// SPDX-License-Identifier: GPL-2.0-only1/*2* Network node table3*4* SELinux must keep a mapping of network nodes to labels/SIDs. This5* mapping is maintained as part of the normal policy but a fast cache is6* needed to reduce the lookup overhead since most of these queries happen on7* a per-packet basis.8*9* Author: Paul Moore <[email protected]>10*11* This code is heavily based on the "netif" concept originally developed by12* James Morris <[email protected]>13* (see security/selinux/netif.c for more information)14*/1516/*17* (c) Copyright Hewlett-Packard Development Company, L.P., 200718*/1920#include <linux/types.h>21#include <linux/rcupdate.h>22#include <linux/list.h>23#include <linux/slab.h>24#include <linux/spinlock.h>25#include <linux/in.h>26#include <linux/in6.h>27#include <linux/ip.h>28#include <linux/ipv6.h>29#include <net/ip.h>30#include <net/ipv6.h>3132#include "netnode.h"33#include "objsec.h"3435#define SEL_NETNODE_HASH_SIZE 25636#define SEL_NETNODE_HASH_BKT_LIMIT 163738struct sel_netnode_bkt {39unsigned int size;40struct list_head list;41};4243struct sel_netnode {44struct netnode_security_struct nsec;4546struct list_head list;47struct rcu_head rcu;48};4950/* NOTE: we are using a combined hash table for both IPv4 and IPv6, the reason51* for this is that I suspect most users will not make heavy use of both52* address families at the same time so one table will usually end up wasted,53* if this becomes a problem we can always add a hash table for each address54* family later */5556static DEFINE_SPINLOCK(sel_netnode_lock);57static struct sel_netnode_bkt sel_netnode_hash[SEL_NETNODE_HASH_SIZE];5859/**60* sel_netnode_hashfn_ipv4 - IPv4 hashing function for the node table61* @addr: IPv4 address62*63* Description:64* This is the IPv4 hashing function for the node interface table, it returns65* the bucket number for the given IP address.66*67*/68static unsigned int sel_netnode_hashfn_ipv4(__be32 addr)69{70/* at some point we should determine if the mismatch in byte order71* affects the hash function dramatically */72return (addr & (SEL_NETNODE_HASH_SIZE - 1));73}7475/**76* sel_netnode_hashfn_ipv6 - IPv6 hashing function for the node table77* @addr: IPv6 address78*79* Description:80* This is the IPv6 hashing function for the node interface table, it returns81* the bucket number for the given IP address.82*83*/84static unsigned int sel_netnode_hashfn_ipv6(const struct in6_addr *addr)85{86/* just hash the least significant 32 bits to keep things fast (they87* are the most likely to be different anyway), we can revisit this88* later if needed */89return (addr->s6_addr32[3] & (SEL_NETNODE_HASH_SIZE - 1));90}9192/**93* sel_netnode_find - Search for a node record94* @addr: IP address95* @family: address family96*97* Description:98* Search the network node table and return the record matching @addr. If an99* entry can not be found in the table return NULL.100*101*/102static struct sel_netnode *sel_netnode_find(const void *addr, u16 family)103{104unsigned int idx;105struct sel_netnode *node;106107switch (family) {108case PF_INET:109idx = sel_netnode_hashfn_ipv4(*(const __be32 *)addr);110break;111case PF_INET6:112idx = sel_netnode_hashfn_ipv6(addr);113break;114default:115BUG();116return NULL;117}118119list_for_each_entry_rcu(node, &sel_netnode_hash[idx].list, list)120if (node->nsec.family == family)121switch (family) {122case PF_INET:123if (node->nsec.addr.ipv4 == *(const __be32 *)addr)124return node;125break;126case PF_INET6:127if (ipv6_addr_equal(&node->nsec.addr.ipv6,128addr))129return node;130break;131}132133return NULL;134}135136/**137* sel_netnode_insert - Insert a new node into the table138* @node: the new node record139*140* Description:141* Add a new node record to the network address hash table.142*143*/144static void sel_netnode_insert(struct sel_netnode *node)145{146unsigned int idx;147148switch (node->nsec.family) {149case PF_INET:150idx = sel_netnode_hashfn_ipv4(node->nsec.addr.ipv4);151break;152case PF_INET6:153idx = sel_netnode_hashfn_ipv6(&node->nsec.addr.ipv6);154break;155default:156BUG();157return;158}159160/* we need to impose a limit on the growth of the hash table so check161* this bucket to make sure it is within the specified bounds */162list_add_rcu(&node->list, &sel_netnode_hash[idx].list);163if (sel_netnode_hash[idx].size == SEL_NETNODE_HASH_BKT_LIMIT) {164struct sel_netnode *tail;165tail = list_entry(166rcu_dereference_protected(167list_tail_rcu(&sel_netnode_hash[idx].list),168lockdep_is_held(&sel_netnode_lock)),169struct sel_netnode, list);170list_del_rcu(&tail->list);171kfree_rcu(tail, rcu);172} else173sel_netnode_hash[idx].size++;174}175176/**177* sel_netnode_sid_slow - Lookup the SID of a network address using the policy178* @addr: the IP address179* @family: the address family180* @sid: node SID181*182* Description:183* This function determines the SID of a network address by querying the184* security policy. The result is added to the network address table to185* speedup future queries. Returns zero on success, negative values on186* failure.187*188*/189static int sel_netnode_sid_slow(const void *addr, u16 family, u32 *sid)190{191int ret;192struct sel_netnode *node;193struct sel_netnode *new;194195spin_lock_bh(&sel_netnode_lock);196node = sel_netnode_find(addr, family);197if (node != NULL) {198*sid = node->nsec.sid;199spin_unlock_bh(&sel_netnode_lock);200return 0;201}202203/* If this memory allocation fails still return 0. The SID204* is valid, it just won't be added to the cache.205*/206new = kmalloc(sizeof(*new), GFP_ATOMIC);207switch (family) {208case PF_INET:209ret = security_node_sid(PF_INET,210addr, sizeof(struct in_addr), sid);211if (new)212new->nsec.addr.ipv4 = *(const __be32 *)addr;213break;214case PF_INET6:215ret = security_node_sid(PF_INET6,216addr, sizeof(struct in6_addr), sid);217if (new)218new->nsec.addr.ipv6 = *(const struct in6_addr *)addr;219break;220default:221BUG();222ret = -EINVAL;223}224if (ret == 0 && new) {225new->nsec.family = family;226new->nsec.sid = *sid;227sel_netnode_insert(new);228} else229kfree(new);230231spin_unlock_bh(&sel_netnode_lock);232if (unlikely(ret))233pr_warn("SELinux: failure in %s(), unable to determine network node label\n",234__func__);235return ret;236}237238/**239* sel_netnode_sid - Lookup the SID of a network address240* @addr: the IP address241* @family: the address family242* @sid: node SID243*244* Description:245* This function determines the SID of a network address using the fastest246* method possible. First the address table is queried, but if an entry247* can't be found then the policy is queried and the result is added to the248* table to speedup future queries. Returns zero on success, negative values249* on failure.250*251*/252int sel_netnode_sid(const void *addr, u16 family, u32 *sid)253{254struct sel_netnode *node;255256rcu_read_lock();257node = sel_netnode_find(addr, family);258if (likely(node != NULL)) {259*sid = node->nsec.sid;260rcu_read_unlock();261return 0;262}263rcu_read_unlock();264265return sel_netnode_sid_slow(addr, family, sid);266}267268/**269* sel_netnode_flush - Flush the entire network address table270*271* Description:272* Remove all entries from the network address table.273*274*/275void sel_netnode_flush(void)276{277unsigned int idx;278struct sel_netnode *node, *node_tmp;279280spin_lock_bh(&sel_netnode_lock);281for (idx = 0; idx < SEL_NETNODE_HASH_SIZE; idx++) {282list_for_each_entry_safe(node, node_tmp,283&sel_netnode_hash[idx].list, list) {284list_del_rcu(&node->list);285kfree_rcu(node, rcu);286}287sel_netnode_hash[idx].size = 0;288}289spin_unlock_bh(&sel_netnode_lock);290}291292static __init int sel_netnode_init(void)293{294int iter;295296if (!selinux_enabled_boot)297return 0;298299for (iter = 0; iter < SEL_NETNODE_HASH_SIZE; iter++) {300INIT_LIST_HEAD(&sel_netnode_hash[iter].list);301sel_netnode_hash[iter].size = 0;302}303304return 0;305}306307__initcall(sel_netnode_init);308309310