[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / netlabel / netlabel_kapi.c

/*
 * NetLabel Kernel API
 *
 * This file defines the kernel API for the NetLabel system.  The NetLabel
 * system manages static and dynamic label mappings for network protocols such
 * as CIPSO and RIPSO.
 *
 * Author: Paul Moore <paul.moore@hp.com>
 *
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 *
 * This program is free software;  you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY;  without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program;  if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 */

#include <linux/init.h>
#include <linux/types.h>
#include <net/ip.h>
#include <net/netlabel.h>
#include <net/cipso_ipv4.h>
#include <asm/bug.h>

#include "netlabel_domainhash.h"
#include "netlabel_unlabeled.h"
#include "netlabel_user.h"

/*
 * LSM Functions
 */

/**
 * netlbl_socket_setattr - Label a socket using the correct protocol
 * @sock: the socket to label
 * @secattr: the security attributes
 *
 * Description:
 * Attach the correct label to the given socket using the security attributes
 * specified in @secattr.  This function requires exclusive access to
 * @sock->sk, which means it either needs to be in the process of being
 * created or locked via lock_sock(sock->sk).  Returns zero on success,
 * negative values on failure.
 *
 */
int netlbl_socket_setattr(const struct socket *sock,
			  const struct netlbl_lsm_secattr *secattr)
{
	int ret_val = -ENOENT;
	struct netlbl_dom_map *dom_entry;

	rcu_read_lock();
	dom_entry = netlbl_domhsh_getentry(secattr->domain);
	if (dom_entry == NULL)
		goto socket_setattr_return;
	switch (dom_entry->type) {
	case NETLBL_NLTYPE_CIPSOV4:
		ret_val = cipso_v4_socket_setattr(sock,
						  dom_entry->type_def.cipsov4,
						  secattr);
		break;
	case NETLBL_NLTYPE_UNLABELED:
		ret_val = 0;
		break;
	default:
		ret_val = -ENOENT;
	}

socket_setattr_return:
	rcu_read_unlock();
	return ret_val;
}

/**
 * netlbl_sock_getattr - Determine the security attributes of a sock
 * @sk: the sock
 * @secattr: the security attributes
 *
 * Description:
 * Examines the given sock to see any NetLabel style labeling has been
 * applied to the sock, if so it parses the socket label and returns the
 * security attributes in @secattr.  Returns zero on success, negative values
 * on failure.
 *
 */
int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
{
	int ret_val;

	ret_val = cipso_v4_sock_getattr(sk, secattr);
	if (ret_val == 0)
		return 0;

	return netlbl_unlabel_getattr(secattr);
}

/**
 * netlbl_socket_getattr - Determine the security attributes of a socket
 * @sock: the socket
 * @secattr: the security attributes
 *
 * Description:
 * Examines the given socket to see any NetLabel style labeling has been
 * applied to the socket, if so it parses the socket label and returns the
 * security attributes in @secattr.  Returns zero on success, negative values
 * on failure.
 *
 */
int netlbl_socket_getattr(const struct socket *sock,
			  struct netlbl_lsm_secattr *secattr)
{
	int ret_val;

	ret_val = cipso_v4_socket_getattr(sock, secattr);
	if (ret_val == 0)
		return 0;

	return netlbl_unlabel_getattr(secattr);
}

/**
 * netlbl_skbuff_getattr - Determine the security attributes of a packet
 * @skb: the packet
 * @secattr: the security attributes
 *
 * Description:
 * Examines the given packet to see if a recognized form of packet labeling
 * is present, if so it parses the packet label and returns the security
 * attributes in @secattr.  Returns zero on success, negative values on
 * failure.
 *
 */
int netlbl_skbuff_getattr(const struct sk_buff *skb,
			  struct netlbl_lsm_secattr *secattr)
{
	int ret_val;

	ret_val = cipso_v4_skbuff_getattr(skb, secattr);
	if (ret_val == 0)
		return 0;

	return netlbl_unlabel_getattr(secattr);
}

/**
 * netlbl_skbuff_err - Handle a LSM error on a sk_buff
 * @skb: the packet
 * @error: the error code
 *
 * Description:
 * Deal with a LSM problem when handling the packet in @skb, typically this is
 * a permission denied problem (-EACCES).  The correct action is determined
 * according to the packet's labeling protocol.
 *
 */
void netlbl_skbuff_err(struct sk_buff *skb, int error)
{
	if (CIPSO_V4_OPTEXIST(skb))
		cipso_v4_error(skb, error, 0);
}

/**
 * netlbl_cache_invalidate - Invalidate all of the NetLabel protocol caches
 *
 * Description:
 * For all of the NetLabel protocols that support some form of label mapping
 * cache, invalidate the cache.  Returns zero on success, negative values on
 * error.
 *
 */
void netlbl_cache_invalidate(void)
{
	cipso_v4_cache_invalidate();
}

/**
 * netlbl_cache_add - Add an entry to a NetLabel protocol cache
 * @skb: the packet
 * @secattr: the packet's security attributes
 *
 * Description:
 * Add the LSM security attributes for the given packet to the underlying
 * NetLabel protocol's label mapping cache.  Returns zero on success, negative
 * values on error.
 *
 */
int netlbl_cache_add(const struct sk_buff *skb,
		     const struct netlbl_lsm_secattr *secattr)
{
	if (secattr->cache == NULL)
		return -ENOMSG;

	if (CIPSO_V4_OPTEXIST(skb))
		return cipso_v4_cache_add(skb, secattr);

	return -ENOMSG;
}

/*
 * Setup Functions
 */

/**
 * netlbl_init - Initialize NetLabel
 *
 * Description:
 * Perform the required NetLabel initialization before first use.
 *
 */
static int __init netlbl_init(void)
{
	int ret_val;

	printk(KERN_INFO "NetLabel: Initializing\n");
	printk(KERN_INFO "NetLabel:  domain hash size = %u\n",
	       (1 << NETLBL_DOMHSH_BITSIZE));
	printk(KERN_INFO "NetLabel:  protocols ="
	       " UNLABELED"
	       " CIPSOv4"
	       "\n");

	ret_val = netlbl_domhsh_init(NETLBL_DOMHSH_BITSIZE);
	if (ret_val != 0)
		goto init_failure;

	ret_val = netlbl_netlink_init();
	if (ret_val != 0)
		goto init_failure;

	ret_val = netlbl_unlabel_defconf();
	if (ret_val != 0)
		goto init_failure;
	printk(KERN_INFO "NetLabel:  unlabeled traffic allowed by default\n");

	return 0;

init_failure:
	panic("NetLabel: failed to initialize properly (%d)\n", ret_val);
}

subsys_initcall(netlbl_init);
Commit	Line	Data
d15c345f PM	1	/*
	2	* NetLabel Kernel API
	3	*
	4	* This file defines the kernel API for the NetLabel system. The NetLabel
	5	* system manages static and dynamic label mappings for network protocols such
	6	* as CIPSO and RIPSO.
	7	*
	8	* Author: Paul Moore <paul.moore@hp.com>
	9	*
	10	*/
	11
	12	/*
	13	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
	14	*
	15	* This program is free software; you can redistribute it and/or modify
	16	* it under the terms of the GNU General Public License as published by
	17	* the Free Software Foundation; either version 2 of the License, or
	18	* (at your option) any later version.
	19	*
	20	* This program is distributed in the hope that it will be useful,
	21	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	22	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
	23	* the GNU General Public License for more details.
	24	*
	25	* You should have received a copy of the GNU General Public License
	26	* along with this program; if not, write to the Free Software
	27	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	28	*
	29	*/
	30
	31	#include <linux/init.h>
	32	#include <linux/types.h>
	33	#include <net/ip.h>
	34	#include <net/netlabel.h>
	35	#include <net/cipso_ipv4.h>
	36	#include <asm/bug.h>
	37
	38	#include "netlabel_domainhash.h"
	39	#include "netlabel_unlabeled.h"
	40	#include "netlabel_user.h"
	41
	42	/*
	43	* LSM Functions
	44	*/
	45
	46	/**
	47	* netlbl_socket_setattr - Label a socket using the correct protocol
	48	* @sock: the socket to label
	49	* @secattr: the security attributes
	50	*
	51	* Description:
	52	* Attach the correct label to the given socket using the security attributes
	53	* specified in @secattr. This function requires exclusive access to
	54	* @sock->sk, which means it either needs to be in the process of being
	55	* created or locked via lock_sock(sock->sk). Returns zero on success,
	56	* negative values on failure.
	57	*
	58	*/
	59	int netlbl_socket_setattr(const struct socket *sock,
	60	const struct netlbl_lsm_secattr *secattr)
	61	{
	62	int ret_val = -ENOENT;
	63	struct netlbl_dom_map *dom_entry;
	64
65	rcu_read_lock();
66	dom_entry = netlbl_domhsh_getentry(secattr->domain);
67	if (dom_entry == NULL)
68	goto socket_setattr_return;
69	switch (dom_entry->type) {
70	case NETLBL_NLTYPE_CIPSOV4:
71	ret_val = cipso_v4_socket_setattr(sock,
72	dom_entry->type_def.cipsov4,
73	secattr);
74	break;
75	case NETLBL_NLTYPE_UNLABELED:
76	ret_val = 0;
77	break;
78	default:
79	ret_val = -ENOENT;
80	}
81
82	socket_setattr_return:
83	rcu_read_unlock();
84	return ret_val;
85	}
86
14a72f53 PM	87	/**
	88	* netlbl_sock_getattr - Determine the security attributes of a sock
	89	* @sk: the sock
	90	* @secattr: the security attributes
	91	*
	92	* Description:
	93	* Examines the given sock to see any NetLabel style labeling has been
	94	* applied to the sock, if so it parses the socket label and returns the
	95	* security attributes in @secattr. Returns zero on success, negative values
	96	* on failure.
	97	*
	98	*/
	99	int netlbl_sock_getattr(struct sock sk, struct netlbl_lsm_secattr secattr)
	100	{
	101	int ret_val;
	102
	103	ret_val = cipso_v4_sock_getattr(sk, secattr);
	104	if (ret_val == 0)
	105	return 0;
	106
	107	return netlbl_unlabel_getattr(secattr);
	108	}
	109
d15c345f PM	110	/**
	111	* netlbl_socket_getattr - Determine the security attributes of a socket
	112	* @sock: the socket
	113	* @secattr: the security attributes
	114	*
	115	* Description:
	116	* Examines the given socket to see any NetLabel style labeling has been
	117	* applied to the socket, if so it parses the socket label and returns the
	118	* security attributes in @secattr. Returns zero on success, negative values
	119	* on failure.
	120	*
	121	*/
	122	int netlbl_socket_getattr(const struct socket *sock,
	123	struct netlbl_lsm_secattr *secattr)
	124	{
	125	int ret_val;
	126
	127	ret_val = cipso_v4_socket_getattr(sock, secattr);
	128	if (ret_val == 0)
	129	return 0;
	130
	131	return netlbl_unlabel_getattr(secattr);
	132	}
	133
	134	/**
	135	* netlbl_skbuff_getattr - Determine the security attributes of a packet
	136	* @skb: the packet
	137	* @secattr: the security attributes
	138	*
	139	* Description:
	140	* Examines the given packet to see if a recognized form of packet labeling
	141	* is present, if so it parses the packet label and returns the security
	142	* attributes in @secattr. Returns zero on success, negative values on
	143	* failure.
	144	*
	145	*/
	146	int netlbl_skbuff_getattr(const struct sk_buff *skb,
	147	struct netlbl_lsm_secattr *secattr)
	148	{
	149	int ret_val;
	150
	151	ret_val = cipso_v4_skbuff_getattr(skb, secattr);
	152	if (ret_val == 0)
	153	return 0;
	154
	155	return netlbl_unlabel_getattr(secattr);
	156	}
	157
	158	/**
	159	* netlbl_skbuff_err - Handle a LSM error on a sk_buff
	160	* @skb: the packet
	161	* @error: the error code
	162	*
	163	* Description:
	164	* Deal with a LSM problem when handling the packet in @skb, typically this is
	165	* a permission denied problem (-EACCES). The correct action is determined
	166	* according to the packet's labeling protocol.
	167	*
	168	*/
	169	void netlbl_skbuff_err(struct sk_buff *skb, int error)
	170	{
	171	if (CIPSO_V4_OPTEXIST(skb))
	172	cipso_v4_error(skb, error, 0);
	173	}
174
175	/**
176	* netlbl_cache_invalidate - Invalidate all of the NetLabel protocol caches
177	*
178	* Description:
179	* For all of the NetLabel protocols that support some form of label mapping
180	* cache, invalidate the cache. Returns zero on success, negative values on
181	* error.
182	*
183	*/
184	void netlbl_cache_invalidate(void)
185	{
186	cipso_v4_cache_invalidate();
187	}
188
189	/**
190	* netlbl_cache_add - Add an entry to a NetLabel protocol cache
191	* @skb: the packet
192	* @secattr: the packet's security attributes
193	*
194	* Description:
195	* Add the LSM security attributes for the given packet to the underlying
196	* NetLabel protocol's label mapping cache. Returns zero on success, negative
197	* values on error.
198	*
199	*/
200	int netlbl_cache_add(const struct sk_buff *skb,
201	const struct netlbl_lsm_secattr *secattr)
202	{
ffb733c6	203	if (secattr->cache == NULL)
d15c345f PM	204	return -ENOMSG;
	205
	206	if (CIPSO_V4_OPTEXIST(skb))
	207	return cipso_v4_cache_add(skb, secattr);
	208
	209	return -ENOMSG;
	210	}
	211
	212	/*
	213	* Setup Functions
	214	*/
	215
	216	/**
	217	* netlbl_init - Initialize NetLabel
	218	*
	219	* Description:
	220	* Perform the required NetLabel initialization before first use.
	221	*
	222	*/
	223	static int __init netlbl_init(void)
	224	{
	225	int ret_val;
	226
	227	printk(KERN_INFO "NetLabel: Initializing\n");
	228	printk(KERN_INFO "NetLabel: domain hash size = %u\n",
	229	(1 << NETLBL_DOMHSH_BITSIZE));
	230	printk(KERN_INFO "NetLabel: protocols ="
	231	" UNLABELED"
	232	" CIPSOv4"
	233	"\n");
	234
	235	ret_val = netlbl_domhsh_init(NETLBL_DOMHSH_BITSIZE);
	236	if (ret_val != 0)
	237	goto init_failure;
	238
	239	ret_val = netlbl_netlink_init();
	240	if (ret_val != 0)
	241	goto init_failure;
	242
	243	ret_val = netlbl_unlabel_defconf();
	244	if (ret_val != 0)
	245	goto init_failure;
	246	printk(KERN_INFO "NetLabel: unlabeled traffic allowed by default\n");
	247
	248	return 0;
	249
	250	init_failure:
	251	panic("NetLabel: failed to initialize properly (%d)\n", ret_val);
	252	}
	253
	254	subsys_initcall(netlbl_init);