summaryrefslogtreecommitdiff
path: root/security/selinux/netif.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@ppc970.osdl.org>2005-04-17 02:20:36 +0400
committerLinus Torvalds <torvalds@ppc970.osdl.org>2005-04-17 02:20:36 +0400
commit1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (patch)
tree0bba044c4ce775e45a88a51686b5d9f90697ea9d /security/selinux/netif.c
downloadlinux-1da177e4c3f41524e886b7f1b8a0c1fc7321cac2.tar.xz
Linux-2.6.12-rc2v2.6.12-rc2
Initial git repository build. I'm not bothering with the full history, even though we have it. We can create a separate "historical" git archive of that later if we want to, and in the meantime it's about 3.2GB when imported into git - space that would just make the early git days unnecessarily complicated, when we don't have a lot of good infrastructure for it. Let it rip!
Diffstat (limited to 'security/selinux/netif.c')
-rw-r--r--security/selinux/netif.c270
1 files changed, 270 insertions, 0 deletions
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
new file mode 100644
index 000000000000..718d7be9f4dd
--- /dev/null
+++ b/security/selinux/netif.c
@@ -0,0 +1,270 @@
+/*
+ * Network interface table.
+ *
+ * Network interfaces (devices) do not have a security field, so we
+ * maintain a table associating each interface with a SID.
+ *
+ * Author: James Morris <jmorris@redhat.com>
+ *
+ * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+#include <linux/init.h>
+#include <linux/types.h>
+#include <linux/stddef.h>
+#include <linux/kernel.h>
+#include <linux/list.h>
+#include <linux/notifier.h>
+#include <linux/netdevice.h>
+#include <linux/rcupdate.h>
+
+#include "security.h"
+#include "objsec.h"
+#include "netif.h"
+
+#define SEL_NETIF_HASH_SIZE 64
+#define SEL_NETIF_HASH_MAX 1024
+
+#undef DEBUG
+
+#ifdef DEBUG
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+struct sel_netif
+{
+ struct list_head list;
+ struct netif_security_struct nsec;
+ struct rcu_head rcu_head;
+};
+
+static u32 sel_netif_total;
+static LIST_HEAD(sel_netif_list);
+static DEFINE_SPINLOCK(sel_netif_lock);
+static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
+
+static inline u32 sel_netif_hasfn(struct net_device *dev)
+{
+ return (dev->ifindex & (SEL_NETIF_HASH_SIZE - 1));
+}
+
+/*
+ * All of the devices should normally fit in the hash, so we optimize
+ * for that case.
+ */
+static inline struct sel_netif *sel_netif_find(struct net_device *dev)
+{
+ struct list_head *pos;
+ int idx = sel_netif_hasfn(dev);
+
+ __list_for_each_rcu(pos, &sel_netif_hash[idx]) {
+ struct sel_netif *netif = list_entry(pos,
+ struct sel_netif, list);
+ if (likely(netif->nsec.dev == dev))
+ return netif;
+ }
+ return NULL;
+}
+
+static int sel_netif_insert(struct sel_netif *netif)
+{
+ int idx, ret = 0;
+
+ if (sel_netif_total >= SEL_NETIF_HASH_MAX) {
+ ret = -ENOSPC;
+ goto out;
+ }
+
+ idx = sel_netif_hasfn(netif->nsec.dev);
+ list_add_rcu(&netif->list, &sel_netif_hash[idx]);
+ sel_netif_total++;
+out:
+ return ret;
+}
+
+static void sel_netif_free(struct rcu_head *p)
+{
+ struct sel_netif *netif = container_of(p, struct sel_netif, rcu_head);
+
+ DEBUGP("%s: %s\n", __FUNCTION__, netif->nsec.dev->name);
+ kfree(netif);
+}
+
+static void sel_netif_destroy(struct sel_netif *netif)
+{
+ DEBUGP("%s: %s\n", __FUNCTION__, netif->nsec.dev->name);
+
+ list_del_rcu(&netif->list);
+ sel_netif_total--;
+ call_rcu(&netif->rcu_head, sel_netif_free);
+}
+
+static struct sel_netif *sel_netif_lookup(struct net_device *dev)
+{
+ int ret;
+ struct sel_netif *netif, *new;
+ struct netif_security_struct *nsec;
+
+ netif = sel_netif_find(dev);
+ if (likely(netif != NULL))
+ goto out;
+
+ new = kmalloc(sizeof(*new), GFP_ATOMIC);
+ if (!new) {
+ netif = ERR_PTR(-ENOMEM);
+ goto out;
+ }
+
+ memset(new, 0, sizeof(*new));
+ nsec = &new->nsec;
+
+ ret = security_netif_sid(dev->name, &nsec->if_sid, &nsec->msg_sid);
+ if (ret < 0) {
+ kfree(new);
+ netif = ERR_PTR(ret);
+ goto out;
+ }
+
+ nsec->dev = dev;
+
+ spin_lock_bh(&sel_netif_lock);
+
+ netif = sel_netif_find(dev);
+ if (netif) {
+ spin_unlock_bh(&sel_netif_lock);
+ kfree(new);
+ goto out;
+ }
+
+ ret = sel_netif_insert(new);
+ spin_unlock_bh(&sel_netif_lock);
+
+ if (ret) {
+ kfree(new);
+ netif = ERR_PTR(ret);
+ goto out;
+ }
+
+ netif = new;
+
+ DEBUGP("new: ifindex=%u name=%s if_sid=%u msg_sid=%u\n", dev->ifindex, dev->name,
+ nsec->if_sid, nsec->msg_sid);
+out:
+ return netif;
+}
+
+static void sel_netif_assign_sids(u32 if_sid_in, u32 msg_sid_in, u32 *if_sid_out, u32 *msg_sid_out)
+{
+ if (if_sid_out)
+ *if_sid_out = if_sid_in;
+ if (msg_sid_out)
+ *msg_sid_out = msg_sid_in;
+}
+
+static int sel_netif_sids_slow(struct net_device *dev, u32 *if_sid, u32 *msg_sid)
+{
+ int ret = 0;
+ u32 tmp_if_sid, tmp_msg_sid;
+
+ ret = security_netif_sid(dev->name, &tmp_if_sid, &tmp_msg_sid);
+ if (!ret)
+ sel_netif_assign_sids(tmp_if_sid, tmp_msg_sid, if_sid, msg_sid);
+ return ret;
+}
+
+int sel_netif_sids(struct net_device *dev, u32 *if_sid, u32 *msg_sid)
+{
+ int ret = 0;
+ struct sel_netif *netif;
+
+ rcu_read_lock();
+ netif = sel_netif_lookup(dev);
+ if (IS_ERR(netif)) {
+ rcu_read_unlock();
+ ret = sel_netif_sids_slow(dev, if_sid, msg_sid);
+ goto out;
+ }
+ sel_netif_assign_sids(netif->nsec.if_sid, netif->nsec.msg_sid, if_sid, msg_sid);
+ rcu_read_unlock();
+out:
+ return ret;
+}
+
+static void sel_netif_kill(struct net_device *dev)
+{
+ struct sel_netif *netif;
+
+ spin_lock_bh(&sel_netif_lock);
+ netif = sel_netif_find(dev);
+ if (netif)
+ sel_netif_destroy(netif);
+ spin_unlock_bh(&sel_netif_lock);
+}
+
+static void sel_netif_flush(void)
+{
+ int idx;
+
+ spin_lock_bh(&sel_netif_lock);
+ for (idx = 0; idx < SEL_NETIF_HASH_SIZE; idx++) {
+ struct sel_netif *netif;
+
+ list_for_each_entry(netif, &sel_netif_hash[idx], list)
+ sel_netif_destroy(netif);
+ }
+ spin_unlock_bh(&sel_netif_lock);
+}
+
+static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid,
+ u16 class, u32 perms, u32 *retained)
+{
+ if (event == AVC_CALLBACK_RESET) {
+ sel_netif_flush();
+ synchronize_net();
+ }
+ return 0;
+}
+
+static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
+ unsigned long event, void *ptr)
+{
+ struct net_device *dev = ptr;
+
+ if (event == NETDEV_DOWN)
+ sel_netif_kill(dev);
+
+ return NOTIFY_DONE;
+}
+
+static struct notifier_block sel_netif_netdev_notifier = {
+ .notifier_call = sel_netif_netdev_notifier_handler,
+};
+
+static __init int sel_netif_init(void)
+{
+ int i, err = 0;
+
+ if (!selinux_enabled)
+ goto out;
+
+ for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)
+ INIT_LIST_HEAD(&sel_netif_hash[i]);
+
+ register_netdevice_notifier(&sel_netif_netdev_notifier);
+
+ err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET,
+ SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
+ if (err)
+ panic("avc_add_callback() failed, error %d\n", err);
+
+out:
+ return err;
+}
+
+__initcall(sel_netif_init);
+