/*
|
|
Packit |
51d0f7 |
* Unlabeled Functions
|
|
Packit |
51d0f7 |
*
|
|
Packit |
51d0f7 |
* Author: Paul Moore <paul@paul-moore.com>
|
|
Packit |
51d0f7 |
*
|
|
Packit |
51d0f7 |
*/
|
|
Packit |
51d0f7 |
|
|
Packit |
51d0f7 |
/*
|
|
Packit |
51d0f7 |
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2007
|
|
Packit |
51d0f7 |
*
|
|
Packit |
51d0f7 |
* This program is free software: you can redistribute it and/or modify
|
|
Packit |
51d0f7 |
* it under the terms of version 2 of the GNU General Public License as
|
|
Packit |
51d0f7 |
* published by the Free Software Foundation.
|
|
Packit |
51d0f7 |
*
|
|
Packit |
51d0f7 |
* This program is distributed in the hope that it will be useful,
|
|
Packit |
51d0f7 |
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
51d0f7 |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
Packit |
51d0f7 |
* GNU General Public License for more details.
|
|
Packit |
51d0f7 |
*
|
|
Packit |
51d0f7 |
* You should have received a copy of the GNU General Public License
|
|
Packit |
51d0f7 |
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
Packit |
51d0f7 |
*
|
|
Packit |
51d0f7 |
*/
|
|
Packit |
51d0f7 |
|
|
Packit |
51d0f7 |
|
|
Packit |
51d0f7 |
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#include <libnetlabel.h>

#include "netlabelctl.h"
/**
 * Set the NetLabel accept flag
 * @param argc the number of arguments
 * @param argv the argument list
 *
 * Set the kernel's unlabeled packet allow flag from the single argument
 * "on"/"off" (case-insensitive) or "1"/"0".  Exactly one argument is
 * required; anything else is rejected with -EINVAL before the kernel is
 * contacted.  Returns zero on success, negative values on failure.
 *
 */
static int unlbl_accept(int argc, char *argv[])
{
	const char *arg;
	uint8_t flag;
	int rc;

	/* exactly one argument, and it must be present */
	if (argc != 1 || argv == NULL || argv[0] == NULL)
		return -EINVAL;
	arg = argv[0];

	/* "on"/"off" are matched case-insensitively, "1"/"0" exactly */
	if (strcasecmp(arg, "on") == 0 || strcmp(arg, "1") == 0)
		flag = 1;
	else if (strcasecmp(arg, "off") == 0 || strcmp(arg, "0") == 0)
		flag = 0;
	else
		return -EINVAL;

	/* push the flag into the kernel; only a negative return is an error */
	rc = nlbl_unlbl_accept(NULL, flag);
	return (rc < 0 ? rc : 0);
}
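/**
 * Print the address mappings in the human readable multi-line format
 * @param addr_p the mapping array
 * @param count the number of entries in addr_p
 *
 * Entries are grouped under an " interface:" line that is only emitted when
 * the interface differs from the previous entry; an entry with a NULL dev is
 * a DEFAULT (fallback) mapping.
 *
 */
static void unlbl_list_print_pretty(struct nlbl_addrmap *addr_p, size_t count)
{
	size_t iter;
	struct nlbl_addrmap *iter_p;
	const char *prev_dev = NULL;

	printf("Configured NetLabel address mappings (%zu)\n", count);
	for (iter = 0; iter < count; iter++) {
		iter_p = &addr_p[iter];
		/* interface: start a new group when it differs from the
		 * previous entry.  A NULL dev on either side means DEFAULT and
		 * must not reach strcmp() */
		if (iter == 0 ||
		    iter_p->dev == NULL ||
		    prev_dev == NULL ||
		    strcmp(prev_dev, iter_p->dev) != 0) {
			printf(" interface: ");
			if (iter_p->dev != NULL)
				printf("%s\n", iter_p->dev);
			else
				printf("DEFAULT\n");
		}
		prev_dev = iter_p->dev;
		/* address */
		printf(" address: ");
		nlctl_addr_print(&iter_p->addr);
		printf("\n");
		/* label */
		printf(" label: \"%s\"\n", iter_p->label);
	}
}

/**
 * Print the address mappings in the single-line machine oriented format
 * @param addr_p the mapping array
 * @param count the number of entries in addr_p
 *
 * Each entry becomes "interface:<dev>,address:<addr>,label:"<ctx>"", entries
 * are separated by a single space and the line is terminated with a newline.
 *
 */
static void unlbl_list_print_plain(struct nlbl_addrmap *addr_p, size_t count)
{
	size_t iter;
	struct nlbl_addrmap *iter_p;

	/* separate the mappings from the "accept:" field printed before */
	if (count > 0)
		printf(" ");
	for (iter = 0; iter < count; iter++) {
		iter_p = &addr_p[iter];
		/* interface */
		printf("interface:");
		if (iter_p->dev != NULL)
			printf("%s,", iter_p->dev);
		else
			printf("DEFAULT,");
		/* address */
		printf("address:");
		nlctl_addr_print(&iter_p->addr);
		printf(",");
		/* label */
		printf("label:\"%s\"", iter_p->label);
		if (iter + 1 < count)
			printf(" ");
	}
	printf("\n");
}

/**
 * Free an address mapping array returned by the unlabeled list functions
 * @param list the mapping array, may be NULL
 * @param count the number of entries whose dev/label strings are still owned
 *
 * Frees the dev and label strings of the first count entries and then the
 * array itself.  Entries whose strings have been handed over to another
 * array must not be counted.
 *
 */
static void unlbl_addrmap_free(struct nlbl_addrmap *list, size_t count)
{
	size_t iter;

	if (list == NULL)
		return;
	for (iter = 0; iter < count; iter++) {
		/* free(NULL) is a no-op, so DEFAULT entries (dev == NULL)
		 * need no special casing */
		free(list[iter].dev);
		free(list[iter].label);
	}
	free(list);
}

/**
 * Query the NetLabel unlabeled module and display the results
 *
 * Query the kernel's unlabeled packet accept flag and the static/fallback
 * label mappings (per-interface entries first, DEFAULT entries after them)
 * and print them on stdout, in the multi-line report format when opt_pretty
 * is set or as a single line otherwise.  Returns zero on success, negative
 * values on failure.
 *
 */
static int unlbl_list(void)
{
	int rc;
	uint8_t flag;
	struct nlbl_addrmap *addr_p = NULL, *addr_p_new;
	struct nlbl_addrmap *addrdef_p = NULL;
	size_t count = 0;
	size_t def_count = 0;

	/* display the accept flag */
	rc = nlbl_unlbl_list(NULL, &flag);
	if (rc < 0)
		return rc;
	if (opt_pretty != 0)
		printf("Accept unlabeled packets : %s\n",
		       (flag ? "on" : "off"));
	else
		printf("accept:%s", (flag ? "on" : "off"));

	/* get the static label mappings: the per-interface entries first,
	 * the DEFAULT entries are appended after them */
	rc = nlbl_unlbl_staticlist(NULL, &addr_p);
	if (rc < 0)
		return rc;
	count = rc;
	rc = nlbl_unlbl_staticlistdef(NULL, &addrdef_p);
	if (rc > 0) {
		def_count = rc;
		addr_p_new = realloc(addr_p,
				     sizeof(*addr_p) * (count + def_count));
		if (addr_p_new == NULL) {
			/* report the allocation failure: falling through with
			 * rc still holding the positive default count would
			 * look like success to the caller */
			rc = -ENOMEM;
			goto list_return;
		}
		addr_p = addr_p_new;
		/* shallow copy: the dev/label strings are now owned by
		 * addr_p, only the addrdef_p array itself is left to free */
		memcpy(&addr_p[count], addrdef_p, sizeof(*addr_p) * def_count);
		count += def_count;
		def_count = 0;
	}

	/* display the static label mappings */
	if (opt_pretty != 0)
		unlbl_list_print_pretty(addr_p, count);
	else
		unlbl_list_print_plain(addr_p, count);

	/* everything was printed; a positive rc here is only the number of
	 * DEFAULT mappings returned by nlbl_unlbl_staticlistdef(), not a
	 * failure.  A negative value from that call is still propagated. */
	if (rc > 0)
		rc = 0;

list_return:
	/* def_count is non-zero only when the DEFAULT entries were never
	 * merged into addr_p (realloc failure), then they still own their
	 * strings */
	unlbl_addrmap_free(addrdef_p, def_count);
	unlbl_addrmap_free(addr_p, count);
	return rc;
}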
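/**
 * Add a static/fallback label configuration
 * @param argc the number of arguments
 * @param argv the argument list
 *
 * Add a fallback label configuration to the kernel.  The arguments are
 * "interface:<dev>" or "default", "address:<addr>" and "label:<secctx>", in
 * any order.  An argument that matches none of these keywords is rejected
 * rather than ignored, so a mistyped keyword (e.g. "deafult") can not
 * silently install a different mapping than the one the caller meant; the
 * "default" keyword must match exactly.  Returns zero on success, negative
 * values on failure.
 *
 */
static int unlbl_add(int argc, char *argv[])
{
	int iter;
	uint8_t def_flag = 0;
	nlbl_netdev dev = NULL;
	struct nlbl_netaddr addr;
	nlbl_secctx label = NULL;

	/* sanity checks */
	if (argc <= 0 || argv == NULL || argv[0] == NULL)
		return -EINVAL;

	memset(&addr, 0, sizeof(addr));

	/* parse the arguments */
	for (iter = 0; iter < argc && argv[iter] != NULL; iter++) {
		if (strncmp(argv[iter], "interface:", 10) == 0) {
			dev = argv[iter] + 10;
		} else if (strcmp(argv[iter], "default") == 0) {
			/* exact match: a prefix match used to accept
			 * "defaultXYZ" as well */
			def_flag = 1;
		} else if (strncmp(argv[iter], "label:", 6) == 0) {
			label = argv[iter] + 6;
		} else if (strncmp(argv[iter], "address:", 8) == 0) {
			if (nlctl_addr_parse(argv[iter] + 8, &addr) != 0)
				return -EINVAL;
		} else {
			/* unknown keyword: fail instead of silently ignoring
			 * part of a security policy change */
			return -EINVAL;
		}
	}

	/* a mapping needs a label, and a non-default one an interface name;
	 * reject these here instead of handing NULLs to the library */
	if (label == NULL)
		return -EINVAL;
	if (def_flag == 0 && (dev == NULL || dev[0] == '\0'))
		return -EINVAL;

	/* add the mapping; "default" takes precedence over "interface:" */
	if (def_flag != 0)
		return nlbl_unlbl_staticadddef(NULL, &addr, label);
	return nlbl_unlbl_staticadd(NULL, dev, &addr, label);
}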
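/**
 * Delete a static/fallback label configuration
 * @param argc the number of arguments
 * @param argv the argument list
 *
 * Delete a fallback label configuration from the kernel.  The arguments are
 * "interface:<dev>" or "default" and "address:<addr>", in any order.  An
 * argument that matches none of these keywords is rejected rather than
 * ignored, so a mistyped keyword can not quietly select a different mapping
 * than the one the caller meant; the "default" keyword must match exactly.
 * Returns zero on success, negative values on failure.
 *
 */
static int unlbl_del(int argc, char *argv[])
{
	int iter;
	uint8_t def_flag = 0;
	nlbl_netdev dev = NULL;
	struct nlbl_netaddr addr;

	/* sanity checks */
	if (argc <= 0 || argv == NULL || argv[0] == NULL)
		return -EINVAL;

	memset(&addr, 0, sizeof(addr));

	/* parse the arguments */
	for (iter = 0; iter < argc && argv[iter] != NULL; iter++) {
		if (strncmp(argv[iter], "interface:", 10) == 0) {
			dev = argv[iter] + 10;
		} else if (strcmp(argv[iter], "default") == 0) {
			/* exact match: a prefix match used to accept
			 * "defaultXYZ" as well */
			def_flag = 1;
		} else if (strncmp(argv[iter], "address:", 8) == 0) {
			if (nlctl_addr_parse(argv[iter] + 8, &addr) != 0)
				return -EINVAL;
		} else {
			/* unknown keyword: fail instead of silently ignoring
			 * part of a security policy change */
			return -EINVAL;
		}
	}

	/* a non-default mapping needs an interface name; reject it here
	 * instead of handing a NULL to the library */
	if (def_flag == 0 && (dev == NULL || dev[0] == '\0'))
		return -EINVAL;

	/* delete the mapping; "default" takes precedence over "interface:" */
	if (def_flag != 0)
		return nlbl_unlbl_staticdeldef(NULL, &addr);
	return nlbl_unlbl_staticdel(NULL, dev, &addr);
}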
/**
 * Entry point for the NetLabel unlabeled functions
 * @param argc the number of arguments
 * @param argv the argument list
 *
 * Dispatches on the sub-command in argv[0] ("accept", "list", "add" or
 * "del") and hands the remaining arguments to the matching handler.  An
 * unknown sub-command yields -EINVAL.  Returns zero on success, negative
 * values on failure.
 *
 */
int unlbl_main(int argc, char *argv[])
{
	const char *cmd;

	/* sanity checks */
	if (argc <= 0 || argv == NULL || argv[0] == NULL)
		return -EINVAL;
	cmd = argv[0];

	/* the handlers receive the arguments after the sub-command keyword */
	if (strcmp(cmd, "list") == 0)
		return unlbl_list();
	if (strcmp(cmd, "accept") == 0)
		return unlbl_accept(argc - 1, argv + 1);
	if (strcmp(cmd, "add") == 0)
		return unlbl_add(argc - 1, argv + 1);
	if (strcmp(cmd, "del") == 0)
		return unlbl_del(argc - 1, argv + 1);

	/* unknown request */
	return -EINVAL;
}