2 * NetLabel CIPSO/IPv4 Support
4 * This file defines the CIPSO/IPv4 functions for the NetLabel system. The
5 * NetLabel system manages static and dynamic label mappings for network
6 * protocols such as CIPSO and RIPSO.
8 * Author: Paul Moore <paul.moore@hp.com>
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
23 * the GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
31 #include <linux/types.h>
32 #include <linux/socket.h>
33 #include <linux/string.h>
34 #include <linux/skbuff.h>
35 #include <linux/audit.h>
37 #include <net/netlink.h>
38 #include <net/genetlink.h>
39 #include <net/netlabel.h>
40 #include <net/cipso_ipv4.h>
42 #include "netlabel_user.h"
43 #include "netlabel_cipso_v4.h"
45 /* Argument struct for cipso_v4_doi_walk() */
46 struct netlbl_cipsov4_doiwalk_arg {
47 struct netlink_callback *nl_cb;
52 /* NetLabel Generic NETLINK CIPSOv4 family */
53 static struct genl_family netlbl_cipsov4_gnl_family = {
54 .id = GENL_ID_GENERATE,
56 .name = NETLBL_NLTYPE_CIPSOV4_NAME,
57 .version = NETLBL_PROTO_VERSION,
58 .maxattr = NLBL_CIPSOV4_A_MAX,
61 /* NetLabel Netlink attribute policy */
62 static struct nla_policy netlbl_cipsov4_genl_policy[NLBL_CIPSOV4_A_MAX + 1] = {
63 [NLBL_CIPSOV4_A_DOI] = { .type = NLA_U32 },
64 [NLBL_CIPSOV4_A_MTYPE] = { .type = NLA_U32 },
65 [NLBL_CIPSOV4_A_TAG] = { .type = NLA_U8 },
66 [NLBL_CIPSOV4_A_TAGLST] = { .type = NLA_NESTED },
67 [NLBL_CIPSOV4_A_MLSLVLLOC] = { .type = NLA_U32 },
68 [NLBL_CIPSOV4_A_MLSLVLREM] = { .type = NLA_U32 },
69 [NLBL_CIPSOV4_A_MLSLVL] = { .type = NLA_NESTED },
70 [NLBL_CIPSOV4_A_MLSLVLLST] = { .type = NLA_NESTED },
71 [NLBL_CIPSOV4_A_MLSCATLOC] = { .type = NLA_U32 },
72 [NLBL_CIPSOV4_A_MLSCATREM] = { .type = NLA_U32 },
73 [NLBL_CIPSOV4_A_MLSCAT] = { .type = NLA_NESTED },
74 [NLBL_CIPSOV4_A_MLSCATLST] = { .type = NLA_NESTED },
82 * netlbl_cipsov4_doi_free - Frees a CIPSO V4 DOI definition
83 * @entry: the entry's RCU field
86 * This function is designed to be used as a callback to the call_rcu()
87 * function so that the memory allocated to the DOI definition can be released
91 static void netlbl_cipsov4_doi_free(struct rcu_head *entry)
93 struct cipso_v4_doi *ptr;
95 ptr = container_of(entry, struct cipso_v4_doi, rcu);
97 case CIPSO_V4_MAP_STD:
98 kfree(ptr->map.std->lvl.cipso);
99 kfree(ptr->map.std->lvl.local);
100 kfree(ptr->map.std->cat.cipso);
101 kfree(ptr->map.std->cat.local);
108 * netlbl_cipsov4_add_common - Parse the common sections of a ADD message
109 * @info: the Generic NETLINK info block
110 * @doi_def: the CIPSO V4 DOI definition
113 * Parse the common sections of a ADD message and fill in the related values
114 * in @doi_def. Returns zero on success, negative values on failure.
117 static int netlbl_cipsov4_add_common(struct genl_info *info,
118 struct cipso_v4_doi *doi_def)
124 doi_def->doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
126 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_TAGLST],
128 netlbl_cipsov4_genl_policy) != 0)
131 nla_for_each_nested(nla, info->attrs[NLBL_CIPSOV4_A_TAGLST], nla_rem)
132 if (nla->nla_type == NLBL_CIPSOV4_A_TAG) {
133 if (iter > CIPSO_V4_TAG_MAXCNT)
135 doi_def->tags[iter++] = nla_get_u8(nla);
137 if (iter < CIPSO_V4_TAG_MAXCNT)
138 doi_def->tags[iter] = CIPSO_V4_TAG_INVALID;
144 * NetLabel Command Handlers
148 * netlbl_cipsov4_add_std - Adds a CIPSO V4 DOI definition
149 * @info: the Generic NETLINK info block
152 * Create a new CIPSO_V4_MAP_STD DOI definition based on the given ADD message
153 * and add it to the CIPSO V4 engine. Return zero on success and non-zero on
157 static int netlbl_cipsov4_add_std(struct genl_info *info)
159 int ret_val = -EINVAL;
160 struct cipso_v4_doi *doi_def = NULL;
161 struct nlattr *nla_a;
162 struct nlattr *nla_b;
166 if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
167 !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
170 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
172 netlbl_cipsov4_genl_policy) != 0)
175 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
178 doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL);
179 if (doi_def->map.std == NULL) {
181 goto add_std_failure;
183 doi_def->type = CIPSO_V4_MAP_STD;
185 ret_val = netlbl_cipsov4_add_common(info, doi_def);
187 goto add_std_failure;
189 nla_for_each_nested(nla_a,
190 info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
192 if (nla_a->nla_type == NLBL_CIPSOV4_A_MLSLVL) {
193 nla_for_each_nested(nla_b, nla_a, nla_b_rem)
194 switch (nla_b->nla_type) {
195 case NLBL_CIPSOV4_A_MLSLVLLOC:
196 if (nla_get_u32(nla_b) >=
197 doi_def->map.std->lvl.local_size)
198 doi_def->map.std->lvl.local_size =
199 nla_get_u32(nla_b) + 1;
201 case NLBL_CIPSOV4_A_MLSLVLREM:
202 if (nla_get_u32(nla_b) >=
203 doi_def->map.std->lvl.cipso_size)
204 doi_def->map.std->lvl.cipso_size =
205 nla_get_u32(nla_b) + 1;
209 if (doi_def->map.std->lvl.local_size > CIPSO_V4_MAX_LOC_LVLS ||
210 doi_def->map.std->lvl.cipso_size > CIPSO_V4_MAX_REM_LVLS)
211 goto add_std_failure;
212 doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size,
215 if (doi_def->map.std->lvl.local == NULL) {
217 goto add_std_failure;
219 doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size,
222 if (doi_def->map.std->lvl.cipso == NULL) {
224 goto add_std_failure;
226 nla_for_each_nested(nla_a,
227 info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
229 if (nla_a->nla_type == NLBL_CIPSOV4_A_MLSLVL) {
230 struct nlattr *lvl_loc;
231 struct nlattr *lvl_rem;
233 if (nla_validate_nested(nla_a,
235 netlbl_cipsov4_genl_policy) != 0)
236 goto add_std_failure;
238 lvl_loc = nla_find_nested(nla_a,
239 NLBL_CIPSOV4_A_MLSLVLLOC);
240 lvl_rem = nla_find_nested(nla_a,
241 NLBL_CIPSOV4_A_MLSLVLREM);
242 if (lvl_loc == NULL || lvl_rem == NULL)
243 goto add_std_failure;
244 doi_def->map.std->lvl.local[nla_get_u32(lvl_loc)] =
245 nla_get_u32(lvl_rem);
246 doi_def->map.std->lvl.cipso[nla_get_u32(lvl_rem)] =
247 nla_get_u32(lvl_loc);
250 if (info->attrs[NLBL_CIPSOV4_A_MLSCATLST]) {
251 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
253 netlbl_cipsov4_genl_policy) != 0)
254 goto add_std_failure;
256 nla_for_each_nested(nla_a,
257 info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
259 if (nla_a->nla_type == NLBL_CIPSOV4_A_MLSCAT) {
260 if (nla_validate_nested(nla_a,
262 netlbl_cipsov4_genl_policy) != 0)
263 goto add_std_failure;
264 nla_for_each_nested(nla_b, nla_a, nla_b_rem)
265 switch (nla_b->nla_type) {
266 case NLBL_CIPSOV4_A_MLSCATLOC:
267 if (nla_get_u32(nla_b) >=
268 doi_def->map.std->cat.local_size)
269 doi_def->map.std->cat.local_size =
270 nla_get_u32(nla_b) + 1;
272 case NLBL_CIPSOV4_A_MLSCATREM:
273 if (nla_get_u32(nla_b) >=
274 doi_def->map.std->cat.cipso_size)
275 doi_def->map.std->cat.cipso_size =
276 nla_get_u32(nla_b) + 1;
280 if (doi_def->map.std->cat.local_size > CIPSO_V4_MAX_LOC_CATS ||
281 doi_def->map.std->cat.cipso_size > CIPSO_V4_MAX_REM_CATS)
282 goto add_std_failure;
283 doi_def->map.std->cat.local = kcalloc(
284 doi_def->map.std->cat.local_size,
287 if (doi_def->map.std->cat.local == NULL) {
289 goto add_std_failure;
291 doi_def->map.std->cat.cipso = kcalloc(
292 doi_def->map.std->cat.cipso_size,
295 if (doi_def->map.std->cat.cipso == NULL) {
297 goto add_std_failure;
299 nla_for_each_nested(nla_a,
300 info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
302 if (nla_a->nla_type == NLBL_CIPSOV4_A_MLSCAT) {
303 struct nlattr *cat_loc;
304 struct nlattr *cat_rem;
306 cat_loc = nla_find_nested(nla_a,
307 NLBL_CIPSOV4_A_MLSCATLOC);
308 cat_rem = nla_find_nested(nla_a,
309 NLBL_CIPSOV4_A_MLSCATREM);
310 if (cat_loc == NULL || cat_rem == NULL)
311 goto add_std_failure;
312 doi_def->map.std->cat.local[
313 nla_get_u32(cat_loc)] =
314 nla_get_u32(cat_rem);
315 doi_def->map.std->cat.cipso[
316 nla_get_u32(cat_rem)] =
317 nla_get_u32(cat_loc);
321 ret_val = cipso_v4_doi_add(doi_def);
323 goto add_std_failure;
328 netlbl_cipsov4_doi_free(&doi_def->rcu);
333 * netlbl_cipsov4_add_pass - Adds a CIPSO V4 DOI definition
334 * @info: the Generic NETLINK info block
337 * Create a new CIPSO_V4_MAP_PASS DOI definition based on the given ADD message
338 * and add it to the CIPSO V4 engine. Return zero on success and non-zero on
342 static int netlbl_cipsov4_add_pass(struct genl_info *info)
345 struct cipso_v4_doi *doi_def = NULL;
347 if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
350 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
353 doi_def->type = CIPSO_V4_MAP_PASS;
355 ret_val = netlbl_cipsov4_add_common(info, doi_def);
357 goto add_pass_failure;
359 ret_val = cipso_v4_doi_add(doi_def);
361 goto add_pass_failure;
365 netlbl_cipsov4_doi_free(&doi_def->rcu);
370 * netlbl_cipsov4_add - Handle an ADD message
371 * @skb: the NETLINK buffer
372 * @info: the Generic NETLINK info block
375 * Create a new DOI definition based on the given ADD message and add it to the
376 * CIPSO V4 engine. Returns zero on success, negative values on failure.
379 static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
382 int ret_val = -EINVAL;
385 const char *type_str = "(unknown)";
386 struct audit_buffer *audit_buf;
387 struct netlbl_audit audit_info;
389 if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
390 !info->attrs[NLBL_CIPSOV4_A_MTYPE])
393 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
394 netlbl_netlink_auditinfo(skb, &audit_info);
396 type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
398 case CIPSO_V4_MAP_STD:
400 ret_val = netlbl_cipsov4_add_std(info);
402 case CIPSO_V4_MAP_PASS:
404 ret_val = netlbl_cipsov4_add_pass(info);
408 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
410 audit_log_format(audit_buf,
411 " cipso_doi=%u cipso_type=%s res=%u",
414 ret_val == 0 ? 1 : 0);
415 audit_log_end(audit_buf);
421 * netlbl_cipsov4_list - Handle a LIST message
422 * @skb: the NETLINK buffer
423 * @info: the Generic NETLINK info block
426 * Process a user generated LIST message and respond accordingly. While the
427 * response message generated by the kernel is straightforward, determining
428 * before hand the size of the buffer to allocate is not (we have to generate
429 * the message to know the size). In order to keep this function sane what we
430 * do is allocate a buffer of NLMSG_GOODSIZE and try to fit the response in
431 * that size, if we fail then we restart with a larger buffer and try again.
432 * We continue in this manner until we hit a limit of failed attempts then we
433 * give up and just send an error message. Returns zero on success and
434 * negative values on error.
437 static int netlbl_cipsov4_list(struct sk_buff *skb, struct genl_info *info)
440 struct sk_buff *ans_skb = NULL;
444 struct nlattr *nla_a;
445 struct nlattr *nla_b;
446 struct cipso_v4_doi *doi_def;
449 if (!info->attrs[NLBL_CIPSOV4_A_DOI]) {
455 ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE * nlsze_mult, GFP_KERNEL);
456 if (ans_skb == NULL) {
460 data = genlmsg_put_reply(ans_skb, info, &netlbl_cipsov4_gnl_family,
461 0, NLBL_CIPSOV4_C_LIST);
467 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
470 doi_def = cipso_v4_doi_getdef(doi);
471 if (doi_def == NULL) {
476 ret_val = nla_put_u32(ans_skb, NLBL_CIPSOV4_A_MTYPE, doi_def->type);
478 goto list_failure_lock;
480 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_TAGLST);
483 goto list_failure_lock;
486 iter < CIPSO_V4_TAG_MAXCNT &&
487 doi_def->tags[iter] != CIPSO_V4_TAG_INVALID;
489 ret_val = nla_put_u8(ans_skb,
491 doi_def->tags[iter]);
493 goto list_failure_lock;
495 nla_nest_end(ans_skb, nla_a);
497 switch (doi_def->type) {
498 case CIPSO_V4_MAP_STD:
499 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVLLST);
502 goto list_failure_lock;
505 iter < doi_def->map.std->lvl.local_size;
507 if (doi_def->map.std->lvl.local[iter] ==
511 nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVL);
516 ret_val = nla_put_u32(ans_skb,
517 NLBL_CIPSOV4_A_MLSLVLLOC,
521 ret_val = nla_put_u32(ans_skb,
522 NLBL_CIPSOV4_A_MLSLVLREM,
523 doi_def->map.std->lvl.local[iter]);
526 nla_nest_end(ans_skb, nla_b);
528 nla_nest_end(ans_skb, nla_a);
530 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCATLST);
536 iter < doi_def->map.std->cat.local_size;
538 if (doi_def->map.std->cat.local[iter] ==
542 nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCAT);
547 ret_val = nla_put_u32(ans_skb,
548 NLBL_CIPSOV4_A_MLSCATLOC,
552 ret_val = nla_put_u32(ans_skb,
553 NLBL_CIPSOV4_A_MLSCATREM,
554 doi_def->map.std->cat.local[iter]);
557 nla_nest_end(ans_skb, nla_b);
559 nla_nest_end(ans_skb, nla_a);
565 genlmsg_end(ans_skb, data);
567 ret_val = genlmsg_reply(ans_skb, info);
574 /* XXX - this limit is a guesstimate */
575 if (nlsze_mult < 4) {
589 * netlbl_cipsov4_listall_cb - cipso_v4_doi_walk() callback for LISTALL
590 * @doi_def: the CIPSOv4 DOI definition
591 * @arg: the netlbl_cipsov4_doiwalk_arg structure
594 * This function is designed to be used as a callback to the
595 * cipso_v4_doi_walk() function for use in generating a response for a LISTALL
596 * message. Returns the size of the message on success, negative values on
600 static int netlbl_cipsov4_listall_cb(struct cipso_v4_doi *doi_def, void *arg)
602 int ret_val = -ENOMEM;
603 struct netlbl_cipsov4_doiwalk_arg *cb_arg = arg;
606 data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).pid,
607 cb_arg->seq, &netlbl_cipsov4_gnl_family,
608 NLM_F_MULTI, NLBL_CIPSOV4_C_LISTALL);
610 goto listall_cb_failure;
612 ret_val = nla_put_u32(cb_arg->skb, NLBL_CIPSOV4_A_DOI, doi_def->doi);
614 goto listall_cb_failure;
615 ret_val = nla_put_u32(cb_arg->skb,
616 NLBL_CIPSOV4_A_MTYPE,
619 goto listall_cb_failure;
621 return genlmsg_end(cb_arg->skb, data);
624 genlmsg_cancel(cb_arg->skb, data);
629 * netlbl_cipsov4_listall - Handle a LISTALL message
630 * @skb: the NETLINK buffer
631 * @cb: the NETLINK callback
634 * Process a user generated LISTALL message and respond accordingly. Returns
635 * zero on success and negative values on error.
638 static int netlbl_cipsov4_listall(struct sk_buff *skb,
639 struct netlink_callback *cb)
641 struct netlbl_cipsov4_doiwalk_arg cb_arg;
642 int doi_skip = cb->args[0];
646 cb_arg.seq = cb->nlh->nlmsg_seq;
648 cipso_v4_doi_walk(&doi_skip, netlbl_cipsov4_listall_cb, &cb_arg);
650 cb->args[0] = doi_skip;
655 * netlbl_cipsov4_remove - Handle a REMOVE message
656 * @skb: the NETLINK buffer
657 * @info: the Generic NETLINK info block
660 * Process a user generated REMOVE message and respond accordingly. Returns
661 * zero on success, negative values on failure.
664 static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
666 int ret_val = -EINVAL;
668 struct audit_buffer *audit_buf;
669 struct netlbl_audit audit_info;
671 if (!info->attrs[NLBL_CIPSOV4_A_DOI])
674 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
675 netlbl_netlink_auditinfo(skb, &audit_info);
677 ret_val = cipso_v4_doi_remove(doi,
679 netlbl_cipsov4_doi_free);
681 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
683 audit_log_format(audit_buf,
684 " cipso_doi=%u res=%u",
686 ret_val == 0 ? 1 : 0);
687 audit_log_end(audit_buf);
693 * NetLabel Generic NETLINK Command Definitions
696 static struct genl_ops netlbl_cipsov4_genl_c_add = {
697 .cmd = NLBL_CIPSOV4_C_ADD,
698 .flags = GENL_ADMIN_PERM,
699 .policy = netlbl_cipsov4_genl_policy,
700 .doit = netlbl_cipsov4_add,
704 static struct genl_ops netlbl_cipsov4_genl_c_remove = {
705 .cmd = NLBL_CIPSOV4_C_REMOVE,
706 .flags = GENL_ADMIN_PERM,
707 .policy = netlbl_cipsov4_genl_policy,
708 .doit = netlbl_cipsov4_remove,
712 static struct genl_ops netlbl_cipsov4_genl_c_list = {
713 .cmd = NLBL_CIPSOV4_C_LIST,
715 .policy = netlbl_cipsov4_genl_policy,
716 .doit = netlbl_cipsov4_list,
720 static struct genl_ops netlbl_cipsov4_genl_c_listall = {
721 .cmd = NLBL_CIPSOV4_C_LISTALL,
723 .policy = netlbl_cipsov4_genl_policy,
725 .dumpit = netlbl_cipsov4_listall,
729 * NetLabel Generic NETLINK Protocol Functions
733 * netlbl_cipsov4_genl_init - Register the CIPSOv4 NetLabel component
736 * Register the CIPSOv4 packet NetLabel component with the Generic NETLINK
737 * mechanism. Returns zero on success, negative values on failure.
740 int netlbl_cipsov4_genl_init(void)
744 ret_val = genl_register_family(&netlbl_cipsov4_gnl_family);
748 ret_val = genl_register_ops(&netlbl_cipsov4_gnl_family,
749 &netlbl_cipsov4_genl_c_add);
752 ret_val = genl_register_ops(&netlbl_cipsov4_gnl_family,
753 &netlbl_cipsov4_genl_c_remove);
756 ret_val = genl_register_ops(&netlbl_cipsov4_gnl_family,
757 &netlbl_cipsov4_genl_c_list);
760 ret_val = genl_register_ops(&netlbl_cipsov4_gnl_family,
761 &netlbl_cipsov4_genl_c_listall);
git://bbs.cooldavid.org / net-next-2.6.git / blob