Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / ed077bb714816e942ea9b740156659a28a34112f / . / net / netlabel / netlabel_unlabeled.c
blob: 5bc37181662e5e0a51281093c08d590c199cac2e [file] [log] [blame]
/*
* NetLabel Unlabeled Support
*
* This file defines functions for dealing with unlabeled packets for the
* NetLabel system. The NetLabel system manages static and dynamic label
* mappings for network protocols such as CIPSO and RIPSO.
*
* Author: Paul Moore <paul.moore@hp.com>
*
*/
/*
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
* the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
*/
#include <linux/types.h>
#include <linux/rcupdate.h>
#include <linux/list.h>
#include <linux/spinlock.h>
#include <linux/socket.h>
#include <linux/string.h>
#include <linux/skbuff.h>
#include <linux/audit.h>
#include <net/sock.h>
#include <net/netlink.h>
#include <net/genetlink.h>
#include <net/netlabel.h>
#include <asm/bug.h>
#include "netlabel_user.h"
#include "netlabel_domainhash.h"
#include "netlabel_unlabeled.h"
/* Accept unlabeled packets flag */
static DEFINE_SPINLOCK(netlabel_unlabel_acceptflg_lock);
static u8 netlabel_unlabel_acceptflg = 0;
/* NetLabel Generic NETLINK CIPSOv4 family */
static struct genl_family netlbl_unlabel_gnl_family = {
.id = GENL_ID_GENERATE,
.hdrsize = 0,
.name = NETLBL_NLTYPE_UNLABELED_NAME,
.version = NETLBL_PROTO_VERSION,
.maxattr = NLBL_UNLABEL_A_MAX,
};
/* NetLabel Netlink attribute policy */
static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
[NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
};
/*
* Helper Functions
*/
/**
* netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
* @value: desired value
* @audit_info: NetLabel audit information
*
* Description:
* Set the value of the unlabeled accept flag to @value.
*
*/
static void netlbl_unlabel_acceptflg_set(u8 value,
struct netlbl_audit *audit_info)
{
struct audit_buffer *audit_buf;
u8 old_val;
rcu_read_lock();
old_val = netlabel_unlabel_acceptflg;
spin_lock(&netlabel_unlabel_acceptflg_lock);
netlabel_unlabel_acceptflg = value;
spin_unlock(&netlabel_unlabel_acceptflg_lock);
rcu_read_unlock();
audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
audit_info);
if (audit_buf != NULL) {
audit_log_format(audit_buf,
" unlbl_accept=%u old=%u", value, old_val);
audit_log_end(audit_buf);
}
}
/*
* NetLabel Command Handlers
*/
/**
* netlbl_unlabel_accept - Handle an ACCEPT message
* @skb: the NETLINK buffer
* @info: the Generic NETLINK info block
*
* Description:
* Process a user generated ACCEPT message and set the accept flag accordingly.
* Returns zero on success, negative values on failure.
*
*/
static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
{
u8 value;
struct netlbl_audit audit_info;
if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
if (value == 1 || value == 0) {
netlbl_netlink_auditinfo(skb, &audit_info);
netlbl_unlabel_acceptflg_set(value, &audit_info);
return 0;
}
}
return -EINVAL;
}
/**
* netlbl_unlabel_list - Handle a LIST message
* @skb: the NETLINK buffer
* @info: the Generic NETLINK info block
*
* Description:
* Process a user generated LIST message and respond with the current status.
* Returns zero on success, negative values on failure.
*
*/
static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
{
int ret_val = -EINVAL;
struct sk_buff *ans_skb;
void *data;
ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (ans_skb == NULL)
goto list_failure;
data = genlmsg_put_reply(ans_skb, info, &netlbl_unlabel_gnl_family,
0, NLBL_UNLABEL_C_LIST);
if (data == NULL) {
ret_val = -ENOMEM;
goto list_failure;
}
rcu_read_lock();
ret_val = nla_put_u8(ans_skb,
NLBL_UNLABEL_A_ACPTFLG,
netlabel_unlabel_acceptflg);
rcu_read_unlock();
if (ret_val != 0)
goto list_failure;
genlmsg_end(ans_skb, data);
ret_val = genlmsg_reply(ans_skb, info);
if (ret_val != 0)
goto list_failure;
return 0;
list_failure:
kfree(ans_skb);
return ret_val;
}
/*
* NetLabel Generic NETLINK Command Definitions
*/
static struct genl_ops netlbl_unlabel_genl_c_accept = {
.cmd = NLBL_UNLABEL_C_ACCEPT,
.flags = GENL_ADMIN_PERM,
.policy = netlbl_unlabel_genl_policy,
.doit = netlbl_unlabel_accept,
.dumpit = NULL,
};
static struct genl_ops netlbl_unlabel_genl_c_list = {
.cmd = NLBL_UNLABEL_C_LIST,
.flags = 0,
.policy = netlbl_unlabel_genl_policy,
.doit = netlbl_unlabel_list,
.dumpit = NULL,
};
/*
* NetLabel Generic NETLINK Protocol Functions
*/
/**
* netlbl_unlabel_genl_init - Register the Unlabeled NetLabel component
*
* Description:
* Register the unlabeled packet NetLabel component with the Generic NETLINK
* mechanism. Returns zero on success, negative values on failure.
*
*/
int netlbl_unlabel_genl_init(void)
{
int ret_val;
ret_val = genl_register_family(&netlbl_unlabel_gnl_family);
if (ret_val != 0)
return ret_val;
ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
&netlbl_unlabel_genl_c_accept);
if (ret_val != 0)
return ret_val;
ret_val = genl_register_ops(&netlbl_unlabel_gnl_family,
&netlbl_unlabel_genl_c_list);
if (ret_val != 0)
return ret_val;
return 0;
}
/*
* NetLabel KAPI Hooks
*/
/**
* netlbl_unlabel_getattr - Get the security attributes for an unlabled packet
* @secattr: the security attributes
*
* Description:
* Determine the security attributes, if any, for an unlabled packet and return
* them in @secattr. Returns zero on success and negative values on failure.
*
*/
int netlbl_unlabel_getattr(struct netlbl_lsm_secattr *secattr)
{
int ret_val;
rcu_read_lock();
if (netlabel_unlabel_acceptflg == 1) {
netlbl_secattr_init(secattr);
ret_val = 0;
} else
ret_val = -ENOMSG;
rcu_read_unlock();
return ret_val;
}
/**
* netlbl_unlabel_defconf - Set the default config to allow unlabeled packets
*
* Description:
* Set the default NetLabel configuration to allow incoming unlabeled packets
* and to send unlabeled network traffic by default.
*
*/
int netlbl_unlabel_defconf(void)
{
int ret_val;
struct netlbl_dom_map *entry;
struct netlbl_audit audit_info;
/* Only the kernel is allowed to call this function and the only time
* it is called is at bootup before the audit subsystem is reporting
* messages so don't worry to much about these values. */
security_task_getsecid(current, &audit_info.secid);
audit_info.loginuid = 0;
entry = kzalloc(sizeof(*entry), GFP_KERNEL);
if (entry == NULL)
return -ENOMEM;
entry->type = NETLBL_NLTYPE_UNLABELED;
ret_val = netlbl_domhsh_add_default(entry, &audit_info);
if (ret_val != 0)
return ret_val;
netlbl_unlabel_acceptflg_set(1, &audit_info);
return 0;
}