~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/netlabel/netlabel_calipso.c

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 // SPDX-License-Identifier: GPL-2.0-or-later
  2 /*
  3  * NetLabel CALIPSO/IPv6 Support
  4  *
  5  * This file defines the CALIPSO/IPv6 functions for the NetLabel system.  The
  6  * NetLabel system manages static and dynamic label mappings for network
  7  * protocols such as CIPSO and CALIPSO.
  8  *
  9  * Authors: Paul Moore <paul@paul-moore.com>
 10  *          Huw Davies <huw@codeweavers.com>
 11  */
 12 
 13 /* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 14  * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015
 15  */
 16 
 17 #include <linux/types.h>
 18 #include <linux/socket.h>
 19 #include <linux/string.h>
 20 #include <linux/skbuff.h>
 21 #include <linux/audit.h>
 22 #include <linux/slab.h>
 23 #include <net/sock.h>
 24 #include <net/netlink.h>
 25 #include <net/genetlink.h>
 26 #include <net/netlabel.h>
 27 #include <net/calipso.h>
 28 #include <linux/atomic.h>
 29 
 30 #include "netlabel_user.h"
 31 #include "netlabel_calipso.h"
 32 #include "netlabel_mgmt.h"
 33 #include "netlabel_domainhash.h"
 34 
 35 /* Argument struct for calipso_doi_walk() */
 36 struct netlbl_calipso_doiwalk_arg {
 37         struct netlink_callback *nl_cb;
 38         struct sk_buff *skb;
 39         u32 seq;
 40 };
 41 
 42 /* Argument struct for netlbl_domhsh_walk() */
 43 struct netlbl_domhsh_walk_arg {
 44         struct netlbl_audit *audit_info;
 45         u32 doi;
 46 };
 47 
 48 /* NetLabel Generic NETLINK CALIPSO family */
 49 static struct genl_family netlbl_calipso_gnl_family;
 50 
 51 /* NetLabel Netlink attribute policy */
 52 static const struct nla_policy calipso_genl_policy[NLBL_CALIPSO_A_MAX + 1] = {
 53         [NLBL_CALIPSO_A_DOI] = { .type = NLA_U32 },
 54         [NLBL_CALIPSO_A_MTYPE] = { .type = NLA_U32 },
 55 };
 56 
 57 static const struct netlbl_calipso_ops *calipso_ops;
 58 
 59 /**
 60  * netlbl_calipso_ops_register - Register the CALIPSO operations
 61  * @ops: ops to register
 62  *
 63  * Description:
 64  * Register the CALIPSO packet engine operations.
 65  *
 66  */
 67 const struct netlbl_calipso_ops *
 68 netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops)
 69 {
 70         return xchg(&calipso_ops, ops);
 71 }
 72 EXPORT_SYMBOL(netlbl_calipso_ops_register);
 73 
 74 static const struct netlbl_calipso_ops *netlbl_calipso_ops_get(void)
 75 {
 76         return READ_ONCE(calipso_ops);
 77 }
 78 
 79 /* NetLabel Command Handlers
 80  */
 81 /**
 82  * netlbl_calipso_add_pass - Adds a CALIPSO pass DOI definition
 83  * @info: the Generic NETLINK info block
 84  * @audit_info: NetLabel audit information
 85  *
 86  * Description:
 87  * Create a new CALIPSO_MAP_PASS DOI definition based on the given ADD message
 88  * and add it to the CALIPSO engine.  Return zero on success and non-zero on
 89  * error.
 90  *
 91  */
 92 static int netlbl_calipso_add_pass(struct genl_info *info,
 93                                    struct netlbl_audit *audit_info)
 94 {
 95         int ret_val;
 96         struct calipso_doi *doi_def = NULL;
 97 
 98         doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
 99         if (!doi_def)
100                 return -ENOMEM;
101         doi_def->type = CALIPSO_MAP_PASS;
102         doi_def->doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]);
103         ret_val = calipso_doi_add(doi_def, audit_info);
104         if (ret_val != 0)
105                 calipso_doi_free(doi_def);
106 
107         return ret_val;
108 }
109 
110 /**
111  * netlbl_calipso_add - Handle an ADD message
112  * @skb: the NETLINK buffer
113  * @info: the Generic NETLINK info block
114  *
115  * Description:
116  * Create a new DOI definition based on the given ADD message and add it to the
117  * CALIPSO engine.  Returns zero on success, negative values on failure.
118  *
119  */
120 static int netlbl_calipso_add(struct sk_buff *skb, struct genl_info *info)
121 {
122         int ret_val = -EINVAL;
123         struct netlbl_audit audit_info;
124         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
125 
126         if (!info->attrs[NLBL_CALIPSO_A_DOI] ||
127             !info->attrs[NLBL_CALIPSO_A_MTYPE])
128                 return -EINVAL;
129 
130         if (!ops)
131                 return -EOPNOTSUPP;
132 
133         netlbl_netlink_auditinfo(&audit_info);
134         switch (nla_get_u32(info->attrs[NLBL_CALIPSO_A_MTYPE])) {
135         case CALIPSO_MAP_PASS:
136                 ret_val = netlbl_calipso_add_pass(info, &audit_info);
137                 break;
138         }
139         if (ret_val == 0)
140                 atomic_inc(&netlabel_mgmt_protocount);
141 
142         return ret_val;
143 }
144 
145 /**
146  * netlbl_calipso_list - Handle a LIST message
147  * @skb: the NETLINK buffer
148  * @info: the Generic NETLINK info block
149  *
150  * Description:
151  * Process a user generated LIST message and respond accordingly.
152  * Returns zero on success and negative values on error.
153  *
154  */
155 static int netlbl_calipso_list(struct sk_buff *skb, struct genl_info *info)
156 {
157         int ret_val;
158         struct sk_buff *ans_skb = NULL;
159         void *data;
160         u32 doi;
161         struct calipso_doi *doi_def;
162 
163         if (!info->attrs[NLBL_CALIPSO_A_DOI]) {
164                 ret_val = -EINVAL;
165                 goto list_failure;
166         }
167 
168         doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]);
169 
170         doi_def = calipso_doi_getdef(doi);
171         if (!doi_def) {
172                 ret_val = -EINVAL;
173                 goto list_failure;
174         }
175 
176         ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
177         if (!ans_skb) {
178                 ret_val = -ENOMEM;
179                 goto list_failure_put;
180         }
181         data = genlmsg_put_reply(ans_skb, info, &netlbl_calipso_gnl_family,
182                                  0, NLBL_CALIPSO_C_LIST);
183         if (!data) {
184                 ret_val = -ENOMEM;
185                 goto list_failure_put;
186         }
187 
188         ret_val = nla_put_u32(ans_skb, NLBL_CALIPSO_A_MTYPE, doi_def->type);
189         if (ret_val != 0)
190                 goto list_failure_put;
191 
192         calipso_doi_putdef(doi_def);
193 
194         genlmsg_end(ans_skb, data);
195         return genlmsg_reply(ans_skb, info);
196 
197 list_failure_put:
198         calipso_doi_putdef(doi_def);
199 list_failure:
200         kfree_skb(ans_skb);
201         return ret_val;
202 }
203 
204 /**
205  * netlbl_calipso_listall_cb - calipso_doi_walk() callback for LISTALL
206  * @doi_def: the CALIPSO DOI definition
207  * @arg: the netlbl_calipso_doiwalk_arg structure
208  *
209  * Description:
210  * This function is designed to be used as a callback to the
211  * calipso_doi_walk() function for use in generating a response for a LISTALL
212  * message.  Returns the size of the message on success, negative values on
213  * failure.
214  *
215  */
216 static int netlbl_calipso_listall_cb(struct calipso_doi *doi_def, void *arg)
217 {
218         int ret_val = -ENOMEM;
219         struct netlbl_calipso_doiwalk_arg *cb_arg = arg;
220         void *data;
221 
222         data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
223                            cb_arg->seq, &netlbl_calipso_gnl_family,
224                            NLM_F_MULTI, NLBL_CALIPSO_C_LISTALL);
225         if (!data)
226                 goto listall_cb_failure;
227 
228         ret_val = nla_put_u32(cb_arg->skb, NLBL_CALIPSO_A_DOI, doi_def->doi);
229         if (ret_val != 0)
230                 goto listall_cb_failure;
231         ret_val = nla_put_u32(cb_arg->skb,
232                               NLBL_CALIPSO_A_MTYPE,
233                               doi_def->type);
234         if (ret_val != 0)
235                 goto listall_cb_failure;
236 
237         genlmsg_end(cb_arg->skb, data);
238         return 0;
239 
240 listall_cb_failure:
241         genlmsg_cancel(cb_arg->skb, data);
242         return ret_val;
243 }
244 
245 /**
246  * netlbl_calipso_listall - Handle a LISTALL message
247  * @skb: the NETLINK buffer
248  * @cb: the NETLINK callback
249  *
250  * Description:
251  * Process a user generated LISTALL message and respond accordingly.  Returns
252  * zero on success and negative values on error.
253  *
254  */
255 static int netlbl_calipso_listall(struct sk_buff *skb,
256                                   struct netlink_callback *cb)
257 {
258         struct netlbl_calipso_doiwalk_arg cb_arg;
259         u32 doi_skip = cb->args[0];
260 
261         cb_arg.nl_cb = cb;
262         cb_arg.skb = skb;
263         cb_arg.seq = cb->nlh->nlmsg_seq;
264 
265         calipso_doi_walk(&doi_skip, netlbl_calipso_listall_cb, &cb_arg);
266 
267         cb->args[0] = doi_skip;
268         return skb->len;
269 }
270 
271 /**
272  * netlbl_calipso_remove_cb - netlbl_calipso_remove() callback for REMOVE
273  * @entry: LSM domain mapping entry
274  * @arg: the netlbl_domhsh_walk_arg structure
275  *
276  * Description:
277  * This function is intended for use by netlbl_calipso_remove() as the callback
278  * for the netlbl_domhsh_walk() function; it removes LSM domain map entries
279  * which are associated with the CALIPSO DOI specified in @arg.  Returns zero on
280  * success, negative values on failure.
281  *
282  */
283 static int netlbl_calipso_remove_cb(struct netlbl_dom_map *entry, void *arg)
284 {
285         struct netlbl_domhsh_walk_arg *cb_arg = arg;
286 
287         if (entry->def.type == NETLBL_NLTYPE_CALIPSO &&
288             entry->def.calipso->doi == cb_arg->doi)
289                 return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info);
290 
291         return 0;
292 }
293 
294 /**
295  * netlbl_calipso_remove - Handle a REMOVE message
296  * @skb: the NETLINK buffer
297  * @info: the Generic NETLINK info block
298  *
299  * Description:
300  * Process a user generated REMOVE message and respond accordingly.  Returns
301  * zero on success, negative values on failure.
302  *
303  */
304 static int netlbl_calipso_remove(struct sk_buff *skb, struct genl_info *info)
305 {
306         int ret_val = -EINVAL;
307         struct netlbl_domhsh_walk_arg cb_arg;
308         struct netlbl_audit audit_info;
309         u32 skip_bkt = 0;
310         u32 skip_chain = 0;
311 
312         if (!info->attrs[NLBL_CALIPSO_A_DOI])
313                 return -EINVAL;
314 
315         netlbl_netlink_auditinfo(&audit_info);
316         cb_arg.doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]);
317         cb_arg.audit_info = &audit_info;
318         ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain,
319                                      netlbl_calipso_remove_cb, &cb_arg);
320         if (ret_val == 0 || ret_val == -ENOENT) {
321                 ret_val = calipso_doi_remove(cb_arg.doi, &audit_info);
322                 if (ret_val == 0)
323                         atomic_dec(&netlabel_mgmt_protocount);
324         }
325 
326         return ret_val;
327 }
328 
329 /* NetLabel Generic NETLINK Command Definitions
330  */
331 
332 static const struct genl_small_ops netlbl_calipso_ops[] = {
333         {
334         .cmd = NLBL_CALIPSO_C_ADD,
335         .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
336         .flags = GENL_ADMIN_PERM,
337         .doit = netlbl_calipso_add,
338         .dumpit = NULL,
339         },
340         {
341         .cmd = NLBL_CALIPSO_C_REMOVE,
342         .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
343         .flags = GENL_ADMIN_PERM,
344         .doit = netlbl_calipso_remove,
345         .dumpit = NULL,
346         },
347         {
348         .cmd = NLBL_CALIPSO_C_LIST,
349         .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
350         .flags = 0,
351         .doit = netlbl_calipso_list,
352         .dumpit = NULL,
353         },
354         {
355         .cmd = NLBL_CALIPSO_C_LISTALL,
356         .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
357         .flags = 0,
358         .doit = NULL,
359         .dumpit = netlbl_calipso_listall,
360         },
361 };
362 
363 static struct genl_family netlbl_calipso_gnl_family __ro_after_init = {
364         .hdrsize = 0,
365         .name = NETLBL_NLTYPE_CALIPSO_NAME,
366         .version = NETLBL_PROTO_VERSION,
367         .maxattr = NLBL_CALIPSO_A_MAX,
368         .policy = calipso_genl_policy,
369         .module = THIS_MODULE,
370         .small_ops = netlbl_calipso_ops,
371         .n_small_ops = ARRAY_SIZE(netlbl_calipso_ops),
372         .resv_start_op = NLBL_CALIPSO_C_LISTALL + 1,
373 };
374 
375 /* NetLabel Generic NETLINK Protocol Functions
376  */
377 
378 /**
379  * netlbl_calipso_genl_init - Register the CALIPSO NetLabel component
380  *
381  * Description:
382  * Register the CALIPSO packet NetLabel component with the Generic NETLINK
383  * mechanism.  Returns zero on success, negative values on failure.
384  *
385  */
386 int __init netlbl_calipso_genl_init(void)
387 {
388         return genl_register_family(&netlbl_calipso_gnl_family);
389 }
390 
391 /**
392  * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine
393  * @doi_def: the DOI structure
394  * @audit_info: NetLabel audit information
395  *
396  * Description:
397  * The caller defines a new DOI for use by the CALIPSO engine and calls this
398  * function to add it to the list of acceptable domains.  The caller must
399  * ensure that the mapping table specified in @doi_def->map meets all of the
400  * requirements of the mapping type (see calipso.h for details).  Returns
401  * zero on success and non-zero on failure.
402  *
403  */
404 int calipso_doi_add(struct calipso_doi *doi_def,
405                     struct netlbl_audit *audit_info)
406 {
407         int ret_val = -ENOMSG;
408         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
409 
410         if (ops)
411                 ret_val = ops->doi_add(doi_def, audit_info);
412         return ret_val;
413 }
414 
415 /**
416  * calipso_doi_free - Frees a DOI definition
417  * @doi_def: the DOI definition
418  *
419  * Description:
420  * This function frees all of the memory associated with a DOI definition.
421  *
422  */
423 void calipso_doi_free(struct calipso_doi *doi_def)
424 {
425         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
426 
427         if (ops)
428                 ops->doi_free(doi_def);
429 }
430 
431 /**
432  * calipso_doi_remove - Remove an existing DOI from the CALIPSO protocol engine
433  * @doi: the DOI value
434  * @audit_info: NetLabel audit information
435  *
436  * Description:
437  * Removes a DOI definition from the CALIPSO engine.  The NetLabel routines will
438  * be called to release their own LSM domain mappings as well as our own
439  * domain list.  Returns zero on success and negative values on failure.
440  *
441  */
442 int calipso_doi_remove(u32 doi, struct netlbl_audit *audit_info)
443 {
444         int ret_val = -ENOMSG;
445         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
446 
447         if (ops)
448                 ret_val = ops->doi_remove(doi, audit_info);
449         return ret_val;
450 }
451 
452 /**
453  * calipso_doi_getdef - Returns a reference to a valid DOI definition
454  * @doi: the DOI value
455  *
456  * Description:
457  * Searches for a valid DOI definition and if one is found it is returned to
458  * the caller.  Otherwise NULL is returned.  The caller must ensure that
459  * calipso_doi_putdef() is called when the caller is done.
460  *
461  */
462 struct calipso_doi *calipso_doi_getdef(u32 doi)
463 {
464         struct calipso_doi *ret_val = NULL;
465         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
466 
467         if (ops)
468                 ret_val = ops->doi_getdef(doi);
469         return ret_val;
470 }
471 
472 /**
473  * calipso_doi_putdef - Releases a reference for the given DOI definition
474  * @doi_def: the DOI definition
475  *
476  * Description:
477  * Releases a DOI definition reference obtained from calipso_doi_getdef().
478  *
479  */
480 void calipso_doi_putdef(struct calipso_doi *doi_def)
481 {
482         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
483 
484         if (ops)
485                 ops->doi_putdef(doi_def);
486 }
487 
488 /**
489  * calipso_doi_walk - Iterate through the DOI definitions
490  * @skip_cnt: skip past this number of DOI definitions, updated
491  * @callback: callback for each DOI definition
492  * @cb_arg: argument for the callback function
493  *
494  * Description:
495  * Iterate over the DOI definition list, skipping the first @skip_cnt entries.
496  * For each entry call @callback, if @callback returns a negative value stop
497  * 'walking' through the list and return.  Updates the value in @skip_cnt upon
498  * return.  Returns zero on success, negative values on failure.
499  *
500  */
501 int calipso_doi_walk(u32 *skip_cnt,
502                      int (*callback)(struct calipso_doi *doi_def, void *arg),
503                      void *cb_arg)
504 {
505         int ret_val = -ENOMSG;
506         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
507 
508         if (ops)
509                 ret_val = ops->doi_walk(skip_cnt, callback, cb_arg);
510         return ret_val;
511 }
512 
513 /**
514  * calipso_sock_getattr - Get the security attributes from a sock
515  * @sk: the sock
516  * @secattr: the security attributes
517  *
518  * Description:
519  * Query @sk to see if there is a CALIPSO option attached to the sock and if
520  * there is return the CALIPSO security attributes in @secattr.  This function
521  * requires that @sk be locked, or privately held, but it does not do any
522  * locking itself.  Returns zero on success and negative values on failure.
523  *
524  */
525 int calipso_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
526 {
527         int ret_val = -ENOMSG;
528         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
529 
530         if (ops)
531                 ret_val = ops->sock_getattr(sk, secattr);
532         return ret_val;
533 }
534 
535 /**
536  * calipso_sock_setattr - Add a CALIPSO option to a socket
537  * @sk: the socket
538  * @doi_def: the CALIPSO DOI to use
539  * @secattr: the specific security attributes of the socket
540  *
541  * Description:
542  * Set the CALIPSO option on the given socket using the DOI definition and
543  * security attributes passed to the function.  This function requires
544  * exclusive access to @sk, which means it either needs to be in the
545  * process of being created or locked.  Returns zero on success and negative
546  * values on failure.
547  *
548  */
549 int calipso_sock_setattr(struct sock *sk,
550                          const struct calipso_doi *doi_def,
551                          const struct netlbl_lsm_secattr *secattr)
552 {
553         int ret_val = -ENOMSG;
554         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
555 
556         if (ops)
557                 ret_val = ops->sock_setattr(sk, doi_def, secattr);
558         return ret_val;
559 }
560 
561 /**
562  * calipso_sock_delattr - Delete the CALIPSO option from a socket
563  * @sk: the socket
564  *
565  * Description:
566  * Removes the CALIPSO option from a socket, if present.
567  *
568  */
569 void calipso_sock_delattr(struct sock *sk)
570 {
571         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
572 
573         if (ops)
574                 ops->sock_delattr(sk);
575 }
576 
577 /**
578  * calipso_req_setattr - Add a CALIPSO option to a connection request socket
579  * @req: the connection request socket
580  * @doi_def: the CALIPSO DOI to use
581  * @secattr: the specific security attributes of the socket
582  *
583  * Description:
584  * Set the CALIPSO option on the given socket using the DOI definition and
585  * security attributes passed to the function.  Returns zero on success and
586  * negative values on failure.
587  *
588  */
589 int calipso_req_setattr(struct request_sock *req,
590                         const struct calipso_doi *doi_def,
591                         const struct netlbl_lsm_secattr *secattr)
592 {
593         int ret_val = -ENOMSG;
594         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
595 
596         if (ops)
597                 ret_val = ops->req_setattr(req, doi_def, secattr);
598         return ret_val;
599 }
600 
601 /**
602  * calipso_req_delattr - Delete the CALIPSO option from a request socket
603  * @req: the request socket
604  *
605  * Description:
606  * Removes the CALIPSO option from a request socket, if present.
607  *
608  */
609 void calipso_req_delattr(struct request_sock *req)
610 {
611         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
612 
613         if (ops)
614                 ops->req_delattr(req);
615 }
616 
617 /**
618  * calipso_optptr - Find the CALIPSO option in the packet
619  * @skb: the packet
620  *
621  * Description:
622  * Parse the packet's IP header looking for a CALIPSO option.  Returns a pointer
623  * to the start of the CALIPSO option on success, NULL if one if not found.
624  *
625  */
626 unsigned char *calipso_optptr(const struct sk_buff *skb)
627 {
628         unsigned char *ret_val = NULL;
629         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
630 
631         if (ops)
632                 ret_val = ops->skbuff_optptr(skb);
633         return ret_val;
634 }
635 
636 /**
637  * calipso_getattr - Get the security attributes from a memory block.
638  * @calipso: the CALIPSO option
639  * @secattr: the security attributes
640  *
641  * Description:
642  * Inspect @calipso and return the security attributes in @secattr.
643  * Returns zero on success and negative values on failure.
644  *
645  */
646 int calipso_getattr(const unsigned char *calipso,
647                     struct netlbl_lsm_secattr *secattr)
648 {
649         int ret_val = -ENOMSG;
650         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
651 
652         if (ops)
653                 ret_val = ops->opt_getattr(calipso, secattr);
654         return ret_val;
655 }
656 
657 /**
658  * calipso_skbuff_setattr - Set the CALIPSO option on a packet
659  * @skb: the packet
660  * @doi_def: the CALIPSO DOI to use
661  * @secattr: the security attributes
662  *
663  * Description:
664  * Set the CALIPSO option on the given packet based on the security attributes.
665  * Returns a pointer to the IP header on success and NULL on failure.
666  *
667  */
668 int calipso_skbuff_setattr(struct sk_buff *skb,
669                            const struct calipso_doi *doi_def,
670                            const struct netlbl_lsm_secattr *secattr)
671 {
672         int ret_val = -ENOMSG;
673         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
674 
675         if (ops)
676                 ret_val = ops->skbuff_setattr(skb, doi_def, secattr);
677         return ret_val;
678 }
679 
680 /**
681  * calipso_skbuff_delattr - Delete any CALIPSO options from a packet
682  * @skb: the packet
683  *
684  * Description:
685  * Removes any and all CALIPSO options from the given packet.  Returns zero on
686  * success, negative values on failure.
687  *
688  */
689 int calipso_skbuff_delattr(struct sk_buff *skb)
690 {
691         int ret_val = -ENOMSG;
692         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
693 
694         if (ops)
695                 ret_val = ops->skbuff_delattr(skb);
696         return ret_val;
697 }
698 
699 /**
700  * calipso_cache_invalidate - Invalidates the current CALIPSO cache
701  *
702  * Description:
703  * Invalidates and frees any entries in the CALIPSO cache.  Returns zero on
704  * success and negative values on failure.
705  *
706  */
707 void calipso_cache_invalidate(void)
708 {
709         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
710 
711         if (ops)
712                 ops->cache_invalidate();
713 }
714 
715 /**
716  * calipso_cache_add - Add an entry to the CALIPSO cache
717  * @calipso_ptr: the CALIPSO option
718  * @secattr: the packet's security attributes
719  *
720  * Description:
721  * Add a new entry into the CALIPSO label mapping cache.
722  * Returns zero on success, negative values on failure.
723  *
724  */
725 int calipso_cache_add(const unsigned char *calipso_ptr,
726                       const struct netlbl_lsm_secattr *secattr)
727 
728 {
729         int ret_val = -ENOMSG;
730         const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
731 
732         if (ops)
733                 ret_val = ops->cache_add(calipso_ptr, secattr);
734         return ret_val;
735 }
736 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php