netlabel: Add network address selectors to the NetLabel/LSM domain mapping

This patch extends the NetLabel traffic labeling capabilities to individual packets based not only on the LSM domain but the by the destination address as well. The changes here only affect the core NetLabel infrastructre, changes to the NetLabel KAPI and individial protocol engines are also required but are split out into a different patch to ease review. Signed-off-by: Paul Moore <paul.moore@hp.com> Reviewed-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2008-10-10 10:16:32 -0400
committer: Paul Moore <paul.moore@hp.com> 2008-10-10 10:16:32 -0400
commit: 63c41688743760631188cf0f4ae986a6793ccb0a (patch)
tree: b270091d7b763e8b6c5073d4ca618f0d36065188 /net/netlabel/netlabel_domainhash.c
parent: 61e1068219950c672ce979719ad2be3aadb00d7d (diff)
1 files changed, 253 insertions, 37 deletions
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
index 0243f0c57b41..5fadf10e5ddf 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -11,7 +11,7 @@
 */
 /*
- * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
 *
 * This program is free software;  you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -40,6 +40,7 @@
 #include <asm/bug.h>
 #include "netlabel_mgmt.h"
+#include "netlabel_addrlist.h"
 #include "netlabel_domainhash.h"
 #include "netlabel_user.h"
@@ -72,8 +73,28 @@ static struct netlbl_dom_map *netlbl_domhsh_def = NULL;
 static void netlbl_domhsh_free_entry(struct rcu_head *entry)
 {
        struct netlbl_dom_map *ptr;
+        struct netlbl_af4list *iter4;
+        struct netlbl_af4list *tmp4;
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+        struct netlbl_af6list *iter6;
+        struct netlbl_af6list *tmp6;
+#endif /* IPv6 */
        ptr = container_of(entry, struct netlbl_dom_map, rcu);
+        if (ptr->type == NETLBL_NLTYPE_ADDRSELECT) {
+                netlbl_af4list_foreach_safe(iter4, tmp4,
+                                            &ptr->type_def.addrsel->list4) {
+                        netlbl_af4list_remove_entry(iter4);
+                        kfree(netlbl_domhsh_addr4_entry(iter4));
+                }
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+                netlbl_af6list_foreach_safe(iter6, tmp6,
+                                            &ptr->type_def.addrsel->list6) {
+                        netlbl_af6list_remove_entry(iter6);
+                        kfree(netlbl_domhsh_addr6_entry(iter6));
+                }
+#endif /* IPv6 */
+        }
        kfree(ptr->domain);
        kfree(ptr);
 }
@@ -156,6 +177,69 @@ static struct netlbl_dom_map *netlbl_domhsh_search_def(const char *domain)
        return entry;
 }
+/**
+ * netlbl_domhsh_audit_add - Generate an audit entry for an add event
+ * @entry: the entry being added
+ * @addr4: the IPv4 address information
+ * @addr6: the IPv6 address information
+ * @result: the result code
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Generate an audit record for adding a new NetLabel/LSM mapping entry with
+ * the given information.  Caller is responsibile for holding the necessary
+ * locks.
+ *
+ */
+static void netlbl_domhsh_audit_add(struct netlbl_dom_map *entry,
+                                    struct netlbl_af4list *addr4,
+                                    struct netlbl_af6list *addr6,
+                                    int result,
+                                    struct netlbl_audit *audit_info)
+{
+        struct audit_buffer *audit_buf;
+        struct cipso_v4_doi *cipsov4 = NULL;
+        u32 type;
+        audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info);
+        if (audit_buf != NULL) {
+                audit_log_format(audit_buf, " nlbl_domain=%s",
+                                 entry->domain ? entry->domain : "(default)");
+                if (addr4 != NULL) {
+                        struct netlbl_domaddr4_map *map4;
+                        map4 = netlbl_domhsh_addr4_entry(addr4);
+                        type = map4->type;
+                        cipsov4 = map4->type_def.cipsov4;
+                        netlbl_af4list_audit_addr(audit_buf, 0, NULL,
+                                                  addr4->addr, addr4->mask);
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+                } else if (addr6 != NULL) {
+                        struct netlbl_domaddr6_map *map6;
+                        map6 = netlbl_domhsh_addr6_entry(addr6);
+                        type = map6->type;
+                        netlbl_af6list_audit_addr(audit_buf, 0, NULL,
+                                                  &addr6->addr, &addr6->mask);
+#endif /* IPv6 */
+                } else {
+                        type = entry->type;
+                        cipsov4 = entry->type_def.cipsov4;
+                }
+                switch (type) {
+                case NETLBL_NLTYPE_UNLABELED:
+                        audit_log_format(audit_buf, " nlbl_protocol=unlbl");
+                        break;
+                case NETLBL_NLTYPE_CIPSOV4:
+                        BUG_ON(cipsov4 == NULL);
+                        audit_log_format(audit_buf,
+                                         " nlbl_protocol=cipsov4 cipso_doi=%u",
+                                         cipsov4->doi);
+                        break;
+                }
+                audit_log_format(audit_buf, " res=%u", result == 0 ? 1 : 0);
+                audit_log_end(audit_buf);
+        }
+}
 /*
 * Domain Hash Table Functions
 */
@@ -213,50 +297,106 @@ int __init netlbl_domhsh_init(u32 size)
 int netlbl_domhsh_add(struct netlbl_dom_map *entry,
                      struct netlbl_audit *audit_info)
 {
-        int ret_val;
+        int ret_val = 0;
-        u32 bkt;
+        struct netlbl_dom_map *entry_old;
-        struct audit_buffer *audit_buf;
+        struct netlbl_af4list *iter4;
+        struct netlbl_af4list *tmp4;
-        entry->valid = 1;
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-        INIT_RCU_HEAD(&entry->rcu);
+        struct netlbl_af6list *iter6;
+        struct netlbl_af6list *tmp6;
+#endif /* IPv6 */
        rcu_read_lock();
        spin_lock(&netlbl_domhsh_lock);
-        if (entry->domain != NULL) {
+        if (entry->domain != NULL)
-                bkt = netlbl_domhsh_hash(entry->domain);
+                entry_old = netlbl_domhsh_search(entry->domain);
-                if (netlbl_domhsh_search(entry->domain) == NULL)
+        else
+                entry_old = netlbl_domhsh_search_def(entry->domain);
+        if (entry_old == NULL) {
+                entry->valid = 1;
+                INIT_RCU_HEAD(&entry->rcu);
+                if (entry->domain != NULL) {
+                        u32 bkt = netlbl_domhsh_hash(entry->domain);
                        list_add_tail_rcu(&entry->list,
                                    &rcu_dereference(netlbl_domhsh)->tbl[bkt]);
-                else
+                } else {
-                        ret_val = -EEXIST;
+                        INIT_LIST_HEAD(&entry->list);
-        } else {
-                INIT_LIST_HEAD(&entry->list);
-                if (rcu_dereference(netlbl_domhsh_def) == NULL)
                        rcu_assign_pointer(netlbl_domhsh_def, entry);
-                else
-                        ret_val = -EEXIST;
-        }
-        spin_unlock(&netlbl_domhsh_lock);
-        audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info);
-        if (audit_buf != NULL) {
-                audit_log_format(audit_buf,
-                                 " nlbl_domain=%s",
-                                 entry->domain ? entry->domain : "(default)");
-                switch (entry->type) {
-                case NETLBL_NLTYPE_UNLABELED:
-                        audit_log_format(audit_buf, " nlbl_protocol=unlbl");
-                        break;
-                case NETLBL_NLTYPE_CIPSOV4:
-                        audit_log_format(audit_buf,
-                                         " nlbl_protocol=cipsov4 cipso_doi=%u",
-                                         entry->type_def.cipsov4->doi);
-                        break;
                }
-                audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
-                audit_log_end(audit_buf);
-        }
-        rcu_read_unlock();
+                if (entry->type == NETLBL_NLTYPE_ADDRSELECT) {
+                        netlbl_af4list_foreach_rcu(iter4,
+                                               &entry->type_def.addrsel->list4)
+                                netlbl_domhsh_audit_add(entry, iter4, NULL,
+                                                        ret_val, audit_info);
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+                        netlbl_af6list_foreach_rcu(iter6,
+                                               &entry->type_def.addrsel->list6)
+                                netlbl_domhsh_audit_add(entry, NULL, iter6,
+                                                        ret_val, audit_info);
+#endif /* IPv6 */
+                } else
+                        netlbl_domhsh_audit_add(entry, NULL, NULL,
+                                                ret_val, audit_info);
+        } else if (entry_old->type == NETLBL_NLTYPE_ADDRSELECT &&
+                   entry->type == NETLBL_NLTYPE_ADDRSELECT) {
+                struct list_head *old_list4;
+                struct list_head *old_list6;
+                old_list4 = &entry_old->type_def.addrsel->list4;
+                old_list6 = &entry_old->type_def.addrsel->list6;
+                /* we only allow the addition of address selectors if all of
+                 * the selectors do not exist in the existing domain map */
+                netlbl_af4list_foreach_rcu(iter4,
+                                           &entry->type_def.addrsel->list4)
+                        if (netlbl_af4list_search_exact(iter4->addr,
+                                                        iter4->mask,
+                                                        old_list4)) {
+                                ret_val = -EEXIST;
+                                goto add_return;
+                        }
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+                netlbl_af6list_foreach_rcu(iter6,
+                                           &entry->type_def.addrsel->list6)
+                        if (netlbl_af6list_search_exact(&iter6->addr,
+                                                        &iter6->mask,
+                                                        old_list6)) {
+                                ret_val = -EEXIST;
+                                goto add_return;
+                        }
+#endif /* IPv6 */
+                netlbl_af4list_foreach_safe(iter4, tmp4,
+                                            &entry->type_def.addrsel->list4) {
+                        netlbl_af4list_remove_entry(iter4);
+                        iter4->valid = 1;
+                        ret_val = netlbl_af4list_add(iter4, old_list4);
+                        netlbl_domhsh_audit_add(entry_old, iter4, NULL,
+                                                ret_val, audit_info);
+                        if (ret_val != 0)
+                                goto add_return;
+                }
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+                netlbl_af6list_foreach_safe(iter6, tmp6,
+                                            &entry->type_def.addrsel->list6) {
+                        netlbl_af6list_remove_entry(iter6);
+                        iter6->valid = 1;
+                        ret_val = netlbl_af6list_add(iter6, old_list6);
+                        netlbl_domhsh_audit_add(entry_old, NULL, iter6,
+                                                ret_val, audit_info);
+                        if (ret_val != 0)
+                                goto add_return;
+                }
+#endif /* IPv6 */
+        } else
+                ret_val = -EINVAL;
+add_return:
+        spin_unlock(&netlbl_domhsh_lock);
+        rcu_read_unlock();
        return ret_val;
 }
@@ -319,7 +459,19 @@ int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry,
        }
        if (ret_val == 0) {
+                struct netlbl_af4list *iter4;
+                struct netlbl_domaddr4_map *map4;
                switch (entry->type) {
+                case NETLBL_NLTYPE_ADDRSELECT:
+                        netlbl_af4list_foreach_rcu(iter4,
+                                             &entry->type_def.addrsel->list4) {
+                                map4 = netlbl_domhsh_addr4_entry(iter4);
+                                cipso_v4_doi_putdef(map4->type_def.cipsov4);
+                        }
+                        /* no need to check the IPv6 list since we currently
+                         * support only unlabeled protocols for IPv6 */
+                        break;
                case NETLBL_NLTYPE_CIPSOV4:
                        cipso_v4_doi_putdef(entry->type_def.cipsov4);
                        break;
@@ -388,6 +540,70 @@ struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain)
 }
 /**
+ * netlbl_domhsh_getentry_af4 - Get an entry from the domain hash table
+ * @domain: the domain name to search for
+ * @addr: the IP address to search for
+ *
+ * Description:
+ * Look through the domain hash table searching for an entry to match @domain
+ * and @addr, return a pointer to a copy of the entry or NULL.  The caller is
+ * responsible for ensuring that rcu_read_[un]lock() is called.
+ *
+ */
+struct netlbl_domaddr4_map *netlbl_domhsh_getentry_af4(const char *domain,
+                                                       __be32 addr)
+{
+        struct netlbl_dom_map *dom_iter;
+        struct netlbl_af4list *addr_iter;
+        dom_iter = netlbl_domhsh_search_def(domain);
+        if (dom_iter == NULL)
+                return NULL;
+        if (dom_iter->type != NETLBL_NLTYPE_ADDRSELECT)
+                return NULL;
+        addr_iter = netlbl_af4list_search(addr,
+                                          &dom_iter->type_def.addrsel->list4);
+        if (addr_iter == NULL)
+                return NULL;
+        return netlbl_domhsh_addr4_entry(addr_iter);
+}
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+/**
+ * netlbl_domhsh_getentry_af6 - Get an entry from the domain hash table
+ * @domain: the domain name to search for
+ * @addr: the IP address to search for
+ *
+ * Description:
+ * Look through the domain hash table searching for an entry to match @domain
+ * and @addr, return a pointer to a copy of the entry or NULL.  The caller is
+ * responsible for ensuring that rcu_read_[un]lock() is called.
+ *
+ */
+struct netlbl_domaddr6_map *netlbl_domhsh_getentry_af6(const char *domain,
+                                                   const struct in6_addr *addr)
+{
+        struct netlbl_dom_map *dom_iter;
+        struct netlbl_af6list *addr_iter;
+        dom_iter = netlbl_domhsh_search_def(domain);
+        if (dom_iter == NULL)
+                return NULL;
+        if (dom_iter->type != NETLBL_NLTYPE_ADDRSELECT)
+                return NULL;
+        addr_iter = netlbl_af6list_search(addr,
+                                          &dom_iter->type_def.addrsel->list6);
+        if (addr_iter == NULL)
+                return NULL;
+        return netlbl_domhsh_addr6_entry(addr_iter);
+}
+#endif /* IPv6 */
+/**
 * netlbl_domhsh_walk - Iterate through the domain mapping hash table
 * @skip_bkt: the number of buckets to skip at the start
 * @skip_chain: the number of entries to skip in the first iterated bucket
author	Paul Moore <paul.moore@hp.com>	2008-10-10 10:16:32 -0400
committer	Paul Moore <paul.moore@hp.com>	2008-10-10 10:16:32 -0400
commit	63c41688743760631188cf0f4ae986a6793ccb0a (patch)
tree	b270091d7b763e8b6c5073d4ca618f0d36065188 /net/netlabel/netlabel_domainhash.c
parent	61e1068219950c672ce979719ad2be3aadb00d7d (diff)

diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c index 0243f0c57b41..5fadf10e5ddf 100644 --- a/net/netlabel/netlabel_domainhash.c +++ b/net/netlabel/netlabel_domainhash.c
@@ -11,7 +11,7 @@
11	*/	11	*/
12		12
13	/*	13	/*
14	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006	14	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
15	*	15	*
16	* This program is free software; you can redistribute it and/or modify	16	* This program is free software; you can redistribute it and/or modify
17	* it under the terms of the GNU General Public License as published by	17	* it under the terms of the GNU General Public License as published by
@@ -40,6 +40,7 @@
40	#include <asm/bug.h>	40	#include <asm/bug.h>
41		41
42	#include "netlabel_mgmt.h"	42	#include "netlabel_mgmt.h"
		43	#include "netlabel_addrlist.h"
43	#include "netlabel_domainhash.h"	44	#include "netlabel_domainhash.h"
44	#include "netlabel_user.h"	45	#include "netlabel_user.h"
45		46
@@ -72,8 +73,28 @@ static struct netlbl_dom_map *netlbl_domhsh_def = NULL;
72	static void netlbl_domhsh_free_entry(struct rcu_head *entry)	73	static void netlbl_domhsh_free_entry(struct rcu_head *entry)
73	{	74	{
74	struct netlbl_dom_map *ptr;	75	struct netlbl_dom_map *ptr;
		76	struct netlbl_af4list *iter4;
		77	struct netlbl_af4list *tmp4;
		78	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
		79	struct netlbl_af6list *iter6;
		80	struct netlbl_af6list *tmp6;
		81	#endif /* IPv6 */
75		82
76	ptr = container_of(entry, struct netlbl_dom_map, rcu);	83	ptr = container_of(entry, struct netlbl_dom_map, rcu);
		84	if (ptr->type == NETLBL_NLTYPE_ADDRSELECT) {
		85	netlbl_af4list_foreach_safe(iter4, tmp4,
		86	&ptr->type_def.addrsel->list4) {
		87	netlbl_af4list_remove_entry(iter4);
		88	kfree(netlbl_domhsh_addr4_entry(iter4));
		89	}
		90	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
		91	netlbl_af6list_foreach_safe(iter6, tmp6,
		92	&ptr->type_def.addrsel->list6) {
		93	netlbl_af6list_remove_entry(iter6);
		94	kfree(netlbl_domhsh_addr6_entry(iter6));
		95	}
		96	#endif /* IPv6 */
		97	}
77	kfree(ptr->domain);	98	kfree(ptr->domain);
78	kfree(ptr);	99	kfree(ptr);
79	}	100	}
@@ -156,6 +177,69 @@ static struct netlbl_dom_map netlbl_domhsh_search_def(const char domain)
156	return entry;	177	return entry;
157	}	178	}
158		179
		180	/**
		181	* netlbl_domhsh_audit_add - Generate an audit entry for an add event
		182	* @entry: the entry being added
		183	* @addr4: the IPv4 address information
		184	* @addr6: the IPv6 address information
		185	* @result: the result code
		186	* @audit_info: NetLabel audit information
		187	*
		188	* Description:
		189	* Generate an audit record for adding a new NetLabel/LSM mapping entry with
		190	* the given information. Caller is responsibile for holding the necessary
		191	* locks.
		192	*
		193	*/
		194	static void netlbl_domhsh_audit_add(struct netlbl_dom_map *entry,
		195	struct netlbl_af4list *addr4,
		196	struct netlbl_af6list *addr6,
		197	int result,
		198	struct netlbl_audit *audit_info)
		199	{
		200	struct audit_buffer *audit_buf;
		201	struct cipso_v4_doi *cipsov4 = NULL;
		202	u32 type;
		203
		204	audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info);
		205	if (audit_buf != NULL) {
		206	audit_log_format(audit_buf, " nlbl_domain=%s",
		207	entry->domain ? entry->domain : "(default)");
		208	if (addr4 != NULL) {
		209	struct netlbl_domaddr4_map *map4;
		210	map4 = netlbl_domhsh_addr4_entry(addr4);
		211	type = map4->type;
		212	cipsov4 = map4->type_def.cipsov4;
		213	netlbl_af4list_audit_addr(audit_buf, 0, NULL,
		214	addr4->addr, addr4->mask);
		215	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
		216	} else if (addr6 != NULL) {
		217	struct netlbl_domaddr6_map *map6;
		218	map6 = netlbl_domhsh_addr6_entry(addr6);
		219	type = map6->type;
		220	netlbl_af6list_audit_addr(audit_buf, 0, NULL,
		221	&addr6->addr, &addr6->mask);
		222	#endif /* IPv6 */
		223	} else {
		224	type = entry->type;
		225	cipsov4 = entry->type_def.cipsov4;
		226	}
		227	switch (type) {
		228	case NETLBL_NLTYPE_UNLABELED:
		229	audit_log_format(audit_buf, " nlbl_protocol=unlbl");
		230	break;
		231	case NETLBL_NLTYPE_CIPSOV4:
		232	BUG_ON(cipsov4 == NULL);
		233	audit_log_format(audit_buf,
		234	" nlbl_protocol=cipsov4 cipso_doi=%u",
		235	cipsov4->doi);
		236	break;
		237	}
		238	audit_log_format(audit_buf, " res=%u", result == 0 ? 1 : 0);
		239	audit_log_end(audit_buf);
		240	}
		241	}
		242
159	/*	243	/*
160	* Domain Hash Table Functions	244	* Domain Hash Table Functions
161	*/	245	*/
@@ -213,50 +297,106 @@ int __init netlbl_domhsh_init(u32 size)
213	int netlbl_domhsh_add(struct netlbl_dom_map *entry,	297	int netlbl_domhsh_add(struct netlbl_dom_map *entry,
214	struct netlbl_audit *audit_info)	298	struct netlbl_audit *audit_info)
215	{	299	{
216	int ret_val;	300	int ret_val = 0;
217	u32 bkt;	301	struct netlbl_dom_map *entry_old;
218	struct audit_buffer *audit_buf;	302	struct netlbl_af4list *iter4;
219		303	struct netlbl_af4list *tmp4;
220	entry->valid = 1;	304	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
221	INIT_RCU_HEAD(&entry->rcu);	305	struct netlbl_af6list *iter6;
		306	struct netlbl_af6list *tmp6;
		307	#endif /* IPv6 */
222		308
223	rcu_read_lock();	309	rcu_read_lock();
		310
224	spin_lock(&netlbl_domhsh_lock);	311	spin_lock(&netlbl_domhsh_lock);
225	if (entry->domain != NULL) {	312	if (entry->domain != NULL)
226	bkt = netlbl_domhsh_hash(entry->domain);	313	entry_old = netlbl_domhsh_search(entry->domain);
227	if (netlbl_domhsh_search(entry->domain) == NULL)	314	else
		315	entry_old = netlbl_domhsh_search_def(entry->domain);
		316	if (entry_old == NULL) {
		317	entry->valid = 1;
		318	INIT_RCU_HEAD(&entry->rcu);
		319
		320	if (entry->domain != NULL) {
		321	u32 bkt = netlbl_domhsh_hash(entry->domain);
228	list_add_tail_rcu(&entry->list,	322	list_add_tail_rcu(&entry->list,
229	&rcu_dereference(netlbl_domhsh)->tbl[bkt]);	323	&rcu_dereference(netlbl_domhsh)->tbl[bkt]);
230	else	324	} else {
231	ret_val = -EEXIST;	325	INIT_LIST_HEAD(&entry->list);
232	} else {
233	INIT_LIST_HEAD(&entry->list);
234	if (rcu_dereference(netlbl_domhsh_def) == NULL)
235	rcu_assign_pointer(netlbl_domhsh_def, entry);	326	rcu_assign_pointer(netlbl_domhsh_def, entry);
236	else
237	ret_val = -EEXIST;
238	}
239	spin_unlock(&netlbl_domhsh_lock);
240	audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info);
241	if (audit_buf != NULL) {
242	audit_log_format(audit_buf,
243	" nlbl_domain=%s",
244	entry->domain ? entry->domain : "(default)");
245	switch (entry->type) {
246	case NETLBL_NLTYPE_UNLABELED:
247	audit_log_format(audit_buf, " nlbl_protocol=unlbl");
248	break;
249	case NETLBL_NLTYPE_CIPSOV4:
250	audit_log_format(audit_buf,
251	" nlbl_protocol=cipsov4 cipso_doi=%u",
252	entry->type_def.cipsov4->doi);
253	break;
254	}	327	}
255	audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
256	audit_log_end(audit_buf);
257	}
258	rcu_read_unlock();
259		328
		329	if (entry->type == NETLBL_NLTYPE_ADDRSELECT) {
		330	netlbl_af4list_foreach_rcu(iter4,
		331	&entry->type_def.addrsel->list4)
		332	netlbl_domhsh_audit_add(entry, iter4, NULL,
		333	ret_val, audit_info);
		334	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
		335	netlbl_af6list_foreach_rcu(iter6,
		336	&entry->type_def.addrsel->list6)
		337	netlbl_domhsh_audit_add(entry, NULL, iter6,
		338	ret_val, audit_info);
		339	#endif /* IPv6 */
		340	} else
		341	netlbl_domhsh_audit_add(entry, NULL, NULL,
		342	ret_val, audit_info);
		343	} else if (entry_old->type == NETLBL_NLTYPE_ADDRSELECT &&
		344	entry->type == NETLBL_NLTYPE_ADDRSELECT) {
		345	struct list_head *old_list4;
		346	struct list_head *old_list6;
		347
		348	old_list4 = &entry_old->type_def.addrsel->list4;
		349	old_list6 = &entry_old->type_def.addrsel->list6;
		350
		351	/* we only allow the addition of address selectors if all of
		352	* the selectors do not exist in the existing domain map */
		353	netlbl_af4list_foreach_rcu(iter4,
		354	&entry->type_def.addrsel->list4)
		355	if (netlbl_af4list_search_exact(iter4->addr,
		356	iter4->mask,
		357	old_list4)) {
		358	ret_val = -EEXIST;
		359	goto add_return;
		360	}
		361	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
		362	netlbl_af6list_foreach_rcu(iter6,
		363	&entry->type_def.addrsel->list6)
		364	if (netlbl_af6list_search_exact(&iter6->addr,
		365	&iter6->mask,
		366	old_list6)) {
		367	ret_val = -EEXIST;
		368	goto add_return;
		369	}
		370	#endif /* IPv6 */
		371
		372	netlbl_af4list_foreach_safe(iter4, tmp4,
		373	&entry->type_def.addrsel->list4) {
		374	netlbl_af4list_remove_entry(iter4);
		375	iter4->valid = 1;
		376	ret_val = netlbl_af4list_add(iter4, old_list4);
		377	netlbl_domhsh_audit_add(entry_old, iter4, NULL,
		378	ret_val, audit_info);
		379	if (ret_val != 0)
		380	goto add_return;
		381	}
		382	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
		383	netlbl_af6list_foreach_safe(iter6, tmp6,
		384	&entry->type_def.addrsel->list6) {
		385	netlbl_af6list_remove_entry(iter6);
		386	iter6->valid = 1;
		387	ret_val = netlbl_af6list_add(iter6, old_list6);
		388	netlbl_domhsh_audit_add(entry_old, NULL, iter6,
		389	ret_val, audit_info);
		390	if (ret_val != 0)
		391	goto add_return;
		392	}
		393	#endif /* IPv6 */
		394	} else
		395	ret_val = -EINVAL;
		396
		397	add_return:
		398	spin_unlock(&netlbl_domhsh_lock);
		399	rcu_read_unlock();
260	return ret_val;	400	return ret_val;
261	}	401	}
262		402
@@ -319,7 +459,19 @@ int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry,
319	}	459	}
320		460
321	if (ret_val == 0) {	461	if (ret_val == 0) {
		462	struct netlbl_af4list *iter4;
		463	struct netlbl_domaddr4_map *map4;
		464
322	switch (entry->type) {	465	switch (entry->type) {
		466	case NETLBL_NLTYPE_ADDRSELECT:
		467	netlbl_af4list_foreach_rcu(iter4,
		468	&entry->type_def.addrsel->list4) {
		469	map4 = netlbl_domhsh_addr4_entry(iter4);
		470	cipso_v4_doi_putdef(map4->type_def.cipsov4);
		471	}
		472	/* no need to check the IPv6 list since we currently
		473	* support only unlabeled protocols for IPv6 */
		474	break;
323	case NETLBL_NLTYPE_CIPSOV4:	475	case NETLBL_NLTYPE_CIPSOV4:
324	cipso_v4_doi_putdef(entry->type_def.cipsov4);	476	cipso_v4_doi_putdef(entry->type_def.cipsov4);
325	break;	477	break;
@@ -388,6 +540,70 @@ struct netlbl_dom_map netlbl_domhsh_getentry(const char domain)
388	}	540	}
389		541
390	/**	542	/**
		543	* netlbl_domhsh_getentry_af4 - Get an entry from the domain hash table
		544	* @domain: the domain name to search for
		545	* @addr: the IP address to search for
		546	*
		547	* Description:
		548	* Look through the domain hash table searching for an entry to match @domain
		549	* and @addr, return a pointer to a copy of the entry or NULL. The caller is
		550	* responsible for ensuring that rcu_read_[un]lock() is called.
		551	*
		552	*/
		553	struct netlbl_domaddr4_map netlbl_domhsh_getentry_af4(const char domain,
		554	__be32 addr)
		555	{
		556	struct netlbl_dom_map *dom_iter;
		557	struct netlbl_af4list *addr_iter;
		558
		559	dom_iter = netlbl_domhsh_search_def(domain);
		560	if (dom_iter == NULL)
		561	return NULL;
		562	if (dom_iter->type != NETLBL_NLTYPE_ADDRSELECT)
		563	return NULL;
		564
		565	addr_iter = netlbl_af4list_search(addr,
		566	&dom_iter->type_def.addrsel->list4);
		567	if (addr_iter == NULL)
		568	return NULL;
		569
		570	return netlbl_domhsh_addr4_entry(addr_iter);
		571	}
		572
		573	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
		574	/**
		575	* netlbl_domhsh_getentry_af6 - Get an entry from the domain hash table
		576	* @domain: the domain name to search for
		577	* @addr: the IP address to search for
		578	*
		579	* Description:
		580	* Look through the domain hash table searching for an entry to match @domain
		581	* and @addr, return a pointer to a copy of the entry or NULL. The caller is
		582	* responsible for ensuring that rcu_read_[un]lock() is called.
		583	*
		584	*/
		585	struct netlbl_domaddr6_map netlbl_domhsh_getentry_af6(const char domain,
		586	const struct in6_addr *addr)
		587	{
		588	struct netlbl_dom_map *dom_iter;
		589	struct netlbl_af6list *addr_iter;
		590
		591	dom_iter = netlbl_domhsh_search_def(domain);
		592	if (dom_iter == NULL)
		593	return NULL;
		594	if (dom_iter->type != NETLBL_NLTYPE_ADDRSELECT)
		595	return NULL;
		596
		597	addr_iter = netlbl_af6list_search(addr,
		598	&dom_iter->type_def.addrsel->list6);
		599	if (addr_iter == NULL)
		600	return NULL;
		601
		602	return netlbl_domhsh_addr6_entry(addr_iter);
		603	}
		604	#endif /* IPv6 */
		605
		606	/**
391	* netlbl_domhsh_walk - Iterate through the domain mapping hash table	607	* netlbl_domhsh_walk - Iterate through the domain mapping hash table
392	* @skip_bkt: the number of buckets to skip at the start	608	* @skip_bkt: the number of buckets to skip at the start
393	* @skip_chain: the number of entries to skip in the first iterated bucket	609	* @skip_chain: the number of entries to skip in the first iterated bucket