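--- a/netlabel_kapi.c	(3faa8f982f958961fda68b8d63e682fe77a032d4)
+++ b/netlabel_kapi.c	(ceba1832b1b2da0149c51de62a847c00bca1677a)
@@ -1,8 +1,8 @@
 /*
  * NetLabel Kernel API
  *
  * This file defines the kernel API for the NetLabel system. The NetLabel
  * system manages static and dynamic label mappings for network protocols such
  * as CIPSO and RIPSO.
  *
  * Author: Paul Moore <paul@paul-moore.com>
@@ -32,22 +32,24 @@
 #include <linux/slab.h>
 #include <linux/audit.h>
 #include <linux/in.h>
 #include <linux/in6.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include <net/netlabel.h>
 #include <net/cipso_ipv4.h>
+#include <net/calipso.h>
 #include <asm/bug.h>
 #include <linux/atomic.h>
 
 #include "netlabel_domainhash.h"
 #include "netlabel_unlabeled.h"
 #include "netlabel_cipso_v4.h"
+#include "netlabel_calipso.h"
 #include "netlabel_user.h"
 #include "netlabel_mgmt.h"
 #include "netlabel_addrlist.h"
 
 /*
  * Configuration Functions
  */
 
@@ -516,16 +518,17 @@
  return -ENOENT;
  }
  bitmap = iter->bitmap[idx];
  bit = 0;
  }
 
  return -ENOENT;
 }
+EXPORT_SYMBOL(netlbl_catmap_walk);
 
 /**
  * netlbl_catmap_walkrng - Find the end of a string of set bits
  * @catmap: the category bitmap
  * @offset: the offset to start searching at, in bits
  *
  * Description:
  * This function walks a LSM secattr category bitmap starting at @offset and
@@ -651,16 +654,17 @@
  return -ENOMEM;
 
  bit -= iter->startbit;
  idx = bit / NETLBL_CATMAP_MAPSIZE;
  iter->bitmap[idx] |= NETLBL_CATMAP_BIT << (bit % NETLBL_CATMAP_MAPSIZE);
 
  return 0;
 }
+EXPORT_SYMBOL(netlbl_catmap_setbit);
 
 /**
  * netlbl_catmap_setrng - Set a range of bits in a LSM secattr catmap
  * @catmap: pointer to the category bitmap
  * @start: the starting bit
  * @end: the last bit in the string
  * @flags: memory allocation flags
  *
@@ -865,19 +869,31 @@
  ret_val = 0;
  break;
  default:
  ret_val = -ENOENT;
  }
  break;
 #if IS_ENABLED(CONFIG_IPV6)
  case AF_INET6:
- /* since we don't support any IPv6 labeling protocols right
- * now we can optimize everything away until we do */
- ret_val = 0;
+ switch (dom_entry->def.type) {
+ case NETLBL_NLTYPE_ADDRSELECT:
+ ret_val = -EDESTADDRREQ;
+ break;
+ case NETLBL_NLTYPE_CALIPSO:
+ ret_val = calipso_sock_setattr(sk,
+ dom_entry->def.calipso,
+ secattr);
+ break;
+ case NETLBL_NLTYPE_UNLABELED:
+ ret_val = 0;
+ break;
+ default:
+ ret_val = -ENOENT;
+ }
  break;
 #endif /* IPv6 */
  default:
  ret_val = -EPROTONOSUPPORT;
  }
 
 socket_setattr_return:
  rcu_read_unlock();
@@ -894,16 +910,21 @@
  *
  */
 void netlbl_sock_delattr(struct sock *sk)
 {
  switch (sk->sk_family) {
  case AF_INET:
  cipso_v4_sock_delattr(sk);
  break;
+#if IS_ENABLED(CONFIG_IPV6)
+ case AF_INET6:
+ calipso_sock_delattr(sk);
+ break;
+#endif /* IPv6 */
  }
 }
 
 /**
  * netlbl_sock_getattr - Determine the security attributes of a sock
  * @sk: the sock
  * @secattr: the security attributes
  *
@@ -920,17 +941,17 @@
  int ret_val;
 
  switch (sk->sk_family) {
  case AF_INET:
  ret_val = cipso_v4_sock_getattr(sk, secattr);
  break;
 #if IS_ENABLED(CONFIG_IPV6)
  case AF_INET6:
- ret_val = -ENOMSG;
+ ret_val = calipso_sock_getattr(sk, secattr);
  break;
 #endif /* IPv6 */
  default:
  ret_val = -EPROTONOSUPPORT;
  }
 
  return ret_val;
 }
@@ -948,16 +969,19 @@
  *
  */
 int netlbl_conn_setattr(struct sock *sk,
  struct sockaddr *addr,
  const struct netlbl_lsm_secattr *secattr)
 {
  int ret_val;
  struct sockaddr_in *addr4;
+#if IS_ENABLED(CONFIG_IPV6)
+ struct sockaddr_in6 *addr6;
+#endif
  struct netlbl_dommap_def *entry;
 
  rcu_read_lock();
  switch (addr->sa_family) {
  case AF_INET:
  addr4 = (struct sockaddr_in *)addr;
  entry = netlbl_domhsh_getentry_af4(secattr->domain,
  addr4->sin_addr.s_addr);
@@ -968,28 +992,46 @@
  switch (entry->type) {
  case NETLBL_NLTYPE_CIPSOV4:
  ret_val = cipso_v4_sock_setattr(sk,
  entry->cipso, secattr);
  break;
  case NETLBL_NLTYPE_UNLABELED:
  /* just delete the protocols we support for right now
  * but we could remove other protocols if needed */
- cipso_v4_sock_delattr(sk);
+ netlbl_sock_delattr(sk);
  ret_val = 0;
  break;
  default:
  ret_val = -ENOENT;
  }
  break;
 #if IS_ENABLED(CONFIG_IPV6)
  case AF_INET6:
- /* since we don't support any IPv6 labeling protocols right
- * now we can optimize everything away until we do */
- ret_val = 0;
+ addr6 = (struct sockaddr_in6 *)addr;
+ entry = netlbl_domhsh_getentry_af6(secattr->domain,
+ &addr6->sin6_addr);
+ if (entry == NULL) {
+ ret_val = -ENOENT;
+ goto conn_setattr_return;
+ }
+ switch (entry->type) {
+ case NETLBL_NLTYPE_CALIPSO:
+ ret_val = calipso_sock_setattr(sk,
+ entry->calipso, secattr);
+ break;
+ case NETLBL_NLTYPE_UNLABELED:
+ /* just delete the protocols we support for right now
+ * but we could remove other protocols if needed */
+ netlbl_sock_delattr(sk);
+ ret_val = 0;
+ break;
+ default:
+ ret_val = -ENOENT;
+ }
  break;
 #endif /* IPv6 */
  default:
  ret_val = -EPROTONOSUPPORT;
  }
 
 conn_setattr_return:
  rcu_read_unlock();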
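Review bot: netlbl_conn_setattr() receives no address length, so the new `addr6 = (struct sockaddr_in6 *)addr;` in the AF_INET6 branch trusts every caller to have checked that the buffer holds a full struct sockaddr_in6 before `&addr6->sin6_addr` is passed to netlbl_domhsh_getentry_af6(). The AF_INET branch already relies on the same assumption, but sockaddr_in6 is the larger structure, so a caller that validated only sa_family or an IPv4-sized length would let the domain lookup use bytes the caller never supplied. The function's kernel-doc and the rest of its body are hidden on this page, so this may already be stated; if not, I would add a line such as `The caller must ensure @addr is at least sizeof(struct sockaddr_in6) when sa_family is AF_INET6.` Separately, both NETLBL_NLTYPE_UNLABELED branches now call netlbl_sock_delattr(), which dispatches on sk->sk_family while the enclosing switch dispatches on addr->sa_family, so a short comment saying the two are expected to agree would help.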