オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照

/[tomoyo]/trunk/1.8.x/ccs-patch/security/ccsecurity/network.c

Contents of /trunk/1.8.x/ccs-patch/security/ccsecurity/network.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 240 - (show annotations) (download) (as text)
Fri May 25 12:57:26 2007 UTC (17 years ago) by kumaneko
Original Path: trunk/ccs-patch/fs/tomoyo_network.c
File MIME type: text/x-csrc
File size: 19582 byte(s) 
1.4.1-rc2
1 /*
2 * fs/tomoyo_network.c
3 *
4 * Implementation of the Domain-Based Mandatory Access Control.
5 *
6 * Copyright (C) 2005-2007 NTT DATA CORPORATION
7 *
8 * Version: 1.4.1-rc2 2007/05/25
9 *
10 * This file is applicable to both 2.4.30 and 2.6.11 and later.
11 * See README.ccs for ChangeLog.
12 *
13 */
14 /***** TOMOYO Linux start. *****/
15
16 #include <linux/ccs_common.h>
17 #include <linux/tomoyo.h>
18 #include <linux/realpath.h>
19 #include <net/ip.h>
20
21 /************************* VARIABLES *************************/
22
23 extern struct semaphore domain_acl_lock;
24
25 /************************* AUDIT FUNCTIONS *************************/
26
27 #ifdef CONFIG_TOMOYO_AUDIT
28 static int AuditNetworkLog(const int is_ipv6, const char *operation, const u32 *address, const u16 port, const int is_granted)
29 {
30 char *buf;
31 int len = 256;
32 if (CanSaveAuditLog(is_granted) < 0) return -ENOMEM;
33 if ((buf = InitAuditLog(&len)) == NULL) return -ENOMEM;
34 snprintf(buf + strlen(buf), len - strlen(buf) - 1, KEYWORD_ALLOW_NETWORK "%s ", operation);
35 if (is_ipv6) {
36 print_ipv6(buf + strlen(buf), len - strlen(buf), (const u16 *) address);
37 } else {
38 u32 ip = *address;
39 snprintf(buf + strlen(buf), len - strlen(buf) - 1, "%u.%u.%u.%u", NIPQUAD(ip));
40 }
41 snprintf(buf + strlen(buf), len - strlen(buf) - 1, " %u\n", port);
42 return WriteAuditLog(buf, is_granted);
43 }
44 #else
45 static inline void AuditNetworkLog(const int is_ipv6, const char *operation, const u32 *address, const u16 port, const int is_granted) {}
46 #endif
47
48 /************************* ADDRESS GROUP HANDLER *************************/
49
50 static struct address_group_entry *group_list = NULL;
51
52 static int AddAddressGroupEntry(const char *group_name, const u8 is_ipv6, const u16 *min_address, const u16 *max_address, const int is_delete)
53 {
54 static DECLARE_MUTEX(lock);
55 struct address_group_entry *new_group, *group;
56 struct address_group_member *new_member, *member;
57 const struct path_info *saved_group_name;
58 int error = -ENOMEM;
59 if (!IsCorrectPath(group_name, 0, 0, 0, __FUNCTION__) || !group_name[0]) return -EINVAL;
60 if ((saved_group_name = SaveName(group_name)) == NULL) return -ENOMEM;
61 down(&lock);
62 for (group = group_list; group; group = group->next) {
63 if (saved_group_name != group->group_name) continue;
64 for (member = group->first_member; member; member = member->next) {
65 if (member->is_ipv6 != is_ipv6) continue;
66 if (is_ipv6) {
67 if (memcmp(member->min.ipv6, min_address, 16) || memcmp(member->max.ipv6, max_address, 16)) continue;
68 } else {
69 if (member->min.ipv4 != * (u32 *) min_address || member->max.ipv4 != * (u32 *) max_address) continue;
70 }
71 member->is_deleted = is_delete;
72 error = 0;
73 goto out;
74 }
75 break;
76 }
77 if (is_delete) {
78 error = -ENOENT;
79 goto out;
80 }
81 if (!group) {
82 if ((new_group = alloc_element(sizeof(*new_group))) == NULL) goto out;
83 new_group->group_name = saved_group_name;
84 mb(); /* Instead of using spinlock. */
85 if ((group = group_list) != NULL) {
86 while (group->next) group = group->next; group->next = new_group;
87 } else {
88 group_list= new_group;
89 }
90 group = new_group;
91 }
92 if ((new_member = alloc_element(sizeof(*new_member))) == NULL) goto out;
93 new_member->is_ipv6 = is_ipv6;
94 if (is_ipv6) {
95 memmove(new_member->min.ipv6, min_address, 16);
96 memmove(new_member->max.ipv6, max_address, 16);
97 } else {
98 new_member->min.ipv4 = * (u32 *) min_address;
99 new_member->max.ipv4 = * (u32 *) max_address;
100 }
101 mb(); /* Instead of using spinlock. */
102 if ((member = group->first_member) != NULL) {
103 while (member->next) member = member->next; member->next = new_member;
104 } else {
105 group->first_member = new_member;
106 }
107 error = 0;
108 out:
109 up(&lock);
110 return error;
111 }
112
113 int AddAddressGroupPolicy(char *data, const int is_delete)
114 {
115 int count, is_ipv6;
116 u16 min_address[8], max_address[8];
117 char *cp = strchr(data, ' ');
118 if (!cp) return -EINVAL;
119 *cp++ = '\0';
120 if ((count = sscanf(cp, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx-%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
121 &min_address[0], &min_address[1], &min_address[2], &min_address[3],
122 &min_address[4], &min_address[5], &min_address[6], &min_address[7],
123 &max_address[0], &max_address[1], &max_address[2], &max_address[3],
124 &max_address[4], &max_address[5], &max_address[6], &max_address[7])) == 8 || count == 16) {
125 int i;
126 for (i = 0; i < 8; i++) {
127 min_address[i] = htons(min_address[i]);
128 max_address[i] = htons(max_address[i]);
129 }
130 if (count == 8) memmove(max_address, min_address, sizeof(min_address));
131 is_ipv6 = 1;
132 } else if ((count = sscanf(cp, "%hu.%hu.%hu.%hu-%hu.%hu.%hu.%hu",
133 &min_address[0], &min_address[1], &min_address[2], &min_address[3],
134 &max_address[0], &max_address[1], &max_address[2], &max_address[3])) == 4 || count == 8) {
135 u32 ip = ((((u8) min_address[0]) << 24) + (((u8) min_address[1]) << 16) + (((u8) min_address[2]) << 8) + (u8) min_address[3]);
136 * (u32 *) min_address = ip;
137 if (count == 8) ip = ((((u8) max_address[0]) << 24) + (((u8) max_address[1]) << 16) + (((u8) max_address[2]) << 8) + (u8) max_address[3]);
138 * (u32 *) max_address = ip;
139 is_ipv6 = 0;
140 } else {
141 return -EINVAL;
142 }
143 return AddAddressGroupEntry(data, is_ipv6, min_address, max_address, is_delete);
144 }
145
146 static struct address_group_entry *FindOrAssignNewAddressGroup(const char *group_name)
147 {
148 int i;
149 struct address_group_entry *group;
150 for (i = 0; i <= 1; i++) {
151 for (group = group_list; group; group = group->next) {
152 if (strcmp(group_name, group->group_name->name) == 0) return group;
153 }
154 if (i == 0) {
155 const u16 dummy[2] = { 0, 0 };
156 AddAddressGroupEntry(group_name, 0, dummy, dummy, 0);
157 AddAddressGroupEntry(group_name, 0, dummy, dummy, 1);
158 }
159 }
160 return NULL;
161 }
162
163 static int AddressMatchesToGroup(const u8 is_ipv6, const u32 *address, const struct address_group_entry *group)
164 {
165 struct address_group_member *member;
166 const u32 ip = ntohl(*address);
167 for (member = group->first_member; member; member = member->next) {
168 if (member->is_deleted) continue;
169 if (member->is_ipv6) {
170 if (is_ipv6 && memcmp(member->min.ipv6, address, 16) <= 0 && memcmp(address, member->max.ipv6, 16) <= 0) return 1;
171 } else {
172 if (!is_ipv6 && member->min.ipv4 <= ip && ip <= member->max.ipv4) return 1;
173 }
174 }
175 return 0;
176 }
177
178 int ReadAddressGroupPolicy(struct io_buffer *head)
179 {
180 struct address_group_entry *group = head->read_var1;
181 struct address_group_member *member = head->read_var2;
182 if (!group) group = group_list;
183 while (group) {
184 head->read_var1 = group;
185 if (!member) member = group->first_member;
186 while (member) {
187 head->read_var2 = member;
188 if (!member->is_deleted) {
189 char buf[128];
190 if (member->is_ipv6) {
191 const u16 *min_address = member->min.ipv6, *max_address = member->max.ipv6;
192 print_ipv6(buf, sizeof(buf), min_address);
193 if (memcmp(min_address, max_address, 16)) {
194 char *cp = strchr(buf, '\0');
195 *cp++ = '-';
196 print_ipv6(cp, sizeof(buf) - strlen(buf), max_address);
197 }
198 } else {
199 const u32 min_address = member->min.ipv4, max_address = member->max.ipv4;
200 memset(buf, 0, sizeof(buf));
201 snprintf(buf, sizeof(buf) - 1, "%u.%u.%u.%u", HIPQUAD(min_address));
202 if (min_address != max_address) {
203 const int len = strlen(buf);
204 snprintf(buf + len, sizeof(buf) - 1 - len, "-%u.%u.%u.%u", HIPQUAD(max_address));
205 }
206 }
207 if (io_printf(head, KEYWORD_ADDRESS_GROUP "%s %s\n", group->group_name->name, buf)) break;
208 }
209 member = member->next;
210 }
211 if (member) break;
212 head->read_var2 = NULL;
213 group = group->next;
214 }
215 return group ? -ENOMEM : 0;
216 }
217
218 /************************* NETWORK NETWORK ACL HANDLER *************************/
219
220 char *print_ipv6(char *buffer, const int buffer_len, const u16 *ip)
221 {
222 memset(buffer, 0, buffer_len);
223 snprintf(buffer, buffer_len - 1, "%x:%x:%x:%x:%x:%x:%x:%x", ntohs(ip[0]), ntohs(ip[1]), ntohs(ip[2]), ntohs(ip[3]), ntohs(ip[4]), ntohs(ip[5]), ntohs(ip[6]), ntohs(ip[7]));
224 return buffer;
225 }
226
227 const char *network2keyword(const unsigned int operation)
228 {
229 const char *keyword = "unknown";
230 switch (operation) {
231 case NETWORK_ACL_UDP_BIND:
232 keyword = "UDP bind";
233 break;
234 case NETWORK_ACL_UDP_CONNECT:
235 keyword = "UDP connect";
236 break;
237 case NETWORK_ACL_TCP_BIND:
238 keyword = "TCP bind";
239 break;
240 case NETWORK_ACL_TCP_LISTEN:
241 keyword = "TCP listen";
242 break;
243 case NETWORK_ACL_TCP_CONNECT:
244 keyword = "TCP connect";
245 break;
246 case NETWORK_ACL_TCP_ACCEPT:
247 keyword = "TCP accept";
248 break;
249 case NETWORK_ACL_RAW_BIND:
250 keyword = "RAW bind";
251 break;
252 case NETWORK_ACL_RAW_CONNECT:
253 keyword = "RAW connect";
254 break;
255 }
256 return keyword;
257 }
258
259 static int AddNetworkEntry(const u8 operation, const u8 record_type, const struct address_group_entry *group, const u32 *min_address, const u32 *max_address, const u16 min_port, const u16 max_port, struct domain_info *domain, const u8 is_add, const struct condition_list *condition)
260 {
261 struct acl_info *ptr;
262 int error = -ENOMEM;
263 const u32 min_ip = ntohl(*min_address), max_ip = ntohl(*max_address); /* using host byte order to allow u32 comparison than memcmp().*/
264 if (!domain) return -EINVAL;
265 down(&domain_acl_lock);
266 if (is_add) {
267 if ((ptr = domain->first_acl_ptr) == NULL) goto first_entry;
268 while (1) {
269 struct ip_network_acl_record *new_ptr;
270 if (ptr->type == TYPE_IP_NETWORK_ACL && ptr->u.b[0] == operation && ptr->u.b[1] == record_type && ptr->cond == condition && ((struct ip_network_acl_record *) ptr)->min_port == min_port && max_port == ((struct ip_network_acl_record *) ptr)->max_port) {
271 if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) {
272 if (((struct ip_network_acl_record *) ptr)->u.group == group) {
273 ptr->is_deleted = 0;
274 /* Found. Nothing to do. */
275 error = 0;
276 break;
277 }
278 } else if (record_type == IP_RECORD_TYPE_IPv4) {
279 if (((struct ip_network_acl_record *) ptr)->u.ipv4.min == min_ip && max_ip == ((struct ip_network_acl_record *) ptr)->u.ipv4.max) {
280 ptr->is_deleted = 0;
281 /* Found. Nothing to do. */
282 error = 0;
283 break;
284 }
285 } else if (record_type == IP_RECORD_TYPE_IPv6) {
286 if (memcmp(((struct ip_network_acl_record *) ptr)->u.ipv6.min, min_address, 16) == 0 && memcmp(max_address, ((struct ip_network_acl_record *) ptr)->u.ipv6.max, 16) == 0) {
287 ptr->is_deleted = 0;
288 /* Found. Nothing to do. */
289 error = 0;
290 break;
291 }
292 }
293 }
294 if (ptr->next) {
295 ptr = ptr->next;
296 continue;
297 }
298 first_entry: ;
299 if (is_add == 1 && TooManyDomainACL(domain)) break;
300 /* Not found. Append it to the tail. */
301 if ((new_ptr = alloc_element(sizeof(*new_ptr))) == NULL) break;
302 new_ptr->head.type = TYPE_IP_NETWORK_ACL;
303 new_ptr->head.u.b[0] = operation;
304 new_ptr->head.u.b[1] = record_type;
305 new_ptr->head.cond = condition;
306 if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) {
307 new_ptr->u.group = group;
308 } else if (record_type == IP_RECORD_TYPE_IPv4) {
309 new_ptr->u.ipv4.min = min_ip;
310 new_ptr->u.ipv4.max = max_ip;
311 } else {
312 memmove(new_ptr->u.ipv6.min, min_address, 16);
313 memmove(new_ptr->u.ipv6.max, max_address, 16);
314 }
315 new_ptr->min_port = min_port;
316 new_ptr->max_port = max_port;
317 error = AddDomainACL(ptr, domain, (struct acl_info *) new_ptr);
318 break;
319 }
320 } else {
321 error = -ENOENT;
322 for (ptr = domain->first_acl_ptr; ptr; ptr = ptr->next) {
323 if (ptr->type != TYPE_IP_NETWORK_ACL || ptr->is_deleted || ptr->u.b[0] != operation || ptr->u.b[1] != record_type || ptr->cond != condition || ((struct ip_network_acl_record *) ptr)->min_port != min_port || ((struct ip_network_acl_record *) ptr)->max_port != max_port) continue;
324 if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) {
325 if (((struct ip_network_acl_record *) ptr)->u.group != group) continue;
326 } else if (record_type == IP_RECORD_TYPE_IPv4) {
327 if (((struct ip_network_acl_record *) ptr)->u.ipv4.min != min_ip || max_ip != ((struct ip_network_acl_record *) ptr)->u.ipv4.max) continue;
328 } else if (record_type == IP_RECORD_TYPE_IPv6) {
329 if (memcmp(((struct ip_network_acl_record *) ptr)->u.ipv6.min, min_address, 16) || memcmp(max_address, ((struct ip_network_acl_record *) ptr)->u.ipv6.max, 16)) continue;
330 }
331 error = DelDomainACL(ptr);
332 break;
333 }
334 }
335 up(&domain_acl_lock);
336 return error;
337 }
338
339 static int CheckNetworkEntry(const int is_ipv6, const int operation, const u32 *address, const u16 port)
340 {
341 struct domain_info * const domain = current->domain_info;
342 struct acl_info *ptr;
343 const char *keyword = network2keyword(operation);
344 const int is_enforce = CheckCCSEnforce(CCS_TOMOYO_MAC_FOR_NETWORK);
345 const u32 ip = ntohl(*address); /* using host byte order to allow u32 comparison than memcmp().*/
346 if (!CheckCCSFlags(CCS_TOMOYO_MAC_FOR_NETWORK)) return 0;
347 for (ptr = domain->first_acl_ptr; ptr; ptr = ptr->next) {
348 if (ptr->type != TYPE_IP_NETWORK_ACL || ptr->is_deleted || ptr->u.b[0] != operation || port < ((struct ip_network_acl_record *) ptr)->min_port || ((struct ip_network_acl_record *) ptr)->max_port < port || CheckCondition(ptr->cond, NULL)) continue;
349 if (ptr->u.b[1] == IP_RECORD_TYPE_ADDRESS_GROUP) {
350 if (AddressMatchesToGroup(is_ipv6, address, ((struct ip_network_acl_record *) ptr)->u.group)) break;
351 } else if (ptr->u.b[1] == IP_RECORD_TYPE_IPv4) {
352 if (!is_ipv6 && ((struct ip_network_acl_record *) ptr)->u.ipv4.min <= ip && ip <= ((struct ip_network_acl_record *) ptr)->u.ipv4.max) break;
353 } else {
354 if (is_ipv6 && memcmp(((struct ip_network_acl_record *) ptr)->u.ipv6.min, address, 16) <= 0 && memcmp(address, ((struct ip_network_acl_record *) ptr)->u.ipv6.max, 16) <= 0) break;
355 }
356 }
357 if (ptr) {
358 AuditNetworkLog(is_ipv6, keyword, address, port, 1);
359 return 0;
360 }
361 if (TomoyoVerboseMode()) {
362 if (is_ipv6) {
363 char buf[64];
364 print_ipv6(buf, sizeof(buf), (const u16 *) address);
365 printk("TOMOYO-%s: %s to %s %u denied for %s\n", GetMSG(is_enforce), keyword, buf, port, GetLastName(domain));
366 } else {
367 printk("TOMOYO-%s: %s to %u.%u.%u.%u %u denied for %s\n", GetMSG(is_enforce), keyword, HIPQUAD(ip), port, GetLastName(domain));
368 }
369 }
370 AuditNetworkLog(is_ipv6, keyword, address, port, 0);
371 if (is_enforce) {
372 if (is_ipv6) {
373 char buf[64];
374 print_ipv6(buf, sizeof(buf), (const u16 *) address);
375 return CheckSupervisor("%s\n" KEYWORD_ALLOW_NETWORK "%s %s %u\n", domain->domainname->name, keyword, buf, port);
376 }
377 return CheckSupervisor("%s\n" KEYWORD_ALLOW_NETWORK "%s %u.%u.%u.%u %u\n", domain->domainname->name, keyword, HIPQUAD(ip), port);
378 }
379 if (CheckCCSAccept(CCS_TOMOYO_MAC_FOR_NETWORK)) AddNetworkEntry(operation, is_ipv6 ? IP_RECORD_TYPE_IPv6: IP_RECORD_TYPE_IPv4, NULL, address, address, port, port, domain, 1, NULL);
380 return 0;
381 }
382
383 int AddNetworkPolicy(char *data, struct domain_info *domain, const int is_delete)
384 {
385 u8 sock_type, operation, record_type;
386 u16 min_address[8], max_address[8];
387 struct address_group_entry *group = NULL;
388 u16 min_port, max_port;
389 int count;
390 char *cp1 = NULL, *cp2 = NULL;
391 const struct condition_list *condition = NULL;
392 cp1 = FindConditionPart(data);
393 if (cp1 && (condition = FindOrAssignNewCondition(cp1)) == NULL) goto out;
394 if ((cp1 = strchr(data, ' ')) == NULL) goto out; cp1++;
395 if (strncmp(data, "TCP ", 4) == 0) sock_type = SOCK_STREAM;
396 else if (strncmp(data, "UDP ", 4) == 0) sock_type = SOCK_DGRAM;
397 else if (strncmp(data, "RAW ", 4) == 0) sock_type = SOCK_RAW;
398 else goto out;
399 if ((cp2 = strchr(cp1, ' ')) == NULL) goto out; cp2++;
400 if (strncmp(cp1, "bind ", 5) == 0) {
401 operation = (sock_type == SOCK_STREAM) ? NETWORK_ACL_TCP_BIND : (sock_type == SOCK_DGRAM) ? NETWORK_ACL_UDP_BIND : NETWORK_ACL_RAW_BIND;
402 } else if (strncmp(cp1, "connect ", 8) == 0) {
403 operation = (sock_type == SOCK_STREAM) ? NETWORK_ACL_TCP_CONNECT : (sock_type == SOCK_DGRAM) ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT;
404 } else if (sock_type == SOCK_STREAM && strncmp(cp1, "listen ", 7) == 0) {
405 operation = NETWORK_ACL_TCP_LISTEN;
406 } else if (sock_type == SOCK_STREAM && strncmp(cp1, "accept ", 7) == 0) {
407 operation = NETWORK_ACL_TCP_ACCEPT;
408 } else {
409 goto out;
410 }
411 if ((cp1 = strchr(cp2, ' ')) == NULL) goto out; *cp1++ = '\0';
412 if ((count = sscanf(cp2, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx-%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
413 &min_address[0], &min_address[1], &min_address[2], &min_address[3],
414 &min_address[4], &min_address[5], &min_address[6], &min_address[7],
415 &max_address[0], &max_address[1], &max_address[2], &max_address[3],
416 &max_address[4], &max_address[5], &max_address[6], &max_address[7])) == 8 || count == 16) {
417 int i;
418 for (i = 0; i < 8; i++) {
419 min_address[i] = htons(min_address[i]);
420 max_address[i] = htons(max_address[i]);
421 }
422 if (count == 8) memmove(max_address, min_address, sizeof(min_address));
423 record_type = IP_RECORD_TYPE_IPv6;
424 } else if ((count = sscanf(cp2, "%hu.%hu.%hu.%hu-%hu.%hu.%hu.%hu",
425 &min_address[0], &min_address[1], &min_address[2], &min_address[3],
426 &max_address[0], &max_address[1], &max_address[2], &max_address[3])) == 4 || count == 8) {
427 u32 ip = htonl((((u8) min_address[0]) << 24) + (((u8) min_address[1]) << 16) + (((u8) min_address[2]) << 8) + (u8) min_address[3]);
428 * (u32 *) min_address = ip;
429 if (count == 8) ip = htonl((((u8) max_address[0]) << 24) + (((u8) max_address[1]) << 16) + (((u8) max_address[2]) << 8) + (u8) max_address[3]);
430 * (u32 *) max_address = ip;
431 record_type = IP_RECORD_TYPE_IPv4;
432 } else if (*cp2 == '@') {
433 if ((group = FindOrAssignNewAddressGroup(cp2 + 1)) == NULL) return -ENOMEM;
434 record_type = IP_RECORD_TYPE_ADDRESS_GROUP;
435 } else {
436 goto out;
437 }
438 if (strchr(cp1, ' ')) goto out;
439 if ((count = sscanf(cp1, "%hu-%hu", &min_port, &max_port)) == 1 || count == 2) {
440 if (count == 1) max_port = min_port;
441 return AddNetworkEntry(operation, record_type, group, (u32 *) min_address, (u32 *) max_address, min_port, max_port, domain, is_delete ? 0 : -1, condition);
442 }
443 out: ;
444 return -EINVAL;
445 }
446
447 int CheckNetworkListenACL(const int is_ipv6, const u8 *address, const u16 port)
448 {
449 return CheckNetworkEntry(is_ipv6, NETWORK_ACL_TCP_LISTEN, (const u32 *) address, ntohs(port));
450 }
451 EXPORT_SYMBOL(CheckNetworkListenACL);
452
453 int CheckNetworkConnectACL(const int is_ipv6, const int sock_type, const u8 *address, const u16 port)
454 {
455 return CheckNetworkEntry(is_ipv6, sock_type == SOCK_STREAM ? NETWORK_ACL_TCP_CONNECT : (sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT), (const u32 *) address, ntohs(port));
456 }
457 EXPORT_SYMBOL(CheckNetworkConnectACL);
458
459 int CheckNetworkBindACL(const int is_ipv6, const int sock_type, const u8 *address, const u16 port)
460 {
461 return CheckNetworkEntry(is_ipv6, sock_type == SOCK_STREAM ? NETWORK_ACL_TCP_BIND : (sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_BIND : NETWORK_ACL_RAW_BIND), (const u32 *) address, ntohs(port));
462 }
463 EXPORT_SYMBOL(CheckNetworkBindACL);
464
465 int CheckNetworkAcceptACL(const int is_ipv6, const u8 *address, const u16 port)
466 {
467 return CheckNetworkEntry(is_ipv6, NETWORK_ACL_TCP_ACCEPT, (const u32 *) address, ntohs(port));
468 }
469 EXPORT_SYMBOL(CheckNetworkAcceptACL);
470
471 int CheckNetworkSendMsgACL(const int is_ipv6, const int sock_type, const u8 *address, const u16 port)
472 {
473 return CheckNetworkEntry(is_ipv6, sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT, (const u32 *) address, ntohs(port));
474 }
475 EXPORT_SYMBOL(CheckNetworkSendMsgACL);
476
477 int CheckNetworkRecvMsgACL(const int is_ipv6, const int sock_type, const u8 *address, const u16 port)
478 {
479 return CheckNetworkEntry(is_ipv6, sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT, (const u32 *) address, ntohs(port));
480 }
481 EXPORT_SYMBOL(CheckNetworkRecvMsgACL);
482
483 /***** TOMOYO Linux end. *****/
Back to OSDN">Back to OSDN
 ViewVC Help
Powered by ViewVC 1.1.26  
サイト情報
ソフトウェアを探す
ソフトウェアを作る
コミュニティ
ヘルプ