author | Paul Moore <paul.moore@hp.com> | 2006-11-17 17:38:46 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-03 00:24:07 -0500 |
commit | 701a90bad99b8081a824cca52c178c8fc8f46bb2 (patch) | |
tree | 5fed88e6707e9122d7f16e4c5d8fea7c69e090ac /net | |
parent | c6fa82a9dd6160e0bc980cb0401c16bf62f2fe66 (diff) |
NetLabel: make netlbl_lsm_secattr struct easier/quicker to understand
The existing netlbl_lsm_secattr struct required the LSM to check all of the
fields to determine if any security attributes were present resulting in a lot
of work in the common case of no attributes. This patch adds a 'flags' field
which is used to indicate which attributes are present in the structure; this
should allow the LSM to do a quick comparison to determine if the structure
holds any security attributes.
Example:
if (netlbl_lsm_secattr->flags)
/* security attributes present */
else
/* NO security attributes present */
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/cipso_ipv4.c | 22 | ||||
-rw-r--r-- | net/netlabel/netlabel_kapi.c | 5 |
2 files changed, 18 insertions, 9 deletions
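diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 095038ad72a4..f0a0785047fe 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -319,6 +319,7 @@ static int cipso_v4_cache_check(const unsigned char *key,
 	entry->activity += 1;
 	atomic_inc(&entry->lsm_data->refcount);
 	secattr->cache = entry->lsm_data;
+	secattr->flags |= NETLBL_SECATTR_CACHE;
 	if (prev_entry == NULL) {
 		spin_unlock_bh(&cipso_v4_cache[bkt].lock);
 		return 0;
@@ -991,12 +992,15 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
 			       unsigned char **buffer,
 			       u32 *buffer_len)
 {
-	int ret_val = -EPERM;
+	int ret_val;
 	unsigned char *buf = NULL;
 	u32 buf_len;
 	u32 level;
 
-	if (secattr->mls_cat) {
+	if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
+		return -EPERM;
+
+	if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
 		buf = kzalloc(CIPSO_V4_HDR_LEN + 4 + CIPSO_V4_TAG1_CAT_LEN,
 			      GFP_ATOMIC);
 		if (buf == NULL)
@@ -1013,10 +1017,10 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
 		/* This will send packets using the "optimized" format when
 		 * possibile as specified in section 3.4.2.6 of the
 		 * CIPSO draft. */
-		if (cipso_v4_rbm_optfmt && (ret_val > 0 && ret_val < 10))
-			ret_val = 10;
-
+		if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10)
+			buf_len = 14;
+		else
 			buf_len = 4 + ret_val;
 	} else {
 		buf = kzalloc(CIPSO_V4_HDR_LEN + 4, GFP_ATOMIC);
 		if (buf == NULL)
@@ -1070,7 +1074,7 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
 	if (ret_val != 0)
 		return ret_val;
 	secattr->mls_lvl = level;
-	secattr->mls_lvl_vld = 1;
+	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
 
 	if (tag_len > 4) {
 		switch (doi_def->type) {
@@ -1094,8 +1098,10 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
 		if (ret_val < 0) {
 			kfree(secattr->mls_cat);
 			return ret_val;
+		} else if (ret_val > 0) {
+			secattr->mls_cat_len = ret_val;
+			secattr->flags |= NETLBL_SECATTR_MLS_CAT;
 		}
-		secattr->mls_cat_len = ret_val;
 	}
 
 	return 0;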
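Review bot: In the cipso_v4_parsetag_rbm hunk ending at new line 1105, the new `else if (ret_val > 0)` branch leaves the `ret_val == 0` outcome unhandled: `secattr->mls_cat`, which is evidently allocated earlier in the function since it is kfree'd on the error path, stays attached to the secattr with neither `mls_cat_len` nor `NETLBL_SECATTR_MLS_CAT` set. If the secattr destroy path frees `mls_cat` only when that flag is set (not visible here) the buffer leaks; if it frees unconditionally the state is merely inconsistent, but either way an explicit `} else { kfree(secattr->mls_cat); secattr->mls_cat = NULL; }` would make the zero-category result deliberate rather than accidental. In the cipso_v4_gentag_rbm hunk at new line 995, dropping the `-EPERM` initializer from `ret_val` is only safe if every path to the function's final return (outside the hunk) assigns it first; worth confirming, since the old default masked that. Both enclosing functions continue past their hunks.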
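diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index ff971103fd0c..da2f1975a042 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -62,6 +62,9 @@ int netlbl_socket_setattr(const struct socket *sock,
 	int ret_val = -ENOENT;
 	struct netlbl_dom_map *dom_entry;
 
+	if ((secattr->flags & NETLBL_SECATTR_DOMAIN) == 0)
+		return -ENOENT;
+
 	rcu_read_lock();
 	dom_entry = netlbl_domhsh_getentry(secattr->domain);
 	if (dom_entry == NULL)
@@ -200,7 +203,7 @@ void netlbl_cache_invalidate(void)
 int netlbl_cache_add(const struct sk_buff *skb,
 		     const struct netlbl_lsm_secattr *secattr)
 {
-	if (secattr->cache == NULL)
+	if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0)
 		return -ENOMSG;
 
 	if (CIPSO_V4_OPTEXIST(skb))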
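Review bot: In the netlbl_cache_add hunk at new line 206 the flag test fully replaces the `secattr->cache == NULL` guard, so a secattr whose NETLBL_SECATTR_CACHE bit is set while `cache` is still NULL now passes straight through to the cache-add code below, which presumably dereferences it. The flag and the pointer are set together in cipso_v4_cache_check in this same commit, but nothing in this function enforces that pairing for other producers; a combined `if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0 || secattr->cache == NULL)` keeps the old NULL safety at no cost. netlbl_cache_add's body continues past the hunk.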