Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
netif.c
Go to the documentation of this file.
1 /*
2  * Network interface table.
3  *
4  * Network interfaces (devices) do not have a security field, so we
5  * maintain a table associating each interface with a SID.
6  *
7  * Author: James Morris <[email protected]>
8  *
9  * Copyright (C) 2003 Red Hat, Inc., James Morris <[email protected]>
10  * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
11  * Paul Moore <[email protected]>
12  *
13  * This program is free software; you can redistribute it and/or modify
14  * it under the terms of the GNU General Public License version 2,
15  * as published by the Free Software Foundation.
16  */
17 #include <linux/init.h>
18 #include <linux/types.h>
19 #include <linux/slab.h>
20 #include <linux/stddef.h>
21 #include <linux/kernel.h>
22 #include <linux/list.h>
23 #include <linux/notifier.h>
24 #include <linux/netdevice.h>
25 #include <linux/rcupdate.h>
26 #include <net/net_namespace.h>
27 
28 #include "security.h"
29 #include "objsec.h"
30 #include "netif.h"
31 
32 #define SEL_NETIF_HASH_SIZE 64
33 #define SEL_NETIF_HASH_MAX 1024
34 
35 struct sel_netif {
36  struct list_head list;
37  struct netif_security_struct nsec;
38  struct rcu_head rcu_head;
39 };
40 
41 static u32 sel_netif_total;
42 static LIST_HEAD(sel_netif_list);
43 static DEFINE_SPINLOCK(sel_netif_lock);
44 static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
45 
55 static inline u32 sel_netif_hashfn(int ifindex)
56 {
57  return (ifindex & (SEL_NETIF_HASH_SIZE - 1));
58 }
59 
69 static inline struct sel_netif *sel_netif_find(int ifindex)
70 {
71  int idx = sel_netif_hashfn(ifindex);
72  struct sel_netif *netif;
73 
74  list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list)
75  /* all of the devices should normally fit in the hash, so we
76  * optimize for that case */
77  if (likely(netif->nsec.ifindex == ifindex))
78  return netif;
79 
80  return NULL;
81 }
82 
92 static int sel_netif_insert(struct sel_netif *netif)
93 {
94  int idx;
95 
96  if (sel_netif_total >= SEL_NETIF_HASH_MAX)
97  return -ENOSPC;
98 
99  idx = sel_netif_hashfn(netif->nsec.ifindex);
100  list_add_rcu(&netif->list, &sel_netif_hash[idx]);
101  sel_netif_total++;
102 
103  return 0;
104 }
105 
114 static void sel_netif_destroy(struct sel_netif *netif)
115 {
116  list_del_rcu(&netif->list);
117  sel_netif_total--;
118  kfree_rcu(netif, rcu_head);
119 }
120 
133 static int sel_netif_sid_slow(int ifindex, u32 *sid)
134 {
135  int ret;
136  struct sel_netif *netif;
137  struct sel_netif *new = NULL;
138  struct net_device *dev;
139 
140  /* NOTE: we always use init's network namespace since we don't
141  * currently support containers */
142 
143  dev = dev_get_by_index(&init_net, ifindex);
144  if (unlikely(dev == NULL)) {
145  printk(KERN_WARNING
146  "SELinux: failure in sel_netif_sid_slow(),"
147  " invalid network interface (%d)\n", ifindex);
148  return -ENOENT;
149  }
150 
151  spin_lock_bh(&sel_netif_lock);
152  netif = sel_netif_find(ifindex);
153  if (netif != NULL) {
154  *sid = netif->nsec.sid;
155  ret = 0;
156  goto out;
157  }
158  new = kzalloc(sizeof(*new), GFP_ATOMIC);
159  if (new == NULL) {
160  ret = -ENOMEM;
161  goto out;
162  }
163  ret = security_netif_sid(dev->name, &new->nsec.sid);
164  if (ret != 0)
165  goto out;
166  new->nsec.ifindex = ifindex;
167  ret = sel_netif_insert(new);
168  if (ret != 0)
169  goto out;
170  *sid = new->nsec.sid;
171 
172 out:
173  spin_unlock_bh(&sel_netif_lock);
174  dev_put(dev);
175  if (unlikely(ret)) {
176  printk(KERN_WARNING
177  "SELinux: failure in sel_netif_sid_slow(),"
178  " unable to determine network interface label (%d)\n",
179  ifindex);
180  kfree(new);
181  }
182  return ret;
183 }
184 
198 int sel_netif_sid(int ifindex, u32 *sid)
199 {
200  struct sel_netif *netif;
201 
202  rcu_read_lock();
203  netif = sel_netif_find(ifindex);
204  if (likely(netif != NULL)) {
205  *sid = netif->nsec.sid;
206  rcu_read_unlock();
207  return 0;
208  }
209  rcu_read_unlock();
210 
211  return sel_netif_sid_slow(ifindex, sid);
212 }
213 
223 static void sel_netif_kill(int ifindex)
224 {
225  struct sel_netif *netif;
226 
227  rcu_read_lock();
228  spin_lock_bh(&sel_netif_lock);
229  netif = sel_netif_find(ifindex);
230  if (netif)
231  sel_netif_destroy(netif);
232  spin_unlock_bh(&sel_netif_lock);
233  rcu_read_unlock();
234 }
235 
243 static void sel_netif_flush(void)
244 {
245  int idx;
246  struct sel_netif *netif;
247 
248  spin_lock_bh(&sel_netif_lock);
249  for (idx = 0; idx < SEL_NETIF_HASH_SIZE; idx++)
250  list_for_each_entry(netif, &sel_netif_hash[idx], list)
251  sel_netif_destroy(netif);
252  spin_unlock_bh(&sel_netif_lock);
253 }
254 
255 static int sel_netif_avc_callback(u32 event)
256 {
257  if (event == AVC_CALLBACK_RESET) {
258  sel_netif_flush();
259  synchronize_net();
260  }
261  return 0;
262 }
263 
264 static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
265  unsigned long event, void *ptr)
266 {
267  struct net_device *dev = ptr;
268 
269  if (dev_net(dev) != &init_net)
270  return NOTIFY_DONE;
271 
272  if (event == NETDEV_DOWN)
273  sel_netif_kill(dev->ifindex);
274 
275  return NOTIFY_DONE;
276 }
277 
278 static struct notifier_block sel_netif_netdev_notifier = {
279  .notifier_call = sel_netif_netdev_notifier_handler,
280 };
281 
282 static __init int sel_netif_init(void)
283 {
284  int i, err;
285 
286  if (!selinux_enabled)
287  return 0;
288 
289  for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)
290  INIT_LIST_HEAD(&sel_netif_hash[i]);
291 
292  register_netdevice_notifier(&sel_netif_netdev_notifier);
293 
294  err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET);
295  if (err)
296  panic("avc_add_callback() failed, error %d\n", err);
297 
298  return err;
299 }
300 
301 __initcall(sel_netif_init);
302 
Generated on Thu Jan 10 2013 15:03:19 for Linux Kernel by   doxygen 1.8.2