla_a;
466 struct nlattr *nla_b;
467 struct cipso_v4_doi *doi_def;
470 if (!info->attrs[NLBL_CIPSOV4_A_DOI]) {
476 ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE * nlsze_mult, GFP_KERNEL);
477 if (ans_skb == NULL) {
481 data = genlmsg_put_reply(ans_skb, info, &netlbl_cipsov4_gnl_family,
482 0, NLBL_CIPSOV4_C_LIST);
488 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
491 doi_def = cipso_v4_doi_getdef(doi);
492 if (doi_def == NULL) {
497 ret_val = nla_put_u32(ans_skb, NLBL_CIPSOV4_A_MTYPE, doi_def->type);
499 goto list_failure_lock;
501 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_TAGLST);
504 goto list_failure_lock;
507 iter < CIPSO_V4_TAG_MAXCNT &&
508 doi_def->tags[iter] != CIPSO_V4_TAG_INVALID;
510 ret_val = nla_put_u8(ans_skb,
512 doi_def->tags[iter]);
514 goto list_failure_lock;
516 nla_nest_end(ans_skb, nla_a);
518 switch (doi_def->type) {
519 case CIPSO_V4_MAP_STD:
520 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVLLST);
523 goto list_failure_lock;
526 iter < doi_def->map.std->lvl.local_size;
528 if (doi_def->map.std->lvl.local[iter] ==
532 nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVL);
537 ret_val = nla_put_u32(ans_skb,
538 NLBL_CIPSOV4_A_MLSLVLLOC,
542 ret_val = nla_put_u32(ans_skb,
543 NLBL_CIPSOV4_A_MLSLVLREM,
544 doi_def->map.std->lvl.local[iter]);
547 nla_nest_end(ans_skb, nla_b);
549 nla_nest_end(ans_skb, nla_a);
551 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCATLST);
557 iter < doi_def->map.std->cat.local_size;
559 if (doi_def->map.std->cat.local[iter] ==
563 nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCAT);
568 ret_val = nla_put_u32(ans_skb,
569 NLBL_CIPSOV4_A_MLSCATLOC,
573 ret_val = nla_put_u32(ans_skb,
574 NLBL_CIPSOV4_A_MLSCATREM,
575 doi_def->map.std->cat.local[iter]);
578 nla_nest_end(ans_skb, nla_b);
580 nla_nest_end(ans_skb, nla_a);
586 genlmsg_end(ans_skb, data);
587 return genlmsg_reply(ans_skb, info);
590 /* XXX - this limit is a guesstimate */
591 if (nlsze_mult < 4) {
605 * netlbl_cipsov4_listall_cb - cipso_v4_doi_walk() callback for LISTALL
606 * @doi_def: the CIPSOv4 DOI definition
607 * @arg: the netlbl_cipsov4_doiwalk_arg structure
610 * This function is designed to be used as a callback to the
611 * cipso_v4_doi_walk() function for use in generating a response for a LISTALL
612 * message. Returns the size of the message on success, negative values on
616 static int netlbl_cipsov4_listall_cb(struct cipso_v4_doi *doi_def, void *arg)
618 int ret_val = -ENOMEM;
619 struct netlbl_cipsov4_doiwalk_arg *cb_arg = arg;
622 data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).pid,
623 cb_arg->seq, &netlbl_cipsov4_gnl_family,
624 NLM_F_MULTI, NLBL_CIPSOV4_C_LISTALL);
626 goto listall_cb_failure;
628 ret_val = nla_put_u32(cb_arg->skb, NLBL_CIPSOV4_A_DOI, doi_def->doi);
630 goto listall_cb_failure;
631 ret_val = nla_put_u32(cb_arg->skb,
632 NLBL_CIPSOV4_A_MTYPE,
635 goto listall_cb_failure;
637 return genlmsg_end(cb_arg->skb, data);
640 genlmsg_cancel(cb_arg->skb, data);
645 * netlbl_cipsov4_listall - Handle a LISTALL message
646 * @skb: the NETLINK buffer
647 * @cb: the NETLINK callback
650 * Process a user generated LISTALL message and respond accordingly. Returns
651 * zero on success and negative values on error.
654 static int netlbl_cipsov4_listall(struct sk_buff *skb,
655 struct netlink_callback *cb)
657 struct netlbl_cipsov4_doiwalk_arg cb_arg;
658 int doi_skip = cb->args[0];
662 cb_arg.seq = cb->nlh->nlmsg_seq;
664 cipso_v4_doi_walk(&doi_skip, netlbl_cipsov4_listall_cb, &cb_arg);
666 cb->args[0] = doi_skip;
671 * netlbl_cipsov4_remove - Handle a REMOVE message
672 * @skb: the NETLINK buffer
673 * @info: the Generic NETLINK info block
676 * Process a user generated REMOVE message and respond accordingly. Returns
677 * zero on success, negative values on failure.
680 static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
682 int ret_val = -EINVAL;
684 struct audit_buffer *audit_buf;
685 struct netlbl_audit audit_info;
687 if (!info->attrs[NLBL_CIPSOV4_A_DOI])
690 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
691 netlbl_netlink_auditinfo(skb, &audit_info);
693 ret_val = cipso_v4_doi_remove(doi,
695 netlbl_cipsov4_doi_free);
697 atomic_dec(&netlabel_mgmt_protocount);
699 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
701 if (audit_buf != NULL) {
702 audit_log_format(audit_buf,
703 " cipso_doi=%u res=%u",
705 ret_val == 0 ? 1 : 0);
706 audit_log_end(audit_buf);
713 * NetLabel Generic NETLINK Command Definitions
716 static struct genl_ops netlbl_cipsov4_ops[] = {
718 .cmd = NLBL_CIPSOV4_C_ADD,
719 .flags = GENL_ADMIN_PERM,
720 .policy = netlbl_cipsov4_genl_policy,
721 .doit = netlbl_cipsov4_add,
725 .cmd = NLBL_CIPSOV4_C_REMOVE,
726 .flags = GENL_ADMIN_PERM,
727 .policy = netlbl_cipsov4_genl_policy,
728 .doit = netlbl_cipsov4_remove,
732 .cmd = NLBL_CIPSOV4_C_LIST,
734 .policy = netlbl_cipsov4_genl_policy,
735 .doit = netlbl_cipsov4_list,
739 .cmd = NLBL_CIPSOV4_C_LISTALL,
741 .policy = netlbl_cipsov4_genl_policy,
743 .dumpit = netlbl_cipsov4_listall,
748 * NetLabel Generic NETLINK Protocol Functions
752 * netlbl_cipsov4_genl_init - Register the CIPSOv4 NetLabel component
755 * Register the CIPSOv4 packet NetLabel component with the Generic NETLINK
756 * mechanism. Returns zero on success, negative values on failure.
759 int __init netlbl_cipsov4_genl_init(void)
763 ret_val = genl_register_family(&netlbl_cipsov4_gnl_family);
767 for (i = 0; i < ARRAY_SIZE(netlbl_cipsov4_ops); i++) {
768 ret_val = genl_register_ops(&netlbl_cipsov4_gnl_family,
769 &netlbl_cipsov4_ops[i]);
projects / linux-2.6 / blob