// SPDX-License-Identifier: GPL-2.0-or-later

  /*
   * SELinux NetLabel Support
   *
   * This file provides the necessary glue to tie NetLabel into the SELinux
   * subsystem.
   *

   * Author: Paul Moore <paul@paul-moore.com>

   */
  
  /*

   * (c) Copyright Hewlett-Packard Development Company, L.P., 2007, 2008

   */
  
  #include <linux/spinlock.h>
  #include <linux/rcupdate.h>

  #include <linux/gfp.h>

  #include <linux/ip.h>
  #include <linux/ipv6.h>

  #include <net/sock.h>
  #include <net/netlabel.h>

  #include <net/ip.h>
  #include <net/ipv6.h>

  
  #include "objsec.h"
  #include "security.h"

  #include "netlabel.h"

  
  /**

   * selinux_netlbl_sidlookup_cached - Cache a SID lookup
   * @skb: the packet
   * @secattr: the NetLabel security attributes
   * @sid: the SID
   *
   * Description:
   * Query the SELinux security server to lookup the correct SID for the given
   * security attributes.  If the query is successful, cache the result to speed
   * up future lookups.  Returns zero on success, negative values on failure.
   *
   */
  static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,

  					   u16 family,

  					   struct netlbl_lsm_secattr *secattr,
  					   u32 *sid)
  {
  	int rc;

  	rc = security_netlbl_secattr_to_sid(&selinux_state, secattr, sid);

  	if (rc == 0 &&
  	    (secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
  	    (secattr->flags & NETLBL_SECATTR_CACHE))

  		netlbl_cache_add(skb, family, secattr);

  
  	return rc;
  }
  
  /**

   * selinux_netlbl_sock_genattr - Generate the NetLabel socket secattr
   * @sk: the socket
   *
   * Description:
   * Generate the NetLabel security attributes for a socket, making full use of
   * the socket's attribute cache.  Returns a pointer to the security attributes
   * on success, NULL on failure.
   *
   */
  static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
  {
  	int rc;
  	struct sk_security_struct *sksec = sk->sk_security;
  	struct netlbl_lsm_secattr *secattr;
  
  	if (sksec->nlbl_secattr != NULL)
  		return sksec->nlbl_secattr;
  
  	secattr = netlbl_secattr_alloc(GFP_ATOMIC);
  	if (secattr == NULL)
  		return NULL;

  	rc = security_netlbl_sid_to_secattr(&selinux_state, sksec->sid,
  					    secattr);

  	if (rc != 0) {
  		netlbl_secattr_free(secattr);
  		return NULL;
  	}
  	sksec->nlbl_secattr = secattr;
  
  	return secattr;
  }
  
  /**

   * selinux_netlbl_sock_getattr - Get the cached NetLabel secattr
   * @sk: the socket
   * @sid: the SID
   *
   * Query the socket's cached secattr and if the SID matches the cached value
   * return the cache, otherwise return NULL.
   *
   */
  static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr(
  							const struct sock *sk,
  							u32 sid)
  {
  	struct sk_security_struct *sksec = sk->sk_security;
  	struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr;
  
  	if (secattr == NULL)
  		return NULL;
  
  	if ((secattr->flags & NETLBL_SECATTR_SECID) &&
  	    (secattr->attr.secid == sid))
  		return secattr;
  
  	return NULL;
  }
  
  /**

   * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
   *
   * Description:
   * Invalidate the NetLabel security attribute mapping cache.
   *
   */
  void selinux_netlbl_cache_invalidate(void)
  {
  	netlbl_cache_invalidate();
  }
  
  /**

   * selinux_netlbl_err - Handle a NetLabel packet error
   * @skb: the packet
   * @error: the error code
   * @gateway: true if host is acting as a gateway, false otherwise
   *
   * Description:
   * When a packet is dropped due to a call to avc_has_perm() pass the error
   * code to the NetLabel subsystem so any protocol specific processing can be
   * done.  This is safe to call even if you are unsure if NetLabel labeling is
   * present on the packet, NetLabel is smart enough to only act when it should.
   *
   */

  void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error, int gateway)

  {

  	netlbl_skbuff_err(skb, family, error, gateway);

  }
  
  /**

   * selinux_netlbl_sk_security_free - Free the NetLabel fields

   * @sksec: the sk_security_struct

   *
   * Description:
   * Free all of the memory in the NetLabel fields of a sk_security_struct.
   *
   */

  void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec)

  {

  	if (sksec->nlbl_secattr != NULL)
  		netlbl_secattr_free(sksec->nlbl_secattr);

  }
  
  /**

   * selinux_netlbl_sk_security_reset - Reset the NetLabel fields

   * @sksec: the sk_security_struct

   * @family: the socket family
   *
   * Description:
   * Called when the NetLabel state of a sk_security_struct needs to be reset.

   * The caller is responsible for all the NetLabel sk_security_struct locking.

   *
   */

  void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec)

  {

  	sksec->nlbl_state = NLBL_UNSET;

  }
  
  /**

   * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
   * @skb: the packet

   * @family: protocol family

   * @type: NetLabel labeling protocol type

   * @sid: the SID
   *
   * Description:
   * Call the NetLabel mechanism to get the security attributes of the given
   * packet and use those attributes to determine the correct context/SID to
   * assign to the packet.  Returns zero on success, negative values on failure.
   *
   */

  int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
  				 u16 family,

  				 u32 *type,

  				 u32 *sid)

  {
  	int rc;
  	struct netlbl_lsm_secattr secattr;

  	if (!netlbl_enabled()) {
  		*sid = SECSID_NULL;
  		return 0;
  	}

  	netlbl_secattr_init(&secattr);

  	rc = netlbl_skbuff_getattr(skb, family, &secattr);

  	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)

  		rc = selinux_netlbl_sidlookup_cached(skb, family,
  						     &secattr, sid);

  	else

  		*sid = SECSID_NULL;

  	*type = secattr.type;

  	netlbl_secattr_destroy(&secattr);
  
  	return rc;
  }
  
  /**

   * selinux_netlbl_skbuff_setsid - Set the NetLabel on a packet given a sid
   * @skb: the packet
   * @family: protocol family
   * @sid: the SID
   *
   * Description
   * Call the NetLabel mechanism to set the label of a packet using @sid.

   * Returns zero on success, negative values on failure.

   *
   */
  int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
  				 u16 family,
  				 u32 sid)
  {
  	int rc;

  	struct netlbl_lsm_secattr secattr_storage;
  	struct netlbl_lsm_secattr *secattr = NULL;

  	struct sock *sk;
  
  	/* if this is a locally generated packet check to see if it is already
  	 * being labeled by it's parent socket, if it is just exit */

  	sk = skb_to_full_sk(skb);

  	if (sk != NULL) {
  		struct sk_security_struct *sksec = sk->sk_security;

  		if (sksec->nlbl_state != NLBL_REQSKB)
  			return 0;

  		secattr = selinux_netlbl_sock_getattr(sk, sid);

  	}
  	if (secattr == NULL) {
  		secattr = &secattr_storage;
  		netlbl_secattr_init(secattr);

  		rc = security_netlbl_sid_to_secattr(&selinux_state, sid,
  						    secattr);

  		if (rc != 0)
  			goto skbuff_setsid_return;

  	}

  	rc = netlbl_skbuff_setattr(skb, family, secattr);

  
  skbuff_setsid_return:

  	if (secattr == &secattr_storage)
  		netlbl_secattr_destroy(secattr);

  	return rc;
  }
  
  /**

   * selinux_netlbl_sctp_assoc_request - Label an incoming sctp association.
   * @ep: incoming association endpoint.
   * @skb: the packet.
   *
   * Description:
   * A new incoming connection is represented by @ep, ......
   * Returns zero on success, negative values on failure.
   *
   */
  int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
  				     struct sk_buff *skb)
  {
  	int rc;
  	struct netlbl_lsm_secattr secattr;
  	struct sk_security_struct *sksec = ep->base.sk->sk_security;

  	struct sockaddr_in addr4;

  	struct sockaddr_in6 addr6;

  
  	if (ep->base.sk->sk_family != PF_INET &&
  				ep->base.sk->sk_family != PF_INET6)
  		return 0;
  
  	netlbl_secattr_init(&secattr);

  	rc = security_netlbl_sid_to_secattr(&selinux_state,
  					    ep->secid, &secattr);

  	if (rc != 0)
  		goto assoc_request_return;
  
  	/* Move skb hdr address info to a struct sockaddr and then call
  	 * netlbl_conn_setattr().
  	 */
  	if (ip_hdr(skb)->version == 4) {
  		addr4.sin_family = AF_INET;
  		addr4.sin_addr.s_addr = ip_hdr(skb)->saddr;

  		rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr4, &secattr);
  	} else if (IS_ENABLED(CONFIG_IPV6) && ip_hdr(skb)->version == 6) {

  		addr6.sin6_family = AF_INET6;
  		addr6.sin6_addr = ipv6_hdr(skb)->saddr;

  		rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr6, &secattr);
  	} else {
  		rc = -EAFNOSUPPORT;

  	}

  	if (rc == 0)
  		sksec->nlbl_state = NLBL_LABELED;
  
  assoc_request_return:
  	netlbl_secattr_destroy(&secattr);
  	return rc;
  }
  
  /**

   * selinux_netlbl_inet_conn_request - Label an incoming stream connection
   * @req: incoming connection request socket

   *
   * Description:

   * A new incoming connection request is represented by @req, we need to label
   * the new request_sock here and the stack will ensure the on-the-wire label
   * will get preserved when a full sock is created once the connection handshake
   * is complete.  Returns zero on success, negative values on failure.

   *
   */

  int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)

  {

  	int rc;

  	struct netlbl_lsm_secattr secattr;

  	if (family != PF_INET && family != PF_INET6)

  		return 0;

  	netlbl_secattr_init(&secattr);

  	rc = security_netlbl_sid_to_secattr(&selinux_state, req->secid,
  					    &secattr);

  	if (rc != 0)
  		goto inet_conn_request_return;
  	rc = netlbl_req_setattr(req, &secattr);
  inet_conn_request_return:
  	netlbl_secattr_destroy(&secattr);
  	return rc;

  }
  
  /**

   * selinux_netlbl_inet_csk_clone - Initialize the newly created sock
   * @sk: the new sock

   *
   * Description:

   * A new connection has been established using @sk, we've already labeled the
   * socket via the request_sock struct in selinux_netlbl_inet_conn_request() but
   * we need to set the NetLabel state here since we now have a sock structure.

   *
   */

  void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)

  {

  	struct sk_security_struct *sksec = sk->sk_security;
  
  	if (family == PF_INET)
  		sksec->nlbl_state = NLBL_LABELED;
  	else
  		sksec->nlbl_state = NLBL_UNSET;

  }
  
  /**

   * selinux_netlbl_sctp_sk_clone - Copy state to the newly created sock
   * @sk: current sock
   * @newsk: the new sock
   *
   * Description:
   * Called whenever a new socket is created by accept(2) or sctp_peeloff(3).
   */
  void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk)
  {
  	struct sk_security_struct *sksec = sk->sk_security;
  	struct sk_security_struct *newsksec = newsk->sk_security;
  
  	newsksec->nlbl_state = sksec->nlbl_state;
  }
  
  /**

   * selinux_netlbl_socket_post_create - Label a socket using NetLabel
   * @sock: the socket to label
   * @family: protocol family

   *
   * Description:

   * Attempt to label a socket using the NetLabel mechanism using the given
   * SID.  Returns zero values on success, negative values on failure.

   *
   */

  int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)

  {
  	int rc;

  	struct sk_security_struct *sksec = sk->sk_security;
  	struct netlbl_lsm_secattr *secattr;

  	if (family != PF_INET && family != PF_INET6)

  		return 0;

  	secattr = selinux_netlbl_sock_genattr(sk);
  	if (secattr == NULL)
  		return -ENOMEM;
  	rc = netlbl_sock_setattr(sk, family, secattr);
  	switch (rc) {
  	case 0:
  		sksec->nlbl_state = NLBL_LABELED;
  		break;
  	case -EDESTADDRREQ:
  		sksec->nlbl_state = NLBL_REQSKB;

  		rc = 0;

  		break;
  	}

  
  	return rc;
  }
  
  /**
   * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
   * @sksec: the sock's sk_security_struct
   * @skb: the packet

   * @family: protocol family

   * @ad: the audit data
   *
   * Description:
   * Fetch the NetLabel security attributes from @skb and perform an access check
   * against the receiving socket.  Returns zero on success, negative values on
   * error.
   *
   */
  int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
  				struct sk_buff *skb,

  				u16 family,

  				struct common_audit_data *ad)

  {
  	int rc;

  	u32 nlbl_sid;
  	u32 perm;
  	struct netlbl_lsm_secattr secattr;

  	if (!netlbl_enabled())
  		return 0;

  	netlbl_secattr_init(&secattr);

  	rc = netlbl_skbuff_getattr(skb, family, &secattr);

  	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)

  		rc = selinux_netlbl_sidlookup_cached(skb, family,
  						     &secattr, &nlbl_sid);

  	else

  		nlbl_sid = SECINITSID_UNLABELED;
  	netlbl_secattr_destroy(&secattr);

  	if (rc != 0)
  		return rc;

  	switch (sksec->sclass) {
  	case SECCLASS_UDP_SOCKET:

  		perm = UDP_SOCKET__RECVFROM;

  		break;
  	case SECCLASS_TCP_SOCKET:

  		perm = TCP_SOCKET__RECVFROM;

  		break;
  	default:

  		perm = RAWIP_SOCKET__RECVFROM;

  	}

  	rc = avc_has_perm(&selinux_state,
  			  sksec->sid, nlbl_sid, sksec->sclass, perm, ad);

  	if (rc == 0)
  		return 0;

  	if (nlbl_sid != SECINITSID_UNLABELED)

  		netlbl_skbuff_err(skb, family, rc, 0);

  	return rc;
  }
  
  /**

   * selinux_netlbl_option - Is this a NetLabel option
   * @level: the socket level or protocol
   * @optname: the socket option name
   *
   * Description:
   * Returns true if @level and @optname refer to a NetLabel option.
   * Helper for selinux_netlbl_socket_setsockopt().
   */
  static inline int selinux_netlbl_option(int level, int optname)
  {
  	return (level == IPPROTO_IP && optname == IP_OPTIONS) ||
  		(level == IPPROTO_IPV6 && optname == IPV6_HOPOPTS);
  }
  
  /**

   * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
   * @sock: the socket
   * @level: the socket level or protocol
   * @optname: the socket option name
   *
   * Description:
   * Check the setsockopt() call and if the user is trying to replace the IP
   * options on a socket and a NetLabel is in place for the socket deny the
   * access; otherwise allow the access.  Returns zero when the access is
   * allowed, -EACCES when denied, and other negative values on error.
   *
   */
  int selinux_netlbl_socket_setsockopt(struct socket *sock,
  				     int level,
  				     int optname)
  {
  	int rc = 0;

  	struct sock *sk = sock->sk;
  	struct sk_security_struct *sksec = sk->sk_security;

  	struct netlbl_lsm_secattr secattr;

  	if (selinux_netlbl_option(level, optname) &&

  	    (sksec->nlbl_state == NLBL_LABELED ||
  	     sksec->nlbl_state == NLBL_CONNLABELED)) {

  		netlbl_secattr_init(&secattr);

  		lock_sock(sk);

  		/* call the netlabel function directly as we want to see the
  		 * on-the-wire label that is assigned via the socket's options
  		 * and not the cached netlabel/lsm attributes */

  		rc = netlbl_sock_getattr(sk, &secattr);
  		release_sock(sk);

  		if (rc == 0)

  			rc = -EACCES;

  		else if (rc == -ENOMSG)
  			rc = 0;

  		netlbl_secattr_destroy(&secattr);
  	}

  
  	return rc;
  }

  
  /**

   * selinux_netlbl_socket_connect_helper - Help label a client-side socket on
   * connect

   * @sk: the socket to label
   * @addr: the destination address
   *
   * Description:
   * Attempt to label a connected socket with NetLabel using the given address.
   * Returns zero values on success, negative values on failure.
   *
   */

  static int selinux_netlbl_socket_connect_helper(struct sock *sk,
  						struct sockaddr *addr)

  {
  	int rc;
  	struct sk_security_struct *sksec = sk->sk_security;

  	struct netlbl_lsm_secattr *secattr;

  	/* connected sockets are allowed to disconnect when the address family
  	 * is set to AF_UNSPEC, if that is what is happening we want to reset
  	 * the socket */
  	if (addr->sa_family == AF_UNSPEC) {
  		netlbl_sock_delattr(sk);
  		sksec->nlbl_state = NLBL_REQSKB;
  		rc = 0;

  		return rc;

  	}

  	secattr = selinux_netlbl_sock_genattr(sk);
  	if (secattr == NULL) {
  		rc = -ENOMEM;

  		return rc;

  	}
  	rc = netlbl_conn_setattr(sk, addr, secattr);
  	if (rc == 0)
  		sksec->nlbl_state = NLBL_CONNLABELED;

  	return rc;
  }
  
  /**
   * selinux_netlbl_socket_connect_locked - Label a client-side socket on
   * connect
   * @sk: the socket to label
   * @addr: the destination address
   *
   * Description:
   * Attempt to label a connected socket that already has the socket locked
   * with NetLabel using the given address.
   * Returns zero values on success, negative values on failure.
   *
   */
  int selinux_netlbl_socket_connect_locked(struct sock *sk,
  					 struct sockaddr *addr)
  {
  	struct sk_security_struct *sksec = sk->sk_security;
  
  	if (sksec->nlbl_state != NLBL_REQSKB &&
  	    sksec->nlbl_state != NLBL_CONNLABELED)
  		return 0;
  
  	return selinux_netlbl_socket_connect_helper(sk, addr);
  }
  
  /**
   * selinux_netlbl_socket_connect - Label a client-side socket on connect
   * @sk: the socket to label
   * @addr: the destination address
   *
   * Description:
   * Attempt to label a connected socket with NetLabel using the given address.
   * Returns zero values on success, negative values on failure.
   *
   */
  int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
  {
  	int rc;
  
  	lock_sock(sk);
  	rc = selinux_netlbl_socket_connect_locked(sk, addr);

  	release_sock(sk);

  	return rc;
  }