+79

include/net/calipso.h

reviewed

··· 1 1 + /* 2 2 + * CALIPSO - Common Architecture Label IPv6 Security Option 3 3 + * 4 4 + * This is an implementation of the CALIPSO protocol as specified in 5 5 + * RFC 5570. 6 6 + * 7 7 + * Authors: Paul Moore <paul@paul-moore.com> 8 8 + * Huw Davies <huw@codeweavers.com> 9 9 + * 10 10 + */ 11 11 + 12 12 + /* 13 13 + * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 14 14 + * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015 15 15 + * 16 16 + * This program is free software; you can redistribute it and/or modify 17 17 + * it under the terms of the GNU General Public License as published by 18 18 + * the Free Software Foundation; either version 2 of the License, or 19 19 + * (at your option) any later version. 20 20 + * 21 21 + * This program is distributed in the hope that it will be useful, 22 22 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 23 23 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 24 24 + * the GNU General Public License for more details. 25 25 + * 26 26 + * You should have received a copy of the GNU General Public License 27 27 + * along with this program; if not, see <http://www.gnu.org/licenses/>. 28 28 + * 29 29 + */ 30 30 + 31 31 + #ifndef _CALIPSO_H 32 32 + #define _CALIPSO_H 33 33 + 34 34 + #include <linux/types.h> 35 35 + #include <linux/rcupdate.h> 36 36 + #include <linux/list.h> 37 37 + #include <linux/net.h> 38 38 + #include <linux/skbuff.h> 39 39 + #include <net/netlabel.h> 40 40 + #include <net/request_sock.h> 41 41 + #include <linux/atomic.h> 42 42 + #include <asm/unaligned.h> 43 43 + 44 44 + /* known doi values */ 45 45 + #define CALIPSO_DOI_UNKNOWN 0x00000000 46 46 + 47 47 + /* doi mapping types */ 48 48 + #define CALIPSO_MAP_UNKNOWN 0 49 49 + #define CALIPSO_MAP_PASS 2 50 50 + 51 51 + /* 52 52 + * CALIPSO DOI definitions 53 53 + */ 54 54 + 55 55 + /* DOI definition struct */ 56 56 + struct calipso_doi { 57 57 + u32 doi; 58 58 + u32 type; 59 59 + 60 60 + atomic_t refcount; 61 61 + struct list_head list; 62 62 + struct rcu_head rcu; 63 63 + }; 64 64 + 65 65 + #ifdef CONFIG_NETLABEL 66 66 + int __init calipso_init(void); 67 67 + void calipso_exit(void); 68 68 + #else 69 69 + static inline int __init calipso_init(void) 70 70 + { 71 71 + return 0; 72 72 + } 73 73 + 74 74 + static inline void calipso_exit(void) 75 75 + { 76 76 + } 77 77 + #endif /* CONFIG_NETLABEL */ 78 78 + 79 79 + #endif /* _CALIPSO_H */

+23

include/net/netlabel.h

reviewed

··· 40 40 #include <linux/atomic.h> 41 41 42 42 struct cipso_v4_doi; 43 43 + struct calipso_doi; 43 44 44 45 /* 45 46 * NetLabel - A management interface for maintaining network packet label ··· 95 94 #define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL" 96 95 #define NETLBL_NLTYPE_ADDRSELECT 6 97 96 #define NETLBL_NLTYPE_ADDRSELECT_NAME "NLBL_ADRSEL" 97 97 + #define NETLBL_NLTYPE_CALIPSO 7 98 98 + #define NETLBL_NLTYPE_CALIPSO_NAME "NLBL_CALIPSO" 98 99 99 100 /* 100 101 * NetLabel - Kernel API for accessing the network packet label mappings. ··· 217 214 } mls; 218 215 u32 secid; 219 216 } attr; 217 217 + }; 218 218 + 219 219 + /** 220 220 + * struct netlbl_calipso_ops - NetLabel CALIPSO operations 221 221 + * @doi_add: add a CALIPSO DOI 222 222 + * @doi_free: free a CALIPSO DOI 223 223 + * 224 224 + * Description: 225 225 + * This structure is filled out by the CALIPSO engine and passed 226 226 + * to the NetLabel core via a call to netlbl_calipso_ops_register(). 227 227 + * It enables the CALIPSO engine (and hence IPv6) to be compiled 228 228 + * as a module. 229 229 + */ 230 230 + struct netlbl_calipso_ops { 231 231 + int (*doi_add)(struct calipso_doi *doi_def, 232 232 + struct netlbl_audit *audit_info); 233 233 + void (*doi_free)(struct calipso_doi *doi_def); 220 234 }; 221 235 222 236 /* ··· 617 597 return NULL; 618 598 } 619 599 #endif /* CONFIG_NETLABEL */ 600 600 + 601 601 + const struct netlbl_calipso_ops * 602 602 + netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops); 620 603 621 604 #endif /* _NETLABEL_H */

+2

include/uapi/linux/audit.h

reviewed

··· 130 130 #define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */ 131 131 #define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */ 132 132 #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ 133 133 + #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ 134 134 + #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ 133 135 134 136 #define AUDIT_FIRST_KERN_ANOM_MSG 1700 135 137 #define AUDIT_LAST_KERN_ANOM_MSG 1799

+1

net/ipv6/Makefile

reviewed

··· 21 21 ipv6-$(CONFIG_IPV6_MULTIPLE_TABLES) += fib6_rules.o 22 22 ipv6-$(CONFIG_PROC_FS) += proc.o 23 23 ipv6-$(CONFIG_SYN_COOKIES) += syncookies.o 24 24 + ipv6-$(CONFIG_NETLABEL) += calipso.o 24 25 25 26 ipv6-objs += $(ipv6-y) 26 27

+8 -1

net/ipv6/af_inet6.c

reviewed

··· 60 60 #ifdef CONFIG_IPV6_TUNNEL 61 61 #include <net/ip6_tunnel.h> 62 62 #endif 63 63 + #include <net/calipso.h> 63 64 64 65 #include <asm/uaccess.h> 65 66 #include <linux/mroute6.h> ··· 971 970 if (err) 972 971 goto pingv6_fail; 973 972 973 973 + err = calipso_init(); 974 974 + if (err) 975 975 + goto calipso_fail; 976 976 + 974 977 #ifdef CONFIG_SYSCTL 975 978 err = ipv6_sysctl_register(); 976 979 if (err) ··· 985 980 986 981 #ifdef CONFIG_SYSCTL 987 982 sysctl_fail: 988 988 - pingv6_exit(); 983 983 + calipso_exit(); 989 984 #endif 985 985 + calipso_fail: 986 986 + pingv6_exit(); 990 987 pingv6_fail: 991 988 ipv6_packet_cleanup(); 992 989 ipv6_packet_fail:

+169

net/ipv6/calipso.c

reviewed

··· 1 1 + /* 2 2 + * CALIPSO - Common Architecture Label IPv6 Security Option 3 3 + * 4 4 + * This is an implementation of the CALIPSO protocol as specified in 5 5 + * RFC 5570. 6 6 + * 7 7 + * Authors: Paul Moore <paul.moore@hp.com> 8 8 + * Huw Davies <huw@codeweavers.com> 9 9 + * 10 10 + */ 11 11 + 12 12 + /* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008 13 13 + * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015 14 14 + * 15 15 + * This program is free software; you can redistribute it and/or modify 16 16 + * it under the terms of the GNU General Public License as published by 17 17 + * the Free Software Foundation; either version 2 of the License, or 18 18 + * (at your option) any later version. 19 19 + * 20 20 + * This program is distributed in the hope that it will be useful, 21 21 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 22 22 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 23 23 + * the GNU General Public License for more details. 24 24 + * 25 25 + * You should have received a copy of the GNU General Public License 26 26 + * along with this program; if not, see <http://www.gnu.org/licenses/>. 27 27 + * 28 28 + */ 29 29 + 30 30 + #include <linux/init.h> 31 31 + #include <linux/types.h> 32 32 + #include <linux/rcupdate.h> 33 33 + #include <linux/list.h> 34 34 + #include <linux/spinlock.h> 35 35 + #include <linux/string.h> 36 36 + #include <linux/jhash.h> 37 37 + #include <linux/audit.h> 38 38 + #include <linux/slab.h> 39 39 + #include <net/ip.h> 40 40 + #include <net/icmp.h> 41 41 + #include <net/tcp.h> 42 42 + #include <net/netlabel.h> 43 43 + #include <net/calipso.h> 44 44 + #include <linux/atomic.h> 45 45 + #include <linux/bug.h> 46 46 + #include <asm/unaligned.h> 47 47 + 48 48 + /* List of available DOI definitions */ 49 49 + static DEFINE_SPINLOCK(calipso_doi_list_lock); 50 50 + static LIST_HEAD(calipso_doi_list); 51 51 + 52 52 + /* DOI List Functions 53 53 + */ 54 54 + 55 55 + /** 56 56 + * calipso_doi_search - Searches for a DOI definition 57 57 + * @doi: the DOI to search for 58 58 + * 59 59 + * Description: 60 60 + * Search the DOI definition list for a DOI definition with a DOI value that 61 61 + * matches @doi. The caller is responsible for calling rcu_read_[un]lock(). 62 62 + * Returns a pointer to the DOI definition on success and NULL on failure. 63 63 + */ 64 64 + static struct calipso_doi *calipso_doi_search(u32 doi) 65 65 + { 66 66 + struct calipso_doi *iter; 67 67 + 68 68 + list_for_each_entry_rcu(iter, &calipso_doi_list, list) 69 69 + if (iter->doi == doi && atomic_read(&iter->refcount)) 70 70 + return iter; 71 71 + return NULL; 72 72 + } 73 73 + 74 74 + /** 75 75 + * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine 76 76 + * @doi_def: the DOI structure 77 77 + * @audit_info: NetLabel audit information 78 78 + * 79 79 + * Description: 80 80 + * The caller defines a new DOI for use by the CALIPSO engine and calls this 81 81 + * function to add it to the list of acceptable domains. The caller must 82 82 + * ensure that the mapping table specified in @doi_def->map meets all of the 83 83 + * requirements of the mapping type (see calipso.h for details). Returns 84 84 + * zero on success and non-zero on failure. 85 85 + * 86 86 + */ 87 87 + static int calipso_doi_add(struct calipso_doi *doi_def, 88 88 + struct netlbl_audit *audit_info) 89 89 + { 90 90 + int ret_val = -EINVAL; 91 91 + u32 doi; 92 92 + u32 doi_type; 93 93 + struct audit_buffer *audit_buf; 94 94 + 95 95 + doi = doi_def->doi; 96 96 + doi_type = doi_def->type; 97 97 + 98 98 + if (doi_def->doi == CALIPSO_DOI_UNKNOWN) 99 99 + goto doi_add_return; 100 100 + 101 101 + atomic_set(&doi_def->refcount, 1); 102 102 + 103 103 + spin_lock(&calipso_doi_list_lock); 104 104 + if (calipso_doi_search(doi_def->doi)) { 105 105 + spin_unlock(&calipso_doi_list_lock); 106 106 + ret_val = -EEXIST; 107 107 + goto doi_add_return; 108 108 + } 109 109 + list_add_tail_rcu(&doi_def->list, &calipso_doi_list); 110 110 + spin_unlock(&calipso_doi_list_lock); 111 111 + ret_val = 0; 112 112 + 113 113 + doi_add_return: 114 114 + audit_buf = netlbl_audit_start(AUDIT_MAC_CALIPSO_ADD, audit_info); 115 115 + if (audit_buf) { 116 116 + const char *type_str; 117 117 + 118 118 + switch (doi_type) { 119 119 + case CALIPSO_MAP_PASS: 120 120 + type_str = "pass"; 121 121 + break; 122 122 + default: 123 123 + type_str = "(unknown)"; 124 124 + } 125 125 + audit_log_format(audit_buf, 126 126 + " calipso_doi=%u calipso_type=%s res=%u", 127 127 + doi, type_str, ret_val == 0 ? 1 : 0); 128 128 + audit_log_end(audit_buf); 129 129 + } 130 130 + 131 131 + return ret_val; 132 132 + } 133 133 + 134 134 + /** 135 135 + * calipso_doi_free - Frees a DOI definition 136 136 + * @doi_def: the DOI definition 137 137 + * 138 138 + * Description: 139 139 + * This function frees all of the memory associated with a DOI definition. 140 140 + * 141 141 + */ 142 142 + static void calipso_doi_free(struct calipso_doi *doi_def) 143 143 + { 144 144 + kfree(doi_def); 145 145 + } 146 146 + 147 147 + static const struct netlbl_calipso_ops ops = { 148 148 + .doi_add = calipso_doi_add, 149 149 + .doi_free = calipso_doi_free, 150 150 + }; 151 151 + 152 152 + /** 153 153 + * calipso_init - Initialize the CALIPSO module 154 154 + * 155 155 + * Description: 156 156 + * Initialize the CALIPSO module and prepare it for use. Returns zero on 157 157 + * success and negative values on failure. 158 158 + * 159 159 + */ 160 160 + int __init calipso_init(void) 161 161 + { 162 162 + netlbl_calipso_ops_register(&ops); 163 163 + return 0; 164 164 + } 165 165 + 166 166 + void calipso_exit(void) 167 167 + { 168 168 + netlbl_calipso_ops_register(NULL); 169 169 + }

+1 -1

net/netlabel/Makefile

reviewed

··· 12 12 # protocol modules 13 13 obj-y += netlabel_unlabeled.o 14 14 obj-y += netlabel_cipso_v4.o 15 15 - 15 15 + obj-$(subst m,y,$(CONFIG_IPV6)) += netlabel_calipso.o

+216

net/netlabel/netlabel_calipso.c

reviewed

··· 1 1 + /* 2 2 + * NetLabel CALIPSO/IPv6 Support 3 3 + * 4 4 + * This file defines the CALIPSO/IPv6 functions for the NetLabel system. The 5 5 + * NetLabel system manages static and dynamic label mappings for network 6 6 + * protocols such as CIPSO and CALIPSO. 7 7 + * 8 8 + * Authors: Paul Moore <paul@paul-moore.com> 9 9 + * Huw Davies <huw@codeweavers.com> 10 10 + * 11 11 + */ 12 12 + 13 13 + /* (c) Copyright Hewlett-Packard Development Company, L.P., 2006 14 14 + * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015 15 15 + * 16 16 + * This program is free software; you can redistribute it and/or modify 17 17 + * it under the terms of the GNU General Public License as published by 18 18 + * the Free Software Foundation; either version 2 of the License, or 19 19 + * (at your option) any later version. 20 20 + * 21 21 + * This program is distributed in the hope that it will be useful, 22 22 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 23 23 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 24 24 + * the GNU General Public License for more details. 25 25 + * 26 26 + * You should have received a copy of the GNU General Public License 27 27 + * along with this program; if not, see <http://www.gnu.org/licenses/>. 28 28 + * 29 29 + */ 30 30 + 31 31 + #include <linux/types.h> 32 32 + #include <linux/socket.h> 33 33 + #include <linux/string.h> 34 34 + #include <linux/skbuff.h> 35 35 + #include <linux/audit.h> 36 36 + #include <linux/slab.h> 37 37 + #include <net/sock.h> 38 38 + #include <net/netlink.h> 39 39 + #include <net/genetlink.h> 40 40 + #include <net/netlabel.h> 41 41 + #include <net/calipso.h> 42 42 + #include <linux/atomic.h> 43 43 + 44 44 + #include "netlabel_user.h" 45 45 + #include "netlabel_calipso.h" 46 46 + #include "netlabel_mgmt.h" 47 47 + #include "netlabel_domainhash.h" 48 48 + 49 49 + /* NetLabel Generic NETLINK CALIPSO family */ 50 50 + static struct genl_family netlbl_calipso_gnl_family = { 51 51 + .id = GENL_ID_GENERATE, 52 52 + .hdrsize = 0, 53 53 + .name = NETLBL_NLTYPE_CALIPSO_NAME, 54 54 + .version = NETLBL_PROTO_VERSION, 55 55 + .maxattr = NLBL_CALIPSO_A_MAX, 56 56 + }; 57 57 + 58 58 + /* NetLabel Netlink attribute policy */ 59 59 + static const struct nla_policy calipso_genl_policy[NLBL_CALIPSO_A_MAX + 1] = { 60 60 + [NLBL_CALIPSO_A_DOI] = { .type = NLA_U32 }, 61 61 + [NLBL_CALIPSO_A_MTYPE] = { .type = NLA_U32 }, 62 62 + }; 63 63 + 64 64 + /* NetLabel Command Handlers 65 65 + */ 66 66 + /** 67 67 + * netlbl_calipso_add_pass - Adds a CALIPSO pass DOI definition 68 68 + * @info: the Generic NETLINK info block 69 69 + * @audit_info: NetLabel audit information 70 70 + * 71 71 + * Description: 72 72 + * Create a new CALIPSO_MAP_PASS DOI definition based on the given ADD message 73 73 + * and add it to the CALIPSO engine. Return zero on success and non-zero on 74 74 + * error. 75 75 + * 76 76 + */ 77 77 + static int netlbl_calipso_add_pass(struct genl_info *info, 78 78 + struct netlbl_audit *audit_info) 79 79 + { 80 80 + int ret_val; 81 81 + struct calipso_doi *doi_def = NULL; 82 82 + 83 83 + doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL); 84 84 + if (!doi_def) 85 85 + return -ENOMEM; 86 86 + doi_def->type = CALIPSO_MAP_PASS; 87 87 + doi_def->doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]); 88 88 + ret_val = calipso_doi_add(doi_def, audit_info); 89 89 + if (ret_val != 0) 90 90 + calipso_doi_free(doi_def); 91 91 + 92 92 + return ret_val; 93 93 + } 94 94 + 95 95 + /** 96 96 + * netlbl_calipso_add - Handle an ADD message 97 97 + * @skb: the NETLINK buffer 98 98 + * @info: the Generic NETLINK info block 99 99 + * 100 100 + * Description: 101 101 + * Create a new DOI definition based on the given ADD message and add it to the 102 102 + * CALIPSO engine. Returns zero on success, negative values on failure. 103 103 + * 104 104 + */ 105 105 + static int netlbl_calipso_add(struct sk_buff *skb, struct genl_info *info) 106 106 + 107 107 + { 108 108 + int ret_val = -EINVAL; 109 109 + struct netlbl_audit audit_info; 110 110 + 111 111 + if (!info->attrs[NLBL_CALIPSO_A_DOI] || 112 112 + !info->attrs[NLBL_CALIPSO_A_MTYPE]) 113 113 + return -EINVAL; 114 114 + 115 115 + netlbl_netlink_auditinfo(skb, &audit_info); 116 116 + switch (nla_get_u32(info->attrs[NLBL_CALIPSO_A_MTYPE])) { 117 117 + case CALIPSO_MAP_PASS: 118 118 + ret_val = netlbl_calipso_add_pass(info, &audit_info); 119 119 + break; 120 120 + } 121 121 + if (ret_val == 0) 122 122 + atomic_inc(&netlabel_mgmt_protocount); 123 123 + 124 124 + return ret_val; 125 125 + } 126 126 + 127 127 + /* NetLabel Generic NETLINK Command Definitions 128 128 + */ 129 129 + 130 130 + static const struct genl_ops netlbl_calipso_ops[] = { 131 131 + { 132 132 + .cmd = NLBL_CALIPSO_C_ADD, 133 133 + .flags = GENL_ADMIN_PERM, 134 134 + .policy = calipso_genl_policy, 135 135 + .doit = netlbl_calipso_add, 136 136 + .dumpit = NULL, 137 137 + }, 138 138 + }; 139 139 + 140 140 + /* NetLabel Generic NETLINK Protocol Functions 141 141 + */ 142 142 + 143 143 + /** 144 144 + * netlbl_calipso_genl_init - Register the CALIPSO NetLabel component 145 145 + * 146 146 + * Description: 147 147 + * Register the CALIPSO packet NetLabel component with the Generic NETLINK 148 148 + * mechanism. Returns zero on success, negative values on failure. 149 149 + * 150 150 + */ 151 151 + int __init netlbl_calipso_genl_init(void) 152 152 + { 153 153 + return genl_register_family_with_ops(&netlbl_calipso_gnl_family, 154 154 + netlbl_calipso_ops); 155 155 + } 156 156 + 157 157 + static const struct netlbl_calipso_ops *calipso_ops; 158 158 + 159 159 + /** 160 160 + * netlbl_calipso_ops_register - Register the CALIPSO operations 161 161 + * 162 162 + * Description: 163 163 + * Register the CALIPSO packet engine operations. 164 164 + * 165 165 + */ 166 166 + const struct netlbl_calipso_ops * 167 167 + netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops) 168 168 + { 169 169 + return xchg(&calipso_ops, ops); 170 170 + } 171 171 + EXPORT_SYMBOL(netlbl_calipso_ops_register); 172 172 + 173 173 + static const struct netlbl_calipso_ops *netlbl_calipso_ops_get(void) 174 174 + { 175 175 + return ACCESS_ONCE(calipso_ops); 176 176 + } 177 177 + 178 178 + /** 179 179 + * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine 180 180 + * @doi_def: the DOI structure 181 181 + * @audit_info: NetLabel audit information 182 182 + * 183 183 + * Description: 184 184 + * The caller defines a new DOI for use by the CALIPSO engine and calls this 185 185 + * function to add it to the list of acceptable domains. The caller must 186 186 + * ensure that the mapping table specified in @doi_def->map meets all of the 187 187 + * requirements of the mapping type (see calipso.h for details). Returns 188 188 + * zero on success and non-zero on failure. 189 189 + * 190 190 + */ 191 191 + int calipso_doi_add(struct calipso_doi *doi_def, 192 192 + struct netlbl_audit *audit_info) 193 193 + { 194 194 + int ret_val = -ENOMSG; 195 195 + const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get(); 196 196 + 197 197 + if (ops) 198 198 + ret_val = ops->doi_add(doi_def, audit_info); 199 199 + return ret_val; 200 200 + } 201 201 + 202 202 + /** 203 203 + * calipso_doi_free - Frees a DOI definition 204 204 + * @doi_def: the DOI definition 205 205 + * 206 206 + * Description: 207 207 + * This function frees all of the memory associated with a DOI definition. 208 208 + * 209 209 + */ 210 210 + void calipso_doi_free(struct calipso_doi *doi_def) 211 211 + { 212 212 + const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get(); 213 213 + 214 214 + if (ops) 215 215 + ops->doi_free(doi_def); 216 216 + }

+90

net/netlabel/netlabel_calipso.h

reviewed

··· 1 1 + /* 2 2 + * NetLabel CALIPSO Support 3 3 + * 4 4 + * This file defines the CALIPSO functions for the NetLabel system. The 5 5 + * NetLabel system manages static and dynamic label mappings for network 6 6 + * protocols such as CIPSO and RIPSO. 7 7 + * 8 8 + * Authors: Paul Moore <paul@paul-moore.com> 9 9 + * Huw Davies <huw@codeweavers.com> 10 10 + * 11 11 + */ 12 12 + 13 13 + /* (c) Copyright Hewlett-Packard Development Company, L.P., 2006 14 14 + * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015 15 15 + * 16 16 + * This program is free software; you can redistribute it and/or modify 17 17 + * it under the terms of the GNU General Public License as published by 18 18 + * the Free Software Foundation; either version 2 of the License, or 19 19 + * (at your option) any later version. 20 20 + * 21 21 + * This program is distributed in the hope that it will be useful, 22 22 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 23 23 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 24 24 + * the GNU General Public License for more details. 25 25 + * 26 26 + * You should have received a copy of the GNU General Public License 27 27 + * along with this program; if not, see <http://www.gnu.org/licenses/>. 28 28 + * 29 29 + */ 30 30 + 31 31 + #ifndef _NETLABEL_CALIPSO 32 32 + #define _NETLABEL_CALIPSO 33 33 + 34 34 + #include <net/netlabel.h> 35 35 + #include <net/calipso.h> 36 36 + 37 37 + /* The following NetLabel payloads are supported by the CALIPSO subsystem. 38 38 + * 39 39 + * o ADD: 40 40 + * Sent by an application to add a new DOI mapping table. 41 41 + * 42 42 + * Required attributes: 43 43 + * 44 44 + * NLBL_CALIPSO_A_DOI 45 45 + * NLBL_CALIPSO_A_MTYPE 46 46 + * 47 47 + * If using CALIPSO_MAP_PASS no additional attributes are required. 48 48 + * 49 49 + */ 50 50 + 51 51 + /* NetLabel CALIPSO commands */ 52 52 + enum { 53 53 + NLBL_CALIPSO_C_UNSPEC, 54 54 + NLBL_CALIPSO_C_ADD, 55 55 + NLBL_CALIPSO_C_REMOVE, 56 56 + NLBL_CALIPSO_C_LIST, 57 57 + NLBL_CALIPSO_C_LISTALL, 58 58 + __NLBL_CALIPSO_C_MAX, 59 59 + }; 60 60 + 61 61 + /* NetLabel CALIPSO attributes */ 62 62 + enum { 63 63 + NLBL_CALIPSO_A_UNSPEC, 64 64 + NLBL_CALIPSO_A_DOI, 65 65 + /* (NLA_U32) 66 66 + * the DOI value */ 67 67 + NLBL_CALIPSO_A_MTYPE, 68 68 + /* (NLA_U32) 69 69 + * the mapping table type (defined in the calipso.h header as 70 70 + * CALIPSO_MAP_*) */ 71 71 + __NLBL_CALIPSO_A_MAX, 72 72 + }; 73 73 + 74 74 + #define NLBL_CALIPSO_A_MAX (__NLBL_CALIPSO_A_MAX - 1) 75 75 + 76 76 + /* NetLabel protocol functions */ 77 77 + #if IS_ENABLED(CONFIG_IPV6) 78 78 + int netlbl_calipso_genl_init(void); 79 79 + #else 80 80 + static inline int netlbl_calipso_genl_init(void) 81 81 + { 82 82 + return 0; 83 83 + } 84 84 + #endif 85 85 + 86 86 + int calipso_doi_add(struct calipso_doi *doi_def, 87 87 + struct netlbl_audit *audit_info); 88 88 + void calipso_doi_free(struct calipso_doi *doi_def); 89 89 + 90 90 + #endif

+1

net/netlabel/netlabel_kapi.c

reviewed

··· 1170 1170 { 1171 1171 return netlbl_audit_start_common(type, audit_info); 1172 1172 } 1173 1173 + EXPORT_SYMBOL(netlbl_audit_start); 1173 1174 1174 1175 /* 1175 1176 * Setup Functions

+9

net/netlabel/netlabel_mgmt.c

reviewed

··· 674 674 goto protocols_return; 675 675 protos_sent++; 676 676 } 677 677 + #if IS_ENABLED(CONFIG_IPV6) 678 678 + if (protos_sent == 2) { 679 679 + if (netlbl_mgmt_protocols_cb(skb, 680 680 + cb, 681 681 + NETLBL_NLTYPE_CALIPSO) < 0) 682 682 + goto protocols_return; 683 683 + protos_sent++; 684 684 + } 685 685 + #endif 677 686 678 687 protocols_return: 679 688 cb->args[0] = protos_sent;

+5

net/netlabel/netlabel_user.c

reviewed

··· 44 44 #include "netlabel_mgmt.h" 45 45 #include "netlabel_unlabeled.h" 46 46 #include "netlabel_cipso_v4.h" 47 47 + #include "netlabel_calipso.h" 47 48 #include "netlabel_user.h" 48 49 49 50 /* ··· 69 68 return ret_val; 70 69 71 70 ret_val = netlbl_cipsov4_genl_init(); 71 71 + if (ret_val != 0) 72 72 + return ret_val; 73 73 + 74 74 + ret_val = netlbl_calipso_genl_init(); 72 75 if (ret_val != 0) 73 76 return ret_val; 74 77