From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa.local.altlinux.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.1 From: Anton Midyukov To: devel-kernel@lists.altlinux.org Date: Tue, 3 Mar 2026 17:27:12 +0300 Message-ID: <20260303142712.79380-1-antohami@altlinux.org> X-Mailer: git-send-email 2.50.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [d-kernel] [PATCH] [6.12] net/netlabel: Add mark s0 flag for NetLabel subsystem X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Mar 2026 14:27:30 -0000 Archived-At: List-Archive: List-Post: This is an adaptation of the original patch by Andriy Stepanov stanv@. Link: https://git.altlinux.org/people/stanv/packages/?p=kernel-image.git;a=commit;h=8640613b901959a2bc028e97880df7ecf7be81ef Link: https://www.altlinux.org/Sl#ALT_Linux Signed-off-by: Anton Midyukov
---
 net/netlabel/netlabel_kapi.c | 122 +++++++++++++++++++++++++++++++++ net/netlabel/netlabel_mgmt.c | 127 ++++++++++++++++++++++++++++++++++- net/netlabel/netlabel_mgmt.h | 8 +++ 3 files changed, 256 insertions(+), 1 deletion(-)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 33b77084a4e5..99bd464399fe 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -997,6 +997,20 @@ int netlbl_sock_setattr(struct sock *sk, ret_val = -EDESTADDRREQ; break; case NETLBL_NLTYPE_CIPSOV4: + /* Our target is skipping marking packets with s0. + * If 'map' command doesn't have specified 'address' and 'domain' + * then netlabel takes 'default' rule. + * Default rule is to mark packets corresponding to socket IP option. + * Socket has IP option. Linux's network subsystem automatically assigns + * for any packets socket's IP option. + */ + if (!netlbl_mgmt_s0_flg() + && secattr->flags & NETLBL_SECATTR_MLS_LVL + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT) + && secattr->attr.mls.lvl == 0) { + ret_val = 0; + break; + } ret_val = cipso_v4_sock_setattr(sk, dom_entry->def.cipso, secattr, sk_locked); @@ -1015,6 +1029,20 @@ int netlbl_sock_setattr(struct sock *sk, ret_val = -EDESTADDRREQ; break; case NETLBL_NLTYPE_CALIPSO: + /* Our target is skipping marking packets with s0. + * If 'map' command doesn't have specified 'address' and 'domain' + * then netlabel takes 'default' rule. + * Default rule is to mark packets corresponding to socket IP option. + * Socket has IP option. Linux's network subsystem automatically assigns + * for any packets socket's IP option. + */ + if (!netlbl_mgmt_s0_flg() + && secattr->flags & NETLBL_SECATTR_MLS_LVL + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT) + && secattr->attr.mls.lvl == 0) { + ret_val = 0; + break; + } ret_val = calipso_sock_setattr(sk, dom_entry->def.calipso, secattr); 
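Review bot: The s0 test `!netlbl_mgmt_s0_flg() && secattr->flags & NETLBL_SECATTR_MLS_LVL && !(secattr->flags & NETLBL_SECATTR_MLS_CAT) && secattr->attr.mls.lvl == 0` and its six-line comment are pasted verbatim into eight switch cases of netlbl_sock_setattr, netlbl_conn_setattr, netlbl_req_setattr and netlbl_skbuff_setattr (the hunks at -1015, -1149, -1179, -1230, -1251, -1328 and -1351 repeat this one), so the policy decision can drift between the four entry points the next time one of them is touched. A single static helper in netlabel_kapi.c would keep the rule in one place and let the comment be written once; the mixed `&`/`&&` terms also want explicit parentheses, `(secattr->flags & NETLBL_SECATTR_MLS_LVL)`, as the NETLBL_SECATTR_MLS_CAT term already has. Both netlbl_sock_setattr and its switch continue outside the hunk.
```c
/* True when @secattr is plain s0 (MLS level 0, no categories) and the
 * mark-s0 flag is cleared, i.e. this traffic must leave unlabelled. */
static bool netlbl_skip_s0_label(const struct netlbl_lsm_secattr *secattr)
{
	return !netlbl_mgmt_s0_flg() &&
	       (secattr->flags & NETLBL_SECATTR_MLS_LVL) &&
	       !(secattr->flags & NETLBL_SECATTR_MLS_CAT) &&
	       secattr->attr.mls.lvl == 0;
}
/* … unchanged: each case becomes `if (netlbl_skip_s0_label(secattr)) { … }` … */
```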
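Review bot: In netlbl_sock_setattr the s0 early exit only sets `ret_val = 0;` and breaks, whereas the matching branches added to netlbl_conn_setattr and netlbl_req_setattr call the protocol's delattr first; if a socket that already carries a CIPSO or CALIPSO option reaches this path with an s0 label, the stale option stays on the socket and its packets keep leaving labelled, which is presumably not what the flag is meant to guarantee. Unless this function is only ever reached for freshly created sockets, add `cipso_v4_sock_delattr(sk);` before the break in the -997 hunk and `calipso_sock_delattr(sk);` in this one, mirroring the conn/req variants. The enclosing function starts and ends outside the hunk.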
@@ -1149,6 +1177,23 @@ int netlbl_conn_setattr(struct sock *sk, } switch (entry->type) { case NETLBL_NLTYPE_CIPSOV4: + /* Our target is skipping marking packets with s0. + * If 'map' command doesn't have specified 'address' and 'domain' + * then netlabel takes 'default' rule. + * Default rule is to mark packets corresponding to socket IP option. + * Socket has IP option. Linux's network subsystem automatically assigns + * for any packets socket's IP option. + */ + if (!netlbl_mgmt_s0_flg() + && secattr->flags & NETLBL_SECATTR_MLS_LVL + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT) + && secattr->attr.mls.lvl == 0) { + /* just delete the protocols we support for right now + * but we could remove other protocols if needed */ + cipso_v4_sock_delattr(sk); + ret_val = 0; + break; + } ret_val = cipso_v4_sock_setattr(sk, entry->cipso, secattr, netlbl_sk_lock_check(sk)); @@ -1179,6 +1224,23 @@ int netlbl_conn_setattr(struct sock *sk, } switch (entry->type) { case NETLBL_NLTYPE_CALIPSO: + /* Our target is skipping marking packets with s0. + * If 'map' command doesn't have specified 'address' and 'domain' + * then netlabel takes 'default' rule. + * Default rule is to mark packets corresponding to socket IP option. + * Socket has IP option. Linux's network subsystem automatically assigns + * for any packets socket's IP option. + */ + if (!netlbl_mgmt_s0_flg() + && secattr->flags & NETLBL_SECATTR_MLS_LVL + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT) + && secattr->attr.mls.lvl == 0) { + /* just delete the protocols we support for right now + * but we could remove other protocols if needed */ + calipso_sock_delattr(sk); + ret_val = 0; + break; + } ret_val = calipso_sock_setattr(sk, entry->calipso, secattr); break; 
@@ -1230,6 +1292,23 @@ int netlbl_req_setattr(struct request_sock *req, } switch (entry->type) { case NETLBL_NLTYPE_CIPSOV4: + /* Our target is skipping marking packets with s0. + * If 'map' command doesn't have specified 'address' and 'domain' + * then netlabel takes 'default' rule. + * Default rule is to mark packets corresponding to socket IP option. + * Socket has IP option. Linux's network subsystem automatically assigns + * for any packets socket's IP option. + */ + if (!netlbl_mgmt_s0_flg() + && secattr->flags & NETLBL_SECATTR_MLS_LVL + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT) + && secattr->attr.mls.lvl == 0) { + /* just delete the protocols we support for right now + * but we could remove other protocols if needed */ + cipso_v4_req_delattr(req); + ret_val = 0; + break; + } ret_val = cipso_v4_req_setattr(req, entry->cipso, secattr); break; @@ -1251,6 +1330,23 @@ int netlbl_req_setattr(struct request_sock *req, } switch (entry->type) { case NETLBL_NLTYPE_CALIPSO: + /* Our target is skipping marking packets with s0. + * If 'map' command doesn't have specified 'address' and 'domain' + * then netlabel takes 'default' rule. + * Default rule is to mark packets corresponding to socket IP option. + * Socket has IP option. Linux's network subsystem automatically assigns + * for any packets socket's IP option. + */ + if (!netlbl_mgmt_s0_flg() + && secattr->flags & NETLBL_SECATTR_MLS_LVL + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT) + && secattr->attr.mls.lvl == 0) { + /* just delete the protocols we support for right now + * but we could remove other protocols if needed */ + calipso_req_delattr(req); + ret_val = 0; + break; + } ret_val = calipso_req_setattr(req, entry->calipso, secattr); break; 
@@ -1328,6 +1424,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb, } switch (entry->type) { case NETLBL_NLTYPE_CIPSOV4: + /* Our target is skipping marking packets with s0. + * We can't change function netlbl_domhsh_getentry_af4, + * due it is used in other places. Thus, let's place code + * just right here. */ + if (!netlbl_mgmt_s0_flg() + && secattr->flags & NETLBL_SECATTR_MLS_LVL + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT) + && secattr->attr.mls.lvl == 0) { + /* just delete the protocols we support for right now + * but we could remove other protocols if needed */ + ret_val = cipso_v4_skbuff_delattr(skb); + break; + } ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso, secattr); break; @@ -1351,6 +1460,19 @@ int netlbl_skbuff_setattr(struct sk_buff *skb, } switch (entry->type) { case NETLBL_NLTYPE_CALIPSO: + /* Our target is skipping marking packets with s0. + * We can't change function netlbl_domhsh_getentry_af4, + * due it is used in other places. Thus, let's place code + * just right here. */ + if (!netlbl_mgmt_s0_flg() + && secattr->flags & NETLBL_SECATTR_MLS_LVL + && !(secattr->flags & NETLBL_SECATTR_MLS_CAT) + && secattr->attr.mls.lvl == 0) { + /* just delete the protocols we support for right now + * but we could remove other protocols if needed */ + ret_val = calipso_skbuff_delattr(skb); + break; + } ret_val = calipso_skbuff_setattr(skb, entry->calipso, secattr); break; diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c index 689eaa2afbec..8ddd9314a496 100644 --- a/net/netlabel/netlabel_mgmt.c +++ b/net/netlabel/netlabel_mgmt.c @@ -45,6 +45,9 @@ struct netlbl_domhsh_walk_arg { u32 seq; }; +/* Accept unlabeled packets flag */ +static u8 netlabel_mgmt_s0_flg = 0; + /* NetLabel Generic NETLINK CIPSOv4 family */ static struct genl_family netlbl_mgmt_gnl_family; 
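Review bot: The comment on the CALIPSO case of netlbl_skbuff_setattr says the check sits here because `netlbl_domhsh_getentry_af4` cannot be changed, but this is the IPv6 branch, which presumably obtains its entry through the af6 lookup (the lookup itself is outside the hunk); the same text is copied into the CIPSOv4 case in the -1328 hunk, where it explains history rather than the rule. A comment that states the rule serves both cases, e.g. `/* mark-s0 flag clear: s0 traffic leaves unlabelled, so drop any existing option instead of adding one. */`. The enclosing function continues outside the hunk.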
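Review bot: The comment `/* Accept unlabeled packets flag */` on the new static in netlabel_mgmt.c describes the netlabel_unlabeled accept flag, not this one; from the checks in netlabel_kapi.c a non-zero value means "label s0 traffic as usual", and netlbl_mgmt_genl_init later forces it to 1. Giving the variable that default in its initialiser, `static u8 netlabel_mgmt_s0_flg = 1; /* 1 = label s0 traffic (default), 0 = send s0 traffic unlabelled */`, documents the meaning, removes the window in which an early reader sees 0, and satisfies checkpatch, which rejects initialising statics to 0.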
@@ -56,12 +59,48 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = { [NLBL_MGMT_A_CV4DOI] = { .type = NLA_U32 }, [NLBL_MGMT_A_FAMILY] = { .type = NLA_U16 }, [NLBL_MGMT_A_CLPDOI] = { .type = NLA_U32 }, + [NLBL_MGMT_A_S0] = { .type = NLA_U8 }, }; /* * Helper Functions */ +/** + * netlbl_mgmt_s0_flg - Get the state of the s0 mark flag + */ +int netlbl_mgmt_s0_flg(void) +{ + return netlabel_mgmt_s0_flg; +} + +/** + * netlbl_mgmt_s0_update - Set the s0 mark flag + * @value: desired value + * @audit_info: NetLabel audit information + * + * Description: + * Set the value of the s0 mark flag to @value. + * + */ +static void netlbl_mgmt_s0_update(u8 value, + struct netlbl_audit *audit_info) +{ + struct audit_buffer *audit_buf; + u8 old_val; + + old_val = netlabel_mgmt_s0_flg; + netlabel_mgmt_s0_flg = value; + // XXX: change type + audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW, + audit_info); + if (audit_buf != NULL) { + audit_log_format(audit_buf, + " mark_s0=%u old=%u", value, old_val); + audit_log_end(audit_buf); + } +} + /** * netlbl_mgmt_add_common - Handle an ADD message * @info: the Generic NETLINK info block 
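Review bot: netlabel_mgmt_s0_flg is written by netlbl_mgmt_s0_update from the genetlink handler and read by netlbl_mgmt_s0_flg() on the socket and skb transmit paths with no lock or annotation, which is a data race under KCSAN; the u8 access is single-copy atomic in practice, but the two sides should be marked, `return READ_ONCE(netlabel_mgmt_s0_flg);` in the getter and `WRITE_ONCE(netlabel_mgmt_s0_flg, value);` in the setter. The audit record is emitted as AUDIT_MAC_UNLBL_ALLOW with a `// XXX: change type` left in place, so a change of this flag is indistinguishable by record type from an unlabeled-accept change for anything consuming the audit stream; either settle the record type before merging or state in a `/* */` comment (kernel style does not use `//`) why reusing it is acceptable. Two concurrent setters are also unserialised, so the old= value in their audit records can be stale; worth a comment if that is deemed acceptable.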
@@ -408,6 +447,73 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb, * NetLabel Command Handlers */ +/** + * netlbl_mgmt_s0_set - Handle an s0 mark message + * @skb: the NETLINK buffer + * @info: the Generic NETLINK info block + * + * Description: + * Process a user generated s0 mark message and set the accept flag accordingly. + * Returns zero on success, negative values on failure. + * + */ +static int netlbl_mgmt_s0_set(struct sk_buff *skb, struct genl_info *info) +{ + u8 value; + struct netlbl_audit audit_info; + + if (info->attrs[NLBL_MGMT_A_S0]) { + value = nla_get_u8(info->attrs[NLBL_MGMT_A_S0]); + if (value == 1 || value == 0) { + netlbl_netlink_auditinfo(&audit_info); + netlbl_mgmt_s0_update(value, &audit_info); + return 0; + } + } + + return -EINVAL; +} + +/** + * netlbl_mgmt_s0_get - Handle an s0 mark message + * @skb: the NETLINK buffer + * @info: the Generic NETLINK info block + * + * Description: + * Process a user generated s0 mark message and respond with the current status. + * Returns zero on success, negative values on failure. + * + */ +static int netlbl_mgmt_s0_get(struct sk_buff *skb, struct genl_info *info) +{ + int ret_val = -EINVAL; + struct sk_buff *ans_skb; + void *data; + + ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + if (ans_skb == NULL) + goto list_failure; + data = genlmsg_put_reply(ans_skb, info, &netlbl_mgmt_gnl_family, + 0, NLBL_MGMT_C_S0_GET); + if (data == NULL) { + ret_val = -ENOMEM; + goto list_failure; + } + + ret_val = nla_put_u8(ans_skb, + NLBL_MGMT_A_S0, + netlabel_mgmt_s0_flg); + if (ret_val != 0) + goto list_failure; + + genlmsg_end(ans_skb, data); + return genlmsg_reply(ans_skb, info); + +list_failure: + kfree_skb(ans_skb); + return ret_val; +} + /** * netlbl_mgmt_add - Handle an ADD message * @skb: the NETLINK buffer 
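Review bot: netlbl_mgmt_s0_get reports -EINVAL when nlmsg_new fails, because ret_val starts at -EINVAL and the `if (ans_skb == NULL) goto list_failure;` path never changes it, while the genlmsg_put_reply failure a few lines later does return -ENOMEM; initialise `int ret_val = -ENOMEM;` and drop the `ret_val = -ENOMEM;` assignment in the genlmsg_put_reply branch so both allocation failures report the same error. netlbl_mgmt_s0_set correctly rejects anything other than 0 or 1 before touching the flag; expressing that range in the policy entry as well (NLA_POLICY_MAX on NLBL_MGMT_A_S0) would make the accepted values visible to the validation layer and to userspace policy dumps.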
@@ -815,6 +921,20 @@ static const struct genl_small_ops netlbl_mgmt_genl_ops[] = { .doit = netlbl_mgmt_version, .dumpit = NULL, }, + { + .cmd = NLBL_MGMT_C_S0_GET, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags = 0, + .doit = netlbl_mgmt_s0_get, + .dumpit = NULL, + }, + { + .cmd = NLBL_MGMT_C_S0_SET, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags = GENL_ADMIN_PERM, + .doit = netlbl_mgmt_s0_set, + .dumpit = NULL, + }, }; static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = { @@ -826,7 +946,7 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = { .module = THIS_MODULE, .small_ops = netlbl_mgmt_genl_ops, .n_small_ops = ARRAY_SIZE(netlbl_mgmt_genl_ops), - .resv_start_op = NLBL_MGMT_C_VERSION + 1, + .resv_start_op = NLBL_MGMT_C_S0_GET + 1, }; /* @@ -843,5 +963,10 @@ static struct genl_family netlbl_mgmt_gnl_family __ro_after_init = { */ int __init netlbl_mgmt_genl_init(void) { + struct netlbl_audit audit_info; + + /* set default s0 mark flag */ + netlbl_mgmt_s0_update(1, &audit_info); + return genl_register_family(&netlbl_mgmt_gnl_family); } diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h index db20dfbbd8c4..db53cd1c132c 100644 --- a/net/netlabel/netlabel_mgmt.h +++ b/net/netlabel/netlabel_mgmt.h @@ -167,6 +167,8 @@ enum { NLBL_MGMT_C_LISTDEF, NLBL_MGMT_C_PROTOCOLS, NLBL_MGMT_C_VERSION, + NLBL_MGMT_C_S0_SET, + NLBL_MGMT_C_S0_GET, __NLBL_MGMT_C_MAX, }; @@ -212,6 +214,9 @@ enum { NLBL_MGMT_A_CLPDOI, /* (NLA_U32) * the CALIPSO DOI value */ + NLBL_MGMT_A_S0, + /* (NLA_U8) + * if true then S0 packets are not marked, else marked */ __NLBL_MGMT_A_MAX, }; #define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1) @@ -222,4 +227,7 @@ int netlbl_mgmt_genl_init(void); /* NetLabel configured protocol reference counter */ extern atomic_t netlabel_mgmt_protocount; +/* Status of markup s0 packets flag. */ +int netlbl_mgmt_s0_flg(void); + #endif -- 2.50.1
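Review bot: The two new ops copy `.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP` from the legacy entries and the -826 hunk raises `.resv_start_op` to NLBL_MGMT_C_S0_GET + 1, so the brand-new S0_SET and S0_GET commands opt out of both strict attribute validation and the reserved-header-field check; those relaxations exist to keep pre-existing userspace working, and no such userspace exists for these commands. Unless a shipped tool already sends them with loose messages, keep `.resv_start_op = NLBL_MGMT_C_VERSION + 1,` as it was and drop the `.validate` line from the two new entries so malformed input is rejected up front, which matters most for S0_SET, an admin-only policy switch.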
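Review bot: netlbl_mgmt_genl_init passes an uninitialised `struct netlbl_audit audit_info` to netlbl_mgmt_s0_update in the -843 hunk, which hands it to netlbl_audit_start_common and so writes whatever is on the stack in the secid/loginuid/sessionid fields into a boot-time audit record. Either zero it, `struct netlbl_audit audit_info = {};`, or, better, give the static its default in its initialiser and delete this call together with the spurious audit event, since no administrator action is being recorded at init.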
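Review bot: The attribute comment added to netlabel_mgmt.h in the -212 hunk, `if true then S0 packets are not marked, else marked`, is the inverse of what netlabel_kapi.c implements: the skip path runs only when `!netlbl_mgmt_s0_flg()`, so a non-zero NLBL_MGMT_A_S0 means s0 traffic is labelled (the default netlbl_mgmt_genl_init installs) and 0 means it leaves without a CIPSO/CALIPSO option. Since this is the contract userspace tooling will be written against, replace it with `/* (NLA_U8) 1 = label s0 traffic as usual (default), 0 = send s0 traffic unlabelled */`, and make the prototype comment in the -222 hunk (`Status of markup s0 packets flag.`) say the same.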