Commit | Line | Data |
---|---|---|
d15c345f PM |
1 | /* |
2 | * NetLabel Domain Hash Table | |
3 | * | |
4 | * This file manages the domain hash table that NetLabel uses to determine | |
5 | * which network labeling protocol to use for a given domain. The NetLabel | |
6 | * system manages static and dynamic label mappings for network protocols such | |
7 | * as CIPSO and RIPSO. | |
8 | * | |
82c21bfa | 9 | * Author: Paul Moore <paul@paul-moore.com> |
d15c345f PM |
10 | * |
11 | */ | |
12 | ||
13 | /* | |
63c41688 | 14 | * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008 |
d15c345f PM |
15 | * |
16 | * This program is free software; you can redistribute it and/or modify | |
17 | * it under the terms of the GNU General Public License as published by | |
18 | * the Free Software Foundation; either version 2 of the License, or | |
19 | * (at your option) any later version. | |
20 | * | |
21 | * This program is distributed in the hope that it will be useful, | |
22 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
23 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See | |
24 | * the GNU General Public License for more details. | |
25 | * | |
26 | * You should have received a copy of the GNU General Public License | |
d484ff15 | 27 | * along with this program; if not, see <http://www.gnu.org/licenses/>. |
d15c345f PM |
28 | * |
29 | */ | |
30 | ||
31 | #include <linux/types.h> | |
82524746 | 32 | #include <linux/rculist.h> |
d15c345f PM |
33 | #include <linux/skbuff.h> |
34 | #include <linux/spinlock.h> | |
35 | #include <linux/string.h> | |
32f50cde | 36 | #include <linux/audit.h> |
5a0e3ad6 | 37 | #include <linux/slab.h> |
d15c345f PM |
38 | #include <net/netlabel.h> |
39 | #include <net/cipso_ipv4.h> | |
40 | #include <asm/bug.h> | |
41 | ||
42 | #include "netlabel_mgmt.h" | |
63c41688 | 43 | #include "netlabel_addrlist.h" |
d15c345f | 44 | #include "netlabel_domainhash.h" |
32f50cde | 45 | #include "netlabel_user.h" |
d15c345f PM |
46 | |
47 | struct netlbl_domhsh_tbl { | |
48 | struct list_head *tbl; | |
49 | u32 size; | |
50 | }; | |
51 | ||
52 | /* Domain hash table */ | |
b914f3a2 PM |
53 | /* updates should be so rare that having one spinlock for the entire hash table |
54 | * should be okay */ | |
8ce11e6a | 55 | static DEFINE_SPINLOCK(netlbl_domhsh_lock); |
b914f3a2 | 56 | #define netlbl_domhsh_rcu_deref(p) \ |
d8bf4ca9 | 57 | rcu_dereference_check(p, lockdep_is_held(&netlbl_domhsh_lock)) |
d15c345f | 58 | static struct netlbl_domhsh_tbl *netlbl_domhsh = NULL; |
d15c345f PM |
59 | static struct netlbl_dom_map *netlbl_domhsh_def = NULL; |
60 | ||
61 | /* | |
62 | * Domain Hash Table Helper Functions | |
63 | */ | |
64 | ||
65 | /** | |
66 | * netlbl_domhsh_free_entry - Frees a domain hash table entry | |
67 | * @entry: the entry's RCU field | |
68 | * | |
69 | * Description: | |
70 | * This function is designed to be used as a callback to the call_rcu() | |
71 | * function so that the memory allocated to a hash table entry can be released | |
72 | * safely. | |
73 | * | |
74 | */ | |
75 | static void netlbl_domhsh_free_entry(struct rcu_head *entry) | |
76 | { | |
77 | struct netlbl_dom_map *ptr; | |
63c41688 PM |
78 | struct netlbl_af4list *iter4; |
79 | struct netlbl_af4list *tmp4; | |
dfd56b8b | 80 | #if IS_ENABLED(CONFIG_IPV6) |
63c41688 PM |
81 | struct netlbl_af6list *iter6; |
82 | struct netlbl_af6list *tmp6; | |
83 | #endif /* IPv6 */ | |
d15c345f PM |
84 | |
85 | ptr = container_of(entry, struct netlbl_dom_map, rcu); | |
6a8b7f0c | 86 | if (ptr->def.type == NETLBL_NLTYPE_ADDRSELECT) { |
63c41688 | 87 | netlbl_af4list_foreach_safe(iter4, tmp4, |
6a8b7f0c | 88 | &ptr->def.addrsel->list4) { |
63c41688 PM |
89 | netlbl_af4list_remove_entry(iter4); |
90 | kfree(netlbl_domhsh_addr4_entry(iter4)); | |
91 | } | |
dfd56b8b | 92 | #if IS_ENABLED(CONFIG_IPV6) |
63c41688 | 93 | netlbl_af6list_foreach_safe(iter6, tmp6, |
6a8b7f0c | 94 | &ptr->def.addrsel->list6) { |
63c41688 PM |
95 | netlbl_af6list_remove_entry(iter6); |
96 | kfree(netlbl_domhsh_addr6_entry(iter6)); | |
97 | } | |
98 | #endif /* IPv6 */ | |
99 | } | |
d15c345f PM |
100 | kfree(ptr->domain); |
101 | kfree(ptr); | |
102 | } | |
103 | ||
104 | /** | |
105 | * netlbl_domhsh_hash - Hashing function for the domain hash table | |
106 | * @domain: the domain name to hash | |
107 | * | |
108 | * Description: | |
109 | * This is the hashing function for the domain hash table, it returns the | |
25985edc | 110 | * correct bucket number for the domain. The caller is responsible for |
b914f3a2 PM |
111 | * ensuring that the hash table is protected with either a RCU read lock or the |
112 | * hash table lock. | |
d15c345f PM |
113 | * |
114 | */ | |
115 | static u32 netlbl_domhsh_hash(const char *key) | |
116 | { | |
117 | u32 iter; | |
118 | u32 val; | |
119 | u32 len; | |
120 | ||
121 | /* This is taken (with slight modification) from | |
122 | * security/selinux/ss/symtab.c:symhash() */ | |
123 | ||
124 | for (iter = 0, val = 0, len = strlen(key); iter < len; iter++) | |
125 | val = (val << 4 | (val >> (8 * sizeof(u32) - 4))) ^ key[iter]; | |
b914f3a2 | 126 | return val & (netlbl_domhsh_rcu_deref(netlbl_domhsh)->size - 1); |
d15c345f PM |
127 | } |
128 | ||
129 | /** | |
130 | * netlbl_domhsh_search - Search for a domain entry | |
131 | * @domain: the domain | |
d15c345f PM |
132 | * |
133 | * Description: | |
134 | * Searches the domain hash table and returns a pointer to the hash table | |
25985edc | 135 | * entry if found, otherwise NULL is returned. The caller is responsible for |
b914f3a2 PM |
136 | * ensuring that the hash table is protected with either a RCU read lock or the |
137 | * hash table lock. | |
d15c345f PM |
138 | * |
139 | */ | |
b64397e0 | 140 | static struct netlbl_dom_map *netlbl_domhsh_search(const char *domain) |
d15c345f PM |
141 | { |
142 | u32 bkt; | |
56196701 | 143 | struct list_head *bkt_list; |
d15c345f PM |
144 | struct netlbl_dom_map *iter; |
145 | ||
146 | if (domain != NULL) { | |
147 | bkt = netlbl_domhsh_hash(domain); | |
b914f3a2 | 148 | bkt_list = &netlbl_domhsh_rcu_deref(netlbl_domhsh)->tbl[bkt]; |
56196701 | 149 | list_for_each_entry_rcu(iter, bkt_list, list) |
d15c345f PM |
150 | if (iter->valid && strcmp(iter->domain, domain) == 0) |
151 | return iter; | |
152 | } | |
153 | ||
b64397e0 PM |
154 | return NULL; |
155 | } | |
156 | ||
157 | /** | |
158 | * netlbl_domhsh_search_def - Search for a domain entry | |
159 | * @domain: the domain | |
160 | * @def: return default if no match is found | |
161 | * | |
162 | * Description: | |
163 | * Searches the domain hash table and returns a pointer to the hash table | |
164 | * entry if an exact match is found, if an exact match is not present in the | |
165 | * hash table then the default entry is returned if valid otherwise NULL is | |
25985edc | 166 | * returned. The caller is responsible ensuring that the hash table is |
b914f3a2 | 167 | * protected with either a RCU read lock or the hash table lock. |
b64397e0 PM |
168 | * |
169 | */ | |
170 | static struct netlbl_dom_map *netlbl_domhsh_search_def(const char *domain) | |
171 | { | |
172 | struct netlbl_dom_map *entry; | |
173 | ||
174 | entry = netlbl_domhsh_search(domain); | |
175 | if (entry == NULL) { | |
b914f3a2 | 176 | entry = netlbl_domhsh_rcu_deref(netlbl_domhsh_def); |
4c3a0a25 PE |
177 | if (entry != NULL && !entry->valid) |
178 | entry = NULL; | |
d15c345f PM |
179 | } |
180 | ||
4c3a0a25 | 181 | return entry; |
d15c345f PM |
182 | } |
183 | ||
63c41688 PM |
184 | /** |
185 | * netlbl_domhsh_audit_add - Generate an audit entry for an add event | |
186 | * @entry: the entry being added | |
187 | * @addr4: the IPv4 address information | |
188 | * @addr6: the IPv6 address information | |
189 | * @result: the result code | |
190 | * @audit_info: NetLabel audit information | |
191 | * | |
192 | * Description: | |
193 | * Generate an audit record for adding a new NetLabel/LSM mapping entry with | |
25985edc | 194 | * the given information. Caller is responsible for holding the necessary |
63c41688 PM |
195 | * locks. |
196 | * | |
197 | */ | |
198 | static void netlbl_domhsh_audit_add(struct netlbl_dom_map *entry, | |
199 | struct netlbl_af4list *addr4, | |
200 | struct netlbl_af6list *addr6, | |
201 | int result, | |
202 | struct netlbl_audit *audit_info) | |
203 | { | |
204 | struct audit_buffer *audit_buf; | |
205 | struct cipso_v4_doi *cipsov4 = NULL; | |
206 | u32 type; | |
207 | ||
208 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info); | |
209 | if (audit_buf != NULL) { | |
210 | audit_log_format(audit_buf, " nlbl_domain=%s", | |
211 | entry->domain ? entry->domain : "(default)"); | |
212 | if (addr4 != NULL) { | |
213 | struct netlbl_domaddr4_map *map4; | |
214 | map4 = netlbl_domhsh_addr4_entry(addr4); | |
6a8b7f0c PM |
215 | type = map4->def.type; |
216 | cipsov4 = map4->def.cipso; | |
63c41688 PM |
217 | netlbl_af4list_audit_addr(audit_buf, 0, NULL, |
218 | addr4->addr, addr4->mask); | |
dfd56b8b | 219 | #if IS_ENABLED(CONFIG_IPV6) |
63c41688 PM |
220 | } else if (addr6 != NULL) { |
221 | struct netlbl_domaddr6_map *map6; | |
222 | map6 = netlbl_domhsh_addr6_entry(addr6); | |
6a8b7f0c | 223 | type = map6->def.type; |
63c41688 PM |
224 | netlbl_af6list_audit_addr(audit_buf, 0, NULL, |
225 | &addr6->addr, &addr6->mask); | |
226 | #endif /* IPv6 */ | |
227 | } else { | |
6a8b7f0c PM |
228 | type = entry->def.type; |
229 | cipsov4 = entry->def.cipso; | |
63c41688 PM |
230 | } |
231 | switch (type) { | |
232 | case NETLBL_NLTYPE_UNLABELED: | |
233 | audit_log_format(audit_buf, " nlbl_protocol=unlbl"); | |
234 | break; | |
235 | case NETLBL_NLTYPE_CIPSOV4: | |
236 | BUG_ON(cipsov4 == NULL); | |
237 | audit_log_format(audit_buf, | |
238 | " nlbl_protocol=cipsov4 cipso_doi=%u", | |
239 | cipsov4->doi); | |
240 | break; | |
241 | } | |
242 | audit_log_format(audit_buf, " res=%u", result == 0 ? 1 : 0); | |
243 | audit_log_end(audit_buf); | |
244 | } | |
245 | } | |
246 | ||
6b21e1b7 PM |
247 | /** |
248 | * netlbl_domhsh_validate - Validate a new domain mapping entry | |
249 | * @entry: the entry to validate | |
250 | * | |
251 | * This function validates the new domain mapping entry to ensure that it is | |
252 | * a valid entry. Returns zero on success, negative values on failure. | |
253 | * | |
254 | */ | |
255 | static int netlbl_domhsh_validate(const struct netlbl_dom_map *entry) | |
256 | { | |
257 | struct netlbl_af4list *iter4; | |
258 | struct netlbl_domaddr4_map *map4; | |
259 | #if IS_ENABLED(CONFIG_IPV6) | |
260 | struct netlbl_af6list *iter6; | |
261 | struct netlbl_domaddr6_map *map6; | |
262 | #endif /* IPv6 */ | |
263 | ||
264 | if (entry == NULL) | |
265 | return -EINVAL; | |
266 | ||
6a8b7f0c | 267 | switch (entry->def.type) { |
6b21e1b7 | 268 | case NETLBL_NLTYPE_UNLABELED: |
6a8b7f0c | 269 | if (entry->def.cipso != NULL || entry->def.addrsel != NULL) |
6b21e1b7 PM |
270 | return -EINVAL; |
271 | break; | |
272 | case NETLBL_NLTYPE_CIPSOV4: | |
6a8b7f0c | 273 | if (entry->def.cipso == NULL) |
6b21e1b7 PM |
274 | return -EINVAL; |
275 | break; | |
276 | case NETLBL_NLTYPE_ADDRSELECT: | |
6a8b7f0c | 277 | netlbl_af4list_foreach(iter4, &entry->def.addrsel->list4) { |
6b21e1b7 | 278 | map4 = netlbl_domhsh_addr4_entry(iter4); |
6a8b7f0c | 279 | switch (map4->def.type) { |
6b21e1b7 | 280 | case NETLBL_NLTYPE_UNLABELED: |
6a8b7f0c | 281 | if (map4->def.cipso != NULL) |
6b21e1b7 PM |
282 | return -EINVAL; |
283 | break; | |
284 | case NETLBL_NLTYPE_CIPSOV4: | |
6a8b7f0c | 285 | if (map4->def.cipso == NULL) |
6b21e1b7 PM |
286 | return -EINVAL; |
287 | break; | |
288 | default: | |
289 | return -EINVAL; | |
290 | } | |
291 | } | |
292 | #if IS_ENABLED(CONFIG_IPV6) | |
6a8b7f0c | 293 | netlbl_af6list_foreach(iter6, &entry->def.addrsel->list6) { |
6b21e1b7 | 294 | map6 = netlbl_domhsh_addr6_entry(iter6); |
6a8b7f0c | 295 | switch (map6->def.type) { |
6b21e1b7 PM |
296 | case NETLBL_NLTYPE_UNLABELED: |
297 | break; | |
298 | default: | |
299 | return -EINVAL; | |
300 | } | |
301 | } | |
302 | #endif /* IPv6 */ | |
303 | break; | |
304 | default: | |
305 | return -EINVAL; | |
306 | } | |
307 | ||
308 | return 0; | |
309 | } | |
310 | ||
d15c345f PM |
311 | /* |
312 | * Domain Hash Table Functions | |
313 | */ | |
314 | ||
315 | /** | |
316 | * netlbl_domhsh_init - Init for the domain hash | |
317 | * @size: the number of bits to use for the hash buckets | |
318 | * | |
319 | * Description: | |
320 | * Initializes the domain hash table, should be called only by | |
321 | * netlbl_user_init() during initialization. Returns zero on success, non-zero | |
322 | * values on error. | |
323 | * | |
324 | */ | |
05705e4e | 325 | int __init netlbl_domhsh_init(u32 size) |
d15c345f PM |
326 | { |
327 | u32 iter; | |
328 | struct netlbl_domhsh_tbl *hsh_tbl; | |
329 | ||
330 | if (size == 0) | |
331 | return -EINVAL; | |
332 | ||
333 | hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL); | |
334 | if (hsh_tbl == NULL) | |
335 | return -ENOMEM; | |
336 | hsh_tbl->size = 1 << size; | |
337 | hsh_tbl->tbl = kcalloc(hsh_tbl->size, | |
338 | sizeof(struct list_head), | |
339 | GFP_KERNEL); | |
340 | if (hsh_tbl->tbl == NULL) { | |
341 | kfree(hsh_tbl); | |
342 | return -ENOMEM; | |
343 | } | |
344 | for (iter = 0; iter < hsh_tbl->size; iter++) | |
345 | INIT_LIST_HEAD(&hsh_tbl->tbl[iter]); | |
346 | ||
d15c345f | 347 | spin_lock(&netlbl_domhsh_lock); |
cf778b00 | 348 | rcu_assign_pointer(netlbl_domhsh, hsh_tbl); |
d15c345f | 349 | spin_unlock(&netlbl_domhsh_lock); |
d15c345f PM |
350 | |
351 | return 0; | |
352 | } | |
353 | ||
354 | /** | |
355 | * netlbl_domhsh_add - Adds a entry to the domain hash table | |
356 | * @entry: the entry to add | |
95d4e6be | 357 | * @audit_info: NetLabel audit information |
d15c345f PM |
358 | * |
359 | * Description: | |
360 | * Adds a new entry to the domain hash table and handles any updates to the | |
361 | * lower level protocol handler (i.e. CIPSO). Returns zero on success, | |
362 | * negative on failure. | |
363 | * | |
364 | */ | |
95d4e6be PM |
365 | int netlbl_domhsh_add(struct netlbl_dom_map *entry, |
366 | struct netlbl_audit *audit_info) | |
d15c345f | 367 | { |
63c41688 PM |
368 | int ret_val = 0; |
369 | struct netlbl_dom_map *entry_old; | |
370 | struct netlbl_af4list *iter4; | |
371 | struct netlbl_af4list *tmp4; | |
dfd56b8b | 372 | #if IS_ENABLED(CONFIG_IPV6) |
63c41688 PM |
373 | struct netlbl_af6list *iter6; |
374 | struct netlbl_af6list *tmp6; | |
375 | #endif /* IPv6 */ | |
d15c345f | 376 | |
6b21e1b7 PM |
377 | ret_val = netlbl_domhsh_validate(entry); |
378 | if (ret_val != 0) | |
379 | return ret_val; | |
380 | ||
b914f3a2 PM |
381 | /* XXX - we can remove this RCU read lock as the spinlock protects the |
382 | * entire function, but before we do we need to fixup the | |
383 | * netlbl_af[4,6]list RCU functions to do "the right thing" with | |
384 | * respect to rcu_dereference() when only a spinlock is held. */ | |
d15c345f | 385 | rcu_read_lock(); |
1c3fad93 | 386 | spin_lock(&netlbl_domhsh_lock); |
63c41688 PM |
387 | if (entry->domain != NULL) |
388 | entry_old = netlbl_domhsh_search(entry->domain); | |
389 | else | |
390 | entry_old = netlbl_domhsh_search_def(entry->domain); | |
391 | if (entry_old == NULL) { | |
392 | entry->valid = 1; | |
63c41688 PM |
393 | |
394 | if (entry->domain != NULL) { | |
395 | u32 bkt = netlbl_domhsh_hash(entry->domain); | |
d15c345f | 396 | list_add_tail_rcu(&entry->list, |
3482fd90 | 397 | &rcu_dereference(netlbl_domhsh)->tbl[bkt]); |
63c41688 PM |
398 | } else { |
399 | INIT_LIST_HEAD(&entry->list); | |
cf778b00 | 400 | rcu_assign_pointer(netlbl_domhsh_def, entry); |
de64688f | 401 | } |
d15c345f | 402 | |
6a8b7f0c | 403 | if (entry->def.type == NETLBL_NLTYPE_ADDRSELECT) { |
63c41688 | 404 | netlbl_af4list_foreach_rcu(iter4, |
6a8b7f0c | 405 | &entry->def.addrsel->list4) |
63c41688 PM |
406 | netlbl_domhsh_audit_add(entry, iter4, NULL, |
407 | ret_val, audit_info); | |
dfd56b8b | 408 | #if IS_ENABLED(CONFIG_IPV6) |
63c41688 | 409 | netlbl_af6list_foreach_rcu(iter6, |
6a8b7f0c | 410 | &entry->def.addrsel->list6) |
63c41688 PM |
411 | netlbl_domhsh_audit_add(entry, NULL, iter6, |
412 | ret_val, audit_info); | |
413 | #endif /* IPv6 */ | |
414 | } else | |
415 | netlbl_domhsh_audit_add(entry, NULL, NULL, | |
416 | ret_val, audit_info); | |
6a8b7f0c PM |
417 | } else if (entry_old->def.type == NETLBL_NLTYPE_ADDRSELECT && |
418 | entry->def.type == NETLBL_NLTYPE_ADDRSELECT) { | |
63c41688 PM |
419 | struct list_head *old_list4; |
420 | struct list_head *old_list6; | |
421 | ||
6a8b7f0c PM |
422 | old_list4 = &entry_old->def.addrsel->list4; |
423 | old_list6 = &entry_old->def.addrsel->list6; | |
63c41688 PM |
424 | |
425 | /* we only allow the addition of address selectors if all of | |
426 | * the selectors do not exist in the existing domain map */ | |
6a8b7f0c | 427 | netlbl_af4list_foreach_rcu(iter4, &entry->def.addrsel->list4) |
63c41688 PM |
428 | if (netlbl_af4list_search_exact(iter4->addr, |
429 | iter4->mask, | |
430 | old_list4)) { | |
431 | ret_val = -EEXIST; | |
432 | goto add_return; | |
433 | } | |
dfd56b8b | 434 | #if IS_ENABLED(CONFIG_IPV6) |
6a8b7f0c | 435 | netlbl_af6list_foreach_rcu(iter6, &entry->def.addrsel->list6) |
63c41688 PM |
436 | if (netlbl_af6list_search_exact(&iter6->addr, |
437 | &iter6->mask, | |
438 | old_list6)) { | |
439 | ret_val = -EEXIST; | |
440 | goto add_return; | |
441 | } | |
442 | #endif /* IPv6 */ | |
443 | ||
444 | netlbl_af4list_foreach_safe(iter4, tmp4, | |
6a8b7f0c | 445 | &entry->def.addrsel->list4) { |
63c41688 PM |
446 | netlbl_af4list_remove_entry(iter4); |
447 | iter4->valid = 1; | |
448 | ret_val = netlbl_af4list_add(iter4, old_list4); | |
449 | netlbl_domhsh_audit_add(entry_old, iter4, NULL, | |
450 | ret_val, audit_info); | |
451 | if (ret_val != 0) | |
452 | goto add_return; | |
453 | } | |
dfd56b8b | 454 | #if IS_ENABLED(CONFIG_IPV6) |
63c41688 | 455 | netlbl_af6list_foreach_safe(iter6, tmp6, |
6a8b7f0c | 456 | &entry->def.addrsel->list6) { |
63c41688 PM |
457 | netlbl_af6list_remove_entry(iter6); |
458 | iter6->valid = 1; | |
459 | ret_val = netlbl_af6list_add(iter6, old_list6); | |
460 | netlbl_domhsh_audit_add(entry_old, NULL, iter6, | |
461 | ret_val, audit_info); | |
462 | if (ret_val != 0) | |
463 | goto add_return; | |
464 | } | |
465 | #endif /* IPv6 */ | |
466 | } else | |
467 | ret_val = -EINVAL; | |
468 | ||
469 | add_return: | |
470 | spin_unlock(&netlbl_domhsh_lock); | |
471 | rcu_read_unlock(); | |
d15c345f PM |
472 | return ret_val; |
473 | } | |
474 | ||
475 | /** | |
476 | * netlbl_domhsh_add_default - Adds the default entry to the domain hash table | |
477 | * @entry: the entry to add | |
95d4e6be | 478 | * @audit_info: NetLabel audit information |
d15c345f PM |
479 | * |
480 | * Description: | |
481 | * Adds a new default entry to the domain hash table and handles any updates | |
482 | * to the lower level protocol handler (i.e. CIPSO). Returns zero on success, | |
483 | * negative on failure. | |
484 | * | |
485 | */ | |
95d4e6be PM |
486 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, |
487 | struct netlbl_audit *audit_info) | |
d15c345f | 488 | { |
95d4e6be | 489 | return netlbl_domhsh_add(entry, audit_info); |
d15c345f PM |
490 | } |
491 | ||
492 | /** | |
b1edeb10 PM |
493 | * netlbl_domhsh_remove_entry - Removes a given entry from the domain table |
494 | * @entry: the entry to remove | |
95d4e6be | 495 | * @audit_info: NetLabel audit information |
d15c345f PM |
496 | * |
497 | * Description: | |
498 | * Removes an entry from the domain hash table and handles any updates to the | |
b1edeb10 PM |
499 | * lower level protocol handler (i.e. CIPSO). Caller is responsible for |
500 | * ensuring that the RCU read lock is held. Returns zero on success, negative | |
501 | * on failure. | |
d15c345f PM |
502 | * |
503 | */ | |
b1edeb10 PM |
504 | int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry, |
505 | struct netlbl_audit *audit_info) | |
d15c345f | 506 | { |
b1edeb10 | 507 | int ret_val = 0; |
32f50cde | 508 | struct audit_buffer *audit_buf; |
d15c345f | 509 | |
d15c345f | 510 | if (entry == NULL) |
b1edeb10 PM |
511 | return -ENOENT; |
512 | ||
1c3fad93 PM |
513 | spin_lock(&netlbl_domhsh_lock); |
514 | if (entry->valid) { | |
515 | entry->valid = 0; | |
516 | if (entry != rcu_dereference(netlbl_domhsh_def)) | |
d15c345f | 517 | list_del_rcu(&entry->list); |
1c3fad93 | 518 | else |
a9b3cd7f | 519 | RCU_INIT_POINTER(netlbl_domhsh_def, NULL); |
b1edeb10 PM |
520 | } else |
521 | ret_val = -ENOENT; | |
1c3fad93 | 522 | spin_unlock(&netlbl_domhsh_lock); |
32f50cde | 523 | |
95d4e6be | 524 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); |
de64688f PM |
525 | if (audit_buf != NULL) { |
526 | audit_log_format(audit_buf, | |
527 | " nlbl_domain=%s res=%u", | |
528 | entry->domain ? entry->domain : "(default)", | |
529 | ret_val == 0 ? 1 : 0); | |
530 | audit_log_end(audit_buf); | |
531 | } | |
95d4e6be | 532 | |
b1edeb10 | 533 | if (ret_val == 0) { |
63c41688 PM |
534 | struct netlbl_af4list *iter4; |
535 | struct netlbl_domaddr4_map *map4; | |
536 | ||
6a8b7f0c | 537 | switch (entry->def.type) { |
63c41688 PM |
538 | case NETLBL_NLTYPE_ADDRSELECT: |
539 | netlbl_af4list_foreach_rcu(iter4, | |
6a8b7f0c | 540 | &entry->def.addrsel->list4) { |
63c41688 | 541 | map4 = netlbl_domhsh_addr4_entry(iter4); |
6a8b7f0c | 542 | cipso_v4_doi_putdef(map4->def.cipso); |
63c41688 PM |
543 | } |
544 | /* no need to check the IPv6 list since we currently | |
545 | * support only unlabeled protocols for IPv6 */ | |
546 | break; | |
b1edeb10 | 547 | case NETLBL_NLTYPE_CIPSOV4: |
6a8b7f0c | 548 | cipso_v4_doi_putdef(entry->def.cipso); |
b1edeb10 PM |
549 | break; |
550 | } | |
4be2700f | 551 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); |
b1edeb10 PM |
552 | } |
553 | ||
554 | return ret_val; | |
555 | } | |
556 | ||
6c2e8ac0 PM |
557 | /** |
558 | * netlbl_domhsh_remove_af4 - Removes an address selector entry | |
559 | * @domain: the domain | |
560 | * @addr: IPv4 address | |
561 | * @mask: IPv4 address mask | |
562 | * @audit_info: NetLabel audit information | |
563 | * | |
564 | * Description: | |
565 | * Removes an individual address selector from a domain mapping and potentially | |
566 | * the entire mapping if it is empty. Returns zero on success, negative values | |
567 | * on failure. | |
568 | * | |
569 | */ | |
570 | int netlbl_domhsh_remove_af4(const char *domain, | |
571 | const struct in_addr *addr, | |
572 | const struct in_addr *mask, | |
573 | struct netlbl_audit *audit_info) | |
574 | { | |
575 | struct netlbl_dom_map *entry_map; | |
576 | struct netlbl_af4list *entry_addr; | |
577 | struct netlbl_af4list *iter4; | |
dfd56b8b | 578 | #if IS_ENABLED(CONFIG_IPV6) |
6c2e8ac0 PM |
579 | struct netlbl_af6list *iter6; |
580 | #endif /* IPv6 */ | |
581 | struct netlbl_domaddr4_map *entry; | |
582 | ||
583 | rcu_read_lock(); | |
584 | ||
585 | if (domain) | |
586 | entry_map = netlbl_domhsh_search(domain); | |
587 | else | |
588 | entry_map = netlbl_domhsh_search_def(domain); | |
6a8b7f0c PM |
589 | if (entry_map == NULL || |
590 | entry_map->def.type != NETLBL_NLTYPE_ADDRSELECT) | |
6c2e8ac0 PM |
591 | goto remove_af4_failure; |
592 | ||
593 | spin_lock(&netlbl_domhsh_lock); | |
594 | entry_addr = netlbl_af4list_remove(addr->s_addr, mask->s_addr, | |
6a8b7f0c | 595 | &entry_map->def.addrsel->list4); |
6c2e8ac0 PM |
596 | spin_unlock(&netlbl_domhsh_lock); |
597 | ||
598 | if (entry_addr == NULL) | |
599 | goto remove_af4_failure; | |
6a8b7f0c | 600 | netlbl_af4list_foreach_rcu(iter4, &entry_map->def.addrsel->list4) |
6c2e8ac0 | 601 | goto remove_af4_single_addr; |
dfd56b8b | 602 | #if IS_ENABLED(CONFIG_IPV6) |
6a8b7f0c | 603 | netlbl_af6list_foreach_rcu(iter6, &entry_map->def.addrsel->list6) |
6c2e8ac0 PM |
604 | goto remove_af4_single_addr; |
605 | #endif /* IPv6 */ | |
606 | /* the domain mapping is empty so remove it from the mapping table */ | |
607 | netlbl_domhsh_remove_entry(entry_map, audit_info); | |
608 | ||
609 | remove_af4_single_addr: | |
610 | rcu_read_unlock(); | |
611 | /* yick, we can't use call_rcu here because we don't have a rcu head | |
612 | * pointer but hopefully this should be a rare case so the pause | |
613 | * shouldn't be a problem */ | |
614 | synchronize_rcu(); | |
615 | entry = netlbl_domhsh_addr4_entry(entry_addr); | |
6a8b7f0c | 616 | cipso_v4_doi_putdef(entry->def.cipso); |
6c2e8ac0 PM |
617 | kfree(entry); |
618 | return 0; | |
619 | ||
620 | remove_af4_failure: | |
621 | rcu_read_unlock(); | |
622 | return -ENOENT; | |
623 | } | |
624 | ||
b1edeb10 PM |
625 | /** |
626 | * netlbl_domhsh_remove - Removes an entry from the domain hash table | |
627 | * @domain: the domain to remove | |
628 | * @audit_info: NetLabel audit information | |
629 | * | |
630 | * Description: | |
631 | * Removes an entry from the domain hash table and handles any updates to the | |
632 | * lower level protocol handler (i.e. CIPSO). Returns zero on success, | |
633 | * negative on failure. | |
634 | * | |
635 | */ | |
636 | int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) | |
637 | { | |
638 | int ret_val; | |
639 | struct netlbl_dom_map *entry; | |
640 | ||
641 | rcu_read_lock(); | |
642 | if (domain) | |
643 | entry = netlbl_domhsh_search(domain); | |
644 | else | |
645 | entry = netlbl_domhsh_search_def(domain); | |
646 | ret_val = netlbl_domhsh_remove_entry(entry, audit_info); | |
647 | rcu_read_unlock(); | |
648 | ||
d15c345f PM |
649 | return ret_val; |
650 | } | |
651 | ||
652 | /** | |
653 | * netlbl_domhsh_remove_default - Removes the default entry from the table | |
95d4e6be | 654 | * @audit_info: NetLabel audit information |
d15c345f PM |
655 | * |
656 | * Description: | |
657 | * Removes/resets the default entry for the domain hash table and handles any | |
658 | * updates to the lower level protocol handler (i.e. CIPSO). Returns zero on | |
659 | * success, non-zero on failure. | |
660 | * | |
661 | */ | |
95d4e6be | 662 | int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info) |
d15c345f | 663 | { |
95d4e6be | 664 | return netlbl_domhsh_remove(NULL, audit_info); |
d15c345f PM |
665 | } |
666 | ||
667 | /** | |
668 | * netlbl_domhsh_getentry - Get an entry from the domain hash table | |
669 | * @domain: the domain name to search for | |
670 | * | |
671 | * Description: | |
672 | * Look through the domain hash table searching for an entry to match @domain, | |
25985edc | 673 | * return a pointer to a copy of the entry or NULL. The caller is responsible |
d15c345f PM |
674 | * for ensuring that rcu_read_[un]lock() is called. |
675 | * | |
676 | */ | |
677 | struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain) | |
678 | { | |
b64397e0 | 679 | return netlbl_domhsh_search_def(domain); |
d15c345f PM |
680 | } |
681 | ||
63c41688 PM |
682 | /** |
683 | * netlbl_domhsh_getentry_af4 - Get an entry from the domain hash table | |
684 | * @domain: the domain name to search for | |
685 | * @addr: the IP address to search for | |
686 | * | |
687 | * Description: | |
688 | * Look through the domain hash table searching for an entry to match @domain | |
689 | * and @addr, return a pointer to a copy of the entry or NULL. The caller is | |
690 | * responsible for ensuring that rcu_read_[un]lock() is called. | |
691 | * | |
692 | */ | |
6a8b7f0c PM |
693 | struct netlbl_dommap_def *netlbl_domhsh_getentry_af4(const char *domain, |
694 | __be32 addr) | |
63c41688 PM |
695 | { |
696 | struct netlbl_dom_map *dom_iter; | |
697 | struct netlbl_af4list *addr_iter; | |
698 | ||
699 | dom_iter = netlbl_domhsh_search_def(domain); | |
700 | if (dom_iter == NULL) | |
701 | return NULL; | |
63c41688 | 702 | |
6a8b7f0c PM |
703 | if (dom_iter->def.type != NETLBL_NLTYPE_ADDRSELECT) |
704 | return &dom_iter->def; | |
705 | addr_iter = netlbl_af4list_search(addr, &dom_iter->def.addrsel->list4); | |
63c41688 PM |
706 | if (addr_iter == NULL) |
707 | return NULL; | |
6a8b7f0c | 708 | return &(netlbl_domhsh_addr4_entry(addr_iter)->def); |
63c41688 PM |
709 | } |
710 | ||
dfd56b8b | 711 | #if IS_ENABLED(CONFIG_IPV6) |
63c41688 PM |
712 | /** |
713 | * netlbl_domhsh_getentry_af6 - Get an entry from the domain hash table | |
714 | * @domain: the domain name to search for | |
715 | * @addr: the IP address to search for | |
716 | * | |
717 | * Description: | |
718 | * Look through the domain hash table searching for an entry to match @domain | |
719 | * and @addr, return a pointer to a copy of the entry or NULL. The caller is | |
720 | * responsible for ensuring that rcu_read_[un]lock() is called. | |
721 | * | |
722 | */ | |
6a8b7f0c | 723 | struct netlbl_dommap_def *netlbl_domhsh_getentry_af6(const char *domain, |
63c41688 PM |
724 | const struct in6_addr *addr) |
725 | { | |
726 | struct netlbl_dom_map *dom_iter; | |
727 | struct netlbl_af6list *addr_iter; | |
728 | ||
729 | dom_iter = netlbl_domhsh_search_def(domain); | |
730 | if (dom_iter == NULL) | |
731 | return NULL; | |
63c41688 | 732 | |
6a8b7f0c PM |
733 | if (dom_iter->def.type != NETLBL_NLTYPE_ADDRSELECT) |
734 | return &dom_iter->def; | |
735 | addr_iter = netlbl_af6list_search(addr, &dom_iter->def.addrsel->list6); | |
63c41688 PM |
736 | if (addr_iter == NULL) |
737 | return NULL; | |
6a8b7f0c | 738 | return &(netlbl_domhsh_addr6_entry(addr_iter)->def); |
63c41688 PM |
739 | } |
740 | #endif /* IPv6 */ | |
741 | ||
d15c345f | 742 | /** |
fcd48280 PM |
743 | * netlbl_domhsh_walk - Iterate through the domain mapping hash table |
744 | * @skip_bkt: the number of buckets to skip at the start | |
745 | * @skip_chain: the number of entries to skip in the first iterated bucket | |
746 | * @callback: callback for each entry | |
747 | * @cb_arg: argument for the callback function | |
d15c345f PM |
748 | * |
749 | * Description: | |
fcd48280 PM |
750 | * Interate over the domain mapping hash table, skipping the first @skip_bkt |
751 | * buckets and @skip_chain entries. For each entry in the table call | |
752 | * @callback, if @callback returns a negative value stop 'walking' through the | |
753 | * table and return. Updates the values in @skip_bkt and @skip_chain on | |
af901ca1 | 754 | * return. Returns zero on success, negative values on failure. |
d15c345f PM |
755 | * |
756 | */ | |
fcd48280 PM |
757 | int netlbl_domhsh_walk(u32 *skip_bkt, |
758 | u32 *skip_chain, | |
759 | int (*callback) (struct netlbl_dom_map *entry, void *arg), | |
760 | void *cb_arg) | |
d15c345f | 761 | { |
fcd48280 PM |
762 | int ret_val = -ENOENT; |
763 | u32 iter_bkt; | |
56196701 | 764 | struct list_head *iter_list; |
fcd48280 PM |
765 | struct netlbl_dom_map *iter_entry; |
766 | u32 chain_cnt = 0; | |
d15c345f | 767 | |
d15c345f | 768 | rcu_read_lock(); |
fcd48280 PM |
769 | for (iter_bkt = *skip_bkt; |
770 | iter_bkt < rcu_dereference(netlbl_domhsh)->size; | |
771 | iter_bkt++, chain_cnt = 0) { | |
56196701 PM |
772 | iter_list = &rcu_dereference(netlbl_domhsh)->tbl[iter_bkt]; |
773 | list_for_each_entry_rcu(iter_entry, iter_list, list) | |
fcd48280 PM |
774 | if (iter_entry->valid) { |
775 | if (chain_cnt++ < *skip_chain) | |
776 | continue; | |
777 | ret_val = callback(iter_entry, cb_arg); | |
778 | if (ret_val < 0) { | |
779 | chain_cnt--; | |
780 | goto walk_return; | |
781 | } | |
d15c345f | 782 | } |
fcd48280 | 783 | } |
d15c345f | 784 | |
fcd48280 | 785 | walk_return: |
d15c345f | 786 | rcu_read_unlock(); |
fcd48280 PM |
787 | *skip_bkt = iter_bkt; |
788 | *skip_chain = chain_cnt; | |
789 | return ret_val; | |
d15c345f | 790 | } |