From: paul.moore@hp.com
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: jmorris@namei.org, Paul Moore <paul.moore@hp.com>
Subject: [PATCH 07/13] NetLabel: fixup the handling of CIPSOv4 tags to allow for multiple tag types
Date: Fri, 17 Nov 2006 17:38:49 -0500 [thread overview]
Message-ID: <20061117224334.941485000@hp.com> (raw)
In-Reply-To: 20061117223842.399078000@hp.com
[-- Attachment #1: netlabel-cipso_tagcleanup --]
[-- Type: text/plain, Size: 7106 bytes --]
From: Paul Moore <paul.moore@hp.com>
While the original CIPSOv4 code had provisions for multiple tag types the
implementation was not as great as it could be, pushing a lot of non-tag
specific processing into the tag specific code blocks. This patch fixes that
issue making it easier to support multiple tag types in the future.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
net/ipv4/cipso_ipv4.c | 115 +++++++++++++++++++++++---------------------------
1 files changed, 54 insertions(+), 61 deletions(-)
Index: net-2.6.20_netlabel-base-work/net/ipv4/cipso_ipv4.c
===================================================================
--- net-2.6.20_netlabel-base-work.orig/net/ipv4/cipso_ipv4.c
+++ net-2.6.20_netlabel-base-work/net/ipv4/cipso_ipv4.c
@@ -959,35 +959,28 @@ static int cipso_v4_map_cat_rbm_ntoh(con
* Protocol Handling Functions
*/
+#define CIPSO_V4_OPT_LEN_MAX 40
#define CIPSO_V4_HDR_LEN 6
/**
* cipso_v4_gentag_hdr - Generate a CIPSO option header
* @doi_def: the DOI definition
- * @len: the total tag length in bytes
+ * @len: the total tag length in bytes, not including this header
* @buf: the CIPSO option buffer
*
* Description:
- * Write a CIPSO header into the beginning of @buffer. Return zero on success,
- * negative values on failure.
+ * Write a CIPSO header into the beginning of @buffer.
*
*/
-static int cipso_v4_gentag_hdr(const struct cipso_v4_doi *doi_def,
- u32 len,
- unsigned char *buf)
+static void cipso_v4_gentag_hdr(const struct cipso_v4_doi *doi_def,
+ unsigned char *buf,
+ u32 len)
{
- if (CIPSO_V4_HDR_LEN + len > 40)
- return -ENOSPC;
-
buf[0] = IPOPT_CIPSO;
buf[1] = CIPSO_V4_HDR_LEN + len;
*(__be32 *)&buf[2] = htonl(doi_def->doi);
-
- return 0;
}
-#define CIPSO_V4_TAG1_CAT_LEN 30
-
/**
* cipso_v4_gentag_rbm - Generate a CIPSO restricted bitmap tag (type #1)
* @doi_def: the DOI definition
@@ -998,71 +991,50 @@ static int cipso_v4_gentag_hdr(const str
* Description:
* Generate a CIPSO option using the restricted bitmap tag, tag type #1. The
* actual buffer length may be larger than the indicated size due to
- * translation between host and network category bitmaps. Returns zero on
- * success, negative values on failure.
+ * translation between host and network category bitmaps. Returns the size of
+ * the tag on success, negative values on failure.
*
*/
static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
const struct netlbl_lsm_secattr *secattr,
- unsigned char **buffer,
- u32 *buffer_len)
+ unsigned char *buffer,
+ u32 buffer_len)
{
int ret_val;
- unsigned char *buf = NULL;
- u32 buf_len;
+ u32 tag_len;
u32 level;
if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
return -EPERM;
- if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
- buf = kzalloc(CIPSO_V4_HDR_LEN + 4 + CIPSO_V4_TAG1_CAT_LEN,
- GFP_ATOMIC);
- if (buf == NULL)
- return -ENOMEM;
+ ret_val = cipso_v4_map_lvl_hton(doi_def, secattr->mls_lvl, &level);
+ if (ret_val != 0)
+ return ret_val;
+ if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
ret_val = cipso_v4_map_cat_rbm_hton(doi_def,
secattr->mls_cat,
secattr->mls_cat_len,
- &buf[CIPSO_V4_HDR_LEN + 4],
- CIPSO_V4_TAG1_CAT_LEN);
+ &buffer[4],
+ buffer_len - 4);
if (ret_val < 0)
- goto gentag_failure;
+ return ret_val;
/* This will send packets using the "optimized" format when
* possibile as specified in section 3.4.2.6 of the
* CIPSO draft. */
if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10)
- buf_len = 14;
+ tag_len = 14;
else
- buf_len = 4 + ret_val;
- } else {
- buf = kzalloc(CIPSO_V4_HDR_LEN + 4, GFP_ATOMIC);
- if (buf == NULL)
- return -ENOMEM;
- buf_len = 4;
- }
-
- ret_val = cipso_v4_map_lvl_hton(doi_def, secattr->mls_lvl, &level);
- if (ret_val != 0)
- goto gentag_failure;
-
- ret_val = cipso_v4_gentag_hdr(doi_def, buf_len, buf);
- if (ret_val != 0)
- goto gentag_failure;
-
- buf[CIPSO_V4_HDR_LEN] = 0x01;
- buf[CIPSO_V4_HDR_LEN + 1] = buf_len;
- buf[CIPSO_V4_HDR_LEN + 3] = level;
+ tag_len = 4 + ret_val;
+ } else
+ tag_len = 4;
+
+ buffer[0] = 0x01;
+ buffer[1] = tag_len;
+ buffer[3] = level;
- *buffer = buf;
- *buffer_len = CIPSO_V4_HDR_LEN + buf_len;
-
- return 0;
-
-gentag_failure:
- kfree(buf);
- return ret_val;
+ return tag_len;
}
/**
@@ -1285,7 +1257,7 @@ int cipso_v4_socket_setattr(const struct
{
int ret_val = -EPERM;
u32 iter;
- unsigned char *buf = NULL;
+ unsigned char *buf;
u32 buf_len = 0;
u32 opt_len;
struct ip_options *opt = NULL;
@@ -1301,17 +1273,28 @@ int cipso_v4_socket_setattr(const struct
if (sk == NULL)
return 0;
+ /* We allocate the maximum CIPSO option size here so we are probably
+ * being a little wasteful, but it makes our life _much_ easier later
+ * on and after all we are only talking about 40 bytes. */
+ buf_len = CIPSO_V4_OPT_LEN_MAX;
+ buf = kmalloc(buf_len, GFP_ATOMIC);
+ if (buf == NULL) {
+ ret_val = -ENOMEM;
+ goto socket_setattr_failure;
+ }
+
/* XXX - This code assumes only one tag per CIPSO option which isn't
* really a good assumption to make but since we only support the MAC
* tags right now it is a safe assumption. */
iter = 0;
do {
+ memset(buf, 0, buf_len);
switch (doi_def->tags[iter]) {
case CIPSO_V4_TAG_RBITMAP:
ret_val = cipso_v4_gentag_rbm(doi_def,
- secattr,
- &buf,
- &buf_len);
+ secattr,
+ &buf[CIPSO_V4_HDR_LEN],
+ buf_len - CIPSO_V4_HDR_LEN);
break;
default:
ret_val = -EPERM;
@@ -1319,11 +1302,13 @@ int cipso_v4_socket_setattr(const struct
}
iter++;
- } while (ret_val != 0 &&
+ } while (ret_val < 0 &&
iter < CIPSO_V4_TAG_MAXCNT &&
doi_def->tags[iter] != CIPSO_V4_TAG_INVALID);
- if (ret_val != 0)
+ if (ret_val < 0)
goto socket_setattr_failure;
+ cipso_v4_gentag_hdr(doi_def, buf, ret_val);
+ buf_len = CIPSO_V4_HDR_LEN + ret_val;
/* We can't use ip_options_get() directly because it makes a call to
* ip_options_get_alloc() which allocates memory with GFP_KERNEL and
@@ -1397,6 +1382,10 @@ int cipso_v4_sock_getattr(struct sock *s
rcu_read_unlock();
return -ENOMSG;
}
+
+ /* XXX - This code assumes only one tag per CIPSO option which isn't
+ * really a good assumption to make but since we only support the MAC
+ * tags right now it is a safe assumption. */
switch (cipso_ptr[6]) {
case CIPSO_V4_TAG_RBITMAP:
ret_val = cipso_v4_parsetag_rbm(doi_def,
@@ -1459,6 +1448,10 @@ int cipso_v4_skbuff_getattr(const struct
doi_def = cipso_v4_doi_getdef(doi);
if (doi_def == NULL)
goto skbuff_getattr_return;
+
+ /* XXX - This code assumes only one tag per CIPSO option which isn't
+ * really a good assumption to make but since we only support the MAC
+ * tags right now it is a safe assumption. */
switch (cipso_ptr[6]) {
case CIPSO_V4_TAG_RBITMAP:
ret_val = cipso_v4_parsetag_rbm(doi_def,
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-11-17 22:43 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-11-17 22:38 [PATCH 00/13] NetLabel cleanups for 2.6.20 paul.moore
2006-11-17 22:38 ` [PATCH 01/13] NetLabel: use gfp_t instead of int where it makes sense paul.moore
2006-11-17 22:38 ` [PATCH 02/13] NetLabel: convert the unlabeled accept flag to use RCU paul.moore
2006-11-17 22:38 ` [PATCH 03/13] NetLabel: change netlbl_secattr_init() to return void paul.moore
2006-11-17 22:38 ` [PATCH 04/13] NetLabel: make netlbl_lsm_secattr struct easier/quicker to understand paul.moore
2006-11-17 22:38 ` [PATCH 05/13] NetLabel: check for a CIPSOv4 option before we do call into the CIPSOv4 layer paul.moore
2006-11-17 22:38 ` [PATCH 06/13] NetLabel: add tag verification when adding new CIPSOv4 DOI definitions paul.moore
2006-11-17 22:38 ` paul.moore [this message]
2006-11-17 22:38 ` [PATCH 08/13] NetLabel: return the correct error for translated CIPSOv4 tags paul.moore
2006-11-17 22:38 ` [PATCH 09/13] NetLabel: use the correct CIPSOv4 MLS label limits paul.moore
2006-11-17 22:38 ` [PATCH 10/13] NetLabel: use cipso_v4_doi_search() for local CIPSOv4 functions paul.moore
2006-11-24 1:24 ` Eric Paris
2006-11-24 5:53 ` Al Viro
2006-11-17 22:38 ` [PATCH 11/13] NetLabel: SELinux cleanups paul.moore
2006-11-17 22:38 ` [PATCH 12/13] SELinux: peer secid consolidation for external network labeling paul.moore
2006-11-17 22:38 ` [PATCH 13/13] NetLabel: honor the audit_enabled flag paul.moore
2006-11-18 4:12 ` [PATCH 00/13] NetLabel cleanups for 2.6.20 [GIT] James Morris
2006-11-18 16:10 ` Paul Moore
2006-11-19 3:19 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061117224334.941485000@hp.com \
--to=paul.moore@hp.com \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).