/*
* Callbacks for user-supplied memory allocation, supplemental
* auditing, and locking routines.
*
* Author : Eamon Walsh <ewalsh@epoch.ncsc.mil>
*
* Netlink code derived in part from sample code by
* James Morris <jmorris@redhat.com>.
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <asm/types.h>
#include <linux/netlink.h>
#include "selinux_netlink.h"
#include "avc_internal.h"
#ifndef NETLINK_SELINUX
#define NETLINK_SELINUX 7
#endif
/* callback pointers */
void *(*avc_func_malloc)(size_t) = NULL;
void (*avc_func_free)(void*) = NULL;
void (*avc_func_log)(const char*, ...) = NULL;
void (*avc_func_audit)(void*,security_class_t,char*,size_t) = NULL;
int avc_using_threads = 0;
void *(*avc_func_create_thread)(void (*)(void)) = NULL;
void (*avc_func_stop_thread)(void*) = NULL;
void *(*avc_func_alloc_lock)(void) = NULL;
void (*avc_func_get_lock)(void*) = NULL;
void (*avc_func_release_lock)(void*) = NULL;
void (*avc_func_free_lock)(void*) = NULL;
/* message prefix string and avc enforcing mode */
char avc_prefix[AVC_PREFIX_SIZE] = "uavc";
int avc_enforcing = 1;
int avc_netlink_trouble = 0;
/* netlink socket code */
static int fd;
int avc_netlink_open(int blocking) {
int len, rc = 0;
struct sockaddr_nl addr;
fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_SELINUX);
if (fd < 0) {
rc = fd;
goto out;
}
if (!blocking && fcntl(fd, F_SETFL, O_NONBLOCK)) {
close(fd);
rc = -1;
goto out;
}
len = sizeof(addr);
memset(&addr, 0, len);
addr.nl_family = AF_NETLINK;
addr.nl_groups = SELNL_GRP_AVC;
if (bind(fd, (struct sockaddr *)&addr, len) < 0) {
close(fd);
rc = -1;
goto out;
}
out:
return rc;
}
void avc_netlink_close(void) {
close(fd);
}
int avc_netlink_check_nb(void) {
int rc;
struct sockaddr_nl nladdr;
socklen_t nladdrlen = sizeof nladdr;
char buf[1024];
struct nlmsghdr *nlh;
while (1) {
rc = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr*)&nladdr, &nladdrlen);
if (rc < 0) {
if (errno == EINTR)
continue;
if (errno != EAGAIN) {
avc_log("%s: socket error during read: %d\n", avc_prefix, errno);
} else {
errno = 0;
rc = 0;
}
goto out;
}
if (nladdrlen != sizeof nladdr) {
avc_log("%s: warning: netlink address truncated, len %d?\n",
avc_prefix, nladdrlen);
rc = -1;
goto out;
}
if (nladdr.nl_pid) {
avc_log("%s: warning: received spoofed netlink packet from: %d\n",
avc_prefix, nladdr.nl_pid);
continue;
}
if (rc == 0) {
avc_log("%s: warning: received EOF on socket\n", avc_prefix);
goto out;
}
nlh = (struct nlmsghdr *)buf;
if (nlh->nlmsg_flags & MSG_TRUNC || nlh->nlmsg_len > (unsigned)rc) {
avc_log("%s: warning: incomplete netlink message\n", avc_prefix);
goto out;
}
rc = 0;
switch (nlh->nlmsg_type) {
case NLMSG_ERROR: {
struct nlmsgerr *err = NLMSG_DATA(nlh);
/* Netlink ack */
if (err->error == 0)
break;
errno = -err->error;
avc_log("%s: netlink error: %d\n", avc_prefix, errno);
rc = -1;
goto out;
}
case SELNL_MSG_SETENFORCE: {
struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
avc_log("%s: received setenforce notice (enforcing=%d)\n",
avc_prefix, msg->val);
avc_enforcing = msg->val;
break;
}
case SELNL_MSG_POLICYLOAD: {
struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
avc_log("%s: received policyload notice (seqno=%d)\n",
avc_prefix, msg->seqno);
rc = avc_ss_reset(msg->seqno);
if (rc < 0) {
avc_log("%s: cache reset returned %d (errno %d)\n",
avc_prefix, rc, errno);
goto out;
}
break;
}
default:
avc_log("%s: warning: unknown netlink message %d\n",
avc_prefix, nlh->nlmsg_type);
}
}
out:
return rc;
}
/* run routine for the netlink listening thread */
void avc_netlink_loop(void) {
int ret;
struct sockaddr_nl nladdr;
socklen_t nladdrlen = sizeof nladdr;
char buf[1024];
struct nlmsghdr *nlh;
while (1) {
ret = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr*)&nladdr, &nladdrlen);
if (ret < 0) {
if (errno == EINTR)
continue;
avc_log("%s: netlink thread: recvfrom: error %d\n", avc_prefix, errno);
goto out;
}
if (nladdrlen != sizeof nladdr) {
avc_log("%s: warning: netlink address truncated, len %d?\n",
avc_prefix, nladdrlen);
ret = -1;
goto out;
}
if (nladdr.nl_pid) {
avc_log("%s: warning: received spoofed netlink packet from: %d\n",
avc_prefix, nladdr.nl_pid);
continue;
}
if (ret == 0) {
avc_log("%s: netlink thread: received EOF on socket\n", avc_prefix);
goto out;
}
nlh = (struct nlmsghdr *)buf;
if (nlh->nlmsg_flags & MSG_TRUNC || nlh->nlmsg_len > (unsigned) ret) {
avc_log("%s: netlink thread: incomplete netlink message\n", avc_prefix);
goto out;
}
switch (nlh->nlmsg_type) {
case NLMSG_ERROR: {
struct nlmsgerr *err = NLMSG_DATA(nlh);
/* Netlink ack */
if (err->error == 0)
break;
avc_log("%s: netlink thread: msg: error %d\n", avc_prefix, -err->error);
goto out;
}
case SELNL_MSG_SETENFORCE: {
struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
avc_log("%s: received setenforce notice (enforcing=%d)\n",
avc_prefix, msg->val);
avc_enforcing = msg->val;
break;
}
case SELNL_MSG_POLICYLOAD: {
struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
avc_log("%s: received policyload notice (seqno=%d)\n",
avc_prefix, msg->seqno);
ret = avc_ss_reset(msg->seqno);
if (ret < 0) {
avc_log("%s: netlink thread: cache reset returned %d (errno %d)\n",
avc_prefix, ret, errno);
goto out;
}
break;
}
default:
avc_log("%s: netlink thread: warning: unknown msg type %d\n",
avc_prefix, nlh->nlmsg_type);
}
}
out:
close(fd);
avc_netlink_trouble = 1;
avc_log("%s: netlink thread: errors encountered, terminating\n",
avc_prefix);
}