netlabel_tools-master/0000755000175000017500000000000013630015602015225 5ustar paultagpaultagnetlabel_tools-master/netlabelctl/0000755000175000017500000000000013630015602017516 5ustar paultagpaultagnetlabel_tools-master/netlabelctl/cipso.c0000644000175000017500000002420713630015602021004 0ustar paultagpaultag/* * CIPSO/IPv4 Functions * * Author: Paul Moore * */ /* * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 * * This program is free software: you can redistribute it and/or modify * it under the terms of version 2 of the GNU General Public License as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * */ #include #include #include #include #include #include "netlabelctl.h" /** * Add a CIPSO label mapping * @param argc the number of arguments * @param argv the argument list * * Add a CIPSO label mapping to the NetLabel system. Returns zero on * success, negative values on failure. * */ static int cipso_add(int argc, char *argv[]) { int rc; uint32_t iter; uint32_t cipso_type = CIPSO_V4_MAP_UNKNOWN; nlbl_cip_doi doi = 0; struct nlbl_cip_tag_a tags = { .array = NULL, .size = 0 }; struct nlbl_cip_lvl_a lvls = { .array = NULL, .size = 0 }; struct nlbl_cip_cat_a cats = { .array = NULL, .size = 0 }; char *token_ptr; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; /* parse the arguments */ for (iter = 0; iter < argc && argv[iter] != NULL; iter++) { if (strcmp(argv[iter], "trans") == 0) { cipso_type = CIPSO_V4_MAP_TRANS; } else if (strcmp(argv[iter], "std") == 0) { fprintf(stderr, MSG_OLD("use 'trans' instead of 'std'\n")); cipso_type = CIPSO_V4_MAP_TRANS; } else if (strcmp(argv[iter], "pass") == 0) { cipso_type = CIPSO_V4_MAP_PASS; } else if (strcmp(argv[iter], "local") == 0) { cipso_type = CIPSO_V4_MAP_LOCAL; } else if (strncmp(argv[iter], "doi:", 4) == 0) { /* doi */ doi = atoi(argv[iter] + 4); } else if (strncmp(argv[iter], "tags:", 5) == 0) { /* tags */ token_ptr = strtok(argv[iter] + 5, ","); while (token_ptr != NULL) { tags.array = realloc(tags.array, sizeof(nlbl_cip_tag) * (tags.size + 1)); if (tags.array == NULL) { rc = -ENOMEM; goto add_return; } tags.array[tags.size++] = atoi(token_ptr); token_ptr = strtok(NULL, ","); } } else if (strncmp(argv[iter], "levels:", 7) == 0) { /* levels */ token_ptr = strtok(argv[iter] + 7, "="); while (token_ptr != NULL) { lvls.array = realloc(lvls.array, sizeof(nlbl_cip_lvl) * 2 * (lvls.size + 1)); if (lvls.array == NULL) { rc = -ENOMEM; goto add_return; } /* XXX - should be more robust for bad input */ lvls.array[lvls.size * 2] = atoi(token_ptr); token_ptr = strtok(NULL, ","); lvls.array[lvls.size * 2 + 1] = atoi(token_ptr); token_ptr = strtok(NULL, "="); lvls.size++; } } else if (strncmp(argv[iter], "categories:", 11) == 0) { /* categories */ token_ptr = strtok(argv[iter] + 11, "="); while (token_ptr != NULL) { cats.array = realloc(cats.array, sizeof(nlbl_cip_cat) * 2 * (cats.size + 1)); if (cats.array == NULL) { rc = -ENOMEM; goto add_return; } /* XXX - should be more robust for bad input */ cats.array[cats.size * 2] = atoi(token_ptr); token_ptr = strtok(NULL, ","); cats.array[cats.size * 2 + 1] = atoi(token_ptr); token_ptr = strtok(NULL, "="); cats.size++; } } else return -EINVAL; } /* add the cipso mapping */ switch (cipso_type) { case CIPSO_V4_MAP_TRANS: /* translated mapping */ rc = nlbl_cipso_add_trans(NULL, doi, &tags, &lvls, &cats); break; case CIPSO_V4_MAP_PASS: /* pass through mapping */ rc = nlbl_cipso_add_pass(NULL, doi, &tags); break; case CIPSO_V4_MAP_LOCAL: /* local mapping */ rc = nlbl_cipso_add_local(NULL, doi); break; default: rc = -EINVAL; } add_return: if (tags.array != NULL) free(tags.array); if (lvls.array != NULL) free(lvls.array); if (cats.array != NULL) free(cats.array); return rc; } /** * Remove a CIPSO label mapping * @param argc the number of arguments * @param argv the argument list * * Remove a CIPSO label mapping from the NetLabel system. Returns zero on * success, negative values on failure. * */ static int cipso_del(int argc, char *argv[]) { uint32_t iter; nlbl_cip_doi doi = 0; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; /* parse the arguments */ for (iter = 0; iter < argc && argv[iter] != NULL; iter++) { if (strncmp(argv[iter], "doi:", 4) == 0) { /* doi */ doi = atoi(argv[iter] + 4); } else return -EINVAL; } /* delete the mapping */ return nlbl_cipso_del(NULL, doi); } /** * List all of the CIPSO label mappings * @param argc the number of arguments * @param argv the argument list * * List the configured CIPSO label mappings. Returns zero on success, * negative values on failure. * */ static int cipso_list_all(void) { int rc; uint32_t iter; nlbl_cip_doi *doi_list = NULL; nlbl_cip_mtype *mtype_list = NULL; size_t count; rc = nlbl_cipso_listall(NULL, &doi_list, &mtype_list); if (rc < 0) goto list_all_return; count = rc; if (opt_pretty != 0) { printf("Configured CIPSO mappings (%zu)\n", count); for (iter = 0; iter < count; iter++) { /* doi value */ printf(" DOI value : %u\n", doi_list[iter]); /* map type */ printf(" mapping type : "); switch (mtype_list[iter]) { case CIPSO_V4_MAP_TRANS: printf("TRANSLATED\n"); break; case CIPSO_V4_MAP_PASS: printf("PASS_THROUGH\n"); break; case CIPSO_V4_MAP_LOCAL: printf("LOCAL\n"); break; default: printf("UNKNOWN(%u)\n", mtype_list[iter]); break; } } } else { for (iter = 0; iter < count; iter++) { /* doi value */ printf("%u,", doi_list[iter]); /* map type */ switch (mtype_list[iter]) { case CIPSO_V4_MAP_TRANS: printf("TRANSLATED"); break; case CIPSO_V4_MAP_PASS: printf("PASS_THROUGH"); break; case CIPSO_V4_MAP_LOCAL: printf("LOCAL"); break; default: printf("UNKNOWN(%u)", mtype_list[iter]); break; } if (iter + 1 < count) printf(" "); } printf("\n"); } rc = 0; list_all_return: if (doi_list != NULL) free(doi_list); if (mtype_list != NULL) free(mtype_list); return rc; } /** * List a specific CIPSO DOI label mapping * @param doi the DOI value * * List the configured CIPSO label mapping. Returns zero on success, * negative values on failure. * */ static int cipso_list_doi(uint32_t doi) { int rc; uint32_t iter; nlbl_cip_mtype maptype; struct nlbl_cip_tag_a tags = { .array = NULL, .size = 0 }; struct nlbl_cip_lvl_a lvls = { .array = NULL, .size = 0 }; struct nlbl_cip_cat_a cats = { .array = NULL, .size = 0 }; rc = nlbl_cipso_list(NULL, doi, &maptype, &tags, &lvls, &cats); if (rc < 0) return rc; if (opt_pretty != 0) { printf("Configured CIPSO mapping (DOI = %u)\n", doi); printf(" tags (%zu): \n", tags.size); for (iter = 0; iter < tags.size; iter++) { switch (tags.array[iter]) { case 1: printf(" RESTRICTED BITMAP\n"); break; case 2: printf(" ENUMERATED\n"); break; case 5: printf(" RANGED\n"); break; case 6: printf(" PERMISSIVE_BITMAP\n"); break; case 7: printf(" FREEFORM\n"); break; case 128: printf(" LOCAL\n"); break; default: printf(" UNKNOWN(%u)\n", tags.array[iter]); break; } } switch (maptype) { case CIPSO_V4_MAP_TRANS: /* levels */ printf(" levels (%zu): \n", lvls.size); for (iter = 0; iter < lvls.size; iter++) printf(" %u = %u\n", lvls.array[iter * 2], lvls.array[iter * 2 + 1]); /* categories */ printf(" categories (%zu): \n", cats.size); for (iter = 0; iter < cats.size; iter++) printf(" %u = %u\n", cats.array[iter * 2], cats.array[iter * 2 + 1]); break; } } else { /* tags */ printf("tags:"); for (iter = 0; iter < tags.size; iter++) { printf("%u", tags.array[iter]); if (iter + 1 < tags.size) printf(","); } switch (maptype) { case CIPSO_V4_MAP_TRANS: /* levels */ printf(" levels:"); for (iter = 0; iter < lvls.size; iter++) { printf("%u=%u", lvls.array[iter * 2], lvls.array[iter * 2 + 1]); if (iter + 1 < lvls.size) printf(","); } /* categories */ printf(" categories:"); for (iter = 0; iter < cats.size; iter++) { printf("%u=%u", cats.array[iter * 2], cats.array[iter * 2 + 1]); if (iter + 1 < cats.size) printf(","); } break; } printf("\n"); } return 0; } /** * List the CIPSO label mappings * @param argc the number of arguments * @param argv the argument list * * List the configured CIPSO label mappings. Returns zero on success, * negative values on failure. * */ static int cipso_list(int argc, char *argv[]) { uint32_t iter; uint32_t doi_flag = 0; nlbl_cip_doi doi = 0; /* parse the arguments */ for (iter = 0; iter < argc && argv[iter] != NULL; iter++) { if (strncmp(argv[iter], "doi:", 4) == 0) { /* doi */ doi = atoi(argv[iter] + 4); doi_flag = 1; } else return -EINVAL; } if (doi_flag != 0) return cipso_list_doi(doi); else return cipso_list_all(); } /** * Entry point for the NetLabel CIPSO/IPv4 functions * @param argc the number of arguments * @param argv the argument list * * Parses the argument list and performs the requested operation. Returns zero * on success, negative values on failure. * */ int cipso_main(int argc, char *argv[]) { int rc; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; /* handle the request */ if (strcmp(argv[0], "add") == 0) { /* add */ rc = cipso_add(argc - 1, argv + 1); } else if (strcmp(argv[0], "del") == 0) { /* delete */ rc = cipso_del(argc - 1, argv + 1); } else if (strcmp(argv[0], "list") == 0) { /* list */ rc = cipso_list(argc - 1, argv + 1); } else { /* unknown request */ rc = -EINVAL; } return rc; } netlabel_tools-master/netlabelctl/calipso.c0000644000175000017500000001362213630015602021320 0ustar paultagpaultag/* * CALIPSO Functions * * Author: Paul Moore * Author: Huw Davies * */ /* * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 * (c) Copyright Huw Davies , 2015 * * This program is free software: you can redistribute it and/or modify * it under the terms of version 2 of the GNU General Public License as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * */ #include #include #include #include #include #include "netlabelctl.h" /** * Add a CALIPSO label mapping * @param argc the number of arguments * @param argv the argument list * * Add a CALIPSO label mapping to the NetLabel system. Returns zero on * success, negative values on failure. * */ static int calipso_add(int argc, char *argv[]) { int rc; uint32_t calipso_type = CALIPSO_MAP_UNKNOWN; uint32_t iter; nlbl_clp_doi doi = 0; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; /* parse the arguments */ for (iter = 0; iter < argc && argv[iter] != NULL; iter++) { if (strcmp(argv[iter], "pass") == 0) { calipso_type = CALIPSO_MAP_PASS; } else if (strncmp(argv[iter], "doi:", 4) == 0) { /* doi */ doi = atoi(argv[iter] + 4); } else return -EINVAL; } /* add the calipso mapping */ switch (calipso_type) { case CALIPSO_MAP_PASS: /* pass through mapping */ rc = nlbl_calipso_add_pass(NULL, doi); break; default: rc = -EINVAL; } return rc; } /** * Remove a CALIPSO label mapping * @param argc the number of arguments * @param argv the argument list * * Remove a CALIPSO label mapping from the NetLabel system. Returns zero on * success, negative values on failure. * */ static int calipso_del(int argc, char *argv[]) { uint32_t iter; nlbl_clp_doi doi = 0; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; /* parse the arguments */ for (iter = 0; iter < argc && argv[iter] != NULL; iter++) { if (strncmp(argv[iter], "doi:", 4) == 0) { /* doi */ doi = atoi(argv[iter] + 4); } else return -EINVAL; } /* delete the mapping */ return nlbl_calipso_del(NULL, doi); } /** * List all of the CALIPSO label mappings * * List the configured CALIPSO label mappings. Returns zero on success, * negative values on failure. * */ static int calipso_list_all(void) { int rc; uint32_t iter; nlbl_clp_doi *doi_list = NULL; nlbl_clp_mtype *mtype_list = NULL; size_t count; rc = nlbl_calipso_listall(NULL, &doi_list, &mtype_list); if (rc < 0) goto list_all_return; count = rc; if (opt_pretty != 0) { printf("Configured CALIPSO mappings (%zu)\n", count); for (iter = 0; iter < count; iter++) { /* doi value */ printf(" DOI value : %u\n", doi_list[iter]); /* map type */ printf(" mapping type : "); switch (mtype_list[iter]) { case CALIPSO_MAP_PASS: printf("PASS_THROUGH\n"); break; default: printf("UNKNOWN(%u)\n", mtype_list[iter]); break; } } } else { for (iter = 0; iter < count; iter++) { /* doi value */ printf("%u,", doi_list[iter]); /* map type */ switch (mtype_list[iter]) { case CALIPSO_MAP_PASS: printf("PASS_THROUGH"); break; default: printf("UNKNOWN(%u)", mtype_list[iter]); break; } if (iter + 1 < count) printf(" "); } printf("\n"); } rc = 0; list_all_return: if (doi_list != NULL) free(doi_list); if (mtype_list != NULL) free(mtype_list); return rc; } /** * List a specific CALIPSO DOI label mapping * @param doi the DOI value * * List the configured CALIPSO label mapping. Returns zero on success, * negative values on failure. * */ static int calipso_list_doi(uint32_t doi) { int rc; nlbl_clp_mtype maptype; rc = nlbl_calipso_list(NULL, doi, &maptype); if (rc < 0) return rc; if (opt_pretty != 0) { printf("Configured CALIPSO mapping (DOI = %u)\n", doi); switch (maptype) { case CALIPSO_MAP_PASS: printf(" type: PASS_THROUGH\n"); break; } } else { switch (maptype) { case CALIPSO_MAP_PASS: printf("type:PASS_THROUGH"); break; } printf("\n"); } return 0; } /** * List the CALIPSO label mappings * @param argc the number of arguments * @param argv the argument list * * List the configured CALIPSO label mappings. Returns zero on success, * negative values on failure. * */ static int calipso_list(int argc, char *argv[]) { uint32_t iter; uint32_t doi_flag = 0; nlbl_clp_doi doi = 0; /* parse the arguments */ for (iter = 0; iter < argc && argv[iter] != NULL; iter++) { if (strncmp(argv[iter], "doi:", 4) == 0) { /* doi */ doi = atoi(argv[iter] + 4); doi_flag = 1; } else return -EINVAL; } if (doi_flag != 0) return calipso_list_doi(doi); else return calipso_list_all(); } /** * Entry point for the NetLabel CALIPSO functions * @param argc the number of arguments * @param argv the argument list * * Parses the argument list and performs the requested operation. Returns zero * on success, negative values on failure. * */ int calipso_main(int argc, char *argv[]) { int rc; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; /* handle the request */ if (strcmp(argv[0], "add") == 0) { /* add */ rc = calipso_add(argc - 1, argv + 1); } else if (strcmp(argv[0], "del") == 0) { /* delete */ rc = calipso_del(argc - 1, argv + 1); } else if (strcmp(argv[0], "list") == 0) { /* list */ rc = calipso_list(argc - 1, argv + 1); } else { /* unknown request */ rc = -EINVAL; } return rc; } netlabel_tools-master/netlabelctl/mgmt.c0000644000175000017500000000622313630015602020631 0ustar paultagpaultag/* * Management Functions * * Author: Paul Moore * */ /* * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 * * This program is free software: you can redistribute it and/or modify * it under the terms of version 2 of the GNU General Public License as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * */ #include #include #include #include #include #include "netlabelctl.h" /** * Display a list of the kernel's NetLabel protocols * * Request the kernel's supported NetLabel protocols and display the list to * the user. Returns zero on success, negative values on failure. * */ static int mgmt_protocols(void) { int rc; nlbl_proto *list = NULL; size_t count; uint32_t iter; rc = nlbl_mgmt_protocols(NULL, &list); if (rc < 0) return rc; count = rc; printf(MSG("NetLabel protocols : ")); for (iter = 0; iter < count; iter++) { switch (list[iter]) { case NETLBL_NLTYPE_UNLABELED: printf("UNLABELED"); break; case NETLBL_NLTYPE_RIPSO: printf("RIPSO"); break; case NETLBL_NLTYPE_CIPSOV4: /* preserve "CIPSOv4" for any scripts */ if (opt_pretty) printf("CIPSO"); else printf("CIPSOv4"); break; case NETLBL_NLTYPE_CIPSOV6: printf("CIPSOv6"); break; case NETLBL_NLTYPE_CALIPSO: printf("CALIPSO"); break; default: printf("UNKNOWN(%u)", list[iter]); break; } if (iter + 1 < count) printf("%s", (opt_pretty ? " " : ",")); } printf("\n"); if (list != NULL) free(list); return 0; } /** * Display the kernel's NetLabel version * * Request the kernel's NetLabel version string and display it to the user. * Returns zero on success, negative values on failure. * */ static int mgmt_version(void) { int rc; uint32_t kernel_ver; rc = nlbl_mgmt_version(NULL, &kernel_ver); if (rc < 0) return rc; if (opt_pretty != 0) { printf("Supported NetLabel protocol versions\n" " kernel : %u\n" " %s : %u\n", kernel_ver, nlctl_name, NETLBL_PROTO_VERSION); } else printf("%u\n", kernel_ver); return 0; } /** * Entry point for the NetLabel management functions * @param argc the number of arguments * @param argv the argument list * * Description: * Parses the argument list and performs the requested operation. Returns zero * on success, negative values on failure. * */ int mgmt_main(int argc, char *argv[]) { int rc; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; /* handle the request */ if (strcmp(argv[0], "version") == 0) { /* kernel version */ rc = mgmt_version(); } else if (strcmp(argv[0], "protocols") == 0) { /* module list */ rc = mgmt_protocols(); } else { /* unknown request */ rc = -EINVAL; } return rc; } netlabel_tools-master/netlabelctl/netlabel-config0000755000175000017500000000656713630015602022513 0ustar paultagpaultag#!/bin/bash # # NetLabel configuration helper script # http://netlabel.sf.net # # # Configuration file: # /etc/netlabel.rules # # Return values: # 0 - success # 1 - generic or unspecified error # 2 - invalid or excess argument(s) # 3 - unimplemented feature (e.g. "reload") # 4 - insufficient privilege # 5 - program is not installed # 6 - program is not configured # 7 - program is not running # set the PATH PATH="/sbin:/bin:/usr/sbin:/usr/bin" # core configuration CFG_FILE="/etc/netlabel.rules" #### # functions # # clear/reset the unlabeled traffic configuration function nlbl_reset_unlbl() { # remove the static/fallback labels local list=$(netlabelctl unlbl list) for i in $list; do [[ "$(echo $i | cut -d':' -f 1)" == "accept" ]] && continue local iface=$(echo $i | cut -d',' -f 1 | cut -d':' -f 2) local addr=$(echo $i | cut -d',' -f 2 | cut -d':' -f 2) if [[ "$iface" == "DEFAULT" ]]; then netlabelctl unlbl del default address:$addr else netlabelctl unlbl del interface:$iface address:$addr fi done # reset the unlabeled traffic handling # NOTE: only turn this off if you _really_ know what you are doing netlabelctl unlbl accept on return 0 } # clear/reset the CIPSO DOIs function nlbl_reset_cipso() { # NOTE: make sure there are no mappings left which use these DOIs else # you will run into errors if the DOI is currently in use local list=$(netlabelctl cipso list) for i in $list; do local doi=$(echo $i | cut -d',' -f 1) netlabelctl cipso del doi:$doi done return 0 } # clear/reset the CALIPSO DOIs function nlbl_reset_calipso() { # NOTE: make sure there are no mappings left which use these DOIs else # you will run into errors if the DOI is currently in use local list=$(netlabelctl calipso list) for i in $list; do local doi=$(echo $i | cut -d',' -f 1) netlabelctl calipso del doi:$doi done return 0 } # clear/reset the NetLabel outbound traffic mapping function nlbl_reset_map() { # remove the existing mapping domains local list=$(netlabelctl map list) for i in $list; do local dmn=$(echo $i | cut -d':' -f 2 | cut -d',' -f 1) if [[ "$dmn" == "DEFAULT" ]]; then netlabelctl map del default else netlabelctl map del domain:${dmn//\"/} fi done # allow the kernel to settle # XXX: this is awkward but necessary as of early 2013 sleep 1 # reset the default mapping netlabelctl map add default protocol:unlbl return 0 } # clear/reset the NetLabel configuration function nlbl_reset() { # NOTE: ordering is important here, see nlbl_reset_cipso() for details nlbl_reset_map nlbl_reset_cipso nlbl_reset_calipso nlbl_reset_unlbl return 0 } # load the NetLabel configuration from the configuration file function nlbl_load() { local ret_rc=0 local line_num=0 local line while read line; do line_num=$(($line_num + 1)) # skip comments and blank lines echo "$line" | egrep '^#|^$' >& /dev/null && continue # perform the configuration output=$(netlabelctl $line 2>&1) rc=$? if [[ $rc -ne 0 ]]; then ret_rc=1 echo "error: line $line_num \"$line\"" echo "$output" fi done < "$CFG_FILE" return $ret_rc } #### # main # rc=0 # sanity checks [[ "$(id -u)" == "0" ]] || exit 4 which netlabelctl >& /dev/null || exit 5 [[ -r "$CFG_FILE" ]] || exit 6 # operation case "$1" in load) nlbl_load rc=$? ;; reset) nlbl_reset rc=$? ;; *) # unknown/unimplemented operation rc=3 ;; esac exit $rc netlabel_tools-master/netlabelctl/unlabeled.c0000644000175000017500000001560213630015602021621 0ustar paultagpaultag/* * Unlabeled Functions * * Author: Paul Moore * */ /* * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2007 * * This program is free software: you can redistribute it and/or modify * it under the terms of version 2 of the GNU General Public License as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * */ #include #include #include #include #include #include #include #include #include "netlabelctl.h" /** * Set the NetLabel accept flag * @param argc the number of arguments * @param argv the argument list * * Set the kernel's unlabeled packet allow flag. Returns zero on success, * negative values on failure. * */ static int unlbl_accept(int argc, char *argv[]) { int rc; uint8_t flag; /* sanity check */ if (argc != 1 || argv == NULL || argv[0] == NULL) return -EINVAL; /* set or reset the flag? */ if (strcasecmp(argv[0], "on") == 0 || strcmp(argv[0], "1") == 0) flag = 1; else if (strcasecmp(argv[0], "off") == 0 || strcmp(argv[0], "0") == 0) flag = 0; else return -EINVAL; rc = nlbl_unlbl_accept(NULL, flag); if (rc < 0) return rc; return 0; } /** * Query the NetLabel unlabeled module and display the results * * Query the unlabeled module and display the results. Returns zero on * success, negative values on failure. * */ static int unlbl_list(void) { int rc; uint8_t flag; struct nlbl_addrmap *addr_p = NULL, *addr_p_new; struct nlbl_addrmap *addrdef_p = NULL; struct nlbl_addrmap *iter_p; size_t count; uint32_t iter; /* display the accept flag */ rc = nlbl_unlbl_list(NULL, &flag); if (rc < 0) return rc; if (opt_pretty != 0) printf("Accept unlabeled packets : %s\n", (flag ? "on" : "off")); else printf("accept:%s", (flag ? "on" : "off")); /* get the static label mappings */ rc = nlbl_unlbl_staticlist(NULL, &addr_p); if (rc < 0) return rc; count = rc; rc = nlbl_unlbl_staticlistdef(NULL, &addrdef_p); if (rc > 0) { addr_p_new = realloc(addr_p, sizeof(*addr_p) * (count + rc)); if (addr_p_new == NULL) goto list_return; addr_p = addr_p_new; memcpy(&addr_p[count], addrdef_p, sizeof(*addr_p) * rc); count += rc; } /* display the static label mappings */ if (opt_pretty != 0) { printf("Configured NetLabel address mappings (%zu)\n", count); for (iter = 0; iter < count; iter++) { iter_p = &addr_p[iter]; /* interface */ if (iter == 0 || iter_p->dev == NULL || strcmp(addr_p[iter - 1].dev, iter_p->dev) != 0) { printf(" interface: "); if (iter_p->dev != NULL) printf("%s\n", iter_p->dev); else printf("DEFAULT\n"); } /* address */ printf(" address: "); nlctl_addr_print(&iter_p->addr); printf("\n"); /* label */ printf(" label: \"%s\"\n", iter_p->label); } } else { if (count > 0) printf(" "); for (iter = 0; iter < count; iter++) { iter_p = &addr_p[iter]; /* interface */ printf("interface:"); if (iter_p->dev != NULL) printf("%s,", iter_p->dev); else printf("DEFAULT,"); /* address */ printf("address:"); nlctl_addr_print(&iter_p->addr); printf(","); /* label */ printf("label:\"%s\"", iter_p->label); if (iter + 1 < count) printf(" "); } printf("\n"); } list_return: if (addr_p != NULL) { for (iter = 0; iter < count; iter++) { if (addr_p[iter].dev != NULL) free(addr_p[iter].dev); if (addr_p[iter].label != NULL) free(addr_p[iter].label); } free(addr_p); } return rc; } /** * Add a static/fallback label configuration * @param argc the number of arguments * @param argv the argument list * * Add a fallback label configuration to the kernel. Returns zero on success, * negative values on failure. * */ static int unlbl_add(int argc, char *argv[]) { uint32_t iter; uint8_t def_flag = 0; nlbl_netdev dev = NULL; struct nlbl_netaddr addr; nlbl_secctx label = NULL; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; memset(&addr, 0, sizeof(addr)); /* parse the arguments */ for (iter = 0; iter < argc && argv[iter] != NULL; iter++) { if (strncmp(argv[iter], "interface:", 10) == 0) { dev = argv[iter] + 10; } else if (strncmp(argv[iter], "default", 7) == 0) { def_flag = 1; } else if (strncmp(argv[iter], "label:", 6) == 0) { label = argv[iter] + 6; } else if (strncmp(argv[iter], "address:", 8) == 0) { if (nlctl_addr_parse(argv[iter] + 8, &addr) != 0) return -EINVAL; } } /* add the mapping */ if (def_flag != 0) return nlbl_unlbl_staticadddef(NULL, &addr, label); else return nlbl_unlbl_staticadd(NULL, dev, &addr, label); } /** * Delete a static/fallback label configuration * @param argc the number of arguments * @param argv the argument list * * Deletes a fallback label configuration to the kernel. Returns zero on * success, negative values on failure. * */ static int unlbl_del(int argc, char *argv[]) { uint32_t iter; uint8_t def_flag = 0; nlbl_netdev dev = NULL; struct nlbl_netaddr addr; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; memset(&addr, 0, sizeof(addr)); /* parse the arguments */ for (iter = 0; iter < argc && argv[iter] != NULL; iter++) { if (strncmp(argv[iter], "interface:", 10) == 0) { dev = argv[iter] + 10; } else if (strncmp(argv[iter], "default", 7) == 0) { def_flag = 1; } else if (strncmp(argv[iter], "address:", 8) == 0) { if (nlctl_addr_parse(argv[iter] + 8, &addr) != 0) return -EINVAL; } } /* add the mapping */ if (def_flag != 0) return nlbl_unlbl_staticdeldef(NULL, &addr); else return nlbl_unlbl_staticdel(NULL, dev, &addr); } /** * Entry point for the NetLabel unlabeled functions * @param argc the number of arguments * @param argv the argument list * * Parses the argument list and performs the requested operation. Returns zero * on success, negative values on failure. * */ int unlbl_main(int argc, char *argv[]) { int rc; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; /* handle the request */ if (strcmp(argv[0], "accept") == 0) { /* accept flag */ rc = unlbl_accept(argc - 1, argv + 1); } else if (strcmp(argv[0], "list") == 0) { /* list */ rc = unlbl_list(); } else if (strcmp(argv[0], "add") == 0) { /* add */ rc = unlbl_add(argc - 1, argv + 1); } else if (strcmp(argv[0], "del") == 0) { /* del */ rc = unlbl_del(argc - 1, argv + 1); } else { /* unknown request */ rc = -EINVAL; } return rc; } netlabel_tools-master/netlabelctl/map.c0000644000175000017500000002466213630015602020451 0ustar paultagpaultag/* * Domain/Protocol Mapping Functions * * Author: Paul Moore * */ /* * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008 * * This program is free software: you can redistribute it and/or modify * it under the terms of version 2 of the GNU General Public License as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * */ #include #include #include #include #include #include #include #include #include "netlabelctl.h" /** * Add a domain mapping to NetLabel * @param argc the number of arguments * @param argv the argument list * * Add the specified domain mapping to the NetLabel system. Returns zero on * success, negative values on failure. * */ static int map_add(int argc, char *argv[]) { uint32_t iter; uint8_t def_flag = 0; struct nlbl_dommap domain; struct nlbl_netaddr addr; char *domain_proto_extra = NULL; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; memset(&domain, 0, sizeof(domain)); memset(&addr, 0, sizeof(addr)); /* parse the arguments */ for (iter = 0; iter < argc && argv[iter] != NULL; iter++) { if (strncmp(argv[iter], "domain:", 7) == 0) { domain.domain = argv[iter] + 7; } else if (strncmp(argv[iter], "address:", 8) == 0) { if (nlctl_addr_parse(argv[iter] + 8, &addr) != 0) return -EINVAL; } else if (strncmp(argv[iter], "protocol:", 9) == 0) { /* protocol specifics */ if (strncmp(argv[iter] + 9, "cipsov4", 7) == 0 || strncmp(argv[iter] + 9, "cipso", 5) == 0) { domain.proto_type = NETLBL_NLTYPE_CIPSOV4; domain.family = AF_INET; } else if (strncmp(argv[iter] + 9, "calipso", 7) == 0) { domain.proto_type = NETLBL_NLTYPE_CALIPSO; domain.family = AF_INET6; } else if (strncmp(argv[iter] + 9, "unlbl", 5) == 0) { domain.proto_type = NETLBL_NLTYPE_UNLABELED; domain.family = AF_UNSPEC; } else { return -EINVAL; } domain_proto_extra = strstr(argv[iter] + 9, ","); if (domain_proto_extra) domain_proto_extra++; } else if (strncmp(argv[iter], "default", 7) == 0) { def_flag = 1; } else return -EINVAL; } /* handle the protocol "extra" field */ switch (domain.proto_type) { case NETLBL_NLTYPE_CIPSOV4: if (domain_proto_extra == NULL) return -EINVAL; domain.proto.cip_doi = atoi(domain_proto_extra); break; case NETLBL_NLTYPE_CALIPSO: if (domain_proto_extra == NULL) return -EINVAL; domain.proto.clp_doi = atoi(domain_proto_extra); break; case NETLBL_NLTYPE_UNLABELED: if (domain_proto_extra != NULL) { int family = atoi(domain_proto_extra); switch (family) { case 4: domain.family = AF_INET; break; case 6: domain.family = AF_INET6; break; default: return -EINVAL; } } break; } if (domain.family == AF_UNSPEC && addr.type != 0) domain.family = addr.type; /* add the mapping */ if (def_flag != 0) return nlbl_mgmt_adddef(NULL, &domain, &addr); else return nlbl_mgmt_add(NULL, &domain, &addr); } /** * Delete a domain mapping from NetLabel * @param argc the number of arguments * @param argv the argument list * * Description: * Remove the specified domain mapping from the NetLabel system. Returns zero * on success, negative values on failure. * */ static int map_del(int argc, char *argv[]) { uint32_t iter; uint32_t def_flag = 0; char *domain = NULL; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; /* parse the arguments */ for (iter = 0; iter < argc && argv[iter] != NULL; iter++) { if (strncmp(argv[iter], "domain:", 7) == 0) { domain = argv[iter] + 7; } else if (strncmp(argv[iter], "default", 7) == 0) { def_flag = 1; } else return -EINVAL; } /* remove the mapping */ if (def_flag != 0) return nlbl_mgmt_deldef(NULL); else return nlbl_mgmt_del(NULL, domain); } /** * Output the NetLabel domain mappings * @param mapping the domain mappings * @param count the number of domain mappings * * Helper function to be called by map_list(). Note that we have preserved * the "CIPSOv4" so we don't break any scripts that may be in use. * */ static void map_list_print(struct nlbl_dommap *mapping, size_t count) { uint32_t iter_a; struct nlbl_dommap_addr *iter_b; for (iter_a = 0; iter_a < count; iter_a++) { /* domain string */ printf("domain:"); if (mapping[iter_a].domain != NULL) printf("\"%s\",", mapping[iter_a].domain); else printf("DEFAULT,"); /* protocol */ switch (mapping[iter_a].proto_type) { case NETLBL_NLTYPE_UNLABELED: printf("UNLABELED"); if (mapping[iter_a].family == AF_INET) printf(",4"); else if (mapping[iter_a].family == AF_INET6) printf(",6"); break; case NETLBL_NLTYPE_CIPSOV4: printf("CIPSOv4,%u", mapping[iter_a].proto.cip_doi); break; case NETLBL_NLTYPE_CALIPSO: printf("CALIPSO,%u", mapping[iter_a].proto.clp_doi); break; case NETLBL_NLTYPE_ADDRSELECT: iter_b = mapping[iter_a].proto.addrsel; while (iter_b) { printf("address:"); nlctl_addr_print(&iter_b->addr); printf(",protocol:"); switch (iter_b->proto_type) { case NETLBL_NLTYPE_UNLABELED: printf("UNLABELED"); break; case NETLBL_NLTYPE_CIPSOV4: printf("CIPSOv4,%u", iter_b->proto.cip_doi); break; case NETLBL_NLTYPE_CALIPSO: printf("CALIPSO,%u", iter_b->proto.clp_doi); break; default: printf("UNKNOWN(%u)", iter_b->proto_type); break; } iter_b = iter_b->next; if (iter_b) printf(","); } break; default: printf("UNKNOWN(%u)", mapping[iter_a].proto_type); break; } if (iter_a + 1 < count) printf(" "); } printf("\n"); } /** * Output the NetLabel domain mappings in human readable format * @param mapping the domain mappings * @param count the number of domain mappings * * Helper function to be called by map_list(). * */ static void map_list_print_pretty(struct nlbl_dommap *mapping, size_t count) { uint32_t iter_a; struct nlbl_dommap_addr *iter_b; printf("Configured NetLabel domain mappings (%zu)\n", count); for (iter_a = 0; iter_a < count; iter_a++) { /* domain string */ printf(" domain: "); if (mapping[iter_a].domain != NULL) printf("\"%s\"", mapping[iter_a].domain); else printf("DEFAULT"); /* family */ if (mapping[iter_a].family == AF_INET) printf(" (IPv4)\n"); else if (mapping[iter_a].family == AF_INET6) printf(" (IPv6)\n"); else if (mapping[iter_a].family == AF_UNSPEC) printf(" (IPv4/IPv6)\n"); /* protocol */ switch (mapping[iter_a].proto_type) { case NETLBL_NLTYPE_UNLABELED: printf(" protocol: UNLABELED\n"); break; case NETLBL_NLTYPE_CIPSOV4: printf(" protocol: CIPSO, DOI = %u\n", mapping[iter_a].proto.cip_doi); break; case NETLBL_NLTYPE_CALIPSO: printf(" protocol: CALIPSO, DOI = %u\n", mapping[iter_a].proto.clp_doi); break; case NETLBL_NLTYPE_ADDRSELECT: iter_b = mapping[iter_a].proto.addrsel; while (iter_b) { printf(" address: "); nlctl_addr_print(&iter_b->addr); printf("\n" " protocol: "); switch (iter_b->proto_type) { case NETLBL_NLTYPE_UNLABELED: printf("UNLABELED\n"); break; case NETLBL_NLTYPE_CIPSOV4: printf("CIPSO, DOI = %u\n", iter_b->proto.cip_doi); break; case NETLBL_NLTYPE_CALIPSO: printf("CALIPSO, DOI = %u\n", iter_b->proto.clp_doi); break; default: printf("UNKNOWN(%u)\n", iter_b->proto_type); break; } iter_b = iter_b->next; } break; default: printf("UNKNOWN(%u)\n", mapping[iter_a].proto_type); break; } } } /** * List the NetLabel domains mappings * @param argc the number of arguments * @param argv the argument list * * List the configured NetLabel domain mappings. Returns zero on success, * negative values on failure. * */ static int map_list(int argc, char *argv[]) { int rc; struct nlbl_dommap *mapping, *mapping_new; size_t count, def_count; uint32_t iter; uint16_t *family, families[] = {AF_INET, AF_INET6, AF_UNSPEC /* terminator */}; /* get the list of mappings */ rc = nlbl_mgmt_listall(NULL, &mapping); if (rc < 0) return rc; count = rc; /* get the default mapping */ mapping_new = realloc(mapping, sizeof(*mapping) * (count + 2)); if (mapping_new == NULL) goto list_return; mapping = mapping_new; memset(&mapping[count], 0, sizeof(*mapping) * 2); for (family = families, def_count = 0; *family != AF_UNSPEC; family++) { rc = nlbl_mgmt_listdef(NULL, *family, &mapping[count + def_count]); if (rc < 0 && rc != -ENOENT) goto list_return; else if (rc == 0) def_count += 1; else rc = 0; } /* If both defaults are unlabeled then combine them into a single entry */ if (def_count == 2 && mapping[count].proto_type == NETLBL_NLTYPE_UNLABELED && mapping[count + 1].proto_type == NETLBL_NLTYPE_UNLABELED) { mapping[count].family = AF_UNSPEC; def_count--; } count += def_count; /* display the results */ if (opt_pretty != 0) map_list_print_pretty(mapping, count); else map_list_print(mapping, count); list_return: if (mapping != NULL) { for (iter = 0; iter < count; iter++) if (mapping[iter].domain != NULL) free(mapping[iter].domain); free(mapping); } return rc; } /** * Entry point for the NetLabel mapping functions * @param argc the number of arguments * @param argv the argument list * * Parses the argument list and performs the requested operation. Returns zero * on success, negative values on failure. * */ int map_main(int argc, char *argv[]) { int rc; /* sanity checks */ if (argc <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL; /* handle the request */ if (strcmp(argv[0], "add") == 0) { /* add a domain mapping */ rc = map_add(argc - 1, argv + 1); } else if (strcmp(argv[0], "del") == 0) { /* delete a domain mapping */ rc = map_del(argc - 1, argv + 1); } else if (strcmp(argv[0], "list") == 0) { /* list the domain mappings */ rc = map_list(argc - 1, argv + 1); } else { /* unknown request */ rc = -EINVAL; } return rc; } netlabel_tools-master/netlabelctl/main.c0000644000175000017500000002167313630015602020617 0ustar paultagpaultag/* * NetLabel Control Utility, netlabelctl * * Author: Paul Moore * */ /* * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 * * This program is free software: you can redistribute it and/or modify * it under the terms of version 2 of the GNU General Public License as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * */ #include #include #include #include #include #include #include #include #include #include "netlabelctl.h" /* return values */ #define RET_OK 0 #define RET_ERR 1 #define RET_USAGE 2 /* option variables */ uint32_t opt_verbose = 0; uint32_t opt_timeout = 10; uint32_t opt_pretty = 0; /* program name */ char *nlctl_name = NULL; /** * Display usage information * @param fp the output file pointer * * Display brief usage information. * */ static void nlctl_usage_print(FILE *fp) { fprintf(fp, "usage: %s [] []\n", nlctl_name); } /** * Display version information * @param fp the output file pointer * * Display the version string. * */ static void nlctl_ver_print(FILE *fp) { fprintf(fp, "NetLabel Control Utility, version %s\n", VERSION); } /** * Display help information * @param fp the output file pointer * * Display help and usage information. * */ static void nlctl_help_print(FILE *fp) { nlctl_ver_print(fp); fprintf(fp, " Usage: %s [] []\n" "\n" " Flags:\n" " -h : help/usage message\n" " -p : make the output pretty\n" " -t : timeout\n" " -v : verbose mode\n" "\n" " Modules and Commands:\n" " mgmt : NetLabel management\n" " version\n" " protocols\n" " map : Domain/Protocol mapping\n" " add default|domain: [address:[/]]\n" " protocol:[,]\n" " del default|domain:\n" " list\n" " unlbl : Unlabeled packet handling\n" " accept on|off\n" " add default|interface: address:[/]\n" " label: