5 |
* |
* |
6 |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
7 |
* |
* |
8 |
* Version: 1.6.7 2009/04/01 |
* Version: 1.6.8-pre 2009/05/08 |
9 |
* |
* |
10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
11 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
55 |
"%s %s %u\n", operation, address, port); |
"%s %s %u\n", operation, address, port); |
56 |
} |
} |
57 |
|
|
58 |
|
/* The list for "struct ccs_address_group_entry". */ |
59 |
|
LIST_HEAD(ccs_address_group_list); |
60 |
|
|
61 |
/** |
/** |
62 |
* ccs_save_ipv6_address - Keep the given IPv6 address on the RAM. |
* ccs_get_address_group - Allocate memory for "struct ccs_address_group_entry". |
|
* |
|
|
* @addr: Pointer to "struct in6_addr". |
|
63 |
* |
* |
64 |
* Returns pointer to "struct in6_addr" on success, NULL otherwise. |
* @group_name: The name of address group. |
65 |
* |
* |
66 |
* The RAM is shared, so NEVER try to modify or kfree() the returned address. |
* Returns pointer to "struct ccs_address_group_entry" on success, |
67 |
|
* NULL otherwise. |
68 |
*/ |
*/ |
69 |
static const struct in6_addr *ccs_save_ipv6_address(const struct in6_addr *addr) |
static struct ccs_address_group_entry *ccs_get_address_group(const char * |
70 |
{ |
group_name) |
71 |
static const u8 ccs_block_size = 16; |
{ |
72 |
struct ccs_addr_list { |
struct ccs_address_group_entry *entry = NULL; |
73 |
/* Workaround for gcc 4.3's bug. */ |
struct ccs_address_group_entry *group; |
74 |
struct in6_addr addr[16]; /* = ccs_block_size */ |
const struct ccs_path_info *saved_group_name; |
75 |
struct list1_head list; |
int error = -ENOMEM; |
76 |
u32 in_use_count; |
if (!ccs_is_correct_path(group_name, 0, 0, 0, __func__) || |
77 |
}; |
!group_name[0]) |
|
static LIST1_HEAD(ccs_address_list); |
|
|
struct ccs_addr_list *ptr; |
|
|
static DEFINE_MUTEX(lock); |
|
|
u8 i = ccs_block_size; |
|
|
if (!addr) |
|
78 |
return NULL; |
return NULL; |
79 |
mutex_lock(&lock); |
saved_group_name = ccs_get_name(group_name); |
80 |
list1_for_each_entry(ptr, &ccs_address_list, list) { |
if (!saved_group_name) |
81 |
for (i = 0; i < ptr->in_use_count; i++) { |
return NULL; |
82 |
if (!memcmp(&ptr->addr[i], addr, sizeof(*addr))) |
entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
83 |
goto ok; |
/***** WRITER SECTION START *****/ |
84 |
} |
down_write(&ccs_policy_lock); |
85 |
if (i < ccs_block_size) |
list_for_each_entry(group, &ccs_address_group_list, list) { |
86 |
break; |
if (saved_group_name != group->group_name) |
87 |
|
continue; |
88 |
|
atomic_inc(&group->users); |
89 |
|
error = 0; |
90 |
|
break; |
91 |
} |
} |
92 |
if (i == ccs_block_size) { |
if (error && ccs_memory_ok(entry)) { |
93 |
ptr = ccs_alloc_element(sizeof(*ptr)); |
INIT_LIST_HEAD(&entry->address_group_member_list); |
94 |
if (!ptr) |
entry->group_name = saved_group_name; |
95 |
goto ok; |
saved_group_name = NULL; |
96 |
list1_add_tail_mb(&ptr->list, &ccs_address_list); |
atomic_set(&entry->users, 1); |
97 |
i = 0; |
list_add_tail(&entry->list, &ccs_address_group_list); |
98 |
} |
group = entry; |
99 |
ptr->addr[ptr->in_use_count++] = *addr; |
entry = NULL; |
100 |
ok: |
error = 0; |
101 |
mutex_unlock(&lock); |
} |
102 |
return ptr ? &ptr->addr[i] : NULL; |
up_write(&ccs_policy_lock); |
103 |
|
/***** WRITER SECTION END *****/ |
104 |
|
ccs_put_name(saved_group_name); |
105 |
|
kfree(entry); |
106 |
|
return !error ? group : NULL; |
107 |
} |
} |
108 |
|
|
|
/* The list for "struct ccs_address_group_entry". */ |
|
|
static LIST1_HEAD(ccs_address_group_list); |
|
|
|
|
109 |
/** |
/** |
110 |
* ccs_update_address_group_entry - Update "struct ccs_address_group_entry" list. |
* ccs_update_address_group_entry - Update "struct ccs_address_group_entry" list. |
111 |
* |
* |
123 |
const u16 *max_address, |
const u16 *max_address, |
124 |
const bool is_delete) |
const bool is_delete) |
125 |
{ |
{ |
|
static DEFINE_MUTEX(lock); |
|
|
struct ccs_address_group_entry *new_group; |
|
126 |
struct ccs_address_group_entry *group; |
struct ccs_address_group_entry *group; |
127 |
struct ccs_address_group_member *new_member; |
struct ccs_address_group_member *entry = NULL; |
128 |
struct ccs_address_group_member *member; |
struct ccs_address_group_member *member; |
|
const struct ccs_path_info *saved_group_name; |
|
129 |
const struct in6_addr *saved_min_address = NULL; |
const struct in6_addr *saved_min_address = NULL; |
130 |
const struct in6_addr *saved_max_address = NULL; |
const struct in6_addr *saved_max_address = NULL; |
131 |
int error = -ENOMEM; |
int error = is_delete ? -ENOENT : -ENOMEM; |
132 |
bool found = false; |
const u32 min_ipv4_address = ntohl(*(u32 *) min_address); |
133 |
if (!ccs_is_correct_path(group_name, 0, 0, 0, __func__) || |
const u32 max_ipv4_address = ntohl(*(u32 *) max_address); |
134 |
!group_name[0]) |
group = ccs_get_address_group(group_name); |
135 |
return -EINVAL; |
if (!group) |
|
saved_group_name = ccs_save_name(group_name); |
|
|
if (!saved_group_name) |
|
|
return -ENOMEM; |
|
|
if (!is_ipv6) |
|
|
goto not_ipv6; |
|
|
saved_min_address |
|
|
= ccs_save_ipv6_address((struct in6_addr *) min_address); |
|
|
saved_max_address |
|
|
= ccs_save_ipv6_address((struct in6_addr *) max_address); |
|
|
if (!saved_min_address || !saved_max_address) |
|
136 |
return -ENOMEM; |
return -ENOMEM; |
137 |
not_ipv6: |
if (is_ipv6) { |
138 |
mutex_lock(&lock); |
saved_min_address |
139 |
list1_for_each_entry(group, &ccs_address_group_list, list) { |
= ccs_get_ipv6_address((struct in6_addr *) |
140 |
if (saved_group_name != group->group_name) |
min_address); |
141 |
|
saved_max_address |
142 |
|
= ccs_get_ipv6_address((struct in6_addr *) |
143 |
|
max_address); |
144 |
|
if (!saved_min_address || !saved_max_address) |
145 |
|
goto out; |
146 |
|
} |
147 |
|
if (!is_delete) |
148 |
|
entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
149 |
|
/***** WRITER SECTION START *****/ |
150 |
|
down_write(&ccs_policy_lock); |
151 |
|
list_for_each_entry(member, &group->address_group_member_list, list) { |
152 |
|
if (member->is_ipv6 != is_ipv6) |
153 |
continue; |
continue; |
154 |
list1_for_each_entry(member, &group->address_group_member_list, |
if (is_ipv6) { |
155 |
list) { |
if (member->min.ipv6 != saved_min_address || |
156 |
if (member->is_ipv6 != is_ipv6) |
member->max.ipv6 != saved_max_address) |
157 |
|
continue; |
158 |
|
} else { |
159 |
|
if (member->min.ipv4 != min_ipv4_address || |
160 |
|
member->max.ipv4 != max_ipv4_address) |
161 |
continue; |
continue; |
|
if (is_ipv6) { |
|
|
if (member->min.ipv6 != saved_min_address || |
|
|
member->max.ipv6 != saved_max_address) |
|
|
continue; |
|
|
} else { |
|
|
if (member->min.ipv4 != *(u32 *) min_address || |
|
|
member->max.ipv4 != *(u32 *) max_address) |
|
|
continue; |
|
|
} |
|
|
member->is_deleted = is_delete; |
|
|
error = 0; |
|
|
goto out; |
|
162 |
} |
} |
163 |
found = true; |
member->is_deleted = is_delete; |
164 |
|
error = 0; |
165 |
break; |
break; |
166 |
} |
} |
167 |
if (is_delete) { |
if (!is_delete && error && ccs_memory_ok(entry)) { |
168 |
error = -ENOENT; |
entry->is_ipv6 = is_ipv6; |
169 |
goto out; |
if (is_ipv6) { |
170 |
} |
entry->min.ipv6 = saved_min_address; |
171 |
if (!found) { |
saved_min_address = NULL; |
172 |
new_group = ccs_alloc_element(sizeof(*new_group)); |
entry->max.ipv6 = saved_max_address; |
173 |
if (!new_group) |
saved_max_address = NULL; |
174 |
goto out; |
} else { |
175 |
INIT_LIST1_HEAD(&new_group->address_group_member_list); |
entry->min.ipv4 = min_ipv4_address; |
176 |
new_group->group_name = saved_group_name; |
entry->max.ipv4 = max_ipv4_address; |
177 |
list1_add_tail_mb(&new_group->list, &ccs_address_group_list); |
} |
178 |
group = new_group; |
list_add_tail(&entry->list, &group->address_group_member_list); |
179 |
} |
entry = NULL; |
180 |
new_member = ccs_alloc_element(sizeof(*new_member)); |
atomic_inc(&group->users); |
181 |
if (!new_member) |
error = 0; |
|
goto out; |
|
|
new_member->is_ipv6 = is_ipv6; |
|
|
if (is_ipv6) { |
|
|
new_member->min.ipv6 = saved_min_address; |
|
|
new_member->max.ipv6 = saved_max_address; |
|
|
} else { |
|
|
new_member->min.ipv4 = *(u32 *) min_address; |
|
|
new_member->max.ipv4 = *(u32 *) max_address; |
|
182 |
} |
} |
183 |
list1_add_tail_mb(&new_member->list, &group->address_group_member_list); |
up_write(&ccs_policy_lock); |
184 |
error = 0; |
/***** WRITER SECTION END *****/ |
185 |
out: |
out: |
186 |
mutex_unlock(&lock); |
ccs_put_ipv6_address(saved_min_address); |
187 |
|
ccs_put_ipv6_address(saved_max_address); |
188 |
|
ccs_put_address_group(group); |
189 |
ccs_update_counter(CCS_UPDATES_COUNTER_EXCEPTION_POLICY); |
ccs_update_counter(CCS_UPDATES_COUNTER_EXCEPTION_POLICY); |
190 |
return error; |
return error; |
191 |
} |
} |
265 |
} |
} |
266 |
|
|
267 |
/** |
/** |
|
* ccs_find_or_assign_new_address_group - Create address group. |
|
|
* |
|
|
* @group_name: The name of address group. |
|
|
* |
|
|
* Returns pointer to "struct ccs_address_group_entry" on success, |
|
|
* NULL otherwise. |
|
|
*/ |
|
|
static struct ccs_address_group_entry * |
|
|
ccs_find_or_assign_new_address_group(const char *group_name) |
|
|
{ |
|
|
u8 i; |
|
|
struct ccs_address_group_entry *group; |
|
|
for (i = 0; i <= 1; i++) { |
|
|
list1_for_each_entry(group, &ccs_address_group_list, list) { |
|
|
if (!strcmp(group_name, group->group_name->name)) |
|
|
return group; |
|
|
} |
|
|
if (!i) { |
|
|
const u16 dummy[2] = { 0, 0 }; |
|
|
ccs_update_address_group_entry(group_name, false, |
|
|
dummy, dummy, false); |
|
|
ccs_update_address_group_entry(group_name, false, |
|
|
dummy, dummy, true); |
|
|
} |
|
|
} |
|
|
return NULL; |
|
|
} |
|
|
|
|
|
/** |
|
268 |
* ccs_address_matches_group - Check whether the given address matches members of the given address group. |
* ccs_address_matches_group - Check whether the given address matches members of the given address group. |
269 |
* |
* |
270 |
* @is_ipv6: True if @address is an IPv6 address. |
* @is_ipv6: True if @address is an IPv6 address. |
272 |
* @group: Pointer to "struct ccs_address_group_entry". |
* @group: Pointer to "struct ccs_address_group_entry". |
273 |
* |
* |
274 |
* Returns true if @address matches addresses in @group group, false otherwise. |
* Returns true if @address matches addresses in @group group, false otherwise. |
275 |
|
* |
276 |
|
* Caller holds ccs_policy_lockfor reading. |
277 |
*/ |
*/ |
278 |
static bool ccs_address_matches_group(const bool is_ipv6, const u32 *address, |
static bool ccs_address_matches_group(const bool is_ipv6, const u32 *address, |
279 |
const struct ccs_address_group_entry * |
const struct ccs_address_group_entry * |
281 |
{ |
{ |
282 |
struct ccs_address_group_member *member; |
struct ccs_address_group_member *member; |
283 |
const u32 ip = ntohl(*address); |
const u32 ip = ntohl(*address); |
284 |
list1_for_each_entry(member, &group->address_group_member_list, list) { |
bool matched = false; |
285 |
|
list_for_each_entry(member, &group->address_group_member_list, list) { |
286 |
if (member->is_deleted) |
if (member->is_deleted) |
287 |
continue; |
continue; |
288 |
if (member->is_ipv6) { |
if (member->is_ipv6) { |
289 |
if (is_ipv6 && |
if (is_ipv6 && |
290 |
memcmp(member->min.ipv6, address, 16) <= 0 && |
memcmp(member->min.ipv6, address, 16) <= 0 && |
291 |
memcmp(address, member->max.ipv6, 16) <= 0) |
memcmp(address, member->max.ipv6, 16) <= 0) { |
292 |
return true; |
matched = true; |
293 |
|
break; |
294 |
|
} |
295 |
} else { |
} else { |
296 |
if (!is_ipv6 && |
if (!is_ipv6 && |
297 |
member->min.ipv4 <= ip && ip <= member->max.ipv4) |
member->min.ipv4 <= ip && ip <= member->max.ipv4) { |
298 |
return true; |
matched = true; |
299 |
|
break; |
300 |
|
} |
301 |
} |
} |
302 |
} |
} |
303 |
return false; |
return matched; |
304 |
} |
} |
305 |
|
|
306 |
/** |
/** |
312 |
*/ |
*/ |
313 |
bool ccs_read_address_group_policy(struct ccs_io_buffer *head) |
bool ccs_read_address_group_policy(struct ccs_io_buffer *head) |
314 |
{ |
{ |
315 |
struct list1_head *gpos; |
struct list_head *gpos; |
316 |
struct list1_head *mpos; |
struct list_head *mpos; |
317 |
list1_for_each_cookie(gpos, head->read_var1, &ccs_address_group_list) { |
bool done = true; |
318 |
|
/***** READER SECTION START *****/ |
319 |
|
down_read(&ccs_policy_lock); |
320 |
|
list_for_each_cookie(gpos, head->read_var1.u.list, |
321 |
|
&ccs_address_group_list) { |
322 |
struct ccs_address_group_entry *group; |
struct ccs_address_group_entry *group; |
323 |
group = list1_entry(gpos, struct ccs_address_group_entry, list); |
group = list_entry(gpos, struct ccs_address_group_entry, list); |
324 |
list1_for_each_cookie(mpos, head->read_var2, |
list_for_each_cookie(mpos, head->read_var2.u.list, |
325 |
&group->address_group_member_list) { |
&group->address_group_member_list) { |
326 |
char buf[128]; |
char buf[128]; |
327 |
struct ccs_address_group_member *member; |
struct ccs_address_group_member *member; |
328 |
member = list1_entry(mpos, |
member = list_entry(mpos, |
329 |
struct ccs_address_group_member, |
struct ccs_address_group_member, |
330 |
list); |
list); |
331 |
if (member->is_deleted) |
if (member->is_deleted) |
358 |
HIPQUAD(max_address)); |
HIPQUAD(max_address)); |
359 |
} |
} |
360 |
} |
} |
361 |
if (!ccs_io_printf(head, KEYWORD_ADDRESS_GROUP |
done = ccs_io_printf(head, KEYWORD_ADDRESS_GROUP |
362 |
"%s %s\n", group->group_name->name, |
"%s %s\n", group->group_name->name, |
363 |
buf)) |
buf); |
364 |
goto out; |
if (!done) |
365 |
|
break; |
366 |
} |
} |
367 |
|
if (!done) |
368 |
|
break; |
369 |
} |
} |
370 |
return true; |
up_read(&ccs_policy_lock); |
371 |
out: |
/***** READER SECTION END *****/ |
372 |
return false; |
return done; |
373 |
} |
} |
374 |
|
|
375 |
#if !defined(NIP6) |
#if !defined(NIP6) |
440 |
* |
* |
441 |
* @operation: Type of operation. |
* @operation: Type of operation. |
442 |
* @record_type: Type of address. |
* @record_type: Type of address. |
443 |
* @group: Pointer to "struct ccs_address_group_entry". May be NULL. |
* @group: Name of group. May be NULL. |
444 |
* @min_address: Start of IPv4 or IPv6 address range. |
* @min_address: Start of IPv4 or IPv6 address range. |
445 |
* @max_address: End of IPv4 or IPv6 address range. |
* @max_address: End of IPv4 or IPv6 address range. |
446 |
* @min_port: Start of port number range. |
* @min_port: Start of port number range. |
452 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
453 |
*/ |
*/ |
454 |
static int ccs_update_network_entry(const u8 operation, const u8 record_type, |
static int ccs_update_network_entry(const u8 operation, const u8 record_type, |
455 |
const struct ccs_address_group_entry *group, |
const char *group_name, |
456 |
const u32 *min_address, |
const u32 *min_address, |
457 |
const u32 *max_address, |
const u32 *max_address, |
458 |
const u16 min_port, const u16 max_port, |
const u16 min_port, const u16 max_port, |
459 |
struct ccs_domain_info *domain, |
struct ccs_domain_info *domain, |
460 |
const struct ccs_condition_list *condition, |
struct ccs_condition_list *condition, |
461 |
const bool is_delete) |
const bool is_delete) |
462 |
{ |
{ |
463 |
static DEFINE_MUTEX(lock); |
struct ccs_ip_network_acl_record *entry = NULL; |
464 |
struct ccs_acl_info *ptr; |
struct ccs_acl_info *ptr; |
465 |
struct ccs_ip_network_acl_record *acl; |
int error = is_delete ? -ENOENT : -ENOMEM; |
|
int error = -ENOMEM; |
|
466 |
/* using host byte order to allow u32 comparison than memcmp().*/ |
/* using host byte order to allow u32 comparison than memcmp().*/ |
467 |
const u32 min_ip = ntohl(*min_address); |
const u32 min_ip = ntohl(*min_address); |
468 |
const u32 max_ip = ntohl(*max_address); |
const u32 max_ip = ntohl(*max_address); |
469 |
const struct in6_addr *saved_min_address = NULL; |
const struct in6_addr *saved_min_address = NULL; |
470 |
const struct in6_addr *saved_max_address = NULL; |
const struct in6_addr *saved_max_address = NULL; |
471 |
|
struct ccs_address_group_entry *group = NULL; |
472 |
if (!domain) |
if (!domain) |
473 |
return -EINVAL; |
return -EINVAL; |
474 |
if (record_type != IP_RECORD_TYPE_IPv6) |
if (group_name) { |
475 |
goto not_ipv6; |
group = ccs_get_address_group(group_name); |
476 |
saved_min_address = ccs_save_ipv6_address((struct in6_addr *) |
if (!group) |
477 |
min_address); |
return -ENOMEM; |
478 |
saved_max_address = ccs_save_ipv6_address((struct in6_addr *) |
} else if (record_type == IP_RECORD_TYPE_IPv6) { |
479 |
max_address); |
saved_min_address = ccs_get_ipv6_address((struct in6_addr *) |
480 |
if (!saved_min_address || !saved_max_address) |
min_address); |
481 |
return -ENOMEM; |
saved_max_address = ccs_get_ipv6_address((struct in6_addr *) |
482 |
not_ipv6: |
max_address); |
483 |
mutex_lock(&lock); |
if (!saved_min_address || !saved_max_address) |
484 |
|
goto out; |
485 |
|
} |
486 |
if (is_delete) |
if (is_delete) |
487 |
goto delete; |
goto delete; |
488 |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
489 |
|
/***** WRITER SECTION START *****/ |
490 |
|
down_write(&ccs_policy_lock); |
491 |
|
list_for_each_entry(ptr, &domain->acl_info_list, list) { |
492 |
|
struct ccs_ip_network_acl_record *acl; |
493 |
if (ccs_acl_type1(ptr) != TYPE_IP_NETWORK_ACL) |
if (ccs_acl_type1(ptr) != TYPE_IP_NETWORK_ACL) |
494 |
continue; |
continue; |
495 |
if (ccs_get_condition_part(ptr) != condition) |
if (ptr->cond != condition) |
496 |
continue; |
continue; |
497 |
acl = container_of(ptr, struct ccs_ip_network_acl_record, head); |
acl = container_of(ptr, struct ccs_ip_network_acl_record, head); |
498 |
if (acl->operation_type != operation || |
if (acl->operation_type != operation || |
512 |
continue; |
continue; |
513 |
} |
} |
514 |
error = ccs_add_domain_acl(NULL, ptr); |
error = ccs_add_domain_acl(NULL, ptr); |
515 |
goto out; |
break; |
516 |
} |
} |
517 |
/* Not found. Append it to the tail. */ |
if (error && ccs_memory_ok(entry)) { |
518 |
acl = ccs_alloc_acl_element(TYPE_IP_NETWORK_ACL, condition); |
entry->head.type = TYPE_IP_NETWORK_ACL; |
519 |
if (!acl) |
entry->head.cond = condition; |
520 |
goto out; |
entry->operation_type = operation; |
521 |
acl->operation_type = operation; |
entry->record_type = record_type; |
522 |
acl->record_type = record_type; |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
523 |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
entry->u.group = group; |
524 |
acl->u.group = group; |
group = NULL; |
525 |
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
526 |
acl->u.ipv4.min = min_ip; |
entry->u.ipv4.min = min_ip; |
527 |
acl->u.ipv4.max = max_ip; |
entry->u.ipv4.max = max_ip; |
528 |
} else { |
} else { |
529 |
acl->u.ipv6.min = saved_min_address; |
entry->u.ipv6.min = saved_min_address; |
530 |
acl->u.ipv6.max = saved_max_address; |
saved_min_address = NULL; |
531 |
} |
entry->u.ipv6.max = saved_max_address; |
532 |
acl->min_port = min_port; |
saved_max_address = NULL; |
533 |
acl->max_port = max_port; |
} |
534 |
error = ccs_add_domain_acl(domain, &acl->head); |
entry->min_port = min_port; |
535 |
|
entry->max_port = max_port; |
536 |
|
error = ccs_add_domain_acl(domain, &entry->head); |
537 |
|
entry = NULL; |
538 |
|
} |
539 |
|
up_write(&ccs_policy_lock); |
540 |
|
/***** WRITER SECTION END *****/ |
541 |
goto out; |
goto out; |
542 |
delete: |
delete: |
543 |
error = -ENOENT; |
/***** WRITER SECTION START *****/ |
544 |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
down_write(&ccs_policy_lock); |
545 |
|
list_for_each_entry(ptr, &domain->acl_info_list, list) { |
546 |
|
struct ccs_ip_network_acl_record *acl; |
547 |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
548 |
continue; |
continue; |
549 |
if (ccs_get_condition_part(ptr) != condition) |
if (ptr->cond != condition) |
550 |
continue; |
continue; |
551 |
acl = container_of(ptr, struct ccs_ip_network_acl_record, head); |
acl = container_of(ptr, struct ccs_ip_network_acl_record, head); |
552 |
if (acl->operation_type != operation || |
if (acl->operation_type != operation || |
568 |
error = ccs_del_domain_acl(ptr); |
error = ccs_del_domain_acl(ptr); |
569 |
break; |
break; |
570 |
} |
} |
571 |
|
up_write(&ccs_policy_lock); |
572 |
|
/***** WRITER SECTION END *****/ |
573 |
out: |
out: |
574 |
mutex_unlock(&lock); |
ccs_put_ipv6_address(saved_min_address); |
575 |
|
ccs_put_ipv6_address(saved_max_address); |
576 |
|
ccs_put_address_group(group); |
577 |
|
kfree(entry); |
578 |
return error; |
return error; |
579 |
} |
} |
580 |
|
|
598 |
/* using host byte order to allow u32 comparison than memcmp().*/ |
/* using host byte order to allow u32 comparison than memcmp().*/ |
599 |
const u32 ip = ntohl(*address); |
const u32 ip = ntohl(*address); |
600 |
bool found = false; |
bool found = false; |
601 |
|
int error = -EPERM; |
602 |
char buf[64]; |
char buf[64]; |
603 |
if (!ccs_can_sleep()) |
if (!ccs_can_sleep()) |
604 |
return 0; |
return 0; |
605 |
ccs_init_request_info(&r, NULL, CCS_MAC_FOR_NETWORK); |
ccs_init_request_info(&r, NULL, CCS_MAC_FOR_NETWORK); |
606 |
is_enforce = (r.mode == 3); |
is_enforce = (r.mode == 3); |
607 |
if (!r.mode) |
if (!r.mode) { |
608 |
return 0; |
error = 0; |
609 |
|
goto done; |
610 |
|
} |
611 |
retry: |
retry: |
612 |
list1_for_each_entry(ptr, &r.domain->acl_info_list, list) { |
/***** READER SECTION START *****/ |
613 |
|
down_read(&ccs_policy_lock); |
614 |
|
list_for_each_entry(ptr, &r.cookie.u.domain->acl_info_list, list) { |
615 |
struct ccs_ip_network_acl_record *acl; |
struct ccs_ip_network_acl_record *acl; |
616 |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
if (ccs_acl_type2(ptr) != TYPE_IP_NETWORK_ACL) |
617 |
continue; |
continue; |
633 |
memcmp(address, acl->u.ipv6.max, 16) > 0) |
memcmp(address, acl->u.ipv6.max, 16) > 0) |
634 |
continue; |
continue; |
635 |
} |
} |
636 |
r.cond = ccs_get_condition_part(ptr); |
r.condition_cookie.u.cond = ptr->cond; |
637 |
found = true; |
found = true; |
638 |
break; |
break; |
639 |
} |
} |
640 |
|
up_read(&ccs_policy_lock); |
641 |
|
/***** READER SECTION END *****/ |
642 |
memset(buf, 0, sizeof(buf)); |
memset(buf, 0, sizeof(buf)); |
643 |
if (is_ipv6) |
if (is_ipv6) |
644 |
ccs_print_ipv6(buf, sizeof(buf), |
ccs_print_ipv6(buf, sizeof(buf), |
646 |
else |
else |
647 |
snprintf(buf, sizeof(buf) - 1, "%u.%u.%u.%u", HIPQUAD(ip)); |
snprintf(buf, sizeof(buf) - 1, "%u.%u.%u.%u", HIPQUAD(ip)); |
648 |
ccs_audit_network_log(&r, keyword, buf, port, found); |
ccs_audit_network_log(&r, keyword, buf, port, found); |
649 |
if (found) |
if (found) { |
650 |
return 0; |
error = 0; |
651 |
if (ccs_verbose_mode(r.domain)) |
goto done; |
652 |
|
} |
653 |
|
if (ccs_verbose_mode(r.cookie.u.domain)) |
654 |
printk(KERN_WARNING "TOMOYO-%s: %s to %s %u denied for %s\n", |
printk(KERN_WARNING "TOMOYO-%s: %s to %s %u denied for %s\n", |
655 |
ccs_get_msg(is_enforce), keyword, buf, port, |
ccs_get_msg(is_enforce), keyword, buf, port, |
656 |
ccs_get_last_name(r.domain)); |
ccs_get_last_name(r.cookie.u.domain)); |
657 |
if (is_enforce) { |
if (is_enforce) { |
658 |
int error = ccs_check_supervisor(&r, KEYWORD_ALLOW_NETWORK |
int err = ccs_check_supervisor(&r, KEYWORD_ALLOW_NETWORK |
659 |
"%s %s %u\n", keyword, buf, |
"%s %s %u\n", keyword, buf, |
660 |
port); |
port); |
661 |
if (error == 1) |
if (err == 1) |
662 |
goto retry; |
goto retry; |
663 |
return error; |
error = err; |
664 |
|
goto done; |
665 |
} |
} |
666 |
if (r.mode == 1 && ccs_domain_quota_ok(r.domain)) |
if (r.mode == 1 && ccs_domain_quota_ok(r.cookie.u.domain)) |
667 |
ccs_update_network_entry(operation, is_ipv6 ? |
ccs_update_network_entry(operation, is_ipv6 ? |
668 |
IP_RECORD_TYPE_IPv6 : |
IP_RECORD_TYPE_IPv6 : |
669 |
IP_RECORD_TYPE_IPv4, |
IP_RECORD_TYPE_IPv4, |
670 |
NULL, address, address, port, port, |
NULL, address, address, port, port, |
671 |
r.domain, ccs_handler_cond(), 0); |
r.cookie.u.domain, ccs_handler_cond(), |
672 |
return 0; |
false); |
673 |
|
error = 0; |
674 |
|
done: |
675 |
|
ccs_exit_request_info(&r); |
676 |
|
return error; |
677 |
} |
} |
678 |
|
|
679 |
/** |
/** |
687 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
688 |
*/ |
*/ |
689 |
int ccs_write_network_policy(char *data, struct ccs_domain_info *domain, |
int ccs_write_network_policy(char *data, struct ccs_domain_info *domain, |
690 |
const struct ccs_condition_list *condition, |
struct ccs_condition_list *condition, |
691 |
const bool is_delete) |
const bool is_delete) |
692 |
{ |
{ |
693 |
u8 sock_type; |
u8 sock_type; |
695 |
u8 record_type; |
u8 record_type; |
696 |
u16 min_address[8]; |
u16 min_address[8]; |
697 |
u16 max_address[8]; |
u16 max_address[8]; |
698 |
struct ccs_address_group_entry *group = NULL; |
const char *group_name = NULL; |
699 |
u16 min_port; |
u16 min_port; |
700 |
u16 max_port; |
u16 max_port; |
701 |
u8 count; |
u8 count; |
758 |
default: |
default: |
759 |
if (*cp2 != '@') |
if (*cp2 != '@') |
760 |
goto out; |
goto out; |
761 |
group = ccs_find_or_assign_new_address_group(cp2 + 1); |
group_name = cp2 + 1; |
|
if (!group) |
|
|
return -ENOMEM; |
|
762 |
record_type = IP_RECORD_TYPE_ADDRESS_GROUP; |
record_type = IP_RECORD_TYPE_ADDRESS_GROUP; |
763 |
break; |
break; |
764 |
} |
} |
769 |
goto out; |
goto out; |
770 |
if (count == 1) |
if (count == 1) |
771 |
max_port = min_port; |
max_port = min_port; |
772 |
return ccs_update_network_entry(operation, record_type, group, |
return ccs_update_network_entry(operation, record_type, group_name, |
773 |
(u32 *) min_address, |
(u32 *) min_address, |
774 |
(u32 *) max_address, |
(u32 *) max_address, |
775 |
min_port, max_port, domain, condition, |
min_port, max_port, domain, condition, |
1209 |
#endif |
#endif |
1210 |
#endif |
#endif |
1211 |
|
|
1212 |
|
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 12) |
1213 |
|
static void skb_kill_datagram(struct sock *sk, struct sk_buff *skb, |
1214 |
|
unsigned int flags) |
1215 |
|
{ |
1216 |
|
/* Clear queue. */ |
1217 |
|
if (flags & MSG_PEEK) { |
1218 |
|
int clear = 0; |
1219 |
|
spin_lock_irq(&sk->sk_receive_queue.lock); |
1220 |
|
if (skb == skb_peek(&sk->sk_receive_queue)) { |
1221 |
|
__skb_unlink(skb, &sk->sk_receive_queue); |
1222 |
|
clear = 1; |
1223 |
|
} |
1224 |
|
spin_unlock_irq(&sk->sk_receive_queue.lock); |
1225 |
|
if (clear) |
1226 |
|
kfree_skb(skb); |
1227 |
|
} |
1228 |
|
skb_free_datagram(sk, skb); |
1229 |
|
} |
1230 |
|
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16) |
1231 |
|
static void skb_kill_datagram(struct sock *sk, struct sk_buff *skb, |
1232 |
|
unsigned int flags) |
1233 |
|
{ |
1234 |
|
/* Clear queue. */ |
1235 |
|
if (flags & MSG_PEEK) { |
1236 |
|
int clear = 0; |
1237 |
|
spin_lock_bh(&sk->sk_receive_queue.lock); |
1238 |
|
if (skb == skb_peek(&sk->sk_receive_queue)) { |
1239 |
|
__skb_unlink(skb, &sk->sk_receive_queue); |
1240 |
|
clear = 1; |
1241 |
|
} |
1242 |
|
spin_unlock_bh(&sk->sk_receive_queue.lock); |
1243 |
|
if (clear) |
1244 |
|
kfree_skb(skb); |
1245 |
|
} |
1246 |
|
skb_free_datagram(sk, skb); |
1247 |
|
} |
1248 |
|
#endif |
1249 |
|
|
1250 |
/* |
/* |
1251 |
* Check permission for receiving a datagram via a UDP or RAW socket. |
* Check permission for receiving a datagram via a UDP or RAW socket. |
1252 |
* |
* |
1253 |
* Currently, the LSM hook for this purpose is not provided. |
* Currently, the LSM hook for this purpose is not provided. |
1254 |
*/ |
*/ |
1255 |
int ccs_socket_recv_datagram_permission(struct sock *sk, struct sk_buff *skb, |
int ccs_socket_recvmsg_permission(struct sock *sk, struct sk_buff *skb, |
1256 |
const unsigned int flags) |
const unsigned int flags) |
1257 |
{ |
{ |
1258 |
int error = 0; |
int error = 0; |
1259 |
const unsigned int type = sk->sk_type; |
const unsigned int type = sk->sk_type; |
1260 |
/* Nothing to do if I didn't receive a datagram. */ |
if (type != SOCK_DGRAM && type != SOCK_RAW) |
|
if (!skb) |
|
|
return 0; |
|
|
/* Nothing to do if I can't sleep. */ |
|
|
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0) |
|
|
if (in_interrupt()) |
|
|
return 0; |
|
|
#else |
|
|
if (in_atomic()) |
|
1261 |
return 0; |
return 0; |
|
#endif |
|
1262 |
/* Nothing to do if I am a kernel service. */ |
/* Nothing to do if I am a kernel service. */ |
1263 |
if (segment_eq(get_fs(), KERNEL_DS)) |
if (segment_eq(get_fs(), KERNEL_DS)) |
1264 |
return 0; |
return 0; |
|
if (type != SOCK_DGRAM && type != SOCK_RAW) |
|
|
return 0; |
|
1265 |
|
|
1266 |
switch (sk->sk_family) { |
switch (sk->sk_family) { |
1267 |
struct in6_addr sin6; |
struct in6_addr sin6; |
1297 |
} |
} |
1298 |
if (!error) |
if (!error) |
1299 |
return 0; |
return 0; |
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) |
|
|
lock_sock(sk); |
|
|
#endif |
|
1300 |
/* |
/* |
1301 |
* Remove from queue if MSG_PEEK is used so that |
* Remove from queue if MSG_PEEK is used so that |
1302 |
* the head message from unwanted source in receive queue will not |
* the head message from unwanted source in receive queue will not |
1303 |
* prevent the caller from picking up next message from wanted source |
* prevent the caller from picking up next message from wanted source |
1304 |
* when the caller is using MSG_PEEK flag for picking up. |
* when the caller is using MSG_PEEK flag for picking up. |
1305 |
*/ |
*/ |
|
if (flags & MSG_PEEK) { |
|
|
unsigned long cpu_flags; |
|
|
/***** CRITICAL SECTION START *****/ |
|
|
spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags); |
|
|
if (skb == skb_peek(&sk->sk_receive_queue)) { |
|
|
__skb_unlink(skb, &sk->sk_receive_queue); |
|
|
atomic_dec(&skb->users); |
|
|
} |
|
|
spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags); |
|
|
/***** CRITICAL SECTION END *****/ |
|
|
} |
|
|
/* Drop reference count. */ |
|
|
skb_free_datagram(sk, skb); |
|
1306 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) |
1307 |
release_sock(sk); |
if (type == SOCK_DGRAM) |
1308 |
|
lock_sock(sk); |
1309 |
|
#endif |
1310 |
|
skb_kill_datagram(sk, skb, flags); |
1311 |
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) |
1312 |
|
if (type == SOCK_DGRAM) |
1313 |
|
release_sock(sk); |
1314 |
#endif |
#endif |
1315 |
/* Hope less harmful than -EPERM. */ |
/* Hope less harmful than -EPERM. */ |
1316 |
return -EAGAIN; |
return -ENOMEM; |
1317 |
} |
} |
1318 |
|
EXPORT_SYMBOL(ccs_socket_recvmsg_permission); |