| blob | 2ec93c5e77bb07ce82ccb4d1ff8418660960d06c |
1 /*
2 * NetLabel CALIPSO/IPv6 Support
3 *
4 * This file defines the CALIPSO/IPv6 functions for the NetLabel system. The
5 * NetLabel system manages static and dynamic label mappings for network
6 * protocols such as CIPSO and CALIPSO.
7 *
8 * Authors: Paul Moore <paul@paul-moore.com>
9 * Huw Davies <huw@codeweavers.com>
10 *
11 */
13 /* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
14 * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 2 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
24 * the GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, see <http://www.gnu.org/licenses/>.
28 *
29 */
31 #include <linux/types.h>
32 #include <linux/socket.h>
33 #include <linux/string.h>
34 #include <linux/skbuff.h>
35 #include <linux/audit.h>
36 #include <linux/slab.h>
37 #include <net/sock.h>
38 #include <net/netlink.h>
39 #include <net/genetlink.h>
40 #include <net/netlabel.h>
41 #include <net/calipso.h>
42 #include <linux/atomic.h>
49 /* Argument struct for calipso_doi_walk() */
53 u32 seq;
54 };
56 /* Argument struct for netlbl_domhsh_walk() */
59 u32 doi;
60 };
62 /* NetLabel Generic NETLINK CALIPSO family */
69 };
71 /* NetLabel Netlink attribute policy */
75 };
77 /* NetLabel Command Handlers
78 */
79 /**
80 * netlbl_calipso_add_pass - Adds a CALIPSO pass DOI definition
81 * @info: the Generic NETLINK info block
82 * @audit_info: NetLabel audit information
83 *
84 * Description:
85 * Create a new CALIPSO_MAP_PASS DOI definition based on the given ADD message
86 * and add it to the CALIPSO engine. Return zero on success and non-zero on
87 * error.
88 *
89 */
92 {
106 }
108 /**
109 * netlbl_calipso_add - Handle an ADD message
110 * @skb: the NETLINK buffer
111 * @info: the Generic NETLINK info block
112 *
113 * Description:
114 * Create a new DOI definition based on the given ADD message and add it to the
115 * CALIPSO engine. Returns zero on success, negative values on failure.
116 *
117 */
120 {
133 }
138 }
140 /**
141 * netlbl_calipso_list - Handle a LIST message
142 * @skb: the NETLINK buffer
143 * @info: the Generic NETLINK info block
144 *
145 * Description:
146 * Process a user generated LIST message and respond accordingly.
147 * Returns zero on success and negative values on error.
148 *
149 */
151 {
155 u32 doi;
161 }
169 }
175 }
181 }
192 list_failure_put:
194 list_failure:
197 }
199 /**
200 * netlbl_calipso_listall_cb - calipso_doi_walk() callback for LISTALL
201 * @doi_def: the CALIPSO DOI definition
202 * @arg: the netlbl_calipso_doiwalk_arg structure
203 *
204 * Description:
205 * This function is designed to be used as a callback to the
206 * calipso_doi_walk() function for use in generating a response for a LISTALL
207 * message. Returns the size of the message on success, negative values on
208 * failure.
209 *
210 */
212 {
227 NLBL_CALIPSO_A_MTYPE,
235 listall_cb_failure:
238 }
240 /**
241 * netlbl_calipso_listall - Handle a LISTALL message
242 * @skb: the NETLINK buffer
243 * @cb: the NETLINK callback
244 *
245 * Description:
246 * Process a user generated LISTALL message and respond accordingly. Returns
247 * zero on success and negative values on error.
248 *
249 */
252 {
264 }
266 /**
267 * netlbl_calipso_remove_cb - netlbl_calipso_remove() callback for REMOVE
268 * @entry: LSM domain mapping entry
269 * @arg: the netlbl_domhsh_walk_arg structure
270 *
271 * Description:
272 * This function is intended for use by netlbl_calipso_remove() as the callback
273 * for the netlbl_domhsh_walk() function; it removes LSM domain map entries
274 * which are associated with the CALIPSO DOI specified in @arg. Returns zero on
275 * success, negative values on failure.
276 *
277 */
279 {
287 }
289 /**
290 * netlbl_calipso_remove - Handle a REMOVE message
291 * @skb: the NETLINK buffer
292 * @info: the Generic NETLINK info block
293 *
294 * Description:
295 * Process a user generated REMOVE message and respond accordingly. Returns
296 * zero on success, negative values on failure.
297 *
298 */
300 {
319 }
322 }
324 /* NetLabel Generic NETLINK Command Definitions
325 */
328 {
334 },
335 {
341 },
342 {
348 },
349 {
355 },
356 };
358 /* NetLabel Generic NETLINK Protocol Functions
359 */
361 /**
362 * netlbl_calipso_genl_init - Register the CALIPSO NetLabel component
363 *
364 * Description:
365 * Register the CALIPSO packet NetLabel component with the Generic NETLINK
366 * mechanism. Returns zero on success, negative values on failure.
367 *
368 */
370 {
372 netlbl_calipso_ops);
373 }
377 /**
378 * netlbl_calipso_ops_register - Register the CALIPSO operations
379 *
380 * Description:
381 * Register the CALIPSO packet engine operations.
382 *
383 */
386 {
388 }
392 {
394 }
396 /**
397 * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine
398 * @doi_def: the DOI structure
399 * @audit_info: NetLabel audit information
400 *
401 * Description:
402 * The caller defines a new DOI for use by the CALIPSO engine and calls this
403 * function to add it to the list of acceptable domains. The caller must
404 * ensure that the mapping table specified in @doi_def->map meets all of the
405 * requirements of the mapping type (see calipso.h for details). Returns
406 * zero on success and non-zero on failure.
407 *
408 */
411 {
418 }
420 /**
421 * calipso_doi_free - Frees a DOI definition
422 * @doi_def: the DOI definition
423 *
424 * Description:
425 * This function frees all of the memory associated with a DOI definition.
426 *
427 */
429 {
434 }
436 /**
437 * calipso_doi_remove - Remove an existing DOI from the CALIPSO protocol engine
438 * @doi: the DOI value
439 * @audit_secid: the LSM secid to use in the audit message
440 *
441 * Description:
442 * Removes a DOI definition from the CALIPSO engine. The NetLabel routines will
443 * be called to release their own LSM domain mappings as well as our own
444 * domain list. Returns zero on success and negative values on failure.
445 *
446 */
448 {
455 }
457 /**
458 * calipso_doi_getdef - Returns a reference to a valid DOI definition
459 * @doi: the DOI value
460 *
461 * Description:
462 * Searches for a valid DOI definition and if one is found it is returned to
463 * the caller. Otherwise NULL is returned. The caller must ensure that
464 * calipso_doi_putdef() is called when the caller is done.
465 *
466 */
468 {
475 }
477 /**
478 * calipso_doi_putdef - Releases a reference for the given DOI definition
479 * @doi_def: the DOI definition
480 *
481 * Description:
482 * Releases a DOI definition reference obtained from calipso_doi_getdef().
483 *
484 */
486 {
491 }
493 /**
494 * calipso_doi_walk - Iterate through the DOI definitions
495 * @skip_cnt: skip past this number of DOI definitions, updated
496 * @callback: callback for each DOI definition
497 * @cb_arg: argument for the callback function
498 *
499 * Description:
500 * Iterate over the DOI definition list, skipping the first @skip_cnt entries.
501 * For each entry call @callback, if @callback returns a negative value stop
502 * 'walking' through the list and return. Updates the value in @skip_cnt upon
503 * return. Returns zero on success, negative values on failure.
504 *
505 */
509 {
516 }
518 /**
519 * calipso_sock_getattr - Get the security attributes from a sock
520 * @sk: the sock
521 * @secattr: the security attributes
522 *
523 * Description:
524 * Query @sk to see if there is a CALIPSO option attached to the sock and if
525 * there is return the CALIPSO security attributes in @secattr. This function
526 * requires that @sk be locked, or privately held, but it does not do any
527 * locking itself. Returns zero on success and negative values on failure.
528 *
529 */
531 {
538 }
540 /**
541 * calipso_sock_setattr - Add a CALIPSO option to a socket
542 * @sk: the socket
543 * @doi_def: the CALIPSO DOI to use
544 * @secattr: the specific security attributes of the socket
545 *
546 * Description:
547 * Set the CALIPSO option on the given socket using the DOI definition and
548 * security attributes passed to the function. This function requires
549 * exclusive access to @sk, which means it either needs to be in the
550 * process of being created or locked. Returns zero on success and negative
551 * values on failure.
552 *
553 */
557 {
564 }
566 /**
567 * calipso_sock_delattr - Delete the CALIPSO option from a socket
568 * @sk: the socket
569 *
570 * Description:
571 * Removes the CALIPSO option from a socket, if present.
572 *
573 */
575 {
580 }
582 /**
583 * calipso_req_setattr - Add a CALIPSO option to a connection request socket
584 * @req: the connection request socket
585 * @doi_def: the CALIPSO DOI to use
586 * @secattr: the specific security attributes of the socket
587 *
588 * Description:
589 * Set the CALIPSO option on the given socket using the DOI definition and
590 * security attributes passed to the function. Returns zero on success and
591 * negative values on failure.
592 *
593 */
597 {
604 }
606 /**
607 * calipso_req_delattr - Delete the CALIPSO option from a request socket
608 * @reg: the request socket
609 *
610 * Description:
611 * Removes the CALIPSO option from a request socket, if present.
612 *
613 */
615 {
620 }
622 /**
623 * calipso_optptr - Find the CALIPSO option in the packet
624 * @skb: the packet
625 *
626 * Description:
627 * Parse the packet's IP header looking for a CALIPSO option. Returns a pointer
628 * to the start of the CALIPSO option on success, NULL if one if not found.
629 *
630 */
632 {
639 }
641 /**
642 * calipso_getattr - Get the security attributes from a memory block.
643 * @calipso: the CALIPSO option
644 * @secattr: the security attributes
645 *
646 * Description:
647 * Inspect @calipso and return the security attributes in @secattr.
648 * Returns zero on success and negative values on failure.
649 *
650 */
653 {
660 }
662 /**
663 * calipso_skbuff_setattr - Set the CALIPSO option on a packet
664 * @skb: the packet
665 * @doi_def: the CALIPSO DOI to use
666 * @secattr: the security attributes
667 *
668 * Description:
669 * Set the CALIPSO option on the given packet based on the security attributes.
670 * Returns a pointer to the IP header on success and NULL on failure.
671 *
672 */
676 {
683 }
685 /**
686 * calipso_skbuff_delattr - Delete any CALIPSO options from a packet
687 * @skb: the packet
688 *
689 * Description:
690 * Removes any and all CALIPSO options from the given packet. Returns zero on
691 * success, negative values on failure.
692 *
693 */
695 {
702 }
704 /**
705 * calipso_cache_invalidate - Invalidates the current CALIPSO cache
706 *
707 * Description:
708 * Invalidates and frees any entries in the CALIPSO cache. Returns zero on
709 * success and negative values on failure.
710 *
711 */
713 {
718 }
720 /**
721 * calipso_cache_add - Add an entry to the CALIPSO cache
722 * @calipso_ptr: the CALIPSO option
723 * @secattr: the packet's security attributes
724 *
725 * Description:
726 * Add a new entry into the CALIPSO label mapping cache.
727 * Returns zero on success, negative values on failure.
728 *
729 */
733 {
740 }