Loading...
1/*
2 * Network port table
3 *
4 * SELinux must keep a mapping of network ports to labels/SIDs. This
5 * mapping is maintained as part of the normal policy but a fast cache is
6 * needed to reduce the lookup overhead.
7 *
8 * Author: Paul Moore <paul@paul-moore.com>
9 *
10 * This code is heavily based on the "netif" concept originally developed by
11 * James Morris <jmorris@redhat.com>
12 * (see security/selinux/netif.c for more information)
13 *
14 */
15
16/*
17 * (c) Copyright Hewlett-Packard Development Company, L.P., 2008
18 *
19 * This program is free software: you can redistribute it and/or modify
20 * it under the terms of version 2 of the GNU General Public License as
21 * published by the Free Software Foundation.
22 *
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 * GNU General Public License for more details.
27 *
28 */
29
30#include <linux/types.h>
31#include <linux/rcupdate.h>
32#include <linux/list.h>
33#include <linux/slab.h>
34#include <linux/spinlock.h>
35#include <linux/in.h>
36#include <linux/in6.h>
37#include <linux/ip.h>
38#include <linux/ipv6.h>
39#include <net/ip.h>
40#include <net/ipv6.h>
41
42#include "netport.h"
43#include "objsec.h"
44
45#define SEL_NETPORT_HASH_SIZE 256
46#define SEL_NETPORT_HASH_BKT_LIMIT 16
47
48struct sel_netport_bkt {
49 int size;
50 struct list_head list;
51};
52
53struct sel_netport {
54 struct netport_security_struct psec;
55
56 struct list_head list;
57 struct rcu_head rcu;
58};
59
60/* NOTE: we are using a combined hash table for both IPv4 and IPv6, the reason
61 * for this is that I suspect most users will not make heavy use of both
62 * address families at the same time so one table will usually end up wasted,
63 * if this becomes a problem we can always add a hash table for each address
64 * family later */
65
66static LIST_HEAD(sel_netport_list);
67static DEFINE_SPINLOCK(sel_netport_lock);
68static struct sel_netport_bkt sel_netport_hash[SEL_NETPORT_HASH_SIZE];
69
70/**
71 * sel_netport_hashfn - Hashing function for the port table
72 * @pnum: port number
73 *
74 * Description:
75 * This is the hashing function for the port table, it returns the bucket
76 * number for the given port.
77 *
78 */
79static unsigned int sel_netport_hashfn(u16 pnum)
80{
81 return (pnum & (SEL_NETPORT_HASH_SIZE - 1));
82}
83
84/**
85 * sel_netport_find - Search for a port record
86 * @protocol: protocol
87 * @port: pnum
88 *
89 * Description:
90 * Search the network port table and return the matching record. If an entry
91 * can not be found in the table return NULL.
92 *
93 */
94static struct sel_netport *sel_netport_find(u8 protocol, u16 pnum)
95{
96 unsigned int idx;
97 struct sel_netport *port;
98
99 idx = sel_netport_hashfn(pnum);
100 list_for_each_entry_rcu(port, &sel_netport_hash[idx].list, list)
101 if (port->psec.port == pnum && port->psec.protocol == protocol)
102 return port;
103
104 return NULL;
105}
106
107/**
108 * sel_netport_insert - Insert a new port into the table
109 * @port: the new port record
110 *
111 * Description:
112 * Add a new port record to the network address hash table.
113 *
114 */
115static void sel_netport_insert(struct sel_netport *port)
116{
117 unsigned int idx;
118
119 /* we need to impose a limit on the growth of the hash table so check
120 * this bucket to make sure it is within the specified bounds */
121 idx = sel_netport_hashfn(port->psec.port);
122 list_add_rcu(&port->list, &sel_netport_hash[idx].list);
123 if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) {
124 struct sel_netport *tail;
125 tail = list_entry(
126 rcu_dereference_protected(
127 sel_netport_hash[idx].list.prev,
128 lockdep_is_held(&sel_netport_lock)),
129 struct sel_netport, list);
130 list_del_rcu(&tail->list);
131 kfree_rcu(tail, rcu);
132 } else
133 sel_netport_hash[idx].size++;
134}
135
136/**
137 * sel_netport_sid_slow - Lookup the SID of a network address using the policy
138 * @protocol: protocol
139 * @pnum: port
140 * @sid: port SID
141 *
142 * Description:
143 * This function determines the SID of a network port by quering the security
144 * policy. The result is added to the network port table to speedup future
145 * queries. Returns zero on success, negative values on failure.
146 *
147 */
148static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
149{
150 int ret = -ENOMEM;
151 struct sel_netport *port;
152 struct sel_netport *new = NULL;
153
154 spin_lock_bh(&sel_netport_lock);
155 port = sel_netport_find(protocol, pnum);
156 if (port != NULL) {
157 *sid = port->psec.sid;
158 spin_unlock_bh(&sel_netport_lock);
159 return 0;
160 }
161 new = kzalloc(sizeof(*new), GFP_ATOMIC);
162 if (new == NULL)
163 goto out;
164 ret = security_port_sid(protocol, pnum, sid);
165 if (ret != 0)
166 goto out;
167
168 new->psec.port = pnum;
169 new->psec.protocol = protocol;
170 new->psec.sid = *sid;
171 sel_netport_insert(new);
172
173out:
174 spin_unlock_bh(&sel_netport_lock);
175 if (unlikely(ret)) {
176 printk(KERN_WARNING
177 "SELinux: failure in sel_netport_sid_slow(),"
178 " unable to determine network port label\n");
179 kfree(new);
180 }
181 return ret;
182}
183
184/**
185 * sel_netport_sid - Lookup the SID of a network port
186 * @protocol: protocol
187 * @pnum: port
188 * @sid: port SID
189 *
190 * Description:
191 * This function determines the SID of a network port using the fastest method
192 * possible. First the port table is queried, but if an entry can't be found
193 * then the policy is queried and the result is added to the table to speedup
194 * future queries. Returns zero on success, negative values on failure.
195 *
196 */
197int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid)
198{
199 struct sel_netport *port;
200
201 rcu_read_lock();
202 port = sel_netport_find(protocol, pnum);
203 if (port != NULL) {
204 *sid = port->psec.sid;
205 rcu_read_unlock();
206 return 0;
207 }
208 rcu_read_unlock();
209
210 return sel_netport_sid_slow(protocol, pnum, sid);
211}
212
213/**
214 * sel_netport_flush - Flush the entire network port table
215 *
216 * Description:
217 * Remove all entries from the network address table.
218 *
219 */
220void sel_netport_flush(void)
221{
222 unsigned int idx;
223 struct sel_netport *port, *port_tmp;
224
225 spin_lock_bh(&sel_netport_lock);
226 for (idx = 0; idx < SEL_NETPORT_HASH_SIZE; idx++) {
227 list_for_each_entry_safe(port, port_tmp,
228 &sel_netport_hash[idx].list, list) {
229 list_del_rcu(&port->list);
230 kfree_rcu(port, rcu);
231 }
232 sel_netport_hash[idx].size = 0;
233 }
234 spin_unlock_bh(&sel_netport_lock);
235}
236
237static __init int sel_netport_init(void)
238{
239 int iter;
240
241 if (!selinux_enabled)
242 return 0;
243
244 for (iter = 0; iter < SEL_NETPORT_HASH_SIZE; iter++) {
245 INIT_LIST_HEAD(&sel_netport_hash[iter].list);
246 sel_netport_hash[iter].size = 0;
247 }
248
249 return 0;
250}
251
252__initcall(sel_netport_init);
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Network port table
4 *
5 * SELinux must keep a mapping of network ports to labels/SIDs. This
6 * mapping is maintained as part of the normal policy but a fast cache is
7 * needed to reduce the lookup overhead.
8 *
9 * Author: Paul Moore <paul@paul-moore.com>
10 *
11 * This code is heavily based on the "netif" concept originally developed by
12 * James Morris <jmorris@redhat.com>
13 * (see security/selinux/netif.c for more information)
14 */
15
16/*
17 * (c) Copyright Hewlett-Packard Development Company, L.P., 2008
18 */
19
20#include <linux/types.h>
21#include <linux/rcupdate.h>
22#include <linux/list.h>
23#include <linux/slab.h>
24#include <linux/spinlock.h>
25#include <linux/in.h>
26#include <linux/in6.h>
27#include <linux/ip.h>
28#include <linux/ipv6.h>
29#include <net/ip.h>
30#include <net/ipv6.h>
31
32#include "netport.h"
33#include "objsec.h"
34
35#define SEL_NETPORT_HASH_SIZE 256
36#define SEL_NETPORT_HASH_BKT_LIMIT 16
37
38struct sel_netport_bkt {
39 int size;
40 struct list_head list;
41};
42
43struct sel_netport {
44 struct netport_security_struct psec;
45
46 struct list_head list;
47 struct rcu_head rcu;
48};
49
50/* NOTE: we are using a combined hash table for both IPv4 and IPv6, the reason
51 * for this is that I suspect most users will not make heavy use of both
52 * address families at the same time so one table will usually end up wasted,
53 * if this becomes a problem we can always add a hash table for each address
54 * family later */
55
56static LIST_HEAD(sel_netport_list);
57static DEFINE_SPINLOCK(sel_netport_lock);
58static struct sel_netport_bkt sel_netport_hash[SEL_NETPORT_HASH_SIZE];
59
60/**
61 * sel_netport_hashfn - Hashing function for the port table
62 * @pnum: port number
63 *
64 * Description:
65 * This is the hashing function for the port table, it returns the bucket
66 * number for the given port.
67 *
68 */
69static unsigned int sel_netport_hashfn(u16 pnum)
70{
71 return (pnum & (SEL_NETPORT_HASH_SIZE - 1));
72}
73
74/**
75 * sel_netport_find - Search for a port record
76 * @protocol: protocol
77 * @port: pnum
78 *
79 * Description:
80 * Search the network port table and return the matching record. If an entry
81 * can not be found in the table return NULL.
82 *
83 */
84static struct sel_netport *sel_netport_find(u8 protocol, u16 pnum)
85{
86 unsigned int idx;
87 struct sel_netport *port;
88
89 idx = sel_netport_hashfn(pnum);
90 list_for_each_entry_rcu(port, &sel_netport_hash[idx].list, list)
91 if (port->psec.port == pnum && port->psec.protocol == protocol)
92 return port;
93
94 return NULL;
95}
96
97/**
98 * sel_netport_insert - Insert a new port into the table
99 * @port: the new port record
100 *
101 * Description:
102 * Add a new port record to the network address hash table.
103 *
104 */
105static void sel_netport_insert(struct sel_netport *port)
106{
107 unsigned int idx;
108
109 /* we need to impose a limit on the growth of the hash table so check
110 * this bucket to make sure it is within the specified bounds */
111 idx = sel_netport_hashfn(port->psec.port);
112 list_add_rcu(&port->list, &sel_netport_hash[idx].list);
113 if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) {
114 struct sel_netport *tail;
115 tail = list_entry(
116 rcu_dereference_protected(
117 sel_netport_hash[idx].list.prev,
118 lockdep_is_held(&sel_netport_lock)),
119 struct sel_netport, list);
120 list_del_rcu(&tail->list);
121 kfree_rcu(tail, rcu);
122 } else
123 sel_netport_hash[idx].size++;
124}
125
126/**
127 * sel_netport_sid_slow - Lookup the SID of a network address using the policy
128 * @protocol: protocol
129 * @pnum: port
130 * @sid: port SID
131 *
132 * Description:
133 * This function determines the SID of a network port by quering the security
134 * policy. The result is added to the network port table to speedup future
135 * queries. Returns zero on success, negative values on failure.
136 *
137 */
138static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
139{
140 int ret;
141 struct sel_netport *port;
142 struct sel_netport *new;
143
144 spin_lock_bh(&sel_netport_lock);
145 port = sel_netport_find(protocol, pnum);
146 if (port != NULL) {
147 *sid = port->psec.sid;
148 spin_unlock_bh(&sel_netport_lock);
149 return 0;
150 }
151
152 ret = security_port_sid(&selinux_state, protocol, pnum, sid);
153 if (ret != 0)
154 goto out;
155 new = kzalloc(sizeof(*new), GFP_ATOMIC);
156 if (new) {
157 new->psec.port = pnum;
158 new->psec.protocol = protocol;
159 new->psec.sid = *sid;
160 sel_netport_insert(new);
161 }
162
163out:
164 spin_unlock_bh(&sel_netport_lock);
165 if (unlikely(ret))
166 pr_warn("SELinux: failure in %s(), unable to determine network port label\n",
167 __func__);
168 return ret;
169}
170
171/**
172 * sel_netport_sid - Lookup the SID of a network port
173 * @protocol: protocol
174 * @pnum: port
175 * @sid: port SID
176 *
177 * Description:
178 * This function determines the SID of a network port using the fastest method
179 * possible. First the port table is queried, but if an entry can't be found
180 * then the policy is queried and the result is added to the table to speedup
181 * future queries. Returns zero on success, negative values on failure.
182 *
183 */
184int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid)
185{
186 struct sel_netport *port;
187
188 rcu_read_lock();
189 port = sel_netport_find(protocol, pnum);
190 if (port != NULL) {
191 *sid = port->psec.sid;
192 rcu_read_unlock();
193 return 0;
194 }
195 rcu_read_unlock();
196
197 return sel_netport_sid_slow(protocol, pnum, sid);
198}
199
200/**
201 * sel_netport_flush - Flush the entire network port table
202 *
203 * Description:
204 * Remove all entries from the network address table.
205 *
206 */
207void sel_netport_flush(void)
208{
209 unsigned int idx;
210 struct sel_netport *port, *port_tmp;
211
212 spin_lock_bh(&sel_netport_lock);
213 for (idx = 0; idx < SEL_NETPORT_HASH_SIZE; idx++) {
214 list_for_each_entry_safe(port, port_tmp,
215 &sel_netport_hash[idx].list, list) {
216 list_del_rcu(&port->list);
217 kfree_rcu(port, rcu);
218 }
219 sel_netport_hash[idx].size = 0;
220 }
221 spin_unlock_bh(&sel_netport_lock);
222}
223
224static __init int sel_netport_init(void)
225{
226 int iter;
227
228 if (!selinux_enabled)
229 return 0;
230
231 for (iter = 0; iter < SEL_NETPORT_HASH_SIZE; iter++) {
232 INIT_LIST_HEAD(&sel_netport_hash[iter].list);
233 sel_netport_hash[iter].size = 0;
234 }
235
236 return 0;
237}
238
239__initcall(sel_netport_init);