2 * CIPSO - Commercial IP Security Option
4 * This is an implementation of the CIPSO 2.2 protocol as specified in
5 * draft-ietf-cipso-ipsecurity-01.txt with additional tag types as found in
6 * FIPS-188. While CIPSO never became a full IETF RFC standard many vendors
7 * have chosen to adopt the protocol and over the years it has become a
8 * de-facto standard for labeled networking.
10 * The CIPSO draft specification can be found in the kernel's Documentation
11 * directory as well as the following URL:
12 * http://tools.ietf.org/id/draft-ietf-cipso-ipsecurity-01.txt
13 * The FIPS-188 specification can be found at the following URL:
14 * http://www.itl.nist.gov/fipspubs/fip188.htm
16 * Author: Paul Moore <paul.moore@hp.com>
21 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
23 * This program is free software; you can redistribute it and/or modify
24 * it under the terms of the GNU General Public License as published by
25 * the Free Software Foundation; either version 2 of the License, or
26 * (at your option) any later version.
28 * This program is distributed in the hope that it will be useful,
29 * but WITHOUT ANY WARRANTY; without even the implied warranty of
30 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
31 * the GNU General Public License for more details.
33 * You should have received a copy of the GNU General Public License
34 * along with this program; if not, see <http://www.gnu.org/licenses/>.
38 #include <linux/init.h>
39 #include <linux/types.h>
40 #include <linux/rcupdate.h>
41 #include <linux/list.h>
42 #include <linux/spinlock.h>
43 #include <linux/string.h>
44 #include <linux/jhash.h>
45 #include <linux/audit.h>
46 #include <linux/slab.h>
50 #include <net/netlabel.h>
51 #include <net/cipso_ipv4.h>
52 #include <linux/atomic.h>
53 #include <linux/bug.h>
54 #include <asm/unaligned.h>
56 /* List of available DOI definitions */
57 /* XXX - This currently assumes a minimal number of different DOIs in use,
58 * if in practice there are a lot of different DOIs this list should
59 * probably be turned into a hash table or something similar so we
60 * can do quick lookups. */
61 static DEFINE_SPINLOCK(cipso_v4_doi_list_lock);
62 static LIST_HEAD(cipso_v4_doi_list);
64 /* Label mapping cache */
65 int cipso_v4_cache_enabled = 1;
66 int cipso_v4_cache_bucketsize = 10;
67 #define CIPSO_V4_CACHE_BUCKETBITS 7
68 #define CIPSO_V4_CACHE_BUCKETS (1 << CIPSO_V4_CACHE_BUCKETBITS)
69 #define CIPSO_V4_CACHE_REORDERLIMIT 10
70 struct cipso_v4_map_cache_bkt {
73 struct list_head list;
76 struct cipso_v4_map_cache_entry {
81 struct netlbl_lsm_cache *lsm_data;
84 struct list_head list;
87 static struct cipso_v4_map_cache_bkt *cipso_v4_cache;
89 /* Restricted bitmap (tag #1) flags */
90 int cipso_v4_rbm_optfmt = 0;
91 int cipso_v4_rbm_strictvalid = 1;
97 /* Maximum size of the CIPSO IP option, derived from the fact that the maximum
98 * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */
99 #define CIPSO_V4_OPT_LEN_MAX 40
101 /* Length of the base CIPSO option, this includes the option type (1 byte), the
102 * option length (1 byte), and the DOI (4 bytes). */
103 #define CIPSO_V4_HDR_LEN 6
105 /* Base length of the restrictive category bitmap tag (tag #1). */
106 #define CIPSO_V4_TAG_RBM_BLEN 4
108 /* Base length of the enumerated category tag (tag #2). */
109 #define CIPSO_V4_TAG_ENUM_BLEN 4
111 /* Base length of the ranged categories bitmap tag (tag #5). */
112 #define CIPSO_V4_TAG_RNG_BLEN 4
113 /* The maximum number of category ranges permitted in the ranged category tag
114 * (tag #5). You may note that the IETF draft states that the maximum number
115 * of category ranges is 7, but if the low end of the last category range is
116 * zero then it is possible to fit 8 category ranges because the zero should
118 #define CIPSO_V4_TAG_RNG_CAT_MAX 8
120 /* Base length of the local tag (non-standard tag).
121 * Tag definition (may change between kernel versions)
124 * +----------+----------+----------+----------+
125 * | 10000000 | 00000110 | 32-bit secid value |
126 * +----------+----------+----------+----------+
127 * | in (host byte order)|
128 * +----------+----------+
131 #define CIPSO_V4_TAG_LOC_BLEN 6
138 * cipso_v4_cache_entry_free - Frees a cache entry
139 * @entry: the entry to free
142 * This function frees the memory associated with a cache entry including the
143 * LSM cache data if there are no longer any users, i.e. reference count == 0.
146 static void cipso_v4_cache_entry_free(struct cipso_v4_map_cache_entry *entry)
149 netlbl_secattr_cache_free(entry->lsm_data);
155 * cipso_v4_map_cache_hash - Hashing function for the CIPSO cache
157 * @key_len: the length of the key in bytes
160 * The CIPSO tag hashing function. Returns a 32-bit hash value.
163 static u32 cipso_v4_map_cache_hash(const unsigned char *key, u32 key_len)
165 return jhash(key, key_len, 0);
169 * Label Mapping Cache Functions
173 * cipso_v4_cache_init - Initialize the CIPSO cache
176 * Initializes the CIPSO label mapping cache, this function should be called
177 * before any of the other functions defined in this file. Returns zero on
178 * success, negative values on error.
181 static int __init cipso_v4_cache_init(void)
185 cipso_v4_cache = kcalloc(CIPSO_V4_CACHE_BUCKETS,
186 sizeof(struct cipso_v4_map_cache_bkt),
191 for (iter = 0; iter < CIPSO_V4_CACHE_BUCKETS; iter++) {
192 spin_lock_init(&cipso_v4_cache[iter].lock);
193 cipso_v4_cache[iter].size = 0;
194 INIT_LIST_HEAD(&cipso_v4_cache[iter].list);
201 * cipso_v4_cache_invalidate - Invalidates the current CIPSO cache
204 * Invalidates and frees any entries in the CIPSO cache. Returns zero on
205 * success and negative values on failure.
208 void cipso_v4_cache_invalidate(void)
210 struct cipso_v4_map_cache_entry *entry, *tmp_entry;
213 for (iter = 0; iter < CIPSO_V4_CACHE_BUCKETS; iter++) {
214 spin_lock_bh(&cipso_v4_cache[iter].lock);
215 list_for_each_entry_safe(entry,
217 &cipso_v4_cache[iter].list, list) {
218 list_del(&entry->list);
219 cipso_v4_cache_entry_free(entry);
221 cipso_v4_cache[iter].size = 0;
222 spin_unlock_bh(&cipso_v4_cache[iter].lock);
227 * cipso_v4_cache_check - Check the CIPSO cache for a label mapping
228 * @key: the buffer to check
229 * @key_len: buffer length in bytes
230 * @secattr: the security attribute struct to use
233 * This function checks the cache to see if a label mapping already exists for
234 * the given key. If there is a match then the cache is adjusted and the
235 * @secattr struct is populated with the correct LSM security attributes. The
236 * cache is adjusted in the following manner if the entry is not already the
237 * first in the cache bucket:
239 * 1. The cache entry's activity counter is incremented
240 * 2. The previous (higher ranking) entry's activity counter is decremented
241 * 3. If the difference between the two activity counters is geater than
242 * CIPSO_V4_CACHE_REORDERLIMIT the two entries are swapped
244 * Returns zero on success, -ENOENT for a cache miss, and other negative values
248 static int cipso_v4_cache_check(const unsigned char *key,
250 struct netlbl_lsm_secattr *secattr)
253 struct cipso_v4_map_cache_entry *entry;
254 struct cipso_v4_map_cache_entry *prev_entry = NULL;
257 if (!READ_ONCE(cipso_v4_cache_enabled))
260 hash = cipso_v4_map_cache_hash(key, key_len);
261 bkt = hash & (CIPSO_V4_CACHE_BUCKETS - 1);
262 spin_lock_bh(&cipso_v4_cache[bkt].lock);
263 list_for_each_entry(entry, &cipso_v4_cache[bkt].list, list) {
264 if (entry->hash == hash &&
265 entry->key_len == key_len &&
266 memcmp(entry->key, key, key_len) == 0) {
267 entry->activity += 1;
268 refcount_inc(&entry->lsm_data->refcount);
269 secattr->cache = entry->lsm_data;
270 secattr->flags |= NETLBL_SECATTR_CACHE;
271 secattr->type = NETLBL_NLTYPE_CIPSOV4;
273 spin_unlock_bh(&cipso_v4_cache[bkt].lock);
277 if (prev_entry->activity > 0)
278 prev_entry->activity -= 1;
279 if (entry->activity > prev_entry->activity &&
280 entry->activity - prev_entry->activity >
281 CIPSO_V4_CACHE_REORDERLIMIT) {
282 __list_del(entry->list.prev, entry->list.next);
283 __list_add(&entry->list,
284 prev_entry->list.prev,
288 spin_unlock_bh(&cipso_v4_cache[bkt].lock);
293 spin_unlock_bh(&cipso_v4_cache[bkt].lock);
299 * cipso_v4_cache_add - Add an entry to the CIPSO cache
301 * @secattr: the packet's security attributes
304 * Add a new entry into the CIPSO label mapping cache. Add the new entry to
305 * head of the cache bucket's list, if the cache bucket is out of room remove
306 * the last entry in the list first. It is important to note that there is
307 * currently no checking for duplicate keys. Returns zero on success,
308 * negative values on failure.
311 int cipso_v4_cache_add(const unsigned char *cipso_ptr,
312 const struct netlbl_lsm_secattr *secattr)
314 int bkt_size = READ_ONCE(cipso_v4_cache_bucketsize);
315 int ret_val = -EPERM;
317 struct cipso_v4_map_cache_entry *entry = NULL;
318 struct cipso_v4_map_cache_entry *old_entry = NULL;
321 if (!READ_ONCE(cipso_v4_cache_enabled) || bkt_size <= 0)
324 cipso_ptr_len = cipso_ptr[1];
326 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
329 entry->key = kmemdup(cipso_ptr, cipso_ptr_len, GFP_ATOMIC);
332 goto cache_add_failure;
334 entry->key_len = cipso_ptr_len;
335 entry->hash = cipso_v4_map_cache_hash(cipso_ptr, cipso_ptr_len);
336 refcount_inc(&secattr->cache->refcount);
337 entry->lsm_data = secattr->cache;
339 bkt = entry->hash & (CIPSO_V4_CACHE_BUCKETS - 1);
340 spin_lock_bh(&cipso_v4_cache[bkt].lock);
341 if (cipso_v4_cache[bkt].size < bkt_size) {
342 list_add(&entry->list, &cipso_v4_cache[bkt].list);
343 cipso_v4_cache[bkt].size += 1;
345 old_entry = list_entry(cipso_v4_cache[bkt].list.prev,
346 struct cipso_v4_map_cache_entry, list);
347 list_del(&old_entry->list);
348 list_add(&entry->list, &cipso_v4_cache[bkt].list);
349 cipso_v4_cache_entry_free(old_entry);
351 spin_unlock_bh(&cipso_v4_cache[bkt].lock);
357 cipso_v4_cache_entry_free(entry);
366 * cipso_v4_doi_search - Searches for a DOI definition
367 * @doi: the DOI to search for
370 * Search the DOI definition list for a DOI definition with a DOI value that
371 * matches @doi. The caller is responsible for calling rcu_read_[un]lock().
372 * Returns a pointer to the DOI definition on success and NULL on failure.
374 static struct cipso_v4_doi *cipso_v4_doi_search(u32 doi)
376 struct cipso_v4_doi *iter;
378 list_for_each_entry_rcu(iter, &cipso_v4_doi_list, list)
379 if (iter->doi == doi && refcount_read(&iter->refcount))
385 * cipso_v4_doi_add - Add a new DOI to the CIPSO protocol engine
386 * @doi_def: the DOI structure
387 * @audit_info: NetLabel audit information
390 * The caller defines a new DOI for use by the CIPSO engine and calls this
391 * function to add it to the list of acceptable domains. The caller must
392 * ensure that the mapping table specified in @doi_def->map meets all of the
393 * requirements of the mapping type (see cipso_ipv4.h for details). Returns
394 * zero on success and non-zero on failure.
397 int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
398 struct netlbl_audit *audit_info)
400 int ret_val = -EINVAL;
404 struct audit_buffer *audit_buf;
407 doi_type = doi_def->type;
409 if (doi_def->doi == CIPSO_V4_DOI_UNKNOWN)
411 for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) {
412 switch (doi_def->tags[iter]) {
413 case CIPSO_V4_TAG_RBITMAP:
415 case CIPSO_V4_TAG_RANGE:
416 case CIPSO_V4_TAG_ENUM:
417 if (doi_def->type != CIPSO_V4_MAP_PASS)
420 case CIPSO_V4_TAG_LOCAL:
421 if (doi_def->type != CIPSO_V4_MAP_LOCAL)
424 case CIPSO_V4_TAG_INVALID:
433 refcount_set(&doi_def->refcount, 1);
435 spin_lock(&cipso_v4_doi_list_lock);
436 if (cipso_v4_doi_search(doi_def->doi)) {
437 spin_unlock(&cipso_v4_doi_list_lock);
441 list_add_tail_rcu(&doi_def->list, &cipso_v4_doi_list);
442 spin_unlock(&cipso_v4_doi_list_lock);
446 audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_ADD, audit_info);
448 const char *type_str;
450 case CIPSO_V4_MAP_TRANS:
453 case CIPSO_V4_MAP_PASS:
456 case CIPSO_V4_MAP_LOCAL:
460 type_str = "(unknown)";
462 audit_log_format(audit_buf,
463 " cipso_doi=%u cipso_type=%s res=%u",
464 doi, type_str, ret_val == 0 ? 1 : 0);
465 audit_log_end(audit_buf);
472 * cipso_v4_doi_free - Frees a DOI definition
473 * @doi_def: the DOI definition
476 * This function frees all of the memory associated with a DOI definition.
479 void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
484 switch (doi_def->type) {
485 case CIPSO_V4_MAP_TRANS:
486 kfree(doi_def->map.std->lvl.cipso);
487 kfree(doi_def->map.std->lvl.local);
488 kfree(doi_def->map.std->cat.cipso);
489 kfree(doi_def->map.std->cat.local);
490 kfree(doi_def->map.std);
497 * cipso_v4_doi_free_rcu - Frees a DOI definition via the RCU pointer
498 * @entry: the entry's RCU field
501 * This function is designed to be used as a callback to the call_rcu()
502 * function so that the memory allocated to the DOI definition can be released
506 static void cipso_v4_doi_free_rcu(struct rcu_head *entry)
508 struct cipso_v4_doi *doi_def;
510 doi_def = container_of(entry, struct cipso_v4_doi, rcu);
511 cipso_v4_doi_free(doi_def);
515 * cipso_v4_doi_remove - Remove an existing DOI from the CIPSO protocol engine
516 * @doi: the DOI value
517 * @audit_secid: the LSM secid to use in the audit message
520 * Removes a DOI definition from the CIPSO engine. The NetLabel routines will
521 * be called to release their own LSM domain mappings as well as our own
522 * domain list. Returns zero on success and negative values on failure.
525 int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info)
528 struct cipso_v4_doi *doi_def;
529 struct audit_buffer *audit_buf;
531 spin_lock(&cipso_v4_doi_list_lock);
532 doi_def = cipso_v4_doi_search(doi);
534 spin_unlock(&cipso_v4_doi_list_lock);
536 goto doi_remove_return;
538 list_del_rcu(&doi_def->list);
539 spin_unlock(&cipso_v4_doi_list_lock);
541 cipso_v4_doi_putdef(doi_def);
545 audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_DEL, audit_info);
547 audit_log_format(audit_buf,
548 " cipso_doi=%u res=%u",
549 doi, ret_val == 0 ? 1 : 0);
550 audit_log_end(audit_buf);
557 * cipso_v4_doi_getdef - Returns a reference to a valid DOI definition
558 * @doi: the DOI value
561 * Searches for a valid DOI definition and if one is found it is returned to
562 * the caller. Otherwise NULL is returned. The caller must ensure that
563 * rcu_read_lock() is held while accessing the returned definition and the DOI
564 * definition reference count is decremented when the caller is done.
567 struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
569 struct cipso_v4_doi *doi_def;
572 doi_def = cipso_v4_doi_search(doi);
574 goto doi_getdef_return;
575 if (!refcount_inc_not_zero(&doi_def->refcount))
584 * cipso_v4_doi_putdef - Releases a reference for the given DOI definition
585 * @doi_def: the DOI definition
588 * Releases a DOI definition reference obtained from cipso_v4_doi_getdef().
591 void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def)
596 if (!refcount_dec_and_test(&doi_def->refcount))
599 cipso_v4_cache_invalidate();
600 call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);
604 * cipso_v4_doi_walk - Iterate through the DOI definitions
605 * @skip_cnt: skip past this number of DOI definitions, updated
606 * @callback: callback for each DOI definition
607 * @cb_arg: argument for the callback function
610 * Iterate over the DOI definition list, skipping the first @skip_cnt entries.
611 * For each entry call @callback, if @callback returns a negative value stop
612 * 'walking' through the list and return. Updates the value in @skip_cnt upon
613 * return. Returns zero on success, negative values on failure.
616 int cipso_v4_doi_walk(u32 *skip_cnt,
617 int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
620 int ret_val = -ENOENT;
622 struct cipso_v4_doi *iter_doi;
625 list_for_each_entry_rcu(iter_doi, &cipso_v4_doi_list, list)
626 if (refcount_read(&iter_doi->refcount) > 0) {
627 if (doi_cnt++ < *skip_cnt)
629 ret_val = callback(iter_doi, cb_arg);
632 goto doi_walk_return;
643 * Label Mapping Functions
647 * cipso_v4_map_lvl_valid - Checks to see if the given level is understood
648 * @doi_def: the DOI definition
649 * @level: the level to check
652 * Checks the given level against the given DOI definition and returns a
653 * negative value if the level does not have a valid mapping and a zero value
654 * if the level is defined by the DOI.
657 static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def, u8 level)
659 switch (doi_def->type) {
660 case CIPSO_V4_MAP_PASS:
662 case CIPSO_V4_MAP_TRANS:
663 if ((level < doi_def->map.std->lvl.cipso_size) &&
664 (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL))
673 * cipso_v4_map_lvl_hton - Perform a level mapping from the host to the network
674 * @doi_def: the DOI definition
675 * @host_lvl: the host MLS level
676 * @net_lvl: the network/CIPSO MLS level
679 * Perform a label mapping to translate a local MLS level to the correct
680 * CIPSO level using the given DOI definition. Returns zero on success,
681 * negative values otherwise.
684 static int cipso_v4_map_lvl_hton(const struct cipso_v4_doi *doi_def,
688 switch (doi_def->type) {
689 case CIPSO_V4_MAP_PASS:
692 case CIPSO_V4_MAP_TRANS:
693 if (host_lvl < doi_def->map.std->lvl.local_size &&
694 doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
695 *net_lvl = doi_def->map.std->lvl.local[host_lvl];
705 * cipso_v4_map_lvl_ntoh - Perform a level mapping from the network to the host
706 * @doi_def: the DOI definition
707 * @net_lvl: the network/CIPSO MLS level
708 * @host_lvl: the host MLS level
711 * Perform a label mapping to translate a CIPSO level to the correct local MLS
712 * level using the given DOI definition. Returns zero on success, negative
716 static int cipso_v4_map_lvl_ntoh(const struct cipso_v4_doi *doi_def,
720 struct cipso_v4_std_map_tbl *map_tbl;
722 switch (doi_def->type) {
723 case CIPSO_V4_MAP_PASS:
726 case CIPSO_V4_MAP_TRANS:
727 map_tbl = doi_def->map.std;
728 if (net_lvl < map_tbl->lvl.cipso_size &&
729 map_tbl->lvl.cipso[net_lvl] < CIPSO_V4_INV_LVL) {
730 *host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
740 * cipso_v4_map_cat_rbm_valid - Checks to see if the category bitmap is valid
741 * @doi_def: the DOI definition
742 * @bitmap: category bitmap
743 * @bitmap_len: bitmap length in bytes
746 * Checks the given category bitmap against the given DOI definition and
747 * returns a negative value if any of the categories in the bitmap do not have
748 * a valid mapping and a zero value if all of the categories are valid.
751 static int cipso_v4_map_cat_rbm_valid(const struct cipso_v4_doi *doi_def,
752 const unsigned char *bitmap,
756 u32 bitmap_len_bits = bitmap_len * 8;
760 switch (doi_def->type) {
761 case CIPSO_V4_MAP_PASS:
763 case CIPSO_V4_MAP_TRANS:
764 cipso_cat_size = doi_def->map.std->cat.cipso_size;
765 cipso_array = doi_def->map.std->cat.cipso;
767 cat = netlbl_bitmap_walk(bitmap,
773 if (cat >= cipso_cat_size ||
774 cipso_array[cat] >= CIPSO_V4_INV_CAT)
787 * cipso_v4_map_cat_rbm_hton - Perform a category mapping from host to network
788 * @doi_def: the DOI definition
789 * @secattr: the security attributes
790 * @net_cat: the zero'd out category bitmap in network/CIPSO format
791 * @net_cat_len: the length of the CIPSO bitmap in bytes
794 * Perform a label mapping to translate a local MLS category bitmap to the
795 * correct CIPSO bitmap using the given DOI definition. Returns the minimum
796 * size in bytes of the network bitmap on success, negative values otherwise.
799 static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def,
800 const struct netlbl_lsm_secattr *secattr,
801 unsigned char *net_cat,
805 u32 net_spot = CIPSO_V4_INV_CAT;
806 u32 net_spot_max = 0;
807 u32 net_clen_bits = net_cat_len * 8;
808 u32 host_cat_size = 0;
809 u32 *host_cat_array = NULL;
811 if (doi_def->type == CIPSO_V4_MAP_TRANS) {
812 host_cat_size = doi_def->map.std->cat.local_size;
813 host_cat_array = doi_def->map.std->cat.local;
817 host_spot = netlbl_catmap_walk(secattr->attr.mls.cat,
822 switch (doi_def->type) {
823 case CIPSO_V4_MAP_PASS:
824 net_spot = host_spot;
826 case CIPSO_V4_MAP_TRANS:
827 if (host_spot >= host_cat_size)
829 net_spot = host_cat_array[host_spot];
830 if (net_spot >= CIPSO_V4_INV_CAT)
834 if (net_spot >= net_clen_bits)
836 netlbl_bitmap_setbit(net_cat, net_spot, 1);
838 if (net_spot > net_spot_max)
839 net_spot_max = net_spot;
842 if (++net_spot_max % 8)
843 return net_spot_max / 8 + 1;
844 return net_spot_max / 8;
848 * cipso_v4_map_cat_rbm_ntoh - Perform a category mapping from network to host
849 * @doi_def: the DOI definition
850 * @net_cat: the category bitmap in network/CIPSO format
851 * @net_cat_len: the length of the CIPSO bitmap in bytes
852 * @secattr: the security attributes
855 * Perform a label mapping to translate a CIPSO bitmap to the correct local
856 * MLS category bitmap using the given DOI definition. Returns zero on
857 * success, negative values on failure.
860 static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def,
861 const unsigned char *net_cat,
863 struct netlbl_lsm_secattr *secattr)
867 u32 host_spot = CIPSO_V4_INV_CAT;
868 u32 net_clen_bits = net_cat_len * 8;
869 u32 net_cat_size = 0;
870 u32 *net_cat_array = NULL;
872 if (doi_def->type == CIPSO_V4_MAP_TRANS) {
873 net_cat_size = doi_def->map.std->cat.cipso_size;
874 net_cat_array = doi_def->map.std->cat.cipso;
878 net_spot = netlbl_bitmap_walk(net_cat,
888 switch (doi_def->type) {
889 case CIPSO_V4_MAP_PASS:
890 host_spot = net_spot;
892 case CIPSO_V4_MAP_TRANS:
893 if (net_spot >= net_cat_size)
895 host_spot = net_cat_array[net_spot];
896 if (host_spot >= CIPSO_V4_INV_CAT)
900 ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat,
911 * cipso_v4_map_cat_enum_valid - Checks to see if the categories are valid
912 * @doi_def: the DOI definition
913 * @enumcat: category list
914 * @enumcat_len: length of the category list in bytes
917 * Checks the given categories against the given DOI definition and returns a
918 * negative value if any of the categories do not have a valid mapping and a
919 * zero value if all of the categories are valid.
922 static int cipso_v4_map_cat_enum_valid(const struct cipso_v4_doi *doi_def,
923 const unsigned char *enumcat,
930 if (doi_def->type != CIPSO_V4_MAP_PASS || enumcat_len & 0x01)
933 for (iter = 0; iter < enumcat_len; iter += 2) {
934 cat = get_unaligned_be16(&enumcat[iter]);
944 * cipso_v4_map_cat_enum_hton - Perform a category mapping from host to network
945 * @doi_def: the DOI definition
946 * @secattr: the security attributes
947 * @net_cat: the zero'd out category list in network/CIPSO format
948 * @net_cat_len: the length of the CIPSO category list in bytes
951 * Perform a label mapping to translate a local MLS category bitmap to the
952 * correct CIPSO category list using the given DOI definition. Returns the
953 * size in bytes of the network category bitmap on success, negative values
957 static int cipso_v4_map_cat_enum_hton(const struct cipso_v4_doi *doi_def,
958 const struct netlbl_lsm_secattr *secattr,
959 unsigned char *net_cat,
966 cat = netlbl_catmap_walk(secattr->attr.mls.cat, cat + 1);
969 if ((cat_iter + 2) > net_cat_len)
972 *((__be16 *)&net_cat[cat_iter]) = htons(cat);
980 * cipso_v4_map_cat_enum_ntoh - Perform a category mapping from network to host
981 * @doi_def: the DOI definition
982 * @net_cat: the category list in network/CIPSO format
983 * @net_cat_len: the length of the CIPSO bitmap in bytes
984 * @secattr: the security attributes
987 * Perform a label mapping to translate a CIPSO category list to the correct
988 * local MLS category bitmap using the given DOI definition. Returns zero on
989 * success, negative values on failure.
992 static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def,
993 const unsigned char *net_cat,
995 struct netlbl_lsm_secattr *secattr)
1000 for (iter = 0; iter < net_cat_len; iter += 2) {
1001 ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat,
1002 get_unaligned_be16(&net_cat[iter]),
1012 * cipso_v4_map_cat_rng_valid - Checks to see if the categories are valid
1013 * @doi_def: the DOI definition
1014 * @rngcat: category list
1015 * @rngcat_len: length of the category list in bytes
1018 * Checks the given categories against the given DOI definition and returns a
1019 * negative value if any of the categories do not have a valid mapping and a
1020 * zero value if all of the categories are valid.
1023 static int cipso_v4_map_cat_rng_valid(const struct cipso_v4_doi *doi_def,
1024 const unsigned char *rngcat,
1029 u32 cat_prev = CIPSO_V4_MAX_REM_CATS + 1;
1032 if (doi_def->type != CIPSO_V4_MAP_PASS || rngcat_len & 0x01)
1035 for (iter = 0; iter < rngcat_len; iter += 4) {
1036 cat_high = get_unaligned_be16(&rngcat[iter]);
1037 if ((iter + 4) <= rngcat_len)
1038 cat_low = get_unaligned_be16(&rngcat[iter + 2]);
1042 if (cat_high > cat_prev)
1052 * cipso_v4_map_cat_rng_hton - Perform a category mapping from host to network
1053 * @doi_def: the DOI definition
1054 * @secattr: the security attributes
1055 * @net_cat: the zero'd out category list in network/CIPSO format
1056 * @net_cat_len: the length of the CIPSO category list in bytes
1059 * Perform a label mapping to translate a local MLS category bitmap to the
1060 * correct CIPSO category list using the given DOI definition. Returns the
1061 * size in bytes of the network category bitmap on success, negative values
1065 static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
1066 const struct netlbl_lsm_secattr *secattr,
1067 unsigned char *net_cat,
1071 u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2];
1075 /* make sure we don't overflow the 'array[]' variable */
1077 (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN))
1081 iter = netlbl_catmap_walk(secattr->attr.mls.cat, iter + 1);
1084 cat_size += (iter == 0 ? 0 : sizeof(u16));
1085 if (cat_size > net_cat_len)
1087 array[array_cnt++] = iter;
1089 iter = netlbl_catmap_walkrng(secattr->attr.mls.cat, iter);
1092 cat_size += sizeof(u16);
1093 if (cat_size > net_cat_len)
1095 array[array_cnt++] = iter;
1098 for (iter = 0; array_cnt > 0;) {
1099 *((__be16 *)&net_cat[iter]) = htons(array[--array_cnt]);
1102 if (array[array_cnt] != 0) {
1103 *((__be16 *)&net_cat[iter]) = htons(array[array_cnt]);
1112 * cipso_v4_map_cat_rng_ntoh - Perform a category mapping from network to host
1113 * @doi_def: the DOI definition
1114 * @net_cat: the category list in network/CIPSO format
1115 * @net_cat_len: the length of the CIPSO bitmap in bytes
1116 * @secattr: the security attributes
1119 * Perform a label mapping to translate a CIPSO category list to the correct
1120 * local MLS category bitmap using the given DOI definition. Returns zero on
1121 * success, negative values on failure.
1124 static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,
1125 const unsigned char *net_cat,
1127 struct netlbl_lsm_secattr *secattr)
1134 for (net_iter = 0; net_iter < net_cat_len; net_iter += 4) {
1135 cat_high = get_unaligned_be16(&net_cat[net_iter]);
1136 if ((net_iter + 4) <= net_cat_len)
1137 cat_low = get_unaligned_be16(&net_cat[net_iter + 2]);
1141 ret_val = netlbl_catmap_setrng(&secattr->attr.mls.cat,
1153 * Protocol Handling Functions
1157 * cipso_v4_gentag_hdr - Generate a CIPSO option header
1158 * @doi_def: the DOI definition
1159 * @len: the total tag length in bytes, not including this header
1160 * @buf: the CIPSO option buffer
1163 * Write a CIPSO header into the beginning of @buffer.
1166 static void cipso_v4_gentag_hdr(const struct cipso_v4_doi *doi_def,
1170 buf[0] = IPOPT_CIPSO;
1171 buf[1] = CIPSO_V4_HDR_LEN + len;
1172 *(__be32 *)&buf[2] = htonl(doi_def->doi);
1176 * cipso_v4_gentag_rbm - Generate a CIPSO restricted bitmap tag (type #1)
1177 * @doi_def: the DOI definition
1178 * @secattr: the security attributes
1179 * @buffer: the option buffer
1180 * @buffer_len: length of buffer in bytes
1183 * Generate a CIPSO option using the restricted bitmap tag, tag type #1. The
1184 * actual buffer length may be larger than the indicated size due to
1185 * translation between host and network category bitmaps. Returns the size of
1186 * the tag on success, negative values on failure.
1189 static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
1190 const struct netlbl_lsm_secattr *secattr,
1191 unsigned char *buffer,
1198 if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
1201 ret_val = cipso_v4_map_lvl_hton(doi_def,
1202 secattr->attr.mls.lvl,
1207 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
1208 ret_val = cipso_v4_map_cat_rbm_hton(doi_def,
1215 /* This will send packets using the "optimized" format when
1216 * possible as specified in section 3.4.2.6 of the
1218 if (READ_ONCE(cipso_v4_rbm_optfmt) && ret_val > 0 &&
1222 tag_len = 4 + ret_val;
1226 buffer[0] = CIPSO_V4_TAG_RBITMAP;
1227 buffer[1] = tag_len;
1234 * cipso_v4_parsetag_rbm - Parse a CIPSO restricted bitmap tag
1235 * @doi_def: the DOI definition
1236 * @tag: the CIPSO tag
1237 * @secattr: the security attributes
1240 * Parse a CIPSO restricted bitmap tag (tag type #1) and return the security
1241 * attributes in @secattr. Return zero on success, negatives values on
1245 static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
1246 const unsigned char *tag,
1247 struct netlbl_lsm_secattr *secattr)
1250 u8 tag_len = tag[1];
1253 ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);
1256 secattr->attr.mls.lvl = level;
1257 secattr->flags |= NETLBL_SECATTR_MLS_LVL;
1260 ret_val = cipso_v4_map_cat_rbm_ntoh(doi_def,
1265 netlbl_catmap_free(secattr->attr.mls.cat);
1269 if (secattr->attr.mls.cat)
1270 secattr->flags |= NETLBL_SECATTR_MLS_CAT;
1277 * cipso_v4_gentag_enum - Generate a CIPSO enumerated tag (type #2)
1278 * @doi_def: the DOI definition
1279 * @secattr: the security attributes
1280 * @buffer: the option buffer
1281 * @buffer_len: length of buffer in bytes
1284 * Generate a CIPSO option using the enumerated tag, tag type #2. Returns the
1285 * size of the tag on success, negative values on failure.
1288 static int cipso_v4_gentag_enum(const struct cipso_v4_doi *doi_def,
1289 const struct netlbl_lsm_secattr *secattr,
1290 unsigned char *buffer,
1297 if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL))
1300 ret_val = cipso_v4_map_lvl_hton(doi_def,
1301 secattr->attr.mls.lvl,
1306 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
1307 ret_val = cipso_v4_map_cat_enum_hton(doi_def,
1314 tag_len = 4 + ret_val;
1318 buffer[0] = CIPSO_V4_TAG_ENUM;
1319 buffer[1] = tag_len;
1326 * cipso_v4_parsetag_enum - Parse a CIPSO enumerated tag
1327 * @doi_def: the DOI definition
1328 * @tag: the CIPSO tag
1329 * @secattr: the security attributes
1332 * Parse a CIPSO enumerated tag (tag type #2) and return the security
1333 * attributes in @secattr. Return zero on success, negatives values on
1337 static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def,
1338 const unsigned char *tag,
1339 struct netlbl_lsm_secattr *secattr)
1342 u8 tag_len = tag[1];
1345 ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);
1348 secattr->attr.mls.lvl = level;
1349 secattr->flags |= NETLBL_SECATTR_MLS_LVL;
1352 ret_val = cipso_v4_map_cat_enum_ntoh(doi_def,
1357 netlbl_catmap_free(secattr->attr.mls.cat);
1361 secattr->flags |= NETLBL_SECATTR_MLS_CAT;
1368 * cipso_v4_gentag_rng - Generate a CIPSO ranged tag (type #5)
1369 * @doi_def: the DOI definition
1370 * @secattr: the security attributes
1371 * @buffer: the option buffer
1372 * @buffer_len: length of buffer in bytes
1375 * Generate a CIPSO option using the ranged tag, tag type #5. Returns the
1376 * size of the tag on success, negative values on failure.
1379 static int cipso_v4_gentag_rng(const struct cipso_v4_doi *doi_def,
1380 const struct netlbl_lsm_secattr *secattr,
1381 unsigned char *buffer,
1388 if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL))
1391 ret_val = cipso_v4_map_lvl_hton(doi_def,
1392 secattr->attr.mls.lvl,
1397 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
1398 ret_val = cipso_v4_map_cat_rng_hton(doi_def,
1405 tag_len = 4 + ret_val;
1409 buffer[0] = CIPSO_V4_TAG_RANGE;
1410 buffer[1] = tag_len;
1417 * cipso_v4_parsetag_rng - Parse a CIPSO ranged tag
1418 * @doi_def: the DOI definition
1419 * @tag: the CIPSO tag
1420 * @secattr: the security attributes
1423 * Parse a CIPSO ranged tag (tag type #5) and return the security attributes
1424 * in @secattr. Return zero on success, negatives values on failure.
1427 static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
1428 const unsigned char *tag,
1429 struct netlbl_lsm_secattr *secattr)
1432 u8 tag_len = tag[1];
1435 ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);
1438 secattr->attr.mls.lvl = level;
1439 secattr->flags |= NETLBL_SECATTR_MLS_LVL;
1442 ret_val = cipso_v4_map_cat_rng_ntoh(doi_def,
1447 netlbl_catmap_free(secattr->attr.mls.cat);
1451 if (secattr->attr.mls.cat)
1452 secattr->flags |= NETLBL_SECATTR_MLS_CAT;
1459 * cipso_v4_gentag_loc - Generate a CIPSO local tag (non-standard)
1460 * @doi_def: the DOI definition
1461 * @secattr: the security attributes
1462 * @buffer: the option buffer
1463 * @buffer_len: length of buffer in bytes
1466 * Generate a CIPSO option using the local tag. Returns the size of the tag
1467 * on success, negative values on failure.
1470 static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def,
1471 const struct netlbl_lsm_secattr *secattr,
1472 unsigned char *buffer,
1475 if (!(secattr->flags & NETLBL_SECATTR_SECID))
1478 buffer[0] = CIPSO_V4_TAG_LOCAL;
1479 buffer[1] = CIPSO_V4_TAG_LOC_BLEN;
1480 *(u32 *)&buffer[2] = secattr->attr.secid;
1482 return CIPSO_V4_TAG_LOC_BLEN;
1486 * cipso_v4_parsetag_loc - Parse a CIPSO local tag
1487 * @doi_def: the DOI definition
1488 * @tag: the CIPSO tag
1489 * @secattr: the security attributes
1492 * Parse a CIPSO local tag and return the security attributes in @secattr.
1493 * Return zero on success, negatives values on failure.
1496 static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,
1497 const unsigned char *tag,
1498 struct netlbl_lsm_secattr *secattr)
1500 secattr->attr.secid = *(u32 *)&tag[2];
1501 secattr->flags |= NETLBL_SECATTR_SECID;
1507 * cipso_v4_optptr - Find the CIPSO option in the packet
1511 * Parse the packet's IP header looking for a CIPSO option. Returns a pointer
1512 * to the start of the CIPSO option on success, NULL if one is not found.
1515 unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
1517 const struct iphdr *iph = ip_hdr(skb);
1518 unsigned char *optptr = (unsigned char *)&(ip_hdr(skb)[1]);
1522 for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) {
1523 switch (optptr[0]) {
1532 if (!taglen || taglen > optlen)
1534 if (optptr[0] == IPOPT_CIPSO)
1545 * cipso_v4_validate - Validate a CIPSO option
1546 * @option: the start of the option, on error it is set to point to the error
1549 * This routine is called to validate a CIPSO option, it checks all of the
1550 * fields to ensure that they are at least valid, see the draft snippet below
1551 * for details. If the option is valid then a zero value is returned and
1552 * the value of @option is unchanged. If the option is invalid then a
1553 * non-zero value is returned and @option is adjusted to point to the
1554 * offending portion of the option. From the IETF draft ...
1556 * "If any field within the CIPSO options, such as the DOI identifier, is not
1557 * recognized the IP datagram is discarded and an ICMP 'parameter problem'
1558 * (type 12) is generated and returned. The ICMP code field is set to 'bad
1559 * parameter' (code 0) and the pointer is set to the start of the CIPSO field
1560 * that is unrecognized."
1563 int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option)
1565 unsigned char *opt = *option;
1567 unsigned char opt_iter;
1568 unsigned char err_offset = 0;
1571 struct cipso_v4_doi *doi_def = NULL;
1574 /* caller already checks for length values that are too large */
1578 goto validate_return;
1582 doi_def = cipso_v4_doi_search(get_unaligned_be32(&opt[2]));
1585 goto validate_return_locked;
1588 opt_iter = CIPSO_V4_HDR_LEN;
1589 tag = opt + opt_iter;
1590 while (opt_iter < opt_len) {
1591 for (tag_iter = 0; doi_def->tags[tag_iter] != tag[0];)
1592 if (doi_def->tags[tag_iter] == CIPSO_V4_TAG_INVALID ||
1593 ++tag_iter == CIPSO_V4_TAG_MAXCNT) {
1594 err_offset = opt_iter;
1595 goto validate_return_locked;
1598 if (opt_iter + 1 == opt_len) {
1599 err_offset = opt_iter;
1600 goto validate_return_locked;
1603 if (tag_len > (opt_len - opt_iter)) {
1604 err_offset = opt_iter + 1;
1605 goto validate_return_locked;
1609 case CIPSO_V4_TAG_RBITMAP:
1610 if (tag_len < CIPSO_V4_TAG_RBM_BLEN) {
1611 err_offset = opt_iter + 1;
1612 goto validate_return_locked;
1615 /* We are already going to do all the verification
1616 * necessary at the socket layer so from our point of
1617 * view it is safe to turn these checks off (and less
1618 * work), however, the CIPSO draft says we should do
1619 * all the CIPSO validations here but it doesn't
1620 * really specify _exactly_ what we need to validate
1621 * ... so, just make it a sysctl tunable. */
1622 if (READ_ONCE(cipso_v4_rbm_strictvalid)) {
1623 if (cipso_v4_map_lvl_valid(doi_def,
1625 err_offset = opt_iter + 3;
1626 goto validate_return_locked;
1628 if (tag_len > CIPSO_V4_TAG_RBM_BLEN &&
1629 cipso_v4_map_cat_rbm_valid(doi_def,
1632 err_offset = opt_iter + 4;
1633 goto validate_return_locked;
1637 case CIPSO_V4_TAG_ENUM:
1638 if (tag_len < CIPSO_V4_TAG_ENUM_BLEN) {
1639 err_offset = opt_iter + 1;
1640 goto validate_return_locked;
1643 if (cipso_v4_map_lvl_valid(doi_def,
1645 err_offset = opt_iter + 3;
1646 goto validate_return_locked;
1648 if (tag_len > CIPSO_V4_TAG_ENUM_BLEN &&
1649 cipso_v4_map_cat_enum_valid(doi_def,
1652 err_offset = opt_iter + 4;
1653 goto validate_return_locked;
1656 case CIPSO_V4_TAG_RANGE:
1657 if (tag_len < CIPSO_V4_TAG_RNG_BLEN) {
1658 err_offset = opt_iter + 1;
1659 goto validate_return_locked;
1662 if (cipso_v4_map_lvl_valid(doi_def,
1664 err_offset = opt_iter + 3;
1665 goto validate_return_locked;
1667 if (tag_len > CIPSO_V4_TAG_RNG_BLEN &&
1668 cipso_v4_map_cat_rng_valid(doi_def,
1671 err_offset = opt_iter + 4;
1672 goto validate_return_locked;
1675 case CIPSO_V4_TAG_LOCAL:
1676 /* This is a non-standard tag that we only allow for
1677 * local connections, so if the incoming interface is
1678 * not the loopback device drop the packet. Further,
1679 * there is no legitimate reason for setting this from
1680 * userspace so reject it if skb is NULL. */
1681 if (!skb || !(skb->dev->flags & IFF_LOOPBACK)) {
1682 err_offset = opt_iter;
1683 goto validate_return_locked;
1685 if (tag_len != CIPSO_V4_TAG_LOC_BLEN) {
1686 err_offset = opt_iter + 1;
1687 goto validate_return_locked;
1691 err_offset = opt_iter;
1692 goto validate_return_locked;
1696 opt_iter += tag_len;
1699 validate_return_locked:
1702 *option = opt + err_offset;
1707 * cipso_v4_error - Send the correct response for a bad packet
1709 * @error: the error code
1710 * @gateway: CIPSO gateway flag
1713 * Based on the error code given in @error, send an ICMP error message back to
1714 * the originating host. From the IETF draft ...
1716 * "If the contents of the CIPSO [option] are valid but the security label is
1717 * outside of the configured host or port label range, the datagram is
1718 * discarded and an ICMP 'destination unreachable' (type 3) is generated and
1719 * returned. The code field of the ICMP is set to 'communication with
1720 * destination network administratively prohibited' (code 9) or to
1721 * 'communication with destination host administratively prohibited'
1722 * (code 10). The value of the code is dependent on whether the originator
1723 * of the ICMP message is acting as a CIPSO host or a CIPSO gateway. The
1724 * recipient of the ICMP message MUST be able to handle either value. The
1725 * same procedure is performed if a CIPSO [option] can not be added to an
1726 * IP packet because it is too large to fit in the IP options area."
1728 * "If the error is triggered by receipt of an ICMP message, the message is
1729 * discarded and no response is permitted (consistent with general ICMP
1730 * processing rules)."
1733 void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
1735 unsigned char optbuf[sizeof(struct ip_options) + 40];
1736 struct ip_options *opt = (struct ip_options *)optbuf;
1739 if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES)
1743 * We might be called above the IP layer,
1744 * so we can not use icmp_send and IPCB here.
1747 memset(opt, 0, sizeof(struct ip_options));
1748 opt->optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
1750 res = __ip_options_compile(dev_net(skb->dev), opt, skb, NULL);
1757 __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0, opt);
1759 __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0, opt);
1763 * cipso_v4_genopt - Generate a CIPSO option
1764 * @buf: the option buffer
1765 * @buf_len: the size of opt_buf
1766 * @doi_def: the CIPSO DOI to use
1767 * @secattr: the security attributes
1770 * Generate a CIPSO option using the DOI definition and security attributes
1771 * passed to the function. Returns the length of the option on success and
1772 * negative values on failure.
1775 static int cipso_v4_genopt(unsigned char *buf, u32 buf_len,
1776 const struct cipso_v4_doi *doi_def,
1777 const struct netlbl_lsm_secattr *secattr)
1782 if (buf_len <= CIPSO_V4_HDR_LEN)
1785 /* XXX - This code assumes only one tag per CIPSO option which isn't
1786 * really a good assumption to make but since we only support the MAC
1787 * tags right now it is a safe assumption. */
1790 memset(buf, 0, buf_len);
1791 switch (doi_def->tags[iter]) {
1792 case CIPSO_V4_TAG_RBITMAP:
1793 ret_val = cipso_v4_gentag_rbm(doi_def,
1795 &buf[CIPSO_V4_HDR_LEN],
1796 buf_len - CIPSO_V4_HDR_LEN);
1798 case CIPSO_V4_TAG_ENUM:
1799 ret_val = cipso_v4_gentag_enum(doi_def,
1801 &buf[CIPSO_V4_HDR_LEN],
1802 buf_len - CIPSO_V4_HDR_LEN);
1804 case CIPSO_V4_TAG_RANGE:
1805 ret_val = cipso_v4_gentag_rng(doi_def,
1807 &buf[CIPSO_V4_HDR_LEN],
1808 buf_len - CIPSO_V4_HDR_LEN);
1810 case CIPSO_V4_TAG_LOCAL:
1811 ret_val = cipso_v4_gentag_loc(doi_def,
1813 &buf[CIPSO_V4_HDR_LEN],
1814 buf_len - CIPSO_V4_HDR_LEN);
1821 } while (ret_val < 0 &&
1822 iter < CIPSO_V4_TAG_MAXCNT &&
1823 doi_def->tags[iter] != CIPSO_V4_TAG_INVALID);
1826 cipso_v4_gentag_hdr(doi_def, buf, ret_val);
1827 return CIPSO_V4_HDR_LEN + ret_val;
1831 * cipso_v4_sock_setattr - Add a CIPSO option to a socket
1833 * @doi_def: the CIPSO DOI to use
1834 * @secattr: the specific security attributes of the socket
1837 * Set the CIPSO option on the given socket using the DOI definition and
1838 * security attributes passed to the function. This function requires
1839 * exclusive access to @sk, which means it either needs to be in the
1840 * process of being created or locked. Returns zero on success and negative
1841 * values on failure.
1844 int cipso_v4_sock_setattr(struct sock *sk,
1845 const struct cipso_v4_doi *doi_def,
1846 const struct netlbl_lsm_secattr *secattr)
1848 int ret_val = -EPERM;
1849 unsigned char *buf = NULL;
1852 struct ip_options_rcu *old, *opt = NULL;
1853 struct inet_sock *sk_inet;
1854 struct inet_connection_sock *sk_conn;
1856 /* In the case of sock_create_lite(), the sock->sk field is not
1857 * defined yet but it is not a problem as the only users of these
1858 * "lite" PF_INET sockets are functions which do an accept() call
1859 * afterwards so we will label the socket as part of the accept(). */
1863 /* We allocate the maximum CIPSO option size here so we are probably
1864 * being a little wasteful, but it makes our life _much_ easier later
1865 * on and after all we are only talking about 40 bytes. */
1866 buf_len = CIPSO_V4_OPT_LEN_MAX;
1867 buf = kmalloc(buf_len, GFP_ATOMIC);
1870 goto socket_setattr_failure;
1873 ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
1875 goto socket_setattr_failure;
1878 /* We can't use ip_options_get() directly because it makes a call to
1879 * ip_options_get_alloc() which allocates memory with GFP_KERNEL and
1880 * we won't always have CAP_NET_RAW even though we _always_ want to
1881 * set the IPOPT_CIPSO option. */
1882 opt_len = (buf_len + 3) & ~3;
1883 opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC);
1886 goto socket_setattr_failure;
1888 memcpy(opt->opt.__data, buf, buf_len);
1889 opt->opt.optlen = opt_len;
1890 opt->opt.cipso = sizeof(struct iphdr);
1894 sk_inet = inet_sk(sk);
1896 old = rcu_dereference_protected(sk_inet->inet_opt,
1897 lockdep_sock_is_held(sk));
1898 if (sk_inet->is_icsk) {
1899 sk_conn = inet_csk(sk);
1901 sk_conn->icsk_ext_hdr_len -= old->opt.optlen;
1902 sk_conn->icsk_ext_hdr_len += opt->opt.optlen;
1903 sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
1905 rcu_assign_pointer(sk_inet->inet_opt, opt);
1907 kfree_rcu(old, rcu);
1911 socket_setattr_failure:
1918 * cipso_v4_req_setattr - Add a CIPSO option to a connection request socket
1919 * @req: the connection request socket
1920 * @doi_def: the CIPSO DOI to use
1921 * @secattr: the specific security attributes of the socket
1924 * Set the CIPSO option on the given socket using the DOI definition and
1925 * security attributes passed to the function. Returns zero on success and
1926 * negative values on failure.
1929 int cipso_v4_req_setattr(struct request_sock *req,
1930 const struct cipso_v4_doi *doi_def,
1931 const struct netlbl_lsm_secattr *secattr)
1933 int ret_val = -EPERM;
1934 unsigned char *buf = NULL;
1937 struct ip_options_rcu *opt = NULL;
1938 struct inet_request_sock *req_inet;
1940 /* We allocate the maximum CIPSO option size here so we are probably
1941 * being a little wasteful, but it makes our life _much_ easier later
1942 * on and after all we are only talking about 40 bytes. */
1943 buf_len = CIPSO_V4_OPT_LEN_MAX;
1944 buf = kmalloc(buf_len, GFP_ATOMIC);
1947 goto req_setattr_failure;
1950 ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
1952 goto req_setattr_failure;
1955 /* We can't use ip_options_get() directly because it makes a call to
1956 * ip_options_get_alloc() which allocates memory with GFP_KERNEL and
1957 * we won't always have CAP_NET_RAW even though we _always_ want to
1958 * set the IPOPT_CIPSO option. */
1959 opt_len = (buf_len + 3) & ~3;
1960 opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC);
1963 goto req_setattr_failure;
1965 memcpy(opt->opt.__data, buf, buf_len);
1966 opt->opt.optlen = opt_len;
1967 opt->opt.cipso = sizeof(struct iphdr);
1971 req_inet = inet_rsk(req);
1972 opt = xchg((__force struct ip_options_rcu **)&req_inet->ireq_opt, opt);
1974 kfree_rcu(opt, rcu);
1978 req_setattr_failure:
1985 * cipso_v4_delopt - Delete the CIPSO option from a set of IP options
1986 * @opt_ptr: IP option pointer
1989 * Deletes the CIPSO IP option from a set of IP options and makes the necessary
1990 * adjustments to the IP option structure. Returns zero on success, negative
1991 * values on failure.
1994 static int cipso_v4_delopt(struct ip_options_rcu __rcu **opt_ptr)
1996 struct ip_options_rcu *opt = rcu_dereference_protected(*opt_ptr, 1);
1999 if (!opt || opt->opt.cipso == 0)
2001 if (opt->opt.srr || opt->opt.rr || opt->opt.ts || opt->opt.router_alert) {
2004 unsigned char *cipso_ptr;
2008 cipso_off = opt->opt.cipso - sizeof(struct iphdr);
2009 cipso_ptr = &opt->opt.__data[cipso_off];
2010 cipso_len = cipso_ptr[1];
2012 if (opt->opt.srr > opt->opt.cipso)
2013 opt->opt.srr -= cipso_len;
2014 if (opt->opt.rr > opt->opt.cipso)
2015 opt->opt.rr -= cipso_len;
2016 if (opt->opt.ts > opt->opt.cipso)
2017 opt->opt.ts -= cipso_len;
2018 if (opt->opt.router_alert > opt->opt.cipso)
2019 opt->opt.router_alert -= cipso_len;
2022 memmove(cipso_ptr, cipso_ptr + cipso_len,
2023 opt->opt.optlen - cipso_off - cipso_len);
2025 /* determining the new total option length is tricky because of
2026 * the padding necessary, the only thing i can think to do at
2027 * this point is walk the options one-by-one, skipping the
2028 * padding at the end to determine the actual option size and
2029 * from there we can determine the new total option length */
2032 while (iter < opt->opt.optlen)
2033 if (opt->opt.__data[iter] != IPOPT_NOP) {
2034 iter += opt->opt.__data[iter + 1];
2038 hdr_delta = opt->opt.optlen;
2039 opt->opt.optlen = (optlen_new + 3) & ~3;
2040 hdr_delta -= opt->opt.optlen;
2042 /* only the cipso option was present on the socket so we can
2043 * remove the entire option struct */
2045 hdr_delta = opt->opt.optlen;
2046 kfree_rcu(opt, rcu);
2053 * cipso_v4_sock_delattr - Delete the CIPSO option from a socket
2057 * Removes the CIPSO option from a socket, if present.
2060 void cipso_v4_sock_delattr(struct sock *sk)
2062 struct inet_sock *sk_inet;
2065 sk_inet = inet_sk(sk);
2067 hdr_delta = cipso_v4_delopt(&sk_inet->inet_opt);
2068 if (sk_inet->is_icsk && hdr_delta > 0) {
2069 struct inet_connection_sock *sk_conn = inet_csk(sk);
2070 sk_conn->icsk_ext_hdr_len -= hdr_delta;
2071 sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
2076 * cipso_v4_req_delattr - Delete the CIPSO option from a request socket
2077 * @reg: the request socket
2080 * Removes the CIPSO option from a request socket, if present.
2083 void cipso_v4_req_delattr(struct request_sock *req)
2085 cipso_v4_delopt(&inet_rsk(req)->ireq_opt);
2089 * cipso_v4_getattr - Helper function for the cipso_v4_*_getattr functions
2090 * @cipso: the CIPSO v4 option
2091 * @secattr: the security attributes
2094 * Inspect @cipso and return the security attributes in @secattr. Returns zero
2095 * on success and negative values on failure.
2098 int cipso_v4_getattr(const unsigned char *cipso,
2099 struct netlbl_lsm_secattr *secattr)
2101 int ret_val = -ENOMSG;
2103 struct cipso_v4_doi *doi_def;
2105 if (cipso_v4_cache_check(cipso, cipso[1], secattr) == 0)
2108 doi = get_unaligned_be32(&cipso[2]);
2110 doi_def = cipso_v4_doi_search(doi);
2112 goto getattr_return;
2113 /* XXX - This code assumes only one tag per CIPSO option which isn't
2114 * really a good assumption to make but since we only support the MAC
2115 * tags right now it is a safe assumption. */
2117 case CIPSO_V4_TAG_RBITMAP:
2118 ret_val = cipso_v4_parsetag_rbm(doi_def, &cipso[6], secattr);
2120 case CIPSO_V4_TAG_ENUM:
2121 ret_val = cipso_v4_parsetag_enum(doi_def, &cipso[6], secattr);
2123 case CIPSO_V4_TAG_RANGE:
2124 ret_val = cipso_v4_parsetag_rng(doi_def, &cipso[6], secattr);
2126 case CIPSO_V4_TAG_LOCAL:
2127 ret_val = cipso_v4_parsetag_loc(doi_def, &cipso[6], secattr);
2131 secattr->type = NETLBL_NLTYPE_CIPSOV4;
2139 * cipso_v4_sock_getattr - Get the security attributes from a sock
2141 * @secattr: the security attributes
2144 * Query @sk to see if there is a CIPSO option attached to the sock and if
2145 * there is return the CIPSO security attributes in @secattr. This function
2146 * requires that @sk be locked, or privately held, but it does not do any
2147 * locking itself. Returns zero on success and negative values on failure.
2150 int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
2152 struct ip_options_rcu *opt;
2156 opt = rcu_dereference(inet_sk(sk)->inet_opt);
2157 if (opt && opt->opt.cipso)
2158 res = cipso_v4_getattr(opt->opt.__data +
2160 sizeof(struct iphdr),
2167 * cipso_v4_skbuff_setattr - Set the CIPSO option on a packet
2169 * @secattr: the security attributes
2172 * Set the CIPSO option on the given packet based on the security attributes.
2173 * Returns a pointer to the IP header on success and NULL on failure.
2176 int cipso_v4_skbuff_setattr(struct sk_buff *skb,
2177 const struct cipso_v4_doi *doi_def,
2178 const struct netlbl_lsm_secattr *secattr)
2182 struct ip_options *opt = &IPCB(skb)->opt;
2183 unsigned char buf[CIPSO_V4_OPT_LEN_MAX];
2184 u32 buf_len = CIPSO_V4_OPT_LEN_MAX;
2188 ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
2192 opt_len = (buf_len + 3) & ~3;
2194 /* we overwrite any existing options to ensure that we have enough
2195 * room for the CIPSO option, the reason is that we _need_ to guarantee
2196 * that the security label is applied to the packet - we do the same
2197 * thing when using the socket options and it hasn't caused a problem,
2198 * if we need to we can always revisit this choice later */
2200 len_delta = opt_len - opt->optlen;
2201 /* if we don't ensure enough headroom we could panic on the skb_push()
2202 * call below so make sure we have enough, we are also "mangling" the
2203 * packet so we should probably do a copy-on-write call anyway */
2204 ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
2208 if (len_delta > 0) {
2209 /* we assume that the header + opt->optlen have already been
2210 * "pushed" in ip_options_build() or similar */
2212 skb_push(skb, len_delta);
2213 memmove((char *)iph - len_delta, iph, iph->ihl << 2);
2214 skb_reset_network_header(skb);
2216 } else if (len_delta < 0) {
2218 memset(iph + 1, IPOPT_NOP, opt->optlen);
2222 if (opt->optlen > 0)
2223 memset(opt, 0, sizeof(*opt));
2224 opt->optlen = opt_len;
2225 opt->cipso = sizeof(struct iphdr);
2226 opt->is_changed = 1;
2228 /* we have to do the following because we are being called from a
2229 * netfilter hook which means the packet already has had the header
2230 * fields populated and the checksum calculated - yes this means we
2231 * are doing more work than needed but we do it to keep the core
2232 * stack clean and tidy */
2233 memcpy(iph + 1, buf, buf_len);
2234 if (opt_len > buf_len)
2235 memset((char *)(iph + 1) + buf_len, 0, opt_len - buf_len);
2236 if (len_delta != 0) {
2237 iph->ihl = 5 + (opt_len >> 2);
2238 iph->tot_len = htons(skb->len);
2246 * cipso_v4_skbuff_delattr - Delete any CIPSO options from a packet
2250 * Removes any and all CIPSO options from the given packet. Returns zero on
2251 * success, negative values on failure.
2254 int cipso_v4_skbuff_delattr(struct sk_buff *skb)
2258 struct ip_options *opt = &IPCB(skb)->opt;
2259 unsigned char *cipso_ptr;
2261 if (opt->cipso == 0)
2264 /* since we are changing the packet we should make a copy */
2265 ret_val = skb_cow(skb, skb_headroom(skb));
2269 /* the easiest thing to do is just replace the cipso option with noop
2270 * options since we don't change the size of the packet, although we
2271 * still need to recalculate the checksum */
2274 cipso_ptr = (unsigned char *)iph + opt->cipso;
2275 memset(cipso_ptr, IPOPT_NOOP, cipso_ptr[1]);
2277 opt->is_changed = 1;
2289 * cipso_v4_init - Initialize the CIPSO module
2292 * Initialize the CIPSO module and prepare it for use. Returns zero on success
2293 * and negative values on failure.
2296 static int __init cipso_v4_init(void)
2300 ret_val = cipso_v4_cache_init();
2302 panic("Failed to initialize the CIPSO/IPv4 cache (%d)\n",
2308 subsys_initcall(cipso_v4_init);