/*
 * CIPSO/IPv4 Functions
 *
 * Author: Paul Moore <paul@paul-moore.com>
 *
 */
/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <libnetlabel.h>
#include "netlabelctl.h"
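/**
 * Parse an unsigned decimal number
 * @param str the text to parse, may be NULL
 * @param value where the parsed number is stored
 *
 * Accept only a string made up entirely of decimal digits whose value fits in
 * 32 bits; signs, leading whitespace, trailing characters and empty strings are
 * all rejected.  Returns zero on success, -EINVAL on failure.
 *
 */
static int cipso_parse_u32(const char *str, uint32_t *value)
{
	char *end;
	unsigned long num;

	/* strtoul() itself accepts whitespace and a sign, so insist on a digit */
	if (str == NULL || *str < '0' || *str > '9')
		return -EINVAL;

	errno = 0;
	num = strtoul(str, &end, 10);
	if (errno != 0 || *end != '\0' || num > 0xffffffffUL)
		return -EINVAL;

	*value = (uint32_t)num;
	return 0;
}

/**
 * Add a CIPSO label mapping
 * @param argc the number of arguments
 * @param argv the argument list
 *
 * Add a CIPSO label mapping to the NetLabel system.  Each argument is either
 * a mapping type ("trans", the deprecated "std", "pass", "local") or one of
 * "doi:<n>", "tags:<n>,<n>,...", "levels:<a>=<b>,<a>=<b>,..." and
 * "categories:<a>=<b>,<a>=<b>,...".  The list-valued arguments are split in
 * place with strtok(), so the argv strings are modified.  Every number must be
 * a plain decimal value; malformed numbers, a pair missing its second half and
 * unknown arguments all fail with -EINVAL rather than being read as zero.
 * Returns zero on success, negative values on failure.
 *
 */
static int cipso_add(int argc, char *argv[])
{
	int rc;
	int iter;
	uint32_t cipso_type = CIPSO_V4_MAP_UNKNOWN;
	uint32_t first;
	uint32_t second;
	nlbl_cip_doi doi = 0;
	struct nlbl_cip_tag_a tags = { .array = NULL, .size = 0 };
	struct nlbl_cip_lvl_a lvls = { .array = NULL, .size = 0 };
	struct nlbl_cip_cat_a cats = { .array = NULL, .size = 0 };
	char *token_ptr;
	void *grown;

	/* sanity checks */
	if (argc <= 0 || argv == NULL || argv[0] == NULL)
		return -EINVAL;

	/*
	 * parse the arguments
	 *
	 * NOTE(review): parsed values are stored into the libnetlabel element
	 * types by plain assignment, as the atoi() results were before; if
	 * those types are narrower than 32 bits the value is truncated -
	 * confirm the widths against libnetlabel.h.
	 */
	for (iter = 0; iter < argc && argv[iter] != NULL; iter++) {
		if (strcmp(argv[iter], "trans") == 0) {
			cipso_type = CIPSO_V4_MAP_TRANS;
		} else if (strcmp(argv[iter], "std") == 0) {
			fprintf(stderr,
				MSG_OLD("use 'trans' instead of 'std'\n"));
			cipso_type = CIPSO_V4_MAP_TRANS;
		} else if (strcmp(argv[iter], "pass") == 0) {
			cipso_type = CIPSO_V4_MAP_PASS;
		} else if (strcmp(argv[iter], "local") == 0) {
			cipso_type = CIPSO_V4_MAP_LOCAL;
		} else if (strncmp(argv[iter], "doi:", 4) == 0) {
			/* doi */
			rc = cipso_parse_u32(argv[iter] + 4, &first);
			if (rc < 0)
				goto add_return;
			doi = first;
		} else if (strncmp(argv[iter], "tags:", 5) == 0) {
			/* tags */
			token_ptr = strtok(argv[iter] + 5, ",");
			while (token_ptr != NULL) {
				rc = cipso_parse_u32(token_ptr, &first);
				if (rc < 0)
					goto add_return;
				/* keep the old array reachable if realloc()
				 * fails so the cleanup below can free it */
				grown = realloc(tags.array,
						sizeof(nlbl_cip_tag) *
						(tags.size + 1));
				if (grown == NULL) {
					rc = -ENOMEM;
					goto add_return;
				}
				tags.array = grown;
				tags.array[tags.size++] = first;
				token_ptr = strtok(NULL, ",");
			}
		} else if (strncmp(argv[iter], "levels:", 7) == 0) {
			/* levels */
			token_ptr = strtok(argv[iter] + 7, "=");
			while (token_ptr != NULL) {
				rc = cipso_parse_u32(token_ptr, &first);
				if (rc < 0)
					goto add_return;
				/* a pair with no second half yields NULL
				 * here, which the parser rejects */
				token_ptr = strtok(NULL, ",");
				rc = cipso_parse_u32(token_ptr, &second);
				if (rc < 0)
					goto add_return;
				grown = realloc(lvls.array,
						sizeof(nlbl_cip_lvl) * 2 *
						(lvls.size + 1));
				if (grown == NULL) {
					rc = -ENOMEM;
					goto add_return;
				}
				lvls.array = grown;
				lvls.array[lvls.size * 2] = first;
				lvls.array[lvls.size * 2 + 1] = second;
				lvls.size++;
				token_ptr = strtok(NULL, "=");
			}
		} else if (strncmp(argv[iter], "categories:", 11) == 0) {
			/* categories */
			token_ptr = strtok(argv[iter] + 11, "=");
			while (token_ptr != NULL) {
				rc = cipso_parse_u32(token_ptr, &first);
				if (rc < 0)
					goto add_return;
				/* a pair with no second half yields NULL
				 * here, which the parser rejects */
				token_ptr = strtok(NULL, ",");
				rc = cipso_parse_u32(token_ptr, &second);
				if (rc < 0)
					goto add_return;
				grown = realloc(cats.array,
						sizeof(nlbl_cip_cat) * 2 *
						(cats.size + 1));
				if (grown == NULL) {
					rc = -ENOMEM;
					goto add_return;
				}
				cats.array = grown;
				cats.array[cats.size * 2] = first;
				cats.array[cats.size * 2 + 1] = second;
				cats.size++;
				token_ptr = strtok(NULL, "=");
			}
		} else {
			/* unknown argument: leave through the cleanup path so
			 * arrays built from earlier arguments are released */
			rc = -EINVAL;
			goto add_return;
		}
	}

	/* add the cipso mapping */
	switch (cipso_type) {
	case CIPSO_V4_MAP_TRANS:
		/* translated mapping */
		rc = nlbl_cipso_add_trans(NULL, doi, &tags, &lvls, &cats);
		break;
	case CIPSO_V4_MAP_PASS:
		/* pass through mapping */
		rc = nlbl_cipso_add_pass(NULL, doi, &tags);
		break;
	case CIPSO_V4_MAP_LOCAL:
		/* local mapping */
		rc = nlbl_cipso_add_local(NULL, doi);
		break;
	default:
		/* no mapping type was given on the command line */
		rc = -EINVAL;
		break;
	}

add_return:
	/* free(NULL) is a no-op, so no guards are needed */
	free(tags.array);
	free(lvls.array);
	free(cats.array);
	return rc;
}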
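/**
 * Remove a CIPSO label mapping
 * @param argc the number of arguments
 * @param argv the argument list
 *
 * Remove a CIPSO label mapping from the NetLabel system.  The only accepted
 * argument form is "doi:<n>", where <n> must be a plain decimal number; any
 * other argument, or a DOI that is not a clean number, fails with -EINVAL
 * before anything is deleted.  Returns zero on success, negative values on
 * failure.
 *
 */
static int cipso_del(int argc, char *argv[])
{
	int iter;
	nlbl_cip_doi doi = 0;

	/* sanity checks */
	if (argc <= 0 || argv == NULL || argv[0] == NULL)
		return -EINVAL;

	/* parse the arguments */
	for (iter = 0; iter < argc && argv[iter] != NULL; iter++) {
		if (strncmp(argv[iter], "doi:", 4) == 0) {
			/* doi */
			const char *text = argv[iter] + 4;
			char *end;
			unsigned long value;

			/*
			 * atoi() turned "doi:" or "doi:abc" into DOI 0, so a
			 * typo could delete a mapping the caller never named;
			 * require digits only.
			 * NOTE(review): the 32-bit bound assumes nlbl_cip_doi
			 * is a 32-bit type, as the uint32_t parameter of
			 * cipso_list_doi() suggests - confirm.
			 */
			if (*text < '0' || *text > '9')
				return -EINVAL;
			errno = 0;
			value = strtoul(text, &end, 10);
			if (errno != 0 || *end != '\0' || value > 0xffffffffUL)
				return -EINVAL;
			doi = value;
		} else
			return -EINVAL;
	}

	/* delete the mapping */
	return nlbl_cipso_del(NULL, doi);
}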
/**
 * List all of the CIPSO label mappings
 *
 * Fetch every configured DOI and its mapping type with nlbl_cipso_listall()
 * and print them to stdout: one labelled entry per DOI when opt_pretty is
 * non-zero, otherwise a single line of space separated "doi,TYPE" entries.
 * Takes no arguments.  Returns zero on success, negative values on failure.
 *
 */
static int cipso_list_all(void)
{
	nlbl_cip_doi *dois = NULL;
	nlbl_cip_mtype *mtypes = NULL;
	size_t total;
	size_t idx;
	int rc;

	rc = nlbl_cipso_listall(NULL, &dois, &mtypes);
	if (rc < 0)
		goto list_all_return;
	/* a non-negative return value is used as the number of entries */
	total = rc;

	if (opt_pretty == 0) {
		/* terse output: everything on one line */
		idx = 0;
		while (idx < total) {
			printf("%u,", dois[idx]);
			switch (mtypes[idx]) {
			case CIPSO_V4_MAP_TRANS:
				printf("TRANSLATED");
				break;
			case CIPSO_V4_MAP_PASS:
				printf("PASS_THROUGH");
				break;
			case CIPSO_V4_MAP_LOCAL:
				printf("LOCAL");
				break;
			default:
				printf("UNKNOWN(%u)", mtypes[idx]);
				break;
			}
			idx++;
			/* separator between entries, none after the last */
			if (idx < total)
				printf(" ");
		}
		printf("\n");
	} else {
		/* pretty output: a header, then two lines per DOI */
		printf("Configured CIPSO mappings (%zu)\n", total);
		for (idx = 0; idx < total; idx++) {
			printf(" DOI value : %u\n", dois[idx]);
			printf("   mapping type : ");
			switch (mtypes[idx]) {
			case CIPSO_V4_MAP_TRANS:
				printf("TRANSLATED\n");
				break;
			case CIPSO_V4_MAP_PASS:
				printf("PASS_THROUGH\n");
				break;
			case CIPSO_V4_MAP_LOCAL:
				printf("LOCAL\n");
				break;
			default:
				printf("UNKNOWN(%u)\n", mtypes[idx]);
				break;
			}
		}
	}

	rc = 0;

list_all_return:
	/* free(NULL) is a no-op, so both lists can be released blindly */
	free(dois);
	free(mtypes);
	return rc;
}
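/**
 * List a specific CIPSO DOI label mapping
 * @param doi the DOI value
 *
 * Query the mapping for @doi with nlbl_cipso_list() and print its tags and,
 * for a translated mapping, its level and category pairs.  The long format is
 * used when opt_pretty is non-zero, a single line otherwise.  The arrays
 * returned by the query are released before returning.  Returns zero on
 * success, negative values on failure.
 *
 */
static int cipso_list_doi(uint32_t doi)
{
	int rc;
	uint32_t iter;
	nlbl_cip_mtype maptype;
	struct nlbl_cip_tag_a tags = { .array = NULL, .size = 0 };
	struct nlbl_cip_lvl_a lvls = { .array = NULL, .size = 0 };
	struct nlbl_cip_cat_a cats = { .array = NULL, .size = 0 };

	rc = nlbl_cipso_list(NULL, doi, &maptype, &tags, &lvls, &cats);
	if (rc < 0)
		return rc;

	if (opt_pretty != 0) {
		printf("Configured CIPSO mapping (DOI = %u)\n", doi);
		printf(" tags (%zu): \n", tags.size);
		for (iter = 0; iter < tags.size; iter++) {
			/* tag numbers are shown by name where one is known */
			switch (tags.array[iter]) {
			case 1:
				printf("   RESTRICTED BITMAP\n");
				break;
			case 2:
				printf("   ENUMERATED\n");
				break;
			case 5:
				printf("   RANGED\n");
				break;
			case 6:
				printf("   PERMISSIVE_BITMAP\n");
				break;
			case 7:
				printf("   FREEFORM\n");
				break;
			case 128:
				printf("   LOCAL\n");
				break;
			default:
				printf("   UNKNOWN(%u)\n", tags.array[iter]);
				break;
			}
		}
		/* only translated mappings print level/category tables */
		switch (maptype) {
		case CIPSO_V4_MAP_TRANS:
			/* levels, stored as consecutive pairs */
			printf(" levels (%zu): \n", lvls.size);
			for (iter = 0; iter < lvls.size; iter++)
				printf("   %u = %u\n",
				       lvls.array[iter * 2],
				       lvls.array[iter * 2 + 1]);
			/* categories, stored as consecutive pairs */
			printf(" categories (%zu): \n", cats.size);
			for (iter = 0; iter < cats.size; iter++)
				printf("   %u = %u\n",
				       cats.array[iter * 2],
				       cats.array[iter * 2 + 1]);
			break;
		default:
			break;
		}
	} else {
		/* tags */
		printf("tags:");
		for (iter = 0; iter < tags.size; iter++) {
			printf("%u", tags.array[iter]);
			if (iter + 1 < tags.size)
				printf(",");
		}
		switch (maptype) {
		case CIPSO_V4_MAP_TRANS:
			/* levels */
			printf(" levels:");
			for (iter = 0; iter < lvls.size; iter++) {
				printf("%u=%u",
				       lvls.array[iter * 2],
				       lvls.array[iter * 2 + 1]);
				if (iter + 1 < lvls.size)
					printf(",");
			}
			/* categories */
			printf(" categories:");
			for (iter = 0; iter < cats.size; iter++) {
				printf("%u=%u",
				       cats.array[iter * 2],
				       cats.array[iter * 2 + 1]);
				if (iter + 1 < cats.size)
					printf(",");
			}
			break;
		default:
			break;
		}
		printf("\n");
	}

	/*
	 * Release the arrays filled in by the query; they were never freed
	 * here before.
	 * NOTE(review): this assumes nlbl_cipso_list() returns malloc()'d
	 * arrays owned by the caller, the same way cipso_list_all() treats
	 * the lists from nlbl_cipso_listall() - confirm against libnetlabel.
	 * They are only freed on the success path because the state of the
	 * pointers after a failed query is not visible from this file.
	 */
	free(tags.array);
	free(lvls.array);
	free(cats.array);

	return 0;
}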
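/**
 * List the CIPSO label mappings
 * @param argc the number of arguments
 * @param argv the argument list
 *
 * List the configured CIPSO label mappings.  With no arguments every mapping
 * is listed; with a "doi:<n>" argument only that DOI is shown, and <n> must be
 * a plain decimal number.  Any other argument fails with -EINVAL.  Returns
 * zero on success, negative values on failure.
 *
 */
static int cipso_list(int argc, char *argv[])
{
	int iter;
	int doi_flag = 0;
	nlbl_cip_doi doi = 0;

	/*
	 * sanity checks: an empty list is valid here, but a negative count or
	 * a missing vector is not (the counter used to be unsigned, so a
	 * negative argc compared as a huge value)
	 */
	if (argc < 0 || (argc > 0 && argv == NULL))
		return -EINVAL;

	/* parse the arguments */
	for (iter = 0; iter < argc && argv[iter] != NULL; iter++) {
		if (strncmp(argv[iter], "doi:", 4) == 0) {
			/* doi */
			const char *text = argv[iter] + 4;
			char *end;
			unsigned long value;

			/*
			 * atoi() read "doi:" or "doi:abc" as DOI 0 and showed
			 * that mapping instead of reporting the bad argument.
			 * NOTE(review): the 32-bit bound assumes nlbl_cip_doi
			 * is a 32-bit type, as the uint32_t parameter of
			 * cipso_list_doi() suggests - confirm.
			 */
			if (*text < '0' || *text > '9')
				return -EINVAL;
			errno = 0;
			value = strtoul(text, &end, 10);
			if (errno != 0 || *end != '\0' || value > 0xffffffffUL)
				return -EINVAL;
			doi = value;
			doi_flag = 1;
		} else
			return -EINVAL;
	}

	if (doi_flag != 0)
		return cipso_list_doi(doi);
	else
		return cipso_list_all();
}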
/**
 * Entry point for the NetLabel CIPSO/IPv4 functions
 * @param argc the number of arguments
 * @param argv the argument list
 *
 * Dispatch on the first argument ("add", "del" or "list") and hand the
 * remaining arguments to the matching handler.  Returns the handler's result,
 * or -EINVAL when the argument list is empty or the request is not recognised.
 *
 */
int cipso_main(int argc, char *argv[])
{
	const char *request;

	/* sanity checks */
	if (argc <= 0 || argv == NULL || argv[0] == NULL)
		return -EINVAL;

	/* the handlers see the argument list without the request word */
	request = argv[0];
	if (strcmp(request, "add") == 0)
		return cipso_add(argc - 1, argv + 1);
	if (strcmp(request, "del") == 0)
		return cipso_del(argc - 1, argv + 1);
	if (strcmp(request, "list") == 0)
		return cipso_list(argc - 1, argv + 1);

	/* unknown request */
	return -EINVAL;
}