• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * NetLabel CALIPSO/IPv6 Support
4  *
5  * This file defines the CALIPSO/IPv6 functions for the NetLabel system.  The
6  * NetLabel system manages static and dynamic label mappings for network
7  * protocols such as CIPSO and CALIPSO.
8  *
9  * Authors: Paul Moore <paul@paul-moore.com>
10  *          Huw Davies <huw@codeweavers.com>
11  */
12 
13 /* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
14  * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015
15  */
16 
17 #include <linux/types.h>
18 #include <linux/socket.h>
19 #include <linux/string.h>
20 #include <linux/skbuff.h>
21 #include <linux/audit.h>
22 #include <linux/slab.h>
23 #include <net/sock.h>
24 #include <net/netlink.h>
25 #include <net/genetlink.h>
26 #include <net/netlabel.h>
27 #include <net/calipso.h>
28 #include <linux/atomic.h>
29 
30 #include "netlabel_user.h"
31 #include "netlabel_calipso.h"
32 #include "netlabel_mgmt.h"
33 #include "netlabel_domainhash.h"
34 
35 /* Argument struct for calipso_doi_walk() */
36 struct netlbl_calipso_doiwalk_arg {
37 	struct netlink_callback *nl_cb;
38 	struct sk_buff *skb;
39 	u32 seq;
40 };
41 
42 /* Argument struct for netlbl_domhsh_walk() */
43 struct netlbl_domhsh_walk_arg {
44 	struct netlbl_audit *audit_info;
45 	u32 doi;
46 };
47 
48 /* NetLabel Generic NETLINK CALIPSO family */
49 static struct genl_family netlbl_calipso_gnl_family;
50 
51 /* NetLabel Netlink attribute policy */
52 static const struct nla_policy calipso_genl_policy[NLBL_CALIPSO_A_MAX + 1] = {
53 	[NLBL_CALIPSO_A_DOI] = { .type = NLA_U32 },
54 	[NLBL_CALIPSO_A_MTYPE] = { .type = NLA_U32 },
55 };
56 
57 /* NetLabel Command Handlers
58  */
59 /**
60  * netlbl_calipso_add_pass - Adds a CALIPSO pass DOI definition
61  * @info: the Generic NETLINK info block
62  * @audit_info: NetLabel audit information
63  *
64  * Description:
65  * Create a new CALIPSO_MAP_PASS DOI definition based on the given ADD message
66  * and add it to the CALIPSO engine.  Return zero on success and non-zero on
67  * error.
68  *
69  */
netlbl_calipso_add_pass(struct genl_info * info,struct netlbl_audit * audit_info)70 static int netlbl_calipso_add_pass(struct genl_info *info,
71 				   struct netlbl_audit *audit_info)
72 {
73 	int ret_val;
74 	struct calipso_doi *doi_def = NULL;
75 
76 	doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
77 	if (!doi_def)
78 		return -ENOMEM;
79 	doi_def->type = CALIPSO_MAP_PASS;
80 	doi_def->doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]);
81 	ret_val = calipso_doi_add(doi_def, audit_info);
82 	if (ret_val != 0)
83 		calipso_doi_free(doi_def);
84 
85 	return ret_val;
86 }
87 
88 /**
89  * netlbl_calipso_add - Handle an ADD message
90  * @skb: the NETLINK buffer
91  * @info: the Generic NETLINK info block
92  *
93  * Description:
94  * Create a new DOI definition based on the given ADD message and add it to the
95  * CALIPSO engine.  Returns zero on success, negative values on failure.
96  *
97  */
netlbl_calipso_add(struct sk_buff * skb,struct genl_info * info)98 static int netlbl_calipso_add(struct sk_buff *skb, struct genl_info *info)
99 
100 {
101 	int ret_val = -EINVAL;
102 	struct netlbl_audit audit_info;
103 
104 	if (!info->attrs[NLBL_CALIPSO_A_DOI] ||
105 	    !info->attrs[NLBL_CALIPSO_A_MTYPE])
106 		return -EINVAL;
107 
108 	netlbl_netlink_auditinfo(skb, &audit_info);
109 	switch (nla_get_u32(info->attrs[NLBL_CALIPSO_A_MTYPE])) {
110 	case CALIPSO_MAP_PASS:
111 		ret_val = netlbl_calipso_add_pass(info, &audit_info);
112 		break;
113 	}
114 	if (ret_val == 0)
115 		atomic_inc(&netlabel_mgmt_protocount);
116 
117 	return ret_val;
118 }
119 
120 /**
121  * netlbl_calipso_list - Handle a LIST message
122  * @skb: the NETLINK buffer
123  * @info: the Generic NETLINK info block
124  *
125  * Description:
126  * Process a user generated LIST message and respond accordingly.
127  * Returns zero on success and negative values on error.
128  *
129  */
netlbl_calipso_list(struct sk_buff * skb,struct genl_info * info)130 static int netlbl_calipso_list(struct sk_buff *skb, struct genl_info *info)
131 {
132 	int ret_val;
133 	struct sk_buff *ans_skb = NULL;
134 	void *data;
135 	u32 doi;
136 	struct calipso_doi *doi_def;
137 
138 	if (!info->attrs[NLBL_CALIPSO_A_DOI]) {
139 		ret_val = -EINVAL;
140 		goto list_failure;
141 	}
142 
143 	doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]);
144 
145 	doi_def = calipso_doi_getdef(doi);
146 	if (!doi_def) {
147 		ret_val = -EINVAL;
148 		goto list_failure;
149 	}
150 
151 	ans_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
152 	if (!ans_skb) {
153 		ret_val = -ENOMEM;
154 		goto list_failure_put;
155 	}
156 	data = genlmsg_put_reply(ans_skb, info, &netlbl_calipso_gnl_family,
157 				 0, NLBL_CALIPSO_C_LIST);
158 	if (!data) {
159 		ret_val = -ENOMEM;
160 		goto list_failure_put;
161 	}
162 
163 	ret_val = nla_put_u32(ans_skb, NLBL_CALIPSO_A_MTYPE, doi_def->type);
164 	if (ret_val != 0)
165 		goto list_failure_put;
166 
167 	calipso_doi_putdef(doi_def);
168 
169 	genlmsg_end(ans_skb, data);
170 	return genlmsg_reply(ans_skb, info);
171 
172 list_failure_put:
173 	calipso_doi_putdef(doi_def);
174 list_failure:
175 	kfree_skb(ans_skb);
176 	return ret_val;
177 }
178 
179 /**
180  * netlbl_calipso_listall_cb - calipso_doi_walk() callback for LISTALL
181  * @doi_def: the CALIPSO DOI definition
182  * @arg: the netlbl_calipso_doiwalk_arg structure
183  *
184  * Description:
185  * This function is designed to be used as a callback to the
186  * calipso_doi_walk() function for use in generating a response for a LISTALL
187  * message.  Returns the size of the message on success, negative values on
188  * failure.
189  *
190  */
netlbl_calipso_listall_cb(struct calipso_doi * doi_def,void * arg)191 static int netlbl_calipso_listall_cb(struct calipso_doi *doi_def, void *arg)
192 {
193 	int ret_val = -ENOMEM;
194 	struct netlbl_calipso_doiwalk_arg *cb_arg = arg;
195 	void *data;
196 
197 	data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
198 			   cb_arg->seq, &netlbl_calipso_gnl_family,
199 			   NLM_F_MULTI, NLBL_CALIPSO_C_LISTALL);
200 	if (!data)
201 		goto listall_cb_failure;
202 
203 	ret_val = nla_put_u32(cb_arg->skb, NLBL_CALIPSO_A_DOI, doi_def->doi);
204 	if (ret_val != 0)
205 		goto listall_cb_failure;
206 	ret_val = nla_put_u32(cb_arg->skb,
207 			      NLBL_CALIPSO_A_MTYPE,
208 			      doi_def->type);
209 	if (ret_val != 0)
210 		goto listall_cb_failure;
211 
212 	genlmsg_end(cb_arg->skb, data);
213 	return 0;
214 
215 listall_cb_failure:
216 	genlmsg_cancel(cb_arg->skb, data);
217 	return ret_val;
218 }
219 
220 /**
221  * netlbl_calipso_listall - Handle a LISTALL message
222  * @skb: the NETLINK buffer
223  * @cb: the NETLINK callback
224  *
225  * Description:
226  * Process a user generated LISTALL message and respond accordingly.  Returns
227  * zero on success and negative values on error.
228  *
229  */
netlbl_calipso_listall(struct sk_buff * skb,struct netlink_callback * cb)230 static int netlbl_calipso_listall(struct sk_buff *skb,
231 				  struct netlink_callback *cb)
232 {
233 	struct netlbl_calipso_doiwalk_arg cb_arg;
234 	u32 doi_skip = cb->args[0];
235 
236 	cb_arg.nl_cb = cb;
237 	cb_arg.skb = skb;
238 	cb_arg.seq = cb->nlh->nlmsg_seq;
239 
240 	calipso_doi_walk(&doi_skip, netlbl_calipso_listall_cb, &cb_arg);
241 
242 	cb->args[0] = doi_skip;
243 	return skb->len;
244 }
245 
246 /**
247  * netlbl_calipso_remove_cb - netlbl_calipso_remove() callback for REMOVE
248  * @entry: LSM domain mapping entry
249  * @arg: the netlbl_domhsh_walk_arg structure
250  *
251  * Description:
252  * This function is intended for use by netlbl_calipso_remove() as the callback
253  * for the netlbl_domhsh_walk() function; it removes LSM domain map entries
254  * which are associated with the CALIPSO DOI specified in @arg.  Returns zero on
255  * success, negative values on failure.
256  *
257  */
netlbl_calipso_remove_cb(struct netlbl_dom_map * entry,void * arg)258 static int netlbl_calipso_remove_cb(struct netlbl_dom_map *entry, void *arg)
259 {
260 	struct netlbl_domhsh_walk_arg *cb_arg = arg;
261 
262 	if (entry->def.type == NETLBL_NLTYPE_CALIPSO &&
263 	    entry->def.calipso->doi == cb_arg->doi)
264 		return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info);
265 
266 	return 0;
267 }
268 
269 /**
270  * netlbl_calipso_remove - Handle a REMOVE message
271  * @skb: the NETLINK buffer
272  * @info: the Generic NETLINK info block
273  *
274  * Description:
275  * Process a user generated REMOVE message and respond accordingly.  Returns
276  * zero on success, negative values on failure.
277  *
278  */
netlbl_calipso_remove(struct sk_buff * skb,struct genl_info * info)279 static int netlbl_calipso_remove(struct sk_buff *skb, struct genl_info *info)
280 {
281 	int ret_val = -EINVAL;
282 	struct netlbl_domhsh_walk_arg cb_arg;
283 	struct netlbl_audit audit_info;
284 	u32 skip_bkt = 0;
285 	u32 skip_chain = 0;
286 
287 	if (!info->attrs[NLBL_CALIPSO_A_DOI])
288 		return -EINVAL;
289 
290 	netlbl_netlink_auditinfo(skb, &audit_info);
291 	cb_arg.doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]);
292 	cb_arg.audit_info = &audit_info;
293 	ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain,
294 				     netlbl_calipso_remove_cb, &cb_arg);
295 	if (ret_val == 0 || ret_val == -ENOENT) {
296 		ret_val = calipso_doi_remove(cb_arg.doi, &audit_info);
297 		if (ret_val == 0)
298 			atomic_dec(&netlabel_mgmt_protocount);
299 	}
300 
301 	return ret_val;
302 }
303 
304 /* NetLabel Generic NETLINK Command Definitions
305  */
306 
307 static const struct genl_small_ops netlbl_calipso_ops[] = {
308 	{
309 	.cmd = NLBL_CALIPSO_C_ADD,
310 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
311 	.flags = GENL_ADMIN_PERM,
312 	.doit = netlbl_calipso_add,
313 	.dumpit = NULL,
314 	},
315 	{
316 	.cmd = NLBL_CALIPSO_C_REMOVE,
317 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
318 	.flags = GENL_ADMIN_PERM,
319 	.doit = netlbl_calipso_remove,
320 	.dumpit = NULL,
321 	},
322 	{
323 	.cmd = NLBL_CALIPSO_C_LIST,
324 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
325 	.flags = 0,
326 	.doit = netlbl_calipso_list,
327 	.dumpit = NULL,
328 	},
329 	{
330 	.cmd = NLBL_CALIPSO_C_LISTALL,
331 	.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
332 	.flags = 0,
333 	.doit = NULL,
334 	.dumpit = netlbl_calipso_listall,
335 	},
336 };
337 
338 static struct genl_family netlbl_calipso_gnl_family __ro_after_init = {
339 	.hdrsize = 0,
340 	.name = NETLBL_NLTYPE_CALIPSO_NAME,
341 	.version = NETLBL_PROTO_VERSION,
342 	.maxattr = NLBL_CALIPSO_A_MAX,
343 	.policy = calipso_genl_policy,
344 	.module = THIS_MODULE,
345 	.small_ops = netlbl_calipso_ops,
346 	.n_small_ops = ARRAY_SIZE(netlbl_calipso_ops),
347 };
348 
349 /* NetLabel Generic NETLINK Protocol Functions
350  */
351 
352 /**
353  * netlbl_calipso_genl_init - Register the CALIPSO NetLabel component
354  *
355  * Description:
356  * Register the CALIPSO packet NetLabel component with the Generic NETLINK
357  * mechanism.  Returns zero on success, negative values on failure.
358  *
359  */
netlbl_calipso_genl_init(void)360 int __init netlbl_calipso_genl_init(void)
361 {
362 	return genl_register_family(&netlbl_calipso_gnl_family);
363 }
364 
365 static const struct netlbl_calipso_ops *calipso_ops;
366 
367 /**
368  * netlbl_calipso_ops_register - Register the CALIPSO operations
369  *
370  * Description:
371  * Register the CALIPSO packet engine operations.
372  *
373  */
374 const struct netlbl_calipso_ops *
netlbl_calipso_ops_register(const struct netlbl_calipso_ops * ops)375 netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops)
376 {
377 	return xchg(&calipso_ops, ops);
378 }
379 EXPORT_SYMBOL(netlbl_calipso_ops_register);
380 
netlbl_calipso_ops_get(void)381 static const struct netlbl_calipso_ops *netlbl_calipso_ops_get(void)
382 {
383 	return READ_ONCE(calipso_ops);
384 }
385 
386 /**
387  * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine
388  * @doi_def: the DOI structure
389  * @audit_info: NetLabel audit information
390  *
391  * Description:
392  * The caller defines a new DOI for use by the CALIPSO engine and calls this
393  * function to add it to the list of acceptable domains.  The caller must
394  * ensure that the mapping table specified in @doi_def->map meets all of the
395  * requirements of the mapping type (see calipso.h for details).  Returns
396  * zero on success and non-zero on failure.
397  *
398  */
calipso_doi_add(struct calipso_doi * doi_def,struct netlbl_audit * audit_info)399 int calipso_doi_add(struct calipso_doi *doi_def,
400 		    struct netlbl_audit *audit_info)
401 {
402 	int ret_val = -ENOMSG;
403 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
404 
405 	if (ops)
406 		ret_val = ops->doi_add(doi_def, audit_info);
407 	return ret_val;
408 }
409 
410 /**
411  * calipso_doi_free - Frees a DOI definition
412  * @doi_def: the DOI definition
413  *
414  * Description:
415  * This function frees all of the memory associated with a DOI definition.
416  *
417  */
calipso_doi_free(struct calipso_doi * doi_def)418 void calipso_doi_free(struct calipso_doi *doi_def)
419 {
420 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
421 
422 	if (ops)
423 		ops->doi_free(doi_def);
424 }
425 
426 /**
427  * calipso_doi_remove - Remove an existing DOI from the CALIPSO protocol engine
428  * @doi: the DOI value
429  * @audit_info: NetLabel audit information
430  *
431  * Description:
432  * Removes a DOI definition from the CALIPSO engine.  The NetLabel routines will
433  * be called to release their own LSM domain mappings as well as our own
434  * domain list.  Returns zero on success and negative values on failure.
435  *
436  */
calipso_doi_remove(u32 doi,struct netlbl_audit * audit_info)437 int calipso_doi_remove(u32 doi, struct netlbl_audit *audit_info)
438 {
439 	int ret_val = -ENOMSG;
440 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
441 
442 	if (ops)
443 		ret_val = ops->doi_remove(doi, audit_info);
444 	return ret_val;
445 }
446 
447 /**
448  * calipso_doi_getdef - Returns a reference to a valid DOI definition
449  * @doi: the DOI value
450  *
451  * Description:
452  * Searches for a valid DOI definition and if one is found it is returned to
453  * the caller.  Otherwise NULL is returned.  The caller must ensure that
454  * calipso_doi_putdef() is called when the caller is done.
455  *
456  */
calipso_doi_getdef(u32 doi)457 struct calipso_doi *calipso_doi_getdef(u32 doi)
458 {
459 	struct calipso_doi *ret_val = NULL;
460 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
461 
462 	if (ops)
463 		ret_val = ops->doi_getdef(doi);
464 	return ret_val;
465 }
466 
467 /**
468  * calipso_doi_putdef - Releases a reference for the given DOI definition
469  * @doi_def: the DOI definition
470  *
471  * Description:
472  * Releases a DOI definition reference obtained from calipso_doi_getdef().
473  *
474  */
calipso_doi_putdef(struct calipso_doi * doi_def)475 void calipso_doi_putdef(struct calipso_doi *doi_def)
476 {
477 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
478 
479 	if (ops)
480 		ops->doi_putdef(doi_def);
481 }
482 
483 /**
484  * calipso_doi_walk - Iterate through the DOI definitions
485  * @skip_cnt: skip past this number of DOI definitions, updated
486  * @callback: callback for each DOI definition
487  * @cb_arg: argument for the callback function
488  *
489  * Description:
490  * Iterate over the DOI definition list, skipping the first @skip_cnt entries.
491  * For each entry call @callback, if @callback returns a negative value stop
492  * 'walking' through the list and return.  Updates the value in @skip_cnt upon
493  * return.  Returns zero on success, negative values on failure.
494  *
495  */
calipso_doi_walk(u32 * skip_cnt,int (* callback)(struct calipso_doi * doi_def,void * arg),void * cb_arg)496 int calipso_doi_walk(u32 *skip_cnt,
497 		     int (*callback)(struct calipso_doi *doi_def, void *arg),
498 		     void *cb_arg)
499 {
500 	int ret_val = -ENOMSG;
501 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
502 
503 	if (ops)
504 		ret_val = ops->doi_walk(skip_cnt, callback, cb_arg);
505 	return ret_val;
506 }
507 
508 /**
509  * calipso_sock_getattr - Get the security attributes from a sock
510  * @sk: the sock
511  * @secattr: the security attributes
512  *
513  * Description:
514  * Query @sk to see if there is a CALIPSO option attached to the sock and if
515  * there is return the CALIPSO security attributes in @secattr.  This function
516  * requires that @sk be locked, or privately held, but it does not do any
517  * locking itself.  Returns zero on success and negative values on failure.
518  *
519  */
calipso_sock_getattr(struct sock * sk,struct netlbl_lsm_secattr * secattr)520 int calipso_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
521 {
522 	int ret_val = -ENOMSG;
523 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
524 
525 	if (ops)
526 		ret_val = ops->sock_getattr(sk, secattr);
527 	return ret_val;
528 }
529 
530 /**
531  * calipso_sock_setattr - Add a CALIPSO option to a socket
532  * @sk: the socket
533  * @doi_def: the CALIPSO DOI to use
534  * @secattr: the specific security attributes of the socket
535  *
536  * Description:
537  * Set the CALIPSO option on the given socket using the DOI definition and
538  * security attributes passed to the function.  This function requires
539  * exclusive access to @sk, which means it either needs to be in the
540  * process of being created or locked.  Returns zero on success and negative
541  * values on failure.
542  *
543  */
calipso_sock_setattr(struct sock * sk,const struct calipso_doi * doi_def,const struct netlbl_lsm_secattr * secattr)544 int calipso_sock_setattr(struct sock *sk,
545 			 const struct calipso_doi *doi_def,
546 			 const struct netlbl_lsm_secattr *secattr)
547 {
548 	int ret_val = -ENOMSG;
549 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
550 
551 	if (ops)
552 		ret_val = ops->sock_setattr(sk, doi_def, secattr);
553 	return ret_val;
554 }
555 
556 /**
557  * calipso_sock_delattr - Delete the CALIPSO option from a socket
558  * @sk: the socket
559  *
560  * Description:
561  * Removes the CALIPSO option from a socket, if present.
562  *
563  */
calipso_sock_delattr(struct sock * sk)564 void calipso_sock_delattr(struct sock *sk)
565 {
566 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
567 
568 	if (ops)
569 		ops->sock_delattr(sk);
570 }
571 
572 /**
573  * calipso_req_setattr - Add a CALIPSO option to a connection request socket
574  * @req: the connection request socket
575  * @doi_def: the CALIPSO DOI to use
576  * @secattr: the specific security attributes of the socket
577  *
578  * Description:
579  * Set the CALIPSO option on the given socket using the DOI definition and
580  * security attributes passed to the function.  Returns zero on success and
581  * negative values on failure.
582  *
583  */
calipso_req_setattr(struct request_sock * req,const struct calipso_doi * doi_def,const struct netlbl_lsm_secattr * secattr)584 int calipso_req_setattr(struct request_sock *req,
585 			const struct calipso_doi *doi_def,
586 			const struct netlbl_lsm_secattr *secattr)
587 {
588 	int ret_val = -ENOMSG;
589 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
590 
591 	if (ops)
592 		ret_val = ops->req_setattr(req, doi_def, secattr);
593 	return ret_val;
594 }
595 
596 /**
597  * calipso_req_delattr - Delete the CALIPSO option from a request socket
598  * @req: the request socket
599  *
600  * Description:
601  * Removes the CALIPSO option from a request socket, if present.
602  *
603  */
calipso_req_delattr(struct request_sock * req)604 void calipso_req_delattr(struct request_sock *req)
605 {
606 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
607 
608 	if (ops)
609 		ops->req_delattr(req);
610 }
611 
612 /**
613  * calipso_optptr - Find the CALIPSO option in the packet
614  * @skb: the packet
615  *
616  * Description:
617  * Parse the packet's IP header looking for a CALIPSO option.  Returns a pointer
618  * to the start of the CALIPSO option on success, NULL if one if not found.
619  *
620  */
calipso_optptr(const struct sk_buff * skb)621 unsigned char *calipso_optptr(const struct sk_buff *skb)
622 {
623 	unsigned char *ret_val = NULL;
624 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
625 
626 	if (ops)
627 		ret_val = ops->skbuff_optptr(skb);
628 	return ret_val;
629 }
630 
631 /**
632  * calipso_getattr - Get the security attributes from a memory block.
633  * @calipso: the CALIPSO option
634  * @secattr: the security attributes
635  *
636  * Description:
637  * Inspect @calipso and return the security attributes in @secattr.
638  * Returns zero on success and negative values on failure.
639  *
640  */
calipso_getattr(const unsigned char * calipso,struct netlbl_lsm_secattr * secattr)641 int calipso_getattr(const unsigned char *calipso,
642 		    struct netlbl_lsm_secattr *secattr)
643 {
644 	int ret_val = -ENOMSG;
645 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
646 
647 	if (ops)
648 		ret_val = ops->opt_getattr(calipso, secattr);
649 	return ret_val;
650 }
651 
652 /**
653  * calipso_skbuff_setattr - Set the CALIPSO option on a packet
654  * @skb: the packet
655  * @doi_def: the CALIPSO DOI to use
656  * @secattr: the security attributes
657  *
658  * Description:
659  * Set the CALIPSO option on the given packet based on the security attributes.
660  * Returns a pointer to the IP header on success and NULL on failure.
661  *
662  */
calipso_skbuff_setattr(struct sk_buff * skb,const struct calipso_doi * doi_def,const struct netlbl_lsm_secattr * secattr)663 int calipso_skbuff_setattr(struct sk_buff *skb,
664 			   const struct calipso_doi *doi_def,
665 			   const struct netlbl_lsm_secattr *secattr)
666 {
667 	int ret_val = -ENOMSG;
668 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
669 
670 	if (ops)
671 		ret_val = ops->skbuff_setattr(skb, doi_def, secattr);
672 	return ret_val;
673 }
674 
675 /**
676  * calipso_skbuff_delattr - Delete any CALIPSO options from a packet
677  * @skb: the packet
678  *
679  * Description:
680  * Removes any and all CALIPSO options from the given packet.  Returns zero on
681  * success, negative values on failure.
682  *
683  */
calipso_skbuff_delattr(struct sk_buff * skb)684 int calipso_skbuff_delattr(struct sk_buff *skb)
685 {
686 	int ret_val = -ENOMSG;
687 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
688 
689 	if (ops)
690 		ret_val = ops->skbuff_delattr(skb);
691 	return ret_val;
692 }
693 
694 /**
695  * calipso_cache_invalidate - Invalidates the current CALIPSO cache
696  *
697  * Description:
698  * Invalidates and frees any entries in the CALIPSO cache.  Returns zero on
699  * success and negative values on failure.
700  *
701  */
calipso_cache_invalidate(void)702 void calipso_cache_invalidate(void)
703 {
704 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
705 
706 	if (ops)
707 		ops->cache_invalidate();
708 }
709 
710 /**
711  * calipso_cache_add - Add an entry to the CALIPSO cache
712  * @calipso_ptr: the CALIPSO option
713  * @secattr: the packet's security attributes
714  *
715  * Description:
716  * Add a new entry into the CALIPSO label mapping cache.
717  * Returns zero on success, negative values on failure.
718  *
719  */
calipso_cache_add(const unsigned char * calipso_ptr,const struct netlbl_lsm_secattr * secattr)720 int calipso_cache_add(const unsigned char *calipso_ptr,
721 		      const struct netlbl_lsm_secattr *secattr)
722 
723 {
724 	int ret_val = -ENOMSG;
725 	const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
726 
727 	if (ops)
728 		ret_val = ops->cache_add(calipso_ptr, secattr);
729 	return ret_val;
730 }
731