search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MOXA linux-2.6.x / linux-2.6.9-uc0 from sdlinux-moxaart.tgz
[linux-2.6.9-moxart.git] / security / selinux / netif.c
blobd23bd7e6345e5d561c65925bb18b5964a5e8e0de
1 /*
2 * Network interface table.
3 *
4 * Network interfaces (devices) do not have a security field, so we
5 * maintain a table associating each interface with a SID.
6 *
7 * Author: James Morris <jmorris@redhat.com>
8 *
9 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2,
13 * as published by the Free Software Foundation.
14 */
15 #include <linux/init.h>
16 #include <linux/types.h>
17 #include <linux/stddef.h>
18 #include <linux/kernel.h>
19 #include <linux/list.h>
20 #include <linux/notifier.h>
21 #include <linux/netdevice.h>
22 #include <linux/rcupdate.h>
23
24 #include "security.h"
25 #include "objsec.h"
26 #include "netif.h"
27
28 #define SEL_NETIF_HASH_SIZE 64
29 #define SEL_NETIF_HASH_MAX 1024
30
31 #undef DEBUG
32
33 #ifdef DEBUG
34 #define DEBUGP printk
35 #else
36 #define DEBUGP(format, args...)
37 #endif
38
39 static u32 sel_netif_total;
40 static LIST_HEAD(sel_netif_list);
41 static spinlock_t sel_netif_lock = SPIN_LOCK_UNLOCKED;
42 static struct sel_netif sel_netif_hash[SEL_NETIF_HASH_SIZE];
43
44 static inline u32 sel_netif_hasfn(struct net_device *dev)
45 {
46 return (dev->ifindex & (SEL_NETIF_HASH_SIZE - 1));
47 }
48
49 /*
50 * All of the devices should normally fit in the hash, so we optimize
51 * for that case.
52 */
53 static struct sel_netif *sel_netif_find(struct net_device *dev)
54 {
55 struct list_head *pos;
56 int idx = sel_netif_hasfn(dev);
57
58 __list_for_each_rcu(pos, &sel_netif_hash[idx].list) {
59 struct sel_netif *netif = list_entry(pos,
60 struct sel_netif, list);
61 if (likely(netif->nsec.dev == dev))
62 return netif;
63 }
64 return NULL;
65 }
66
67 static int sel_netif_insert(struct sel_netif *netif)
68 {
69 int idx, ret = 0;
70
71 if (sel_netif_total >= SEL_NETIF_HASH_MAX) {
72 ret = -ENOSPC;
73 goto out;
74 }
75
76 idx = sel_netif_hasfn(netif->nsec.dev);
77 list_add_rcu(&netif->list, &sel_netif_hash[idx].list);
78 atomic_set(&netif->users, 1);
79 sel_netif_total++;
80 out:
81 return ret;
82 }
83
84 struct sel_netif *sel_netif_lookup(struct net_device *dev)
85 {
86 int ret;
87 struct sel_netif *netif, *new;
88 struct netif_security_struct *nsec;
89
90 rcu_read_lock();
91 netif = sel_netif_find(dev);
92 rcu_read_unlock();
93
94 if (likely(netif != NULL))
95 goto out_hold;
96
97 new = kmalloc(sizeof(*new), GFP_ATOMIC);
98 if (!new) {
99 netif = ERR_PTR(-ENOMEM);
100 goto out;
101 }
102
103 memset(new, 0, sizeof(*new));
104 nsec = &new->nsec;
105
106 ret = security_netif_sid(dev->name, &nsec->if_sid, &nsec->msg_sid);
107 if (ret < 0) {
108 kfree(new);
109 netif = ERR_PTR(ret);
110 goto out;
111 }
112
113 nsec->dev = dev;
114
115 spin_lock_bh(&sel_netif_lock);
116
117 netif = sel_netif_find(dev);
118 if (netif) {
119 spin_unlock_bh(&sel_netif_lock);
120 kfree(new);
121 goto out_hold;
122 }
123
124 sel_netif_insert(new);
125 spin_unlock_bh(&sel_netif_lock);
126
127 netif = new;
128
129 DEBUGP("new: ifindex=%u name=%s if_sid=%u msg_sid=%u\n", dev->ifindex, dev->name,
130 nsec->if_sid, nsec->msg_sid);
131 out_hold:
132 atomic_inc(&netif->users);
133 out:
134 return netif;
135 }
136
137 static void sel_netif_free(struct rcu_head *p)
138 {
139 struct sel_netif *netif = container_of(p, struct sel_netif, rcu_head);
140
141 DEBUGP("%s: %s\n", __FUNCTION__, netif->nsec.dev->name);
142 kfree(netif);
143 }
144
145 static void sel_netif_destroy(struct sel_netif *netif)
146 {
147 DEBUGP("%s: %s\n", __FUNCTION__, netif->nsec.dev->name);
148
149 spin_lock_bh(&sel_netif_lock);
150 list_del_rcu(&netif->list);
151 sel_netif_total--;
152 spin_unlock_bh(&sel_netif_lock);
153
154 call_rcu(&netif->rcu_head, sel_netif_free);
155 }
156
157 void sel_netif_put(struct sel_netif *netif)
158 {
159 if (atomic_dec_and_test(&netif->users))
160 sel_netif_destroy(netif);
161 }
162
163 static void sel_netif_kill(struct net_device *dev)
164 {
165 struct sel_netif *netif;
166
167 rcu_read_lock();
168 netif = sel_netif_find(dev);
169 rcu_read_unlock();
170
171 /* Drop internal reference */
172 if (netif)
173 sel_netif_put(netif);
174 }
175
176 static void sel_netif_flush(void)
177 {
178 int idx;
179
180 for (idx = 0; idx < SEL_NETIF_HASH_SIZE; idx++) {
181 struct list_head *pos;
182
183 list_for_each_rcu(pos, &sel_netif_hash[idx].list) {
184 struct sel_netif *netif;
185
186 netif = list_entry(pos, struct sel_netif, list);
187 if (netif)
188 sel_netif_put(netif);
189 }
190 }
191 }
192
193 static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid,
194 u16 class, u32 perms, u32 *retained)
195 {
196 if (event == AVC_CALLBACK_RESET) {
197 sel_netif_flush();
198 synchronize_net();
199 }
200 return 0;
201 }
202
203 static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
204 unsigned long event, void *ptr)
205 {
206 struct net_device *dev = ptr;
207
208 if (event == NETDEV_DOWN)
209 sel_netif_kill(dev);
210
211 return NOTIFY_DONE;
212 }
213
214 static struct notifier_block sel_netif_netdev_notifier = {
215 .notifier_call = sel_netif_netdev_notifier_handler,
216 };
217
218 static __init int sel_netif_init(void)
219 {
220 int i, err = 0;
221
222 if (!selinux_enabled)
223 goto out;
224
225 for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)
226 INIT_LIST_HEAD(&sel_netif_hash[i].list);
227
228 register_netdevice_notifier(&sel_netif_netdev_notifier);
229
230 err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET,
231 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
232 if (err)
233 panic("avc_add_callback() failed, error %d\n", err);
234
235 out:
236 return err;
237 }
238
239 __initcall(sel_netif_init);
240
MOXA 2.6.9 from sdlinux-moxaart.tgz