/*1* CIPSO - Commercial IP Security Option2*3* This is an implementation of the CIPSO 2.2 protocol as specified in4* draft-ietf-cipso-ipsecurity-01.txt with additional tag types as found in5* FIPS-188. While CIPSO never became a full IETF RFC standard many vendors6* have chosen to adopt the protocol and over the years it has become a7* de-facto standard for labeled networking.8*9* The CIPSO draft specification can be found in the kernel's Documentation10* directory as well as the following URL:11* http://tools.ietf.org/id/draft-ietf-cipso-ipsecurity-01.txt12* The FIPS-188 specification can be found at the following URL:13* http://www.itl.nist.gov/fipspubs/fip188.htm14*15* Author: Paul Moore <[email protected]>16*17*/1819/*20* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 200821*22* This program is free software; you can redistribute it and/or modify23* it under the terms of the GNU General Public License as published by24* the Free Software Foundation; either version 2 of the License, or25* (at your option) any later version.26*27* This program is distributed in the hope that it will be useful,28* but WITHOUT ANY WARRANTY; without even the implied warranty of29* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See30* the GNU General Public License for more details.31*32* You should have received a copy of the GNU General Public License33* along with this program; if not, write to the Free Software34* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA35*36*/3738#include <linux/init.h>39#include <linux/types.h>40#include <linux/rcupdate.h>41#include <linux/list.h>42#include <linux/spinlock.h>43#include <linux/string.h>44#include <linux/jhash.h>45#include <linux/audit.h>46#include <linux/slab.h>47#include <net/ip.h>48#include <net/icmp.h>49#include <net/tcp.h>50#include <net/netlabel.h>51#include <net/cipso_ipv4.h>52#include <asm/atomic.h>53#include <asm/bug.h>54#include <asm/unaligned.h>5556/* List of available DOI definitions */57/* XXX - This currently assumes a minimal number of different DOIs in use,58* if in practice there are a lot of different DOIs this list should59* probably be turned into a hash table or something similar so we60* can do quick lookups. */61static DEFINE_SPINLOCK(cipso_v4_doi_list_lock);62static LIST_HEAD(cipso_v4_doi_list);6364/* Label mapping cache */65int cipso_v4_cache_enabled = 1;66int cipso_v4_cache_bucketsize = 10;67#define CIPSO_V4_CACHE_BUCKETBITS 768#define CIPSO_V4_CACHE_BUCKETS (1 << CIPSO_V4_CACHE_BUCKETBITS)69#define CIPSO_V4_CACHE_REORDERLIMIT 1070struct cipso_v4_map_cache_bkt {71spinlock_t lock;72u32 size;73struct list_head list;74};75struct cipso_v4_map_cache_entry {76u32 hash;77unsigned char *key;78size_t key_len;7980struct netlbl_lsm_cache *lsm_data;8182u32 activity;83struct list_head list;84};85static struct cipso_v4_map_cache_bkt *cipso_v4_cache = NULL;8687/* Restricted bitmap (tag #1) flags */88int cipso_v4_rbm_optfmt = 0;89int cipso_v4_rbm_strictvalid = 1;9091/*92* Protocol Constants93*/9495/* Maximum size of the CIPSO IP option, derived from the fact that the maximum96* IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */97#define CIPSO_V4_OPT_LEN_MAX 409899/* Length of the base CIPSO option, this includes the option type (1 byte), the100* option length (1 byte), and the DOI (4 bytes). */101#define CIPSO_V4_HDR_LEN 6102103/* Base length of the restrictive category bitmap tag (tag #1). */104#define CIPSO_V4_TAG_RBM_BLEN 4105106/* Base length of the enumerated category tag (tag #2). */107#define CIPSO_V4_TAG_ENUM_BLEN 4108109/* Base length of the ranged categories bitmap tag (tag #5). */110#define CIPSO_V4_TAG_RNG_BLEN 4111/* The maximum number of category ranges permitted in the ranged category tag112* (tag #5). You may note that the IETF draft states that the maximum number113* of category ranges is 7, but if the low end of the last category range is114* zero then it is possible to fit 8 category ranges because the zero should115* be omitted. */116#define CIPSO_V4_TAG_RNG_CAT_MAX 8117118/* Base length of the local tag (non-standard tag).119* Tag definition (may change between kernel versions)120*121* 0 8 16 24 32122* +----------+----------+----------+----------+123* | 10000000 | 00000110 | 32-bit secid value |124* +----------+----------+----------+----------+125* | in (host byte order)|126* +----------+----------+127*128*/129#define CIPSO_V4_TAG_LOC_BLEN 6130131/*132* Helper Functions133*/134135/**136* cipso_v4_bitmap_walk - Walk a bitmap looking for a bit137* @bitmap: the bitmap138* @bitmap_len: length in bits139* @offset: starting offset140* @state: if non-zero, look for a set (1) bit else look for a cleared (0) bit141*142* Description:143* Starting at @offset, walk the bitmap from left to right until either the144* desired bit is found or we reach the end. Return the bit offset, -1 if145* not found, or -2 if error.146*/147static int cipso_v4_bitmap_walk(const unsigned char *bitmap,148u32 bitmap_len,149u32 offset,150u8 state)151{152u32 bit_spot;153u32 byte_offset;154unsigned char bitmask;155unsigned char byte;156157/* gcc always rounds to zero when doing integer division */158byte_offset = offset / 8;159byte = bitmap[byte_offset];160bit_spot = offset;161bitmask = 0x80 >> (offset % 8);162163while (bit_spot < bitmap_len) {164if ((state && (byte & bitmask) == bitmask) ||165(state == 0 && (byte & bitmask) == 0))166return bit_spot;167168bit_spot++;169bitmask >>= 1;170if (bitmask == 0) {171byte = bitmap[++byte_offset];172bitmask = 0x80;173}174}175176return -1;177}178179/**180* cipso_v4_bitmap_setbit - Sets a single bit in a bitmap181* @bitmap: the bitmap182* @bit: the bit183* @state: if non-zero, set the bit (1) else clear the bit (0)184*185* Description:186* Set a single bit in the bitmask. Returns zero on success, negative values187* on error.188*/189static void cipso_v4_bitmap_setbit(unsigned char *bitmap,190u32 bit,191u8 state)192{193u32 byte_spot;194u8 bitmask;195196/* gcc always rounds to zero when doing integer division */197byte_spot = bit / 8;198bitmask = 0x80 >> (bit % 8);199if (state)200bitmap[byte_spot] |= bitmask;201else202bitmap[byte_spot] &= ~bitmask;203}204205/**206* cipso_v4_cache_entry_free - Frees a cache entry207* @entry: the entry to free208*209* Description:210* This function frees the memory associated with a cache entry including the211* LSM cache data if there are no longer any users, i.e. reference count == 0.212*213*/214static void cipso_v4_cache_entry_free(struct cipso_v4_map_cache_entry *entry)215{216if (entry->lsm_data)217netlbl_secattr_cache_free(entry->lsm_data);218kfree(entry->key);219kfree(entry);220}221222/**223* cipso_v4_map_cache_hash - Hashing function for the CIPSO cache224* @key: the hash key225* @key_len: the length of the key in bytes226*227* Description:228* The CIPSO tag hashing function. Returns a 32-bit hash value.229*230*/231static u32 cipso_v4_map_cache_hash(const unsigned char *key, u32 key_len)232{233return jhash(key, key_len, 0);234}235236/*237* Label Mapping Cache Functions238*/239240/**241* cipso_v4_cache_init - Initialize the CIPSO cache242*243* Description:244* Initializes the CIPSO label mapping cache, this function should be called245* before any of the other functions defined in this file. Returns zero on246* success, negative values on error.247*248*/249static int cipso_v4_cache_init(void)250{251u32 iter;252253cipso_v4_cache = kcalloc(CIPSO_V4_CACHE_BUCKETS,254sizeof(struct cipso_v4_map_cache_bkt),255GFP_KERNEL);256if (cipso_v4_cache == NULL)257return -ENOMEM;258259for (iter = 0; iter < CIPSO_V4_CACHE_BUCKETS; iter++) {260spin_lock_init(&cipso_v4_cache[iter].lock);261cipso_v4_cache[iter].size = 0;262INIT_LIST_HEAD(&cipso_v4_cache[iter].list);263}264265return 0;266}267268/**269* cipso_v4_cache_invalidate - Invalidates the current CIPSO cache270*271* Description:272* Invalidates and frees any entries in the CIPSO cache. Returns zero on273* success and negative values on failure.274*275*/276void cipso_v4_cache_invalidate(void)277{278struct cipso_v4_map_cache_entry *entry, *tmp_entry;279u32 iter;280281for (iter = 0; iter < CIPSO_V4_CACHE_BUCKETS; iter++) {282spin_lock_bh(&cipso_v4_cache[iter].lock);283list_for_each_entry_safe(entry,284tmp_entry,285&cipso_v4_cache[iter].list, list) {286list_del(&entry->list);287cipso_v4_cache_entry_free(entry);288}289cipso_v4_cache[iter].size = 0;290spin_unlock_bh(&cipso_v4_cache[iter].lock);291}292}293294/**295* cipso_v4_cache_check - Check the CIPSO cache for a label mapping296* @key: the buffer to check297* @key_len: buffer length in bytes298* @secattr: the security attribute struct to use299*300* Description:301* This function checks the cache to see if a label mapping already exists for302* the given key. If there is a match then the cache is adjusted and the303* @secattr struct is populated with the correct LSM security attributes. The304* cache is adjusted in the following manner if the entry is not already the305* first in the cache bucket:306*307* 1. The cache entry's activity counter is incremented308* 2. The previous (higher ranking) entry's activity counter is decremented309* 3. If the difference between the two activity counters is geater than310* CIPSO_V4_CACHE_REORDERLIMIT the two entries are swapped311*312* Returns zero on success, -ENOENT for a cache miss, and other negative values313* on error.314*315*/316static int cipso_v4_cache_check(const unsigned char *key,317u32 key_len,318struct netlbl_lsm_secattr *secattr)319{320u32 bkt;321struct cipso_v4_map_cache_entry *entry;322struct cipso_v4_map_cache_entry *prev_entry = NULL;323u32 hash;324325if (!cipso_v4_cache_enabled)326return -ENOENT;327328hash = cipso_v4_map_cache_hash(key, key_len);329bkt = hash & (CIPSO_V4_CACHE_BUCKETS - 1);330spin_lock_bh(&cipso_v4_cache[bkt].lock);331list_for_each_entry(entry, &cipso_v4_cache[bkt].list, list) {332if (entry->hash == hash &&333entry->key_len == key_len &&334memcmp(entry->key, key, key_len) == 0) {335entry->activity += 1;336atomic_inc(&entry->lsm_data->refcount);337secattr->cache = entry->lsm_data;338secattr->flags |= NETLBL_SECATTR_CACHE;339secattr->type = NETLBL_NLTYPE_CIPSOV4;340if (prev_entry == NULL) {341spin_unlock_bh(&cipso_v4_cache[bkt].lock);342return 0;343}344345if (prev_entry->activity > 0)346prev_entry->activity -= 1;347if (entry->activity > prev_entry->activity &&348entry->activity - prev_entry->activity >349CIPSO_V4_CACHE_REORDERLIMIT) {350__list_del(entry->list.prev, entry->list.next);351__list_add(&entry->list,352prev_entry->list.prev,353&prev_entry->list);354}355356spin_unlock_bh(&cipso_v4_cache[bkt].lock);357return 0;358}359prev_entry = entry;360}361spin_unlock_bh(&cipso_v4_cache[bkt].lock);362363return -ENOENT;364}365366/**367* cipso_v4_cache_add - Add an entry to the CIPSO cache368* @skb: the packet369* @secattr: the packet's security attributes370*371* Description:372* Add a new entry into the CIPSO label mapping cache. Add the new entry to373* head of the cache bucket's list, if the cache bucket is out of room remove374* the last entry in the list first. It is important to note that there is375* currently no checking for duplicate keys. Returns zero on success,376* negative values on failure.377*378*/379int cipso_v4_cache_add(const struct sk_buff *skb,380const struct netlbl_lsm_secattr *secattr)381{382int ret_val = -EPERM;383u32 bkt;384struct cipso_v4_map_cache_entry *entry = NULL;385struct cipso_v4_map_cache_entry *old_entry = NULL;386unsigned char *cipso_ptr;387u32 cipso_ptr_len;388389if (!cipso_v4_cache_enabled || cipso_v4_cache_bucketsize <= 0)390return 0;391392cipso_ptr = CIPSO_V4_OPTPTR(skb);393cipso_ptr_len = cipso_ptr[1];394395entry = kzalloc(sizeof(*entry), GFP_ATOMIC);396if (entry == NULL)397return -ENOMEM;398entry->key = kmemdup(cipso_ptr, cipso_ptr_len, GFP_ATOMIC);399if (entry->key == NULL) {400ret_val = -ENOMEM;401goto cache_add_failure;402}403entry->key_len = cipso_ptr_len;404entry->hash = cipso_v4_map_cache_hash(cipso_ptr, cipso_ptr_len);405atomic_inc(&secattr->cache->refcount);406entry->lsm_data = secattr->cache;407408bkt = entry->hash & (CIPSO_V4_CACHE_BUCKETS - 1);409spin_lock_bh(&cipso_v4_cache[bkt].lock);410if (cipso_v4_cache[bkt].size < cipso_v4_cache_bucketsize) {411list_add(&entry->list, &cipso_v4_cache[bkt].list);412cipso_v4_cache[bkt].size += 1;413} else {414old_entry = list_entry(cipso_v4_cache[bkt].list.prev,415struct cipso_v4_map_cache_entry, list);416list_del(&old_entry->list);417list_add(&entry->list, &cipso_v4_cache[bkt].list);418cipso_v4_cache_entry_free(old_entry);419}420spin_unlock_bh(&cipso_v4_cache[bkt].lock);421422return 0;423424cache_add_failure:425if (entry)426cipso_v4_cache_entry_free(entry);427return ret_val;428}429430/*431* DOI List Functions432*/433434/**435* cipso_v4_doi_search - Searches for a DOI definition436* @doi: the DOI to search for437*438* Description:439* Search the DOI definition list for a DOI definition with a DOI value that440* matches @doi. The caller is responsible for calling rcu_read_[un]lock().441* Returns a pointer to the DOI definition on success and NULL on failure.442*/443static struct cipso_v4_doi *cipso_v4_doi_search(u32 doi)444{445struct cipso_v4_doi *iter;446447list_for_each_entry_rcu(iter, &cipso_v4_doi_list, list)448if (iter->doi == doi && atomic_read(&iter->refcount))449return iter;450return NULL;451}452453/**454* cipso_v4_doi_add - Add a new DOI to the CIPSO protocol engine455* @doi_def: the DOI structure456* @audit_info: NetLabel audit information457*458* Description:459* The caller defines a new DOI for use by the CIPSO engine and calls this460* function to add it to the list of acceptable domains. The caller must461* ensure that the mapping table specified in @doi_def->map meets all of the462* requirements of the mapping type (see cipso_ipv4.h for details). Returns463* zero on success and non-zero on failure.464*465*/466int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,467struct netlbl_audit *audit_info)468{469int ret_val = -EINVAL;470u32 iter;471u32 doi;472u32 doi_type;473struct audit_buffer *audit_buf;474475doi = doi_def->doi;476doi_type = doi_def->type;477478if (doi_def == NULL || doi_def->doi == CIPSO_V4_DOI_UNKNOWN)479goto doi_add_return;480for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) {481switch (doi_def->tags[iter]) {482case CIPSO_V4_TAG_RBITMAP:483break;484case CIPSO_V4_TAG_RANGE:485case CIPSO_V4_TAG_ENUM:486if (doi_def->type != CIPSO_V4_MAP_PASS)487goto doi_add_return;488break;489case CIPSO_V4_TAG_LOCAL:490if (doi_def->type != CIPSO_V4_MAP_LOCAL)491goto doi_add_return;492break;493case CIPSO_V4_TAG_INVALID:494if (iter == 0)495goto doi_add_return;496break;497default:498goto doi_add_return;499}500}501502atomic_set(&doi_def->refcount, 1);503504spin_lock(&cipso_v4_doi_list_lock);505if (cipso_v4_doi_search(doi_def->doi) != NULL) {506spin_unlock(&cipso_v4_doi_list_lock);507ret_val = -EEXIST;508goto doi_add_return;509}510list_add_tail_rcu(&doi_def->list, &cipso_v4_doi_list);511spin_unlock(&cipso_v4_doi_list_lock);512ret_val = 0;513514doi_add_return:515audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_ADD, audit_info);516if (audit_buf != NULL) {517const char *type_str;518switch (doi_type) {519case CIPSO_V4_MAP_TRANS:520type_str = "trans";521break;522case CIPSO_V4_MAP_PASS:523type_str = "pass";524break;525case CIPSO_V4_MAP_LOCAL:526type_str = "local";527break;528default:529type_str = "(unknown)";530}531audit_log_format(audit_buf,532" cipso_doi=%u cipso_type=%s res=%u",533doi, type_str, ret_val == 0 ? 1 : 0);534audit_log_end(audit_buf);535}536537return ret_val;538}539540/**541* cipso_v4_doi_free - Frees a DOI definition542* @entry: the entry's RCU field543*544* Description:545* This function frees all of the memory associated with a DOI definition.546*547*/548void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)549{550if (doi_def == NULL)551return;552553switch (doi_def->type) {554case CIPSO_V4_MAP_TRANS:555kfree(doi_def->map.std->lvl.cipso);556kfree(doi_def->map.std->lvl.local);557kfree(doi_def->map.std->cat.cipso);558kfree(doi_def->map.std->cat.local);559break;560}561kfree(doi_def);562}563564/**565* cipso_v4_doi_free_rcu - Frees a DOI definition via the RCU pointer566* @entry: the entry's RCU field567*568* Description:569* This function is designed to be used as a callback to the call_rcu()570* function so that the memory allocated to the DOI definition can be released571* safely.572*573*/574static void cipso_v4_doi_free_rcu(struct rcu_head *entry)575{576struct cipso_v4_doi *doi_def;577578doi_def = container_of(entry, struct cipso_v4_doi, rcu);579cipso_v4_doi_free(doi_def);580}581582/**583* cipso_v4_doi_remove - Remove an existing DOI from the CIPSO protocol engine584* @doi: the DOI value585* @audit_secid: the LSM secid to use in the audit message586*587* Description:588* Removes a DOI definition from the CIPSO engine. The NetLabel routines will589* be called to release their own LSM domain mappings as well as our own590* domain list. Returns zero on success and negative values on failure.591*592*/593int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info)594{595int ret_val;596struct cipso_v4_doi *doi_def;597struct audit_buffer *audit_buf;598599spin_lock(&cipso_v4_doi_list_lock);600doi_def = cipso_v4_doi_search(doi);601if (doi_def == NULL) {602spin_unlock(&cipso_v4_doi_list_lock);603ret_val = -ENOENT;604goto doi_remove_return;605}606if (!atomic_dec_and_test(&doi_def->refcount)) {607spin_unlock(&cipso_v4_doi_list_lock);608ret_val = -EBUSY;609goto doi_remove_return;610}611list_del_rcu(&doi_def->list);612spin_unlock(&cipso_v4_doi_list_lock);613614cipso_v4_cache_invalidate();615call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);616ret_val = 0;617618doi_remove_return:619audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_DEL, audit_info);620if (audit_buf != NULL) {621audit_log_format(audit_buf,622" cipso_doi=%u res=%u",623doi, ret_val == 0 ? 1 : 0);624audit_log_end(audit_buf);625}626627return ret_val;628}629630/**631* cipso_v4_doi_getdef - Returns a reference to a valid DOI definition632* @doi: the DOI value633*634* Description:635* Searches for a valid DOI definition and if one is found it is returned to636* the caller. Otherwise NULL is returned. The caller must ensure that637* rcu_read_lock() is held while accessing the returned definition and the DOI638* definition reference count is decremented when the caller is done.639*640*/641struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)642{643struct cipso_v4_doi *doi_def;644645rcu_read_lock();646doi_def = cipso_v4_doi_search(doi);647if (doi_def == NULL)648goto doi_getdef_return;649if (!atomic_inc_not_zero(&doi_def->refcount))650doi_def = NULL;651652doi_getdef_return:653rcu_read_unlock();654return doi_def;655}656657/**658* cipso_v4_doi_putdef - Releases a reference for the given DOI definition659* @doi_def: the DOI definition660*661* Description:662* Releases a DOI definition reference obtained from cipso_v4_doi_getdef().663*664*/665void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def)666{667if (doi_def == NULL)668return;669670if (!atomic_dec_and_test(&doi_def->refcount))671return;672spin_lock(&cipso_v4_doi_list_lock);673list_del_rcu(&doi_def->list);674spin_unlock(&cipso_v4_doi_list_lock);675676cipso_v4_cache_invalidate();677call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);678}679680/**681* cipso_v4_doi_walk - Iterate through the DOI definitions682* @skip_cnt: skip past this number of DOI definitions, updated683* @callback: callback for each DOI definition684* @cb_arg: argument for the callback function685*686* Description:687* Iterate over the DOI definition list, skipping the first @skip_cnt entries.688* For each entry call @callback, if @callback returns a negative value stop689* 'walking' through the list and return. Updates the value in @skip_cnt upon690* return. Returns zero on success, negative values on failure.691*692*/693int cipso_v4_doi_walk(u32 *skip_cnt,694int (*callback) (struct cipso_v4_doi *doi_def, void *arg),695void *cb_arg)696{697int ret_val = -ENOENT;698u32 doi_cnt = 0;699struct cipso_v4_doi *iter_doi;700701rcu_read_lock();702list_for_each_entry_rcu(iter_doi, &cipso_v4_doi_list, list)703if (atomic_read(&iter_doi->refcount) > 0) {704if (doi_cnt++ < *skip_cnt)705continue;706ret_val = callback(iter_doi, cb_arg);707if (ret_val < 0) {708doi_cnt--;709goto doi_walk_return;710}711}712713doi_walk_return:714rcu_read_unlock();715*skip_cnt = doi_cnt;716return ret_val;717}718719/*720* Label Mapping Functions721*/722723/**724* cipso_v4_map_lvl_valid - Checks to see if the given level is understood725* @doi_def: the DOI definition726* @level: the level to check727*728* Description:729* Checks the given level against the given DOI definition and returns a730* negative value if the level does not have a valid mapping and a zero value731* if the level is defined by the DOI.732*733*/734static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def, u8 level)735{736switch (doi_def->type) {737case CIPSO_V4_MAP_PASS:738return 0;739case CIPSO_V4_MAP_TRANS:740if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)741return 0;742break;743}744745return -EFAULT;746}747748/**749* cipso_v4_map_lvl_hton - Perform a level mapping from the host to the network750* @doi_def: the DOI definition751* @host_lvl: the host MLS level752* @net_lvl: the network/CIPSO MLS level753*754* Description:755* Perform a label mapping to translate a local MLS level to the correct756* CIPSO level using the given DOI definition. Returns zero on success,757* negative values otherwise.758*759*/760static int cipso_v4_map_lvl_hton(const struct cipso_v4_doi *doi_def,761u32 host_lvl,762u32 *net_lvl)763{764switch (doi_def->type) {765case CIPSO_V4_MAP_PASS:766*net_lvl = host_lvl;767return 0;768case CIPSO_V4_MAP_TRANS:769if (host_lvl < doi_def->map.std->lvl.local_size &&770doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {771*net_lvl = doi_def->map.std->lvl.local[host_lvl];772return 0;773}774return -EPERM;775}776777return -EINVAL;778}779780/**781* cipso_v4_map_lvl_ntoh - Perform a level mapping from the network to the host782* @doi_def: the DOI definition783* @net_lvl: the network/CIPSO MLS level784* @host_lvl: the host MLS level785*786* Description:787* Perform a label mapping to translate a CIPSO level to the correct local MLS788* level using the given DOI definition. Returns zero on success, negative789* values otherwise.790*791*/792static int cipso_v4_map_lvl_ntoh(const struct cipso_v4_doi *doi_def,793u32 net_lvl,794u32 *host_lvl)795{796struct cipso_v4_std_map_tbl *map_tbl;797798switch (doi_def->type) {799case CIPSO_V4_MAP_PASS:800*host_lvl = net_lvl;801return 0;802case CIPSO_V4_MAP_TRANS:803map_tbl = doi_def->map.std;804if (net_lvl < map_tbl->lvl.cipso_size &&805map_tbl->lvl.cipso[net_lvl] < CIPSO_V4_INV_LVL) {806*host_lvl = doi_def->map.std->lvl.cipso[net_lvl];807return 0;808}809return -EPERM;810}811812return -EINVAL;813}814815/**816* cipso_v4_map_cat_rbm_valid - Checks to see if the category bitmap is valid817* @doi_def: the DOI definition818* @bitmap: category bitmap819* @bitmap_len: bitmap length in bytes820*821* Description:822* Checks the given category bitmap against the given DOI definition and823* returns a negative value if any of the categories in the bitmap do not have824* a valid mapping and a zero value if all of the categories are valid.825*826*/827static int cipso_v4_map_cat_rbm_valid(const struct cipso_v4_doi *doi_def,828const unsigned char *bitmap,829u32 bitmap_len)830{831int cat = -1;832u32 bitmap_len_bits = bitmap_len * 8;833u32 cipso_cat_size;834u32 *cipso_array;835836switch (doi_def->type) {837case CIPSO_V4_MAP_PASS:838return 0;839case CIPSO_V4_MAP_TRANS:840cipso_cat_size = doi_def->map.std->cat.cipso_size;841cipso_array = doi_def->map.std->cat.cipso;842for (;;) {843cat = cipso_v4_bitmap_walk(bitmap,844bitmap_len_bits,845cat + 1,8461);847if (cat < 0)848break;849if (cat >= cipso_cat_size ||850cipso_array[cat] >= CIPSO_V4_INV_CAT)851return -EFAULT;852}853854if (cat == -1)855return 0;856break;857}858859return -EFAULT;860}861862/**863* cipso_v4_map_cat_rbm_hton - Perform a category mapping from host to network864* @doi_def: the DOI definition865* @secattr: the security attributes866* @net_cat: the zero'd out category bitmap in network/CIPSO format867* @net_cat_len: the length of the CIPSO bitmap in bytes868*869* Description:870* Perform a label mapping to translate a local MLS category bitmap to the871* correct CIPSO bitmap using the given DOI definition. Returns the minimum872* size in bytes of the network bitmap on success, negative values otherwise.873*874*/875static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def,876const struct netlbl_lsm_secattr *secattr,877unsigned char *net_cat,878u32 net_cat_len)879{880int host_spot = -1;881u32 net_spot = CIPSO_V4_INV_CAT;882u32 net_spot_max = 0;883u32 net_clen_bits = net_cat_len * 8;884u32 host_cat_size = 0;885u32 *host_cat_array = NULL;886887if (doi_def->type == CIPSO_V4_MAP_TRANS) {888host_cat_size = doi_def->map.std->cat.local_size;889host_cat_array = doi_def->map.std->cat.local;890}891892for (;;) {893host_spot = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,894host_spot + 1);895if (host_spot < 0)896break;897898switch (doi_def->type) {899case CIPSO_V4_MAP_PASS:900net_spot = host_spot;901break;902case CIPSO_V4_MAP_TRANS:903if (host_spot >= host_cat_size)904return -EPERM;905net_spot = host_cat_array[host_spot];906if (net_spot >= CIPSO_V4_INV_CAT)907return -EPERM;908break;909}910if (net_spot >= net_clen_bits)911return -ENOSPC;912cipso_v4_bitmap_setbit(net_cat, net_spot, 1);913914if (net_spot > net_spot_max)915net_spot_max = net_spot;916}917918if (++net_spot_max % 8)919return net_spot_max / 8 + 1;920return net_spot_max / 8;921}922923/**924* cipso_v4_map_cat_rbm_ntoh - Perform a category mapping from network to host925* @doi_def: the DOI definition926* @net_cat: the category bitmap in network/CIPSO format927* @net_cat_len: the length of the CIPSO bitmap in bytes928* @secattr: the security attributes929*930* Description:931* Perform a label mapping to translate a CIPSO bitmap to the correct local932* MLS category bitmap using the given DOI definition. Returns zero on933* success, negative values on failure.934*935*/936static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def,937const unsigned char *net_cat,938u32 net_cat_len,939struct netlbl_lsm_secattr *secattr)940{941int ret_val;942int net_spot = -1;943u32 host_spot = CIPSO_V4_INV_CAT;944u32 net_clen_bits = net_cat_len * 8;945u32 net_cat_size = 0;946u32 *net_cat_array = NULL;947948if (doi_def->type == CIPSO_V4_MAP_TRANS) {949net_cat_size = doi_def->map.std->cat.cipso_size;950net_cat_array = doi_def->map.std->cat.cipso;951}952953for (;;) {954net_spot = cipso_v4_bitmap_walk(net_cat,955net_clen_bits,956net_spot + 1,9571);958if (net_spot < 0) {959if (net_spot == -2)960return -EFAULT;961return 0;962}963964switch (doi_def->type) {965case CIPSO_V4_MAP_PASS:966host_spot = net_spot;967break;968case CIPSO_V4_MAP_TRANS:969if (net_spot >= net_cat_size)970return -EPERM;971host_spot = net_cat_array[net_spot];972if (host_spot >= CIPSO_V4_INV_CAT)973return -EPERM;974break;975}976ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat,977host_spot,978GFP_ATOMIC);979if (ret_val != 0)980return ret_val;981}982983return -EINVAL;984}985986/**987* cipso_v4_map_cat_enum_valid - Checks to see if the categories are valid988* @doi_def: the DOI definition989* @enumcat: category list990* @enumcat_len: length of the category list in bytes991*992* Description:993* Checks the given categories against the given DOI definition and returns a994* negative value if any of the categories do not have a valid mapping and a995* zero value if all of the categories are valid.996*997*/998static int cipso_v4_map_cat_enum_valid(const struct cipso_v4_doi *doi_def,999const unsigned char *enumcat,1000u32 enumcat_len)1001{1002u16 cat;1003int cat_prev = -1;1004u32 iter;10051006if (doi_def->type != CIPSO_V4_MAP_PASS || enumcat_len & 0x01)1007return -EFAULT;10081009for (iter = 0; iter < enumcat_len; iter += 2) {1010cat = get_unaligned_be16(&enumcat[iter]);1011if (cat <= cat_prev)1012return -EFAULT;1013cat_prev = cat;1014}10151016return 0;1017}10181019/**1020* cipso_v4_map_cat_enum_hton - Perform a category mapping from host to network1021* @doi_def: the DOI definition1022* @secattr: the security attributes1023* @net_cat: the zero'd out category list in network/CIPSO format1024* @net_cat_len: the length of the CIPSO category list in bytes1025*1026* Description:1027* Perform a label mapping to translate a local MLS category bitmap to the1028* correct CIPSO category list using the given DOI definition. Returns the1029* size in bytes of the network category bitmap on success, negative values1030* otherwise.1031*1032*/1033static int cipso_v4_map_cat_enum_hton(const struct cipso_v4_doi *doi_def,1034const struct netlbl_lsm_secattr *secattr,1035unsigned char *net_cat,1036u32 net_cat_len)1037{1038int cat = -1;1039u32 cat_iter = 0;10401041for (;;) {1042cat = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,1043cat + 1);1044if (cat < 0)1045break;1046if ((cat_iter + 2) > net_cat_len)1047return -ENOSPC;10481049*((__be16 *)&net_cat[cat_iter]) = htons(cat);1050cat_iter += 2;1051}10521053return cat_iter;1054}10551056/**1057* cipso_v4_map_cat_enum_ntoh - Perform a category mapping from network to host1058* @doi_def: the DOI definition1059* @net_cat: the category list in network/CIPSO format1060* @net_cat_len: the length of the CIPSO bitmap in bytes1061* @secattr: the security attributes1062*1063* Description:1064* Perform a label mapping to translate a CIPSO category list to the correct1065* local MLS category bitmap using the given DOI definition. Returns zero on1066* success, negative values on failure.1067*1068*/1069static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def,1070const unsigned char *net_cat,1071u32 net_cat_len,1072struct netlbl_lsm_secattr *secattr)1073{1074int ret_val;1075u32 iter;10761077for (iter = 0; iter < net_cat_len; iter += 2) {1078ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat,1079get_unaligned_be16(&net_cat[iter]),1080GFP_ATOMIC);1081if (ret_val != 0)1082return ret_val;1083}10841085return 0;1086}10871088/**1089* cipso_v4_map_cat_rng_valid - Checks to see if the categories are valid1090* @doi_def: the DOI definition1091* @rngcat: category list1092* @rngcat_len: length of the category list in bytes1093*1094* Description:1095* Checks the given categories against the given DOI definition and returns a1096* negative value if any of the categories do not have a valid mapping and a1097* zero value if all of the categories are valid.1098*1099*/1100static int cipso_v4_map_cat_rng_valid(const struct cipso_v4_doi *doi_def,1101const unsigned char *rngcat,1102u32 rngcat_len)1103{1104u16 cat_high;1105u16 cat_low;1106u32 cat_prev = CIPSO_V4_MAX_REM_CATS + 1;1107u32 iter;11081109if (doi_def->type != CIPSO_V4_MAP_PASS || rngcat_len & 0x01)1110return -EFAULT;11111112for (iter = 0; iter < rngcat_len; iter += 4) {1113cat_high = get_unaligned_be16(&rngcat[iter]);1114if ((iter + 4) <= rngcat_len)1115cat_low = get_unaligned_be16(&rngcat[iter + 2]);1116else1117cat_low = 0;11181119if (cat_high > cat_prev)1120return -EFAULT;11211122cat_prev = cat_low;1123}11241125return 0;1126}11271128/**1129* cipso_v4_map_cat_rng_hton - Perform a category mapping from host to network1130* @doi_def: the DOI definition1131* @secattr: the security attributes1132* @net_cat: the zero'd out category list in network/CIPSO format1133* @net_cat_len: the length of the CIPSO category list in bytes1134*1135* Description:1136* Perform a label mapping to translate a local MLS category bitmap to the1137* correct CIPSO category list using the given DOI definition. Returns the1138* size in bytes of the network category bitmap on success, negative values1139* otherwise.1140*1141*/1142static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,1143const struct netlbl_lsm_secattr *secattr,1144unsigned char *net_cat,1145u32 net_cat_len)1146{1147int iter = -1;1148u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2];1149u32 array_cnt = 0;1150u32 cat_size = 0;11511152/* make sure we don't overflow the 'array[]' variable */1153if (net_cat_len >1154(CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN))1155return -ENOSPC;11561157for (;;) {1158iter = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,1159iter + 1);1160if (iter < 0)1161break;1162cat_size += (iter == 0 ? 0 : sizeof(u16));1163if (cat_size > net_cat_len)1164return -ENOSPC;1165array[array_cnt++] = iter;11661167iter = netlbl_secattr_catmap_walk_rng(secattr->attr.mls.cat,1168iter);1169if (iter < 0)1170return -EFAULT;1171cat_size += sizeof(u16);1172if (cat_size > net_cat_len)1173return -ENOSPC;1174array[array_cnt++] = iter;1175}11761177for (iter = 0; array_cnt > 0;) {1178*((__be16 *)&net_cat[iter]) = htons(array[--array_cnt]);1179iter += 2;1180array_cnt--;1181if (array[array_cnt] != 0) {1182*((__be16 *)&net_cat[iter]) = htons(array[array_cnt]);1183iter += 2;1184}1185}11861187return cat_size;1188}11891190/**1191* cipso_v4_map_cat_rng_ntoh - Perform a category mapping from network to host1192* @doi_def: the DOI definition1193* @net_cat: the category list in network/CIPSO format1194* @net_cat_len: the length of the CIPSO bitmap in bytes1195* @secattr: the security attributes1196*1197* Description:1198* Perform a label mapping to translate a CIPSO category list to the correct1199* local MLS category bitmap using the given DOI definition. Returns zero on1200* success, negative values on failure.1201*1202*/1203static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,1204const unsigned char *net_cat,1205u32 net_cat_len,1206struct netlbl_lsm_secattr *secattr)1207{1208int ret_val;1209u32 net_iter;1210u16 cat_low;1211u16 cat_high;12121213for (net_iter = 0; net_iter < net_cat_len; net_iter += 4) {1214cat_high = get_unaligned_be16(&net_cat[net_iter]);1215if ((net_iter + 4) <= net_cat_len)1216cat_low = get_unaligned_be16(&net_cat[net_iter + 2]);1217else1218cat_low = 0;12191220ret_val = netlbl_secattr_catmap_setrng(secattr->attr.mls.cat,1221cat_low,1222cat_high,1223GFP_ATOMIC);1224if (ret_val != 0)1225return ret_val;1226}12271228return 0;1229}12301231/*1232* Protocol Handling Functions1233*/12341235/**1236* cipso_v4_gentag_hdr - Generate a CIPSO option header1237* @doi_def: the DOI definition1238* @len: the total tag length in bytes, not including this header1239* @buf: the CIPSO option buffer1240*1241* Description:1242* Write a CIPSO header into the beginning of @buffer.1243*1244*/1245static void cipso_v4_gentag_hdr(const struct cipso_v4_doi *doi_def,1246unsigned char *buf,1247u32 len)1248{1249buf[0] = IPOPT_CIPSO;1250buf[1] = CIPSO_V4_HDR_LEN + len;1251*(__be32 *)&buf[2] = htonl(doi_def->doi);1252}12531254/**1255* cipso_v4_gentag_rbm - Generate a CIPSO restricted bitmap tag (type #1)1256* @doi_def: the DOI definition1257* @secattr: the security attributes1258* @buffer: the option buffer1259* @buffer_len: length of buffer in bytes1260*1261* Description:1262* Generate a CIPSO option using the restricted bitmap tag, tag type #1. The1263* actual buffer length may be larger than the indicated size due to1264* translation between host and network category bitmaps. Returns the size of1265* the tag on success, negative values on failure.1266*1267*/1268static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,1269const struct netlbl_lsm_secattr *secattr,1270unsigned char *buffer,1271u32 buffer_len)1272{1273int ret_val;1274u32 tag_len;1275u32 level;12761277if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)1278return -EPERM;12791280ret_val = cipso_v4_map_lvl_hton(doi_def,1281secattr->attr.mls.lvl,1282&level);1283if (ret_val != 0)1284return ret_val;12851286if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {1287ret_val = cipso_v4_map_cat_rbm_hton(doi_def,1288secattr,1289&buffer[4],1290buffer_len - 4);1291if (ret_val < 0)1292return ret_val;12931294/* This will send packets using the "optimized" format when1295* possible as specified in section 3.4.2.6 of the1296* CIPSO draft. */1297if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10)1298tag_len = 14;1299else1300tag_len = 4 + ret_val;1301} else1302tag_len = 4;13031304buffer[0] = CIPSO_V4_TAG_RBITMAP;1305buffer[1] = tag_len;1306buffer[3] = level;13071308return tag_len;1309}13101311/**1312* cipso_v4_parsetag_rbm - Parse a CIPSO restricted bitmap tag1313* @doi_def: the DOI definition1314* @tag: the CIPSO tag1315* @secattr: the security attributes1316*1317* Description:1318* Parse a CIPSO restricted bitmap tag (tag type #1) and return the security1319* attributes in @secattr. Return zero on success, negatives values on1320* failure.1321*1322*/1323static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,1324const unsigned char *tag,1325struct netlbl_lsm_secattr *secattr)1326{1327int ret_val;1328u8 tag_len = tag[1];1329u32 level;13301331ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);1332if (ret_val != 0)1333return ret_val;1334secattr->attr.mls.lvl = level;1335secattr->flags |= NETLBL_SECATTR_MLS_LVL;13361337if (tag_len > 4) {1338secattr->attr.mls.cat =1339netlbl_secattr_catmap_alloc(GFP_ATOMIC);1340if (secattr->attr.mls.cat == NULL)1341return -ENOMEM;13421343ret_val = cipso_v4_map_cat_rbm_ntoh(doi_def,1344&tag[4],1345tag_len - 4,1346secattr);1347if (ret_val != 0) {1348netlbl_secattr_catmap_free(secattr->attr.mls.cat);1349return ret_val;1350}13511352secattr->flags |= NETLBL_SECATTR_MLS_CAT;1353}13541355return 0;1356}13571358/**1359* cipso_v4_gentag_enum - Generate a CIPSO enumerated tag (type #2)1360* @doi_def: the DOI definition1361* @secattr: the security attributes1362* @buffer: the option buffer1363* @buffer_len: length of buffer in bytes1364*1365* Description:1366* Generate a CIPSO option using the enumerated tag, tag type #2. Returns the1367* size of the tag on success, negative values on failure.1368*1369*/1370static int cipso_v4_gentag_enum(const struct cipso_v4_doi *doi_def,1371const struct netlbl_lsm_secattr *secattr,1372unsigned char *buffer,1373u32 buffer_len)1374{1375int ret_val;1376u32 tag_len;1377u32 level;13781379if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL))1380return -EPERM;13811382ret_val = cipso_v4_map_lvl_hton(doi_def,1383secattr->attr.mls.lvl,1384&level);1385if (ret_val != 0)1386return ret_val;13871388if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {1389ret_val = cipso_v4_map_cat_enum_hton(doi_def,1390secattr,1391&buffer[4],1392buffer_len - 4);1393if (ret_val < 0)1394return ret_val;13951396tag_len = 4 + ret_val;1397} else1398tag_len = 4;13991400buffer[0] = CIPSO_V4_TAG_ENUM;1401buffer[1] = tag_len;1402buffer[3] = level;14031404return tag_len;1405}14061407/**1408* cipso_v4_parsetag_enum - Parse a CIPSO enumerated tag1409* @doi_def: the DOI definition1410* @tag: the CIPSO tag1411* @secattr: the security attributes1412*1413* Description:1414* Parse a CIPSO enumerated tag (tag type #2) and return the security1415* attributes in @secattr. Return zero on success, negatives values on1416* failure.1417*1418*/1419static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def,1420const unsigned char *tag,1421struct netlbl_lsm_secattr *secattr)1422{1423int ret_val;1424u8 tag_len = tag[1];1425u32 level;14261427ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);1428if (ret_val != 0)1429return ret_val;1430secattr->attr.mls.lvl = level;1431secattr->flags |= NETLBL_SECATTR_MLS_LVL;14321433if (tag_len > 4) {1434secattr->attr.mls.cat =1435netlbl_secattr_catmap_alloc(GFP_ATOMIC);1436if (secattr->attr.mls.cat == NULL)1437return -ENOMEM;14381439ret_val = cipso_v4_map_cat_enum_ntoh(doi_def,1440&tag[4],1441tag_len - 4,1442secattr);1443if (ret_val != 0) {1444netlbl_secattr_catmap_free(secattr->attr.mls.cat);1445return ret_val;1446}14471448secattr->flags |= NETLBL_SECATTR_MLS_CAT;1449}14501451return 0;1452}14531454/**1455* cipso_v4_gentag_rng - Generate a CIPSO ranged tag (type #5)1456* @doi_def: the DOI definition1457* @secattr: the security attributes1458* @buffer: the option buffer1459* @buffer_len: length of buffer in bytes1460*1461* Description:1462* Generate a CIPSO option using the ranged tag, tag type #5. Returns the1463* size of the tag on success, negative values on failure.1464*1465*/1466static int cipso_v4_gentag_rng(const struct cipso_v4_doi *doi_def,1467const struct netlbl_lsm_secattr *secattr,1468unsigned char *buffer,1469u32 buffer_len)1470{1471int ret_val;1472u32 tag_len;1473u32 level;14741475if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL))1476return -EPERM;14771478ret_val = cipso_v4_map_lvl_hton(doi_def,1479secattr->attr.mls.lvl,1480&level);1481if (ret_val != 0)1482return ret_val;14831484if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {1485ret_val = cipso_v4_map_cat_rng_hton(doi_def,1486secattr,1487&buffer[4],1488buffer_len - 4);1489if (ret_val < 0)1490return ret_val;14911492tag_len = 4 + ret_val;1493} else1494tag_len = 4;14951496buffer[0] = CIPSO_V4_TAG_RANGE;1497buffer[1] = tag_len;1498buffer[3] = level;14991500return tag_len;1501}15021503/**1504* cipso_v4_parsetag_rng - Parse a CIPSO ranged tag1505* @doi_def: the DOI definition1506* @tag: the CIPSO tag1507* @secattr: the security attributes1508*1509* Description:1510* Parse a CIPSO ranged tag (tag type #5) and return the security attributes1511* in @secattr. Return zero on success, negatives values on failure.1512*1513*/1514static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,1515const unsigned char *tag,1516struct netlbl_lsm_secattr *secattr)1517{1518int ret_val;1519u8 tag_len = tag[1];1520u32 level;15211522ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);1523if (ret_val != 0)1524return ret_val;1525secattr->attr.mls.lvl = level;1526secattr->flags |= NETLBL_SECATTR_MLS_LVL;15271528if (tag_len > 4) {1529secattr->attr.mls.cat =1530netlbl_secattr_catmap_alloc(GFP_ATOMIC);1531if (secattr->attr.mls.cat == NULL)1532return -ENOMEM;15331534ret_val = cipso_v4_map_cat_rng_ntoh(doi_def,1535&tag[4],1536tag_len - 4,1537secattr);1538if (ret_val != 0) {1539netlbl_secattr_catmap_free(secattr->attr.mls.cat);1540return ret_val;1541}15421543secattr->flags |= NETLBL_SECATTR_MLS_CAT;1544}15451546return 0;1547}15481549/**1550* cipso_v4_gentag_loc - Generate a CIPSO local tag (non-standard)1551* @doi_def: the DOI definition1552* @secattr: the security attributes1553* @buffer: the option buffer1554* @buffer_len: length of buffer in bytes1555*1556* Description:1557* Generate a CIPSO option using the local tag. Returns the size of the tag1558* on success, negative values on failure.1559*1560*/1561static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def,1562const struct netlbl_lsm_secattr *secattr,1563unsigned char *buffer,1564u32 buffer_len)1565{1566if (!(secattr->flags & NETLBL_SECATTR_SECID))1567return -EPERM;15681569buffer[0] = CIPSO_V4_TAG_LOCAL;1570buffer[1] = CIPSO_V4_TAG_LOC_BLEN;1571*(u32 *)&buffer[2] = secattr->attr.secid;15721573return CIPSO_V4_TAG_LOC_BLEN;1574}15751576/**1577* cipso_v4_parsetag_loc - Parse a CIPSO local tag1578* @doi_def: the DOI definition1579* @tag: the CIPSO tag1580* @secattr: the security attributes1581*1582* Description:1583* Parse a CIPSO local tag and return the security attributes in @secattr.1584* Return zero on success, negatives values on failure.1585*1586*/1587static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,1588const unsigned char *tag,1589struct netlbl_lsm_secattr *secattr)1590{1591secattr->attr.secid = *(u32 *)&tag[2];1592secattr->flags |= NETLBL_SECATTR_SECID;15931594return 0;1595}15961597/**1598* cipso_v4_validate - Validate a CIPSO option1599* @option: the start of the option, on error it is set to point to the error1600*1601* Description:1602* This routine is called to validate a CIPSO option, it checks all of the1603* fields to ensure that they are at least valid, see the draft snippet below1604* for details. If the option is valid then a zero value is returned and1605* the value of @option is unchanged. If the option is invalid then a1606* non-zero value is returned and @option is adjusted to point to the1607* offending portion of the option. From the IETF draft ...1608*1609* "If any field within the CIPSO options, such as the DOI identifier, is not1610* recognized the IP datagram is discarded and an ICMP 'parameter problem'1611* (type 12) is generated and returned. The ICMP code field is set to 'bad1612* parameter' (code 0) and the pointer is set to the start of the CIPSO field1613* that is unrecognized."1614*1615*/1616int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option)1617{1618unsigned char *opt = *option;1619unsigned char *tag;1620unsigned char opt_iter;1621unsigned char err_offset = 0;1622u8 opt_len;1623u8 tag_len;1624struct cipso_v4_doi *doi_def = NULL;1625u32 tag_iter;16261627/* caller already checks for length values that are too large */1628opt_len = opt[1];1629if (opt_len < 8) {1630err_offset = 1;1631goto validate_return;1632}16331634rcu_read_lock();1635doi_def = cipso_v4_doi_search(get_unaligned_be32(&opt[2]));1636if (doi_def == NULL) {1637err_offset = 2;1638goto validate_return_locked;1639}16401641opt_iter = CIPSO_V4_HDR_LEN;1642tag = opt + opt_iter;1643while (opt_iter < opt_len) {1644for (tag_iter = 0; doi_def->tags[tag_iter] != tag[0];)1645if (doi_def->tags[tag_iter] == CIPSO_V4_TAG_INVALID ||1646++tag_iter == CIPSO_V4_TAG_MAXCNT) {1647err_offset = opt_iter;1648goto validate_return_locked;1649}16501651tag_len = tag[1];1652if (tag_len > (opt_len - opt_iter)) {1653err_offset = opt_iter + 1;1654goto validate_return_locked;1655}16561657switch (tag[0]) {1658case CIPSO_V4_TAG_RBITMAP:1659if (tag_len < CIPSO_V4_TAG_RBM_BLEN) {1660err_offset = opt_iter + 1;1661goto validate_return_locked;1662}16631664/* We are already going to do all the verification1665* necessary at the socket layer so from our point of1666* view it is safe to turn these checks off (and less1667* work), however, the CIPSO draft says we should do1668* all the CIPSO validations here but it doesn't1669* really specify _exactly_ what we need to validate1670* ... so, just make it a sysctl tunable. */1671if (cipso_v4_rbm_strictvalid) {1672if (cipso_v4_map_lvl_valid(doi_def,1673tag[3]) < 0) {1674err_offset = opt_iter + 3;1675goto validate_return_locked;1676}1677if (tag_len > CIPSO_V4_TAG_RBM_BLEN &&1678cipso_v4_map_cat_rbm_valid(doi_def,1679&tag[4],1680tag_len - 4) < 0) {1681err_offset = opt_iter + 4;1682goto validate_return_locked;1683}1684}1685break;1686case CIPSO_V4_TAG_ENUM:1687if (tag_len < CIPSO_V4_TAG_ENUM_BLEN) {1688err_offset = opt_iter + 1;1689goto validate_return_locked;1690}16911692if (cipso_v4_map_lvl_valid(doi_def,1693tag[3]) < 0) {1694err_offset = opt_iter + 3;1695goto validate_return_locked;1696}1697if (tag_len > CIPSO_V4_TAG_ENUM_BLEN &&1698cipso_v4_map_cat_enum_valid(doi_def,1699&tag[4],1700tag_len - 4) < 0) {1701err_offset = opt_iter + 4;1702goto validate_return_locked;1703}1704break;1705case CIPSO_V4_TAG_RANGE:1706if (tag_len < CIPSO_V4_TAG_RNG_BLEN) {1707err_offset = opt_iter + 1;1708goto validate_return_locked;1709}17101711if (cipso_v4_map_lvl_valid(doi_def,1712tag[3]) < 0) {1713err_offset = opt_iter + 3;1714goto validate_return_locked;1715}1716if (tag_len > CIPSO_V4_TAG_RNG_BLEN &&1717cipso_v4_map_cat_rng_valid(doi_def,1718&tag[4],1719tag_len - 4) < 0) {1720err_offset = opt_iter + 4;1721goto validate_return_locked;1722}1723break;1724case CIPSO_V4_TAG_LOCAL:1725/* This is a non-standard tag that we only allow for1726* local connections, so if the incoming interface is1727* not the loopback device drop the packet. */1728if (!(skb->dev->flags & IFF_LOOPBACK)) {1729err_offset = opt_iter;1730goto validate_return_locked;1731}1732if (tag_len != CIPSO_V4_TAG_LOC_BLEN) {1733err_offset = opt_iter + 1;1734goto validate_return_locked;1735}1736break;1737default:1738err_offset = opt_iter;1739goto validate_return_locked;1740}17411742tag += tag_len;1743opt_iter += tag_len;1744}17451746validate_return_locked:1747rcu_read_unlock();1748validate_return:1749*option = opt + err_offset;1750return err_offset;1751}17521753/**1754* cipso_v4_error - Send the correct response for a bad packet1755* @skb: the packet1756* @error: the error code1757* @gateway: CIPSO gateway flag1758*1759* Description:1760* Based on the error code given in @error, send an ICMP error message back to1761* the originating host. From the IETF draft ...1762*1763* "If the contents of the CIPSO [option] are valid but the security label is1764* outside of the configured host or port label range, the datagram is1765* discarded and an ICMP 'destination unreachable' (type 3) is generated and1766* returned. The code field of the ICMP is set to 'communication with1767* destination network administratively prohibited' (code 9) or to1768* 'communication with destination host administratively prohibited'1769* (code 10). The value of the code is dependent on whether the originator1770* of the ICMP message is acting as a CIPSO host or a CIPSO gateway. The1771* recipient of the ICMP message MUST be able to handle either value. The1772* same procedure is performed if a CIPSO [option] can not be added to an1773* IP packet because it is too large to fit in the IP options area."1774*1775* "If the error is triggered by receipt of an ICMP message, the message is1776* discarded and no response is permitted (consistent with general ICMP1777* processing rules)."1778*1779*/1780void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)1781{1782if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES)1783return;17841785if (gateway)1786icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0);1787else1788icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0);1789}17901791/**1792* cipso_v4_genopt - Generate a CIPSO option1793* @buf: the option buffer1794* @buf_len: the size of opt_buf1795* @doi_def: the CIPSO DOI to use1796* @secattr: the security attributes1797*1798* Description:1799* Generate a CIPSO option using the DOI definition and security attributes1800* passed to the function. Returns the length of the option on success and1801* negative values on failure.1802*1803*/1804static int cipso_v4_genopt(unsigned char *buf, u32 buf_len,1805const struct cipso_v4_doi *doi_def,1806const struct netlbl_lsm_secattr *secattr)1807{1808int ret_val;1809u32 iter;18101811if (buf_len <= CIPSO_V4_HDR_LEN)1812return -ENOSPC;18131814/* XXX - This code assumes only one tag per CIPSO option which isn't1815* really a good assumption to make but since we only support the MAC1816* tags right now it is a safe assumption. */1817iter = 0;1818do {1819memset(buf, 0, buf_len);1820switch (doi_def->tags[iter]) {1821case CIPSO_V4_TAG_RBITMAP:1822ret_val = cipso_v4_gentag_rbm(doi_def,1823secattr,1824&buf[CIPSO_V4_HDR_LEN],1825buf_len - CIPSO_V4_HDR_LEN);1826break;1827case CIPSO_V4_TAG_ENUM:1828ret_val = cipso_v4_gentag_enum(doi_def,1829secattr,1830&buf[CIPSO_V4_HDR_LEN],1831buf_len - CIPSO_V4_HDR_LEN);1832break;1833case CIPSO_V4_TAG_RANGE:1834ret_val = cipso_v4_gentag_rng(doi_def,1835secattr,1836&buf[CIPSO_V4_HDR_LEN],1837buf_len - CIPSO_V4_HDR_LEN);1838break;1839case CIPSO_V4_TAG_LOCAL:1840ret_val = cipso_v4_gentag_loc(doi_def,1841secattr,1842&buf[CIPSO_V4_HDR_LEN],1843buf_len - CIPSO_V4_HDR_LEN);1844break;1845default:1846return -EPERM;1847}18481849iter++;1850} while (ret_val < 0 &&1851iter < CIPSO_V4_TAG_MAXCNT &&1852doi_def->tags[iter] != CIPSO_V4_TAG_INVALID);1853if (ret_val < 0)1854return ret_val;1855cipso_v4_gentag_hdr(doi_def, buf, ret_val);1856return CIPSO_V4_HDR_LEN + ret_val;1857}18581859static void opt_kfree_rcu(struct rcu_head *head)1860{1861kfree(container_of(head, struct ip_options_rcu, rcu));1862}18631864/**1865* cipso_v4_sock_setattr - Add a CIPSO option to a socket1866* @sk: the socket1867* @doi_def: the CIPSO DOI to use1868* @secattr: the specific security attributes of the socket1869*1870* Description:1871* Set the CIPSO option on the given socket using the DOI definition and1872* security attributes passed to the function. This function requires1873* exclusive access to @sk, which means it either needs to be in the1874* process of being created or locked. Returns zero on success and negative1875* values on failure.1876*1877*/1878int cipso_v4_sock_setattr(struct sock *sk,1879const struct cipso_v4_doi *doi_def,1880const struct netlbl_lsm_secattr *secattr)1881{1882int ret_val = -EPERM;1883unsigned char *buf = NULL;1884u32 buf_len;1885u32 opt_len;1886struct ip_options_rcu *old, *opt = NULL;1887struct inet_sock *sk_inet;1888struct inet_connection_sock *sk_conn;18891890/* In the case of sock_create_lite(), the sock->sk field is not1891* defined yet but it is not a problem as the only users of these1892* "lite" PF_INET sockets are functions which do an accept() call1893* afterwards so we will label the socket as part of the accept(). */1894if (sk == NULL)1895return 0;18961897/* We allocate the maximum CIPSO option size here so we are probably1898* being a little wasteful, but it makes our life _much_ easier later1899* on and after all we are only talking about 40 bytes. */1900buf_len = CIPSO_V4_OPT_LEN_MAX;1901buf = kmalloc(buf_len, GFP_ATOMIC);1902if (buf == NULL) {1903ret_val = -ENOMEM;1904goto socket_setattr_failure;1905}19061907ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);1908if (ret_val < 0)1909goto socket_setattr_failure;1910buf_len = ret_val;19111912/* We can't use ip_options_get() directly because it makes a call to1913* ip_options_get_alloc() which allocates memory with GFP_KERNEL and1914* we won't always have CAP_NET_RAW even though we _always_ want to1915* set the IPOPT_CIPSO option. */1916opt_len = (buf_len + 3) & ~3;1917opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC);1918if (opt == NULL) {1919ret_val = -ENOMEM;1920goto socket_setattr_failure;1921}1922memcpy(opt->opt.__data, buf, buf_len);1923opt->opt.optlen = opt_len;1924opt->opt.cipso = sizeof(struct iphdr);1925kfree(buf);1926buf = NULL;19271928sk_inet = inet_sk(sk);19291930old = rcu_dereference_protected(sk_inet->inet_opt, sock_owned_by_user(sk));1931if (sk_inet->is_icsk) {1932sk_conn = inet_csk(sk);1933if (old)1934sk_conn->icsk_ext_hdr_len -= old->opt.optlen;1935sk_conn->icsk_ext_hdr_len += opt->opt.optlen;1936sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);1937}1938rcu_assign_pointer(sk_inet->inet_opt, opt);1939if (old)1940call_rcu(&old->rcu, opt_kfree_rcu);19411942return 0;19431944socket_setattr_failure:1945kfree(buf);1946kfree(opt);1947return ret_val;1948}19491950/**1951* cipso_v4_req_setattr - Add a CIPSO option to a connection request socket1952* @req: the connection request socket1953* @doi_def: the CIPSO DOI to use1954* @secattr: the specific security attributes of the socket1955*1956* Description:1957* Set the CIPSO option on the given socket using the DOI definition and1958* security attributes passed to the function. Returns zero on success and1959* negative values on failure.1960*1961*/1962int cipso_v4_req_setattr(struct request_sock *req,1963const struct cipso_v4_doi *doi_def,1964const struct netlbl_lsm_secattr *secattr)1965{1966int ret_val = -EPERM;1967unsigned char *buf = NULL;1968u32 buf_len;1969u32 opt_len;1970struct ip_options_rcu *opt = NULL;1971struct inet_request_sock *req_inet;19721973/* We allocate the maximum CIPSO option size here so we are probably1974* being a little wasteful, but it makes our life _much_ easier later1975* on and after all we are only talking about 40 bytes. */1976buf_len = CIPSO_V4_OPT_LEN_MAX;1977buf = kmalloc(buf_len, GFP_ATOMIC);1978if (buf == NULL) {1979ret_val = -ENOMEM;1980goto req_setattr_failure;1981}19821983ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);1984if (ret_val < 0)1985goto req_setattr_failure;1986buf_len = ret_val;19871988/* We can't use ip_options_get() directly because it makes a call to1989* ip_options_get_alloc() which allocates memory with GFP_KERNEL and1990* we won't always have CAP_NET_RAW even though we _always_ want to1991* set the IPOPT_CIPSO option. */1992opt_len = (buf_len + 3) & ~3;1993opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC);1994if (opt == NULL) {1995ret_val = -ENOMEM;1996goto req_setattr_failure;1997}1998memcpy(opt->opt.__data, buf, buf_len);1999opt->opt.optlen = opt_len;2000opt->opt.cipso = sizeof(struct iphdr);2001kfree(buf);2002buf = NULL;20032004req_inet = inet_rsk(req);2005opt = xchg(&req_inet->opt, opt);2006if (opt)2007call_rcu(&opt->rcu, opt_kfree_rcu);20082009return 0;20102011req_setattr_failure:2012kfree(buf);2013kfree(opt);2014return ret_val;2015}20162017/**2018* cipso_v4_delopt - Delete the CIPSO option from a set of IP options2019* @opt_ptr: IP option pointer2020*2021* Description:2022* Deletes the CIPSO IP option from a set of IP options and makes the necessary2023* adjustments to the IP option structure. Returns zero on success, negative2024* values on failure.2025*2026*/2027static int cipso_v4_delopt(struct ip_options_rcu **opt_ptr)2028{2029int hdr_delta = 0;2030struct ip_options_rcu *opt = *opt_ptr;20312032if (opt->opt.srr || opt->opt.rr || opt->opt.ts || opt->opt.router_alert) {2033u8 cipso_len;2034u8 cipso_off;2035unsigned char *cipso_ptr;2036int iter;2037int optlen_new;20382039cipso_off = opt->opt.cipso - sizeof(struct iphdr);2040cipso_ptr = &opt->opt.__data[cipso_off];2041cipso_len = cipso_ptr[1];20422043if (opt->opt.srr > opt->opt.cipso)2044opt->opt.srr -= cipso_len;2045if (opt->opt.rr > opt->opt.cipso)2046opt->opt.rr -= cipso_len;2047if (opt->opt.ts > opt->opt.cipso)2048opt->opt.ts -= cipso_len;2049if (opt->opt.router_alert > opt->opt.cipso)2050opt->opt.router_alert -= cipso_len;2051opt->opt.cipso = 0;20522053memmove(cipso_ptr, cipso_ptr + cipso_len,2054opt->opt.optlen - cipso_off - cipso_len);20552056/* determining the new total option length is tricky because of2057* the padding necessary, the only thing i can think to do at2058* this point is walk the options one-by-one, skipping the2059* padding at the end to determine the actual option size and2060* from there we can determine the new total option length */2061iter = 0;2062optlen_new = 0;2063while (iter < opt->opt.optlen)2064if (opt->opt.__data[iter] != IPOPT_NOP) {2065iter += opt->opt.__data[iter + 1];2066optlen_new = iter;2067} else2068iter++;2069hdr_delta = opt->opt.optlen;2070opt->opt.optlen = (optlen_new + 3) & ~3;2071hdr_delta -= opt->opt.optlen;2072} else {2073/* only the cipso option was present on the socket so we can2074* remove the entire option struct */2075*opt_ptr = NULL;2076hdr_delta = opt->opt.optlen;2077call_rcu(&opt->rcu, opt_kfree_rcu);2078}20792080return hdr_delta;2081}20822083/**2084* cipso_v4_sock_delattr - Delete the CIPSO option from a socket2085* @sk: the socket2086*2087* Description:2088* Removes the CIPSO option from a socket, if present.2089*2090*/2091void cipso_v4_sock_delattr(struct sock *sk)2092{2093int hdr_delta;2094struct ip_options_rcu *opt;2095struct inet_sock *sk_inet;20962097sk_inet = inet_sk(sk);2098opt = rcu_dereference_protected(sk_inet->inet_opt, 1);2099if (opt == NULL || opt->opt.cipso == 0)2100return;21012102hdr_delta = cipso_v4_delopt(&sk_inet->inet_opt);2103if (sk_inet->is_icsk && hdr_delta > 0) {2104struct inet_connection_sock *sk_conn = inet_csk(sk);2105sk_conn->icsk_ext_hdr_len -= hdr_delta;2106sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);2107}2108}21092110/**2111* cipso_v4_req_delattr - Delete the CIPSO option from a request socket2112* @reg: the request socket2113*2114* Description:2115* Removes the CIPSO option from a request socket, if present.2116*2117*/2118void cipso_v4_req_delattr(struct request_sock *req)2119{2120struct ip_options_rcu *opt;2121struct inet_request_sock *req_inet;21222123req_inet = inet_rsk(req);2124opt = req_inet->opt;2125if (opt == NULL || opt->opt.cipso == 0)2126return;21272128cipso_v4_delopt(&req_inet->opt);2129}21302131/**2132* cipso_v4_getattr - Helper function for the cipso_v4_*_getattr functions2133* @cipso: the CIPSO v4 option2134* @secattr: the security attributes2135*2136* Description:2137* Inspect @cipso and return the security attributes in @secattr. Returns zero2138* on success and negative values on failure.2139*2140*/2141static int cipso_v4_getattr(const unsigned char *cipso,2142struct netlbl_lsm_secattr *secattr)2143{2144int ret_val = -ENOMSG;2145u32 doi;2146struct cipso_v4_doi *doi_def;21472148if (cipso_v4_cache_check(cipso, cipso[1], secattr) == 0)2149return 0;21502151doi = get_unaligned_be32(&cipso[2]);2152rcu_read_lock();2153doi_def = cipso_v4_doi_search(doi);2154if (doi_def == NULL)2155goto getattr_return;2156/* XXX - This code assumes only one tag per CIPSO option which isn't2157* really a good assumption to make but since we only support the MAC2158* tags right now it is a safe assumption. */2159switch (cipso[6]) {2160case CIPSO_V4_TAG_RBITMAP:2161ret_val = cipso_v4_parsetag_rbm(doi_def, &cipso[6], secattr);2162break;2163case CIPSO_V4_TAG_ENUM:2164ret_val = cipso_v4_parsetag_enum(doi_def, &cipso[6], secattr);2165break;2166case CIPSO_V4_TAG_RANGE:2167ret_val = cipso_v4_parsetag_rng(doi_def, &cipso[6], secattr);2168break;2169case CIPSO_V4_TAG_LOCAL:2170ret_val = cipso_v4_parsetag_loc(doi_def, &cipso[6], secattr);2171break;2172}2173if (ret_val == 0)2174secattr->type = NETLBL_NLTYPE_CIPSOV4;21752176getattr_return:2177rcu_read_unlock();2178return ret_val;2179}21802181/**2182* cipso_v4_sock_getattr - Get the security attributes from a sock2183* @sk: the sock2184* @secattr: the security attributes2185*2186* Description:2187* Query @sk to see if there is a CIPSO option attached to the sock and if2188* there is return the CIPSO security attributes in @secattr. This function2189* requires that @sk be locked, or privately held, but it does not do any2190* locking itself. Returns zero on success and negative values on failure.2191*2192*/2193int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)2194{2195struct ip_options_rcu *opt;2196int res = -ENOMSG;21972198rcu_read_lock();2199opt = rcu_dereference(inet_sk(sk)->inet_opt);2200if (opt && opt->opt.cipso)2201res = cipso_v4_getattr(opt->opt.__data +2202opt->opt.cipso -2203sizeof(struct iphdr),2204secattr);2205rcu_read_unlock();2206return res;2207}22082209/**2210* cipso_v4_skbuff_setattr - Set the CIPSO option on a packet2211* @skb: the packet2212* @secattr: the security attributes2213*2214* Description:2215* Set the CIPSO option on the given packet based on the security attributes.2216* Returns a pointer to the IP header on success and NULL on failure.2217*2218*/2219int cipso_v4_skbuff_setattr(struct sk_buff *skb,2220const struct cipso_v4_doi *doi_def,2221const struct netlbl_lsm_secattr *secattr)2222{2223int ret_val;2224struct iphdr *iph;2225struct ip_options *opt = &IPCB(skb)->opt;2226unsigned char buf[CIPSO_V4_OPT_LEN_MAX];2227u32 buf_len = CIPSO_V4_OPT_LEN_MAX;2228u32 opt_len;2229int len_delta;22302231ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);2232if (ret_val < 0)2233return ret_val;2234buf_len = ret_val;2235opt_len = (buf_len + 3) & ~3;22362237/* we overwrite any existing options to ensure that we have enough2238* room for the CIPSO option, the reason is that we _need_ to guarantee2239* that the security label is applied to the packet - we do the same2240* thing when using the socket options and it hasn't caused a problem,2241* if we need to we can always revisit this choice later */22422243len_delta = opt_len - opt->optlen;2244/* if we don't ensure enough headroom we could panic on the skb_push()2245* call below so make sure we have enough, we are also "mangling" the2246* packet so we should probably do a copy-on-write call anyway */2247ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);2248if (ret_val < 0)2249return ret_val;22502251if (len_delta > 0) {2252/* we assume that the header + opt->optlen have already been2253* "pushed" in ip_options_build() or similar */2254iph = ip_hdr(skb);2255skb_push(skb, len_delta);2256memmove((char *)iph - len_delta, iph, iph->ihl << 2);2257skb_reset_network_header(skb);2258iph = ip_hdr(skb);2259} else if (len_delta < 0) {2260iph = ip_hdr(skb);2261memset(iph + 1, IPOPT_NOP, opt->optlen);2262} else2263iph = ip_hdr(skb);22642265if (opt->optlen > 0)2266memset(opt, 0, sizeof(*opt));2267opt->optlen = opt_len;2268opt->cipso = sizeof(struct iphdr);2269opt->is_changed = 1;22702271/* we have to do the following because we are being called from a2272* netfilter hook which means the packet already has had the header2273* fields populated and the checksum calculated - yes this means we2274* are doing more work than needed but we do it to keep the core2275* stack clean and tidy */2276memcpy(iph + 1, buf, buf_len);2277if (opt_len > buf_len)2278memset((char *)(iph + 1) + buf_len, 0, opt_len - buf_len);2279if (len_delta != 0) {2280iph->ihl = 5 + (opt_len >> 2);2281iph->tot_len = htons(skb->len);2282}2283ip_send_check(iph);22842285return 0;2286}22872288/**2289* cipso_v4_skbuff_delattr - Delete any CIPSO options from a packet2290* @skb: the packet2291*2292* Description:2293* Removes any and all CIPSO options from the given packet. Returns zero on2294* success, negative values on failure.2295*2296*/2297int cipso_v4_skbuff_delattr(struct sk_buff *skb)2298{2299int ret_val;2300struct iphdr *iph;2301struct ip_options *opt = &IPCB(skb)->opt;2302unsigned char *cipso_ptr;23032304if (opt->cipso == 0)2305return 0;23062307/* since we are changing the packet we should make a copy */2308ret_val = skb_cow(skb, skb_headroom(skb));2309if (ret_val < 0)2310return ret_val;23112312/* the easiest thing to do is just replace the cipso option with noop2313* options since we don't change the size of the packet, although we2314* still need to recalculate the checksum */23152316iph = ip_hdr(skb);2317cipso_ptr = (unsigned char *)iph + opt->cipso;2318memset(cipso_ptr, IPOPT_NOOP, cipso_ptr[1]);2319opt->cipso = 0;2320opt->is_changed = 1;23212322ip_send_check(iph);23232324return 0;2325}23262327/**2328* cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option2329* @skb: the packet2330* @secattr: the security attributes2331*2332* Description:2333* Parse the given packet's CIPSO option and return the security attributes.2334* Returns zero on success and negative values on failure.2335*2336*/2337int cipso_v4_skbuff_getattr(const struct sk_buff *skb,2338struct netlbl_lsm_secattr *secattr)2339{2340return cipso_v4_getattr(CIPSO_V4_OPTPTR(skb), secattr);2341}23422343/*2344* Setup Functions2345*/23462347/**2348* cipso_v4_init - Initialize the CIPSO module2349*2350* Description:2351* Initialize the CIPSO module and prepare it for use. Returns zero on success2352* and negative values on failure.2353*2354*/2355static int __init cipso_v4_init(void)2356{2357int ret_val;23582359ret_val = cipso_v4_cache_init();2360if (ret_val != 0)2361panic("Failed to initialize the CIPSO/IPv4 cache (%d)\n",2362ret_val);23632364return 0;2365}23662367subsys_initcall(cipso_v4_init);236823692370