Doug / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit 6a8b7f0c85f1f42eb8b6e68ef3d5ba8020d8e272

Authored by Paul Moore
Committed by David S. Miller
1 parent 5f671d6b4e
Exists in smarc-imx_3.14.28_1.0.0_ga and in 1 other branch imx_3.14.28_1.0.0_ga

netlabel: use domain based selectors when address based selectors are not available 

NetLabel has the ability to selectively assign network security labels
to outbound traffic based on either the LSM's "domain" (different for
each LSM), the network destination, or a combination of both.  Depending
on the type of traffic, local or forwarded, and the type of traffic
selector, domain or address based, different hooks are used to label the
traffic; the goal being minimal overhead.

Unfortunately, there is a bug such that a system using NetLabel domain
based traffic selectors does not correctly label outbound local traffic
that is not assigned to a socket.  The issue is that in these cases
the associated NetLabel hook only looks at the address based selectors
and not the domain based selectors.  This patch corrects this by
checking both the domain and address based selectors so that the correct
labeling is applied, regardless of the configuration type.

In order to acomplish this fix, this patch also simplifies some of the
NetLabel domainhash structures to use a more common outbound traffic
mapping type: struct netlbl_dommap_def.  This simplifies some of the code
in this patch and paves the way for further simplifications in the
future.

Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 6 changed files with 130 additions and 158 deletions Side-by-side Diff

net/netlabel/netlabel_cipso_v4.c
Diff comments   View file @ 6a8b7f0
... ... @@ -691,8 +691,8 @@
691 691 {
692 692 struct netlbl_domhsh_walk_arg *cb_arg = arg;
693 693  
694   - if (entry->type == NETLBL_NLTYPE_CIPSOV4 &&
695   - entry->type_def.cipsov4->doi == cb_arg->doi)
  694 + if (entry->def.type == NETLBL_NLTYPE_CIPSOV4 &&
  695 + entry->def.cipso->doi == cb_arg->doi)
696 696 return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info);
697 697  
698 698 return 0;
net/netlabel/netlabel_domainhash.c
Diff comments   View file @ 6a8b7f0
... ... @@ -84,15 +84,15 @@
84 84 #endif /* IPv6 */
85 85  
86 86 ptr = container_of(entry, struct netlbl_dom_map, rcu);
87   - if (ptr->type == NETLBL_NLTYPE_ADDRSELECT) {
  87 + if (ptr->def.type == NETLBL_NLTYPE_ADDRSELECT) {
88 88 netlbl_af4list_foreach_safe(iter4, tmp4,
89   - &ptr->type_def.addrsel->list4) {
  89 + &ptr->def.addrsel->list4) {
90 90 netlbl_af4list_remove_entry(iter4);
91 91 kfree(netlbl_domhsh_addr4_entry(iter4));
92 92 }
93 93 #if IS_ENABLED(CONFIG_IPV6)
94 94 netlbl_af6list_foreach_safe(iter6, tmp6,
95   - &ptr->type_def.addrsel->list6) {
  95 + &ptr->def.addrsel->list6) {
96 96 netlbl_af6list_remove_entry(iter6);
97 97 kfree(netlbl_domhsh_addr6_entry(iter6));
98 98 }
99 99  
100 100  
... ... @@ -213,21 +213,21 @@
213 213 if (addr4 != NULL) {
214 214 struct netlbl_domaddr4_map *map4;
215 215 map4 = netlbl_domhsh_addr4_entry(addr4);
216   - type = map4->type;
217   - cipsov4 = map4->type_def.cipsov4;
  216 + type = map4->def.type;
  217 + cipsov4 = map4->def.cipso;
218 218 netlbl_af4list_audit_addr(audit_buf, 0, NULL,
219 219 addr4->addr, addr4->mask);
220 220 #if IS_ENABLED(CONFIG_IPV6)
221 221 } else if (addr6 != NULL) {
222 222 struct netlbl_domaddr6_map *map6;
223 223 map6 = netlbl_domhsh_addr6_entry(addr6);
224   - type = map6->type;
  224 + type = map6->def.type;
225 225 netlbl_af6list_audit_addr(audit_buf, 0, NULL,
226 226 &addr6->addr, &addr6->mask);
227 227 #endif /* IPv6 */
228 228 } else {
229   - type = entry->type;
230   - cipsov4 = entry->type_def.cipsov4;
  229 + type = entry->def.type;
  230 + cipsov4 = entry->def.cipso;
231 231 }
232 232 switch (type) {
233 233 case NETLBL_NLTYPE_UNLABELED:
234 234  
235 235  
236 236  
237 237  
238 238  
239 239  
... ... @@ -265,26 +265,25 @@
265 265 if (entry == NULL)
266 266 return -EINVAL;
267 267  
268   - switch (entry->type) {
  268 + switch (entry->def.type) {
269 269 case NETLBL_NLTYPE_UNLABELED:
270   - if (entry->type_def.cipsov4 != NULL ||
271   - entry->type_def.addrsel != NULL)
  270 + if (entry->def.cipso != NULL || entry->def.addrsel != NULL)
272 271 return -EINVAL;
273 272 break;
274 273 case NETLBL_NLTYPE_CIPSOV4:
275   - if (entry->type_def.cipsov4 == NULL)
  274 + if (entry->def.cipso == NULL)
276 275 return -EINVAL;
277 276 break;
278 277 case NETLBL_NLTYPE_ADDRSELECT:
279   - netlbl_af4list_foreach(iter4, &entry->type_def.addrsel->list4) {
  278 + netlbl_af4list_foreach(iter4, &entry->def.addrsel->list4) {
280 279 map4 = netlbl_domhsh_addr4_entry(iter4);
281   - switch (map4->type) {
  280 + switch (map4->def.type) {
282 281 case NETLBL_NLTYPE_UNLABELED:
283   - if (map4->type_def.cipsov4 != NULL)
  282 + if (map4->def.cipso != NULL)
284 283 return -EINVAL;
285 284 break;
286 285 case NETLBL_NLTYPE_CIPSOV4:
287   - if (map4->type_def.cipsov4 == NULL)
  286 + if (map4->def.cipso == NULL)
288 287 return -EINVAL;
289 288 break;
290 289 default:
291 290  
... ... @@ -292,9 +291,9 @@
292 291 }
293 292 }
294 293 #if IS_ENABLED(CONFIG_IPV6)
295   - netlbl_af6list_foreach(iter6, &entry->type_def.addrsel->list6) {
  294 + netlbl_af6list_foreach(iter6, &entry->def.addrsel->list6) {
296 295 map6 = netlbl_domhsh_addr6_entry(iter6);
297   - switch (map6->type) {
  296 + switch (map6->def.type) {
298 297 case NETLBL_NLTYPE_UNLABELED:
299 298 break;
300 299 default:
301 300  
302 301  
303 302  
304 303  
305 304  
... ... @@ -402,32 +401,31 @@
402 401 rcu_assign_pointer(netlbl_domhsh_def, entry);
403 402 }
404 403  
405   - if (entry->type == NETLBL_NLTYPE_ADDRSELECT) {
  404 + if (entry->def.type == NETLBL_NLTYPE_ADDRSELECT) {
406 405 netlbl_af4list_foreach_rcu(iter4,
407   - &entry->type_def.addrsel->list4)
  406 + &entry->def.addrsel->list4)
408 407 netlbl_domhsh_audit_add(entry, iter4, NULL,
409 408 ret_val, audit_info);
410 409 #if IS_ENABLED(CONFIG_IPV6)
411 410 netlbl_af6list_foreach_rcu(iter6,
412   - &entry->type_def.addrsel->list6)
  411 + &entry->def.addrsel->list6)
413 412 netlbl_domhsh_audit_add(entry, NULL, iter6,
414 413 ret_val, audit_info);
415 414 #endif /* IPv6 */
416 415 } else
417 416 netlbl_domhsh_audit_add(entry, NULL, NULL,
418 417 ret_val, audit_info);
419   - } else if (entry_old->type == NETLBL_NLTYPE_ADDRSELECT &&
420   - entry->type == NETLBL_NLTYPE_ADDRSELECT) {
  418 + } else if (entry_old->def.type == NETLBL_NLTYPE_ADDRSELECT &&
  419 + entry->def.type == NETLBL_NLTYPE_ADDRSELECT) {
421 420 struct list_head *old_list4;
422 421 struct list_head *old_list6;
423 422  
424   - old_list4 = &entry_old->type_def.addrsel->list4;
425   - old_list6 = &entry_old->type_def.addrsel->list6;
  423 + old_list4 = &entry_old->def.addrsel->list4;
  424 + old_list6 = &entry_old->def.addrsel->list6;
426 425  
427 426 /* we only allow the addition of address selectors if all of
428 427 * the selectors do not exist in the existing domain map */
429   - netlbl_af4list_foreach_rcu(iter4,
430   - &entry->type_def.addrsel->list4)
  428 + netlbl_af4list_foreach_rcu(iter4, &entry->def.addrsel->list4)
431 429 if (netlbl_af4list_search_exact(iter4->addr,
432 430 iter4->mask,
433 431 old_list4)) {
... ... @@ -435,8 +433,7 @@
435 433 goto add_return;
436 434 }
437 435 #if IS_ENABLED(CONFIG_IPV6)
438   - netlbl_af6list_foreach_rcu(iter6,
439   - &entry->type_def.addrsel->list6)
  436 + netlbl_af6list_foreach_rcu(iter6, &entry->def.addrsel->list6)
440 437 if (netlbl_af6list_search_exact(&iter6->addr,
441 438 &iter6->mask,
442 439 old_list6)) {
... ... @@ -446,7 +443,7 @@
446 443 #endif /* IPv6 */
447 444  
448 445 netlbl_af4list_foreach_safe(iter4, tmp4,
449   - &entry->type_def.addrsel->list4) {
  446 + &entry->def.addrsel->list4) {
450 447 netlbl_af4list_remove_entry(iter4);
451 448 iter4->valid = 1;
452 449 ret_val = netlbl_af4list_add(iter4, old_list4);
... ... @@ -457,7 +454,7 @@
457 454 }
458 455 #if IS_ENABLED(CONFIG_IPV6)
459 456 netlbl_af6list_foreach_safe(iter6, tmp6,
460   - &entry->type_def.addrsel->list6) {
  457 + &entry->def.addrsel->list6) {
461 458 netlbl_af6list_remove_entry(iter6);
462 459 iter6->valid = 1;
463 460 ret_val = netlbl_af6list_add(iter6, old_list6);
464 461  
465 462  
466 463  
... ... @@ -538,18 +535,18 @@
538 535 struct netlbl_af4list *iter4;
539 536 struct netlbl_domaddr4_map *map4;
540 537  
541   - switch (entry->type) {
  538 + switch (entry->def.type) {
542 539 case NETLBL_NLTYPE_ADDRSELECT:
543 540 netlbl_af4list_foreach_rcu(iter4,
544   - &entry->type_def.addrsel->list4) {
  541 + &entry->def.addrsel->list4) {
545 542 map4 = netlbl_domhsh_addr4_entry(iter4);
546   - cipso_v4_doi_putdef(map4->type_def.cipsov4);
  543 + cipso_v4_doi_putdef(map4->def.cipso);
547 544 }
548 545 /* no need to check the IPv6 list since we currently
549 546 * support only unlabeled protocols for IPv6 */
550 547 break;
551 548 case NETLBL_NLTYPE_CIPSOV4:
552   - cipso_v4_doi_putdef(entry->type_def.cipsov4);
  549 + cipso_v4_doi_putdef(entry->def.cipso);
553 550 break;
554 551 }
555 552 call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
556 553  
557 554  
558 555  
... ... @@ -590,20 +587,21 @@
590 587 entry_map = netlbl_domhsh_search(domain);
591 588 else
592 589 entry_map = netlbl_domhsh_search_def(domain);
593   - if (entry_map == NULL || entry_map->type != NETLBL_NLTYPE_ADDRSELECT)
  590 + if (entry_map == NULL ||
  591 + entry_map->def.type != NETLBL_NLTYPE_ADDRSELECT)
594 592 goto remove_af4_failure;
595 593  
596 594 spin_lock(&netlbl_domhsh_lock);
597 595 entry_addr = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
598   - &entry_map->type_def.addrsel->list4);
  596 + &entry_map->def.addrsel->list4);
599 597 spin_unlock(&netlbl_domhsh_lock);
600 598  
601 599 if (entry_addr == NULL)
602 600 goto remove_af4_failure;
603   - netlbl_af4list_foreach_rcu(iter4, &entry_map->type_def.addrsel->list4)
  601 + netlbl_af4list_foreach_rcu(iter4, &entry_map->def.addrsel->list4)
604 602 goto remove_af4_single_addr;
605 603 #if IS_ENABLED(CONFIG_IPV6)
606   - netlbl_af6list_foreach_rcu(iter6, &entry_map->type_def.addrsel->list6)
  604 + netlbl_af6list_foreach_rcu(iter6, &entry_map->def.addrsel->list6)
607 605 goto remove_af4_single_addr;
608 606 #endif /* IPv6 */
609 607 /* the domain mapping is empty so remove it from the mapping table */
... ... @@ -616,7 +614,7 @@
616 614 * shouldn't be a problem */
617 615 synchronize_rcu();
618 616 entry = netlbl_domhsh_addr4_entry(entry_addr);
619   - cipso_v4_doi_putdef(entry->type_def.cipsov4);
  617 + cipso_v4_doi_putdef(entry->def.cipso);
620 618 kfree(entry);
621 619 return 0;
622 620  
... ... @@ -693,8 +691,8 @@
693 691 * responsible for ensuring that rcu_read_[un]lock() is called.
694 692 *
695 693 */
696   -struct netlbl_domaddr4_map *netlbl_domhsh_getentry_af4(const char *domain,
697   - __be32 addr)
  694 +struct netlbl_dommap_def *netlbl_domhsh_getentry_af4(const char *domain,
  695 + __be32 addr)
698 696 {
699 697 struct netlbl_dom_map *dom_iter;
700 698 struct netlbl_af4list *addr_iter;
701 699  
702 700  
... ... @@ -702,15 +700,13 @@
702 700 dom_iter = netlbl_domhsh_search_def(domain);
703 701 if (dom_iter == NULL)
704 702 return NULL;
705   - if (dom_iter->type != NETLBL_NLTYPE_ADDRSELECT)
706   - return NULL;
707 703  
708   - addr_iter = netlbl_af4list_search(addr,
709   - &dom_iter->type_def.addrsel->list4);
  704 + if (dom_iter->def.type != NETLBL_NLTYPE_ADDRSELECT)
  705 + return &dom_iter->def;
  706 + addr_iter = netlbl_af4list_search(addr, &dom_iter->def.addrsel->list4);
710 707 if (addr_iter == NULL)
711 708 return NULL;
712   -
713   - return netlbl_domhsh_addr4_entry(addr_iter);
  709 + return &(netlbl_domhsh_addr4_entry(addr_iter)->def);
714 710 }
715 711  
716 712 #if IS_ENABLED(CONFIG_IPV6)
... ... @@ -725,7 +721,7 @@
725 721 * responsible for ensuring that rcu_read_[un]lock() is called.
726 722 *
727 723 */
728   -struct netlbl_domaddr6_map *netlbl_domhsh_getentry_af6(const char *domain,
  724 +struct netlbl_dommap_def *netlbl_domhsh_getentry_af6(const char *domain,
729 725 const struct in6_addr *addr)
730 726 {
731 727 struct netlbl_dom_map *dom_iter;
732 728  
733 729  
... ... @@ -734,15 +730,13 @@
734 730 dom_iter = netlbl_domhsh_search_def(domain);
735 731 if (dom_iter == NULL)
736 732 return NULL;
737   - if (dom_iter->type != NETLBL_NLTYPE_ADDRSELECT)
738   - return NULL;
739 733  
740   - addr_iter = netlbl_af6list_search(addr,
741   - &dom_iter->type_def.addrsel->list6);
  734 + if (dom_iter->def.type != NETLBL_NLTYPE_ADDRSELECT)
  735 + return &dom_iter->def;
  736 + addr_iter = netlbl_af6list_search(addr, &dom_iter->def.addrsel->list6);
742 737 if (addr_iter == NULL)
743 738 return NULL;
744   -
745   - return netlbl_domhsh_addr6_entry(addr_iter);
  739 + return &(netlbl_domhsh_addr6_entry(addr_iter)->def);
746 740 }
747 741 #endif /* IPv6 */
748 742  
net/netlabel/netlabel_domainhash.h
Diff comments   View file @ 6a8b7f0
... ... @@ -43,37 +43,35 @@
43 43 #define NETLBL_DOMHSH_BITSIZE 7
44 44  
45 45 /* Domain mapping definition structures */
  46 +struct netlbl_domaddr_map {
  47 + struct list_head list4;
  48 + struct list_head list6;
  49 +};
  50 +struct netlbl_dommap_def {
  51 + u32 type;
  52 + union {
  53 + struct netlbl_domaddr_map *addrsel;
  54 + struct cipso_v4_doi *cipso;
  55 + };
  56 +};
46 57 #define netlbl_domhsh_addr4_entry(iter) \
47 58 container_of(iter, struct netlbl_domaddr4_map, list)
48 59 struct netlbl_domaddr4_map {
49   - u32 type;
50   - union {
51   - struct cipso_v4_doi *cipsov4;
52   - } type_def;
  60 + struct netlbl_dommap_def def;
53 61  
54 62 struct netlbl_af4list list;
55 63 };
56 64 #define netlbl_domhsh_addr6_entry(iter) \
57 65 container_of(iter, struct netlbl_domaddr6_map, list)
58 66 struct netlbl_domaddr6_map {
59   - u32 type;
  67 + struct netlbl_dommap_def def;
60 68  
61   - /* NOTE: no 'type_def' union needed at present since we don't currently
62   - * support any IPv6 labeling protocols */
63   -
64 69 struct netlbl_af6list list;
65 70 };
66   -struct netlbl_domaddr_map {
67   - struct list_head list4;
68   - struct list_head list6;
69   -};
  71 +
70 72 struct netlbl_dom_map {
71 73 char *domain;
72   - u32 type;
73   - union {
74   - struct cipso_v4_doi *cipsov4;
75   - struct netlbl_domaddr_map *addrsel;
76   - } type_def;
  74 + struct netlbl_dommap_def def;
77 75  
78 76 u32 valid;
79 77 struct list_head list;
80 78  
... ... @@ -97,17 +95,17 @@
97 95 int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
98 96 int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info);
99 97 struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain);
100   -struct netlbl_domaddr4_map *netlbl_domhsh_getentry_af4(const char *domain,
101   - __be32 addr);
  98 +struct netlbl_dommap_def *netlbl_domhsh_getentry_af4(const char *domain,
  99 + __be32 addr);
  100 +#if IS_ENABLED(CONFIG_IPV6)
  101 +struct netlbl_dommap_def *netlbl_domhsh_getentry_af6(const char *domain,
  102 + const struct in6_addr *addr);
  103 +#endif /* IPv6 */
  104 +
102 105 int netlbl_domhsh_walk(u32 *skip_bkt,
103 106 u32 *skip_chain,
104 107 int (*callback) (struct netlbl_dom_map *entry, void *arg),
105 108 void *cb_arg);
106   -
107   -#if IS_ENABLED(CONFIG_IPV6)
108   -struct netlbl_domaddr6_map *netlbl_domhsh_getentry_af6(const char *domain,
109   - const struct in6_addr *addr);
110   -#endif /* IPv6 */
111 109  
112 110 #endif
net/netlabel/netlabel_kapi.c
Diff comments   View file @ 6a8b7f0
... ... @@ -122,7 +122,7 @@
122 122 }
123 123  
124 124 if (addr == NULL && mask == NULL)
125   - entry->type = NETLBL_NLTYPE_UNLABELED;
  125 + entry->def.type = NETLBL_NLTYPE_UNLABELED;
126 126 else if (addr != NULL && mask != NULL) {
127 127 addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
128 128 if (addrmap == NULL)
... ... @@ -137,7 +137,7 @@
137 137 map4 = kzalloc(sizeof(*map4), GFP_ATOMIC);
138 138 if (map4 == NULL)
139 139 goto cfg_unlbl_map_add_failure;
140   - map4->type = NETLBL_NLTYPE_UNLABELED;
  140 + map4->def.type = NETLBL_NLTYPE_UNLABELED;
141 141 map4->list.addr = addr4->s_addr & mask4->s_addr;
142 142 map4->list.mask = mask4->s_addr;
143 143 map4->list.valid = 1;
... ... @@ -154,7 +154,7 @@
154 154 map6 = kzalloc(sizeof(*map6), GFP_ATOMIC);
155 155 if (map6 == NULL)
156 156 goto cfg_unlbl_map_add_failure;
157   - map6->type = NETLBL_NLTYPE_UNLABELED;
  157 + map6->def.type = NETLBL_NLTYPE_UNLABELED;
158 158 map6->list.addr = *addr6;
159 159 map6->list.addr.s6_addr32[0] &= mask6->s6_addr32[0];
160 160 map6->list.addr.s6_addr32[1] &= mask6->s6_addr32[1];
... ... @@ -174,8 +174,8 @@
174 174 break;
175 175 }
176 176  
177   - entry->type_def.addrsel = addrmap;
178   - entry->type = NETLBL_NLTYPE_ADDRSELECT;
  177 + entry->def.addrsel = addrmap;
  178 + entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
179 179 } else {
180 180 ret_val = -EINVAL;
181 181 goto cfg_unlbl_map_add_failure;
... ... @@ -355,8 +355,8 @@
355 355 }
356 356  
357 357 if (addr == NULL && mask == NULL) {
358   - entry->type_def.cipsov4 = doi_def;
359   - entry->type = NETLBL_NLTYPE_CIPSOV4;
  358 + entry->def.cipso = doi_def;
  359 + entry->def.type = NETLBL_NLTYPE_CIPSOV4;
360 360 } else if (addr != NULL && mask != NULL) {
361 361 addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
362 362 if (addrmap == NULL)
... ... @@ -367,8 +367,8 @@
367 367 addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
368 368 if (addrinfo == NULL)
369 369 goto out_addrinfo;
370   - addrinfo->type_def.cipsov4 = doi_def;
371   - addrinfo->type = NETLBL_NLTYPE_CIPSOV4;
  370 + addrinfo->def.cipso = doi_def;
  371 + addrinfo->def.type = NETLBL_NLTYPE_CIPSOV4;
372 372 addrinfo->list.addr = addr->s_addr & mask->s_addr;
373 373 addrinfo->list.mask = mask->s_addr;
374 374 addrinfo->list.valid = 1;
... ... @@ -376,8 +376,8 @@
376 376 if (ret_val != 0)
377 377 goto cfg_cipsov4_map_add_failure;
378 378  
379   - entry->type_def.addrsel = addrmap;
380   - entry->type = NETLBL_NLTYPE_ADDRSELECT;
  379 + entry->def.addrsel = addrmap;
  380 + entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
381 381 } else {
382 382 ret_val = -EINVAL;
383 383 goto out_addrmap;
384 384  
... ... @@ -657,14 +657,14 @@
657 657 }
658 658 switch (family) {
659 659 case AF_INET:
660   - switch (dom_entry->type) {
  660 + switch (dom_entry->def.type) {
661 661 case NETLBL_NLTYPE_ADDRSELECT:
662 662 ret_val = -EDESTADDRREQ;
663 663 break;
664 664 case NETLBL_NLTYPE_CIPSOV4:
665 665 ret_val = cipso_v4_sock_setattr(sk,
666   - dom_entry->type_def.cipsov4,
667   - secattr);
  666 + dom_entry->def.cipso,
  667 + secattr);
668 668 break;
669 669 case NETLBL_NLTYPE_UNLABELED:
670 670 ret_val = 0;
671 671  
672 672  
673 673  
... ... @@ -754,23 +754,22 @@
754 754 {
755 755 int ret_val;
756 756 struct sockaddr_in *addr4;
757   - struct netlbl_domaddr4_map *af4_entry;
  757 + struct netlbl_dommap_def *entry;
758 758  
759 759 rcu_read_lock();
760 760 switch (addr->sa_family) {
761 761 case AF_INET:
762 762 addr4 = (struct sockaddr_in *)addr;
763   - af4_entry = netlbl_domhsh_getentry_af4(secattr->domain,
764   - addr4->sin_addr.s_addr);
765   - if (af4_entry == NULL) {
  763 + entry = netlbl_domhsh_getentry_af4(secattr->domain,
  764 + addr4->sin_addr.s_addr);
  765 + if (entry == NULL) {
766 766 ret_val = -ENOENT;
767 767 goto conn_setattr_return;
768 768 }
769   - switch (af4_entry->type) {
  769 + switch (entry->type) {
770 770 case NETLBL_NLTYPE_CIPSOV4:
771 771 ret_val = cipso_v4_sock_setattr(sk,
772   - af4_entry->type_def.cipsov4,
773   - secattr);
  772 + entry->cipso, secattr);
774 773 break;
775 774 case NETLBL_NLTYPE_UNLABELED:
776 775 /* just delete the protocols we support for right now
777 776  
778 777  
779 778  
780 779  
... ... @@ -812,36 +811,21 @@
812 811 const struct netlbl_lsm_secattr *secattr)
813 812 {
814 813 int ret_val;
815   - struct netlbl_dom_map *dom_entry;
816   - struct netlbl_domaddr4_map *af4_entry;
817   - u32 proto_type;
818   - struct cipso_v4_doi *proto_cv4;
  814 + struct netlbl_dommap_def *entry;
819 815  
820 816 rcu_read_lock();
821   - dom_entry = netlbl_domhsh_getentry(secattr->domain);
822   - if (dom_entry == NULL) {
823   - ret_val = -ENOENT;
824   - goto req_setattr_return;
825   - }
826 817 switch (req->rsk_ops->family) {
827 818 case AF_INET:
828   - if (dom_entry->type == NETLBL_NLTYPE_ADDRSELECT) {
829   - struct inet_request_sock *req_inet = inet_rsk(req);
830   - af4_entry = netlbl_domhsh_getentry_af4(secattr->domain,
831   - req_inet->rmt_addr);
832   - if (af4_entry == NULL) {
833   - ret_val = -ENOENT;
834   - goto req_setattr_return;
835   - }
836   - proto_type = af4_entry->type;
837   - proto_cv4 = af4_entry->type_def.cipsov4;
838   - } else {
839   - proto_type = dom_entry->type;
840   - proto_cv4 = dom_entry->type_def.cipsov4;
  819 + entry = netlbl_domhsh_getentry_af4(secattr->domain,
  820 + inet_rsk(req)->rmt_addr);
  821 + if (entry == NULL) {
  822 + ret_val = -ENOENT;
  823 + goto req_setattr_return;
841 824 }
842   - switch (proto_type) {
  825 + switch (entry->type) {
843 826 case NETLBL_NLTYPE_CIPSOV4:
844   - ret_val = cipso_v4_req_setattr(req, proto_cv4, secattr);
  827 + ret_val = cipso_v4_req_setattr(req,
  828 + entry->cipso, secattr);
845 829 break;
846 830 case NETLBL_NLTYPE_UNLABELED:
847 831 /* just delete the protocols we support for right now
848 832  
849 833  
850 834  
... ... @@ -899,23 +883,21 @@
899 883 {
900 884 int ret_val;
901 885 struct iphdr *hdr4;
902   - struct netlbl_domaddr4_map *af4_entry;
  886 + struct netlbl_dommap_def *entry;
903 887  
904 888 rcu_read_lock();
905 889 switch (family) {
906 890 case AF_INET:
907 891 hdr4 = ip_hdr(skb);
908   - af4_entry = netlbl_domhsh_getentry_af4(secattr->domain,
909   - hdr4->daddr);
910   - if (af4_entry == NULL) {
  892 + entry = netlbl_domhsh_getentry_af4(secattr->domain,hdr4->daddr);
  893 + if (entry == NULL) {
911 894 ret_val = -ENOENT;
912 895 goto skbuff_setattr_return;
913 896 }
914   - switch (af4_entry->type) {
  897 + switch (entry->type) {
915 898 case NETLBL_NLTYPE_CIPSOV4:
916   - ret_val = cipso_v4_skbuff_setattr(skb,
917   - af4_entry->type_def.cipsov4,
918   - secattr);
  899 + ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso,
  900 + secattr);
919 901 break;
920 902 case NETLBL_NLTYPE_UNLABELED:
921 903 /* just delete the protocols we support for right now
net/netlabel/netlabel_mgmt.c
Diff comments   View file @ 6a8b7f0
... ... @@ -104,7 +104,7 @@
104 104 ret_val = -ENOMEM;
105 105 goto add_failure;
106 106 }
107   - entry->type = nla_get_u32(info->attrs[NLBL_MGMT_A_PROTOCOL]);
  107 + entry->def.type = nla_get_u32(info->attrs[NLBL_MGMT_A_PROTOCOL]);
108 108 if (info->attrs[NLBL_MGMT_A_DOMAIN]) {
109 109 size_t tmp_size = nla_len(info->attrs[NLBL_MGMT_A_DOMAIN]);
110 110 entry->domain = kmalloc(tmp_size, GFP_KERNEL);
111 111  
... ... @@ -116,12 +116,12 @@
116 116 info->attrs[NLBL_MGMT_A_DOMAIN], tmp_size);
117 117 }
118 118  
119   - /* NOTE: internally we allow/use a entry->type value of
  119 + /* NOTE: internally we allow/use a entry->def.type value of
120 120 * NETLBL_NLTYPE_ADDRSELECT but we don't currently allow users
121 121 * to pass that as a protocol value because we need to know the
122 122 * "real" protocol */
123 123  
124   - switch (entry->type) {
  124 + switch (entry->def.type) {
125 125 case NETLBL_NLTYPE_UNLABELED:
126 126 break;
127 127 case NETLBL_NLTYPE_CIPSOV4:
... ... @@ -132,7 +132,7 @@
132 132 cipsov4 = cipso_v4_doi_getdef(tmp_val);
133 133 if (cipsov4 == NULL)
134 134 goto add_failure;
135   - entry->type_def.cipsov4 = cipsov4;
  135 + entry->def.cipso = cipsov4;
136 136 break;
137 137 default:
138 138 goto add_failure;
139 139  
... ... @@ -172,9 +172,9 @@
172 172 map->list.addr = addr->s_addr & mask->s_addr;
173 173 map->list.mask = mask->s_addr;
174 174 map->list.valid = 1;
175   - map->type = entry->type;
  175 + map->def.type = entry->def.type;
176 176 if (cipsov4)
177   - map->type_def.cipsov4 = cipsov4;
  177 + map->def.cipso = cipsov4;
178 178  
179 179 ret_val = netlbl_af4list_add(&map->list, &addrmap->list4);
180 180 if (ret_val != 0) {
... ... @@ -182,8 +182,8 @@
182 182 goto add_failure;
183 183 }
184 184  
185   - entry->type = NETLBL_NLTYPE_ADDRSELECT;
186   - entry->type_def.addrsel = addrmap;
  185 + entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
  186 + entry->def.addrsel = addrmap;
187 187 #if IS_ENABLED(CONFIG_IPV6)
188 188 } else if (info->attrs[NLBL_MGMT_A_IPV6ADDR]) {
189 189 struct in6_addr *addr;
... ... @@ -223,7 +223,7 @@
223 223 map->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
224 224 map->list.mask = *mask;
225 225 map->list.valid = 1;
226   - map->type = entry->type;
  226 + map->def.type = entry->def.type;
227 227  
228 228 ret_val = netlbl_af6list_add(&map->list, &addrmap->list6);
229 229 if (ret_val != 0) {
... ... @@ -231,8 +231,8 @@
231 231 goto add_failure;
232 232 }
233 233  
234   - entry->type = NETLBL_NLTYPE_ADDRSELECT;
235   - entry->type_def.addrsel = addrmap;
  234 + entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
  235 + entry->def.addrsel = addrmap;
236 236 #endif /* IPv6 */
237 237 }
238 238  
239 239  
... ... @@ -281,14 +281,13 @@
281 281 return ret_val;
282 282 }
283 283  
284   - switch (entry->type) {
  284 + switch (entry->def.type) {
285 285 case NETLBL_NLTYPE_ADDRSELECT:
286 286 nla_a = nla_nest_start(skb, NLBL_MGMT_A_SELECTORLIST);
287 287 if (nla_a == NULL)
288 288 return -ENOMEM;
289 289  
290   - netlbl_af4list_foreach_rcu(iter4,
291   - &entry->type_def.addrsel->list4) {
  290 + netlbl_af4list_foreach_rcu(iter4, &entry->def.addrsel->list4) {
292 291 struct netlbl_domaddr4_map *map4;
293 292 struct in_addr addr_struct;
294 293  
295 294  
296 295  
... ... @@ -310,13 +309,13 @@
310 309 return ret_val;
311 310 map4 = netlbl_domhsh_addr4_entry(iter4);
312 311 ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
313   - map4->type);
  312 + map4->def.type);
314 313 if (ret_val != 0)
315 314 return ret_val;
316   - switch (map4->type) {
  315 + switch (map4->def.type) {
317 316 case NETLBL_NLTYPE_CIPSOV4:
318 317 ret_val = nla_put_u32(skb, NLBL_MGMT_A_CV4DOI,
319   - map4->type_def.cipsov4->doi);
  318 + map4->def.cipso->doi);
320 319 if (ret_val != 0)
321 320 return ret_val;
322 321 break;
... ... @@ -325,8 +324,7 @@
325 324 nla_nest_end(skb, nla_b);
326 325 }
327 326 #if IS_ENABLED(CONFIG_IPV6)
328   - netlbl_af6list_foreach_rcu(iter6,
329   - &entry->type_def.addrsel->list6) {
  327 + netlbl_af6list_foreach_rcu(iter6, &entry->def.addrsel->list6) {
330 328 struct netlbl_domaddr6_map *map6;
331 329  
332 330 nla_b = nla_nest_start(skb, NLBL_MGMT_A_ADDRSELECTOR);
... ... @@ -345,7 +343,7 @@
345 343 return ret_val;
346 344 map6 = netlbl_domhsh_addr6_entry(iter6);
347 345 ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
348   - map6->type);
  346 + map6->def.type);
349 347 if (ret_val != 0)
350 348 return ret_val;
351 349  
352 350  
353 351  
... ... @@ -356,14 +354,14 @@
356 354 nla_nest_end(skb, nla_a);
357 355 break;
358 356 case NETLBL_NLTYPE_UNLABELED:
359   - ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL, entry->type);
  357 + ret_val = nla_put_u32(skb,NLBL_MGMT_A_PROTOCOL,entry->def.type);
360 358 break;
361 359 case NETLBL_NLTYPE_CIPSOV4:
362   - ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL, entry->type);
  360 + ret_val = nla_put_u32(skb,NLBL_MGMT_A_PROTOCOL,entry->def.type);
363 361 if (ret_val != 0)
364 362 return ret_val;
365 363 ret_val = nla_put_u32(skb, NLBL_MGMT_A_CV4DOI,
366   - entry->type_def.cipsov4->doi);
  364 + entry->def.cipso->doi);
367 365 break;
368 366 }
369 367  
net/netlabel/netlabel_unlabeled.c
Diff comments   View file @ 6a8b7f0
... ... @@ -1541,7 +1541,7 @@
1541 1541 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1542 1542 if (entry == NULL)
1543 1543 return -ENOMEM;
1544   - entry->type = NETLBL_NLTYPE_UNLABELED;
  1544 + entry->def.type = NETLBL_NLTYPE_UNLABELED;
1545 1545 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
1546 1546 if (ret_val != 0)
1547 1547 return ret_val;