// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * NetLabel CIPSO/IPv4 Support
 *
 * This file defines the CIPSO/IPv4 functions for the NetLabel system. The
 * NetLabel system manages static and dynamic label mappings for network
 * protocols such as CIPSO and RIPSO.
 *
 * Author: Paul Moore <paul@paul-moore.com>
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 */
16 | #include <linux/types.h> | |
17 | #include <linux/socket.h> | |
18 | #include <linux/string.h> | |
19 | #include <linux/skbuff.h> | |
32f50cde | 20 | #include <linux/audit.h> |
5a0e3ad6 | 21 | #include <linux/slab.h> |
22 | #include <net/sock.h> |
23 | #include <net/netlink.h> | |
24 | #include <net/genetlink.h> | |
25 | #include <net/netlabel.h> | |
26 | #include <net/cipso_ipv4.h> | |
60063497 | 27 | #include <linux/atomic.h> |
28 | |
29 | #include "netlabel_user.h" | |
30 | #include "netlabel_cipso_v4.h" | |
23bcdc1a | 31 | #include "netlabel_mgmt.h" |
b1edeb10 | 32 | #include "netlabel_domainhash.h" |
96cb8e33 | 33 | |
/* Argument struct for cipso_v4_doi_walk() */
/* Carries the dump context from netlbl_cipsov4_listall() to the per-DOI
 * callback netlbl_cipsov4_listall_cb(), which appends one message per DOI
 * to @skb. */
struct netlbl_cipsov4_doiwalk_arg {
	struct netlink_callback *nl_cb;	/* dump callback; its skb supplies the portid */
	struct sk_buff *skb;		/* reply buffer the callback writes into */
	u32 seq;			/* sequence number copied from cb->nlh */
};
40 | ||
/* Argument struct for netlbl_domhsh_walk() */
/* Carries the audit context and the target DOI from netlbl_cipsov4_remove()
 * to netlbl_cipsov4_remove_cb(), which drops every LSM domain mapping that
 * points at @doi before the DOI definition itself is removed. */
struct netlbl_domhsh_walk_arg {
	struct netlbl_audit *audit_info;	/* audit data for the removal records */
	u32 doi;				/* DOI whose domain mappings are removed */
};
46 | ||
/* NetLabel Generic NETLINK CIPSOv4 family */
/* Forward declaration only: the family is defined below, after the ops
 * table, but netlbl_cipsov4_list() and netlbl_cipsov4_listall_cb() need to
 * reference it before that point. */
static struct genl_family netlbl_cipsov4_gnl_family;
/* NetLabel Netlink attribute policy */
/* The policy pins attribute types only; it carries no value ranges.  The
 * bounds on level/category values (CIPSO_V4_MAX_*) and on the tag count
 * (CIPSO_V4_TAG_MAXCNT) are enforced by the ADD handlers, and each
 * NLA_NESTED list is re-validated against this same policy with
 * nla_validate_nested_deprecated() before it is walked. */
static const struct nla_policy netlbl_cipsov4_genl_policy[NLBL_CIPSOV4_A_MAX + 1] = {
	[NLBL_CIPSOV4_A_DOI] = { .type = NLA_U32 },
	[NLBL_CIPSOV4_A_MTYPE] = { .type = NLA_U32 },
	[NLBL_CIPSOV4_A_TAG] = { .type = NLA_U8 },
	[NLBL_CIPSOV4_A_TAGLST] = { .type = NLA_NESTED },
	[NLBL_CIPSOV4_A_MLSLVLLOC] = { .type = NLA_U32 },
	[NLBL_CIPSOV4_A_MLSLVLREM] = { .type = NLA_U32 },
	[NLBL_CIPSOV4_A_MLSLVL] = { .type = NLA_NESTED },
	[NLBL_CIPSOV4_A_MLSLVLLST] = { .type = NLA_NESTED },
	[NLBL_CIPSOV4_A_MLSCATLOC] = { .type = NLA_U32 },
	[NLBL_CIPSOV4_A_MLSCATREM] = { .type = NLA_U32 },
	[NLBL_CIPSOV4_A_MLSCAT] = { .type = NLA_NESTED },
	[NLBL_CIPSOV4_A_MLSCATLST] = { .type = NLA_NESTED },
};
64 | |
65 | /* | |
66 | * Helper Functions | |
67 | */ | |
68 | ||
/**
 * netlbl_cipsov4_add_common - Parse the common sections of a ADD message
 * @info: the Generic NETLINK info block
 * @doi_def: the CIPSO V4 DOI definition
 *
 * Description:
 * Parse the common sections of a ADD message and fill in the related values
 * in @doi_def: the DOI itself and the CIPSO tag list.  The caller must have
 * already checked that NLBL_CIPSOV4_A_DOI and NLBL_CIPSOV4_A_TAGLST are
 * present.  At most CIPSO_V4_TAG_MAXCNT tags are accepted; the unused slots
 * of @doi_def->tags are set to CIPSO_V4_TAG_INVALID.  Returns zero on
 * success, negative values on failure.
 *
 */
static int netlbl_cipsov4_add_common(struct genl_info *info,
				     struct cipso_v4_doi *doi_def)
{
	struct nlattr *taglst = info->attrs[NLBL_CIPSOV4_A_TAGLST];
	struct nlattr *tag_attr;
	int rem;
	u32 tag_cnt = 0;

	doi_def->doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);

	/* the tag list is a nested attribute: check it against the policy
	 * before walking it */
	if (nla_validate_nested_deprecated(taglst, NLBL_CIPSOV4_A_MAX,
					   netlbl_cipsov4_genl_policy,
					   NULL) != 0)
		return -EINVAL;

	nla_for_each_nested(tag_attr, taglst, rem) {
		if (nla_type(tag_attr) != NLBL_CIPSOV4_A_TAG)
			continue;
		/* bound the write into the fixed-size tags[] array */
		if (tag_cnt >= CIPSO_V4_TAG_MAXCNT)
			return -EINVAL;
		doi_def->tags[tag_cnt++] = nla_get_u8(tag_attr);
	}
	/* terminate the list so readers know where the valid tags end */
	for (; tag_cnt < CIPSO_V4_TAG_MAXCNT; tag_cnt++)
		doi_def->tags[tag_cnt] = CIPSO_V4_TAG_INVALID;

	return 0;
}
105 | |
106 | /* | |
107 | * NetLabel Command Handlers | |
108 | */ | |
109 | ||
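/**
 * netlbl_cipsov4_add_std - Adds a CIPSO V4 DOI definition
 * @info: the Generic NETLINK info block
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Create a new CIPSO_V4_MAP_TRANS DOI definition based on the given ADD
 * message and add it to the CIPSO V4 engine.  The level and category
 * translation tables are each built in two passes over the same nested
 * attribute list: the first pass bounds every local/remote value against the
 * CIPSO_V4_MAX_* limits and records the largest index seen so the tables can
 * be sized, the second pass fills the tables in.  Because the table sizes
 * come from the first pass, the indices used in the second pass are always
 * in bounds.  Return zero on success and non-zero on error; on error the
 * partially built definition is released before returning.
 *
 */
static int netlbl_cipsov4_add_std(struct genl_info *info,
				  struct netlbl_audit *audit_info)
{
	int ret_val = -EINVAL;
	struct cipso_v4_doi *doi_def = NULL;
	struct nlattr *nla_a;
	struct nlattr *nla_b;
	int nla_a_rem;
	int nla_b_rem;
	u32 iter;

	if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
	    !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
		return -EINVAL;

	if (nla_validate_nested_deprecated(info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
					   NLBL_CIPSOV4_A_MAX,
					   netlbl_cipsov4_genl_policy,
					   NULL) != 0)
		return -EINVAL;

	doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
	if (doi_def == NULL)
		return -ENOMEM;
	doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL);
	if (doi_def->map.std == NULL) {
		/* doi_def->type has not been set yet, so cipso_v4_doi_free()
		 * can not be used here: it switches on the type and would
		 * dereference the NULL map.std if the uninitialized type
		 * happened to read as CIPSO_V4_MAP_TRANS.  Nothing else has
		 * been allocated, so a plain kfree() is the complete cleanup. */
		kfree(doi_def);
		return -ENOMEM;
	}
	doi_def->type = CIPSO_V4_MAP_TRANS;

	ret_val = netlbl_cipsov4_add_common(info, doi_def);
	if (ret_val != 0)
		goto add_std_failure;
	ret_val = -EINVAL;

	/* Pass 1 over the level list: bound each value and size the tables.
	 * The CIPSO_V4_MAX_* limits keep a user-supplied index from driving
	 * the kcalloc() sizes below. */
	nla_for_each_nested(nla_a,
			    info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
			    nla_a_rem)
		if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) {
			if (nla_validate_nested_deprecated(nla_a,
							   NLBL_CIPSOV4_A_MAX,
							   netlbl_cipsov4_genl_policy,
							   NULL) != 0)
				goto add_std_failure;
			nla_for_each_nested(nla_b, nla_a, nla_b_rem)
				switch (nla_type(nla_b)) {
				case NLBL_CIPSOV4_A_MLSLVLLOC:
					if (nla_get_u32(nla_b) >
					    CIPSO_V4_MAX_LOC_LVLS)
						goto add_std_failure;
					if (nla_get_u32(nla_b) >=
					    doi_def->map.std->lvl.local_size)
						doi_def->map.std->lvl.local_size =
							nla_get_u32(nla_b) + 1;
					break;
				case NLBL_CIPSOV4_A_MLSLVLREM:
					if (nla_get_u32(nla_b) >
					    CIPSO_V4_MAX_REM_LVLS)
						goto add_std_failure;
					if (nla_get_u32(nla_b) >=
					    doi_def->map.std->lvl.cipso_size)
						doi_def->map.std->lvl.cipso_size =
							nla_get_u32(nla_b) + 1;
					break;
				default:
					break;
				}
		}
	doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size,
					      sizeof(u32),
					      GFP_KERNEL);
	if (doi_def->map.std->lvl.local == NULL) {
		ret_val = -ENOMEM;
		goto add_std_failure;
	}
	doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size,
					      sizeof(u32),
					      GFP_KERNEL);
	if (doi_def->map.std->lvl.cipso == NULL) {
		ret_val = -ENOMEM;
		goto add_std_failure;
	}
	/* every slot starts out invalid; only mapped entries are overwritten */
	for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++)
		doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL;
	for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++)
		doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL;
	/* Pass 2 over the level list: fill in both directions of the map.
	 * Each entry must carry both a local and a remote value. */
	nla_for_each_nested(nla_a,
			    info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
			    nla_a_rem)
		if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) {
			struct nlattr *lvl_loc;
			struct nlattr *lvl_rem;

			lvl_loc = nla_find_nested(nla_a,
						  NLBL_CIPSOV4_A_MLSLVLLOC);
			lvl_rem = nla_find_nested(nla_a,
						  NLBL_CIPSOV4_A_MLSLVLREM);
			if (lvl_loc == NULL || lvl_rem == NULL)
				goto add_std_failure;
			doi_def->map.std->lvl.local[nla_get_u32(lvl_loc)] =
				nla_get_u32(lvl_rem);
			doi_def->map.std->lvl.cipso[nla_get_u32(lvl_rem)] =
				nla_get_u32(lvl_loc);
		}

	/* the category list is optional; without it the category tables stay
	 * at the zeroed state left by kzalloc() */
	if (info->attrs[NLBL_CIPSOV4_A_MLSCATLST]) {
		if (nla_validate_nested_deprecated(info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
						   NLBL_CIPSOV4_A_MAX,
						   netlbl_cipsov4_genl_policy,
						   NULL) != 0)
			goto add_std_failure;

		/* Pass 1 over the category list: bound and size, as above. */
		nla_for_each_nested(nla_a,
				    info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
				    nla_a_rem)
			if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) {
				if (nla_validate_nested_deprecated(nla_a,
								   NLBL_CIPSOV4_A_MAX,
								   netlbl_cipsov4_genl_policy,
								   NULL) != 0)
					goto add_std_failure;
				nla_for_each_nested(nla_b, nla_a, nla_b_rem)
					switch (nla_type(nla_b)) {
					case NLBL_CIPSOV4_A_MLSCATLOC:
						if (nla_get_u32(nla_b) >
						    CIPSO_V4_MAX_LOC_CATS)
							goto add_std_failure;
						if (nla_get_u32(nla_b) >=
						    doi_def->map.std->cat.local_size)
							doi_def->map.std->cat.local_size =
								nla_get_u32(nla_b) + 1;
						break;
					case NLBL_CIPSOV4_A_MLSCATREM:
						if (nla_get_u32(nla_b) >
						    CIPSO_V4_MAX_REM_CATS)
							goto add_std_failure;
						if (nla_get_u32(nla_b) >=
						    doi_def->map.std->cat.cipso_size)
							doi_def->map.std->cat.cipso_size =
								nla_get_u32(nla_b) + 1;
						break;
					default:
						break;
					}
			}
		doi_def->map.std->cat.local = kcalloc(
					      doi_def->map.std->cat.local_size,
					      sizeof(u32),
					      GFP_KERNEL);
		if (doi_def->map.std->cat.local == NULL) {
			ret_val = -ENOMEM;
			goto add_std_failure;
		}
		doi_def->map.std->cat.cipso = kcalloc(
					      doi_def->map.std->cat.cipso_size,
					      sizeof(u32),
					      GFP_KERNEL);
		if (doi_def->map.std->cat.cipso == NULL) {
			ret_val = -ENOMEM;
			goto add_std_failure;
		}
		for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++)
			doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT;
		for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++)
			doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT;
		/* Pass 2 over the category list: fill in both directions. */
		nla_for_each_nested(nla_a,
				    info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
				    nla_a_rem)
			if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) {
				struct nlattr *cat_loc;
				struct nlattr *cat_rem;

				cat_loc = nla_find_nested(nla_a,
						    NLBL_CIPSOV4_A_MLSCATLOC);
				cat_rem = nla_find_nested(nla_a,
						    NLBL_CIPSOV4_A_MLSCATREM);
				if (cat_loc == NULL || cat_rem == NULL)
					goto add_std_failure;
				doi_def->map.std->cat.local[
							nla_get_u32(cat_loc)] =
					nla_get_u32(cat_rem);
				doi_def->map.std->cat.cipso[
							nla_get_u32(cat_rem)] =
					nla_get_u32(cat_loc);
			}
	}

	ret_val = cipso_v4_doi_add(doi_def, audit_info);
	if (ret_val != 0)
		goto add_std_failure;
	return 0;

add_std_failure:
	/* type is CIPSO_V4_MAP_TRANS and map.std is allocated on every path
	 * that reaches this label, so the full free routine is safe here */
	cipso_v4_doi_free(doi_def);
	return ret_val;
}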
314 | ||
/**
 * netlbl_cipsov4_add_pass - Adds a CIPSO V4 DOI definition
 * @info: the Generic NETLINK info block
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Create a new CIPSO_V4_MAP_PASS DOI definition based on the given ADD message
 * and add it to the CIPSO V4 engine.  A pass-through definition carries only
 * the DOI and the tag list, so the common parser does all of the work.
 * Return zero on success and non-zero on error; on error the definition is
 * released before returning.
 *
 */
static int netlbl_cipsov4_add_pass(struct genl_info *info,
				   struct netlbl_audit *audit_info)
{
	struct cipso_v4_doi *doi_def;
	int rc;

	if (info->attrs[NLBL_CIPSOV4_A_TAGLST] == NULL)
		return -EINVAL;

	doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
	if (!doi_def)
		return -ENOMEM;
	/* set the type before anything can fail so the free routine below
	 * takes the right branch */
	doi_def->type = CIPSO_V4_MAP_PASS;

	rc = netlbl_cipsov4_add_common(info, doi_def);
	if (rc == 0)
		rc = cipso_v4_doi_add(doi_def, audit_info);
	if (rc != 0) {
		cipso_v4_doi_free(doi_def);
		return rc;
	}

	return 0;
}
353 | ||
/**
 * netlbl_cipsov4_add_local - Adds a CIPSO V4 DOI definition
 * @info: the Generic NETLINK info block
 * @audit_info: NetLabel audit information
 *
 * Description:
 * Create a new CIPSO_V4_MAP_LOCAL DOI definition based on the given ADD
 * message and add it to the CIPSO V4 engine.  Like the pass-through type, a
 * local definition only needs the DOI and the tag list.  Return zero on
 * success and non-zero on error; on error the definition is released before
 * returning.
 *
 */
static int netlbl_cipsov4_add_local(struct genl_info *info,
				    struct netlbl_audit *audit_info)
{
	struct cipso_v4_doi *doi_def;
	int rc = -EINVAL;

	if (info->attrs[NLBL_CIPSOV4_A_TAGLST] == NULL)
		return rc;

	doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
	if (doi_def == NULL)
		return -ENOMEM;
	doi_def->type = CIPSO_V4_MAP_LOCAL;

	rc = netlbl_cipsov4_add_common(info, doi_def);
	if (rc != 0)
		goto out_free;

	rc = cipso_v4_doi_add(doi_def, audit_info);
	if (rc != 0)
		goto out_free;

	return 0;

out_free:
	cipso_v4_doi_free(doi_def);
	return rc;
}
392 | ||
/**
 * netlbl_cipsov4_add - Handle an ADD message
 * @skb: the NETLINK buffer
 * @info: the Generic NETLINK info block
 *
 * Description:
 * Create a new DOI definition based on the given ADD message and add it to the
 * CIPSO V4 engine.  The mapping type attribute selects which of the
 * type-specific helpers builds the definition; an unknown type is rejected
 * with -EINVAL.  On success the NetLabel protocol count is bumped so the
 * management code knows a CIPSOv4 DOI is in use.  Returns zero on success,
 * negative values on failure.
 *
 */
static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
{
	struct netlbl_audit audit_info;
	u32 map_type;
	int rc;

	if (info->attrs[NLBL_CIPSOV4_A_DOI] == NULL ||
	    info->attrs[NLBL_CIPSOV4_A_MTYPE] == NULL)
		return -EINVAL;

	netlbl_netlink_auditinfo(skb, &audit_info);
	map_type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
	switch (map_type) {
	case CIPSO_V4_MAP_TRANS:
		rc = netlbl_cipsov4_add_std(info, &audit_info);
		break;
	case CIPSO_V4_MAP_PASS:
		rc = netlbl_cipsov4_add_pass(info, &audit_info);
		break;
	case CIPSO_V4_MAP_LOCAL:
		rc = netlbl_cipsov4_add_local(info, &audit_info);
		break;
	default:
		rc = -EINVAL;
		break;
	}
	if (rc == 0)
		atomic_inc(&netlabel_mgmt_protocount);

	return rc;
}
430 | ||
/**
 * netlbl_cipsov4_list - Handle a LIST message
 * @skb: the NETLINK buffer
 * @info: the Generic NETLINK info block
 *
 * Description:
 * Process a user generated LIST message and respond accordingly. While the
 * response message generated by the kernel is straightforward, determining
 * before hand the size of the buffer to allocate is not (we have to generate
 * the message to know the size). In order to keep this function sane what we
 * do is allocate a buffer of NLMSG_GOODSIZE and try to fit the response in
 * that size, if we fail then we restart with a larger buffer and try again.
 * We continue in this manner until we hit a limit of failed attempts then we
 * give up and just send an error message. Returns zero on success and
 * negative values on error.
 *
 * The DOI definition is looked up and read entirely under the RCU read lock;
 * every exit path below the rcu_read_lock() call releases it.  This command
 * is registered with .flags = 0 in netlbl_cipsov4_ops, i.e. without
 * GENL_ADMIN_PERM, and it only reads the definition.
 *
 */
static int netlbl_cipsov4_list(struct sk_buff *skb, struct genl_info *info)
{
	int ret_val;
	struct sk_buff *ans_skb = NULL;
	u32 nlsze_mult = 1;	/* reply buffer size multiplier, doubled on retry */
	void *data;
	u32 doi;
	struct nlattr *nla_a;
	struct nlattr *nla_b;
	struct cipso_v4_doi *doi_def;
	u32 iter;

	if (!info->attrs[NLBL_CIPSOV4_A_DOI]) {
		ret_val = -EINVAL;
		/* ans_skb is still NULL here; kfree_skb(NULL) is a no-op */
		goto list_failure;
	}

list_start:
	ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE * nlsze_mult, GFP_KERNEL);
	if (ans_skb == NULL) {
		ret_val = -ENOMEM;
		goto list_failure;
	}
	data = genlmsg_put_reply(ans_skb, info, &netlbl_cipsov4_gnl_family,
				 0, NLBL_CIPSOV4_C_LIST);
	if (data == NULL) {
		ret_val = -ENOMEM;
		goto list_failure;
	}

	doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);

	/* doi_def is only valid while the RCU read lock is held */
	rcu_read_lock();
	doi_def = cipso_v4_doi_getdef(doi);
	if (doi_def == NULL) {
		ret_val = -EINVAL;
		goto list_failure_lock;
	}

	ret_val = nla_put_u32(ans_skb, NLBL_CIPSOV4_A_MTYPE, doi_def->type);
	if (ret_val != 0)
		goto list_failure_lock;

	/* the tag list is small and fixed-size, so a failure here is not
	 * retried with a larger buffer */
	nla_a = nla_nest_start_noflag(ans_skb, NLBL_CIPSOV4_A_TAGLST);
	if (nla_a == NULL) {
		ret_val = -ENOMEM;
		goto list_failure_lock;
	}
	for (iter = 0;
	     iter < CIPSO_V4_TAG_MAXCNT &&
	     doi_def->tags[iter] != CIPSO_V4_TAG_INVALID;
	     iter++) {
		ret_val = nla_put_u8(ans_skb,
				     NLBL_CIPSOV4_A_TAG,
				     doi_def->tags[iter]);
		if (ret_val != 0)
			goto list_failure_lock;
	}
	nla_nest_end(ans_skb, nla_a);

	/* only translation maps carry level/category tables; the other map
	 * types have nothing further to report */
	switch (doi_def->type) {
	case CIPSO_V4_MAP_TRANS:
		nla_a = nla_nest_start_noflag(ans_skb,
					      NLBL_CIPSOV4_A_MLSLVLLST);
		if (nla_a == NULL) {
			ret_val = -ENOMEM;
			goto list_failure_lock;
		}
		/* walk the local->remote level table, skipping unmapped slots */
		for (iter = 0;
		     iter < doi_def->map.std->lvl.local_size;
		     iter++) {
			if (doi_def->map.std->lvl.local[iter] ==
			    CIPSO_V4_INV_LVL)
				continue;

			nla_b = nla_nest_start_noflag(ans_skb,
						      NLBL_CIPSOV4_A_MLSLVL);
			if (nla_b == NULL) {
				ret_val = -ENOMEM;
				goto list_retry;
			}
			ret_val = nla_put_u32(ans_skb,
					      NLBL_CIPSOV4_A_MLSLVLLOC,
					      iter);
			if (ret_val != 0)
				goto list_retry;
			ret_val = nla_put_u32(ans_skb,
					      NLBL_CIPSOV4_A_MLSLVLREM,
					      doi_def->map.std->lvl.local[iter]);
			if (ret_val != 0)
				goto list_retry;
			nla_nest_end(ans_skb, nla_b);
		}
		nla_nest_end(ans_skb, nla_a);

		nla_a = nla_nest_start_noflag(ans_skb,
					      NLBL_CIPSOV4_A_MLSCATLST);
		if (nla_a == NULL) {
			ret_val = -ENOMEM;
			goto list_retry;
		}
		/* same walk for the local->remote category table */
		for (iter = 0;
		     iter < doi_def->map.std->cat.local_size;
		     iter++) {
			if (doi_def->map.std->cat.local[iter] ==
			    CIPSO_V4_INV_CAT)
				continue;

			nla_b = nla_nest_start_noflag(ans_skb,
						      NLBL_CIPSOV4_A_MLSCAT);
			if (nla_b == NULL) {
				ret_val = -ENOMEM;
				goto list_retry;
			}
			ret_val = nla_put_u32(ans_skb,
					      NLBL_CIPSOV4_A_MLSCATLOC,
					      iter);
			if (ret_val != 0)
				goto list_retry;
			ret_val = nla_put_u32(ans_skb,
					      NLBL_CIPSOV4_A_MLSCATREM,
					      doi_def->map.std->cat.local[iter]);
			if (ret_val != 0)
				goto list_retry;
			nla_nest_end(ans_skb, nla_b);
		}
		nla_nest_end(ans_skb, nla_a);

		break;
	}
	rcu_read_unlock();

	/* genlmsg_reply() takes ownership of ans_skb */
	genlmsg_end(ans_skb, data);
	return genlmsg_reply(ans_skb, info);

list_retry:
	/* XXX - this limit is a guesstimate */
	/* reached only from the level/category tables above; the buffer is
	 * doubled (1x, 2x, 4x NLMSG_DEFAULT_SIZE) and then we give up and
	 * fall through to the failure path with the last ret_val */
	if (nlsze_mult < 4) {
		rcu_read_unlock();
		kfree_skb(ans_skb);
		nlsze_mult *= 2;
		goto list_start;
	}
list_failure_lock:
	rcu_read_unlock();
list_failure:
	kfree_skb(ans_skb);
	return ret_val;
}
597 | ||
/**
 * netlbl_cipsov4_listall_cb - cipso_v4_doi_walk() callback for LISTALL
 * @doi_def: the CIPSOv4 DOI definition
 * @arg: the netlbl_cipsov4_doiwalk_arg structure
 *
 * Description:
 * This function is designed to be used as a callback to the
 * cipso_v4_doi_walk() function for use in generating a response for a LISTALL
 * message.  One multipart message carrying the DOI and its mapping type is
 * appended to the dump buffer per definition; a message that does not fit is
 * cancelled so the buffer is left consistent.  Returns zero on success,
 * negative values on failure.
 *
 */
static int netlbl_cipsov4_listall_cb(struct cipso_v4_doi *doi_def, void *arg)
{
	struct netlbl_cipsov4_doiwalk_arg *cb_arg = arg;
	struct sk_buff *skb = cb_arg->skb;
	void *hdr;
	int rc = -ENOMEM;

	hdr = genlmsg_put(skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
			  cb_arg->seq, &netlbl_cipsov4_gnl_family,
			  NLM_F_MULTI, NLBL_CIPSOV4_C_LISTALL);
	if (hdr == NULL)
		goto listall_cb_failure;

	rc = nla_put_u32(skb, NLBL_CIPSOV4_A_DOI, doi_def->doi);
	if (rc == 0)
		rc = nla_put_u32(skb, NLBL_CIPSOV4_A_MTYPE, doi_def->type);
	if (rc != 0)
		goto listall_cb_failure;

	genlmsg_end(skb, hdr);
	return 0;

listall_cb_failure:
	/* roll back the partially written message */
	genlmsg_cancel(skb, hdr);
	return rc;
}
638 | ||
/**
 * netlbl_cipsov4_listall - Handle a LISTALL message
 * @skb: the NETLINK buffer
 * @cb: the NETLINK callback
 *
 * Description:
 * Process a user generated LISTALL message and respond accordingly.  This is
 * the dump handler: the walk position is carried across calls in cb->args[0]
 * so a dump that fills @skb can resume where it stopped.  Returns the number
 * of bytes written to @skb, as dump handlers do.
 *
 */
static int netlbl_cipsov4_listall(struct sk_buff *skb,
				  struct netlink_callback *cb)
{
	u32 doi_skip = cb->args[0];
	struct netlbl_cipsov4_doiwalk_arg cb_arg = {
		.nl_cb = cb,
		.skb = skb,
		.seq = cb->nlh->nlmsg_seq,
	};

	cipso_v4_doi_walk(&doi_skip, netlbl_cipsov4_listall_cb, &cb_arg);
	/* remember how far we got for the next call of the dump */
	cb->args[0] = doi_skip;

	return skb->len;
}
664 | ||
/**
 * netlbl_cipsov4_remove_cb - netlbl_cipsov4_remove() callback for REMOVE
 * @entry: LSM domain mapping entry
 * @arg: the netlbl_domhsh_walk_arg structure
 *
 * Description:
 * This function is intended for use by netlbl_cipsov4_remove() as the callback
 * for the netlbl_domhsh_walk() function; it removes LSM domain map entries
 * which are associated with the CIPSO DOI specified in @arg.  Entries of any
 * other type, or bound to a different DOI, are left alone.  Returns zero on
 * success, negative values on failure.
 *
 */
static int netlbl_cipsov4_remove_cb(struct netlbl_dom_map *entry, void *arg)
{
	struct netlbl_domhsh_walk_arg *cb_arg = arg;
	bool matches;

	/* check the type first; def.cipso is only meaningful for CIPSOv4 */
	matches = entry->def.type == NETLBL_NLTYPE_CIPSOV4 &&
		  entry->def.cipso->doi == cb_arg->doi;
	if (!matches)
		return 0;

	return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info);
}
687 | ||
/**
 * netlbl_cipsov4_remove - Handle a REMOVE message
 * @skb: the NETLINK buffer
 * @info: the Generic NETLINK info block
 *
 * Description:
 * Process a user generated REMOVE message and respond accordingly.  The LSM
 * domain mappings that reference the DOI are dropped first, then the DOI
 * definition itself; the protocol count is decremented only when the latter
 * succeeds.  Returns zero on success, negative values on failure.
 *
 */
static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
{
	struct netlbl_audit audit_info;
	struct netlbl_domhsh_walk_arg cb_arg;
	u32 skip_bkt = 0;
	u32 skip_chain = 0;
	int rc;

	if (info->attrs[NLBL_CIPSOV4_A_DOI] == NULL)
		return -EINVAL;

	netlbl_netlink_auditinfo(skb, &audit_info);
	cb_arg.doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
	cb_arg.audit_info = &audit_info;

	rc = netlbl_domhsh_walk(&skip_bkt, &skip_chain,
				netlbl_cipsov4_remove_cb, &cb_arg);
	/* -ENOENT just means no domain mapping used this DOI; that is fine */
	if (rc != 0 && rc != -ENOENT)
		return rc;

	rc = cipso_v4_doi_remove(cb_arg.doi, &audit_info);
	if (rc == 0)
		atomic_dec(&netlabel_mgmt_protocount);

	return rc;
}
722 | ||
723 | /* | |
724 | * NetLabel Generic NETLINK Command Definitions | |
725 | */ | |
726 | ||
/* ADD and REMOVE modify the label mappings and are restricted with
 * GENL_ADMIN_PERM (CAP_NET_ADMIN); LIST and LISTALL are read-only and are
 * registered with .flags = 0, so any caller may issue them.  Every command
 * opts out of strict netlink validation (GENL_DONT_VALIDATE_STRICT |
 * GENL_DONT_VALIDATE_DUMP); the attribute policy is still applied, and the
 * handlers re-validate nested lists explicitly before walking them. */
static const struct genl_ops netlbl_cipsov4_ops[] = {
	{
	.cmd = NLBL_CIPSOV4_C_ADD,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = GENL_ADMIN_PERM,
	.doit = netlbl_cipsov4_add,
	.dumpit = NULL,
	},
	{
	.cmd = NLBL_CIPSOV4_C_REMOVE,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = GENL_ADMIN_PERM,
	.doit = netlbl_cipsov4_remove,
	.dumpit = NULL,
	},
	{
	.cmd = NLBL_CIPSOV4_C_LIST,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = 0,
	.doit = netlbl_cipsov4_list,
	.dumpit = NULL,
	},
	{
	.cmd = NLBL_CIPSOV4_C_LISTALL,
	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
	.flags = 0,
	.doit = NULL,
	.dumpit = netlbl_cipsov4_listall,	/* dump handler, not a doit */
	},
};
757 | ||
/* Definition of the family forward-declared above.  Setting .policy and
 * .maxattr makes generic netlink parse every request's attributes into
 * info->attrs before a handler runs, so the handlers only need to check for
 * presence.  __ro_after_init: the table is write-protected once init is
 * done. */
static struct genl_family netlbl_cipsov4_gnl_family __ro_after_init = {
	.hdrsize = 0,
	.name = NETLBL_NLTYPE_CIPSOV4_NAME,
	.version = NETLBL_PROTO_VERSION,
	.maxattr = NLBL_CIPSOV4_A_MAX,
	.policy = netlbl_cipsov4_genl_policy,
	.module = THIS_MODULE,
	.ops = netlbl_cipsov4_ops,
	.n_ops = ARRAY_SIZE(netlbl_cipsov4_ops),
};
768 | ||
96cb8e33 PM |
769 | /* |
770 | * NetLabel Generic NETLINK Protocol Functions | |
771 | */ | |
772 | ||
/**
 * netlbl_cipsov4_genl_init - Register the CIPSOv4 NetLabel component
 *
 * Description:
 * Register the CIPSOv4 packet NetLabel component with the Generic NETLINK
 * mechanism.  Returns zero on success, negative values on failure.
 *
 */
int __init netlbl_cipsov4_genl_init(void)
{
	int rc;

	/* registration is the only step; the family and ops are static */
	rc = genl_register_family(&netlbl_cipsov4_gnl_family);

	return rc;
}