.gear/netlabel_tools.spec | 63 +++++++++
.gear/rules | 3 +
.../tags/e9493c33ab8ccc76d26f3e1dfcc8396e22e8d4c7 | 6 +
.gear/tags/list | 1 +
include/libnetlabel.h | 2 +
include/netlabel.h | 3 +
libnetlabel/mod_mgmt.c | 149 +++++++++++++++++++++
netlabelctl/main.c | 1 +
netlabelctl/map.c | 41 ++++++
9 files changed, 269 insertions(+)
diff --git a/.gear/netlabel_tools.spec b/.gear/netlabel_tools.spec
new file mode 100644
index 0000000..96a8ba8
--- /dev/null
+++ b/.gear/netlabel_tools.spec
@@ -0,0 +1,63 @@
+Name: netlabel_tools
+Version: 0.30.0
+Release: alt2%ubt
+Summary: Configuration tools for the Linux NetLabel subsystem
+License: %gpl2only
+Group: System/Base
+Url: https://github.com/netlabel/netlabel_tools
+
+Source: %name-%version.tar
+Patch1: %name-%version-alt.patch
+
+BuildRequires(pre): rpm-build-licenses rpm-build-ubt
+BuildRequires: libnl-devel doxygen systemd-devel
+
+%description
+NetLabel is a packet labeling framework that has been present in the upstream
+Linux Kernel since 2.6.19. The NetLabel Tools project is a set of userspace
+tools and libraries designed to make it easier to use and manage the Linux
+Kernel's NetLabel configuration.
+
+%prep
+%setup
+%patch1 -p1
+
+%build
+%autoreconf
+%configure --with-systemdsystemunitdir=auto
+%make_build
+
+%install
+%makeinstall_std
+
+%files
+%config(noreplace) %_sysconfdir/netlabel.rules
+%systemd_unitdir/netlabel.service
+%_sbindir/netlabel-config
+%_sbindir/netlabelctl
+%_man8dir/netlabel-config.8.*
+%_man8dir/netlabelctl.8.*
+
+%changelog
+* Tue Apr 03 2018 Aleksei Nikiforov 0.30.0-alt2%ubt
+- Updated to upstream version 0.30.0.
+
+* Thu Mar 22 2018 Igor Vlasenko 0.21-alt2
+- NMU: added URL
+
+* Wed Jan 18 2017 Anton Farygin 0.21-alt1%ubt
+- added ubt tag
+- netlabel.rules marked as non-replaced config
+
+* Tue Jan 17 2017 Anton Farygin 0.21-alt1
+- updated to 0.21
+
+* Tue Jan 12 2016 Mikhail Efremov 0.20-alt3
+- Don't specify extensions for man pages.
+- Port to libnl3.
+
+* Wed Jul 17 2013 Andriy Stepanov 0.20-alt2
+- Add mark s0 flag
+
+* Thu Jun 20 2013 Andriy Stepanov 0.20-alt1
+- Initial build for ALT Linux
diff --git a/.gear/rules b/.gear/rules
new file mode 100644
index 0000000..415efe4
--- /dev/null
+++ b/.gear/rules
@@ -0,0 +1,3 @@
+spec: .gear/netlabel_tools.spec
+tar: v@version@:.
+diff: v@version@:. . name=@name@-@version@-alt.patch
diff --git a/.gear/tags/e9493c33ab8ccc76d26f3e1dfcc8396e22e8d4c7 b/.gear/tags/e9493c33ab8ccc76d26f3e1dfcc8396e22e8d4c7
new file mode 100644
index 0000000..f553b67
--- /dev/null
+++ b/.gear/tags/e9493c33ab8ccc76d26f3e1dfcc8396e22e8d4c7
@@ -0,0 +1,6 @@
+object 341fe04eb75127b94af9bc6dbfa809e021e09364
+type commit
+tag v0.30.0
+tagger Paul Moore 1481237290 -0500
+
+version 0.30.0
diff --git a/.gear/tags/list b/.gear/tags/list
new file mode 100644
index 0000000..985b403
--- /dev/null
+++ b/.gear/tags/list
@@ -0,0 +1 @@
+e9493c33ab8ccc76d26f3e1dfcc8396e22e8d4c7 v0.30.0
diff --git a/include/libnetlabel.h b/include/libnetlabel.h
index a377337..ef7280d 100644
--- a/include/libnetlabel.h
+++ b/include/libnetlabel.h
@@ -324,6 +324,8 @@ int nlbl_mgmt_deldef(struct nlbl_handle *hndl);
 int nlbl_mgmt_listall(struct nlbl_handle *hndl, struct nlbl_dommap **domains);
 int nlbl_mgmt_listdef(struct nlbl_handle *hndl, uint16_t family, struct nlbl_dommap *domain);
+int nlbl_mgmt_s0_set(struct nlbl_handle *hndl, uint8_t mark_flag);
+int nlbl_mgmt_s0_get(struct nlbl_handle *hndl, uint8_t *mark_flag);
 /* Unlabeled Traffic */
 int nlbl_unlbl_accept(struct nlbl_handle *hndl, uint8_t allow_flag);
diff --git a/include/netlabel.h b/include/netlabel.h
index 3dc8711..389c273 100644
--- a/include/netlabel.h
+++ b/include/netlabel.h
@@ -69,6 +69,8 @@ enum {
 NLBL_MGMT_C_LISTDEF,
 NLBL_MGMT_C_PROTOCOLS,
 NLBL_MGMT_C_VERSION,
+ NLBL_MGMT_C_S0_SET,
+ NLBL_MGMT_C_S0_GET,
 __NLBL_MGMT_C_MAX,
 };
 #define NLBL_MGMT_C_MAX (__NLBL_MGMT_C_MAX - 1)
@@ -90,6 +92,7 @@ enum {
 NLBL_MGMT_A_SELECTORLIST,
 NLBL_MGMT_A_FAMILY,
 NLBL_MGMT_A_CLPDOI,
+ NLBL_MGMT_A_S0,
 __NLBL_MGMT_A_MAX,
 };
 #define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1)
diff --git a/libnetlabel/mod_mgmt.c b/libnetlabel/mod_mgmt.c
index e334ab5..6a36369 100644
--- a/libnetlabel/mod_mgmt.c
+++ b/libnetlabel/mod_mgmt.c
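Review bot: The new NLBL_MGMT_C_S0_SET, NLBL_MGMT_C_S0_GET and NLBL_MGMT_A_S0 values in include/netlabel.h are appended to enums that, judging by their use as the generic-netlink command and attribute IDs in the mod_mgmt.c hunk, form the wire protocol shared with the kernel's NetLabel family, yet nothing marks them as a distribution-local extension. If these IDs are not in the upstream kernel header, a stock kernel will reject the commands and any later upstream command or attribute assigned the same number would be silently aliased by this tool. I would add above the additions `/* ALT extension, not upstream NetLabel ABI: needs a kernel carrying the matching s0-mark patch; renumber if upstream claims these IDs */`, and a one-line pointer on the two new prototypes in libnetlabel.h, e.g. `/* s0 mark flag (kernel extension); see NLBL_MGMT_C_S0_* */`. The two enum bodies open outside these hunks.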
@@ -285,6 +285,155 @@ init_return:
 */
 /**
+ * Set the mark s0 flag
+ * @param hndl the NetLabel handle
+ * @param mark_flag the desired s0 flag setting
+ *
+ * Set the mark s0 flag in the NetLabel system; if @mark_flag is
+ * true then set the mark s0 flag, otherwise clear the flag. If @hndl is NULL
+ * then the function will handle opening and closing it's own NetLabel handle.
+ * Returns zero on success, negative values on failure.
+ *
+ */
+int nlbl_mgmt_s0_set(struct nlbl_handle *hndl, uint8_t mark_flag)
+{
+ int ret_val = -ENOMEM;
+ struct nlbl_handle *p_hndl = hndl;
+ nlbl_msg *msg = NULL;
+ nlbl_msg *ans_msg = NULL;
+
+ /* sanity checks */
+ if (nlbl_mgmt_fid == 0)
+ return -ENOPROTOOPT;
+
+ /* open a handle if we need one */
+ if (p_hndl == NULL) {
+ p_hndl = nlbl_comm_open();
+ if (p_hndl == NULL)
+ goto accept_return;
+ }
+
+ /* create a new message */
+ msg = nlbl_mgmt_msg_new(NLBL_MGMT_C_S0_SET, 0);
+ if (msg == NULL)
+ goto accept_return;
+
+ /* add the required attributes to the message */
+ if (mark_flag)
+ ret_val = nla_put_u8(msg, NLBL_MGMT_A_S0, 1);
+ else
+ ret_val = nla_put_u8(msg, NLBL_MGMT_A_S0, 0);
+ if (ret_val != 0)
+ goto accept_return;
+
+ /* send the request */
+ ret_val = nlbl_comm_send(p_hndl, msg);
+ if (ret_val <= 0) {
+ if (ret_val == 0)
+ ret_val = -ENODATA;
+ goto accept_return;
+ }
+
+ /* read the response */
+ ret_val = nlbl_mgmt_recv(p_hndl, &ans_msg);
+ if (ret_val <= 0) {
+ if (ret_val == 0)
+ ret_val = -ENODATA;
+ goto accept_return;
+ }
+
+ /* process the response */
+ ret_val = nlbl_mgmt_parse_ack(ans_msg);
+
+accept_return:
+ if (hndl == NULL)
+ nlbl_comm_close(p_hndl);
+ nlbl_msg_free(msg);
+ nlbl_msg_free(ans_msg);
+ return ret_val;
+}
+
+/**
+ * Query the s0 mark flag
+ * @param hndl the NetLabel handle
+ * @param mark_flag the current s0 mark flag setting
+ *
+ * Query the s0 mark flag in the NetLabel system. If @hndl is NULL then
+ * the function will handle opening and closing it's own NetLabel handle.
+ * Returns zero on success, negative values on failure.
+ *
+ */
+int nlbl_mgmt_s0_get(struct nlbl_handle *hndl, uint8_t *mark_flag)
+{
+ int ret_val = -ENOMEM;
+ struct nlbl_handle *p_hndl = hndl;
+ nlbl_msg *msg = NULL;
+ nlbl_msg *ans_msg = NULL;
+ struct genlmsghdr *genl_hdr;
+ struct nlattr *nla;
+
+ /* sanity checks */
+ if (mark_flag == NULL)
+ return -EINVAL;
+ if (nlbl_mgmt_fid == 0)
+ return -ENOPROTOOPT;
+
+ /* open a handle if we need one */
+ if (p_hndl == NULL) {
+ p_hndl = nlbl_comm_open();
+ if (p_hndl == NULL)
+ goto list_return;
+ }
+
+ /* create a new message */
+ msg = nlbl_mgmt_msg_new(NLBL_MGMT_C_S0_GET, 0);
+ if (msg == NULL)
+ goto list_return;
+
+ /* send the request */
+ ret_val = nlbl_comm_send(p_hndl, msg);
+ if (ret_val <= 0) {
+ if (ret_val == 0)
+ ret_val = -ENODATA;
+ goto list_return;
+ }
+
+ /* read the response */
+ ret_val = nlbl_mgmt_recv(p_hndl, &ans_msg);
+ if (ret_val <= 0) {
+ if (ret_val == 0)
+ ret_val = -ENODATA;
+ goto list_return;
+ }
+
+ /* check the response */
+ ret_val = nlbl_mgmt_parse_ack(ans_msg);
+ if (ret_val < 0 && ret_val != -ENOMSG)
+ goto list_return;
+ genl_hdr = nlbl_msg_genlhdr(ans_msg);
+ if (genl_hdr == NULL || genl_hdr->cmd != NLBL_MGMT_C_S0_GET) {
+ ret_val = -EBADMSG;
+ goto list_return;
+ }
+
+ /* process the response */
+ nla = nlbl_attr_find(ans_msg, NLBL_MGMT_A_S0);
+ if (nla == NULL)
+ goto list_return;
+ *mark_flag = nla_get_u8(nla);
+
+ ret_val = 0;
+
+list_return:
+ if (hndl == NULL)
+ nlbl_comm_close(p_hndl);
+ nlbl_msg_free(msg);
+ nlbl_msg_free(ans_msg);
+ return ret_val;
+}
+
+
+/**
 * Determine the supported list of NetLabel protocols
 * @param hndl the NetLabel handle
 * @param protocols protocol array
diff --git a/netlabelctl/main.c b/netlabelctl/main.c
index 0aa1d56..48b5f9a 100644
--- a/netlabelctl/main.c
+++ b/netlabelctl/main.c
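Review bot: In nlbl_mgmt_s0_get, when `nlbl_attr_find` returns NULL for NLBL_MGMT_A_S0 the code jumps to list_return with whatever nlbl_mgmt_parse_ack left in ret_val: the preceding check deliberately lets -ENOMSG and non-negative values through, so a reply lacking the attribute is reported as "no message", and if parse_ack had returned 0 the caller would get success with `*mark_flag` never written (map_list would then print an uninitialized flag); the `genl_hdr->cmd` check a few lines earlier already uses -EBADMSG for a malformed reply, so I would write `if (nla == NULL) { ret_val = -EBADMSG; goto list_return; }`. In nlbl_mgmt_s0_set the cleanup label is `accept_return`, evidently carried over from nlbl_unlbl_accept; `s0_set_return` would follow the label-per-function naming the file otherwise uses. The two-branch `if (mark_flag) ... else ...` around nla_put_u8 can collapse to `ret_val = nla_put_u8(msg, NLBL_MGMT_A_S0, mark_flag ? 1 : 0);`. Both new doc comments say "it's own" where "its own" is meant, and there are two blank lines between the closing brace of nlbl_mgmt_s0_get and the re-added `/**`.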
@@ -97,6 +97,7 @@ static void nlctl_help_print(FILE *fp)
 " version\n"
 " protocols\n"
 " map : Domain/Protocol mapping\n"
+ " s0 on|off\n"
 " add default|domain: [address:[/]]\n"
 " protocol:[,]\n"
 " del default|domain:\n"
diff --git a/netlabelctl/map.c b/netlabelctl/map.c
index 6ebc4f5..d075c19 100644
--- a/netlabelctl/map.c
+++ b/netlabelctl/map.c
@@ -35,6 +35,39 @@
 #include "netlabelctl.h"
 /**
+ * Set the NetLabel s0 flag
+ * @param argc the number of arguments
+ * @param argv the argument list
+ *
+ * Set the kernel's label s0 flag. Returns zero on success,
+ * negative values on failure.
+ *
+ */
+int map_s0(int argc, char *argv[])
+{
+ int rc;
+ uint8_t flag;
+
+ /* sanity check */
+ if (argc != 1 || argv == NULL || argv[0] == NULL)
+ return -EINVAL;
+
+ /* set or reset the flag? */
+ if (strcasecmp(argv[0], "on") == 0 || strcmp(argv[0], "1") == 0)
+ flag = 1;
+ else if (strcasecmp(argv[0], "off") == 0 || strcmp(argv[0], "0") == 0)
+ flag = 0;
+ else
+ return -EINVAL;
+
+ rc = nlbl_mgmt_s0_set(NULL, flag);
+ if (rc < 0)
+ return rc;
+
+ return 0;
+}
+
+/**
 * Add a domain mapping to NetLabel
 * @param argc the number of arguments
 * @param argv the argument list
@@ -330,6 +363,11 @@ static int map_list(int argc, char *argv[])
 size_t count, def_count;
 uint32_t iter;
 uint16_t *family, families[] = {AF_INET, AF_INET6, AF_UNSPEC /* terminator */};
+ uint8_t flag;
+
+ /* display the s0 mark flag */
+ rc = nlbl_mgmt_s0_get(NULL, &flag);
+ printf("Mark s0 packets: %s\n", ((rc < 0) ? "unsupported" : (flag ? "on" : "off")));
 /* get the list of mappings */
 rc = nlbl_mgmt_listall(NULL, &mapping);
@@ -405,6 +443,9 @@ int map_main(int argc, char *argv[])
 } else if (strcmp(argv[0], "list") == 0) {
 /* list the domain mappings */
 rc = map_list(argc - 1, argv + 1);
+ } else if (strcmp(argv[0], "s0") == 0) {
+ /* accept flag */
+ rc = map_s0(argc - 1, argv + 1);
 } else {
 /* unknown request */
 rc = -EINVAL;
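Review bot: The printf added to map_list prints "unsupported" for every negative return from nlbl_mgmt_s0_get, so a permission failure (NetLabel management commands are, as far as I know, gated on CAP_NET_ADMIN) or a netlink transport error is indistinguishable from a kernel that simply lacks the s0 extension; I would reserve that word for the not-implemented codes and surface the rest, e.g. `(rc < 0) ? ((rc == -ENOPROTOOPT || rc == -EOPNOTSUPP) ? "unsupported" : "error") : (flag ? "on" : "off")`. map_s0 is defined without `static` although the sibling handler visible in this hunk (`static int map_list`) is file-local and map_s0 is only dispatched from map_main; `static int map_s0(int argc, char *argv[])` keeps the symbol out of the binary's exports. The `/* accept flag */` comment on the new map_main branch reads like a leftover from the unlabeled-traffic code; `/* set the s0 mark flag */` says what the branch does. The help text in main.c advertises `s0 on|off` while map_s0 also accepts `1`/`0`, so either document both spellings or drop the numeric forms. map_list's and map_main's bodies continue outside their hunks.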