CoCalc -- netif.c

GitHub Repository: torvalds/linux
Path: blob/master/security/selinux/netif.c
⁵⁰⁷⁰⁸ views
1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * Network interface table.
4
 *
5
 * Network interfaces (devices) do not have a security field, so we
6
 * maintain a table associating each interface with a SID.
7
 *
8
 * Author: James Morris <[email protected]>
9
 *
10
 * Copyright (C) 2003 Red Hat, Inc., James Morris <[email protected]>
11
 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
12
 *		      Paul Moore <[email protected]>
13
 */
14
#include <linux/init.h>
15
#include <linux/types.h>
16
#include <linux/slab.h>
17
#include <linux/stddef.h>
18
#include <linux/kernel.h>
19
#include <linux/list.h>
20
#include <linux/notifier.h>
21
#include <linux/netdevice.h>
22
#include <linux/rcupdate.h>
23
#include <net/net_namespace.h>
24

25
#include "initcalls.h"
26
#include "security.h"
27
#include "objsec.h"
28
#include "netif.h"
29

30
#define SEL_NETIF_HASH_SIZE	64
31
#define SEL_NETIF_HASH_MAX	1024
32

33
struct sel_netif {
34
	struct list_head list;
35
	struct netif_security_struct nsec;
36
	struct rcu_head rcu_head;
37
};
38

39
static u32 sel_netif_total;
40
static DEFINE_SPINLOCK(sel_netif_lock);
41
static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
42

43
/**
44
 * sel_netif_hashfn - Hashing function for the interface table
45
 * @ns: the network namespace
46
 * @ifindex: the network interface
47
 *
48
 * Description:
49
 * This is the hashing function for the network interface table, it returns the
50
 * bucket number for the given interface.
51
 *
52
 */
53
static inline u32 sel_netif_hashfn(const struct net *ns, int ifindex)
54
{
55
	return (((uintptr_t)ns + ifindex) & (SEL_NETIF_HASH_SIZE - 1));
56
}
57

58
/**
59
 * sel_netif_find - Search for an interface record
60
 * @ns: the network namespace
61
 * @ifindex: the network interface
62
 *
63
 * Description:
64
 * Search the network interface table and return the record matching @ifindex.
65
 * If an entry can not be found in the table return NULL.
66
 *
67
 */
68
static inline struct sel_netif *sel_netif_find(const struct net *ns,
69
					       int ifindex)
70
{
71
	u32 idx = sel_netif_hashfn(ns, ifindex);
72
	struct sel_netif *netif;
73

74
	list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list)
75
		if (net_eq(netif->nsec.ns, ns) &&
76
		    netif->nsec.ifindex == ifindex)
77
			return netif;
78

79
	return NULL;
80
}
81

82
/**
83
 * sel_netif_insert - Insert a new interface into the table
84
 * @netif: the new interface record
85
 *
86
 * Description:
87
 * Add a new interface record to the network interface hash table.  Returns
88
 * zero on success, negative values on failure.
89
 *
90
 */
91
static int sel_netif_insert(struct sel_netif *netif)
92
{
93
	u32 idx;
94

95
	if (sel_netif_total >= SEL_NETIF_HASH_MAX)
96
		return -ENOSPC;
97

98
	idx = sel_netif_hashfn(netif->nsec.ns, netif->nsec.ifindex);
99
	list_add_rcu(&netif->list, &sel_netif_hash[idx]);
100
	sel_netif_total++;
101

102
	return 0;
103
}
104

105
/**
106
 * sel_netif_destroy - Remove an interface record from the table
107
 * @netif: the existing interface record
108
 *
109
 * Description:
110
 * Remove an existing interface record from the network interface table.
111
 *
112
 */
113
static void sel_netif_destroy(struct sel_netif *netif)
114
{
115
	list_del_rcu(&netif->list);
116
	sel_netif_total--;
117
	kfree_rcu(netif, rcu_head);
118
}
119

120
/**
121
 * sel_netif_sid_slow - Lookup the SID of a network interface using the policy
122
 * @ns: the network namespace
123
 * @ifindex: the network interface
124
 * @sid: interface SID
125
 *
126
 * Description:
127
 * This function determines the SID of a network interface by querying the
128
 * security policy.  The result is added to the network interface table to
129
 * speedup future queries.  Returns zero on success, negative values on
130
 * failure.
131
 *
132
 */
133
static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
134
{
135
	int ret = 0;
136
	struct sel_netif *netif;
137
	struct sel_netif *new;
138
	struct net_device *dev;
139

140
	/* NOTE: we always use init's network namespace since we don't
141
	 * currently support containers */
142

143
	dev = dev_get_by_index(ns, ifindex);
144
	if (unlikely(dev == NULL)) {
145
		pr_warn("SELinux: failure in %s(), invalid network interface (%d)\n",
146
			__func__, ifindex);
147
		return -ENOENT;
148
	}
149

150
	spin_lock_bh(&sel_netif_lock);
151
	netif = sel_netif_find(ns, ifindex);
152
	if (netif != NULL) {
153
		*sid = netif->nsec.sid;
154
		goto out;
155
	}
156

157
	ret = security_netif_sid(dev->name, sid);
158
	if (ret != 0)
159
		goto out;
160

161
	/* If this memory allocation fails still return 0. The SID
162
	 * is valid, it just won't be added to the cache.
163
	 */
164
	new = kmalloc(sizeof(*new), GFP_ATOMIC);
165
	if (new) {
166
		new->nsec.ns = ns;
167
		new->nsec.ifindex = ifindex;
168
		new->nsec.sid = *sid;
169
		if (sel_netif_insert(new))
170
			kfree(new);
171
	}
172

173
out:
174
	spin_unlock_bh(&sel_netif_lock);
175
	dev_put(dev);
176
	if (unlikely(ret))
177
		pr_warn("SELinux: failure in %s(), unable to determine network interface label (%d)\n",
178
			__func__, ifindex);
179
	return ret;
180
}
181

182
/**
183
 * sel_netif_sid - Lookup the SID of a network interface
184
 * @ns: the network namespace
185
 * @ifindex: the network interface
186
 * @sid: interface SID
187
 *
188
 * Description:
189
 * This function determines the SID of a network interface using the fastest
190
 * method possible.  First the interface table is queried, but if an entry
191
 * can't be found then the policy is queried and the result is added to the
192
 * table to speedup future queries.  Returns zero on success, negative values
193
 * on failure.
194
 *
195
 */
196
int sel_netif_sid(struct net *ns, int ifindex, u32 *sid)
197
{
198
	struct sel_netif *netif;
199

200
	rcu_read_lock();
201
	netif = sel_netif_find(ns, ifindex);
202
	if (likely(netif != NULL)) {
203
		*sid = netif->nsec.sid;
204
		rcu_read_unlock();
205
		return 0;
206
	}
207
	rcu_read_unlock();
208

209
	return sel_netif_sid_slow(ns, ifindex, sid);
210
}
211

212
/**
213
 * sel_netif_kill - Remove an entry from the network interface table
214
 * @ns: the network namespace
215
 * @ifindex: the network interface
216
 *
217
 * Description:
218
 * This function removes the entry matching @ifindex from the network interface
219
 * table if it exists.
220
 *
221
 */
222
static void sel_netif_kill(const struct net *ns, int ifindex)
223
{
224
	struct sel_netif *netif;
225

226
	rcu_read_lock();
227
	spin_lock_bh(&sel_netif_lock);
228
	netif = sel_netif_find(ns, ifindex);
229
	if (netif)
230
		sel_netif_destroy(netif);
231
	spin_unlock_bh(&sel_netif_lock);
232
	rcu_read_unlock();
233
}
234

235
/**
236
 * sel_netif_flush - Flush the entire network interface table
237
 *
238
 * Description:
239
 * Remove all entries from the network interface table.
240
 *
241
 */
242
void sel_netif_flush(void)
243
{
244
	int idx;
245
	struct sel_netif *netif;
246

247
	spin_lock_bh(&sel_netif_lock);
248
	for (idx = 0; idx < SEL_NETIF_HASH_SIZE; idx++)
249
		list_for_each_entry(netif, &sel_netif_hash[idx], list)
250
			sel_netif_destroy(netif);
251
	spin_unlock_bh(&sel_netif_lock);
252
}
253

254
static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
255
					     unsigned long event, void *ptr)
256
{
257
	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
258

259
	if (event == NETDEV_DOWN)
260
		sel_netif_kill(dev_net(dev), dev->ifindex);
261

262
	return NOTIFY_DONE;
263
}
264

265
static struct notifier_block sel_netif_netdev_notifier = {
266
	.notifier_call = sel_netif_netdev_notifier_handler,
267
};
268

269
int __init sel_netif_init(void)
270
{
271
	int i;
272

273
	if (!selinux_enabled_boot)
274
		return 0;
275

276
	for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)
277
		INIT_LIST_HEAD(&sel_netif_hash[i]);
278

279
	register_netdevice_notifier(&sel_netif_netdev_notifier);
280

281
	return 0;
282
}
283

284

285
Product

Resources

Company
