| 5 |
* |
* |
| 6 |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
| 7 |
* |
* |
| 8 |
* Version: 1.6.2-rc 2008/06/12 |
* Version: 1.6.5-pre 2008/11/04 |
| 9 |
* |
* |
| 10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
| 11 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
| 23 |
/** |
/** |
| 24 |
* audit_network_log - Audit network log. |
* audit_network_log - Audit network log. |
| 25 |
* |
* |
| 26 |
* @is_ipv6: True if @address is an IPv6 address. |
* @r: Pointer to "struct ccs_request_info". |
| 27 |
* @operation: The name of operation. |
* @operation: The name of operation. |
| 28 |
* @address: An IPv4 or IPv6 address. |
* @address: An IPv4 or IPv6 address. |
| 29 |
* @port: Port number. |
* @port: Port number. |
| 30 |
* @is_granted: True if this is a granted log. |
* @is_granted: True if this is a granted log. |
|
* @profile: Profile number used. |
|
|
* @mode: Access control mode used. |
|
| 31 |
* |
* |
| 32 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
| 33 |
*/ |
*/ |
| 34 |
static int audit_network_log(const bool is_ipv6, const char *operation, |
static int audit_network_log(struct ccs_request_info *r, const char *operation, |
| 35 |
const char *address, const u16 port, |
const char *address, const u16 port, |
| 36 |
const bool is_granted, |
const bool is_granted) |
|
const u8 profile, const u8 mode) |
|
| 37 |
{ |
{ |
| 38 |
char *buf; |
return ccs_write_audit_log(is_granted, r, KEYWORD_ALLOW_NETWORK |
| 39 |
int len = 256; |
"%s %s %u\n", operation, address, port); |
|
int len2; |
|
|
if (ccs_can_save_audit_log(is_granted) < 0) |
|
|
return -ENOMEM; |
|
|
buf = ccs_init_audit_log(&len, profile, mode, NULL); |
|
|
if (!buf) |
|
|
return -ENOMEM; |
|
|
len2 = strlen(buf); |
|
|
snprintf(buf + len2, len - len2 - 1, KEYWORD_ALLOW_NETWORK "%s %s %u\n", |
|
|
operation, address, port); |
|
|
return ccs_write_audit_log(buf, is_granted); |
|
| 40 |
} |
} |
| 41 |
|
|
| 42 |
/** |
/** |
| 52 |
{ |
{ |
| 53 |
static const u8 block_size = 16; |
static const u8 block_size = 16; |
| 54 |
struct addr_list { |
struct addr_list { |
| 55 |
struct in6_addr addr[block_size]; |
/* Workaround for gcc 4.3's bug. */ |
| 56 |
|
struct in6_addr addr[16]; /* = block_size */ |
| 57 |
struct list1_head list; |
struct list1_head list; |
| 58 |
u32 in_use_count; |
u32 in_use_count; |
| 59 |
}; |
}; |
| 187 |
} |
} |
| 188 |
|
|
| 189 |
/** |
/** |
| 190 |
|
* parse_ip_address - Parse an IP address. |
| 191 |
|
* |
| 192 |
|
* @address: String to parse. |
| 193 |
|
* @min: Pointer to store min address. |
| 194 |
|
* @max: Pointer to store max address. |
| 195 |
|
* |
| 196 |
|
* Returns 2 if @address is an IPv6, 1 if @address is an IPv4, 0 otherwise. |
| 197 |
|
*/ |
| 198 |
|
static int parse_ip_address(char *address, u16 *min, u16 *max) |
| 199 |
|
{ |
| 200 |
|
int count = sscanf(address, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx" |
| 201 |
|
"-%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx", |
| 202 |
|
&min[0], &min[1], &min[2], &min[3], |
| 203 |
|
&min[4], &min[5], &min[6], &min[7], |
| 204 |
|
&max[0], &max[1], &max[2], &max[3], |
| 205 |
|
&max[4], &max[5], &max[6], &max[7]); |
| 206 |
|
if (count == 8 || count == 16) { |
| 207 |
|
u8 i; |
| 208 |
|
if (count == 8) |
| 209 |
|
memmove(max, min, sizeof(u16) * 8); |
| 210 |
|
for (i = 0; i < 8; i++) { |
| 211 |
|
min[i] = htons(min[i]); |
| 212 |
|
max[i] = htons(max[i]); |
| 213 |
|
} |
| 214 |
|
return 2; |
| 215 |
|
} |
| 216 |
|
count = sscanf(address, "%hu.%hu.%hu.%hu-%hu.%hu.%hu.%hu", |
| 217 |
|
&min[0], &min[1], &min[2], &min[3], |
| 218 |
|
&max[0], &max[1], &max[2], &max[3]); |
| 219 |
|
if (count == 4 || count == 8) { |
| 220 |
|
u32 ip = htonl((((u8) min[0]) << 24) + (((u8) min[1]) << 16) |
| 221 |
|
+ (((u8) min[2]) << 8) + (u8) min[3]); |
| 222 |
|
memmove(min, &ip, sizeof(ip)); |
| 223 |
|
if (count == 8) |
| 224 |
|
ip = htonl((((u8) max[0]) << 24) + (((u8) max[1]) << 16) |
| 225 |
|
+ (((u8) max[2]) << 8) + (u8) max[3]); |
| 226 |
|
memmove(max, &ip, sizeof(ip)); |
| 227 |
|
return 1; |
| 228 |
|
} |
| 229 |
|
return 0; |
| 230 |
|
} |
| 231 |
|
|
| 232 |
|
/** |
| 233 |
* ccs_write_address_group_policy - Write "struct address_group_entry" list. |
* ccs_write_address_group_policy - Write "struct address_group_entry" list. |
| 234 |
* |
* |
| 235 |
* @data: String to parse. |
* @data: String to parse. |
| 239 |
*/ |
*/ |
| 240 |
int ccs_write_address_group_policy(char *data, const bool is_delete) |
int ccs_write_address_group_policy(char *data, const bool is_delete) |
| 241 |
{ |
{ |
|
u8 count; |
|
| 242 |
bool is_ipv6; |
bool is_ipv6; |
| 243 |
u16 min_address[8]; |
u16 min_address[8]; |
| 244 |
u16 max_address[8]; |
u16 max_address[8]; |
| 246 |
if (!cp) |
if (!cp) |
| 247 |
return -EINVAL; |
return -EINVAL; |
| 248 |
*cp++ = '\0'; |
*cp++ = '\0'; |
| 249 |
count = sscanf(cp, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx" |
switch (parse_ip_address(cp, min_address, max_address)) { |
| 250 |
"-%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx", |
case 2: |
|
&min_address[0], &min_address[1], |
|
|
&min_address[2], &min_address[3], |
|
|
&min_address[4], &min_address[5], |
|
|
&min_address[6], &min_address[7], |
|
|
&max_address[0], &max_address[1], |
|
|
&max_address[2], &max_address[3], |
|
|
&max_address[4], &max_address[5], |
|
|
&max_address[6], &max_address[7]); |
|
|
if (count == 8 || count == 16) { |
|
|
u8 i; |
|
|
for (i = 0; i < 8; i++) { |
|
|
min_address[i] = htons(min_address[i]); |
|
|
max_address[i] = htons(max_address[i]); |
|
|
} |
|
|
if (count == 8) |
|
|
memmove(max_address, min_address, sizeof(min_address)); |
|
| 251 |
is_ipv6 = true; |
is_ipv6 = true; |
| 252 |
goto ok; |
break; |
| 253 |
} |
case 1: |
|
count = sscanf(cp, "%hu.%hu.%hu.%hu-%hu.%hu.%hu.%hu", |
|
|
&min_address[0], &min_address[1], |
|
|
&min_address[2], &min_address[3], |
|
|
&max_address[0], &max_address[1], |
|
|
&max_address[2], &max_address[3]); |
|
|
if (count == 4 || count == 8) { |
|
|
u32 ip = ((((u8) min_address[0]) << 24) |
|
|
+ (((u8) min_address[1]) << 16) |
|
|
+ (((u8) min_address[2]) << 8) |
|
|
+ (u8) min_address[3]); |
|
|
*(u32 *) min_address = ip; |
|
|
if (count == 8) |
|
|
ip = ((((u8) max_address[0]) << 24) |
|
|
+ (((u8) max_address[1]) << 16) |
|
|
+ (((u8) max_address[2]) << 8) |
|
|
+ (u8) max_address[3]); |
|
|
*(u32 *) max_address = ip; |
|
| 254 |
is_ipv6 = false; |
is_ipv6 = false; |
| 255 |
goto ok; |
break; |
| 256 |
|
default: |
| 257 |
|
return -EINVAL; |
| 258 |
} |
} |
|
return -EINVAL; |
|
|
ok: |
|
| 259 |
return update_address_group_entry(data, is_ipv6, |
return update_address_group_entry(data, is_ipv6, |
| 260 |
min_address, max_address, is_delete); |
min_address, max_address, is_delete); |
| 261 |
} |
} |
| 467 |
const struct condition_list *condition, |
const struct condition_list *condition, |
| 468 |
const bool is_delete) |
const bool is_delete) |
| 469 |
{ |
{ |
| 470 |
|
static DEFINE_MUTEX(lock); |
| 471 |
struct acl_info *ptr; |
struct acl_info *ptr; |
| 472 |
struct ip_network_acl_record *acl; |
struct ip_network_acl_record *acl; |
| 473 |
int error = -ENOMEM; |
int error = -ENOMEM; |
| 485 |
if (!saved_min_address || !saved_max_address) |
if (!saved_min_address || !saved_max_address) |
| 486 |
return -ENOMEM; |
return -ENOMEM; |
| 487 |
not_ipv6: |
not_ipv6: |
| 488 |
mutex_lock(&domain_acl_lock); |
mutex_lock(&lock); |
| 489 |
if (is_delete) |
if (is_delete) |
| 490 |
goto delete; |
goto delete; |
| 491 |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
| 560 |
break; |
break; |
| 561 |
} |
} |
| 562 |
out: |
out: |
| 563 |
mutex_unlock(&domain_acl_lock); |
mutex_unlock(&lock); |
| 564 |
return error; |
return error; |
| 565 |
} |
} |
| 566 |
|
|
| 577 |
static int check_network_entry(const bool is_ipv6, const u8 operation, |
static int check_network_entry(const bool is_ipv6, const u8 operation, |
| 578 |
const u32 *address, const u16 port) |
const u32 *address, const u16 port) |
| 579 |
{ |
{ |
| 580 |
struct domain_info * const domain = current->domain_info; |
struct ccs_request_info r; |
| 581 |
struct acl_info *ptr; |
struct acl_info *ptr; |
| 582 |
const char *keyword = ccs_net2keyword(operation); |
const char *keyword = ccs_net2keyword(operation); |
| 583 |
const u8 profile = current->domain_info->profile; |
bool is_enforce; |
|
const u8 mode = ccs_check_flags(CCS_TOMOYO_MAC_FOR_NETWORK); |
|
|
const bool is_enforce = (mode == 3); |
|
| 584 |
/* using host byte order to allow u32 comparison than memcmp().*/ |
/* using host byte order to allow u32 comparison than memcmp().*/ |
| 585 |
const u32 ip = ntohl(*address); |
const u32 ip = ntohl(*address); |
| 586 |
bool found = false; |
bool found = false; |
| 587 |
char buf[64]; |
char buf[64]; |
| 588 |
if (!mode) |
if (!ccs_can_sleep()) |
| 589 |
return 0; |
return 0; |
| 590 |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
ccs_init_request_info(&r, NULL, CCS_TOMOYO_MAC_FOR_NETWORK); |
| 591 |
|
is_enforce = (r.mode == 3); |
| 592 |
|
if (!r.mode) |
| 593 |
|
return 0; |
| 594 |
|
retry: |
| 595 |
|
list1_for_each_entry(ptr, &r.domain->acl_info_list, list) { |
| 596 |
struct ip_network_acl_record *acl; |
struct ip_network_acl_record *acl; |
| 597 |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
| 598 |
continue; |
continue; |
| 599 |
acl = container_of(ptr, struct ip_network_acl_record, head); |
acl = container_of(ptr, struct ip_network_acl_record, head); |
| 600 |
if (acl->operation_type != operation || port < acl->min_port || |
if (acl->operation_type != operation || port < acl->min_port || |
| 601 |
acl->max_port < port || !ccs_check_condition(ptr, NULL)) |
acl->max_port < port || !ccs_check_condition(&r, ptr)) |
| 602 |
continue; |
continue; |
| 603 |
if (acl->record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
if (acl->record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
| 604 |
if (!address_matches_to_group(is_ipv6, address, |
if (!address_matches_to_group(is_ipv6, address, |
| 614 |
memcmp(address, acl->u.ipv6.max, 16) > 0) |
memcmp(address, acl->u.ipv6.max, 16) > 0) |
| 615 |
continue; |
continue; |
| 616 |
} |
} |
| 617 |
ccs_update_condition(ptr); |
r.cond = ccs_get_condition_part(ptr); |
| 618 |
found = true; |
found = true; |
| 619 |
break; |
break; |
| 620 |
} |
} |
| 624 |
(const struct in6_addr *) address); |
(const struct in6_addr *) address); |
| 625 |
else |
else |
| 626 |
snprintf(buf, sizeof(buf) - 1, "%u.%u.%u.%u", HIPQUAD(ip)); |
snprintf(buf, sizeof(buf) - 1, "%u.%u.%u.%u", HIPQUAD(ip)); |
| 627 |
audit_network_log(is_ipv6, keyword, buf, port, found, profile, mode); |
audit_network_log(&r, keyword, buf, port, found); |
| 628 |
if (found) |
if (found) |
| 629 |
return 0; |
return 0; |
| 630 |
if (ccs_verbose_mode()) |
if (ccs_verbose_mode(r.domain)) |
| 631 |
printk(KERN_WARNING "TOMOYO-%s: %s to %s %u denied for %s\n", |
printk(KERN_WARNING "TOMOYO-%s: %s to %s %u denied for %s\n", |
| 632 |
ccs_get_msg(is_enforce), keyword, buf, port, |
ccs_get_msg(is_enforce), keyword, buf, port, |
| 633 |
ccs_get_last_name(domain)); |
ccs_get_last_name(r.domain)); |
| 634 |
if (is_enforce) |
if (is_enforce) { |
| 635 |
return ccs_check_supervisor(NULL, KEYWORD_ALLOW_NETWORK "%s " |
int error = ccs_check_supervisor(&r, KEYWORD_ALLOW_NETWORK |
| 636 |
"%s %u\n", keyword, buf, port); |
"%s %s %u\n", keyword, buf, |
| 637 |
if (mode == 1 && ccs_check_domain_quota(domain)) |
port); |
| 638 |
|
if (error == 1) |
| 639 |
|
goto retry; |
| 640 |
|
return error; |
| 641 |
|
} |
| 642 |
|
if (r.mode == 1 && ccs_check_domain_quota(r.domain)) |
| 643 |
update_network_entry(operation, is_ipv6 ? |
update_network_entry(operation, is_ipv6 ? |
| 644 |
IP_RECORD_TYPE_IPv6 : IP_RECORD_TYPE_IPv4, |
IP_RECORD_TYPE_IPv6 : IP_RECORD_TYPE_IPv4, |
| 645 |
NULL, address, address, port, port, domain, |
NULL, address, address, port, port, |
| 646 |
NULL, 0); |
r.domain, NULL, 0); |
| 647 |
return 0; |
return 0; |
| 648 |
} |
} |
| 649 |
|
|
| 719 |
if (!cp1) |
if (!cp1) |
| 720 |
goto out; |
goto out; |
| 721 |
*cp1++ = '\0'; |
*cp1++ = '\0'; |
| 722 |
count = sscanf(cp2, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx" |
switch (parse_ip_address(cp2, min_address, max_address)) { |
| 723 |
"-%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx", |
case 2: |
|
&min_address[0], &min_address[1], |
|
|
&min_address[2], &min_address[3], |
|
|
&min_address[4], &min_address[5], |
|
|
&min_address[6], &min_address[7], |
|
|
&max_address[0], &max_address[1], |
|
|
&max_address[2], &max_address[3], |
|
|
&max_address[4], &max_address[5], |
|
|
&max_address[6], &max_address[7]); |
|
|
if (count == 8 || count == 16) { |
|
|
u8 i; |
|
|
for (i = 0; i < 8; i++) { |
|
|
min_address[i] = htons(min_address[i]); |
|
|
max_address[i] = htons(max_address[i]); |
|
|
} |
|
|
if (count == 8) |
|
|
memmove(max_address, min_address, sizeof(min_address)); |
|
| 724 |
record_type = IP_RECORD_TYPE_IPv6; |
record_type = IP_RECORD_TYPE_IPv6; |
| 725 |
goto ok; |
break; |
| 726 |
} |
case 1: |
|
count = sscanf(cp2, "%hu.%hu.%hu.%hu-%hu.%hu.%hu.%hu", |
|
|
&min_address[0], &min_address[1], |
|
|
&min_address[2], &min_address[3], |
|
|
&max_address[0], &max_address[1], |
|
|
&max_address[2], &max_address[3]); |
|
|
if (count == 4 || count == 8) { |
|
|
u32 ip = htonl((((u8) min_address[0]) << 24) |
|
|
+ (((u8) min_address[1]) << 16) |
|
|
+ (((u8) min_address[2]) << 8) |
|
|
+ (u8) min_address[3]); |
|
|
*(u32 *) min_address = ip; |
|
|
if (count == 8) |
|
|
ip = htonl((((u8) max_address[0]) << 24) |
|
|
+ (((u8) max_address[1]) << 16) |
|
|
+ (((u8) max_address[2]) << 8) |
|
|
+ (u8) max_address[3]); |
|
|
*(u32 *) max_address = ip; |
|
| 727 |
record_type = IP_RECORD_TYPE_IPv4; |
record_type = IP_RECORD_TYPE_IPv4; |
| 728 |
goto ok; |
break; |
| 729 |
} |
default: |
| 730 |
if (*cp2 == '@') { |
if (*cp2 != '@') |
| 731 |
|
goto out; |
| 732 |
group = find_or_assign_new_address_group(cp2 + 1); |
group = find_or_assign_new_address_group(cp2 + 1); |
| 733 |
if (!group) |
if (!group) |
| 734 |
return -ENOMEM; |
return -ENOMEM; |
| 735 |
record_type = IP_RECORD_TYPE_ADDRESS_GROUP; |
record_type = IP_RECORD_TYPE_ADDRESS_GROUP; |
| 736 |
goto ok; |
break; |
| 737 |
} |
} |
|
out: |
|
|
return -EINVAL; |
|
|
ok: |
|
| 738 |
if (strchr(cp1, ' ')) |
if (strchr(cp1, ' ')) |
| 739 |
goto out; |
goto out; |
| 740 |
count = sscanf(cp1, "%hu-%hu", &min_port, &max_port); |
count = sscanf(cp1, "%hu-%hu", &min_port, &max_port); |
| 746 |
(u32 *) min_address, (u32 *) max_address, |
(u32 *) min_address, (u32 *) max_address, |
| 747 |
min_port, max_port, domain, condition, |
min_port, max_port, domain, condition, |
| 748 |
is_delete); |
is_delete); |
| 749 |
|
out: |
| 750 |
|
return -EINVAL; |
| 751 |
} |
} |
| 752 |
|
|
| 753 |
/** |
/** |
TOMOYO
Parent Directory
Revision Log
Patch