Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1765850AbXHXMy4 (ORCPT ); Fri, 24 Aug 2007 08:54:56 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1762561AbXHXMyj (ORCPT ); Fri, 24 Aug 2007 08:54:39 -0400 Received: from rv-out-0910.google.com ([209.85.198.184]:11238 "EHLO rv-out-0910.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1762089AbXHXMyg (ORCPT ); Fri, 24 Aug 2007 08:54:36 -0400 DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding; b=E8AzbPBGu0yrPfwKEsQ46JAGPj8+GenBqWLJs9ohpTrJpi2gFHt59dR/m3JqPQ+S+PrDbl9zbv6Sm16MTEpt2hrkjnbNzyec3X5IhR0ZIewLVdlCOONYiN9Gl+2j8Zgb5S7LL272NK0/PJBKpfvYaUkuVq1DT6ftiLoDhAAjHZE= Message-ID: <46CED507.8010203@gmail.com> Date: Fri, 24 Aug 2007 21:54:31 +0900 From: Kentaro Takeda User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, chrisw@sous-sol.org Subject: [TOMOYO 10/15] Networking access control functions. References: <46CED214.6050505@gmail.com> In-Reply-To: <46CED214.6050505@gmail.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 24439 Lines: 1010 Network access control functions for TOMOYO Linux. TOMOYO Linux checks permission by the following four parameters. * protocol type (TCP, UDP, RAW) * access type (bind, listen, connect, accept) * IP address (Both IPv4 and IPv6 are available) * port number In order to check 'TCP accept' and 'UDP accept'(recv), LSM expansion patch ([TOMOYO /]) is needed. Each permission can be automatically accumulated into the policy of each domain using 'learning mode'. Signed-off-by: Kentaro Takeda Signed-off-by: Tetsuo Handa --- security/tomoyo/net.c | 983 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 983 insertions(+) --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ linux-2.6/security/tomoyo/net.c 2007-08-24 15:51:37.000000000 +0900 @@ -0,0 +1,983 @@ +/* + * security/tomoyo/net.c + * + * Network access control functions for TOMOYO Linux. + */ + +#include "tomoyo.h" +#include "realpath.h" +#include + +/************************* AUDIT FUNCTIONS *************************/ + +static int tmy_audit_network_log(const int is_ipv6, + const char *operation, + const u32 *address, + const u16 port, + const int is_granted, + const int is_enforce) +{ + char *buf; + int len = 256; + + if (is_granted) { + if (!tmy_audit_grant()) + return 0; + } else { + if (!tmy_audit_reject()) + return 0; + } + + buf = tmy_init_audit_log(&len); + if (!buf) + return -ENOMEM; + + snprintf(buf + strlen(buf), len - strlen(buf) - 1, + TMY_ALLOW_NETWORK "%s ", operation); + + if (is_ipv6) + tmy_print_ipv6(buf + strlen(buf), len - strlen(buf), + (const u16 *) address); + else { + u32 ip = *address; + snprintf(buf + strlen(buf), len - strlen(buf) - 1, + NIPQUAD_FMT, NIPQUAD(ip)); + } + + snprintf(buf + strlen(buf), len - strlen(buf) - 1, " %u", port); + + return tmy_write_audit_log(buf, is_granted, is_enforce); +} + +/************************* ADDRESS GROUP HANDLER *************************/ + +/* List of address group. */ +static struct addr_group_entry *group_list; + +static int tmy_add_addr_group_entry(const char *group_name, + const u8 is_ipv6, + const u16 *min_address, + const u16 *max_address, + const int is_delete) +{ + static DECLARE_MUTEX(lock); + struct addr_group_entry *new_group; + struct addr_group_entry *group; + struct addr_group_member *new_member; + struct addr_group_member *member; + const struct path_info *saved_group_name; + int error = -ENOMEM; + + if (!tmy_correct_path(group_name, 0, 0, 0, __FUNCTION__) || + !group_name[0]) + return -EINVAL; + + saved_group_name = tmy_save_name(group_name); + if (!saved_group_name) + return -ENOMEM; + + down(&lock); + + for (group = group_list; group; group = group->next) { + + if (saved_group_name != group->group_name) + continue; + + for (member = group->first_member; + member; + member = member->next) { + + if (member->is_ipv6 != is_ipv6) + continue; + + if (is_ipv6) { + if (memcmp(member->min.ipv6, min_address, 16) || + memcmp(member->max.ipv6, max_address, 16)) + continue; + } else { + if (member->min.ipv4 != * (u32 *) min_address || + member->max.ipv4 != * (u32 *) max_address) + continue; + } + + member->is_deleted = is_delete; + error = 0; + goto out; + } + break; + } + + if (is_delete) { + error = -ENOENT; + goto out; + } + + if (!group) { + new_group = tmy_alloc_element(sizeof(*new_group)); + if (!new_group) + goto out; + new_group->group_name = saved_group_name; + mb(); /* Instead of using spinlock. */ + group = group_list; + if (group) { + while (group->next) + group = group->next; + group->next = new_group; + } else + group_list = new_group; + group = new_group; + } + + new_member = tmy_alloc_element(sizeof(*new_member)); + if (!new_member) + goto out; + + new_member->is_ipv6 = is_ipv6; + + if (is_ipv6) { + memmove(new_member->min.ipv6, min_address, 16); + memmove(new_member->max.ipv6, max_address, 16); + } else { + new_member->min.ipv4 = * (u32 *) min_address; + new_member->max.ipv4 = * (u32 *) max_address; + } + + mb(); /* Instead of using spinlock. */ + + member = group->first_member; + if (member) { + while (member->next) + member = member->next; + member->next = new_member; + } else + group->first_member = new_member; + + error = 0; +out: ; + up(&lock); + + return error; +} + +/** + * tmy_add_addr_group_policy - add or delete address group policy. + * @data: a line to parse. + * @is_delete: is this delete request? + * + * Returns zero on success. + * Returns nonzero on failure. + */ +int tmy_add_addr_group_policy(char *data, const int is_delete) +{ + int count; + int is_ipv6; + u16 min_address[8]; + u16 max_address[8]; + unsigned int min[8]; + unsigned int max[8]; + char *cp = strchr(data, ' '); + + if (!cp) + return -EINVAL; + + *cp++ = '\0'; + count = sscanf(cp, + NIP6_FMT "-" NIP6_FMT, + &min[0], &min[1], &min[2], &min[3], + &min[4], &min[5], &min[6], &min[7], + &max[0], &max[1], &max[2], &max[3], + &max[4], &max[5], &max[6], &max[7]); + + if (count == 8 || count == 16) { + + int i; + + for (i = 0; i < 8; i++) { + min_address[i] = htons((u16) min[i]); + max_address[i] = htons((u16) max[i]); + } + if (count == 8) + memmove(max_address, min_address, sizeof(min_address)); + is_ipv6 = 1; + + goto ok; + + } + + count = sscanf(cp, + NIPQUAD_FMT "-" NIPQUAD_FMT, + &min[0], &min[1], + &min[2], &min[3], + &max[0], &max[1], + &max[2], &max[3]); + + if (count == 4 || count == 8) { + u32 ip = ((((u8) min[0]) << 24) + + (((u8) min[1]) << 16) + + (((u8) min[2]) << 8) + + (u8) min[3]); + + * (u32 *) min_address = ip; + + if (count == 8) + ip = ((((u8) max[0]) << 24) + + (((u8) max[1]) << 16) + + (((u8) max[2]) << 8) + + (u8) max[3]); + + * (u32 *) max_address = ip; + is_ipv6 = 0; + + goto ok; + + } + + return -EINVAL; + +ok: ; + return tmy_add_addr_group_entry(data, is_ipv6, min_address, max_address, + is_delete); +} + +static struct addr_group_entry *tmy_new_addr_group(const char *name) +{ + int i; + struct addr_group_entry *group; + + for (i = 0; i <= 1; i++) { + for (group = group_list; group; group = group->next) { + + if (strcmp(name, group->group_name->name) == 0) + return group; + + } + + if (i == 0) { + /* + * Add a dummy entry to create new address group + * and delete that entry. + */ + const u16 dum[2] = { 0, 0 }; + tmy_add_addr_group_entry(name, 0, dum, dum, 0); + tmy_add_addr_group_entry(name, 0, dum, dum, 1); + } + } + + return NULL; +} + +static int tmy_address_match_group(const u8 is_ipv6, + const u32 *address, + const struct addr_group_entry *group) +{ + struct addr_group_member *member; + const u32 ip = ntohl(*address); + + for (member = group->first_member; member; member = member->next) { + + if (member->is_deleted) + continue; + + if (member->is_ipv6) { + + if (is_ipv6 && + memcmp(member->min.ipv6, address, 16) <= 0 && + memcmp(address, member->max.ipv6, 16) <= 0) + return 1; + + } else { + + if (!is_ipv6 && + member->min.ipv4 <= ip && + ip <= member->max.ipv4) + return 1; + + } + } + + return 0; +} + +static int tmy_read_addr_group(struct io_buffer *head, + struct addr_group_entry *group, + struct addr_group_member *member) +{ + char buf[128]; + if (!member) + return 0; + + if (member->is_ipv6) { + + const u16 *min_addr = member->min.ipv6; + const u16 *max_addr = member->max.ipv6; + + tmy_print_ipv6(buf, sizeof(buf), min_addr); + + if (memcmp(min_addr, max_addr, 16)) { + char *cp = strchr(buf, '\0'); + int len = sizeof(buf) - strlen(buf); + + *cp++ = '-'; + tmy_print_ipv6(cp, len, max_addr); + } + + } else { + + const u32 min_addr = member->min.ipv4; + const u32 max_addr = member->max.ipv4; + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf) - 1, + NIPQUAD_FMT, HIPQUAD(min_addr)); + + if (min_addr != max_addr) { + const int len = strlen(buf); + + snprintf(buf + len, sizeof(buf) - 1 - len, + "-" NIPQUAD_FMT, HIPQUAD(max_addr)); + } + + } + + return tmy_io_printf(head, TMY_ADDRESS_GROUP "%s %s\n", + group->group_name->name, buf); +} + +/** + * tmy_read_addr_group_policy - read address group policy + * @head: pointer to "struct io_buffer". + * + * Returns nonzero if reading incomplete. + * Returns zero otherwise. + */ +int tmy_read_addr_group_policy(struct io_buffer *head) +{ + struct addr_group_entry *group = head->read_var1; + struct addr_group_member *member = head->read_var2; + + if (!group) + group = group_list; + + while (group) { + head->read_var1 = group; + if (!member) + member = group->first_member; + while (member) { + + head->read_var2 = member; + if (member->is_deleted) { + member = member->next; + continue; + } + + if (tmy_read_addr_group(head, group, member)) + break; + + member = member->next; + } + if (member) + break; + head->read_var2 = NULL; + group = group->next; + } + return group ? -ENOMEM : 0; +} + +/*********************** NETWORK NETWORK ACL HANDLER ***********************/ + +/** + * tmy_print_ipv6 - print ipv6 address + * @buffer: pointer to buffer to save the result. + * @buffer_len: sizeof @buffer . + * @ip: pointer to an IPv6 address in network byte order. + * + * Returns @buffer . + */ +char *tmy_print_ipv6(char *buffer, const int buffer_len, const u16 *ip) +{ + memset(buffer, 0, buffer_len); + snprintf(buffer, buffer_len - 1, NIP6_FMT, + ntohs(ip[0]), ntohs(ip[1]), ntohs(ip[2]), ntohs(ip[3]), + ntohs(ip[4]), ntohs(ip[5]), ntohs(ip[6]), ntohs(ip[7])); + return buffer; +} + +/** + * tmy_network2keyword - get keyword from access control index. + * @operation: index number. + * + * Returns keyword that corresponds with @operation . + */ +const char *tmy_network2keyword(const unsigned int operation) +{ + const char *keyword = "unknown"; + switch (operation) { + case TMY_NETWORK_ACL_UDP_BIND: + keyword = "UDP bind"; + break; + case TMY_NETWORK_ACL_UDP_CONNECT: + keyword = "UDP connect"; + break; + case TMY_NETWORK_ACL_TCP_BIND: + keyword = "TCP bind"; + break; + case TMY_NETWORK_ACL_TCP_LISTEN: + keyword = "TCP listen"; + break; + case TMY_NETWORK_ACL_TCP_CONNECT: + keyword = "TCP connect"; + break; + case TMY_NETWORK_ACL_TCP_ACCEPT: + keyword = "TCP accept"; + break; + case TMY_NETWORK_ACL_RAW_BIND: + keyword = "RAW bind"; + break; + case TMY_NETWORK_ACL_RAW_CONNECT: + keyword = "RAW connect"; + break; + } + return keyword; +} + +/* Compare IPv4/IPv6 address. */ +static int tmy_cmp_network_entry(const u8 record_type, + struct net_acl *acl, + const struct addr_group_entry *group, + const u32 min_ip, + const u32 max_ip, + const u32 *min_address, + const u32 *max_address) +{ + int found = 0; + + switch (record_type) { + + case TMY_TYPE_ADDRESS_GROUP: + if (acl->u.group == group) + found = 1; + break; + + case TMY_TYPE_IPv4: + if (acl->u.ipv4.min == min_ip && + max_ip == acl->u.ipv4.max) + found = 1; + break; + + case TMY_TYPE_IPv6: + if (memcmp(acl->u.ipv6.min, min_address, 16) == 0 && + memcmp(max_address, acl->u.ipv6.max, 16) == 0) + found = 1; + break; + + } + + return found; +} + +/* + * @is_add: 1 add this entry if not quota exceeded + * -1 always add this entry + * 0 remove this entry + */ +static int tmy_add_network_entry(const u8 operation, + const u8 record_type, + const struct addr_group_entry *group, + const u32 *min_address, + const u32 *max_address, + const u16 min_port, + const u16 max_port, + struct domain_info *domain, + const struct condition_list *cond, + const u8 is_add) +{ + struct acl_info *ptr; + int error = -ENOMEM; + /* using host byte order to allow u32 comparison than memcmp().*/ + const u32 min_ip = ntohl(*min_address); + const u32 max_ip = ntohl(*max_address); + + if (!domain) + return -EINVAL; + + down(&domain_acl_lock); + + if (!is_add) + goto remove; + + ptr = domain->first_acl_ptr; + if (!ptr) + goto first_entry; + + while (1) { + struct net_acl *acl = (struct net_acl *) ptr; + + if (ptr->type == TMY_TYPE_IP_NETWORK_ACL && + ptr->cond == cond && + acl->operation_type == operation && + acl->record_type == record_type && + acl->min_port == min_port && + max_port == acl->max_port && + tmy_cmp_network_entry(record_type, acl, + group, min_ip, max_ip, + min_address, + max_address)) { + ptr->is_deleted = 0; + error = 0; + break; + } + + if (ptr->next) { + ptr = ptr->next; + continue; + } +first_entry: ; + if (is_add == 1 && tmy_too_many_acl(domain)) + break; + + /* Not found. Append it to the tail. */ + acl = tmy_alloc_element(sizeof(*acl)); + if (!acl) + break; + + acl->head.type = TMY_TYPE_IP_NETWORK_ACL; + acl->head.cond = cond; + acl->operation_type = operation; + acl->record_type = record_type; + + if (record_type == TMY_TYPE_ADDRESS_GROUP) + acl->u.group = group; + else if (record_type == TMY_TYPE_IPv4) { + acl->u.ipv4.min = min_ip; + acl->u.ipv4.max = max_ip; + } else { + memmove(acl->u.ipv6.min, min_address, 16); + memmove(acl->u.ipv6.max, max_address, 16); + } + + acl->min_port = min_port; + acl->max_port = max_port; + error = tmy_add_acl(ptr, domain, + (struct acl_info *) acl); + break; + } + goto ok; +remove: ; + error = -ENOENT; + for (ptr = domain->first_acl_ptr; ptr; ptr = ptr->next) { + struct net_acl *acl = (struct net_acl *) ptr; + if (ptr->type != TMY_TYPE_IP_NETWORK_ACL || + ptr->cond != cond || + ptr->is_deleted || + acl->operation_type != operation || + acl->record_type != record_type || + acl->min_port != min_port || + acl->max_port != max_port || + !tmy_cmp_network_entry(record_type, acl, + group, min_ip, max_ip, + min_address, + max_address)) + continue; + + error = tmy_del_acl(ptr); + break; + } +ok: ; + up(&domain_acl_lock); + + return error; +} + +/* Check network permission. */ +static int tmy_network_entry(const int is_ipv6, + const int operation, + const u32 *address, + const u16 port) +{ + struct domain_info * const domain = TMY_SECURITY->domain; + struct acl_info *ptr; + const char *keyword = tmy_network2keyword(operation); + const int is_enforce = tmy_enforce(TMY_MAC_FOR_NETWORK); + /* using host byte order to allow u32 comparison than memcmp().*/ + const u32 ip = ntohl(*address); + + if (!tmy_flags(TMY_MAC_FOR_NETWORK)) + return 0; + + for (ptr = domain->first_acl_ptr; ptr; ptr = ptr->next) { + struct net_acl *acl = (struct net_acl *) ptr; + + if (ptr->type != TMY_TYPE_IP_NETWORK_ACL || + ptr->is_deleted || + acl->operation_type != operation || + port < acl->min_port || + acl->max_port < port || + tmy_check_condition(ptr->cond, NULL)) + continue; + + if (acl->record_type == TMY_TYPE_ADDRESS_GROUP && + tmy_address_match_group(is_ipv6, address, acl->u.group)) + break; + + else if (acl->record_type == TMY_TYPE_IPv4 && !is_ipv6 && + (acl->u.ipv4.min <= ip && ip <= acl->u.ipv4.max)) + break; + + else if (acl->record_type == TMY_TYPE_IPv6 && is_ipv6 && + memcmp(acl->u.ipv6.min, address, 16) <= 0 && + memcmp(address, acl->u.ipv6.max, 16) <= 0) + break; + + } + + tmy_audit_network_log(is_ipv6, keyword, address, + port, ptr != 0, is_enforce); + + if (ptr) + return 0; + + if (is_enforce) { + + if (is_ipv6) { + + char buf[64]; + + tmy_print_ipv6(buf, sizeof(buf), (const u16 *) address); + return tmy_supervisor("%s\n" TMY_ALLOW_NETWORK + "%s %s %u\n", + domain->domainname->name, keyword, + buf, port); + + } + + return tmy_supervisor("%s\n" TMY_ALLOW_NETWORK + "%s " NIPQUAD_FMT " %u\n", + domain->domainname->name, keyword, + HIPQUAD(ip), port); + + } + + if (tmy_accept(TMY_MAC_FOR_NETWORK)) + tmy_add_network_entry(operation, + is_ipv6 ? TMY_TYPE_IPv6 : TMY_TYPE_IPv4, + NULL, address, address, + port, port, domain, NULL, 1); + + return 0; +} + +/** + * tmy_add_signal_policy - add or delete signal policy. + * @data: a line to parse. + * @domain: pointer to "struct domain_info". + * @cond: pointer to "struct condition_list". May be NULL. + * @is_delete: is this delete request? + * + * Returns zero on success. + * Returns nonzero on failure. + */ +int tmy_add_network_policy(char *data, + struct domain_info *domain, + const struct condition_list *cond, + const int is_delete) +{ + u8 sock_type; + u8 operation; + u8 record_type; + u16 min_address[8]; + u16 max_address[8]; + unsigned int min[8]; + unsigned int max[8]; + struct addr_group_entry *group = NULL; + u16 min_port; + u16 max_port; + int count; + char *cp1 = NULL; + char *cp2 = NULL; + + cp1 = strchr(data, ' '); + if (!cp1) + goto out; + cp1++; + + if (strncmp(data, "TCP ", 4) == 0) + sock_type = SOCK_STREAM; + else if (strncmp(data, "UDP ", 4) == 0) + sock_type = SOCK_DGRAM; + else if (strncmp(data, "RAW ", 4) == 0) + sock_type = SOCK_RAW; + else + goto out; + + cp2 = strchr(cp1, ' '); + if (!cp2) + goto out; + cp2++; + + if (strncmp(cp1, "bind ", 5) == 0) { + switch (sock_type) { + case SOCK_STREAM: + operation = TMY_NETWORK_ACL_TCP_BIND; + break; + case SOCK_DGRAM: + operation = TMY_NETWORK_ACL_UDP_BIND; + break; + default: + operation = TMY_NETWORK_ACL_RAW_BIND; + break; + } + } else if (strncmp(cp1, "connect ", 8) == 0) { + switch (sock_type) { + case SOCK_STREAM: + operation = TMY_NETWORK_ACL_TCP_CONNECT; + break; + case SOCK_DGRAM: + operation = TMY_NETWORK_ACL_UDP_CONNECT; + break; + default: + operation = TMY_NETWORK_ACL_RAW_CONNECT; + break; + } + } else if (sock_type == SOCK_STREAM && + strncmp(cp1, "listen ", 7) == 0) + operation = TMY_NETWORK_ACL_TCP_LISTEN; + + else if (sock_type == SOCK_STREAM && + strncmp(cp1, "accept ", 7) == 0) + operation = TMY_NETWORK_ACL_TCP_ACCEPT; + + else + goto out; + + cp1 = strchr(cp2, ' '); + if (!cp1) + goto out; + *cp1++ = '\0'; + + count = sscanf(cp2, + NIP6_FMT "-" NIP6_FMT, + &min[0], &min[1], &min[2], &min[3], + &min[4], &min[5], &min[6], &min[7], + &max[0], &max[1], &max[2], &max[3], + &max[4], &max[5], &max[6], &max[7]); + + if (count == 8 || count == 16) { + + int i; + + for (i = 0; i < 8; i++) { + min_address[i] = htons((u16) min[i]); + max_address[i] = htons((u16) max[i]); + } + + if (count == 8) + memmove(max_address, min_address, sizeof(min_address)); + record_type = TMY_TYPE_IPv6; + + goto ok; + + } + + count = sscanf(cp2, + NIPQUAD_FMT "-" NIPQUAD_FMT, + &min[0], &min[1], &min[2], &min[3], + &max[0], &max[1], &max[2], &max[3]); + + if (count == 4 || count == 8) { + + u32 ip = htonl((((u8) min[0]) << 24) + + (((u8) min[1]) << 16) + + (((u8) min[2]) << 8) + + (u8) min[3]); + * (u32 *) min_address = ip; + + if (count == 8) + ip = htonl((((u8) max[0]) << 24) + + (((u8) max[1]) << 16) + + (((u8) max[2]) << 8) + + (u8) max[3]); + * (u32 *) max_address = ip; + record_type = TMY_TYPE_IPv4; + + goto ok; + + } + + if (*cp2 == '@') { + + group = tmy_new_addr_group(cp2 + 1); + if (!group) + return -ENOMEM; + record_type = TMY_TYPE_ADDRESS_GROUP; + + goto ok; + } + + goto out; + +ok: ; + if (strchr(cp1, ' ')) + goto out; + + count = sscanf(cp1, "%hu-%hu", &min_port, &max_port); + if (count != 1 && count != 2) + goto out; + + if (count == 1) + max_port = min_port; + + return tmy_add_network_entry(operation, record_type, group, + (u32 *) min_address, + (u32 *) max_address, + min_port, max_port, domain, + cond, is_delete ? 0 : -1); + +out: ; + return -EINVAL; +} + +/** + * tmy_network_listen_acl - check permission for listen(2) operation. + * @is_ipv6: is @address an IPv6 address? + * @address: pointer to IPv4/IPv6 address in network byte order. + * @port: TCP or UDP's port number. + * + * Returns zero if permission granted. + * Returns nonzero if permission denied. + */ +int tmy_network_listen_acl(const int is_ipv6, + const u8 *address, + const u16 port) +{ + return tmy_network_entry(is_ipv6, + TMY_NETWORK_ACL_TCP_LISTEN, + (const u32 *) address, + ntohs(port)); +} + +/** + * tmy_network_connect_acl - check permission for connect(2) operation. + * @is_ipv6: is @address an IPv6 address? + * @sock_type: socket type (TCP, UDP or IP). + * @address: pointer to IPv4/IPv6 address in network byte order. + * @port: TCP or UDP's port number or IP's protocol number. + * + * Returns zero if permission granted. + * Returns nonzero if permission denied. + */ +int tmy_network_connect_acl(const int is_ipv6, + const int sock_type, + const u8 *address, + const u16 port) +{ + int type; + + switch (sock_type) { + case SOCK_STREAM: + type = TMY_NETWORK_ACL_TCP_CONNECT; + break; + case SOCK_DGRAM: + type = TMY_NETWORK_ACL_UDP_CONNECT; + break; + default: + type = TMY_NETWORK_ACL_RAW_CONNECT; + break; + } + + return tmy_network_entry(is_ipv6, type, + (const u32 *) address, ntohs(port)); +} + +/** + * tmy_network_bind_acl - check permission for bind(2) operation. + * @is_ipv6: is @address an IPv6 address? + * @sock_type: socket type (TCP, UDP or IP). + * @address: pointer to IPv4/IPv6 address in network byte order. + * @port: TCP or UDP's port number or IP's protocol number. + * + * Returns zero if permission granted. + * Returns nonzero if permission denied. + */ +int tmy_network_bind_acl(const int is_ipv6, + const int sock_type, + const u8 *address, + const u16 port) +{ + int type; + + switch (sock_type) { + case SOCK_STREAM: + type = TMY_NETWORK_ACL_TCP_BIND; + break; + case SOCK_DGRAM: + type = TMY_NETWORK_ACL_UDP_BIND; + break; + default: + type = TMY_NETWORK_ACL_RAW_BIND; + break; + } + + return tmy_network_entry(is_ipv6, type, + (const u32 *) address, ntohs(port)); +} + +/** + * tmy_network_sendmsg_acl - check permission for sendmsg(2) operation. + * @is_ipv6: is @address an IPv6 address? + * @sock_type: socket type (UDP or IP). + * @address: pointer to IPv4/IPv6 address in network byte order. + * @port: UDP's port number or IP's protocol number. + * + * Returns zero if permission granted. + * Returns nonzero if permission denied. + */ +int tmy_network_sendmsg_acl(const int is_ipv6, + const int sock_type, + const u8 *address, + const u16 port) +{ + int type; + + if (sock_type == SOCK_DGRAM) + type = SOCK_DGRAM; + else + type = TMY_NETWORK_ACL_RAW_CONNECT; + + return tmy_network_entry(is_ipv6, type, + (const u32 *) address, ntohs(port)); +} + +/** + * tmy_network_accept_acl - check permission for accept(2) operation. + * @is_ipv6: is @address an IPv6 address? + * @address: pointer to IPv4/IPv6 address in network byte order. + * @port: TCP client's port number. + * + * Returns zero if permission granted. + * Returns nonzero if permission denied. + */ +int tmy_network_accept_acl(const int is_ipv6, const u8 *address, + const u16 port) +{ + return tmy_network_entry(is_ipv6, TMY_NETWORK_ACL_TCP_ACCEPT, + (const u32 *) address, ntohs(port)); +} + +/** + * tmy_network_recvmsg_acl - check permission for recvmsg(2) operation. + * @is_ipv6: is @address an IPv6 address? + * @sock_type: socket type (UDP or IP). + * @address: pointer to IPv4/IPv6 address in network byte order. + * @port: UDP's port number or IP's protocol number. + * + * Returns zero if permission granted. + * Returns nonzero if permission denied. + */ +int tmy_network_recvmsg_acl(const int is_ipv6, const int sock_type, + const u8 *address, const u16 port) +{ + return tmy_network_entry(is_ipv6, sock_type == SOCK_DGRAM ? + TMY_NETWORK_ACL_UDP_CONNECT : + TMY_NETWORK_ACL_RAW_CONNECT, + (const u32 *) address, ntohs(port)); +} - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/