NetLabel: make netlbl_lsm_secattr struct easier/quicker to understand

The existing netlbl_lsm_secattr struct required the LSM to check all of the fields to determine if any security attributes were present resulting in a lot of work in the common case of no attributes. This patch adds a 'flags' field which is used to indicate which attributes are present in the structure; this should allow the LSM to do a quick comparison to determine if the structure holds any security attributes. Example: if (netlbl_lsm_secattr->flags) /* security attributes present */ else /* NO security attributes present */ Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2006-11-17 17:38:46 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-12-03 00:24:07 -0500
commit: 701a90bad99b8081a824cca52c178c8fc8f46bb2 (patch)
tree: 5fed88e6707e9122d7f16e4c5d8fea7c69e090ac /net/ipv4/cipso_ipv4.c
parent: c6fa82a9dd6160e0bc980cb0401c16bf62f2fe66 (diff)
1 files changed, 14 insertions, 8 deletions
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 095038ad72a4..f0a0785047fe 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -319,6 +319,7 @@ static int cipso_v4_cache_check(const unsigned char *key,
                        entry->activity += 1;
                        atomic_inc(&entry->lsm_data->refcount);
                        secattr->cache = entry->lsm_data;
+                        secattr->flags |= NETLBL_SECATTR_CACHE;
                        if (prev_entry == NULL) {
                                spin_unlock_bh(&cipso_v4_cache[bkt].lock);
                                return 0;
@@ -991,12 +992,15 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
                               unsigned char **buffer,
                               u32 *buffer_len)
 {
-        int ret_val = -EPERM;
+        int ret_val;
        unsigned char *buf = NULL;
        u32 buf_len;
        u32 level;
-        if (secattr->mls_cat) {
+        if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
+                return -EPERM;
+        if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
                buf = kzalloc(CIPSO_V4_HDR_LEN + 4 + CIPSO_V4_TAG1_CAT_LEN,
                              GFP_ATOMIC);
                if (buf == NULL)
@@ -1013,10 +1017,10 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
                /* This will send packets using the "optimized" format when
                 * possibile as specified in  section 3.4.2.6 of the
                 * CIPSO draft. */
-                if (cipso_v4_rbm_optfmt && (ret_val > 0 && ret_val < 10))
+                if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10)
-                        ret_val = 10;
+                        buf_len = 14;
+                else
-                buf_len = 4 + ret_val;
+                        buf_len = 4 + ret_val;
        } else {
                buf = kzalloc(CIPSO_V4_HDR_LEN + 4, GFP_ATOMIC);
                if (buf == NULL)
@@ -1070,7 +1074,7 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
        if (ret_val != 0)
                return ret_val;
        secattr->mls_lvl = level;
-        secattr->mls_lvl_vld = 1;
+        secattr->flags |= NETLBL_SECATTR_MLS_LVL;
        if (tag_len > 4) {
                switch (doi_def->type) {
@@ -1094,8 +1098,10 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
                if (ret_val < 0) {
                        kfree(secattr->mls_cat);
                        return ret_val;
+                } else if (ret_val > 0) {
+                        secattr->mls_cat_len = ret_val;
+                        secattr->flags |= NETLBL_SECATTR_MLS_CAT;
                }
-                secattr->mls_cat_len = ret_val;
        }
        return 0;
author	Paul Moore <paul.moore@hp.com>	2006-11-17 17:38:46 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-12-03 00:24:07 -0500
commit	701a90bad99b8081a824cca52c178c8fc8f46bb2 (patch)
tree	5fed88e6707e9122d7f16e4c5d8fea7c69e090ac /net/ipv4/cipso_ipv4.c
parent	c6fa82a9dd6160e0bc980cb0401c16bf62f2fe66 (diff)

diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 095038ad72a4..f0a0785047fe 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c
@@ -319,6 +319,7 @@ static int cipso_v4_cache_check(const unsigned char *key,
319	entry->activity += 1;	319	entry->activity += 1;
320	atomic_inc(&entry->lsm_data->refcount);	320	atomic_inc(&entry->lsm_data->refcount);
321	secattr->cache = entry->lsm_data;	321	secattr->cache = entry->lsm_data;
		322	secattr->flags \|= NETLBL_SECATTR_CACHE;
322	if (prev_entry == NULL) {	323	if (prev_entry == NULL) {
323	spin_unlock_bh(&cipso_v4_cache[bkt].lock);	324	spin_unlock_bh(&cipso_v4_cache[bkt].lock);
324	return 0;	325	return 0;
@@ -991,12 +992,15 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
991	unsigned char **buffer,	992	unsigned char **buffer,
992	u32 *buffer_len)	993	u32 *buffer_len)
993	{	994	{
994	int ret_val = -EPERM;	995	int ret_val;
995	unsigned char *buf = NULL;	996	unsigned char *buf = NULL;
996	u32 buf_len;	997	u32 buf_len;
997	u32 level;	998	u32 level;
998		999
999	if (secattr->mls_cat) {	1000	if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
		1001	return -EPERM;
		1002
		1003	if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
1000	buf = kzalloc(CIPSO_V4_HDR_LEN + 4 + CIPSO_V4_TAG1_CAT_LEN,	1004	buf = kzalloc(CIPSO_V4_HDR_LEN + 4 + CIPSO_V4_TAG1_CAT_LEN,
1001	GFP_ATOMIC);	1005	GFP_ATOMIC);
1002	if (buf == NULL)	1006	if (buf == NULL)
@@ -1013,10 +1017,10 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
1013	/* This will send packets using the "optimized" format when	1017	/* This will send packets using the "optimized" format when
1014	* possibile as specified in section 3.4.2.6 of the	1018	* possibile as specified in section 3.4.2.6 of the
1015	* CIPSO draft. */	1019	* CIPSO draft. */
1016	if (cipso_v4_rbm_optfmt && (ret_val > 0 && ret_val < 10))	1020	if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10)
1017	ret_val = 10;	1021	buf_len = 14;
1018		1022	else
1019	buf_len = 4 + ret_val;	1023	buf_len = 4 + ret_val;
1020	} else {	1024	} else {
1021	buf = kzalloc(CIPSO_V4_HDR_LEN + 4, GFP_ATOMIC);	1025	buf = kzalloc(CIPSO_V4_HDR_LEN + 4, GFP_ATOMIC);
1022	if (buf == NULL)	1026	if (buf == NULL)
@@ -1070,7 +1074,7 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
1070	if (ret_val != 0)	1074	if (ret_val != 0)
1071	return ret_val;	1075	return ret_val;
1072	secattr->mls_lvl = level;	1076	secattr->mls_lvl = level;
1073	secattr->mls_lvl_vld = 1;	1077	secattr->flags \|= NETLBL_SECATTR_MLS_LVL;
1074		1078
1075	if (tag_len > 4) {	1079	if (tag_len > 4) {
1076	switch (doi_def->type) {	1080	switch (doi_def->type) {
@@ -1094,8 +1098,10 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
1094	if (ret_val < 0) {	1098	if (ret_val < 0) {
1095	kfree(secattr->mls_cat);	1099	kfree(secattr->mls_cat);
1096	return ret_val;	1100	return ret_val;
		1101	} else if (ret_val > 0) {
		1102	secattr->mls_cat_len = ret_val;
		1103	secattr->flags \|= NETLBL_SECATTR_MLS_CAT;
1097	}	1104	}
1098	secattr->mls_cat_len = ret_val;
1099	}	1105	}
1100		1106
1101	return 0;	1107	return 0;