1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * NetLabel CALIPSO/IPv6 Support
5 * This file defines the CALIPSO/IPv6 functions for the NetLabel system. The
6 * NetLabel system manages static and dynamic label mappings for network
7 * protocols such as CIPSO and CALIPSO.
9 * Authors: Paul Moore <paul@paul-moore.com>
10 * Huw Davies <huw@codeweavers.com>
13 /* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
14 * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015
17 #include <linux/types.h>
18 #include <linux/socket.h>
19 #include <linux/string.h>
20 #include <linux/skbuff.h>
21 #include <linux/audit.h>
22 #include <linux/slab.h>
24 #include <net/netlink.h>
25 #include <net/genetlink.h>
26 #include <net/netlabel.h>
27 #include <net/calipso.h>
28 #include <linux/atomic.h>
30 #include "netlabel_user.h"
31 #include "netlabel_calipso.h"
32 #include "netlabel_mgmt.h"
33 #include "netlabel_domainhash.h"
35 /* Argument struct for calipso_doi_walk() */
36 struct netlbl_calipso_doiwalk_arg {
37 struct netlink_callback *nl_cb;
42 /* Argument struct for netlbl_domhsh_walk() */
43 struct netlbl_domhsh_walk_arg {
44 struct netlbl_audit *audit_info;
48 /* NetLabel Generic NETLINK CALIPSO family */
49 static struct genl_family netlbl_calipso_gnl_family;
51 /* NetLabel Netlink attribute policy */
52 static const struct nla_policy calipso_genl_policy[NLBL_CALIPSO_A_MAX + 1] = {
53 [NLBL_CALIPSO_A_DOI] = { .type = NLA_U32 },
54 [NLBL_CALIPSO_A_MTYPE] = { .type = NLA_U32 },
57 /* NetLabel Command Handlers
60 * netlbl_calipso_add_pass - Adds a CALIPSO pass DOI definition
61 * @info: the Generic NETLINK info block
62 * @audit_info: NetLabel audit information
65 * Create a new CALIPSO_MAP_PASS DOI definition based on the given ADD message
66 * and add it to the CALIPSO engine. Return zero on success and non-zero on
70 static int netlbl_calipso_add_pass(struct genl_info *info,
71 struct netlbl_audit *audit_info)
74 struct calipso_doi *doi_def = NULL;
76 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
79 doi_def->type = CALIPSO_MAP_PASS;
80 doi_def->doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]);
81 ret_val = calipso_doi_add(doi_def, audit_info);
83 calipso_doi_free(doi_def);
89 * netlbl_calipso_add - Handle an ADD message
90 * @skb: the NETLINK buffer
91 * @info: the Generic NETLINK info block
94 * Create a new DOI definition based on the given ADD message and add it to the
95 * CALIPSO engine. Returns zero on success, negative values on failure.
98 static int netlbl_calipso_add(struct sk_buff *skb, struct genl_info *info)
101 int ret_val = -EINVAL;
102 struct netlbl_audit audit_info;
104 if (!info->attrs[NLBL_CALIPSO_A_DOI] ||
105 !info->attrs[NLBL_CALIPSO_A_MTYPE])
108 netlbl_netlink_auditinfo(skb, &audit_info);
109 switch (nla_get_u32(info->attrs[NLBL_CALIPSO_A_MTYPE])) {
110 case CALIPSO_MAP_PASS:
111 ret_val = netlbl_calipso_add_pass(info, &audit_info);
115 atomic_inc(&netlabel_mgmt_protocount);
121 * netlbl_calipso_list - Handle a LIST message
122 * @skb: the NETLINK buffer
123 * @info: the Generic NETLINK info block
126 * Process a user generated LIST message and respond accordingly.
127 * Returns zero on success and negative values on error.
130 static int netlbl_calipso_list(struct sk_buff *skb, struct genl_info *info)
133 struct sk_buff *ans_skb = NULL;
136 struct calipso_doi *doi_def;
138 if (!info->attrs[NLBL_CALIPSO_A_DOI]) {
143 doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]);
145 doi_def = calipso_doi_getdef(doi);
151 ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
154 goto list_failure_put;
156 data = genlmsg_put_reply(ans_skb, info, &netlbl_calipso_gnl_family,
157 0, NLBL_CALIPSO_C_LIST);
160 goto list_failure_put;
163 ret_val = nla_put_u32(ans_skb, NLBL_CALIPSO_A_MTYPE, doi_def->type);
165 goto list_failure_put;
167 calipso_doi_putdef(doi_def);
169 genlmsg_end(ans_skb, data);
170 return genlmsg_reply(ans_skb, info);
173 calipso_doi_putdef(doi_def);
180 * netlbl_calipso_listall_cb - calipso_doi_walk() callback for LISTALL
181 * @doi_def: the CALIPSO DOI definition
182 * @arg: the netlbl_calipso_doiwalk_arg structure
185 * This function is designed to be used as a callback to the
186 * calipso_doi_walk() function for use in generating a response for a LISTALL
187 * message. Returns the size of the message on success, negative values on
191 static int netlbl_calipso_listall_cb(struct calipso_doi *doi_def, void *arg)
193 int ret_val = -ENOMEM;
194 struct netlbl_calipso_doiwalk_arg *cb_arg = arg;
197 data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
198 cb_arg->seq, &netlbl_calipso_gnl_family,
199 NLM_F_MULTI, NLBL_CALIPSO_C_LISTALL);
201 goto listall_cb_failure;
203 ret_val = nla_put_u32(cb_arg->skb, NLBL_CALIPSO_A_DOI, doi_def->doi);
205 goto listall_cb_failure;
206 ret_val = nla_put_u32(cb_arg->skb,
207 NLBL_CALIPSO_A_MTYPE,
210 goto listall_cb_failure;
212 genlmsg_end(cb_arg->skb, data);
216 genlmsg_cancel(cb_arg->skb, data);
221 * netlbl_calipso_listall - Handle a LISTALL message
222 * @skb: the NETLINK buffer
223 * @cb: the NETLINK callback
226 * Process a user generated LISTALL message and respond accordingly. Returns
227 * zero on success and negative values on error.
230 static int netlbl_calipso_listall(struct sk_buff *skb,
231 struct netlink_callback *cb)
233 struct netlbl_calipso_doiwalk_arg cb_arg;
234 u32 doi_skip = cb->args[0];
238 cb_arg.seq = cb->nlh->nlmsg_seq;
240 calipso_doi_walk(&doi_skip, netlbl_calipso_listall_cb, &cb_arg);
242 cb->args[0] = doi_skip;
247 * netlbl_calipso_remove_cb - netlbl_calipso_remove() callback for REMOVE
248 * @entry: LSM domain mapping entry
249 * @arg: the netlbl_domhsh_walk_arg structure
252 * This function is intended for use by netlbl_calipso_remove() as the callback
253 * for the netlbl_domhsh_walk() function; it removes LSM domain map entries
254 * which are associated with the CALIPSO DOI specified in @arg. Returns zero on
255 * success, negative values on failure.
258 static int netlbl_calipso_remove_cb(struct netlbl_dom_map *entry, void *arg)
260 struct netlbl_domhsh_walk_arg *cb_arg = arg;
262 if (entry->def.type == NETLBL_NLTYPE_CALIPSO &&
263 entry->def.calipso->doi == cb_arg->doi)
264 return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info);
270 * netlbl_calipso_remove - Handle a REMOVE message
271 * @skb: the NETLINK buffer
272 * @info: the Generic NETLINK info block
275 * Process a user generated REMOVE message and respond accordingly. Returns
276 * zero on success, negative values on failure.
279 static int netlbl_calipso_remove(struct sk_buff *skb, struct genl_info *info)
281 int ret_val = -EINVAL;
282 struct netlbl_domhsh_walk_arg cb_arg;
283 struct netlbl_audit audit_info;
287 if (!info->attrs[NLBL_CALIPSO_A_DOI])
290 netlbl_netlink_auditinfo(skb, &audit_info);
291 cb_arg.doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]);
292 cb_arg.audit_info = &audit_info;
293 ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain,
294 netlbl_calipso_remove_cb, &cb_arg);
295 if (ret_val == 0 || ret_val == -ENOENT) {
296 ret_val = calipso_doi_remove(cb_arg.doi, &audit_info);
298 atomic_dec(&netlabel_mgmt_protocount);
304 /* NetLabel Generic NETLINK Command Definitions
307 static const struct genl_small_ops netlbl_calipso_ops[] = {
309 .cmd = NLBL_CALIPSO_C_ADD,
310 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
311 .flags = GENL_ADMIN_PERM,
312 .doit = netlbl_calipso_add,
316 .cmd = NLBL_CALIPSO_C_REMOVE,
317 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
318 .flags = GENL_ADMIN_PERM,
319 .doit = netlbl_calipso_remove,
323 .cmd = NLBL_CALIPSO_C_LIST,
324 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
326 .doit = netlbl_calipso_list,
330 .cmd = NLBL_CALIPSO_C_LISTALL,
331 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
334 .dumpit = netlbl_calipso_listall,
338 static struct genl_family netlbl_calipso_gnl_family __ro_after_init = {
340 .name = NETLBL_NLTYPE_CALIPSO_NAME,
341 .version = NETLBL_PROTO_VERSION,
342 .maxattr = NLBL_CALIPSO_A_MAX,
343 .policy = calipso_genl_policy,
344 .module = THIS_MODULE,
345 .small_ops = netlbl_calipso_ops,
346 .n_small_ops = ARRAY_SIZE(netlbl_calipso_ops),
349 /* NetLabel Generic NETLINK Protocol Functions
353 * netlbl_calipso_genl_init - Register the CALIPSO NetLabel component
356 * Register the CALIPSO packet NetLabel component with the Generic NETLINK
357 * mechanism. Returns zero on success, negative values on failure.
360 int __init netlbl_calipso_genl_init(void)
362 return genl_register_family(&netlbl_calipso_gnl_family);
365 static const struct netlbl_calipso_ops *calipso_ops;
368 * netlbl_calipso_ops_register - Register the CALIPSO operations
371 * Register the CALIPSO packet engine operations.
374 const struct netlbl_calipso_ops *
375 netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops)
377 return xchg(&calipso_ops, ops);
379 EXPORT_SYMBOL(netlbl_calipso_ops_register);
381 static const struct netlbl_calipso_ops *netlbl_calipso_ops_get(void)
383 return READ_ONCE(calipso_ops);
387 * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine
388 * @doi_def: the DOI structure
389 * @audit_info: NetLabel audit information
392 * The caller defines a new DOI for use by the CALIPSO engine and calls this
393 * function to add it to the list of acceptable domains. The caller must
394 * ensure that the mapping table specified in @doi_def->map meets all of the
395 * requirements of the mapping type (see calipso.h for details). Returns
396 * zero on success and non-zero on failure.
399 int calipso_doi_add(struct calipso_doi *doi_def,
400 struct netlbl_audit *audit_info)
402 int ret_val = -ENOMSG;
403 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
406 ret_val = ops->doi_add(doi_def, audit_info);
411 * calipso_doi_free - Frees a DOI definition
412 * @doi_def: the DOI definition
415 * This function frees all of the memory associated with a DOI definition.
418 void calipso_doi_free(struct calipso_doi *doi_def)
420 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
423 ops->doi_free(doi_def);
427 * calipso_doi_remove - Remove an existing DOI from the CALIPSO protocol engine
428 * @doi: the DOI value
429 * @audit_info: NetLabel audit information
432 * Removes a DOI definition from the CALIPSO engine. The NetLabel routines will
433 * be called to release their own LSM domain mappings as well as our own
434 * domain list. Returns zero on success and negative values on failure.
437 int calipso_doi_remove(u32 doi, struct netlbl_audit *audit_info)
439 int ret_val = -ENOMSG;
440 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
443 ret_val = ops->doi_remove(doi, audit_info);
448 * calipso_doi_getdef - Returns a reference to a valid DOI definition
449 * @doi: the DOI value
452 * Searches for a valid DOI definition and if one is found it is returned to
453 * the caller. Otherwise NULL is returned. The caller must ensure that
454 * calipso_doi_putdef() is called when the caller is done.
457 struct calipso_doi *calipso_doi_getdef(u32 doi)
459 struct calipso_doi *ret_val = NULL;
460 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
463 ret_val = ops->doi_getdef(doi);
468 * calipso_doi_putdef - Releases a reference for the given DOI definition
469 * @doi_def: the DOI definition
472 * Releases a DOI definition reference obtained from calipso_doi_getdef().
475 void calipso_doi_putdef(struct calipso_doi *doi_def)
477 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
480 ops->doi_putdef(doi_def);
484 * calipso_doi_walk - Iterate through the DOI definitions
485 * @skip_cnt: skip past this number of DOI definitions, updated
486 * @callback: callback for each DOI definition
487 * @cb_arg: argument for the callback function
490 * Iterate over the DOI definition list, skipping the first @skip_cnt entries.
491 * For each entry call @callback, if @callback returns a negative value stop
492 * 'walking' through the list and return. Updates the value in @skip_cnt upon
493 * return. Returns zero on success, negative values on failure.
496 int calipso_doi_walk(u32 *skip_cnt,
497 int (*callback)(struct calipso_doi *doi_def, void *arg),
500 int ret_val = -ENOMSG;
501 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
504 ret_val = ops->doi_walk(skip_cnt, callback, cb_arg);
509 * calipso_sock_getattr - Get the security attributes from a sock
511 * @secattr: the security attributes
514 * Query @sk to see if there is a CALIPSO option attached to the sock and if
515 * there is return the CALIPSO security attributes in @secattr. This function
516 * requires that @sk be locked, or privately held, but it does not do any
517 * locking itself. Returns zero on success and negative values on failure.
520 int calipso_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
522 int ret_val = -ENOMSG;
523 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
526 ret_val = ops->sock_getattr(sk, secattr);
531 * calipso_sock_setattr - Add a CALIPSO option to a socket
533 * @doi_def: the CALIPSO DOI to use
534 * @secattr: the specific security attributes of the socket
537 * Set the CALIPSO option on the given socket using the DOI definition and
538 * security attributes passed to the function. This function requires
539 * exclusive access to @sk, which means it either needs to be in the
540 * process of being created or locked. Returns zero on success and negative
544 int calipso_sock_setattr(struct sock *sk,
545 const struct calipso_doi *doi_def,
546 const struct netlbl_lsm_secattr *secattr)
548 int ret_val = -ENOMSG;
549 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
552 ret_val = ops->sock_setattr(sk, doi_def, secattr);
557 * calipso_sock_delattr - Delete the CALIPSO option from a socket
561 * Removes the CALIPSO option from a socket, if present.
564 void calipso_sock_delattr(struct sock *sk)
566 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
569 ops->sock_delattr(sk);
573 * calipso_req_setattr - Add a CALIPSO option to a connection request socket
574 * @req: the connection request socket
575 * @doi_def: the CALIPSO DOI to use
576 * @secattr: the specific security attributes of the socket
579 * Set the CALIPSO option on the given socket using the DOI definition and
580 * security attributes passed to the function. Returns zero on success and
581 * negative values on failure.
584 int calipso_req_setattr(struct request_sock *req,
585 const struct calipso_doi *doi_def,
586 const struct netlbl_lsm_secattr *secattr)
588 int ret_val = -ENOMSG;
589 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
592 ret_val = ops->req_setattr(req, doi_def, secattr);
597 * calipso_req_delattr - Delete the CALIPSO option from a request socket
598 * @req: the request socket
601 * Removes the CALIPSO option from a request socket, if present.
604 void calipso_req_delattr(struct request_sock *req)
606 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
609 ops->req_delattr(req);
613 * calipso_optptr - Find the CALIPSO option in the packet
617 * Parse the packet's IP header looking for a CALIPSO option. Returns a pointer
618 * to the start of the CALIPSO option on success, NULL if one if not found.
621 unsigned char *calipso_optptr(const struct sk_buff *skb)
623 unsigned char *ret_val = NULL;
624 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
627 ret_val = ops->skbuff_optptr(skb);
632 * calipso_getattr - Get the security attributes from a memory block.
633 * @calipso: the CALIPSO option
634 * @secattr: the security attributes
637 * Inspect @calipso and return the security attributes in @secattr.
638 * Returns zero on success and negative values on failure.
641 int calipso_getattr(const unsigned char *calipso,
642 struct netlbl_lsm_secattr *secattr)
644 int ret_val = -ENOMSG;
645 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
648 ret_val = ops->opt_getattr(calipso, secattr);
653 * calipso_skbuff_setattr - Set the CALIPSO option on a packet
655 * @doi_def: the CALIPSO DOI to use
656 * @secattr: the security attributes
659 * Set the CALIPSO option on the given packet based on the security attributes.
660 * Returns a pointer to the IP header on success and NULL on failure.
663 int calipso_skbuff_setattr(struct sk_buff *skb,
664 const struct calipso_doi *doi_def,
665 const struct netlbl_lsm_secattr *secattr)
667 int ret_val = -ENOMSG;
668 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
671 ret_val = ops->skbuff_setattr(skb, doi_def, secattr);
676 * calipso_skbuff_delattr - Delete any CALIPSO options from a packet
680 * Removes any and all CALIPSO options from the given packet. Returns zero on
681 * success, negative values on failure.
684 int calipso_skbuff_delattr(struct sk_buff *skb)
686 int ret_val = -ENOMSG;
687 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
690 ret_val = ops->skbuff_delattr(skb);
695 * calipso_cache_invalidate - Invalidates the current CALIPSO cache
698 * Invalidates and frees any entries in the CALIPSO cache. Returns zero on
699 * success and negative values on failure.
702 void calipso_cache_invalidate(void)
704 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
707 ops->cache_invalidate();
711 * calipso_cache_add - Add an entry to the CALIPSO cache
712 * @calipso_ptr: the CALIPSO option
713 * @secattr: the packet's security attributes
716 * Add a new entry into the CALIPSO label mapping cache.
717 * Returns zero on success, negative values on failure.
720 int calipso_cache_add(const unsigned char *calipso_ptr,
721 const struct netlbl_lsm_secattr *secattr)
724 int ret_val = -ENOMSG;
725 const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
728 ret_val = ops->cache_add(calipso_ptr, secattr);
projects / linux-2.6-microblaze.git / blob