1 /* 2 * NetLabel Kernel API 3 * 4 * This file defines the kernel API for the NetLabel system. The NetLabel 5 * system manages static and dynamic label mappings for network protocols such 6 * as CIPSO and RIPSO. 7 * 8 * Author: Paul Moore <paul.moore@hp.com> 9 * 10 */ 11 12 /* 13 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008 14 * 15 * This program is free software; you can redistribute it and/or modify 16 * it under the terms of the GNU General Public License as published by 17 * the Free Software Foundation; either version 2 of the License, or 18 * (at your option) any later version. 19 * 20 * This program is distributed in the hope that it will be useful, 21 * but WITHOUT ANY WARRANTY; without even the implied warranty of 22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 23 * the GNU General Public License for more details. 24 * 25 * You should have received a copy of the GNU General Public License 26 * along with this program; if not, write to the Free Software 27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 28 * 29 */ 30 31 #include <linux/init.h> 32 #include <linux/types.h> 33 #include <linux/audit.h> 34 #include <net/ip.h> 35 #include <net/netlabel.h> 36 #include <net/cipso_ipv4.h> 37 #include <asm/bug.h> 38 #include <asm/atomic.h> 39 40 #include "netlabel_domainhash.h" 41 #include "netlabel_unlabeled.h" 42 #include "netlabel_cipso_v4.h" 43 #include "netlabel_user.h" 44 #include "netlabel_mgmt.h" 45 46 /* 47 * Configuration Functions 48 */ 49 50 /** 51 * netlbl_cfg_map_del - Remove a NetLabel/LSM domain mapping 52 * @domain: the domain mapping to remove 53 * @audit_info: NetLabel audit information 54 * 55 * Description: 56 * Removes a NetLabel/LSM domain mapping. A @domain value of NULL causes the 57 * default domain mapping to be removed. Returns zero on success, negative 58 * values on failure. 59 * 60 */ 61 int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info) 62 { 63 return netlbl_domhsh_remove(domain, audit_info); 64 } 65 66 /** 67 * netlbl_cfg_unlbl_add_map - Add an unlabeled NetLabel/LSM domain mapping 68 * @domain: the domain mapping to add 69 * @audit_info: NetLabel audit information 70 * 71 * Description: 72 * Adds a new unlabeled NetLabel/LSM domain mapping. A @domain value of NULL 73 * causes a new default domain mapping to be added. Returns zero on success, 74 * negative values on failure. 75 * 76 */ 77 int netlbl_cfg_unlbl_add_map(const char *domain, 78 struct netlbl_audit *audit_info) 79 { 80 int ret_val = -ENOMEM; 81 struct netlbl_dom_map *entry; 82 83 entry = kzalloc(sizeof(*entry), GFP_ATOMIC); 84 if (entry == NULL) 85 return -ENOMEM; 86 if (domain != NULL) { 87 entry->domain = kstrdup(domain, GFP_ATOMIC); 88 if (entry->domain == NULL) 89 goto cfg_unlbl_add_map_failure; 90 } 91 entry->type = NETLBL_NLTYPE_UNLABELED; 92 93 ret_val = netlbl_domhsh_add(entry, audit_info); 94 if (ret_val != 0) 95 goto cfg_unlbl_add_map_failure; 96 97 return 0; 98 99 cfg_unlbl_add_map_failure: 100 if (entry != NULL) 101 kfree(entry->domain); 102 kfree(entry); 103 return ret_val; 104 } 105 106 /** 107 * netlbl_cfg_cipsov4_add_map - Add a new CIPSOv4 DOI definition and mapping 108 * @doi_def: the DOI definition 109 * @domain: the domain mapping to add 110 * @audit_info: NetLabel audit information 111 * 112 * Description: 113 * Add a new CIPSOv4 DOI definition and NetLabel/LSM domain mapping for this 114 * new DOI definition to the NetLabel subsystem. A @domain value of NULL adds 115 * a new default domain mapping. Returns zero on success, negative values on 116 * failure. 117 * 118 */ 119 int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, 120 const char *domain, 121 struct netlbl_audit *audit_info) 122 { 123 int ret_val = -ENOMEM; 124 u32 doi; 125 u32 doi_type; 126 struct netlbl_dom_map *entry; 127 const char *type_str; 128 struct audit_buffer *audit_buf; 129 130 doi = doi_def->doi; 131 doi_type = doi_def->type; 132 133 entry = kzalloc(sizeof(*entry), GFP_ATOMIC); 134 if (entry == NULL) 135 return -ENOMEM; 136 if (domain != NULL) { 137 entry->domain = kstrdup(domain, GFP_ATOMIC); 138 if (entry->domain == NULL) 139 goto cfg_cipsov4_add_map_failure; 140 } 141 142 ret_val = cipso_v4_doi_add(doi_def); 143 if (ret_val != 0) 144 goto cfg_cipsov4_add_map_failure_remove_doi; 145 entry->type = NETLBL_NLTYPE_CIPSOV4; 146 entry->type_def.cipsov4 = cipso_v4_doi_getdef(doi); 147 if (entry->type_def.cipsov4 == NULL) { 148 ret_val = -ENOENT; 149 goto cfg_cipsov4_add_map_failure_remove_doi; 150 } 151 ret_val = netlbl_domhsh_add(entry, audit_info); 152 if (ret_val != 0) 153 goto cfg_cipsov4_add_map_failure_release_doi; 154 155 cfg_cipsov4_add_map_return: 156 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, 157 audit_info); 158 if (audit_buf != NULL) { 159 switch (doi_type) { 160 case CIPSO_V4_MAP_TRANS: 161 type_str = "trans"; 162 break; 163 case CIPSO_V4_MAP_PASS: 164 type_str = "pass"; 165 break; 166 case CIPSO_V4_MAP_LOCAL: 167 type_str = "local"; 168 break; 169 default: 170 type_str = "(unknown)"; 171 } 172 audit_log_format(audit_buf, 173 " cipso_doi=%u cipso_type=%s res=%u", 174 doi, type_str, ret_val == 0 ? 1 : 0); 175 audit_log_end(audit_buf); 176 } 177 178 return ret_val; 179 180 cfg_cipsov4_add_map_failure_release_doi: 181 cipso_v4_doi_putdef(doi_def); 182 cfg_cipsov4_add_map_failure_remove_doi: 183 cipso_v4_doi_remove(doi, audit_info); 184 cfg_cipsov4_add_map_failure: 185 if (entry != NULL) 186 kfree(entry->domain); 187 kfree(entry); 188 goto cfg_cipsov4_add_map_return; 189 } 190 191 /* 192 * Security Attribute Functions 193 */ 194 195 /** 196 * netlbl_secattr_catmap_walk - Walk a LSM secattr catmap looking for a bit 197 * @catmap: the category bitmap 198 * @offset: the offset to start searching at, in bits 199 * 200 * Description: 201 * This function walks a LSM secattr category bitmap starting at @offset and 202 * returns the spot of the first set bit or -ENOENT if no bits are set. 203 * 204 */ 205 int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap, 206 u32 offset) 207 { 208 struct netlbl_lsm_secattr_catmap *iter = catmap; 209 u32 node_idx; 210 u32 node_bit; 211 NETLBL_CATMAP_MAPTYPE bitmap; 212 213 if (offset > iter->startbit) { 214 while (offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) { 215 iter = iter->next; 216 if (iter == NULL) 217 return -ENOENT; 218 } 219 node_idx = (offset - iter->startbit) / NETLBL_CATMAP_MAPSIZE; 220 node_bit = offset - iter->startbit - 221 (NETLBL_CATMAP_MAPSIZE * node_idx); 222 } else { 223 node_idx = 0; 224 node_bit = 0; 225 } 226 bitmap = iter->bitmap[node_idx] >> node_bit; 227 228 for (;;) { 229 if (bitmap != 0) { 230 while ((bitmap & NETLBL_CATMAP_BIT) == 0) { 231 bitmap >>= 1; 232 node_bit++; 233 } 234 return iter->startbit + 235 (NETLBL_CATMAP_MAPSIZE * node_idx) + node_bit; 236 } 237 if (++node_idx >= NETLBL_CATMAP_MAPCNT) { 238 if (iter->next != NULL) { 239 iter = iter->next; 240 node_idx = 0; 241 } else 242 return -ENOENT; 243 } 244 bitmap = iter->bitmap[node_idx]; 245 node_bit = 0; 246 } 247 248 return -ENOENT; 249 } 250 251 /** 252 * netlbl_secattr_catmap_walk_rng - Find the end of a string of set bits 253 * @catmap: the category bitmap 254 * @offset: the offset to start searching at, in bits 255 * 256 * Description: 257 * This function walks a LSM secattr category bitmap starting at @offset and 258 * returns the spot of the first cleared bit or -ENOENT if the offset is past 259 * the end of the bitmap. 260 * 261 */ 262 int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap, 263 u32 offset) 264 { 265 struct netlbl_lsm_secattr_catmap *iter = catmap; 266 u32 node_idx; 267 u32 node_bit; 268 NETLBL_CATMAP_MAPTYPE bitmask; 269 NETLBL_CATMAP_MAPTYPE bitmap; 270 271 if (offset > iter->startbit) { 272 while (offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) { 273 iter = iter->next; 274 if (iter == NULL) 275 return -ENOENT; 276 } 277 node_idx = (offset - iter->startbit) / NETLBL_CATMAP_MAPSIZE; 278 node_bit = offset - iter->startbit - 279 (NETLBL_CATMAP_MAPSIZE * node_idx); 280 } else { 281 node_idx = 0; 282 node_bit = 0; 283 } 284 bitmask = NETLBL_CATMAP_BIT << node_bit; 285 286 for (;;) { 287 bitmap = iter->bitmap[node_idx]; 288 while (bitmask != 0 && (bitmap & bitmask) != 0) { 289 bitmask <<= 1; 290 node_bit++; 291 } 292 293 if (bitmask != 0) 294 return iter->startbit + 295 (NETLBL_CATMAP_MAPSIZE * node_idx) + 296 node_bit - 1; 297 else if (++node_idx >= NETLBL_CATMAP_MAPCNT) { 298 if (iter->next == NULL) 299 return iter->startbit + NETLBL_CATMAP_SIZE - 1; 300 iter = iter->next; 301 node_idx = 0; 302 } 303 bitmask = NETLBL_CATMAP_BIT; 304 node_bit = 0; 305 } 306 307 return -ENOENT; 308 } 309 310 /** 311 * netlbl_secattr_catmap_setbit - Set a bit in a LSM secattr catmap 312 * @catmap: the category bitmap 313 * @bit: the bit to set 314 * @flags: memory allocation flags 315 * 316 * Description: 317 * Set the bit specified by @bit in @catmap. Returns zero on success, 318 * negative values on failure. 319 * 320 */ 321 int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap, 322 u32 bit, 323 gfp_t flags) 324 { 325 struct netlbl_lsm_secattr_catmap *iter = catmap; 326 u32 node_bit; 327 u32 node_idx; 328 329 while (iter->next != NULL && 330 bit >= (iter->startbit + NETLBL_CATMAP_SIZE)) 331 iter = iter->next; 332 if (bit >= (iter->startbit + NETLBL_CATMAP_SIZE)) { 333 iter->next = netlbl_secattr_catmap_alloc(flags); 334 if (iter->next == NULL) 335 return -ENOMEM; 336 iter = iter->next; 337 iter->startbit = bit & ~(NETLBL_CATMAP_SIZE - 1); 338 } 339 340 /* gcc always rounds to zero when doing integer division */ 341 node_idx = (bit - iter->startbit) / NETLBL_CATMAP_MAPSIZE; 342 node_bit = bit - iter->startbit - (NETLBL_CATMAP_MAPSIZE * node_idx); 343 iter->bitmap[node_idx] |= NETLBL_CATMAP_BIT << node_bit; 344 345 return 0; 346 } 347 348 /** 349 * netlbl_secattr_catmap_setrng - Set a range of bits in a LSM secattr catmap 350 * @catmap: the category bitmap 351 * @start: the starting bit 352 * @end: the last bit in the string 353 * @flags: memory allocation flags 354 * 355 * Description: 356 * Set a range of bits, starting at @start and ending with @end. Returns zero 357 * on success, negative values on failure. 358 * 359 */ 360 int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap, 361 u32 start, 362 u32 end, 363 gfp_t flags) 364 { 365 int ret_val = 0; 366 struct netlbl_lsm_secattr_catmap *iter = catmap; 367 u32 iter_max_spot; 368 u32 spot; 369 370 /* XXX - This could probably be made a bit faster by combining writes 371 * to the catmap instead of setting a single bit each time, but for 372 * right now skipping to the start of the range in the catmap should 373 * be a nice improvement over calling the individual setbit function 374 * repeatedly from a loop. */ 375 376 while (iter->next != NULL && 377 start >= (iter->startbit + NETLBL_CATMAP_SIZE)) 378 iter = iter->next; 379 iter_max_spot = iter->startbit + NETLBL_CATMAP_SIZE; 380 381 for (spot = start; spot <= end && ret_val == 0; spot++) { 382 if (spot >= iter_max_spot && iter->next != NULL) { 383 iter = iter->next; 384 iter_max_spot = iter->startbit + NETLBL_CATMAP_SIZE; 385 } 386 ret_val = netlbl_secattr_catmap_setbit(iter, spot, GFP_ATOMIC); 387 } 388 389 return ret_val; 390 } 391 392 /* 393 * LSM Functions 394 */ 395 396 /** 397 * netlbl_enabled - Determine if the NetLabel subsystem is enabled 398 * 399 * Description: 400 * The LSM can use this function to determine if it should use NetLabel 401 * security attributes in it's enforcement mechanism. Currently, NetLabel is 402 * considered to be enabled when it's configuration contains a valid setup for 403 * at least one labeled protocol (i.e. NetLabel can understand incoming 404 * labeled packets of at least one type); otherwise NetLabel is considered to 405 * be disabled. 406 * 407 */ 408 int netlbl_enabled(void) 409 { 410 /* At some point we probably want to expose this mechanism to the user 411 * as well so that admins can toggle NetLabel regardless of the 412 * configuration */ 413 return (atomic_read(&netlabel_mgmt_protocount) > 0); 414 } 415 416 /** 417 * netlbl_socket_setattr - Label a socket using the correct protocol 418 * @sk: the socket to label 419 * @secattr: the security attributes 420 * 421 * Description: 422 * Attach the correct label to the given socket using the security attributes 423 * specified in @secattr. This function requires exclusive access to @sk, 424 * which means it either needs to be in the process of being created or locked. 425 * Returns zero on success, -EDESTADDRREQ if the domain is configured to use 426 * network address selectors (can't blindly label the socket), and negative 427 * values on all other failures. 428 * 429 */ 430 int netlbl_sock_setattr(struct sock *sk, 431 const struct netlbl_lsm_secattr *secattr) 432 { 433 int ret_val = -ENOENT; 434 struct netlbl_dom_map *dom_entry; 435 436 rcu_read_lock(); 437 dom_entry = netlbl_domhsh_getentry(secattr->domain); 438 if (dom_entry == NULL) 439 goto socket_setattr_return; 440 switch (dom_entry->type) { 441 case NETLBL_NLTYPE_ADDRSELECT: 442 ret_val = -EDESTADDRREQ; 443 break; 444 case NETLBL_NLTYPE_CIPSOV4: 445 ret_val = cipso_v4_sock_setattr(sk, 446 dom_entry->type_def.cipsov4, 447 secattr); 448 break; 449 case NETLBL_NLTYPE_UNLABELED: 450 ret_val = 0; 451 break; 452 default: 453 ret_val = -ENOENT; 454 } 455 456 socket_setattr_return: 457 rcu_read_unlock(); 458 return ret_val; 459 } 460 461 /** 462 * netlbl_sock_delattr - Delete all the NetLabel labels on a socket 463 * @sk: the socket 464 * 465 * Description: 466 * Remove all the NetLabel labeling from @sk. The caller is responsible for 467 * ensuring that @sk is locked. 468 * 469 */ 470 void netlbl_sock_delattr(struct sock *sk) 471 { 472 cipso_v4_sock_delattr(sk); 473 } 474 475 /** 476 * netlbl_sock_getattr - Determine the security attributes of a sock 477 * @sk: the sock 478 * @secattr: the security attributes 479 * 480 * Description: 481 * Examines the given sock to see if any NetLabel style labeling has been 482 * applied to the sock, if so it parses the socket label and returns the 483 * security attributes in @secattr. Returns zero on success, negative values 484 * on failure. 485 * 486 */ 487 int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) 488 { 489 return cipso_v4_sock_getattr(sk, secattr); 490 } 491 492 /** 493 * netlbl_conn_setattr - Label a connected socket using the correct protocol 494 * @sk: the socket to label 495 * @addr: the destination address 496 * @secattr: the security attributes 497 * 498 * Description: 499 * Attach the correct label to the given connected socket using the security 500 * attributes specified in @secattr. The caller is responsible for ensuring 501 * that @sk is locked. Returns zero on success, negative values on failure. 502 * 503 */ 504 int netlbl_conn_setattr(struct sock *sk, 505 struct sockaddr *addr, 506 const struct netlbl_lsm_secattr *secattr) 507 { 508 int ret_val; 509 struct sockaddr_in *addr4; 510 struct netlbl_domaddr4_map *af4_entry; 511 512 rcu_read_lock(); 513 switch (addr->sa_family) { 514 case AF_INET: 515 addr4 = (struct sockaddr_in *)addr; 516 af4_entry = netlbl_domhsh_getentry_af4(secattr->domain, 517 addr4->sin_addr.s_addr); 518 if (af4_entry == NULL) { 519 ret_val = -ENOENT; 520 goto conn_setattr_return; 521 } 522 switch (af4_entry->type) { 523 case NETLBL_NLTYPE_CIPSOV4: 524 ret_val = cipso_v4_sock_setattr(sk, 525 af4_entry->type_def.cipsov4, 526 secattr); 527 break; 528 case NETLBL_NLTYPE_UNLABELED: 529 /* just delete the protocols we support for right now 530 * but we could remove other protocols if needed */ 531 cipso_v4_sock_delattr(sk); 532 ret_val = 0; 533 break; 534 default: 535 ret_val = -ENOENT; 536 } 537 break; 538 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 539 case AF_INET6: 540 /* since we don't support any IPv6 labeling protocols right 541 * now we can optimize everything away until we do */ 542 ret_val = 0; 543 break; 544 #endif /* IPv6 */ 545 default: 546 ret_val = 0; 547 } 548 549 conn_setattr_return: 550 rcu_read_unlock(); 551 return ret_val; 552 } 553 554 /** 555 * netlbl_skbuff_setattr - Label a packet using the correct protocol 556 * @skb: the packet 557 * @family: protocol family 558 * @secattr: the security attributes 559 * 560 * Description: 561 * Attach the correct label to the given packet using the security attributes 562 * specified in @secattr. Returns zero on success, negative values on failure. 563 * 564 */ 565 int netlbl_skbuff_setattr(struct sk_buff *skb, 566 u16 family, 567 const struct netlbl_lsm_secattr *secattr) 568 { 569 int ret_val; 570 struct iphdr *hdr4; 571 struct netlbl_domaddr4_map *af4_entry; 572 573 rcu_read_lock(); 574 switch (family) { 575 case AF_INET: 576 hdr4 = ip_hdr(skb); 577 af4_entry = netlbl_domhsh_getentry_af4(secattr->domain, 578 hdr4->daddr); 579 if (af4_entry == NULL) { 580 ret_val = -ENOENT; 581 goto skbuff_setattr_return; 582 } 583 switch (af4_entry->type) { 584 case NETLBL_NLTYPE_CIPSOV4: 585 ret_val = cipso_v4_skbuff_setattr(skb, 586 af4_entry->type_def.cipsov4, 587 secattr); 588 break; 589 case NETLBL_NLTYPE_UNLABELED: 590 /* just delete the protocols we support for right now 591 * but we could remove other protocols if needed */ 592 ret_val = cipso_v4_skbuff_delattr(skb); 593 break; 594 default: 595 ret_val = -ENOENT; 596 } 597 break; 598 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 599 case AF_INET6: 600 /* since we don't support any IPv6 labeling protocols right 601 * now we can optimize everything away until we do */ 602 ret_val = 0; 603 break; 604 #endif /* IPv6 */ 605 default: 606 ret_val = 0; 607 } 608 609 skbuff_setattr_return: 610 rcu_read_unlock(); 611 return ret_val; 612 } 613 614 /** 615 * netlbl_skbuff_getattr - Determine the security attributes of a packet 616 * @skb: the packet 617 * @family: protocol family 618 * @secattr: the security attributes 619 * 620 * Description: 621 * Examines the given packet to see if a recognized form of packet labeling 622 * is present, if so it parses the packet label and returns the security 623 * attributes in @secattr. Returns zero on success, negative values on 624 * failure. 625 * 626 */ 627 int netlbl_skbuff_getattr(const struct sk_buff *skb, 628 u16 family, 629 struct netlbl_lsm_secattr *secattr) 630 { 631 if (CIPSO_V4_OPTEXIST(skb) && 632 cipso_v4_skbuff_getattr(skb, secattr) == 0) 633 return 0; 634 635 return netlbl_unlabel_getattr(skb, family, secattr); 636 } 637 638 /** 639 * netlbl_skbuff_err - Handle a LSM error on a sk_buff 640 * @skb: the packet 641 * @error: the error code 642 * @gateway: true if host is acting as a gateway, false otherwise 643 * 644 * Description: 645 * Deal with a LSM problem when handling the packet in @skb, typically this is 646 * a permission denied problem (-EACCES). The correct action is determined 647 * according to the packet's labeling protocol. 648 * 649 */ 650 void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway) 651 { 652 if (CIPSO_V4_OPTEXIST(skb)) 653 cipso_v4_error(skb, error, gateway); 654 } 655 656 /** 657 * netlbl_cache_invalidate - Invalidate all of the NetLabel protocol caches 658 * 659 * Description: 660 * For all of the NetLabel protocols that support some form of label mapping 661 * cache, invalidate the cache. Returns zero on success, negative values on 662 * error. 663 * 664 */ 665 void netlbl_cache_invalidate(void) 666 { 667 cipso_v4_cache_invalidate(); 668 } 669 670 /** 671 * netlbl_cache_add - Add an entry to a NetLabel protocol cache 672 * @skb: the packet 673 * @secattr: the packet's security attributes 674 * 675 * Description: 676 * Add the LSM security attributes for the given packet to the underlying 677 * NetLabel protocol's label mapping cache. Returns zero on success, negative 678 * values on error. 679 * 680 */ 681 int netlbl_cache_add(const struct sk_buff *skb, 682 const struct netlbl_lsm_secattr *secattr) 683 { 684 if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0) 685 return -ENOMSG; 686 687 if (CIPSO_V4_OPTEXIST(skb)) 688 return cipso_v4_cache_add(skb, secattr); 689 690 return -ENOMSG; 691 } 692 693 /* 694 * Setup Functions 695 */ 696 697 /** 698 * netlbl_init - Initialize NetLabel 699 * 700 * Description: 701 * Perform the required NetLabel initialization before first use. 702 * 703 */ 704 static int __init netlbl_init(void) 705 { 706 int ret_val; 707 708 printk(KERN_INFO "NetLabel: Initializing\n"); 709 printk(KERN_INFO "NetLabel: domain hash size = %u\n", 710 (1 << NETLBL_DOMHSH_BITSIZE)); 711 printk(KERN_INFO "NetLabel: protocols =" 712 " UNLABELED" 713 " CIPSOv4" 714 "\n"); 715 716 ret_val = netlbl_domhsh_init(NETLBL_DOMHSH_BITSIZE); 717 if (ret_val != 0) 718 goto init_failure; 719 720 ret_val = netlbl_unlabel_init(NETLBL_UNLHSH_BITSIZE); 721 if (ret_val != 0) 722 goto init_failure; 723 724 ret_val = netlbl_netlink_init(); 725 if (ret_val != 0) 726 goto init_failure; 727 728 ret_val = netlbl_unlabel_defconf(); 729 if (ret_val != 0) 730 goto init_failure; 731 printk(KERN_INFO "NetLabel: unlabeled traffic allowed by default\n"); 732 733 return 0; 734 735 init_failure: 736 panic("NetLabel: failed to initialize properly (%d)\n", ret_val); 737 } 738 739 subsys_initcall(netlbl_init); 740