[PATCH 0/4] Fix the NetLabel LSM category mappings

[PATCH 0/4] Fix the NetLabel LSM category mappings

[Paul Moore]

As you will see in the patch descriptions below, the NetLabel LSM
category mappings are very badly broken.  This patchset should repair
things and make life better in the future.  The first three patches
are straight-up bug fixes; the fourth patch doesn't actually fix any
faulty logic in the code, but rather shortens some stupidly long
function and structure names relating to the NetLabel category
mappings.  I should probably do something similar with a lot of other
NetLabel APIs, but that is for another time.

Thanks to Christian Evans for pointing out one of the original
problems.  I don't think he realized how many problems there really
were, but I still owe him one for getting me to revisit this ugly,
nasty code.  I apologize it took so long to get a fix out and that
things were broken this badly in the first place.

Casey, I'm CC'ing you here because this patchset does touch some of
the Smack code, but as you can see the changes are trivial.  I will
be very surprised if you find anything objectionable in there.
However, if you do, let me know and I'll fix it.

DaveM/netdev folks, you guys are included here for the obvious reason
that a good chunk of the code changes live in net/*.  However, the
net/* related changes are all within the NetLabel code and not in the
core networking stack so I doubt this is something you'll care too
much about.  I'm going to guess that as far as you're concerned, this
is just another bugfix to a subsystem you don't really care about.

DaveM, unless you have any objections, I'm planning on pushing this
via the SELinux tree up through James' LSM tree since that seems to
make the most sense to me.  If you would rather push it via the netdev
tree please let me know.

-Paul

---

Paul Moore (4):
      netlabel: fix a problem when setting bits below the previously lowest bit
      netlabel: fix the horribly broken catmap functions
      netlabel: fix the catmap walking functions
      netlabel: shorter names for the NetLabel catmap funcs/structs


 include/net/netlabel.h        |   94 +++++++-----
 net/ipv4/cipso_ipv4.c         |   47 ++----
 net/netlabel/netlabel_kapi.c  |  327 ++++++++++++++++++++++++++++-------------
 security/selinux/ss/ebitmap.c |  133 +++++++----------
 security/selinux/ss/ebitmap.h |    8 +
 security/smack/smack_access.c |   11 +
 security/smack/smack_lsm.c    |    6 -
 security/smack/smackfs.c      |   14 +-
 8 files changed, 366 insertions(+), 274 deletions(-)

[PATCH 1/4] netlabel: fix a problem when setting bits below the previously lowest bit

[Paul Moore]

The NetLabel category (catmap) functions have a problem in that they
assume categories will be set in an increasing manner, e.g. the next
category set will always be larger than the last.  Unfortunately, this
is not a valid assumption and could result in problems when attempting
to set categories less than the startbit in the lowest catmap node.
In some cases kernel panics and other nasties can result.

This patch corrects the problem by checking for this and allocating a
new catmap node instance and placing it at the front of the list.

Cc: stable@vger.kernel.org
Reported-by: Christian Evans <frodox@zoho.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
 include/net/netlabel.h        |    8 ++++----
 net/ipv4/cipso_ipv4.c         |    6 +++---
 net/netlabel/netlabel_kapi.c  |   26 ++++++++++++++++++--------
 security/smack/smack_access.c |    2 +-
 4 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 4fe018c..1c40d65 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -394,10 +394,10 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
 			       u32 offset);
 int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
 				   u32 offset);
-int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
+int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
 				 u32 bit,
 				 gfp_t flags);
-int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
+int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
 				 u32 start,
 				 u32 end,
 				 gfp_t flags);
@@ -505,14 +505,14 @@ static inline int netlbl_secattr_catmap_walk_rng(
 	return -ENOENT;
 }
 static inline int netlbl_secattr_catmap_setbit(
-	                              struct netlbl_lsm_secattr_catmap *catmap,
+				      struct netlbl_lsm_secattr_catmap **catmap,
 				      u32 bit,
 				      gfp_t flags)
 {
 	return 0;
 }
 static inline int netlbl_secattr_catmap_setrng(
-	                              struct netlbl_lsm_secattr_catmap *catmap,
+				      struct netlbl_lsm_secattr_catmap **catmap,
 				      u32 start,
 				      u32 end,
 				      gfp_t flags)
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 69e77c8..dd433c9 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -973,7 +973,7 @@ static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def,
 				return -EPERM;
 			break;
 		}
-		ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat,
+		ret_val = netlbl_secattr_catmap_setbit(&secattr->attr.mls.cat,
 						       host_spot,
 						       GFP_ATOMIC);
 		if (ret_val != 0)
@@ -1075,7 +1075,7 @@ static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def,
 	u32 iter;
 
 	for (iter = 0; iter < net_cat_len; iter += 2) {
-		ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat,
+		ret_val = netlbl_secattr_catmap_setbit(&secattr->attr.mls.cat,
 				get_unaligned_be16(&net_cat[iter]),
 				GFP_ATOMIC);
 		if (ret_val != 0)
@@ -1217,7 +1217,7 @@ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,
 		else
 			cat_low = 0;
 
-		ret_val = netlbl_secattr_catmap_setrng(secattr->attr.mls.cat,
+		ret_val = netlbl_secattr_catmap_setrng(&secattr->attr.mls.cat,
 						       cat_low,
 						       cat_high,
 						       GFP_ATOMIC);
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 3045a96..84e810b 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -522,7 +522,7 @@ int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
 
 /**
  * netlbl_secattr_catmap_setbit - Set a bit in a LSM secattr catmap
- * @catmap: the category bitmap
+ * @catmap: pointer to the category bitmap
  * @bit: the bit to set
  * @flags: memory allocation flags
  *
@@ -531,18 +531,25 @@ int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
  * negative values on failure.
  *
  */
-int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
+int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
 				 u32 bit,
 				 gfp_t flags)
 {
-	struct netlbl_lsm_secattr_catmap *iter = catmap;
+	struct netlbl_lsm_secattr_catmap *iter = *catmap;
 	u32 node_bit;
 	u32 node_idx;
 
 	while (iter->next != NULL &&
 	       bit >= (iter->startbit + NETLBL_CATMAP_SIZE))
 		iter = iter->next;
-	if (bit >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
+	if (bit < iter->startbit) {
+		iter = netlbl_secattr_catmap_alloc(flags);
+		if (iter == NULL)
+			return -ENOMEM;
+		iter->next = *catmap;
+		iter->startbit = bit & ~(NETLBL_CATMAP_SIZE - 1);
+		*catmap = iter;
+	} else if (bit >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
 		iter->next = netlbl_secattr_catmap_alloc(flags);
 		if (iter->next == NULL)
 			return -ENOMEM;
@@ -560,7 +567,7 @@ int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
 
 /**
  * netlbl_secattr_catmap_setrng - Set a range of bits in a LSM secattr catmap
- * @catmap: the category bitmap
+ * @catmap: pointer to the category bitmap
  * @start: the starting bit
  * @end: the last bit in the string
  * @flags: memory allocation flags
@@ -570,15 +577,16 @@ int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
  * on success, negative values on failure.
  *
  */
-int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
+int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
 				 u32 start,
 				 u32 end,
 				 gfp_t flags)
 {
 	int ret_val = 0;
-	struct netlbl_lsm_secattr_catmap *iter = catmap;
+	struct netlbl_lsm_secattr_catmap *iter = *catmap;
 	u32 iter_max_spot;
 	u32 spot;
+	u32 orig_spot = iter->startbit;
 
 	/* XXX - This could probably be made a bit faster by combining writes
 	 * to the catmap instead of setting a single bit each time, but for
@@ -596,7 +604,9 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
 			iter = iter->next;
 			iter_max_spot = iter->startbit + NETLBL_CATMAP_SIZE;
 		}
-		ret_val = netlbl_secattr_catmap_setbit(iter, spot, flags);
+		ret_val = netlbl_secattr_catmap_setbit(&iter, spot, flags);
+		if (iter->startbit < orig_spot)
+			*catmap = iter;
 	}
 
 	return ret_val;
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 14293cd..9ecf4f4 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -444,7 +444,7 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,
 		for (m = 0x80; m != 0; m >>= 1, cat++) {
 			if ((m & *cp) == 0)
 				continue;
-			rc = netlbl_secattr_catmap_setbit(sap->attr.mls.cat,
+			rc = netlbl_secattr_catmap_setbit(&sap->attr.mls.cat,
 							  cat, GFP_ATOMIC);
 			if (rc < 0) {
 				netlbl_secattr_catmap_free(sap->attr.mls.cat);

Re: [PATCH 1/4] netlabel: fix a problem when setting bits below the previously lowest bit

[Casey Schaufler]

On 7/31/2014 2:44 PM, Paul Moore wrote:
> The NetLabel category (catmap) functions have a problem in that they
> assume categories will be set in an increasing manner, e.g. the next
> category set will always be larger than the last.  Unfortunately, this
> is not a valid assumption and could result in problems when attempting
> to set categories less than the startbit in the lowest catmap node.
> In some cases kernel panics and other nasties can result.
>
> This patch corrects the problem by checking for this and allocating a
> new catmap node instance and placing it at the front of the list.
>
> Cc: stable@vger.kernel.org
> Reported-by: Christian Evans <frodox@zoho.com>
> Signed-off-by: Paul Moore <pmoore@redhat.com>

Tested-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
>  include/net/netlabel.h        |    8 ++++----
>  net/ipv4/cipso_ipv4.c         |    6 +++---
>  net/netlabel/netlabel_kapi.c  |   26 ++++++++++++++++++--------
>  security/smack/smack_access.c |    2 +-
>  4 files changed, 26 insertions(+), 16 deletions(-)
>
> diff --git a/include/net/netlabel.h b/include/net/netlabel.h
> index 4fe018c..1c40d65 100644
> --- a/include/net/netlabel.h
> +++ b/include/net/netlabel.h
> @@ -394,10 +394,10 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
>  			       u32 offset);
>  int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
>  				   u32 offset);
> -int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
> +int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
>  				 u32 bit,
>  				 gfp_t flags);
> -int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
> +int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
>  				 u32 start,
>  				 u32 end,
>  				 gfp_t flags);
> @@ -505,14 +505,14 @@ static inline int netlbl_secattr_catmap_walk_rng(
>  	return -ENOENT;
>  }
>  static inline int netlbl_secattr_catmap_setbit(
> -	                              struct netlbl_lsm_secattr_catmap *catmap,
> +				      struct netlbl_lsm_secattr_catmap **catmap,
>  				      u32 bit,
>  				      gfp_t flags)
>  {
>  	return 0;
>  }
>  static inline int netlbl_secattr_catmap_setrng(
> -	                              struct netlbl_lsm_secattr_catmap *catmap,
> +				      struct netlbl_lsm_secattr_catmap **catmap,
>  				      u32 start,
>  				      u32 end,
>  				      gfp_t flags)
> diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
> index 69e77c8..dd433c9 100644
> --- a/net/ipv4/cipso_ipv4.c
> +++ b/net/ipv4/cipso_ipv4.c
> @@ -973,7 +973,7 @@ static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def,
>  				return -EPERM;
>  			break;
>  		}
> -		ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat,
> +		ret_val = netlbl_secattr_catmap_setbit(&secattr->attr.mls.cat,
>  						       host_spot,
>  						       GFP_ATOMIC);
>  		if (ret_val != 0)
> @@ -1075,7 +1075,7 @@ static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def,
>  	u32 iter;
>  
>  	for (iter = 0; iter < net_cat_len; iter += 2) {
> -		ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat,
> +		ret_val = netlbl_secattr_catmap_setbit(&secattr->attr.mls.cat,
>  				get_unaligned_be16(&net_cat[iter]),
>  				GFP_ATOMIC);
>  		if (ret_val != 0)
> @@ -1217,7 +1217,7 @@ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,
>  		else
>  			cat_low = 0;
>  
> -		ret_val = netlbl_secattr_catmap_setrng(secattr->attr.mls.cat,
> +		ret_val = netlbl_secattr_catmap_setrng(&secattr->attr.mls.cat,
>  						       cat_low,
>  						       cat_high,
>  						       GFP_ATOMIC);
> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index 3045a96..84e810b 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -522,7 +522,7 @@ int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
>  
>  /**
>   * netlbl_secattr_catmap_setbit - Set a bit in a LSM secattr catmap
> - * @catmap: the category bitmap
> + * @catmap: pointer to the category bitmap
>   * @bit: the bit to set
>   * @flags: memory allocation flags
>   *
> @@ -531,18 +531,25 @@ int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
>   * negative values on failure.
>   *
>   */
> -int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
> +int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
>  				 u32 bit,
>  				 gfp_t flags)
>  {
> -	struct netlbl_lsm_secattr_catmap *iter = catmap;
> +	struct netlbl_lsm_secattr_catmap *iter = *catmap;
>  	u32 node_bit;
>  	u32 node_idx;
>  
>  	while (iter->next != NULL &&
>  	       bit >= (iter->startbit + NETLBL_CATMAP_SIZE))
>  		iter = iter->next;
> -	if (bit >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
> +	if (bit < iter->startbit) {
> +		iter = netlbl_secattr_catmap_alloc(flags);
> +		if (iter == NULL)
> +			return -ENOMEM;
> +		iter->next = *catmap;
> +		iter->startbit = bit & ~(NETLBL_CATMAP_SIZE - 1);
> +		*catmap = iter;
> +	} else if (bit >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
>  		iter->next = netlbl_secattr_catmap_alloc(flags);
>  		if (iter->next == NULL)
>  			return -ENOMEM;
> @@ -560,7 +567,7 @@ int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
>  
>  /**
>   * netlbl_secattr_catmap_setrng - Set a range of bits in a LSM secattr catmap
> - * @catmap: the category bitmap
> + * @catmap: pointer to the category bitmap
>   * @start: the starting bit
>   * @end: the last bit in the string
>   * @flags: memory allocation flags
> @@ -570,15 +577,16 @@ int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap *catmap,
>   * on success, negative values on failure.
>   *
>   */
> -int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
> +int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
>  				 u32 start,
>  				 u32 end,
>  				 gfp_t flags)
>  {
>  	int ret_val = 0;
> -	struct netlbl_lsm_secattr_catmap *iter = catmap;
> +	struct netlbl_lsm_secattr_catmap *iter = *catmap;
>  	u32 iter_max_spot;
>  	u32 spot;
> +	u32 orig_spot = iter->startbit;
>  
>  	/* XXX - This could probably be made a bit faster by combining writes
>  	 * to the catmap instead of setting a single bit each time, but for
> @@ -596,7 +604,9 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
>  			iter = iter->next;
>  			iter_max_spot = iter->startbit + NETLBL_CATMAP_SIZE;
>  		}
> -		ret_val = netlbl_secattr_catmap_setbit(iter, spot, flags);
> +		ret_val = netlbl_secattr_catmap_setbit(&iter, spot, flags);
> +		if (iter->startbit < orig_spot)
> +			*catmap = iter;
>  	}
>  
>  	return ret_val;
> diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
> index 14293cd..9ecf4f4 100644
> --- a/security/smack/smack_access.c
> +++ b/security/smack/smack_access.c
> @@ -444,7 +444,7 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,
>  		for (m = 0x80; m != 0; m >>= 1, cat++) {
>  			if ((m & *cp) == 0)
>  				continue;
> -			rc = netlbl_secattr_catmap_setbit(sap->attr.mls.cat,
> +			rc = netlbl_secattr_catmap_setbit(&sap->attr.mls.cat,
>  							  cat, GFP_ATOMIC);
>  			if (rc < 0) {
>  				netlbl_secattr_catmap_free(sap->attr.mls.cat);
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

[PATCH 2/4] netlabel: fix the horribly broken catmap functions

[Paul Moore]

The NetLabel secattr catmap functions, and the SELinux import/export
glue routines, were broken in many horrible ways and the SELinux glue
code fiddled with the NetLabel catmap structures in ways that we
probably shouldn't allow.  At some point this "worked", but that was
likely due to a bit of dumb luck and sub-par testing (both inflicted
by yours truly).  This patch corrects these problems by basically
gutting the code in favor of something less obtuse and restoring the
NetLabel abstractions in the SELinux catmap glue code.

Everything is working now, and if it decides to break itself in the
future this code will be much easier to debug than the code it
replaces.

One noteworthy side effect of the changes is that it is no longer
necessary to allocate a NetLabel catmap before calling one of the
NetLabel APIs to set a bit in the catmap.  NetLabel will automatically
allocate the catmap nodes when needed, resulting in less allocations
when the lowest bit is greater than 255 and less code in the LSMs.

Cc: stable@vger.kernel.org
Reported-by: Christian Evans <frodox@zoho.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
 include/net/netlabel.h        |   26 +++++
 net/ipv4/cipso_ipv4.c         |   12 --
 net/netlabel/netlabel_kapi.c  |  216 ++++++++++++++++++++++++++++++++---------
 security/selinux/ss/ebitmap.c |  127 +++++++++---------------
 security/smack/smack_access.c |    5 -
 5 files changed, 240 insertions(+), 146 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 1c40d65..bda7a12 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -285,11 +285,11 @@ static inline void netlbl_secattr_catmap_free(
 {
 	struct netlbl_lsm_secattr_catmap *iter;
 
-	do {
+	while (catmap) {
 		iter = catmap;
 		catmap = catmap->next;
 		kfree(iter);
-	} while (catmap);
+	}
 }
 
 /**
@@ -394,6 +394,9 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
 			       u32 offset);
 int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
 				   u32 offset);
+int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
+				  u32 *offset,
+				  unsigned long *bitmap);
 int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
 				 u32 bit,
 				 gfp_t flags);
@@ -401,6 +404,10 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
 				 u32 start,
 				 u32 end,
 				 gfp_t flags);
+int netlbl_secattr_catmap_setlong(struct netlbl_lsm_secattr_catmap **catmap,
+				  u32 offset,
+				  unsigned long bitmap,
+				  gfp_t flags);
 
 /*
  * LSM protocol operations (NetLabel LSM/kernel API)
@@ -504,6 +511,13 @@ static inline int netlbl_secattr_catmap_walk_rng(
 {
 	return -ENOENT;
 }
+static inline int netlbl_secattr_catmap_getlong(
+				      struct netlbl_lsm_secattr_catmap *catmap,
+				      u32 *offset,
+				      unsigned long *bitmap)
+{
+	return 0;
+}
 static inline int netlbl_secattr_catmap_setbit(
 				      struct netlbl_lsm_secattr_catmap **catmap,
 				      u32 bit,
@@ -519,6 +533,14 @@ static inline int netlbl_secattr_catmap_setrng(
 {
 	return 0;
 }
+static int netlbl_secattr_catmap_setlong(
+				      struct netlbl_lsm_secattr_catmap **catmap,
+				      u32 offset,
+				      unsigned long bitmap,
+				      gfp_t flags)
+{
+	return 0;
+}
 static inline int netlbl_enabled(void)
 {
 	return 0;
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index dd433c9..8a0c7bd 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1335,10 +1335,6 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
 	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
 
 	if (tag_len > 4) {
-		secattr->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
-		if (secattr->attr.mls.cat == NULL)
-			return -ENOMEM;
-
 		ret_val = cipso_v4_map_cat_rbm_ntoh(doi_def,
 						    &tag[4],
 						    tag_len - 4,
@@ -1430,10 +1426,6 @@ static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def,
 	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
 
 	if (tag_len > 4) {
-		secattr->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
-		if (secattr->attr.mls.cat == NULL)
-			return -ENOMEM;
-
 		ret_val = cipso_v4_map_cat_enum_ntoh(doi_def,
 						     &tag[4],
 						     tag_len - 4,
@@ -1524,10 +1516,6 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
 	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
 
 	if (tag_len > 4) {
-		secattr->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
-		if (secattr->attr.mls.cat == NULL)
-			return -ENOMEM;
-
 		ret_val = cipso_v4_map_cat_rng_ntoh(doi_def,
 						    &tag[4],
 						    tag_len - 4,
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 84e810b..d9e1046 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -405,6 +405,63 @@ out_entry:
  * Security Attribute Functions
  */
 
+#define _CM_F_NONE	0x00000000
+#define _CM_F_ALLOC	0x00000001
+
+/**
+ * _netlbl_secattr_catmap_getnode - Get a individual node from a catmap
+ * @catmap: pointer to the category bitmap
+ * @offset: the requested offset
+ * @cm_flags: catmap flags, see _CM_F_*
+ * @gfp_flags: memory allocation flags
+ *
+ * Description:
+ * Iterate through the catmap looking for the node associated with @offset; if
+ * the _CM_F_ALLOC flag is set in @cm_flags and there is no associated node,
+ * one will be created and inserted into the catmap.  Returns a pointer to the
+ * node on success, NULL on failure.
+ *
+ */
+static struct netlbl_lsm_secattr_catmap *_netlbl_secattr_catmap_getnode(
+				struct netlbl_lsm_secattr_catmap **catmap,
+				u32 offset,
+				unsigned int cm_flags,
+				gfp_t gfp_flags)
+{
+	struct netlbl_lsm_secattr_catmap *iter = *catmap;
+	struct netlbl_lsm_secattr_catmap *prev = NULL;
+
+	if (iter == NULL || offset < iter->startbit)
+		goto secattr_catmap_getnode_alloc;
+	while (iter && offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
+		prev = iter;
+		iter = iter->next;
+	}
+	if (iter == NULL || offset < iter->startbit)
+		goto secattr_catmap_getnode_alloc;
+
+	return iter;
+
+secattr_catmap_getnode_alloc:
+	if (!(cm_flags & _CM_F_ALLOC))
+		return NULL;
+
+	iter = netlbl_secattr_catmap_alloc(gfp_flags);
+	if (iter == NULL)
+		return NULL;
+	iter->startbit = offset & ~(NETLBL_CATMAP_SIZE - 1);
+
+	if (prev == NULL) {
+		iter->next = *catmap;
+		*catmap = iter;
+	} else {
+		iter->next = prev->next;
+		prev->next = iter;
+	}
+
+	return iter;
+}
+
 /**
  * netlbl_secattr_catmap_walk - Walk a LSM secattr catmap looking for a bit
  * @catmap: the category bitmap
@@ -521,6 +578,54 @@ int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
 }
 
 /**
+ * netlbl_secattr_catmap_getlong - Export an unsigned long bitmap
+ * @catmap: pointer to the category bitmap
+ * @offset: pointer to the requested offset
+ * @bitmap: the exported bitmap
+ *
+ * Description:
+ * Export a bitmap with an offset greater than or equal to @offset and return
+ * it in @bitmap.  The @offset must be aligned to an unsigned long and will be
+ * updated on return if different from what was requested; if the catmap is
+ * empty at the requested offset and beyond, the @offset is set to (u32)-1.
+ * Returns zero on sucess, negative values on failure.
+ *
+ */
+int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
+				  u32 *offset,
+				  unsigned long *bitmap)
+{
+	struct netlbl_lsm_secattr_catmap *iter;
+	u32 off = *offset;
+	u32 idx;
+
+	/* only allow aligned offsets */
+	if ((off & (BITS_PER_LONG - 1)) != 0)
+		return -EINVAL;
+
+	if (off < catmap->startbit) {
+		off = catmap->startbit;
+		*offset = off;
+	}
+	iter = _netlbl_secattr_catmap_getnode(&catmap, off, _CM_F_NONE, 0);
+	if (iter == NULL) {
+		*offset = (u32)-1;
+		return 0;
+	}
+
+	if (off < iter->startbit) {
+		off = iter->startbit;
+		*offset = off;
+	} else
+		off -= iter->startbit;
+
+	idx = off / NETLBL_CATMAP_MAPSIZE;
+	*bitmap = iter->bitmap[idx] >> (off % NETLBL_CATMAP_SIZE);
+
+	return 0;
+}
+
+/**
  * netlbl_secattr_catmap_setbit - Set a bit in a LSM secattr catmap
  * @catmap: pointer to the category bitmap
  * @bit: the bit to set
@@ -535,32 +640,16 @@ int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
 				 u32 bit,
 				 gfp_t flags)
 {
-	struct netlbl_lsm_secattr_catmap *iter = *catmap;
-	u32 node_bit;
-	u32 node_idx;
+	struct netlbl_lsm_secattr_catmap *iter;
+	u32 idx;
 
-	while (iter->next != NULL &&
-	       bit >= (iter->startbit + NETLBL_CATMAP_SIZE))
-		iter = iter->next;
-	if (bit < iter->startbit) {
-		iter = netlbl_secattr_catmap_alloc(flags);
-		if (iter == NULL)
-			return -ENOMEM;
-		iter->next = *catmap;
-		iter->startbit = bit & ~(NETLBL_CATMAP_SIZE - 1);
-		*catmap = iter;
-	} else if (bit >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
-		iter->next = netlbl_secattr_catmap_alloc(flags);
-		if (iter->next == NULL)
-			return -ENOMEM;
-		iter = iter->next;
-		iter->startbit = bit & ~(NETLBL_CATMAP_SIZE - 1);
-	}
+	iter = _netlbl_secattr_catmap_getnode(catmap, bit, _CM_F_ALLOC, flags);
+	if (iter == NULL)
+		return -ENOMEM;
 
-	/* gcc always rounds to zero when doing integer division */
-	node_idx = (bit - iter->startbit) / NETLBL_CATMAP_MAPSIZE;
-	node_bit = bit - iter->startbit - (NETLBL_CATMAP_MAPSIZE * node_idx);
-	iter->bitmap[node_idx] |= NETLBL_CATMAP_BIT << node_bit;
+	bit -= iter->startbit;
+	idx = bit / NETLBL_CATMAP_MAPSIZE;
+	iter->bitmap[idx] |= NETLBL_CATMAP_BIT << (bit % NETLBL_CATMAP_MAPSIZE);
 
 	return 0;
 }
@@ -582,34 +671,61 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
 				 u32 end,
 				 gfp_t flags)
 {
-	int ret_val = 0;
-	struct netlbl_lsm_secattr_catmap *iter = *catmap;
-	u32 iter_max_spot;
-	u32 spot;
-	u32 orig_spot = iter->startbit;
-
-	/* XXX - This could probably be made a bit faster by combining writes
-	 * to the catmap instead of setting a single bit each time, but for
-	 * right now skipping to the start of the range in the catmap should
-	 * be a nice improvement over calling the individual setbit function
-	 * repeatedly from a loop. */
-
-	while (iter->next != NULL &&
-	       start >= (iter->startbit + NETLBL_CATMAP_SIZE))
-		iter = iter->next;
-	iter_max_spot = iter->startbit + NETLBL_CATMAP_SIZE;
-
-	for (spot = start; spot <= end && ret_val == 0; spot++) {
-		if (spot >= iter_max_spot && iter->next != NULL) {
-			iter = iter->next;
-			iter_max_spot = iter->startbit + NETLBL_CATMAP_SIZE;
-		}
-		ret_val = netlbl_secattr_catmap_setbit(&iter, spot, flags);
-		if (iter->startbit < orig_spot)
-			*catmap = iter;
+	int rc = 0;
+	u32 spot = start;
+
+	while (rc == 0 && spot <= end) {
+		if (((spot & (BITS_PER_LONG - 1)) != 0) &&
+		    ((end - spot) > BITS_PER_LONG)) {
+			rc = netlbl_secattr_catmap_setlong(catmap,
+							   spot,
+							   (unsigned long)-1,
+							   flags);
+			spot += BITS_PER_LONG;
+		} else
+			rc = netlbl_secattr_catmap_setbit(catmap,
+							  spot++,
+							  flags);
 	}
 
-	return ret_val;
+	return rc;
+}
+
+/**
+ * netlbl_secattr_catmap_setlong - Import an unsigned long bitmap
+ * @catmap: pointer to the category bitmap
+ * @offset: offset to the start of the imported bitmap
+ * @bitmap: the bitmap to import
+ * @flags: memory allocation flags
+ *
+ * Description:
+ * Import the bitmap specified in @bitmap into @catmap, using the offset
+ * in @offset.  The offset must be aligned to an unsigned long.  Returns zero
+ * on success, negative values on failure.
+ *
+ */
+int netlbl_secattr_catmap_setlong(struct netlbl_lsm_secattr_catmap **catmap,
+				  u32 offset,
+				  unsigned long bitmap,
+				  gfp_t flags)
+{
+	struct netlbl_lsm_secattr_catmap *iter;
+	u32 idx;
+
+	/* only allow aligned offsets */
+	if ((offset & (BITS_PER_LONG - 1)) != 0)
+		return -EINVAL;
+
+	iter = _netlbl_secattr_catmap_getnode(catmap,
+					      offset, _CM_F_ALLOC, flags);
+	if (iter == NULL)
+		return -ENOMEM;
+
+	offset -= iter->startbit;
+	idx = offset / NETLBL_CATMAP_MAPSIZE;
+	iter->bitmap[idx] |= bitmap << (offset % NETLBL_CATMAP_MAPSIZE);
+
+	return 0;
 }
 
 /*
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index 820313a..842deca 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -89,48 +89,33 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
 			  struct netlbl_lsm_secattr_catmap **catmap)
 {
 	struct ebitmap_node *e_iter = ebmap->node;
-	struct netlbl_lsm_secattr_catmap *c_iter;
-	u32 cmap_idx, cmap_sft;
-	int i;
-
-	/* NetLabel's NETLBL_CATMAP_MAPTYPE is defined as an array of u64,
-	 * however, it is not always compatible with an array of unsigned long
-	 * in ebitmap_node.
-	 * In addition, you should pay attention the following implementation
-	 * assumes unsigned long has a width equal with or less than 64-bit.
-	 */
+	unsigned long e_map;
+	u32 offset;
+	unsigned int iter;
+	int rc;
 
 	if (e_iter == NULL) {
 		*catmap = NULL;
 		return 0;
 	}
 
-	c_iter = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
-	if (c_iter == NULL)
-		return -ENOMEM;
-	*catmap = c_iter;
-	c_iter->startbit = e_iter->startbit & ~(NETLBL_CATMAP_SIZE - 1);
+	if (*catmap != NULL)
+		netlbl_secattr_catmap_free(*catmap);
+	*catmap = NULL;
 
 	while (e_iter) {
-		for (i = 0; i < EBITMAP_UNIT_NUMS; i++) {
-			unsigned int delta, e_startbit, c_endbit;
-
-			e_startbit = e_iter->startbit + i * EBITMAP_UNIT_SIZE;
-			c_endbit = c_iter->startbit + NETLBL_CATMAP_SIZE;
-			if (e_startbit >= c_endbit) {
-				c_iter->next
-				  = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
-				if (c_iter->next == NULL)
+		offset = e_iter->startbit;
+		for (iter = 0; iter < EBITMAP_UNIT_NUMS; iter++) {
+			e_map = e_iter->maps[iter];
+			if (e_map != 0) {
+				rc = netlbl_secattr_catmap_setlong(catmap,
+								   offset,
+								   e_map,
+								   GFP_ATOMIC);
+				if (rc != 0)
 					goto netlbl_export_failure;
-				c_iter = c_iter->next;
-				c_iter->startbit
-				  = e_startbit & ~(NETLBL_CATMAP_SIZE - 1);
 			}
-			delta = e_startbit - c_iter->startbit;
-			cmap_idx = delta / NETLBL_CATMAP_MAPSIZE;
-			cmap_sft = delta % NETLBL_CATMAP_MAPSIZE;
-			c_iter->bitmap[cmap_idx]
-				|= e_iter->maps[i] << cmap_sft;
+			offset += EBITMAP_UNIT_SIZE;
 		}
 		e_iter = e_iter->next;
 	}
@@ -155,56 +140,42 @@ netlbl_export_failure:
 int ebitmap_netlbl_import(struct ebitmap *ebmap,
 			  struct netlbl_lsm_secattr_catmap *catmap)
 {
+	int rc;
 	struct ebitmap_node *e_iter = NULL;
-	struct ebitmap_node *emap_prev = NULL;
-	struct netlbl_lsm_secattr_catmap *c_iter = catmap;
-	u32 c_idx, c_pos, e_idx, e_sft;
-
-	/* NetLabel's NETLBL_CATMAP_MAPTYPE is defined as an array of u64,
-	 * however, it is not always compatible with an array of unsigned long
-	 * in ebitmap_node.
-	 * In addition, you should pay attention the following implementation
-	 * assumes unsigned long has a width equal with or less than 64-bit.
-	 */
-
-	do {
-		for (c_idx = 0; c_idx < NETLBL_CATMAP_MAPCNT; c_idx++) {
-			unsigned int delta;
-			u64 map = c_iter->bitmap[c_idx];
-
-			if (!map)
-				continue;
+	struct ebitmap_node *e_prev = NULL;
+	u32 offset = 0, idx;
+	unsigned long bitmap;
+
+	for (;;) {
+		rc = netlbl_secattr_catmap_getlong(catmap, &offset, &bitmap);
+		if (rc < 0)
+			goto netlbl_import_failure;
+		if (offset == (u32)-1)
+			return 0;
 
-			c_pos = c_iter->startbit
-				+ c_idx * NETLBL_CATMAP_MAPSIZE;
-			if (!e_iter
-			    || c_pos >= e_iter->startbit + EBITMAP_SIZE) {
-				e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC);
-				if (!e_iter)
-					goto netlbl_import_failure;
-				e_iter->startbit
-					= c_pos - (c_pos % EBITMAP_SIZE);
-				if (emap_prev == NULL)
-					ebmap->node = e_iter;
-				else
-					emap_prev->next = e_iter;
-				emap_prev = e_iter;
-			}
-			delta = c_pos - e_iter->startbit;
-			e_idx = delta / EBITMAP_UNIT_SIZE;
-			e_sft = delta % EBITMAP_UNIT_SIZE;
-			while (map) {
-				e_iter->maps[e_idx++] |= map & (-1UL);
-				map = EBITMAP_SHIFT_UNIT_SIZE(map);
-			}
+		if (e_iter == NULL ||
+		    offset >= e_iter->startbit + EBITMAP_SIZE) {
+			e_prev = e_iter;
+			e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC);
+			if (e_iter == NULL)
+				goto netlbl_import_failure;
+			e_iter->startbit = offset & ~(EBITMAP_SIZE - 1);
+			if (e_prev == NULL)
+				ebmap->node = e_iter;
+			else
+				e_prev->next = e_iter;
+			ebmap->highbit = e_iter->startbit + EBITMAP_SIZE;
 		}
-		c_iter = c_iter->next;
-	} while (c_iter);
-	if (e_iter != NULL)
-		ebmap->highbit = e_iter->startbit + EBITMAP_SIZE;
-	else
-		ebitmap_destroy(ebmap);
 
+		/* offset will always be aligned to an unsigned long */
+		idx = EBITMAP_NODE_INDEX(e_iter, offset);
+		e_iter->maps[idx] = bitmap;
+
+		/* next */
+		offset += EBITMAP_UNIT_SIZE;
+	}
+
+	/* NOTE: we should never reach this return */
 	return 0;
 
 netlbl_import_failure:
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 9ecf4f4..ea1bc50 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -435,10 +435,7 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,
 
 	sap->flags |= NETLBL_SECATTR_MLS_CAT;
 	sap->attr.mls.lvl = level;
-	sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
-	if (!sap->attr.mls.cat)
-		return -ENOMEM;
-	sap->attr.mls.cat->startbit = 0;
+	sap->attr.mls.cat = NULL;
 
 	for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++)
 		for (m = 0x80; m != 0; m >>= 1, cat++) {

Re: [PATCH 2/4] netlabel: fix the horribly broken catmap functions

[Casey Schaufler]

On 7/31/2014 2:44 PM, Paul Moore wrote:
> The NetLabel secattr catmap functions, and the SELinux import/export
> glue routines, were broken in many horrible ways and the SELinux glue
> code fiddled with the NetLabel catmap structures in ways that we
> probably shouldn't allow.  At some point this "worked", but that was
> likely due to a bit of dumb luck and sub-par testing (both inflicted
> by yours truly).  This patch corrects these problems by basically
> gutting the code in favor of something less obtuse and restoring the
> NetLabel abstractions in the SELinux catmap glue code.
>
> Everything is working now, and if it decides to break itself in the
> future this code will be much easier to debug than the code it
> replaces.
>
> One noteworthy side effect of the changes is that it is no longer
> necessary to allocate a NetLabel catmap before calling one of the
> NetLabel APIs to set a bit in the catmap.  NetLabel will automatically
> allocate the catmap nodes when needed, resulting in less allocations
> when the lowest bit is greater than 255 and less code in the LSMs.
>
> Cc: stable@vger.kernel.org
> Reported-by: Christian Evans <frodox@zoho.com>
> Signed-off-by: Paul Moore <pmoore@redhat.com>

Tested-by: Casey Schaufler <casey@schaufler-ca.com>


> ---
>  include/net/netlabel.h        |   26 +++++
>  net/ipv4/cipso_ipv4.c         |   12 --
>  net/netlabel/netlabel_kapi.c  |  216 ++++++++++++++++++++++++++++++++---------
>  security/selinux/ss/ebitmap.c |  127 +++++++++---------------
>  security/smack/smack_access.c |    5 -
>  5 files changed, 240 insertions(+), 146 deletions(-)
>
> diff --git a/include/net/netlabel.h b/include/net/netlabel.h
> index 1c40d65..bda7a12 100644
> --- a/include/net/netlabel.h
> +++ b/include/net/netlabel.h
> @@ -285,11 +285,11 @@ static inline void netlbl_secattr_catmap_free(
>  {
>  	struct netlbl_lsm_secattr_catmap *iter;
>  
> -	do {
> +	while (catmap) {
>  		iter = catmap;
>  		catmap = catmap->next;
>  		kfree(iter);
> -	} while (catmap);
> +	}
>  }
>  
>  /**
> @@ -394,6 +394,9 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
>  			       u32 offset);
>  int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
>  				   u32 offset);
> +int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
> +				  u32 *offset,
> +				  unsigned long *bitmap);
>  int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
>  				 u32 bit,
>  				 gfp_t flags);
> @@ -401,6 +404,10 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
>  				 u32 start,
>  				 u32 end,
>  				 gfp_t flags);
> +int netlbl_secattr_catmap_setlong(struct netlbl_lsm_secattr_catmap **catmap,
> +				  u32 offset,
> +				  unsigned long bitmap,
> +				  gfp_t flags);
>  
>  /*
>   * LSM protocol operations (NetLabel LSM/kernel API)
> @@ -504,6 +511,13 @@ static inline int netlbl_secattr_catmap_walk_rng(
>  {
>  	return -ENOENT;
>  }
> +static inline int netlbl_secattr_catmap_getlong(
> +				      struct netlbl_lsm_secattr_catmap *catmap,
> +				      u32 *offset,
> +				      unsigned long *bitmap)
> +{
> +	return 0;
> +}
>  static inline int netlbl_secattr_catmap_setbit(
>  				      struct netlbl_lsm_secattr_catmap **catmap,
>  				      u32 bit,
> @@ -519,6 +533,14 @@ static inline int netlbl_secattr_catmap_setrng(
>  {
>  	return 0;
>  }
> +static int netlbl_secattr_catmap_setlong(
> +				      struct netlbl_lsm_secattr_catmap **catmap,
> +				      u32 offset,
> +				      unsigned long bitmap,
> +				      gfp_t flags)
> +{
> +	return 0;
> +}
>  static inline int netlbl_enabled(void)
>  {
>  	return 0;
> diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
> index dd433c9..8a0c7bd 100644
> --- a/net/ipv4/cipso_ipv4.c
> +++ b/net/ipv4/cipso_ipv4.c
> @@ -1335,10 +1335,6 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
>  	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
>  
>  	if (tag_len > 4) {
> -		secattr->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
> -		if (secattr->attr.mls.cat == NULL)
> -			return -ENOMEM;
> -
>  		ret_val = cipso_v4_map_cat_rbm_ntoh(doi_def,
>  						    &tag[4],
>  						    tag_len - 4,
> @@ -1430,10 +1426,6 @@ static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def,
>  	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
>  
>  	if (tag_len > 4) {
> -		secattr->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
> -		if (secattr->attr.mls.cat == NULL)
> -			return -ENOMEM;
> -
>  		ret_val = cipso_v4_map_cat_enum_ntoh(doi_def,
>  						     &tag[4],
>  						     tag_len - 4,
> @@ -1524,10 +1516,6 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
>  	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
>  
>  	if (tag_len > 4) {
> -		secattr->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
> -		if (secattr->attr.mls.cat == NULL)
> -			return -ENOMEM;
> -
>  		ret_val = cipso_v4_map_cat_rng_ntoh(doi_def,
>  						    &tag[4],
>  						    tag_len - 4,
> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index 84e810b..d9e1046 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -405,6 +405,63 @@ out_entry:
>   * Security Attribute Functions
>   */
>  
> +#define _CM_F_NONE	0x00000000
> +#define _CM_F_ALLOC	0x00000001
> +
> +/**
> + * _netlbl_secattr_catmap_getnode - Get a individual node from a catmap
> + * @catmap: pointer to the category bitmap
> + * @offset: the requested offset
> + * @cm_flags: catmap flags, see _CM_F_*
> + * @gfp_flags: memory allocation flags
> + *
> + * Description:
> + * Iterate through the catmap looking for the node associated with @offset; if
> + * the _CM_F_ALLOC flag is set in @cm_flags and there is no associated node,
> + * one will be created and inserted into the catmap.  Returns a pointer to the
> + * node on success, NULL on failure.
> + *
> + */
> +static struct netlbl_lsm_secattr_catmap *_netlbl_secattr_catmap_getnode(
> +				struct netlbl_lsm_secattr_catmap **catmap,
> +				u32 offset,
> +				unsigned int cm_flags,
> +				gfp_t gfp_flags)
> +{
> +	struct netlbl_lsm_secattr_catmap *iter = *catmap;
> +	struct netlbl_lsm_secattr_catmap *prev = NULL;
> +
> +	if (iter == NULL || offset < iter->startbit)
> +		goto secattr_catmap_getnode_alloc;
> +	while (iter && offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
> +		prev = iter;
> +		iter = iter->next;
> +	}
> +	if (iter == NULL || offset < iter->startbit)
> +		goto secattr_catmap_getnode_alloc;
> +
> +	return iter;
> +
> +secattr_catmap_getnode_alloc:
> +	if (!(cm_flags & _CM_F_ALLOC))
> +		return NULL;
> +
> +	iter = netlbl_secattr_catmap_alloc(gfp_flags);
> +	if (iter == NULL)
> +		return NULL;
> +	iter->startbit = offset & ~(NETLBL_CATMAP_SIZE - 1);
> +
> +	if (prev == NULL) {
> +		iter->next = *catmap;
> +		*catmap = iter;
> +	} else {
> +		iter->next = prev->next;
> +		prev->next = iter;
> +	}
> +
> +	return iter;
> +}
> +
>  /**
>   * netlbl_secattr_catmap_walk - Walk a LSM secattr catmap looking for a bit
>   * @catmap: the category bitmap
> @@ -521,6 +578,54 @@ int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
>  }
>  
>  /**
> + * netlbl_secattr_catmap_getlong - Export an unsigned long bitmap
> + * @catmap: pointer to the category bitmap
> + * @offset: pointer to the requested offset
> + * @bitmap: the exported bitmap
> + *
> + * Description:
> + * Export a bitmap with an offset greater than or equal to @offset and return
> + * it in @bitmap.  The @offset must be aligned to an unsigned long and will be
> + * updated on return if different from what was requested; if the catmap is
> + * empty at the requested offset and beyond, the @offset is set to (u32)-1.
> + * Returns zero on sucess, negative values on failure.
> + *
> + */
> +int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
> +				  u32 *offset,
> +				  unsigned long *bitmap)
> +{
> +	struct netlbl_lsm_secattr_catmap *iter;
> +	u32 off = *offset;
> +	u32 idx;
> +
> +	/* only allow aligned offsets */
> +	if ((off & (BITS_PER_LONG - 1)) != 0)
> +		return -EINVAL;
> +
> +	if (off < catmap->startbit) {
> +		off = catmap->startbit;
> +		*offset = off;
> +	}
> +	iter = _netlbl_secattr_catmap_getnode(&catmap, off, _CM_F_NONE, 0);
> +	if (iter == NULL) {
> +		*offset = (u32)-1;
> +		return 0;
> +	}
> +
> +	if (off < iter->startbit) {
> +		off = iter->startbit;
> +		*offset = off;
> +	} else
> +		off -= iter->startbit;
> +
> +	idx = off / NETLBL_CATMAP_MAPSIZE;
> +	*bitmap = iter->bitmap[idx] >> (off % NETLBL_CATMAP_SIZE);
> +
> +	return 0;
> +}
> +
> +/**
>   * netlbl_secattr_catmap_setbit - Set a bit in a LSM secattr catmap
>   * @catmap: pointer to the category bitmap
>   * @bit: the bit to set
> @@ -535,32 +640,16 @@ int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
>  				 u32 bit,
>  				 gfp_t flags)
>  {
> -	struct netlbl_lsm_secattr_catmap *iter = *catmap;
> -	u32 node_bit;
> -	u32 node_idx;
> +	struct netlbl_lsm_secattr_catmap *iter;
> +	u32 idx;
>  
> -	while (iter->next != NULL &&
> -	       bit >= (iter->startbit + NETLBL_CATMAP_SIZE))
> -		iter = iter->next;
> -	if (bit < iter->startbit) {
> -		iter = netlbl_secattr_catmap_alloc(flags);
> -		if (iter == NULL)
> -			return -ENOMEM;
> -		iter->next = *catmap;
> -		iter->startbit = bit & ~(NETLBL_CATMAP_SIZE - 1);
> -		*catmap = iter;
> -	} else if (bit >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
> -		iter->next = netlbl_secattr_catmap_alloc(flags);
> -		if (iter->next == NULL)
> -			return -ENOMEM;
> -		iter = iter->next;
> -		iter->startbit = bit & ~(NETLBL_CATMAP_SIZE - 1);
> -	}
> +	iter = _netlbl_secattr_catmap_getnode(catmap, bit, _CM_F_ALLOC, flags);
> +	if (iter == NULL)
> +		return -ENOMEM;
>  
> -	/* gcc always rounds to zero when doing integer division */
> -	node_idx = (bit - iter->startbit) / NETLBL_CATMAP_MAPSIZE;
> -	node_bit = bit - iter->startbit - (NETLBL_CATMAP_MAPSIZE * node_idx);
> -	iter->bitmap[node_idx] |= NETLBL_CATMAP_BIT << node_bit;
> +	bit -= iter->startbit;
> +	idx = bit / NETLBL_CATMAP_MAPSIZE;
> +	iter->bitmap[idx] |= NETLBL_CATMAP_BIT << (bit % NETLBL_CATMAP_MAPSIZE);
>  
>  	return 0;
>  }
> @@ -582,34 +671,61 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
>  				 u32 end,
>  				 gfp_t flags)
>  {
> -	int ret_val = 0;
> -	struct netlbl_lsm_secattr_catmap *iter = *catmap;
> -	u32 iter_max_spot;
> -	u32 spot;
> -	u32 orig_spot = iter->startbit;
> -
> -	/* XXX - This could probably be made a bit faster by combining writes
> -	 * to the catmap instead of setting a single bit each time, but for
> -	 * right now skipping to the start of the range in the catmap should
> -	 * be a nice improvement over calling the individual setbit function
> -	 * repeatedly from a loop. */
> -
> -	while (iter->next != NULL &&
> -	       start >= (iter->startbit + NETLBL_CATMAP_SIZE))
> -		iter = iter->next;
> -	iter_max_spot = iter->startbit + NETLBL_CATMAP_SIZE;
> -
> -	for (spot = start; spot <= end && ret_val == 0; spot++) {
> -		if (spot >= iter_max_spot && iter->next != NULL) {
> -			iter = iter->next;
> -			iter_max_spot = iter->startbit + NETLBL_CATMAP_SIZE;
> -		}
> -		ret_val = netlbl_secattr_catmap_setbit(&iter, spot, flags);
> -		if (iter->startbit < orig_spot)
> -			*catmap = iter;
> +	int rc = 0;
> +	u32 spot = start;
> +
> +	while (rc == 0 && spot <= end) {
> +		if (((spot & (BITS_PER_LONG - 1)) != 0) &&
> +		    ((end - spot) > BITS_PER_LONG)) {
> +			rc = netlbl_secattr_catmap_setlong(catmap,
> +							   spot,
> +							   (unsigned long)-1,
> +							   flags);
> +			spot += BITS_PER_LONG;
> +		} else
> +			rc = netlbl_secattr_catmap_setbit(catmap,
> +							  spot++,
> +							  flags);
>  	}
>  
> -	return ret_val;
> +	return rc;
> +}
> +
> +/**
> + * netlbl_secattr_catmap_setlong - Import an unsigned long bitmap
> + * @catmap: pointer to the category bitmap
> + * @offset: offset to the start of the imported bitmap
> + * @bitmap: the bitmap to import
> + * @flags: memory allocation flags
> + *
> + * Description:
> + * Import the bitmap specified in @bitmap into @catmap, using the offset
> + * in @offset.  The offset must be aligned to an unsigned long.  Returns zero
> + * on success, negative values on failure.
> + *
> + */
> +int netlbl_secattr_catmap_setlong(struct netlbl_lsm_secattr_catmap **catmap,
> +				  u32 offset,
> +				  unsigned long bitmap,
> +				  gfp_t flags)
> +{
> +	struct netlbl_lsm_secattr_catmap *iter;
> +	u32 idx;
> +
> +	/* only allow aligned offsets */
> +	if ((offset & (BITS_PER_LONG - 1)) != 0)
> +		return -EINVAL;
> +
> +	iter = _netlbl_secattr_catmap_getnode(catmap,
> +					      offset, _CM_F_ALLOC, flags);
> +	if (iter == NULL)
> +		return -ENOMEM;
> +
> +	offset -= iter->startbit;
> +	idx = offset / NETLBL_CATMAP_MAPSIZE;
> +	iter->bitmap[idx] |= bitmap << (offset % NETLBL_CATMAP_MAPSIZE);
> +
> +	return 0;
>  }
>  
>  /*
> diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
> index 820313a..842deca 100644
> --- a/security/selinux/ss/ebitmap.c
> +++ b/security/selinux/ss/ebitmap.c
> @@ -89,48 +89,33 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
>  			  struct netlbl_lsm_secattr_catmap **catmap)
>  {
>  	struct ebitmap_node *e_iter = ebmap->node;
> -	struct netlbl_lsm_secattr_catmap *c_iter;
> -	u32 cmap_idx, cmap_sft;
> -	int i;
> -
> -	/* NetLabel's NETLBL_CATMAP_MAPTYPE is defined as an array of u64,
> -	 * however, it is not always compatible with an array of unsigned long
> -	 * in ebitmap_node.
> -	 * In addition, you should pay attention the following implementation
> -	 * assumes unsigned long has a width equal with or less than 64-bit.
> -	 */
> +	unsigned long e_map;
> +	u32 offset;
> +	unsigned int iter;
> +	int rc;
>  
>  	if (e_iter == NULL) {
>  		*catmap = NULL;
>  		return 0;
>  	}
>  
> -	c_iter = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
> -	if (c_iter == NULL)
> -		return -ENOMEM;
> -	*catmap = c_iter;
> -	c_iter->startbit = e_iter->startbit & ~(NETLBL_CATMAP_SIZE - 1);
> +	if (*catmap != NULL)
> +		netlbl_secattr_catmap_free(*catmap);
> +	*catmap = NULL;
>  
>  	while (e_iter) {
> -		for (i = 0; i < EBITMAP_UNIT_NUMS; i++) {
> -			unsigned int delta, e_startbit, c_endbit;
> -
> -			e_startbit = e_iter->startbit + i * EBITMAP_UNIT_SIZE;
> -			c_endbit = c_iter->startbit + NETLBL_CATMAP_SIZE;
> -			if (e_startbit >= c_endbit) {
> -				c_iter->next
> -				  = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
> -				if (c_iter->next == NULL)
> +		offset = e_iter->startbit;
> +		for (iter = 0; iter < EBITMAP_UNIT_NUMS; iter++) {
> +			e_map = e_iter->maps[iter];
> +			if (e_map != 0) {
> +				rc = netlbl_secattr_catmap_setlong(catmap,
> +								   offset,
> +								   e_map,
> +								   GFP_ATOMIC);
> +				if (rc != 0)
>  					goto netlbl_export_failure;
> -				c_iter = c_iter->next;
> -				c_iter->startbit
> -				  = e_startbit & ~(NETLBL_CATMAP_SIZE - 1);
>  			}
> -			delta = e_startbit - c_iter->startbit;
> -			cmap_idx = delta / NETLBL_CATMAP_MAPSIZE;
> -			cmap_sft = delta % NETLBL_CATMAP_MAPSIZE;
> -			c_iter->bitmap[cmap_idx]
> -				|= e_iter->maps[i] << cmap_sft;
> +			offset += EBITMAP_UNIT_SIZE;
>  		}
>  		e_iter = e_iter->next;
>  	}
> @@ -155,56 +140,42 @@ netlbl_export_failure:
>  int ebitmap_netlbl_import(struct ebitmap *ebmap,
>  			  struct netlbl_lsm_secattr_catmap *catmap)
>  {
> +	int rc;
>  	struct ebitmap_node *e_iter = NULL;
> -	struct ebitmap_node *emap_prev = NULL;
> -	struct netlbl_lsm_secattr_catmap *c_iter = catmap;
> -	u32 c_idx, c_pos, e_idx, e_sft;
> -
> -	/* NetLabel's NETLBL_CATMAP_MAPTYPE is defined as an array of u64,
> -	 * however, it is not always compatible with an array of unsigned long
> -	 * in ebitmap_node.
> -	 * In addition, you should pay attention the following implementation
> -	 * assumes unsigned long has a width equal with or less than 64-bit.
> -	 */
> -
> -	do {
> -		for (c_idx = 0; c_idx < NETLBL_CATMAP_MAPCNT; c_idx++) {
> -			unsigned int delta;
> -			u64 map = c_iter->bitmap[c_idx];
> -
> -			if (!map)
> -				continue;
> +	struct ebitmap_node *e_prev = NULL;
> +	u32 offset = 0, idx;
> +	unsigned long bitmap;
> +
> +	for (;;) {
> +		rc = netlbl_secattr_catmap_getlong(catmap, &offset, &bitmap);
> +		if (rc < 0)
> +			goto netlbl_import_failure;
> +		if (offset == (u32)-1)
> +			return 0;
>  
> -			c_pos = c_iter->startbit
> -				+ c_idx * NETLBL_CATMAP_MAPSIZE;
> -			if (!e_iter
> -			    || c_pos >= e_iter->startbit + EBITMAP_SIZE) {
> -				e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC);
> -				if (!e_iter)
> -					goto netlbl_import_failure;
> -				e_iter->startbit
> -					= c_pos - (c_pos % EBITMAP_SIZE);
> -				if (emap_prev == NULL)
> -					ebmap->node = e_iter;
> -				else
> -					emap_prev->next = e_iter;
> -				emap_prev = e_iter;
> -			}
> -			delta = c_pos - e_iter->startbit;
> -			e_idx = delta / EBITMAP_UNIT_SIZE;
> -			e_sft = delta % EBITMAP_UNIT_SIZE;
> -			while (map) {
> -				e_iter->maps[e_idx++] |= map & (-1UL);
> -				map = EBITMAP_SHIFT_UNIT_SIZE(map);
> -			}
> +		if (e_iter == NULL ||
> +		    offset >= e_iter->startbit + EBITMAP_SIZE) {
> +			e_prev = e_iter;
> +			e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC);
> +			if (e_iter == NULL)
> +				goto netlbl_import_failure;
> +			e_iter->startbit = offset & ~(EBITMAP_SIZE - 1);
> +			if (e_prev == NULL)
> +				ebmap->node = e_iter;
> +			else
> +				e_prev->next = e_iter;
> +			ebmap->highbit = e_iter->startbit + EBITMAP_SIZE;
>  		}
> -		c_iter = c_iter->next;
> -	} while (c_iter);
> -	if (e_iter != NULL)
> -		ebmap->highbit = e_iter->startbit + EBITMAP_SIZE;
> -	else
> -		ebitmap_destroy(ebmap);
>  
> +		/* offset will always be aligned to an unsigned long */
> +		idx = EBITMAP_NODE_INDEX(e_iter, offset);
> +		e_iter->maps[idx] = bitmap;
> +
> +		/* next */
> +		offset += EBITMAP_UNIT_SIZE;
> +	}
> +
> +	/* NOTE: we should never reach this return */
>  	return 0;
>  
>  netlbl_import_failure:
> diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
> index 9ecf4f4..ea1bc50 100644
> --- a/security/smack/smack_access.c
> +++ b/security/smack/smack_access.c
> @@ -435,10 +435,7 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,
>  
>  	sap->flags |= NETLBL_SECATTR_MLS_CAT;
>  	sap->attr.mls.lvl = level;
> -	sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
> -	if (!sap->attr.mls.cat)
> -		return -ENOMEM;
> -	sap->attr.mls.cat->startbit = 0;
> +	sap->attr.mls.cat = NULL;
>  
>  	for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++)
>  		for (m = 0x80; m != 0; m >>= 1, cat++) {
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

[PATCH 3/4] netlabel: fix the catmap walking functions

[Paul Moore]

The two NetLabel LSM secattr catmap walk functions didn't handle
certain edge conditions correctly, causing incorrect security labels
to be generated in some cases.  This patch corrects these problems and
converts the functions to use the new _netlbl_secattr_catmap_getnode()
function in order to reduce the amount of repeated code.

Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
 net/netlabel/netlabel_kapi.c |  102 ++++++++++++++++++++++--------------------
 1 file changed, 54 insertions(+), 48 deletions(-)

diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index d9e1046..bc38838 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -407,6 +407,7 @@ out_entry:
 
 #define _CM_F_NONE	0x00000000
 #define _CM_F_ALLOC	0x00000001
+#define _CM_F_WALK	0x00000002
 
 /**
  * _netlbl_secattr_catmap_getnode - Get a individual node from a catmap
@@ -416,10 +417,11 @@ out_entry:
  * @gfp_flags: memory allocation flags
  *
  * Description:
- * Iterate through the catmap looking for the node associated with @offset; if
- * the _CM_F_ALLOC flag is set in @cm_flags and there is no associated node,
- * one will be created and inserted into the catmap.  Returns a pointer to the
- * node on success, NULL on failure.
+ * Iterate through the catmap looking for the node associated with @offset.
+ * If the _CM_F_ALLOC flag is set in @cm_flags and there is no associated node,
+ * one will be created and inserted into the catmap.  If the _CM_F_WALK flag is
+ * set in @cm_flags and there is no associated node, the next highest node will
+ * be returned.  Returns a pointer to the node on success, NULL on failure.
  *
  */
 static struct netlbl_lsm_secattr_catmap *_netlbl_secattr_catmap_getnode(
@@ -431,17 +433,22 @@ static struct netlbl_lsm_secattr_catmap *_netlbl_secattr_catmap_getnode(
 	struct netlbl_lsm_secattr_catmap *iter = *catmap;
 	struct netlbl_lsm_secattr_catmap *prev = NULL;
 
-	if (iter == NULL || offset < iter->startbit)
+	if (iter == NULL)
 		goto secattr_catmap_getnode_alloc;
+	if (offset < iter->startbit)
+		goto secattr_catmap_getnode_walk;
 	while (iter && offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
 		prev = iter;
 		iter = iter->next;
 	}
 	if (iter == NULL || offset < iter->startbit)
-		goto secattr_catmap_getnode_alloc;
+		goto secattr_catmap_getnode_walk;
 
 	return iter;
 
+secattr_catmap_getnode_walk:
+	if (cm_flags & _CM_F_WALK)
+		return iter;
 secattr_catmap_getnode_alloc:
 	if (!(cm_flags & _CM_F_ALLOC))
 		return NULL;
@@ -476,43 +483,41 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
 			       u32 offset)
 {
 	struct netlbl_lsm_secattr_catmap *iter = catmap;
-	u32 node_idx;
-	u32 node_bit;
+	u32 idx;
+	u32 bit;
 	NETLBL_CATMAP_MAPTYPE bitmap;
 
+	iter = _netlbl_secattr_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
+	if (iter == NULL)
+		return -ENOENT;
 	if (offset > iter->startbit) {
-		while (offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
-			iter = iter->next;
-			if (iter == NULL)
-				return -ENOENT;
-		}
-		node_idx = (offset - iter->startbit) / NETLBL_CATMAP_MAPSIZE;
-		node_bit = offset - iter->startbit -
-			   (NETLBL_CATMAP_MAPSIZE * node_idx);
+		offset -= iter->startbit;
+		idx = offset / NETLBL_CATMAP_MAPSIZE;
+		bit = offset % NETLBL_CATMAP_MAPSIZE;
 	} else {
-		node_idx = 0;
-		node_bit = 0;
+		idx = 0;
+		bit = 0;
 	}
-	bitmap = iter->bitmap[node_idx] >> node_bit;
+	bitmap = iter->bitmap[idx] >> bit;
 
 	for (;;) {
 		if (bitmap != 0) {
 			while ((bitmap & NETLBL_CATMAP_BIT) == 0) {
 				bitmap >>= 1;
-				node_bit++;
+				bit++;
 			}
 			return iter->startbit +
-				(NETLBL_CATMAP_MAPSIZE * node_idx) + node_bit;
+			       (NETLBL_CATMAP_MAPSIZE * idx) + bit;
 		}
-		if (++node_idx >= NETLBL_CATMAP_MAPCNT) {
+		if (++idx >= NETLBL_CATMAP_MAPCNT) {
 			if (iter->next != NULL) {
 				iter = iter->next;
-				node_idx = 0;
+				idx = 0;
 			} else
 				return -ENOENT;
 		}
-		bitmap = iter->bitmap[node_idx];
-		node_bit = 0;
+		bitmap = iter->bitmap[idx];
+		bit = 0;
 	}
 
 	return -ENOENT;
@@ -532,46 +537,47 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
 int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
 				   u32 offset)
 {
-	struct netlbl_lsm_secattr_catmap *iter = catmap;
-	u32 node_idx;
-	u32 node_bit;
+	struct netlbl_lsm_secattr_catmap *iter;
+	struct netlbl_lsm_secattr_catmap *prev = NULL;
+	u32 idx;
+	u32 bit;
 	NETLBL_CATMAP_MAPTYPE bitmask;
 	NETLBL_CATMAP_MAPTYPE bitmap;
 
+	iter = _netlbl_secattr_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
+	if (iter == NULL)
+		return -ENOENT;
 	if (offset > iter->startbit) {
-		while (offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
-			iter = iter->next;
-			if (iter == NULL)
-				return -ENOENT;
-		}
-		node_idx = (offset - iter->startbit) / NETLBL_CATMAP_MAPSIZE;
-		node_bit = offset - iter->startbit -
-			   (NETLBL_CATMAP_MAPSIZE * node_idx);
+		offset -= iter->startbit;
+		idx = offset / NETLBL_CATMAP_MAPSIZE;
+		bit = offset % NETLBL_CATMAP_MAPSIZE;
 	} else {
-		node_idx = 0;
-		node_bit = 0;
+		idx = 0;
+		bit = 0;
 	}
-	bitmask = NETLBL_CATMAP_BIT << node_bit;
+	bitmask = NETLBL_CATMAP_BIT << bit;
 
 	for (;;) {
-		bitmap = iter->bitmap[node_idx];
+		bitmap = iter->bitmap[idx];
 		while (bitmask != 0 && (bitmap & bitmask) != 0) {
 			bitmask <<= 1;
-			node_bit++;
+			bit++;
 		}
 
-		if (bitmask != 0)
+		if (prev && idx == 0 && bit == 0)
+			return prev->startbit + NETLBL_CATMAP_SIZE - 1;
+		else if (bitmask != 0)
 			return iter->startbit +
-				(NETLBL_CATMAP_MAPSIZE * node_idx) +
-				node_bit - 1;
-		else if (++node_idx >= NETLBL_CATMAP_MAPCNT) {
+				(NETLBL_CATMAP_MAPSIZE * idx) + bit - 1;
+		else if (++idx >= NETLBL_CATMAP_MAPCNT) {
 			if (iter->next == NULL)
-				return iter->startbit +	NETLBL_CATMAP_SIZE - 1;
+				return iter->startbit + NETLBL_CATMAP_SIZE - 1;
+			prev = iter;
 			iter = iter->next;
-			node_idx = 0;
+			idx = 0;
 		}
 		bitmask = NETLBL_CATMAP_BIT;
-		node_bit = 0;
+		bit = 0;
 	}
 
 	return -ENOENT;

Re: [PATCH 3/4] netlabel: fix the catmap walking functions

[Casey Schaufler]

On 7/31/2014 2:44 PM, Paul Moore wrote:
> The two NetLabel LSM secattr catmap walk functions didn't handle
> certain edge conditions correctly, causing incorrect security labels
> to be generated in some cases.  This patch corrects these problems and
> converts the functions to use the new _netlbl_secattr_catmap_getnode()
> function in order to reduce the amount of repeated code.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Paul Moore <pmoore@redhat.com>

Tested-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
>  net/netlabel/netlabel_kapi.c |  102 ++++++++++++++++++++++--------------------
>  1 file changed, 54 insertions(+), 48 deletions(-)
>
> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index d9e1046..bc38838 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -407,6 +407,7 @@ out_entry:
>  
>  #define _CM_F_NONE	0x00000000
>  #define _CM_F_ALLOC	0x00000001
> +#define _CM_F_WALK	0x00000002
>  
>  /**
>   * _netlbl_secattr_catmap_getnode - Get a individual node from a catmap
> @@ -416,10 +417,11 @@ out_entry:
>   * @gfp_flags: memory allocation flags
>   *
>   * Description:
> - * Iterate through the catmap looking for the node associated with @offset; if
> - * the _CM_F_ALLOC flag is set in @cm_flags and there is no associated node,
> - * one will be created and inserted into the catmap.  Returns a pointer to the
> - * node on success, NULL on failure.
> + * Iterate through the catmap looking for the node associated with @offset.
> + * If the _CM_F_ALLOC flag is set in @cm_flags and there is no associated node,
> + * one will be created and inserted into the catmap.  If the _CM_F_WALK flag is
> + * set in @cm_flags and there is no associated node, the next highest node will
> + * be returned.  Returns a pointer to the node on success, NULL on failure.
>   *
>   */
>  static struct netlbl_lsm_secattr_catmap *_netlbl_secattr_catmap_getnode(
> @@ -431,17 +433,22 @@ static struct netlbl_lsm_secattr_catmap *_netlbl_secattr_catmap_getnode(
>  	struct netlbl_lsm_secattr_catmap *iter = *catmap;
>  	struct netlbl_lsm_secattr_catmap *prev = NULL;
>  
> -	if (iter == NULL || offset < iter->startbit)
> +	if (iter == NULL)
>  		goto secattr_catmap_getnode_alloc;
> +	if (offset < iter->startbit)
> +		goto secattr_catmap_getnode_walk;
>  	while (iter && offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
>  		prev = iter;
>  		iter = iter->next;
>  	}
>  	if (iter == NULL || offset < iter->startbit)
> -		goto secattr_catmap_getnode_alloc;
> +		goto secattr_catmap_getnode_walk;
>  
>  	return iter;
>  
> +secattr_catmap_getnode_walk:
> +	if (cm_flags & _CM_F_WALK)
> +		return iter;
>  secattr_catmap_getnode_alloc:
>  	if (!(cm_flags & _CM_F_ALLOC))
>  		return NULL;
> @@ -476,43 +483,41 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
>  			       u32 offset)
>  {
>  	struct netlbl_lsm_secattr_catmap *iter = catmap;
> -	u32 node_idx;
> -	u32 node_bit;
> +	u32 idx;
> +	u32 bit;
>  	NETLBL_CATMAP_MAPTYPE bitmap;
>  
> +	iter = _netlbl_secattr_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
> +	if (iter == NULL)
> +		return -ENOENT;
>  	if (offset > iter->startbit) {
> -		while (offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
> -			iter = iter->next;
> -			if (iter == NULL)
> -				return -ENOENT;
> -		}
> -		node_idx = (offset - iter->startbit) / NETLBL_CATMAP_MAPSIZE;
> -		node_bit = offset - iter->startbit -
> -			   (NETLBL_CATMAP_MAPSIZE * node_idx);
> +		offset -= iter->startbit;
> +		idx = offset / NETLBL_CATMAP_MAPSIZE;
> +		bit = offset % NETLBL_CATMAP_MAPSIZE;
>  	} else {
> -		node_idx = 0;
> -		node_bit = 0;
> +		idx = 0;
> +		bit = 0;
>  	}
> -	bitmap = iter->bitmap[node_idx] >> node_bit;
> +	bitmap = iter->bitmap[idx] >> bit;
>  
>  	for (;;) {
>  		if (bitmap != 0) {
>  			while ((bitmap & NETLBL_CATMAP_BIT) == 0) {
>  				bitmap >>= 1;
> -				node_bit++;
> +				bit++;
>  			}
>  			return iter->startbit +
> -				(NETLBL_CATMAP_MAPSIZE * node_idx) + node_bit;
> +			       (NETLBL_CATMAP_MAPSIZE * idx) + bit;
>  		}
> -		if (++node_idx >= NETLBL_CATMAP_MAPCNT) {
> +		if (++idx >= NETLBL_CATMAP_MAPCNT) {
>  			if (iter->next != NULL) {
>  				iter = iter->next;
> -				node_idx = 0;
> +				idx = 0;
>  			} else
>  				return -ENOENT;
>  		}
> -		bitmap = iter->bitmap[node_idx];
> -		node_bit = 0;
> +		bitmap = iter->bitmap[idx];
> +		bit = 0;
>  	}
>  
>  	return -ENOENT;
> @@ -532,46 +537,47 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
>  int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
>  				   u32 offset)
>  {
> -	struct netlbl_lsm_secattr_catmap *iter = catmap;
> -	u32 node_idx;
> -	u32 node_bit;
> +	struct netlbl_lsm_secattr_catmap *iter;
> +	struct netlbl_lsm_secattr_catmap *prev = NULL;
> +	u32 idx;
> +	u32 bit;
>  	NETLBL_CATMAP_MAPTYPE bitmask;
>  	NETLBL_CATMAP_MAPTYPE bitmap;
>  
> +	iter = _netlbl_secattr_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
> +	if (iter == NULL)
> +		return -ENOENT;
>  	if (offset > iter->startbit) {
> -		while (offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
> -			iter = iter->next;
> -			if (iter == NULL)
> -				return -ENOENT;
> -		}
> -		node_idx = (offset - iter->startbit) / NETLBL_CATMAP_MAPSIZE;
> -		node_bit = offset - iter->startbit -
> -			   (NETLBL_CATMAP_MAPSIZE * node_idx);
> +		offset -= iter->startbit;
> +		idx = offset / NETLBL_CATMAP_MAPSIZE;
> +		bit = offset % NETLBL_CATMAP_MAPSIZE;
>  	} else {
> -		node_idx = 0;
> -		node_bit = 0;
> +		idx = 0;
> +		bit = 0;
>  	}
> -	bitmask = NETLBL_CATMAP_BIT << node_bit;
> +	bitmask = NETLBL_CATMAP_BIT << bit;
>  
>  	for (;;) {
> -		bitmap = iter->bitmap[node_idx];
> +		bitmap = iter->bitmap[idx];
>  		while (bitmask != 0 && (bitmap & bitmask) != 0) {
>  			bitmask <<= 1;
> -			node_bit++;
> +			bit++;
>  		}
>  
> -		if (bitmask != 0)
> +		if (prev && idx == 0 && bit == 0)
> +			return prev->startbit + NETLBL_CATMAP_SIZE - 1;
> +		else if (bitmask != 0)
>  			return iter->startbit +
> -				(NETLBL_CATMAP_MAPSIZE * node_idx) +
> -				node_bit - 1;
> -		else if (++node_idx >= NETLBL_CATMAP_MAPCNT) {
> +				(NETLBL_CATMAP_MAPSIZE * idx) + bit - 1;
> +		else if (++idx >= NETLBL_CATMAP_MAPCNT) {
>  			if (iter->next == NULL)
> -				return iter->startbit +	NETLBL_CATMAP_SIZE - 1;
> +				return iter->startbit + NETLBL_CATMAP_SIZE - 1;
> +			prev = iter;
>  			iter = iter->next;
> -			node_idx = 0;
> +			idx = 0;
>  		}
>  		bitmask = NETLBL_CATMAP_BIT;
> -		node_bit = 0;
> +		bit = 0;
>  	}
>  
>  	return -ENOENT;
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

[PATCH 4/4] netlabel: shorter names for the NetLabel catmap funcs/structs

[Paul Moore]

Historically the NetLabel LSM secattr catmap functions and data
structures have had very long names which makes a mess of the NetLabel
code and anyone who uses NetLabel.  This patch renames the catmap
functions and structures from "*_secattr_catmap_*" to just "*_catmap_*"
which improves things greatly.

There are no substantial code or logic changes in this patch.

Signed-off-by: Paul Moore <pmoore@redhat.com>
---
 include/net/netlabel.h        |  100 +++++++++++++++++---------------------
 net/ipv4/cipso_ipv4.c         |   35 ++++++-------
 net/netlabel/netlabel_kapi.c  |  109 ++++++++++++++++++++---------------------
 security/selinux/ss/ebitmap.c |   18 +++----
 security/selinux/ss/ebitmap.h |    8 ++-
 security/smack/smack_access.c |    6 +-
 security/smack/smack_lsm.c    |    6 +-
 security/smack/smackfs.c      |   14 +++--
 8 files changed, 139 insertions(+), 157 deletions(-)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index bda7a12..a4fc39b 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -139,7 +139,7 @@ struct netlbl_lsm_cache {
 };
 
 /**
- * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
+ * struct netlbl_lsm_catmap - NetLabel LSM secattr category bitmap
  * @startbit: the value of the lowest order bit in the bitmap
  * @bitmap: the category bitmap
  * @next: pointer to the next bitmap "node" or NULL
@@ -162,10 +162,10 @@ struct netlbl_lsm_cache {
 #define NETLBL_CATMAP_SIZE              (NETLBL_CATMAP_MAPSIZE * \
 					 NETLBL_CATMAP_MAPCNT)
 #define NETLBL_CATMAP_BIT               (NETLBL_CATMAP_MAPTYPE)0x01
-struct netlbl_lsm_secattr_catmap {
+struct netlbl_lsm_catmap {
 	u32 startbit;
 	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
-	struct netlbl_lsm_secattr_catmap *next;
+	struct netlbl_lsm_catmap *next;
 };
 
 /**
@@ -209,7 +209,7 @@ struct netlbl_lsm_secattr {
 	struct netlbl_lsm_cache *cache;
 	struct {
 		struct {
-			struct netlbl_lsm_secattr_catmap *cat;
+			struct netlbl_lsm_catmap *cat;
 			u32 lvl;
 		} mls;
 		u32 secid;
@@ -258,7 +258,7 @@ static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
 }
 
 /**
- * netlbl_secattr_catmap_alloc - Allocate a LSM secattr catmap
+ * netlbl_catmap_alloc - Allocate a LSM secattr catmap
  * @flags: memory allocation flags
  *
  * Description:
@@ -266,24 +266,22 @@ static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
  * on failure.
  *
  */
-static inline struct netlbl_lsm_secattr_catmap *netlbl_secattr_catmap_alloc(
-	                                                           gfp_t flags)
+static inline struct netlbl_lsm_catmap *netlbl_catmap_alloc(gfp_t flags)
 {
-	return kzalloc(sizeof(struct netlbl_lsm_secattr_catmap), flags);
+	return kzalloc(sizeof(struct netlbl_lsm_catmap), flags);
 }
 
 /**
- * netlbl_secattr_catmap_free - Free a LSM secattr catmap
+ * netlbl_catmap_free - Free a LSM secattr catmap
  * @catmap: the category bitmap
  *
  * Description:
  * Free a LSM secattr catmap.
  *
  */
-static inline void netlbl_secattr_catmap_free(
-	                              struct netlbl_lsm_secattr_catmap *catmap)
+static inline void netlbl_catmap_free(struct netlbl_lsm_catmap *catmap)
 {
-	struct netlbl_lsm_secattr_catmap *iter;
+	struct netlbl_lsm_catmap *iter;
 
 	while (catmap) {
 		iter = catmap;
@@ -321,7 +319,7 @@ static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
 	if (secattr->flags & NETLBL_SECATTR_CACHE)
 		netlbl_secattr_cache_free(secattr->cache);
 	if (secattr->flags & NETLBL_SECATTR_MLS_CAT)
-		netlbl_secattr_catmap_free(secattr->attr.mls.cat);
+		netlbl_catmap_free(secattr->attr.mls.cat);
 }
 
 /**
@@ -390,24 +388,22 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
 /*
  * LSM security attribute operations
  */
-int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
-			       u32 offset);
-int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
-				   u32 offset);
-int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
-				  u32 *offset,
-				  unsigned long *bitmap);
-int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
-				 u32 bit,
-				 gfp_t flags);
-int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
-				 u32 start,
-				 u32 end,
-				 gfp_t flags);
-int netlbl_secattr_catmap_setlong(struct netlbl_lsm_secattr_catmap **catmap,
-				  u32 offset,
-				  unsigned long bitmap,
-				  gfp_t flags);
+int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap, u32 offset);
+int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap, u32 offset);
+int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
+			  u32 *offset,
+			  unsigned long *bitmap);
+int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
+			 u32 bit,
+			 gfp_t flags);
+int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
+			 u32 start,
+			 u32 end,
+			 gfp_t flags);
+int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
+			  u32 offset,
+			  unsigned long bitmap,
+			  gfp_t flags);
 
 /*
  * LSM protocol operations (NetLabel LSM/kernel API)
@@ -499,45 +495,39 @@ static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
 {
 	return -ENOSYS;
 }
-static inline int netlbl_secattr_catmap_walk(
-	                              struct netlbl_lsm_secattr_catmap *catmap,
-				      u32 offset)
+static inline int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap,
+				     u32 offset)
 {
 	return -ENOENT;
 }
-static inline int netlbl_secattr_catmap_walk_rng(
-				      struct netlbl_lsm_secattr_catmap *catmap,
-				      u32 offset)
+static inline int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap,
+					u32 offset)
 {
 	return -ENOENT;
 }
-static inline int netlbl_secattr_catmap_getlong(
-				      struct netlbl_lsm_secattr_catmap *catmap,
-				      u32 *offset,
-				      unsigned long *bitmap)
+static inline int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
+					u32 *offset,
+					unsigned long *bitmap)
 {
 	return 0;
 }
-static inline int netlbl_secattr_catmap_setbit(
-				      struct netlbl_lsm_secattr_catmap **catmap,
-				      u32 bit,
-				      gfp_t flags)
+static inline int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
+				       u32 bit,
+				       gfp_t flags)
 {
 	return 0;
 }
-static inline int netlbl_secattr_catmap_setrng(
-				      struct netlbl_lsm_secattr_catmap **catmap,
-				      u32 start,
-				      u32 end,
-				      gfp_t flags)
+static inline int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
+				       u32 start,
+				       u32 end,
+				       gfp_t flags)
 {
 	return 0;
 }
-static int netlbl_secattr_catmap_setlong(
-				      struct netlbl_lsm_secattr_catmap **catmap,
-				      u32 offset,
-				      unsigned long bitmap,
-				      gfp_t flags)
+static int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
+				 u32 offset,
+				 unsigned long bitmap,
+				 gfp_t flags)
 {
 	return 0;
 }
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 8a0c7bd..05b708b 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -890,8 +890,8 @@ static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def,
 	}
 
 	for (;;) {
-		host_spot = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
-						       host_spot + 1);
+		host_spot = netlbl_catmap_walk(secattr->attr.mls.cat,
+					       host_spot + 1);
 		if (host_spot < 0)
 			break;
 
@@ -973,7 +973,7 @@ static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def,
 				return -EPERM;
 			break;
 		}
-		ret_val = netlbl_secattr_catmap_setbit(&secattr->attr.mls.cat,
+		ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat,
 						       host_spot,
 						       GFP_ATOMIC);
 		if (ret_val != 0)
@@ -1039,8 +1039,7 @@ static int cipso_v4_map_cat_enum_hton(const struct cipso_v4_doi *doi_def,
 	u32 cat_iter = 0;
 
 	for (;;) {
-		cat = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
-						 cat + 1);
+		cat = netlbl_catmap_walk(secattr->attr.mls.cat, cat + 1);
 		if (cat < 0)
 			break;
 		if ((cat_iter + 2) > net_cat_len)
@@ -1075,9 +1074,9 @@ static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def,
 	u32 iter;
 
 	for (iter = 0; iter < net_cat_len; iter += 2) {
-		ret_val = netlbl_secattr_catmap_setbit(&secattr->attr.mls.cat,
-				get_unaligned_be16(&net_cat[iter]),
-				GFP_ATOMIC);
+		ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat,
+					     get_unaligned_be16(&net_cat[iter]),
+					     GFP_ATOMIC);
 		if (ret_val != 0)
 			return ret_val;
 	}
@@ -1155,8 +1154,7 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
 		return -ENOSPC;
 
 	for (;;) {
-		iter = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
-						  iter + 1);
+		iter = netlbl_catmap_walk(secattr->attr.mls.cat, iter + 1);
 		if (iter < 0)
 			break;
 		cat_size += (iter == 0 ? 0 : sizeof(u16));
@@ -1164,8 +1162,7 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
 			return -ENOSPC;
 		array[array_cnt++] = iter;
 
-		iter = netlbl_secattr_catmap_walk_rng(secattr->attr.mls.cat,
-						      iter);
+		iter = netlbl_catmap_walkrng(secattr->attr.mls.cat, iter);
 		if (iter < 0)
 			return -EFAULT;
 		cat_size += sizeof(u16);
@@ -1217,10 +1214,10 @@ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,
 		else
 			cat_low = 0;
 
-		ret_val = netlbl_secattr_catmap_setrng(&secattr->attr.mls.cat,
-						       cat_low,
-						       cat_high,
-						       GFP_ATOMIC);
+		ret_val = netlbl_catmap_setrng(&secattr->attr.mls.cat,
+					       cat_low,
+					       cat_high,
+					       GFP_ATOMIC);
 		if (ret_val != 0)
 			return ret_val;
 	}
@@ -1340,7 +1337,7 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
 						    tag_len - 4,
 						    secattr);
 		if (ret_val != 0) {
-			netlbl_secattr_catmap_free(secattr->attr.mls.cat);
+			netlbl_catmap_free(secattr->attr.mls.cat);
 			return ret_val;
 		}
 
@@ -1431,7 +1428,7 @@ static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def,
 						     tag_len - 4,
 						     secattr);
 		if (ret_val != 0) {
-			netlbl_secattr_catmap_free(secattr->attr.mls.cat);
+			netlbl_catmap_free(secattr->attr.mls.cat);
 			return ret_val;
 		}
 
@@ -1521,7 +1518,7 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
 						    tag_len - 4,
 						    secattr);
 		if (ret_val != 0) {
-			netlbl_secattr_catmap_free(secattr->attr.mls.cat);
+			netlbl_catmap_free(secattr->attr.mls.cat);
 			return ret_val;
 		}
 
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index bc38838..05ea4a4 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -410,7 +410,7 @@ out_entry:
 #define _CM_F_WALK	0x00000002
 
 /**
- * _netlbl_secattr_catmap_getnode - Get a individual node from a catmap
+ * _netlbl_catmap_getnode - Get a individual node from a catmap
  * @catmap: pointer to the category bitmap
  * @offset: the requested offset
  * @cm_flags: catmap flags, see _CM_F_*
@@ -424,36 +424,36 @@ out_entry:
  * be returned.  Returns a pointer to the node on success, NULL on failure.
  *
  */
-static struct netlbl_lsm_secattr_catmap *_netlbl_secattr_catmap_getnode(
-				struct netlbl_lsm_secattr_catmap **catmap,
-				u32 offset,
-				unsigned int cm_flags,
-				gfp_t gfp_flags)
+static struct netlbl_lsm_catmap *_netlbl_catmap_getnode(
+					     struct netlbl_lsm_catmap **catmap,
+					     u32 offset,
+					     unsigned int cm_flags,
+					     gfp_t gfp_flags)
 {
-	struct netlbl_lsm_secattr_catmap *iter = *catmap;
-	struct netlbl_lsm_secattr_catmap *prev = NULL;
+	struct netlbl_lsm_catmap *iter = *catmap;
+	struct netlbl_lsm_catmap *prev = NULL;
 
 	if (iter == NULL)
-		goto secattr_catmap_getnode_alloc;
+		goto catmap_getnode_alloc;
 	if (offset < iter->startbit)
-		goto secattr_catmap_getnode_walk;
+		goto catmap_getnode_walk;
 	while (iter && offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
 		prev = iter;
 		iter = iter->next;
 	}
 	if (iter == NULL || offset < iter->startbit)
-		goto secattr_catmap_getnode_walk;
+		goto catmap_getnode_walk;
 
 	return iter;
 
-secattr_catmap_getnode_walk:
+catmap_getnode_walk:
 	if (cm_flags & _CM_F_WALK)
 		return iter;
-secattr_catmap_getnode_alloc:
+catmap_getnode_alloc:
 	if (!(cm_flags & _CM_F_ALLOC))
 		return NULL;
 
-	iter = netlbl_secattr_catmap_alloc(gfp_flags);
+	iter = netlbl_catmap_alloc(gfp_flags);
 	if (iter == NULL)
 		return NULL;
 	iter->startbit = offset & ~(NETLBL_CATMAP_SIZE - 1);
@@ -470,7 +470,7 @@ secattr_catmap_getnode_alloc:
 }
 
 /**
- * netlbl_secattr_catmap_walk - Walk a LSM secattr catmap looking for a bit
+ * netlbl_catmap_walk - Walk a LSM secattr catmap looking for a bit
  * @catmap: the category bitmap
  * @offset: the offset to start searching at, in bits
  *
@@ -479,15 +479,14 @@ secattr_catmap_getnode_alloc:
  * returns the spot of the first set bit or -ENOENT if no bits are set.
  *
  */
-int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
-			       u32 offset)
+int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap, u32 offset)
 {
-	struct netlbl_lsm_secattr_catmap *iter = catmap;
+	struct netlbl_lsm_catmap *iter = catmap;
 	u32 idx;
 	u32 bit;
 	NETLBL_CATMAP_MAPTYPE bitmap;
 
-	iter = _netlbl_secattr_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
+	iter = _netlbl_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
 	if (iter == NULL)
 		return -ENOENT;
 	if (offset > iter->startbit) {
@@ -524,7 +523,7 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
 }
 
 /**
- * netlbl_secattr_catmap_walk_rng - Find the end of a string of set bits
+ * netlbl_catmap_walkrng - Find the end of a string of set bits
  * @catmap: the category bitmap
  * @offset: the offset to start searching at, in bits
  *
@@ -534,17 +533,16 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
  * the end of the bitmap.
  *
  */
-int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
-				   u32 offset)
+int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap, u32 offset)
 {
-	struct netlbl_lsm_secattr_catmap *iter;
-	struct netlbl_lsm_secattr_catmap *prev = NULL;
+	struct netlbl_lsm_catmap *iter;
+	struct netlbl_lsm_catmap *prev = NULL;
 	u32 idx;
 	u32 bit;
 	NETLBL_CATMAP_MAPTYPE bitmask;
 	NETLBL_CATMAP_MAPTYPE bitmap;
 
-	iter = _netlbl_secattr_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
+	iter = _netlbl_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
 	if (iter == NULL)
 		return -ENOENT;
 	if (offset > iter->startbit) {
@@ -584,7 +582,7 @@ int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
 }
 
 /**
- * netlbl_secattr_catmap_getlong - Export an unsigned long bitmap
+ * netlbl_catmap_getlong - Export an unsigned long bitmap
  * @catmap: pointer to the category bitmap
  * @offset: pointer to the requested offset
  * @bitmap: the exported bitmap
@@ -597,11 +595,11 @@ int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
  * Returns zero on sucess, negative values on failure.
  *
  */
-int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
-				  u32 *offset,
-				  unsigned long *bitmap)
+int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
+			  u32 *offset,
+			  unsigned long *bitmap)
 {
-	struct netlbl_lsm_secattr_catmap *iter;
+	struct netlbl_lsm_catmap *iter;
 	u32 off = *offset;
 	u32 idx;
 
@@ -613,7 +611,7 @@ int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
 		off = catmap->startbit;
 		*offset = off;
 	}
-	iter = _netlbl_secattr_catmap_getnode(&catmap, off, _CM_F_NONE, 0);
+	iter = _netlbl_catmap_getnode(&catmap, off, _CM_F_NONE, 0);
 	if (iter == NULL) {
 		*offset = (u32)-1;
 		return 0;
@@ -632,7 +630,7 @@ int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
 }
 
 /**
- * netlbl_secattr_catmap_setbit - Set a bit in a LSM secattr catmap
+ * netlbl_catmap_setbit - Set a bit in a LSM secattr catmap
  * @catmap: pointer to the category bitmap
  * @bit: the bit to set
  * @flags: memory allocation flags
@@ -642,14 +640,14 @@ int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
  * negative values on failure.
  *
  */
-int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
-				 u32 bit,
-				 gfp_t flags)
+int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
+			 u32 bit,
+			 gfp_t flags)
 {
-	struct netlbl_lsm_secattr_catmap *iter;
+	struct netlbl_lsm_catmap *iter;
 	u32 idx;
 
-	iter = _netlbl_secattr_catmap_getnode(catmap, bit, _CM_F_ALLOC, flags);
+	iter = _netlbl_catmap_getnode(catmap, bit, _CM_F_ALLOC, flags);
 	if (iter == NULL)
 		return -ENOMEM;
 
@@ -661,7 +659,7 @@ int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
 }
 
 /**
- * netlbl_secattr_catmap_setrng - Set a range of bits in a LSM secattr catmap
+ * netlbl_catmap_setrng - Set a range of bits in a LSM secattr catmap
  * @catmap: pointer to the category bitmap
  * @start: the starting bit
  * @end: the last bit in the string
@@ -672,10 +670,10 @@ int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
  * on success, negative values on failure.
  *
  */
-int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
-				 u32 start,
-				 u32 end,
-				 gfp_t flags)
+int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
+			 u32 start,
+			 u32 end,
+			 gfp_t flags)
 {
 	int rc = 0;
 	u32 spot = start;
@@ -683,22 +681,20 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
 	while (rc == 0 && spot <= end) {
 		if (((spot & (BITS_PER_LONG - 1)) != 0) &&
 		    ((end - spot) > BITS_PER_LONG)) {
-			rc = netlbl_secattr_catmap_setlong(catmap,
-							   spot,
-							   (unsigned long)-1,
-							   flags);
+			rc = netlbl_catmap_setlong(catmap,
+						   spot,
+						   (unsigned long)-1,
+						   flags);
 			spot += BITS_PER_LONG;
 		} else
-			rc = netlbl_secattr_catmap_setbit(catmap,
-							  spot++,
-							  flags);
+			rc = netlbl_catmap_setbit(catmap, spot++, flags);
 	}
 
 	return rc;
 }
 
 /**
- * netlbl_secattr_catmap_setlong - Import an unsigned long bitmap
+ * netlbl_catmap_setlong - Import an unsigned long bitmap
  * @catmap: pointer to the category bitmap
  * @offset: offset to the start of the imported bitmap
  * @bitmap: the bitmap to import
@@ -710,20 +706,19 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
  * on success, negative values on failure.
  *
  */
-int netlbl_secattr_catmap_setlong(struct netlbl_lsm_secattr_catmap **catmap,
-				  u32 offset,
-				  unsigned long bitmap,
-				  gfp_t flags)
+int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
+			  u32 offset,
+			  unsigned long bitmap,
+			  gfp_t flags)
 {
-	struct netlbl_lsm_secattr_catmap *iter;
+	struct netlbl_lsm_catmap *iter;
 	u32 idx;
 
 	/* only allow aligned offsets */
 	if ((offset & (BITS_PER_LONG - 1)) != 0)
 		return -EINVAL;
 
-	iter = _netlbl_secattr_catmap_getnode(catmap,
-					      offset, _CM_F_ALLOC, flags);
+	iter = _netlbl_catmap_getnode(catmap, offset, _CM_F_ALLOC, flags);
 	if (iter == NULL)
 		return -ENOMEM;
 
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index 842deca..afe6a26 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -86,7 +86,7 @@ int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src)
  *
  */
 int ebitmap_netlbl_export(struct ebitmap *ebmap,
-			  struct netlbl_lsm_secattr_catmap **catmap)
+			  struct netlbl_lsm_catmap **catmap)
 {
 	struct ebitmap_node *e_iter = ebmap->node;
 	unsigned long e_map;
@@ -100,7 +100,7 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
 	}
 
 	if (*catmap != NULL)
-		netlbl_secattr_catmap_free(*catmap);
+		netlbl_catmap_free(*catmap);
 	*catmap = NULL;
 
 	while (e_iter) {
@@ -108,10 +108,10 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
 		for (iter = 0; iter < EBITMAP_UNIT_NUMS; iter++) {
 			e_map = e_iter->maps[iter];
 			if (e_map != 0) {
-				rc = netlbl_secattr_catmap_setlong(catmap,
-								   offset,
-								   e_map,
-								   GFP_ATOMIC);
+				rc = netlbl_catmap_setlong(catmap,
+							   offset,
+							   e_map,
+							   GFP_ATOMIC);
 				if (rc != 0)
 					goto netlbl_export_failure;
 			}
@@ -123,7 +123,7 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
 	return 0;
 
 netlbl_export_failure:
-	netlbl_secattr_catmap_free(*catmap);
+	netlbl_catmap_free(*catmap);
 	return -ENOMEM;
 }
 
@@ -138,7 +138,7 @@ netlbl_export_failure:
  *
  */
 int ebitmap_netlbl_import(struct ebitmap *ebmap,
-			  struct netlbl_lsm_secattr_catmap *catmap)
+			  struct netlbl_lsm_catmap *catmap)
 {
 	int rc;
 	struct ebitmap_node *e_iter = NULL;
@@ -147,7 +147,7 @@ int ebitmap_netlbl_import(struct ebitmap *ebmap,
 	unsigned long bitmap;
 
 	for (;;) {
-		rc = netlbl_secattr_catmap_getlong(catmap, &offset, &bitmap);
+		rc = netlbl_catmap_getlong(catmap, &offset, &bitmap);
 		if (rc < 0)
 			goto netlbl_import_failure;
 		if (offset == (u32)-1)
diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
index 712c8a7..9637b8c 100644
--- a/security/selinux/ss/ebitmap.h
+++ b/security/selinux/ss/ebitmap.h
@@ -132,17 +132,17 @@ int ebitmap_write(struct ebitmap *e, void *fp);
 
 #ifdef CONFIG_NETLABEL
 int ebitmap_netlbl_export(struct ebitmap *ebmap,
-			  struct netlbl_lsm_secattr_catmap **catmap);
+			  struct netlbl_lsm_catmap **catmap);
 int ebitmap_netlbl_import(struct ebitmap *ebmap,
-			  struct netlbl_lsm_secattr_catmap *catmap);
+			  struct netlbl_lsm_catmap *catmap);
 #else
 static inline int ebitmap_netlbl_export(struct ebitmap *ebmap,
-				struct netlbl_lsm_secattr_catmap **catmap)
+					struct netlbl_lsm_catmap **catmap)
 {
 	return -ENOMEM;
 }
 static inline int ebitmap_netlbl_import(struct ebitmap *ebmap,
-				struct netlbl_lsm_secattr_catmap *catmap)
+					struct netlbl_lsm_catmap *catmap)
 {
 	return -ENOMEM;
 }
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index ea1bc50..732df7b9 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -441,10 +441,10 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,
 		for (m = 0x80; m != 0; m >>= 1, cat++) {
 			if ((m & *cp) == 0)
 				continue;
-			rc = netlbl_secattr_catmap_setbit(&sap->attr.mls.cat,
-							  cat, GFP_ATOMIC);
+			rc = netlbl_catmap_setbit(&sap->attr.mls.cat,
+						  cat, GFP_ATOMIC);
 			if (rc < 0) {
-				netlbl_secattr_catmap_free(sap->attr.mls.cat);
+				netlbl_catmap_free(sap->attr.mls.cat);
 				return rc;
 			}
 		}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 14f52be..c32bba5 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3091,9 +3091,9 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
 				break;
 			}
 			for (acat = -1, kcat = -1; acat == kcat; ) {
-				acat = netlbl_secattr_catmap_walk(
-					sap->attr.mls.cat, acat + 1);
-				kcat = netlbl_secattr_catmap_walk(
+				acat = netlbl_catmap_walk(sap->attr.mls.cat,
+							  acat + 1);
+				kcat = netlbl_catmap_walk(
 					skp->smk_netlabel.attr.mls.cat,
 					kcat + 1);
 				if (acat < 0 || kcat < 0)
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 3198cfe..893b06b 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -777,7 +777,7 @@ static int cipso_seq_show(struct seq_file *s, void *v)
 	struct list_head  *list = v;
 	struct smack_known *skp =
 		 list_entry(list, struct smack_known, list);
-	struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
+	struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
 	char sep = '/';
 	int i;
 
@@ -794,8 +794,8 @@ static int cipso_seq_show(struct seq_file *s, void *v)
 
 	seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
 
-	for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0;
-	     i = netlbl_secattr_catmap_walk(cmp, i + 1)) {
+	for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
+	     i = netlbl_catmap_walk(cmp, i + 1)) {
 		seq_printf(s, "%c%d", sep, i);
 		sep = ',';
 	}
@@ -916,7 +916,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 
 	rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
 	if (rc >= 0) {
-		netlbl_secattr_catmap_free(skp->smk_netlabel.attr.mls.cat);
+		netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat);
 		skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
 		skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
 		rc = count;
@@ -966,14 +966,14 @@ static int cipso2_seq_show(struct seq_file *s, void *v)
 	struct list_head  *list = v;
 	struct smack_known *skp =
 		 list_entry(list, struct smack_known, list);
-	struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
+	struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
 	char sep = '/';
 	int i;
 
 	seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
 
-	for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0;
-	     i = netlbl_secattr_catmap_walk(cmp, i + 1)) {
+	for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
+	     i = netlbl_catmap_walk(cmp, i + 1)) {
 		seq_printf(s, "%c%d", sep, i);
 		sep = ',';
 	}

Re: [PATCH 4/4] netlabel: shorter names for the NetLabel catmap funcs/structs

[Casey Schaufler]

On 7/31/2014 2:44 PM, Paul Moore wrote:
> Historically the NetLabel LSM secattr catmap functions and data
> structures have had very long names which makes a mess of the NetLabel
> code and anyone who uses NetLabel.  This patch renames the catmap
> functions and structures from "*_secattr_catmap_*" to just "*_catmap_*"
> which improves things greatly.
>
> There are no substantial code or logic changes in this patch.
>
> Signed-off-by: Paul Moore <pmoore@redhat.com>

Tested-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
>  include/net/netlabel.h        |  100 +++++++++++++++++---------------------
>  net/ipv4/cipso_ipv4.c         |   35 ++++++-------
>  net/netlabel/netlabel_kapi.c  |  109 ++++++++++++++++++++---------------------
>  security/selinux/ss/ebitmap.c |   18 +++----
>  security/selinux/ss/ebitmap.h |    8 ++-
>  security/smack/smack_access.c |    6 +-
>  security/smack/smack_lsm.c    |    6 +-
>  security/smack/smackfs.c      |   14 +++--
>  8 files changed, 139 insertions(+), 157 deletions(-)
>
> diff --git a/include/net/netlabel.h b/include/net/netlabel.h
> index bda7a12..a4fc39b 100644
> --- a/include/net/netlabel.h
> +++ b/include/net/netlabel.h
> @@ -139,7 +139,7 @@ struct netlbl_lsm_cache {
>  };
>  
>  /**
> - * struct netlbl_lsm_secattr_catmap - NetLabel LSM secattr category bitmap
> + * struct netlbl_lsm_catmap - NetLabel LSM secattr category bitmap
>   * @startbit: the value of the lowest order bit in the bitmap
>   * @bitmap: the category bitmap
>   * @next: pointer to the next bitmap "node" or NULL
> @@ -162,10 +162,10 @@ struct netlbl_lsm_cache {
>  #define NETLBL_CATMAP_SIZE              (NETLBL_CATMAP_MAPSIZE * \
>  					 NETLBL_CATMAP_MAPCNT)
>  #define NETLBL_CATMAP_BIT               (NETLBL_CATMAP_MAPTYPE)0x01
> -struct netlbl_lsm_secattr_catmap {
> +struct netlbl_lsm_catmap {
>  	u32 startbit;
>  	NETLBL_CATMAP_MAPTYPE bitmap[NETLBL_CATMAP_MAPCNT];
> -	struct netlbl_lsm_secattr_catmap *next;
> +	struct netlbl_lsm_catmap *next;
>  };
>  
>  /**
> @@ -209,7 +209,7 @@ struct netlbl_lsm_secattr {
>  	struct netlbl_lsm_cache *cache;
>  	struct {
>  		struct {
> -			struct netlbl_lsm_secattr_catmap *cat;
> +			struct netlbl_lsm_catmap *cat;
>  			u32 lvl;
>  		} mls;
>  		u32 secid;
> @@ -258,7 +258,7 @@ static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
>  }
>  
>  /**
> - * netlbl_secattr_catmap_alloc - Allocate a LSM secattr catmap
> + * netlbl_catmap_alloc - Allocate a LSM secattr catmap
>   * @flags: memory allocation flags
>   *
>   * Description:
> @@ -266,24 +266,22 @@ static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
>   * on failure.
>   *
>   */
> -static inline struct netlbl_lsm_secattr_catmap *netlbl_secattr_catmap_alloc(
> -	                                                           gfp_t flags)
> +static inline struct netlbl_lsm_catmap *netlbl_catmap_alloc(gfp_t flags)
>  {
> -	return kzalloc(sizeof(struct netlbl_lsm_secattr_catmap), flags);
> +	return kzalloc(sizeof(struct netlbl_lsm_catmap), flags);
>  }
>  
>  /**
> - * netlbl_secattr_catmap_free - Free a LSM secattr catmap
> + * netlbl_catmap_free - Free a LSM secattr catmap
>   * @catmap: the category bitmap
>   *
>   * Description:
>   * Free a LSM secattr catmap.
>   *
>   */
> -static inline void netlbl_secattr_catmap_free(
> -	                              struct netlbl_lsm_secattr_catmap *catmap)
> +static inline void netlbl_catmap_free(struct netlbl_lsm_catmap *catmap)
>  {
> -	struct netlbl_lsm_secattr_catmap *iter;
> +	struct netlbl_lsm_catmap *iter;
>  
>  	while (catmap) {
>  		iter = catmap;
> @@ -321,7 +319,7 @@ static inline void netlbl_secattr_destroy(struct netlbl_lsm_secattr *secattr)
>  	if (secattr->flags & NETLBL_SECATTR_CACHE)
>  		netlbl_secattr_cache_free(secattr->cache);
>  	if (secattr->flags & NETLBL_SECATTR_MLS_CAT)
> -		netlbl_secattr_catmap_free(secattr->attr.mls.cat);
> +		netlbl_catmap_free(secattr->attr.mls.cat);
>  }
>  
>  /**
> @@ -390,24 +388,22 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
>  /*
>   * LSM security attribute operations
>   */
> -int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
> -			       u32 offset);
> -int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
> -				   u32 offset);
> -int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
> -				  u32 *offset,
> -				  unsigned long *bitmap);
> -int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
> -				 u32 bit,
> -				 gfp_t flags);
> -int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
> -				 u32 start,
> -				 u32 end,
> -				 gfp_t flags);
> -int netlbl_secattr_catmap_setlong(struct netlbl_lsm_secattr_catmap **catmap,
> -				  u32 offset,
> -				  unsigned long bitmap,
> -				  gfp_t flags);
> +int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap, u32 offset);
> +int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap, u32 offset);
> +int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
> +			  u32 *offset,
> +			  unsigned long *bitmap);
> +int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
> +			 u32 bit,
> +			 gfp_t flags);
> +int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
> +			 u32 start,
> +			 u32 end,
> +			 gfp_t flags);
> +int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
> +			  u32 offset,
> +			  unsigned long bitmap,
> +			  gfp_t flags);
>  
>  /*
>   * LSM protocol operations (NetLabel LSM/kernel API)
> @@ -499,45 +495,39 @@ static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
>  {
>  	return -ENOSYS;
>  }
> -static inline int netlbl_secattr_catmap_walk(
> -	                              struct netlbl_lsm_secattr_catmap *catmap,
> -				      u32 offset)
> +static inline int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap,
> +				     u32 offset)
>  {
>  	return -ENOENT;
>  }
> -static inline int netlbl_secattr_catmap_walk_rng(
> -				      struct netlbl_lsm_secattr_catmap *catmap,
> -				      u32 offset)
> +static inline int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap,
> +					u32 offset)
>  {
>  	return -ENOENT;
>  }
> -static inline int netlbl_secattr_catmap_getlong(
> -				      struct netlbl_lsm_secattr_catmap *catmap,
> -				      u32 *offset,
> -				      unsigned long *bitmap)
> +static inline int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
> +					u32 *offset,
> +					unsigned long *bitmap)
>  {
>  	return 0;
>  }
> -static inline int netlbl_secattr_catmap_setbit(
> -				      struct netlbl_lsm_secattr_catmap **catmap,
> -				      u32 bit,
> -				      gfp_t flags)
> +static inline int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
> +				       u32 bit,
> +				       gfp_t flags)
>  {
>  	return 0;
>  }
> -static inline int netlbl_secattr_catmap_setrng(
> -				      struct netlbl_lsm_secattr_catmap **catmap,
> -				      u32 start,
> -				      u32 end,
> -				      gfp_t flags)
> +static inline int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
> +				       u32 start,
> +				       u32 end,
> +				       gfp_t flags)
>  {
>  	return 0;
>  }
> -static int netlbl_secattr_catmap_setlong(
> -				      struct netlbl_lsm_secattr_catmap **catmap,
> -				      u32 offset,
> -				      unsigned long bitmap,
> -				      gfp_t flags)
> +static int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
> +				 u32 offset,
> +				 unsigned long bitmap,
> +				 gfp_t flags)
>  {
>  	return 0;
>  }
> diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
> index 8a0c7bd..05b708b 100644
> --- a/net/ipv4/cipso_ipv4.c
> +++ b/net/ipv4/cipso_ipv4.c
> @@ -890,8 +890,8 @@ static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def,
>  	}
>  
>  	for (;;) {
> -		host_spot = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
> -						       host_spot + 1);
> +		host_spot = netlbl_catmap_walk(secattr->attr.mls.cat,
> +					       host_spot + 1);
>  		if (host_spot < 0)
>  			break;
>  
> @@ -973,7 +973,7 @@ static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def,
>  				return -EPERM;
>  			break;
>  		}
> -		ret_val = netlbl_secattr_catmap_setbit(&secattr->attr.mls.cat,
> +		ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat,
>  						       host_spot,
>  						       GFP_ATOMIC);
>  		if (ret_val != 0)
> @@ -1039,8 +1039,7 @@ static int cipso_v4_map_cat_enum_hton(const struct cipso_v4_doi *doi_def,
>  	u32 cat_iter = 0;
>  
>  	for (;;) {
> -		cat = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
> -						 cat + 1);
> +		cat = netlbl_catmap_walk(secattr->attr.mls.cat, cat + 1);
>  		if (cat < 0)
>  			break;
>  		if ((cat_iter + 2) > net_cat_len)
> @@ -1075,9 +1074,9 @@ static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def,
>  	u32 iter;
>  
>  	for (iter = 0; iter < net_cat_len; iter += 2) {
> -		ret_val = netlbl_secattr_catmap_setbit(&secattr->attr.mls.cat,
> -				get_unaligned_be16(&net_cat[iter]),
> -				GFP_ATOMIC);
> +		ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat,
> +					     get_unaligned_be16(&net_cat[iter]),
> +					     GFP_ATOMIC);
>  		if (ret_val != 0)
>  			return ret_val;
>  	}
> @@ -1155,8 +1154,7 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
>  		return -ENOSPC;
>  
>  	for (;;) {
> -		iter = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
> -						  iter + 1);
> +		iter = netlbl_catmap_walk(secattr->attr.mls.cat, iter + 1);
>  		if (iter < 0)
>  			break;
>  		cat_size += (iter == 0 ? 0 : sizeof(u16));
> @@ -1164,8 +1162,7 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
>  			return -ENOSPC;
>  		array[array_cnt++] = iter;
>  
> -		iter = netlbl_secattr_catmap_walk_rng(secattr->attr.mls.cat,
> -						      iter);
> +		iter = netlbl_catmap_walkrng(secattr->attr.mls.cat, iter);
>  		if (iter < 0)
>  			return -EFAULT;
>  		cat_size += sizeof(u16);
> @@ -1217,10 +1214,10 @@ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,
>  		else
>  			cat_low = 0;
>  
> -		ret_val = netlbl_secattr_catmap_setrng(&secattr->attr.mls.cat,
> -						       cat_low,
> -						       cat_high,
> -						       GFP_ATOMIC);
> +		ret_val = netlbl_catmap_setrng(&secattr->attr.mls.cat,
> +					       cat_low,
> +					       cat_high,
> +					       GFP_ATOMIC);
>  		if (ret_val != 0)
>  			return ret_val;
>  	}
> @@ -1340,7 +1337,7 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
>  						    tag_len - 4,
>  						    secattr);
>  		if (ret_val != 0) {
> -			netlbl_secattr_catmap_free(secattr->attr.mls.cat);
> +			netlbl_catmap_free(secattr->attr.mls.cat);
>  			return ret_val;
>  		}
>  
> @@ -1431,7 +1428,7 @@ static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def,
>  						     tag_len - 4,
>  						     secattr);
>  		if (ret_val != 0) {
> -			netlbl_secattr_catmap_free(secattr->attr.mls.cat);
> +			netlbl_catmap_free(secattr->attr.mls.cat);
>  			return ret_val;
>  		}
>  
> @@ -1521,7 +1518,7 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
>  						    tag_len - 4,
>  						    secattr);
>  		if (ret_val != 0) {
> -			netlbl_secattr_catmap_free(secattr->attr.mls.cat);
> +			netlbl_catmap_free(secattr->attr.mls.cat);
>  			return ret_val;
>  		}
>  
> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index bc38838..05ea4a4 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -410,7 +410,7 @@ out_entry:
>  #define _CM_F_WALK	0x00000002
>  
>  /**
> - * _netlbl_secattr_catmap_getnode - Get a individual node from a catmap
> + * _netlbl_catmap_getnode - Get a individual node from a catmap
>   * @catmap: pointer to the category bitmap
>   * @offset: the requested offset
>   * @cm_flags: catmap flags, see _CM_F_*
> @@ -424,36 +424,36 @@ out_entry:
>   * be returned.  Returns a pointer to the node on success, NULL on failure.
>   *
>   */
> -static struct netlbl_lsm_secattr_catmap *_netlbl_secattr_catmap_getnode(
> -				struct netlbl_lsm_secattr_catmap **catmap,
> -				u32 offset,
> -				unsigned int cm_flags,
> -				gfp_t gfp_flags)
> +static struct netlbl_lsm_catmap *_netlbl_catmap_getnode(
> +					     struct netlbl_lsm_catmap **catmap,
> +					     u32 offset,
> +					     unsigned int cm_flags,
> +					     gfp_t gfp_flags)
>  {
> -	struct netlbl_lsm_secattr_catmap *iter = *catmap;
> -	struct netlbl_lsm_secattr_catmap *prev = NULL;
> +	struct netlbl_lsm_catmap *iter = *catmap;
> +	struct netlbl_lsm_catmap *prev = NULL;
>  
>  	if (iter == NULL)
> -		goto secattr_catmap_getnode_alloc;
> +		goto catmap_getnode_alloc;
>  	if (offset < iter->startbit)
> -		goto secattr_catmap_getnode_walk;
> +		goto catmap_getnode_walk;
>  	while (iter && offset >= (iter->startbit + NETLBL_CATMAP_SIZE)) {
>  		prev = iter;
>  		iter = iter->next;
>  	}
>  	if (iter == NULL || offset < iter->startbit)
> -		goto secattr_catmap_getnode_walk;
> +		goto catmap_getnode_walk;
>  
>  	return iter;
>  
> -secattr_catmap_getnode_walk:
> +catmap_getnode_walk:
>  	if (cm_flags & _CM_F_WALK)
>  		return iter;
> -secattr_catmap_getnode_alloc:
> +catmap_getnode_alloc:
>  	if (!(cm_flags & _CM_F_ALLOC))
>  		return NULL;
>  
> -	iter = netlbl_secattr_catmap_alloc(gfp_flags);
> +	iter = netlbl_catmap_alloc(gfp_flags);
>  	if (iter == NULL)
>  		return NULL;
>  	iter->startbit = offset & ~(NETLBL_CATMAP_SIZE - 1);
> @@ -470,7 +470,7 @@ secattr_catmap_getnode_alloc:
>  }
>  
>  /**
> - * netlbl_secattr_catmap_walk - Walk a LSM secattr catmap looking for a bit
> + * netlbl_catmap_walk - Walk a LSM secattr catmap looking for a bit
>   * @catmap: the category bitmap
>   * @offset: the offset to start searching at, in bits
>   *
> @@ -479,15 +479,14 @@ secattr_catmap_getnode_alloc:
>   * returns the spot of the first set bit or -ENOENT if no bits are set.
>   *
>   */
> -int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
> -			       u32 offset)
> +int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap, u32 offset)
>  {
> -	struct netlbl_lsm_secattr_catmap *iter = catmap;
> +	struct netlbl_lsm_catmap *iter = catmap;
>  	u32 idx;
>  	u32 bit;
>  	NETLBL_CATMAP_MAPTYPE bitmap;
>  
> -	iter = _netlbl_secattr_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
> +	iter = _netlbl_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
>  	if (iter == NULL)
>  		return -ENOENT;
>  	if (offset > iter->startbit) {
> @@ -524,7 +523,7 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
>  }
>  
>  /**
> - * netlbl_secattr_catmap_walk_rng - Find the end of a string of set bits
> + * netlbl_catmap_walkrng - Find the end of a string of set bits
>   * @catmap: the category bitmap
>   * @offset: the offset to start searching at, in bits
>   *
> @@ -534,17 +533,16 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
>   * the end of the bitmap.
>   *
>   */
> -int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
> -				   u32 offset)
> +int netlbl_catmap_walkrng(struct netlbl_lsm_catmap *catmap, u32 offset)
>  {
> -	struct netlbl_lsm_secattr_catmap *iter;
> -	struct netlbl_lsm_secattr_catmap *prev = NULL;
> +	struct netlbl_lsm_catmap *iter;
> +	struct netlbl_lsm_catmap *prev = NULL;
>  	u32 idx;
>  	u32 bit;
>  	NETLBL_CATMAP_MAPTYPE bitmask;
>  	NETLBL_CATMAP_MAPTYPE bitmap;
>  
> -	iter = _netlbl_secattr_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
> +	iter = _netlbl_catmap_getnode(&catmap, offset, _CM_F_WALK, 0);
>  	if (iter == NULL)
>  		return -ENOENT;
>  	if (offset > iter->startbit) {
> @@ -584,7 +582,7 @@ int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
>  }
>  
>  /**
> - * netlbl_secattr_catmap_getlong - Export an unsigned long bitmap
> + * netlbl_catmap_getlong - Export an unsigned long bitmap
>   * @catmap: pointer to the category bitmap
>   * @offset: pointer to the requested offset
>   * @bitmap: the exported bitmap
> @@ -597,11 +595,11 @@ int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
>   * Returns zero on sucess, negative values on failure.
>   *
>   */
> -int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
> -				  u32 *offset,
> -				  unsigned long *bitmap)
> +int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
> +			  u32 *offset,
> +			  unsigned long *bitmap)
>  {
> -	struct netlbl_lsm_secattr_catmap *iter;
> +	struct netlbl_lsm_catmap *iter;
>  	u32 off = *offset;
>  	u32 idx;
>  
> @@ -613,7 +611,7 @@ int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
>  		off = catmap->startbit;
>  		*offset = off;
>  	}
> -	iter = _netlbl_secattr_catmap_getnode(&catmap, off, _CM_F_NONE, 0);
> +	iter = _netlbl_catmap_getnode(&catmap, off, _CM_F_NONE, 0);
>  	if (iter == NULL) {
>  		*offset = (u32)-1;
>  		return 0;
> @@ -632,7 +630,7 @@ int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
>  }
>  
>  /**
> - * netlbl_secattr_catmap_setbit - Set a bit in a LSM secattr catmap
> + * netlbl_catmap_setbit - Set a bit in a LSM secattr catmap
>   * @catmap: pointer to the category bitmap
>   * @bit: the bit to set
>   * @flags: memory allocation flags
> @@ -642,14 +640,14 @@ int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap,
>   * negative values on failure.
>   *
>   */
> -int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
> -				 u32 bit,
> -				 gfp_t flags)
> +int netlbl_catmap_setbit(struct netlbl_lsm_catmap **catmap,
> +			 u32 bit,
> +			 gfp_t flags)
>  {
> -	struct netlbl_lsm_secattr_catmap *iter;
> +	struct netlbl_lsm_catmap *iter;
>  	u32 idx;
>  
> -	iter = _netlbl_secattr_catmap_getnode(catmap, bit, _CM_F_ALLOC, flags);
> +	iter = _netlbl_catmap_getnode(catmap, bit, _CM_F_ALLOC, flags);
>  	if (iter == NULL)
>  		return -ENOMEM;
>  
> @@ -661,7 +659,7 @@ int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
>  }
>  
>  /**
> - * netlbl_secattr_catmap_setrng - Set a range of bits in a LSM secattr catmap
> + * netlbl_catmap_setrng - Set a range of bits in a LSM secattr catmap
>   * @catmap: pointer to the category bitmap
>   * @start: the starting bit
>   * @end: the last bit in the string
> @@ -672,10 +670,10 @@ int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap,
>   * on success, negative values on failure.
>   *
>   */
> -int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
> -				 u32 start,
> -				 u32 end,
> -				 gfp_t flags)
> +int netlbl_catmap_setrng(struct netlbl_lsm_catmap **catmap,
> +			 u32 start,
> +			 u32 end,
> +			 gfp_t flags)
>  {
>  	int rc = 0;
>  	u32 spot = start;
> @@ -683,22 +681,20 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
>  	while (rc == 0 && spot <= end) {
>  		if (((spot & (BITS_PER_LONG - 1)) != 0) &&
>  		    ((end - spot) > BITS_PER_LONG)) {
> -			rc = netlbl_secattr_catmap_setlong(catmap,
> -							   spot,
> -							   (unsigned long)-1,
> -							   flags);
> +			rc = netlbl_catmap_setlong(catmap,
> +						   spot,
> +						   (unsigned long)-1,
> +						   flags);
>  			spot += BITS_PER_LONG;
>  		} else
> -			rc = netlbl_secattr_catmap_setbit(catmap,
> -							  spot++,
> -							  flags);
> +			rc = netlbl_catmap_setbit(catmap, spot++, flags);
>  	}
>  
>  	return rc;
>  }
>  
>  /**
> - * netlbl_secattr_catmap_setlong - Import an unsigned long bitmap
> + * netlbl_catmap_setlong - Import an unsigned long bitmap
>   * @catmap: pointer to the category bitmap
>   * @offset: offset to the start of the imported bitmap
>   * @bitmap: the bitmap to import
> @@ -710,20 +706,19 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap,
>   * on success, negative values on failure.
>   *
>   */
> -int netlbl_secattr_catmap_setlong(struct netlbl_lsm_secattr_catmap **catmap,
> -				  u32 offset,
> -				  unsigned long bitmap,
> -				  gfp_t flags)
> +int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
> +			  u32 offset,
> +			  unsigned long bitmap,
> +			  gfp_t flags)
>  {
> -	struct netlbl_lsm_secattr_catmap *iter;
> +	struct netlbl_lsm_catmap *iter;
>  	u32 idx;
>  
>  	/* only allow aligned offsets */
>  	if ((offset & (BITS_PER_LONG - 1)) != 0)
>  		return -EINVAL;
>  
> -	iter = _netlbl_secattr_catmap_getnode(catmap,
> -					      offset, _CM_F_ALLOC, flags);
> +	iter = _netlbl_catmap_getnode(catmap, offset, _CM_F_ALLOC, flags);
>  	if (iter == NULL)
>  		return -ENOMEM;
>  
> diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
> index 842deca..afe6a26 100644
> --- a/security/selinux/ss/ebitmap.c
> +++ b/security/selinux/ss/ebitmap.c
> @@ -86,7 +86,7 @@ int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src)
>   *
>   */
>  int ebitmap_netlbl_export(struct ebitmap *ebmap,
> -			  struct netlbl_lsm_secattr_catmap **catmap)
> +			  struct netlbl_lsm_catmap **catmap)
>  {
>  	struct ebitmap_node *e_iter = ebmap->node;
>  	unsigned long e_map;
> @@ -100,7 +100,7 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
>  	}
>  
>  	if (*catmap != NULL)
> -		netlbl_secattr_catmap_free(*catmap);
> +		netlbl_catmap_free(*catmap);
>  	*catmap = NULL;
>  
>  	while (e_iter) {
> @@ -108,10 +108,10 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
>  		for (iter = 0; iter < EBITMAP_UNIT_NUMS; iter++) {
>  			e_map = e_iter->maps[iter];
>  			if (e_map != 0) {
> -				rc = netlbl_secattr_catmap_setlong(catmap,
> -								   offset,
> -								   e_map,
> -								   GFP_ATOMIC);
> +				rc = netlbl_catmap_setlong(catmap,
> +							   offset,
> +							   e_map,
> +							   GFP_ATOMIC);
>  				if (rc != 0)
>  					goto netlbl_export_failure;
>  			}
> @@ -123,7 +123,7 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
>  	return 0;
>  
>  netlbl_export_failure:
> -	netlbl_secattr_catmap_free(*catmap);
> +	netlbl_catmap_free(*catmap);
>  	return -ENOMEM;
>  }
>  
> @@ -138,7 +138,7 @@ netlbl_export_failure:
>   *
>   */
>  int ebitmap_netlbl_import(struct ebitmap *ebmap,
> -			  struct netlbl_lsm_secattr_catmap *catmap)
> +			  struct netlbl_lsm_catmap *catmap)
>  {
>  	int rc;
>  	struct ebitmap_node *e_iter = NULL;
> @@ -147,7 +147,7 @@ int ebitmap_netlbl_import(struct ebitmap *ebmap,
>  	unsigned long bitmap;
>  
>  	for (;;) {
> -		rc = netlbl_secattr_catmap_getlong(catmap, &offset, &bitmap);
> +		rc = netlbl_catmap_getlong(catmap, &offset, &bitmap);
>  		if (rc < 0)
>  			goto netlbl_import_failure;
>  		if (offset == (u32)-1)
> diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
> index 712c8a7..9637b8c 100644
> --- a/security/selinux/ss/ebitmap.h
> +++ b/security/selinux/ss/ebitmap.h
> @@ -132,17 +132,17 @@ int ebitmap_write(struct ebitmap *e, void *fp);
>  
>  #ifdef CONFIG_NETLABEL
>  int ebitmap_netlbl_export(struct ebitmap *ebmap,
> -			  struct netlbl_lsm_secattr_catmap **catmap);
> +			  struct netlbl_lsm_catmap **catmap);
>  int ebitmap_netlbl_import(struct ebitmap *ebmap,
> -			  struct netlbl_lsm_secattr_catmap *catmap);
> +			  struct netlbl_lsm_catmap *catmap);
>  #else
>  static inline int ebitmap_netlbl_export(struct ebitmap *ebmap,
> -				struct netlbl_lsm_secattr_catmap **catmap)
> +					struct netlbl_lsm_catmap **catmap)
>  {
>  	return -ENOMEM;
>  }
>  static inline int ebitmap_netlbl_import(struct ebitmap *ebmap,
> -				struct netlbl_lsm_secattr_catmap *catmap)
> +					struct netlbl_lsm_catmap *catmap)
>  {
>  	return -ENOMEM;
>  }
> diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
> index ea1bc50..732df7b9 100644
> --- a/security/smack/smack_access.c
> +++ b/security/smack/smack_access.c
> @@ -441,10 +441,10 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,
>  		for (m = 0x80; m != 0; m >>= 1, cat++) {
>  			if ((m & *cp) == 0)
>  				continue;
> -			rc = netlbl_secattr_catmap_setbit(&sap->attr.mls.cat,
> -							  cat, GFP_ATOMIC);
> +			rc = netlbl_catmap_setbit(&sap->attr.mls.cat,
> +						  cat, GFP_ATOMIC);
>  			if (rc < 0) {
> -				netlbl_secattr_catmap_free(sap->attr.mls.cat);
> +				netlbl_catmap_free(sap->attr.mls.cat);
>  				return rc;
>  			}
>  		}
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 14f52be..c32bba5 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -3091,9 +3091,9 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
>  				break;
>  			}
>  			for (acat = -1, kcat = -1; acat == kcat; ) {
> -				acat = netlbl_secattr_catmap_walk(
> -					sap->attr.mls.cat, acat + 1);
> -				kcat = netlbl_secattr_catmap_walk(
> +				acat = netlbl_catmap_walk(sap->attr.mls.cat,
> +							  acat + 1);
> +				kcat = netlbl_catmap_walk(
>  					skp->smk_netlabel.attr.mls.cat,
>  					kcat + 1);
>  				if (acat < 0 || kcat < 0)
> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
> index 3198cfe..893b06b 100644
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -777,7 +777,7 @@ static int cipso_seq_show(struct seq_file *s, void *v)
>  	struct list_head  *list = v;
>  	struct smack_known *skp =
>  		 list_entry(list, struct smack_known, list);
> -	struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
> +	struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
>  	char sep = '/';
>  	int i;
>  
> @@ -794,8 +794,8 @@ static int cipso_seq_show(struct seq_file *s, void *v)
>  
>  	seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
>  
> -	for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0;
> -	     i = netlbl_secattr_catmap_walk(cmp, i + 1)) {
> +	for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
> +	     i = netlbl_catmap_walk(cmp, i + 1)) {
>  		seq_printf(s, "%c%d", sep, i);
>  		sep = ',';
>  	}
> @@ -916,7 +916,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
>  
>  	rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
>  	if (rc >= 0) {
> -		netlbl_secattr_catmap_free(skp->smk_netlabel.attr.mls.cat);
> +		netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat);
>  		skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
>  		skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
>  		rc = count;
> @@ -966,14 +966,14 @@ static int cipso2_seq_show(struct seq_file *s, void *v)
>  	struct list_head  *list = v;
>  	struct smack_known *skp =
>  		 list_entry(list, struct smack_known, list);
> -	struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
> +	struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
>  	char sep = '/';
>  	int i;
>  
>  	seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
>  
> -	for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0;
> -	     i = netlbl_secattr_catmap_walk(cmp, i + 1)) {
> +	for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
> +	     i = netlbl_catmap_walk(cmp, i + 1)) {
>  		seq_printf(s, "%c%d", sep, i);
>  		sep = ',';
>  	}
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: [PATCH 0/4] Fix the NetLabel LSM category mappings

[Casey Schaufler]

On 7/31/2014 2:44 PM, Paul Moore wrote:
> As you will see in the patch descriptions below, the NetLabel LSM
> category mappings are very badly broken.  This patchset should repair
> things and make life better in the future.  The first three patches
> are straight-up bug fixes; the fourth patch doesn't actually fix any
> faulty logic in the code, but rather shortens some stupidly long
> function and structure names relating to the NetLabel category
> mappings.  I should probably do something similar with a lot of other
> NetLabel APIs, but that is for another time.
>
> Thanks to Christian Evans for pointing out one of the original
> problems.  I don't think he realized how many problems there really
> were, but I still owe him one for getting me to revisit this ugly,
> nasty code.  I apologize it took so long to get a fix out and that
> things were broken this badly in the first place.
>
> Casey, I'm CC'ing you here because this patchset does touch some of
> the Smack code, but as you can see the changes are trivial.  I will
> be very surprised if you find anything objectionable in there.
> However, if you do, let me know and I'll fix it.

The code passes my tests. I'll mark the patches "Tested-by:".

> DaveM/netdev folks, you guys are included here for the obvious reason
> that a good chunk of the code changes live in net/*.  However, the
> net/* related changes are all within the NetLabel code and not in the
> core networking stack so I doubt this is something you'll care too
> much about.  I'm going to guess that as far as you're concerned, this
> is just another bugfix to a subsystem you don't really care about.
>
> DaveM, unless you have any objections, I'm planning on pushing this
> via the SELinux tree up through James' LSM tree since that seems to
> make the most sense to me.  If you would rather push it via the netdev
> tree please let me know.
>
> -Paul
>
> ---
>
> Paul Moore (4):
>       netlabel: fix a problem when setting bits below the previously lowest bit
>       netlabel: fix the horribly broken catmap functions
>       netlabel: fix the catmap walking functions
>       netlabel: shorter names for the NetLabel catmap funcs/structs
>
>
>  include/net/netlabel.h        |   94 +++++++-----
>  net/ipv4/cipso_ipv4.c         |   47 ++----
>  net/netlabel/netlabel_kapi.c  |  327 ++++++++++++++++++++++++++++-------------
>  security/selinux/ss/ebitmap.c |  133 +++++++----------
>  security/selinux/ss/ebitmap.h |    8 +
>  security/smack/smack_access.c |   11 +
>  security/smack/smack_lsm.c    |    6 -
>  security/smack/smackfs.c      |   14 +-
>  8 files changed, 366 insertions(+), 274 deletions(-)
>

Re: [PATCH 0/4] Fix the NetLabel LSM category mappings

[Paul Moore]

On Thursday, July 31, 2014 03:47:29 PM Casey Schaufler wrote:
> On 7/31/2014 2:44 PM, Paul Moore wrote:
> > As you will see in the patch descriptions below, the NetLabel LSM
> > category mappings are very badly broken.  This patchset should repair
> > things and make life better in the future.  The first three patches
> > are straight-up bug fixes; the fourth patch doesn't actually fix any
> > faulty logic in the code, but rather shortens some stupidly long
> > function and structure names relating to the NetLabel category
> > mappings.  I should probably do something similar with a lot of other
> > NetLabel APIs, but that is for another time.
> > 
> > Thanks to Christian Evans for pointing out one of the original
> > problems.  I don't think he realized how many problems there really
> > were, but I still owe him one for getting me to revisit this ugly,
> > nasty code.  I apologize it took so long to get a fix out and that
> > things were broken this badly in the first place.
> > 
> > Casey, I'm CC'ing you here because this patchset does touch some of
> > the Smack code, but as you can see the changes are trivial.  I will
> > be very surprised if you find anything objectionable in there.
> > However, if you do, let me know and I'll fix it.
> 
> The code passes my tests. I'll mark the patches "Tested-by:".

Great, thanks for testing.

-- 
paul moore
security and virtualization @ redhat

Re: [PATCH 0/4] Fix the NetLabel LSM category mappings

[David Miller]

From: Paul Moore <pmoore@redhat.com>
Date: Thu, 31 Jul 2014 17:44:19 -0400

> DaveM, unless you have any objections, I'm planning on pushing this
> via the SELinux tree up through James' LSM tree since that seems to
> make the most sense to me.  If you would rather push it via the netdev
> tree please let me know.

No objections, thanks Paul.