diff options
author | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-04-27 13:47:29 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-04-27 13:47:29 -0400 |
commit | a205752d1ad2d37d6597aaae5a56fc396a770868 (patch) | |
tree | 1def76b02da90b98cefd66c4ba3904697963c358 /net/ipv4/cipso_ipv4.c | |
parent | 39bc89fd4019b164002adaacef92c4140e37955a (diff) | |
parent | e900a7d90ae1486ac95c10e0b7337fc2c2eda529 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
selinux: preserve boolean values across policy reloads
selinux: change numbering of boolean directory inodes in selinuxfs
selinux: remove unused enumeration constant from selinuxfs
selinux: explicitly number all selinuxfs inodes
selinux: export initial SID contexts via selinuxfs
selinux: remove userland security class and permission definitions
SELinux: move security_skb_extlbl_sid() out of the security server
MAINTAINERS: update selinux entry
SELinux: rename selinux_netlabel.h to netlabel.h
SELinux: extract the NetLabel SELinux support from the security server
NetLabel: convert a BUG_ON in the CIPSO code to a runtime check
NetLabel: cleanup and document CIPSO constants
Diffstat (limited to 'net/ipv4/cipso_ipv4.c')
-rw-r--r-- | net/ipv4/cipso_ipv4.c | 41 |
1 files changed, 32 insertions, 9 deletions
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 11a3404d65af..e1f18489db1d 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c | |||
@@ -92,6 +92,33 @@ int cipso_v4_rbm_optfmt = 0; | |||
92 | int cipso_v4_rbm_strictvalid = 1; | 92 | int cipso_v4_rbm_strictvalid = 1; |
93 | 93 | ||
94 | /* | 94 | /* |
95 | * Protocol Constants | ||
96 | */ | ||
97 | |||
98 | /* Maximum size of the CIPSO IP option, derived from the fact that the maximum | ||
99 | * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */ | ||
100 | #define CIPSO_V4_OPT_LEN_MAX 40 | ||
101 | |||
102 | /* Length of the base CIPSO option, this includes the option type (1 byte), the | ||
103 | * option length (1 byte), and the DOI (4 bytes). */ | ||
104 | #define CIPSO_V4_HDR_LEN 6 | ||
105 | |||
106 | /* Base length of the restrictive category bitmap tag (tag #1). */ | ||
107 | #define CIPSO_V4_TAG_RBM_BLEN 4 | ||
108 | |||
109 | /* Base length of the enumerated category tag (tag #2). */ | ||
110 | #define CIPSO_V4_TAG_ENUM_BLEN 4 | ||
111 | |||
112 | /* Base length of the ranged categories bitmap tag (tag #5). */ | ||
113 | #define CIPSO_V4_TAG_RNG_BLEN 4 | ||
114 | /* The maximum number of category ranges permitted in the ranged category tag | ||
115 | * (tag #5). You may note that the IETF draft states that the maximum number | ||
116 | * of category ranges is 7, but if the low end of the last category range is | ||
117 | * zero then it is possibile to fit 8 category ranges because the zero should | ||
118 | * be omitted. */ | ||
119 | #define CIPSO_V4_TAG_RNG_CAT_MAX 8 | ||
120 | |||
121 | /* | ||
95 | * Helper Functions | 122 | * Helper Functions |
96 | */ | 123 | */ |
97 | 124 | ||
@@ -1109,16 +1136,15 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def, | |||
1109 | unsigned char *net_cat, | 1136 | unsigned char *net_cat, |
1110 | u32 net_cat_len) | 1137 | u32 net_cat_len) |
1111 | { | 1138 | { |
1112 | /* The constant '16' is not random, it is the maximum number of | ||
1113 | * high/low category range pairs as permitted by the CIPSO draft based | ||
1114 | * on a maximum IPv4 header length of 60 bytes - the BUG_ON() assertion | ||
1115 | * does a sanity check to make sure we don't overflow the array. */ | ||
1116 | int iter = -1; | 1139 | int iter = -1; |
1117 | u16 array[16]; | 1140 | u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2]; |
1118 | u32 array_cnt = 0; | 1141 | u32 array_cnt = 0; |
1119 | u32 cat_size = 0; | 1142 | u32 cat_size = 0; |
1120 | 1143 | ||
1121 | BUG_ON(net_cat_len > 30); | 1144 | /* make sure we don't overflow the 'array[]' variable */ |
1145 | if (net_cat_len > | ||
1146 | (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN)) | ||
1147 | return -ENOSPC; | ||
1122 | 1148 | ||
1123 | for (;;) { | 1149 | for (;;) { |
1124 | iter = netlbl_secattr_catmap_walk(secattr->mls_cat, iter + 1); | 1150 | iter = netlbl_secattr_catmap_walk(secattr->mls_cat, iter + 1); |
@@ -1196,9 +1222,6 @@ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def, | |||
1196 | * Protocol Handling Functions | 1222 | * Protocol Handling Functions |
1197 | */ | 1223 | */ |
1198 | 1224 | ||
1199 | #define CIPSO_V4_OPT_LEN_MAX 40 | ||
1200 | #define CIPSO_V4_HDR_LEN 6 | ||
1201 | |||
1202 | /** | 1225 | /** |
1203 | * cipso_v4_gentag_hdr - Generate a CIPSO option header | 1226 | * cipso_v4_gentag_hdr - Generate a CIPSO option header |
1204 | * @doi_def: the DOI definition | 1227 | * @doi_def: the DOI definition |