4 * This file defines the kernel API for the NetLabel system. The NetLabel
5 * system manages static and dynamic label mappings for network protocols such
8 * Author: Paul Moore <paul@paul-moore.com>
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
23 * the GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
30 #include <linux/init.h>
31 #include <linux/types.h>
32 #include <linux/slab.h>
33 #include <linux/audit.h>
35 #include <linux/in6.h>
38 #include <net/netlabel.h>
39 #include <net/cipso_ipv4.h>
40 #include <net/calipso.h>
42 #include <linux/atomic.h>
44 #include "netlabel_domainhash.h"
45 #include "netlabel_unlabeled.h"
46 #include "netlabel_cipso_v4.h"
47 #include "netlabel_calipso.h"
48 #include "netlabel_user.h"
49 #include "netlabel_mgmt.h"
50 #include "netlabel_addrlist.h"
53 * Configuration Functions
57 * netlbl_cfg_map_del - Remove a NetLabel/LSM domain mapping
58 * @domain: the domain mapping to remove
59 * @family: address family
61 * @mask: IP address mask
62 * @audit_info: NetLabel audit information
65 * Removes a NetLabel/LSM domain mapping. A @domain value of NULL causes the
66 * default domain mapping to be removed. Returns zero on success, negative
70 int netlbl_cfg_map_del(const char *domain,
74 struct netlbl_audit *audit_info)
76 if (addr == NULL && mask == NULL) {
77 return netlbl_domhsh_remove(domain, family, audit_info);
78 } else if (addr != NULL && mask != NULL) {
81 return netlbl_domhsh_remove_af4(domain, addr, mask,
91 * netlbl_cfg_unlbl_map_add - Add a new unlabeled mapping
92 * @domain: the domain mapping to add
93 * @family: address family
95 * @mask: IP address mask
96 * @audit_info: NetLabel audit information
99 * Adds a new unlabeled NetLabel/LSM domain mapping. A @domain value of NULL
100 * causes a new default domain mapping to be added. Returns zero on success,
101 * negative values on failure.
104 int netlbl_cfg_unlbl_map_add(const char *domain,
108 struct netlbl_audit *audit_info)
110 int ret_val = -ENOMEM;
111 struct netlbl_dom_map *entry;
112 struct netlbl_domaddr_map *addrmap = NULL;
113 struct netlbl_domaddr4_map *map4 = NULL;
114 struct netlbl_domaddr6_map *map6 = NULL;
116 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
119 if (domain != NULL) {
120 entry->domain = kstrdup(domain, GFP_ATOMIC);
121 if (entry->domain == NULL)
122 goto cfg_unlbl_map_add_failure;
124 entry->family = family;
126 if (addr == NULL && mask == NULL)
127 entry->def.type = NETLBL_NLTYPE_UNLABELED;
128 else if (addr != NULL && mask != NULL) {
129 addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
131 goto cfg_unlbl_map_add_failure;
132 INIT_LIST_HEAD(&addrmap->list4);
133 INIT_LIST_HEAD(&addrmap->list6);
137 const struct in_addr *addr4 = addr;
138 const struct in_addr *mask4 = mask;
139 map4 = kzalloc(sizeof(*map4), GFP_ATOMIC);
141 goto cfg_unlbl_map_add_failure;
142 map4->def.type = NETLBL_NLTYPE_UNLABELED;
143 map4->list.addr = addr4->s_addr & mask4->s_addr;
144 map4->list.mask = mask4->s_addr;
145 map4->list.valid = 1;
146 ret_val = netlbl_af4list_add(&map4->list,
149 goto cfg_unlbl_map_add_failure;
152 #if IS_ENABLED(CONFIG_IPV6)
154 const struct in6_addr *addr6 = addr;
155 const struct in6_addr *mask6 = mask;
156 map6 = kzalloc(sizeof(*map6), GFP_ATOMIC);
158 goto cfg_unlbl_map_add_failure;
159 map6->def.type = NETLBL_NLTYPE_UNLABELED;
160 map6->list.addr = *addr6;
161 map6->list.addr.s6_addr32[0] &= mask6->s6_addr32[0];
162 map6->list.addr.s6_addr32[1] &= mask6->s6_addr32[1];
163 map6->list.addr.s6_addr32[2] &= mask6->s6_addr32[2];
164 map6->list.addr.s6_addr32[3] &= mask6->s6_addr32[3];
165 map6->list.mask = *mask6;
166 map6->list.valid = 1;
167 ret_val = netlbl_af6list_add(&map6->list,
170 goto cfg_unlbl_map_add_failure;
175 goto cfg_unlbl_map_add_failure;
178 entry->def.addrsel = addrmap;
179 entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
182 goto cfg_unlbl_map_add_failure;
185 ret_val = netlbl_domhsh_add(entry, audit_info);
187 goto cfg_unlbl_map_add_failure;
191 cfg_unlbl_map_add_failure:
192 kfree(entry->domain);
202 * netlbl_cfg_unlbl_static_add - Adds a new static label
203 * @net: network namespace
204 * @dev_name: interface name
205 * @addr: IP address in network byte order (struct in[6]_addr)
206 * @mask: address mask in network byte order (struct in[6]_addr)
207 * @family: address family
208 * @secid: LSM secid value for the entry
209 * @audit_info: NetLabel audit information
212 * Adds a new NetLabel static label to be used when protocol provided labels
213 * are not present on incoming traffic. If @dev_name is NULL then the default
214 * interface will be used. Returns zero on success, negative values on failure.
217 int netlbl_cfg_unlbl_static_add(struct net *net,
218 const char *dev_name,
223 struct netlbl_audit *audit_info)
229 addr_len = sizeof(struct in_addr);
231 #if IS_ENABLED(CONFIG_IPV6)
233 addr_len = sizeof(struct in6_addr);
237 return -EPFNOSUPPORT;
240 return netlbl_unlhsh_add(net,
241 dev_name, addr, mask, addr_len,
246 * netlbl_cfg_unlbl_static_del - Removes an existing static label
247 * @net: network namespace
248 * @dev_name: interface name
249 * @addr: IP address in network byte order (struct in[6]_addr)
250 * @mask: address mask in network byte order (struct in[6]_addr)
251 * @family: address family
252 * @audit_info: NetLabel audit information
255 * Removes an existing NetLabel static label used when protocol provided labels
256 * are not present on incoming traffic. If @dev_name is NULL then the default
257 * interface will be used. Returns zero on success, negative values on failure.
260 int netlbl_cfg_unlbl_static_del(struct net *net,
261 const char *dev_name,
265 struct netlbl_audit *audit_info)
271 addr_len = sizeof(struct in_addr);
273 #if IS_ENABLED(CONFIG_IPV6)
275 addr_len = sizeof(struct in6_addr);
279 return -EPFNOSUPPORT;
282 return netlbl_unlhsh_remove(net,
283 dev_name, addr, mask, addr_len,
288 * netlbl_cfg_cipsov4_add - Add a new CIPSOv4 DOI definition
289 * @doi_def: CIPSO DOI definition
290 * @audit_info: NetLabel audit information
293 * Add a new CIPSO DOI definition as defined by @doi_def. Returns zero on
294 * success and negative values on failure.
297 int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
298 struct netlbl_audit *audit_info)
300 return cipso_v4_doi_add(doi_def, audit_info);
304 * netlbl_cfg_cipsov4_del - Remove an existing CIPSOv4 DOI definition
306 * @audit_info: NetLabel audit information
309 * Remove an existing CIPSO DOI definition matching @doi. Returns zero on
310 * success and negative values on failure.
313 void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info)
315 cipso_v4_doi_remove(doi, audit_info);
319 * netlbl_cfg_cipsov4_map_add - Add a new CIPSOv4 DOI mapping
320 * @doi: the CIPSO DOI
321 * @domain: the domain mapping to add
323 * @mask: IP address mask
324 * @audit_info: NetLabel audit information
327 * Add a new NetLabel/LSM domain mapping for the given CIPSO DOI to the NetLabel
328 * subsystem. A @domain value of NULL adds a new default domain mapping.
329 * Returns zero on success, negative values on failure.
332 int netlbl_cfg_cipsov4_map_add(u32 doi,
334 const struct in_addr *addr,
335 const struct in_addr *mask,
336 struct netlbl_audit *audit_info)
338 int ret_val = -ENOMEM;
339 struct cipso_v4_doi *doi_def;
340 struct netlbl_dom_map *entry;
341 struct netlbl_domaddr_map *addrmap = NULL;
342 struct netlbl_domaddr4_map *addrinfo = NULL;
344 doi_def = cipso_v4_doi_getdef(doi);
348 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
351 entry->family = AF_INET;
352 if (domain != NULL) {
353 entry->domain = kstrdup(domain, GFP_ATOMIC);
354 if (entry->domain == NULL)
358 if (addr == NULL && mask == NULL) {
359 entry->def.cipso = doi_def;
360 entry->def.type = NETLBL_NLTYPE_CIPSOV4;
361 } else if (addr != NULL && mask != NULL) {
362 addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
365 INIT_LIST_HEAD(&addrmap->list4);
366 INIT_LIST_HEAD(&addrmap->list6);
368 addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
369 if (addrinfo == NULL)
371 addrinfo->def.cipso = doi_def;
372 addrinfo->def.type = NETLBL_NLTYPE_CIPSOV4;
373 addrinfo->list.addr = addr->s_addr & mask->s_addr;
374 addrinfo->list.mask = mask->s_addr;
375 addrinfo->list.valid = 1;
376 ret_val = netlbl_af4list_add(&addrinfo->list, &addrmap->list4);
378 goto cfg_cipsov4_map_add_failure;
380 entry->def.addrsel = addrmap;
381 entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
387 ret_val = netlbl_domhsh_add(entry, audit_info);
389 goto cfg_cipsov4_map_add_failure;
393 cfg_cipsov4_map_add_failure:
398 kfree(entry->domain);
402 cipso_v4_doi_putdef(doi_def);
407 * Security Attribute Functions
410 #define _CM_F_NONE 0x00000000
411 #define _CM_F_ALLOC 0x00000001
412 #define _CM_F_WALK 0x00000002
415 * _netlbl_catmap_getnode - Get a individual node from a catmap
416 * @catmap: pointer to the category bitmap
417 * @offset: the requested offset
418 * @cm_flags: catmap flags, see _CM_F_*
419 * @gfp_flags: memory allocation flags
422 * Iterate through the catmap looking for the node associated with @offset.
423 * If the _CM_F_ALLOC flag is set in @cm_flags and there is no associated node,
424 * one will be created and inserted into the catmap. If the _CM_F_WALK flag is
425 * set in @cm_flags and there is no associated node, the next highest node will
426 * be returned. Returns a pointer to the node on success, NULL on failure.
429 static struct netlbl_lsm_catmap *_netlbl_catmap_getnode(
430 struct netlbl_lsm_catmap **catmap,
432 unsigned int cm_flags,
435 struct netlbl_lsm_catmap *iter = *catmap;
436 struct netlbl_lsm_catmap *prev = NULL;
439 goto catmap_getnode_alloc;
440 if (offset < iter->startbit)
441 goto catmap_getnode_walk;
442 while (iter && offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
446 if (iter == NULL || offset < iter->startbit)
447 goto catmap_getnode_walk;
452 if (cm_flags & _CM_F_WALK)
454 catmap_getnode_alloc:
455 if (!(cm_flags & _CM_F_ALLOC))
458 iter = netlbl_catmap_alloc(gfp_flags);
461 iter->startbit = offset & ~(NETLBL_CATMAP_SIZE - 1);
464 iter->next = *catmap;
467 iter->next = prev->next;
475 * netlbl_catmap_walk - Walk a LSM secattr catmap looking for a bit
476 * @catmap: the category bitmap
477 * @offset: the offset to start searching at, in bits
480 * This function walks a LSM secattr category bitmap starting at @offset and
481 * returns the spot of the first set bit or -ENOENT if no bits are set.
484 int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap, u32 offset)
486 struct netlbl_lsm_catmap *iter = catmap;
489 NETLBL_CATMAP_MAPTYPE bitmap;
491 iter = _netlbl_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
494 if (offset > iter->startbit) {
495 offset -= iter->startbit;
496 idx = offset / NETLBL_CATMAP_MAPSIZE;
497 bit = offset % NETLBL_CATMAP_MAPSIZE;
502 bitmap = iter->bitmap[idx] >> bit;
506 while ((bitmap & NETLBL_CATMAP_BIT) == 0) {
510 return iter->startbit +
511 (NETLBL_CATMAP_MAPSIZE * idx) + bit;
513 if (++idx >= NETLBL_CATMAP_MAPCNT) {
514 if (iter->next != NULL) {
520 bitmap = iter->bitmap[idx];
526 EXPORT_SYMBOL(netlbl_catmap_walk);
529 * netlbl_catmap_walkrng - Find the end of a string of set bits
530 * @catmap: the category bitmap
531 * @offset: the offset to start searching at, in bits
534 * This function walks a LSM secattr category bitmap starting at @offset and
535 * returns the spot of the first cleared bit or -ENOENT if the offset is past
536 * the end of the bitmap.
539 int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap, u32 offset)
541 struct netlbl_lsm_catmap *iter;
542 struct netlbl_lsm_catmap *prev = NULL;
545 NETLBL_CATMAP_MAPTYPE bitmask;
546 NETLBL_CATMAP_MAPTYPE bitmap;
548 iter = _netlbl_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
551 if (offset > iter->startbit) {
552 offset -= iter->startbit;
553 idx = offset / NETLBL_CATMAP_MAPSIZE;
554 bit = offset % NETLBL_CATMAP_MAPSIZE;
559 bitmask = NETLBL_CATMAP_BIT << bit;
562 bitmap = iter->bitmap[idx];
563 while (bitmask != 0 && (bitmap & bitmask) != 0) {
568 if (prev && idx == 0 && bit == 0)
569 return prev->startbit + NETLBL_CATMAP_SIZE - 1;
570 else if (bitmask != 0)
571 return iter->startbit +
572 (NETLBL_CATMAP_MAPSIZE * idx) + bit - 1;
573 else if (++idx >= NETLBL_CATMAP_MAPCNT) {
574 if (iter->next == NULL)
575 return iter->startbit + NETLBL_CATMAP_SIZE - 1;
580 bitmask = NETLBL_CATMAP_BIT;
588 * netlbl_catmap_getlong - Export an unsigned long bitmap
589 * @catmap: pointer to the category bitmap
590 * @offset: pointer to the requested offset
591 * @bitmap: the exported bitmap
594 * Export a bitmap with an offset greater than or equal to @offset and return
595 * it in @bitmap. The @offset must be aligned to an unsigned long and will be
596 * updated on return if different from what was requested; if the catmap is
597 * empty at the requested offset and beyond, the @offset is set to (u32)-1.
598 * Returns zero on sucess, negative values on failure.
601 int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
603 unsigned long *bitmap)
605 struct netlbl_lsm_catmap *iter;
609 /* only allow aligned offsets */
610 if ((off & (BITS_PER_LONG - 1)) != 0)
613 if (off < catmap->startbit) {
614 off = catmap->startbit;
617 iter = _netlbl_catmap_getnode(&catmap, off, _CM_F_WALK, 0);
623 if (off < iter->startbit) {
624 *offset = iter->startbit;
627 off -= iter->startbit;
628 idx = off / NETLBL_CATMAP_MAPSIZE;
629 *bitmap = iter->bitmap[idx] >> (off % NETLBL_CATMAP_MAPSIZE);
635 * netlbl_catmap_setbit - Set a bit in a LSM secattr catmap
636 * @catmap: pointer to the category bitmap
637 * @bit: the bit to set
638 * @flags: memory allocation flags
641 * Set the bit specified by @bit in @catmap. Returns zero on success,
642 * negative values on failure.
645 int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
649 struct netlbl_lsm_catmap *iter;
652 iter = _netlbl_catmap_getnode(catmap, bit, _CM_F_ALLOC, flags);
656 bit -= iter->startbit;
657 idx = bit / NETLBL_CATMAP_MAPSIZE;
658 iter->bitmap[idx] |= NETLBL_CATMAP_BIT << (bit % NETLBL_CATMAP_MAPSIZE);
662 EXPORT_SYMBOL(netlbl_catmap_setbit);
665 * netlbl_catmap_setrng - Set a range of bits in a LSM secattr catmap
666 * @catmap: pointer to the category bitmap
667 * @start: the starting bit
668 * @end: the last bit in the string
669 * @flags: memory allocation flags
672 * Set a range of bits, starting at @start and ending with @end. Returns zero
673 * on success, negative values on failure.
676 int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
684 while (rc == 0 && spot <= end) {
685 if (((spot & (BITS_PER_LONG - 1)) == 0) &&
686 ((end - spot) > BITS_PER_LONG)) {
687 rc = netlbl_catmap_setlong(catmap,
691 spot += BITS_PER_LONG;
693 rc = netlbl_catmap_setbit(catmap, spot++, flags);
700 * netlbl_catmap_setlong - Import an unsigned long bitmap
701 * @catmap: pointer to the category bitmap
702 * @offset: offset to the start of the imported bitmap
703 * @bitmap: the bitmap to import
704 * @flags: memory allocation flags
707 * Import the bitmap specified in @bitmap into @catmap, using the offset
708 * in @offset. The offset must be aligned to an unsigned long. Returns zero
709 * on success, negative values on failure.
712 int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
714 unsigned long bitmap,
717 struct netlbl_lsm_catmap *iter;
720 /* only allow aligned offsets */
721 if ((offset & (BITS_PER_LONG - 1)) != 0)
724 iter = _netlbl_catmap_getnode(catmap, offset, _CM_F_ALLOC, flags);
728 offset -= iter->startbit;
729 idx = offset / NETLBL_CATMAP_MAPSIZE;
730 iter->bitmap[idx] |= bitmap << (offset % NETLBL_CATMAP_MAPSIZE);
739 * netlbl_bitmap_walk - Walk a bitmap looking for a bit
740 * @bitmap: the bitmap
741 * @bitmap_len: length in bits
742 * @offset: starting offset
743 * @state: if non-zero, look for a set (1) bit else look for a cleared (0) bit
746 * Starting at @offset, walk the bitmap from left to right until either the
747 * desired bit is found or we reach the end. Return the bit offset, -1 if
748 * not found, or -2 if error.
750 int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
751 u32 offset, u8 state)
755 unsigned char bitmask;
758 byte_offset = offset / 8;
759 byte = bitmap[byte_offset];
761 bitmask = 0x80 >> (offset % 8);
763 while (bit_spot < bitmap_len) {
764 if ((state && (byte & bitmask) == bitmask) ||
765 (state == 0 && (byte & bitmask) == 0))
771 byte = bitmap[++byte_offset];
778 EXPORT_SYMBOL(netlbl_bitmap_walk);
781 * netlbl_bitmap_setbit - Sets a single bit in a bitmap
782 * @bitmap: the bitmap
784 * @state: if non-zero, set the bit (1) else clear the bit (0)
787 * Set a single bit in the bitmask. Returns zero on success, negative values
790 void netlbl_bitmap_setbit(unsigned char *bitmap, u32 bit, u8 state)
795 /* gcc always rounds to zero when doing integer division */
797 bitmask = 0x80 >> (bit % 8);
799 bitmap[byte_spot] |= bitmask;
801 bitmap[byte_spot] &= ~bitmask;
803 EXPORT_SYMBOL(netlbl_bitmap_setbit);
810 * netlbl_enabled - Determine if the NetLabel subsystem is enabled
813 * The LSM can use this function to determine if it should use NetLabel
814 * security attributes in it's enforcement mechanism. Currently, NetLabel is
815 * considered to be enabled when it's configuration contains a valid setup for
816 * at least one labeled protocol (i.e. NetLabel can understand incoming
817 * labeled packets of at least one type); otherwise NetLabel is considered to
821 int netlbl_enabled(void)
823 /* At some point we probably want to expose this mechanism to the user
824 * as well so that admins can toggle NetLabel regardless of the
826 return (atomic_read(&netlabel_mgmt_protocount) > 0);
830 * netlbl_sock_setattr - Label a socket using the correct protocol
831 * @sk: the socket to label
832 * @family: protocol family
833 * @secattr: the security attributes
836 * Attach the correct label to the given socket using the security attributes
837 * specified in @secattr. This function requires exclusive access to @sk,
838 * which means it either needs to be in the process of being created or locked.
839 * Returns zero on success, -EDESTADDRREQ if the domain is configured to use
840 * network address selectors (can't blindly label the socket), and negative
841 * values on all other failures.
844 int netlbl_sock_setattr(struct sock *sk,
846 const struct netlbl_lsm_secattr *secattr)
849 struct netlbl_dom_map *dom_entry;
852 dom_entry = netlbl_domhsh_getentry(secattr->domain, family);
853 if (dom_entry == NULL) {
855 goto socket_setattr_return;
859 switch (dom_entry->def.type) {
860 case NETLBL_NLTYPE_ADDRSELECT:
861 ret_val = -EDESTADDRREQ;
863 case NETLBL_NLTYPE_CIPSOV4:
864 ret_val = cipso_v4_sock_setattr(sk,
865 dom_entry->def.cipso,
868 case NETLBL_NLTYPE_UNLABELED:
875 #if IS_ENABLED(CONFIG_IPV6)
877 switch (dom_entry->def.type) {
878 case NETLBL_NLTYPE_ADDRSELECT:
879 ret_val = -EDESTADDRREQ;
881 case NETLBL_NLTYPE_CALIPSO:
882 ret_val = calipso_sock_setattr(sk,
883 dom_entry->def.calipso,
886 case NETLBL_NLTYPE_UNLABELED:
895 ret_val = -EPROTONOSUPPORT;
898 socket_setattr_return:
904 * netlbl_sock_delattr - Delete all the NetLabel labels on a socket
908 * Remove all the NetLabel labeling from @sk. The caller is responsible for
909 * ensuring that @sk is locked.
912 void netlbl_sock_delattr(struct sock *sk)
914 switch (sk->sk_family) {
916 cipso_v4_sock_delattr(sk);
918 #if IS_ENABLED(CONFIG_IPV6)
920 calipso_sock_delattr(sk);
927 * netlbl_sock_getattr - Determine the security attributes of a sock
929 * @secattr: the security attributes
932 * Examines the given sock to see if any NetLabel style labeling has been
933 * applied to the sock, if so it parses the socket label and returns the
934 * security attributes in @secattr. Returns zero on success, negative values
938 int netlbl_sock_getattr(struct sock *sk,
939 struct netlbl_lsm_secattr *secattr)
943 switch (sk->sk_family) {
945 ret_val = cipso_v4_sock_getattr(sk, secattr);
947 #if IS_ENABLED(CONFIG_IPV6)
949 ret_val = calipso_sock_getattr(sk, secattr);
953 ret_val = -EPROTONOSUPPORT;
960 * netlbl_conn_setattr - Label a connected socket using the correct protocol
961 * @sk: the socket to label
962 * @addr: the destination address
963 * @secattr: the security attributes
966 * Attach the correct label to the given connected socket using the security
967 * attributes specified in @secattr. The caller is responsible for ensuring
968 * that @sk is locked. Returns zero on success, negative values on failure.
971 int netlbl_conn_setattr(struct sock *sk,
972 struct sockaddr *addr,
973 const struct netlbl_lsm_secattr *secattr)
976 struct sockaddr_in *addr4;
977 #if IS_ENABLED(CONFIG_IPV6)
978 struct sockaddr_in6 *addr6;
980 struct netlbl_dommap_def *entry;
983 switch (addr->sa_family) {
985 addr4 = (struct sockaddr_in *)addr;
986 entry = netlbl_domhsh_getentry_af4(secattr->domain,
987 addr4->sin_addr.s_addr);
990 goto conn_setattr_return;
992 switch (entry->type) {
993 case NETLBL_NLTYPE_CIPSOV4:
994 ret_val = cipso_v4_sock_setattr(sk,
995 entry->cipso, secattr);
997 case NETLBL_NLTYPE_UNLABELED:
998 /* just delete the protocols we support for right now
999 * but we could remove other protocols if needed */
1000 netlbl_sock_delattr(sk);
1007 #if IS_ENABLED(CONFIG_IPV6)
1009 addr6 = (struct sockaddr_in6 *)addr;
1010 entry = netlbl_domhsh_getentry_af6(secattr->domain,
1012 if (entry == NULL) {
1014 goto conn_setattr_return;
1016 switch (entry->type) {
1017 case NETLBL_NLTYPE_CALIPSO:
1018 ret_val = calipso_sock_setattr(sk,
1019 entry->calipso, secattr);
1021 case NETLBL_NLTYPE_UNLABELED:
1022 /* just delete the protocols we support for right now
1023 * but we could remove other protocols if needed */
1024 netlbl_sock_delattr(sk);
1033 ret_val = -EPROTONOSUPPORT;
1036 conn_setattr_return:
1042 * netlbl_req_setattr - Label a request socket using the correct protocol
1043 * @req: the request socket to label
1044 * @secattr: the security attributes
1047 * Attach the correct label to the given socket using the security attributes
1048 * specified in @secattr. Returns zero on success, negative values on failure.
1051 int netlbl_req_setattr(struct request_sock *req,
1052 const struct netlbl_lsm_secattr *secattr)
1055 struct netlbl_dommap_def *entry;
1056 struct inet_request_sock *ireq = inet_rsk(req);
1059 switch (req->rsk_ops->family) {
1061 entry = netlbl_domhsh_getentry_af4(secattr->domain,
1063 if (entry == NULL) {
1065 goto req_setattr_return;
1067 switch (entry->type) {
1068 case NETLBL_NLTYPE_CIPSOV4:
1069 ret_val = cipso_v4_req_setattr(req,
1070 entry->cipso, secattr);
1072 case NETLBL_NLTYPE_UNLABELED:
1073 netlbl_req_delattr(req);
1080 #if IS_ENABLED(CONFIG_IPV6)
1082 entry = netlbl_domhsh_getentry_af6(secattr->domain,
1083 &ireq->ir_v6_rmt_addr);
1084 if (entry == NULL) {
1086 goto req_setattr_return;
1088 switch (entry->type) {
1089 case NETLBL_NLTYPE_CALIPSO:
1090 ret_val = calipso_req_setattr(req,
1091 entry->calipso, secattr);
1093 case NETLBL_NLTYPE_UNLABELED:
1094 netlbl_req_delattr(req);
1103 ret_val = -EPROTONOSUPPORT;
1112 * netlbl_req_delattr - Delete all the NetLabel labels on a socket
1116 * Remove all the NetLabel labeling from @req.
1119 void netlbl_req_delattr(struct request_sock *req)
1121 switch (req->rsk_ops->family) {
1123 cipso_v4_req_delattr(req);
1125 #if IS_ENABLED(CONFIG_IPV6)
1127 calipso_req_delattr(req);
1134 * netlbl_skbuff_setattr - Label a packet using the correct protocol
1136 * @family: protocol family
1137 * @secattr: the security attributes
1140 * Attach the correct label to the given packet using the security attributes
1141 * specified in @secattr. Returns zero on success, negative values on failure.
1144 int netlbl_skbuff_setattr(struct sk_buff *skb,
1146 const struct netlbl_lsm_secattr *secattr)
1150 #if IS_ENABLED(CONFIG_IPV6)
1151 struct ipv6hdr *hdr6;
1153 struct netlbl_dommap_def *entry;
1159 entry = netlbl_domhsh_getentry_af4(secattr->domain,
1161 if (entry == NULL) {
1163 goto skbuff_setattr_return;
1165 switch (entry->type) {
1166 case NETLBL_NLTYPE_CIPSOV4:
1167 ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso,
1170 case NETLBL_NLTYPE_UNLABELED:
1171 /* just delete the protocols we support for right now
1172 * but we could remove other protocols if needed */
1173 ret_val = cipso_v4_skbuff_delattr(skb);
1179 #if IS_ENABLED(CONFIG_IPV6)
1181 hdr6 = ipv6_hdr(skb);
1182 entry = netlbl_domhsh_getentry_af6(secattr->domain,
1184 if (entry == NULL) {
1186 goto skbuff_setattr_return;
1188 switch (entry->type) {
1189 case NETLBL_NLTYPE_CALIPSO:
1190 ret_val = calipso_skbuff_setattr(skb, entry->calipso,
1193 case NETLBL_NLTYPE_UNLABELED:
1194 /* just delete the protocols we support for right now
1195 * but we could remove other protocols if needed */
1196 ret_val = calipso_skbuff_delattr(skb);
1204 ret_val = -EPROTONOSUPPORT;
1207 skbuff_setattr_return:
1213 * netlbl_skbuff_getattr - Determine the security attributes of a packet
1215 * @family: protocol family
1216 * @secattr: the security attributes
1219 * Examines the given packet to see if a recognized form of packet labeling
1220 * is present, if so it parses the packet label and returns the security
1221 * attributes in @secattr. Returns zero on success, negative values on
1225 int netlbl_skbuff_getattr(const struct sk_buff *skb,
1227 struct netlbl_lsm_secattr *secattr)
1233 ptr = cipso_v4_optptr(skb);
1234 if (ptr && cipso_v4_getattr(ptr, secattr) == 0)
1237 #if IS_ENABLED(CONFIG_IPV6)
1239 ptr = calipso_optptr(skb);
1240 if (ptr && calipso_getattr(ptr, secattr) == 0)
1246 return netlbl_unlabel_getattr(skb, family, secattr);
1250 * netlbl_skbuff_err - Handle a LSM error on a sk_buff
1252 * @family: the family
1253 * @error: the error code
1254 * @gateway: true if host is acting as a gateway, false otherwise
1257 * Deal with a LSM problem when handling the packet in @skb, typically this is
1258 * a permission denied problem (-EACCES). The correct action is determined
1259 * according to the packet's labeling protocol.
1262 void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway)
1266 if (cipso_v4_optptr(skb))
1267 cipso_v4_error(skb, error, gateway);
1273 * netlbl_cache_invalidate - Invalidate all of the NetLabel protocol caches
1276 * For all of the NetLabel protocols that support some form of label mapping
1277 * cache, invalidate the cache. Returns zero on success, negative values on
1281 void netlbl_cache_invalidate(void)
1283 cipso_v4_cache_invalidate();
1287 * netlbl_cache_add - Add an entry to a NetLabel protocol cache
1289 * @secattr: the packet's security attributes
1292 * Add the LSM security attributes for the given packet to the underlying
1293 * NetLabel protocol's label mapping cache. Returns zero on success, negative
1297 int netlbl_cache_add(const struct sk_buff *skb,
1298 const struct netlbl_lsm_secattr *secattr)
1302 if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0)
1305 ptr = cipso_v4_optptr(skb);
1307 return cipso_v4_cache_add(ptr, secattr);
1313 * Protocol Engine Functions
1317 * netlbl_audit_start - Start an audit message
1318 * @type: audit message type
1319 * @audit_info: NetLabel audit information
1322 * Start an audit message using the type specified in @type and fill the audit
1323 * message with some fields common to all NetLabel audit messages. This
1324 * function should only be used by protocol engines, not LSMs. Returns a
1325 * pointer to the audit buffer on success, NULL on failure.
1328 struct audit_buffer *netlbl_audit_start(int type,
1329 struct netlbl_audit *audit_info)
1331 return netlbl_audit_start_common(type, audit_info);
1333 EXPORT_SYMBOL(netlbl_audit_start);
1340 * netlbl_init - Initialize NetLabel
1343 * Perform the required NetLabel initialization before first use.
1346 static int __init netlbl_init(void)
1350 printk(KERN_INFO "NetLabel: Initializing\n");
1351 printk(KERN_INFO "NetLabel: domain hash size = %u\n",
1352 (1 << NETLBL_DOMHSH_BITSIZE));
1353 printk(KERN_INFO "NetLabel: protocols ="
1358 ret_val = netlbl_domhsh_init(NETLBL_DOMHSH_BITSIZE);
1362 ret_val = netlbl_unlabel_init(NETLBL_UNLHSH_BITSIZE);
1366 ret_val = netlbl_netlink_init();
1370 ret_val = netlbl_unlabel_defconf();
1373 printk(KERN_INFO "NetLabel: unlabeled traffic allowed by default\n");
1378 panic("NetLabel: failed to initialize properly (%d)\n", ret_val);
1381 subsys_initcall(netlbl_init);