aboutsummaryrefslogtreecommitdiffstats
path: root/net/netlabel
diff options
context:
space:
mode:
authorPaul Moore <pmoore@redhat.com>2013-08-02 14:45:08 -0400
committerDavid S. Miller <davem@davemloft.net>2013-08-02 19:57:01 -0400
commit6a8b7f0c85f1f42eb8b6e68ef3d5ba8020d8e272 (patch)
tree2097e9baf7e2af21a6cc80206df4f3c58c8a4840 /net/netlabel
parent5f671d6b4ec3e6d66c2a868738af2cdea09e7509 (diff)
netlabel: use domain based selectors when address based selectors are not available
NetLabel has the ability to selectively assign network security labels to outbound traffic based on either the LSM's "domain" (different for each LSM), the network destination, or a combination of both. Depending on the type of traffic, local or forwarded, and the type of traffic selector, domain or address based, different hooks are used to label the traffic; the goal being minimal overhead. Unfortunately, there is a bug such that a system using NetLabel domain based traffic selectors does not correctly label outbound local traffic that is not assigned to a socket. The issue is that in these cases the associated NetLabel hook only looks at the address based selectors and not the domain based selectors. This patch corrects this by checking both the domain and address based selectors so that the correct labeling is applied, regardless of the configuration type. In order to acomplish this fix, this patch also simplifies some of the NetLabel domainhash structures to use a more common outbound traffic mapping type: struct netlbl_dommap_def. This simplifies some of the code in this patch and paves the way for further simplifications in the future. Signed-off-by: Paul Moore <pmoore@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netlabel')
-rw-r--r--net/netlabel/netlabel_cipso_v4.c4
-rw-r--r--net/netlabel/netlabel_domainhash.c104
-rw-r--r--net/netlabel/netlabel_domainhash.h46
-rw-r--r--net/netlabel/netlabel_kapi.c88
-rw-r--r--net/netlabel/netlabel_mgmt.c44
-rw-r--r--net/netlabel/netlabel_unlabeled.c2
6 files changed, 130 insertions, 158 deletions
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index c15042f987bd..a1100640495d 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -691,8 +691,8 @@ static int netlbl_cipsov4_remove_cb(struct netlbl_dom_map *entry, void *arg)
691{ 691{
692 struct netlbl_domhsh_walk_arg *cb_arg = arg; 692 struct netlbl_domhsh_walk_arg *cb_arg = arg;
693 693
694 if (entry->type == NETLBL_NLTYPE_CIPSOV4 && 694 if (entry->def.type == NETLBL_NLTYPE_CIPSOV4 &&
695 entry->type_def.cipsov4->doi == cb_arg->doi) 695 entry->def.cipso->doi == cb_arg->doi)
696 return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info); 696 return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info);
697 697
698 return 0; 698 return 0;
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
index 6bb1d42f0fac..85d842e6e431 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -84,15 +84,15 @@ static void netlbl_domhsh_free_entry(struct rcu_head *entry)
84#endif /* IPv6 */ 84#endif /* IPv6 */
85 85
86 ptr = container_of(entry, struct netlbl_dom_map, rcu); 86 ptr = container_of(entry, struct netlbl_dom_map, rcu);
87 if (ptr->type == NETLBL_NLTYPE_ADDRSELECT) { 87 if (ptr->def.type == NETLBL_NLTYPE_ADDRSELECT) {
88 netlbl_af4list_foreach_safe(iter4, tmp4, 88 netlbl_af4list_foreach_safe(iter4, tmp4,
89 &ptr->type_def.addrsel->list4) { 89 &ptr->def.addrsel->list4) {
90 netlbl_af4list_remove_entry(iter4); 90 netlbl_af4list_remove_entry(iter4);
91 kfree(netlbl_domhsh_addr4_entry(iter4)); 91 kfree(netlbl_domhsh_addr4_entry(iter4));
92 } 92 }
93#if IS_ENABLED(CONFIG_IPV6) 93#if IS_ENABLED(CONFIG_IPV6)
94 netlbl_af6list_foreach_safe(iter6, tmp6, 94 netlbl_af6list_foreach_safe(iter6, tmp6,
95 &ptr->type_def.addrsel->list6) { 95 &ptr->def.addrsel->list6) {
96 netlbl_af6list_remove_entry(iter6); 96 netlbl_af6list_remove_entry(iter6);
97 kfree(netlbl_domhsh_addr6_entry(iter6)); 97 kfree(netlbl_domhsh_addr6_entry(iter6));
98 } 98 }
@@ -213,21 +213,21 @@ static void netlbl_domhsh_audit_add(struct netlbl_dom_map *entry,
213 if (addr4 != NULL) { 213 if (addr4 != NULL) {
214 struct netlbl_domaddr4_map *map4; 214 struct netlbl_domaddr4_map *map4;
215 map4 = netlbl_domhsh_addr4_entry(addr4); 215 map4 = netlbl_domhsh_addr4_entry(addr4);
216 type = map4->type; 216 type = map4->def.type;
217 cipsov4 = map4->type_def.cipsov4; 217 cipsov4 = map4->def.cipso;
218 netlbl_af4list_audit_addr(audit_buf, 0, NULL, 218 netlbl_af4list_audit_addr(audit_buf, 0, NULL,
219 addr4->addr, addr4->mask); 219 addr4->addr, addr4->mask);
220#if IS_ENABLED(CONFIG_IPV6) 220#if IS_ENABLED(CONFIG_IPV6)
221 } else if (addr6 != NULL) { 221 } else if (addr6 != NULL) {
222 struct netlbl_domaddr6_map *map6; 222 struct netlbl_domaddr6_map *map6;
223 map6 = netlbl_domhsh_addr6_entry(addr6); 223 map6 = netlbl_domhsh_addr6_entry(addr6);
224 type = map6->type; 224 type = map6->def.type;
225 netlbl_af6list_audit_addr(audit_buf, 0, NULL, 225 netlbl_af6list_audit_addr(audit_buf, 0, NULL,
226 &addr6->addr, &addr6->mask); 226 &addr6->addr, &addr6->mask);
227#endif /* IPv6 */ 227#endif /* IPv6 */
228 } else { 228 } else {
229 type = entry->type; 229 type = entry->def.type;
230 cipsov4 = entry->type_def.cipsov4; 230 cipsov4 = entry->def.cipso;
231 } 231 }
232 switch (type) { 232 switch (type) {
233 case NETLBL_NLTYPE_UNLABELED: 233 case NETLBL_NLTYPE_UNLABELED:
@@ -265,26 +265,25 @@ static int netlbl_domhsh_validate(const struct netlbl_dom_map *entry)
265 if (entry == NULL) 265 if (entry == NULL)
266 return -EINVAL; 266 return -EINVAL;
267 267
268 switch (entry->type) { 268 switch (entry->def.type) {
269 case NETLBL_NLTYPE_UNLABELED: 269 case NETLBL_NLTYPE_UNLABELED:
270 if (entry->type_def.cipsov4 != NULL || 270 if (entry->def.cipso != NULL || entry->def.addrsel != NULL)
271 entry->type_def.addrsel != NULL)
272 return -EINVAL; 271 return -EINVAL;
273 break; 272 break;
274 case NETLBL_NLTYPE_CIPSOV4: 273 case NETLBL_NLTYPE_CIPSOV4:
275 if (entry->type_def.cipsov4 == NULL) 274 if (entry->def.cipso == NULL)
276 return -EINVAL; 275 return -EINVAL;
277 break; 276 break;
278 case NETLBL_NLTYPE_ADDRSELECT: 277 case NETLBL_NLTYPE_ADDRSELECT:
279 netlbl_af4list_foreach(iter4, &entry->type_def.addrsel->list4) { 278 netlbl_af4list_foreach(iter4, &entry->def.addrsel->list4) {
280 map4 = netlbl_domhsh_addr4_entry(iter4); 279 map4 = netlbl_domhsh_addr4_entry(iter4);
281 switch (map4->type) { 280 switch (map4->def.type) {
282 case NETLBL_NLTYPE_UNLABELED: 281 case NETLBL_NLTYPE_UNLABELED:
283 if (map4->type_def.cipsov4 != NULL) 282 if (map4->def.cipso != NULL)
284 return -EINVAL; 283 return -EINVAL;
285 break; 284 break;
286 case NETLBL_NLTYPE_CIPSOV4: 285 case NETLBL_NLTYPE_CIPSOV4:
287 if (map4->type_def.cipsov4 == NULL) 286 if (map4->def.cipso == NULL)
288 return -EINVAL; 287 return -EINVAL;
289 break; 288 break;
290 default: 289 default:
@@ -292,9 +291,9 @@ static int netlbl_domhsh_validate(const struct netlbl_dom_map *entry)
292 } 291 }
293 } 292 }
294#if IS_ENABLED(CONFIG_IPV6) 293#if IS_ENABLED(CONFIG_IPV6)
295 netlbl_af6list_foreach(iter6, &entry->type_def.addrsel->list6) { 294 netlbl_af6list_foreach(iter6, &entry->def.addrsel->list6) {
296 map6 = netlbl_domhsh_addr6_entry(iter6); 295 map6 = netlbl_domhsh_addr6_entry(iter6);
297 switch (map6->type) { 296 switch (map6->def.type) {
298 case NETLBL_NLTYPE_UNLABELED: 297 case NETLBL_NLTYPE_UNLABELED:
299 break; 298 break;
300 default: 299 default:
@@ -402,32 +401,31 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
402 rcu_assign_pointer(netlbl_domhsh_def, entry); 401 rcu_assign_pointer(netlbl_domhsh_def, entry);
403 } 402 }
404 403
405 if (entry->type == NETLBL_NLTYPE_ADDRSELECT) { 404 if (entry->def.type == NETLBL_NLTYPE_ADDRSELECT) {
406 netlbl_af4list_foreach_rcu(iter4, 405 netlbl_af4list_foreach_rcu(iter4,
407 &entry->type_def.addrsel->list4) 406 &entry->def.addrsel->list4)
408 netlbl_domhsh_audit_add(entry, iter4, NULL, 407 netlbl_domhsh_audit_add(entry, iter4, NULL,
409 ret_val, audit_info); 408 ret_val, audit_info);
410#if IS_ENABLED(CONFIG_IPV6) 409#if IS_ENABLED(CONFIG_IPV6)
411 netlbl_af6list_foreach_rcu(iter6, 410 netlbl_af6list_foreach_rcu(iter6,
412 &entry->type_def.addrsel->list6) 411 &entry->def.addrsel->list6)
413 netlbl_domhsh_audit_add(entry, NULL, iter6, 412 netlbl_domhsh_audit_add(entry, NULL, iter6,
414 ret_val, audit_info); 413 ret_val, audit_info);
415#endif /* IPv6 */ 414#endif /* IPv6 */
416 } else 415 } else
417 netlbl_domhsh_audit_add(entry, NULL, NULL, 416 netlbl_domhsh_audit_add(entry, NULL, NULL,
418 ret_val, audit_info); 417 ret_val, audit_info);
419 } else if (entry_old->type == NETLBL_NLTYPE_ADDRSELECT && 418 } else if (entry_old->def.type == NETLBL_NLTYPE_ADDRSELECT &&
420 entry->type == NETLBL_NLTYPE_ADDRSELECT) { 419 entry->def.type == NETLBL_NLTYPE_ADDRSELECT) {
421 struct list_head *old_list4; 420 struct list_head *old_list4;
422 struct list_head *old_list6; 421 struct list_head *old_list6;
423 422
424 old_list4 = &entry_old->type_def.addrsel->list4; 423 old_list4 = &entry_old->def.addrsel->list4;
425 old_list6 = &entry_old->type_def.addrsel->list6; 424 old_list6 = &entry_old->def.addrsel->list6;
426 425
427 /* we only allow the addition of address selectors if all of 426 /* we only allow the addition of address selectors if all of
428 * the selectors do not exist in the existing domain map */ 427 * the selectors do not exist in the existing domain map */
429 netlbl_af4list_foreach_rcu(iter4, 428 netlbl_af4list_foreach_rcu(iter4, &entry->def.addrsel->list4)
430 &entry->type_def.addrsel->list4)
431 if (netlbl_af4list_search_exact(iter4->addr, 429 if (netlbl_af4list_search_exact(iter4->addr,
432 iter4->mask, 430 iter4->mask,
433 old_list4)) { 431 old_list4)) {
@@ -435,8 +433,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
435 goto add_return; 433 goto add_return;
436 } 434 }
437#if IS_ENABLED(CONFIG_IPV6) 435#if IS_ENABLED(CONFIG_IPV6)
438 netlbl_af6list_foreach_rcu(iter6, 436 netlbl_af6list_foreach_rcu(iter6, &entry->def.addrsel->list6)
439 &entry->type_def.addrsel->list6)
440 if (netlbl_af6list_search_exact(&iter6->addr, 437 if (netlbl_af6list_search_exact(&iter6->addr,
441 &iter6->mask, 438 &iter6->mask,
442 old_list6)) { 439 old_list6)) {
@@ -446,7 +443,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
446#endif /* IPv6 */ 443#endif /* IPv6 */
447 444
448 netlbl_af4list_foreach_safe(iter4, tmp4, 445 netlbl_af4list_foreach_safe(iter4, tmp4,
449 &entry->type_def.addrsel->list4) { 446 &entry->def.addrsel->list4) {
450 netlbl_af4list_remove_entry(iter4); 447 netlbl_af4list_remove_entry(iter4);
451 iter4->valid = 1; 448 iter4->valid = 1;
452 ret_val = netlbl_af4list_add(iter4, old_list4); 449 ret_val = netlbl_af4list_add(iter4, old_list4);
@@ -457,7 +454,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
457 } 454 }
458#if IS_ENABLED(CONFIG_IPV6) 455#if IS_ENABLED(CONFIG_IPV6)
459 netlbl_af6list_foreach_safe(iter6, tmp6, 456 netlbl_af6list_foreach_safe(iter6, tmp6,
460 &entry->type_def.addrsel->list6) { 457 &entry->def.addrsel->list6) {
461 netlbl_af6list_remove_entry(iter6); 458 netlbl_af6list_remove_entry(iter6);
462 iter6->valid = 1; 459 iter6->valid = 1;
463 ret_val = netlbl_af6list_add(iter6, old_list6); 460 ret_val = netlbl_af6list_add(iter6, old_list6);
@@ -538,18 +535,18 @@ int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry,
538 struct netlbl_af4list *iter4; 535 struct netlbl_af4list *iter4;
539 struct netlbl_domaddr4_map *map4; 536 struct netlbl_domaddr4_map *map4;
540 537
541 switch (entry->type) { 538 switch (entry->def.type) {
542 case NETLBL_NLTYPE_ADDRSELECT: 539 case NETLBL_NLTYPE_ADDRSELECT:
543 netlbl_af4list_foreach_rcu(iter4, 540 netlbl_af4list_foreach_rcu(iter4,
544 &entry->type_def.addrsel->list4) { 541 &entry->def.addrsel->list4) {
545 map4 = netlbl_domhsh_addr4_entry(iter4); 542 map4 = netlbl_domhsh_addr4_entry(iter4);
546 cipso_v4_doi_putdef(map4->type_def.cipsov4); 543 cipso_v4_doi_putdef(map4->def.cipso);
547 } 544 }
548 /* no need to check the IPv6 list since we currently 545 /* no need to check the IPv6 list since we currently
549 * support only unlabeled protocols for IPv6 */ 546 * support only unlabeled protocols for IPv6 */
550 break; 547 break;
551 case NETLBL_NLTYPE_CIPSOV4: 548 case NETLBL_NLTYPE_CIPSOV4:
552 cipso_v4_doi_putdef(entry->type_def.cipsov4); 549 cipso_v4_doi_putdef(entry->def.cipso);
553 break; 550 break;
554 } 551 }
555 call_rcu(&entry->rcu, netlbl_domhsh_free_entry); 552 call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
@@ -590,20 +587,21 @@ int netlbl_domhsh_remove_af4(const char *domain,
590 entry_map = netlbl_domhsh_search(domain); 587 entry_map = netlbl_domhsh_search(domain);
591 else 588 else
592 entry_map = netlbl_domhsh_search_def(domain); 589 entry_map = netlbl_domhsh_search_def(domain);
593 if (entry_map == NULL || entry_map->type != NETLBL_NLTYPE_ADDRSELECT) 590 if (entry_map == NULL ||
591 entry_map->def.type != NETLBL_NLTYPE_ADDRSELECT)
594 goto remove_af4_failure; 592 goto remove_af4_failure;
595 593
596 spin_lock(&netlbl_domhsh_lock); 594 spin_lock(&netlbl_domhsh_lock);
597 entry_addr = netlbl_af4list_remove(addr->s_addr, mask->s_addr, 595 entry_addr = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
598 &entry_map->type_def.addrsel->list4); 596 &entry_map->def.addrsel->list4);
599 spin_unlock(&netlbl_domhsh_lock); 597 spin_unlock(&netlbl_domhsh_lock);
600 598
601 if (entry_addr == NULL) 599 if (entry_addr == NULL)
602 goto remove_af4_failure; 600 goto remove_af4_failure;
603 netlbl_af4list_foreach_rcu(iter4, &entry_map->type_def.addrsel->list4) 601 netlbl_af4list_foreach_rcu(iter4, &entry_map->def.addrsel->list4)
604 goto remove_af4_single_addr; 602 goto remove_af4_single_addr;
605#if IS_ENABLED(CONFIG_IPV6) 603#if IS_ENABLED(CONFIG_IPV6)
606 netlbl_af6list_foreach_rcu(iter6, &entry_map->type_def.addrsel->list6) 604 netlbl_af6list_foreach_rcu(iter6, &entry_map->def.addrsel->list6)
607 goto remove_af4_single_addr; 605 goto remove_af4_single_addr;
608#endif /* IPv6 */ 606#endif /* IPv6 */
609 /* the domain mapping is empty so remove it from the mapping table */ 607 /* the domain mapping is empty so remove it from the mapping table */
@@ -616,7 +614,7 @@ remove_af4_single_addr:
616 * shouldn't be a problem */ 614 * shouldn't be a problem */
617 synchronize_rcu(); 615 synchronize_rcu();
618 entry = netlbl_domhsh_addr4_entry(entry_addr); 616 entry = netlbl_domhsh_addr4_entry(entry_addr);
619 cipso_v4_doi_putdef(entry->type_def.cipsov4); 617 cipso_v4_doi_putdef(entry->def.cipso);
620 kfree(entry); 618 kfree(entry);
621 return 0; 619 return 0;
622 620
@@ -693,8 +691,8 @@ struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain)
693 * responsible for ensuring that rcu_read_[un]lock() is called. 691 * responsible for ensuring that rcu_read_[un]lock() is called.
694 * 692 *
695 */ 693 */
696struct netlbl_domaddr4_map *netlbl_domhsh_getentry_af4(const char *domain, 694struct netlbl_dommap_def *netlbl_domhsh_getentry_af4(const char *domain,
697 __be32 addr) 695 __be32 addr)
698{ 696{
699 struct netlbl_dom_map *dom_iter; 697 struct netlbl_dom_map *dom_iter;
700 struct netlbl_af4list *addr_iter; 698 struct netlbl_af4list *addr_iter;
@@ -702,15 +700,13 @@ struct netlbl_domaddr4_map *netlbl_domhsh_getentry_af4(const char *domain,
702 dom_iter = netlbl_domhsh_search_def(domain); 700 dom_iter = netlbl_domhsh_search_def(domain);
703 if (dom_iter == NULL) 701 if (dom_iter == NULL)
704 return NULL; 702 return NULL;
705 if (dom_iter->type != NETLBL_NLTYPE_ADDRSELECT)
706 return NULL;
707 703
708 addr_iter = netlbl_af4list_search(addr, 704 if (dom_iter->def.type != NETLBL_NLTYPE_ADDRSELECT)
709 &dom_iter->type_def.addrsel->list4); 705 return &dom_iter->def;
706 addr_iter = netlbl_af4list_search(addr, &dom_iter->def.addrsel->list4);
710 if (addr_iter == NULL) 707 if (addr_iter == NULL)
711 return NULL; 708 return NULL;
712 709 return &(netlbl_domhsh_addr4_entry(addr_iter)->def);
713 return netlbl_domhsh_addr4_entry(addr_iter);
714} 710}
715 711
716#if IS_ENABLED(CONFIG_IPV6) 712#if IS_ENABLED(CONFIG_IPV6)
@@ -725,7 +721,7 @@ struct netlbl_domaddr4_map *netlbl_domhsh_getentry_af4(const char *domain,
725 * responsible for ensuring that rcu_read_[un]lock() is called. 721 * responsible for ensuring that rcu_read_[un]lock() is called.
726 * 722 *
727 */ 723 */
728struct netlbl_domaddr6_map *netlbl_domhsh_getentry_af6(const char *domain, 724struct netlbl_dommap_def *netlbl_domhsh_getentry_af6(const char *domain,
729 const struct in6_addr *addr) 725 const struct in6_addr *addr)
730{ 726{
731 struct netlbl_dom_map *dom_iter; 727 struct netlbl_dom_map *dom_iter;
@@ -734,15 +730,13 @@ struct netlbl_domaddr6_map *netlbl_domhsh_getentry_af6(const char *domain,
734 dom_iter = netlbl_domhsh_search_def(domain); 730 dom_iter = netlbl_domhsh_search_def(domain);
735 if (dom_iter == NULL) 731 if (dom_iter == NULL)
736 return NULL; 732 return NULL;
737 if (dom_iter->type != NETLBL_NLTYPE_ADDRSELECT)
738 return NULL;
739 733
740 addr_iter = netlbl_af6list_search(addr, 734 if (dom_iter->def.type != NETLBL_NLTYPE_ADDRSELECT)
741 &dom_iter->type_def.addrsel->list6); 735 return &dom_iter->def;
736 addr_iter = netlbl_af6list_search(addr, &dom_iter->def.addrsel->list6);
742 if (addr_iter == NULL) 737 if (addr_iter == NULL)
743 return NULL; 738 return NULL;
744 739 return &(netlbl_domhsh_addr6_entry(addr_iter)->def);
745 return netlbl_domhsh_addr6_entry(addr_iter);
746} 740}
747#endif /* IPv6 */ 741#endif /* IPv6 */
748 742
diff --git a/net/netlabel/netlabel_domainhash.h b/net/netlabel/netlabel_domainhash.h
index 90872c4ca30f..b9be0eed8980 100644
--- a/net/netlabel/netlabel_domainhash.h
+++ b/net/netlabel/netlabel_domainhash.h
@@ -43,37 +43,35 @@
43#define NETLBL_DOMHSH_BITSIZE 7 43#define NETLBL_DOMHSH_BITSIZE 7
44 44
45/* Domain mapping definition structures */ 45/* Domain mapping definition structures */
46struct netlbl_domaddr_map {
47 struct list_head list4;
48 struct list_head list6;
49};
50struct netlbl_dommap_def {
51 u32 type;
52 union {
53 struct netlbl_domaddr_map *addrsel;
54 struct cipso_v4_doi *cipso;
55 };
56};
46#define netlbl_domhsh_addr4_entry(iter) \ 57#define netlbl_domhsh_addr4_entry(iter) \
47 container_of(iter, struct netlbl_domaddr4_map, list) 58 container_of(iter, struct netlbl_domaddr4_map, list)
48struct netlbl_domaddr4_map { 59struct netlbl_domaddr4_map {
49 u32 type; 60 struct netlbl_dommap_def def;
50 union {
51 struct cipso_v4_doi *cipsov4;
52 } type_def;
53 61
54 struct netlbl_af4list list; 62 struct netlbl_af4list list;
55}; 63};
56#define netlbl_domhsh_addr6_entry(iter) \ 64#define netlbl_domhsh_addr6_entry(iter) \
57 container_of(iter, struct netlbl_domaddr6_map, list) 65 container_of(iter, struct netlbl_domaddr6_map, list)
58struct netlbl_domaddr6_map { 66struct netlbl_domaddr6_map {
59 u32 type; 67 struct netlbl_dommap_def def;
60
61 /* NOTE: no 'type_def' union needed at present since we don't currently
62 * support any IPv6 labeling protocols */
63 68
64 struct netlbl_af6list list; 69 struct netlbl_af6list list;
65}; 70};
66struct netlbl_domaddr_map { 71
67 struct list_head list4;
68 struct list_head list6;
69};
70struct netlbl_dom_map { 72struct netlbl_dom_map {
71 char *domain; 73 char *domain;
72 u32 type; 74 struct netlbl_dommap_def def;
73 union {
74 struct cipso_v4_doi *cipsov4;
75 struct netlbl_domaddr_map *addrsel;
76 } type_def;
77 75
78 u32 valid; 76 u32 valid;
79 struct list_head list; 77 struct list_head list;
@@ -97,16 +95,16 @@ int netlbl_domhsh_remove_af4(const char *domain,
97int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info); 95int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
98int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info); 96int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info);
99struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); 97struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain);
100struct netlbl_domaddr4_map *netlbl_domhsh_getentry_af4(const char *domain, 98struct netlbl_dommap_def *netlbl_domhsh_getentry_af4(const char *domain,
101 __be32 addr); 99 __be32 addr);
100#if IS_ENABLED(CONFIG_IPV6)
101struct netlbl_dommap_def *netlbl_domhsh_getentry_af6(const char *domain,
102 const struct in6_addr *addr);
103#endif /* IPv6 */
104
102int netlbl_domhsh_walk(u32 *skip_bkt, 105int netlbl_domhsh_walk(u32 *skip_bkt,
103 u32 *skip_chain, 106 u32 *skip_chain,
104 int (*callback) (struct netlbl_dom_map *entry, void *arg), 107 int (*callback) (struct netlbl_dom_map *entry, void *arg),
105 void *cb_arg); 108 void *cb_arg);
106 109
107#if IS_ENABLED(CONFIG_IPV6)
108struct netlbl_domaddr6_map *netlbl_domhsh_getentry_af6(const char *domain,
109 const struct in6_addr *addr);
110#endif /* IPv6 */
111
112#endif 110#endif
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 7c94aedd0912..96a458e12f60 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -122,7 +122,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain,
122 } 122 }
123 123
124 if (addr == NULL && mask == NULL) 124 if (addr == NULL && mask == NULL)
125 entry->type = NETLBL_NLTYPE_UNLABELED; 125 entry->def.type = NETLBL_NLTYPE_UNLABELED;
126 else if (addr != NULL && mask != NULL) { 126 else if (addr != NULL && mask != NULL) {
127 addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC); 127 addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
128 if (addrmap == NULL) 128 if (addrmap == NULL)
@@ -137,7 +137,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain,
137 map4 = kzalloc(sizeof(*map4), GFP_ATOMIC); 137 map4 = kzalloc(sizeof(*map4), GFP_ATOMIC);
138 if (map4 == NULL) 138 if (map4 == NULL)
139 goto cfg_unlbl_map_add_failure; 139 goto cfg_unlbl_map_add_failure;
140 map4->type = NETLBL_NLTYPE_UNLABELED; 140 map4->def.type = NETLBL_NLTYPE_UNLABELED;
141 map4->list.addr = addr4->s_addr & mask4->s_addr; 141 map4->list.addr = addr4->s_addr & mask4->s_addr;
142 map4->list.mask = mask4->s_addr; 142 map4->list.mask = mask4->s_addr;
143 map4->list.valid = 1; 143 map4->list.valid = 1;
@@ -154,7 +154,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain,
154 map6 = kzalloc(sizeof(*map6), GFP_ATOMIC); 154 map6 = kzalloc(sizeof(*map6), GFP_ATOMIC);
155 if (map6 == NULL) 155 if (map6 == NULL)
156 goto cfg_unlbl_map_add_failure; 156 goto cfg_unlbl_map_add_failure;
157 map6->type = NETLBL_NLTYPE_UNLABELED; 157 map6->def.type = NETLBL_NLTYPE_UNLABELED;
158 map6->list.addr = *addr6; 158 map6->list.addr = *addr6;
159 map6->list.addr.s6_addr32[0] &= mask6->s6_addr32[0]; 159 map6->list.addr.s6_addr32[0] &= mask6->s6_addr32[0];
160 map6->list.addr.s6_addr32[1] &= mask6->s6_addr32[1]; 160 map6->list.addr.s6_addr32[1] &= mask6->s6_addr32[1];
@@ -174,8 +174,8 @@ int netlbl_cfg_unlbl_map_add(const char *domain,
174 break; 174 break;
175 } 175 }
176 176
177 entry->type_def.addrsel = addrmap; 177 entry->def.addrsel = addrmap;
178 entry->type = NETLBL_NLTYPE_ADDRSELECT; 178 entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
179 } else { 179 } else {
180 ret_val = -EINVAL; 180 ret_val = -EINVAL;
181 goto cfg_unlbl_map_add_failure; 181 goto cfg_unlbl_map_add_failure;
@@ -355,8 +355,8 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
355 } 355 }
356 356
357 if (addr == NULL && mask == NULL) { 357 if (addr == NULL && mask == NULL) {
358 entry->type_def.cipsov4 = doi_def; 358 entry->def.cipso = doi_def;
359 entry->type = NETLBL_NLTYPE_CIPSOV4; 359 entry->def.type = NETLBL_NLTYPE_CIPSOV4;
360 } else if (addr != NULL && mask != NULL) { 360 } else if (addr != NULL && mask != NULL) {
361 addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC); 361 addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
362 if (addrmap == NULL) 362 if (addrmap == NULL)
@@ -367,8 +367,8 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
367 addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC); 367 addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
368 if (addrinfo == NULL) 368 if (addrinfo == NULL)
369 goto out_addrinfo; 369 goto out_addrinfo;
370 addrinfo->type_def.cipsov4 = doi_def; 370 addrinfo->def.cipso = doi_def;
371 addrinfo->type = NETLBL_NLTYPE_CIPSOV4; 371 addrinfo->def.type = NETLBL_NLTYPE_CIPSOV4;
372 addrinfo->list.addr = addr->s_addr & mask->s_addr; 372 addrinfo->list.addr = addr->s_addr & mask->s_addr;
373 addrinfo->list.mask = mask->s_addr; 373 addrinfo->list.mask = mask->s_addr;
374 addrinfo->list.valid = 1; 374 addrinfo->list.valid = 1;
@@ -376,8 +376,8 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
376 if (ret_val != 0) 376 if (ret_val != 0)
377 goto cfg_cipsov4_map_add_failure; 377 goto cfg_cipsov4_map_add_failure;
378 378
379 entry->type_def.addrsel = addrmap; 379 entry->def.addrsel = addrmap;
380 entry->type = NETLBL_NLTYPE_ADDRSELECT; 380 entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
381 } else { 381 } else {
382 ret_val = -EINVAL; 382 ret_val = -EINVAL;
383 goto out_addrmap; 383 goto out_addrmap;
@@ -657,14 +657,14 @@ int netlbl_sock_setattr(struct sock *sk,
657 } 657 }
658 switch (family) { 658 switch (family) {
659 case AF_INET: 659 case AF_INET:
660 switch (dom_entry->type) { 660 switch (dom_entry->def.type) {
661 case NETLBL_NLTYPE_ADDRSELECT: 661 case NETLBL_NLTYPE_ADDRSELECT:
662 ret_val = -EDESTADDRREQ; 662 ret_val = -EDESTADDRREQ;
663 break; 663 break;
664 case NETLBL_NLTYPE_CIPSOV4: 664 case NETLBL_NLTYPE_CIPSOV4:
665 ret_val = cipso_v4_sock_setattr(sk, 665 ret_val = cipso_v4_sock_setattr(sk,
666 dom_entry->type_def.cipsov4, 666 dom_entry->def.cipso,
667 secattr); 667 secattr);
668 break; 668 break;
669 case NETLBL_NLTYPE_UNLABELED: 669 case NETLBL_NLTYPE_UNLABELED:
670 ret_val = 0; 670 ret_val = 0;
@@ -754,23 +754,22 @@ int netlbl_conn_setattr(struct sock *sk,
754{ 754{
755 int ret_val; 755 int ret_val;
756 struct sockaddr_in *addr4; 756 struct sockaddr_in *addr4;
757 struct netlbl_domaddr4_map *af4_entry; 757 struct netlbl_dommap_def *entry;
758 758
759 rcu_read_lock(); 759 rcu_read_lock();
760 switch (addr->sa_family) { 760 switch (addr->sa_family) {
761 case AF_INET: 761 case AF_INET:
762 addr4 = (struct sockaddr_in *)addr; 762 addr4 = (struct sockaddr_in *)addr;
763 af4_entry = netlbl_domhsh_getentry_af4(secattr->domain, 763 entry = netlbl_domhsh_getentry_af4(secattr->domain,
764 addr4->sin_addr.s_addr); 764 addr4->sin_addr.s_addr);
765 if (af4_entry == NULL) { 765 if (entry == NULL) {
766 ret_val = -ENOENT; 766 ret_val = -ENOENT;
767 goto conn_setattr_return; 767 goto conn_setattr_return;
768 } 768 }
769 switch (af4_entry->type) { 769 switch (entry->type) {
770 case NETLBL_NLTYPE_CIPSOV4: 770 case NETLBL_NLTYPE_CIPSOV4:
771 ret_val = cipso_v4_sock_setattr(sk, 771 ret_val = cipso_v4_sock_setattr(sk,
772 af4_entry->type_def.cipsov4, 772 entry->cipso, secattr);
773 secattr);
774 break; 773 break;
775 case NETLBL_NLTYPE_UNLABELED: 774 case NETLBL_NLTYPE_UNLABELED:
776 /* just delete the protocols we support for right now 775 /* just delete the protocols we support for right now
@@ -812,36 +811,21 @@ int netlbl_req_setattr(struct request_sock *req,
812 const struct netlbl_lsm_secattr *secattr) 811 const struct netlbl_lsm_secattr *secattr)
813{ 812{
814 int ret_val; 813 int ret_val;
815 struct netlbl_dom_map *dom_entry; 814 struct netlbl_dommap_def *entry;
816 struct netlbl_domaddr4_map *af4_entry;
817 u32 proto_type;
818 struct cipso_v4_doi *proto_cv4;
819 815
820 rcu_read_lock(); 816 rcu_read_lock();
821 dom_entry = netlbl_domhsh_getentry(secattr->domain);
822 if (dom_entry == NULL) {
823 ret_val = -ENOENT;
824 goto req_setattr_return;
825 }
826 switch (req->rsk_ops->family) { 817 switch (req->rsk_ops->family) {
827 case AF_INET: 818 case AF_INET:
828 if (dom_entry->type == NETLBL_NLTYPE_ADDRSELECT) { 819 entry = netlbl_domhsh_getentry_af4(secattr->domain,
829 struct inet_request_sock *req_inet = inet_rsk(req); 820 inet_rsk(req)->rmt_addr);
830 af4_entry = netlbl_domhsh_getentry_af4(secattr->domain, 821 if (entry == NULL) {
831 req_inet->rmt_addr); 822 ret_val = -ENOENT;
832 if (af4_entry == NULL) { 823 goto req_setattr_return;
833 ret_val = -ENOENT;
834 goto req_setattr_return;
835 }
836 proto_type = af4_entry->type;
837 proto_cv4 = af4_entry->type_def.cipsov4;
838 } else {
839 proto_type = dom_entry->type;
840 proto_cv4 = dom_entry->type_def.cipsov4;
841 } 824 }
842 switch (proto_type) { 825 switch (entry->type) {
843 case NETLBL_NLTYPE_CIPSOV4: 826 case NETLBL_NLTYPE_CIPSOV4:
844 ret_val = cipso_v4_req_setattr(req, proto_cv4, secattr); 827 ret_val = cipso_v4_req_setattr(req,
828 entry->cipso, secattr);
845 break; 829 break;
846 case NETLBL_NLTYPE_UNLABELED: 830 case NETLBL_NLTYPE_UNLABELED:
847 /* just delete the protocols we support for right now 831 /* just delete the protocols we support for right now
@@ -899,23 +883,21 @@ int netlbl_skbuff_setattr(struct sk_buff *skb,
899{ 883{
900 int ret_val; 884 int ret_val;
901 struct iphdr *hdr4; 885 struct iphdr *hdr4;
902 struct netlbl_domaddr4_map *af4_entry; 886 struct netlbl_dommap_def *entry;
903 887
904 rcu_read_lock(); 888 rcu_read_lock();
905 switch (family) { 889 switch (family) {
906 case AF_INET: 890 case AF_INET:
907 hdr4 = ip_hdr(skb); 891 hdr4 = ip_hdr(skb);
908 af4_entry = netlbl_domhsh_getentry_af4(secattr->domain, 892 entry = netlbl_domhsh_getentry_af4(secattr->domain,hdr4->daddr);
909 hdr4->daddr); 893 if (entry == NULL) {
910 if (af4_entry == NULL) {
911 ret_val = -ENOENT; 894 ret_val = -ENOENT;
912 goto skbuff_setattr_return; 895 goto skbuff_setattr_return;
913 } 896 }
914 switch (af4_entry->type) { 897 switch (entry->type) {
915 case NETLBL_NLTYPE_CIPSOV4: 898 case NETLBL_NLTYPE_CIPSOV4:
916 ret_val = cipso_v4_skbuff_setattr(skb, 899 ret_val = cipso_v4_skbuff_setattr(skb, entry->cipso,
917 af4_entry->type_def.cipsov4, 900 secattr);
918 secattr);
919 break; 901 break;
920 case NETLBL_NLTYPE_UNLABELED: 902 case NETLBL_NLTYPE_UNLABELED:
921 /* just delete the protocols we support for right now 903 /* just delete the protocols we support for right now
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
index c5384ffc6146..dd1c37d7acbc 100644
--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -104,7 +104,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
104 ret_val = -ENOMEM; 104 ret_val = -ENOMEM;
105 goto add_failure; 105 goto add_failure;
106 } 106 }
107 entry->type = nla_get_u32(info->attrs[NLBL_MGMT_A_PROTOCOL]); 107 entry->def.type = nla_get_u32(info->attrs[NLBL_MGMT_A_PROTOCOL]);
108 if (info->attrs[NLBL_MGMT_A_DOMAIN]) { 108 if (info->attrs[NLBL_MGMT_A_DOMAIN]) {
109 size_t tmp_size = nla_len(info->attrs[NLBL_MGMT_A_DOMAIN]); 109 size_t tmp_size = nla_len(info->attrs[NLBL_MGMT_A_DOMAIN]);
110 entry->domain = kmalloc(tmp_size, GFP_KERNEL); 110 entry->domain = kmalloc(tmp_size, GFP_KERNEL);
@@ -116,12 +116,12 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
116 info->attrs[NLBL_MGMT_A_DOMAIN], tmp_size); 116 info->attrs[NLBL_MGMT_A_DOMAIN], tmp_size);
117 } 117 }
118 118
119 /* NOTE: internally we allow/use a entry->type value of 119 /* NOTE: internally we allow/use a entry->def.type value of
120 * NETLBL_NLTYPE_ADDRSELECT but we don't currently allow users 120 * NETLBL_NLTYPE_ADDRSELECT but we don't currently allow users
121 * to pass that as a protocol value because we need to know the 121 * to pass that as a protocol value because we need to know the
122 * "real" protocol */ 122 * "real" protocol */
123 123
124 switch (entry->type) { 124 switch (entry->def.type) {
125 case NETLBL_NLTYPE_UNLABELED: 125 case NETLBL_NLTYPE_UNLABELED:
126 break; 126 break;
127 case NETLBL_NLTYPE_CIPSOV4: 127 case NETLBL_NLTYPE_CIPSOV4:
@@ -132,7 +132,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
132 cipsov4 = cipso_v4_doi_getdef(tmp_val); 132 cipsov4 = cipso_v4_doi_getdef(tmp_val);
133 if (cipsov4 == NULL) 133 if (cipsov4 == NULL)
134 goto add_failure; 134 goto add_failure;
135 entry->type_def.cipsov4 = cipsov4; 135 entry->def.cipso = cipsov4;
136 break; 136 break;
137 default: 137 default:
138 goto add_failure; 138 goto add_failure;
@@ -172,9 +172,9 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
172 map->list.addr = addr->s_addr & mask->s_addr; 172 map->list.addr = addr->s_addr & mask->s_addr;
173 map->list.mask = mask->s_addr; 173 map->list.mask = mask->s_addr;
174 map->list.valid = 1; 174 map->list.valid = 1;
175 map->type = entry->type; 175 map->def.type = entry->def.type;
176 if (cipsov4) 176 if (cipsov4)
177 map->type_def.cipsov4 = cipsov4; 177 map->def.cipso = cipsov4;
178 178
179 ret_val = netlbl_af4list_add(&map->list, &addrmap->list4); 179 ret_val = netlbl_af4list_add(&map->list, &addrmap->list4);
180 if (ret_val != 0) { 180 if (ret_val != 0) {
@@ -182,8 +182,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
182 goto add_failure; 182 goto add_failure;
183 } 183 }
184 184
185 entry->type = NETLBL_NLTYPE_ADDRSELECT; 185 entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
186 entry->type_def.addrsel = addrmap; 186 entry->def.addrsel = addrmap;
187#if IS_ENABLED(CONFIG_IPV6) 187#if IS_ENABLED(CONFIG_IPV6)
188 } else if (info->attrs[NLBL_MGMT_A_IPV6ADDR]) { 188 } else if (info->attrs[NLBL_MGMT_A_IPV6ADDR]) {
189 struct in6_addr *addr; 189 struct in6_addr *addr;
@@ -223,7 +223,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
223 map->list.addr.s6_addr32[3] &= mask->s6_addr32[3]; 223 map->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
224 map->list.mask = *mask; 224 map->list.mask = *mask;
225 map->list.valid = 1; 225 map->list.valid = 1;
226 map->type = entry->type; 226 map->def.type = entry->def.type;
227 227
228 ret_val = netlbl_af6list_add(&map->list, &addrmap->list6); 228 ret_val = netlbl_af6list_add(&map->list, &addrmap->list6);
229 if (ret_val != 0) { 229 if (ret_val != 0) {
@@ -231,8 +231,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
231 goto add_failure; 231 goto add_failure;
232 } 232 }
233 233
234 entry->type = NETLBL_NLTYPE_ADDRSELECT; 234 entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
235 entry->type_def.addrsel = addrmap; 235 entry->def.addrsel = addrmap;
236#endif /* IPv6 */ 236#endif /* IPv6 */
237 } 237 }
238 238
@@ -281,14 +281,13 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
281 return ret_val; 281 return ret_val;
282 } 282 }
283 283
284 switch (entry->type) { 284 switch (entry->def.type) {
285 case NETLBL_NLTYPE_ADDRSELECT: 285 case NETLBL_NLTYPE_ADDRSELECT:
286 nla_a = nla_nest_start(skb, NLBL_MGMT_A_SELECTORLIST); 286 nla_a = nla_nest_start(skb, NLBL_MGMT_A_SELECTORLIST);
287 if (nla_a == NULL) 287 if (nla_a == NULL)
288 return -ENOMEM; 288 return -ENOMEM;
289 289
290 netlbl_af4list_foreach_rcu(iter4, 290 netlbl_af4list_foreach_rcu(iter4, &entry->def.addrsel->list4) {
291 &entry->type_def.addrsel->list4) {
292 struct netlbl_domaddr4_map *map4; 291 struct netlbl_domaddr4_map *map4;
293 struct in_addr addr_struct; 292 struct in_addr addr_struct;
294 293
@@ -310,13 +309,13 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
310 return ret_val; 309 return ret_val;
311 map4 = netlbl_domhsh_addr4_entry(iter4); 310 map4 = netlbl_domhsh_addr4_entry(iter4);
312 ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL, 311 ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
313 map4->type); 312 map4->def.type);
314 if (ret_val != 0) 313 if (ret_val != 0)
315 return ret_val; 314 return ret_val;
316 switch (map4->type) { 315 switch (map4->def.type) {
317 case NETLBL_NLTYPE_CIPSOV4: 316 case NETLBL_NLTYPE_CIPSOV4:
318 ret_val = nla_put_u32(skb, NLBL_MGMT_A_CV4DOI, 317 ret_val = nla_put_u32(skb, NLBL_MGMT_A_CV4DOI,
319 map4->type_def.cipsov4->doi); 318 map4->def.cipso->doi);
320 if (ret_val != 0) 319 if (ret_val != 0)
321 return ret_val; 320 return ret_val;
322 break; 321 break;
@@ -325,8 +324,7 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
325 nla_nest_end(skb, nla_b); 324 nla_nest_end(skb, nla_b);
326 } 325 }
327#if IS_ENABLED(CONFIG_IPV6) 326#if IS_ENABLED(CONFIG_IPV6)
328 netlbl_af6list_foreach_rcu(iter6, 327 netlbl_af6list_foreach_rcu(iter6, &entry->def.addrsel->list6) {
329 &entry->type_def.addrsel->list6) {
330 struct netlbl_domaddr6_map *map6; 328 struct netlbl_domaddr6_map *map6;
331 329
332 nla_b = nla_nest_start(skb, NLBL_MGMT_A_ADDRSELECTOR); 330 nla_b = nla_nest_start(skb, NLBL_MGMT_A_ADDRSELECTOR);
@@ -345,7 +343,7 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
345 return ret_val; 343 return ret_val;
346 map6 = netlbl_domhsh_addr6_entry(iter6); 344 map6 = netlbl_domhsh_addr6_entry(iter6);
347 ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL, 345 ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL,
348 map6->type); 346 map6->def.type);
349 if (ret_val != 0) 347 if (ret_val != 0)
350 return ret_val; 348 return ret_val;
351 349
@@ -356,14 +354,14 @@ static int netlbl_mgmt_listentry(struct sk_buff *skb,
356 nla_nest_end(skb, nla_a); 354 nla_nest_end(skb, nla_a);
357 break; 355 break;
358 case NETLBL_NLTYPE_UNLABELED: 356 case NETLBL_NLTYPE_UNLABELED:
359 ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL, entry->type); 357 ret_val = nla_put_u32(skb,NLBL_MGMT_A_PROTOCOL,entry->def.type);
360 break; 358 break;
361 case NETLBL_NLTYPE_CIPSOV4: 359 case NETLBL_NLTYPE_CIPSOV4:
362 ret_val = nla_put_u32(skb, NLBL_MGMT_A_PROTOCOL, entry->type); 360 ret_val = nla_put_u32(skb,NLBL_MGMT_A_PROTOCOL,entry->def.type);
363 if (ret_val != 0) 361 if (ret_val != 0)
364 return ret_val; 362 return ret_val;
365 ret_val = nla_put_u32(skb, NLBL_MGMT_A_CV4DOI, 363 ret_val = nla_put_u32(skb, NLBL_MGMT_A_CV4DOI,
366 entry->type_def.cipsov4->doi); 364 entry->def.cipso->doi);
367 break; 365 break;
368 } 366 }
369 367
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index af3531926ee0..8f0897407a2c 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1541,7 +1541,7 @@ int __init netlbl_unlabel_defconf(void)
1541 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1541 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1542 if (entry == NULL) 1542 if (entry == NULL)
1543 return -ENOMEM; 1543 return -ENOMEM;
1544 entry->type = NETLBL_NLTYPE_UNLABELED; 1544 entry->def.type = NETLBL_NLTYPE_UNLABELED;
1545 ret_val = netlbl_domhsh_add_default(entry, &audit_info); 1545 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
1546 if (ret_val != 0) 1546 if (ret_val != 0)
1547 return ret_val; 1547 return ret_val;