1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * NetLabel Unlabeled Support
4 *
5 * This file defines functions for dealing with unlabeled packets for the
6 * NetLabel system. The NetLabel system manages static and dynamic label
7 * mappings for network protocols such as CIPSO and RIPSO.
8 *
9 * Author: Paul Moore <paul@paul-moore.com>
10 */
11
12 /*
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - 2008
14 */
15
16 #include <linux/types.h>
17 #include <linux/rcupdate.h>
18 #include <linux/list.h>
19 #include <linux/spinlock.h>
20 #include <linux/socket.h>
21 #include <linux/string.h>
22 #include <linux/skbuff.h>
23 #include <linux/audit.h>
24 #include <linux/in.h>
25 #include <linux/in6.h>
26 #include <linux/ip.h>
27 #include <linux/ipv6.h>
28 #include <linux/notifier.h>
29 #include <linux/netdevice.h>
30 #include <linux/security.h>
31 #include <linux/slab.h>
32 #include <net/sock.h>
33 #include <net/netlink.h>
34 #include <net/genetlink.h>
35 #include <net/ip.h>
36 #include <net/ipv6.h>
37 #include <net/net_namespace.h>
38 #include <net/netlabel.h>
39 #include <asm/bug.h>
40 #include <linux/atomic.h>
41
42 #include "netlabel_user.h"
43 #include "netlabel_addrlist.h"
44 #include "netlabel_domainhash.h"
45 #include "netlabel_unlabeled.h"
46 #include "netlabel_mgmt.h"
47
48 /* NOTE: at present we always use init's network namespace since we don't
49 * presently support different namespaces even though the majority of
50 * the functions in this file are "namespace safe" */
51
52 /* The unlabeled connection hash table which we use to map network interfaces
53 * and addresses of unlabeled packets to a user specified secid value for the
54 * LSM. The hash table is used to lookup the network interface entry
55 * (struct netlbl_unlhsh_iface) and then the interface entry is used to
56 * lookup an IP address match from an ordered list. If a network interface
57 * match can not be found in the hash table then the default entry
58 * (netlbl_unlhsh_def) is used. The IP address entry list
59 * (struct netlbl_unlhsh_addr) is ordered such that the entries with a
60 * larger netmask come first.
61 */
62 struct netlbl_unlhsh_tbl {
63 struct list_head *tbl;
64 u32 size;
65 };
66 #define netlbl_unlhsh_addr4_entry(iter) \
67 container_of(iter, struct netlbl_unlhsh_addr4, list)
68 struct netlbl_unlhsh_addr4 {
69 u32 secid;
70
71 struct netlbl_af4list list;
72 struct rcu_head rcu;
73 };
74 #define netlbl_unlhsh_addr6_entry(iter) \
75 container_of(iter, struct netlbl_unlhsh_addr6, list)
76 struct netlbl_unlhsh_addr6 {
77 u32 secid;
78
79 struct netlbl_af6list list;
80 struct rcu_head rcu;
81 };
82 struct netlbl_unlhsh_iface {
83 int ifindex;
84 struct list_head addr4_list;
85 struct list_head addr6_list;
86
87 u32 valid;
88 struct list_head list;
89 struct rcu_head rcu;
90 };
91
92 /* Argument struct for netlbl_unlhsh_walk() */
93 struct netlbl_unlhsh_walk_arg {
94 struct netlink_callback *nl_cb;
95 struct sk_buff *skb;
96 u32 seq;
97 };
98
99 /* Unlabeled connection hash table */
100 /* updates should be so rare that having one spinlock for the entire
101 * hash table should be okay */
102 static DEFINE_SPINLOCK(netlbl_unlhsh_lock);
103 #define netlbl_unlhsh_rcu_deref(p) \
104 rcu_dereference_check(p, lockdep_is_held(&netlbl_unlhsh_lock))
105 static struct netlbl_unlhsh_tbl __rcu *netlbl_unlhsh;
106 static struct netlbl_unlhsh_iface __rcu *netlbl_unlhsh_def;
107
108 /* Accept unlabeled packets flag */
109 static u8 netlabel_unlabel_acceptflg;
110
111 /* NetLabel Generic NETLINK unlabeled family */
112 static struct genl_family netlbl_unlabel_gnl_family;
113
114 /* NetLabel Netlink attribute policy */
115 static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
116 [NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
117 [NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY,
118 .len = sizeof(struct in6_addr) },
119 [NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY,
120 .len = sizeof(struct in6_addr) },
121 [NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY,
122 .len = sizeof(struct in_addr) },
123 [NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY,
124 .len = sizeof(struct in_addr) },
125 [NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING,
126 .len = IFNAMSIZ - 1 },
127 [NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY }
128 };
129
130 /*
131 * Unlabeled Connection Hash Table Functions
132 */
133
134 /**
135 * netlbl_unlhsh_free_iface - Frees an interface entry from the hash table
136 * @entry: the entry's RCU field
137 *
138 * Description:
139 * This function is designed to be used as a callback to the call_rcu()
140 * function so that memory allocated to a hash table interface entry can be
141 * released safely. It is important to note that this function does not free
142 * the IPv4 and IPv6 address lists contained as part of an interface entry. It
143 * is up to the rest of the code to make sure an interface entry is only freed
144 * once it's address lists are empty.
145 *
146 */
netlbl_unlhsh_free_iface(struct rcu_head * entry)147 static void netlbl_unlhsh_free_iface(struct rcu_head *entry)
148 {
149 struct netlbl_unlhsh_iface *iface;
150 struct netlbl_af4list *iter4;
151 struct netlbl_af4list *tmp4;
152 #if IS_ENABLED(CONFIG_IPV6)
153 struct netlbl_af6list *iter6;
154 struct netlbl_af6list *tmp6;
155 #endif /* IPv6 */
156
157 iface = container_of(entry, struct netlbl_unlhsh_iface, rcu);
158
159 /* no need for locks here since we are the only one with access to this
160 * structure */
161
162 netlbl_af4list_foreach_safe(iter4, tmp4, &iface->addr4_list) {
163 netlbl_af4list_remove_entry(iter4);
164 kfree(netlbl_unlhsh_addr4_entry(iter4));
165 }
166 #if IS_ENABLED(CONFIG_IPV6)
167 netlbl_af6list_foreach_safe(iter6, tmp6, &iface->addr6_list) {
168 netlbl_af6list_remove_entry(iter6);
169 kfree(netlbl_unlhsh_addr6_entry(iter6));
170 }
171 #endif /* IPv6 */
172 kfree(iface);
173 }
174
175 /**
176 * netlbl_unlhsh_hash - Hashing function for the hash table
177 * @ifindex: the network interface/device to hash
178 *
179 * Description:
180 * This is the hashing function for the unlabeled hash table, it returns the
181 * bucket number for the given device/interface. The caller is responsible for
182 * ensuring that the hash table is protected with either a RCU read lock or
183 * the hash table lock.
184 *
185 */
netlbl_unlhsh_hash(int ifindex)186 static u32 netlbl_unlhsh_hash(int ifindex)
187 {
188 return ifindex & (netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->size - 1);
189 }
190
191 /**
192 * netlbl_unlhsh_search_iface - Search for a matching interface entry
193 * @ifindex: the network interface
194 *
195 * Description:
196 * Searches the unlabeled connection hash table and returns a pointer to the
197 * interface entry which matches @ifindex, otherwise NULL is returned. The
198 * caller is responsible for ensuring that the hash table is protected with
199 * either a RCU read lock or the hash table lock.
200 *
201 */
netlbl_unlhsh_search_iface(int ifindex)202 static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex)
203 {
204 u32 bkt;
205 struct list_head *bkt_list;
206 struct netlbl_unlhsh_iface *iter;
207
208 bkt = netlbl_unlhsh_hash(ifindex);
209 bkt_list = &netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->tbl[bkt];
210 list_for_each_entry_rcu(iter, bkt_list, list,
211 lockdep_is_held(&netlbl_unlhsh_lock))
212 if (iter->valid && iter->ifindex == ifindex)
213 return iter;
214
215 return NULL;
216 }
217
218 /**
219 * netlbl_unlhsh_add_addr4 - Add a new IPv4 address entry to the hash table
220 * @iface: the associated interface entry
221 * @addr: IPv4 address in network byte order
222 * @mask: IPv4 address mask in network byte order
223 * @secid: LSM secid value for entry
224 *
225 * Description:
226 * Add a new address entry into the unlabeled connection hash table using the
227 * interface entry specified by @iface. On success zero is returned, otherwise
228 * a negative value is returned.
229 *
230 */
netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface * iface,const struct in_addr * addr,const struct in_addr * mask,u32 secid)231 static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
232 const struct in_addr *addr,
233 const struct in_addr *mask,
234 u32 secid)
235 {
236 int ret_val;
237 struct netlbl_unlhsh_addr4 *entry;
238
239 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
240 if (entry == NULL)
241 return -ENOMEM;
242
243 entry->list.addr = addr->s_addr & mask->s_addr;
244 entry->list.mask = mask->s_addr;
245 entry->list.valid = 1;
246 entry->secid = secid;
247
248 spin_lock(&netlbl_unlhsh_lock);
249 ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list);
250 spin_unlock(&netlbl_unlhsh_lock);
251
252 if (ret_val != 0)
253 kfree(entry);
254 return ret_val;
255 }
256
257 #if IS_ENABLED(CONFIG_IPV6)
258 /**
259 * netlbl_unlhsh_add_addr6 - Add a new IPv6 address entry to the hash table
260 * @iface: the associated interface entry
261 * @addr: IPv6 address in network byte order
262 * @mask: IPv6 address mask in network byte order
263 * @secid: LSM secid value for entry
264 *
265 * Description:
266 * Add a new address entry into the unlabeled connection hash table using the
267 * interface entry specified by @iface. On success zero is returned, otherwise
268 * a negative value is returned.
269 *
270 */
netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface * iface,const struct in6_addr * addr,const struct in6_addr * mask,u32 secid)271 static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
272 const struct in6_addr *addr,
273 const struct in6_addr *mask,
274 u32 secid)
275 {
276 int ret_val;
277 struct netlbl_unlhsh_addr6 *entry;
278
279 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
280 if (entry == NULL)
281 return -ENOMEM;
282
283 entry->list.addr = *addr;
284 entry->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
285 entry->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
286 entry->list.addr.s6_addr32[2] &= mask->s6_addr32[2];
287 entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
288 entry->list.mask = *mask;
289 entry->list.valid = 1;
290 entry->secid = secid;
291
292 spin_lock(&netlbl_unlhsh_lock);
293 ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list);
294 spin_unlock(&netlbl_unlhsh_lock);
295
296 if (ret_val != 0)
297 kfree(entry);
298 return 0;
299 }
300 #endif /* IPv6 */
301
302 /**
303 * netlbl_unlhsh_add_iface - Adds a new interface entry to the hash table
304 * @ifindex: network interface
305 *
306 * Description:
307 * Add a new, empty, interface entry into the unlabeled connection hash table.
308 * On success a pointer to the new interface entry is returned, on failure NULL
309 * is returned.
310 *
311 */
netlbl_unlhsh_add_iface(int ifindex)312 static struct netlbl_unlhsh_iface *netlbl_unlhsh_add_iface(int ifindex)
313 {
314 u32 bkt;
315 struct netlbl_unlhsh_iface *iface;
316
317 iface = kzalloc(sizeof(*iface), GFP_ATOMIC);
318 if (iface == NULL)
319 return NULL;
320
321 iface->ifindex = ifindex;
322 INIT_LIST_HEAD(&iface->addr4_list);
323 INIT_LIST_HEAD(&iface->addr6_list);
324 iface->valid = 1;
325
326 spin_lock(&netlbl_unlhsh_lock);
327 if (ifindex > 0) {
328 bkt = netlbl_unlhsh_hash(ifindex);
329 if (netlbl_unlhsh_search_iface(ifindex) != NULL)
330 goto add_iface_failure;
331 list_add_tail_rcu(&iface->list,
332 &netlbl_unlhsh_rcu_deref(netlbl_unlhsh)->tbl[bkt]);
333 } else {
334 INIT_LIST_HEAD(&iface->list);
335 if (netlbl_unlhsh_rcu_deref(netlbl_unlhsh_def) != NULL)
336 goto add_iface_failure;
337 rcu_assign_pointer(netlbl_unlhsh_def, iface);
338 }
339 spin_unlock(&netlbl_unlhsh_lock);
340
341 return iface;
342
343 add_iface_failure:
344 spin_unlock(&netlbl_unlhsh_lock);
345 kfree(iface);
346 return NULL;
347 }
348
349 /**
350 * netlbl_unlhsh_add - Adds a new entry to the unlabeled connection hash table
351 * @net: network namespace
352 * @dev_name: interface name
353 * @addr: IP address in network byte order
354 * @mask: address mask in network byte order
355 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
356 * @secid: LSM secid value for the entry
357 * @audit_info: NetLabel audit information
358 *
359 * Description:
360 * Adds a new entry to the unlabeled connection hash table. Returns zero on
361 * success, negative values on failure.
362 *
363 */
netlbl_unlhsh_add(struct net * net,const char * dev_name,const void * addr,const void * mask,u32 addr_len,u32 secid,struct netlbl_audit * audit_info)364 int netlbl_unlhsh_add(struct net *net,
365 const char *dev_name,
366 const void *addr,
367 const void *mask,
368 u32 addr_len,
369 u32 secid,
370 struct netlbl_audit *audit_info)
371 {
372 int ret_val;
373 int ifindex;
374 struct net_device *dev;
375 struct netlbl_unlhsh_iface *iface;
376 struct audit_buffer *audit_buf = NULL;
377 char *secctx = NULL;
378 u32 secctx_len;
379
380 if (addr_len != sizeof(struct in_addr) &&
381 addr_len != sizeof(struct in6_addr))
382 return -EINVAL;
383
384 rcu_read_lock();
385 if (dev_name != NULL) {
386 dev = dev_get_by_name_rcu(net, dev_name);
387 if (dev == NULL) {
388 ret_val = -ENODEV;
389 goto unlhsh_add_return;
390 }
391 ifindex = dev->ifindex;
392 iface = netlbl_unlhsh_search_iface(ifindex);
393 } else {
394 ifindex = 0;
395 iface = rcu_dereference(netlbl_unlhsh_def);
396 }
397 if (iface == NULL) {
398 iface = netlbl_unlhsh_add_iface(ifindex);
399 if (iface == NULL) {
400 ret_val = -ENOMEM;
401 goto unlhsh_add_return;
402 }
403 }
404 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
405 audit_info);
406 switch (addr_len) {
407 case sizeof(struct in_addr): {
408 const struct in_addr *addr4 = addr;
409 const struct in_addr *mask4 = mask;
410
411 ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
412 if (audit_buf != NULL)
413 netlbl_af4list_audit_addr(audit_buf, 1,
414 dev_name,
415 addr4->s_addr,
416 mask4->s_addr);
417 break;
418 }
419 #if IS_ENABLED(CONFIG_IPV6)
420 case sizeof(struct in6_addr): {
421 const struct in6_addr *addr6 = addr;
422 const struct in6_addr *mask6 = mask;
423
424 ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
425 if (audit_buf != NULL)
426 netlbl_af6list_audit_addr(audit_buf, 1,
427 dev_name,
428 addr6, mask6);
429 break;
430 }
431 #endif /* IPv6 */
432 default:
433 ret_val = -EINVAL;
434 }
435 if (ret_val == 0)
436 atomic_inc(&netlabel_mgmt_protocount);
437
438 unlhsh_add_return:
439 rcu_read_unlock();
440 if (audit_buf != NULL) {
441 if (security_secid_to_secctx(secid,
442 &secctx,
443 &secctx_len) == 0) {
444 audit_log_format(audit_buf, " sec_obj=%s", secctx);
445 security_release_secctx(secctx, secctx_len);
446 }
447 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
448 audit_log_end(audit_buf);
449 }
450 return ret_val;
451 }
452
453 /**
454 * netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry
455 * @net: network namespace
456 * @iface: interface entry
457 * @addr: IP address
458 * @mask: IP address mask
459 * @audit_info: NetLabel audit information
460 *
461 * Description:
462 * Remove an IP address entry from the unlabeled connection hash table.
463 * Returns zero on success, negative values on failure.
464 *
465 */
netlbl_unlhsh_remove_addr4(struct net * net,struct netlbl_unlhsh_iface * iface,const struct in_addr * addr,const struct in_addr * mask,struct netlbl_audit * audit_info)466 static int netlbl_unlhsh_remove_addr4(struct net *net,
467 struct netlbl_unlhsh_iface *iface,
468 const struct in_addr *addr,
469 const struct in_addr *mask,
470 struct netlbl_audit *audit_info)
471 {
472 struct netlbl_af4list *list_entry;
473 struct netlbl_unlhsh_addr4 *entry;
474 struct audit_buffer *audit_buf;
475 struct net_device *dev;
476 char *secctx;
477 u32 secctx_len;
478
479 spin_lock(&netlbl_unlhsh_lock);
480 list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
481 &iface->addr4_list);
482 spin_unlock(&netlbl_unlhsh_lock);
483 if (list_entry != NULL)
484 entry = netlbl_unlhsh_addr4_entry(list_entry);
485 else
486 entry = NULL;
487
488 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
489 audit_info);
490 if (audit_buf != NULL) {
491 dev = dev_get_by_index(net, iface->ifindex);
492 netlbl_af4list_audit_addr(audit_buf, 1,
493 (dev != NULL ? dev->name : NULL),
494 addr->s_addr, mask->s_addr);
495 if (dev != NULL)
496 dev_put(dev);
497 if (entry != NULL &&
498 security_secid_to_secctx(entry->secid,
499 &secctx, &secctx_len) == 0) {
500 audit_log_format(audit_buf, " sec_obj=%s", secctx);
501 security_release_secctx(secctx, secctx_len);
502 }
503 audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
504 audit_log_end(audit_buf);
505 }
506
507 if (entry == NULL)
508 return -ENOENT;
509
510 kfree_rcu(entry, rcu);
511 return 0;
512 }
513
514 #if IS_ENABLED(CONFIG_IPV6)
515 /**
516 * netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry
517 * @net: network namespace
518 * @iface: interface entry
519 * @addr: IP address
520 * @mask: IP address mask
521 * @audit_info: NetLabel audit information
522 *
523 * Description:
524 * Remove an IP address entry from the unlabeled connection hash table.
525 * Returns zero on success, negative values on failure.
526 *
527 */
netlbl_unlhsh_remove_addr6(struct net * net,struct netlbl_unlhsh_iface * iface,const struct in6_addr * addr,const struct in6_addr * mask,struct netlbl_audit * audit_info)528 static int netlbl_unlhsh_remove_addr6(struct net *net,
529 struct netlbl_unlhsh_iface *iface,
530 const struct in6_addr *addr,
531 const struct in6_addr *mask,
532 struct netlbl_audit *audit_info)
533 {
534 struct netlbl_af6list *list_entry;
535 struct netlbl_unlhsh_addr6 *entry;
536 struct audit_buffer *audit_buf;
537 struct net_device *dev;
538 char *secctx;
539 u32 secctx_len;
540
541 spin_lock(&netlbl_unlhsh_lock);
542 list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list);
543 spin_unlock(&netlbl_unlhsh_lock);
544 if (list_entry != NULL)
545 entry = netlbl_unlhsh_addr6_entry(list_entry);
546 else
547 entry = NULL;
548
549 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
550 audit_info);
551 if (audit_buf != NULL) {
552 dev = dev_get_by_index(net, iface->ifindex);
553 netlbl_af6list_audit_addr(audit_buf, 1,
554 (dev != NULL ? dev->name : NULL),
555 addr, mask);
556 if (dev != NULL)
557 dev_put(dev);
558 if (entry != NULL &&
559 security_secid_to_secctx(entry->secid,
560 &secctx, &secctx_len) == 0) {
561 audit_log_format(audit_buf, " sec_obj=%s", secctx);
562 security_release_secctx(secctx, secctx_len);
563 }
564 audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
565 audit_log_end(audit_buf);
566 }
567
568 if (entry == NULL)
569 return -ENOENT;
570
571 kfree_rcu(entry, rcu);
572 return 0;
573 }
574 #endif /* IPv6 */
575
576 /**
577 * netlbl_unlhsh_condremove_iface - Remove an interface entry
578 * @iface: the interface entry
579 *
580 * Description:
581 * Remove an interface entry from the unlabeled connection hash table if it is
582 * empty. An interface entry is considered to be empty if there are no
583 * address entries assigned to it.
584 *
585 */
netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface * iface)586 static void netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface *iface)
587 {
588 struct netlbl_af4list *iter4;
589 #if IS_ENABLED(CONFIG_IPV6)
590 struct netlbl_af6list *iter6;
591 #endif /* IPv6 */
592
593 spin_lock(&netlbl_unlhsh_lock);
594 netlbl_af4list_foreach_rcu(iter4, &iface->addr4_list)
595 goto unlhsh_condremove_failure;
596 #if IS_ENABLED(CONFIG_IPV6)
597 netlbl_af6list_foreach_rcu(iter6, &iface->addr6_list)
598 goto unlhsh_condremove_failure;
599 #endif /* IPv6 */
600 iface->valid = 0;
601 if (iface->ifindex > 0)
602 list_del_rcu(&iface->list);
603 else
604 RCU_INIT_POINTER(netlbl_unlhsh_def, NULL);
605 spin_unlock(&netlbl_unlhsh_lock);
606
607 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
608 return;
609
610 unlhsh_condremove_failure:
611 spin_unlock(&netlbl_unlhsh_lock);
612 }
613
614 /**
615 * netlbl_unlhsh_remove - Remove an entry from the unlabeled hash table
616 * @net: network namespace
617 * @dev_name: interface name
618 * @addr: IP address in network byte order
619 * @mask: address mask in network byte order
620 * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
621 * @audit_info: NetLabel audit information
622 *
623 * Description:
624 * Removes and existing entry from the unlabeled connection hash table.
625 * Returns zero on success, negative values on failure.
626 *
627 */
netlbl_unlhsh_remove(struct net * net,const char * dev_name,const void * addr,const void * mask,u32 addr_len,struct netlbl_audit * audit_info)628 int netlbl_unlhsh_remove(struct net *net,
629 const char *dev_name,
630 const void *addr,
631 const void *mask,
632 u32 addr_len,
633 struct netlbl_audit *audit_info)
634 {
635 int ret_val;
636 struct net_device *dev;
637 struct netlbl_unlhsh_iface *iface;
638
639 if (addr_len != sizeof(struct in_addr) &&
640 addr_len != sizeof(struct in6_addr))
641 return -EINVAL;
642
643 rcu_read_lock();
644 if (dev_name != NULL) {
645 dev = dev_get_by_name_rcu(net, dev_name);
646 if (dev == NULL) {
647 ret_val = -ENODEV;
648 goto unlhsh_remove_return;
649 }
650 iface = netlbl_unlhsh_search_iface(dev->ifindex);
651 } else
652 iface = rcu_dereference(netlbl_unlhsh_def);
653 if (iface == NULL) {
654 ret_val = -ENOENT;
655 goto unlhsh_remove_return;
656 }
657 switch (addr_len) {
658 case sizeof(struct in_addr):
659 ret_val = netlbl_unlhsh_remove_addr4(net,
660 iface, addr, mask,
661 audit_info);
662 break;
663 #if IS_ENABLED(CONFIG_IPV6)
664 case sizeof(struct in6_addr):
665 ret_val = netlbl_unlhsh_remove_addr6(net,
666 iface, addr, mask,
667 audit_info);
668 break;
669 #endif /* IPv6 */
670 default:
671 ret_val = -EINVAL;
672 }
673 if (ret_val == 0) {
674 netlbl_unlhsh_condremove_iface(iface);
675 atomic_dec(&netlabel_mgmt_protocount);
676 }
677
678 unlhsh_remove_return:
679 rcu_read_unlock();
680 return ret_val;
681 }
682
683 /*
684 * General Helper Functions
685 */
686
687 /**
688 * netlbl_unlhsh_netdev_handler - Network device notification handler
689 * @this: notifier block
690 * @event: the event
691 * @ptr: the netdevice notifier info (cast to void)
692 *
693 * Description:
694 * Handle network device events, although at present all we care about is a
695 * network device going away. In the case of a device going away we clear any
696 * related entries from the unlabeled connection hash table.
697 *
698 */
netlbl_unlhsh_netdev_handler(struct notifier_block * this,unsigned long event,void * ptr)699 static int netlbl_unlhsh_netdev_handler(struct notifier_block *this,
700 unsigned long event, void *ptr)
701 {
702 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
703 struct netlbl_unlhsh_iface *iface = NULL;
704
705 if (!net_eq(dev_net(dev), &init_net))
706 return NOTIFY_DONE;
707
708 /* XXX - should this be a check for NETDEV_DOWN or _UNREGISTER? */
709 if (event == NETDEV_DOWN) {
710 spin_lock(&netlbl_unlhsh_lock);
711 iface = netlbl_unlhsh_search_iface(dev->ifindex);
712 if (iface != NULL && iface->valid) {
713 iface->valid = 0;
714 list_del_rcu(&iface->list);
715 } else
716 iface = NULL;
717 spin_unlock(&netlbl_unlhsh_lock);
718 }
719
720 if (iface != NULL)
721 call_rcu(&iface->rcu, netlbl_unlhsh_free_iface);
722
723 return NOTIFY_DONE;
724 }
725
726 /**
727 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
728 * @value: desired value
729 * @audit_info: NetLabel audit information
730 *
731 * Description:
732 * Set the value of the unlabeled accept flag to @value.
733 *
734 */
netlbl_unlabel_acceptflg_set(u8 value,struct netlbl_audit * audit_info)735 static void netlbl_unlabel_acceptflg_set(u8 value,
736 struct netlbl_audit *audit_info)
737 {
738 struct audit_buffer *audit_buf;
739 u8 old_val;
740
741 old_val = netlabel_unlabel_acceptflg;
742 netlabel_unlabel_acceptflg = value;
743 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
744 audit_info);
745 if (audit_buf != NULL) {
746 audit_log_format(audit_buf,
747 " unlbl_accept=%u old=%u", value, old_val);
748 audit_log_end(audit_buf);
749 }
750 }
751
752 /**
753 * netlbl_unlabel_addrinfo_get - Get the IPv4/6 address information
754 * @info: the Generic NETLINK info block
755 * @addr: the IP address
756 * @mask: the IP address mask
757 * @len: the address length
758 *
759 * Description:
760 * Examine the Generic NETLINK message and extract the IP address information.
761 * Returns zero on success, negative values on failure.
762 *
763 */
netlbl_unlabel_addrinfo_get(struct genl_info * info,void ** addr,void ** mask,u32 * len)764 static int netlbl_unlabel_addrinfo_get(struct genl_info *info,
765 void **addr,
766 void **mask,
767 u32 *len)
768 {
769 u32 addr_len;
770
771 if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
772 info->attrs[NLBL_UNLABEL_A_IPV4MASK]) {
773 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
774 if (addr_len != sizeof(struct in_addr) &&
775 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK]))
776 return -EINVAL;
777 *len = addr_len;
778 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
779 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4MASK]);
780 return 0;
781 } else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR]) {
782 addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
783 if (addr_len != sizeof(struct in6_addr) &&
784 addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV6MASK]))
785 return -EINVAL;
786 *len = addr_len;
787 *addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
788 *mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6MASK]);
789 return 0;
790 }
791
792 return -EINVAL;
793 }
794
795 /*
796 * NetLabel Command Handlers
797 */
798
799 /**
800 * netlbl_unlabel_accept - Handle an ACCEPT message
801 * @skb: the NETLINK buffer
802 * @info: the Generic NETLINK info block
803 *
804 * Description:
805 * Process a user generated ACCEPT message and set the accept flag accordingly.
806 * Returns zero on success, negative values on failure.
807 *
808 */
netlbl_unlabel_accept(struct sk_buff * skb,struct genl_info * info)809 static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
810 {
811 u8 value;
812 struct netlbl_audit audit_info;
813
814 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
815 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
816 if (value == 1 || value == 0) {
817 netlbl_netlink_auditinfo(skb, &audit_info);
818 netlbl_unlabel_acceptflg_set(value, &audit_info);
819 return 0;
820 }
821 }
822
823 return -EINVAL;
824 }
825
826 /**
827 * netlbl_unlabel_list - Handle a LIST message
828 * @skb: the NETLINK buffer
829 * @info: the Generic NETLINK info block
830 *
831 * Description:
832 * Process a user generated LIST message and respond with the current status.
833 * Returns zero on success, negative values on failure.
834 *
835 */
netlbl_unlabel_list(struct sk_buff * skb,struct genl_info * info)836 static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
837 {
838 int ret_val = -EINVAL;
839 struct sk_buff *ans_skb;
840 void *data;
841
842 ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
843 if (ans_skb == NULL)
844 goto list_failure;
845 data = genlmsg_put_reply(ans_skb, info, &netlbl_unlabel_gnl_family,
846 0, NLBL_UNLABEL_C_LIST);
847 if (data == NULL) {
848 ret_val = -ENOMEM;
849 goto list_failure;
850 }
851
852 ret_val = nla_put_u8(ans_skb,
853 NLBL_UNLABEL_A_ACPTFLG,
854 netlabel_unlabel_acceptflg);
855 if (ret_val != 0)
856 goto list_failure;
857
858 genlmsg_end(ans_skb, data);
859 return genlmsg_reply(ans_skb, info);
860
861 list_failure:
862 kfree_skb(ans_skb);
863 return ret_val;
864 }
865
866 /**
867 * netlbl_unlabel_staticadd - Handle a STATICADD message
868 * @skb: the NETLINK buffer
869 * @info: the Generic NETLINK info block
870 *
871 * Description:
872 * Process a user generated STATICADD message and add a new unlabeled
873 * connection entry to the hash table. Returns zero on success, negative
874 * values on failure.
875 *
876 */
netlbl_unlabel_staticadd(struct sk_buff * skb,struct genl_info * info)877 static int netlbl_unlabel_staticadd(struct sk_buff *skb,
878 struct genl_info *info)
879 {
880 int ret_val;
881 char *dev_name;
882 void *addr;
883 void *mask;
884 u32 addr_len;
885 u32 secid;
886 struct netlbl_audit audit_info;
887
888 /* Don't allow users to add both IPv4 and IPv6 addresses for a
889 * single entry. However, allow users to create two entries, one each
890 * for IPv4 and IPv4, with the same LSM security context which should
891 * achieve the same result. */
892 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
893 !info->attrs[NLBL_UNLABEL_A_IFACE] ||
894 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
895 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
896 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
897 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
898 return -EINVAL;
899
900 netlbl_netlink_auditinfo(skb, &audit_info);
901
902 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
903 if (ret_val != 0)
904 return ret_val;
905 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
906 ret_val = security_secctx_to_secid(
907 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
908 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
909 &secid);
910 if (ret_val != 0)
911 return ret_val;
912
913 return netlbl_unlhsh_add(&init_net,
914 dev_name, addr, mask, addr_len, secid,
915 &audit_info);
916 }
917
918 /**
919 * netlbl_unlabel_staticadddef - Handle a STATICADDDEF message
920 * @skb: the NETLINK buffer
921 * @info: the Generic NETLINK info block
922 *
923 * Description:
924 * Process a user generated STATICADDDEF message and add a new default
925 * unlabeled connection entry. Returns zero on success, negative values on
926 * failure.
927 *
928 */
netlbl_unlabel_staticadddef(struct sk_buff * skb,struct genl_info * info)929 static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
930 struct genl_info *info)
931 {
932 int ret_val;
933 void *addr;
934 void *mask;
935 u32 addr_len;
936 u32 secid;
937 struct netlbl_audit audit_info;
938
939 /* Don't allow users to add both IPv4 and IPv6 addresses for a
940 * single entry. However, allow users to create two entries, one each
941 * for IPv4 and IPv6, with the same LSM security context which should
942 * achieve the same result. */
943 if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
944 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
945 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
946 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
947 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
948 return -EINVAL;
949
950 netlbl_netlink_auditinfo(skb, &audit_info);
951
952 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
953 if (ret_val != 0)
954 return ret_val;
955 ret_val = security_secctx_to_secid(
956 nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
957 nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
958 &secid);
959 if (ret_val != 0)
960 return ret_val;
961
962 return netlbl_unlhsh_add(&init_net,
963 NULL, addr, mask, addr_len, secid,
964 &audit_info);
965 }
966
967 /**
968 * netlbl_unlabel_staticremove - Handle a STATICREMOVE message
969 * @skb: the NETLINK buffer
970 * @info: the Generic NETLINK info block
971 *
972 * Description:
973 * Process a user generated STATICREMOVE message and remove the specified
974 * unlabeled connection entry. Returns zero on success, negative values on
975 * failure.
976 *
977 */
netlbl_unlabel_staticremove(struct sk_buff * skb,struct genl_info * info)978 static int netlbl_unlabel_staticremove(struct sk_buff *skb,
979 struct genl_info *info)
980 {
981 int ret_val;
982 char *dev_name;
983 void *addr;
984 void *mask;
985 u32 addr_len;
986 struct netlbl_audit audit_info;
987
988 /* See the note in netlbl_unlabel_staticadd() about not allowing both
989 * IPv4 and IPv6 in the same entry. */
990 if (!info->attrs[NLBL_UNLABEL_A_IFACE] ||
991 !((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
992 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
993 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
994 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
995 return -EINVAL;
996
997 netlbl_netlink_auditinfo(skb, &audit_info);
998
999 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1000 if (ret_val != 0)
1001 return ret_val;
1002 dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
1003
1004 return netlbl_unlhsh_remove(&init_net,
1005 dev_name, addr, mask, addr_len,
1006 &audit_info);
1007 }
1008
1009 /**
1010 * netlbl_unlabel_staticremovedef - Handle a STATICREMOVEDEF message
1011 * @skb: the NETLINK buffer
1012 * @info: the Generic NETLINK info block
1013 *
1014 * Description:
1015 * Process a user generated STATICREMOVEDEF message and remove the default
1016 * unlabeled connection entry. Returns zero on success, negative values on
1017 * failure.
1018 *
1019 */
netlbl_unlabel_staticremovedef(struct sk_buff * skb,struct genl_info * info)1020 static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
1021 struct genl_info *info)
1022 {
1023 int ret_val;
1024 void *addr;
1025 void *mask;
1026 u32 addr_len;
1027 struct netlbl_audit audit_info;
1028
1029 /* See the note in netlbl_unlabel_staticadd() about not allowing both
1030 * IPv4 and IPv6 in the same entry. */
1031 if (!((!info->attrs[NLBL_UNLABEL_A_IPV4ADDR] ||
1032 !info->attrs[NLBL_UNLABEL_A_IPV4MASK]) ^
1033 (!info->attrs[NLBL_UNLABEL_A_IPV6ADDR] ||
1034 !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
1035 return -EINVAL;
1036
1037 netlbl_netlink_auditinfo(skb, &audit_info);
1038
1039 ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
1040 if (ret_val != 0)
1041 return ret_val;
1042
1043 return netlbl_unlhsh_remove(&init_net,
1044 NULL, addr, mask, addr_len,
1045 &audit_info);
1046 }
1047
1048
1049 /**
1050 * netlbl_unlabel_staticlist_gen - Generate messages for STATICLIST[DEF]
1051 * @cmd: command/message
1052 * @iface: the interface entry
1053 * @addr4: the IPv4 address entry
1054 * @addr6: the IPv6 address entry
1055 * @arg: the netlbl_unlhsh_walk_arg structure
1056 *
1057 * Description:
1058 * This function is designed to be used to generate a response for a
1059 * STATICLIST or STATICLISTDEF message. When called either @addr4 or @addr6
1060 * can be specified, not both, the other unspecified entry should be set to
1061 * NULL by the caller. Returns the size of the message on success, negative
1062 * values on failure.
1063 *
1064 */
netlbl_unlabel_staticlist_gen(u32 cmd,const struct netlbl_unlhsh_iface * iface,const struct netlbl_unlhsh_addr4 * addr4,const struct netlbl_unlhsh_addr6 * addr6,void * arg)1065 static int netlbl_unlabel_staticlist_gen(u32 cmd,
1066 const struct netlbl_unlhsh_iface *iface,
1067 const struct netlbl_unlhsh_addr4 *addr4,
1068 const struct netlbl_unlhsh_addr6 *addr6,
1069 void *arg)
1070 {
1071 int ret_val = -ENOMEM;
1072 struct netlbl_unlhsh_walk_arg *cb_arg = arg;
1073 struct net_device *dev;
1074 void *data;
1075 u32 secid;
1076 char *secctx;
1077 u32 secctx_len;
1078
1079 data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
1080 cb_arg->seq, &netlbl_unlabel_gnl_family,
1081 NLM_F_MULTI, cmd);
1082 if (data == NULL)
1083 goto list_cb_failure;
1084
1085 if (iface->ifindex > 0) {
1086 dev = dev_get_by_index(&init_net, iface->ifindex);
1087 if (!dev) {
1088 ret_val = -ENODEV;
1089 goto list_cb_failure;
1090 }
1091 ret_val = nla_put_string(cb_arg->skb,
1092 NLBL_UNLABEL_A_IFACE, dev->name);
1093 dev_put(dev);
1094 if (ret_val != 0)
1095 goto list_cb_failure;
1096 }
1097
1098 if (addr4) {
1099 struct in_addr addr_struct;
1100
1101 addr_struct.s_addr = addr4->list.addr;
1102 ret_val = nla_put_in_addr(cb_arg->skb,
1103 NLBL_UNLABEL_A_IPV4ADDR,
1104 addr_struct.s_addr);
1105 if (ret_val != 0)
1106 goto list_cb_failure;
1107
1108 addr_struct.s_addr = addr4->list.mask;
1109 ret_val = nla_put_in_addr(cb_arg->skb,
1110 NLBL_UNLABEL_A_IPV4MASK,
1111 addr_struct.s_addr);
1112 if (ret_val != 0)
1113 goto list_cb_failure;
1114
1115 secid = addr4->secid;
1116 } else {
1117 ret_val = nla_put_in6_addr(cb_arg->skb,
1118 NLBL_UNLABEL_A_IPV6ADDR,
1119 &addr6->list.addr);
1120 if (ret_val != 0)
1121 goto list_cb_failure;
1122
1123 ret_val = nla_put_in6_addr(cb_arg->skb,
1124 NLBL_UNLABEL_A_IPV6MASK,
1125 &addr6->list.mask);
1126 if (ret_val != 0)
1127 goto list_cb_failure;
1128
1129 secid = addr6->secid;
1130 }
1131
1132 ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
1133 if (ret_val != 0)
1134 goto list_cb_failure;
1135 ret_val = nla_put(cb_arg->skb,
1136 NLBL_UNLABEL_A_SECCTX,
1137 secctx_len,
1138 secctx);
1139 security_release_secctx(secctx, secctx_len);
1140 if (ret_val != 0)
1141 goto list_cb_failure;
1142
1143 cb_arg->seq++;
1144 genlmsg_end(cb_arg->skb, data);
1145 return 0;
1146
1147 list_cb_failure:
1148 genlmsg_cancel(cb_arg->skb, data);
1149 return ret_val;
1150 }
1151
1152 /**
1153 * netlbl_unlabel_staticlist - Handle a STATICLIST message
1154 * @skb: the NETLINK buffer
1155 * @cb: the NETLINK callback
1156 *
1157 * Description:
1158 * Process a user generated STATICLIST message and dump the unlabeled
1159 * connection hash table in a form suitable for use in a kernel generated
1160 * STATICLIST message. Returns the length of @skb.
1161 *
1162 */
netlbl_unlabel_staticlist(struct sk_buff * skb,struct netlink_callback * cb)1163 static int netlbl_unlabel_staticlist(struct sk_buff *skb,
1164 struct netlink_callback *cb)
1165 {
1166 struct netlbl_unlhsh_walk_arg cb_arg;
1167 u32 skip_bkt = cb->args[0];
1168 u32 skip_chain = cb->args[1];
1169 u32 skip_addr4 = cb->args[2];
1170 u32 iter_bkt, iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
1171 struct netlbl_unlhsh_iface *iface;
1172 struct list_head *iter_list;
1173 struct netlbl_af4list *addr4;
1174 #if IS_ENABLED(CONFIG_IPV6)
1175 u32 skip_addr6 = cb->args[3];
1176 struct netlbl_af6list *addr6;
1177 #endif
1178
1179 cb_arg.nl_cb = cb;
1180 cb_arg.skb = skb;
1181 cb_arg.seq = cb->nlh->nlmsg_seq;
1182
1183 rcu_read_lock();
1184 for (iter_bkt = skip_bkt;
1185 iter_bkt < rcu_dereference(netlbl_unlhsh)->size;
1186 iter_bkt++) {
1187 iter_list = &rcu_dereference(netlbl_unlhsh)->tbl[iter_bkt];
1188 list_for_each_entry_rcu(iface, iter_list, list) {
1189 if (!iface->valid ||
1190 iter_chain++ < skip_chain)
1191 continue;
1192 netlbl_af4list_foreach_rcu(addr4,
1193 &iface->addr4_list) {
1194 if (iter_addr4++ < skip_addr4)
1195 continue;
1196 if (netlbl_unlabel_staticlist_gen(
1197 NLBL_UNLABEL_C_STATICLIST,
1198 iface,
1199 netlbl_unlhsh_addr4_entry(addr4),
1200 NULL,
1201 &cb_arg) < 0) {
1202 iter_addr4--;
1203 iter_chain--;
1204 goto unlabel_staticlist_return;
1205 }
1206 }
1207 iter_addr4 = 0;
1208 skip_addr4 = 0;
1209 #if IS_ENABLED(CONFIG_IPV6)
1210 netlbl_af6list_foreach_rcu(addr6,
1211 &iface->addr6_list) {
1212 if (iter_addr6++ < skip_addr6)
1213 continue;
1214 if (netlbl_unlabel_staticlist_gen(
1215 NLBL_UNLABEL_C_STATICLIST,
1216 iface,
1217 NULL,
1218 netlbl_unlhsh_addr6_entry(addr6),
1219 &cb_arg) < 0) {
1220 iter_addr6--;
1221 iter_chain--;
1222 goto unlabel_staticlist_return;
1223 }
1224 }
1225 iter_addr6 = 0;
1226 skip_addr6 = 0;
1227 #endif /* IPv6 */
1228 }
1229 iter_chain = 0;
1230 skip_chain = 0;
1231 }
1232
1233 unlabel_staticlist_return:
1234 rcu_read_unlock();
1235 cb->args[0] = iter_bkt;
1236 cb->args[1] = iter_chain;
1237 cb->args[2] = iter_addr4;
1238 cb->args[3] = iter_addr6;
1239 return skb->len;
1240 }
1241
1242 /**
1243 * netlbl_unlabel_staticlistdef - Handle a STATICLISTDEF message
1244 * @skb: the NETLINK buffer
1245 * @cb: the NETLINK callback
1246 *
1247 * Description:
1248 * Process a user generated STATICLISTDEF message and dump the default
1249 * unlabeled connection entry in a form suitable for use in a kernel generated
1250 * STATICLISTDEF message. Returns the length of @skb.
1251 *
1252 */
netlbl_unlabel_staticlistdef(struct sk_buff * skb,struct netlink_callback * cb)1253 static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
1254 struct netlink_callback *cb)
1255 {
1256 struct netlbl_unlhsh_walk_arg cb_arg;
1257 struct netlbl_unlhsh_iface *iface;
1258 u32 iter_addr4 = 0, iter_addr6 = 0;
1259 struct netlbl_af4list *addr4;
1260 #if IS_ENABLED(CONFIG_IPV6)
1261 struct netlbl_af6list *addr6;
1262 #endif
1263
1264 cb_arg.nl_cb = cb;
1265 cb_arg.skb = skb;
1266 cb_arg.seq = cb->nlh->nlmsg_seq;
1267
1268 rcu_read_lock();
1269 iface = rcu_dereference(netlbl_unlhsh_def);
1270 if (iface == NULL || !iface->valid)
1271 goto unlabel_staticlistdef_return;
1272
1273 netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) {
1274 if (iter_addr4++ < cb->args[0])
1275 continue;
1276 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
1277 iface,
1278 netlbl_unlhsh_addr4_entry(addr4),
1279 NULL,
1280 &cb_arg) < 0) {
1281 iter_addr4--;
1282 goto unlabel_staticlistdef_return;
1283 }
1284 }
1285 #if IS_ENABLED(CONFIG_IPV6)
1286 netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) {
1287 if (iter_addr6++ < cb->args[1])
1288 continue;
1289 if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
1290 iface,
1291 NULL,
1292 netlbl_unlhsh_addr6_entry(addr6),
1293 &cb_arg) < 0) {
1294 iter_addr6--;
1295 goto unlabel_staticlistdef_return;
1296 }
1297 }
1298 #endif /* IPv6 */
1299
1300 unlabel_staticlistdef_return:
1301 rcu_read_unlock();
1302 cb->args[0] = iter_addr4;
1303 cb->args[1] = iter_addr6;
1304 return skb->len;
1305 }
1306
1307 /*
1308 * NetLabel Generic NETLINK Command Definitions
1309 */
1310
1311 static const struct genl_small_ops netlbl_unlabel_genl_ops[] = {
1312 {
1313 .cmd = NLBL_UNLABEL_C_STATICADD,
1314 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1315 .flags = GENL_ADMIN_PERM,
1316 .doit = netlbl_unlabel_staticadd,
1317 .dumpit = NULL,
1318 },
1319 {
1320 .cmd = NLBL_UNLABEL_C_STATICREMOVE,
1321 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1322 .flags = GENL_ADMIN_PERM,
1323 .doit = netlbl_unlabel_staticremove,
1324 .dumpit = NULL,
1325 },
1326 {
1327 .cmd = NLBL_UNLABEL_C_STATICLIST,
1328 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1329 .flags = 0,
1330 .doit = NULL,
1331 .dumpit = netlbl_unlabel_staticlist,
1332 },
1333 {
1334 .cmd = NLBL_UNLABEL_C_STATICADDDEF,
1335 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1336 .flags = GENL_ADMIN_PERM,
1337 .doit = netlbl_unlabel_staticadddef,
1338 .dumpit = NULL,
1339 },
1340 {
1341 .cmd = NLBL_UNLABEL_C_STATICREMOVEDEF,
1342 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1343 .flags = GENL_ADMIN_PERM,
1344 .doit = netlbl_unlabel_staticremovedef,
1345 .dumpit = NULL,
1346 },
1347 {
1348 .cmd = NLBL_UNLABEL_C_STATICLISTDEF,
1349 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1350 .flags = 0,
1351 .doit = NULL,
1352 .dumpit = netlbl_unlabel_staticlistdef,
1353 },
1354 {
1355 .cmd = NLBL_UNLABEL_C_ACCEPT,
1356 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1357 .flags = GENL_ADMIN_PERM,
1358 .doit = netlbl_unlabel_accept,
1359 .dumpit = NULL,
1360 },
1361 {
1362 .cmd = NLBL_UNLABEL_C_LIST,
1363 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
1364 .flags = 0,
1365 .doit = netlbl_unlabel_list,
1366 .dumpit = NULL,
1367 },
1368 };
1369
1370 static struct genl_family netlbl_unlabel_gnl_family __ro_after_init = {
1371 .hdrsize = 0,
1372 .name = NETLBL_NLTYPE_UNLABELED_NAME,
1373 .version = NETLBL_PROTO_VERSION,
1374 .maxattr = NLBL_UNLABEL_A_MAX,
1375 .policy = netlbl_unlabel_genl_policy,
1376 .module = THIS_MODULE,
1377 .small_ops = netlbl_unlabel_genl_ops,
1378 .n_small_ops = ARRAY_SIZE(netlbl_unlabel_genl_ops),
1379 };
1380
1381 /*
1382 * NetLabel Generic NETLINK Protocol Functions
1383 */
1384
1385 /**
1386 * netlbl_unlabel_genl_init - Register the Unlabeled NetLabel component
1387 *
1388 * Description:
1389 * Register the unlabeled packet NetLabel component with the Generic NETLINK
1390 * mechanism. Returns zero on success, negative values on failure.
1391 *
1392 */
netlbl_unlabel_genl_init(void)1393 int __init netlbl_unlabel_genl_init(void)
1394 {
1395 return genl_register_family(&netlbl_unlabel_gnl_family);
1396 }
1397
1398 /*
1399 * NetLabel KAPI Hooks
1400 */
1401
1402 static struct notifier_block netlbl_unlhsh_netdev_notifier = {
1403 .notifier_call = netlbl_unlhsh_netdev_handler,
1404 };
1405
1406 /**
1407 * netlbl_unlabel_init - Initialize the unlabeled connection hash table
1408 * @size: the number of bits to use for the hash buckets
1409 *
1410 * Description:
1411 * Initializes the unlabeled connection hash table and registers a network
1412 * device notification handler. This function should only be called by the
1413 * NetLabel subsystem itself during initialization. Returns zero on success,
1414 * non-zero values on error.
1415 *
1416 */
netlbl_unlabel_init(u32 size)1417 int __init netlbl_unlabel_init(u32 size)
1418 {
1419 u32 iter;
1420 struct netlbl_unlhsh_tbl *hsh_tbl;
1421
1422 if (size == 0)
1423 return -EINVAL;
1424
1425 hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL);
1426 if (hsh_tbl == NULL)
1427 return -ENOMEM;
1428 hsh_tbl->size = 1 << size;
1429 hsh_tbl->tbl = kcalloc(hsh_tbl->size,
1430 sizeof(struct list_head),
1431 GFP_KERNEL);
1432 if (hsh_tbl->tbl == NULL) {
1433 kfree(hsh_tbl);
1434 return -ENOMEM;
1435 }
1436 for (iter = 0; iter < hsh_tbl->size; iter++)
1437 INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);
1438
1439 spin_lock(&netlbl_unlhsh_lock);
1440 rcu_assign_pointer(netlbl_unlhsh, hsh_tbl);
1441 spin_unlock(&netlbl_unlhsh_lock);
1442
1443 register_netdevice_notifier(&netlbl_unlhsh_netdev_notifier);
1444
1445 return 0;
1446 }
1447
1448 /**
1449 * netlbl_unlabel_getattr - Get the security attributes for an unlabled packet
1450 * @skb: the packet
1451 * @family: protocol family
1452 * @secattr: the security attributes
1453 *
1454 * Description:
1455 * Determine the security attributes, if any, for an unlabled packet and return
1456 * them in @secattr. Returns zero on success and negative values on failure.
1457 *
1458 */
netlbl_unlabel_getattr(const struct sk_buff * skb,u16 family,struct netlbl_lsm_secattr * secattr)1459 int netlbl_unlabel_getattr(const struct sk_buff *skb,
1460 u16 family,
1461 struct netlbl_lsm_secattr *secattr)
1462 {
1463 struct netlbl_unlhsh_iface *iface;
1464
1465 rcu_read_lock();
1466 iface = netlbl_unlhsh_search_iface(skb->skb_iif);
1467 if (iface == NULL)
1468 iface = rcu_dereference(netlbl_unlhsh_def);
1469 if (iface == NULL || !iface->valid)
1470 goto unlabel_getattr_nolabel;
1471
1472 #if IS_ENABLED(CONFIG_IPV6)
1473 /* When resolving a fallback label, check the sk_buff version as
1474 * it is possible (e.g. SCTP) to have family = PF_INET6 while
1475 * receiving ip_hdr(skb)->version = 4.
1476 */
1477 if (family == PF_INET6 && ip_hdr(skb)->version == 4)
1478 family = PF_INET;
1479 #endif /* IPv6 */
1480
1481 switch (family) {
1482 case PF_INET: {
1483 struct iphdr *hdr4;
1484 struct netlbl_af4list *addr4;
1485
1486 hdr4 = ip_hdr(skb);
1487 addr4 = netlbl_af4list_search(hdr4->saddr,
1488 &iface->addr4_list);
1489 if (addr4 == NULL)
1490 goto unlabel_getattr_nolabel;
1491 secattr->attr.secid = netlbl_unlhsh_addr4_entry(addr4)->secid;
1492 break;
1493 }
1494 #if IS_ENABLED(CONFIG_IPV6)
1495 case PF_INET6: {
1496 struct ipv6hdr *hdr6;
1497 struct netlbl_af6list *addr6;
1498
1499 hdr6 = ipv6_hdr(skb);
1500 addr6 = netlbl_af6list_search(&hdr6->saddr,
1501 &iface->addr6_list);
1502 if (addr6 == NULL)
1503 goto unlabel_getattr_nolabel;
1504 secattr->attr.secid = netlbl_unlhsh_addr6_entry(addr6)->secid;
1505 break;
1506 }
1507 #endif /* IPv6 */
1508 default:
1509 goto unlabel_getattr_nolabel;
1510 }
1511 rcu_read_unlock();
1512
1513 secattr->flags |= NETLBL_SECATTR_SECID;
1514 secattr->type = NETLBL_NLTYPE_UNLABELED;
1515 return 0;
1516
1517 unlabel_getattr_nolabel:
1518 rcu_read_unlock();
1519 if (netlabel_unlabel_acceptflg == 0)
1520 return -ENOMSG;
1521 secattr->type = NETLBL_NLTYPE_UNLABELED;
1522 return 0;
1523 }
1524
1525 /**
1526 * netlbl_unlabel_defconf - Set the default config to allow unlabeled packets
1527 *
1528 * Description:
1529 * Set the default NetLabel configuration to allow incoming unlabeled packets
1530 * and to send unlabeled network traffic by default.
1531 *
1532 */
netlbl_unlabel_defconf(void)1533 int __init netlbl_unlabel_defconf(void)
1534 {
1535 int ret_val;
1536 struct netlbl_dom_map *entry;
1537 struct netlbl_audit audit_info;
1538
1539 /* Only the kernel is allowed to call this function and the only time
1540 * it is called is at bootup before the audit subsystem is reporting
1541 * messages so don't worry to much about these values. */
1542 security_task_getsecid(current, &audit_info.secid);
1543 audit_info.loginuid = GLOBAL_ROOT_UID;
1544 audit_info.sessionid = 0;
1545
1546 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1547 if (entry == NULL)
1548 return -ENOMEM;
1549 entry->family = AF_UNSPEC;
1550 entry->def.type = NETLBL_NLTYPE_UNLABELED;
1551 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
1552 if (ret_val != 0)
1553 return ret_val;
1554
1555 netlbl_unlabel_acceptflg_set(1, &audit_info);
1556
1557 return 0;
1558 }
1559