Commit fd385855 authored by Paul Moore's avatar Paul Moore Committed by David S. Miller

[NetLabel]: rework the Netlink attribute handling (part 2)

At the suggestion of Thomas Graf, rewrite NetLabel's use of Netlink attributes
to better follow the common Netlink attribute usage.
Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent fcd48280
This diff is collapsed.
...@@ -34,175 +34,71 @@ ...@@ -34,175 +34,71 @@
#include <net/netlabel.h> #include <net/netlabel.h>
/* /*
* The following NetLabel payloads are supported by the CIPSO subsystem, all * The following NetLabel payloads are supported by the CIPSO subsystem.
* of which are preceeded by the nlmsghdr struct.
* *
* o ACK: * o ADD:
* Sent by the kernel in response to an applications message, applications * Sent by an application to add a new DOI mapping table.
* should never send this message.
* *
* +----------------------+-----------------------+ * Required attributes:
* | seq number (32 bits) | return code (32 bits) |
* +----------------------+-----------------------+
* *
* seq number: the sequence number of the original message, taken from the * NLBL_CIPSOV4_A_DOI
* nlmsghdr structure * NLBL_CIPSOV4_A_MTYPE
* return code: return value, based on errno values * NLBL_CIPSOV4_A_TAGLST
* *
* o ADD: * If using CIPSO_V4_MAP_STD the following attributes are required:
* Sent by an application to add a new DOI mapping table, after completion *
* of the task the kernel should ACK this message. * NLBL_CIPSOV4_A_MLSLVLLST
* * NLBL_CIPSOV4_A_MLSCATLST
* +---------------+--------------------+---------------------+ *
* | DOI (32 bits) | map type (32 bits) | tag count (32 bits) | ... * If using CIPSO_V4_MAP_PASS no additional attributes are required.
* +---------------+--------------------+---------------------+
*
* +-----------------+
* | tag #X (8 bits) | ... repeated
* +-----------------+
*
* +-------------- ---- --- -- -
* | mapping data
* +-------------- ---- --- -- -
*
* DOI: the DOI value
* map type: the mapping table type (defined in the cipso_ipv4.h header
* as CIPSO_V4_MAP_*)
* tag count: the number of tags, must be greater than zero
* tag: the CIPSO tag for the DOI, tags listed first are given
* higher priorirty when sending packets
* mapping data: specific to the map type (see below)
*
* CIPSO_V4_MAP_STD
*
* +------------------+-----------------------+----------------------+
* | levels (32 bits) | max l level (32 bits) | max r level (8 bits) | ...
* +------------------+-----------------------+----------------------+
*
* +----------------------+---------------------+---------------------+
* | categories (32 bits) | max l cat (32 bits) | max r cat (16 bits) | ...
* +----------------------+---------------------+---------------------+
*
* +--------------------------+-------------------------+
* | local level #X (32 bits) | CIPSO level #X (8 bits) | ... repeated
* +--------------------------+-------------------------+
*
* +-----------------------------+-----------------------------+
* | local category #X (32 bits) | CIPSO category #X (16 bits) | ... repeated
* +-----------------------------+-----------------------------+
*
* levels: the number of level mappings
* max l level: the highest local level
* max r level: the highest remote/CIPSO level
* categories: the number of category mappings
* max l cat: the highest local category
* max r cat: the highest remote/CIPSO category
* local level: the local part of a level mapping
* CIPSO level: the remote/CIPSO part of a level mapping
* local category: the local part of a category mapping
* CIPSO category: the remote/CIPSO part of a category mapping
*
* CIPSO_V4_MAP_PASS
*
* No mapping data is needed for this map type.
* *
* o REMOVE: * o REMOVE:
* Sent by an application to remove a specific DOI mapping table from the * Sent by an application to remove a specific DOI mapping table from the
* CIPSO V4 system. The kernel should ACK this message. * CIPSO V4 system.
* *
* +---------------+ * Required attributes:
* | DOI (32 bits) |
* +---------------+
* *
* DOI: the DOI value * NLBL_CIPSOV4_A_DOI
* *
* o LIST: * o LIST:
* Sent by an application to list the details of a DOI definition. The * Sent by an application to list the details of a DOI definition. On
* kernel should send an ACK on error or a response as indicated below. The * success the kernel should send a response using the following format.
* application generated message format is shown below.
* *
* +---------------+ * Required attributes:
* | DOI (32 bits) |
* +---------------+
* *
* DOI: the DOI value * NLBL_CIPSOV4_A_DOI
* *
* The valid response message format depends on the type of the DOI mapping, * The valid response message format depends on the type of the DOI mapping,
* the known formats are shown below. * the defined formats are shown below.
*
* +--------------------+
* | map type (32 bits) | ...
* +--------------------+
*
* map type: the DOI mapping table type (defined in the cipso_ipv4.h
* header as CIPSO_V4_MAP_*)
*
* (map type == CIPSO_V4_MAP_STD)
*
* +----------------+------------------+----------------------+
* | tags (32 bits) | levels (32 bits) | categories (32 bits) | ...
* +----------------+------------------+----------------------+
* *
* +-----------------+ * Required attributes:
* | tag #X (8 bits) | ... repeated
* +-----------------+
* *
* +--------------------------+-------------------------+ * NLBL_CIPSOV4_A_MTYPE
* | local level #X (32 bits) | CIPSO level #X (8 bits) | ... repeated * NLBL_CIPSOV4_A_TAGLST
* +--------------------------+-------------------------+
* *
* +-----------------------------+-----------------------------+ * If using CIPSO_V4_MAP_STD the following attributes are required:
* | local category #X (32 bits) | CIPSO category #X (16 bits) | ... repeated
* +-----------------------------+-----------------------------+
* *
* tags: the number of CIPSO tag types * NLBL_CIPSOV4_A_MLSLVLLST
* levels: the number of level mappings * NLBL_CIPSOV4_A_MLSCATLST
* categories: the number of category mappings
* tag: the tag number, tags listed first are given higher
* priority when sending packets
* local level: the local part of a level mapping
* CIPSO level: the remote/CIPSO part of a level mapping
* local category: the local part of a category mapping
* CIPSO category: the remote/CIPSO part of a category mapping
* *
* (map type == CIPSO_V4_MAP_PASS) * If using CIPSO_V4_MAP_PASS no additional attributes are required.
*
* +----------------+
* | tags (32 bits) | ...
* +----------------+
*
* +-----------------+
* | tag #X (8 bits) | ... repeated
* +-----------------+
*
* tags: the number of CIPSO tag types
* tag: the tag number, tags listed first are given higher
* priority when sending packets
* *
* o LISTALL: * o LISTALL:
* This message is sent by an application to list the valid DOIs on the * This message is sent by an application to list the valid DOIs on the
* system. There is no payload and the kernel should respond with an ACK * system. When sent by an application there is no payload and the
* or the following message. * NLM_F_DUMP flag should be set. The kernel should respond with a series of
* * the following messages.
* +---------------------+------------------+-----------------------+
* | DOI count (32 bits) | DOI #X (32 bits) | map type #X (32 bits) |
* +---------------------+------------------+-----------------------+
* *
* +-----------------------+ * Required attributes:
* | map type #X (32 bits) | ...
* +-----------------------+
* *
* DOI count: the number of DOIs * NLBL_CIPSOV4_A_DOI
* DOI: the DOI value * NLBL_CIPSOV4_A_MTYPE
* map type: the DOI mapping table type (defined in the cipso_ipv4.h
* header as CIPSO_V4_MAP_*)
* *
*/ */
/* NetLabel CIPSOv4 commands */ /* NetLabel CIPSOv4 commands */
enum { enum {
NLBL_CIPSOV4_C_UNSPEC, NLBL_CIPSOV4_C_UNSPEC,
NLBL_CIPSOV4_C_ACK,
NLBL_CIPSOV4_C_ADD, NLBL_CIPSOV4_C_ADD,
NLBL_CIPSOV4_C_REMOVE, NLBL_CIPSOV4_C_REMOVE,
NLBL_CIPSOV4_C_LIST, NLBL_CIPSOV4_C_LIST,
...@@ -211,6 +107,59 @@ enum { ...@@ -211,6 +107,59 @@ enum {
}; };
#define NLBL_CIPSOV4_C_MAX (__NLBL_CIPSOV4_C_MAX - 1) #define NLBL_CIPSOV4_C_MAX (__NLBL_CIPSOV4_C_MAX - 1)
/* NetLabel CIPSOv4 attributes */
enum {
NLBL_CIPSOV4_A_UNSPEC,
NLBL_CIPSOV4_A_DOI,
/* (NLA_U32)
* the DOI value */
NLBL_CIPSOV4_A_MTYPE,
/* (NLA_U32)
* the mapping table type (defined in the cipso_ipv4.h header as
* CIPSO_V4_MAP_*) */
NLBL_CIPSOV4_A_TAG,
/* (NLA_U8)
* a CIPSO tag type, meant to be used within a NLBL_CIPSOV4_A_TAGLST
* attribute */
NLBL_CIPSOV4_A_TAGLST,
/* (NLA_NESTED)
* the CIPSO tag list for the DOI, there must be at least one
* NLBL_CIPSOV4_A_TAG attribute, tags listed first are given higher
* priorirty when sending packets */
NLBL_CIPSOV4_A_MLSLVLLOC,
/* (NLA_U32)
* the local MLS sensitivity level */
NLBL_CIPSOV4_A_MLSLVLREM,
/* (NLA_U32)
* the remote MLS sensitivity level */
NLBL_CIPSOV4_A_MLSLVL,
/* (NLA_NESTED)
* a MLS sensitivity level mapping, must contain only one attribute of
* each of the following types: NLBL_CIPSOV4_A_MLSLVLLOC and
* NLBL_CIPSOV4_A_MLSLVLREM */
NLBL_CIPSOV4_A_MLSLVLLST,
/* (NLA_NESTED)
* the CIPSO level mappings, there must be at least one
* NLBL_CIPSOV4_A_MLSLVL attribute */
NLBL_CIPSOV4_A_MLSCATLOC,
/* (NLA_U32)
* the local MLS category */
NLBL_CIPSOV4_A_MLSCATREM,
/* (NLA_U32)
* the remote MLS category */
NLBL_CIPSOV4_A_MLSCAT,
/* (NLA_NESTED)
* a MLS category mapping, must contain only one attribute of each of
* the following types: NLBL_CIPSOV4_A_MLSCATLOC and
* NLBL_CIPSOV4_A_MLSCATREM */
NLBL_CIPSOV4_A_MLSCATLST,
/* (NLA_NESTED)
* the CIPSO category mappings, there must be at least one
* NLBL_CIPSOV4_A_MLSCAT attribute */
__NLBL_CIPSOV4_A_MAX,
};
#define NLBL_CIPSOV4_A_MAX (__NLBL_CIPSOV4_A_MAX - 1)
/* NetLabel protocol functions */ /* NetLabel protocol functions */
int netlbl_cipsov4_genl_init(void); int netlbl_cipsov4_genl_init(void);
......
This diff is collapsed.
...@@ -34,212 +34,137 @@ ...@@ -34,212 +34,137 @@
#include <net/netlabel.h> #include <net/netlabel.h>
/* /*
* The following NetLabel payloads are supported by the management interface, * The following NetLabel payloads are supported by the management interface.
* all of which are preceeded by the nlmsghdr struct.
*
* o ACK:
* Sent by the kernel in response to an applications message, applications
* should never send this message.
*
* +----------------------+-----------------------+
* | seq number (32 bits) | return code (32 bits) |
* +----------------------+-----------------------+
*
* seq number: the sequence number of the original message, taken from the
* nlmsghdr structure
* return code: return value, based on errno values
* *
* o ADD: * o ADD:
* Sent by an application to add a domain mapping to the NetLabel system. * Sent by an application to add a domain mapping to the NetLabel system.
* The kernel should respond with an ACK.
*
* +-------------------+
* | domains (32 bits) | ...
* +-------------------+
*
* domains: the number of domains in the message
*
* +--------------------------+-------------------------+
* | domain string (variable) | protocol type (32 bits) | ...
* +--------------------------+-------------------------+
* *
* +-------------- ---- --- -- - * Required attributes:
* | mapping data ... repeated
* +-------------- ---- --- -- -
* *
* domain string: the domain string, NULL terminated * NLBL_MGMT_A_DOMAIN
* protocol type: the protocol type (defined by NETLBL_NLTYPE_*) * NLBL_MGMT_A_PROTOCOL
* mapping data: specific to the map type (see below)
* *
* NETLBL_NLTYPE_UNLABELED * If using NETLBL_NLTYPE_CIPSOV4 the following attributes are required:
* *
* No mapping data for this protocol type. * NLBL_MGMT_A_CV4DOI
* *
* NETLBL_NLTYPE_CIPSOV4 * If using NETLBL_NLTYPE_UNLABELED no other attributes are required.
*
* +---------------+
* | doi (32 bits) |
* +---------------+
*
* doi: the CIPSO DOI value
* *
* o REMOVE: * o REMOVE:
* Sent by an application to remove a domain mapping from the NetLabel * Sent by an application to remove a domain mapping from the NetLabel
* system. The kernel should ACK this message. * system.
*
* +-------------------+
* | domains (32 bits) | ...
* +-------------------+
* *
* domains: the number of domains in the message * Required attributes:
* *
* +--------------------------+ * NLBL_MGMT_A_DOMAIN
* | domain string (variable) | ...
* +--------------------------+
* *
* domain string: the domain string, NULL terminated * o LISTALL:
*
* o LIST:
* This message can be sent either from an application or by the kernel in * This message can be sent either from an application or by the kernel in
* response to an application generated LIST message. When sent by an * response to an application generated LISTALL message. When sent by an
* application there is no payload. The kernel should respond to a LIST * application there is no payload and the NLM_F_DUMP flag should be set.
* message either with a LIST message on success or an ACK message on * The kernel should respond with a series of the following messages.
* failure.
*
* +-------------------+
* | domains (32 bits) | ...
* +-------------------+
*
* domains: the number of domains in the message
* *
* +--------------------------+ * Required attributes:
* | domain string (variable) | ...
* +--------------------------+
* *
* +-------------------------+-------------- ---- --- -- - * NLBL_MGMT_A_DOMAIN
* | protocol type (32 bits) | mapping data ... repeated * NLBL_MGMT_A_PROTOCOL
* +-------------------------+-------------- ---- --- -- -
* *
* domain string: the domain string, NULL terminated * If using NETLBL_NLTYPE_CIPSOV4 the following attributes are required:
* protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
* mapping data: specific to the map type (see below)
* *
* NETLBL_NLTYPE_UNLABELED * NLBL_MGMT_A_CV4DOI
* *
* No mapping data for this protocol type. * If using NETLBL_NLTYPE_UNLABELED no other attributes are required.
*
* NETLBL_NLTYPE_CIPSOV4
*
* +----------------+---------------+
* | type (32 bits) | doi (32 bits) |
* +----------------+---------------+
*
* type: the CIPSO mapping table type (defined in the cipso_ipv4.h header
* as CIPSO_V4_MAP_*)
* doi: the CIPSO DOI value
* *
* o ADDDEF: * o ADDDEF:
* Sent by an application to set the default domain mapping for the NetLabel * Sent by an application to set the default domain mapping for the NetLabel
* system. The kernel should respond with an ACK. * system.
* *
* +-------------------------+-------------- ---- --- -- - * Required attributes:
* | protocol type (32 bits) | mapping data ... repeated
* +-------------------------+-------------- ---- --- -- -
* *
* protocol type: the protocol type (defined by NETLBL_NLTYPE_*) * NLBL_MGMT_A_PROTOCOL
* mapping data: specific to the map type (see below)
* *
* NETLBL_NLTYPE_UNLABELED * If using NETLBL_NLTYPE_CIPSOV4 the following attributes are required:
* *
* No mapping data for this protocol type. * NLBL_MGMT_A_CV4DOI
* *
* NETLBL_NLTYPE_CIPSOV4 * If using NETLBL_NLTYPE_UNLABELED no other attributes are required.
*
* +---------------+
* | doi (32 bits) |
* +---------------+
*
* doi: the CIPSO DOI value
* *
* o REMOVEDEF: * o REMOVEDEF:
* Sent by an application to remove the default domain mapping from the * Sent by an application to remove the default domain mapping from the
* NetLabel system, there is no payload. The kernel should ACK this message. * NetLabel system, there is no payload.
* *
* o LISTDEF: * o LISTDEF:
* This message can be sent either from an application or by the kernel in * This message can be sent either from an application or by the kernel in
* response to an application generated LISTDEF message. When sent by an * response to an application generated LISTDEF message. When sent by an
* application there is no payload. The kernel should respond to a * application there is no payload. On success the kernel should send a
* LISTDEF message either with a LISTDEF message on success or an ACK message * response using the following format.
* on failure.
*
* +-------------------------+-------------- ---- --- -- -
* | protocol type (32 bits) | mapping data ... repeated
* +-------------------------+-------------- ---- --- -- -
* *
* protocol type: the protocol type (defined by NETLBL_NLTYPE_*) * Required attributes:
* mapping data: specific to the map type (see below)
* *
* NETLBL_NLTYPE_UNLABELED * NLBL_MGMT_A_PROTOCOL
* *
* No mapping data for this protocol type. * If using NETLBL_NLTYPE_CIPSOV4 the following attributes are required:
* *
* NETLBL_NLTYPE_CIPSOV4 * NLBL_MGMT_A_CV4DOI
* *
* +----------------+---------------+ * If using NETLBL_NLTYPE_UNLABELED no other attributes are required.
* | type (32 bits) | doi (32 bits) |
* +----------------+---------------+
* *
* type: the CIPSO mapping table type (defined in the cipso_ipv4.h header * o PROTOCOLS:
* as CIPSO_V4_MAP_*) * Sent by an application to request a list of configured NetLabel protocols
* doi: the CIPSO DOI value * in the kernel. When sent by an application there is no payload and the
* NLM_F_DUMP flag should be set. The kernel should respond with a series of
* the following messages.
* *
* o MODULES: * Required attributes:
* Sent by an application to request a list of configured NetLabel modules
* in the kernel. When sent by an application there is no payload.
* *
* +-------------------+ * NLBL_MGMT_A_PROTOCOL
* | modules (32 bits) | ...
* +-------------------+
*
* modules: the number of modules in the message, if this is an application
* generated message and the value is zero then return a list of
* the configured modules
*
* +------------------+
* | module (32 bits) | ... repeated
* +------------------+
*
* module: the module number as defined by NETLBL_NLTYPE_*
* *
* o VERSION: * o VERSION:
* Sent by an application to request the NetLabel version string. When sent * Sent by an application to request the NetLabel version. When sent by an
* by an application there is no payload. This message type is also used by * application there is no payload. This message type is also used by the
* the kernel to respond to an VERSION request. * kernel to respond to an VERSION request.
* *
* +-------------------+ * Required attributes:
* | version (32 bits) |
* +-------------------+
* *
* version: the protocol version number * NLBL_MGMT_A_VERSION
* *
*/ */
/* NetLabel Management commands */ /* NetLabel Management commands */
enum { enum {
NLBL_MGMT_C_UNSPEC, NLBL_MGMT_C_UNSPEC,
NLBL_MGMT_C_ACK,
NLBL_MGMT_C_ADD, NLBL_MGMT_C_ADD,
NLBL_MGMT_C_REMOVE, NLBL_MGMT_C_REMOVE,
NLBL_MGMT_C_LIST, NLBL_MGMT_C_LISTALL,
NLBL_MGMT_C_ADDDEF, NLBL_MGMT_C_ADDDEF,
NLBL_MGMT_C_REMOVEDEF, NLBL_MGMT_C_REMOVEDEF,
NLBL_MGMT_C_LISTDEF, NLBL_MGMT_C_LISTDEF,
NLBL_MGMT_C_MODULES, NLBL_MGMT_C_PROTOCOLS,
NLBL_MGMT_C_VERSION, NLBL_MGMT_C_VERSION,
__NLBL_MGMT_C_MAX, __NLBL_MGMT_C_MAX,
}; };
#define NLBL_MGMT_C_MAX (__NLBL_MGMT_C_MAX - 1) #define NLBL_MGMT_C_MAX (__NLBL_MGMT_C_MAX - 1)
/* NetLabel Management attributes */
enum {
NLBL_MGMT_A_UNSPEC,
NLBL_MGMT_A_DOMAIN,
/* (NLA_NUL_STRING)
* the NULL terminated LSM domain string */
NLBL_MGMT_A_PROTOCOL,
/* (NLA_U32)
* the NetLabel protocol type (defined by NETLBL_NLTYPE_*) */
NLBL_MGMT_A_VERSION,
/* (NLA_U32)
* the NetLabel protocol version number (defined by
* NETLBL_PROTO_VERSION) */
NLBL_MGMT_A_CV4DOI,
/* (NLA_U32)
* the CIPSOv4 DOI value */
__NLBL_MGMT_A_MAX,
};
#define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1)
/* NetLabel protocol functions */ /* NetLabel protocol functions */
int netlbl_mgmt_genl_init(void); int netlbl_mgmt_genl_init(void);
......
...@@ -55,9 +55,13 @@ static struct genl_family netlbl_unlabel_gnl_family = { ...@@ -55,9 +55,13 @@ static struct genl_family netlbl_unlabel_gnl_family = {
.hdrsize = 0, .hdrsize = 0,
.name = NETLBL_NLTYPE_UNLABELED_NAME, .name = NETLBL_NLTYPE_UNLABELED_NAME,
.version = NETLBL_PROTO_VERSION, .version = NETLBL_PROTO_VERSION,
.maxattr = 0, .maxattr = NLBL_UNLABEL_A_MAX,
}; };
/* NetLabel Netlink attribute policy */
static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
[NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
};
/* /*
* NetLabel Command Handlers * NetLabel Command Handlers
...@@ -75,31 +79,18 @@ static struct genl_family netlbl_unlabel_gnl_family = { ...@@ -75,31 +79,18 @@ static struct genl_family netlbl_unlabel_gnl_family = {
*/ */
static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
{ {
int ret_val; int ret_val = -EINVAL;
struct nlattr *data = netlbl_netlink_payload_data(skb); u8 value;
u32 value;
ret_val = netlbl_netlink_cap_check(skb, CAP_NET_ADMIN);
if (ret_val != 0)
return ret_val;
if (netlbl_netlink_payload_len(skb) == NETLBL_LEN_U32) { if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
value = nla_get_u32(data); value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
if (value == 1 || value == 0) { if (value == 1 || value == 0) {
atomic_set(&netlabel_unlabel_accept_flg, value); atomic_set(&netlabel_unlabel_accept_flg, value);
netlbl_netlink_send_ack(info, ret_val = 0;
netlbl_unlabel_gnl_family.id,
NLBL_UNLABEL_C_ACK,
NETLBL_E_OK);
return 0;
} }
} }
netlbl_netlink_send_ack(info, return ret_val;
netlbl_unlabel_gnl_family.id,
NLBL_UNLABEL_C_ACK,
EINVAL);
return -EINVAL;
} }
/** /**
...@@ -114,39 +105,39 @@ static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) ...@@ -114,39 +105,39 @@ static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
*/ */
static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info) static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
{ {
int ret_val = -ENOMEM; int ret_val = -EINVAL;
struct sk_buff *ans_skb; struct sk_buff *ans_skb;
void *data;
ans_skb = netlbl_netlink_alloc_skb(0, ans_skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
GENL_HDRLEN + NETLBL_LEN_U32,
GFP_KERNEL);
if (ans_skb == NULL) if (ans_skb == NULL)
goto list_failure; goto list_failure;
data = netlbl_netlink_hdr_put(ans_skb,
if (netlbl_netlink_hdr_put(ans_skb,
info->snd_pid, info->snd_pid,
0, info->snd_seq,
netlbl_unlabel_gnl_family.id, netlbl_unlabel_gnl_family.id,
NLBL_UNLABEL_C_LIST) == NULL) 0,
NLBL_UNLABEL_C_LIST);
if (data == NULL) {
ret_val = -ENOMEM;
goto list_failure; goto list_failure;
}
ret_val = nla_put_u32(ans_skb, ret_val = nla_put_u8(ans_skb,
NLA_U32, NLBL_UNLABEL_A_ACPTFLG,
atomic_read(&netlabel_unlabel_accept_flg)); atomic_read(&netlabel_unlabel_accept_flg));
if (ret_val != 0) if (ret_val != 0)
goto list_failure; goto list_failure;
ret_val = netlbl_netlink_snd(ans_skb, info->snd_pid); genlmsg_end(ans_skb, data);
ret_val = genlmsg_unicast(ans_skb, info->snd_pid);
if (ret_val != 0) if (ret_val != 0)
goto list_failure; goto list_failure;
return 0; return 0;
list_failure: list_failure:
netlbl_netlink_send_ack(info, kfree(ans_skb);
netlbl_unlabel_gnl_family.id,
NLBL_UNLABEL_C_ACK,
-ret_val);
return ret_val; return ret_val;
} }
...@@ -157,7 +148,8 @@ static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info) ...@@ -157,7 +148,8 @@ static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
static struct genl_ops netlbl_unlabel_genl_c_accept = { static struct genl_ops netlbl_unlabel_genl_c_accept = {
.cmd = NLBL_UNLABEL_C_ACCEPT, .cmd = NLBL_UNLABEL_C_ACCEPT,
.flags = 0, .flags = GENL_ADMIN_PERM,
.policy = netlbl_unlabel_genl_policy,
.doit = netlbl_unlabel_accept, .doit = netlbl_unlabel_accept,
.dumpit = NULL, .dumpit = NULL,
}; };
...@@ -165,6 +157,7 @@ static struct genl_ops netlbl_unlabel_genl_c_accept = { ...@@ -165,6 +157,7 @@ static struct genl_ops netlbl_unlabel_genl_c_accept = {
static struct genl_ops netlbl_unlabel_genl_c_list = { static struct genl_ops netlbl_unlabel_genl_c_list = {
.cmd = NLBL_UNLABEL_C_LIST, .cmd = NLBL_UNLABEL_C_LIST,
.flags = 0, .flags = 0,
.policy = netlbl_unlabel_genl_policy,
.doit = netlbl_unlabel_list, .doit = netlbl_unlabel_list,
.dumpit = NULL, .dumpit = NULL,
}; };
...@@ -218,10 +211,8 @@ int netlbl_unlabel_genl_init(void) ...@@ -218,10 +211,8 @@ int netlbl_unlabel_genl_init(void)
*/ */
int netlbl_unlabel_getattr(struct netlbl_lsm_secattr *secattr) int netlbl_unlabel_getattr(struct netlbl_lsm_secattr *secattr)
{ {
if (atomic_read(&netlabel_unlabel_accept_flg) == 1) { if (atomic_read(&netlabel_unlabel_accept_flg) == 1)
memset(secattr, 0, sizeof(*secattr)); return netlbl_secattr_init(secattr);
return 0;
}
return -ENOMSG; return -ENOMSG;
} }
......
...@@ -36,56 +36,47 @@ ...@@ -36,56 +36,47 @@
/* /*
* The following NetLabel payloads are supported by the Unlabeled subsystem. * The following NetLabel payloads are supported by the Unlabeled subsystem.
* *
* o ACK:
* Sent by the kernel in response to an applications message, applications
* should never send this message.
*
* +----------------------+-----------------------+
* | seq number (32 bits) | return code (32 bits) |
* +----------------------+-----------------------+
*
* seq number: the sequence number of the original message, taken from the
* nlmsghdr structure
* return code: return value, based on errno values
*
* o ACCEPT * o ACCEPT
* This message is sent from an application to specify if the kernel should * This message is sent from an application to specify if the kernel should
* allow unlabled packets to pass if they do not match any of the static * allow unlabled packets to pass if they do not match any of the static
* mappings defined in the unlabeled module. * mappings defined in the unlabeled module.
* *
* +-----------------+ * Required attributes:
* | allow (32 bits) |
* +-----------------+
* *
* allow: if true (1) then allow the packets to pass, if false (0) then * NLBL_UNLABEL_A_ACPTFLG
* reject the packets
* *
* o LIST * o LIST
* This message can be sent either from an application or by the kernel in * This message can be sent either from an application or by the kernel in
* response to an application generated LIST message. When sent by an * response to an application generated LIST message. When sent by an
* application there is no payload. The kernel should respond to a LIST * application there is no payload. The kernel should respond to a LIST
* message either with a LIST message on success or an ACK message on * message with a LIST message on success.
* failure.
* *
* +-----------------------+ * Required attributes:
* | accept flag (32 bits) |
* +-----------------------+
* *
* accept flag: if true (1) then unlabeled packets are allowed to pass, * NLBL_UNLABEL_A_ACPTFLG
* if false (0) then unlabeled packets are rejected
* *
*/ */
/* NetLabel Unlabeled commands */ /* NetLabel Unlabeled commands */
enum { enum {
NLBL_UNLABEL_C_UNSPEC, NLBL_UNLABEL_C_UNSPEC,
NLBL_UNLABEL_C_ACK,
NLBL_UNLABEL_C_ACCEPT, NLBL_UNLABEL_C_ACCEPT,
NLBL_UNLABEL_C_LIST, NLBL_UNLABEL_C_LIST,
__NLBL_UNLABEL_C_MAX, __NLBL_UNLABEL_C_MAX,
}; };
#define NLBL_UNLABEL_C_MAX (__NLBL_UNLABEL_C_MAX - 1) #define NLBL_UNLABEL_C_MAX (__NLBL_UNLABEL_C_MAX - 1)
/* NetLabel Unlabeled attributes */
enum {
NLBL_UNLABEL_A_UNSPEC,
NLBL_UNLABEL_A_ACPTFLG,
/* (NLA_U8)
* if true then unlabeled packets are allowed to pass, else unlabeled
* packets are rejected */
__NLBL_UNLABEL_A_MAX,
};
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
/* NetLabel protocol functions */ /* NetLabel protocol functions */
int netlbl_unlabel_genl_init(void); int netlbl_unlabel_genl_init(void);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment