1 // SPDX-License-Identifier: GPL-2.0-or-later
9 * Author: Paul Moore <paul@paul-moore.com>
13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
43 * netlbl_cfg_map_del - Remove a NetLabel/LSM domain mapping
75 return -EPFNOSUPPORT; in netlbl_cfg_map_del()
78 return -EINVAL; in netlbl_cfg_map_del()
82 * netlbl_cfg_unlbl_map_add - Add a new unlabeled mapping
101 int ret_val = -ENOMEM; in netlbl_cfg_unlbl_map_add()
109 return -ENOMEM; in netlbl_cfg_unlbl_map_add()
111 entry->domain = kstrdup(domain, GFP_ATOMIC); in netlbl_cfg_unlbl_map_add()
112 if (entry->domain == NULL) in netlbl_cfg_unlbl_map_add()
115 entry->family = family; in netlbl_cfg_unlbl_map_add()
118 entry->def.type = NETLBL_NLTYPE_UNLABELED; in netlbl_cfg_unlbl_map_add()
123 INIT_LIST_HEAD(&addrmap->list4); in netlbl_cfg_unlbl_map_add()
124 INIT_LIST_HEAD(&addrmap->list6); in netlbl_cfg_unlbl_map_add()
133 map4->def.type = NETLBL_NLTYPE_UNLABELED; in netlbl_cfg_unlbl_map_add()
134 map4->list.addr = addr4->s_addr & mask4->s_addr; in netlbl_cfg_unlbl_map_add()
135 map4->list.mask = mask4->s_addr; in netlbl_cfg_unlbl_map_add()
136 map4->list.valid = 1; in netlbl_cfg_unlbl_map_add()
137 ret_val = netlbl_af4list_add(&map4->list, in netlbl_cfg_unlbl_map_add()
138 &addrmap->list4); in netlbl_cfg_unlbl_map_add()
150 map6->def.type = NETLBL_NLTYPE_UNLABELED; in netlbl_cfg_unlbl_map_add()
151 map6->list.addr = *addr6; in netlbl_cfg_unlbl_map_add()
152 map6->list.addr.s6_addr32[0] &= mask6->s6_addr32[0]; in netlbl_cfg_unlbl_map_add()
153 map6->list.addr.s6_addr32[1] &= mask6->s6_addr32[1]; in netlbl_cfg_unlbl_map_add()
154 map6->list.addr.s6_addr32[2] &= mask6->s6_addr32[2]; in netlbl_cfg_unlbl_map_add()
155 map6->list.addr.s6_addr32[3] &= mask6->s6_addr32[3]; in netlbl_cfg_unlbl_map_add()
156 map6->list.mask = *mask6; in netlbl_cfg_unlbl_map_add()
157 map6->list.valid = 1; in netlbl_cfg_unlbl_map_add()
158 ret_val = netlbl_af6list_add(&map6->list, in netlbl_cfg_unlbl_map_add()
159 &addrmap->list6); in netlbl_cfg_unlbl_map_add()
169 entry->def.addrsel = addrmap; in netlbl_cfg_unlbl_map_add()
170 entry->def.type = NETLBL_NLTYPE_ADDRSELECT; in netlbl_cfg_unlbl_map_add()
172 ret_val = -EINVAL; in netlbl_cfg_unlbl_map_add()
183 kfree(entry->domain); in netlbl_cfg_unlbl_map_add()
193 * netlbl_cfg_unlbl_static_add - Adds a new static label
203 * Adds a new NetLabel static label to be used when protocol provided labels
228 return -EPFNOSUPPORT; in netlbl_cfg_unlbl_static_add()
237 * netlbl_cfg_unlbl_static_del - Removes an existing static label
246 * Removes an existing NetLabel static label used when protocol provided labels
270 return -EPFNOSUPPORT; in netlbl_cfg_unlbl_static_del()
279 * netlbl_cfg_cipsov4_add - Add a new CIPSOv4 DOI definition
295 * netlbl_cfg_cipsov4_del - Remove an existing CIPSOv4 DOI definition
310 * netlbl_cfg_cipsov4_map_add - Add a new CIPSOv4 DOI mapping
329 int ret_val = -ENOMEM; in netlbl_cfg_cipsov4_map_add()
337 return -ENOENT; in netlbl_cfg_cipsov4_map_add()
342 entry->family = AF_INET; in netlbl_cfg_cipsov4_map_add()
344 entry->domain = kstrdup(domain, GFP_ATOMIC); in netlbl_cfg_cipsov4_map_add()
345 if (entry->domain == NULL) in netlbl_cfg_cipsov4_map_add()
350 entry->def.cipso = doi_def; in netlbl_cfg_cipsov4_map_add()
351 entry->def.type = NETLBL_NLTYPE_CIPSOV4; in netlbl_cfg_cipsov4_map_add()
356 INIT_LIST_HEAD(&addrmap->list4); in netlbl_cfg_cipsov4_map_add()
357 INIT_LIST_HEAD(&addrmap->list6); in netlbl_cfg_cipsov4_map_add()
362 addrinfo->def.cipso = doi_def; in netlbl_cfg_cipsov4_map_add()
363 addrinfo->def.type = NETLBL_NLTYPE_CIPSOV4; in netlbl_cfg_cipsov4_map_add()
364 addrinfo->list.addr = addr->s_addr & mask->s_addr; in netlbl_cfg_cipsov4_map_add()
365 addrinfo->list.mask = mask->s_addr; in netlbl_cfg_cipsov4_map_add()
366 addrinfo->list.valid = 1; in netlbl_cfg_cipsov4_map_add()
367 ret_val = netlbl_af4list_add(&addrinfo->list, &addrmap->list4); in netlbl_cfg_cipsov4_map_add()
371 entry->def.addrsel = addrmap; in netlbl_cfg_cipsov4_map_add()
372 entry->def.type = NETLBL_NLTYPE_ADDRSELECT; in netlbl_cfg_cipsov4_map_add()
374 ret_val = -EINVAL; in netlbl_cfg_cipsov4_map_add()
389 kfree(entry->domain); in netlbl_cfg_cipsov4_map_add()
398 * netlbl_cfg_calipso_add - Add a new CALIPSO DOI definition
413 return -ENOSYS; in netlbl_cfg_calipso_add()
418 * netlbl_cfg_calipso_del - Remove an existing CALIPSO DOI definition
435 * netlbl_cfg_calipso_map_add - Add a new CALIPSO DOI mapping
455 int ret_val = -ENOMEM; in netlbl_cfg_calipso_map_add()
463 return -ENOENT; in netlbl_cfg_calipso_map_add()
468 entry->family = AF_INET6; in netlbl_cfg_calipso_map_add()
470 entry->domain = kstrdup(domain, GFP_ATOMIC); in netlbl_cfg_calipso_map_add()
471 if (entry->domain == NULL) in netlbl_cfg_calipso_map_add()
476 entry->def.calipso = doi_def; in netlbl_cfg_calipso_map_add()
477 entry->def.type = NETLBL_NLTYPE_CALIPSO; in netlbl_cfg_calipso_map_add()
482 INIT_LIST_HEAD(&addrmap->list4); in netlbl_cfg_calipso_map_add()
483 INIT_LIST_HEAD(&addrmap->list6); in netlbl_cfg_calipso_map_add()
488 addrinfo->def.calipso = doi_def; in netlbl_cfg_calipso_map_add()
489 addrinfo->def.type = NETLBL_NLTYPE_CALIPSO; in netlbl_cfg_calipso_map_add()
490 addrinfo->list.addr = *addr; in netlbl_cfg_calipso_map_add()
491 addrinfo->list.addr.s6_addr32[0] &= mask->s6_addr32[0]; in netlbl_cfg_calipso_map_add()
492 addrinfo->list.addr.s6_addr32[1] &= mask->s6_addr32[1]; in netlbl_cfg_calipso_map_add()
493 addrinfo->list.addr.s6_addr32[2] &= mask->s6_addr32[2]; in netlbl_cfg_calipso_map_add()
494 addrinfo->list.addr.s6_addr32[3] &= mask->s6_addr32[3]; in netlbl_cfg_calipso_map_add()
495 addrinfo->list.mask = *mask; in netlbl_cfg_calipso_map_add()
496 addrinfo->list.valid = 1; in netlbl_cfg_calipso_map_add()
497 ret_val = netlbl_af6list_add(&addrinfo->list, &addrmap->list6); in netlbl_cfg_calipso_map_add()
501 entry->def.addrsel = addrmap; in netlbl_cfg_calipso_map_add()
502 entry->def.type = NETLBL_NLTYPE_ADDRSELECT; in netlbl_cfg_calipso_map_add()
504 ret_val = -EINVAL; in netlbl_cfg_calipso_map_add()
519 kfree(entry->domain); in netlbl_cfg_calipso_map_add()
526 return -ENOSYS; in netlbl_cfg_calipso_map_add()
539 * _netlbl_catmap_getnode - Get an individual node from a catmap
564 if (offset < iter->startbit) in _netlbl_catmap_getnode()
566 while (iter && offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) { in _netlbl_catmap_getnode()
568 iter = iter->next; in _netlbl_catmap_getnode()
570 if (iter == NULL || offset < iter->startbit) in _netlbl_catmap_getnode()
585 iter->startbit = offset & ~(NETLBL_CATMAP_SIZE - 1); in _netlbl_catmap_getnode()
588 iter->next = *catmap; in _netlbl_catmap_getnode()
591 iter->next = prev->next; in _netlbl_catmap_getnode()
592 prev->next = iter; in _netlbl_catmap_getnode()
599 * netlbl_catmap_walk - Walk a LSM secattr catmap looking for a bit
605 * returns the spot of the first set bit or -ENOENT if no bits are set.
617 return -ENOENT; in netlbl_catmap_walk()
618 if (offset > iter->startbit) { in netlbl_catmap_walk()
619 offset -= iter->startbit; in netlbl_catmap_walk()
626 bitmap = iter->bitmap[idx] >> bit; in netlbl_catmap_walk()
634 return iter->startbit + in netlbl_catmap_walk()
638 if (iter->next != NULL) { in netlbl_catmap_walk()
639 iter = iter->next; in netlbl_catmap_walk()
642 return -ENOENT; in netlbl_catmap_walk()
644 bitmap = iter->bitmap[idx]; in netlbl_catmap_walk()
648 return -ENOENT; in netlbl_catmap_walk()
653 * netlbl_catmap_walkrng - Find the end of a string of set bits
659 * returns the spot of the first cleared bit or -ENOENT if the offset is past
674 return -ENOENT; in netlbl_catmap_walkrng()
675 if (offset > iter->startbit) { in netlbl_catmap_walkrng()
676 offset -= iter->startbit; in netlbl_catmap_walkrng()
686 bitmap = iter->bitmap[idx]; in netlbl_catmap_walkrng()
693 return prev->startbit + NETLBL_CATMAP_SIZE - 1; in netlbl_catmap_walkrng()
695 return iter->startbit + in netlbl_catmap_walkrng()
696 (NETLBL_CATMAP_MAPSIZE * idx) + bit - 1; in netlbl_catmap_walkrng()
698 if (iter->next == NULL) in netlbl_catmap_walkrng()
699 return iter->startbit + NETLBL_CATMAP_SIZE - 1; in netlbl_catmap_walkrng()
701 iter = iter->next; in netlbl_catmap_walkrng()
708 return -ENOENT; in netlbl_catmap_walkrng()
712 * netlbl_catmap_getlong - Export an unsigned long bitmap
721 * empty at the requested offset and beyond, the @offset is set to (u32)-1.
734 if ((off & (BITS_PER_LONG - 1)) != 0) in netlbl_catmap_getlong()
735 return -EINVAL; in netlbl_catmap_getlong()
739 *offset = (u32)-1; in netlbl_catmap_getlong()
743 if (off < catmap->startbit) { in netlbl_catmap_getlong()
744 off = catmap->startbit; in netlbl_catmap_getlong()
749 *offset = (u32)-1; in netlbl_catmap_getlong()
753 if (off < iter->startbit) { in netlbl_catmap_getlong()
754 *offset = iter->startbit; in netlbl_catmap_getlong()
757 off -= iter->startbit; in netlbl_catmap_getlong()
759 *bitmap = iter->bitmap[idx] >> (off % NETLBL_CATMAP_MAPSIZE); in netlbl_catmap_getlong()
765 * netlbl_catmap_setbit - Set a bit in a LSM secattr catmap
784 return -ENOMEM; in netlbl_catmap_setbit()
786 bit -= iter->startbit; in netlbl_catmap_setbit()
788 iter->bitmap[idx] |= NETLBL_CATMAP_BIT << (bit % NETLBL_CATMAP_MAPSIZE); in netlbl_catmap_setbit()
795 * netlbl_catmap_setrng - Set a range of bits in a LSM secattr catmap
815 if (((spot & (BITS_PER_LONG - 1)) == 0) && in netlbl_catmap_setrng()
816 ((end - spot) > BITS_PER_LONG)) { in netlbl_catmap_setrng()
819 (unsigned long)-1, in netlbl_catmap_setrng()
830 * netlbl_catmap_setlong - Import an unsigned long bitmap
851 if ((offset & (BITS_PER_LONG - 1)) != 0) in netlbl_catmap_setlong()
852 return -EINVAL; in netlbl_catmap_setlong()
856 return -ENOMEM; in netlbl_catmap_setlong()
858 offset -= iter->startbit; in netlbl_catmap_setlong()
860 iter->bitmap[idx] |= (u64)bitmap in netlbl_catmap_setlong()
870 * netlbl_bitmap_walk - Walk a bitmap looking for a bit
874 * @state: if non-zero, look for a set (1) bit else look for a cleared (0) bit
878 * desired bit is found or we reach the end. Return the bit offset, -1 if
882 u32 offset, u8 state) in netlbl_bitmap_walk() argument
890 return -1; in netlbl_bitmap_walk()
897 if ((state && (byte & bitmask) == bitmask) || in netlbl_bitmap_walk()
898 (state == 0 && (byte & bitmask) == 0)) in netlbl_bitmap_walk()
902 return -1; in netlbl_bitmap_walk()
910 return -1; in netlbl_bitmap_walk()
915 * netlbl_bitmap_setbit - Sets a single bit in a bitmap
918 * @state: if non-zero, set the bit (1) else clear the bit (0)
924 void netlbl_bitmap_setbit(unsigned char *bitmap, u32 bit, u8 state) in netlbl_bitmap_setbit() argument
932 if (state) in netlbl_bitmap_setbit()
944 * netlbl_enabled - Determine if the NetLabel subsystem is enabled
964 * netlbl_sock_setattr - Label a socket using the correct protocol
974 * Returns zero on success, -EDESTADDRREQ if the domain is configured to use
988 dom_entry = netlbl_domhsh_getentry(secattr->domain, family); in netlbl_sock_setattr()
990 ret_val = -ENOENT; in netlbl_sock_setattr()
995 switch (dom_entry->def.type) { in netlbl_sock_setattr()
997 ret_val = -EDESTADDRREQ; in netlbl_sock_setattr()
1001 dom_entry->def.cipso, in netlbl_sock_setattr()
1008 ret_val = -ENOENT; in netlbl_sock_setattr()
1013 switch (dom_entry->def.type) { in netlbl_sock_setattr()
1015 ret_val = -EDESTADDRREQ; in netlbl_sock_setattr()
1019 dom_entry->def.calipso, in netlbl_sock_setattr()
1026 ret_val = -ENOENT; in netlbl_sock_setattr()
1031 ret_val = -EPROTONOSUPPORT; in netlbl_sock_setattr()
1040 * netlbl_sock_delattr - Delete all the NetLabel labels on a socket
1050 switch (sk->sk_family) { in netlbl_sock_delattr()
1063 * netlbl_sock_getattr - Determine the security attributes of a sock
1079 switch (sk->sk_family) { in netlbl_sock_getattr()
1089 ret_val = -EPROTONOSUPPORT; in netlbl_sock_getattr()
1096 * netlbl_sk_lock_check - Check if the socket lock has been acquired.
1100 * runtime or compile-time; false otherwise
1118 * netlbl_conn_setattr - Label a connected socket using the correct protocol
1141 switch (addr->sa_family) { in netlbl_conn_setattr()
1144 entry = netlbl_domhsh_getentry_af4(secattr->domain, in netlbl_conn_setattr()
1145 addr4->sin_addr.s_addr); in netlbl_conn_setattr()
1147 ret_val = -ENOENT; in netlbl_conn_setattr()
1150 switch (entry->type) { in netlbl_conn_setattr()
1153 entry->cipso, secattr, in netlbl_conn_setattr()
1163 ret_val = -ENOENT; in netlbl_conn_setattr()
1168 if (sk->sk_family != AF_INET6) { in netlbl_conn_setattr()
1169 ret_val = -EAFNOSUPPORT; in netlbl_conn_setattr()
1174 entry = netlbl_domhsh_getentry_af6(secattr->domain, in netlbl_conn_setattr()
1175 &addr6->sin6_addr); in netlbl_conn_setattr()
1177 ret_val = -ENOENT; in netlbl_conn_setattr()
1180 switch (entry->type) { in netlbl_conn_setattr()
1183 entry->calipso, secattr); in netlbl_conn_setattr()
1192 ret_val = -ENOENT; in netlbl_conn_setattr()
1197 ret_val = -EPROTONOSUPPORT; in netlbl_conn_setattr()
1206 * netlbl_req_setattr - Label a request socket using the correct protocol
1223 switch (req->rsk_ops->family) { in netlbl_req_setattr()
1225 entry = netlbl_domhsh_getentry_af4(secattr->domain, in netlbl_req_setattr()
1226 ireq->ir_rmt_addr); in netlbl_req_setattr()
1228 ret_val = -ENOENT; in netlbl_req_setattr()
1231 switch (entry->type) { in netlbl_req_setattr()
1234 entry->cipso, secattr); in netlbl_req_setattr()
1241 ret_val = -ENOENT; in netlbl_req_setattr()
1246 entry = netlbl_domhsh_getentry_af6(secattr->domain, in netlbl_req_setattr()
1247 &ireq->ir_v6_rmt_addr); in netlbl_req_setattr()
1249 ret_val = -ENOENT; in netlbl_req_setattr()
1252 switch (entry->type) { in netlbl_req_setattr()
1255 entry->calipso, secattr); in netlbl_req_setattr()
1262 ret_val = -ENOENT; in netlbl_req_setattr()
1267 ret_val = -EPROTONOSUPPORT; in netlbl_req_setattr()
1276 * netlbl_req_delattr - Delete all the NetLabel labels on a socket
1285 switch (req->rsk_ops->family) { in netlbl_req_delattr()
1298 * netlbl_skbuff_setattr - Label a packet using the correct protocol
1323 entry = netlbl_domhsh_getentry_af4(secattr->domain, in netlbl_skbuff_setattr()
1324 hdr4->daddr); in netlbl_skbuff_setattr()
1326 ret_val = -ENOENT; in netlbl_skbuff_setattr()
1329 switch (entry->type) { in netlbl_skbuff_setattr()
1331 ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso, in netlbl_skbuff_setattr()
1340 ret_val = -ENOENT; in netlbl_skbuff_setattr()
1346 entry = netlbl_domhsh_getentry_af6(secattr->domain, in netlbl_skbuff_setattr()
1347 &hdr6->daddr); in netlbl_skbuff_setattr()
1349 ret_val = -ENOENT; in netlbl_skbuff_setattr()
1352 switch (entry->type) { in netlbl_skbuff_setattr()
1354 ret_val = calipso_skbuff_setattr(skb, entry->calipso, in netlbl_skbuff_setattr()
1363 ret_val = -ENOENT; in netlbl_skbuff_setattr()
1368 ret_val = -EPROTONOSUPPORT; in netlbl_skbuff_setattr()
1377 * netlbl_skbuff_getattr - Determine the security attributes of a packet
1414 * netlbl_skbuff_err - Handle a LSM error on a sk_buff
1422 * a permission denied problem (-EACCES). The correct action is determined
1437 * netlbl_cache_invalidate - Invalidate all of the NetLabel protocol caches
1454 * netlbl_cache_add - Add an entry to a NetLabel protocol cache
1470 if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0) in netlbl_cache_add()
1471 return -ENOMSG; in netlbl_cache_add()
1487 return -ENOMSG; in netlbl_cache_add()
1495 * netlbl_audit_start - Start an audit message
1518 * netlbl_init - Initialize NetLabel