| 55 |
"%s %s %u\n", operation, address, port); |
"%s %s %u\n", operation, address, port); |
| 56 |
} |
} |
| 57 |
|
|
| 58 |
|
/* The list for "struct ccs_address_group_entry". */ |
| 59 |
|
LIST_HEAD(ccs_address_group_list); |
| 60 |
|
|
| 61 |
/** |
/** |
| 62 |
* ccs_save_ipv6_address - Keep the given IPv6 address on the RAM. |
* ccs_get_address_group - Allocate memory for "struct ccs_address_group_entry". |
|
* |
|
|
* @addr: Pointer to "struct in6_addr". |
|
| 63 |
* |
* |
| 64 |
* Returns pointer to "struct in6_addr" on success, NULL otherwise. |
* @group_name: The name of address group. |
| 65 |
* |
* |
| 66 |
* The RAM is shared, so NEVER try to modify or kfree() the returned address. |
* Returns pointer to "struct ccs_address_group_entry" on success, |
| 67 |
|
* NULL otherwise. |
| 68 |
*/ |
*/ |
| 69 |
static const struct in6_addr *ccs_save_ipv6_address(const struct in6_addr *addr) |
static struct ccs_address_group_entry *ccs_get_address_group(const char * |
| 70 |
{ |
group_name) |
| 71 |
static const u8 ccs_block_size = 16; |
{ |
| 72 |
struct ccs_addr_list { |
struct ccs_address_group_entry *entry = NULL; |
| 73 |
/* Workaround for gcc 4.3's bug. */ |
struct ccs_address_group_entry *group; |
| 74 |
struct in6_addr addr[16]; /* = ccs_block_size */ |
const struct ccs_path_info *saved_group_name; |
| 75 |
struct list1_head list; |
int error = -ENOMEM; |
| 76 |
u32 in_use_count; |
if (!ccs_is_correct_path(group_name, 0, 0, 0, __func__) || |
| 77 |
}; |
!group_name[0]) |
|
static LIST1_HEAD(ccs_address_list); |
|
|
struct ccs_addr_list *ptr; |
|
|
static DEFINE_MUTEX(lock); |
|
|
u8 i = ccs_block_size; |
|
|
if (!addr) |
|
| 78 |
return NULL; |
return NULL; |
| 79 |
mutex_lock(&lock); |
saved_group_name = ccs_get_name(group_name); |
| 80 |
list1_for_each_entry(ptr, &ccs_address_list, list) { |
if (!saved_group_name) |
| 81 |
for (i = 0; i < ptr->in_use_count; i++) { |
return NULL; |
| 82 |
if (!memcmp(&ptr->addr[i], addr, sizeof(*addr))) |
entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
| 83 |
goto ok; |
/***** WRITER SECTION START *****/ |
| 84 |
} |
down_write(&ccs_policy_lock); |
| 85 |
if (i < ccs_block_size) |
list_for_each_entry(group, &ccs_address_group_list, list) { |
| 86 |
break; |
if (saved_group_name != group->group_name) |
| 87 |
|
continue; |
| 88 |
|
atomic_inc(&group->users); |
| 89 |
|
error = 0; |
| 90 |
|
break; |
| 91 |
} |
} |
| 92 |
if (i == ccs_block_size) { |
if (error && ccs_memory_ok(entry)) { |
| 93 |
ptr = ccs_alloc_element(sizeof(*ptr)); |
INIT_LIST_HEAD(&entry->address_group_member_list); |
| 94 |
if (!ptr) |
entry->group_name = saved_group_name; |
| 95 |
goto ok; |
saved_group_name = NULL; |
| 96 |
list1_add_tail_mb(&ptr->list, &ccs_address_list); |
atomic_set(&entry->users, 1); |
| 97 |
i = 0; |
list_add_tail(&entry->list, &ccs_address_group_list); |
| 98 |
} |
group = entry; |
| 99 |
ptr->addr[ptr->in_use_count++] = *addr; |
entry = NULL; |
| 100 |
ok: |
error = 0; |
| 101 |
mutex_unlock(&lock); |
} |
| 102 |
return ptr ? &ptr->addr[i] : NULL; |
up_write(&ccs_policy_lock); |
| 103 |
|
/***** WRITER SECTION END *****/ |
| 104 |
|
ccs_put_name(saved_group_name); |
| 105 |
|
kfree(entry); |
| 106 |
|
return !error ? group : NULL; |
| 107 |
} |
} |
| 108 |
|
|
|
/* The list for "struct ccs_address_group_entry". */ |
|
|
static LIST1_HEAD(ccs_address_group_list); |
|
|
|
|
| 109 |
/** |
/** |
| 110 |
* ccs_update_address_group_entry - Update "struct ccs_address_group_entry" list. |
* ccs_update_address_group_entry - Update "struct ccs_address_group_entry" list. |
| 111 |
* |
* |
| 123 |
const u16 *max_address, |
const u16 *max_address, |
| 124 |
const bool is_delete) |
const bool is_delete) |
| 125 |
{ |
{ |
|
static DEFINE_MUTEX(lock); |
|
|
struct ccs_address_group_entry *new_group; |
|
| 126 |
struct ccs_address_group_entry *group; |
struct ccs_address_group_entry *group; |
| 127 |
struct ccs_address_group_member *new_member; |
struct ccs_address_group_member *entry = NULL; |
| 128 |
struct ccs_address_group_member *member; |
struct ccs_address_group_member *member; |
|
const struct ccs_path_info *saved_group_name; |
|
| 129 |
const struct in6_addr *saved_min_address = NULL; |
const struct in6_addr *saved_min_address = NULL; |
| 130 |
const struct in6_addr *saved_max_address = NULL; |
const struct in6_addr *saved_max_address = NULL; |
| 131 |
int error = -ENOMEM; |
int error = is_delete ? -ENOENT : -ENOMEM; |
|
bool found = false; |
|
| 132 |
const u32 min_ipv4_address = ntohl(*(u32 *) min_address); |
const u32 min_ipv4_address = ntohl(*(u32 *) min_address); |
| 133 |
const u32 max_ipv4_address = ntohl(*(u32 *) max_address); |
const u32 max_ipv4_address = ntohl(*(u32 *) max_address); |
| 134 |
if (!ccs_is_correct_path(group_name, 0, 0, 0, __func__) || |
group = ccs_get_address_group(group_name); |
| 135 |
!group_name[0]) |
if (!group) |
|
return -EINVAL; |
|
|
saved_group_name = ccs_save_name(group_name); |
|
|
if (!saved_group_name) |
|
| 136 |
return -ENOMEM; |
return -ENOMEM; |
| 137 |
if (!is_ipv6) |
if (!is_ipv6) |
| 138 |
goto not_ipv6; |
goto not_ipv6; |
| 139 |
saved_min_address |
saved_min_address |
| 140 |
= ccs_save_ipv6_address((struct in6_addr *) min_address); |
= ccs_get_ipv6_address((struct in6_addr *) min_address); |
| 141 |
saved_max_address |
saved_max_address |
| 142 |
= ccs_save_ipv6_address((struct in6_addr *) max_address); |
= ccs_get_ipv6_address((struct in6_addr *) max_address); |
| 143 |
if (!saved_min_address || !saved_max_address) |
if (!saved_min_address || !saved_max_address) |
| 144 |
return -ENOMEM; |
goto out; |
| 145 |
not_ipv6: |
not_ipv6: |
| 146 |
mutex_lock(&lock); |
if (!is_delete) |
| 147 |
list1_for_each_entry(group, &ccs_address_group_list, list) { |
entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
| 148 |
if (saved_group_name != group->group_name) |
/***** WRITER SECTION START *****/ |
| 149 |
|
down_write(&ccs_policy_lock); |
| 150 |
|
list_for_each_entry(member, &group->address_group_member_list, list) { |
| 151 |
|
if (member->is_ipv6 != is_ipv6) |
| 152 |
continue; |
continue; |
| 153 |
list1_for_each_entry(member, &group->address_group_member_list, |
if (is_ipv6) { |
| 154 |
list) { |
if (member->min.ipv6 != saved_min_address || |
| 155 |
if (member->is_ipv6 != is_ipv6) |
member->max.ipv6 != saved_max_address) |
| 156 |
continue; |
continue; |
| 157 |
if (is_ipv6) { |
} else { |
| 158 |
if (member->min.ipv6 != saved_min_address || |
if (member->min.ipv4 != min_ipv4_address || |
| 159 |
member->max.ipv6 != saved_max_address) |
member->max.ipv4 != max_ipv4_address) |
| 160 |
continue; |
continue; |
|
} else { |
|
|
if (member->min.ipv4 != min_ipv4_address || |
|
|
member->max.ipv4 != max_ipv4_address) |
|
|
continue; |
|
|
} |
|
|
member->is_deleted = is_delete; |
|
|
error = 0; |
|
|
goto out; |
|
| 161 |
} |
} |
| 162 |
found = true; |
member->is_deleted = is_delete; |
| 163 |
|
error = 0; |
| 164 |
break; |
break; |
| 165 |
} |
} |
| 166 |
if (is_delete) { |
if (!is_delete && error && ccs_memory_ok(entry)) { |
| 167 |
error = -ENOENT; |
entry->is_ipv6 = is_ipv6; |
| 168 |
goto out; |
if (is_ipv6) { |
| 169 |
} |
entry->min.ipv6 = saved_min_address; |
| 170 |
if (!found) { |
saved_min_address = NULL; |
| 171 |
new_group = ccs_alloc_element(sizeof(*new_group)); |
entry->max.ipv6 = saved_max_address; |
| 172 |
if (!new_group) |
saved_max_address = NULL; |
| 173 |
goto out; |
} else { |
| 174 |
INIT_LIST1_HEAD(&new_group->address_group_member_list); |
entry->min.ipv4 = min_ipv4_address; |
| 175 |
new_group->group_name = saved_group_name; |
entry->max.ipv4 = max_ipv4_address; |
| 176 |
list1_add_tail_mb(&new_group->list, &ccs_address_group_list); |
} |
| 177 |
group = new_group; |
list_add_tail(&entry->list, &group->address_group_member_list); |
| 178 |
} |
entry = NULL; |
| 179 |
new_member = ccs_alloc_element(sizeof(*new_member)); |
error = 0; |
|
if (!new_member) |
|
|
goto out; |
|
|
new_member->is_ipv6 = is_ipv6; |
|
|
if (is_ipv6) { |
|
|
new_member->min.ipv6 = saved_min_address; |
|
|
new_member->max.ipv6 = saved_max_address; |
|
|
} else { |
|
|
new_member->min.ipv4 = min_ipv4_address; |
|
|
new_member->max.ipv4 = max_ipv4_address; |
|
| 180 |
} |
} |
| 181 |
list1_add_tail_mb(&new_member->list, &group->address_group_member_list); |
up_write(&ccs_policy_lock); |
| 182 |
error = 0; |
/***** WRITER SECTION END *****/ |
| 183 |
out: |
out: |
| 184 |
mutex_unlock(&lock); |
ccs_put_ipv6_address(saved_min_address); |
| 185 |
|
ccs_put_ipv6_address(saved_max_address); |
| 186 |
|
ccs_put_address_group(group); |
| 187 |
ccs_update_counter(CCS_UPDATES_COUNTER_EXCEPTION_POLICY); |
ccs_update_counter(CCS_UPDATES_COUNTER_EXCEPTION_POLICY); |
| 188 |
return error; |
return error; |
| 189 |
} |
} |
| 263 |
} |
} |
| 264 |
|
|
| 265 |
/** |
/** |
|
* ccs_find_or_assign_new_address_group - Create address group. |
|
|
* |
|
|
* @group_name: The name of address group. |
|
|
* |
|
|
* Returns pointer to "struct ccs_address_group_entry" on success, |
|
|
* NULL otherwise. |
|
|
*/ |
|
|
static struct ccs_address_group_entry * |
|
|
ccs_find_or_assign_new_address_group(const char *group_name) |
|
|
{ |
|
|
u8 i; |
|
|
struct ccs_address_group_entry *group; |
|
|
for (i = 0; i <= 1; i++) { |
|
|
list1_for_each_entry(group, &ccs_address_group_list, list) { |
|
|
if (!strcmp(group_name, group->group_name->name)) |
|
|
return group; |
|
|
} |
|
|
if (!i) { |
|
|
const u16 dummy[2] = { 0, 0 }; |
|
|
ccs_update_address_group_entry(group_name, false, |
|
|
dummy, dummy, false); |
|
|
ccs_update_address_group_entry(group_name, false, |
|
|
dummy, dummy, true); |
|
|
} |
|
|
} |
|
|
return NULL; |
|
|
} |
|
|
|
|
|
/** |
|
| 266 |
* ccs_address_matches_group - Check whether the given address matches members of the given address group. |
* ccs_address_matches_group - Check whether the given address matches members of the given address group. |
| 267 |
* |
* |
| 268 |
* @is_ipv6: True if @address is an IPv6 address. |
* @is_ipv6: True if @address is an IPv6 address. |
| 270 |
* @group: Pointer to "struct ccs_address_group_entry". |
* @group: Pointer to "struct ccs_address_group_entry". |
| 271 |
* |
* |
| 272 |
* Returns true if @address matches addresses in @group group, false otherwise. |
* Returns true if @address matches addresses in @group group, false otherwise. |
| 273 |
|
* |
| 274 |
|
* Caller holds ccs_policy_lockfor reading. |
| 275 |
*/ |
*/ |
| 276 |
static bool ccs_address_matches_group(const bool is_ipv6, const u32 *address, |
static bool ccs_address_matches_group(const bool is_ipv6, const u32 *address, |
| 277 |
const struct ccs_address_group_entry * |
const struct ccs_address_group_entry * |
| 279 |
{ |
{ |
| 280 |
struct ccs_address_group_member *member; |
struct ccs_address_group_member *member; |
| 281 |
const u32 ip = ntohl(*address); |
const u32 ip = ntohl(*address); |
| 282 |
list1_for_each_entry(member, &group->address_group_member_list, list) { |
bool matched = false; |
| 283 |
|
list_for_each_entry(member, &group->address_group_member_list, list) { |
| 284 |
if (member->is_deleted) |
if (member->is_deleted) |
| 285 |
continue; |
continue; |
| 286 |
if (member->is_ipv6) { |
if (member->is_ipv6) { |
| 287 |
if (is_ipv6 && |
if (is_ipv6 && |
| 288 |
memcmp(member->min.ipv6, address, 16) <= 0 && |
memcmp(member->min.ipv6, address, 16) <= 0 && |
| 289 |
memcmp(address, member->max.ipv6, 16) <= 0) |
memcmp(address, member->max.ipv6, 16) <= 0) { |
| 290 |
return true; |
matched = true; |
| 291 |
|
break; |
| 292 |
|
} |
| 293 |
} else { |
} else { |
| 294 |
if (!is_ipv6 && |
if (!is_ipv6 && |
| 295 |
member->min.ipv4 <= ip && ip <= member->max.ipv4) |
member->min.ipv4 <= ip && ip <= member->max.ipv4) { |
| 296 |
return true; |
matched = true; |
| 297 |
|
break; |
| 298 |
|
} |
| 299 |
} |
} |
| 300 |
} |
} |
| 301 |
return false; |
return matched; |
| 302 |
} |
} |
| 303 |
|
|
| 304 |
/** |
/** |
| 310 |
*/ |
*/ |
| 311 |
bool ccs_read_address_group_policy(struct ccs_io_buffer *head) |
bool ccs_read_address_group_policy(struct ccs_io_buffer *head) |
| 312 |
{ |
{ |
| 313 |
struct list1_head *gpos; |
struct list_head *gpos; |
| 314 |
struct list1_head *mpos; |
struct list_head *mpos; |
| 315 |
list1_for_each_cookie(gpos, head->read_var1, &ccs_address_group_list) { |
bool done = true; |
| 316 |
|
/***** READER SECTION START *****/ |
| 317 |
|
down_read(&ccs_policy_lock); |
| 318 |
|
list_for_each_cookie(gpos, head->read_var1.u.list, |
| 319 |
|
&ccs_address_group_list) { |
| 320 |
struct ccs_address_group_entry *group; |
struct ccs_address_group_entry *group; |
| 321 |
group = list1_entry(gpos, struct ccs_address_group_entry, list); |
group = list_entry(gpos, struct ccs_address_group_entry, list); |
| 322 |
list1_for_each_cookie(mpos, head->read_var2, |
list_for_each_cookie(mpos, head->read_var2.u.list, |
| 323 |
&group->address_group_member_list) { |
&group->address_group_member_list) { |
| 324 |
char buf[128]; |
char buf[128]; |
| 325 |
struct ccs_address_group_member *member; |
struct ccs_address_group_member *member; |
| 326 |
member = list1_entry(mpos, |
member = list_entry(mpos, |
| 327 |
struct ccs_address_group_member, |
struct ccs_address_group_member, |
| 328 |
list); |
list); |
| 329 |
if (member->is_deleted) |
if (member->is_deleted) |
| 356 |
HIPQUAD(max_address)); |
HIPQUAD(max_address)); |
| 357 |
} |
} |
| 358 |
} |
} |
| 359 |
if (!ccs_io_printf(head, KEYWORD_ADDRESS_GROUP |
done = ccs_io_printf(head, KEYWORD_ADDRESS_GROUP |
| 360 |
"%s %s\n", group->group_name->name, |
"%s %s\n", group->group_name->name, |
| 361 |
buf)) |
buf); |
| 362 |
goto out; |
if (!done) |
| 363 |
|
break; |
| 364 |
} |
} |
| 365 |
|
if (!done) |
| 366 |
|
break; |
| 367 |
} |
} |
| 368 |
return true; |
up_read(&ccs_policy_lock); |
| 369 |
out: |
/***** READER SECTION END *****/ |
| 370 |
return false; |
return done; |
| 371 |
} |
} |
| 372 |
|
|
| 373 |
#if !defined(NIP6) |
#if !defined(NIP6) |
| 438 |
* |
* |
| 439 |
* @operation: Type of operation. |
* @operation: Type of operation. |
| 440 |
* @record_type: Type of address. |
* @record_type: Type of address. |
| 441 |
* @group: Pointer to "struct ccs_address_group_entry". May be NULL. |
* @group: Name of group. May be NULL. |
| 442 |
* @min_address: Start of IPv4 or IPv6 address range. |
* @min_address: Start of IPv4 or IPv6 address range. |
| 443 |
* @max_address: End of IPv4 or IPv6 address range. |
* @max_address: End of IPv4 or IPv6 address range. |
| 444 |
* @min_port: Start of port number range. |
* @min_port: Start of port number range. |
| 450 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
| 451 |
*/ |
*/ |
| 452 |
static int ccs_update_network_entry(const u8 operation, const u8 record_type, |
static int ccs_update_network_entry(const u8 operation, const u8 record_type, |
| 453 |
const struct ccs_address_group_entry *group, |
const char *group_name, |
| 454 |
const u32 *min_address, |
const u32 *min_address, |
| 455 |
const u32 *max_address, |
const u32 *max_address, |
| 456 |
const u16 min_port, const u16 max_port, |
const u16 min_port, const u16 max_port, |
| 458 |
const struct ccs_condition_list *condition, |
const struct ccs_condition_list *condition, |
| 459 |
const bool is_delete) |
const bool is_delete) |
| 460 |
{ |
{ |
| 461 |
static DEFINE_MUTEX(lock); |
struct ccs_ip_network_acl_record *entry = NULL; |
| 462 |
struct ccs_acl_info *ptr; |
struct ccs_acl_info *ptr; |
| 463 |
struct ccs_ip_network_acl_record *acl; |
int error = is_delete ? -ENOENT : -ENOMEM; |
|
int error = -ENOMEM; |
|
| 464 |
/* using host byte order to allow u32 comparison than memcmp().*/ |
/* using host byte order to allow u32 comparison than memcmp().*/ |
| 465 |
const u32 min_ip = ntohl(*min_address); |
const u32 min_ip = ntohl(*min_address); |
| 466 |
const u32 max_ip = ntohl(*max_address); |
const u32 max_ip = ntohl(*max_address); |
| 467 |
const struct in6_addr *saved_min_address = NULL; |
const struct in6_addr *saved_min_address = NULL; |
| 468 |
const struct in6_addr *saved_max_address = NULL; |
const struct in6_addr *saved_max_address = NULL; |
| 469 |
|
struct ccs_address_group_entry *group = NULL; |
| 470 |
if (!domain) |
if (!domain) |
| 471 |
return -EINVAL; |
return -EINVAL; |
| 472 |
if (record_type != IP_RECORD_TYPE_IPv6) |
if (group_name) { |
| 473 |
goto not_ipv6; |
group = ccs_get_address_group(group_name); |
| 474 |
saved_min_address = ccs_save_ipv6_address((struct in6_addr *) |
if (!group) |
| 475 |
min_address); |
return -ENOMEM; |
| 476 |
saved_max_address = ccs_save_ipv6_address((struct in6_addr *) |
} else if (record_type == IP_RECORD_TYPE_IPv6) { |
| 477 |
max_address); |
saved_min_address = ccs_get_ipv6_address((struct in6_addr *) |
| 478 |
if (!saved_min_address || !saved_max_address) |
min_address); |
| 479 |
return -ENOMEM; |
saved_max_address = ccs_get_ipv6_address((struct in6_addr *) |
| 480 |
not_ipv6: |
max_address); |
| 481 |
mutex_lock(&lock); |
if (!saved_min_address || !saved_max_address) |
| 482 |
|
goto out; |
| 483 |
|
} |
| 484 |
if (is_delete) |
if (is_delete) |
| 485 |
goto delete; |
goto delete; |
| 486 |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
| 487 |
|
/***** WRITER SECTION START *****/ |
| 488 |
|
down_write(&ccs_policy_lock); |
| 489 |
|
list_for_each_entry(ptr, &domain->acl_info_list, list) { |
| 490 |
|
struct ccs_ip_network_acl_record *acl; |
| 491 |
if (ccs_acl_type1(ptr) != TYPE_IP_NETWORK_ACL) |
if (ccs_acl_type1(ptr) != TYPE_IP_NETWORK_ACL) |
| 492 |
continue; |
continue; |
| 493 |
if (ccs_get_condition_part(ptr) != condition) |
if (ccs_get_condition_part(ptr) != condition) |
| 510 |
continue; |
continue; |
| 511 |
} |
} |
| 512 |
error = ccs_add_domain_acl(NULL, ptr); |
error = ccs_add_domain_acl(NULL, ptr); |
| 513 |
goto out; |
break; |
| 514 |
} |
} |
| 515 |
/* Not found. Append it to the tail. */ |
if (error && ccs_memory_ok(entry)) { |
| 516 |
acl = ccs_alloc_acl_element(TYPE_IP_NETWORK_ACL, condition); |
entry->head.type = TYPE_IP_NETWORK_ACL; |
| 517 |
if (!acl) |
entry->head.cond = condition; |
| 518 |
goto out; |
entry->operation_type = operation; |
| 519 |
acl->operation_type = operation; |
entry->record_type = record_type; |
| 520 |
acl->record_type = record_type; |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
| 521 |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
entry->u.group = group; |
| 522 |
acl->u.group = group; |
group = NULL; |
| 523 |
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
| 524 |
acl->u.ipv4.min = min_ip; |
entry->u.ipv4.min = min_ip; |
| 525 |
acl->u.ipv4.max = max_ip; |
entry->u.ipv4.max = max_ip; |
| 526 |
} else { |
} else { |
| 527 |
acl->u.ipv6.min = saved_min_address; |
entry->u.ipv6.min = saved_min_address; |
| 528 |
acl->u.ipv6.max = saved_max_address; |
saved_min_address = NULL; |
| 529 |
} |
entry->u.ipv6.max = saved_max_address; |
| 530 |
acl->min_port = min_port; |
saved_max_address = NULL; |
| 531 |
acl->max_port = max_port; |
} |
| 532 |
error = ccs_add_domain_acl(domain, &acl->head); |
entry->min_port = min_port; |
| 533 |
|
entry->max_port = max_port; |
| 534 |
|
error = ccs_add_domain_acl(domain, &entry->head); |
| 535 |
|
entry = NULL; |
| 536 |
|
} |
| 537 |
|
up_write(&ccs_policy_lock); |
| 538 |
|
/***** WRITER SECTION END *****/ |
| 539 |
goto out; |
goto out; |
| 540 |
delete: |
delete: |
| 541 |
error = -ENOENT; |
/***** WRITER SECTION START *****/ |
| 542 |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
down_write(&ccs_policy_lock); |
| 543 |
|
list_for_each_entry(ptr, &domain->acl_info_list, list) { |
| 544 |
|
struct ccs_ip_network_acl_record *acl; |
| 545 |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
| 546 |
continue; |
continue; |
| 547 |
if (ccs_get_condition_part(ptr) != condition) |
if (ccs_get_condition_part(ptr) != condition) |
| 566 |
error = ccs_del_domain_acl(ptr); |
error = ccs_del_domain_acl(ptr); |
| 567 |
break; |
break; |
| 568 |
} |
} |
| 569 |
|
up_write(&ccs_policy_lock); |
| 570 |
|
/***** WRITER SECTION END *****/ |
| 571 |
out: |
out: |
| 572 |
mutex_unlock(&lock); |
ccs_put_ipv6_address(saved_min_address); |
| 573 |
|
ccs_put_ipv6_address(saved_max_address); |
| 574 |
|
ccs_put_address_group(group); |
| 575 |
|
kfree(entry); |
| 576 |
return error; |
return error; |
| 577 |
} |
} |
| 578 |
|
|
| 604 |
if (!r.mode) |
if (!r.mode) |
| 605 |
return 0; |
return 0; |
| 606 |
retry: |
retry: |
| 607 |
list1_for_each_entry(ptr, &r.domain->acl_info_list, list) { |
/***** READER SECTION START *****/ |
| 608 |
|
down_read(&ccs_policy_lock); |
| 609 |
|
list_for_each_entry(ptr, &r.cookie.u.domain->acl_info_list, list) { |
| 610 |
struct ccs_ip_network_acl_record *acl; |
struct ccs_ip_network_acl_record *acl; |
| 611 |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
| 612 |
continue; |
continue; |
| 632 |
found = true; |
found = true; |
| 633 |
break; |
break; |
| 634 |
} |
} |
| 635 |
|
up_read(&ccs_policy_lock); |
| 636 |
|
/***** READER SECTION END *****/ |
| 637 |
memset(buf, 0, sizeof(buf)); |
memset(buf, 0, sizeof(buf)); |
| 638 |
if (is_ipv6) |
if (is_ipv6) |
| 639 |
ccs_print_ipv6(buf, sizeof(buf), |
ccs_print_ipv6(buf, sizeof(buf), |
| 643 |
ccs_audit_network_log(&r, keyword, buf, port, found); |
ccs_audit_network_log(&r, keyword, buf, port, found); |
| 644 |
if (found) |
if (found) |
| 645 |
return 0; |
return 0; |
| 646 |
if (ccs_verbose_mode(r.domain)) |
if (ccs_verbose_mode(r.cookie.u.domain)) |
| 647 |
printk(KERN_WARNING "TOMOYO-%s: %s to %s %u denied for %s\n", |
printk(KERN_WARNING "TOMOYO-%s: %s to %s %u denied for %s\n", |
| 648 |
ccs_get_msg(is_enforce), keyword, buf, port, |
ccs_get_msg(is_enforce), keyword, buf, port, |
| 649 |
ccs_get_last_name(r.domain)); |
ccs_get_last_name(r.cookie.u.domain)); |
| 650 |
if (is_enforce) { |
if (is_enforce) { |
| 651 |
int error = ccs_check_supervisor(&r, KEYWORD_ALLOW_NETWORK |
int error = ccs_check_supervisor(&r, KEYWORD_ALLOW_NETWORK |
| 652 |
"%s %s %u\n", keyword, buf, |
"%s %s %u\n", keyword, buf, |
| 655 |
goto retry; |
goto retry; |
| 656 |
return error; |
return error; |
| 657 |
} |
} |
| 658 |
if (r.mode == 1 && ccs_domain_quota_ok(r.domain)) |
if (r.mode == 1 && ccs_domain_quota_ok(r.cookie.u.domain)) |
| 659 |
ccs_update_network_entry(operation, is_ipv6 ? |
ccs_update_network_entry(operation, is_ipv6 ? |
| 660 |
IP_RECORD_TYPE_IPv6 : |
IP_RECORD_TYPE_IPv6 : |
| 661 |
IP_RECORD_TYPE_IPv4, |
IP_RECORD_TYPE_IPv4, |
| 662 |
NULL, address, address, port, port, |
NULL, address, address, port, port, |
| 663 |
r.domain, ccs_handler_cond(), 0); |
r.cookie.u.domain, ccs_handler_cond(), |
| 664 |
|
false); |
| 665 |
return 0; |
return 0; |
| 666 |
} |
} |
| 667 |
|
|
| 684 |
u8 record_type; |
u8 record_type; |
| 685 |
u16 min_address[8]; |
u16 min_address[8]; |
| 686 |
u16 max_address[8]; |
u16 max_address[8]; |
| 687 |
struct ccs_address_group_entry *group = NULL; |
const char *group_name = NULL; |
| 688 |
u16 min_port; |
u16 min_port; |
| 689 |
u16 max_port; |
u16 max_port; |
| 690 |
u8 count; |
u8 count; |
| 747 |
default: |
default: |
| 748 |
if (*cp2 != '@') |
if (*cp2 != '@') |
| 749 |
goto out; |
goto out; |
| 750 |
group = ccs_find_or_assign_new_address_group(cp2 + 1); |
group_name = cp2 + 1; |
|
if (!group) |
|
|
return -ENOMEM; |
|
| 751 |
record_type = IP_RECORD_TYPE_ADDRESS_GROUP; |
record_type = IP_RECORD_TYPE_ADDRESS_GROUP; |
| 752 |
break; |
break; |
| 753 |
} |
} |
| 758 |
goto out; |
goto out; |
| 759 |
if (count == 1) |
if (count == 1) |
| 760 |
max_port = min_port; |
max_port = min_port; |
| 761 |
return ccs_update_network_entry(operation, record_type, group, |
return ccs_update_network_entry(operation, record_type, group_name, |
| 762 |
(u32 *) min_address, |
(u32 *) min_address, |
| 763 |
(u32 *) max_address, |
(u32 *) max_address, |
| 764 |
min_port, max_port, domain, condition, |
min_port, max_port, domain, condition, |
TOMOYO
Parent Directory
Revision Log
Patch