オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照

/[tomoyo]/trunk/1.8.x/ccs-patch/security/ccsecurity/network.c

Annotation of /trunk/1.8.x/ccs-patch/security/ccsecurity/network.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 708 - (hide annotations) (download) (as text)
Mon Nov 19 08:44:45 2007 UTC (16 years, 6 months ago) by kumaneko
Original Path: trunk/1.5.x/ccs-patch/fs/tomoyo_network.c
File MIME type: text/x-csrc
File size: 18805 byte(s) 
Use "struct list_head". Not tested.
1 kumaneko 111 /*
2     * fs/tomoyo_network.c
3     *
4     * Implementation of the Domain-Based Mandatory Access Control.
5     *
6     * Copyright (C) 2005-2007 NTT DATA CORPORATION
7     *
8 kumaneko 708 * Version: 1.5.2-pre 2007/11/19
9 kumaneko 111 *
10     * This file is applicable to both 2.4.30 and 2.6.11 and later.
11     * See README.ccs for ChangeLog.
12     *
13     */
14     /***** TOMOYO Linux start. *****/
15    
16     #include <linux/ccs_common.h>
17     #include <linux/tomoyo.h>
18     #include <linux/realpath.h>
19     #include <net/ip.h>
20    
21     /************************* VARIABLES *************************/
22    
23 kumaneko 652 extern struct mutex domain_acl_lock;
24 kumaneko 111
25     /************************* AUDIT FUNCTIONS *************************/
26    
27 kumaneko 621 static int AuditNetworkLog(const bool is_ipv6, const char *operation, const u32 *address, const u16 port, const bool is_granted)
28 kumaneko 111 {
29     char *buf;
30     int len = 256;
31     if (CanSaveAuditLog(is_granted) < 0) return -ENOMEM;
32     if ((buf = InitAuditLog(&len)) == NULL) return -ENOMEM;
33     snprintf(buf + strlen(buf), len - strlen(buf) - 1, KEYWORD_ALLOW_NETWORK "%s ", operation);
34     if (is_ipv6) {
35     print_ipv6(buf + strlen(buf), len - strlen(buf), (const u16 *) address);
36     } else {
37     u32 ip = *address;
38     snprintf(buf + strlen(buf), len - strlen(buf) - 1, "%u.%u.%u.%u", NIPQUAD(ip));
39     }
40     snprintf(buf + strlen(buf), len - strlen(buf) - 1, " %u\n", port);
41     return WriteAuditLog(buf, is_granted);
42     }
43    
44     /************************* ADDRESS GROUP HANDLER *************************/
45    
46 kumaneko 708 static LIST_HEAD(address_group_list);
47 kumaneko 111
48 kumaneko 621 static int AddAddressGroupEntry(const char *group_name, const bool is_ipv6, const u16 *min_address, const u16 *max_address, const bool is_delete)
49 kumaneko 111 {
50 kumaneko 652 static DEFINE_MUTEX(lock);
51 kumaneko 214 struct address_group_entry *new_group, *group;
52     struct address_group_member *new_member, *member;
53 kumaneko 111 const struct path_info *saved_group_name;
54     int error = -ENOMEM;
55 kumaneko 708 bool found = 0;
56 kumaneko 111 if (!IsCorrectPath(group_name, 0, 0, 0, __FUNCTION__) || !group_name[0]) return -EINVAL;
57     if ((saved_group_name = SaveName(group_name)) == NULL) return -ENOMEM;
58 kumaneko 652 mutex_lock(&lock);
59 kumaneko 708 list_for_each_entry(group, &address_group_list, list) {
60 kumaneko 111 if (saved_group_name != group->group_name) continue;
61 kumaneko 708 list_for_each_entry(member, &group->address_group_member_list, list) {
62 kumaneko 111 if (member->is_ipv6 != is_ipv6) continue;
63     if (is_ipv6) {
64     if (memcmp(member->min.ipv6, min_address, 16) || memcmp(member->max.ipv6, max_address, 16)) continue;
65     } else {
66     if (member->min.ipv4 != * (u32 *) min_address || member->max.ipv4 != * (u32 *) max_address) continue;
67     }
68     member->is_deleted = is_delete;
69     error = 0;
70     goto out;
71     }
72 kumaneko 708 found = 1;
73 kumaneko 111 break;
74     }
75     if (is_delete) {
76     error = -ENOENT;
77     goto out;
78     }
79 kumaneko 708 if (!found) {
80 kumaneko 214 if ((new_group = alloc_element(sizeof(*new_group))) == NULL) goto out;
81 kumaneko 708 INIT_LIST_HEAD(&new_group->address_group_member_list);
82 kumaneko 111 new_group->group_name = saved_group_name;
83 kumaneko 708 list_add_tail_mb(&new_group->list, &address_group_list);
84 kumaneko 111 group = new_group;
85     }
86 kumaneko 214 if ((new_member = alloc_element(sizeof(*new_member))) == NULL) goto out;
87 kumaneko 111 new_member->is_ipv6 = is_ipv6;
88     if (is_ipv6) {
89     memmove(new_member->min.ipv6, min_address, 16);
90     memmove(new_member->max.ipv6, max_address, 16);
91     } else {
92     new_member->min.ipv4 = * (u32 *) min_address;
93     new_member->max.ipv4 = * (u32 *) max_address;
94     }
95 kumaneko 708 list_add_tail_mb(&new_member->list, &group->address_group_member_list);
96 kumaneko 111 error = 0;
97     out:
98 kumaneko 652 mutex_unlock(&lock);
99 kumaneko 111 return error;
100     }
101    
102 kumaneko 621 int AddAddressGroupPolicy(char *data, const bool is_delete)
103 kumaneko 111 {
104     int count, is_ipv6;
105     u16 min_address[8], max_address[8];
106     char *cp = strchr(data, ' ');
107     if (!cp) return -EINVAL;
108     *cp++ = '\0';
109     if ((count = sscanf(cp, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx-%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
110     &min_address[0], &min_address[1], &min_address[2], &min_address[3],
111     &min_address[4], &min_address[5], &min_address[6], &min_address[7],
112     &max_address[0], &max_address[1], &max_address[2], &max_address[3],
113     &max_address[4], &max_address[5], &max_address[6], &max_address[7])) == 8 || count == 16) {
114     int i;
115     for (i = 0; i < 8; i++) {
116     min_address[i] = htons(min_address[i]);
117     max_address[i] = htons(max_address[i]);
118     }
119     if (count == 8) memmove(max_address, min_address, sizeof(min_address));
120     is_ipv6 = 1;
121     } else if ((count = sscanf(cp, "%hu.%hu.%hu.%hu-%hu.%hu.%hu.%hu",
122     &min_address[0], &min_address[1], &min_address[2], &min_address[3],
123     &max_address[0], &max_address[1], &max_address[2], &max_address[3])) == 4 || count == 8) {
124     u32 ip = ((((u8) min_address[0]) << 24) + (((u8) min_address[1]) << 16) + (((u8) min_address[2]) << 8) + (u8) min_address[3]);
125     * (u32 *) min_address = ip;
126     if (count == 8) ip = ((((u8) max_address[0]) << 24) + (((u8) max_address[1]) << 16) + (((u8) max_address[2]) << 8) + (u8) max_address[3]);
127     * (u32 *) max_address = ip;
128     is_ipv6 = 0;
129     } else {
130     return -EINVAL;
131     }
132     return AddAddressGroupEntry(data, is_ipv6, min_address, max_address, is_delete);
133     }
134    
135 kumaneko 214 static struct address_group_entry *FindOrAssignNewAddressGroup(const char *group_name)
136 kumaneko 111 {
137     int i;
138 kumaneko 214 struct address_group_entry *group;
139 kumaneko 111 for (i = 0; i <= 1; i++) {
140 kumaneko 708 list_for_each_entry(group, &address_group_list, list) {
141 kumaneko 111 if (strcmp(group_name, group->group_name->name) == 0) return group;
142     }
143     if (i == 0) {
144     const u16 dummy[2] = { 0, 0 };
145     AddAddressGroupEntry(group_name, 0, dummy, dummy, 0);
146     AddAddressGroupEntry(group_name, 0, dummy, dummy, 1);
147     }
148     }
149     return NULL;
150     }
151    
152 kumaneko 621 static int AddressMatchesToGroup(const bool is_ipv6, const u32 *address, const struct address_group_entry *group)
153 kumaneko 111 {
154 kumaneko 214 struct address_group_member *member;
155 kumaneko 111 const u32 ip = ntohl(*address);
156 kumaneko 708 list_for_each_entry(member, &group->address_group_member_list, list) {
157 kumaneko 111 if (member->is_deleted) continue;
158     if (member->is_ipv6) {
159 kumaneko 141 if (is_ipv6 && memcmp(member->min.ipv6, address, 16) <= 0 && memcmp(address, member->max.ipv6, 16) <= 0) return 1;
160 kumaneko 111 } else {
161 kumaneko 141 if (!is_ipv6 && member->min.ipv4 <= ip && ip <= member->max.ipv4) return 1;
162 kumaneko 111 }
163     }
164     return 0;
165     }
166    
167 kumaneko 214 int ReadAddressGroupPolicy(struct io_buffer *head)
168 kumaneko 111 {
169 kumaneko 708 struct list_head *gpos;
170     struct list_head *mpos;
171     list_for_each_cookie(gpos, head->read_var1, &address_group_list) {
172     struct address_group_entry *group;
173     group = list_entry(gpos, struct address_group_entry, list);
174     list_for_each_cookie(mpos, head->read_var2, &group->address_group_member_list) {
175     char buf[128];
176     struct address_group_member *member;
177     member = list_entry(mpos, struct address_group_member, list);
178     if (member->is_deleted) continue;
179     if (member->is_ipv6) {
180     const u16 *min_address = member->min.ipv6, *max_address = member->max.ipv6;
181     print_ipv6(buf, sizeof(buf), min_address);
182     if (memcmp(min_address, max_address, 16)) {
183     char *cp = strchr(buf, '\0');
184     *cp++ = '-';
185     print_ipv6(cp, sizeof(buf) - strlen(buf), max_address);
186 kumaneko 111 }
187 kumaneko 708 } else {
188     const u32 min_address = member->min.ipv4, max_address = member->max.ipv4;
189     memset(buf, 0, sizeof(buf));
190     snprintf(buf, sizeof(buf) - 1, "%u.%u.%u.%u", HIPQUAD(min_address));
191     if (min_address != max_address) {
192     const int len = strlen(buf);
193     snprintf(buf + len, sizeof(buf) - 1 - len, "-%u.%u.%u.%u", HIPQUAD(max_address));
194     }
195 kumaneko 111 }
196 kumaneko 708 if (io_printf(head, KEYWORD_ADDRESS_GROUP "%s %s\n", group->group_name->name, buf)) return -ENOMEM;
197 kumaneko 111 }
198     }
199 kumaneko 708 return 0;
200 kumaneko 111 }
201    
202     /************************* NETWORK NETWORK ACL HANDLER *************************/
203    
204     char *print_ipv6(char *buffer, const int buffer_len, const u16 *ip)
205     {
206     memset(buffer, 0, buffer_len);
207     snprintf(buffer, buffer_len - 1, "%x:%x:%x:%x:%x:%x:%x:%x", ntohs(ip[0]), ntohs(ip[1]), ntohs(ip[2]), ntohs(ip[3]), ntohs(ip[4]), ntohs(ip[5]), ntohs(ip[6]), ntohs(ip[7]));
208     return buffer;
209     }
210    
211     const char *network2keyword(const unsigned int operation)
212     {
213     const char *keyword = "unknown";
214     switch (operation) {
215     case NETWORK_ACL_UDP_BIND:
216     keyword = "UDP bind";
217     break;
218     case NETWORK_ACL_UDP_CONNECT:
219     keyword = "UDP connect";
220     break;
221     case NETWORK_ACL_TCP_BIND:
222     keyword = "TCP bind";
223     break;
224     case NETWORK_ACL_TCP_LISTEN:
225     keyword = "TCP listen";
226     break;
227     case NETWORK_ACL_TCP_CONNECT:
228     keyword = "TCP connect";
229     break;
230     case NETWORK_ACL_TCP_ACCEPT:
231     keyword = "TCP accept";
232     break;
233     case NETWORK_ACL_RAW_BIND:
234     keyword = "RAW bind";
235     break;
236     case NETWORK_ACL_RAW_CONNECT:
237     keyword = "RAW connect";
238     break;
239     }
240     return keyword;
241     }
242    
243 kumaneko 621 static int AddNetworkEntry(const u8 operation, const u8 record_type, const struct address_group_entry *group, const u32 *min_address, const u32 *max_address, const u16 min_port, const u16 max_port, struct domain_info *domain, const struct condition_list *condition, const bool is_delete)
244 kumaneko 111 {
245     struct acl_info *ptr;
246 kumaneko 708 struct ip_network_acl_record *acl;
247 kumaneko 111 int error = -ENOMEM;
248     const u32 min_ip = ntohl(*min_address), max_ip = ntohl(*max_address); /* using host byte order to allow u32 comparison than memcmp().*/
249     if (!domain) return -EINVAL;
250 kumaneko 652 mutex_lock(&domain_acl_lock);
251 kumaneko 514 if (!is_delete) {
252 kumaneko 708 list_for_each_entry(ptr, &domain->acl_info_list, list) {
253     acl = list_entry(ptr, struct ip_network_acl_record, head);
254     if (ptr->type == TYPE_IP_NETWORK_ACL && acl->operation_type == operation && acl->record_type == record_type && ptr->cond == condition && acl->min_port == min_port && max_port == acl->max_port) {
255 kumaneko 111 if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) {
256 kumaneko 708 if (acl->u.group == group) {
257 kumaneko 111 ptr->is_deleted = 0;
258     /* Found. Nothing to do. */
259     error = 0;
260 kumaneko 708 goto out;
261 kumaneko 111 }
262     } else if (record_type == IP_RECORD_TYPE_IPv4) {
263 kumaneko 708 if (acl->u.ipv4.min == min_ip && max_ip == acl->u.ipv4.max) {
264 kumaneko 111 ptr->is_deleted = 0;
265     /* Found. Nothing to do. */
266     error = 0;
267 kumaneko 708 goto out;
268 kumaneko 111 }
269     } else if (record_type == IP_RECORD_TYPE_IPv6) {
270 kumaneko 708 if (memcmp(acl->u.ipv6.min, min_address, 16) == 0 && memcmp(max_address, acl->u.ipv6.max, 16) == 0) {
271 kumaneko 111 ptr->is_deleted = 0;
272     /* Found. Nothing to do. */
273     error = 0;
274 kumaneko 708 goto out;
275 kumaneko 111 }
276     }
277     }
278     }
279 kumaneko 708 /* Not found. Append it to the tail. */
280     if ((acl = alloc_element(sizeof(*acl))) == NULL) goto out;
281     acl->head.type = TYPE_IP_NETWORK_ACL;
282     acl->operation_type = operation;
283     acl->record_type = record_type;
284     acl->head.cond = condition;
285     if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) {
286     acl->u.group = group;
287     } else if (record_type == IP_RECORD_TYPE_IPv4) {
288     acl->u.ipv4.min = min_ip;
289     acl->u.ipv4.max = max_ip;
290     } else {
291     memmove(acl->u.ipv6.min, min_address, 16);
292     memmove(acl->u.ipv6.max, max_address, 16);
293     }
294     acl->min_port = min_port;
295     acl->max_port = max_port;
296     error = AddDomainACL(domain, &acl->head);
297 kumaneko 111 } else {
298     error = -ENOENT;
299 kumaneko 708 list_for_each_entry(ptr, &domain->acl_info_list, list) {
300     acl = list_entry(ptr, struct ip_network_acl_record, head);
301     if (ptr->type != TYPE_IP_NETWORK_ACL || ptr->is_deleted || acl->operation_type != operation || acl->record_type != record_type || ptr->cond != condition || acl->min_port != min_port || acl->max_port != max_port) continue;
302 kumaneko 111 if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) {
303 kumaneko 708 if (acl->u.group != group) continue;
304 kumaneko 111 } else if (record_type == IP_RECORD_TYPE_IPv4) {
305 kumaneko 708 if (acl->u.ipv4.min != min_ip || max_ip != acl->u.ipv4.max) continue;
306 kumaneko 111 } else if (record_type == IP_RECORD_TYPE_IPv6) {
307 kumaneko 708 if (memcmp(acl->u.ipv6.min, min_address, 16) || memcmp(max_address, acl->u.ipv6.max, 16)) continue;
308 kumaneko 111 }
309     error = DelDomainACL(ptr);
310     break;
311     }
312     }
313 kumaneko 708 out: ;
314 kumaneko 652 mutex_unlock(&domain_acl_lock);
315 kumaneko 111 return error;
316     }
317    
318 kumaneko 621 static int CheckNetworkEntry(const bool is_ipv6, const int operation, const u32 *address, const u16 port)
319 kumaneko 111 {
320     struct domain_info * const domain = current->domain_info;
321     struct acl_info *ptr;
322     const char *keyword = network2keyword(operation);
323 kumaneko 621 const bool is_enforce = CheckCCSEnforce(CCS_TOMOYO_MAC_FOR_NETWORK);
324 kumaneko 111 const u32 ip = ntohl(*address); /* using host byte order to allow u32 comparison than memcmp().*/
325 kumaneko 708 bool found = 0;
326 kumaneko 111 if (!CheckCCSFlags(CCS_TOMOYO_MAC_FOR_NETWORK)) return 0;
327 kumaneko 708 list_for_each_entry(ptr, &domain->acl_info_list, list) {
328     struct ip_network_acl_record *acl;
329     acl = list_entry(ptr, struct ip_network_acl_record, head);
330     if (ptr->type != TYPE_IP_NETWORK_ACL || ptr->is_deleted || acl->operation_type != operation || port < acl->min_port || acl->max_port < port || CheckCondition(ptr->cond, NULL)) continue;
331     if (acl->record_type == IP_RECORD_TYPE_ADDRESS_GROUP) {
332     if (!AddressMatchesToGroup(is_ipv6, address, acl->u.group)) continue;
333     } else if (acl->record_type == IP_RECORD_TYPE_IPv4) {
334     if (is_ipv6 || ip < acl->u.ipv4.min || acl->u.ipv4.max < ip) continue;
335 kumaneko 111 } else {
336 kumaneko 708 if (!is_ipv6 || memcmp(acl->u.ipv6.min, address, 16) > 0 || memcmp(address, acl->u.ipv6.max, 16) > 0) continue;
337 kumaneko 111 }
338 kumaneko 708 found = 1;
339     break;
340    
341 kumaneko 111 }
342 kumaneko 708 AuditNetworkLog(is_ipv6, keyword, address, port, found);
343     if (found) return 0;
344 kumaneko 111 if (TomoyoVerboseMode()) {
345     if (is_ipv6) {
346     char buf[64];
347     print_ipv6(buf, sizeof(buf), (const u16 *) address);
348     printk("TOMOYO-%s: %s to %s %u denied for %s\n", GetMSG(is_enforce), keyword, buf, port, GetLastName(domain));
349     } else {
350     printk("TOMOYO-%s: %s to %u.%u.%u.%u %u denied for %s\n", GetMSG(is_enforce), keyword, HIPQUAD(ip), port, GetLastName(domain));
351     }
352     }
353     AuditNetworkLog(is_ipv6, keyword, address, port, 0);
354     if (is_enforce) {
355     if (is_ipv6) {
356     char buf[64];
357     print_ipv6(buf, sizeof(buf), (const u16 *) address);
358     return CheckSupervisor("%s\n" KEYWORD_ALLOW_NETWORK "%s %s %u\n", domain->domainname->name, keyword, buf, port);
359     }
360     return CheckSupervisor("%s\n" KEYWORD_ALLOW_NETWORK "%s %u.%u.%u.%u %u\n", domain->domainname->name, keyword, HIPQUAD(ip), port);
361     }
362 kumaneko 596 if (CheckCCSAccept(CCS_TOMOYO_MAC_FOR_NETWORK, domain)) AddNetworkEntry(operation, is_ipv6 ? IP_RECORD_TYPE_IPv6 : IP_RECORD_TYPE_IPv4, NULL, address, address, port, port, domain, NULL, 0);
363 kumaneko 111 return 0;
364     }
365    
366 kumaneko 621 int AddNetworkPolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete)
367 kumaneko 111 {
368     u8 sock_type, operation, record_type;
369     u16 min_address[8], max_address[8];
370     struct address_group_entry *group = NULL;
371     u16 min_port, max_port;
372     int count;
373     char *cp1 = NULL, *cp2 = NULL;
374     if ((cp1 = strchr(data, ' ')) == NULL) goto out; cp1++;
375     if (strncmp(data, "TCP ", 4) == 0) sock_type = SOCK_STREAM;
376     else if (strncmp(data, "UDP ", 4) == 0) sock_type = SOCK_DGRAM;
377     else if (strncmp(data, "RAW ", 4) == 0) sock_type = SOCK_RAW;
378     else goto out;
379     if ((cp2 = strchr(cp1, ' ')) == NULL) goto out; cp2++;
380     if (strncmp(cp1, "bind ", 5) == 0) {
381     operation = (sock_type == SOCK_STREAM) ? NETWORK_ACL_TCP_BIND : (sock_type == SOCK_DGRAM) ? NETWORK_ACL_UDP_BIND : NETWORK_ACL_RAW_BIND;
382     } else if (strncmp(cp1, "connect ", 8) == 0) {
383     operation = (sock_type == SOCK_STREAM) ? NETWORK_ACL_TCP_CONNECT : (sock_type == SOCK_DGRAM) ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT;
384     } else if (sock_type == SOCK_STREAM && strncmp(cp1, "listen ", 7) == 0) {
385     operation = NETWORK_ACL_TCP_LISTEN;
386     } else if (sock_type == SOCK_STREAM && strncmp(cp1, "accept ", 7) == 0) {
387     operation = NETWORK_ACL_TCP_ACCEPT;
388     } else {
389     goto out;
390     }
391     if ((cp1 = strchr(cp2, ' ')) == NULL) goto out; *cp1++ = '\0';
392     if ((count = sscanf(cp2, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx-%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
393     &min_address[0], &min_address[1], &min_address[2], &min_address[3],
394     &min_address[4], &min_address[5], &min_address[6], &min_address[7],
395     &max_address[0], &max_address[1], &max_address[2], &max_address[3],
396     &max_address[4], &max_address[5], &max_address[6], &max_address[7])) == 8 || count == 16) {
397     int i;
398     for (i = 0; i < 8; i++) {
399     min_address[i] = htons(min_address[i]);
400     max_address[i] = htons(max_address[i]);
401     }
402     if (count == 8) memmove(max_address, min_address, sizeof(min_address));
403     record_type = IP_RECORD_TYPE_IPv6;
404     } else if ((count = sscanf(cp2, "%hu.%hu.%hu.%hu-%hu.%hu.%hu.%hu",
405     &min_address[0], &min_address[1], &min_address[2], &min_address[3],
406     &max_address[0], &max_address[1], &max_address[2], &max_address[3])) == 4 || count == 8) {
407     u32 ip = htonl((((u8) min_address[0]) << 24) + (((u8) min_address[1]) << 16) + (((u8) min_address[2]) << 8) + (u8) min_address[3]);
408     * (u32 *) min_address = ip;
409     if (count == 8) ip = htonl((((u8) max_address[0]) << 24) + (((u8) max_address[1]) << 16) + (((u8) max_address[2]) << 8) + (u8) max_address[3]);
410     * (u32 *) max_address = ip;
411     record_type = IP_RECORD_TYPE_IPv4;
412     } else if (*cp2 == '@') {
413     if ((group = FindOrAssignNewAddressGroup(cp2 + 1)) == NULL) return -ENOMEM;
414     record_type = IP_RECORD_TYPE_ADDRESS_GROUP;
415     } else {
416     goto out;
417     }
418     if (strchr(cp1, ' ')) goto out;
419     if ((count = sscanf(cp1, "%hu-%hu", &min_port, &max_port)) == 1 || count == 2) {
420     if (count == 1) max_port = min_port;
421 kumaneko 514 return AddNetworkEntry(operation, record_type, group, (u32 *) min_address, (u32 *) max_address, min_port, max_port, domain, condition, is_delete);
422 kumaneko 111 }
423     out: ;
424     return -EINVAL;
425     }
426    
427 kumaneko 652 int CheckNetworkListenACL(const _Bool is_ipv6, const u8 *address, const u16 port)
428 kumaneko 111 {
429     return CheckNetworkEntry(is_ipv6, NETWORK_ACL_TCP_LISTEN, (const u32 *) address, ntohs(port));
430     }
431 kumaneko 223 EXPORT_SYMBOL(CheckNetworkListenACL);
432 kumaneko 111
433 kumaneko 652 int CheckNetworkConnectACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port)
434 kumaneko 111 {
435     return CheckNetworkEntry(is_ipv6, sock_type == SOCK_STREAM ? NETWORK_ACL_TCP_CONNECT : (sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT), (const u32 *) address, ntohs(port));
436     }
437 kumaneko 223 EXPORT_SYMBOL(CheckNetworkConnectACL);
438 kumaneko 111
439 kumaneko 652 int CheckNetworkBindACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port)
440 kumaneko 111 {
441     return CheckNetworkEntry(is_ipv6, sock_type == SOCK_STREAM ? NETWORK_ACL_TCP_BIND : (sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_BIND : NETWORK_ACL_RAW_BIND), (const u32 *) address, ntohs(port));
442     }
443 kumaneko 223 EXPORT_SYMBOL(CheckNetworkBindACL);
444 kumaneko 111
445 kumaneko 652 int CheckNetworkAcceptACL(const _Bool is_ipv6, const u8 *address, const u16 port)
446 kumaneko 111 {
447 kumaneko 708 int retval;
448     current->tomoyo_flags |= CCS_DONT_SLEEP_ON_ENFORCE_ERROR;
449     retval = CheckNetworkEntry(is_ipv6, NETWORK_ACL_TCP_ACCEPT, (const u32 *) address, ntohs(port));
450     current->tomoyo_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR;
451     return retval;
452 kumaneko 111 }
453 kumaneko 223 EXPORT_SYMBOL(CheckNetworkAcceptACL);
454 kumaneko 111
455 kumaneko 652 int CheckNetworkSendMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port)
456 kumaneko 111 {
457     return CheckNetworkEntry(is_ipv6, sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT, (const u32 *) address, ntohs(port));
458     }
459 kumaneko 223 EXPORT_SYMBOL(CheckNetworkSendMsgACL);
460 kumaneko 111
461 kumaneko 652 int CheckNetworkRecvMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port)
462 kumaneko 111 {
463 kumaneko 708 int retval;
464     current->tomoyo_flags |= CCS_DONT_SLEEP_ON_ENFORCE_ERROR;
465     retval = CheckNetworkEntry(is_ipv6, sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT, (const u32 *) address, ntohs(port));
466     current->tomoyo_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR;
467     return retval;
468 kumaneko 111 }
469     EXPORT_SYMBOL(CheckNetworkRecvMsgACL);
470    
471     /***** TOMOYO Linux end. *****/
Back to OSDN">Back to OSDN
 ViewVC Help
Powered by ViewVC 1.1.26  
サイト情報
ソフトウェアを探す
ソフトウェアを作る
コミュニティ
ヘルプ