Loading...
1/*
2 * Network port table
3 *
4 * SELinux must keep a mapping of network ports to labels/SIDs. This
5 * mapping is maintained as part of the normal policy but a fast cache is
6 * needed to reduce the lookup overhead.
7 *
8 * Author: Paul Moore <paul@paul-moore.com>
9 *
10 * This code is heavily based on the "netif" concept originally developed by
11 * James Morris <jmorris@redhat.com>
12 * (see security/selinux/netif.c for more information)
13 *
14 */
15
16/*
17 * (c) Copyright Hewlett-Packard Development Company, L.P., 2008
18 *
19 * This program is free software: you can redistribute it and/or modify
20 * it under the terms of version 2 of the GNU General Public License as
21 * published by the Free Software Foundation.
22 *
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 * GNU General Public License for more details.
27 *
28 */
29
30#include <linux/types.h>
31#include <linux/rcupdate.h>
32#include <linux/list.h>
33#include <linux/slab.h>
34#include <linux/spinlock.h>
35#include <linux/in.h>
36#include <linux/in6.h>
37#include <linux/ip.h>
38#include <linux/ipv6.h>
39#include <net/ip.h>
40#include <net/ipv6.h>
41
42#include "netport.h"
43#include "objsec.h"
44
45#define SEL_NETPORT_HASH_SIZE 256
46#define SEL_NETPORT_HASH_BKT_LIMIT 16
47
48struct sel_netport_bkt {
49 int size;
50 struct list_head list;
51};
52
53struct sel_netport {
54 struct netport_security_struct psec;
55
56 struct list_head list;
57 struct rcu_head rcu;
58};
59
60/* NOTE: we are using a combined hash table for both IPv4 and IPv6, the reason
61 * for this is that I suspect most users will not make heavy use of both
62 * address families at the same time so one table will usually end up wasted,
63 * if this becomes a problem we can always add a hash table for each address
64 * family later */
65
66static LIST_HEAD(sel_netport_list);
67static DEFINE_SPINLOCK(sel_netport_lock);
68static struct sel_netport_bkt sel_netport_hash[SEL_NETPORT_HASH_SIZE];
69
70/**
71 * sel_netport_hashfn - Hashing function for the port table
72 * @pnum: port number
73 *
74 * Description:
75 * This is the hashing function for the port table, it returns the bucket
76 * number for the given port.
77 *
78 */
79static unsigned int sel_netport_hashfn(u16 pnum)
80{
81 return (pnum & (SEL_NETPORT_HASH_SIZE - 1));
82}
83
84/**
85 * sel_netport_find - Search for a port record
86 * @protocol: protocol
87 * @port: pnum
88 *
89 * Description:
90 * Search the network port table and return the matching record. If an entry
91 * can not be found in the table return NULL.
92 *
93 */
94static struct sel_netport *sel_netport_find(u8 protocol, u16 pnum)
95{
96 unsigned int idx;
97 struct sel_netport *port;
98
99 idx = sel_netport_hashfn(pnum);
100 list_for_each_entry_rcu(port, &sel_netport_hash[idx].list, list)
101 if (port->psec.port == pnum && port->psec.protocol == protocol)
102 return port;
103
104 return NULL;
105}
106
107/**
108 * sel_netport_insert - Insert a new port into the table
109 * @port: the new port record
110 *
111 * Description:
112 * Add a new port record to the network address hash table.
113 *
114 */
115static void sel_netport_insert(struct sel_netport *port)
116{
117 unsigned int idx;
118
119 /* we need to impose a limit on the growth of the hash table so check
120 * this bucket to make sure it is within the specified bounds */
121 idx = sel_netport_hashfn(port->psec.port);
122 list_add_rcu(&port->list, &sel_netport_hash[idx].list);
123 if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) {
124 struct sel_netport *tail;
125 tail = list_entry(
126 rcu_dereference_protected(
127 sel_netport_hash[idx].list.prev,
128 lockdep_is_held(&sel_netport_lock)),
129 struct sel_netport, list);
130 list_del_rcu(&tail->list);
131 kfree_rcu(tail, rcu);
132 } else
133 sel_netport_hash[idx].size++;
134}
135
136/**
137 * sel_netport_sid_slow - Lookup the SID of a network address using the policy
138 * @protocol: protocol
139 * @pnum: port
140 * @sid: port SID
141 *
142 * Description:
143 * This function determines the SID of a network port by quering the security
144 * policy. The result is added to the network port table to speedup future
145 * queries. Returns zero on success, negative values on failure.
146 *
147 */
148static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
149{
150 int ret = -ENOMEM;
151 struct sel_netport *port;
152 struct sel_netport *new = NULL;
153
154 spin_lock_bh(&sel_netport_lock);
155 port = sel_netport_find(protocol, pnum);
156 if (port != NULL) {
157 *sid = port->psec.sid;
158 spin_unlock_bh(&sel_netport_lock);
159 return 0;
160 }
161 new = kzalloc(sizeof(*new), GFP_ATOMIC);
162 if (new == NULL)
163 goto out;
164 ret = security_port_sid(protocol, pnum, sid);
165 if (ret != 0)
166 goto out;
167
168 new->psec.port = pnum;
169 new->psec.protocol = protocol;
170 new->psec.sid = *sid;
171 sel_netport_insert(new);
172
173out:
174 spin_unlock_bh(&sel_netport_lock);
175 if (unlikely(ret)) {
176 printk(KERN_WARNING
177 "SELinux: failure in sel_netport_sid_slow(),"
178 " unable to determine network port label\n");
179 kfree(new);
180 }
181 return ret;
182}
183
184/**
185 * sel_netport_sid - Lookup the SID of a network port
186 * @protocol: protocol
187 * @pnum: port
188 * @sid: port SID
189 *
190 * Description:
191 * This function determines the SID of a network port using the fastest method
192 * possible. First the port table is queried, but if an entry can't be found
193 * then the policy is queried and the result is added to the table to speedup
194 * future queries. Returns zero on success, negative values on failure.
195 *
196 */
197int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid)
198{
199 struct sel_netport *port;
200
201 rcu_read_lock();
202 port = sel_netport_find(protocol, pnum);
203 if (port != NULL) {
204 *sid = port->psec.sid;
205 rcu_read_unlock();
206 return 0;
207 }
208 rcu_read_unlock();
209
210 return sel_netport_sid_slow(protocol, pnum, sid);
211}
212
213/**
214 * sel_netport_flush - Flush the entire network port table
215 *
216 * Description:
217 * Remove all entries from the network address table.
218 *
219 */
220void sel_netport_flush(void)
221{
222 unsigned int idx;
223 struct sel_netport *port, *port_tmp;
224
225 spin_lock_bh(&sel_netport_lock);
226 for (idx = 0; idx < SEL_NETPORT_HASH_SIZE; idx++) {
227 list_for_each_entry_safe(port, port_tmp,
228 &sel_netport_hash[idx].list, list) {
229 list_del_rcu(&port->list);
230 kfree_rcu(port, rcu);
231 }
232 sel_netport_hash[idx].size = 0;
233 }
234 spin_unlock_bh(&sel_netport_lock);
235}
236
237static __init int sel_netport_init(void)
238{
239 int iter;
240
241 if (!selinux_enabled)
242 return 0;
243
244 for (iter = 0; iter < SEL_NETPORT_HASH_SIZE; iter++) {
245 INIT_LIST_HEAD(&sel_netport_hash[iter].list);
246 sel_netport_hash[iter].size = 0;
247 }
248
249 return 0;
250}
251
252__initcall(sel_netport_init);
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Network port table
4 *
5 * SELinux must keep a mapping of network ports to labels/SIDs. This
6 * mapping is maintained as part of the normal policy but a fast cache is
7 * needed to reduce the lookup overhead.
8 *
9 * Author: Paul Moore <paul@paul-moore.com>
10 *
11 * This code is heavily based on the "netif" concept originally developed by
12 * James Morris <jmorris@redhat.com>
13 * (see security/selinux/netif.c for more information)
14 */
15
16/*
17 * (c) Copyright Hewlett-Packard Development Company, L.P., 2008
18 */
19
20#include <linux/types.h>
21#include <linux/rcupdate.h>
22#include <linux/list.h>
23#include <linux/slab.h>
24#include <linux/spinlock.h>
25#include <linux/in.h>
26#include <linux/in6.h>
27#include <linux/ip.h>
28#include <linux/ipv6.h>
29#include <net/ip.h>
30#include <net/ipv6.h>
31
32#include "netport.h"
33#include "objsec.h"
34
35#define SEL_NETPORT_HASH_SIZE 256
36#define SEL_NETPORT_HASH_BKT_LIMIT 16
37
38struct sel_netport_bkt {
39 int size;
40 struct list_head list;
41};
42
43struct sel_netport {
44 struct netport_security_struct psec;
45
46 struct list_head list;
47 struct rcu_head rcu;
48};
49
50/* NOTE: we are using a combined hash table for both IPv4 and IPv6, the reason
51 * for this is that I suspect most users will not make heavy use of both
52 * address families at the same time so one table will usually end up wasted,
53 * if this becomes a problem we can always add a hash table for each address
54 * family later */
55
56static DEFINE_SPINLOCK(sel_netport_lock);
57static struct sel_netport_bkt sel_netport_hash[SEL_NETPORT_HASH_SIZE];
58
59/**
60 * sel_netport_hashfn - Hashing function for the port table
61 * @pnum: port number
62 *
63 * Description:
64 * This is the hashing function for the port table, it returns the bucket
65 * number for the given port.
66 *
67 */
68static unsigned int sel_netport_hashfn(u16 pnum)
69{
70 return (pnum & (SEL_NETPORT_HASH_SIZE - 1));
71}
72
73/**
74 * sel_netport_find - Search for a port record
75 * @protocol: protocol
76 * @port: pnum
77 *
78 * Description:
79 * Search the network port table and return the matching record. If an entry
80 * can not be found in the table return NULL.
81 *
82 */
83static struct sel_netport *sel_netport_find(u8 protocol, u16 pnum)
84{
85 unsigned int idx;
86 struct sel_netport *port;
87
88 idx = sel_netport_hashfn(pnum);
89 list_for_each_entry_rcu(port, &sel_netport_hash[idx].list, list)
90 if (port->psec.port == pnum && port->psec.protocol == protocol)
91 return port;
92
93 return NULL;
94}
95
96/**
97 * sel_netport_insert - Insert a new port into the table
98 * @port: the new port record
99 *
100 * Description:
101 * Add a new port record to the network address hash table.
102 *
103 */
104static void sel_netport_insert(struct sel_netport *port)
105{
106 unsigned int idx;
107
108 /* we need to impose a limit on the growth of the hash table so check
109 * this bucket to make sure it is within the specified bounds */
110 idx = sel_netport_hashfn(port->psec.port);
111 list_add_rcu(&port->list, &sel_netport_hash[idx].list);
112 if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) {
113 struct sel_netport *tail;
114 tail = list_entry(
115 rcu_dereference_protected(
116 sel_netport_hash[idx].list.prev,
117 lockdep_is_held(&sel_netport_lock)),
118 struct sel_netport, list);
119 list_del_rcu(&tail->list);
120 kfree_rcu(tail, rcu);
121 } else
122 sel_netport_hash[idx].size++;
123}
124
125/**
126 * sel_netport_sid_slow - Lookup the SID of a network address using the policy
127 * @protocol: protocol
128 * @pnum: port
129 * @sid: port SID
130 *
131 * Description:
132 * This function determines the SID of a network port by querying the security
133 * policy. The result is added to the network port table to speedup future
134 * queries. Returns zero on success, negative values on failure.
135 *
136 */
137static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
138{
139 int ret;
140 struct sel_netport *port;
141 struct sel_netport *new;
142
143 spin_lock_bh(&sel_netport_lock);
144 port = sel_netport_find(protocol, pnum);
145 if (port != NULL) {
146 *sid = port->psec.sid;
147 spin_unlock_bh(&sel_netport_lock);
148 return 0;
149 }
150
151 ret = security_port_sid(&selinux_state, protocol, pnum, sid);
152 if (ret != 0)
153 goto out;
154 new = kzalloc(sizeof(*new), GFP_ATOMIC);
155 if (new) {
156 new->psec.port = pnum;
157 new->psec.protocol = protocol;
158 new->psec.sid = *sid;
159 sel_netport_insert(new);
160 }
161
162out:
163 spin_unlock_bh(&sel_netport_lock);
164 if (unlikely(ret))
165 pr_warn("SELinux: failure in %s(), unable to determine network port label\n",
166 __func__);
167 return ret;
168}
169
170/**
171 * sel_netport_sid - Lookup the SID of a network port
172 * @protocol: protocol
173 * @pnum: port
174 * @sid: port SID
175 *
176 * Description:
177 * This function determines the SID of a network port using the fastest method
178 * possible. First the port table is queried, but if an entry can't be found
179 * then the policy is queried and the result is added to the table to speedup
180 * future queries. Returns zero on success, negative values on failure.
181 *
182 */
183int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid)
184{
185 struct sel_netport *port;
186
187 rcu_read_lock();
188 port = sel_netport_find(protocol, pnum);
189 if (port != NULL) {
190 *sid = port->psec.sid;
191 rcu_read_unlock();
192 return 0;
193 }
194 rcu_read_unlock();
195
196 return sel_netport_sid_slow(protocol, pnum, sid);
197}
198
199/**
200 * sel_netport_flush - Flush the entire network port table
201 *
202 * Description:
203 * Remove all entries from the network address table.
204 *
205 */
206void sel_netport_flush(void)
207{
208 unsigned int idx;
209 struct sel_netport *port, *port_tmp;
210
211 spin_lock_bh(&sel_netport_lock);
212 for (idx = 0; idx < SEL_NETPORT_HASH_SIZE; idx++) {
213 list_for_each_entry_safe(port, port_tmp,
214 &sel_netport_hash[idx].list, list) {
215 list_del_rcu(&port->list);
216 kfree_rcu(port, rcu);
217 }
218 sel_netport_hash[idx].size = 0;
219 }
220 spin_unlock_bh(&sel_netport_lock);
221}
222
223static __init int sel_netport_init(void)
224{
225 int iter;
226
227 if (!selinux_enabled_boot)
228 return 0;
229
230 for (iter = 0; iter < SEL_NETPORT_HASH_SIZE; iter++) {
231 INIT_LIST_HEAD(&sel_netport_hash[iter].list);
232 sel_netport_hash[iter].size = 0;
233 }
234
235 return 0;
236}
237
238__initcall(sel_netport_init);