55 |
"%s %s %u\n", operation, address, port); |
"%s %s %u\n", operation, address, port); |
56 |
} |
} |
57 |
|
|
58 |
|
/* The list for "struct ccs_address_group_entry". */ |
59 |
|
LIST_HEAD(ccs_address_group_list); |
60 |
|
|
61 |
/** |
/** |
62 |
* ccs_save_ipv6_address - Keep the given IPv6 address on the RAM. |
* ccs_get_address_group - Allocate memory for "struct ccs_address_group_entry". |
|
* |
|
|
* @addr: Pointer to "struct in6_addr". |
|
63 |
* |
* |
64 |
* Returns pointer to "struct in6_addr" on success, NULL otherwise. |
* @group_name: The name of address group. |
65 |
* |
* |
66 |
* The RAM is shared, so NEVER try to modify or kfree() the returned address. |
* Returns pointer to "struct ccs_address_group_entry" on success, |
67 |
|
* NULL otherwise. |
68 |
*/ |
*/ |
69 |
static const struct in6_addr *ccs_save_ipv6_address(const struct in6_addr *addr) |
static struct ccs_address_group_entry *ccs_get_address_group(const char * |
70 |
{ |
group_name) |
71 |
static const u8 ccs_block_size = 16; |
{ |
72 |
struct ccs_addr_list { |
struct ccs_address_group_entry *entry = NULL; |
73 |
/* Workaround for gcc 4.3's bug. */ |
struct ccs_address_group_entry *group; |
74 |
struct in6_addr addr[16]; /* = ccs_block_size */ |
const struct ccs_path_info *saved_group_name; |
75 |
struct list1_head list; |
int error = -ENOMEM; |
76 |
u32 in_use_count; |
if (!ccs_is_correct_path(group_name, 0, 0, 0, __func__) || |
77 |
}; |
!group_name[0]) |
|
static LIST1_HEAD(ccs_address_list); |
|
|
struct ccs_addr_list *ptr; |
|
|
static DEFINE_MUTEX(lock); |
|
|
u8 i = ccs_block_size; |
|
|
if (!addr) |
|
78 |
return NULL; |
return NULL; |
79 |
mutex_lock(&lock); |
saved_group_name = ccs_get_name(group_name); |
80 |
list1_for_each_entry(ptr, &ccs_address_list, list) { |
if (!saved_group_name) |
81 |
for (i = 0; i < ptr->in_use_count; i++) { |
return NULL; |
82 |
if (!memcmp(&ptr->addr[i], addr, sizeof(*addr))) |
entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
83 |
goto ok; |
/***** WRITER SECTION START *****/ |
84 |
} |
down_write(&ccs_policy_lock); |
85 |
if (i < ccs_block_size) |
list_for_each_entry(group, &ccs_address_group_list, list) { |
86 |
break; |
if (saved_group_name != group->group_name) |
87 |
|
continue; |
88 |
|
atomic_inc(&group->users); |
89 |
|
error = 0; |
90 |
|
break; |
91 |
} |
} |
92 |
if (i == ccs_block_size) { |
if (error && ccs_memory_ok(entry)) { |
93 |
ptr = ccs_alloc_element(sizeof(*ptr)); |
INIT_LIST_HEAD(&entry->address_group_member_list); |
94 |
if (!ptr) |
entry->group_name = saved_group_name; |
95 |
goto ok; |
saved_group_name = NULL; |
96 |
list1_add_tail_mb(&ptr->list, &ccs_address_list); |
atomic_set(&entry->users, 1); |
97 |
i = 0; |
list_add_tail(&entry->list, &ccs_address_group_list); |
98 |
} |
group = entry; |
99 |
ptr->addr[ptr->in_use_count++] = *addr; |
entry = NULL; |
100 |
ok: |
error = 0; |
101 |
mutex_unlock(&lock); |
} |
102 |
return ptr ? &ptr->addr[i] : NULL; |
up_write(&ccs_policy_lock); |
103 |
|
/***** WRITER SECTION END *****/ |
104 |
|
ccs_put_name(saved_group_name); |
105 |
|
kfree(entry); |
106 |
|
return !error ? group : NULL; |
107 |
} |
} |
108 |
|
|
|
/* The list for "struct ccs_address_group_entry". */ |
|
|
static LIST1_HEAD(ccs_address_group_list); |
|
|
|
|
109 |
/** |
/** |
110 |
* ccs_update_address_group_entry - Update "struct ccs_address_group_entry" list. |
* ccs_update_address_group_entry - Update "struct ccs_address_group_entry" list. |
111 |
* |
* |
123 |
const u16 *max_address, |
const u16 *max_address, |
124 |
const bool is_delete) |
const bool is_delete) |
125 |
{ |
{ |
|
static DEFINE_MUTEX(lock); |
|
|
struct ccs_address_group_entry *new_group; |
|
126 |
struct ccs_address_group_entry *group; |
struct ccs_address_group_entry *group; |
127 |
struct ccs_address_group_member *new_member; |
struct ccs_address_group_member *entry = NULL; |
128 |
struct ccs_address_group_member *member; |
struct ccs_address_group_member *member; |
|
const struct ccs_path_info *saved_group_name; |
|
129 |
const struct in6_addr *saved_min_address = NULL; |
const struct in6_addr *saved_min_address = NULL; |
130 |
const struct in6_addr *saved_max_address = NULL; |
const struct in6_addr *saved_max_address = NULL; |
131 |
int error = -ENOMEM; |
int error = is_delete ? -ENOENT : -ENOMEM; |
|
bool found = false; |
|
132 |
const u32 min_ipv4_address = ntohl(*(u32 *) min_address); |
const u32 min_ipv4_address = ntohl(*(u32 *) min_address); |
133 |
const u32 max_ipv4_address = ntohl(*(u32 *) max_address); |
const u32 max_ipv4_address = ntohl(*(u32 *) max_address); |
134 |
if (!ccs_is_correct_path(group_name, 0, 0, 0, __func__) || |
group = ccs_get_address_group(group_name); |
135 |
!group_name[0]) |
if (!group) |
|
return -EINVAL; |
|
|
saved_group_name = ccs_save_name(group_name); |
|
|
if (!saved_group_name) |
|
136 |
return -ENOMEM; |
return -ENOMEM; |
137 |
if (!is_ipv6) |
if (!is_ipv6) |
138 |
goto not_ipv6; |
goto not_ipv6; |
139 |
saved_min_address |
saved_min_address |
140 |
= ccs_save_ipv6_address((struct in6_addr *) min_address); |
= ccs_get_ipv6_address((struct in6_addr *) min_address); |
141 |
saved_max_address |
saved_max_address |
142 |
= ccs_save_ipv6_address((struct in6_addr *) max_address); |
= ccs_get_ipv6_address((struct in6_addr *) max_address); |
143 |
if (!saved_min_address || !saved_max_address) |
if (!saved_min_address || !saved_max_address) |
144 |
return -ENOMEM; |
goto out; |
145 |
not_ipv6: |
not_ipv6: |
146 |
mutex_lock(&lock); |
if (!is_delete) |
147 |
list1_for_each_entry(group, &ccs_address_group_list, list) { |
entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
148 |
if (saved_group_name != group->group_name) |
/***** WRITER SECTION START *****/ |
149 |
|
down_write(&ccs_policy_lock); |
150 |
|
list_for_each_entry(member, &group->address_group_member_list, list) { |
151 |
|
if (member->is_ipv6 != is_ipv6) |
152 |
continue; |
continue; |
153 |
list1_for_each_entry(member, &group->address_group_member_list, |
if (is_ipv6) { |
154 |
list) { |
if (member->min.ipv6 != saved_min_address || |
155 |
if (member->is_ipv6 != is_ipv6) |
member->max.ipv6 != saved_max_address) |
156 |
continue; |
continue; |
157 |
if (is_ipv6) { |
} else { |
158 |
if (member->min.ipv6 != saved_min_address || |
if (member->min.ipv4 != min_ipv4_address || |
159 |
member->max.ipv6 != saved_max_address) |
member->max.ipv4 != max_ipv4_address) |
160 |
continue; |
continue; |
|
} else { |
|
|
if (member->min.ipv4 != min_ipv4_address || |
|
|
member->max.ipv4 != max_ipv4_address) |
|
|
continue; |
|
|
} |
|
|
member->is_deleted = is_delete; |
|
|
error = 0; |
|
|
goto out; |
|
161 |
} |
} |
162 |
found = true; |
member->is_deleted = is_delete; |
163 |
|
error = 0; |
164 |
break; |
break; |
165 |
} |
} |
166 |
if (is_delete) { |
if (!is_delete && error && ccs_memory_ok(entry)) { |
167 |
error = -ENOENT; |
entry->is_ipv6 = is_ipv6; |
168 |
goto out; |
if (is_ipv6) { |
169 |
} |
entry->min.ipv6 = saved_min_address; |
170 |
if (!found) { |
saved_min_address = NULL; |
171 |
new_group = ccs_alloc_element(sizeof(*new_group)); |
entry->max.ipv6 = saved_max_address; |
172 |
if (!new_group) |
saved_max_address = NULL; |
173 |
goto out; |
} else { |
174 |
INIT_LIST1_HEAD(&new_group->address_group_member_list); |
entry->min.ipv4 = min_ipv4_address; |
175 |
new_group->group_name = saved_group_name; |
entry->max.ipv4 = max_ipv4_address; |
176 |
list1_add_tail_mb(&new_group->list, &ccs_address_group_list); |
} |
177 |
group = new_group; |
list_add_tail(&entry->list, &group->address_group_member_list); |
178 |
} |
entry = NULL; |
179 |
new_member = ccs_alloc_element(sizeof(*new_member)); |
error = 0; |
|
if (!new_member) |
|
|
goto out; |
|
|
new_member->is_ipv6 = is_ipv6; |
|
|
if (is_ipv6) { |
|
|
new_member->min.ipv6 = saved_min_address; |
|
|
new_member->max.ipv6 = saved_max_address; |
|
|
} else { |
|
|
new_member->min.ipv4 = min_ipv4_address; |
|
|
new_member->max.ipv4 = max_ipv4_address; |
|
180 |
} |
} |
181 |
list1_add_tail_mb(&new_member->list, &group->address_group_member_list); |
up_write(&ccs_policy_lock); |
182 |
error = 0; |
/***** WRITER SECTION END *****/ |
183 |
out: |
out: |
184 |
mutex_unlock(&lock); |
ccs_put_ipv6_address(saved_min_address); |
185 |
|
ccs_put_ipv6_address(saved_max_address); |
186 |
|
ccs_put_address_group(group); |
187 |
ccs_update_counter(CCS_UPDATES_COUNTER_EXCEPTION_POLICY); |
ccs_update_counter(CCS_UPDATES_COUNTER_EXCEPTION_POLICY); |
188 |
return error; |
return error; |
189 |
} |
} |
263 |
} |
} |
264 |
|
|
265 |
/** |
/** |
|
* ccs_find_or_assign_new_address_group - Create address group. |
|
|
* |
|
|
* @group_name: The name of address group. |
|
|
* |
|
|
* Returns pointer to "struct ccs_address_group_entry" on success, |
|
|
* NULL otherwise. |
|
|
*/ |
|
|
static struct ccs_address_group_entry * |
|
|
ccs_find_or_assign_new_address_group(const char *group_name) |
|
|
{ |
|
|
u8 i; |
|
|
struct ccs_address_group_entry *group; |
|
|
for (i = 0; i <= 1; i++) { |
|
|
list1_for_each_entry(group, &ccs_address_group_list, list) { |
|
|
if (!strcmp(group_name, group->group_name->name)) |
|
|
return group; |
|
|
} |
|
|
if (!i) { |
|
|
const u16 dummy[2] = { 0, 0 }; |
|
|
ccs_update_address_group_entry(group_name, false, |
|
|
dummy, dummy, false); |
|
|
ccs_update_address_group_entry(group_name, false, |
|
|
dummy, dummy, true); |
|
|
} |
|
|
} |
|
|
return NULL; |
|
|
} |
|
|
|
|
|
/** |
|
266 |
* ccs_address_matches_group - Check whether the given address matches members of the given address group. |
* ccs_address_matches_group - Check whether the given address matches members of the given address group. |
267 |
* |
* |
268 |
* @is_ipv6: True if @address is an IPv6 address. |
* @is_ipv6: True if @address is an IPv6 address. |
270 |
* @group: Pointer to "struct ccs_address_group_entry". |
* @group: Pointer to "struct ccs_address_group_entry". |
271 |
* |
* |
272 |
* Returns true if @address matches addresses in @group group, false otherwise. |
* Returns true if @address matches addresses in @group group, false otherwise. |
273 |
|
* |
274 |
|
* Caller holds ccs_policy_lockfor reading. |
275 |
*/ |
*/ |
276 |
static bool ccs_address_matches_group(const bool is_ipv6, const u32 *address, |
static bool ccs_address_matches_group(const bool is_ipv6, const u32 *address, |
277 |
const struct ccs_address_group_entry * |
const struct ccs_address_group_entry * |
279 |
{ |
{ |
280 |
struct ccs_address_group_member *member; |
struct ccs_address_group_member *member; |
281 |
const u32 ip = ntohl(*address); |
const u32 ip = ntohl(*address); |
282 |
list1_for_each_entry(member, &group->address_group_member_list, list) { |
bool matched = false; |
283 |
|
list_for_each_entry(member, &group->address_group_member_list, list) { |
284 |
if (member->is_deleted) |
if (member->is_deleted) |
285 |
continue; |
continue; |
286 |
if (member->is_ipv6) { |
if (member->is_ipv6) { |
287 |
if (is_ipv6 && |
if (is_ipv6 && |
288 |
memcmp(member->min.ipv6, address, 16) <= 0 && |
memcmp(member->min.ipv6, address, 16) <= 0 && |
289 |
memcmp(address, member->max.ipv6, 16) <= 0) |
memcmp(address, member->max.ipv6, 16) <= 0) { |
290 |
return true; |
matched = true; |
291 |
|
break; |
292 |
|
} |
293 |
} else { |
} else { |
294 |
if (!is_ipv6 && |
if (!is_ipv6 && |
295 |
member->min.ipv4 <= ip && ip <= member->max.ipv4) |
member->min.ipv4 <= ip && ip <= member->max.ipv4) { |
296 |
return true; |
matched = true; |
297 |
|
break; |
298 |
|
} |
299 |
} |
} |
300 |
} |
} |
301 |
return false; |
return matched; |
302 |
} |
} |
303 |
|
|
304 |
/** |
/** |
310 |
*/ |
*/ |
311 |
bool ccs_read_address_group_policy(struct ccs_io_buffer *head) |
bool ccs_read_address_group_policy(struct ccs_io_buffer *head) |
312 |
{ |
{ |
313 |
struct list1_head *gpos; |
struct list_head *gpos; |
314 |
struct list1_head *mpos; |
struct list_head *mpos; |
315 |
list1_for_each_cookie(gpos, head->read_var1, &ccs_address_group_list) { |
bool done = true; |
316 |
|
/***** READER SECTION START *****/ |
317 |
|
down_read(&ccs_policy_lock); |
318 |
|
list_for_each_cookie(gpos, head->read_var1.u.list, |
319 |
|
&ccs_address_group_list) { |
320 |
struct ccs_address_group_entry *group; |
struct ccs_address_group_entry *group; |
321 |
group = list1_entry(gpos, struct ccs_address_group_entry, list); |
group = list_entry(gpos, struct ccs_address_group_entry, list); |
322 |
list1_for_each_cookie(mpos, head->read_var2, |
list_for_each_cookie(mpos, head->read_var2.u.list, |
323 |
&group->address_group_member_list) { |
&group->address_group_member_list) { |
324 |
char buf[128]; |
char buf[128]; |
325 |
struct ccs_address_group_member *member; |
struct ccs_address_group_member *member; |
326 |
member = list1_entry(mpos, |
member = list_entry(mpos, |
327 |
struct ccs_address_group_member, |
struct ccs_address_group_member, |
328 |
list); |
list); |
329 |
if (member->is_deleted) |
if (member->is_deleted) |
356 |
HIPQUAD(max_address)); |
HIPQUAD(max_address)); |
357 |
} |
} |
358 |
} |
} |
359 |
if (!ccs_io_printf(head, KEYWORD_ADDRESS_GROUP |
done = ccs_io_printf(head, KEYWORD_ADDRESS_GROUP |
360 |
"%s %s\n", group->group_name->name, |
"%s %s\n", group->group_name->name, |
361 |
buf)) |
buf); |
362 |
goto out; |
if (!done) |
363 |
|
break; |
364 |
} |
} |
365 |
|
if (!done) |
366 |
|
break; |
367 |
} |
} |
368 |
return true; |
up_read(&ccs_policy_lock); |
369 |
out: |
/***** READER SECTION END *****/ |
370 |
return false; |
return done; |
371 |
} |
} |
372 |
|
|
373 |
#if !defined(NIP6) |
#if !defined(NIP6) |
438 |
* |
* |
439 |
* @operation: Type of operation. |
* @operation: Type of operation. |
440 |
* @record_type: Type of address. |
* @record_type: Type of address. |
441 |
* @group: Pointer to "struct ccs_address_group_entry". May be NULL. |
* @group: Name of group. May be NULL. |
442 |
* @min_address: Start of IPv4 or IPv6 address range. |
* @min_address: Start of IPv4 or IPv6 address range. |
443 |
* @max_address: End of IPv4 or IPv6 address range. |
* @max_address: End of IPv4 or IPv6 address range. |
444 |
* @min_port: Start of port number range. |
* @min_port: Start of port number range. |
450 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
451 |
*/ |
*/ |
452 |
static int ccs_update_network_entry(const u8 operation, const u8 record_type, |
static int ccs_update_network_entry(const u8 operation, const u8 record_type, |
453 |
const struct ccs_address_group_entry *group, |
const char *group_name, |
454 |
const u32 *min_address, |
const u32 *min_address, |
455 |
const u32 *max_address, |
const u32 *max_address, |
456 |
const u16 min_port, const u16 max_port, |
const u16 min_port, const u16 max_port, |
458 |
const struct ccs_condition_list *condition, |
const struct ccs_condition_list *condition, |
459 |
const bool is_delete) |
const bool is_delete) |
460 |
{ |
{ |
461 |
static DEFINE_MUTEX(lock); |
struct ccs_ip_network_acl_record *entry = NULL; |
462 |
struct ccs_acl_info *ptr; |
struct ccs_acl_info *ptr; |
463 |
struct ccs_ip_network_acl_record *acl; |
int error = is_delete ? -ENOENT : -ENOMEM; |
|
int error = -ENOMEM; |
|
464 |
/* using host byte order to allow u32 comparison than memcmp().*/ |
/* using host byte order to allow u32 comparison than memcmp().*/ |
465 |
const u32 min_ip = ntohl(*min_address); |
const u32 min_ip = ntohl(*min_address); |
466 |
const u32 max_ip = ntohl(*max_address); |
const u32 max_ip = ntohl(*max_address); |
467 |
const struct in6_addr *saved_min_address = NULL; |
const struct in6_addr *saved_min_address = NULL; |
468 |
const struct in6_addr *saved_max_address = NULL; |
const struct in6_addr *saved_max_address = NULL; |
469 |
|
struct ccs_address_group_entry *group = NULL; |
470 |
if (!domain) |
if (!domain) |
471 |
return -EINVAL; |
return -EINVAL; |
472 |
if (record_type != IP_RECORD_TYPE_IPv6) |
if (group_name) { |
473 |
goto not_ipv6; |
group = ccs_get_address_group(group_name); |
474 |
saved_min_address = ccs_save_ipv6_address((struct in6_addr *) |
if (!group) |
475 |
min_address); |
return -ENOMEM; |
476 |
saved_max_address = ccs_save_ipv6_address((struct in6_addr *) |
} else if (record_type == IP_RECORD_TYPE_IPv6) { |
477 |
max_address); |
saved_min_address = ccs_get_ipv6_address((struct in6_addr *) |
478 |
if (!saved_min_address || !saved_max_address) |
min_address); |
479 |
return -ENOMEM; |
saved_max_address = ccs_get_ipv6_address((struct in6_addr *) |
480 |
not_ipv6: |
max_address); |
481 |
mutex_lock(&lock); |
if (!saved_min_address || !saved_max_address) |
482 |
|
goto out; |
483 |
|
} |
484 |
if (is_delete) |
if (is_delete) |
485 |
goto delete; |
goto delete; |
486 |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
487 |
|
/***** WRITER SECTION START *****/ |
488 |
|
down_write(&ccs_policy_lock); |
489 |
|
list_for_each_entry(ptr, &domain->acl_info_list, list) { |
490 |
|
struct ccs_ip_network_acl_record *acl; |
491 |
if (ccs_acl_type1(ptr) != TYPE_IP_NETWORK_ACL) |
if (ccs_acl_type1(ptr) != TYPE_IP_NETWORK_ACL) |
492 |
continue; |
continue; |
493 |
if (ccs_get_condition_part(ptr) != condition) |
if (ccs_get_condition_part(ptr) != condition) |
510 |
continue; |
continue; |
511 |
} |
} |
512 |
error = ccs_add_domain_acl(NULL, ptr); |
error = ccs_add_domain_acl(NULL, ptr); |
513 |
goto out; |
break; |
514 |
} |
} |
515 |
/* Not found. Append it to the tail. */ |
if (error && ccs_memory_ok(entry)) { |
516 |
acl = ccs_alloc_acl_element(TYPE_IP_NETWORK_ACL, condition); |
entry->head.type = TYPE_IP_NETWORK_ACL; |
517 |
if (!acl) |
entry->head.cond = condition; |
518 |
goto out; |
entry->operation_type = operation; |
519 |
acl->operation_type = operation; |
entry->record_type = record_type; |
520 |
acl->record_type = record_type; |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
521 |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
entry->u.group = group; |
522 |
acl->u.group = group; |
group = NULL; |
523 |
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
524 |
acl->u.ipv4.min = min_ip; |
entry->u.ipv4.min = min_ip; |
525 |
acl->u.ipv4.max = max_ip; |
entry->u.ipv4.max = max_ip; |
526 |
} else { |
} else { |
527 |
acl->u.ipv6.min = saved_min_address; |
entry->u.ipv6.min = saved_min_address; |
528 |
acl->u.ipv6.max = saved_max_address; |
saved_min_address = NULL; |
529 |
} |
entry->u.ipv6.max = saved_max_address; |
530 |
acl->min_port = min_port; |
saved_max_address = NULL; |
531 |
acl->max_port = max_port; |
} |
532 |
error = ccs_add_domain_acl(domain, &acl->head); |
entry->min_port = min_port; |
533 |
|
entry->max_port = max_port; |
534 |
|
error = ccs_add_domain_acl(domain, &entry->head); |
535 |
|
entry = NULL; |
536 |
|
} |
537 |
|
up_write(&ccs_policy_lock); |
538 |
|
/***** WRITER SECTION END *****/ |
539 |
goto out; |
goto out; |
540 |
delete: |
delete: |
541 |
error = -ENOENT; |
/***** WRITER SECTION START *****/ |
542 |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
down_write(&ccs_policy_lock); |
543 |
|
list_for_each_entry(ptr, &domain->acl_info_list, list) { |
544 |
|
struct ccs_ip_network_acl_record *acl; |
545 |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
546 |
continue; |
continue; |
547 |
if (ccs_get_condition_part(ptr) != condition) |
if (ccs_get_condition_part(ptr) != condition) |
566 |
error = ccs_del_domain_acl(ptr); |
error = ccs_del_domain_acl(ptr); |
567 |
break; |
break; |
568 |
} |
} |
569 |
|
up_write(&ccs_policy_lock); |
570 |
|
/***** WRITER SECTION END *****/ |
571 |
out: |
out: |
572 |
mutex_unlock(&lock); |
ccs_put_ipv6_address(saved_min_address); |
573 |
|
ccs_put_ipv6_address(saved_max_address); |
574 |
|
ccs_put_address_group(group); |
575 |
|
kfree(entry); |
576 |
return error; |
return error; |
577 |
} |
} |
578 |
|
|
604 |
if (!r.mode) |
if (!r.mode) |
605 |
return 0; |
return 0; |
606 |
retry: |
retry: |
607 |
list1_for_each_entry(ptr, &r.domain->acl_info_list, list) { |
/***** READER SECTION START *****/ |
608 |
|
down_read(&ccs_policy_lock); |
609 |
|
list_for_each_entry(ptr, &r.cookie.u.domain->acl_info_list, list) { |
610 |
struct ccs_ip_network_acl_record *acl; |
struct ccs_ip_network_acl_record *acl; |
611 |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
612 |
continue; |
continue; |
632 |
found = true; |
found = true; |
633 |
break; |
break; |
634 |
} |
} |
635 |
|
up_read(&ccs_policy_lock); |
636 |
|
/***** READER SECTION END *****/ |
637 |
memset(buf, 0, sizeof(buf)); |
memset(buf, 0, sizeof(buf)); |
638 |
if (is_ipv6) |
if (is_ipv6) |
639 |
ccs_print_ipv6(buf, sizeof(buf), |
ccs_print_ipv6(buf, sizeof(buf), |
643 |
ccs_audit_network_log(&r, keyword, buf, port, found); |
ccs_audit_network_log(&r, keyword, buf, port, found); |
644 |
if (found) |
if (found) |
645 |
return 0; |
return 0; |
646 |
if (ccs_verbose_mode(r.domain)) |
if (ccs_verbose_mode(r.cookie.u.domain)) |
647 |
printk(KERN_WARNING "TOMOYO-%s: %s to %s %u denied for %s\n", |
printk(KERN_WARNING "TOMOYO-%s: %s to %s %u denied for %s\n", |
648 |
ccs_get_msg(is_enforce), keyword, buf, port, |
ccs_get_msg(is_enforce), keyword, buf, port, |
649 |
ccs_get_last_name(r.domain)); |
ccs_get_last_name(r.cookie.u.domain)); |
650 |
if (is_enforce) { |
if (is_enforce) { |
651 |
int error = ccs_check_supervisor(&r, KEYWORD_ALLOW_NETWORK |
int error = ccs_check_supervisor(&r, KEYWORD_ALLOW_NETWORK |
652 |
"%s %s %u\n", keyword, buf, |
"%s %s %u\n", keyword, buf, |
655 |
goto retry; |
goto retry; |
656 |
return error; |
return error; |
657 |
} |
} |
658 |
if (r.mode == 1 && ccs_domain_quota_ok(r.domain)) |
if (r.mode == 1 && ccs_domain_quota_ok(r.cookie.u.domain)) |
659 |
ccs_update_network_entry(operation, is_ipv6 ? |
ccs_update_network_entry(operation, is_ipv6 ? |
660 |
IP_RECORD_TYPE_IPv6 : |
IP_RECORD_TYPE_IPv6 : |
661 |
IP_RECORD_TYPE_IPv4, |
IP_RECORD_TYPE_IPv4, |
662 |
NULL, address, address, port, port, |
NULL, address, address, port, port, |
663 |
r.domain, ccs_handler_cond(), 0); |
r.cookie.u.domain, ccs_handler_cond(), |
664 |
|
false); |
665 |
return 0; |
return 0; |
666 |
} |
} |
667 |
|
|
684 |
u8 record_type; |
u8 record_type; |
685 |
u16 min_address[8]; |
u16 min_address[8]; |
686 |
u16 max_address[8]; |
u16 max_address[8]; |
687 |
struct ccs_address_group_entry *group = NULL; |
const char *group_name = NULL; |
688 |
u16 min_port; |
u16 min_port; |
689 |
u16 max_port; |
u16 max_port; |
690 |
u8 count; |
u8 count; |
747 |
default: |
default: |
748 |
if (*cp2 != '@') |
if (*cp2 != '@') |
749 |
goto out; |
goto out; |
750 |
group = ccs_find_or_assign_new_address_group(cp2 + 1); |
group_name = cp2 + 1; |
|
if (!group) |
|
|
return -ENOMEM; |
|
751 |
record_type = IP_RECORD_TYPE_ADDRESS_GROUP; |
record_type = IP_RECORD_TYPE_ADDRESS_GROUP; |
752 |
break; |
break; |
753 |
} |
} |
758 |
goto out; |
goto out; |
759 |
if (count == 1) |
if (count == 1) |
760 |
max_port = min_port; |
max_port = min_port; |
761 |
return ccs_update_network_entry(operation, record_type, group, |
return ccs_update_network_entry(operation, record_type, group_name, |
762 |
(u32 *) min_address, |
(u32 *) min_address, |
763 |
(u32 *) max_address, |
(u32 *) max_address, |
764 |
min_port, max_port, domain, condition, |
min_port, max_port, domain, condition, |