authorPaul Moore <paul.moore@hp.com>2008-10-10 10:16:32 -0400
committerPaul Moore <paul.moore@hp.com>2008-10-10 10:16:32 -0400
commit63c41688743760631188cf0f4ae986a6793ccb0a (patch)
treeb270091d7b763e8b6c5073d4ca618f0d36065188 /net/netlabel/netlabel_unlabeled.c
parent61e1068219950c672ce979719ad2be3aadb00d7d (diff)
netlabel: Add network address selectors to the NetLabel/LSM domain mapping
This patch extends the NetLabel traffic labeling capabilities so that individual packets are labeled based not only on the LSM domain but also on the destination address. The changes here only affect the core NetLabel infrastructure; the changes to the NetLabel KAPI and to the individual protocol engines are also required but are split out into a separate patch to ease review. Signed-off-by: Paul Moore <paul.moore@hp.com> Reviewed-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/netlabel/netlabel_unlabeled.c')
-rw-r--r--net/netlabel/netlabel_unlabeled.c96
1 files changed, 13 insertions, 83 deletions
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index ab8131a8e489..e8a5c32b0f10 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -146,76 +146,6 @@ static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1
146}; 146};
147 147
148/* 148/*
149 * Audit Helper Functions
150 */
151
152/**
153 * netlbl_unlabel_audit_addr4 - Audit an IPv4 address
154 * @audit_buf: audit buffer
155 * @dev: network interface
156 * @addr: IP address
157 * @mask: IP address mask
158 *
159 * Description:
160 * Write the IPv4 address and address mask, if necessary, to @audit_buf.
161 *
162 */
163static void netlbl_unlabel_audit_addr4(struct audit_buffer *audit_buf,
164 const char *dev,
165 __be32 addr, __be32 mask)
166{
167 u32 mask_val = ntohl(mask);
168
169 if (dev != NULL)
170 audit_log_format(audit_buf, " netif=%s", dev);
171 audit_log_format(audit_buf, " src=" NIPQUAD_FMT, NIPQUAD(addr));
172 if (mask_val != 0xffffffff) {
173 u32 mask_len = 0;
174 while (mask_val > 0) {
175 mask_val <<= 1;
176 mask_len++;
177 }
178 audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
179 }
180}
181
182#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
183/**
184 * netlbl_unlabel_audit_addr6 - Audit an IPv6 address
185 * @audit_buf: audit buffer
186 * @dev: network interface
187 * @addr: IP address
188 * @mask: IP address mask
189 *
190 * Description:
191 * Write the IPv6 address and address mask, if necessary, to @audit_buf.
192 *
193 */
194static void netlbl_unlabel_audit_addr6(struct audit_buffer *audit_buf,
195 const char *dev,
196 const struct in6_addr *addr,
197 const struct in6_addr *mask)
198{
199 if (dev != NULL)
200 audit_log_format(audit_buf, " netif=%s", dev);
201 audit_log_format(audit_buf, " src=" NIP6_FMT, NIP6(*addr));
202 if (ntohl(mask->s6_addr32[3]) != 0xffffffff) {
203 u32 mask_len = 0;
204 u32 mask_val;
205 int iter = -1;
206 while (ntohl(mask->s6_addr32[++iter]) == 0xffffffff)
207 mask_len += 32;
208 mask_val = ntohl(mask->s6_addr32[iter]);
209 while (mask_val > 0) {
210 mask_val <<= 1;
211 mask_len++;
212 }
213 audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
214 }
215}
216#endif /* IPv6 */
217
218/*
219 * Unlabeled Connection Hash Table Functions 149 * Unlabeled Connection Hash Table Functions
220 */ 150 */
221 151
@@ -571,10 +501,10 @@ static int netlbl_unlhsh_add(struct net *net,
571 mask4 = (struct in_addr *)mask; 501 mask4 = (struct in_addr *)mask;
572 ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid); 502 ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
573 if (audit_buf != NULL) 503 if (audit_buf != NULL)
574 netlbl_unlabel_audit_addr4(audit_buf, 504 netlbl_af4list_audit_addr(audit_buf, 1,
575 dev_name, 505 dev_name,
576 addr4->s_addr, 506 addr4->s_addr,
577 mask4->s_addr); 507 mask4->s_addr);
578 break; 508 break;
579 } 509 }
580#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 510#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
@@ -585,9 +515,9 @@ static int netlbl_unlhsh_add(struct net *net,
585 mask6 = (struct in6_addr *)mask; 515 mask6 = (struct in6_addr *)mask;
586 ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid); 516 ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
587 if (audit_buf != NULL) 517 if (audit_buf != NULL)
588 netlbl_unlabel_audit_addr6(audit_buf, 518 netlbl_af6list_audit_addr(audit_buf, 1,
589 dev_name, 519 dev_name,
590 addr6, mask6); 520 addr6, mask6);
591 break; 521 break;
592 } 522 }
593#endif /* IPv6 */ 523#endif /* IPv6 */
@@ -652,9 +582,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
652 audit_info); 582 audit_info);
653 if (audit_buf != NULL) { 583 if (audit_buf != NULL) {
654 dev = dev_get_by_index(net, iface->ifindex); 584 dev = dev_get_by_index(net, iface->ifindex);
655 netlbl_unlabel_audit_addr4(audit_buf, 585 netlbl_af4list_audit_addr(audit_buf, 1,
656 (dev != NULL ? dev->name : NULL), 586 (dev != NULL ? dev->name : NULL),
657 addr->s_addr, mask->s_addr); 587 addr->s_addr, mask->s_addr);
658 if (dev != NULL) 588 if (dev != NULL)
659 dev_put(dev); 589 dev_put(dev);
660 if (entry && security_secid_to_secctx(entry->secid, 590 if (entry && security_secid_to_secctx(entry->secid,
@@ -712,9 +642,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
712 audit_info); 642 audit_info);
713 if (audit_buf != NULL) { 643 if (audit_buf != NULL) {
714 dev = dev_get_by_index(net, iface->ifindex); 644 dev = dev_get_by_index(net, iface->ifindex);
715 netlbl_unlabel_audit_addr6(audit_buf, 645 netlbl_af6list_audit_addr(audit_buf, 1,
716 (dev != NULL ? dev->name : NULL), 646 (dev != NULL ? dev->name : NULL),
717 addr, mask); 647 addr, mask);
718 if (dev != NULL) 648 if (dev != NULL)
719 dev_put(dev); 649 dev_put(dev);
720 if (entry && security_secid_to_secctx(entry->secid, 650 if (entry && security_secid_to_secctx(entry->secid,
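Review bot: The new netlbl_af4list_audit_addr() / netlbl_af6list_audit_addr() calls at new-side lines 504, 518, 585 and 645 pass a bare `1` as the second argument, and nothing in this file says what that flag selects; the helpers this commit deletes always wrote a fixed ` src=` field, so the flag presumably picks source versus destination for the audit record, but that has to be confirmed against the declaration in the addrlist header. A short comment at the first call site, `/* 1: audit the address as src= (unlabeled entries are always source addresses) */`, or a named constant exported by the addrlist header, would keep the four call sites self-explaining and make a silent src/dst swap visible in review. As far as the hunks shown here go, no `#include` for the new helpers is added to this file — the diffstat's 13 insertions are all call-site lines — so the declarations must already reach netlabel_unlabeled.c through an existing include; worth confirming the file still builds on its own. The enclosing netlbl_unlhsh_add(), netlbl_unlhsh_remove_addr4() and netlbl_unlhsh_remove_addr6() functions all start and end outside the hunks.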