netlabel: Add functionality to set the security attributes of a packet

This patch builds upon the new NetLabel address selector functionality by providing the NetLabel KAPI and CIPSO engine support needed to enable the new packet-based labeling. The only new addition to the NetLabel KAPI at this point is shown below: * int netlbl_skbuff_setattr(skb, family, secattr) ... and is designed to be called from a Netfilter hook after the packet's IP header has been populated such as in the FORWARD or LOCAL_OUT hooks. This patch also provides the necessary SELinux hooks to support this new functionality. Smack support is not currently included due to uncertainty regarding the permissions needed to expand the Smack network access controls. Signed-off-by: Paul Moore <paul.moore@hp.com> Reviewed-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2008-10-10 10:16:32 -0400
committer: Paul Moore <paul.moore@hp.com> 2008-10-10 10:16:32 -0400
commit: 948bf85c1bc9a84754786a9d5dd99b7ecc46451e (patch)
tree: a4706be1f4a5a37408774ef3c4cab8cf2e7775b5 /net
parent: 63c41688743760631188cf0f4ae986a6793ccb0a (diff)
2 files changed, 243 insertions, 39 deletions
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index bf87eddfec30..e13d6dbb66ab 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -13,7 +13,7 @@
 */
 /*
- * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
 *
 * This program is free software;  you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -1665,48 +1665,27 @@ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
 }
 /**
- * cipso_v4_sock_setattr - Add a CIPSO option to a socket
+ * cipso_v4_genopt - Generate a CIPSO option
- * @sk: the socket
+ * @buf: the option buffer
+ * @buf_len: the size of opt_buf
 * @doi_def: the CIPSO DOI to use
- * @secattr: the specific security attributes of the socket
+ * @secattr: the security attributes
 *
 * Description:
- * Set the CIPSO option on the given socket using the DOI definition and
+ * Generate a CIPSO option using the DOI definition and security attributes
- * security attributes passed to the function.  This function requires
+ * passed to the function.  Returns the length of the option on success and
- * exclusive access to @sk, which means it either needs to be in the
+ * negative values on failure.
- * process of being created or locked.  Returns zero on success and negative
- * values on failure.
 *
 */
-int cipso_v4_sock_setattr(struct sock *sk,
+static int cipso_v4_genopt(unsigned char *buf, u32 buf_len,
-                          const struct cipso_v4_doi *doi_def,
+                           const struct cipso_v4_doi *doi_def,
-                          const struct netlbl_lsm_secattr *secattr)
+                           const struct netlbl_lsm_secattr *secattr)
 {
-        int ret_val = -EPERM;
+        int ret_val;
        u32 iter;
-        unsigned char *buf;
-        u32 buf_len = 0;
-        u32 opt_len;
-        struct ip_options *opt = NULL;
-        struct inet_sock *sk_inet;
-        struct inet_connection_sock *sk_conn;
-        /* In the case of sock_create_lite(), the sock->sk field is not
-         * defined yet but it is not a problem as the only users of these
-         * "lite" PF_INET sockets are functions which do an accept() call
-         * afterwards so we will label the socket as part of the accept(). */
-        if (sk == NULL)
-                return 0;
-        /* We allocate the maximum CIPSO option size here so we are probably
+        if (buf_len <= CIPSO_V4_HDR_LEN)
-         * being a little wasteful, but it makes our life _much_ easier later
+                return -ENOSPC;
-         * on and after all we are only talking about 40 bytes. */
-        buf_len = CIPSO_V4_OPT_LEN_MAX;
-        buf = kmalloc(buf_len, GFP_ATOMIC);
-        if (buf == NULL) {
-                ret_val = -ENOMEM;
-                goto socket_setattr_failure;
-        }
        /* XXX - This code assumes only one tag per CIPSO option which isn't
         * really a good assumption to make but since we only support the MAC
@@ -1734,8 +1713,7 @@ int cipso_v4_sock_setattr(struct sock *sk,
                                                   buf_len - CIPSO_V4_HDR_LEN);
                        break;
                default:
-                        ret_val = -EPERM;
+                        return -EPERM;
-                        goto socket_setattr_failure;
                }
                iter++;
@@ -1743,9 +1721,58 @@ int cipso_v4_sock_setattr(struct sock *sk,
                 iter < CIPSO_V4_TAG_MAXCNT &&
                 doi_def->tags[iter] != CIPSO_V4_TAG_INVALID);
        if (ret_val < 0)
-                goto socket_setattr_failure;
+                return ret_val;
        cipso_v4_gentag_hdr(doi_def, buf, ret_val);
-        buf_len = CIPSO_V4_HDR_LEN + ret_val;
+        return CIPSO_V4_HDR_LEN + ret_val;
+}
+/**
+ * cipso_v4_sock_setattr - Add a CIPSO option to a socket
+ * @sk: the socket
+ * @doi_def: the CIPSO DOI to use
+ * @secattr: the specific security attributes of the socket
+ *
+ * Description:
+ * Set the CIPSO option on the given socket using the DOI definition and
+ * security attributes passed to the function.  This function requires
+ * exclusive access to @sk, which means it either needs to be in the
+ * process of being created or locked.  Returns zero on success and negative
+ * values on failure.
+ *
+ */
+int cipso_v4_sock_setattr(struct sock *sk,
+                          const struct cipso_v4_doi *doi_def,
+                          const struct netlbl_lsm_secattr *secattr)
+{
+        int ret_val = -EPERM;
+        unsigned char *buf = NULL;
+        u32 buf_len;
+        u32 opt_len;
+        struct ip_options *opt = NULL;
+        struct inet_sock *sk_inet;
+        struct inet_connection_sock *sk_conn;
+        /* In the case of sock_create_lite(), the sock->sk field is not
+         * defined yet but it is not a problem as the only users of these
+         * "lite" PF_INET sockets are functions which do an accept() call
+         * afterwards so we will label the socket as part of the accept(). */
+        if (sk == NULL)
+                return 0;
+        /* We allocate the maximum CIPSO option size here so we are probably
+         * being a little wasteful, but it makes our life _much_ easier later
+         * on and after all we are only talking about 40 bytes. */
+        buf_len = CIPSO_V4_OPT_LEN_MAX;
+        buf = kmalloc(buf_len, GFP_ATOMIC);
+        if (buf == NULL) {
+                ret_val = -ENOMEM;
+                goto socket_setattr_failure;
+        }
+        ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
+        if (ret_val < 0)
+                goto socket_setattr_failure;
+        buf_len = ret_val;
        /* We can't use ip_options_get() directly because it makes a call to
         * ip_options_get_alloc() which allocates memory with GFP_KERNEL and
@@ -1854,6 +1881,123 @@ int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
 }
 /**
+ * cipso_v4_skbuff_setattr - Set the CIPSO option on a packet
+ * @skb: the packet
+ * @secattr: the security attributes
+ *
+ * Description:
+ * Set the CIPSO option on the given packet based on the security attributes.
+ * Returns a pointer to the IP header on success and NULL on failure.
+ *
+ */
+int cipso_v4_skbuff_setattr(struct sk_buff *skb,
+                            const struct cipso_v4_doi *doi_def,
+                            const struct netlbl_lsm_secattr *secattr)
+{
+        int ret_val;
+        struct iphdr *iph;
+        struct ip_options *opt = &IPCB(skb)->opt;
+        unsigned char buf[CIPSO_V4_OPT_LEN_MAX];
+        u32 buf_len = CIPSO_V4_OPT_LEN_MAX;
+        u32 opt_len;
+        int len_delta;
+        buf_len = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
+        if (buf_len < 0)
+                return buf_len;
+        opt_len = (buf_len + 3) & ~3;
+        /* we overwrite any existing options to ensure that we have enough
+         * room for the CIPSO option, the reason is that we _need_ to guarantee
+         * that the security label is applied to the packet - we do the same
+         * thing when using the socket options and it hasn't caused a problem,
+         * if we need to we can always revisit this choice later */
+        len_delta = opt_len - opt->optlen;
+        /* if we don't ensure enough headroom we could panic on the skb_push()
+         * call below so make sure we have enough, we are also "mangling" the
+         * packet so we should probably do a copy-on-write call anyway */
+        ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
+        if (ret_val < 0)
+                return ret_val;
+        if (len_delta > 0) {
+                /* we assume that the header + opt->optlen have already been
+                 * "pushed" in ip_options_build() or similar */
+                iph = ip_hdr(skb);
+                skb_push(skb, len_delta);
+                memmove((char *)iph - len_delta, iph, iph->ihl << 2);
+                skb_reset_network_header(skb);
+                iph = ip_hdr(skb);
+        } else if (len_delta < 0) {
+                iph = ip_hdr(skb);
+                memset(iph + 1, IPOPT_NOP, opt->optlen);
+        } else
+                iph = ip_hdr(skb);
+        if (opt->optlen > 0)
+                memset(opt, 0, sizeof(*opt));
+        opt->optlen = opt_len;
+        opt->cipso = sizeof(struct iphdr);
+        opt->is_changed = 1;
+        /* we have to do the following because we are being called from a
+         * netfilter hook which means the packet already has had the header
+         * fields populated and the checksum calculated - yes this means we
+         * are doing more work than needed but we do it to keep the core
+         * stack clean and tidy */
+        memcpy(iph + 1, buf, buf_len);
+        if (opt_len > buf_len)
+                memset((char *)(iph + 1) + buf_len, 0, opt_len - buf_len);
+        if (len_delta != 0) {
+                iph->ihl = 5 + (opt_len >> 2);
+                iph->tot_len = htons(skb->len);
+        }
+        ip_send_check(iph);
+        return 0;
+}
+/**
+ * cipso_v4_skbuff_delattr - Delete any CIPSO options from a packet
+ * @skb: the packet
+ *
+ * Description:
+ * Removes any and all CIPSO options from the given packet.  Returns zero on
+ * success, negative values on failure.
+ *
+ */
+int cipso_v4_skbuff_delattr(struct sk_buff *skb)
+{
+        int ret_val;
+        struct iphdr *iph;
+        struct ip_options *opt = &IPCB(skb)->opt;
+        unsigned char *cipso_ptr;
+        if (opt->cipso == 0)
+                return 0;
+        /* since we are changing the packet we should make a copy */
+        ret_val = skb_cow(skb, skb_headroom(skb));
+        if (ret_val < 0)
+                return ret_val;
+        /* the easiest thing to do is just replace the cipso option with noop
+         * options since we don't change the size of the packet, although we
+         * still need to recalculate the checksum */
+        iph = ip_hdr(skb);
+        cipso_ptr = (unsigned char *)iph + opt->cipso;
+        memset(cipso_ptr, IPOPT_NOOP, cipso_ptr[1]);
+        opt->cipso = 0;
+        opt->is_changed = 1;
+        ip_send_check(iph);
+        return 0;
+}
+/**
 * cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option
 * @skb: the packet
 * @secattr: the security attributes
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 8b820dc98060..cc8047d1f505 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -473,6 +473,66 @@ int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
 }
 /**
+ * netlbl_skbuff_setattr - Label a packet using the correct protocol
+ * @skb: the packet
+ * @family: protocol family
+ * @secattr: the security attributes
+ *
+ * Description:
+ * Attach the correct label to the given packet using the security attributes
+ * specified in @secattr.  Returns zero on success, negative values on failure.
+ *
+ */
+int netlbl_skbuff_setattr(struct sk_buff *skb,
+                          u16 family,
+                          const struct netlbl_lsm_secattr *secattr)
+{
+        int ret_val;
+        struct iphdr *hdr4;
+        struct netlbl_domaddr4_map *af4_entry;
+        rcu_read_lock();
+        switch (family) {
+        case AF_INET:
+                hdr4 = ip_hdr(skb);
+                af4_entry = netlbl_domhsh_getentry_af4(secattr->domain,
+                                                       hdr4->daddr);
+                if (af4_entry == NULL) {
+                        ret_val = -ENOENT;
+                        goto skbuff_setattr_return;
+                }
+                switch (af4_entry->type) {
+                case NETLBL_NLTYPE_CIPSOV4:
+                        ret_val = cipso_v4_skbuff_setattr(skb,
+                                                   af4_entry->type_def.cipsov4,
+                                                   secattr);
+                        break;
+                case NETLBL_NLTYPE_UNLABELED:
+                        /* just delete the protocols we support for right now
+                         * but we could remove other protocols if needed */
+                        ret_val = cipso_v4_skbuff_delattr(skb);
+                        break;
+                default:
+                        ret_val = -ENOENT;
+                }
+                break;
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+        case AF_INET6:
+                /* since we don't support any IPv6 labeling protocols right
+                 * now we can optimize everything away until we do */
+                ret_val = 0;
+                break;
+#endif /* IPv6 */
+        default:
+                ret_val = 0;
+        }
+skbuff_setattr_return:
+        rcu_read_unlock();
+        return ret_val;
+}
+/**
 * netlbl_skbuff_getattr - Determine the security attributes of a packet
 * @skb: the packet
 * @family: protocol family
author	Paul Moore <paul.moore@hp.com>	2008-10-10 10:16:32 -0400
committer	Paul Moore <paul.moore@hp.com>	2008-10-10 10:16:32 -0400
commit	948bf85c1bc9a84754786a9d5dd99b7ecc46451e (patch)
tree	a4706be1f4a5a37408774ef3c4cab8cf2e7775b5 /net
parent	63c41688743760631188cf0f4ae986a6793ccb0a (diff)

diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index bf87eddfec30..e13d6dbb66ab 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c
@@ -13,7 +13,7 @@
13	*/	13	*/
14		14
15	/*	15	/*
16	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006	16	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
17	*	17	*
18	* This program is free software; you can redistribute it and/or modify	18	* This program is free software; you can redistribute it and/or modify
19	* it under the terms of the GNU General Public License as published by	19	* it under the terms of the GNU General Public License as published by
@@ -1665,48 +1665,27 @@ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
1665	}	1665	}
1666		1666
1667	/**	1667	/**
1668	* cipso_v4_sock_setattr - Add a CIPSO option to a socket	1668	* cipso_v4_genopt - Generate a CIPSO option
1669	* @sk: the socket	1669	* @buf: the option buffer
		1670	* @buf_len: the size of opt_buf
1670	* @doi_def: the CIPSO DOI to use	1671	* @doi_def: the CIPSO DOI to use
1671	* @secattr: the specific security attributes of the socket	1672	* @secattr: the security attributes
1672	*	1673	*
1673	* Description:	1674	* Description:
1674	* Set the CIPSO option on the given socket using the DOI definition and	1675	* Generate a CIPSO option using the DOI definition and security attributes
1675	* security attributes passed to the function. This function requires	1676	* passed to the function. Returns the length of the option on success and
1676	* exclusive access to @sk, which means it either needs to be in the	1677	* negative values on failure.
1677	* process of being created or locked. Returns zero on success and negative
1678	* values on failure.
1679	*	1678	*
1680	*/	1679	*/
1681	int cipso_v4_sock_setattr(struct sock *sk,	1680	static int cipso_v4_genopt(unsigned char *buf, u32 buf_len,
1682	const struct cipso_v4_doi *doi_def,	1681	const struct cipso_v4_doi *doi_def,
1683	const struct netlbl_lsm_secattr *secattr)	1682	const struct netlbl_lsm_secattr *secattr)
1684	{	1683	{
1685	int ret_val = -EPERM;	1684	int ret_val;
1686	u32 iter;	1685	u32 iter;
1687	unsigned char *buf;
1688	u32 buf_len = 0;
1689	u32 opt_len;
1690	struct ip_options *opt = NULL;
1691	struct inet_sock *sk_inet;
1692	struct inet_connection_sock *sk_conn;
1693
1694	/* In the case of sock_create_lite(), the sock->sk field is not
1695	* defined yet but it is not a problem as the only users of these
1696	* "lite" PF_INET sockets are functions which do an accept() call
1697	* afterwards so we will label the socket as part of the accept(). */
1698	if (sk == NULL)
1699	return 0;
1700		1686
1701	/* We allocate the maximum CIPSO option size here so we are probably	1687	if (buf_len <= CIPSO_V4_HDR_LEN)
1702	* being a little wasteful, but it makes our life _much_ easier later	1688	return -ENOSPC;
1703	* on and after all we are only talking about 40 bytes. */
1704	buf_len = CIPSO_V4_OPT_LEN_MAX;
1705	buf = kmalloc(buf_len, GFP_ATOMIC);
1706	if (buf == NULL) {
1707	ret_val = -ENOMEM;
1708	goto socket_setattr_failure;
1709	}
1710		1689
1711	/* XXX - This code assumes only one tag per CIPSO option which isn't	1690	/* XXX - This code assumes only one tag per CIPSO option which isn't
1712	* really a good assumption to make but since we only support the MAC	1691	* really a good assumption to make but since we only support the MAC
@@ -1734,8 +1713,7 @@ int cipso_v4_sock_setattr(struct sock *sk,
1734	buf_len - CIPSO_V4_HDR_LEN);	1713	buf_len - CIPSO_V4_HDR_LEN);
1735	break;	1714	break;
1736	default:	1715	default:
1737	ret_val = -EPERM;	1716	return -EPERM;
1738	goto socket_setattr_failure;
1739	}	1717	}
1740		1718
1741	iter++;	1719	iter++;
@@ -1743,9 +1721,58 @@ int cipso_v4_sock_setattr(struct sock *sk,
1743	iter < CIPSO_V4_TAG_MAXCNT &&	1721	iter < CIPSO_V4_TAG_MAXCNT &&
1744	doi_def->tags[iter] != CIPSO_V4_TAG_INVALID);	1722	doi_def->tags[iter] != CIPSO_V4_TAG_INVALID);
1745	if (ret_val < 0)	1723	if (ret_val < 0)
1746	goto socket_setattr_failure;	1724	return ret_val;
1747	cipso_v4_gentag_hdr(doi_def, buf, ret_val);	1725	cipso_v4_gentag_hdr(doi_def, buf, ret_val);
1748	buf_len = CIPSO_V4_HDR_LEN + ret_val;	1726	return CIPSO_V4_HDR_LEN + ret_val;
		1727	}
		1728
		1729	/**
		1730	* cipso_v4_sock_setattr - Add a CIPSO option to a socket
		1731	* @sk: the socket
		1732	* @doi_def: the CIPSO DOI to use
		1733	* @secattr: the specific security attributes of the socket
		1734	*
		1735	* Description:
		1736	* Set the CIPSO option on the given socket using the DOI definition and
		1737	* security attributes passed to the function. This function requires
		1738	* exclusive access to @sk, which means it either needs to be in the
		1739	* process of being created or locked. Returns zero on success and negative
		1740	* values on failure.
		1741	*
		1742	*/
		1743	int cipso_v4_sock_setattr(struct sock *sk,
		1744	const struct cipso_v4_doi *doi_def,
		1745	const struct netlbl_lsm_secattr *secattr)
		1746	{
		1747	int ret_val = -EPERM;
		1748	unsigned char *buf = NULL;
		1749	u32 buf_len;
		1750	u32 opt_len;
		1751	struct ip_options *opt = NULL;
		1752	struct inet_sock *sk_inet;
		1753	struct inet_connection_sock *sk_conn;
		1754
		1755	/* In the case of sock_create_lite(), the sock->sk field is not
		1756	* defined yet but it is not a problem as the only users of these
		1757	* "lite" PF_INET sockets are functions which do an accept() call
		1758	* afterwards so we will label the socket as part of the accept(). */
		1759	if (sk == NULL)
		1760	return 0;
		1761
		1762	/* We allocate the maximum CIPSO option size here so we are probably
		1763	* being a little wasteful, but it makes our life _much_ easier later
		1764	* on and after all we are only talking about 40 bytes. */
		1765	buf_len = CIPSO_V4_OPT_LEN_MAX;
		1766	buf = kmalloc(buf_len, GFP_ATOMIC);
		1767	if (buf == NULL) {
		1768	ret_val = -ENOMEM;
		1769	goto socket_setattr_failure;
		1770	}
		1771
		1772	ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
		1773	if (ret_val < 0)
		1774	goto socket_setattr_failure;
		1775	buf_len = ret_val;
1749		1776
1750	/* We can't use ip_options_get() directly because it makes a call to	1777	/* We can't use ip_options_get() directly because it makes a call to
1751	* ip_options_get_alloc() which allocates memory with GFP_KERNEL and	1778	* ip_options_get_alloc() which allocates memory with GFP_KERNEL and
@@ -1854,6 +1881,123 @@ int cipso_v4_sock_getattr(struct sock sk, struct netlbl_lsm_secattr secattr)
1854	}	1881	}
1855		1882
1856	/**	1883	/**
		1884	* cipso_v4_skbuff_setattr - Set the CIPSO option on a packet
		1885	* @skb: the packet
		1886	* @secattr: the security attributes
		1887	*
		1888	* Description:
		1889	* Set the CIPSO option on the given packet based on the security attributes.
		1890	* Returns a pointer to the IP header on success and NULL on failure.
		1891	*
		1892	*/
		1893	int cipso_v4_skbuff_setattr(struct sk_buff *skb,
		1894	const struct cipso_v4_doi *doi_def,
		1895	const struct netlbl_lsm_secattr *secattr)
		1896	{
		1897	int ret_val;
		1898	struct iphdr *iph;
		1899	struct ip_options *opt = &IPCB(skb)->opt;
		1900	unsigned char buf[CIPSO_V4_OPT_LEN_MAX];
		1901	u32 buf_len = CIPSO_V4_OPT_LEN_MAX;
		1902	u32 opt_len;
		1903	int len_delta;
		1904
		1905	buf_len = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
		1906	if (buf_len < 0)
		1907	return buf_len;
		1908	opt_len = (buf_len + 3) & ~3;
		1909
		1910	/* we overwrite any existing options to ensure that we have enough
		1911	* room for the CIPSO option, the reason is that we _need_ to guarantee
		1912	* that the security label is applied to the packet - we do the same
		1913	* thing when using the socket options and it hasn't caused a problem,
		1914	* if we need to we can always revisit this choice later */
		1915
		1916	len_delta = opt_len - opt->optlen;
		1917	/* if we don't ensure enough headroom we could panic on the skb_push()
		1918	* call below so make sure we have enough, we are also "mangling" the
		1919	* packet so we should probably do a copy-on-write call anyway */
		1920	ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
		1921	if (ret_val < 0)
		1922	return ret_val;
		1923
		1924	if (len_delta > 0) {
		1925	/* we assume that the header + opt->optlen have already been
		1926	* "pushed" in ip_options_build() or similar */
		1927	iph = ip_hdr(skb);
		1928	skb_push(skb, len_delta);
		1929	memmove((char *)iph - len_delta, iph, iph->ihl << 2);
		1930	skb_reset_network_header(skb);
		1931	iph = ip_hdr(skb);
		1932	} else if (len_delta < 0) {
		1933	iph = ip_hdr(skb);
		1934	memset(iph + 1, IPOPT_NOP, opt->optlen);
		1935	} else
		1936	iph = ip_hdr(skb);
		1937
		1938	if (opt->optlen > 0)
		1939	memset(opt, 0, sizeof(*opt));
		1940	opt->optlen = opt_len;
		1941	opt->cipso = sizeof(struct iphdr);
		1942	opt->is_changed = 1;
		1943
		1944	/* we have to do the following because we are being called from a
		1945	* netfilter hook which means the packet already has had the header
		1946	* fields populated and the checksum calculated - yes this means we
		1947	* are doing more work than needed but we do it to keep the core
		1948	* stack clean and tidy */
		1949	memcpy(iph + 1, buf, buf_len);
		1950	if (opt_len > buf_len)
		1951	memset((char *)(iph + 1) + buf_len, 0, opt_len - buf_len);
		1952	if (len_delta != 0) {
		1953	iph->ihl = 5 + (opt_len >> 2);
		1954	iph->tot_len = htons(skb->len);
		1955	}
		1956	ip_send_check(iph);
		1957
		1958	return 0;
		1959	}
		1960
		1961	/**
		1962	* cipso_v4_skbuff_delattr - Delete any CIPSO options from a packet
		1963	* @skb: the packet
		1964	*
		1965	* Description:
		1966	* Removes any and all CIPSO options from the given packet. Returns zero on
		1967	* success, negative values on failure.
		1968	*
		1969	*/
		1970	int cipso_v4_skbuff_delattr(struct sk_buff *skb)
		1971	{
		1972	int ret_val;
		1973	struct iphdr *iph;
		1974	struct ip_options *opt = &IPCB(skb)->opt;
		1975	unsigned char *cipso_ptr;
		1976
		1977	if (opt->cipso == 0)
		1978	return 0;
		1979
		1980	/* since we are changing the packet we should make a copy */
		1981	ret_val = skb_cow(skb, skb_headroom(skb));
		1982	if (ret_val < 0)
		1983	return ret_val;
		1984
		1985	/* the easiest thing to do is just replace the cipso option with noop
		1986	* options since we don't change the size of the packet, although we
		1987	* still need to recalculate the checksum */
		1988
		1989	iph = ip_hdr(skb);
		1990	cipso_ptr = (unsigned char *)iph + opt->cipso;
		1991	memset(cipso_ptr, IPOPT_NOOP, cipso_ptr[1]);
		1992	opt->cipso = 0;
		1993	opt->is_changed = 1;
		1994
		1995	ip_send_check(iph);
		1996
		1997	return 0;
		1998	}
		1999
		2000	/**
1857	* cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option	2001	* cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option
1858	* @skb: the packet	2002	* @skb: the packet
1859	* @secattr: the security attributes	2003	* @secattr: the security attributes


diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index 8b820dc98060..cc8047d1f505 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c
@@ -473,6 +473,66 @@ int netlbl_sock_getattr(struct sock sk, struct netlbl_lsm_secattr secattr)
473	}	473	}
474		474
475	/**	475	/**
		476	* netlbl_skbuff_setattr - Label a packet using the correct protocol
		477	* @skb: the packet
		478	* @family: protocol family
		479	* @secattr: the security attributes
		480	*
		481	* Description:
		482	* Attach the correct label to the given packet using the security attributes
		483	* specified in @secattr. Returns zero on success, negative values on failure.
		484	*
		485	*/
		486	int netlbl_skbuff_setattr(struct sk_buff *skb,
		487	u16 family,
		488	const struct netlbl_lsm_secattr *secattr)
		489	{
		490	int ret_val;
		491	struct iphdr *hdr4;
		492	struct netlbl_domaddr4_map *af4_entry;
		493
		494	rcu_read_lock();
		495	switch (family) {
		496	case AF_INET:
		497	hdr4 = ip_hdr(skb);
		498	af4_entry = netlbl_domhsh_getentry_af4(secattr->domain,
		499	hdr4->daddr);
		500	if (af4_entry == NULL) {
		501	ret_val = -ENOENT;
		502	goto skbuff_setattr_return;
		503	}
		504	switch (af4_entry->type) {
		505	case NETLBL_NLTYPE_CIPSOV4:
		506	ret_val = cipso_v4_skbuff_setattr(skb,
		507	af4_entry->type_def.cipsov4,
		508	secattr);
		509	break;
		510	case NETLBL_NLTYPE_UNLABELED:
		511	/* just delete the protocols we support for right now
		512	* but we could remove other protocols if needed */
		513	ret_val = cipso_v4_skbuff_delattr(skb);
		514	break;
		515	default:
		516	ret_val = -ENOENT;
		517	}
		518	break;
		519	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
		520	case AF_INET6:
		521	/* since we don't support any IPv6 labeling protocols right
		522	* now we can optimize everything away until we do */
		523	ret_val = 0;
		524	break;
		525	#endif /* IPv6 */
		526	default:
		527	ret_val = 0;
		528	}
		529
		530	skbuff_setattr_return:
		531	rcu_read_unlock();
		532	return ret_val;
		533	}
		534
		535	/**
476	* netlbl_skbuff_getattr - Determine the security attributes of a packet	536	* netlbl_skbuff_getattr - Determine the security attributes of a packet
477	* @skb: the packet	537	* @skb: the packet
478	* @family: protocol family	538	* @family: protocol family