Release 4.7 security/selinux/netif.c
/*
* Network interface table.
*
* Network interfaces (devices) do not have a security field, so we
* maintain a table associating each interface with a SID.
*
* Author: James Morris <jmorris@redhat.com>
*
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
* Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
* Paul Moore <paul@paul-moore.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation.
*/
#include <linux/init.h>
#include <linux/types.h>
#include <linux/slab.h>
#include <linux/stddef.h>
#include <linux/kernel.h>
#include <linux/list.h>
#include <linux/notifier.h>
#include <linux/netdevice.h>
#include <linux/rcupdate.h>
#include <net/net_namespace.h>
#include "security.h"
#include "objsec.h"
#include "netif.h"
#define SEL_NETIF_HASH_SIZE 64
#define SEL_NETIF_HASH_MAX 1024
struct sel_netif {
struct list_head list;
struct netif_security_struct nsec;
struct rcu_head rcu_head;
};
static u32 sel_netif_total;
static LIST_HEAD(sel_netif_list);
static DEFINE_SPINLOCK(sel_netif_lock);
static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE];
/**
* sel_netif_hashfn - Hashing function for the interface table
* @ns: the network namespace
* @ifindex: the network interface
*
* Description:
* This is the hashing function for the network interface table, it returns the
* bucket number for the given interface.
*
*/
static inline u32 sel_netif_hashfn(const struct net *ns, int ifindex)
{
return (((uintptr_t)ns + ifindex) & (SEL_NETIF_HASH_SIZE - 1));
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
andrew morton | andrew morton | 18 | 52.94% | 1 | 33.33% |
paul moore | paul moore | 16 | 47.06% | 2 | 66.67% |
| Total | 34 | 100.00% | 3 | 100.00% |
/**
* sel_netif_find - Search for an interface record
* @ns: the network namespace
* @ifindex: the network interface
*
* Description:
* Search the network interface table and return the record matching @ifindex.
* If an entry can not be found in the table return NULL.
*
*/
static inline struct sel_netif *sel_netif_find(const struct net *ns,
int ifindex)
{
int idx = sel_netif_hashfn(ns, ifindex);
struct sel_netif *netif;
list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list)
if (net_eq(netif->nsec.ns, ns) &&
netif->nsec.ifindex == ifindex)
return netif;
return NULL;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
andrew morton | andrew morton | 38 | 55.88% | 1 | 25.00% |
paul moore | paul moore | 29 | 42.65% | 2 | 50.00% |
james morris | james morris | 1 | 1.47% | 1 | 25.00% |
| Total | 68 | 100.00% | 4 | 100.00% |
/**
* sel_netif_insert - Insert a new interface into the table
* @netif: the new interface record
*
* Description:
* Add a new interface record to the network interface hash table. Returns
* zero on success, negative values on failure.
*
*/
static int sel_netif_insert(struct sel_netif *netif)
{
int idx;
if (sel_netif_total >= SEL_NETIF_HASH_MAX)
return -ENOSPC;
idx = sel_netif_hashfn(netif->nsec.ns, netif->nsec.ifindex);
list_add_rcu(&netif->list, &sel_netif_hash[idx]);
sel_netif_total++;
return 0;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
andrew morton | andrew morton | 42 | 68.85% | 1 | 25.00% |
paul moore | paul moore | 11 | 18.03% | 2 | 50.00% |
james morris | james morris | 8 | 13.11% | 1 | 25.00% |
| Total | 61 | 100.00% | 4 | 100.00% |
/**
* sel_netif_destroy - Remove an interface record from the table
* @netif: the existing interface record
*
* Description:
* Remove an existing interface record from the network interface table.
*
*/
static void sel_netif_destroy(struct sel_netif *netif)
{
list_del_rcu(&netif->list);
sel_netif_total--;
kfree_rcu(netif, rcu_head);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
james morris | james morris | 18 | 62.07% | 1 | 33.33% |
andrew morton | andrew morton | 9 | 31.03% | 1 | 33.33% |
lai jiangshan | lai jiangshan | 2 | 6.90% | 1 | 33.33% |
| Total | 29 | 100.00% | 3 | 100.00% |
/**
* sel_netif_sid_slow - Lookup the SID of a network interface using the policy
* @ns: the network namespace
* @ifindex: the network interface
* @sid: interface SID
*
* Description:
* This function determines the SID of a network interface by quering the
* security policy. The result is added to the network interface table to
* speedup future queries. Returns zero on success, negative values on
* failure.
*
*/
static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
{
int ret;
struct sel_netif *netif;
struct sel_netif *new = NULL;
struct net_device *dev;
/* NOTE: we always use init's network namespace since we don't
* currently support containers */
dev = dev_get_by_index(ns, ifindex);
if (unlikely(dev == NULL)) {
printk(KERN_WARNING
"SELinux: failure in sel_netif_sid_slow(),"
" invalid network interface (%d)\n", ifindex);
return -ENOENT;
}
spin_lock_bh(&sel_netif_lock);
netif = sel_netif_find(ns, ifindex);
if (netif != NULL) {
*sid = netif->nsec.sid;
ret = 0;
goto out;
}
new = kzalloc(sizeof(*new), GFP_ATOMIC);
if (new == NULL) {
ret = -ENOMEM;
goto out;
}
ret = security_netif_sid(dev->name, &new->nsec.sid);
if (ret != 0)
goto out;
new->nsec.ns = ns;
new->nsec.ifindex = ifindex;
ret = sel_netif_insert(new);
if (ret != 0)
goto out;
*sid = new->nsec.sid;
out:
spin_unlock_bh(&sel_netif_lock);
dev_put(dev);
if (unlikely(ret)) {
printk(KERN_WARNING
"SELinux: failure in sel_netif_sid_slow(),"
" unable to determine network interface label (%d)\n",
ifindex);
kfree(new);
}
return ret;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
paul moore | paul moore | 125 | 51.02% | 3 | 50.00% |
andrew morton | andrew morton | 101 | 41.22% | 1 | 16.67% |
james morris | james morris | 19 | 7.76% | 2 | 33.33% |
| Total | 245 | 100.00% | 6 | 100.00% |
/**
* sel_netif_sid - Lookup the SID of a network interface
* @ns: the network namespace
* @ifindex: the network interface
* @sid: interface SID
*
* Description:
* This function determines the SID of a network interface using the fastest
* method possible. First the interface table is queried, but if an entry
* can't be found then the policy is queried and the result is added to the
* table to speedup future queries. Returns zero on success, negative values
* on failure.
*
*/
int sel_netif_sid(struct net *ns, int ifindex, u32 *sid)
{
struct sel_netif *netif;
rcu_read_lock();
netif = sel_netif_find(ns, ifindex);
if (likely(netif != NULL)) {
*sid = netif->nsec.sid;
rcu_read_unlock();
return 0;
}
rcu_read_unlock();
return sel_netif_sid_slow(ns, ifindex, sid);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
paul moore | paul moore | 34 | 46.58% | 2 | 50.00% |
james morris | james morris | 28 | 38.36% | 1 | 25.00% |
andrew morton | andrew morton | 11 | 15.07% | 1 | 25.00% |
| Total | 73 | 100.00% | 4 | 100.00% |
/**
* sel_netif_kill - Remove an entry from the network interface table
* @ns: the network namespace
* @ifindex: the network interface
*
* Description:
* This function removes the entry matching @ifindex from the network interface
* table if it exists.
*
*/
static void sel_netif_kill(const struct net *ns, int ifindex)
{
struct sel_netif *netif;
rcu_read_lock();
spin_lock_bh(&sel_netif_lock);
netif = sel_netif_find(ns, ifindex);
if (netif)
sel_netif_destroy(netif);
spin_unlock_bh(&sel_netif_lock);
rcu_read_unlock();
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
andrew morton | andrew morton | 27 | 48.21% | 1 | 20.00% |
james morris | james morris | 12 | 21.43% | 1 | 20.00% |
paul moore | paul moore | 11 | 19.64% | 2 | 40.00% |
paul e. mckenney | paul e. mckenney | 6 | 10.71% | 1 | 20.00% |
| Total | 56 | 100.00% | 5 | 100.00% |
/**
* sel_netif_flush - Flush the entire network interface table
*
* Description:
* Remove all entries from the network interface table.
*
*/
void sel_netif_flush(void)
{
int idx;
struct sel_netif *netif;
spin_lock_bh(&sel_netif_lock);
for (idx = 0; idx < SEL_NETIF_HASH_SIZE; idx++)
list_for_each_entry(netif, &sel_netif_hash[idx], list)
sel_netif_destroy(netif);
spin_unlock_bh(&sel_netif_lock);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
andrew morton | andrew morton | 31 | 58.49% | 1 | 33.33% |
james morris | james morris | 17 | 32.08% | 1 | 33.33% |
paul moore | paul moore | 5 | 9.43% | 1 | 33.33% |
| Total | 53 | 100.00% | 3 | 100.00% |
static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
unsigned long event, void *ptr)
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
if (event == NETDEV_DOWN)
sel_netif_kill(dev_net(dev), dev->ifindex);
return NOTIFY_DONE;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
andrew morton | andrew morton | 40 | 80.00% | 1 | 25.00% |
paul moore | paul moore | 7 | 14.00% | 2 | 50.00% |
jiri pirko | jiri pirko | 3 | 6.00% | 1 | 25.00% |
| Total | 50 | 100.00% | 4 | 100.00% |
static struct notifier_block sel_netif_netdev_notifier = {
.notifier_call = sel_netif_netdev_notifier_handler,
};
static __init int sel_netif_init(void)
{
int i;
if (!selinux_enabled)
return 0;
for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)
INIT_LIST_HEAD(&sel_netif_hash[i]);
register_netdevice_notifier(&sel_netif_netdev_notifier);
return 0;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
andrew morton | andrew morton | 47 | 92.16% | 1 | 33.33% |
paul moore | paul moore | 4 | 7.84% | 2 | 66.67% |
| Total | 51 | 100.00% | 3 | 100.00% |
__initcall(sel_netif_init);
Overall Contributors
| Person | Tokens | Prop | Commits | CommitProp |
andrew morton | andrew morton | 438 | 52.52% | 1 | 6.67% |
paul moore | paul moore | 251 | 30.10% | 5 | 33.33% |
james morris | james morris | 121 | 14.51% | 2 | 13.33% |
paul e. mckenney | paul e. mckenney | 6 | 0.72% | 1 | 6.67% |
thomas gleixner | thomas gleixner | 4 | 0.48% | 1 | 6.67% |
jiri pirko | jiri pirko | 3 | 0.36% | 1 | 6.67% |
eric w. biederman | eric w. biederman | 3 | 0.36% | 1 | 6.67% |
tejun heo | tejun heo | 3 | 0.36% | 1 | 6.67% |
gerd knorr | gerd knorr | 3 | 0.36% | 1 | 6.67% |
lai jiangshan | lai jiangshan | 2 | 0.24% | 1 | 6.67% |
| Total | 834 | 100.00% | 15 | 100.00% |
Information contained on this website is for historical information purposes only and does not indicate or represent copyright ownership.