Commit 8f18e675 authored by Huw Davies's avatar Huw Davies Committed by Paul Moore

netlabel: Add an address family to domain hash entries.

The reason is to allow different labelling protocols for
different address families with the same domain.

This requires the addition of an address family attribute
in the netlink communication protocol.  It is used in several
messages:

NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF take it as an optional
attribute for the unlabelled protocol.  It may be one of AF_INET,
AF_INET6 or AF_UNSPEC (to specify both address families).  If it
is missing, it defaults to AF_UNSPEC.

NLBL_MGMT_C_LISTALL and NLBL_MGMT_C_LISTDEF return it as part of
the enumeration of each item.  Addtionally, it may be sent to
LISTDEF to specify which address family to return.
Signed-off-by: default avatarHuw Davies <huw@codeweavers.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 96a8f7f8
This diff is collapsed.
...@@ -70,6 +70,7 @@ struct netlbl_domaddr6_map { ...@@ -70,6 +70,7 @@ struct netlbl_domaddr6_map {
struct netlbl_dom_map { struct netlbl_dom_map {
char *domain; char *domain;
u16 family;
struct netlbl_dommap_def def; struct netlbl_dommap_def def;
u32 valid; u32 valid;
...@@ -91,9 +92,10 @@ int netlbl_domhsh_remove_af4(const char *domain, ...@@ -91,9 +92,10 @@ int netlbl_domhsh_remove_af4(const char *domain,
const struct in_addr *addr, const struct in_addr *addr,
const struct in_addr *mask, const struct in_addr *mask,
struct netlbl_audit *audit_info); struct netlbl_audit *audit_info);
int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info); int netlbl_domhsh_remove(const char *domain, u16 family,
int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info); struct netlbl_audit *audit_info);
struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); int netlbl_domhsh_remove_default(u16 family, struct netlbl_audit *audit_info);
struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain, u16 family);
struct netlbl_dommap_def *netlbl_domhsh_getentry_af4(const char *domain, struct netlbl_dommap_def *netlbl_domhsh_getentry_af4(const char *domain,
__be32 addr); __be32 addr);
#if IS_ENABLED(CONFIG_IPV6) #if IS_ENABLED(CONFIG_IPV6)
......
...@@ -72,7 +72,7 @@ int netlbl_cfg_map_del(const char *domain, ...@@ -72,7 +72,7 @@ int netlbl_cfg_map_del(const char *domain,
struct netlbl_audit *audit_info) struct netlbl_audit *audit_info)
{ {
if (addr == NULL && mask == NULL) { if (addr == NULL && mask == NULL) {
return netlbl_domhsh_remove(domain, audit_info); return netlbl_domhsh_remove(domain, family, audit_info);
} else if (addr != NULL && mask != NULL) { } else if (addr != NULL && mask != NULL) {
switch (family) { switch (family) {
case AF_INET: case AF_INET:
...@@ -119,6 +119,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain, ...@@ -119,6 +119,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain,
if (entry->domain == NULL) if (entry->domain == NULL)
goto cfg_unlbl_map_add_failure; goto cfg_unlbl_map_add_failure;
} }
entry->family = family;
if (addr == NULL && mask == NULL) if (addr == NULL && mask == NULL)
entry->def.type = NETLBL_NLTYPE_UNLABELED; entry->def.type = NETLBL_NLTYPE_UNLABELED;
...@@ -345,6 +346,7 @@ int netlbl_cfg_cipsov4_map_add(u32 doi, ...@@ -345,6 +346,7 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
entry = kzalloc(sizeof(*entry), GFP_ATOMIC); entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
if (entry == NULL) if (entry == NULL)
goto out_entry; goto out_entry;
entry->family = AF_INET;
if (domain != NULL) { if (domain != NULL) {
entry->domain = kstrdup(domain, GFP_ATOMIC); entry->domain = kstrdup(domain, GFP_ATOMIC);
if (entry->domain == NULL) if (entry->domain == NULL)
...@@ -773,7 +775,7 @@ int netlbl_sock_setattr(struct sock *sk, ...@@ -773,7 +775,7 @@ int netlbl_sock_setattr(struct sock *sk,
struct netlbl_dom_map *dom_entry; struct netlbl_dom_map *dom_entry;
rcu_read_lock(); rcu_read_lock();
dom_entry = netlbl_domhsh_getentry(secattr->domain); dom_entry = netlbl_domhsh_getentry(secattr->domain, family);
if (dom_entry == NULL) { if (dom_entry == NULL) {
ret_val = -ENOENT; ret_val = -ENOENT;
goto socket_setattr_return; goto socket_setattr_return;
......
...@@ -72,6 +72,7 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = { ...@@ -72,6 +72,7 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
[NLBL_MGMT_A_PROTOCOL] = { .type = NLA_U32 }, [NLBL_MGMT_A_PROTOCOL] = { .type = NLA_U32 },
[NLBL_MGMT_A_VERSION] = { .type = NLA_U32 }, [NLBL_MGMT_A_VERSION] = { .type = NLA_U32 },
[NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 }, [NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 },
[NLBL_MGMT_A_FAMILY] = { .type = NLA_U16 },
}; };
/* /*
...@@ -119,6 +120,11 @@ static int netlbl_mgmt_add_common(struct genl_info *info, ...@@ -119,6 +120,11 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
switch (entry->def.type) { switch (entry->def.type) {
case NETLBL_NLTYPE_UNLABELED: case NETLBL_NLTYPE_UNLABELED:
if (info->attrs[NLBL_MGMT_A_FAMILY])
entry->family =
nla_get_u16(info->attrs[NLBL_MGMT_A_FAMILY]);
else
entry->family = AF_UNSPEC;
break; break;
case NETLBL_NLTYPE_CIPSOV4: case NETLBL_NLTYPE_CIPSOV4:
if (!info->attrs[NLBL_MGMT_A_CV4DOI]) if (!info->attrs[NLBL_MGMT_A_CV4DOI])
...@@ -128,12 +134,17 @@ static int netlbl_mgmt_add_common(struct genl_info *info, ...@@ -128,12 +134,17 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
cipsov4 = cipso_v4_doi_getdef(tmp_val); cipsov4 = cipso_v4_doi_getdef(tmp_val);
if (cipsov4 == NULL) if (cipsov4 == NULL)
goto add_free_domain; goto add_free_domain;
entry->family = AF_INET;
entry->def.cipso = cipsov4; entry->def.cipso = cipsov4;
break; break;
default: default:
goto add_free_domain; goto add_free_domain;
} }
if ((entry->family == AF_INET && info->attrs[NLBL_MGMT_A_IPV6ADDR]) ||
(entry->family == AF_INET6 && info->attrs[NLBL_MGMT_A_IPV4ADDR]))
goto add_doi_put_def;
if (info->attrs[NLBL_MGMT_A_IPV4ADDR]) { if (info->attrs[NLBL_MGMT_A_IPV4ADDR]) {
struct in_addr *addr; struct in_addr *addr;
struct in_addr *mask; struct in_addr *mask;
...@@ -178,6 +189,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info, ...@@ -178,6 +189,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
goto add_free_addrmap; goto add_free_addrmap;
} }
entry->family = AF_INET;
entry->def.type = NETLBL_NLTYPE_ADDRSELECT; entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
entry->def.addrsel = addrmap; entry->def.addrsel = addrmap;
#if IS_ENABLED(CONFIG_IPV6) #if IS_ENABLED(CONFIG_IPV6)
...@@ -227,6 +239,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info, ...@@ -227,6 +239,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
goto add_free_addrmap; goto add_free_addrmap;
} }
entry->family = AF_INET6;
entry->def.type = NETLBL_NLTYPE_ADDRSELECT; entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
entry->def.addrsel = addrmap; entry->def.addrsel = addrmap;
#endif /* IPv6 */ #endif /* IPv6 */
...@@ -278,6 +291,10 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb, ...@@ -278,6 +291,10 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
return ret_val; return ret_val;
} }
ret_val = nla_put_u16(skb, NLBL_MGMT_A_FAMILY, entry->family);
if (ret_val != 0)
return ret_val;
switch (entry->def.type) { switch (entry->def.type) {
case NETLBL_NLTYPE_ADDRSELECT: case NETLBL_NLTYPE_ADDRSELECT:
nla_a = nla_nest_start(skb, NLBL_MGMT_A_SELECTORLIST); nla_a = nla_nest_start(skb, NLBL_MGMT_A_SELECTORLIST);
...@@ -418,7 +435,7 @@ static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info) ...@@ -418,7 +435,7 @@ static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info)
netlbl_netlink_auditinfo(skb, &audit_info); netlbl_netlink_auditinfo(skb, &audit_info);
domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]);
return netlbl_domhsh_remove(domain, &audit_info); return netlbl_domhsh_remove(domain, AF_UNSPEC, &audit_info);
} }
/** /**
...@@ -536,7 +553,7 @@ static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) ...@@ -536,7 +553,7 @@ static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info)
netlbl_netlink_auditinfo(skb, &audit_info); netlbl_netlink_auditinfo(skb, &audit_info);
return netlbl_domhsh_remove_default(&audit_info); return netlbl_domhsh_remove_default(AF_UNSPEC, &audit_info);
} }
/** /**
...@@ -556,6 +573,12 @@ static int netlbl_mgmt_listdef(struct sk_buff *skb, struct genl_info *info) ...@@ -556,6 +573,12 @@ static int netlbl_mgmt_listdef(struct sk_buff *skb, struct genl_info *info)
struct sk_buff *ans_skb = NULL; struct sk_buff *ans_skb = NULL;
void *data; void *data;
struct netlbl_dom_map *entry; struct netlbl_dom_map *entry;
u16 family;
if (info->attrs[NLBL_MGMT_A_FAMILY])
family = nla_get_u16(info->attrs[NLBL_MGMT_A_FAMILY]);
else
family = AF_INET;
ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (ans_skb == NULL) if (ans_skb == NULL)
...@@ -566,7 +589,7 @@ static int netlbl_mgmt_listdef(struct sk_buff *skb, struct genl_info *info) ...@@ -566,7 +589,7 @@ static int netlbl_mgmt_listdef(struct sk_buff *skb, struct genl_info *info)
goto listdef_failure; goto listdef_failure;
rcu_read_lock(); rcu_read_lock();
entry = netlbl_domhsh_getentry(NULL); entry = netlbl_domhsh_getentry(NULL, family);
if (entry == NULL) { if (entry == NULL) {
ret_val = -ENOENT; ret_val = -ENOENT;
goto listdef_failure_lock; goto listdef_failure_lock;
......
...@@ -58,7 +58,10 @@ ...@@ -58,7 +58,10 @@
* *
* NLBL_MGMT_A_CV4DOI * NLBL_MGMT_A_CV4DOI
* *
* If using NETLBL_NLTYPE_UNLABELED no other attributes are required. * If using NETLBL_NLTYPE_UNLABELED no other attributes are required,
* however the following attribute may optionally be sent:
*
* NLBL_MGMT_A_FAMILY
* *
* o REMOVE: * o REMOVE:
* Sent by an application to remove a domain mapping from the NetLabel * Sent by an application to remove a domain mapping from the NetLabel
...@@ -77,6 +80,7 @@ ...@@ -77,6 +80,7 @@
* Required attributes: * Required attributes:
* *
* NLBL_MGMT_A_DOMAIN * NLBL_MGMT_A_DOMAIN
* NLBL_MGMT_A_FAMILY
* *
* If the IP address selectors are not used the following attribute is * If the IP address selectors are not used the following attribute is
* required: * required:
...@@ -108,7 +112,10 @@ ...@@ -108,7 +112,10 @@
* *
* NLBL_MGMT_A_CV4DOI * NLBL_MGMT_A_CV4DOI
* *
* If using NETLBL_NLTYPE_UNLABELED no other attributes are required. * If using NETLBL_NLTYPE_UNLABELED no other attributes are required,
* however the following attribute may optionally be sent:
*
* NLBL_MGMT_A_FAMILY
* *
* o REMOVEDEF: * o REMOVEDEF:
* Sent by an application to remove the default domain mapping from the * Sent by an application to remove the default domain mapping from the
...@@ -117,13 +124,17 @@ ...@@ -117,13 +124,17 @@
* o LISTDEF: * o LISTDEF:
* This message can be sent either from an application or by the kernel in * This message can be sent either from an application or by the kernel in
* response to an application generated LISTDEF message. When sent by an * response to an application generated LISTDEF message. When sent by an
* application there is no payload. On success the kernel should send a * application there may be an optional payload.
* response using the following format.
* *
* If the IP address selectors are not used the following attribute is * NLBL_MGMT_A_FAMILY
*
* On success the kernel should send a response using the following format:
*
* If the IP address selectors are not used the following attributes are
* required: * required:
* *
* NLBL_MGMT_A_PROTOCOL * NLBL_MGMT_A_PROTOCOL
* NLBL_MGMT_A_FAMILY
* *
* If the IP address selectors are used then the following attritbute is * If the IP address selectors are used then the following attritbute is
* required: * required:
...@@ -209,6 +220,9 @@ enum { ...@@ -209,6 +220,9 @@ enum {
/* (NLA_NESTED) /* (NLA_NESTED)
* the selector list, there must be at least one * the selector list, there must be at least one
* NLBL_MGMT_A_ADDRSELECTOR attribute */ * NLBL_MGMT_A_ADDRSELECTOR attribute */
NLBL_MGMT_A_FAMILY,
/* (NLA_U16)
* The address family */
__NLBL_MGMT_A_MAX, __NLBL_MGMT_A_MAX,
}; };
#define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1) #define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1)
......
...@@ -1537,6 +1537,7 @@ int __init netlbl_unlabel_defconf(void) ...@@ -1537,6 +1537,7 @@ int __init netlbl_unlabel_defconf(void)
entry = kzalloc(sizeof(*entry), GFP_KERNEL); entry = kzalloc(sizeof(*entry), GFP_KERNEL);
if (entry == NULL) if (entry == NULL)
return -ENOMEM; return -ENOMEM;
entry->family = AF_UNSPEC;
entry->def.type = NETLBL_NLTYPE_UNLABELED; entry->def.type = NETLBL_NLTYPE_UNLABELED;
ret_val = netlbl_domhsh_add_default(entry, &audit_info); ret_val = netlbl_domhsh_add_default(entry, &audit_info);
if (ret_val != 0) if (ret_val != 0)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment