diff options
| author | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:31 -0400 |
|---|---|---|
| committer | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:31 -0400 |
| commit | b1edeb102397546438ab4624489c6ccd7b410d97 (patch) | |
| tree | ce7033f678ffe46ec3f517bb2771b9cbb04d62bb /net/netlabel/netlabel_kapi.c | |
| parent | a8134296ba9940b5b271d908666e532d34430a3c (diff) | |
netlabel: Replace protocol/NetLabel linking with refrerence counts
NetLabel has always had a list of backpointers in the CIPSO DOI definition
structure which pointed to the NetLabel LSM domain mapping structures which
referenced the CIPSO DOI struct. The rationale for this was that when an
administrator removed a CIPSO DOI from the system all of the associated
NetLabel LSM domain mappings should be removed as well; a list of
backpointers made this a simple operation.
Unfortunately, while the backpointers did make the removal easier they were
a bit of a mess from an implementation point of view which was making
further development difficult. Since the removal of a CIPSO DOI is a
realtively rare event it seems to make sense to remove this backpointer
list as the optimization was hurting us more then it was helping. However,
we still need to be able to track when a CIPSO DOI definition is being used
so replace the backpointer list with a reference count. In order to
preserve the current functionality of removing the associated LSM domain
mappings when a CIPSO DOI is removed we walk the LSM domain mapping table,
removing the relevant entries.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Reviewed-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/netlabel/netlabel_kapi.c')
| -rw-r--r-- | net/netlabel/netlabel_kapi.c | 43 |
1 files changed, 24 insertions, 19 deletions
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index 22faba620e4b..7d8ecea93914 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c | |||
| @@ -121,10 +121,15 @@ int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, | |||
| 121 | struct netlbl_audit *audit_info) | 121 | struct netlbl_audit *audit_info) |
| 122 | { | 122 | { |
| 123 | int ret_val = -ENOMEM; | 123 | int ret_val = -ENOMEM; |
| 124 | u32 doi; | ||
| 125 | u32 doi_type; | ||
| 124 | struct netlbl_dom_map *entry; | 126 | struct netlbl_dom_map *entry; |
| 125 | const char *type_str; | 127 | const char *type_str; |
| 126 | struct audit_buffer *audit_buf; | 128 | struct audit_buffer *audit_buf; |
| 127 | 129 | ||
| 130 | doi = doi_def->doi; | ||
| 131 | doi_type = doi_def->type; | ||
| 132 | |||
| 128 | entry = kzalloc(sizeof(*entry), GFP_ATOMIC); | 133 | entry = kzalloc(sizeof(*entry), GFP_ATOMIC); |
| 129 | if (entry == NULL) | 134 | if (entry == NULL) |
| 130 | return -ENOMEM; | 135 | return -ENOMEM; |
| @@ -133,32 +138,25 @@ int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, | |||
| 133 | if (entry->domain == NULL) | 138 | if (entry->domain == NULL) |
| 134 | goto cfg_cipsov4_add_map_failure; | 139 | goto cfg_cipsov4_add_map_failure; |
| 135 | } | 140 | } |
| 136 | entry->type = NETLBL_NLTYPE_CIPSOV4; | ||
| 137 | entry->type_def.cipsov4 = doi_def; | ||
| 138 | |||
| 139 | /* Grab a RCU read lock here so nothing happens to the doi_def variable | ||
| 140 | * between adding it to the CIPSOv4 protocol engine and adding a | ||
| 141 | * domain mapping for it. */ | ||
| 142 | 141 | ||
| 143 | rcu_read_lock(); | ||
| 144 | ret_val = cipso_v4_doi_add(doi_def); | 142 | ret_val = cipso_v4_doi_add(doi_def); |
| 145 | if (ret_val != 0) | 143 | if (ret_val != 0) |
| 146 | goto cfg_cipsov4_add_map_failure_unlock; | 144 | goto cfg_cipsov4_add_map_failure_remove_doi; |
| 145 | entry->type = NETLBL_NLTYPE_CIPSOV4; | ||
| 146 | entry->type_def.cipsov4 = cipso_v4_doi_getdef(doi); | ||
| 147 | if (entry->type_def.cipsov4 == NULL) { | ||
| 148 | ret_val = -ENOENT; | ||
| 149 | goto cfg_cipsov4_add_map_failure_remove_doi; | ||
| 150 | } | ||
| 147 | ret_val = netlbl_domhsh_add(entry, audit_info); | 151 | ret_val = netlbl_domhsh_add(entry, audit_info); |
| 148 | if (ret_val != 0) | 152 | if (ret_val != 0) |
| 149 | goto cfg_cipsov4_add_map_failure_remove_doi; | 153 | goto cfg_cipsov4_add_map_failure_release_doi; |
| 150 | rcu_read_unlock(); | ||
| 151 | |||
| 152 | return 0; | ||
| 153 | 154 | ||
| 154 | cfg_cipsov4_add_map_failure_remove_doi: | 155 | cfg_cipsov4_add_map_return: |
| 155 | cipso_v4_doi_remove(doi_def->doi, audit_info, netlbl_cipsov4_doi_free); | ||
| 156 | cfg_cipsov4_add_map_failure_unlock: | ||
| 157 | rcu_read_unlock(); | ||
| 158 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, | 156 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, |
| 159 | audit_info); | 157 | audit_info); |
| 160 | if (audit_buf != NULL) { | 158 | if (audit_buf != NULL) { |
| 161 | switch (doi_def->type) { | 159 | switch (doi_type) { |
| 162 | case CIPSO_V4_MAP_STD: | 160 | case CIPSO_V4_MAP_STD: |
| 163 | type_str = "std"; | 161 | type_str = "std"; |
| 164 | break; | 162 | break; |
| @@ -170,14 +168,21 @@ cfg_cipsov4_add_map_failure_unlock: | |||
| 170 | } | 168 | } |
| 171 | audit_log_format(audit_buf, | 169 | audit_log_format(audit_buf, |
| 172 | " cipso_doi=%u cipso_type=%s res=%u", | 170 | " cipso_doi=%u cipso_type=%s res=%u", |
| 173 | doi_def->doi, type_str, ret_val == 0 ? 1 : 0); | 171 | doi, type_str, ret_val == 0 ? 1 : 0); |
| 174 | audit_log_end(audit_buf); | 172 | audit_log_end(audit_buf); |
| 175 | } | 173 | } |
| 174 | |||
| 175 | return ret_val; | ||
| 176 | |||
| 177 | cfg_cipsov4_add_map_failure_release_doi: | ||
| 178 | cipso_v4_doi_putdef(doi_def); | ||
| 179 | cfg_cipsov4_add_map_failure_remove_doi: | ||
| 180 | cipso_v4_doi_remove(doi, audit_info); | ||
| 176 | cfg_cipsov4_add_map_failure: | 181 | cfg_cipsov4_add_map_failure: |
| 177 | if (entry != NULL) | 182 | if (entry != NULL) |
| 178 | kfree(entry->domain); | 183 | kfree(entry->domain); |
| 179 | kfree(entry); | 184 | kfree(entry); |
| 180 | return ret_val; | 185 | goto cfg_cipsov4_add_map_return; |
| 181 | } | 186 | } |
| 182 | 187 | ||
| 183 | /* | 188 | /* |