[NetLabel]: core NetLabel subsystem

Add a new kernel subsystem, NetLabel, to provide explicit packet labeling services (CIPSO, RIPSO, etc.) to LSM developers. NetLabel is designed to work in conjunction with a LSM to intercept and decode security labels on incoming network packets as well as ensure that outgoing network packets are labeled according to the security mechanism employed by the LSM. The NetLabel subsystem is configured through a Generic NETLINK interface described in the header files included in this patch. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Paul Moore <paul.moore@hp.com> 2006-08-03 19:48:37 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-09-22 17:53:34 -0400
commit: d15c345fe3b8dfda0fa5a1d2143a35fffa746a43 (patch)
tree: 7de6afd5f4de2fca01eaca879e342ab493dc0bba /net/netlabel/netlabel_domainhash.c
parent: 446fda4f26822b2d42ab3396aafcedf38a9ff2b6 (diff)
1 files changed, 513 insertions, 0 deletions
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
new file mode 100644
index 00000000000..5bb3fad4a11
--- /dev/null
+++ b/net/netlabel/netlabel_domainhash.c
@@ -0,0 +1,513 @@
+/*
+ * NetLabel Domain Hash Table
+ *
+ * This file manages the domain hash table that NetLabel uses to determine
+ * which network labeling protocol to use for a given domain.  The NetLabel
+ * system manages static and dynamic label mappings for network protocols such
+ * as CIPSO and RIPSO.
+ *
+ * Author: Paul Moore <paul.moore@hp.com>
+ *
+ */
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ *
+ * This program is free software;  you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program;  if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+#include <linux/types.h>
+#include <linux/rcupdate.h>
+#include <linux/list.h>
+#include <linux/skbuff.h>
+#include <linux/spinlock.h>
+#include <linux/string.h>
+#include <net/netlabel.h>
+#include <net/cipso_ipv4.h>
+#include <asm/bug.h>
+#include "netlabel_mgmt.h"
+#include "netlabel_domainhash.h"
+struct netlbl_domhsh_tbl {
+        struct list_head *tbl;
+        u32 size;
+};
+/* Domain hash table */
+/* XXX - updates should be so rare that having one spinlock for the entire
+ * hash table should be okay */
+DEFINE_SPINLOCK(netlbl_domhsh_lock);
+static struct netlbl_domhsh_tbl *netlbl_domhsh = NULL;
+/* Default domain mapping */
+DEFINE_SPINLOCK(netlbl_domhsh_def_lock);
+static struct netlbl_dom_map *netlbl_domhsh_def = NULL;
+/*
+ * Domain Hash Table Helper Functions
+ */
+/**
+ * netlbl_domhsh_free_entry - Frees a domain hash table entry
+ * @entry: the entry's RCU field
+ *
+ * Description:
+ * This function is designed to be used as a callback to the call_rcu()
+ * function so that the memory allocated to a hash table entry can be released
+ * safely.
+ *
+ */
+static void netlbl_domhsh_free_entry(struct rcu_head *entry)
+{
+        struct netlbl_dom_map *ptr;
+        ptr = container_of(entry, struct netlbl_dom_map, rcu);
+        kfree(ptr->domain);
+        kfree(ptr);
+}
+/**
+ * netlbl_domhsh_hash - Hashing function for the domain hash table
+ * @domain: the domain name to hash
+ *
+ * Description:
+ * This is the hashing function for the domain hash table, it returns the
+ * correct bucket number for the domain.  The caller is responsibile for
+ * calling the rcu_read_[un]lock() functions.
+ *
+ */
+static u32 netlbl_domhsh_hash(const char *key)
+{
+        u32 iter;
+        u32 val;
+        u32 len;
+        /* This is taken (with slight modification) from
+         * security/selinux/ss/symtab.c:symhash() */
+        for (iter = 0, val = 0, len = strlen(key); iter < len; iter++)
+                val = (val << 4 | (val >> (8 * sizeof(u32) - 4))) ^ key[iter];
+        return val & (rcu_dereference(netlbl_domhsh)->size - 1);
+}
+/**
+ * netlbl_domhsh_search - Search for a domain entry
+ * @domain: the domain
+ * @def: return default if no match is found
+ *
+ * Description:
+ * Searches the domain hash table and returns a pointer to the hash table
+ * entry if found, otherwise NULL is returned.  If @def is non-zero and a
+ * match is not found in the domain hash table the default mapping is returned
+ * if it exists.  The caller is responsibile for the rcu hash table locks
+ * (i.e. the caller much call rcu_read_[un]lock()).
+ *
+ */
+static struct netlbl_dom_map *netlbl_domhsh_search(const char *domain, u32 def)
+{
+        u32 bkt;
+        struct netlbl_dom_map *iter;
+        if (domain != NULL) {
+                bkt = netlbl_domhsh_hash(domain);
+                list_for_each_entry_rcu(iter, &netlbl_domhsh->tbl[bkt], list)
+                        if (iter->valid && strcmp(iter->domain, domain) == 0)
+                                return iter;
+        }
+        if (def != 0) {
+                iter = rcu_dereference(netlbl_domhsh_def);
+                if (iter != NULL && iter->valid)
+                        return iter;
+        }
+        return NULL;
+}
+/*
+ * Domain Hash Table Functions
+ */
+/**
+ * netlbl_domhsh_init - Init for the domain hash
+ * @size: the number of bits to use for the hash buckets
+ *
+ * Description:
+ * Initializes the domain hash table, should be called only by
+ * netlbl_user_init() during initialization.  Returns zero on success, non-zero
+ * values on error.
+ *
+ */
+int netlbl_domhsh_init(u32 size)
+{
+        u32 iter;
+        struct netlbl_domhsh_tbl *hsh_tbl;
+        if (size == 0)
+                return -EINVAL;
+        hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL);
+        if (hsh_tbl == NULL)
+                return -ENOMEM;
+        hsh_tbl->size = 1 << size;
+        hsh_tbl->tbl = kcalloc(hsh_tbl->size,
+                               sizeof(struct list_head),
+                               GFP_KERNEL);
+        if (hsh_tbl->tbl == NULL) {
+                kfree(hsh_tbl);
+                return -ENOMEM;
+        }
+        for (iter = 0; iter < hsh_tbl->size; iter++)
+                INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);
+        rcu_read_lock();
+        spin_lock(&netlbl_domhsh_lock);
+        rcu_assign_pointer(netlbl_domhsh, hsh_tbl);
+        spin_unlock(&netlbl_domhsh_lock);
+        rcu_read_unlock();
+        return 0;
+}
+/**
+ * netlbl_domhsh_add - Adds a entry to the domain hash table
+ * @entry: the entry to add
+ *
+ * Description:
+ * Adds a new entry to the domain hash table and handles any updates to the
+ * lower level protocol handler (i.e. CIPSO).  Returns zero on success,
+ * negative on failure.
+ *
+ */
+int netlbl_domhsh_add(struct netlbl_dom_map *entry)
+{
+        int ret_val;
+        u32 bkt;
+        switch (entry->type) {
+        case NETLBL_NLTYPE_UNLABELED:
+                ret_val = 0;
+                break;
+        case NETLBL_NLTYPE_CIPSOV4:
+                ret_val = cipso_v4_doi_domhsh_add(entry->type_def.cipsov4,
+                                                  entry->domain);
+                break;
+        default:
+                return -EINVAL;
+        }
+        if (ret_val != 0)
+                return ret_val;
+        entry->valid = 1;
+        INIT_RCU_HEAD(&entry->rcu);
+        ret_val = 0;
+        rcu_read_lock();
+        if (entry->domain != NULL) {
+                bkt = netlbl_domhsh_hash(entry->domain);
+                spin_lock(&netlbl_domhsh_lock);
+                if (netlbl_domhsh_search(entry->domain, 0) == NULL)
+                        list_add_tail_rcu(&entry->list,
+                                          &netlbl_domhsh->tbl[bkt]);
+                else
+                        ret_val = -EEXIST;
+                spin_unlock(&netlbl_domhsh_lock);
+        } else if (entry->domain == NULL) {
+                INIT_LIST_HEAD(&entry->list);
+                spin_lock(&netlbl_domhsh_def_lock);
+                if (rcu_dereference(netlbl_domhsh_def) == NULL)
+                        rcu_assign_pointer(netlbl_domhsh_def, entry);
+                else
+                        ret_val = -EEXIST;
+                spin_unlock(&netlbl_domhsh_def_lock);
+        } else
+                ret_val = -EINVAL;
+        rcu_read_unlock();
+        if (ret_val != 0) {
+                switch (entry->type) {
+                case NETLBL_NLTYPE_CIPSOV4:
+                        if (cipso_v4_doi_domhsh_remove(entry->type_def.cipsov4,
+                                                       entry->domain) != 0)
+                                BUG();
+                        break;
+                }
+        }
+        return ret_val;
+}
+/**
+ * netlbl_domhsh_add_default - Adds the default entry to the domain hash table
+ * @entry: the entry to add
+ *
+ * Description:
+ * Adds a new default entry to the domain hash table and handles any updates
+ * to the lower level protocol handler (i.e. CIPSO).  Returns zero on success,
+ * negative on failure.
+ *
+ */
+int netlbl_domhsh_add_default(struct netlbl_dom_map *entry)
+{
+        return netlbl_domhsh_add(entry);
+}
+/**
+ * netlbl_domhsh_remove - Removes an entry from the domain hash table
+ * @domain: the domain to remove
+ *
+ * Description:
+ * Removes an entry from the domain hash table and handles any updates to the
+ * lower level protocol handler (i.e. CIPSO).  Returns zero on success,
+ * negative on failure.
+ *
+ */
+int netlbl_domhsh_remove(const char *domain)
+{
+        int ret_val = -ENOENT;
+        struct netlbl_dom_map *entry;
+        rcu_read_lock();
+        if (domain != NULL)
+                entry = netlbl_domhsh_search(domain, 0);
+        else
+                entry = netlbl_domhsh_search(domain, 1);
+        if (entry == NULL)
+                goto remove_return;
+        switch (entry->type) {
+        case NETLBL_NLTYPE_UNLABELED:
+                break;
+        case NETLBL_NLTYPE_CIPSOV4:
+                ret_val = cipso_v4_doi_domhsh_remove(entry->type_def.cipsov4,
+                                                     entry->domain);
+                if (ret_val != 0)
+                        goto remove_return;
+                break;
+        }
+        ret_val = 0;
+        if (entry != rcu_dereference(netlbl_domhsh_def)) {
+                spin_lock(&netlbl_domhsh_lock);
+                if (entry->valid) {
+                        entry->valid = 0;
+                        list_del_rcu(&entry->list);
+                } else
+                        ret_val = -ENOENT;
+                spin_unlock(&netlbl_domhsh_lock);
+        } else {
+                spin_lock(&netlbl_domhsh_def_lock);
+                if (entry->valid) {
+                        entry->valid = 0;
+                        rcu_assign_pointer(netlbl_domhsh_def, NULL);
+                } else
+                        ret_val = -ENOENT;
+                spin_unlock(&netlbl_domhsh_def_lock);
+        }
+        if (ret_val == 0)
+                call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
+remove_return:
+        rcu_read_unlock();
+        return ret_val;
+}
+/**
+ * netlbl_domhsh_remove_default - Removes the default entry from the table
+ *
+ * Description:
+ * Removes/resets the default entry for the domain hash table and handles any
+ * updates to the lower level protocol handler (i.e. CIPSO).  Returns zero on
+ * success, non-zero on failure.
+ *
+ */
+int netlbl_domhsh_remove_default(void)
+{
+        return netlbl_domhsh_remove(NULL);
+}
+/**
+ * netlbl_domhsh_getentry - Get an entry from the domain hash table
+ * @domain: the domain name to search for
+ *
+ * Description:
+ * Look through the domain hash table searching for an entry to match @domain,
+ * return a pointer to a copy of the entry or NULL.  The caller is responsibile
+ * for ensuring that rcu_read_[un]lock() is called.
+ *
+ */
+struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain)
+{
+        return netlbl_domhsh_search(domain, 1);
+}
+/**
+ * netlbl_domhsh_dump - Dump the domain hash table into a sk_buff
+ *
+ * Description:
+ * Dump the domain hash table into a buffer suitable for returning to an
+ * application in response to a NetLabel management DOMAIN message.  This
+ * function may fail if another process is growing the hash table at the same
+ * time.  The returned sk_buff has room at the front of the sk_buff for
+ * @headroom bytes.  See netlabel.h for the DOMAIN message format.  Returns a
+ * pointer to a sk_buff on success, NULL on error.
+ *
+ */
+struct sk_buff *netlbl_domhsh_dump(size_t headroom)
+{
+        struct sk_buff *skb = NULL;
+        ssize_t buf_len;
+        u32 bkt_iter;
+        u32 dom_cnt = 0;
+        struct netlbl_domhsh_tbl *hsh_tbl;
+        struct netlbl_dom_map *list_iter;
+        ssize_t tmp_len;
+        buf_len = NETLBL_LEN_U32;
+        rcu_read_lock();
+        hsh_tbl = rcu_dereference(netlbl_domhsh);
+        for (bkt_iter = 0; bkt_iter < hsh_tbl->size; bkt_iter++)
+                list_for_each_entry_rcu(list_iter,
+                                        &hsh_tbl->tbl[bkt_iter], list) {
+                        buf_len += NETLBL_LEN_U32 +
+                                nla_total_size(strlen(list_iter->domain) + 1);
+                        switch (list_iter->type) {
+                        case NETLBL_NLTYPE_UNLABELED:
+                                break;
+                        case NETLBL_NLTYPE_CIPSOV4:
+                                buf_len += 2 * NETLBL_LEN_U32;
+                                break;
+                        }
+                        dom_cnt++;
+                }
+        skb = netlbl_netlink_alloc_skb(headroom, buf_len, GFP_ATOMIC);
+        if (skb == NULL)
+                goto dump_failure;
+        if (nla_put_u32(skb, NLA_U32, dom_cnt) != 0)
+                goto dump_failure;
+        buf_len -= NETLBL_LEN_U32;
+        hsh_tbl = rcu_dereference(netlbl_domhsh);
+        for (bkt_iter = 0; bkt_iter < hsh_tbl->size; bkt_iter++)
+                list_for_each_entry_rcu(list_iter,
+                                        &hsh_tbl->tbl[bkt_iter], list) {
+                        tmp_len = nla_total_size(strlen(list_iter->domain) +
+                                                 1);
+                        if (buf_len < NETLBL_LEN_U32 + tmp_len)
+                                goto dump_failure;
+                        if (nla_put_string(skb,
+                                           NLA_STRING,
+                                           list_iter->domain) != 0)
+                                goto dump_failure;
+                        if (nla_put_u32(skb, NLA_U32, list_iter->type) != 0)
+                                goto dump_failure;
+                        buf_len -= NETLBL_LEN_U32 + tmp_len;
+                        switch (list_iter->type) {
+                        case NETLBL_NLTYPE_UNLABELED:
+                                break;
+                        case NETLBL_NLTYPE_CIPSOV4:
+                                if (buf_len < 2 * NETLBL_LEN_U32)
+                                        goto dump_failure;
+                                if (nla_put_u32(skb,
+                                       NLA_U32,
+                                       list_iter->type_def.cipsov4->type) != 0)
+                                        goto dump_failure;
+                                if (nla_put_u32(skb,
+                                       NLA_U32,
+                                       list_iter->type_def.cipsov4->doi) != 0)
+                                        goto dump_failure;
+                                buf_len -= 2 * NETLBL_LEN_U32;
+                                break;
+                        }
+                }
+        rcu_read_unlock();
+        return skb;
+dump_failure:
+        rcu_read_unlock();
+        kfree_skb(skb);
+        return NULL;
+}
+/**
+ * netlbl_domhsh_dump_default - Dump the default domain mapping into a sk_buff
+ *
+ * Description:
+ * Dump the default domain mapping into a buffer suitable for returning to an
+ * application in response to a NetLabel management DEFDOMAIN message.  This
+ * function may fail if another process is changing the default domain mapping
+ * at the same time.  The returned sk_buff has room at the front of the
+ * skb_buff for @headroom bytes.  See netlabel.h for the DEFDOMAIN message
+ * format.  Returns a pointer to a sk_buff on success, NULL on error.
+ *
+ */
+struct sk_buff *netlbl_domhsh_dump_default(size_t headroom)
+{
+        struct sk_buff *skb;
+        ssize_t buf_len;
+        struct netlbl_dom_map *entry;
+        buf_len = NETLBL_LEN_U32;
+        rcu_read_lock();
+        entry = rcu_dereference(netlbl_domhsh_def);
+        if (entry != NULL)
+                switch (entry->type) {
+                case NETLBL_NLTYPE_UNLABELED:
+                        break;
+                case NETLBL_NLTYPE_CIPSOV4:
+                        buf_len += 2 * NETLBL_LEN_U32;
+                        break;
+                }
+        skb = netlbl_netlink_alloc_skb(headroom, buf_len, GFP_ATOMIC);
+        if (skb == NULL)
+                goto dump_default_failure;
+        if (entry != rcu_dereference(netlbl_domhsh_def))
+                goto dump_default_failure;
+        if (entry != NULL) {
+                if (nla_put_u32(skb, NLA_U32, entry->type) != 0)
+                        goto dump_default_failure;
+                buf_len -= NETLBL_LEN_U32;
+                switch (entry->type) {
+                case NETLBL_NLTYPE_UNLABELED:
+                        break;
+                case NETLBL_NLTYPE_CIPSOV4:
+                        if (buf_len < 2 * NETLBL_LEN_U32)
+                                goto dump_default_failure;
+                        if (nla_put_u32(skb,
+                                        NLA_U32,
+                                        entry->type_def.cipsov4->type) != 0)
+                                goto dump_default_failure;
+                        if (nla_put_u32(skb,
+                                        NLA_U32,
+                                        entry->type_def.cipsov4->doi) != 0)
+                                goto dump_default_failure;
+                        buf_len -= 2 * NETLBL_LEN_U32;
+                        break;
+                }
+        } else
+                nla_put_u32(skb, NLA_U32, NETLBL_NLTYPE_NONE);
+        rcu_read_unlock();
+        return skb;
+dump_default_failure:
+        rcu_read_unlock();
+        kfree_skb(skb);
+        return NULL;
+}
author	Paul Moore <paul.moore@hp.com>	2006-08-03 19:48:37 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-09-22 17:53:34 -0400
commit	d15c345fe3b8dfda0fa5a1d2143a35fffa746a43 (patch)
tree	7de6afd5f4de2fca01eaca879e342ab493dc0bba /net/netlabel/netlabel_domainhash.c
parent	446fda4f26822b2d42ab3396aafcedf38a9ff2b6 (diff)

diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c new file mode 100644 index 00000000000..5bb3fad4a11 --- /dev/null +++ b/net/netlabel/netlabel_domainhash.c
@@ -0,0 +1,513 @@
	1	/*
	2	* NetLabel Domain Hash Table
	3	*
	4	* This file manages the domain hash table that NetLabel uses to determine
	5	* which network labeling protocol to use for a given domain. The NetLabel
	6	* system manages static and dynamic label mappings for network protocols such
	7	* as CIPSO and RIPSO.
	8	*
	9	* Author: Paul Moore <paul.moore@hp.com>
	10	*
	11	*/
	12
	13	/*
	14	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
	15	*
	16	* This program is free software; you can redistribute it and/or modify
	17	* it under the terms of the GNU General Public License as published by
	18	* the Free Software Foundation; either version 2 of the License, or
	19	* (at your option) any later version.
	20	*
	21	* This program is distributed in the hope that it will be useful,
	22	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	23	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
	24	* the GNU General Public License for more details.
	25	*
	26	* You should have received a copy of the GNU General Public License
	27	* along with this program; if not, write to the Free Software
	28	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	29	*
	30	*/
	31
	32	#include <linux/types.h>
	33	#include <linux/rcupdate.h>
	34	#include <linux/list.h>
	35	#include <linux/skbuff.h>
	36	#include <linux/spinlock.h>
	37	#include <linux/string.h>
	38	#include <net/netlabel.h>
	39	#include <net/cipso_ipv4.h>
	40	#include <asm/bug.h>
	41
	42	#include "netlabel_mgmt.h"
	43	#include "netlabel_domainhash.h"
	44
	45	struct netlbl_domhsh_tbl {
	46	struct list_head *tbl;
	47	u32 size;
	48	};
	49
	50	/* Domain hash table */
	51	/* XXX - updates should be so rare that having one spinlock for the entire
	52	* hash table should be okay */
	53	DEFINE_SPINLOCK(netlbl_domhsh_lock);
	54	static struct netlbl_domhsh_tbl *netlbl_domhsh = NULL;
	55
	56	/* Default domain mapping */
	57	DEFINE_SPINLOCK(netlbl_domhsh_def_lock);
	58	static struct netlbl_dom_map *netlbl_domhsh_def = NULL;
	59
	60	/*
	61	* Domain Hash Table Helper Functions
	62	*/
	63
	64	/**
	65	* netlbl_domhsh_free_entry - Frees a domain hash table entry
	66	* @entry: the entry's RCU field
	67	*
	68	* Description:
	69	* This function is designed to be used as a callback to the call_rcu()
	70	* function so that the memory allocated to a hash table entry can be released
	71	* safely.
	72	*
	73	*/
	74	static void netlbl_domhsh_free_entry(struct rcu_head *entry)
	75	{
	76	struct netlbl_dom_map *ptr;
	77
	78	ptr = container_of(entry, struct netlbl_dom_map, rcu);
	79	kfree(ptr->domain);
	80	kfree(ptr);
	81	}
	82
	83	/**
	84	* netlbl_domhsh_hash - Hashing function for the domain hash table
	85	* @domain: the domain name to hash
	86	*
	87	* Description:
	88	* This is the hashing function for the domain hash table, it returns the
	89	* correct bucket number for the domain. The caller is responsibile for
	90	* calling the rcu_read_[un]lock() functions.
	91	*
	92	*/
	93	static u32 netlbl_domhsh_hash(const char *key)
	94	{
	95	u32 iter;
	96	u32 val;
	97	u32 len;
	98
	99	/* This is taken (with slight modification) from
	100	* security/selinux/ss/symtab.c:symhash() */
	101
	102	for (iter = 0, val = 0, len = strlen(key); iter < len; iter++)
	103	val = (val << 4 \| (val >> (8 * sizeof(u32) - 4))) ^ key[iter];
	104	return val & (rcu_dereference(netlbl_domhsh)->size - 1);
	105	}
	106
	107	/**
	108	* netlbl_domhsh_search - Search for a domain entry
	109	* @domain: the domain
	110	* @def: return default if no match is found
	111	*
	112	* Description:
	113	* Searches the domain hash table and returns a pointer to the hash table
	114	* entry if found, otherwise NULL is returned. If @def is non-zero and a
	115	* match is not found in the domain hash table the default mapping is returned
	116	* if it exists. The caller is responsibile for the rcu hash table locks
	117	* (i.e. the caller much call rcu_read_[un]lock()).
	118	*
	119	*/
	120	static struct netlbl_dom_map netlbl_domhsh_search(const char domain, u32 def)
	121	{
	122	u32 bkt;
	123	struct netlbl_dom_map *iter;
	124
	125	if (domain != NULL) {
	126	bkt = netlbl_domhsh_hash(domain);
	127	list_for_each_entry_rcu(iter, &netlbl_domhsh->tbl[bkt], list)
	128	if (iter->valid && strcmp(iter->domain, domain) == 0)
	129	return iter;
	130	}
	131
	132	if (def != 0) {
	133	iter = rcu_dereference(netlbl_domhsh_def);
	134	if (iter != NULL && iter->valid)
	135	return iter;
	136	}
	137
	138	return NULL;
	139	}
	140
	141	/*
	142	* Domain Hash Table Functions
	143	*/
	144
	145	/**
	146	* netlbl_domhsh_init - Init for the domain hash
	147	* @size: the number of bits to use for the hash buckets
	148	*
	149	* Description:
	150	* Initializes the domain hash table, should be called only by
	151	* netlbl_user_init() during initialization. Returns zero on success, non-zero
	152	* values on error.
	153	*
	154	*/
	155	int netlbl_domhsh_init(u32 size)
	156	{
	157	u32 iter;
	158	struct netlbl_domhsh_tbl *hsh_tbl;
	159
	160	if (size == 0)
	161	return -EINVAL;
	162
	163	hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL);
	164	if (hsh_tbl == NULL)
	165	return -ENOMEM;
	166	hsh_tbl->size = 1 << size;
	167	hsh_tbl->tbl = kcalloc(hsh_tbl->size,
	168	sizeof(struct list_head),
	169	GFP_KERNEL);
	170	if (hsh_tbl->tbl == NULL) {
	171	kfree(hsh_tbl);
	172	return -ENOMEM;
	173	}
	174	for (iter = 0; iter < hsh_tbl->size; iter++)
	175	INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);
	176
	177	rcu_read_lock();
	178	spin_lock(&netlbl_domhsh_lock);
	179	rcu_assign_pointer(netlbl_domhsh, hsh_tbl);
	180	spin_unlock(&netlbl_domhsh_lock);
	181	rcu_read_unlock();
	182
	183	return 0;
	184	}
	185
	186	/**
	187	* netlbl_domhsh_add - Adds a entry to the domain hash table
	188	* @entry: the entry to add
	189	*
	190	* Description:
	191	* Adds a new entry to the domain hash table and handles any updates to the
	192	* lower level protocol handler (i.e. CIPSO). Returns zero on success,
	193	* negative on failure.
	194	*
	195	*/
	196	int netlbl_domhsh_add(struct netlbl_dom_map *entry)
	197	{
	198	int ret_val;
	199	u32 bkt;
	200
	201	switch (entry->type) {
	202	case NETLBL_NLTYPE_UNLABELED:
	203	ret_val = 0;
	204	break;
	205	case NETLBL_NLTYPE_CIPSOV4:
	206	ret_val = cipso_v4_doi_domhsh_add(entry->type_def.cipsov4,
	207	entry->domain);
	208	break;
	209	default:
	210	return -EINVAL;
	211	}
	212	if (ret_val != 0)
	213	return ret_val;
	214
	215	entry->valid = 1;
	216	INIT_RCU_HEAD(&entry->rcu);
	217
	218	ret_val = 0;
	219	rcu_read_lock();
	220	if (entry->domain != NULL) {
	221	bkt = netlbl_domhsh_hash(entry->domain);
	222	spin_lock(&netlbl_domhsh_lock);
	223	if (netlbl_domhsh_search(entry->domain, 0) == NULL)
	224	list_add_tail_rcu(&entry->list,
	225	&netlbl_domhsh->tbl[bkt]);
	226	else
	227	ret_val = -EEXIST;
	228	spin_unlock(&netlbl_domhsh_lock);
	229	} else if (entry->domain == NULL) {
	230	INIT_LIST_HEAD(&entry->list);
	231	spin_lock(&netlbl_domhsh_def_lock);
	232	if (rcu_dereference(netlbl_domhsh_def) == NULL)
	233	rcu_assign_pointer(netlbl_domhsh_def, entry);
	234	else
	235	ret_val = -EEXIST;
	236	spin_unlock(&netlbl_domhsh_def_lock);
	237	} else
	238	ret_val = -EINVAL;
	239	rcu_read_unlock();
	240
	241	if (ret_val != 0) {
	242	switch (entry->type) {
	243	case NETLBL_NLTYPE_CIPSOV4:
	244	if (cipso_v4_doi_domhsh_remove(entry->type_def.cipsov4,
	245	entry->domain) != 0)
	246	BUG();
	247	break;
	248	}
	249	}
	250
	251	return ret_val;
	252	}
	253
	254	/**
	255	* netlbl_domhsh_add_default - Adds the default entry to the domain hash table
	256	* @entry: the entry to add
	257	*
	258	* Description:
	259	* Adds a new default entry to the domain hash table and handles any updates
	260	* to the lower level protocol handler (i.e. CIPSO). Returns zero on success,
	261	* negative on failure.
	262	*
	263	*/
	264	int netlbl_domhsh_add_default(struct netlbl_dom_map *entry)
	265	{
	266	return netlbl_domhsh_add(entry);
	267	}
	268
	269	/**
	270	* netlbl_domhsh_remove - Removes an entry from the domain hash table
	271	* @domain: the domain to remove
	272	*
	273	* Description:
	274	* Removes an entry from the domain hash table and handles any updates to the
	275	* lower level protocol handler (i.e. CIPSO). Returns zero on success,
	276	* negative on failure.
	277	*
	278	*/
	279	int netlbl_domhsh_remove(const char *domain)
	280	{
	281	int ret_val = -ENOENT;
	282	struct netlbl_dom_map *entry;
	283
	284	rcu_read_lock();
	285	if (domain != NULL)
	286	entry = netlbl_domhsh_search(domain, 0);
	287	else
	288	entry = netlbl_domhsh_search(domain, 1);
	289	if (entry == NULL)
	290	goto remove_return;
	291	switch (entry->type) {
	292	case NETLBL_NLTYPE_UNLABELED:
	293	break;
	294	case NETLBL_NLTYPE_CIPSOV4:
	295	ret_val = cipso_v4_doi_domhsh_remove(entry->type_def.cipsov4,
	296	entry->domain);
	297	if (ret_val != 0)
	298	goto remove_return;
	299	break;
	300	}
	301	ret_val = 0;
	302	if (entry != rcu_dereference(netlbl_domhsh_def)) {
	303	spin_lock(&netlbl_domhsh_lock);
	304	if (entry->valid) {
	305	entry->valid = 0;
	306	list_del_rcu(&entry->list);
	307	} else
	308	ret_val = -ENOENT;
	309	spin_unlock(&netlbl_domhsh_lock);
	310	} else {
	311	spin_lock(&netlbl_domhsh_def_lock);
	312	if (entry->valid) {
	313	entry->valid = 0;
	314	rcu_assign_pointer(netlbl_domhsh_def, NULL);
	315	} else
	316	ret_val = -ENOENT;
	317	spin_unlock(&netlbl_domhsh_def_lock);
	318	}
	319	if (ret_val == 0)
	320	call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
	321
	322	remove_return:
	323	rcu_read_unlock();
	324	return ret_val;
	325	}
	326
	327	/**
	328	* netlbl_domhsh_remove_default - Removes the default entry from the table
	329	*
	330	* Description:
	331	* Removes/resets the default entry for the domain hash table and handles any
	332	* updates to the lower level protocol handler (i.e. CIPSO). Returns zero on
	333	* success, non-zero on failure.
	334	*
	335	*/
	336	int netlbl_domhsh_remove_default(void)
	337	{
	338	return netlbl_domhsh_remove(NULL);
	339	}
	340
	341	/**
	342	* netlbl_domhsh_getentry - Get an entry from the domain hash table
	343	* @domain: the domain name to search for
	344	*
	345	* Description:
	346	* Look through the domain hash table searching for an entry to match @domain,
	347	* return a pointer to a copy of the entry or NULL. The caller is responsibile
	348	* for ensuring that rcu_read_[un]lock() is called.
	349	*
	350	*/
	351	struct netlbl_dom_map netlbl_domhsh_getentry(const char domain)
	352	{
	353	return netlbl_domhsh_search(domain, 1);
	354	}
	355
	356	/**
	357	* netlbl_domhsh_dump - Dump the domain hash table into a sk_buff
	358	*
	359	* Description:
	360	* Dump the domain hash table into a buffer suitable for returning to an
	361	* application in response to a NetLabel management DOMAIN message. This
	362	* function may fail if another process is growing the hash table at the same
	363	* time. The returned sk_buff has room at the front of the sk_buff for
	364	* @headroom bytes. See netlabel.h for the DOMAIN message format. Returns a
	365	* pointer to a sk_buff on success, NULL on error.
	366	*
	367	*/
	368	struct sk_buff *netlbl_domhsh_dump(size_t headroom)
	369	{
	370	struct sk_buff *skb = NULL;
	371	ssize_t buf_len;
	372	u32 bkt_iter;
	373	u32 dom_cnt = 0;
	374	struct netlbl_domhsh_tbl *hsh_tbl;
	375	struct netlbl_dom_map *list_iter;
	376	ssize_t tmp_len;
	377
	378	buf_len = NETLBL_LEN_U32;
	379	rcu_read_lock();
	380	hsh_tbl = rcu_dereference(netlbl_domhsh);
	381	for (bkt_iter = 0; bkt_iter < hsh_tbl->size; bkt_iter++)
	382	list_for_each_entry_rcu(list_iter,
	383	&hsh_tbl->tbl[bkt_iter], list) {
	384	buf_len += NETLBL_LEN_U32 +
	385	nla_total_size(strlen(list_iter->domain) + 1);
	386	switch (list_iter->type) {
	387	case NETLBL_NLTYPE_UNLABELED:
	388	break;
	389	case NETLBL_NLTYPE_CIPSOV4:
	390	buf_len += 2 * NETLBL_LEN_U32;
	391	break;
	392	}
	393	dom_cnt++;
	394	}
	395
	396	skb = netlbl_netlink_alloc_skb(headroom, buf_len, GFP_ATOMIC);
	397	if (skb == NULL)
	398	goto dump_failure;
	399
	400	if (nla_put_u32(skb, NLA_U32, dom_cnt) != 0)
	401	goto dump_failure;
	402	buf_len -= NETLBL_LEN_U32;
	403	hsh_tbl = rcu_dereference(netlbl_domhsh);
	404	for (bkt_iter = 0; bkt_iter < hsh_tbl->size; bkt_iter++)
	405	list_for_each_entry_rcu(list_iter,
	406	&hsh_tbl->tbl[bkt_iter], list) {
	407	tmp_len = nla_total_size(strlen(list_iter->domain) +
	408	1);
	409	if (buf_len < NETLBL_LEN_U32 + tmp_len)
	410	goto dump_failure;
	411	if (nla_put_string(skb,
	412	NLA_STRING,
	413	list_iter->domain) != 0)
	414	goto dump_failure;
	415	if (nla_put_u32(skb, NLA_U32, list_iter->type) != 0)
	416	goto dump_failure;
	417	buf_len -= NETLBL_LEN_U32 + tmp_len;
	418	switch (list_iter->type) {
	419	case NETLBL_NLTYPE_UNLABELED:
	420	break;
	421	case NETLBL_NLTYPE_CIPSOV4:
	422	if (buf_len < 2 * NETLBL_LEN_U32)
	423	goto dump_failure;
	424	if (nla_put_u32(skb,
	425	NLA_U32,
	426	list_iter->type_def.cipsov4->type) != 0)
	427	goto dump_failure;
	428	if (nla_put_u32(skb,
	429	NLA_U32,
	430	list_iter->type_def.cipsov4->doi) != 0)
	431	goto dump_failure;
	432	buf_len -= 2 * NETLBL_LEN_U32;
	433	break;
	434	}
	435	}
	436	rcu_read_unlock();
	437
	438	return skb;
	439
	440	dump_failure:
	441	rcu_read_unlock();
	442	kfree_skb(skb);
	443	return NULL;
	444	}
	445
	446	/**
	447	* netlbl_domhsh_dump_default - Dump the default domain mapping into a sk_buff
	448	*
	449	* Description:
	450	* Dump the default domain mapping into a buffer suitable for returning to an
	451	* application in response to a NetLabel management DEFDOMAIN message. This
	452	* function may fail if another process is changing the default domain mapping
	453	* at the same time. The returned sk_buff has room at the front of the
	454	* skb_buff for @headroom bytes. See netlabel.h for the DEFDOMAIN message
	455	* format. Returns a pointer to a sk_buff on success, NULL on error.
	456	*
	457	*/
	458	struct sk_buff *netlbl_domhsh_dump_default(size_t headroom)
	459	{
	460	struct sk_buff *skb;
	461	ssize_t buf_len;
	462	struct netlbl_dom_map *entry;
	463
	464	buf_len = NETLBL_LEN_U32;
	465	rcu_read_lock();
	466	entry = rcu_dereference(netlbl_domhsh_def);
	467	if (entry != NULL)
	468	switch (entry->type) {
	469	case NETLBL_NLTYPE_UNLABELED:
	470	break;
	471	case NETLBL_NLTYPE_CIPSOV4:
	472	buf_len += 2 * NETLBL_LEN_U32;
	473	break;
	474	}
	475
	476	skb = netlbl_netlink_alloc_skb(headroom, buf_len, GFP_ATOMIC);
	477	if (skb == NULL)
	478	goto dump_default_failure;
	479
	480	if (entry != rcu_dereference(netlbl_domhsh_def))
	481	goto dump_default_failure;
	482	if (entry != NULL) {
	483	if (nla_put_u32(skb, NLA_U32, entry->type) != 0)
	484	goto dump_default_failure;
	485	buf_len -= NETLBL_LEN_U32;
	486	switch (entry->type) {
	487	case NETLBL_NLTYPE_UNLABELED:
	488	break;
	489	case NETLBL_NLTYPE_CIPSOV4:
	490	if (buf_len < 2 * NETLBL_LEN_U32)
	491	goto dump_default_failure;
	492	if (nla_put_u32(skb,
	493	NLA_U32,
	494	entry->type_def.cipsov4->type) != 0)
	495	goto dump_default_failure;
	496	if (nla_put_u32(skb,
	497	NLA_U32,
	498	entry->type_def.cipsov4->doi) != 0)
	499	goto dump_default_failure;
	500	buf_len -= 2 * NETLBL_LEN_U32;
	501	break;
	502	}
	503	} else
	504	nla_put_u32(skb, NLA_U32, NETLBL_NLTYPE_NONE);
	505	rcu_read_unlock();
	506
	507	return skb;
	508
	509	dump_default_failure:
	510	rcu_read_unlock();
	511	kfree_skb(skb);
	512	return NULL;
	513	}