6 files changed, 131 insertions, 35 deletions
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 9b7d6f2ac9a3..ffbc7f28335a 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -144,10 +144,9 @@ struct netlbl_lsm_secattr {
 };
 /*
- * LSM security attribute operations
+ * LSM security attribute operations (inline)
 */
 /**
 * netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache
 * @flags: the memory allocation flags
@@ -283,6 +282,9 @@ static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr)
 }
 #ifdef CONFIG_NETLABEL
+/*
+ * LSM security attribute operations
+ */
 int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
                               u32 offset);
 int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
@@ -294,6 +296,25 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
                                 u32 start,
                                 u32 end,
                                 gfp_t flags);
+/*
+ * LSM protocol operations
+ */
+int netlbl_enabled(void);
+int netlbl_sock_setattr(struct sock *sk,
+                        const struct netlbl_lsm_secattr *secattr);
+int netlbl_sock_getattr(struct sock *sk,
+                        struct netlbl_lsm_secattr *secattr);
+int netlbl_skbuff_getattr(const struct sk_buff *skb,
+                          struct netlbl_lsm_secattr *secattr);
+void netlbl_skbuff_err(struct sk_buff *skb, int error);
+/*
+ * LSM label mapping cache operations
+ */
+void netlbl_cache_invalidate(void);
+int netlbl_cache_add(const struct sk_buff *skb,
+                     const struct netlbl_lsm_secattr *secattr);
 #else
 static inline int netlbl_secattr_catmap_walk(
                                      struct netlbl_lsm_secattr_catmap *catmap,
@@ -301,14 +322,12 @@ static inline int netlbl_secattr_catmap_walk(
 {
        return -ENOENT;
 }
 static inline int netlbl_secattr_catmap_walk_rng(
                                      struct netlbl_lsm_secattr_catmap *catmap,
                                      u32 offset)
 {
        return -ENOENT;
 }
 static inline int netlbl_secattr_catmap_setbit(
                                      struct netlbl_lsm_secattr_catmap *catmap,
                                      u32 bit,
@@ -316,7 +335,6 @@ static inline int netlbl_secattr_catmap_setbit(
 {
        return 0;
 }
 static inline int netlbl_secattr_catmap_setrng(
                                      struct netlbl_lsm_secattr_catmap *catmap,
                                      u32 start,
@@ -325,59 +343,33 @@ static inline int netlbl_secattr_catmap_setrng(
 {
        return 0;
 }
-#endif
+static inline int netlbl_enabled(void)
+{
-/*
+        return 0;
- * LSM protocol operations
+}
- */
-#ifdef CONFIG_NETLABEL
-int netlbl_sock_setattr(struct sock *sk,
-                        const struct netlbl_lsm_secattr *secattr);
-int netlbl_sock_getattr(struct sock *sk,
-                        struct netlbl_lsm_secattr *secattr);
-int netlbl_skbuff_getattr(const struct sk_buff *skb,
-                          struct netlbl_lsm_secattr *secattr);
-void netlbl_skbuff_err(struct sk_buff *skb, int error);
-#else
 static inline int netlbl_sock_setattr(struct sock *sk,
                                     const struct netlbl_lsm_secattr *secattr)
 {
        return -ENOSYS;
 }
 static inline int netlbl_sock_getattr(struct sock *sk,
                                      struct netlbl_lsm_secattr *secattr)
 {
        return -ENOSYS;
 }
 static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
                                        struct netlbl_lsm_secattr *secattr)
 {
        return -ENOSYS;
 }
 static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)
 {
        return;
 }
-#endif /* CONFIG_NETLABEL */
-/*
- * LSM label mapping cache operations
- */
-#ifdef CONFIG_NETLABEL
-void netlbl_cache_invalidate(void);
-int netlbl_cache_add(const struct sk_buff *skb,
-                     const struct netlbl_lsm_secattr *secattr);
-#else
 static inline void netlbl_cache_invalidate(void)
 {
        return;
 }
 static inline int netlbl_cache_add(const struct sk_buff *skb,
                                   const struct netlbl_lsm_secattr *secattr)
 {
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index 24b660f16ce3..c060e3f991f1 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -41,6 +41,7 @@
 #include "netlabel_user.h"
 #include "netlabel_cipso_v4.h"
+#include "netlabel_mgmt.h"
 /* Argument struct for cipso_v4_doi_walk() */
 struct netlbl_cipsov4_doiwalk_arg {
@@ -419,6 +420,8 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
                ret_val = netlbl_cipsov4_add_pass(info);
                break;
        }
+        if (ret_val == 0)
+                netlbl_mgmt_protocount_inc();
        audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
                                              &audit_info);
@@ -694,6 +697,8 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
        ret_val = cipso_v4_doi_remove(doi,
                                      &audit_info,
                                      netlbl_cipsov4_doi_free);
+        if (ret_val == 0)
+                netlbl_mgmt_protocount_dec();
        audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
                                              &audit_info);
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index b165712aaa70..4f50949722a9 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -38,6 +38,7 @@
 #include "netlabel_domainhash.h"
 #include "netlabel_unlabeled.h"
 #include "netlabel_user.h"
+#include "netlabel_mgmt.h"
 /*
 * Security Attribute Functions
@@ -245,6 +246,26 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
 */
 /**
+ * netlbl_enabled - Determine if the NetLabel subsystem is enabled
+ *
+ * Description:
+ * The LSM can use this function to determine if it should use NetLabel
+ * security attributes in it's enforcement mechanism.  Currently, NetLabel is
+ * considered to be enabled when it's configuration contains a valid setup for
+ * at least one labeled protocol (i.e. NetLabel can understand incoming
+ * labeled packets of at least one type); otherwise NetLabel is considered to
+ * be disabled.
+ *
+ */
+int netlbl_enabled(void)
+{
+        /* At some point we probably want to expose this mechanism to the user
+         * as well so that admins can toggle NetLabel regardless of the
+         * configuration */
+        return (netlbl_mgmt_protocount_value() > 0 ? 1 : 0);
+}
+/**
 * netlbl_socket_setattr - Label a socket using the correct protocol
 * @sk: the socket to label
 * @secattr: the security attributes
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
index e00fc219c72b..5315dacc5222 100644
--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -42,6 +42,10 @@
 #include "netlabel_user.h"
 #include "netlabel_mgmt.h"
+/* NetLabel configured protocol count */
+static DEFINE_SPINLOCK(netlabel_mgmt_protocount_lock);
+static u32 netlabel_mgmt_protocount = 0;
 /* Argument struct for netlbl_domhsh_walk() */
 struct netlbl_domhsh_walk_arg {
        struct netlink_callback *nl_cb;
@@ -67,6 +71,67 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
 };
 /*
+ * NetLabel Misc Managment Functions
+ */
+/**
+ * netlbl_mgmt_protocount_inc - Increment the configured labeled protocol count
+ *
+ * Description:
+ * Increment the number of labeled protocol configurations in the current
+ * NetLabel configuration.  Keep track of this for use in determining if
+ * NetLabel label enforcement should be active/enabled or not in the LSM.
+ *
+ */
+void netlbl_mgmt_protocount_inc(void)
+{
+        rcu_read_lock();
+        spin_lock(&netlabel_mgmt_protocount_lock);
+        netlabel_mgmt_protocount++;
+        spin_unlock(&netlabel_mgmt_protocount_lock);
+        rcu_read_unlock();
+}
+/**
+ * netlbl_mgmt_protocount_dec - Decrement the configured labeled protocol count
+ *
+ * Description:
+ * Decrement the number of labeled protocol configurations in the current
+ * NetLabel configuration.  Keep track of this for use in determining if
+ * NetLabel label enforcement should be active/enabled or not in the LSM.
+ *
+ */
+void netlbl_mgmt_protocount_dec(void)
+{
+        rcu_read_lock();
+        spin_lock(&netlabel_mgmt_protocount_lock);
+        if (netlabel_mgmt_protocount > 0)
+                netlabel_mgmt_protocount--;
+        spin_unlock(&netlabel_mgmt_protocount_lock);
+        rcu_read_unlock();
+}
+/**
+ * netlbl_mgmt_protocount_value - Return the number of configured protocols
+ *
+ * Description:
+ * Return the number of labeled protocols in the current NetLabel
+ * configuration.  This value is useful in  determining if NetLabel label
+ * enforcement should be active/enabled or not in the LSM.
+ *
+ */
+u32 netlbl_mgmt_protocount_value(void)
+{
+        u32 val;
+        rcu_read_lock();
+        val = netlabel_mgmt_protocount;
+        rcu_read_unlock();
+        return val;
+}
+/*
 * NetLabel Command Handlers
 */
diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h
index 3642d3bfc8eb..ccb2b3923591 100644
--- a/net/netlabel/netlabel_mgmt.h
+++ b/net/netlabel/netlabel_mgmt.h
@@ -168,4 +168,9 @@ enum {
 /* NetLabel protocol functions */
 int netlbl_mgmt_genl_init(void);
+/* NetLabel misc management functions */
+void netlbl_mgmt_protocount_inc(void);
+void netlbl_mgmt_protocount_dec(void);
+u32 netlbl_mgmt_protocount_value(void);
 #endif
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index e64eca246f1a..ed9155b29c1a 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -155,6 +155,11 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
        int rc;
        struct netlbl_lsm_secattr secattr;
+        if (!netlbl_enabled()) {
+                *sid = SECSID_NULL;
+                return 0;
+        }
        netlbl_secattr_init(&secattr);
        rc = netlbl_skbuff_getattr(skb, &secattr);
        if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
@@ -298,6 +303,9 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
        u32 netlbl_sid;
        u32 recv_perm;
+        if (!netlbl_enabled())
+                return 0;
        rc = selinux_netlbl_skbuff_getsid(skb,
                                          SECINITSID_UNLABELED,
                                          &netlbl_sid);

diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 9b7d6f2ac9a3..ffbc7f28335a 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h
@@ -144,10 +144,9 @@ struct netlbl_lsm_secattr {
144	};	144	};
145		145
146	/*	146	/*
147	* LSM security attribute operations	147	* LSM security attribute operations (inline)
148	*/	148	*/
149		149
150
151	/**	150	/**
152	* netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache	151	* netlbl_secattr_cache_alloc - Allocate and initialize a secattr cache
153	* @flags: the memory allocation flags	152	* @flags: the memory allocation flags
@@ -283,6 +282,9 @@ static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr)
283	}	282	}
284		283
285	#ifdef CONFIG_NETLABEL	284	#ifdef CONFIG_NETLABEL
		285	/*
		286	* LSM security attribute operations
		287	*/
286	int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,	288	int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap,
287	u32 offset);	289	u32 offset);
288	int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,	290	int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap,
@@ -294,6 +296,25 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
294	u32 start,	296	u32 start,
295	u32 end,	297	u32 end,
296	gfp_t flags);	298	gfp_t flags);
		299
		300	/*
		301	* LSM protocol operations
		302	*/
		303	int netlbl_enabled(void);
		304	int netlbl_sock_setattr(struct sock *sk,
		305	const struct netlbl_lsm_secattr *secattr);
		306	int netlbl_sock_getattr(struct sock *sk,
		307	struct netlbl_lsm_secattr *secattr);
		308	int netlbl_skbuff_getattr(const struct sk_buff *skb,
		309	struct netlbl_lsm_secattr *secattr);
		310	void netlbl_skbuff_err(struct sk_buff *skb, int error);
		311
		312	/*
		313	* LSM label mapping cache operations
		314	*/
		315	void netlbl_cache_invalidate(void);
		316	int netlbl_cache_add(const struct sk_buff *skb,
		317	const struct netlbl_lsm_secattr *secattr);
297	#else	318	#else
298	static inline int netlbl_secattr_catmap_walk(	319	static inline int netlbl_secattr_catmap_walk(
299	struct netlbl_lsm_secattr_catmap *catmap,	320	struct netlbl_lsm_secattr_catmap *catmap,
@@ -301,14 +322,12 @@ static inline int netlbl_secattr_catmap_walk(
301	{	322	{
302	return -ENOENT;	323	return -ENOENT;
303	}	324	}
304
305	static inline int netlbl_secattr_catmap_walk_rng(	325	static inline int netlbl_secattr_catmap_walk_rng(
306	struct netlbl_lsm_secattr_catmap *catmap,	326	struct netlbl_lsm_secattr_catmap *catmap,
307	u32 offset)	327	u32 offset)
308	{	328	{
309	return -ENOENT;	329	return -ENOENT;
310	}	330	}
311
312	static inline int netlbl_secattr_catmap_setbit(	331	static inline int netlbl_secattr_catmap_setbit(
313	struct netlbl_lsm_secattr_catmap *catmap,	332	struct netlbl_lsm_secattr_catmap *catmap,
314	u32 bit,	333	u32 bit,
@@ -316,7 +335,6 @@ static inline int netlbl_secattr_catmap_setbit(
316	{	335	{
317	return 0;	336	return 0;
318	}	337	}
319
320	static inline int netlbl_secattr_catmap_setrng(	338	static inline int netlbl_secattr_catmap_setrng(
321	struct netlbl_lsm_secattr_catmap *catmap,	339	struct netlbl_lsm_secattr_catmap *catmap,
322	u32 start,	340	u32 start,
@@ -325,59 +343,33 @@ static inline int netlbl_secattr_catmap_setrng(
325	{	343	{
326	return 0;	344	return 0;
327	}	345	}
328	#endif	346	static inline int netlbl_enabled(void)
329		347	{
330	/*	348	return 0;
331	* LSM protocol operations	349	}
332	*/
333
334	#ifdef CONFIG_NETLABEL
335	int netlbl_sock_setattr(struct sock *sk,
336	const struct netlbl_lsm_secattr *secattr);
337	int netlbl_sock_getattr(struct sock *sk,
338	struct netlbl_lsm_secattr *secattr);
339	int netlbl_skbuff_getattr(const struct sk_buff *skb,
340	struct netlbl_lsm_secattr *secattr);
341	void netlbl_skbuff_err(struct sk_buff *skb, int error);
342	#else
343	static inline int netlbl_sock_setattr(struct sock *sk,	350	static inline int netlbl_sock_setattr(struct sock *sk,
344	const struct netlbl_lsm_secattr *secattr)	351	const struct netlbl_lsm_secattr *secattr)
345	{	352	{
346	return -ENOSYS;	353	return -ENOSYS;
347	}	354	}
348
349	static inline int netlbl_sock_getattr(struct sock *sk,	355	static inline int netlbl_sock_getattr(struct sock *sk,
350	struct netlbl_lsm_secattr *secattr)	356	struct netlbl_lsm_secattr *secattr)
351	{	357	{
352	return -ENOSYS;	358	return -ENOSYS;
353	}	359	}
354
355	static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,	360	static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
356	struct netlbl_lsm_secattr *secattr)	361	struct netlbl_lsm_secattr *secattr)
357	{	362	{
358	return -ENOSYS;	363	return -ENOSYS;
359	}	364	}
360
361	static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)	365	static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)
362	{	366	{
363	return;	367	return;
364	}	368	}
365	#endif /* CONFIG_NETLABEL */
366
367	/*
368	* LSM label mapping cache operations
369	*/
370
371	#ifdef CONFIG_NETLABEL
372	void netlbl_cache_invalidate(void);
373	int netlbl_cache_add(const struct sk_buff *skb,
374	const struct netlbl_lsm_secattr *secattr);
375	#else
376	static inline void netlbl_cache_invalidate(void)	369	static inline void netlbl_cache_invalidate(void)
377	{	370	{
378	return;	371	return;
379	}	372	}
380
381	static inline int netlbl_cache_add(const struct sk_buff *skb,	373	static inline int netlbl_cache_add(const struct sk_buff *skb,
382	const struct netlbl_lsm_secattr *secattr)	374	const struct netlbl_lsm_secattr *secattr)
383	{	375	{


diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index 24b660f16ce3..c060e3f991f1 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c
@@ -41,6 +41,7 @@
41		41
42	#include "netlabel_user.h"	42	#include "netlabel_user.h"
43	#include "netlabel_cipso_v4.h"	43	#include "netlabel_cipso_v4.h"
		44	#include "netlabel_mgmt.h"
44		45
45	/* Argument struct for cipso_v4_doi_walk() */	46	/* Argument struct for cipso_v4_doi_walk() */
46	struct netlbl_cipsov4_doiwalk_arg {	47	struct netlbl_cipsov4_doiwalk_arg {
@@ -419,6 +420,8 @@ static int netlbl_cipsov4_add(struct sk_buff skb, struct genl_info info)
419	ret_val = netlbl_cipsov4_add_pass(info);	420	ret_val = netlbl_cipsov4_add_pass(info);
420	break;	421	break;
421	}	422	}
		423	if (ret_val == 0)
		424	netlbl_mgmt_protocount_inc();
422		425
423	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,	426	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
424	&audit_info);	427	&audit_info);
@@ -694,6 +697,8 @@ static int netlbl_cipsov4_remove(struct sk_buff skb, struct genl_info info)
694	ret_val = cipso_v4_doi_remove(doi,	697	ret_val = cipso_v4_doi_remove(doi,
695	&audit_info,	698	&audit_info,
696	netlbl_cipsov4_doi_free);	699	netlbl_cipsov4_doi_free);
		700	if (ret_val == 0)
		701	netlbl_mgmt_protocount_dec();
697		702
698	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,	703	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
699	&audit_info);	704	&audit_info);


diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index b165712aaa70..4f50949722a9 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c
@@ -38,6 +38,7 @@
38	#include "netlabel_domainhash.h"	38	#include "netlabel_domainhash.h"
39	#include "netlabel_unlabeled.h"	39	#include "netlabel_unlabeled.h"
40	#include "netlabel_user.h"	40	#include "netlabel_user.h"
		41	#include "netlabel_mgmt.h"
41		42
42	/*	43	/*
43	* Security Attribute Functions	44	* Security Attribute Functions
@@ -245,6 +246,26 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
245	*/	246	*/
246		247
247	/**	248	/**
		249	* netlbl_enabled - Determine if the NetLabel subsystem is enabled
		250	*
		251	* Description:
		252	* The LSM can use this function to determine if it should use NetLabel
		253	* security attributes in it's enforcement mechanism. Currently, NetLabel is
		254	* considered to be enabled when it's configuration contains a valid setup for
		255	* at least one labeled protocol (i.e. NetLabel can understand incoming
		256	* labeled packets of at least one type); otherwise NetLabel is considered to
		257	* be disabled.
		258	*
		259	*/
		260	int netlbl_enabled(void)
		261	{
		262	/* At some point we probably want to expose this mechanism to the user
		263	* as well so that admins can toggle NetLabel regardless of the
		264	* configuration */
		265	return (netlbl_mgmt_protocount_value() > 0 ? 1 : 0);
		266	}
		267
		268	/**
248	* netlbl_socket_setattr - Label a socket using the correct protocol	269	* netlbl_socket_setattr - Label a socket using the correct protocol
249	* @sk: the socket to label	270	* @sk: the socket to label
250	* @secattr: the security attributes	271	* @secattr: the security attributes


diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c index e00fc219c72b..5315dacc5222 100644 --- a/net/netlabel/netlabel_mgmt.c +++ b/net/netlabel/netlabel_mgmt.c
@@ -42,6 +42,10 @@
42	#include "netlabel_user.h"	42	#include "netlabel_user.h"
43	#include "netlabel_mgmt.h"	43	#include "netlabel_mgmt.h"
44		44
		45	/* NetLabel configured protocol count */
		46	static DEFINE_SPINLOCK(netlabel_mgmt_protocount_lock);
		47	static u32 netlabel_mgmt_protocount = 0;
		48
45	/* Argument struct for netlbl_domhsh_walk() */	49	/* Argument struct for netlbl_domhsh_walk() */
46	struct netlbl_domhsh_walk_arg {	50	struct netlbl_domhsh_walk_arg {
47	struct netlink_callback *nl_cb;	51	struct netlink_callback *nl_cb;
@@ -67,6 +71,67 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
67	};	71	};
68		72
69	/*	73	/*
		74	* NetLabel Misc Managment Functions
		75	*/
		76
		77	/**
		78	* netlbl_mgmt_protocount_inc - Increment the configured labeled protocol count
		79	*
		80	* Description:
		81	* Increment the number of labeled protocol configurations in the current
		82	* NetLabel configuration. Keep track of this for use in determining if
		83	* NetLabel label enforcement should be active/enabled or not in the LSM.
		84	*
		85	*/
		86	void netlbl_mgmt_protocount_inc(void)
		87	{
		88	rcu_read_lock();
		89	spin_lock(&netlabel_mgmt_protocount_lock);
		90	netlabel_mgmt_protocount++;
		91	spin_unlock(&netlabel_mgmt_protocount_lock);
		92	rcu_read_unlock();
		93	}
		94
		95	/**
		96	* netlbl_mgmt_protocount_dec - Decrement the configured labeled protocol count
		97	*
		98	* Description:
		99	* Decrement the number of labeled protocol configurations in the current
		100	* NetLabel configuration. Keep track of this for use in determining if
		101	* NetLabel label enforcement should be active/enabled or not in the LSM.
		102	*
		103	*/
		104	void netlbl_mgmt_protocount_dec(void)
		105	{
		106	rcu_read_lock();
		107	spin_lock(&netlabel_mgmt_protocount_lock);
		108	if (netlabel_mgmt_protocount > 0)
		109	netlabel_mgmt_protocount--;
		110	spin_unlock(&netlabel_mgmt_protocount_lock);
		111	rcu_read_unlock();
		112	}
		113
		114	/**
		115	* netlbl_mgmt_protocount_value - Return the number of configured protocols
		116	*
		117	* Description:
		118	* Return the number of labeled protocols in the current NetLabel
		119	* configuration. This value is useful in determining if NetLabel label
		120	* enforcement should be active/enabled or not in the LSM.
		121	*
		122	*/
		123	u32 netlbl_mgmt_protocount_value(void)
		124	{
		125	u32 val;
		126
		127	rcu_read_lock();
		128	val = netlabel_mgmt_protocount;
		129	rcu_read_unlock();
		130
		131	return val;
		132	}
		133
		134	/*
70	* NetLabel Command Handlers	135	* NetLabel Command Handlers
71	*/	136	*/
72		137


diff --git a/net/netlabel/netlabel_mgmt.h b/net/netlabel/netlabel_mgmt.h index 3642d3bfc8eb..ccb2b3923591 100644 --- a/net/netlabel/netlabel_mgmt.h +++ b/net/netlabel/netlabel_mgmt.h
@@ -168,4 +168,9 @@ enum {
168	/* NetLabel protocol functions */	168	/* NetLabel protocol functions */
169	int netlbl_mgmt_genl_init(void);	169	int netlbl_mgmt_genl_init(void);
170		170
		171	/* NetLabel misc management functions */
		172	void netlbl_mgmt_protocount_inc(void);
		173	void netlbl_mgmt_protocount_dec(void);
		174	u32 netlbl_mgmt_protocount_value(void);
		175
171	#endif	176	#endif


diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index e64eca246f1a..ed9155b29c1a 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c
@@ -155,6 +155,11 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff skb, u32 base_sid, u32 sid)
155	int rc;	155	int rc;
156	struct netlbl_lsm_secattr secattr;	156	struct netlbl_lsm_secattr secattr;
157		157
		158	if (!netlbl_enabled()) {
		159	*sid = SECSID_NULL;
		160	return 0;
		161	}
		162
158	netlbl_secattr_init(&secattr);	163	netlbl_secattr_init(&secattr);
159	rc = netlbl_skbuff_getattr(skb, &secattr);	164	rc = netlbl_skbuff_getattr(skb, &secattr);
160	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)	165	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
@@ -298,6 +303,9 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
298	u32 netlbl_sid;	303	u32 netlbl_sid;
299	u32 recv_perm;	304	u32 recv_perm;
300		305
		306	if (!netlbl_enabled())
		307	return 0;
		308
301	rc = selinux_netlbl_skbuff_getsid(skb,	309	rc = selinux_netlbl_skbuff_getsid(skb,
302	SECINITSID_UNLABELED,	310	SECINITSID_UNLABELED,
303	&netlbl_sid);	311	&netlbl_sid);