Commit d011a4d8 authored by James Morris's avatar James Morris

Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next

parents 544e1cea 3f09354a
/*
* CALIPSO - Common Architecture Label IPv6 Security Option
*
* This is an implementation of the CALIPSO protocol as specified in
* RFC 5570.
*
* Authors: Paul Moore <paul@paul-moore.com>
* Huw Davies <huw@codeweavers.com>
*
*/
/*
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
* (c) Copyright Huw Davies <huw@codeweavers.com>, 2015
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
* the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*
*/
#ifndef _CALIPSO_H
#define _CALIPSO_H
#include <linux/types.h>
#include <linux/rcupdate.h>
#include <linux/list.h>
#include <linux/net.h>
#include <linux/skbuff.h>
#include <net/netlabel.h>
#include <net/request_sock.h>
#include <linux/atomic.h>
#include <asm/unaligned.h>
/* known doi values */
#define CALIPSO_DOI_UNKNOWN 0x00000000
/* doi mapping types */
#define CALIPSO_MAP_UNKNOWN 0
#define CALIPSO_MAP_PASS 2
/*
* CALIPSO DOI definitions
*/
/* DOI definition struct */
struct calipso_doi {
u32 doi;
u32 type;
atomic_t refcount;
struct list_head list;
struct rcu_head rcu;
};
/*
* Sysctl Variables
*/
extern int calipso_cache_enabled;
extern int calipso_cache_bucketsize;
#ifdef CONFIG_NETLABEL
int __init calipso_init(void);
void calipso_exit(void);
bool calipso_validate(const struct sk_buff *skb, const unsigned char *option);
#else
static inline int __init calipso_init(void)
{
return 0;
}
static inline void calipso_exit(void)
{
}
static inline bool calipso_validate(const struct sk_buff *skb,
const unsigned char *option)
{
return true;
}
#endif /* CONFIG_NETLABEL */
#endif /* _CALIPSO_H */
...@@ -97,8 +97,13 @@ struct inet_request_sock { ...@@ -97,8 +97,13 @@ struct inet_request_sock {
u32 ir_mark; u32 ir_mark;
union { union {
struct ip_options_rcu *opt; struct ip_options_rcu *opt;
#if IS_ENABLED(CONFIG_IPV6)
struct {
struct ipv6_txoptions *ipv6_opt;
struct sk_buff *pktopts; struct sk_buff *pktopts;
}; };
#endif
};
}; };
static inline struct inet_request_sock *inet_rsk(const struct request_sock *sk) static inline struct inet_request_sock *inet_rsk(const struct request_sock *sk)
......
...@@ -313,11 +313,19 @@ struct ipv6_txoptions *ipv6_renew_options(struct sock *sk, ...@@ -313,11 +313,19 @@ struct ipv6_txoptions *ipv6_renew_options(struct sock *sk,
int newtype, int newtype,
struct ipv6_opt_hdr __user *newopt, struct ipv6_opt_hdr __user *newopt,
int newoptlen); int newoptlen);
struct ipv6_txoptions *
ipv6_renew_options_kern(struct sock *sk,
struct ipv6_txoptions *opt,
int newtype,
struct ipv6_opt_hdr *newopt,
int newoptlen);
struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space, struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space,
struct ipv6_txoptions *opt); struct ipv6_txoptions *opt);
bool ipv6_opt_accepted(const struct sock *sk, const struct sk_buff *skb, bool ipv6_opt_accepted(const struct sock *sk, const struct sk_buff *skb,
const struct inet6_skb_parm *opt); const struct inet6_skb_parm *opt);
struct ipv6_txoptions *ipv6_update_options(struct sock *sk,
struct ipv6_txoptions *opt);
static inline bool ipv6_accept_ra(struct inet6_dev *idev) static inline bool ipv6_accept_ra(struct inet6_dev *idev)
{ {
...@@ -943,7 +951,7 @@ enum { ...@@ -943,7 +951,7 @@ enum {
int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset, int target, int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset, int target,
unsigned short *fragoff, int *fragflg); unsigned short *fragoff, int *fragflg);
int ipv6_find_tlv(struct sk_buff *skb, int offset, int type); int ipv6_find_tlv(const struct sk_buff *skb, int offset, int type);
struct in6_addr *fl6_update_dst(struct flowi6 *fl6, struct in6_addr *fl6_update_dst(struct flowi6 *fl6,
const struct ipv6_txoptions *opt, const struct ipv6_txoptions *opt,
......
...@@ -40,6 +40,7 @@ ...@@ -40,6 +40,7 @@
#include <linux/atomic.h> #include <linux/atomic.h>
struct cipso_v4_doi; struct cipso_v4_doi;
struct calipso_doi;
/* /*
* NetLabel - A management interface for maintaining network packet label * NetLabel - A management interface for maintaining network packet label
...@@ -94,6 +95,8 @@ struct cipso_v4_doi; ...@@ -94,6 +95,8 @@ struct cipso_v4_doi;
#define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL" #define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL"
#define NETLBL_NLTYPE_ADDRSELECT 6 #define NETLBL_NLTYPE_ADDRSELECT 6
#define NETLBL_NLTYPE_ADDRSELECT_NAME "NLBL_ADRSEL" #define NETLBL_NLTYPE_ADDRSELECT_NAME "NLBL_ADRSEL"
#define NETLBL_NLTYPE_CALIPSO 7
#define NETLBL_NLTYPE_CALIPSO_NAME "NLBL_CALIPSO"
/* /*
* NetLabel - Kernel API for accessing the network packet label mappings. * NetLabel - Kernel API for accessing the network packet label mappings.
...@@ -216,6 +219,63 @@ struct netlbl_lsm_secattr { ...@@ -216,6 +219,63 @@ struct netlbl_lsm_secattr {
} attr; } attr;
}; };
/**
* struct netlbl_calipso_ops - NetLabel CALIPSO operations
* @doi_add: add a CALIPSO DOI
* @doi_free: free a CALIPSO DOI
* @doi_getdef: returns a reference to a DOI
* @doi_putdef: releases a reference of a DOI
* @doi_walk: enumerate the DOI list
* @sock_getattr: retrieve the socket's attr
* @sock_setattr: set the socket's attr
* @sock_delattr: remove the socket's attr
* @req_setattr: set the req socket's attr
* @req_delattr: remove the req socket's attr
* @opt_getattr: retrieve attr from memory block
* @skbuff_optptr: find option in packet
* @skbuff_setattr: set the skbuff's attr
* @skbuff_delattr: remove the skbuff's attr
* @cache_invalidate: invalidate cache
* @cache_add: add cache entry
*
* Description:
* This structure is filled out by the CALIPSO engine and passed
* to the NetLabel core via a call to netlbl_calipso_ops_register().
* It enables the CALIPSO engine (and hence IPv6) to be compiled
* as a module.
*/
struct netlbl_calipso_ops {
int (*doi_add)(struct calipso_doi *doi_def,
struct netlbl_audit *audit_info);
void (*doi_free)(struct calipso_doi *doi_def);
int (*doi_remove)(u32 doi, struct netlbl_audit *audit_info);
struct calipso_doi *(*doi_getdef)(u32 doi);
void (*doi_putdef)(struct calipso_doi *doi_def);
int (*doi_walk)(u32 *skip_cnt,
int (*callback)(struct calipso_doi *doi_def, void *arg),
void *cb_arg);
int (*sock_getattr)(struct sock *sk,
struct netlbl_lsm_secattr *secattr);
int (*sock_setattr)(struct sock *sk,
const struct calipso_doi *doi_def,
const struct netlbl_lsm_secattr *secattr);
void (*sock_delattr)(struct sock *sk);
int (*req_setattr)(struct request_sock *req,
const struct calipso_doi *doi_def,
const struct netlbl_lsm_secattr *secattr);
void (*req_delattr)(struct request_sock *req);
int (*opt_getattr)(const unsigned char *calipso,
struct netlbl_lsm_secattr *secattr);
unsigned char *(*skbuff_optptr)(const struct sk_buff *skb);
int (*skbuff_setattr)(struct sk_buff *skb,
const struct calipso_doi *doi_def,
const struct netlbl_lsm_secattr *secattr);
int (*skbuff_delattr)(struct sk_buff *skb);
void (*cache_invalidate)(void);
int (*cache_add)(const unsigned char *calipso_ptr,
const struct netlbl_lsm_secattr *secattr);
};
/* /*
* LSM security attribute operations (inline) * LSM security attribute operations (inline)
*/ */
...@@ -385,6 +445,14 @@ int netlbl_cfg_cipsov4_map_add(u32 doi, ...@@ -385,6 +445,14 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
const struct in_addr *addr, const struct in_addr *addr,
const struct in_addr *mask, const struct in_addr *mask,
struct netlbl_audit *audit_info); struct netlbl_audit *audit_info);
int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
struct netlbl_audit *audit_info);
void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info);
int netlbl_cfg_calipso_map_add(u32 doi,
const char *domain,
const struct in6_addr *addr,
const struct in6_addr *mask,
struct netlbl_audit *audit_info);
/* /*
* LSM security attribute operations * LSM security attribute operations
*/ */
...@@ -405,6 +473,12 @@ int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap, ...@@ -405,6 +473,12 @@ int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
unsigned long bitmap, unsigned long bitmap,
gfp_t flags); gfp_t flags);
/* Bitmap functions
*/
int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
u32 offset, u8 state);
void netlbl_bitmap_setbit(unsigned char *bitmap, u32 bit, u8 state);
/* /*
* LSM protocol operations (NetLabel LSM/kernel API) * LSM protocol operations (NetLabel LSM/kernel API)
*/ */
...@@ -427,13 +501,13 @@ int netlbl_skbuff_setattr(struct sk_buff *skb, ...@@ -427,13 +501,13 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
int netlbl_skbuff_getattr(const struct sk_buff *skb, int netlbl_skbuff_getattr(const struct sk_buff *skb,
u16 family, u16 family,
struct netlbl_lsm_secattr *secattr); struct netlbl_lsm_secattr *secattr);
void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway); void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway);
/* /*
* LSM label mapping cache operations * LSM label mapping cache operations
*/ */
void netlbl_cache_invalidate(void); void netlbl_cache_invalidate(void);
int netlbl_cache_add(const struct sk_buff *skb, int netlbl_cache_add(const struct sk_buff *skb, u16 family,
const struct netlbl_lsm_secattr *secattr); const struct netlbl_lsm_secattr *secattr);
/* /*
...@@ -495,6 +569,24 @@ static inline int netlbl_cfg_cipsov4_map_add(u32 doi, ...@@ -495,6 +569,24 @@ static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
{ {
return -ENOSYS; return -ENOSYS;
} }
static inline int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
struct netlbl_audit *audit_info)
{
return -ENOSYS;
}
static inline void netlbl_cfg_calipso_del(u32 doi,
struct netlbl_audit *audit_info)
{
return;
}
static inline int netlbl_cfg_calipso_map_add(u32 doi,
const char *domain,
const struct in6_addr *addr,
const struct in6_addr *mask,
struct netlbl_audit *audit_info)
{
return -ENOSYS;
}
static inline int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap, static inline int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap,
u32 offset) u32 offset)
{ {
...@@ -586,7 +678,7 @@ static inline void netlbl_cache_invalidate(void) ...@@ -586,7 +678,7 @@ static inline void netlbl_cache_invalidate(void)
{ {
return; return;
} }
static inline int netlbl_cache_add(const struct sk_buff *skb, static inline int netlbl_cache_add(const struct sk_buff *skb, u16 family,
const struct netlbl_lsm_secattr *secattr) const struct netlbl_lsm_secattr *secattr)
{ {
return 0; return 0;
...@@ -598,4 +690,7 @@ static inline struct audit_buffer *netlbl_audit_start(int type, ...@@ -598,4 +690,7 @@ static inline struct audit_buffer *netlbl_audit_start(int type,
} }
#endif /* CONFIG_NETLABEL */ #endif /* CONFIG_NETLABEL */
const struct netlbl_calipso_ops *
netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops);
#endif /* _NETLABEL_H */ #endif /* _NETLABEL_H */
...@@ -130,6 +130,8 @@ ...@@ -130,6 +130,8 @@
#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */ #define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */
#define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */ #define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */
#define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */
#define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
#define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799 #define AUDIT_LAST_KERN_ANOM_MSG 1799
......
...@@ -143,6 +143,7 @@ struct in6_flowlabel_req { ...@@ -143,6 +143,7 @@ struct in6_flowlabel_req {
#define IPV6_TLV_PAD1 0 #define IPV6_TLV_PAD1 0
#define IPV6_TLV_PADN 1 #define IPV6_TLV_PADN 1
#define IPV6_TLV_ROUTERALERT 5 #define IPV6_TLV_ROUTERALERT 5
#define IPV6_TLV_CALIPSO 7 /* RFC 5570 */
#define IPV6_TLV_JUMBO 194 #define IPV6_TLV_JUMBO 194
#define IPV6_TLV_HAO 201 /* home address option */ #define IPV6_TLV_HAO 201 /* home address option */
......
...@@ -216,14 +216,17 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req ...@@ -216,14 +216,17 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req
skb = dccp_make_response(sk, dst, req); skb = dccp_make_response(sk, dst, req);
if (skb != NULL) { if (skb != NULL) {
struct dccp_hdr *dh = dccp_hdr(skb); struct dccp_hdr *dh = dccp_hdr(skb);
struct ipv6_txoptions *opt;
dh->dccph_checksum = dccp_v6_csum_finish(skb, dh->dccph_checksum = dccp_v6_csum_finish(skb,
&ireq->ir_v6_loc_addr, &ireq->ir_v6_loc_addr,
&ireq->ir_v6_rmt_addr); &ireq->ir_v6_rmt_addr);
fl6.daddr = ireq->ir_v6_rmt_addr; fl6.daddr = ireq->ir_v6_rmt_addr;
rcu_read_lock(); rcu_read_lock();
err = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), opt = ireq->ipv6_opt;
np->tclass); if (!opt)
opt = rcu_dereference(np->opt);
err = ip6_xmit(sk, skb, &fl6, opt, np->tclass);
rcu_read_unlock(); rcu_read_unlock();
err = net_xmit_eval(err); err = net_xmit_eval(err);
} }
...@@ -236,6 +239,7 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req ...@@ -236,6 +239,7 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req
static void dccp_v6_reqsk_destructor(struct request_sock *req) static void dccp_v6_reqsk_destructor(struct request_sock *req)
{ {
dccp_feat_list_purge(&dccp_rsk(req)->dreq_featneg); dccp_feat_list_purge(&dccp_rsk(req)->dreq_featneg);
kfree(inet_rsk(req)->ipv6_opt);
kfree_skb(inet_rsk(req)->pktopts); kfree_skb(inet_rsk(req)->pktopts);
} }
...@@ -494,6 +498,8 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, ...@@ -494,6 +498,8 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
* Yes, keeping reference count would be much more clever, but we make * Yes, keeping reference count would be much more clever, but we make
* one more one thing there: reattach optmem to newsk. * one more one thing there: reattach optmem to newsk.
*/ */
opt = ireq->ipv6_opt;
if (!opt)
opt = rcu_dereference(np->opt); opt = rcu_dereference(np->opt);
if (opt) { if (opt) {
opt = ipv6_dup_options(newsk, opt); opt = ipv6_dup_options(newsk, opt);
......
...@@ -134,76 +134,6 @@ int cipso_v4_rbm_strictvalid = 1; ...@@ -134,76 +134,6 @@ int cipso_v4_rbm_strictvalid = 1;
* Helper Functions * Helper Functions
*/ */
/**
* cipso_v4_bitmap_walk - Walk a bitmap looking for a bit
* @bitmap: the bitmap
* @bitmap_len: length in bits
* @offset: starting offset
* @state: if non-zero, look for a set (1) bit else look for a cleared (0) bit
*
* Description:
* Starting at @offset, walk the bitmap from left to right until either the
* desired bit is found or we reach the end. Return the bit offset, -1 if
* not found, or -2 if error.
*/
static int cipso_v4_bitmap_walk(const unsigned char *bitmap,
u32 bitmap_len,
u32 offset,
u8 state)
{
u32 bit_spot;
u32 byte_offset;
unsigned char bitmask;
unsigned char byte;
/* gcc always rounds to zero when doing integer division */
byte_offset = offset / 8;
byte = bitmap[byte_offset];
bit_spot = offset;
bitmask = 0x80 >> (offset % 8);
while (bit_spot < bitmap_len) {
if ((state && (byte & bitmask) == bitmask) ||
(state == 0 && (byte & bitmask) == 0))
return bit_spot;
bit_spot++;
bitmask >>= 1;
if (bitmask == 0) {
byte = bitmap[++byte_offset];
bitmask = 0x80;
}
}
return -1;
}
/**
* cipso_v4_bitmap_setbit - Sets a single bit in a bitmap
* @bitmap: the bitmap
* @bit: the bit
* @state: if non-zero, set the bit (1) else clear the bit (0)
*
* Description:
* Set a single bit in the bitmask. Returns zero on success, negative values
* on error.
*/
static void cipso_v4_bitmap_setbit(unsigned char *bitmap,
u32 bit,
u8 state)
{
u32 byte_spot;
u8 bitmask;
/* gcc always rounds to zero when doing integer division */
byte_spot = bit / 8;
bitmask = 0x80 >> (bit % 8);
if (state)
bitmap[byte_spot] |= bitmask;
else
bitmap[byte_spot] &= ~bitmask;
}
/** /**
* cipso_v4_cache_entry_free - Frees a cache entry * cipso_v4_cache_entry_free - Frees a cache entry
* @entry: the entry to free * @entry: the entry to free
...@@ -840,7 +770,7 @@ static int cipso_v4_map_cat_rbm_valid(const struct cipso_v4_doi *doi_def, ...@@ -840,7 +770,7 @@ static int cipso_v4_map_cat_rbm_valid(const struct cipso_v4_doi *doi_def,
cipso_cat_size = doi_def->map.std->cat.cipso_size; cipso_cat_size = doi_def->map.std->cat.cipso_size;
cipso_array = doi_def->map.std->cat.cipso; cipso_array = doi_def->map.std->cat.cipso;
for (;;) { for (;;) {
cat = cipso_v4_bitmap_walk(bitmap, cat = netlbl_bitmap_walk(bitmap,
bitmap_len_bits, bitmap_len_bits,
cat + 1, cat + 1,
1); 1);
...@@ -909,7 +839,7 @@ static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def, ...@@ -909,7 +839,7 @@ static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def,
} }
if (net_spot >= net_clen_bits) if (net_spot >= net_clen_bits)
return -ENOSPC; return -ENOSPC;
cipso_v4_bitmap_setbit(net_cat, net_spot, 1); netlbl_bitmap_setbit(net_cat, net_spot, 1);
if (net_spot > net_spot_max) if (net_spot > net_spot_max)
net_spot_max = net_spot; net_spot_max = net_spot;
...@@ -951,7 +881,7 @@ static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def, ...@@ -951,7 +881,7 @@ static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def,
} }
for (;;) { for (;;) {
net_spot = cipso_v4_bitmap_walk(net_cat, net_spot = netlbl_bitmap_walk(net_cat,
net_clen_bits, net_clen_bits,
net_spot + 1, net_spot + 1,
1); 1);
......
...@@ -6114,6 +6114,9 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops, ...@@ -6114,6 +6114,9 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
kmemcheck_annotate_bitfield(ireq, flags); kmemcheck_annotate_bitfield(ireq, flags);
ireq->opt = NULL; ireq->opt = NULL;
#if IS_ENABLED(CONFIG_IPV6)
ireq->pktopts = NULL;
#endif
atomic64_set(&ireq->ir_cookie, 0); atomic64_set(&ireq->ir_cookie, 0);
ireq->ireq_state = TCP_NEW_SYN_RECV; ireq->ireq_state = TCP_NEW_SYN_RECV;
write_pnet(&ireq->ireq_net, sock_net(sk_listener)); write_pnet(&ireq->ireq_net, sock_net(sk_listener));
......
...@@ -22,6 +22,7 @@ ipv6-$(CONFIG_NETFILTER) += netfilter.o ...@@ -22,6 +22,7 @@ ipv6-$(CONFIG_NETFILTER) += netfilter.o
ipv6-$(CONFIG_IPV6_MULTIPLE_TABLES) += fib6_rules.o ipv6-$(CONFIG_IPV6_MULTIPLE_TABLES) += fib6_rules.o
ipv6-$(CONFIG_PROC_FS) += proc.o ipv6-$(CONFIG_PROC_FS) += proc.o
ipv6-$(CONFIG_SYN_COOKIES) += syncookies.o ipv6-$(CONFIG_SYN_COOKIES) += syncookies.o
ipv6-$(CONFIG_NETLABEL) += calipso.o
ipv6-objs += $(ipv6-y) ipv6-objs += $(ipv6-y)
......
...@@ -60,6 +60,7 @@ ...@@ -60,6 +60,7 @@
#ifdef CONFIG_IPV6_TUNNEL #ifdef CONFIG_IPV6_TUNNEL
#include <net/ip6_tunnel.h> #include <net/ip6_tunnel.h>
#endif #endif
#include <net/calipso.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include <linux/mroute6.h> #include <linux/mroute6.h>
...@@ -977,6 +978,10 @@ static int __init inet6_init(void) ...@@ -977,6 +978,10 @@ static int __init inet6_init(void)
if (err) if (err)
goto pingv6_fail; goto pingv6_fail;
err = calipso_init();
if (err)
goto calipso_fail;
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
err = ipv6_sysctl_register(); err = ipv6_sysctl_register();
if (err) if (err)
...@@ -987,8 +992,10 @@ static int __init inet6_init(void) ...@@ -987,8 +992,10 @@ static int __init inet6_init(void)
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
sysctl_fail: sysctl_fail:
pingv6_exit(); calipso_exit();
#endif #endif
calipso_fail:
pingv6_exit();
pingv6_fail: pingv6_fail:
ipv6_packet_cleanup(); ipv6_packet_cleanup();
ipv6_packet_fail: ipv6_packet_fail:
......
This diff is collapsed.
...@@ -43,6 +43,7 @@ ...@@ -43,6 +43,7 @@
#include <net/ndisc.h> #include <net/ndisc.h>
#include <net/ip6_route.h> #include <net/ip6_route.h>
#include <net/addrconf.h> #include <net/addrconf.h>
#include <net/calipso.h>
#if IS_ENABLED(CONFIG_IPV6_MIP6) #if IS_ENABLED(CONFIG_IPV6_MIP6)
#include <net/xfrm.h> #include <net/xfrm.h>
#endif #endif
...@@ -603,6 +604,28 @@ static bool ipv6_hop_jumbo(struct sk_buff *skb, int optoff) ...@@ -603,6 +604,28 @@ static bool ipv6_hop_jumbo(struct sk_buff *skb, int optoff)
return false; return false;
} }
/* CALIPSO RFC 5570 */
static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff)
{
const unsigned char *nh = skb_network_header(skb);
if (nh[optoff + 1] < 8)
goto drop;
if (nh[optoff + 6] * 4 + 8 > nh[optoff + 1])
goto drop;
if (!calipso_validate(skb, nh + optoff))
goto drop;
return true;
drop:
kfree_skb(skb);
return false;
}
static const struct tlvtype_proc tlvprochopopt_lst[] = { static const struct tlvtype_proc tlvprochopopt_lst[] = {
{ {
.type = IPV6_TLV_ROUTERALERT, .type = IPV6_TLV_ROUTERALERT,
...@@ -612,6 +635,10 @@ static const struct tlvtype_proc tlvprochopopt_lst[] = { ...@@ -612,6 +635,10 @@ static const struct tlvtype_proc tlvprochopopt_lst[] = {
.type = IPV6_TLV_JUMBO, .type = IPV6_TLV_JUMBO,
.func = ipv6_hop_jumbo, .func = ipv6_hop_jumbo,
}, },
{
.type = IPV6_TLV_CALIPSO,
.func = ipv6_hop_calipso,
},
{ -1, } { -1, }
}; };
...@@ -758,6 +785,27 @@ static int ipv6_renew_option(void *ohdr, ...@@ -758,6 +785,27 @@ static int ipv6_renew_option(void *ohdr,
return 0; return 0;
} }
/**
* ipv6_renew_options - replace a specific ext hdr with a new one.
*
* @sk: sock from which to allocate memory
* @opt: original options
* @newtype: option type to replace in @opt
* @newopt: new option of type @newtype to replace (user-mem)
* @newoptlen: length of @newopt
*
* Returns a new set of options which is a copy of @opt with the
* option type @newtype replaced with @newopt.
*
* @opt may be NULL, in which case a new set of options is returned
* containing just @newopt.
*
* @newopt may be NULL, in which case the specified option type is
* not copied into the new set of options.
*
* The new set of options is allocated from the socket option memory
* buffer of @sk.
*/
struct ipv6_txoptions * struct ipv6_txoptions *
ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt,
int newtype, int newtype,
...@@ -830,6 +878,34 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, ...@@ -830,6 +878,34 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt,
return ERR_PTR(err); return ERR_PTR(err);
} }
/**
* ipv6_renew_options_kern - replace a specific ext hdr with a new one.
*
* @sk: sock from which to allocate memory
* @opt: original options
* @newtype: option type to replace in @opt
* @newopt: new option of type @newtype to replace (kernel-mem)
* @newoptlen: length of @newopt
*
* See ipv6_renew_options(). The difference is that @newopt is
* kernel memory, rather than user memory.
*/
struct ipv6_txoptions *
ipv6_renew_options_kern(struct sock *sk, struct ipv6_txoptions *opt,
int newtype, struct ipv6_opt_hdr *newopt,
int newoptlen)
{
struct ipv6_txoptions *ret_val;
const mm_segment_t old_fs = get_fs();
set_fs(KERNEL_DS);
ret_val = ipv6_renew_options(sk, opt, newtype,
(struct ipv6_opt_hdr __user *)newopt,
newoptlen);
set_fs(old_fs);
return ret_val;
}
struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space, struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space,
struct ipv6_txoptions *opt) struct ipv6_txoptions *opt)
{ {
......
...@@ -112,7 +112,7 @@ int ipv6_skip_exthdr(const struct sk_buff *skb, int start, u8 *nexthdrp, ...@@ -112,7 +112,7 @@ int ipv6_skip_exthdr(const struct sk_buff *skb, int start, u8 *nexthdrp,
} }
EXPORT_SYMBOL(ipv6_skip_exthdr); EXPORT_SYMBOL(ipv6_skip_exthdr);
int ipv6_find_tlv(struct sk_buff *skb, int offset, int type) int ipv6_find_tlv(const struct sk_buff *skb, int offset, int type)
{ {
const unsigned char *nh = skb_network_header(skb); const unsigned char *nh = skb_network_header(skb);
int packet_len = skb_tail_pointer(skb) - skb_network_header(skb); int packet_len = skb_tail_pointer(skb) - skb_network_header(skb);
......
...@@ -98,7 +98,6 @@ int ip6_ra_control(struct sock *sk, int sel) ...@@ -98,7 +98,6 @@ int ip6_ra_control(struct sock *sk, int sel)
return 0; return 0;
} }
static
struct ipv6_txoptions *ipv6_update_options(struct sock *sk, struct ipv6_txoptions *ipv6_update_options(struct sock *sk,
struct ipv6_txoptions *opt) struct ipv6_txoptions *opt)
{ {
......
...@@ -15,6 +15,9 @@ ...@@ -15,6 +15,9 @@
#include <net/ipv6.h> #include <net/ipv6.h>
#include <net/addrconf.h> #include <net/addrconf.h>
#include <net/inet_frag.h> #include <net/inet_frag.h>
#ifdef CONFIG_NETLABEL
#include <net/calipso.h>
#endif
static int one = 1; static int one = 1;
static int auto_flowlabels_min; static int auto_flowlabels_min;
...@@ -106,6 +109,22 @@ static struct ctl_table ipv6_rotable[] = { ...@@ -106,6 +109,22 @@ static struct ctl_table ipv6_rotable[] = {
.proc_handler = proc_dointvec_minmax, .proc_handler = proc_dointvec_minmax,
.extra1 = &one .extra1 = &one
}, },
#ifdef CONFIG_NETLABEL
{
.procname = "calipso_cache_enable",
.data = &calipso_cache_enabled,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec,
},
{
.procname = "calipso_cache_bucket_size",
.data = &calipso_cache_bucketsize,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec,
},
#endif /* CONFIG_NETLABEL */
{ } { }
}; };
......
...@@ -443,6 +443,7 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst, ...@@ -443,6 +443,7 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst,
{ {
struct inet_request_sock *ireq = inet_rsk(req); struct inet_request_sock *ireq = inet_rsk(req);
struct ipv6_pinfo *np = inet6_sk(sk); struct ipv6_pinfo *np = inet6_sk(sk);
struct ipv6_txoptions *opt;
struct flowi6 *fl6 = &fl->u.ip6; struct flowi6 *fl6 = &fl->u.ip6;
struct sk_buff *skb; struct sk_buff *skb;
int err = -ENOMEM; int err = -ENOMEM;
...@@ -463,8 +464,10 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst, ...@@ -463,8 +464,10 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst,
fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts)); fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts));
rcu_read_lock(); rcu_read_lock();
err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), opt = ireq->ipv6_opt;
np->tclass); if (!opt)
opt = rcu_dereference(np->opt);
err = ip6_xmit(sk, skb, fl6, opt, np->tclass);
rcu_read_unlock(); rcu_read_unlock();
err = net_xmit_eval(err); err = net_xmit_eval(err);
} }
...@@ -476,6 +479,7 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst, ...@@ -476,6 +479,7 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst,
static void tcp_v6_reqsk_destructor(struct request_sock *req) static void tcp_v6_reqsk_destructor(struct request_sock *req)
{ {
kfree(inet_rsk(req)->ipv6_opt);
kfree_skb(inet_rsk(req)->pktopts); kfree_skb(inet_rsk(req)->pktopts);
} }
...@@ -1109,6 +1113,8 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * ...@@ -1109,6 +1113,8 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
but we make one more one thing there: reattach optmem but we make one more one thing there: reattach optmem
to newsk. to newsk.
*/ */
opt = ireq->ipv6_opt;
if (!opt)
opt = rcu_dereference(np->opt); opt = rcu_dereference(np->opt);
if (opt) { if (opt) {
opt = ipv6_dup_options(newsk, opt); opt = ipv6_dup_options(newsk, opt);
......
...@@ -22,6 +22,7 @@ ...@@ -22,6 +22,7 @@
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <linux/init.h> #include <linux/init.h>
#include <linux/poll.h> #include <linux/poll.h>
#include <linux/security.h>
#include <net/sock.h> #include <net/sock.h>
#include <asm/ebcdic.h> #include <asm/ebcdic.h>
#include <asm/cpcmd.h> #include <asm/cpcmd.h>
...@@ -530,8 +531,10 @@ static void iucv_sock_close(struct sock *sk) ...@@ -530,8 +531,10 @@ static void iucv_sock_close(struct sock *sk)
static void iucv_sock_init(struct sock *sk, struct sock *parent) static void iucv_sock_init(struct sock *sk, struct sock *parent)
{ {
if (parent) if (parent) {
sk->sk_type = parent->sk_type; sk->sk_type = parent->sk_type;
security_sk_clone(parent, sk);
}
} }
static struct sock *iucv_sock_alloc(struct socket *sock, int proto, gfp_t prio, int kern) static struct sock *iucv_sock_alloc(struct socket *sock, int proto, gfp_t prio, int kern)
......
...@@ -5,6 +5,7 @@ ...@@ -5,6 +5,7 @@
config NETLABEL config NETLABEL
bool "NetLabel subsystem support" bool "NetLabel subsystem support"
depends on SECURITY depends on SECURITY
select CRC_CCITT if IPV6
default n default n
---help--- ---help---
NetLabel provides support for explicit network packet labeling NetLabel provides support for explicit network packet labeling
......
...@@ -12,4 +12,4 @@ obj-y += netlabel_mgmt.o ...@@ -12,4 +12,4 @@ obj-y += netlabel_mgmt.o
# protocol modules # protocol modules
obj-y += netlabel_unlabeled.o obj-y += netlabel_unlabeled.o
obj-y += netlabel_cipso_v4.o obj-y += netlabel_cipso_v4.o
obj-$(subst m,y,$(CONFIG_IPV6)) += netlabel_calipso.o
This diff is collapsed.
/*
* NetLabel CALIPSO Support
*
* This file defines the CALIPSO functions for the NetLabel system. The
* NetLabel system manages static and dynamic label mappings for network
* protocols such as CIPSO and RIPSO.
*
* Authors: Paul Moore <paul@paul-moore.com>
* Huw Davies <huw@codeweavers.com>
*
*/
/* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
* (c) Copyright Huw Davies <huw@codeweavers.com>, 2015
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
* the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*
*/
#ifndef _NETLABEL_CALIPSO
#define _NETLABEL_CALIPSO
#include <net/netlabel.h>
#include <net/calipso.h>
/* The following NetLabel payloads are supported by the CALIPSO subsystem.
*
* o ADD:
* Sent by an application to add a new DOI mapping table.
*
* Required attributes:
*
* NLBL_CALIPSO_A_DOI
* NLBL_CALIPSO_A_MTYPE
*
* If using CALIPSO_MAP_PASS no additional attributes are required.
*
* o REMOVE:
* Sent by an application to remove a specific DOI mapping table from the
* CALIPSO system.
*
* Required attributes:
*
* NLBL_CALIPSO_A_DOI
*
* o LIST:
* Sent by an application to list the details of a DOI definition. On
* success the kernel should send a response using the following format.
*
* Required attributes:
*
* NLBL_CALIPSO_A_DOI
*
* The valid response message format depends on the type of the DOI mapping,
* the defined formats are shown below.
*
* Required attributes:
*
* NLBL_CALIPSO_A_MTYPE
*
* If using CALIPSO_MAP_PASS no additional attributes are required.
*
* o LISTALL:
* This message is sent by an application to list the valid DOIs on the
* system. When sent by an application there is no payload and the
* NLM_F_DUMP flag should be set. The kernel should respond with a series of
* the following messages.
*
* Required attributes:
*
* NLBL_CALIPSO_A_DOI
* NLBL_CALIPSO_A_MTYPE
*
*/
/* NetLabel CALIPSO commands */
enum {
NLBL_CALIPSO_C_UNSPEC,
NLBL_CALIPSO_C_ADD,
NLBL_CALIPSO_C_REMOVE,
NLBL_CALIPSO_C_LIST,
NLBL_CALIPSO_C_LISTALL,
__NLBL_CALIPSO_C_MAX,
};
/* NetLabel CALIPSO attributes */
enum {
NLBL_CALIPSO_A_UNSPEC,
NLBL_CALIPSO_A_DOI,
/* (NLA_U32)
* the DOI value */
NLBL_CALIPSO_A_MTYPE,
/* (NLA_U32)
* the mapping table type (defined in the calipso.h header as
* CALIPSO_MAP_*) */
__NLBL_CALIPSO_A_MAX,
};
#define NLBL_CALIPSO_A_MAX (__NLBL_CALIPSO_A_MAX - 1)
/* NetLabel protocol functions */
#if IS_ENABLED(CONFIG_IPV6)
int netlbl_calipso_genl_init(void);
#else
static inline int netlbl_calipso_genl_init(void)
{
return 0;
}
#endif
int calipso_doi_add(struct calipso_doi *doi_def,
struct netlbl_audit *audit_info);
void calipso_doi_free(struct calipso_doi *doi_def);
int calipso_doi_remove(u32 doi, struct netlbl_audit *audit_info);
struct calipso_doi *calipso_doi_getdef(u32 doi);
void calipso_doi_putdef(struct calipso_doi *doi_def);
int calipso_doi_walk(u32 *skip_cnt,
int (*callback)(struct calipso_doi *doi_def, void *arg),
void *cb_arg);
int calipso_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
int calipso_sock_setattr(struct sock *sk,
const struct calipso_doi *doi_def,
const struct netlbl_lsm_secattr *secattr);
void calipso_sock_delattr(struct sock *sk);
int calipso_req_setattr(struct request_sock *req,
const struct calipso_doi *doi_def,
const struct netlbl_lsm_secattr *secattr);
void calipso_req_delattr(struct request_sock *req);
unsigned char *calipso_optptr(const struct sk_buff *skb);
int calipso_getattr(const unsigned char *calipso,
struct netlbl_lsm_secattr *secattr);
int calipso_skbuff_setattr(struct sk_buff *skb,
const struct calipso_doi *doi_def,
const struct netlbl_lsm_secattr *secattr);
int calipso_skbuff_delattr(struct sk_buff *skb);
void calipso_cache_invalidate(void);
int calipso_cache_add(const unsigned char *calipso_ptr,
const struct netlbl_lsm_secattr *secattr);
#endif
This diff is collapsed.
...@@ -51,6 +51,7 @@ struct netlbl_dommap_def { ...@@ -51,6 +51,7 @@ struct netlbl_dommap_def {
union { union {
struct netlbl_domaddr_map *addrsel; struct netlbl_domaddr_map *addrsel;
struct cipso_v4_doi *cipso; struct cipso_v4_doi *cipso;
struct calipso_doi *calipso;
}; };
}; };
#define netlbl_domhsh_addr4_entry(iter) \ #define netlbl_domhsh_addr4_entry(iter) \
...@@ -70,6 +71,7 @@ struct netlbl_domaddr6_map { ...@@ -70,6 +71,7 @@ struct netlbl_domaddr6_map {
struct netlbl_dom_map { struct netlbl_dom_map {
char *domain; char *domain;
u16 family;
struct netlbl_dommap_def def; struct netlbl_dommap_def def;
u32 valid; u32 valid;
...@@ -91,14 +93,23 @@ int netlbl_domhsh_remove_af4(const char *domain, ...@@ -91,14 +93,23 @@ int netlbl_domhsh_remove_af4(const char *domain,
const struct in_addr *addr, const struct in_addr *addr,
const struct in_addr *mask, const struct in_addr *mask,
struct netlbl_audit *audit_info); struct netlbl_audit *audit_info);
int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info); int netlbl_domhsh_remove_af6(const char *domain,
int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info); const struct in6_addr *addr,
struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); const struct in6_addr *mask,
struct netlbl_audit *audit_info);
int netlbl_domhsh_remove(const char *domain, u16 family,
struct netlbl_audit *audit_info);
int netlbl_domhsh_remove_default(u16 family, struct netlbl_audit *audit_info);
struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain, u16 family);
struct netlbl_dommap_def *netlbl_domhsh_getentry_af4(const char *domain, struct netlbl_dommap_def *netlbl_domhsh_getentry_af4(const char *domain,
__be32 addr); __be32 addr);
#if IS_ENABLED(CONFIG_IPV6) #if IS_ENABLED(CONFIG_IPV6)
struct netlbl_dommap_def *netlbl_domhsh_getentry_af6(const char *domain, struct netlbl_dommap_def *netlbl_domhsh_getentry_af6(const char *domain,
const struct in6_addr *addr); const struct in6_addr *addr);
int netlbl_domhsh_remove_af6(const char *domain,
const struct in6_addr *addr,
const struct in6_addr *mask,
struct netlbl_audit *audit_info);
#endif /* IPv6 */ #endif /* IPv6 */
int netlbl_domhsh_walk(u32 *skip_bkt, int netlbl_domhsh_walk(u32 *skip_bkt,
......
This diff is collapsed.
...@@ -41,8 +41,10 @@ ...@@ -41,8 +41,10 @@
#include <net/ipv6.h> #include <net/ipv6.h>
#include <net/netlabel.h> #include <net/netlabel.h>
#include <net/cipso_ipv4.h> #include <net/cipso_ipv4.h>
#include <net/calipso.h>
#include <linux/atomic.h> #include <linux/atomic.h>
#include "netlabel_calipso.h"
#include "netlabel_domainhash.h" #include "netlabel_domainhash.h"
#include "netlabel_user.h" #include "netlabel_user.h"
#include "netlabel_mgmt.h" #include "netlabel_mgmt.h"
...@@ -72,6 +74,8 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = { ...@@ -72,6 +74,8 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
[NLBL_MGMT_A_PROTOCOL] = { .type = NLA_U32 }, [NLBL_MGMT_A_PROTOCOL] = { .type = NLA_U32 },
[NLBL_MGMT_A_VERSION] = { .type = NLA_U32 }, [NLBL_MGMT_A_VERSION] = { .type = NLA_U32 },
[NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 }, [NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 },
[NLBL_MGMT_A_FAMILY] = { .type = NLA_U16 },
[NLBL_MGMT_A_CLPDOI] = { .type = NLA_U32 },
}; };
/* /*
...@@ -95,6 +99,9 @@ static int netlbl_mgmt_add_common(struct genl_info *info, ...@@ -95,6 +99,9 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
int ret_val = -EINVAL; int ret_val = -EINVAL;
struct netlbl_domaddr_map *addrmap = NULL; struct netlbl_domaddr_map *addrmap = NULL;
struct cipso_v4_doi *cipsov4 = NULL; struct cipso_v4_doi *cipsov4 = NULL;
#if IS_ENABLED(CONFIG_IPV6)
struct calipso_doi *calipso = NULL;
#endif
u32 tmp_val; u32 tmp_val;
struct netlbl_dom_map *entry = kzalloc(sizeof(*entry), GFP_KERNEL); struct netlbl_dom_map *entry = kzalloc(sizeof(*entry), GFP_KERNEL);
...@@ -119,6 +126,11 @@ static int netlbl_mgmt_add_common(struct genl_info *info, ...@@ -119,6 +126,11 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
switch (entry->def.type) { switch (entry->def.type) {
case NETLBL_NLTYPE_UNLABELED: case NETLBL_NLTYPE_UNLABELED:
if (info->attrs[NLBL_MGMT_A_FAMILY])
entry->family =
nla_get_u16(info->attrs[NLBL_MGMT_A_FAMILY]);
else
entry->family = AF_UNSPEC;
break; break;
case NETLBL_NLTYPE_CIPSOV4: case NETLBL_NLTYPE_CIPSOV4:
if (!info->attrs[NLBL_MGMT_A_CV4DOI]) if (!info->attrs[NLBL_MGMT_A_CV4DOI])
...@@ -128,12 +140,30 @@ static int netlbl_mgmt_add_common(struct genl_info *info, ...@@ -128,12 +140,30 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
cipsov4 = cipso_v4_doi_getdef(tmp_val); cipsov4 = cipso_v4_doi_getdef(tmp_val);
if (cipsov4 == NULL) if (cipsov4 == NULL)
goto add_free_domain; goto add_free_domain;
entry->family = AF_INET;
entry->def.cipso = cipsov4; entry->def.cipso = cipsov4;
break; break;
#if IS_ENABLED(CONFIG_IPV6)
case NETLBL_NLTYPE_CALIPSO:
if (!info->attrs[NLBL_MGMT_A_CLPDOI])
goto add_free_domain;
tmp_val = nla_get_u32(info->attrs[NLBL_MGMT_A_CLPDOI]);
calipso = calipso_doi_getdef(tmp_val);
if (calipso == NULL)
goto add_free_domain;
entry->family = AF_INET6;
entry->def.calipso = calipso;
break;
#endif /* IPv6 */
default: default:
goto add_free_domain; goto add_free_domain;
} }
if ((entry->family == AF_INET && info->attrs[NLBL_MGMT_A_IPV6ADDR]) ||
(entry->family == AF_INET6 && info->attrs[NLBL_MGMT_A_IPV4ADDR]))
goto add_doi_put_def;
if (info->attrs[NLBL_MGMT_A_IPV4ADDR]) { if (info->attrs[NLBL_MGMT_A_IPV4ADDR]) {
struct in_addr *addr; struct in_addr *addr;
struct in_addr *mask; struct in_addr *mask;
...@@ -178,6 +208,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info, ...@@ -178,6 +208,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
goto add_free_addrmap; goto add_free_addrmap;
} }
entry->family = AF_INET;
entry->def.type = NETLBL_NLTYPE_ADDRSELECT; entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
entry->def.addrsel = addrmap; entry->def.addrsel = addrmap;
#if IS_ENABLED(CONFIG_IPV6) #if IS_ENABLED(CONFIG_IPV6)
...@@ -220,6 +251,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info, ...@@ -220,6 +251,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
map->list.mask = *mask; map->list.mask = *mask;
map->list.valid = 1; map->list.valid = 1;
map->def.type = entry->def.type; map->def.type = entry->def.type;
if (calipso)
map->def.calipso = calipso;
ret_val = netlbl_af6list_add(&map->list, &addrmap->list6); ret_val = netlbl_af6list_add(&map->list, &addrmap->list6);
if (ret_val != 0) { if (ret_val != 0) {
...@@ -227,6 +260,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info, ...@@ -227,6 +260,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
goto add_free_addrmap; goto add_free_addrmap;
} }
entry->family = AF_INET6;
entry->def.type = NETLBL_NLTYPE_ADDRSELECT; entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
entry->def.addrsel = addrmap; entry->def.addrsel = addrmap;
#endif /* IPv6 */ #endif /* IPv6 */
...@@ -242,6 +276,9 @@ static int netlbl_mgmt_add_common(struct genl_info *info, ...@@ -242,6 +276,9 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
kfree(addrmap); kfree(addrmap);
add_doi_put_def: add_doi_put_def:
cipso_v4_doi_putdef(cipsov4); cipso_v4_doi_putdef(cipsov4);
#if IS_ENABLED(CONFIG_IPV6)
calipso_doi_putdef(calipso);
#endif
add_free_domain: add_free_domain:
kfree(entry->domain); kfree(entry->domain);
add_free_entry: add_free_entry:
...@@ -278,6 +315,10 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb, ...@@ -278,6 +315,10 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
return ret_val; return ret_val;
} }
ret_val = nla_put_u16(skb, NLBL_MGMT_A_FAMILY, entry->family);
if (ret_val != 0)
return ret_val;
switch (entry->def.type) { switch (entry->def.type) {
case NETLBL_NLTYPE_ADDRSELECT: case NETLBL_NLTYPE_ADDRSELECT:
nla_a = nla_nest_start(skb, NLBL_MGMT_A_SELECTORLIST); nla_a = nla_nest_start(skb, NLBL_MGMT_A_SELECTORLIST);
...@@ -340,6 +381,15 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb, ...@@ -340,6 +381,15 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
if (ret_val != 0) if (ret_val != 0)
return ret_val; return ret_val;
switch (map6->def.type) {
case NETLBL_NLTYPE_CALIPSO:
ret_val = nla_put_u32(skb, NLBL_MGMT_A_CLPDOI,
map6->def.calipso->doi);
if (ret_val != 0)
return ret_val;
break;
}
nla_nest_end(skb, nla_b); nla_nest_end(skb, nla_b);
} }
#endif /* IPv6 */ #endif /* IPv6 */
...@@ -347,15 +397,25 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb, ...@@ -347,15 +397,25 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
nla_nest_end(skb, nla_a); nla_nest_end(skb, nla_a);
break; break;
case NETLBL_NLTYPE_UNLABELED: case NETLBL_NLTYPE_UNLABELED:
ret_val = nla_put_u32(skb,NLBL_MGMT_A_PROTOCOL,entry->def.type); ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
entry->def.type);
break; break;
case NETLBL_NLTYPE_CIPSOV4: case NETLBL_NLTYPE_CIPSOV4:
ret_val = nla_put_u32(skb,NLBL_MGMT_A_PROTOCOL,entry->def.type); ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
entry->def.type);
if (ret_val != 0) if (ret_val != 0)
return ret_val; return ret_val;
ret_val = nla_put_u32(skb, NLBL_MGMT_A_CV4DOI, ret_val = nla_put_u32(skb, NLBL_MGMT_A_CV4DOI,
entry->def.cipso->doi); entry->def.cipso->doi);
break; break;
case NETLBL_NLTYPE_CALIPSO:
ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
entry->def.type);
if (ret_val != 0)
return ret_val;
ret_val = nla_put_u32(skb, NLBL_MGMT_A_CLPDOI,
entry->def.calipso->doi);
break;
} }
return ret_val; return ret_val;
...@@ -418,7 +478,7 @@ static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info) ...@@ -418,7 +478,7 @@ static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info)
netlbl_netlink_auditinfo(skb, &audit_info); netlbl_netlink_auditinfo(skb, &audit_info);
domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]);
return netlbl_domhsh_remove(domain, &audit_info); return netlbl_domhsh_remove(domain, AF_UNSPEC, &audit_info);
} }
/** /**
...@@ -536,7 +596,7 @@ static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) ...@@ -536,7 +596,7 @@ static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info)
netlbl_netlink_auditinfo(skb, &audit_info); netlbl_netlink_auditinfo(skb, &audit_info);
return netlbl_domhsh_remove_default(&audit_info); return netlbl_domhsh_remove_default(AF_UNSPEC, &audit_info);
} }
/** /**
...@@ -556,6 +616,12 @@ static int netlbl_mgmt_listdef(struct sk_buff *skb, struct genl_info *info) ...@@ -556,6 +616,12 @@ static int netlbl_mgmt_listdef(struct sk_buff *skb, struct genl_info *info)
struct sk_buff *ans_skb = NULL; struct sk_buff *ans_skb = NULL;
void *data; void *data;
struct netlbl_dom_map *entry; struct netlbl_dom_map *entry;
u16 family;
if (info->attrs[NLBL_MGMT_A_FAMILY])
family = nla_get_u16(info->attrs[NLBL_MGMT_A_FAMILY]);
else
family = AF_INET;
ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (ans_skb == NULL) if (ans_skb == NULL)
...@@ -566,7 +632,7 @@ static int netlbl_mgmt_listdef(struct sk_buff *skb, struct genl_info *info) ...@@ -566,7 +632,7 @@ static int netlbl_mgmt_listdef(struct sk_buff *skb, struct genl_info *info)
goto listdef_failure; goto listdef_failure;
rcu_read_lock(); rcu_read_lock();
entry = netlbl_domhsh_getentry(NULL); entry = netlbl_domhsh_getentry(NULL, family);
if (entry == NULL) { if (entry == NULL) {
ret_val = -ENOENT; ret_val = -ENOENT;
goto listdef_failure_lock; goto listdef_failure_lock;
...@@ -651,6 +717,15 @@ static int netlbl_mgmt_protocols(struct sk_buff *skb, ...@@ -651,6 +717,15 @@ static int netlbl_mgmt_protocols(struct sk_buff *skb,
goto protocols_return; goto protocols_return;
protos_sent++; protos_sent++;
} }
#if IS_ENABLED(CONFIG_IPV6)
if (protos_sent == 2) {
if (netlbl_mgmt_protocols_cb(skb,
cb,
NETLBL_NLTYPE_CALIPSO) < 0)
goto protocols_return;
protos_sent++;
}
#endif
protocols_return: protocols_return:
cb->args[0] = protos_sent; cb->args[0] = protos_sent;
......
...@@ -58,7 +58,10 @@ ...@@ -58,7 +58,10 @@
* *
* NLBL_MGMT_A_CV4DOI * NLBL_MGMT_A_CV4DOI
* *
* If using NETLBL_NLTYPE_UNLABELED no other attributes are required. * If using NETLBL_NLTYPE_UNLABELED no other attributes are required,
* however the following attribute may optionally be sent:
*
* NLBL_MGMT_A_FAMILY
* *
* o REMOVE: * o REMOVE:
* Sent by an application to remove a domain mapping from the NetLabel * Sent by an application to remove a domain mapping from the NetLabel
...@@ -77,6 +80,7 @@ ...@@ -77,6 +80,7 @@
* Required attributes: * Required attributes:
* *
* NLBL_MGMT_A_DOMAIN * NLBL_MGMT_A_DOMAIN
* NLBL_MGMT_A_FAMILY
* *
* If the IP address selectors are not used the following attribute is * If the IP address selectors are not used the following attribute is
* required: * required:
...@@ -108,7 +112,10 @@ ...@@ -108,7 +112,10 @@
* *
* NLBL_MGMT_A_CV4DOI * NLBL_MGMT_A_CV4DOI
* *
* If using NETLBL_NLTYPE_UNLABELED no other attributes are required. * If using NETLBL_NLTYPE_UNLABELED no other attributes are required,
* however the following attribute may optionally be sent:
*
* NLBL_MGMT_A_FAMILY
* *
* o REMOVEDEF: * o REMOVEDEF:
* Sent by an application to remove the default domain mapping from the * Sent by an application to remove the default domain mapping from the
...@@ -117,13 +124,17 @@ ...@@ -117,13 +124,17 @@
* o LISTDEF: * o LISTDEF:
* This message can be sent either from an application or by the kernel in * This message can be sent either from an application or by the kernel in
* response to an application generated LISTDEF message. When sent by an * response to an application generated LISTDEF message. When sent by an
* application there is no payload. On success the kernel should send a * application there may be an optional payload.
* response using the following format.
* *
* If the IP address selectors are not used the following attribute is * NLBL_MGMT_A_FAMILY
*
* On success the kernel should send a response using the following format:
*
* If the IP address selectors are not used the following attributes are
* required: * required:
* *
* NLBL_MGMT_A_PROTOCOL * NLBL_MGMT_A_PROTOCOL
* NLBL_MGMT_A_FAMILY
* *
* If the IP address selectors are used then the following attritbute is * If the IP address selectors are used then the following attritbute is
* required: * required:
...@@ -209,6 +220,12 @@ enum { ...@@ -209,6 +220,12 @@ enum {
/* (NLA_NESTED) /* (NLA_NESTED)
* the selector list, there must be at least one * the selector list, there must be at least one
* NLBL_MGMT_A_ADDRSELECTOR attribute */ * NLBL_MGMT_A_ADDRSELECTOR attribute */
NLBL_MGMT_A_FAMILY,
/* (NLA_U16)
* The address family */
NLBL_MGMT_A_CLPDOI,
/* (NLA_U32)
* the CALIPSO DOI value */
__NLBL_MGMT_A_MAX, __NLBL_MGMT_A_MAX,
}; };
#define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1) #define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1)
......
...@@ -116,8 +116,8 @@ struct netlbl_unlhsh_walk_arg { ...@@ -116,8 +116,8 @@ struct netlbl_unlhsh_walk_arg {
static DEFINE_SPINLOCK(netlbl_unlhsh_lock); static DEFINE_SPINLOCK(netlbl_unlhsh_lock);
#define netlbl_unlhsh_rcu_deref(p) \ #define netlbl_unlhsh_rcu_deref(p) \
rcu_dereference_check(p, lockdep_is_held(&netlbl_unlhsh_lock)) rcu_dereference_check(p, lockdep_is_held(&netlbl_unlhsh_lock))
static struct netlbl_unlhsh_tbl *netlbl_unlhsh; static struct netlbl_unlhsh_tbl __rcu *netlbl_unlhsh;
static struct netlbl_unlhsh_iface *netlbl_unlhsh_def; static struct netlbl_unlhsh_iface __rcu *netlbl_unlhsh_def;
/* Accept unlabeled packets flag */ /* Accept unlabeled packets flag */
static u8 netlabel_unlabel_acceptflg; static u8 netlabel_unlabel_acceptflg;
...@@ -1537,6 +1537,7 @@ int __init netlbl_unlabel_defconf(void) ...@@ -1537,6 +1537,7 @@ int __init netlbl_unlabel_defconf(void)
entry = kzalloc(sizeof(*entry), GFP_KERNEL); entry = kzalloc(sizeof(*entry), GFP_KERNEL);
if (entry == NULL) if (entry == NULL)
return -ENOMEM; return -ENOMEM;
entry->family = AF_UNSPEC;
entry->def.type = NETLBL_NLTYPE_UNLABELED; entry->def.type = NETLBL_NLTYPE_UNLABELED;
ret_val = netlbl_domhsh_add_default(entry, &audit_info); ret_val = netlbl_domhsh_add_default(entry, &audit_info);
if (ret_val != 0) if (ret_val != 0)
......
...@@ -44,6 +44,7 @@ ...@@ -44,6 +44,7 @@
#include "netlabel_mgmt.h" #include "netlabel_mgmt.h"
#include "netlabel_unlabeled.h" #include "netlabel_unlabeled.h"
#include "netlabel_cipso_v4.h" #include "netlabel_cipso_v4.h"
#include "netlabel_calipso.h"
#include "netlabel_user.h" #include "netlabel_user.h"
/* /*
...@@ -71,6 +72,10 @@ int __init netlbl_netlink_init(void) ...@@ -71,6 +72,10 @@ int __init netlbl_netlink_init(void)
if (ret_val != 0) if (ret_val != 0)
return ret_val; return ret_val;
ret_val = netlbl_calipso_genl_init();
if (ret_val != 0)
return ret_val;
return netlbl_unlabel_genl_init(); return netlbl_unlabel_genl_init();
} }
......
...@@ -4604,13 +4604,13 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) ...@@ -4604,13 +4604,13 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
addrp, family, peer_sid, &ad); addrp, family, peer_sid, &ad);
if (err) { if (err) {
selinux_netlbl_err(skb, err, 0); selinux_netlbl_err(skb, family, err, 0);
return err; return err;
} }
err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
PEER__RECV, &ad); PEER__RECV, &ad);
if (err) { if (err) {
selinux_netlbl_err(skb, err, 0); selinux_netlbl_err(skb, family, err, 0);
return err; return err;
} }
} }
...@@ -4978,7 +4978,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, ...@@ -4978,7 +4978,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
addrp, family, peer_sid, &ad); addrp, family, peer_sid, &ad);
if (err) { if (err) {
selinux_netlbl_err(skb, err, 1); selinux_netlbl_err(skb, family, err, 1);
return NF_DROP; return NF_DROP;
} }
} }
...@@ -5064,6 +5064,15 @@ static unsigned int selinux_ipv4_output(void *priv, ...@@ -5064,6 +5064,15 @@ static unsigned int selinux_ipv4_output(void *priv,
return selinux_ip_output(skb, PF_INET); return selinux_ip_output(skb, PF_INET);
} }
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
static unsigned int selinux_ipv6_output(void *priv,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
return selinux_ip_output(skb, PF_INET6);
}
#endif /* IPV6 */
static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
int ifindex, int ifindex,
u16 family) u16 family)
...@@ -6298,6 +6307,12 @@ static struct nf_hook_ops selinux_nf_ops[] = { ...@@ -6298,6 +6307,12 @@ static struct nf_hook_ops selinux_nf_ops[] = {
.hooknum = NF_INET_FORWARD, .hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_SELINUX_FIRST, .priority = NF_IP6_PRI_SELINUX_FIRST,
}, },
{
.hook = selinux_ipv6_output,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_SELINUX_FIRST,
},
#endif /* IPV6 */ #endif /* IPV6 */
}; };
......
...@@ -40,7 +40,8 @@ ...@@ -40,7 +40,8 @@
#ifdef CONFIG_NETLABEL #ifdef CONFIG_NETLABEL
void selinux_netlbl_cache_invalidate(void); void selinux_netlbl_cache_invalidate(void);
void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway); void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error,
int gateway);
void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec); void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec);
void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec); void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec);
...@@ -72,6 +73,7 @@ static inline void selinux_netlbl_cache_invalidate(void) ...@@ -72,6 +73,7 @@ static inline void selinux_netlbl_cache_invalidate(void)
} }
static inline void selinux_netlbl_err(struct sk_buff *skb, static inline void selinux_netlbl_err(struct sk_buff *skb,
u16 family,
int error, int error,
int gateway) int gateway)
{ {
......
...@@ -54,6 +54,7 @@ ...@@ -54,6 +54,7 @@
* *
*/ */
static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
u16 family,
struct netlbl_lsm_secattr *secattr, struct netlbl_lsm_secattr *secattr,
u32 *sid) u32 *sid)
{ {
...@@ -63,7 +64,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, ...@@ -63,7 +64,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
if (rc == 0 && if (rc == 0 &&
(secattr->flags & NETLBL_SECATTR_CACHEABLE) && (secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
(secattr->flags & NETLBL_SECATTR_CACHE)) (secattr->flags & NETLBL_SECATTR_CACHE))
netlbl_cache_add(skb, secattr); netlbl_cache_add(skb, family, secattr);
return rc; return rc;
} }
...@@ -151,9 +152,9 @@ void selinux_netlbl_cache_invalidate(void) ...@@ -151,9 +152,9 @@ void selinux_netlbl_cache_invalidate(void)
* present on the packet, NetLabel is smart enough to only act when it should. * present on the packet, NetLabel is smart enough to only act when it should.
* *
*/ */
void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway) void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error, int gateway)
{ {
netlbl_skbuff_err(skb, error, gateway); netlbl_skbuff_err(skb, family, error, gateway);
} }
/** /**
...@@ -214,7 +215,8 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, ...@@ -214,7 +215,8 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
netlbl_secattr_init(&secattr); netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr); rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid); rc = selinux_netlbl_sidlookup_cached(skb, family,
&secattr, sid);
else else
*sid = SECSID_NULL; *sid = SECSID_NULL;
*type = secattr.type; *type = secattr.type;
...@@ -284,7 +286,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family) ...@@ -284,7 +286,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
int rc; int rc;
struct netlbl_lsm_secattr secattr; struct netlbl_lsm_secattr secattr;
if (family != PF_INET) if (family != PF_INET && family != PF_INET6)
return 0; return 0;
netlbl_secattr_init(&secattr); netlbl_secattr_init(&secattr);
...@@ -333,7 +335,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) ...@@ -333,7 +335,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
struct sk_security_struct *sksec = sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr *secattr; struct netlbl_lsm_secattr *secattr;
if (family != PF_INET) if (family != PF_INET && family != PF_INET6)
return 0; return 0;
secattr = selinux_netlbl_sock_genattr(sk); secattr = selinux_netlbl_sock_genattr(sk);
...@@ -382,7 +384,8 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, ...@@ -382,7 +384,8 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
netlbl_secattr_init(&secattr); netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr); rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid); rc = selinux_netlbl_sidlookup_cached(skb, family,
&secattr, &nlbl_sid);
else else
nlbl_sid = SECINITSID_UNLABELED; nlbl_sid = SECINITSID_UNLABELED;
netlbl_secattr_destroy(&secattr); netlbl_secattr_destroy(&secattr);
...@@ -405,10 +408,25 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, ...@@ -405,10 +408,25 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
return 0; return 0;
if (nlbl_sid != SECINITSID_UNLABELED) if (nlbl_sid != SECINITSID_UNLABELED)
netlbl_skbuff_err(skb, rc, 0); netlbl_skbuff_err(skb, family, rc, 0);
return rc; return rc;
} }
/**
* selinux_netlbl_option - Is this a NetLabel option
* @level: the socket level or protocol
* @optname: the socket option name
*
* Description:
* Returns true if @level and @optname refer to a NetLabel option.
* Helper for selinux_netlbl_socket_setsockopt().
*/
static inline int selinux_netlbl_option(int level, int optname)
{
return (level == IPPROTO_IP && optname == IP_OPTIONS) ||
(level == IPPROTO_IPV6 && optname == IPV6_HOPOPTS);
}
/** /**
* selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
* @sock: the socket * @sock: the socket
...@@ -431,7 +449,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, ...@@ -431,7 +449,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
struct sk_security_struct *sksec = sk->sk_security; struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr secattr; struct netlbl_lsm_secattr secattr;
if (level == IPPROTO_IP && optname == IP_OPTIONS && if (selinux_netlbl_option(level, optname) &&
(sksec->nlbl_state == NLBL_LABELED || (sksec->nlbl_state == NLBL_LABELED ||
sksec->nlbl_state == NLBL_CONNLABELED)) { sksec->nlbl_state == NLBL_CONNLABELED)) {
netlbl_secattr_init(&secattr); netlbl_secattr_init(&secattr);
......
...@@ -1347,7 +1347,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file *file, ...@@ -1347,7 +1347,7 @@ static ssize_t sel_write_avc_cache_threshold(struct file *file,
{ {
char *page; char *page;
ssize_t ret; ssize_t ret;
int new_value; unsigned int new_value;
ret = task_has_security(current, SECURITY__SETSECPARAM); ret = task_has_security(current, SECURITY__SETSECPARAM);
if (ret) if (ret)
......
...@@ -165,7 +165,7 @@ int ebitmap_netlbl_import(struct ebitmap *ebmap, ...@@ -165,7 +165,7 @@ int ebitmap_netlbl_import(struct ebitmap *ebmap,
e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC); e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC);
if (e_iter == NULL) if (e_iter == NULL)
goto netlbl_import_failure; goto netlbl_import_failure;
e_iter->startbit = offset & ~(EBITMAP_SIZE - 1); e_iter->startbit = offset - (offset % EBITMAP_SIZE);
if (e_prev == NULL) if (e_prev == NULL)
ebmap->node = e_iter; ebmap->node = e_iter;
else else
......
...@@ -543,7 +543,7 @@ static void type_attribute_bounds_av(struct context *scontext, ...@@ -543,7 +543,7 @@ static void type_attribute_bounds_av(struct context *scontext,
struct av_decision *avd) struct av_decision *avd)
{ {
struct context lo_scontext; struct context lo_scontext;
struct context lo_tcontext; struct context lo_tcontext, *tcontextp = tcontext;
struct av_decision lo_avd; struct av_decision lo_avd;
struct type_datum *source; struct type_datum *source;
struct type_datum *target; struct type_datum *target;
...@@ -553,67 +553,41 @@ static void type_attribute_bounds_av(struct context *scontext, ...@@ -553,67 +553,41 @@ static void type_attribute_bounds_av(struct context *scontext,
scontext->type - 1); scontext->type - 1);
BUG_ON(!source); BUG_ON(!source);
if (!source->bounds)
return;
target = flex_array_get_ptr(policydb.type_val_to_struct_array, target = flex_array_get_ptr(policydb.type_val_to_struct_array,
tcontext->type - 1); tcontext->type - 1);
BUG_ON(!target); BUG_ON(!target);
if (source->bounds) {
memset(&lo_avd, 0, sizeof(lo_avd)); memset(&lo_avd, 0, sizeof(lo_avd));
memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
lo_scontext.type = source->bounds; lo_scontext.type = source->bounds;
context_struct_compute_av(&lo_scontext,
tcontext,
tclass,
&lo_avd,
NULL);
if ((lo_avd.allowed & avd->allowed) == avd->allowed)
return; /* no masked permission */
masked = ~lo_avd.allowed & avd->allowed;
}
if (target->bounds) { if (target->bounds) {
memset(&lo_avd, 0, sizeof(lo_avd));
memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
lo_tcontext.type = target->bounds; lo_tcontext.type = target->bounds;
tcontextp = &lo_tcontext;
context_struct_compute_av(scontext,
&lo_tcontext,
tclass,
&lo_avd,
NULL);
if ((lo_avd.allowed & avd->allowed) == avd->allowed)
return; /* no masked permission */
masked = ~lo_avd.allowed & avd->allowed;
} }
if (source->bounds && target->bounds) {
memset(&lo_avd, 0, sizeof(lo_avd));
/*
* lo_scontext and lo_tcontext are already
* set up.
*/
context_struct_compute_av(&lo_scontext, context_struct_compute_av(&lo_scontext,
&lo_tcontext, tcontextp,
tclass, tclass,
&lo_avd, &lo_avd,
NULL); NULL);
if ((lo_avd.allowed & avd->allowed) == avd->allowed)
return; /* no masked permission */
masked = ~lo_avd.allowed & avd->allowed; masked = ~lo_avd.allowed & avd->allowed;
}
if (masked) { if (likely(!masked))
return; /* no masked permission */
/* mask violated permissions */ /* mask violated permissions */
avd->allowed &= ~masked; avd->allowed &= ~masked;
/* audit masked permissions */ /* audit masked permissions */
security_dump_masked_av(scontext, tcontext, security_dump_masked_av(scontext, tcontext,
tclass, masked, "bounds"); tclass, masked, "bounds");
}
} }
/* /*
......
...@@ -3992,7 +3992,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) ...@@ -3992,7 +3992,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
MAY_WRITE, rc); MAY_WRITE, rc);
if (rc != 0) if (rc != 0)
netlbl_skbuff_err(skb, rc, 0); netlbl_skbuff_err(skb, sk->sk_family, rc, 0);
break; break;
#if IS_ENABLED(CONFIG_IPV6) #if IS_ENABLED(CONFIG_IPV6)
case PF_INET6: case PF_INET6:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment