Blame view
net/ipv4/cipso_ipv4.c
61.3 KB
446fda4f2 [NetLabel]: CIPSO... |
1 2 3 4 5 |
/* * CIPSO - Commercial IP Security Option * * This is an implementation of the CIPSO 2.2 protocol as specified in * draft-ietf-cipso-ipsecurity-01.txt with additional tag types as found in |
586c25003 cipso: Fix docume... |
6 |
* FIPS-188. While CIPSO never became a full IETF RFC standard many vendors |
446fda4f2 [NetLabel]: CIPSO... |
7 8 9 |
* have chosen to adopt the protocol and over the years it has become a * de-facto standard for labeled networking. * |
586c25003 cipso: Fix docume... |
10 11 |
* The CIPSO draft specification can be found in the kernel's Documentation * directory as well as the following URL: |
631dd1a88 Update broken web... |
12 |
* http://tools.ietf.org/id/draft-ietf-cipso-ipsecurity-01.txt |
586c25003 cipso: Fix docume... |
13 14 15 |
* The FIPS-188 specification can be found at the following URL: * http://www.itl.nist.gov/fipspubs/fip188.htm * |
446fda4f2 [NetLabel]: CIPSO... |
16 17 18 19 20 |
* Author: Paul Moore <paul.moore@hp.com> * */ /* |
948bf85c1 netlabel: Add fun... |
21 |
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008 |
446fda4f2 [NetLabel]: CIPSO... |
22 23 24 25 26 27 28 29 30 31 32 33 |
* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See * the GNU General Public License for more details. * * You should have received a copy of the GNU General Public License |
a99421d9b ipv4/ipv6: Fix FS... |
34 |
* along with this program; if not, see <http://www.gnu.org/licenses/>. |
446fda4f2 [NetLabel]: CIPSO... |
35 36 37 38 39 40 41 42 43 44 |
* */ #include <linux/init.h> #include <linux/types.h> #include <linux/rcupdate.h> #include <linux/list.h> #include <linux/spinlock.h> #include <linux/string.h> #include <linux/jhash.h> |
6c2e8ac09 netlabel: Update ... |
45 |
#include <linux/audit.h> |
5a0e3ad6a include cleanup: ... |
46 |
#include <linux/slab.h> |
446fda4f2 [NetLabel]: CIPSO... |
47 48 49 50 51 |
#include <net/ip.h> #include <net/icmp.h> #include <net/tcp.h> #include <net/netlabel.h> #include <net/cipso_ipv4.h> |
60063497a atomic: use <linu... |
52 |
#include <linux/atomic.h> |
4c787b162 ipv4: include lin... |
53 |
#include <linux/bug.h> |
50e5d35ce [CIPSO]: Fix seve... |
54 |
#include <asm/unaligned.h> |
446fda4f2 [NetLabel]: CIPSO... |
55 |
|
446fda4f2 [NetLabel]: CIPSO... |
56 |
/* List of available DOI definitions */ |
446fda4f2 [NetLabel]: CIPSO... |
57 58 59 60 |
/* XXX - This currently assumes a minimal number of different DOIs in use, * if in practice there are a lot of different DOIs this list should * probably be turned into a hash table or something similar so we * can do quick lookups. */ |
8ce11e6a9 [NET]: Make code ... |
61 |
static DEFINE_SPINLOCK(cipso_v4_doi_list_lock); |
1596c97aa [IPV4] net/ipv4/c... |
62 |
static LIST_HEAD(cipso_v4_doi_list); |
446fda4f2 [NetLabel]: CIPSO... |
63 64 65 66 67 68 69 70 71 72 73 74 |
/* Label mapping cache */ int cipso_v4_cache_enabled = 1; int cipso_v4_cache_bucketsize = 10; #define CIPSO_V4_CACHE_BUCKETBITS 7 #define CIPSO_V4_CACHE_BUCKETS (1 << CIPSO_V4_CACHE_BUCKETBITS) #define CIPSO_V4_CACHE_REORDERLIMIT 10 struct cipso_v4_map_cache_bkt { spinlock_t lock; u32 size; struct list_head list; }; |
988b13438 cipso: remove NUL... |
75 |
|
446fda4f2 [NetLabel]: CIPSO... |
76 77 78 79 |
struct cipso_v4_map_cache_entry { u32 hash; unsigned char *key; size_t key_len; |
ffb733c65 NetLabel: fix a c... |
80 |
struct netlbl_lsm_cache *lsm_data; |
446fda4f2 [NetLabel]: CIPSO... |
81 82 83 84 |
u32 activity; struct list_head list; }; |
988b13438 cipso: remove NUL... |
85 86 |
static struct cipso_v4_map_cache_bkt *cipso_v4_cache; |
446fda4f2 [NetLabel]: CIPSO... |
87 88 89 90 91 92 |
/* Restricted bitmap (tag #1) flags */ int cipso_v4_rbm_optfmt = 0; int cipso_v4_rbm_strictvalid = 1; /* |
f998e8cb5 NetLabel: cleanup... |
93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 |
* Protocol Constants */ /* Maximum size of the CIPSO IP option, derived from the fact that the maximum * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */ #define CIPSO_V4_OPT_LEN_MAX 40 /* Length of the base CIPSO option, this includes the option type (1 byte), the * option length (1 byte), and the DOI (4 bytes). */ #define CIPSO_V4_HDR_LEN 6 /* Base length of the restrictive category bitmap tag (tag #1). */ #define CIPSO_V4_TAG_RBM_BLEN 4 /* Base length of the enumerated category tag (tag #2). */ #define CIPSO_V4_TAG_ENUM_BLEN 4 /* Base length of the ranged categories bitmap tag (tag #5). */ #define CIPSO_V4_TAG_RNG_BLEN 4 /* The maximum number of category ranges permitted in the ranged category tag * (tag #5). You may note that the IETF draft states that the maximum number * of category ranges is 7, but if the low end of the last category range is |
25985edce Fix common misspe... |
115 |
* zero then it is possible to fit 8 category ranges because the zero should |
f998e8cb5 NetLabel: cleanup... |
116 117 |
* be omitted. */ #define CIPSO_V4_TAG_RNG_CAT_MAX 8 |
15c45f7b2 cipso: Add suppor... |
118 119 120 121 122 123 124 125 126 127 128 129 |
/* Base length of the local tag (non-standard tag). * Tag definition (may change between kernel versions) * * 0 8 16 24 32 * +----------+----------+----------+----------+ * | 10000000 | 00000110 | 32-bit secid value | * +----------+----------+----------+----------+ * | in (host byte order)| * +----------+----------+ * */ #define CIPSO_V4_TAG_LOC_BLEN 6 |
f998e8cb5 NetLabel: cleanup... |
130 |
/* |
446fda4f2 [NetLabel]: CIPSO... |
131 132 133 134 |
* Helper Functions */ /** |
446fda4f2 [NetLabel]: CIPSO... |
135 136 137 138 |
* cipso_v4_cache_entry_free - Frees a cache entry * @entry: the entry to free * * Description: |
ffb733c65 NetLabel: fix a c... |
139 140 |
* This function frees the memory associated with a cache entry including the * LSM cache data if there are no longer any users, i.e. reference count == 0. |
446fda4f2 [NetLabel]: CIPSO... |
141 142 143 144 |
* */ static void cipso_v4_cache_entry_free(struct cipso_v4_map_cache_entry *entry) { |
ffb733c65 NetLabel: fix a c... |
145 146 |
if (entry->lsm_data) netlbl_secattr_cache_free(entry->lsm_data); |
446fda4f2 [NetLabel]: CIPSO... |
147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 |
kfree(entry->key); kfree(entry); } /** * cipso_v4_map_cache_hash - Hashing function for the CIPSO cache * @key: the hash key * @key_len: the length of the key in bytes * * Description: * The CIPSO tag hashing function. Returns a 32-bit hash value. * */ static u32 cipso_v4_map_cache_hash(const unsigned char *key, u32 key_len) { return jhash(key, key_len, 0); } /* * Label Mapping Cache Functions */ /** * cipso_v4_cache_init - Initialize the CIPSO cache * * Description: * Initializes the CIPSO label mapping cache, this function should be called * before any of the other functions defined in this file. Returns zero on * success, negative values on error. * */ |
cb57659a1 cipso: add __init... |
178 |
static int __init cipso_v4_cache_init(void) |
446fda4f2 [NetLabel]: CIPSO... |
179 180 181 182 183 184 |
{ u32 iter; cipso_v4_cache = kcalloc(CIPSO_V4_CACHE_BUCKETS, sizeof(struct cipso_v4_map_cache_bkt), GFP_KERNEL); |
51456b291 ipv4: coding styl... |
185 |
if (!cipso_v4_cache) |
446fda4f2 [NetLabel]: CIPSO... |
186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 |
return -ENOMEM; for (iter = 0; iter < CIPSO_V4_CACHE_BUCKETS; iter++) { spin_lock_init(&cipso_v4_cache[iter].lock); cipso_v4_cache[iter].size = 0; INIT_LIST_HEAD(&cipso_v4_cache[iter].list); } return 0; } /** * cipso_v4_cache_invalidate - Invalidates the current CIPSO cache * * Description: * Invalidates and frees any entries in the CIPSO cache. Returns zero on * success and negative values on failure. * */ void cipso_v4_cache_invalidate(void) { struct cipso_v4_map_cache_entry *entry, *tmp_entry; u32 iter; for (iter = 0; iter < CIPSO_V4_CACHE_BUCKETS; iter++) { |
609c92fee [NetLabel]: make ... |
211 |
spin_lock_bh(&cipso_v4_cache[iter].lock); |
446fda4f2 [NetLabel]: CIPSO... |
212 213 214 215 216 217 218 |
list_for_each_entry_safe(entry, tmp_entry, &cipso_v4_cache[iter].list, list) { list_del(&entry->list); cipso_v4_cache_entry_free(entry); } cipso_v4_cache[iter].size = 0; |
609c92fee [NetLabel]: make ... |
219 |
spin_unlock_bh(&cipso_v4_cache[iter].lock); |
446fda4f2 [NetLabel]: CIPSO... |
220 |
} |
446fda4f2 [NetLabel]: CIPSO... |
221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 |
} /** * cipso_v4_cache_check - Check the CIPSO cache for a label mapping * @key: the buffer to check * @key_len: buffer length in bytes * @secattr: the security attribute struct to use * * Description: * This function checks the cache to see if a label mapping already exists for * the given key. If there is a match then the cache is adjusted and the * @secattr struct is populated with the correct LSM security attributes. The * cache is adjusted in the following manner if the entry is not already the * first in the cache bucket: * * 1. The cache entry's activity counter is incremented * 2. The previous (higher ranking) entry's activity counter is decremented * 3. If the difference between the two activity counters is geater than * CIPSO_V4_CACHE_REORDERLIMIT the two entries are swapped * * Returns zero on success, -ENOENT for a cache miss, and other negative values * on error. * */ static int cipso_v4_cache_check(const unsigned char *key, u32 key_len, struct netlbl_lsm_secattr *secattr) { u32 bkt; struct cipso_v4_map_cache_entry *entry; struct cipso_v4_map_cache_entry *prev_entry = NULL; u32 hash; if (!cipso_v4_cache_enabled) return -ENOENT; hash = cipso_v4_map_cache_hash(key, key_len); |
5e0f8923f cipso: Relax too ... |
258 |
bkt = hash & (CIPSO_V4_CACHE_BUCKETS - 1); |
609c92fee [NetLabel]: make ... |
259 |
spin_lock_bh(&cipso_v4_cache[bkt].lock); |
446fda4f2 [NetLabel]: CIPSO... |
260 261 262 263 264 |
list_for_each_entry(entry, &cipso_v4_cache[bkt].list, list) { if (entry->hash == hash && entry->key_len == key_len && memcmp(entry->key, key, key_len) == 0) { entry->activity += 1; |
b4217b828 net: convert netl... |
265 |
refcount_inc(&entry->lsm_data->refcount); |
ffb733c65 NetLabel: fix a c... |
266 |
secattr->cache = entry->lsm_data; |
701a90bad NetLabel: make ne... |
267 |
secattr->flags |= NETLBL_SECATTR_CACHE; |
16efd4543 NetLabel: Add sec... |
268 |
secattr->type = NETLBL_NLTYPE_CIPSOV4; |
51456b291 ipv4: coding styl... |
269 |
if (!prev_entry) { |
609c92fee [NetLabel]: make ... |
270 |
spin_unlock_bh(&cipso_v4_cache[bkt].lock); |
446fda4f2 [NetLabel]: CIPSO... |
271 272 273 274 275 276 277 278 279 280 281 282 283 |
return 0; } if (prev_entry->activity > 0) prev_entry->activity -= 1; if (entry->activity > prev_entry->activity && entry->activity - prev_entry->activity > CIPSO_V4_CACHE_REORDERLIMIT) { __list_del(entry->list.prev, entry->list.next); __list_add(&entry->list, prev_entry->list.prev, &prev_entry->list); } |
609c92fee [NetLabel]: make ... |
284 |
spin_unlock_bh(&cipso_v4_cache[bkt].lock); |
446fda4f2 [NetLabel]: CIPSO... |
285 286 287 288 |
return 0; } prev_entry = entry; } |
609c92fee [NetLabel]: make ... |
289 |
spin_unlock_bh(&cipso_v4_cache[bkt].lock); |
446fda4f2 [NetLabel]: CIPSO... |
290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 |
return -ENOENT; } /** * cipso_v4_cache_add - Add an entry to the CIPSO cache * @skb: the packet * @secattr: the packet's security attributes * * Description: * Add a new entry into the CIPSO label mapping cache. Add the new entry to * head of the cache bucket's list, if the cache bucket is out of room remove * the last entry in the list first. It is important to note that there is * currently no checking for duplicate keys. Returns zero on success, * negative values on failure. * */ |
04f81f015 cipso: don't use ... |
307 |
int cipso_v4_cache_add(const unsigned char *cipso_ptr, |
446fda4f2 [NetLabel]: CIPSO... |
308 309 310 311 312 313 |
const struct netlbl_lsm_secattr *secattr) { int ret_val = -EPERM; u32 bkt; struct cipso_v4_map_cache_entry *entry = NULL; struct cipso_v4_map_cache_entry *old_entry = NULL; |
446fda4f2 [NetLabel]: CIPSO... |
314 315 316 317 |
u32 cipso_ptr_len; if (!cipso_v4_cache_enabled || cipso_v4_cache_bucketsize <= 0) return 0; |
446fda4f2 [NetLabel]: CIPSO... |
318 319 320 |
cipso_ptr_len = cipso_ptr[1]; entry = kzalloc(sizeof(*entry), GFP_ATOMIC); |
51456b291 ipv4: coding styl... |
321 |
if (!entry) |
446fda4f2 [NetLabel]: CIPSO... |
322 |
return -ENOMEM; |
fac5d7315 [NETLABEL]: Use k... |
323 |
entry->key = kmemdup(cipso_ptr, cipso_ptr_len, GFP_ATOMIC); |
51456b291 ipv4: coding styl... |
324 |
if (!entry->key) { |
446fda4f2 [NetLabel]: CIPSO... |
325 326 327 |
ret_val = -ENOMEM; goto cache_add_failure; } |
446fda4f2 [NetLabel]: CIPSO... |
328 329 |
entry->key_len = cipso_ptr_len; entry->hash = cipso_v4_map_cache_hash(cipso_ptr, cipso_ptr_len); |
b4217b828 net: convert netl... |
330 |
refcount_inc(&secattr->cache->refcount); |
ffb733c65 NetLabel: fix a c... |
331 |
entry->lsm_data = secattr->cache; |
446fda4f2 [NetLabel]: CIPSO... |
332 |
|
5e0f8923f cipso: Relax too ... |
333 |
bkt = entry->hash & (CIPSO_V4_CACHE_BUCKETS - 1); |
609c92fee [NetLabel]: make ... |
334 |
spin_lock_bh(&cipso_v4_cache[bkt].lock); |
446fda4f2 [NetLabel]: CIPSO... |
335 336 337 338 339 340 341 342 343 344 |
if (cipso_v4_cache[bkt].size < cipso_v4_cache_bucketsize) { list_add(&entry->list, &cipso_v4_cache[bkt].list); cipso_v4_cache[bkt].size += 1; } else { old_entry = list_entry(cipso_v4_cache[bkt].list.prev, struct cipso_v4_map_cache_entry, list); list_del(&old_entry->list); list_add(&entry->list, &cipso_v4_cache[bkt].list); cipso_v4_cache_entry_free(old_entry); } |
609c92fee [NetLabel]: make ... |
345 |
spin_unlock_bh(&cipso_v4_cache[bkt].lock); |
446fda4f2 [NetLabel]: CIPSO... |
346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 |
return 0; cache_add_failure: if (entry) cipso_v4_cache_entry_free(entry); return ret_val; } /* * DOI List Functions */ /** * cipso_v4_doi_search - Searches for a DOI definition * @doi: the DOI to search for * * Description: * Search the DOI definition list for a DOI definition with a DOI value that |
25985edce Fix common misspe... |
365 |
* matches @doi. The caller is responsible for calling rcu_read_[un]lock(). |
446fda4f2 [NetLabel]: CIPSO... |
366 367 368 369 370 371 372 |
* Returns a pointer to the DOI definition on success and NULL on failure. */ static struct cipso_v4_doi *cipso_v4_doi_search(u32 doi) { struct cipso_v4_doi *iter; list_for_each_entry_rcu(iter, &cipso_v4_doi_list, list) |
f6a6fede2 net, ipv4: conver... |
373 |
if (iter->doi == doi && refcount_read(&iter->refcount)) |
446fda4f2 [NetLabel]: CIPSO... |
374 375 376 377 378 379 380 |
return iter; return NULL; } /** * cipso_v4_doi_add - Add a new DOI to the CIPSO protocol engine * @doi_def: the DOI structure |
6c2e8ac09 netlabel: Update ... |
381 |
* @audit_info: NetLabel audit information |
446fda4f2 [NetLabel]: CIPSO... |
382 383 384 385 386 387 388 389 390 |
* * Description: * The caller defines a new DOI for use by the CIPSO engine and calls this * function to add it to the list of acceptable domains. The caller must * ensure that the mapping table specified in @doi_def->map meets all of the * requirements of the mapping type (see cipso_ipv4.h for details). Returns * zero on success and non-zero on failure. * */ |
6c2e8ac09 netlabel: Update ... |
391 392 |
int cipso_v4_doi_add(struct cipso_v4_doi *doi_def, struct netlbl_audit *audit_info) |
446fda4f2 [NetLabel]: CIPSO... |
393 |
{ |
6c2e8ac09 netlabel: Update ... |
394 |
int ret_val = -EINVAL; |
6ce61a7c2 NetLabel: add tag... |
395 |
u32 iter; |
6c2e8ac09 netlabel: Update ... |
396 397 398 399 400 401 |
u32 doi; u32 doi_type; struct audit_buffer *audit_buf; doi = doi_def->doi; doi_type = doi_def->type; |
6ce61a7c2 NetLabel: add tag... |
402 |
|
567559241 cipso: remove an ... |
403 |
if (doi_def->doi == CIPSO_V4_DOI_UNKNOWN) |
6c2e8ac09 netlabel: Update ... |
404 |
goto doi_add_return; |
6ce61a7c2 NetLabel: add tag... |
405 406 407 408 |
for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) { switch (doi_def->tags[iter]) { case CIPSO_V4_TAG_RBITMAP: break; |
484b36693 NetLabel: add the... |
409 |
case CIPSO_V4_TAG_RANGE: |
654bbc2a2 NetLabel: add the... |
410 411 |
case CIPSO_V4_TAG_ENUM: if (doi_def->type != CIPSO_V4_MAP_PASS) |
6c2e8ac09 netlabel: Update ... |
412 |
goto doi_add_return; |
654bbc2a2 NetLabel: add the... |
413 |
break; |
15c45f7b2 cipso: Add suppor... |
414 415 |
case CIPSO_V4_TAG_LOCAL: if (doi_def->type != CIPSO_V4_MAP_LOCAL) |
6c2e8ac09 netlabel: Update ... |
416 417 418 419 420 |
goto doi_add_return; break; case CIPSO_V4_TAG_INVALID: if (iter == 0) goto doi_add_return; |
15c45f7b2 cipso: Add suppor... |
421 |
break; |
6ce61a7c2 NetLabel: add tag... |
422 |
default: |
6c2e8ac09 netlabel: Update ... |
423 |
goto doi_add_return; |
6ce61a7c2 NetLabel: add tag... |
424 425 |
} } |
446fda4f2 [NetLabel]: CIPSO... |
426 |
|
f6a6fede2 net, ipv4: conver... |
427 |
refcount_set(&doi_def->refcount, 1); |
446fda4f2 [NetLabel]: CIPSO... |
428 |
|
446fda4f2 [NetLabel]: CIPSO... |
429 |
spin_lock(&cipso_v4_doi_list_lock); |
00db41243 ipv4: coding styl... |
430 |
if (cipso_v4_doi_search(doi_def->doi)) { |
6c2e8ac09 netlabel: Update ... |
431 432 433 434 |
spin_unlock(&cipso_v4_doi_list_lock); ret_val = -EEXIST; goto doi_add_return; } |
446fda4f2 [NetLabel]: CIPSO... |
435 436 |
list_add_tail_rcu(&doi_def->list, &cipso_v4_doi_list); spin_unlock(&cipso_v4_doi_list_lock); |
6c2e8ac09 netlabel: Update ... |
437 438 439 440 |
ret_val = 0; doi_add_return: audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_ADD, audit_info); |
00db41243 ipv4: coding styl... |
441 |
if (audit_buf) { |
6c2e8ac09 netlabel: Update ... |
442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 |
const char *type_str; switch (doi_type) { case CIPSO_V4_MAP_TRANS: type_str = "trans"; break; case CIPSO_V4_MAP_PASS: type_str = "pass"; break; case CIPSO_V4_MAP_LOCAL: type_str = "local"; break; default: type_str = "(unknown)"; } audit_log_format(audit_buf, " cipso_doi=%u cipso_type=%s res=%u", doi, type_str, ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); } |
446fda4f2 [NetLabel]: CIPSO... |
461 |
|
6c2e8ac09 netlabel: Update ... |
462 |
return ret_val; |
446fda4f2 [NetLabel]: CIPSO... |
463 464 465 |
} /** |
b1edeb102 netlabel: Replace... |
466 |
* cipso_v4_doi_free - Frees a DOI definition |
4973404f8 cipso: kerneldoc ... |
467 |
* @doi_def: the DOI definition |
b1edeb102 netlabel: Replace... |
468 469 470 471 472 473 474 |
* * Description: * This function frees all of the memory associated with a DOI definition. * */ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def) { |
51456b291 ipv4: coding styl... |
475 |
if (!doi_def) |
b1edeb102 netlabel: Replace... |
476 477 478 |
return; switch (doi_def->type) { |
15c45f7b2 cipso: Add suppor... |
479 |
case CIPSO_V4_MAP_TRANS: |
b1edeb102 netlabel: Replace... |
480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 |
kfree(doi_def->map.std->lvl.cipso); kfree(doi_def->map.std->lvl.local); kfree(doi_def->map.std->cat.cipso); kfree(doi_def->map.std->cat.local); break; } kfree(doi_def); } /** * cipso_v4_doi_free_rcu - Frees a DOI definition via the RCU pointer * @entry: the entry's RCU field * * Description: * This function is designed to be used as a callback to the call_rcu() * function so that the memory allocated to the DOI definition can be released * safely. * */ static void cipso_v4_doi_free_rcu(struct rcu_head *entry) { struct cipso_v4_doi *doi_def; doi_def = container_of(entry, struct cipso_v4_doi, rcu); cipso_v4_doi_free(doi_def); } /** |
446fda4f2 [NetLabel]: CIPSO... |
508 509 |
* cipso_v4_doi_remove - Remove an existing DOI from the CIPSO protocol engine * @doi: the DOI value |
32f50cdee [NetLabel]: add a... |
510 |
* @audit_secid: the LSM secid to use in the audit message |
446fda4f2 [NetLabel]: CIPSO... |
511 512 |
* * Description: |
b1edeb102 netlabel: Replace... |
513 514 515 |
* Removes a DOI definition from the CIPSO engine. The NetLabel routines will * be called to release their own LSM domain mappings as well as our own * domain list. Returns zero on success and negative values on failure. |
446fda4f2 [NetLabel]: CIPSO... |
516 517 |
* */ |
b1edeb102 netlabel: Replace... |
518 |
int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info) |
446fda4f2 [NetLabel]: CIPSO... |
519 |
{ |
6c2e8ac09 netlabel: Update ... |
520 |
int ret_val; |
446fda4f2 [NetLabel]: CIPSO... |
521 |
struct cipso_v4_doi *doi_def; |
6c2e8ac09 netlabel: Update ... |
522 |
struct audit_buffer *audit_buf; |
446fda4f2 [NetLabel]: CIPSO... |
523 |
|
4be2700fb [NetLabel]: corre... |
524 525 |
spin_lock(&cipso_v4_doi_list_lock); doi_def = cipso_v4_doi_search(doi); |
51456b291 ipv4: coding styl... |
526 |
if (!doi_def) { |
446fda4f2 [NetLabel]: CIPSO... |
527 |
spin_unlock(&cipso_v4_doi_list_lock); |
6c2e8ac09 netlabel: Update ... |
528 529 |
ret_val = -ENOENT; goto doi_remove_return; |
446fda4f2 [NetLabel]: CIPSO... |
530 |
} |
f6a6fede2 net, ipv4: conver... |
531 |
if (!refcount_dec_and_test(&doi_def->refcount)) { |
b1edeb102 netlabel: Replace... |
532 |
spin_unlock(&cipso_v4_doi_list_lock); |
6c2e8ac09 netlabel: Update ... |
533 534 |
ret_val = -EBUSY; goto doi_remove_return; |
b1edeb102 netlabel: Replace... |
535 536 |
} list_del_rcu(&doi_def->list); |
4be2700fb [NetLabel]: corre... |
537 |
spin_unlock(&cipso_v4_doi_list_lock); |
446fda4f2 [NetLabel]: CIPSO... |
538 |
|
b1edeb102 netlabel: Replace... |
539 540 |
cipso_v4_cache_invalidate(); call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu); |
6c2e8ac09 netlabel: Update ... |
541 542 543 544 |
ret_val = 0; doi_remove_return: audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_DEL, audit_info); |
00db41243 ipv4: coding styl... |
545 |
if (audit_buf) { |
6c2e8ac09 netlabel: Update ... |
546 547 548 549 550 |
audit_log_format(audit_buf, " cipso_doi=%u res=%u", doi, ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); } |
b1edeb102 netlabel: Replace... |
551 |
|
6c2e8ac09 netlabel: Update ... |
552 |
return ret_val; |
446fda4f2 [NetLabel]: CIPSO... |
553 554 555 |
} /** |
b1edeb102 netlabel: Replace... |
556 |
* cipso_v4_doi_getdef - Returns a reference to a valid DOI definition |
446fda4f2 [NetLabel]: CIPSO... |
557 558 559 560 561 |
* @doi: the DOI value * * Description: * Searches for a valid DOI definition and if one is found it is returned to * the caller. Otherwise NULL is returned. The caller must ensure that |
b1edeb102 netlabel: Replace... |
562 563 |
* rcu_read_lock() is held while accessing the returned definition and the DOI * definition reference count is decremented when the caller is done. |
446fda4f2 [NetLabel]: CIPSO... |
564 565 566 567 |
* */ struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi) { |
b1edeb102 netlabel: Replace... |
568 569 570 571 |
struct cipso_v4_doi *doi_def; rcu_read_lock(); doi_def = cipso_v4_doi_search(doi); |
51456b291 ipv4: coding styl... |
572 |
if (!doi_def) |
b1edeb102 netlabel: Replace... |
573 |
goto doi_getdef_return; |
f6a6fede2 net, ipv4: conver... |
574 |
if (!refcount_inc_not_zero(&doi_def->refcount)) |
b1edeb102 netlabel: Replace... |
575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 |
doi_def = NULL; doi_getdef_return: rcu_read_unlock(); return doi_def; } /** * cipso_v4_doi_putdef - Releases a reference for the given DOI definition * @doi_def: the DOI definition * * Description: * Releases a DOI definition reference obtained from cipso_v4_doi_getdef(). * */ void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def) { |
51456b291 ipv4: coding styl... |
592 |
if (!doi_def) |
b1edeb102 netlabel: Replace... |
593 |
return; |
f6a6fede2 net, ipv4: conver... |
594 |
if (!refcount_dec_and_test(&doi_def->refcount)) |
b1edeb102 netlabel: Replace... |
595 596 597 598 599 600 601 |
return; spin_lock(&cipso_v4_doi_list_lock); list_del_rcu(&doi_def->list); spin_unlock(&cipso_v4_doi_list_lock); cipso_v4_cache_invalidate(); call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu); |
446fda4f2 [NetLabel]: CIPSO... |
602 603 604 |
} /** |
fcd482806 [NetLabel]: rewor... |
605 606 607 608 |
* cipso_v4_doi_walk - Iterate through the DOI definitions * @skip_cnt: skip past this number of DOI definitions, updated * @callback: callback for each DOI definition * @cb_arg: argument for the callback function |
446fda4f2 [NetLabel]: CIPSO... |
609 610 |
* * Description: |
fcd482806 [NetLabel]: rewor... |
611 612 613 614 |
* Iterate over the DOI definition list, skipping the first @skip_cnt entries. * For each entry call @callback, if @callback returns a negative value stop * 'walking' through the list and return. Updates the value in @skip_cnt upon * return. Returns zero on success, negative values on failure. |
446fda4f2 [NetLabel]: CIPSO... |
615 616 |
* */ |
fcd482806 [NetLabel]: rewor... |
617 618 619 |
int cipso_v4_doi_walk(u32 *skip_cnt, int (*callback) (struct cipso_v4_doi *doi_def, void *arg), void *cb_arg) |
446fda4f2 [NetLabel]: CIPSO... |
620 |
{ |
fcd482806 [NetLabel]: rewor... |
621 |
int ret_val = -ENOENT; |
446fda4f2 [NetLabel]: CIPSO... |
622 |
u32 doi_cnt = 0; |
fcd482806 [NetLabel]: rewor... |
623 |
struct cipso_v4_doi *iter_doi; |
446fda4f2 [NetLabel]: CIPSO... |
624 |
|
446fda4f2 [NetLabel]: CIPSO... |
625 |
rcu_read_lock(); |
fcd482806 [NetLabel]: rewor... |
626 |
list_for_each_entry_rcu(iter_doi, &cipso_v4_doi_list, list) |
f6a6fede2 net, ipv4: conver... |
627 |
if (refcount_read(&iter_doi->refcount) > 0) { |
fcd482806 [NetLabel]: rewor... |
628 629 630 631 632 633 |
if (doi_cnt++ < *skip_cnt) continue; ret_val = callback(iter_doi, cb_arg); if (ret_val < 0) { doi_cnt--; goto doi_walk_return; |
446fda4f2 [NetLabel]: CIPSO... |
634 |
} |
446fda4f2 [NetLabel]: CIPSO... |
635 |
} |
446fda4f2 [NetLabel]: CIPSO... |
636 |
|
fcd482806 [NetLabel]: rewor... |
637 |
doi_walk_return: |
446fda4f2 [NetLabel]: CIPSO... |
638 |
rcu_read_unlock(); |
fcd482806 [NetLabel]: rewor... |
639 640 |
*skip_cnt = doi_cnt; return ret_val; |
446fda4f2 [NetLabel]: CIPSO... |
641 |
} |
446fda4f2 [NetLabel]: CIPSO... |
642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 |
/* * Label Mapping Functions */ /** * cipso_v4_map_lvl_valid - Checks to see if the given level is understood * @doi_def: the DOI definition * @level: the level to check * * Description: * Checks the given level against the given DOI definition and returns a * negative value if the level does not have a valid mapping and a zero value * if the level is defined by the DOI. * */ static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def, u8 level) { switch (doi_def->type) { case CIPSO_V4_MAP_PASS: return 0; |
15c45f7b2 cipso: Add suppor... |
662 |
case CIPSO_V4_MAP_TRANS: |
446fda4f2 [NetLabel]: CIPSO... |
663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 |
if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL) return 0; break; } return -EFAULT; } /** * cipso_v4_map_lvl_hton - Perform a level mapping from the host to the network * @doi_def: the DOI definition * @host_lvl: the host MLS level * @net_lvl: the network/CIPSO MLS level * * Description: * Perform a label mapping to translate a local MLS level to the correct * CIPSO level using the given DOI definition. Returns zero on success, * negative values otherwise. * */ static int cipso_v4_map_lvl_hton(const struct cipso_v4_doi *doi_def, u32 host_lvl, u32 *net_lvl) { switch (doi_def->type) { case CIPSO_V4_MAP_PASS: *net_lvl = host_lvl; return 0; |
15c45f7b2 cipso: Add suppor... |
691 |
case CIPSO_V4_MAP_TRANS: |
c6387a869 [NetLabel]: Verif... |
692 693 |
if (host_lvl < doi_def->map.std->lvl.local_size && doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) { |
446fda4f2 [NetLabel]: CIPSO... |
694 695 696 |
*net_lvl = doi_def->map.std->lvl.local[host_lvl]; return 0; } |
c6387a869 [NetLabel]: Verif... |
697 |
return -EPERM; |
446fda4f2 [NetLabel]: CIPSO... |
698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 |
} return -EINVAL; } /** * cipso_v4_map_lvl_ntoh - Perform a level mapping from the network to the host * @doi_def: the DOI definition * @net_lvl: the network/CIPSO MLS level * @host_lvl: the host MLS level * * Description: * Perform a label mapping to translate a CIPSO level to the correct local MLS * level using the given DOI definition. Returns zero on success, negative * values otherwise. * */ static int cipso_v4_map_lvl_ntoh(const struct cipso_v4_doi *doi_def, u32 net_lvl, u32 *host_lvl) { struct cipso_v4_std_map_tbl *map_tbl; switch (doi_def->type) { case CIPSO_V4_MAP_PASS: *host_lvl = net_lvl; return 0; |
15c45f7b2 cipso: Add suppor... |
725 |
case CIPSO_V4_MAP_TRANS: |
446fda4f2 [NetLabel]: CIPSO... |
726 727 728 729 730 731 |
map_tbl = doi_def->map.std; if (net_lvl < map_tbl->lvl.cipso_size && map_tbl->lvl.cipso[net_lvl] < CIPSO_V4_INV_LVL) { *host_lvl = doi_def->map.std->lvl.cipso[net_lvl]; return 0; } |
c6387a869 [NetLabel]: Verif... |
732 |
return -EPERM; |
446fda4f2 [NetLabel]: CIPSO... |
733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 |
} return -EINVAL; } /** * cipso_v4_map_cat_rbm_valid - Checks to see if the category bitmap is valid * @doi_def: the DOI definition * @bitmap: category bitmap * @bitmap_len: bitmap length in bytes * * Description: * Checks the given category bitmap against the given DOI definition and * returns a negative value if any of the categories in the bitmap do not have * a valid mapping and a zero value if all of the categories are valid. * */ static int cipso_v4_map_cat_rbm_valid(const struct cipso_v4_doi *doi_def, const unsigned char *bitmap, u32 bitmap_len) { int cat = -1; u32 bitmap_len_bits = bitmap_len * 8; |
044a68ed8 NetLabel: only de... |
756 757 |
u32 cipso_cat_size; u32 *cipso_array; |
446fda4f2 [NetLabel]: CIPSO... |
758 759 760 761 |
switch (doi_def->type) { case CIPSO_V4_MAP_PASS: return 0; |
15c45f7b2 cipso: Add suppor... |
762 |
case CIPSO_V4_MAP_TRANS: |
044a68ed8 NetLabel: only de... |
763 764 |
cipso_cat_size = doi_def->map.std->cat.cipso_size; cipso_array = doi_def->map.std->cat.cipso; |
446fda4f2 [NetLabel]: CIPSO... |
765 |
for (;;) { |
3faa8f982 netlabel: Move bi... |
766 767 768 769 |
cat = netlbl_bitmap_walk(bitmap, bitmap_len_bits, cat + 1, 1); |
446fda4f2 [NetLabel]: CIPSO... |
770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 |
if (cat < 0) break; if (cat >= cipso_cat_size || cipso_array[cat] >= CIPSO_V4_INV_CAT) return -EFAULT; } if (cat == -1) return 0; break; } return -EFAULT; } /** * cipso_v4_map_cat_rbm_hton - Perform a category mapping from host to network * @doi_def: the DOI definition |
027527603 NetLabel: convert... |
788 |
* @secattr: the security attributes |
446fda4f2 [NetLabel]: CIPSO... |
789 790 791 792 793 794 795 796 797 798 |
* @net_cat: the zero'd out category bitmap in network/CIPSO format * @net_cat_len: the length of the CIPSO bitmap in bytes * * Description: * Perform a label mapping to translate a local MLS category bitmap to the * correct CIPSO bitmap using the given DOI definition. Returns the minimum * size in bytes of the network bitmap on success, negative values otherwise. * */ static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def, |
027527603 NetLabel: convert... |
799 |
const struct netlbl_lsm_secattr *secattr, |
446fda4f2 [NetLabel]: CIPSO... |
800 801 802 803 |
unsigned char *net_cat, u32 net_cat_len) { int host_spot = -1; |
027527603 NetLabel: convert... |
804 |
u32 net_spot = CIPSO_V4_INV_CAT; |
446fda4f2 [NetLabel]: CIPSO... |
805 |
u32 net_spot_max = 0; |
446fda4f2 [NetLabel]: CIPSO... |
806 |
u32 net_clen_bits = net_cat_len * 8; |
027527603 NetLabel: convert... |
807 808 |
u32 host_cat_size = 0; u32 *host_cat_array = NULL; |
446fda4f2 [NetLabel]: CIPSO... |
809 |
|
15c45f7b2 cipso: Add suppor... |
810 |
if (doi_def->type == CIPSO_V4_MAP_TRANS) { |
044a68ed8 NetLabel: only de... |
811 812 |
host_cat_size = doi_def->map.std->cat.local_size; host_cat_array = doi_def->map.std->cat.local; |
027527603 NetLabel: convert... |
813 814 815 |
} for (;;) { |
4fbe63d1c netlabel: shorter... |
816 817 |
host_spot = netlbl_catmap_walk(secattr->attr.mls.cat, host_spot + 1); |
027527603 NetLabel: convert... |
818 819 820 821 822 823 824 |
if (host_spot < 0) break; switch (doi_def->type) { case CIPSO_V4_MAP_PASS: net_spot = host_spot; break; |
15c45f7b2 cipso: Add suppor... |
825 |
case CIPSO_V4_MAP_TRANS: |
446fda4f2 [NetLabel]: CIPSO... |
826 827 |
if (host_spot >= host_cat_size) return -EPERM; |
446fda4f2 [NetLabel]: CIPSO... |
828 |
net_spot = host_cat_array[host_spot]; |
9fade4bf8 NetLabel: return ... |
829 830 |
if (net_spot >= CIPSO_V4_INV_CAT) return -EPERM; |
027527603 NetLabel: convert... |
831 |
break; |
446fda4f2 [NetLabel]: CIPSO... |
832 |
} |
027527603 NetLabel: convert... |
833 834 |
if (net_spot >= net_clen_bits) return -ENOSPC; |
3faa8f982 netlabel: Move bi... |
835 |
netlbl_bitmap_setbit(net_cat, net_spot, 1); |
446fda4f2 [NetLabel]: CIPSO... |
836 |
|
027527603 NetLabel: convert... |
837 838 |
if (net_spot > net_spot_max) net_spot_max = net_spot; |
446fda4f2 [NetLabel]: CIPSO... |
839 |
} |
027527603 NetLabel: convert... |
840 841 842 |
if (++net_spot_max % 8) return net_spot_max / 8 + 1; return net_spot_max / 8; |
446fda4f2 [NetLabel]: CIPSO... |
843 844 845 846 847 848 849 |
} /** * cipso_v4_map_cat_rbm_ntoh - Perform a category mapping from network to host * @doi_def: the DOI definition * @net_cat: the category bitmap in network/CIPSO format * @net_cat_len: the length of the CIPSO bitmap in bytes |
027527603 NetLabel: convert... |
850 |
* @secattr: the security attributes |
446fda4f2 [NetLabel]: CIPSO... |
851 852 853 |
* * Description: * Perform a label mapping to translate a CIPSO bitmap to the correct local |
027527603 NetLabel: convert... |
854 855 |
* MLS category bitmap using the given DOI definition. Returns zero on * success, negative values on failure. |
446fda4f2 [NetLabel]: CIPSO... |
856 857 858 859 860 |
* */ static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def, const unsigned char *net_cat, u32 net_cat_len, |
027527603 NetLabel: convert... |
861 |
struct netlbl_lsm_secattr *secattr) |
446fda4f2 [NetLabel]: CIPSO... |
862 |
{ |
027527603 NetLabel: convert... |
863 |
int ret_val; |
446fda4f2 [NetLabel]: CIPSO... |
864 |
int net_spot = -1; |
027527603 NetLabel: convert... |
865 |
u32 host_spot = CIPSO_V4_INV_CAT; |
446fda4f2 [NetLabel]: CIPSO... |
866 |
u32 net_clen_bits = net_cat_len * 8; |
027527603 NetLabel: convert... |
867 868 |
u32 net_cat_size = 0; u32 *net_cat_array = NULL; |
446fda4f2 [NetLabel]: CIPSO... |
869 |
|
15c45f7b2 cipso: Add suppor... |
870 |
if (doi_def->type == CIPSO_V4_MAP_TRANS) { |
044a68ed8 NetLabel: only de... |
871 872 |
net_cat_size = doi_def->map.std->cat.cipso_size; net_cat_array = doi_def->map.std->cat.cipso; |
027527603 NetLabel: convert... |
873 |
} |
446fda4f2 [NetLabel]: CIPSO... |
874 |
|
027527603 NetLabel: convert... |
875 |
for (;;) { |
3faa8f982 netlabel: Move bi... |
876 877 878 879 |
net_spot = netlbl_bitmap_walk(net_cat, net_clen_bits, net_spot + 1, 1); |
027527603 NetLabel: convert... |
880 881 882 883 884 885 886 887 888 889 |
if (net_spot < 0) { if (net_spot == -2) return -EFAULT; return 0; } switch (doi_def->type) { case CIPSO_V4_MAP_PASS: host_spot = net_spot; break; |
15c45f7b2 cipso: Add suppor... |
890 |
case CIPSO_V4_MAP_TRANS: |
027527603 NetLabel: convert... |
891 892 |
if (net_spot >= net_cat_size) return -EPERM; |
446fda4f2 [NetLabel]: CIPSO... |
893 |
host_spot = net_cat_array[net_spot]; |
9fade4bf8 NetLabel: return ... |
894 895 |
if (host_spot >= CIPSO_V4_INV_CAT) return -EPERM; |
027527603 NetLabel: convert... |
896 |
break; |
446fda4f2 [NetLabel]: CIPSO... |
897 |
} |
4fbe63d1c netlabel: shorter... |
898 |
ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat, |
027527603 NetLabel: convert... |
899 900 901 902 |
host_spot, GFP_ATOMIC); if (ret_val != 0) return ret_val; |
446fda4f2 [NetLabel]: CIPSO... |
903 904 905 906 |
} return -EINVAL; } |
654bbc2a2 NetLabel: add the... |
907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 |
/** * cipso_v4_map_cat_enum_valid - Checks to see if the categories are valid * @doi_def: the DOI definition * @enumcat: category list * @enumcat_len: length of the category list in bytes * * Description: * Checks the given categories against the given DOI definition and returns a * negative value if any of the categories do not have a valid mapping and a * zero value if all of the categories are valid. * */ static int cipso_v4_map_cat_enum_valid(const struct cipso_v4_doi *doi_def, const unsigned char *enumcat, u32 enumcat_len) { u16 cat; int cat_prev = -1; u32 iter; if (doi_def->type != CIPSO_V4_MAP_PASS || enumcat_len & 0x01) return -EFAULT; for (iter = 0; iter < enumcat_len; iter += 2) { |
d3e2ce3bc net: use get/put_... |
931 |
cat = get_unaligned_be16(&enumcat[iter]); |
654bbc2a2 NetLabel: add the... |
932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 |
if (cat <= cat_prev) return -EFAULT; cat_prev = cat; } return 0; } /** * cipso_v4_map_cat_enum_hton - Perform a category mapping from host to network * @doi_def: the DOI definition * @secattr: the security attributes * @net_cat: the zero'd out category list in network/CIPSO format * @net_cat_len: the length of the CIPSO category list in bytes * * Description: * Perform a label mapping to translate a local MLS category bitmap to the * correct CIPSO category list using the given DOI definition. Returns the * size in bytes of the network category bitmap on success, negative values * otherwise. * */ static int cipso_v4_map_cat_enum_hton(const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr, unsigned char *net_cat, u32 net_cat_len) { int cat = -1; u32 cat_iter = 0; for (;;) { |
4fbe63d1c netlabel: shorter... |
963 |
cat = netlbl_catmap_walk(secattr->attr.mls.cat, cat + 1); |
654bbc2a2 NetLabel: add the... |
964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 |
if (cat < 0) break; if ((cat_iter + 2) > net_cat_len) return -ENOSPC; *((__be16 *)&net_cat[cat_iter]) = htons(cat); cat_iter += 2; } return cat_iter; } /** * cipso_v4_map_cat_enum_ntoh - Perform a category mapping from network to host * @doi_def: the DOI definition * @net_cat: the category list in network/CIPSO format * @net_cat_len: the length of the CIPSO bitmap in bytes * @secattr: the security attributes * * Description: * Perform a label mapping to translate a CIPSO category list to the correct * local MLS category bitmap using the given DOI definition. Returns zero on * success, negative values on failure. * */ static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def, const unsigned char *net_cat, u32 net_cat_len, struct netlbl_lsm_secattr *secattr) { int ret_val; u32 iter; for (iter = 0; iter < net_cat_len; iter += 2) { |
4fbe63d1c netlabel: shorter... |
998 999 1000 |
ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat, get_unaligned_be16(&net_cat[iter]), GFP_ATOMIC); |
654bbc2a2 NetLabel: add the... |
1001 1002 1003 1004 1005 1006 |
if (ret_val != 0) return ret_val; } return 0; } |
484b36693 NetLabel: add the... |
1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 |
/** * cipso_v4_map_cat_rng_valid - Checks to see if the categories are valid * @doi_def: the DOI definition * @rngcat: category list * @rngcat_len: length of the category list in bytes * * Description: * Checks the given categories against the given DOI definition and returns a * negative value if any of the categories do not have a valid mapping and a * zero value if all of the categories are valid. * */ static int cipso_v4_map_cat_rng_valid(const struct cipso_v4_doi *doi_def, const unsigned char *rngcat, u32 rngcat_len) { u16 cat_high; u16 cat_low; u32 cat_prev = CIPSO_V4_MAX_REM_CATS + 1; u32 iter; if (doi_def->type != CIPSO_V4_MAP_PASS || rngcat_len & 0x01) return -EFAULT; for (iter = 0; iter < rngcat_len; iter += 4) { |
d3e2ce3bc net: use get/put_... |
1032 |
cat_high = get_unaligned_be16(&rngcat[iter]); |
484b36693 NetLabel: add the... |
1033 |
if ((iter + 4) <= rngcat_len) |
d3e2ce3bc net: use get/put_... |
1034 |
cat_low = get_unaligned_be16(&rngcat[iter + 2]); |
484b36693 NetLabel: add the... |
1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 |
else cat_low = 0; if (cat_high > cat_prev) return -EFAULT; cat_prev = cat_low; } return 0; } /** * cipso_v4_map_cat_rng_hton - Perform a category mapping from host to network * @doi_def: the DOI definition * @secattr: the security attributes * @net_cat: the zero'd out category list in network/CIPSO format * @net_cat_len: the length of the CIPSO category list in bytes * * Description: * Perform a label mapping to translate a local MLS category bitmap to the * correct CIPSO category list using the given DOI definition. Returns the * size in bytes of the network category bitmap on success, negative values * otherwise. * */ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr, unsigned char *net_cat, u32 net_cat_len) { |
484b36693 NetLabel: add the... |
1066 |
int iter = -1; |
f998e8cb5 NetLabel: cleanup... |
1067 |
u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2]; |
484b36693 NetLabel: add the... |
1068 1069 |
u32 array_cnt = 0; u32 cat_size = 0; |
f998e8cb5 NetLabel: cleanup... |
1070 |
/* make sure we don't overflow the 'array[]' variable */ |
128c6b6cb NetLabel: convert... |
1071 1072 1073 |
if (net_cat_len > (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN)) return -ENOSPC; |
484b36693 NetLabel: add the... |
1074 1075 |
for (;;) { |
4fbe63d1c netlabel: shorter... |
1076 |
iter = netlbl_catmap_walk(secattr->attr.mls.cat, iter + 1); |
484b36693 NetLabel: add the... |
1077 1078 1079 1080 1081 1082 |
if (iter < 0) break; cat_size += (iter == 0 ? 0 : sizeof(u16)); if (cat_size > net_cat_len) return -ENOSPC; array[array_cnt++] = iter; |
4fbe63d1c netlabel: shorter... |
1083 |
iter = netlbl_catmap_walkrng(secattr->attr.mls.cat, iter); |
484b36693 NetLabel: add the... |
1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 |
if (iter < 0) return -EFAULT; cat_size += sizeof(u16); if (cat_size > net_cat_len) return -ENOSPC; array[array_cnt++] = iter; } for (iter = 0; array_cnt > 0;) { *((__be16 *)&net_cat[iter]) = htons(array[--array_cnt]); iter += 2; array_cnt--; if (array[array_cnt] != 0) { *((__be16 *)&net_cat[iter]) = htons(array[array_cnt]); iter += 2; } } return cat_size; } /** * cipso_v4_map_cat_rng_ntoh - Perform a category mapping from network to host * @doi_def: the DOI definition * @net_cat: the category list in network/CIPSO format * @net_cat_len: the length of the CIPSO bitmap in bytes * @secattr: the security attributes * * Description: * Perform a label mapping to translate a CIPSO category list to the correct * local MLS category bitmap using the given DOI definition. Returns zero on * success, negative values on failure. * */ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def, const unsigned char *net_cat, u32 net_cat_len, struct netlbl_lsm_secattr *secattr) { int ret_val; u32 net_iter; u16 cat_low; u16 cat_high; |
132adf546 [IPV4]: cleanup |
1127 |
for (net_iter = 0; net_iter < net_cat_len; net_iter += 4) { |
d3e2ce3bc net: use get/put_... |
1128 |
cat_high = get_unaligned_be16(&net_cat[net_iter]); |
484b36693 NetLabel: add the... |
1129 |
if ((net_iter + 4) <= net_cat_len) |
d3e2ce3bc net: use get/put_... |
1130 |
cat_low = get_unaligned_be16(&net_cat[net_iter + 2]); |
484b36693 NetLabel: add the... |
1131 1132 |
else cat_low = 0; |
4fbe63d1c netlabel: shorter... |
1133 1134 1135 1136 |
ret_val = netlbl_catmap_setrng(&secattr->attr.mls.cat, cat_low, cat_high, GFP_ATOMIC); |
484b36693 NetLabel: add the... |
1137 1138 1139 1140 1141 1142 |
if (ret_val != 0) return ret_val; } return 0; } |
446fda4f2 [NetLabel]: CIPSO... |
1143 1144 1145 |
/* * Protocol Handling Functions */ |
446fda4f2 [NetLabel]: CIPSO... |
1146 1147 1148 |
/** * cipso_v4_gentag_hdr - Generate a CIPSO option header * @doi_def: the DOI definition |
91b1ed0af NetLabel: fixup t... |
1149 |
* @len: the total tag length in bytes, not including this header |
446fda4f2 [NetLabel]: CIPSO... |
1150 1151 1152 |
* @buf: the CIPSO option buffer * * Description: |
91b1ed0af NetLabel: fixup t... |
1153 |
* Write a CIPSO header into the beginning of @buffer. |
446fda4f2 [NetLabel]: CIPSO... |
1154 1155 |
* */ |
91b1ed0af NetLabel: fixup t... |
1156 1157 1158 |
static void cipso_v4_gentag_hdr(const struct cipso_v4_doi *doi_def, unsigned char *buf, u32 len) |
446fda4f2 [NetLabel]: CIPSO... |
1159 |
{ |
446fda4f2 [NetLabel]: CIPSO... |
1160 1161 |
buf[0] = IPOPT_CIPSO; buf[1] = CIPSO_V4_HDR_LEN + len; |
714e85be3 [IPV6]: Assorted ... |
1162 |
*(__be32 *)&buf[2] = htonl(doi_def->doi); |
446fda4f2 [NetLabel]: CIPSO... |
1163 |
} |
446fda4f2 [NetLabel]: CIPSO... |
1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 |
/** * cipso_v4_gentag_rbm - Generate a CIPSO restricted bitmap tag (type #1) * @doi_def: the DOI definition * @secattr: the security attributes * @buffer: the option buffer * @buffer_len: length of buffer in bytes * * Description: * Generate a CIPSO option using the restricted bitmap tag, tag type #1. The * actual buffer length may be larger than the indicated size due to |
91b1ed0af NetLabel: fixup t... |
1174 1175 |
* translation between host and network category bitmaps. Returns the size of * the tag on success, negative values on failure. |
446fda4f2 [NetLabel]: CIPSO... |
1176 1177 1178 1179 |
* */ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr, |
91b1ed0af NetLabel: fixup t... |
1180 1181 |
unsigned char *buffer, u32 buffer_len) |
446fda4f2 [NetLabel]: CIPSO... |
1182 |
{ |
701a90bad NetLabel: make ne... |
1183 |
int ret_val; |
91b1ed0af NetLabel: fixup t... |
1184 |
u32 tag_len; |
446fda4f2 [NetLabel]: CIPSO... |
1185 |
u32 level; |
701a90bad NetLabel: make ne... |
1186 1187 |
if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0) return -EPERM; |
16efd4543 NetLabel: Add sec... |
1188 1189 1190 |
ret_val = cipso_v4_map_lvl_hton(doi_def, secattr->attr.mls.lvl, &level); |
91b1ed0af NetLabel: fixup t... |
1191 1192 |
if (ret_val != 0) return ret_val; |
446fda4f2 [NetLabel]: CIPSO... |
1193 |
|
91b1ed0af NetLabel: fixup t... |
1194 |
if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { |
446fda4f2 [NetLabel]: CIPSO... |
1195 |
ret_val = cipso_v4_map_cat_rbm_hton(doi_def, |
027527603 NetLabel: convert... |
1196 |
secattr, |
91b1ed0af NetLabel: fixup t... |
1197 1198 |
&buffer[4], buffer_len - 4); |
446fda4f2 [NetLabel]: CIPSO... |
1199 |
if (ret_val < 0) |
91b1ed0af NetLabel: fixup t... |
1200 |
return ret_val; |
446fda4f2 [NetLabel]: CIPSO... |
1201 1202 |
/* This will send packets using the "optimized" format when |
25985edce Fix common misspe... |
1203 |
* possible as specified in section 3.4.2.6 of the |
446fda4f2 [NetLabel]: CIPSO... |
1204 |
* CIPSO draft. */ |
701a90bad NetLabel: make ne... |
1205 |
if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10) |
91b1ed0af NetLabel: fixup t... |
1206 |
tag_len = 14; |
701a90bad NetLabel: make ne... |
1207 |
else |
91b1ed0af NetLabel: fixup t... |
1208 1209 1210 |
tag_len = 4 + ret_val; } else tag_len = 4; |
446fda4f2 [NetLabel]: CIPSO... |
1211 |
|
15c45f7b2 cipso: Add suppor... |
1212 |
buffer[0] = CIPSO_V4_TAG_RBITMAP; |
91b1ed0af NetLabel: fixup t... |
1213 1214 |
buffer[1] = tag_len; buffer[3] = level; |
446fda4f2 [NetLabel]: CIPSO... |
1215 |
|
91b1ed0af NetLabel: fixup t... |
1216 |
return tag_len; |
446fda4f2 [NetLabel]: CIPSO... |
1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 |
} /** * cipso_v4_parsetag_rbm - Parse a CIPSO restricted bitmap tag * @doi_def: the DOI definition * @tag: the CIPSO tag * @secattr: the security attributes * * Description: * Parse a CIPSO restricted bitmap tag (tag type #1) and return the security * attributes in @secattr. Return zero on success, negatives values on * failure. * */ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def, const unsigned char *tag, struct netlbl_lsm_secattr *secattr) { int ret_val; u8 tag_len = tag[1]; u32 level; ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level); if (ret_val != 0) return ret_val; |
16efd4543 NetLabel: Add sec... |
1242 |
secattr->attr.mls.lvl = level; |
701a90bad NetLabel: make ne... |
1243 |
secattr->flags |= NETLBL_SECATTR_MLS_LVL; |
446fda4f2 [NetLabel]: CIPSO... |
1244 1245 |
if (tag_len > 4) { |
446fda4f2 [NetLabel]: CIPSO... |
1246 1247 1248 |
ret_val = cipso_v4_map_cat_rbm_ntoh(doi_def, &tag[4], tag_len - 4, |
027527603 NetLabel: convert... |
1249 1250 |
secattr); if (ret_val != 0) { |
4fbe63d1c netlabel: shorter... |
1251 |
netlbl_catmap_free(secattr->attr.mls.cat); |
446fda4f2 [NetLabel]: CIPSO... |
1252 1253 |
return ret_val; } |
027527603 NetLabel: convert... |
1254 1255 |
secattr->flags |= NETLBL_SECATTR_MLS_CAT; |
446fda4f2 [NetLabel]: CIPSO... |
1256 1257 1258 1259 1260 1261 |
} return 0; } /** |
654bbc2a2 NetLabel: add the... |
1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 |
* cipso_v4_gentag_enum - Generate a CIPSO enumerated tag (type #2) * @doi_def: the DOI definition * @secattr: the security attributes * @buffer: the option buffer * @buffer_len: length of buffer in bytes * * Description: * Generate a CIPSO option using the enumerated tag, tag type #2. Returns the * size of the tag on success, negative values on failure. * */ static int cipso_v4_gentag_enum(const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr, unsigned char *buffer, u32 buffer_len) { int ret_val; u32 tag_len; u32 level; if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL)) return -EPERM; |
16efd4543 NetLabel: Add sec... |
1284 1285 1286 |
ret_val = cipso_v4_map_lvl_hton(doi_def, secattr->attr.mls.lvl, &level); |
654bbc2a2 NetLabel: add the... |
1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 |
if (ret_val != 0) return ret_val; if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { ret_val = cipso_v4_map_cat_enum_hton(doi_def, secattr, &buffer[4], buffer_len - 4); if (ret_val < 0) return ret_val; tag_len = 4 + ret_val; } else tag_len = 4; |
15c45f7b2 cipso: Add suppor... |
1301 |
buffer[0] = CIPSO_V4_TAG_ENUM; |
654bbc2a2 NetLabel: add the... |
1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 |
buffer[1] = tag_len; buffer[3] = level; return tag_len; } /** * cipso_v4_parsetag_enum - Parse a CIPSO enumerated tag * @doi_def: the DOI definition * @tag: the CIPSO tag * @secattr: the security attributes * * Description: * Parse a CIPSO enumerated tag (tag type #2) and return the security * attributes in @secattr. Return zero on success, negatives values on * failure. * */ static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def, const unsigned char *tag, struct netlbl_lsm_secattr *secattr) { int ret_val; u8 tag_len = tag[1]; u32 level; ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level); if (ret_val != 0) return ret_val; |
16efd4543 NetLabel: Add sec... |
1331 |
secattr->attr.mls.lvl = level; |
654bbc2a2 NetLabel: add the... |
1332 1333 1334 |
secattr->flags |= NETLBL_SECATTR_MLS_LVL; if (tag_len > 4) { |
654bbc2a2 NetLabel: add the... |
1335 1336 1337 1338 1339 |
ret_val = cipso_v4_map_cat_enum_ntoh(doi_def, &tag[4], tag_len - 4, secattr); if (ret_val != 0) { |
4fbe63d1c netlabel: shorter... |
1340 |
netlbl_catmap_free(secattr->attr.mls.cat); |
654bbc2a2 NetLabel: add the... |
1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 |
return ret_val; } secattr->flags |= NETLBL_SECATTR_MLS_CAT; } return 0; } /** |
484b36693 NetLabel: add the... |
1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 |
* cipso_v4_gentag_rng - Generate a CIPSO ranged tag (type #5) * @doi_def: the DOI definition * @secattr: the security attributes * @buffer: the option buffer * @buffer_len: length of buffer in bytes * * Description: * Generate a CIPSO option using the ranged tag, tag type #5. Returns the * size of the tag on success, negative values on failure. * */ static int cipso_v4_gentag_rng(const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr, unsigned char *buffer, u32 buffer_len) { int ret_val; u32 tag_len; u32 level; if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL)) return -EPERM; |
16efd4543 NetLabel: Add sec... |
1373 1374 1375 |
ret_val = cipso_v4_map_lvl_hton(doi_def, secattr->attr.mls.lvl, &level); |
484b36693 NetLabel: add the... |
1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 |
if (ret_val != 0) return ret_val; if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { ret_val = cipso_v4_map_cat_rng_hton(doi_def, secattr, &buffer[4], buffer_len - 4); if (ret_val < 0) return ret_val; tag_len = 4 + ret_val; } else tag_len = 4; |
15c45f7b2 cipso: Add suppor... |
1390 |
buffer[0] = CIPSO_V4_TAG_RANGE; |
484b36693 NetLabel: add the... |
1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 |
buffer[1] = tag_len; buffer[3] = level; return tag_len; } /** * cipso_v4_parsetag_rng - Parse a CIPSO ranged tag * @doi_def: the DOI definition * @tag: the CIPSO tag * @secattr: the security attributes * * Description: * Parse a CIPSO ranged tag (tag type #5) and return the security attributes * in @secattr. Return zero on success, negatives values on failure. * */ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def, const unsigned char *tag, struct netlbl_lsm_secattr *secattr) { int ret_val; u8 tag_len = tag[1]; u32 level; ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level); if (ret_val != 0) return ret_val; |
16efd4543 NetLabel: Add sec... |
1419 |
secattr->attr.mls.lvl = level; |
484b36693 NetLabel: add the... |
1420 1421 1422 |
secattr->flags |= NETLBL_SECATTR_MLS_LVL; if (tag_len > 4) { |
484b36693 NetLabel: add the... |
1423 1424 1425 1426 1427 |
ret_val = cipso_v4_map_cat_rng_ntoh(doi_def, &tag[4], tag_len - 4, secattr); if (ret_val != 0) { |
4fbe63d1c netlabel: shorter... |
1428 |
netlbl_catmap_free(secattr->attr.mls.cat); |
484b36693 NetLabel: add the... |
1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 |
return ret_val; } secattr->flags |= NETLBL_SECATTR_MLS_CAT; } return 0; } /** |
15c45f7b2 cipso: Add suppor... |
1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 |
* cipso_v4_gentag_loc - Generate a CIPSO local tag (non-standard) * @doi_def: the DOI definition * @secattr: the security attributes * @buffer: the option buffer * @buffer_len: length of buffer in bytes * * Description: * Generate a CIPSO option using the local tag. Returns the size of the tag * on success, negative values on failure. * */ static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr, unsigned char *buffer, u32 buffer_len) { if (!(secattr->flags & NETLBL_SECATTR_SECID)) return -EPERM; buffer[0] = CIPSO_V4_TAG_LOCAL; buffer[1] = CIPSO_V4_TAG_LOC_BLEN; *(u32 *)&buffer[2] = secattr->attr.secid; return CIPSO_V4_TAG_LOC_BLEN; } /** * cipso_v4_parsetag_loc - Parse a CIPSO local tag * @doi_def: the DOI definition * @tag: the CIPSO tag * @secattr: the security attributes * * Description: * Parse a CIPSO local tag and return the security attributes in @secattr. * Return zero on success, negatives values on failure. * */ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def, const unsigned char *tag, struct netlbl_lsm_secattr *secattr) { secattr->attr.secid = *(u32 *)&tag[2]; secattr->flags |= NETLBL_SECATTR_SECID; return 0; } /** |
04f81f015 cipso: don't use ... |
1487 1488 1489 1490 1491 |
* cipso_v4_optptr - Find the CIPSO option in the packet * @skb: the packet * * Description: * Parse the packet's IP header looking for a CIPSO option. Returns a pointer |
1d982ccf0 net/ipv4: defensi... |
1492 |
* to the start of the CIPSO option on success, NULL if one is not found. |
04f81f015 cipso: don't use ... |
1493 1494 1495 1496 1497 1498 1499 1500 |
* */ unsigned char *cipso_v4_optptr(const struct sk_buff *skb) { const struct iphdr *iph = ip_hdr(skb); unsigned char *optptr = (unsigned char *)&(ip_hdr(skb)[1]); int optlen; int taglen; |
1d982ccf0 net/ipv4: defensi... |
1501 |
for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) { |
40413955e Cipso: cipso_v4_o... |
1502 |
switch (optptr[0]) { |
40413955e Cipso: cipso_v4_o... |
1503 1504 1505 1506 1507 1508 1509 1510 |
case IPOPT_END: return NULL; case IPOPT_NOOP: taglen = 1; break; default: taglen = optptr[1]; } |
1d982ccf0 net/ipv4: defensi... |
1511 1512 1513 1514 |
if (!taglen || taglen > optlen) return NULL; if (optptr[0] == IPOPT_CIPSO) return optptr; |
04f81f015 cipso: don't use ... |
1515 1516 1517 1518 1519 1520 1521 1522 |
optlen -= taglen; optptr += taglen; } return NULL; } /** |
446fda4f2 [NetLabel]: CIPSO... |
1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 |
* cipso_v4_validate - Validate a CIPSO option * @option: the start of the option, on error it is set to point to the error * * Description: * This routine is called to validate a CIPSO option, it checks all of the * fields to ensure that they are at least valid, see the draft snippet below * for details. If the option is valid then a zero value is returned and * the value of @option is unchanged. If the option is invalid then a * non-zero value is returned and @option is adjusted to point to the * offending portion of the option. From the IETF draft ... * * "If any field within the CIPSO options, such as the DOI identifier, is not * recognized the IP datagram is discarded and an ICMP 'parameter problem' * (type 12) is generated and returned. The ICMP code field is set to 'bad * parameter' (code 0) and the pointer is set to the start of the CIPSO field * that is unrecognized." * */ |
15c45f7b2 cipso: Add suppor... |
1541 |
int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option) |
446fda4f2 [NetLabel]: CIPSO... |
1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 |
{ unsigned char *opt = *option; unsigned char *tag; unsigned char opt_iter; unsigned char err_offset = 0; u8 opt_len; u8 tag_len; struct cipso_v4_doi *doi_def = NULL; u32 tag_iter; /* caller already checks for length values that are too large */ opt_len = opt[1]; if (opt_len < 8) { err_offset = 1; goto validate_return; } rcu_read_lock(); |
d3e2ce3bc net: use get/put_... |
1560 |
doi_def = cipso_v4_doi_search(get_unaligned_be32(&opt[2])); |
51456b291 ipv4: coding styl... |
1561 |
if (!doi_def) { |
446fda4f2 [NetLabel]: CIPSO... |
1562 1563 1564 |
err_offset = 2; goto validate_return_locked; } |
15c45f7b2 cipso: Add suppor... |
1565 |
opt_iter = CIPSO_V4_HDR_LEN; |
446fda4f2 [NetLabel]: CIPSO... |
1566 1567 1568 1569 1570 1571 1572 1573 |
tag = opt + opt_iter; while (opt_iter < opt_len) { for (tag_iter = 0; doi_def->tags[tag_iter] != tag[0];) if (doi_def->tags[tag_iter] == CIPSO_V4_TAG_INVALID || ++tag_iter == CIPSO_V4_TAG_MAXCNT) { err_offset = opt_iter; goto validate_return_locked; } |
d71b78968 netlabel: out of ... |
1574 1575 1576 1577 |
if (opt_iter + 1 == opt_len) { err_offset = opt_iter; goto validate_return_locked; } |
446fda4f2 [NetLabel]: CIPSO... |
1578 1579 1580 1581 1582 1583 1584 1585 |
tag_len = tag[1]; if (tag_len > (opt_len - opt_iter)) { err_offset = opt_iter + 1; goto validate_return_locked; } switch (tag[0]) { case CIPSO_V4_TAG_RBITMAP: |
15c45f7b2 cipso: Add suppor... |
1586 |
if (tag_len < CIPSO_V4_TAG_RBM_BLEN) { |
446fda4f2 [NetLabel]: CIPSO... |
1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 |
err_offset = opt_iter + 1; goto validate_return_locked; } /* We are already going to do all the verification * necessary at the socket layer so from our point of * view it is safe to turn these checks off (and less * work), however, the CIPSO draft says we should do * all the CIPSO validations here but it doesn't * really specify _exactly_ what we need to validate * ... so, just make it a sysctl tunable. */ if (cipso_v4_rbm_strictvalid) { if (cipso_v4_map_lvl_valid(doi_def, tag[3]) < 0) { err_offset = opt_iter + 3; goto validate_return_locked; } |
15c45f7b2 cipso: Add suppor... |
1604 |
if (tag_len > CIPSO_V4_TAG_RBM_BLEN && |
446fda4f2 [NetLabel]: CIPSO... |
1605 1606 1607 1608 1609 1610 1611 1612 |
cipso_v4_map_cat_rbm_valid(doi_def, &tag[4], tag_len - 4) < 0) { err_offset = opt_iter + 4; goto validate_return_locked; } } break; |
654bbc2a2 NetLabel: add the... |
1613 |
case CIPSO_V4_TAG_ENUM: |
15c45f7b2 cipso: Add suppor... |
1614 |
if (tag_len < CIPSO_V4_TAG_ENUM_BLEN) { |
654bbc2a2 NetLabel: add the... |
1615 1616 1617 1618 1619 1620 1621 1622 1623 |
err_offset = opt_iter + 1; goto validate_return_locked; } if (cipso_v4_map_lvl_valid(doi_def, tag[3]) < 0) { err_offset = opt_iter + 3; goto validate_return_locked; } |
15c45f7b2 cipso: Add suppor... |
1624 |
if (tag_len > CIPSO_V4_TAG_ENUM_BLEN && |
654bbc2a2 NetLabel: add the... |
1625 1626 1627 1628 1629 1630 1631 |
cipso_v4_map_cat_enum_valid(doi_def, &tag[4], tag_len - 4) < 0) { err_offset = opt_iter + 4; goto validate_return_locked; } break; |
484b36693 NetLabel: add the... |
1632 |
case CIPSO_V4_TAG_RANGE: |
15c45f7b2 cipso: Add suppor... |
1633 |
if (tag_len < CIPSO_V4_TAG_RNG_BLEN) { |
484b36693 NetLabel: add the... |
1634 1635 1636 1637 1638 1639 1640 1641 1642 |
err_offset = opt_iter + 1; goto validate_return_locked; } if (cipso_v4_map_lvl_valid(doi_def, tag[3]) < 0) { err_offset = opt_iter + 3; goto validate_return_locked; } |
15c45f7b2 cipso: Add suppor... |
1643 |
if (tag_len > CIPSO_V4_TAG_RNG_BLEN && |
484b36693 NetLabel: add the... |
1644 1645 1646 1647 1648 1649 1650 |
cipso_v4_map_cat_rng_valid(doi_def, &tag[4], tag_len - 4) < 0) { err_offset = opt_iter + 4; goto validate_return_locked; } break; |
15c45f7b2 cipso: Add suppor... |
1651 1652 1653 |
case CIPSO_V4_TAG_LOCAL: /* This is a non-standard tag that we only allow for * local connections, so if the incoming interface is |
89d7ae34c cipso: don't foll... |
1654 1655 1656 |
* not the loopback device drop the packet. Further, * there is no legitimate reason for setting this from * userspace so reject it if skb is NULL. */ |
51456b291 ipv4: coding styl... |
1657 |
if (!skb || !(skb->dev->flags & IFF_LOOPBACK)) { |
15c45f7b2 cipso: Add suppor... |
1658 1659 1660 1661 1662 1663 1664 1665 |
err_offset = opt_iter; goto validate_return_locked; } if (tag_len != CIPSO_V4_TAG_LOC_BLEN) { err_offset = opt_iter + 1; goto validate_return_locked; } break; |
446fda4f2 [NetLabel]: CIPSO... |
1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 |
default: err_offset = opt_iter; goto validate_return_locked; } tag += tag_len; opt_iter += tag_len; } validate_return_locked: rcu_read_unlock(); validate_return: *option = opt + err_offset; return err_offset; } /** |
25985edce Fix common misspe... |
1683 |
* cipso_v4_error - Send the correct response for a bad packet |
446fda4f2 [NetLabel]: CIPSO... |
1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 |
* @skb: the packet * @error: the error code * @gateway: CIPSO gateway flag * * Description: * Based on the error code given in @error, send an ICMP error message back to * the originating host. From the IETF draft ... * * "If the contents of the CIPSO [option] are valid but the security label is * outside of the configured host or port label range, the datagram is * discarded and an ICMP 'destination unreachable' (type 3) is generated and * returned. The code field of the ICMP is set to 'communication with * destination network administratively prohibited' (code 9) or to * 'communication with destination host administratively prohibited' * (code 10). The value of the code is dependent on whether the originator * of the ICMP message is acting as a CIPSO host or a CIPSO gateway. The * recipient of the ICMP message MUST be able to handle either value. The * same procedure is performed if a CIPSO [option] can not be added to an * IP packet because it is too large to fit in the IP options area." * * "If the error is triggered by receipt of an ICMP message, the message is * discarded and no response is permitted (consistent with general ICMP * processing rules)." * */ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway) { |
eddc9ec53 [SK_BUFF]: Introd... |
1711 |
if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES) |
446fda4f2 [NetLabel]: CIPSO... |
1712 1713 1714 1715 1716 1717 1718 1719 1720 |
return; if (gateway) icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0); else icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0); } /** |
948bf85c1 netlabel: Add fun... |
1721 1722 1723 |
* cipso_v4_genopt - Generate a CIPSO option * @buf: the option buffer * @buf_len: the size of opt_buf |
446fda4f2 [NetLabel]: CIPSO... |
1724 |
* @doi_def: the CIPSO DOI to use |
948bf85c1 netlabel: Add fun... |
1725 |
* @secattr: the security attributes |
446fda4f2 [NetLabel]: CIPSO... |
1726 1727 |
* * Description: |
948bf85c1 netlabel: Add fun... |
1728 1729 1730 |
* Generate a CIPSO option using the DOI definition and security attributes * passed to the function. Returns the length of the option on success and * negative values on failure. |
446fda4f2 [NetLabel]: CIPSO... |
1731 1732 |
* */ |
948bf85c1 netlabel: Add fun... |
1733 1734 1735 |
static int cipso_v4_genopt(unsigned char *buf, u32 buf_len, const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr) |
446fda4f2 [NetLabel]: CIPSO... |
1736 |
{ |
948bf85c1 netlabel: Add fun... |
1737 |
int ret_val; |
446fda4f2 [NetLabel]: CIPSO... |
1738 |
u32 iter; |
446fda4f2 [NetLabel]: CIPSO... |
1739 |
|
948bf85c1 netlabel: Add fun... |
1740 1741 |
if (buf_len <= CIPSO_V4_HDR_LEN) return -ENOSPC; |
91b1ed0af NetLabel: fixup t... |
1742 |
|
446fda4f2 [NetLabel]: CIPSO... |
1743 1744 1745 1746 1747 |
/* XXX - This code assumes only one tag per CIPSO option which isn't * really a good assumption to make but since we only support the MAC * tags right now it is a safe assumption. */ iter = 0; do { |
91b1ed0af NetLabel: fixup t... |
1748 |
memset(buf, 0, buf_len); |
446fda4f2 [NetLabel]: CIPSO... |
1749 1750 1751 |
switch (doi_def->tags[iter]) { case CIPSO_V4_TAG_RBITMAP: ret_val = cipso_v4_gentag_rbm(doi_def, |
91b1ed0af NetLabel: fixup t... |
1752 1753 1754 |
secattr, &buf[CIPSO_V4_HDR_LEN], buf_len - CIPSO_V4_HDR_LEN); |
446fda4f2 [NetLabel]: CIPSO... |
1755 |
break; |
654bbc2a2 NetLabel: add the... |
1756 1757 1758 1759 1760 1761 |
case CIPSO_V4_TAG_ENUM: ret_val = cipso_v4_gentag_enum(doi_def, secattr, &buf[CIPSO_V4_HDR_LEN], buf_len - CIPSO_V4_HDR_LEN); break; |
484b36693 NetLabel: add the... |
1762 1763 1764 1765 1766 1767 |
case CIPSO_V4_TAG_RANGE: ret_val = cipso_v4_gentag_rng(doi_def, secattr, &buf[CIPSO_V4_HDR_LEN], buf_len - CIPSO_V4_HDR_LEN); break; |
15c45f7b2 cipso: Add suppor... |
1768 1769 1770 1771 1772 1773 |
case CIPSO_V4_TAG_LOCAL: ret_val = cipso_v4_gentag_loc(doi_def, secattr, &buf[CIPSO_V4_HDR_LEN], buf_len - CIPSO_V4_HDR_LEN); break; |
446fda4f2 [NetLabel]: CIPSO... |
1774 |
default: |
948bf85c1 netlabel: Add fun... |
1775 |
return -EPERM; |
446fda4f2 [NetLabel]: CIPSO... |
1776 1777 1778 |
} iter++; |
91b1ed0af NetLabel: fixup t... |
1779 |
} while (ret_val < 0 && |
446fda4f2 [NetLabel]: CIPSO... |
1780 1781 |
iter < CIPSO_V4_TAG_MAXCNT && doi_def->tags[iter] != CIPSO_V4_TAG_INVALID); |
91b1ed0af NetLabel: fixup t... |
1782 |
if (ret_val < 0) |
948bf85c1 netlabel: Add fun... |
1783 |
return ret_val; |
91b1ed0af NetLabel: fixup t... |
1784 |
cipso_v4_gentag_hdr(doi_def, buf, ret_val); |
948bf85c1 netlabel: Add fun... |
1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 |
return CIPSO_V4_HDR_LEN + ret_val; } /** * cipso_v4_sock_setattr - Add a CIPSO option to a socket * @sk: the socket * @doi_def: the CIPSO DOI to use * @secattr: the specific security attributes of the socket * * Description: * Set the CIPSO option on the given socket using the DOI definition and * security attributes passed to the function. This function requires * exclusive access to @sk, which means it either needs to be in the * process of being created or locked. Returns zero on success and negative * values on failure. * */ int cipso_v4_sock_setattr(struct sock *sk, const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr) { int ret_val = -EPERM; unsigned char *buf = NULL; u32 buf_len; u32 opt_len; |
f6d8bd051 inet: add RCU pro... |
1810 |
struct ip_options_rcu *old, *opt = NULL; |
948bf85c1 netlabel: Add fun... |
1811 1812 1813 1814 1815 1816 1817 |
struct inet_sock *sk_inet; struct inet_connection_sock *sk_conn; /* In the case of sock_create_lite(), the sock->sk field is not * defined yet but it is not a problem as the only users of these * "lite" PF_INET sockets are functions which do an accept() call * afterwards so we will label the socket as part of the accept(). */ |
51456b291 ipv4: coding styl... |
1818 |
if (!sk) |
948bf85c1 netlabel: Add fun... |
1819 1820 1821 1822 1823 1824 1825 |
return 0; /* We allocate the maximum CIPSO option size here so we are probably * being a little wasteful, but it makes our life _much_ easier later * on and after all we are only talking about 40 bytes. */ buf_len = CIPSO_V4_OPT_LEN_MAX; buf = kmalloc(buf_len, GFP_ATOMIC); |
51456b291 ipv4: coding styl... |
1826 |
if (!buf) { |
948bf85c1 netlabel: Add fun... |
1827 1828 1829 1830 1831 1832 1833 1834 |
ret_val = -ENOMEM; goto socket_setattr_failure; } ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr); if (ret_val < 0) goto socket_setattr_failure; buf_len = ret_val; |
446fda4f2 [NetLabel]: CIPSO... |
1835 1836 1837 |
/* We can't use ip_options_get() directly because it makes a call to * ip_options_get_alloc() which allocates memory with GFP_KERNEL and |
f8687afef [NetLabel]: prote... |
1838 1839 |
* we won't always have CAP_NET_RAW even though we _always_ want to * set the IPOPT_CIPSO option. */ |
446fda4f2 [NetLabel]: CIPSO... |
1840 1841 |
opt_len = (buf_len + 3) & ~3; opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC); |
51456b291 ipv4: coding styl... |
1842 |
if (!opt) { |
446fda4f2 [NetLabel]: CIPSO... |
1843 1844 1845 |
ret_val = -ENOMEM; goto socket_setattr_failure; } |
f6d8bd051 inet: add RCU pro... |
1846 1847 1848 |
memcpy(opt->opt.__data, buf, buf_len); opt->opt.optlen = opt_len; opt->opt.cipso = sizeof(struct iphdr); |
446fda4f2 [NetLabel]: CIPSO... |
1849 1850 |
kfree(buf); buf = NULL; |
446fda4f2 [NetLabel]: CIPSO... |
1851 1852 |
sk_inet = inet_sk(sk); |
f6d8bd051 inet: add RCU pro... |
1853 |
|
1e1d04e67 net: introduce lo... |
1854 1855 |
old = rcu_dereference_protected(sk_inet->inet_opt, lockdep_sock_is_held(sk)); |
446fda4f2 [NetLabel]: CIPSO... |
1856 1857 |
if (sk_inet->is_icsk) { sk_conn = inet_csk(sk); |
f6d8bd051 inet: add RCU pro... |
1858 1859 1860 |
if (old) sk_conn->icsk_ext_hdr_len -= old->opt.optlen; sk_conn->icsk_ext_hdr_len += opt->opt.optlen; |
446fda4f2 [NetLabel]: CIPSO... |
1861 1862 |
sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie); } |
f6d8bd051 inet: add RCU pro... |
1863 1864 |
rcu_assign_pointer(sk_inet->inet_opt, opt); if (old) |
4f9c8c1b0 ipv4: Convert cal... |
1865 |
kfree_rcu(old, rcu); |
446fda4f2 [NetLabel]: CIPSO... |
1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 |
return 0; socket_setattr_failure: kfree(buf); kfree(opt); return ret_val; } /** |
389fb800a netlabel: Label i... |
1876 1877 1878 1879 |
* cipso_v4_req_setattr - Add a CIPSO option to a connection request socket * @req: the connection request socket * @doi_def: the CIPSO DOI to use * @secattr: the specific security attributes of the socket |
014ab19a6 selinux: Set sock... |
1880 1881 |
* * Description: |
389fb800a netlabel: Label i... |
1882 1883 1884 |
* Set the CIPSO option on the given socket using the DOI definition and * security attributes passed to the function. Returns zero on success and * negative values on failure. |
014ab19a6 selinux: Set sock... |
1885 1886 |
* */ |
389fb800a netlabel: Label i... |
1887 1888 1889 |
int cipso_v4_req_setattr(struct request_sock *req, const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr) |
014ab19a6 selinux: Set sock... |
1890 |
{ |
389fb800a netlabel: Label i... |
1891 1892 1893 1894 |
int ret_val = -EPERM; unsigned char *buf = NULL; u32 buf_len; u32 opt_len; |
f6d8bd051 inet: add RCU pro... |
1895 |
struct ip_options_rcu *opt = NULL; |
389fb800a netlabel: Label i... |
1896 |
struct inet_request_sock *req_inet; |
014ab19a6 selinux: Set sock... |
1897 |
|
389fb800a netlabel: Label i... |
1898 1899 1900 1901 1902 |
/* We allocate the maximum CIPSO option size here so we are probably * being a little wasteful, but it makes our life _much_ easier later * on and after all we are only talking about 40 bytes. */ buf_len = CIPSO_V4_OPT_LEN_MAX; buf = kmalloc(buf_len, GFP_ATOMIC); |
51456b291 ipv4: coding styl... |
1903 |
if (!buf) { |
389fb800a netlabel: Label i... |
1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 |
ret_val = -ENOMEM; goto req_setattr_failure; } ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr); if (ret_val < 0) goto req_setattr_failure; buf_len = ret_val; /* We can't use ip_options_get() directly because it makes a call to * ip_options_get_alloc() which allocates memory with GFP_KERNEL and * we won't always have CAP_NET_RAW even though we _always_ want to * set the IPOPT_CIPSO option. */ opt_len = (buf_len + 3) & ~3; opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC); |
51456b291 ipv4: coding styl... |
1919 |
if (!opt) { |
389fb800a netlabel: Label i... |
1920 1921 1922 |
ret_val = -ENOMEM; goto req_setattr_failure; } |
f6d8bd051 inet: add RCU pro... |
1923 1924 1925 |
memcpy(opt->opt.__data, buf, buf_len); opt->opt.optlen = opt_len; opt->opt.cipso = sizeof(struct iphdr); |
389fb800a netlabel: Label i... |
1926 1927 1928 1929 |
kfree(buf); buf = NULL; req_inet = inet_rsk(req); |
c92e8c02f tcp/dccp: fix ire... |
1930 |
opt = xchg((__force struct ip_options_rcu **)&req_inet->ireq_opt, opt); |
f6d8bd051 inet: add RCU pro... |
1931 |
if (opt) |
4f9c8c1b0 ipv4: Convert cal... |
1932 |
kfree_rcu(opt, rcu); |
389fb800a netlabel: Label i... |
1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 |
return 0; req_setattr_failure: kfree(buf); kfree(opt); return ret_val; } /** * cipso_v4_delopt - Delete the CIPSO option from a set of IP options * @opt_ptr: IP option pointer * * Description: * Deletes the CIPSO IP option from a set of IP options and makes the necessary * adjustments to the IP option structure. Returns zero on success, negative * values on failure. * */ |
c92e8c02f tcp/dccp: fix ire... |
1952 |
static int cipso_v4_delopt(struct ip_options_rcu __rcu **opt_ptr) |
389fb800a netlabel: Label i... |
1953 |
{ |
c92e8c02f tcp/dccp: fix ire... |
1954 |
struct ip_options_rcu *opt = rcu_dereference_protected(*opt_ptr, 1); |
389fb800a netlabel: Label i... |
1955 |
int hdr_delta = 0; |
014ab19a6 selinux: Set sock... |
1956 |
|
c92e8c02f tcp/dccp: fix ire... |
1957 1958 |
if (!opt || opt->opt.cipso == 0) return 0; |
f6d8bd051 inet: add RCU pro... |
1959 |
if (opt->opt.srr || opt->opt.rr || opt->opt.ts || opt->opt.router_alert) { |
014ab19a6 selinux: Set sock... |
1960 1961 1962 1963 1964 |
u8 cipso_len; u8 cipso_off; unsigned char *cipso_ptr; int iter; int optlen_new; |
f6d8bd051 inet: add RCU pro... |
1965 1966 |
cipso_off = opt->opt.cipso - sizeof(struct iphdr); cipso_ptr = &opt->opt.__data[cipso_off]; |
014ab19a6 selinux: Set sock... |
1967 |
cipso_len = cipso_ptr[1]; |
f6d8bd051 inet: add RCU pro... |
1968 1969 1970 1971 1972 1973 1974 1975 1976 |
if (opt->opt.srr > opt->opt.cipso) opt->opt.srr -= cipso_len; if (opt->opt.rr > opt->opt.cipso) opt->opt.rr -= cipso_len; if (opt->opt.ts > opt->opt.cipso) opt->opt.ts -= cipso_len; if (opt->opt.router_alert > opt->opt.cipso) opt->opt.router_alert -= cipso_len; opt->opt.cipso = 0; |
014ab19a6 selinux: Set sock... |
1977 1978 |
memmove(cipso_ptr, cipso_ptr + cipso_len, |
f6d8bd051 inet: add RCU pro... |
1979 |
opt->opt.optlen - cipso_off - cipso_len); |
014ab19a6 selinux: Set sock... |
1980 1981 1982 1983 1984 1985 1986 1987 |
/* determining the new total option length is tricky because of * the padding necessary, the only thing i can think to do at * this point is walk the options one-by-one, skipping the * padding at the end to determine the actual option size and * from there we can determine the new total option length */ iter = 0; optlen_new = 0; |
f6d8bd051 inet: add RCU pro... |
1988 1989 1990 |
while (iter < opt->opt.optlen) if (opt->opt.__data[iter] != IPOPT_NOP) { iter += opt->opt.__data[iter + 1]; |
014ab19a6 selinux: Set sock... |
1991 1992 1993 |
optlen_new = iter; } else iter++; |
f6d8bd051 inet: add RCU pro... |
1994 1995 1996 |
hdr_delta = opt->opt.optlen; opt->opt.optlen = (optlen_new + 3) & ~3; hdr_delta -= opt->opt.optlen; |
014ab19a6 selinux: Set sock... |
1997 1998 1999 |
} else { /* only the cipso option was present on the socket so we can * remove the entire option struct */ |
389fb800a netlabel: Label i... |
2000 |
*opt_ptr = NULL; |
f6d8bd051 inet: add RCU pro... |
2001 |
hdr_delta = opt->opt.optlen; |
4f9c8c1b0 ipv4: Convert cal... |
2002 |
kfree_rcu(opt, rcu); |
014ab19a6 selinux: Set sock... |
2003 |
} |
389fb800a netlabel: Label i... |
2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 |
return hdr_delta; } /** * cipso_v4_sock_delattr - Delete the CIPSO option from a socket * @sk: the socket * * Description: * Removes the CIPSO option from a socket, if present. * */ void cipso_v4_sock_delattr(struct sock *sk) { |
389fb800a netlabel: Label i... |
2017 |
struct inet_sock *sk_inet; |
c92e8c02f tcp/dccp: fix ire... |
2018 |
int hdr_delta; |
389fb800a netlabel: Label i... |
2019 2020 |
sk_inet = inet_sk(sk); |
389fb800a netlabel: Label i... |
2021 |
|
f6d8bd051 inet: add RCU pro... |
2022 |
hdr_delta = cipso_v4_delopt(&sk_inet->inet_opt); |
014ab19a6 selinux: Set sock... |
2023 2024 2025 2026 2027 2028 2029 2030 |
if (sk_inet->is_icsk && hdr_delta > 0) { struct inet_connection_sock *sk_conn = inet_csk(sk); sk_conn->icsk_ext_hdr_len -= hdr_delta; sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie); } } /** |
389fb800a netlabel: Label i... |
2031 2032 2033 2034 2035 2036 2037 2038 2039 |
* cipso_v4_req_delattr - Delete the CIPSO option from a request socket * @reg: the request socket * * Description: * Removes the CIPSO option from a request socket, if present. * */ void cipso_v4_req_delattr(struct request_sock *req) { |
c92e8c02f tcp/dccp: fix ire... |
2040 |
cipso_v4_delopt(&inet_rsk(req)->ireq_opt); |
389fb800a netlabel: Label i... |
2041 2042 2043 |
} /** |
63d804ead [CIPSO]: remove d... |
2044 2045 |
* cipso_v4_getattr - Helper function for the cipso_v4_*_getattr functions * @cipso: the CIPSO v4 option |
446fda4f2 [NetLabel]: CIPSO... |
2046 2047 2048 |
* @secattr: the security attributes * * Description: |
63d804ead [CIPSO]: remove d... |
2049 2050 |
* Inspect @cipso and return the security attributes in @secattr. Returns zero * on success and negative values on failure. |
446fda4f2 [NetLabel]: CIPSO... |
2051 2052 |
* */ |
04f81f015 cipso: don't use ... |
2053 2054 |
int cipso_v4_getattr(const unsigned char *cipso, struct netlbl_lsm_secattr *secattr) |
446fda4f2 [NetLabel]: CIPSO... |
2055 2056 |
{ int ret_val = -ENOMSG; |
446fda4f2 [NetLabel]: CIPSO... |
2057 2058 |
u32 doi; struct cipso_v4_doi *doi_def; |
63d804ead [CIPSO]: remove d... |
2059 2060 |
if (cipso_v4_cache_check(cipso, cipso[1], secattr) == 0) return 0; |
446fda4f2 [NetLabel]: CIPSO... |
2061 |
|
d3e2ce3bc net: use get/put_... |
2062 |
doi = get_unaligned_be32(&cipso[2]); |
446fda4f2 [NetLabel]: CIPSO... |
2063 |
rcu_read_lock(); |
9bb5fd2b0 NetLabel: use cip... |
2064 |
doi_def = cipso_v4_doi_search(doi); |
51456b291 ipv4: coding styl... |
2065 |
if (!doi_def) |
63d804ead [CIPSO]: remove d... |
2066 |
goto getattr_return; |
91b1ed0af NetLabel: fixup t... |
2067 2068 2069 |
/* XXX - This code assumes only one tag per CIPSO option which isn't * really a good assumption to make but since we only support the MAC * tags right now it is a safe assumption. */ |
63d804ead [CIPSO]: remove d... |
2070 |
switch (cipso[6]) { |
446fda4f2 [NetLabel]: CIPSO... |
2071 |
case CIPSO_V4_TAG_RBITMAP: |
63d804ead [CIPSO]: remove d... |
2072 |
ret_val = cipso_v4_parsetag_rbm(doi_def, &cipso[6], secattr); |
446fda4f2 [NetLabel]: CIPSO... |
2073 |
break; |
654bbc2a2 NetLabel: add the... |
2074 |
case CIPSO_V4_TAG_ENUM: |
63d804ead [CIPSO]: remove d... |
2075 |
ret_val = cipso_v4_parsetag_enum(doi_def, &cipso[6], secattr); |
654bbc2a2 NetLabel: add the... |
2076 |
break; |
484b36693 NetLabel: add the... |
2077 |
case CIPSO_V4_TAG_RANGE: |
63d804ead [CIPSO]: remove d... |
2078 |
ret_val = cipso_v4_parsetag_rng(doi_def, &cipso[6], secattr); |
484b36693 NetLabel: add the... |
2079 |
break; |
15c45f7b2 cipso: Add suppor... |
2080 2081 2082 |
case CIPSO_V4_TAG_LOCAL: ret_val = cipso_v4_parsetag_loc(doi_def, &cipso[6], secattr); break; |
446fda4f2 [NetLabel]: CIPSO... |
2083 |
} |
16efd4543 NetLabel: Add sec... |
2084 2085 |
if (ret_val == 0) secattr->type = NETLBL_NLTYPE_CIPSOV4; |
446fda4f2 [NetLabel]: CIPSO... |
2086 |
|
63d804ead [CIPSO]: remove d... |
2087 2088 |
getattr_return: rcu_read_unlock(); |
14a72f53f [NetLabel]: corre... |
2089 2090 2091 2092 |
return ret_val; } /** |
63d804ead [CIPSO]: remove d... |
2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 |
* cipso_v4_sock_getattr - Get the security attributes from a sock * @sk: the sock * @secattr: the security attributes * * Description: * Query @sk to see if there is a CIPSO option attached to the sock and if * there is return the CIPSO security attributes in @secattr. This function * requires that @sk be locked, or privately held, but it does not do any * locking itself. Returns zero on success and negative values on failure. * */ int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) { |
f6d8bd051 inet: add RCU pro... |
2106 2107 |
struct ip_options_rcu *opt; int res = -ENOMSG; |
63d804ead [CIPSO]: remove d... |
2108 |
|
f6d8bd051 inet: add RCU pro... |
2109 2110 2111 2112 2113 2114 2115 2116 2117 |
rcu_read_lock(); opt = rcu_dereference(inet_sk(sk)->inet_opt); if (opt && opt->opt.cipso) res = cipso_v4_getattr(opt->opt.__data + opt->opt.cipso - sizeof(struct iphdr), secattr); rcu_read_unlock(); return res; |
63d804ead [CIPSO]: remove d... |
2118 2119 2120 |
} /** |
948bf85c1 netlabel: Add fun... |
2121 2122 2123 2124 2125 2126 2127 2128 2129 2130 2131 2132 2133 2134 2135 2136 2137 2138 2139 2140 |
* cipso_v4_skbuff_setattr - Set the CIPSO option on a packet * @skb: the packet * @secattr: the security attributes * * Description: * Set the CIPSO option on the given packet based on the security attributes. * Returns a pointer to the IP header on success and NULL on failure. * */ int cipso_v4_skbuff_setattr(struct sk_buff *skb, const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr) { int ret_val; struct iphdr *iph; struct ip_options *opt = &IPCB(skb)->opt; unsigned char buf[CIPSO_V4_OPT_LEN_MAX]; u32 buf_len = CIPSO_V4_OPT_LEN_MAX; u32 opt_len; int len_delta; |
00af5c695 cipso: unsigned b... |
2141 2142 2143 2144 |
ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr); if (ret_val < 0) return ret_val; buf_len = ret_val; |
948bf85c1 netlabel: Add fun... |
2145 2146 2147 2148 2149 2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 |
opt_len = (buf_len + 3) & ~3; /* we overwrite any existing options to ensure that we have enough * room for the CIPSO option, the reason is that we _need_ to guarantee * that the security label is applied to the packet - we do the same * thing when using the socket options and it hasn't caused a problem, * if we need to we can always revisit this choice later */ len_delta = opt_len - opt->optlen; /* if we don't ensure enough headroom we could panic on the skb_push() * call below so make sure we have enough, we are also "mangling" the * packet so we should probably do a copy-on-write call anyway */ ret_val = skb_cow(skb, skb_headroom(skb) + len_delta); if (ret_val < 0) return ret_val; if (len_delta > 0) { /* we assume that the header + opt->optlen have already been * "pushed" in ip_options_build() or similar */ iph = ip_hdr(skb); skb_push(skb, len_delta); memmove((char *)iph - len_delta, iph, iph->ihl << 2); skb_reset_network_header(skb); iph = ip_hdr(skb); } else if (len_delta < 0) { iph = ip_hdr(skb); memset(iph + 1, IPOPT_NOP, opt->optlen); } else iph = ip_hdr(skb); if (opt->optlen > 0) memset(opt, 0, sizeof(*opt)); opt->optlen = opt_len; opt->cipso = sizeof(struct iphdr); opt->is_changed = 1; /* we have to do the following because we are being called from a * netfilter hook which means the packet already has had the header * fields populated and the checksum calculated - yes this means we * are doing more work than needed but we do it to keep the core * stack clean and tidy */ memcpy(iph + 1, buf, buf_len); if (opt_len > buf_len) memset((char *)(iph + 1) + buf_len, 0, opt_len - buf_len); if (len_delta != 0) { iph->ihl = 5 + (opt_len >> 2); iph->tot_len = htons(skb->len); } ip_send_check(iph); return 0; } /** * cipso_v4_skbuff_delattr - Delete any CIPSO options from a packet * @skb: the packet * * Description: * Removes any and all CIPSO options from the given packet. Returns zero on * success, negative values on failure. * */ int cipso_v4_skbuff_delattr(struct sk_buff *skb) { int ret_val; struct iphdr *iph; struct ip_options *opt = &IPCB(skb)->opt; unsigned char *cipso_ptr; if (opt->cipso == 0) return 0; /* since we are changing the packet we should make a copy */ ret_val = skb_cow(skb, skb_headroom(skb)); if (ret_val < 0) return ret_val; /* the easiest thing to do is just replace the cipso option with noop * options since we don't change the size of the packet, although we * still need to recalculate the checksum */ iph = ip_hdr(skb); cipso_ptr = (unsigned char *)iph + opt->cipso; memset(cipso_ptr, IPOPT_NOOP, cipso_ptr[1]); opt->cipso = 0; opt->is_changed = 1; ip_send_check(iph); return 0; } |
446fda4f2 [NetLabel]: CIPSO... |
2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 |
/* * Setup Functions */ /** * cipso_v4_init - Initialize the CIPSO module * * Description: * Initialize the CIPSO module and prepare it for use. Returns zero on success * and negative values on failure. * */ static int __init cipso_v4_init(void) { int ret_val; ret_val = cipso_v4_cache_init(); if (ret_val != 0) panic("Failed to initialize the CIPSO/IPv4 cache (%d) ", ret_val); return 0; } subsys_initcall(cipso_v4_init); |