netlabel: Update kernel configuration API

 */

#ifdef CONFIG_NETLABEL

int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);

int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,

		     struct netlbl_audit *audit_info);

void cipso_v4_doi_free(struct cipso_v4_doi *doi_def);

int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info);

struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);

		     int (*callback) (struct cipso_v4_doi *doi_def, void *arg),

	             void *cb_arg);

#else

static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)

static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,

				   struct netlbl_audit *audit_info)

{

	return -ENOSYS;

}

#include <linux/types.h>

#include <linux/net.h>

#include <linux/skbuff.h>

#include <linux/in.h>

#include <linux/in6.h>

#include <net/netlink.h>

#include <asm/atomic.h>

/*

 * LSM configuration operations

 */

int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info);

int netlbl_cfg_unlbl_add_map(const char *domain,

int netlbl_cfg_map_del(const char *domain,

		       u16 family,

		       const void *addr,

		       const void *mask,

		       struct netlbl_audit *audit_info);

int netlbl_cfg_unlbl_map_add(const char *domain,

			     u16 family,

			     const void *addr,

			     const void *mask,

			     struct netlbl_audit *audit_info);

int netlbl_cfg_unlbl_static_add(struct net *net,

				const char *dev_name,

				const void *addr,

				const void *mask,

				u16 family,

				u32 secid,

				struct netlbl_audit *audit_info);

int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,

int netlbl_cfg_unlbl_static_del(struct net *net,

				const char *dev_name,

				const void *addr,

				const void *mask,

				u16 family,

				struct netlbl_audit *audit_info);

int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,

			   struct netlbl_audit *audit_info);

void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info);

int netlbl_cfg_cipsov4_map_add(u32 doi,

			       const char *domain,

			       const struct in_addr *addr,

			       const struct in_addr *mask,

			       struct netlbl_audit *audit_info);

/*

 * LSM security attribute operations

 */

void netlbl_cache_invalidate(void);

int netlbl_cache_add(const struct sk_buff *skb,

		     const struct netlbl_lsm_secattr *secattr);

/*

 * Protocol engine operations

 */

struct audit_buffer *netlbl_audit_start(int type,

					struct netlbl_audit *audit_info);

#else

static inline int netlbl_cfg_map_del(const char *domain,

				     u16 family,

				     const void *addr,

				     const void *mask,

				     struct netlbl_audit *audit_info)

{

	return -ENOSYS;

}

static inline int netlbl_cfg_unlbl_map_add(const char *domain,

					   u16 family,

					   void *addr,

					   void *mask,

					   struct netlbl_audit *audit_info)

{

	return -ENOSYS;

}

static inline int netlbl_cfg_unlbl_static_add(struct net *net,

					      const char *dev_name,

					      const void *addr,

					      const void *mask,

					      u16 family,

					      u32 secid,

					      struct netlbl_audit *audit_info)

{

	return -ENOSYS;

}

static inline int netlbl_cfg_unlbl_static_del(struct net *net,

					      const char *dev_name,

					      const void *addr,

					      const void *mask,

					      u16 family,

					      struct netlbl_audit *audit_info)

{

	return -ENOSYS;

}

static inline int netlbl_cfg_unlbl_add_map(const char *domain,

static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,

					 struct netlbl_audit *audit_info)

{

	return -ENOSYS;

}

static inline int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,

static inline void netlbl_cfg_cipsov4_del(u32 doi,

					  struct netlbl_audit *audit_info)

{

	return;

}

static inline int netlbl_cfg_cipsov4_map_add(u32 doi,

					     const char *domain,

					     const struct in_addr *addr,

					     const struct in_addr *mask,

					     struct netlbl_audit *audit_info)

{

	return -ENOSYS;

{

	return 0;

}

static inline struct audit_buffer *netlbl_audit_start(int type,

						struct netlbl_audit *audit_info)

{

	return NULL;

}

#endif /* CONFIG_NETLABEL */

#endif /* _NETLABEL_H */

#include <linux/spinlock.h>

#include <linux/string.h>

#include <linux/jhash.h>

#include <linux/audit.h>

#include <net/ip.h>

#include <net/icmp.h>

#include <net/tcp.h>

/**

 * cipso_v4_doi_add - Add a new DOI to the CIPSO protocol engine

 * @doi_def: the DOI structure

 * @audit_info: NetLabel audit information

 *

 * Description:

 * The caller defines a new DOI for use by the CIPSO engine and calls this

 * zero on success and non-zero on failure.

 *

 */

int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)

int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,

		     struct netlbl_audit *audit_info)

{

	int ret_val = -EINVAL;

	u32 iter;

	u32 doi;

	u32 doi_type;

	struct audit_buffer *audit_buf;

	doi = doi_def->doi;

	doi_type = doi_def->type;

	if (doi_def == NULL || doi_def->doi == CIPSO_V4_DOI_UNKNOWN)

		return -EINVAL;

		goto doi_add_return;

	for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) {

		switch (doi_def->tags[iter]) {

		case CIPSO_V4_TAG_RBITMAP:

			break;

		case CIPSO_V4_TAG_RANGE:

			if (doi_def->type != CIPSO_V4_MAP_PASS)

				return -EINVAL;

			break;

		case CIPSO_V4_TAG_INVALID:

			if (iter == 0)

				return -EINVAL;

			break;

		case CIPSO_V4_TAG_ENUM:

			if (doi_def->type != CIPSO_V4_MAP_PASS)

				return -EINVAL;

				goto doi_add_return;

			break;

		case CIPSO_V4_TAG_LOCAL:

			if (doi_def->type != CIPSO_V4_MAP_LOCAL)

				return -EINVAL;

				goto doi_add_return;

			break;

		case CIPSO_V4_TAG_INVALID:

			if (iter == 0)

				goto doi_add_return;

			break;

		default:

			return -EINVAL;

			goto doi_add_return;

		}

	}

	atomic_set(&doi_def->refcount, 1);

	spin_lock(&cipso_v4_doi_list_lock);

	if (cipso_v4_doi_search(doi_def->doi) != NULL)

		goto doi_add_failure;

	if (cipso_v4_doi_search(doi_def->doi) != NULL) {

		spin_unlock(&cipso_v4_doi_list_lock);

		ret_val = -EEXIST;

		goto doi_add_return;

	}

	list_add_tail_rcu(&doi_def->list, &cipso_v4_doi_list);

	spin_unlock(&cipso_v4_doi_list_lock);

	ret_val = 0;

	return 0;

doi_add_return:

	audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_ADD, audit_info);

	if (audit_buf != NULL) {

		const char *type_str;

		switch (doi_type) {

		case CIPSO_V4_MAP_TRANS:

			type_str = "trans";

			break;

		case CIPSO_V4_MAP_PASS:

			type_str = "pass";

			break;

		case CIPSO_V4_MAP_LOCAL:

			type_str = "local";

			break;

		default:

			type_str = "(unknown)";

		}

		audit_log_format(audit_buf,

				 " cipso_doi=%u cipso_type=%s res=%u",

				 doi, type_str, ret_val == 0 ? 1 : 0);

		audit_log_end(audit_buf);

	}

doi_add_failure:

	spin_unlock(&cipso_v4_doi_list_lock);

	return -EEXIST;

	return ret_val;

}

/**

 */

int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info)

{

	int ret_val;

	struct cipso_v4_doi *doi_def;

	struct audit_buffer *audit_buf;

	spin_lock(&cipso_v4_doi_list_lock);

	doi_def = cipso_v4_doi_search(doi);

	if (doi_def == NULL) {

		spin_unlock(&cipso_v4_doi_list_lock);

		return -ENOENT;

		ret_val = -ENOENT;

		goto doi_remove_return;

	}

	if (!atomic_dec_and_test(&doi_def->refcount)) {

		spin_unlock(&cipso_v4_doi_list_lock);

		return -EBUSY;

		ret_val = -EBUSY;

		goto doi_remove_return;

	}

	list_del_rcu(&doi_def->list);

	spin_unlock(&cipso_v4_doi_list_lock);

	cipso_v4_cache_invalidate();

	call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);

	ret_val = 0;

	return 0;

doi_remove_return:

	audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_DEL, audit_info);

	if (audit_buf != NULL) {

		audit_log_format(audit_buf,

				 " cipso_doi=%u res=%u",

				 doi, ret_val == 0 ? 1 : 0);

		audit_log_end(audit_buf);

	}

	return ret_val;

}

/**

/**

 * netlbl_cipsov4_add_std - Adds a CIPSO V4 DOI definition

 * @info: the Generic NETLINK info block

 * @audit_info: NetLabel audit information

 *

 * Description:

 * Create a new CIPSO_V4_MAP_TRANS DOI definition based on the given ADD

 * non-zero on error.

 *

 */

static int netlbl_cipsov4_add_std(struct genl_info *info)

static int netlbl_cipsov4_add_std(struct genl_info *info,

				  struct netlbl_audit *audit_info)

{

	int ret_val = -EINVAL;

	struct cipso_v4_doi *doi_def = NULL;

			}

	}

	ret_val = cipso_v4_doi_add(doi_def);

	ret_val = cipso_v4_doi_add(doi_def, audit_info);

	if (ret_val != 0)

		goto add_std_failure;

	return 0;

/**

 * netlbl_cipsov4_add_pass - Adds a CIPSO V4 DOI definition

 * @info: the Generic NETLINK info block

 * @audit_info: NetLabel audit information

 *

 * Description:

 * Create a new CIPSO_V4_MAP_PASS DOI definition based on the given ADD message

 * error.

 *

 */

static int netlbl_cipsov4_add_pass(struct genl_info *info)

static int netlbl_cipsov4_add_pass(struct genl_info *info,

				   struct netlbl_audit *audit_info)

{

	int ret_val;

	struct cipso_v4_doi *doi_def = NULL;

	if (ret_val != 0)

		goto add_pass_failure;

	ret_val = cipso_v4_doi_add(doi_def);

	ret_val = cipso_v4_doi_add(doi_def, audit_info);

	if (ret_val != 0)

		goto add_pass_failure;

	return 0;

/**

 * netlbl_cipsov4_add_local - Adds a CIPSO V4 DOI definition

 * @info: the Generic NETLINK info block

 * @audit_info: NetLabel audit information

 *

 * Description:

 * Create a new CIPSO_V4_MAP_LOCAL DOI definition based on the given ADD

 * non-zero on error.

 *

 */

static int netlbl_cipsov4_add_local(struct genl_info *info)

static int netlbl_cipsov4_add_local(struct genl_info *info,

				    struct netlbl_audit *audit_info)

{

	int ret_val;

	struct cipso_v4_doi *doi_def = NULL;

	if (ret_val != 0)

		goto add_local_failure;

	ret_val = cipso_v4_doi_add(doi_def);

	ret_val = cipso_v4_doi_add(doi_def, audit_info);

	if (ret_val != 0)

		goto add_local_failure;

	return 0;

{

	int ret_val = -EINVAL;

	u32 type;

	u32 doi;

	const char *type_str = "(unknown)";

	struct audit_buffer *audit_buf;

	struct netlbl_audit audit_info;

	if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||

	    !info->attrs[NLBL_CIPSOV4_A_MTYPE])

		return -EINVAL;

	doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);

	netlbl_netlink_auditinfo(skb, &audit_info);

	type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);

	switch (type) {

	switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) {

	case CIPSO_V4_MAP_TRANS:

		type_str = "trans";

		ret_val = netlbl_cipsov4_add_std(info);

		ret_val = netlbl_cipsov4_add_std(info, &audit_info);

		break;

	case CIPSO_V4_MAP_PASS:

		type_str = "pass";

		ret_val = netlbl_cipsov4_add_pass(info);

		ret_val = netlbl_cipsov4_add_pass(info, &audit_info);

		break;

	case CIPSO_V4_MAP_LOCAL:

		type_str = "local";

		ret_val = netlbl_cipsov4_add_local(info);

		ret_val = netlbl_cipsov4_add_local(info, &audit_info);

		break;

	}

	if (ret_val == 0)

		atomic_inc(&netlabel_mgmt_protocount);

	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,

					      &audit_info);

	if (audit_buf != NULL) {

		audit_log_format(audit_buf,

				 " cipso_doi=%u cipso_type=%s res=%u",

				 doi,

				 type_str,

				 ret_val == 0 ? 1 : 0);

		audit_log_end(audit_buf);

	}

	return ret_val;

}

static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)

{

	int ret_val = -EINVAL;

	u32 doi = 0;

	struct netlbl_domhsh_walk_arg cb_arg;

	struct audit_buffer *audit_buf;

	struct netlbl_audit audit_info;

	u32 skip_bkt = 0;

	u32 skip_chain = 0;

	if (!info->attrs[NLBL_CIPSOV4_A_DOI])

		return -EINVAL;

	doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);

	netlbl_netlink_auditinfo(skb, &audit_info);

	cb_arg.doi = doi;

	cb_arg.doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);

	cb_arg.audit_info = &audit_info;

	ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain,

				     netlbl_cipsov4_remove_cb, &cb_arg);

	if (ret_val == 0 || ret_val == -ENOENT) {

		ret_val = cipso_v4_doi_remove(doi, &audit_info);

		ret_val = cipso_v4_doi_remove(cb_arg.doi, &audit_info);

		if (ret_val == 0)

			atomic_dec(&netlabel_mgmt_protocount);

	}

	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,

					      &audit_info);

	if (audit_buf != NULL) {

		audit_log_format(audit_buf,

				 " cipso_doi=%u res=%u",

				 doi,

				 ret_val == 0 ? 1 : 0);

		audit_log_end(audit_buf);

	}

	return ret_val;

}

	return ret_val;

}

/**

 * netlbl_domhsh_remove_af4 - Removes an address selector entry

 * @domain: the domain

 * @addr: IPv4 address

 * @mask: IPv4 address mask

 * @audit_info: NetLabel audit information

 *

 * Description:

 * Removes an individual address selector from a domain mapping and potentially

 * the entire mapping if it is empty.  Returns zero on success, negative values

 * on failure.

 *

 */

int netlbl_domhsh_remove_af4(const char *domain,

			     const struct in_addr *addr,

			     const struct in_addr *mask,

			     struct netlbl_audit *audit_info)

{

	struct netlbl_dom_map *entry_map;

	struct netlbl_af4list *entry_addr;

	struct netlbl_af4list *iter4;

#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

	struct netlbl_af6list *iter6;

#endif /* IPv6 */

	struct netlbl_domaddr4_map *entry;

	rcu_read_lock();

	if (domain)

		entry_map = netlbl_domhsh_search(domain);

	else

		entry_map = netlbl_domhsh_search_def(domain);

	if (entry_map == NULL || entry_map->type != NETLBL_NLTYPE_ADDRSELECT)

		goto remove_af4_failure;

	spin_lock(&netlbl_domhsh_lock);

	entry_addr = netlbl_af4list_remove(addr->s_addr, mask->s_addr,

					   &entry_map->type_def.addrsel->list4);

	spin_unlock(&netlbl_domhsh_lock);

	if (entry_addr == NULL)

		goto remove_af4_failure;

	netlbl_af4list_foreach_rcu(iter4, &entry_map->type_def.addrsel->list4)

		goto remove_af4_single_addr;

#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

	netlbl_af6list_foreach_rcu(iter6, &entry_map->type_def.addrsel->list6)

		goto remove_af4_single_addr;

#endif /* IPv6 */

	/* the domain mapping is empty so remove it from the mapping table */

	netlbl_domhsh_remove_entry(entry_map, audit_info);

remove_af4_single_addr:

	rcu_read_unlock();

	/* yick, we can't use call_rcu here because we don't have a rcu head

	 * pointer but hopefully this should be a rare case so the pause

	 * shouldn't be a problem */

	synchronize_rcu();

	entry = netlbl_domhsh_addr4_entry(entry_addr);

	cipso_v4_doi_putdef(entry->type_def.cipsov4);

	kfree(entry);

	return 0;

remove_af4_failure:

	rcu_read_unlock();

	return -ENOENT;

}

/**

 * netlbl_domhsh_remove - Removes an entry from the domain hash table

 * @domain: the domain to remove