source-git / netlabel_tools

Clone
Source Code
GIT

Blame netlabelctl/map.c

c8 master
  1.   51d0f77bbcf12b10be3bb020844f5a92da4634e4
  2.   netlabelctl
  3.   map.c
Blob History Raw
Packit 51d0f7 
/*
Packit 51d0f7 
 * Domain/Protocol Mapping Functions
Packit 51d0f7 
 *
Packit 51d0f7 
 * Author: Paul Moore <paul@paul-moore.com>
Packit 51d0f7 
 *
Packit 51d0f7 
 */
Packit 51d0f7
Packit 51d0f7 
/*
Packit 51d0f7 
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
Packit 51d0f7 
 *
Packit 51d0f7 
 * This program is free software: you can redistribute it and/or modify
Packit 51d0f7 
 * it under the terms of version 2 of the GNU General Public License as
Packit 51d0f7 
 * published by the Free Software Foundation.
Packit 51d0f7 
 *
Packit 51d0f7 
 * This program is distributed in the hope that it will be useful,
Packit 51d0f7 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
Packit 51d0f7 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
Packit 51d0f7 
 * GNU General Public License for more details.
Packit 51d0f7 
 *
Packit 51d0f7 
 * You should have received a copy of the GNU General Public License
Packit 51d0f7 
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
Packit 51d0f7 
 *
Packit 51d0f7 
 */
Packit 51d0f7
Packit 51d0f7 
#include <stdlib.h>
Packit 51d0f7 
#include <stdio.h>
Packit 51d0f7 
#include <string.h>
Packit 51d0f7 
#include <errno.h>
Packit 51d0f7 
#include <sys/types.h>
Packit 51d0f7 
#include <sys/socket.h>
Packit 51d0f7 
#include <arpa/inet.h>
Packit 51d0f7
Packit 51d0f7 
#include <libnetlabel.h>
Packit 51d0f7
Packit 51d0f7 
#include "netlabelctl.h"
Packit 51d0f7
Packit 51d0f7 
/**
Packit 51d0f7 
 * Add a domain mapping to NetLabel
Packit 51d0f7 
 * @param argc the number of arguments
Packit 51d0f7 
 * @param argv the argument list
Packit 51d0f7 
 *
Packit 51d0f7 
 * Add the specified domain mapping to the NetLabel system.  Returns zero on
Packit 51d0f7 
 * success, negative values on failure.
Packit 51d0f7 
 *
Packit 51d0f7 
 */
Packit 51d0f7 
static int map_add(int argc, char *argv[])
Packit 51d0f7 
{
Packit 51d0f7 
	uint32_t iter;
Packit 51d0f7 
	uint8_t def_flag = 0;
Packit 51d0f7 
	struct nlbl_dommap domain;
Packit 51d0f7 
	struct nlbl_netaddr addr;
Packit 51d0f7 
	char *domain_proto_extra = NULL;
Packit 51d0f7
Packit 51d0f7 
	/* sanity checks */
Packit 51d0f7 
	if (argc <= 0 || argv == NULL || argv[0] == NULL)
Packit 51d0f7 
		return -EINVAL;
Packit 51d0f7
Packit 51d0f7 
	memset(&domain, 0, sizeof(domain));
Packit 51d0f7 
	memset(&addr, 0, sizeof(addr));
Packit 51d0f7
Packit 51d0f7 
	/* parse the arguments */
Packit 51d0f7 
	for (iter = 0; iter < argc && argv[iter] != NULL; iter++) {
Packit 51d0f7 
		if (strncmp(argv[iter], "domain:", 7) == 0) {
Packit 51d0f7 
			domain.domain = argv[iter] + 7;
Packit 51d0f7 
		} else if (strncmp(argv[iter], "address:", 8) == 0) {
Packit 51d0f7 
			if (nlctl_addr_parse(argv[iter] + 8, &addr) != 0)
Packit 51d0f7 
				return -EINVAL;
Packit 51d0f7 
		} else if (strncmp(argv[iter], "protocol:", 9) == 0) {
Packit 51d0f7 
			/* protocol specifics */
Packit 51d0f7 
			if (strncmp(argv[iter] + 9, "cipsov4", 7) == 0 ||
Packit 51d0f7 
			    strncmp(argv[iter] + 9, "cipso", 5) == 0) {
Packit 51d0f7 
				domain.proto_type = NETLBL_NLTYPE_CIPSOV4;
Packit 51d0f7 
				domain.family = AF_INET;
Packit 51d0f7 
			} else if (strncmp(argv[iter] + 9, "calipso", 7) == 0) {
Packit 51d0f7 
				domain.proto_type = NETLBL_NLTYPE_CALIPSO;
Packit 51d0f7 
				domain.family = AF_INET6;
Packit 51d0f7 
			} else if (strncmp(argv[iter] + 9, "unlbl", 5) == 0) {
Packit 51d0f7 
				domain.proto_type = NETLBL_NLTYPE_UNLABELED;
Packit 51d0f7 
				domain.family = AF_UNSPEC;
Packit 51d0f7 
			} else {
Packit 51d0f7 
				return -EINVAL;
Packit 51d0f7 
			}
Packit 51d0f7 
			domain_proto_extra = strstr(argv[iter] + 9, ",");
Packit 51d0f7 
			if (domain_proto_extra)
Packit 51d0f7 
				domain_proto_extra++;
Packit 51d0f7 
		} else if (strncmp(argv[iter], "default", 7) == 0) {
Packit 51d0f7 
			def_flag = 1;
Packit 51d0f7 
		} else
Packit 51d0f7 
			return -EINVAL;
Packit 51d0f7 
	}
Packit 51d0f7
Packit 51d0f7 
	/* handle the protocol "extra" field */
Packit 51d0f7 
	switch (domain.proto_type) {
Packit 51d0f7 
	case NETLBL_NLTYPE_CIPSOV4:
Packit 51d0f7 
		if (domain_proto_extra == NULL)
Packit 51d0f7 
			return -EINVAL;
Packit 51d0f7 
		domain.proto.cip_doi = atoi(domain_proto_extra);
Packit 51d0f7 
		break;
Packit 51d0f7 
	case NETLBL_NLTYPE_CALIPSO:
Packit 51d0f7 
		if (domain_proto_extra == NULL)
Packit 51d0f7 
			return -EINVAL;
Packit 51d0f7 
		domain.proto.clp_doi = atoi(domain_proto_extra);
Packit 51d0f7 
		break;
Packit 51d0f7 
	case NETLBL_NLTYPE_UNLABELED:
Packit 51d0f7 
		if (domain_proto_extra != NULL) {
Packit 51d0f7 
			int family = atoi(domain_proto_extra);
Packit 51d0f7 
			switch (family) {
Packit 51d0f7 
			case 4:
Packit 51d0f7 
				domain.family = AF_INET;
Packit 51d0f7 
				break;
Packit 51d0f7 
			case 6:
Packit 51d0f7 
				domain.family = AF_INET6;
Packit 51d0f7 
				break;
Packit 51d0f7 
			default:
Packit 51d0f7 
				return -EINVAL;
Packit 51d0f7 
			}
Packit 51d0f7 
		}
Packit 51d0f7 
		break;
Packit 51d0f7 
	}
Packit 51d0f7
Packit 51d0f7 
	if (domain.family == AF_UNSPEC && addr.type != 0)
Packit 51d0f7 
		domain.family = addr.type;
Packit 51d0f7
Packit 51d0f7 
	/* add the mapping */
Packit 51d0f7 
	if (def_flag != 0)
Packit 51d0f7 
		return nlbl_mgmt_adddef(NULL, &domain, &addr);
Packit 51d0f7 
	else
Packit 51d0f7 
		return nlbl_mgmt_add(NULL, &domain, &addr);
Packit 51d0f7 
}
Packit 51d0f7
Packit 51d0f7 
/**
Packit 51d0f7 
 * Delete a domain mapping from NetLabel
Packit 51d0f7 
 * @param argc the number of arguments
Packit 51d0f7 
 * @param argv the argument list
Packit 51d0f7 
 *
Packit 51d0f7 
 * Description:
Packit 51d0f7 
 * Remove the specified domain mapping from the NetLabel system.  Returns zero
Packit 51d0f7 
 * on success, negative values on failure.
Packit 51d0f7 
 *
Packit 51d0f7 
 */
Packit 51d0f7 
static int map_del(int argc, char *argv[])
Packit 51d0f7 
{
Packit 51d0f7 
	uint32_t iter;
Packit 51d0f7 
	uint32_t def_flag = 0;
Packit 51d0f7 
	char *domain = NULL;
Packit 51d0f7
Packit 51d0f7 
	/* sanity checks */
Packit 51d0f7 
	if (argc <= 0 || argv == NULL || argv[0] == NULL)
Packit 51d0f7 
		return -EINVAL;
Packit 51d0f7
Packit 51d0f7 
	/* parse the arguments */
Packit 51d0f7 
	for (iter = 0; iter < argc && argv[iter] != NULL; iter++) {
Packit 51d0f7 
		if (strncmp(argv[iter], "domain:", 7) == 0) {
Packit 51d0f7 
			domain = argv[iter] + 7;
Packit 51d0f7 
		} else if (strncmp(argv[iter], "default", 7) == 0) {
Packit 51d0f7 
			def_flag = 1;
Packit 51d0f7 
		} else
Packit 51d0f7 
			return -EINVAL;
Packit 51d0f7 
	}
Packit 51d0f7
Packit 51d0f7 
	/* remove the mapping */
Packit 51d0f7 
	if (def_flag != 0)
Packit 51d0f7 
		return nlbl_mgmt_deldef(NULL);
Packit 51d0f7 
	else
Packit 51d0f7 
		return nlbl_mgmt_del(NULL, domain);
Packit 51d0f7 
}
Packit 51d0f7
Packit 51d0f7 
/**
Packit 51d0f7 
 * Output the NetLabel domain mappings
Packit 51d0f7 
 * @param mapping the domain mappings
Packit 51d0f7 
 * @param count the number of domain mappings
Packit 51d0f7 
 *
Packit 51d0f7 
 * Helper function to be called by map_list().  Note that we have preserved
Packit 51d0f7 
 * the "CIPSOv4" so we don't break any scripts that may be in use.
Packit 51d0f7 
 *
Packit 51d0f7 
 */
Packit 51d0f7 
static void map_list_print(struct nlbl_dommap *mapping, size_t count)
Packit 51d0f7 
{
Packit 51d0f7 
	uint32_t iter_a;
Packit 51d0f7 
	struct nlbl_dommap_addr *iter_b;
Packit 51d0f7
Packit 51d0f7 
	for (iter_a = 0; iter_a < count; iter_a++) {
Packit 51d0f7 
		/* domain string */
Packit 51d0f7 
		printf("domain:");
Packit 51d0f7 
		if (mapping[iter_a].domain != NULL)
Packit 51d0f7 
			printf("\"%s\",", mapping[iter_a].domain);
Packit 51d0f7 
		else
Packit 51d0f7 
			printf("DEFAULT,");
Packit 51d0f7 
		/* protocol */
Packit 51d0f7 
		switch (mapping[iter_a].proto_type) {
Packit 51d0f7 
		case NETLBL_NLTYPE_UNLABELED:
Packit 51d0f7 
			printf("UNLABELED");
Packit 51d0f7 
			if (mapping[iter_a].family == AF_INET)
Packit 51d0f7 
				printf(",4");
Packit 51d0f7 
			else if (mapping[iter_a].family == AF_INET6)
Packit 51d0f7 
				printf(",6");
Packit 51d0f7 
			break;
Packit 51d0f7 
		case NETLBL_NLTYPE_CIPSOV4:
Packit 51d0f7 
			printf("CIPSOv4,%u", mapping[iter_a].proto.cip_doi);
Packit 51d0f7 
			break;
Packit 51d0f7 
		case NETLBL_NLTYPE_CALIPSO:
Packit 51d0f7 
			printf("CALIPSO,%u", mapping[iter_a].proto.clp_doi);
Packit 51d0f7 
			break;
Packit 51d0f7 
		case NETLBL_NLTYPE_ADDRSELECT:
Packit 51d0f7 
			iter_b = mapping[iter_a].proto.addrsel;
Packit 51d0f7 
			while (iter_b) {
Packit 51d0f7 
				printf("address:");
Packit 51d0f7 
				nlctl_addr_print(&iter_b->addr);
Packit 51d0f7 
				printf(",protocol:");
Packit 51d0f7 
				switch (iter_b->proto_type) {
Packit 51d0f7 
				case NETLBL_NLTYPE_UNLABELED:
Packit 51d0f7 
					printf("UNLABELED");
Packit 51d0f7 
					break;
Packit 51d0f7 
				case NETLBL_NLTYPE_CIPSOV4:
Packit 51d0f7 
					printf("CIPSOv4,%u",
Packit 51d0f7 
					       iter_b->proto.cip_doi);
Packit 51d0f7 
					break;
Packit 51d0f7 
				case NETLBL_NLTYPE_CALIPSO:
Packit 51d0f7 
					printf("CALIPSO,%u",
Packit 51d0f7 
					       iter_b->proto.clp_doi);
Packit 51d0f7 
					break;
Packit 51d0f7 
				default:
Packit 51d0f7 
					printf("UNKNOWN(%u)",
Packit 51d0f7 
					       iter_b->proto_type);
Packit 51d0f7 
					break;
Packit 51d0f7 
				}
Packit 51d0f7 
				iter_b = iter_b->next;
Packit 51d0f7 
				if (iter_b)
Packit 51d0f7 
					printf(",");
Packit 51d0f7 
			}
Packit 51d0f7 
			break;
Packit 51d0f7 
		default:
Packit 51d0f7 
			printf("UNKNOWN(%u)", mapping[iter_a].proto_type);
Packit 51d0f7 
			break;
Packit 51d0f7 
		}
Packit 51d0f7 
		if (iter_a + 1 < count)
Packit 51d0f7 
			printf(" ");
Packit 51d0f7 
	}
Packit 51d0f7 
	printf("\n");
Packit 51d0f7 
}
Packit 51d0f7
Packit 51d0f7 
/**
Packit 51d0f7 
 * Output the NetLabel domain mappings in human readable format
Packit 51d0f7 
 * @param mapping the domain mappings
Packit 51d0f7 
 * @param count the number of domain mappings
Packit 51d0f7 
 *
Packit 51d0f7 
 * Helper function to be called by map_list().
Packit 51d0f7 
 *
Packit 51d0f7 
 */
Packit 51d0f7 
static void map_list_print_pretty(struct nlbl_dommap *mapping, size_t count)
Packit 51d0f7 
{
Packit 51d0f7 
	uint32_t iter_a;
Packit 51d0f7 
	struct nlbl_dommap_addr *iter_b;
Packit 51d0f7
Packit 51d0f7 
	printf("Configured NetLabel domain mappings (%zu)\n", count);
Packit 51d0f7 
	for (iter_a = 0; iter_a < count; iter_a++) {
Packit 51d0f7 
		/* domain string */
Packit 51d0f7 
		printf(" domain: ");
Packit 51d0f7 
		if (mapping[iter_a].domain != NULL)
Packit 51d0f7 
			printf("\"%s\"", mapping[iter_a].domain);
Packit 51d0f7 
		else
Packit 51d0f7 
			printf("DEFAULT");
Packit 51d0f7 
		/* family */
Packit 51d0f7 
		if (mapping[iter_a].family == AF_INET)
Packit 51d0f7 
			printf(" (IPv4)\n");
Packit 51d0f7 
		else if (mapping[iter_a].family == AF_INET6)
Packit 51d0f7 
			printf(" (IPv6)\n");
Packit 51d0f7 
		else if (mapping[iter_a].family == AF_UNSPEC)
Packit 51d0f7 
			printf(" (IPv4/IPv6)\n");
Packit 51d0f7 
		/* protocol */
Packit 51d0f7 
		switch (mapping[iter_a].proto_type) {
Packit 51d0f7 
		case NETLBL_NLTYPE_UNLABELED:
Packit 51d0f7 
			printf("   protocol: UNLABELED\n");
Packit 51d0f7 
			break;
Packit 51d0f7 
		case NETLBL_NLTYPE_CIPSOV4:
Packit 51d0f7 
			printf("   protocol: CIPSO, DOI = %u\n",
Packit 51d0f7 
			       mapping[iter_a].proto.cip_doi);
Packit 51d0f7 
			break;
Packit 51d0f7 
		case NETLBL_NLTYPE_CALIPSO:
Packit 51d0f7 
			printf("   protocol: CALIPSO, DOI = %u\n",
Packit 51d0f7 
			       mapping[iter_a].proto.clp_doi);
Packit 51d0f7 
			break;
Packit 51d0f7 
		case NETLBL_NLTYPE_ADDRSELECT:
Packit 51d0f7 
			iter_b = mapping[iter_a].proto.addrsel;
Packit 51d0f7 
			while (iter_b) {
Packit 51d0f7 
				printf("   address: ");
Packit 51d0f7 
				nlctl_addr_print(&iter_b->addr);
Packit 51d0f7 
				printf("\n"
Packit 51d0f7 
				       "    protocol: ");
Packit 51d0f7 
				switch (iter_b->proto_type) {
Packit 51d0f7 
				case NETLBL_NLTYPE_UNLABELED:
Packit 51d0f7 
					printf("UNLABELED\n");
Packit 51d0f7 
					break;
Packit 51d0f7 
				case NETLBL_NLTYPE_CIPSOV4:
Packit 51d0f7 
					printf("CIPSO, DOI = %u\n",
Packit 51d0f7 
					       iter_b->proto.cip_doi);
Packit 51d0f7 
					break;
Packit 51d0f7 
				case NETLBL_NLTYPE_CALIPSO:
Packit 51d0f7 
					printf("CALIPSO, DOI = %u\n",
Packit 51d0f7 
					       iter_b->proto.clp_doi);
Packit 51d0f7 
					break;
Packit 51d0f7 
				default:
Packit 51d0f7 
					printf("UNKNOWN(%u)\n",
Packit 51d0f7 
					       iter_b->proto_type);
Packit 51d0f7 
					break;
Packit 51d0f7 
				}
Packit 51d0f7 
				iter_b = iter_b->next;
Packit 51d0f7 
			}
Packit 51d0f7 
			break;
Packit 51d0f7 
		default:
Packit 51d0f7 
			printf("UNKNOWN(%u)\n", mapping[iter_a].proto_type);
Packit 51d0f7 
			break;
Packit 51d0f7 
		}
Packit 51d0f7 
	}
Packit 51d0f7 
}
Packit 51d0f7
Packit 51d0f7 
/**
Packit 51d0f7 
 * List the NetLabel domains mappings
Packit 51d0f7 
 * @param argc the number of arguments
Packit 51d0f7 
 * @param argv the argument list
Packit 51d0f7 
 *
Packit 51d0f7 
 * List the configured NetLabel domain mappings.  Returns zero on success,
Packit 51d0f7 
 * negative values on failure.
Packit 51d0f7 
 *
Packit 51d0f7 
 */
Packit 51d0f7 
static int map_list(int argc, char *argv[])
Packit 51d0f7 
{
Packit 51d0f7 
	int rc;
Packit 51d0f7 
	struct nlbl_dommap *mapping, *mapping_new;
Packit 51d0f7 
	size_t count, def_count;
Packit 51d0f7 
	uint32_t iter;
Packit 51d0f7 
	uint16_t *family, families[] = {AF_INET, AF_INET6, AF_UNSPEC /* terminator */};
Packit 51d0f7
Packit 51d0f7 
	/* get the list of mappings */
Packit 51d0f7 
	rc = nlbl_mgmt_listall(NULL, &mapping);
Packit 51d0f7 
	if (rc < 0)
Packit 51d0f7 
		return rc;
Packit 51d0f7 
	count = rc;
Packit 51d0f7
Packit 51d0f7 
	/* get the default mapping */
Packit 51d0f7 
	mapping_new = realloc(mapping, sizeof(*mapping) * (count + 2));
Packit 51d0f7 
	if (mapping_new == NULL)
Packit 51d0f7 
		goto list_return;
Packit 51d0f7 
	mapping = mapping_new;
Packit 51d0f7 
	memset(&mapping[count], 0, sizeof(*mapping) * 2);
Packit 51d0f7
Packit 51d0f7 
	for (family = families, def_count = 0; *family != AF_UNSPEC; family++) {
Packit 51d0f7 
		rc = nlbl_mgmt_listdef(NULL, *family, &mapping[count + def_count]);
Packit 51d0f7 
		if (rc < 0 && rc != -ENOENT)
Packit 51d0f7 
			goto list_return;
Packit 51d0f7 
		else if (rc == 0)
Packit 51d0f7 
			def_count += 1;
Packit 51d0f7 
		else
Packit 51d0f7 
			rc = 0;
Packit 51d0f7 
	}
Packit 51d0f7
Packit 51d0f7 
	/* If both defaults are unlabeled then combine them into a single entry */
Packit 51d0f7 
	if (def_count == 2 && mapping[count].proto_type == NETLBL_NLTYPE_UNLABELED &&
Packit 51d0f7 
	    mapping[count + 1].proto_type == NETLBL_NLTYPE_UNLABELED) {
Packit 51d0f7 
		mapping[count].family = AF_UNSPEC;
Packit 51d0f7 
		def_count--;
Packit 51d0f7 
	}
Packit 51d0f7 
	count += def_count;
Packit 51d0f7
Packit 51d0f7 
	/* display the results */
Packit 51d0f7 
	if (opt_pretty != 0)
Packit 51d0f7 
		map_list_print_pretty(mapping, count);
Packit 51d0f7 
	else
Packit 51d0f7 
		map_list_print(mapping, count);
Packit 51d0f7
Packit 51d0f7 
list_return:
Packit 51d0f7 
	if (mapping != NULL) {
Packit 51d0f7 
		for (iter = 0; iter < count; iter++)
Packit 51d0f7 
			if (mapping[iter].domain != NULL)
Packit 51d0f7 
				free(mapping[iter].domain);
Packit 51d0f7 
		free(mapping);
Packit 51d0f7 
	}
Packit 51d0f7 
	return rc;
Packit 51d0f7 
}
Packit 51d0f7
Packit 51d0f7 
/**
Packit 51d0f7 
 * Entry point for the NetLabel mapping functions
Packit 51d0f7 
 * @param argc the number of arguments
Packit 51d0f7 
 * @param argv the argument list
Packit 51d0f7 
 *
Packit 51d0f7 
 * Parses the argument list and performs the requested operation.  Returns zero
Packit 51d0f7 
 * on success, negative values on failure.
Packit 51d0f7 
 *
Packit 51d0f7 
 */
Packit 51d0f7 
int map_main(int argc, char *argv[])
Packit 51d0f7 
{
Packit 51d0f7 
	int rc;
Packit 51d0f7
Packit 51d0f7 
	/* sanity checks */
Packit 51d0f7 
	if (argc <= 0 || argv == NULL || argv[0] == NULL)
Packit 51d0f7 
		return -EINVAL;
Packit 51d0f7
Packit 51d0f7 
	/* handle the request */
Packit 51d0f7 
	if (strcmp(argv[0], "add") == 0) {
Packit 51d0f7 
		/* add a domain mapping */
Packit 51d0f7 
		rc = map_add(argc - 1, argv + 1);
Packit 51d0f7 
	} else if (strcmp(argv[0], "del") == 0) {
Packit 51d0f7 
		/* delete a domain mapping */
Packit 51d0f7 
		rc = map_del(argc - 1, argv + 1);
Packit 51d0f7 
	} else if (strcmp(argv[0], "list") == 0) {
Packit 51d0f7 
		/* list the domain mappings */
Packit 51d0f7 
		rc = map_list(argc - 1, argv + 1);
Packit 51d0f7 
	} else {
Packit 51d0f7 
		/* unknown request */
Packit 51d0f7 
		rc = -EINVAL;
Packit 51d0f7 
	}
Packit 51d0f7
Packit 51d0f7 
	return rc;
Packit 51d0f7 
}

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation