1/* 2 * NetLabel CIPSO/IPv4 Support 3 * 4 * This file defines the CIPSO/IPv4 functions for the NetLabel system. The 5 * NetLabel system manages static and dynamic label mappings for network 6 * protocols such as CIPSO and RIPSO. 7 * 8 * Author: Paul Moore <paul@paul-moore.com> 9 * 10 */ 11 12/* 13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 14 * 15 * This program is free software; you can redistribute it and/or modify 16 * it under the terms of the GNU General Public License as published by 17 * the Free Software Foundation; either version 2 of the License, or 18 * (at your option) any later version. 19 * 20 * This program is distributed in the hope that it will be useful, 21 * but WITHOUT ANY WARRANTY; without even the implied warranty of 22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 23 * the GNU General Public License for more details. 24 * 25 * You should have received a copy of the GNU General Public License 26 * along with this program; if not, see <http://www.gnu.org/licenses/>. 27 * 28 */ 29 30#include <linux/types.h> 31#include <linux/socket.h> 32#include <linux/string.h> 33#include <linux/skbuff.h> 34#include <linux/audit.h> 35#include <linux/slab.h> 36#include <net/sock.h> 37#include <net/netlink.h> 38#include <net/genetlink.h> 39#include <net/netlabel.h> 40#include <net/cipso_ipv4.h> 41#include <linux/atomic.h> 42 43#include "netlabel_user.h" 44#include "netlabel_cipso_v4.h" 45#include "netlabel_mgmt.h" 46#include "netlabel_domainhash.h" 47 48/* Argument struct for cipso_v4_doi_walk() */ 49struct netlbl_cipsov4_doiwalk_arg { 50 struct netlink_callback *nl_cb; 51 struct sk_buff *skb; 52 u32 seq; 53}; 54 55/* Argument struct for netlbl_domhsh_walk() */ 56struct netlbl_domhsh_walk_arg { 57 struct netlbl_audit *audit_info; 58 u32 doi; 59}; 60 61/* NetLabel Generic NETLINK CIPSOv4 family */ 62static struct genl_family netlbl_cipsov4_gnl_family = { 63 .id = GENL_ID_GENERATE, 64 .hdrsize = 0, 65 .name = NETLBL_NLTYPE_CIPSOV4_NAME, 66 .version = NETLBL_PROTO_VERSION, 67 .maxattr = NLBL_CIPSOV4_A_MAX, 68}; 69 70/* NetLabel Netlink attribute policy */ 71static const struct nla_policy netlbl_cipsov4_genl_policy[NLBL_CIPSOV4_A_MAX + 1] = { 72 [NLBL_CIPSOV4_A_DOI] = { .type = NLA_U32 }, 73 [NLBL_CIPSOV4_A_MTYPE] = { .type = NLA_U32 }, 74 [NLBL_CIPSOV4_A_TAG] = { .type = NLA_U8 }, 75 [NLBL_CIPSOV4_A_TAGLST] = { .type = NLA_NESTED }, 76 [NLBL_CIPSOV4_A_MLSLVLLOC] = { .type = NLA_U32 }, 77 [NLBL_CIPSOV4_A_MLSLVLREM] = { .type = NLA_U32 }, 78 [NLBL_CIPSOV4_A_MLSLVL] = { .type = NLA_NESTED }, 79 [NLBL_CIPSOV4_A_MLSLVLLST] = { .type = NLA_NESTED }, 80 [NLBL_CIPSOV4_A_MLSCATLOC] = { .type = NLA_U32 }, 81 [NLBL_CIPSOV4_A_MLSCATREM] = { .type = NLA_U32 }, 82 [NLBL_CIPSOV4_A_MLSCAT] = { .type = NLA_NESTED }, 83 [NLBL_CIPSOV4_A_MLSCATLST] = { .type = NLA_NESTED }, 84}; 85 86/* 87 * Helper Functions 88 */ 89 90/** 91 * netlbl_cipsov4_add_common - Parse the common sections of a ADD message 92 * @info: the Generic NETLINK info block 93 * @doi_def: the CIPSO V4 DOI definition 94 * 95 * Description: 96 * Parse the common sections of a ADD message and fill in the related values 97 * in @doi_def. Returns zero on success, negative values on failure. 98 * 99 */ 100static int netlbl_cipsov4_add_common(struct genl_info *info, 101 struct cipso_v4_doi *doi_def) 102{ 103 struct nlattr *nla; 104 int nla_rem; 105 u32 iter = 0; 106 107 doi_def->doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); 108 109 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_TAGLST], 110 NLBL_CIPSOV4_A_MAX, 111 netlbl_cipsov4_genl_policy) != 0) 112 return -EINVAL; 113 114 nla_for_each_nested(nla, info->attrs[NLBL_CIPSOV4_A_TAGLST], nla_rem) 115 if (nla_type(nla) == NLBL_CIPSOV4_A_TAG) { 116 if (iter >= CIPSO_V4_TAG_MAXCNT) 117 return -EINVAL; 118 doi_def->tags[iter++] = nla_get_u8(nla); 119 } 120 while (iter < CIPSO_V4_TAG_MAXCNT) 121 doi_def->tags[iter++] = CIPSO_V4_TAG_INVALID; 122 123 return 0; 124} 125 126/* 127 * NetLabel Command Handlers 128 */ 129 130/** 131 * netlbl_cipsov4_add_std - Adds a CIPSO V4 DOI definition 132 * @info: the Generic NETLINK info block 133 * @audit_info: NetLabel audit information 134 * 135 * Description: 136 * Create a new CIPSO_V4_MAP_TRANS DOI definition based on the given ADD 137 * message and add it to the CIPSO V4 engine. Return zero on success and 138 * non-zero on error. 139 * 140 */ 141static int netlbl_cipsov4_add_std(struct genl_info *info, 142 struct netlbl_audit *audit_info) 143{ 144 int ret_val = -EINVAL; 145 struct cipso_v4_doi *doi_def = NULL; 146 struct nlattr *nla_a; 147 struct nlattr *nla_b; 148 int nla_a_rem; 149 int nla_b_rem; 150 u32 iter; 151 152 if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] || 153 !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST]) 154 return -EINVAL; 155 156 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSLVLLST], 157 NLBL_CIPSOV4_A_MAX, 158 netlbl_cipsov4_genl_policy) != 0) 159 return -EINVAL; 160 161 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL); 162 if (doi_def == NULL) 163 return -ENOMEM; 164 doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL); 165 if (doi_def->map.std == NULL) { 166 ret_val = -ENOMEM; 167 goto add_std_failure; 168 } 169 doi_def->type = CIPSO_V4_MAP_TRANS; 170 171 ret_val = netlbl_cipsov4_add_common(info, doi_def); 172 if (ret_val != 0) 173 goto add_std_failure; 174 ret_val = -EINVAL; 175 176 nla_for_each_nested(nla_a, 177 info->attrs[NLBL_CIPSOV4_A_MLSLVLLST], 178 nla_a_rem) 179 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) { 180 if (nla_validate_nested(nla_a, 181 NLBL_CIPSOV4_A_MAX, 182 netlbl_cipsov4_genl_policy) != 0) 183 goto add_std_failure; 184 nla_for_each_nested(nla_b, nla_a, nla_b_rem) 185 switch (nla_type(nla_b)) { 186 case NLBL_CIPSOV4_A_MLSLVLLOC: 187 if (nla_get_u32(nla_b) > 188 CIPSO_V4_MAX_LOC_LVLS) 189 goto add_std_failure; 190 if (nla_get_u32(nla_b) >= 191 doi_def->map.std->lvl.local_size) 192 doi_def->map.std->lvl.local_size = 193 nla_get_u32(nla_b) + 1; 194 break; 195 case NLBL_CIPSOV4_A_MLSLVLREM: 196 if (nla_get_u32(nla_b) > 197 CIPSO_V4_MAX_REM_LVLS) 198 goto add_std_failure; 199 if (nla_get_u32(nla_b) >= 200 doi_def->map.std->lvl.cipso_size) 201 doi_def->map.std->lvl.cipso_size = 202 nla_get_u32(nla_b) + 1; 203 break; 204 } 205 } 206 doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size, 207 sizeof(u32), 208 GFP_KERNEL); 209 if (doi_def->map.std->lvl.local == NULL) { 210 ret_val = -ENOMEM; 211 goto add_std_failure; 212 } 213 doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size, 214 sizeof(u32), 215 GFP_KERNEL); 216 if (doi_def->map.std->lvl.cipso == NULL) { 217 ret_val = -ENOMEM; 218 goto add_std_failure; 219 } 220 for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++) 221 doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL; 222 for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++) 223 doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL; 224 nla_for_each_nested(nla_a, 225 info->attrs[NLBL_CIPSOV4_A_MLSLVLLST], 226 nla_a_rem) 227 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSLVL) { 228 struct nlattr *lvl_loc; 229 struct nlattr *lvl_rem; 230 231 lvl_loc = nla_find_nested(nla_a, 232 NLBL_CIPSOV4_A_MLSLVLLOC); 233 lvl_rem = nla_find_nested(nla_a, 234 NLBL_CIPSOV4_A_MLSLVLREM); 235 if (lvl_loc == NULL || lvl_rem == NULL) 236 goto add_std_failure; 237 doi_def->map.std->lvl.local[nla_get_u32(lvl_loc)] = 238 nla_get_u32(lvl_rem); 239 doi_def->map.std->lvl.cipso[nla_get_u32(lvl_rem)] = 240 nla_get_u32(lvl_loc); 241 } 242 243 if (info->attrs[NLBL_CIPSOV4_A_MLSCATLST]) { 244 if (nla_validate_nested(info->attrs[NLBL_CIPSOV4_A_MLSCATLST], 245 NLBL_CIPSOV4_A_MAX, 246 netlbl_cipsov4_genl_policy) != 0) 247 goto add_std_failure; 248 249 nla_for_each_nested(nla_a, 250 info->attrs[NLBL_CIPSOV4_A_MLSCATLST], 251 nla_a_rem) 252 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) { 253 if (nla_validate_nested(nla_a, 254 NLBL_CIPSOV4_A_MAX, 255 netlbl_cipsov4_genl_policy) != 0) 256 goto add_std_failure; 257 nla_for_each_nested(nla_b, nla_a, nla_b_rem) 258 switch (nla_type(nla_b)) { 259 case NLBL_CIPSOV4_A_MLSCATLOC: 260 if (nla_get_u32(nla_b) > 261 CIPSO_V4_MAX_LOC_CATS) 262 goto add_std_failure; 263 if (nla_get_u32(nla_b) >= 264 doi_def->map.std->cat.local_size) 265 doi_def->map.std->cat.local_size = 266 nla_get_u32(nla_b) + 1; 267 break; 268 case NLBL_CIPSOV4_A_MLSCATREM: 269 if (nla_get_u32(nla_b) > 270 CIPSO_V4_MAX_REM_CATS) 271 goto add_std_failure; 272 if (nla_get_u32(nla_b) >= 273 doi_def->map.std->cat.cipso_size) 274 doi_def->map.std->cat.cipso_size = 275 nla_get_u32(nla_b) + 1; 276 break; 277 } 278 } 279 doi_def->map.std->cat.local = kcalloc( 280 doi_def->map.std->cat.local_size, 281 sizeof(u32), 282 GFP_KERNEL); 283 if (doi_def->map.std->cat.local == NULL) { 284 ret_val = -ENOMEM; 285 goto add_std_failure; 286 } 287 doi_def->map.std->cat.cipso = kcalloc( 288 doi_def->map.std->cat.cipso_size, 289 sizeof(u32), 290 GFP_KERNEL); 291 if (doi_def->map.std->cat.cipso == NULL) { 292 ret_val = -ENOMEM; 293 goto add_std_failure; 294 } 295 for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++) 296 doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT; 297 for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++) 298 doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT; 299 nla_for_each_nested(nla_a, 300 info->attrs[NLBL_CIPSOV4_A_MLSCATLST], 301 nla_a_rem) 302 if (nla_type(nla_a) == NLBL_CIPSOV4_A_MLSCAT) { 303 struct nlattr *cat_loc; 304 struct nlattr *cat_rem; 305 306 cat_loc = nla_find_nested(nla_a, 307 NLBL_CIPSOV4_A_MLSCATLOC); 308 cat_rem = nla_find_nested(nla_a, 309 NLBL_CIPSOV4_A_MLSCATREM); 310 if (cat_loc == NULL || cat_rem == NULL) 311 goto add_std_failure; 312 doi_def->map.std->cat.local[ 313 nla_get_u32(cat_loc)] = 314 nla_get_u32(cat_rem); 315 doi_def->map.std->cat.cipso[ 316 nla_get_u32(cat_rem)] = 317 nla_get_u32(cat_loc); 318 } 319 } 320 321 ret_val = cipso_v4_doi_add(doi_def, audit_info); 322 if (ret_val != 0) 323 goto add_std_failure; 324 return 0; 325 326add_std_failure: 327 cipso_v4_doi_free(doi_def); 328 return ret_val; 329} 330 331/** 332 * netlbl_cipsov4_add_pass - Adds a CIPSO V4 DOI definition 333 * @info: the Generic NETLINK info block 334 * @audit_info: NetLabel audit information 335 * 336 * Description: 337 * Create a new CIPSO_V4_MAP_PASS DOI definition based on the given ADD message 338 * and add it to the CIPSO V4 engine. Return zero on success and non-zero on 339 * error. 340 * 341 */ 342static int netlbl_cipsov4_add_pass(struct genl_info *info, 343 struct netlbl_audit *audit_info) 344{ 345 int ret_val; 346 struct cipso_v4_doi *doi_def = NULL; 347 348 if (!info->attrs[NLBL_CIPSOV4_A_TAGLST]) 349 return -EINVAL; 350 351 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL); 352 if (doi_def == NULL) 353 return -ENOMEM; 354 doi_def->type = CIPSO_V4_MAP_PASS; 355 356 ret_val = netlbl_cipsov4_add_common(info, doi_def); 357 if (ret_val != 0) 358 goto add_pass_failure; 359 360 ret_val = cipso_v4_doi_add(doi_def, audit_info); 361 if (ret_val != 0) 362 goto add_pass_failure; 363 return 0; 364 365add_pass_failure: 366 cipso_v4_doi_free(doi_def); 367 return ret_val; 368} 369 370/** 371 * netlbl_cipsov4_add_local - Adds a CIPSO V4 DOI definition 372 * @info: the Generic NETLINK info block 373 * @audit_info: NetLabel audit information 374 * 375 * Description: 376 * Create a new CIPSO_V4_MAP_LOCAL DOI definition based on the given ADD 377 * message and add it to the CIPSO V4 engine. Return zero on success and 378 * non-zero on error. 379 * 380 */ 381static int netlbl_cipsov4_add_local(struct genl_info *info, 382 struct netlbl_audit *audit_info) 383{ 384 int ret_val; 385 struct cipso_v4_doi *doi_def = NULL; 386 387 if (!info->attrs[NLBL_CIPSOV4_A_TAGLST]) 388 return -EINVAL; 389 390 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL); 391 if (doi_def == NULL) 392 return -ENOMEM; 393 doi_def->type = CIPSO_V4_MAP_LOCAL; 394 395 ret_val = netlbl_cipsov4_add_common(info, doi_def); 396 if (ret_val != 0) 397 goto add_local_failure; 398 399 ret_val = cipso_v4_doi_add(doi_def, audit_info); 400 if (ret_val != 0) 401 goto add_local_failure; 402 return 0; 403 404add_local_failure: 405 cipso_v4_doi_free(doi_def); 406 return ret_val; 407} 408 409/** 410 * netlbl_cipsov4_add - Handle an ADD message 411 * @skb: the NETLINK buffer 412 * @info: the Generic NETLINK info block 413 * 414 * Description: 415 * Create a new DOI definition based on the given ADD message and add it to the 416 * CIPSO V4 engine. Returns zero on success, negative values on failure. 417 * 418 */ 419static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) 420 421{ 422 int ret_val = -EINVAL; 423 struct netlbl_audit audit_info; 424 425 if (!info->attrs[NLBL_CIPSOV4_A_DOI] || 426 !info->attrs[NLBL_CIPSOV4_A_MTYPE]) 427 return -EINVAL; 428 429 netlbl_netlink_auditinfo(skb, &audit_info); 430 switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) { 431 case CIPSO_V4_MAP_TRANS: 432 ret_val = netlbl_cipsov4_add_std(info, &audit_info); 433 break; 434 case CIPSO_V4_MAP_PASS: 435 ret_val = netlbl_cipsov4_add_pass(info, &audit_info); 436 break; 437 case CIPSO_V4_MAP_LOCAL: 438 ret_val = netlbl_cipsov4_add_local(info, &audit_info); 439 break; 440 } 441 if (ret_val == 0) 442 atomic_inc(&netlabel_mgmt_protocount); 443 444 return ret_val; 445} 446 447/** 448 * netlbl_cipsov4_list - Handle a LIST message 449 * @skb: the NETLINK buffer 450 * @info: the Generic NETLINK info block 451 * 452 * Description: 453 * Process a user generated LIST message and respond accordingly. While the 454 * response message generated by the kernel is straightforward, determining 455 * before hand the size of the buffer to allocate is not (we have to generate 456 * the message to know the size). In order to keep this function sane what we 457 * do is allocate a buffer of NLMSG_GOODSIZE and try to fit the response in 458 * that size, if we fail then we restart with a larger buffer and try again. 459 * We continue in this manner until we hit a limit of failed attempts then we 460 * give up and just send an error message. Returns zero on success and 461 * negative values on error. 462 * 463 */ 464static int netlbl_cipsov4_list(struct sk_buff *skb, struct genl_info *info) 465{ 466 int ret_val; 467 struct sk_buff *ans_skb = NULL; 468 u32 nlsze_mult = 1; 469 void *data; 470 u32 doi; 471 struct nlattr *nla_a; 472 struct nlattr *nla_b; 473 struct cipso_v4_doi *doi_def; 474 u32 iter; 475 476 if (!info->attrs[NLBL_CIPSOV4_A_DOI]) { 477 ret_val = -EINVAL; 478 goto list_failure; 479 } 480 481list_start: 482 ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE * nlsze_mult, GFP_KERNEL); 483 if (ans_skb == NULL) { 484 ret_val = -ENOMEM; 485 goto list_failure; 486 } 487 data = genlmsg_put_reply(ans_skb, info, &netlbl_cipsov4_gnl_family, 488 0, NLBL_CIPSOV4_C_LIST); 489 if (data == NULL) { 490 ret_val = -ENOMEM; 491 goto list_failure; 492 } 493 494 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); 495 496 rcu_read_lock(); 497 doi_def = cipso_v4_doi_getdef(doi); 498 if (doi_def == NULL) { 499 ret_val = -EINVAL; 500 goto list_failure_lock; 501 } 502 503 ret_val = nla_put_u32(ans_skb, NLBL_CIPSOV4_A_MTYPE, doi_def->type); 504 if (ret_val != 0) 505 goto list_failure_lock; 506 507 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_TAGLST); 508 if (nla_a == NULL) { 509 ret_val = -ENOMEM; 510 goto list_failure_lock; 511 } 512 for (iter = 0; 513 iter < CIPSO_V4_TAG_MAXCNT && 514 doi_def->tags[iter] != CIPSO_V4_TAG_INVALID; 515 iter++) { 516 ret_val = nla_put_u8(ans_skb, 517 NLBL_CIPSOV4_A_TAG, 518 doi_def->tags[iter]); 519 if (ret_val != 0) 520 goto list_failure_lock; 521 } 522 nla_nest_end(ans_skb, nla_a); 523 524 switch (doi_def->type) { 525 case CIPSO_V4_MAP_TRANS: 526 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVLLST); 527 if (nla_a == NULL) { 528 ret_val = -ENOMEM; 529 goto list_failure_lock; 530 } 531 for (iter = 0; 532 iter < doi_def->map.std->lvl.local_size; 533 iter++) { 534 if (doi_def->map.std->lvl.local[iter] == 535 CIPSO_V4_INV_LVL) 536 continue; 537 538 nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSLVL); 539 if (nla_b == NULL) { 540 ret_val = -ENOMEM; 541 goto list_retry; 542 } 543 ret_val = nla_put_u32(ans_skb, 544 NLBL_CIPSOV4_A_MLSLVLLOC, 545 iter); 546 if (ret_val != 0) 547 goto list_retry; 548 ret_val = nla_put_u32(ans_skb, 549 NLBL_CIPSOV4_A_MLSLVLREM, 550 doi_def->map.std->lvl.local[iter]); 551 if (ret_val != 0) 552 goto list_retry; 553 nla_nest_end(ans_skb, nla_b); 554 } 555 nla_nest_end(ans_skb, nla_a); 556 557 nla_a = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCATLST); 558 if (nla_a == NULL) { 559 ret_val = -ENOMEM; 560 goto list_retry; 561 } 562 for (iter = 0; 563 iter < doi_def->map.std->cat.local_size; 564 iter++) { 565 if (doi_def->map.std->cat.local[iter] == 566 CIPSO_V4_INV_CAT) 567 continue; 568 569 nla_b = nla_nest_start(ans_skb, NLBL_CIPSOV4_A_MLSCAT); 570 if (nla_b == NULL) { 571 ret_val = -ENOMEM; 572 goto list_retry; 573 } 574 ret_val = nla_put_u32(ans_skb, 575 NLBL_CIPSOV4_A_MLSCATLOC, 576 iter); 577 if (ret_val != 0) 578 goto list_retry; 579 ret_val = nla_put_u32(ans_skb, 580 NLBL_CIPSOV4_A_MLSCATREM, 581 doi_def->map.std->cat.local[iter]); 582 if (ret_val != 0) 583 goto list_retry; 584 nla_nest_end(ans_skb, nla_b); 585 } 586 nla_nest_end(ans_skb, nla_a); 587 588 break; 589 } 590 rcu_read_unlock(); 591 592 genlmsg_end(ans_skb, data); 593 return genlmsg_reply(ans_skb, info); 594 595list_retry: 596 /* XXX - this limit is a guesstimate */ 597 if (nlsze_mult < 4) { 598 rcu_read_unlock(); 599 kfree_skb(ans_skb); 600 nlsze_mult *= 2; 601 goto list_start; 602 } 603list_failure_lock: 604 rcu_read_unlock(); 605list_failure: 606 kfree_skb(ans_skb); 607 return ret_val; 608} 609 610/** 611 * netlbl_cipsov4_listall_cb - cipso_v4_doi_walk() callback for LISTALL 612 * @doi_def: the CIPSOv4 DOI definition 613 * @arg: the netlbl_cipsov4_doiwalk_arg structure 614 * 615 * Description: 616 * This function is designed to be used as a callback to the 617 * cipso_v4_doi_walk() function for use in generating a response for a LISTALL 618 * message. Returns the size of the message on success, negative values on 619 * failure. 620 * 621 */ 622static int netlbl_cipsov4_listall_cb(struct cipso_v4_doi *doi_def, void *arg) 623{ 624 int ret_val = -ENOMEM; 625 struct netlbl_cipsov4_doiwalk_arg *cb_arg = arg; 626 void *data; 627 628 data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, 629 cb_arg->seq, &netlbl_cipsov4_gnl_family, 630 NLM_F_MULTI, NLBL_CIPSOV4_C_LISTALL); 631 if (data == NULL) 632 goto listall_cb_failure; 633 634 ret_val = nla_put_u32(cb_arg->skb, NLBL_CIPSOV4_A_DOI, doi_def->doi); 635 if (ret_val != 0) 636 goto listall_cb_failure; 637 ret_val = nla_put_u32(cb_arg->skb, 638 NLBL_CIPSOV4_A_MTYPE, 639 doi_def->type); 640 if (ret_val != 0) 641 goto listall_cb_failure; 642 643 genlmsg_end(cb_arg->skb, data); 644 return 0; 645 646listall_cb_failure: 647 genlmsg_cancel(cb_arg->skb, data); 648 return ret_val; 649} 650 651/** 652 * netlbl_cipsov4_listall - Handle a LISTALL message 653 * @skb: the NETLINK buffer 654 * @cb: the NETLINK callback 655 * 656 * Description: 657 * Process a user generated LISTALL message and respond accordingly. Returns 658 * zero on success and negative values on error. 659 * 660 */ 661static int netlbl_cipsov4_listall(struct sk_buff *skb, 662 struct netlink_callback *cb) 663{ 664 struct netlbl_cipsov4_doiwalk_arg cb_arg; 665 u32 doi_skip = cb->args[0]; 666 667 cb_arg.nl_cb = cb; 668 cb_arg.skb = skb; 669 cb_arg.seq = cb->nlh->nlmsg_seq; 670 671 cipso_v4_doi_walk(&doi_skip, netlbl_cipsov4_listall_cb, &cb_arg); 672 673 cb->args[0] = doi_skip; 674 return skb->len; 675} 676 677/** 678 * netlbl_cipsov4_remove_cb - netlbl_cipsov4_remove() callback for REMOVE 679 * @entry: LSM domain mapping entry 680 * @arg: the netlbl_domhsh_walk_arg structure 681 * 682 * Description: 683 * This function is intended for use by netlbl_cipsov4_remove() as the callback 684 * for the netlbl_domhsh_walk() function; it removes LSM domain map entries 685 * which are associated with the CIPSO DOI specified in @arg. Returns zero on 686 * success, negative values on failure. 687 * 688 */ 689static int netlbl_cipsov4_remove_cb(struct netlbl_dom_map *entry, void *arg) 690{ 691 struct netlbl_domhsh_walk_arg *cb_arg = arg; 692 693 if (entry->def.type == NETLBL_NLTYPE_CIPSOV4 && 694 entry->def.cipso->doi == cb_arg->doi) 695 return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info); 696 697 return 0; 698} 699 700/** 701 * netlbl_cipsov4_remove - Handle a REMOVE message 702 * @skb: the NETLINK buffer 703 * @info: the Generic NETLINK info block 704 * 705 * Description: 706 * Process a user generated REMOVE message and respond accordingly. Returns 707 * zero on success, negative values on failure. 708 * 709 */ 710static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) 711{ 712 int ret_val = -EINVAL; 713 struct netlbl_domhsh_walk_arg cb_arg; 714 struct netlbl_audit audit_info; 715 u32 skip_bkt = 0; 716 u32 skip_chain = 0; 717 718 if (!info->attrs[NLBL_CIPSOV4_A_DOI]) 719 return -EINVAL; 720 721 netlbl_netlink_auditinfo(skb, &audit_info); 722 cb_arg.doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); 723 cb_arg.audit_info = &audit_info; 724 ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain, 725 netlbl_cipsov4_remove_cb, &cb_arg); 726 if (ret_val == 0 || ret_val == -ENOENT) { 727 ret_val = cipso_v4_doi_remove(cb_arg.doi, &audit_info); 728 if (ret_val == 0) 729 atomic_dec(&netlabel_mgmt_protocount); 730 } 731 732 return ret_val; 733} 734 735/* 736 * NetLabel Generic NETLINK Command Definitions 737 */ 738 739static const struct genl_ops netlbl_cipsov4_ops[] = { 740 { 741 .cmd = NLBL_CIPSOV4_C_ADD, 742 .flags = GENL_ADMIN_PERM, 743 .policy = netlbl_cipsov4_genl_policy, 744 .doit = netlbl_cipsov4_add, 745 .dumpit = NULL, 746 }, 747 { 748 .cmd = NLBL_CIPSOV4_C_REMOVE, 749 .flags = GENL_ADMIN_PERM, 750 .policy = netlbl_cipsov4_genl_policy, 751 .doit = netlbl_cipsov4_remove, 752 .dumpit = NULL, 753 }, 754 { 755 .cmd = NLBL_CIPSOV4_C_LIST, 756 .flags = 0, 757 .policy = netlbl_cipsov4_genl_policy, 758 .doit = netlbl_cipsov4_list, 759 .dumpit = NULL, 760 }, 761 { 762 .cmd = NLBL_CIPSOV4_C_LISTALL, 763 .flags = 0, 764 .policy = netlbl_cipsov4_genl_policy, 765 .doit = NULL, 766 .dumpit = netlbl_cipsov4_listall, 767 }, 768}; 769 770/* 771 * NetLabel Generic NETLINK Protocol Functions 772 */ 773 774/** 775 * netlbl_cipsov4_genl_init - Register the CIPSOv4 NetLabel component 776 * 777 * Description: 778 * Register the CIPSOv4 packet NetLabel component with the Generic NETLINK 779 * mechanism. Returns zero on success, negative values on failure. 780 * 781 */ 782int __init netlbl_cipsov4_genl_init(void) 783{ 784 return genl_register_family_with_ops(&netlbl_cipsov4_gnl_family, 785 netlbl_cipsov4_ops); 786} 787