Skip to content

L
linux

xiphi1978 / linux

通知 2
Star 0
Fork 0
L
linux

体验新版 GitCode,发现更多精彩内容 >>

提交 7e472020 编写于 作者: L Linus Torvalds
浏览文件
操作

Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 

* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [NetLabel]: update docs with website information
  [NetLabel]: rework the Netlink attribute handling (part 2)
  [NetLabel]: rework the Netlink attribute handling (part 1)
  [Netlink]: add nla_validate_nested()
  [NETLINK]: add nla_for_each_nested() to the interface list
  [NetLabel]: change the SELinux permissions
  [NetLabel]: make the CIPSOv4 cache spinlocks bottom half safe
  [NetLabel]: correct improper handling of non-NetLabel peer contexts
  [TCP]: make cubic the default
  [TCP]: default congestion control menu
  [ATM] he: Fix __init/__devinit conflict
  [NETFILTER]: Add dscp,DSCP headers to header-y
  [DCCP]: Introduce dccp_probe
  [DCCP]: Use constants for CCIDs
  [DCCP]: Introduce constants for CCID numbers
  [DCCP]: Allow default/fallback service code.
上级 7b29122f 4cc67735
展开全部 隐藏空白更改
内联 并排
Showing with 1389 addition and 1505 deletion
Documentation/networking/dccp.txt
浏览文件 @ 7e472020
DCCP protocol
============
Last updated: 10 November 2005
Contents
========
......@@ -42,8 +41,11 @@ Socket options
DCCP_SOCKOPT_PACKET_SIZE is used for CCID3 to set default packet size for
calculations.
DCCP_SOCKOPT_SERVICE sets the service. This is compulsory as per the
specification. If you don't set it you will get EPROTO.
DCCP_SOCKOPT_SERVICE sets the service. The specification mandates use of
service codes (RFC 4340, sec. 8.1.2); if this socket option is not set,
the socket will fall back to 0 (which means that no meaningful service code
is present). Connecting sockets set at most one service option; for
listening sockets, multiple service codes can be specified.
Notes
=====
......
MAINTAINERS
浏览文件 @ 7e472020
......@@ -2031,6 +2031,13 @@ L: netfilter@lists.netfilter.org
L: netfilter-devel@lists.netfilter.org
S: Supported
NETLABEL
P: Paul Moore
M: paul.moore@hp.com
W: http://netlabel.sf.net
L: netdev@vger.kernel.org
S: Supported
NETROM NETWORK LAYER
P: Ralf Baechle
M: ralf@linux-mips.org
......
drivers/atm/he.c
浏览文件 @ 7e472020
......@@ -454,7 +454,7 @@ rate_to_atmf(unsigned rate) /* cps to atm forum format */
return (NONZERO | (exp << 9) | (rate & 0x1ff));
}
static void __init
static void __devinit
he_init_rx_lbfp0(struct he_dev *he_dev)
{
unsigned i, lbm_offset, lbufd_index, lbuf_addr, lbuf_count;
......@@ -485,7 +485,7 @@ he_init_rx_lbfp0(struct he_dev *he_dev)
he_writel(he_dev, he_dev->r0_numbuffs, RLBF0_C);
}
static void __init
static void __devinit
he_init_rx_lbfp1(struct he_dev *he_dev)
{
unsigned i, lbm_offset, lbufd_index, lbuf_addr, lbuf_count;
......@@ -516,7 +516,7 @@ he_init_rx_lbfp1(struct he_dev *he_dev)
he_writel(he_dev, he_dev->r1_numbuffs, RLBF1_C);
}
static void __init
static void __devinit
he_init_tx_lbfp(struct he_dev *he_dev)
{
unsigned i, lbm_offset, lbufd_index, lbuf_addr, lbuf_count;
......@@ -546,7 +546,7 @@ he_init_tx_lbfp(struct he_dev *he_dev)
he_writel(he_dev, lbufd_index - 1, TLBF_T);
}
static int __init
static int __devinit
he_init_tpdrq(struct he_dev *he_dev)
{
he_dev->tpdrq_base = pci_alloc_consistent(he_dev->pci_dev,
......@@ -568,7 +568,7 @@ he_init_tpdrq(struct he_dev *he_dev)
return 0;
}
static void __init
static void __devinit
he_init_cs_block(struct he_dev *he_dev)
{
unsigned clock, rate, delta;
......@@ -664,7 +664,7 @@ he_init_cs_block(struct he_dev *he_dev)
}
static int __init
static int __devinit
he_init_cs_block_rcm(struct he_dev *he_dev)
{
unsigned (*rategrid)[16][16];
......@@ -785,7 +785,7 @@ he_init_cs_block_rcm(struct he_dev *he_dev)
return 0;
}
static int __init
static int __devinit
he_init_group(struct he_dev *he_dev, int group)
{
int i;
......@@ -955,7 +955,7 @@ he_init_group(struct he_dev *he_dev, int group)
return 0;
}
static int __init
static int __devinit
he_init_irq(struct he_dev *he_dev)
{
int i;
......
include/linux/dccp.h
浏览文件 @ 7e472020
......@@ -169,6 +169,12 @@ enum {
DCCPO_MAX_CCID_SPECIFIC = 255,
};
/* DCCP CCIDS */
enum {
DCCPC_CCID2 = 2,
DCCPC_CCID3 = 3,
};
/* DCCP features */
enum {
DCCPF_RESERVED = 0,
......@@ -320,7 +326,7 @@ static inline unsigned int dccp_hdr_len(const struct sk_buff *skb)
/* initial values for each feature */
#define DCCPF_INITIAL_SEQUENCE_WINDOW 100
#define DCCPF_INITIAL_ACK_RATIO 2
#define DCCPF_INITIAL_CCID 2
#define DCCPF_INITIAL_CCID DCCPC_CCID2
#define DCCPF_INITIAL_SEND_ACK_VECTOR 1
/* FIXME: for now we're default to 1 but it should really be 0 */
#define DCCPF_INITIAL_SEND_NDP_COUNT 1
......@@ -404,6 +410,7 @@ struct dccp_service_list {
};
#define DCCP_SERVICE_INVALID_VALUE htonl((__u32)-1)
#define DCCP_SERVICE_CODE_IS_ABSENT 0
static inline int dccp_list_has_service(const struct dccp_service_list *sl,
const __be32 service)
......@@ -484,11 +491,6 @@ static inline struct dccp_minisock *dccp_msk(const struct sock *sk)
return (struct dccp_minisock *)&dccp_sk(sk)->dccps_minisock;
}
static inline int dccp_service_not_initialized(const struct sock *sk)
{
return dccp_sk(sk)->dccps_service == DCCP_SERVICE_INVALID_VALUE;
}
static inline const char *dccp_role(const struct sock *sk)
{
switch (dccp_sk(sk)->dccps_role) {
......
include/linux/netfilter/Kbuild
浏览文件 @ 7e472020
......@@ -10,6 +10,8 @@ header-y += xt_connmark.h
header-y += xt_CONNMARK.h
header-y += xt_conntrack.h
header-y += xt_dccp.h
header-y += xt_dscp.h
header-y += xt_DSCP.h
header-y += xt_esp.h
header-y += xt_helper.h
header-y += xt_length.h
......
include/net/cipso_ipv4.h
浏览文件 @ 7e472020
......@@ -130,8 +130,9 @@ extern int cipso_v4_rbm_strictvalid;
int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
int cipso_v4_doi_remove(u32 doi, void (*callback) (struct rcu_head * head));
struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
struct sk_buff *cipso_v4_doi_dump_all(size_t headroom);
struct sk_buff *cipso_v4_doi_dump(u32 doi, size_t headroom);
int cipso_v4_doi_walk(u32 *skip_cnt,
int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
void *cb_arg);
int cipso_v4_doi_domhsh_add(struct cipso_v4_doi *doi_def, const char *domain);
int cipso_v4_doi_domhsh_remove(struct cipso_v4_doi *doi_def,
const char *domain);
......@@ -152,14 +153,11 @@ static inline struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
return NULL;
}
static inline struct sk_buff *cipso_v4_doi_dump_all(size_t headroom)
static inline int cipso_v4_doi_walk(u32 *skip_cnt,
int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
void *cb_arg)
{
return NULL;
}
static inline struct sk_buff *cipso_v4_doi_dump(u32 doi, size_t headroom)
{
return NULL;
return 0;
}
static inline int cipso_v4_doi_domhsh_add(struct cipso_v4_doi *doi_def,
......@@ -205,6 +203,7 @@ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
int cipso_v4_socket_setattr(const struct socket *sock,
const struct cipso_v4_doi *doi_def,
const struct netlbl_lsm_secattr *secattr);
int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
int cipso_v4_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr);
int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
......@@ -225,6 +224,12 @@ static inline int cipso_v4_socket_setattr(const struct socket *sock,
return -ENOSYS;
}
static inline int cipso_v4_sock_getattr(struct sock *sk,
struct netlbl_lsm_secattr *secattr)
{
return -ENOSYS;
}
static inline int cipso_v4_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
{
......
include/net/netlabel.h
浏览文件 @ 7e472020
......@@ -57,9 +57,8 @@
* The payload is dependent on the subsystem specified in the
* 'nlmsghdr->nlmsg_type' and should be defined below, supporting functions
* should be defined in the corresponding net/netlabel/netlabel_<subsys>.h|c
* file. All of the fields in the NetLabel payload are NETLINK attributes, the
* length of each field is the length of the NETLINK attribute payload, see
* include/net/netlink.h for more information on NETLINK attributes.
* file. All of the fields in the NetLabel payload are NETLINK attributes, see
* the include/net/netlink.h file for more information on NETLINK attributes.
*
*/
......@@ -82,50 +81,6 @@
#define NETLBL_NLTYPE_UNLABELED 5
#define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL"
/* NetLabel return codes */
#define NETLBL_E_OK 0
/*
* Helper functions
*/
#define NETLBL_LEN_U8 nla_total_size(sizeof(u8))
#define NETLBL_LEN_U16 nla_total_size(sizeof(u16))
#define NETLBL_LEN_U32 nla_total_size(sizeof(u32))
/**
* netlbl_netlink_alloc_skb - Allocate a NETLINK message buffer
* @head: the amount of headroom in bytes
* @body: the desired size (minus headroom) in bytes
* @gfp_flags: the alloc flags to pass to alloc_skb()
*
* Description:
* Allocate a NETLINK message buffer based on the sizes given in @head and
* @body. If @head is greater than zero skb_reserve() is called to reserve
* @head bytes at the start of the buffer. Returns a valid sk_buff pointer on
* success, NULL on failure.
*
*/
static inline struct sk_buff *netlbl_netlink_alloc_skb(size_t head,
size_t body,
gfp_t gfp_flags)
{
struct sk_buff *skb;
skb = alloc_skb(NLMSG_ALIGN(head + body), gfp_flags);
if (skb == NULL)
return NULL;
if (head > 0) {
skb_reserve(skb, head);
if (skb_tailroom(skb) < body) {
kfree_skb(skb);
return NULL;
}
}
return skb;
}
/*
* NetLabel - Kernel API for accessing the network packet label mappings.
*
......@@ -238,6 +193,8 @@ static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr,
#ifdef CONFIG_NETLABEL
int netlbl_socket_setattr(const struct socket *sock,
const struct netlbl_lsm_secattr *secattr);
int netlbl_sock_getattr(struct sock *sk,
struct netlbl_lsm_secattr *secattr);
int netlbl_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr);
int netlbl_skbuff_getattr(const struct sk_buff *skb,
......@@ -250,6 +207,12 @@ static inline int netlbl_socket_setattr(const struct socket *sock,
return -ENOSYS;
}
static inline int netlbl_sock_getattr(struct sock *sk,
struct netlbl_lsm_secattr *secattr)
{
return -ENOSYS;
}
static inline int netlbl_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
{
......
include/net/netlink.h
浏览文件 @ 7e472020
......@@ -146,11 +146,13 @@
* nla_ok(nla, remaining) does nla fit into remaining bytes?
* nla_next(nla, remaining) get next netlink attribute
* nla_validate() validate a stream of attributes
* nla_validate_nested() validate a stream of nested attributes
* nla_find() find attribute in stream of attributes
* nla_find_nested() find attribute in nested attributes
* nla_parse() parse and validate stream of attrs
* nla_parse_nested() parse nested attribuets
* nla_for_each_attr() loop over all attributes
* nla_for_each_nested() loop over the nested attributes
*=========================================================================
*/
......@@ -949,6 +951,24 @@ static inline int nla_nest_cancel(struct sk_buff *skb, struct nlattr *start)
return nlmsg_trim(skb, start);
}
/**
* nla_validate_nested - Validate a stream of nested attributes
* @start: container attribute
* @maxtype: maximum attribute type to be expected
* @policy: validation policy
*
* Validates all attributes in the nested attribute stream against the
* specified policy. Attributes with a type exceeding maxtype will be
* ignored. See documenation of struct nla_policy for more details.
*
* Returns 0 on success or a negative error code.
*/
static inline int nla_validate_nested(struct nlattr *start, int maxtype,
struct nla_policy *policy)
{
return nla_validate(nla_data(start), nla_len(start), maxtype, policy);
}
/**
* nla_for_each_attr - iterate over a stream of attributes
* @pos: loop counter, set to current attribute
......
net/dccp/Kconfig
浏览文件 @ 7e472020
......@@ -40,6 +40,22 @@ config IP_DCCP_DEBUG
Just say N.
config NET_DCCPPROBE
tristate "DCCP connection probing"
depends on PROC_FS && KPROBES
---help---
This module allows for capturing the changes to DCCP connection
state in response to incoming packets. It is used for debugging
DCCP congestion avoidance modules. If you don't understand
what was just said, you don't need it: say N.
Documentation on how to use the packet generator can be found
at http://linux-net.osdl.org/index.php/DccpProbe
To compile this code as a module, choose M here: the
module will be called dccp_probe.
endmenu
endmenu
net/dccp/Makefile
浏览文件 @ 7e472020
......@@ -11,9 +11,11 @@ dccp_ipv4-y := ipv4.o
dccp-$(CONFIG_IP_DCCP_ACKVEC) += ackvec.o
obj-$(CONFIG_INET_DCCP_DIAG) += dccp_diag.o
obj-$(CONFIG_NET_DCCPPROBE) += dccp_probe.o
dccp-$(CONFIG_SYSCTL) += sysctl.o
dccp_diag-y := diag.o
dccp_probe-y := probe.o
obj-y += ccids/
net/dccp/ccids/ccid2.c
浏览文件 @ 7e472020
......@@ -808,7 +808,7 @@ static void ccid2_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
}
static struct ccid_operations ccid2 = {
.ccid_id = 2,
.ccid_id = DCCPC_CCID2,
.ccid_name = "ccid2",
.ccid_owner = THIS_MODULE,
.ccid_hc_tx_obj_size = sizeof(struct ccid2_hc_tx_sock),
......
net/dccp/ccids/ccid3.c
浏览文件 @ 7e472020
......@@ -1240,7 +1240,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len,
}
static struct ccid_operations ccid3 = {
.ccid_id = 3,
.ccid_id = DCCPC_CCID3,
.ccid_name = "ccid3",
.ccid_owner = THIS_MODULE,
.ccid_hc_tx_obj_size = sizeof(struct ccid3_hc_tx_sock),
......
net/dccp/ipv4.c
浏览文件 @ 7e472020
......@@ -56,9 +56,6 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
dp->dccps_role = DCCP_ROLE_CLIENT;
if (dccp_service_not_initialized(sk))
return -EPROTO;
if (addr_len < sizeof(struct sockaddr_in))
return -EINVAL;
......
net/dccp/probe.c 0 → 100644
浏览文件 @ 7e472020
/*
* dccp_probe - Observe the DCCP flow with kprobes.
*
* The idea for this came from Werner Almesberger's umlsim
* Copyright (C) 2004, Stephen Hemminger <shemminger@osdl.org>
*
* Modified for DCCP from Stephen Hemminger's code
* Copyright (C) 2006, Ian McDonald <ian.mcdonald@jandi.co.nz>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/socket.h>
#include <linux/dccp.h>
#include <linux/proc_fs.h>
#include <linux/module.h>
#include <linux/kfifo.h>
#include <linux/vmalloc.h>
#include "dccp.h"
#include "ccid.h"
#include "ccids/ccid3.h"
static int port;
static int bufsize = 64 * 1024;
static const char procname[] = "dccpprobe";
struct {
struct kfifo *fifo;
spinlock_t lock;
wait_queue_head_t wait;
struct timeval tstart;
} dccpw;
static void printl(const char *fmt, ...)
{
va_list args;
int len;
struct timeval now;
char tbuf[256];
va_start(args, fmt);
do_gettimeofday(&now);
now.tv_sec -= dccpw.tstart.tv_sec;
now.tv_usec -= dccpw.tstart.tv_usec;
if (now.tv_usec < 0) {
--now.tv_sec;
now.tv_usec += 1000000;
}
len = sprintf(tbuf, "%lu.%06lu ",
(unsigned long) now.tv_sec,
(unsigned long) now.tv_usec);
len += vscnprintf(tbuf+len, sizeof(tbuf)-len, fmt, args);
va_end(args);
kfifo_put(dccpw.fifo, tbuf, len);
wake_up(&dccpw.wait);
}
static int jdccp_sendmsg(struct kiocb *iocb, struct sock *sk,
struct msghdr *msg, size_t size)
{
const struct dccp_minisock *dmsk = dccp_msk(sk);
const struct inet_sock *inet = inet_sk(sk);
const struct ccid3_hc_tx_sock *hctx;
if (dmsk->dccpms_tx_ccid == DCCPC_CCID3)
hctx = ccid3_hc_tx_sk(sk);
else
hctx = NULL;
if (port == 0 || ntohs(inet->dport) == port ||
ntohs(inet->sport) == port) {
if (hctx)
printl("%d.%d.%d.%d:%u %d.%d.%d.%d:%u %d %d %d %d %d\n",
NIPQUAD(inet->saddr), ntohs(inet->sport),
NIPQUAD(inet->daddr), ntohs(inet->dport), size,
hctx->ccid3hctx_s, hctx->ccid3hctx_rtt,
hctx->ccid3hctx_p, hctx->ccid3hctx_t_ipi);
else
printl("%d.%d.%d.%d:%u %d.%d.%d.%d:%u %d\n",
NIPQUAD(inet->saddr), ntohs(inet->sport),
NIPQUAD(inet->daddr), ntohs(inet->dport), size);
}
jprobe_return();
return 0;
}
static struct jprobe dccp_send_probe = {
.kp = { .addr = (kprobe_opcode_t *)&dccp_sendmsg, },
.entry = (kprobe_opcode_t *)&jdccp_sendmsg,
};
static int dccpprobe_open(struct inode *inode, struct file *file)
{
kfifo_reset(dccpw.fifo);
do_gettimeofday(&dccpw.tstart);
return 0;
}
static ssize_t dccpprobe_read(struct file *file, char __user *buf,
size_t len, loff_t *ppos)
{
int error = 0, cnt = 0;
unsigned char *tbuf;
if (!buf || len < 0)
return -EINVAL;
if (len == 0)
return 0;
tbuf = vmalloc(len);
if (!tbuf)
return -ENOMEM;
error = wait_event_interruptible(dccpw.wait,
__kfifo_len(dccpw.fifo) != 0);
if (error)
goto out_free;
cnt = kfifo_get(dccpw.fifo, tbuf, len);
error = copy_to_user(buf, tbuf, cnt);
out_free:
vfree(tbuf);
return error ? error : cnt;
}
static struct file_operations dccpprobe_fops = {
.owner = THIS_MODULE,
.open = dccpprobe_open,
.read = dccpprobe_read,
};
static __init int dccpprobe_init(void)
{
int ret = -ENOMEM;
init_waitqueue_head(&dccpw.wait);
spin_lock_init(&dccpw.lock);
dccpw.fifo = kfifo_alloc(bufsize, GFP_KERNEL, &dccpw.lock);
if (!proc_net_fops_create(procname, S_IRUSR, &dccpprobe_fops))
goto err0;
ret = register_jprobe(&dccp_send_probe);
if (ret)
goto err1;
pr_info("DCCP watch registered (port=%d)\n", port);
return 0;
err1:
proc_net_remove(procname);
err0:
kfifo_free(dccpw.fifo);
return ret;
}
module_init(dccpprobe_init);
static __exit void dccpprobe_exit(void)
{
kfifo_free(dccpw.fifo);
proc_net_remove(procname);
unregister_jprobe(&dccp_send_probe);
}
module_exit(dccpprobe_exit);
MODULE_PARM_DESC(port, "Port to match (0=all)");
module_param(port, int, 0);
MODULE_PARM_DESC(bufsize, "Log buffer size (default 64k)");
module_param(bufsize, int, 0);
MODULE_AUTHOR("Ian McDonald <ian.mcdonald@jandi.co.nz>");
MODULE_DESCRIPTION("DCCP snooper");
MODULE_LICENSE("GPL");
net/dccp/proto.c
浏览文件 @ 7e472020
......@@ -217,7 +217,7 @@ int dccp_init_sock(struct sock *sk, const __u8 ctl_sock_initialized)
icsk->icsk_sync_mss = dccp_sync_mss;
dp->dccps_mss_cache = 536;
dp->dccps_role = DCCP_ROLE_UNDEFINED;
dp->dccps_service = DCCP_SERVICE_INVALID_VALUE;
dp->dccps_service = DCCP_SERVICE_CODE_IS_ABSENT;
dp->dccps_l_ack_ratio = dp->dccps_r_ack_ratio = 1;
return 0;
......@@ -267,12 +267,6 @@ static inline int dccp_listen_start(struct sock *sk)
struct dccp_sock *dp = dccp_sk(sk);
dp->dccps_role = DCCP_ROLE_LISTEN;
/*
* Apps need to use setsockopt(DCCP_SOCKOPT_SERVICE)
* before calling listen()
*/
if (dccp_service_not_initialized(sk))
return -EPROTO;
return inet_csk_listen_start(sk, TCP_SYNQ_HSIZE);
}
......@@ -540,9 +534,6 @@ static int dccp_getsockopt_service(struct sock *sk, int len,
int err = -ENOENT, slen = 0, total_len = sizeof(u32);
lock_sock(sk);
if (dccp_service_not_initialized(sk))
goto out;
if ((sl = dp->dccps_service_list) != NULL) {
slen = sl->dccpsl_nr * sizeof(u32);
total_len += slen;
......
net/ipv4/Kconfig
浏览文件 @ 7e472020
......@@ -448,24 +448,22 @@ config INET_TCP_DIAG
depends on INET_DIAG
def_tristate INET_DIAG
config TCP_CONG_ADVANCED
menuconfig TCP_CONG_ADVANCED
bool "TCP: advanced congestion control"
---help---
Support for selection of various TCP congestion control
modules.
Nearly all users can safely say no here, and a safe default
selection will be made (BIC-TCP with new Reno as a fallback).
selection will be made (CUBIC with new Reno as a fallback).
If unsure, say N.
# TCP Reno is builtin (required as fallback)
menu "TCP congestion control"
depends on TCP_CONG_ADVANCED
if TCP_CONG_ADVANCED
config TCP_CONG_BIC
tristate "Binary Increase Congestion (BIC) control"
default y
default m
---help---
BIC-TCP is a sender-side only change that ensures a linear RTT
fairness under large windows while offering both scalability and
......@@ -479,7 +477,7 @@ config TCP_CONG_BIC
config TCP_CONG_CUBIC
tristate "CUBIC TCP"
default m
default y
---help---
This is version 2.0 of BIC-TCP which uses a cubic growth function
among other techniques.
......@@ -574,12 +572,49 @@ config TCP_CONG_VENO
loss packets.
See http://www.ntu.edu.sg/home5/ZHOU0022/papers/CPFu03a.pdf
endmenu
choice
prompt "Default TCP congestion control"
default DEFAULT_CUBIC
help
Select the TCP congestion control that will be used by default
for all connections.
config TCP_CONG_BIC
config DEFAULT_BIC
bool "Bic" if TCP_CONG_BIC=y
config DEFAULT_CUBIC
bool "Cubic" if TCP_CONG_CUBIC=y
config DEFAULT_HTCP
bool "Htcp" if TCP_CONG_HTCP=y
config DEFAULT_VEGAS
bool "Vegas" if TCP_CONG_VEGAS=y
config DEFAULT_WESTWOOD
bool "Westwood" if TCP_CONG_WESTWOOD=y
config DEFAULT_RENO
bool "Reno"
endchoice
endif
config TCP_CONG_CUBIC
tristate
depends on !TCP_CONG_ADVANCED
default y
config DEFAULT_TCP_CONG
string
default "bic" if DEFAULT_BIC
default "cubic" if DEFAULT_CUBIC
default "htcp" if DEFAULT_HTCP
default "vegas" if DEFAULT_VEGAS
default "westwood" if DEFAULT_WESTWOOD
default "reno" if DEFAULT_RENO
default "cubic"
source "net/ipv4/ipvs/Kconfig"
net/ipv4/cipso_ipv4.c
浏览文件 @ 7e472020
......@@ -259,7 +259,7 @@ void cipso_v4_cache_invalidate(void)
u32 iter;
for (iter = 0; iter < CIPSO_V4_CACHE_BUCKETS; iter++) {
spin_lock(&cipso_v4_cache[iter].lock);
spin_lock_bh(&cipso_v4_cache[iter].lock);
list_for_each_entry_safe(entry,
tmp_entry,
&cipso_v4_cache[iter].list, list) {
......@@ -267,7 +267,7 @@ void cipso_v4_cache_invalidate(void)
cipso_v4_cache_entry_free(entry);
}
cipso_v4_cache[iter].size = 0;
spin_unlock(&cipso_v4_cache[iter].lock);
spin_unlock_bh(&cipso_v4_cache[iter].lock);
}
return;
......@@ -309,7 +309,7 @@ static int cipso_v4_cache_check(const unsigned char *key,
hash = cipso_v4_map_cache_hash(key, key_len);
bkt = hash & (CIPSO_V4_CACHE_BUCKETBITS - 1);
spin_lock(&cipso_v4_cache[bkt].lock);
spin_lock_bh(&cipso_v4_cache[bkt].lock);
list_for_each_entry(entry, &cipso_v4_cache[bkt].list, list) {
if (entry->hash == hash &&
entry->key_len == key_len &&
......@@ -318,7 +318,7 @@ static int cipso_v4_cache_check(const unsigned char *key,
secattr->cache.free = entry->lsm_data.free;
secattr->cache.data = entry->lsm_data.data;
if (prev_entry == NULL) {
spin_unlock(&cipso_v4_cache[bkt].lock);
spin_unlock_bh(&cipso_v4_cache[bkt].lock);
return 0;
}
......@@ -333,12 +333,12 @@ static int cipso_v4_cache_check(const unsigned char *key,
&prev_entry->list);
}
spin_unlock(&cipso_v4_cache[bkt].lock);
spin_unlock_bh(&cipso_v4_cache[bkt].lock);
return 0;
}
prev_entry = entry;
}
spin_unlock(&cipso_v4_cache[bkt].lock);
spin_unlock_bh(&cipso_v4_cache[bkt].lock);
return -ENOENT;
}
......@@ -387,7 +387,7 @@ int cipso_v4_cache_add(const struct sk_buff *skb,
entry->lsm_data.data = secattr->cache.data;
bkt = entry->hash & (CIPSO_V4_CACHE_BUCKETBITS - 1);
spin_lock(&cipso_v4_cache[bkt].lock);
spin_lock_bh(&cipso_v4_cache[bkt].lock);
if (cipso_v4_cache[bkt].size < cipso_v4_cache_bucketsize) {
list_add(&entry->list, &cipso_v4_cache[bkt].list);
cipso_v4_cache[bkt].size += 1;
......@@ -398,7 +398,7 @@ int cipso_v4_cache_add(const struct sk_buff *skb,
list_add(&entry->list, &cipso_v4_cache[bkt].list);
cipso_v4_cache_entry_free(old_entry);
}
spin_unlock(&cipso_v4_cache[bkt].lock);
spin_unlock_bh(&cipso_v4_cache[bkt].lock);
return 0;
......@@ -530,197 +530,42 @@ struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
}
/**
* cipso_v4_doi_dump_all - Dump all the CIPSO DOI definitions into a sk_buff
* @headroom: the amount of headroom to allocate for the sk_buff
* cipso_v4_doi_walk - Iterate through the DOI definitions
* @skip_cnt: skip past this number of DOI definitions, updated
* @callback: callback for each DOI definition
* @cb_arg: argument for the callback function
*
* Description:
* Dump a list of all the configured DOI values into a sk_buff. The returned
* sk_buff has room at the front of the sk_buff for @headroom bytes. See
* net/netlabel/netlabel_cipso_v4.h for the LISTALL message format. This
* function may fail if another process is changing the DOI list at the same
* time. Returns a pointer to a sk_buff on success, NULL on error.
* Iterate over the DOI definition list, skipping the first @skip_cnt entries.
* For each entry call @callback, if @callback returns a negative value stop
* 'walking' through the list and return. Updates the value in @skip_cnt upon
* return. Returns zero on success, negative values on failure.
*
*/
struct sk_buff *cipso_v4_doi_dump_all(size_t headroom)
int cipso_v4_doi_walk(u32 *skip_cnt,
int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
void *cb_arg)
{
struct sk_buff *skb = NULL;
struct cipso_v4_doi *iter;
int ret_val = -ENOENT;
u32 doi_cnt = 0;
ssize_t buf_len;
struct cipso_v4_doi *iter_doi;
buf_len = NETLBL_LEN_U32;
rcu_read_lock();
list_for_each_entry_rcu(iter, &cipso_v4_doi_list, list)
if (iter->valid) {
doi_cnt += 1;
buf_len += 2 * NETLBL_LEN_U32;
}
skb = netlbl_netlink_alloc_skb(headroom, buf_len, GFP_ATOMIC);
if (skb == NULL)
goto doi_dump_all_failure;
if (nla_put_u32(skb, NLA_U32, doi_cnt) != 0)
goto doi_dump_all_failure;
buf_len -= NETLBL_LEN_U32;
list_for_each_entry_rcu(iter, &cipso_v4_doi_list, list)
if (iter->valid) {
if (buf_len < 2 * NETLBL_LEN_U32)
goto doi_dump_all_failure;
if (nla_put_u32(skb, NLA_U32, iter->doi) != 0)
goto doi_dump_all_failure;
if (nla_put_u32(skb, NLA_U32, iter->type) != 0)
goto doi_dump_all_failure;
buf_len -= 2 * NETLBL_LEN_U32;
}
rcu_read_unlock();
return skb;
doi_dump_all_failure:
rcu_read_unlock();
kfree(skb);
return NULL;
}
/**
* cipso_v4_doi_dump - Dump a CIPSO DOI definition into a sk_buff
* @doi: the DOI value
* @headroom: the amount of headroom to allocate for the sk_buff
*
* Description:
* Lookup the DOI definition matching @doi and dump it's contents into a
* sk_buff. The returned sk_buff has room at the front of the sk_buff for
* @headroom bytes. See net/netlabel/netlabel_cipso_v4.h for the LIST message
* format. This function may fail if another process is changing the DOI list
* at the same time. Returns a pointer to a sk_buff on success, NULL on error.
*
*/
struct sk_buff *cipso_v4_doi_dump(u32 doi, size_t headroom)
{
struct sk_buff *skb = NULL;
struct cipso_v4_doi *iter;
u32 tag_cnt = 0;
u32 lvl_cnt = 0;
u32 cat_cnt = 0;
ssize_t buf_len;
ssize_t tmp;
rcu_read_lock();
iter = cipso_v4_doi_getdef(doi);
if (iter == NULL)
goto doi_dump_failure;
buf_len = NETLBL_LEN_U32;
switch (iter->type) {
case CIPSO_V4_MAP_PASS:
buf_len += NETLBL_LEN_U32;
while(tag_cnt < CIPSO_V4_TAG_MAXCNT &&
iter->tags[tag_cnt] != CIPSO_V4_TAG_INVALID) {
tag_cnt += 1;
buf_len += NETLBL_LEN_U8;
}
break;
case CIPSO_V4_MAP_STD:
buf_len += 3 * NETLBL_LEN_U32;
while (tag_cnt < CIPSO_V4_TAG_MAXCNT &&
iter->tags[tag_cnt] != CIPSO_V4_TAG_INVALID) {
tag_cnt += 1;
buf_len += NETLBL_LEN_U8;
}
for (tmp = 0; tmp < iter->map.std->lvl.local_size; tmp++)
if (iter->map.std->lvl.local[tmp] !=
CIPSO_V4_INV_LVL) {
lvl_cnt += 1;
buf_len += NETLBL_LEN_U32 + NETLBL_LEN_U8;
}
for (tmp = 0; tmp < iter->map.std->cat.local_size; tmp++)
if (iter->map.std->cat.local[tmp] !=
CIPSO_V4_INV_CAT) {
cat_cnt += 1;
buf_len += NETLBL_LEN_U32 + NETLBL_LEN_U16;
list_for_each_entry_rcu(iter_doi, &cipso_v4_doi_list, list)
if (iter_doi->valid) {
if (doi_cnt++ < *skip_cnt)
continue;
ret_val = callback(iter_doi, cb_arg);
if (ret_val < 0) {
doi_cnt--;
goto doi_walk_return;
}
break;
}
skb = netlbl_netlink_alloc_skb(headroom, buf_len, GFP_ATOMIC);
if (skb == NULL)
goto doi_dump_failure;
if (nla_put_u32(skb, NLA_U32, iter->type) != 0)
goto doi_dump_failure;
buf_len -= NETLBL_LEN_U32;
if (iter != cipso_v4_doi_getdef(doi))
goto doi_dump_failure;
switch (iter->type) {
case CIPSO_V4_MAP_PASS:
if (nla_put_u32(skb, NLA_U32, tag_cnt) != 0)
goto doi_dump_failure;
buf_len -= NETLBL_LEN_U32;
for (tmp = 0;
tmp < CIPSO_V4_TAG_MAXCNT &&
iter->tags[tmp] != CIPSO_V4_TAG_INVALID;
tmp++) {
if (buf_len < NETLBL_LEN_U8)
goto doi_dump_failure;
if (nla_put_u8(skb, NLA_U8, iter->tags[tmp]) != 0)
goto doi_dump_failure;
buf_len -= NETLBL_LEN_U8;
}
break;
case CIPSO_V4_MAP_STD:
if (nla_put_u32(skb, NLA_U32, tag_cnt) != 0)
goto doi_dump_failure;
if (nla_put_u32(skb, NLA_U32, lvl_cnt) != 0)
goto doi_dump_failure;
if (nla_put_u32(skb, NLA_U32, cat_cnt) != 0)
goto doi_dump_failure;
buf_len -= 3 * NETLBL_LEN_U32;
for (tmp = 0;
tmp < CIPSO_V4_TAG_MAXCNT &&
iter->tags[tmp] != CIPSO_V4_TAG_INVALID;
tmp++) {
if (buf_len < NETLBL_LEN_U8)
goto doi_dump_failure;
if (nla_put_u8(skb, NLA_U8, iter->tags[tmp]) != 0)
goto doi_dump_failure;
buf_len -= NETLBL_LEN_U8;
}
for (tmp = 0; tmp < iter->map.std->lvl.local_size; tmp++)
if (iter->map.std->lvl.local[tmp] !=
CIPSO_V4_INV_LVL) {
if (buf_len < NETLBL_LEN_U32 + NETLBL_LEN_U8)
goto doi_dump_failure;
if (nla_put_u32(skb, NLA_U32, tmp) != 0)
goto doi_dump_failure;
if (nla_put_u8(skb,
NLA_U8,
iter->map.std->lvl.local[tmp]) != 0)
goto doi_dump_failure;
buf_len -= NETLBL_LEN_U32 + NETLBL_LEN_U8;
}
for (tmp = 0; tmp < iter->map.std->cat.local_size; tmp++)
if (iter->map.std->cat.local[tmp] !=
CIPSO_V4_INV_CAT) {
if (buf_len < NETLBL_LEN_U32 + NETLBL_LEN_U16)
goto doi_dump_failure;
if (nla_put_u32(skb, NLA_U32, tmp) != 0)
goto doi_dump_failure;
if (nla_put_u16(skb,
NLA_U16,
iter->map.std->cat.local[tmp]) != 0)
goto doi_dump_failure;
buf_len -= NETLBL_LEN_U32 + NETLBL_LEN_U16;
}
break;
}
rcu_read_unlock();
return skb;
doi_dump_failure:
doi_walk_return:
rcu_read_unlock();
kfree(skb);
return NULL;
*skip_cnt = doi_cnt;
return ret_val;
}
/**
......@@ -1486,43 +1331,40 @@ int cipso_v4_socket_setattr(const struct socket *sock,
}
/**
* cipso_v4_socket_getattr - Get the security attributes from a socket
* @sock: the socket
* cipso_v4_sock_getattr - Get the security attributes from a sock
* @sk: the sock
* @secattr: the security attributes
*
* Description:
* Query @sock to see if there is a CIPSO option attached to the socket and if
* there is return the CIPSO security attributes in @secattr. Returns zero on
* success and negative values on failure.
* Query @sk to see if there is a CIPSO option attached to the sock and if
* there is return the CIPSO security attributes in @secattr. This function
* requires that @sk be locked, or privately held, but it does not do any
* locking itself. Returns zero on success and negative values on failure.
*
*/
int cipso_v4_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
{
int ret_val = -ENOMSG;
struct sock *sk;
struct inet_sock *sk_inet;
unsigned char *cipso_ptr;
u32 doi;
struct cipso_v4_doi *doi_def;
sk = sock->sk;
lock_sock(sk);
sk_inet = inet_sk(sk);
if (sk_inet->opt == NULL || sk_inet->opt->cipso == 0)
goto socket_getattr_return;
return -ENOMSG;
cipso_ptr = sk_inet->opt->__data + sk_inet->opt->cipso -
sizeof(struct iphdr);
ret_val = cipso_v4_cache_check(cipso_ptr, cipso_ptr[1], secattr);
if (ret_val == 0)
goto socket_getattr_return;
return ret_val;
doi = ntohl(*(u32 *)&cipso_ptr[2]);
rcu_read_lock();
doi_def = cipso_v4_doi_getdef(doi);
if (doi_def == NULL) {
rcu_read_unlock();
goto socket_getattr_return;
return -ENOMSG;
}
switch (cipso_ptr[6]) {
case CIPSO_V4_TAG_RBITMAP:
......@@ -1533,8 +1375,29 @@ int cipso_v4_socket_getattr(const struct socket *sock,
}
rcu_read_unlock();
socket_getattr_return:
release_sock(sk);
return ret_val;
}
/**
* cipso_v4_socket_getattr - Get the security attributes from a socket
* @sock: the socket
* @secattr: the security attributes
*
* Description:
* Query @sock to see if there is a CIPSO option attached to the socket and if
* there is return the CIPSO security attributes in @secattr. Returns zero on
* success and negative values on failure.
*
*/
int cipso_v4_socket_getattr(const struct socket *sock,
struct netlbl_lsm_secattr *secattr)
{
int ret_val;
lock_sock(sock->sk);
ret_val = cipso_v4_sock_getattr(sock->sk, secattr);
release_sock(sock->sk);
return ret_val;
}
......
net/ipv4/sysctl_net_ipv4.c
浏览文件 @ 7e472020
......@@ -129,6 +129,12 @@ static int sysctl_tcp_congestion_control(ctl_table *table, int __user *name,
return ret;
}
static int __init tcp_congestion_default(void)
{
return tcp_set_default_congestion_control(CONFIG_DEFAULT_TCP_CONG);
}
late_initcall(tcp_congestion_default);
ctl_table ipv4_table[] = {
{
......
net/ipv4/tcp_cong.c
浏览文件 @ 7e472020
......@@ -48,7 +48,7 @@ int tcp_register_congestion_control(struct tcp_congestion_ops *ca)
printk(KERN_NOTICE "TCP %s already registered\n", ca->name);
ret = -EEXIST;
} else {
list_add_rcu(&ca->list, &tcp_cong_list);
list_add_tail_rcu(&ca->list, &tcp_cong_list);
printk(KERN_INFO "TCP %s registered\n", ca->name);
}
spin_unlock(&tcp_cong_list_lock);
......
net/netlabel/Kconfig
浏览文件 @ 7e472020
......@@ -9,6 +9,9 @@ config NETLABEL
---help---
NetLabel provides support for explicit network packet labeling
protocols such as CIPSO and RIPSO. For more information see
Documentation/netlabel.
Documentation/netlabel as well as the NetLabel SourceForge project
for configuration tools and additional documentation.
* http://netlabel.sf.net
If you are unsure, say N.
net/netlabel/netlabel_cipso_v4.c
浏览文件 @ 7e472020
此差异已折叠。
net/netlabel/netlabel_cipso_v4.h
浏览文件 @ 7e472020
......@@ -34,175 +34,71 @@
#include <net/netlabel.h>
/*
* The following NetLabel payloads are supported by the CIPSO subsystem, all
* of which are preceeded by the nlmsghdr struct.
* The following NetLabel payloads are supported by the CIPSO subsystem.
*
* o ACK:
* Sent by the kernel in response to an applications message, applications
* should never send this message.
* o ADD:
* Sent by an application to add a new DOI mapping table.
*
* +----------------------+-----------------------+
* | seq number (32 bits) | return code (32 bits) |
* +----------------------+-----------------------+
* Required attributes:
*
* seq number: the sequence number of the original message, taken from the
* nlmsghdr structure
* return code: return value, based on errno values
* NLBL_CIPSOV4_A_DOI
* NLBL_CIPSOV4_A_MTYPE
* NLBL_CIPSOV4_A_TAGLST
*
* o ADD:
* Sent by an application to add a new DOI mapping table, after completion
* of the task the kernel should ACK this message.
*
* +---------------+--------------------+---------------------+
* | DOI (32 bits) | map type (32 bits) | tag count (32 bits) | ...
* +---------------+--------------------+---------------------+
*
* +-----------------+
* | tag #X (8 bits) | ... repeated
* +-----------------+
*
* +-------------- ---- --- -- -
* | mapping data
* +-------------- ---- --- -- -
*
* DOI: the DOI value
* map type: the mapping table type (defined in the cipso_ipv4.h header
* as CIPSO_V4_MAP_*)
* tag count: the number of tags, must be greater than zero
* tag: the CIPSO tag for the DOI, tags listed first are given
* higher priorirty when sending packets
* mapping data: specific to the map type (see below)
*
* CIPSO_V4_MAP_STD
*
* +------------------+-----------------------+----------------------+
* | levels (32 bits) | max l level (32 bits) | max r level (8 bits) | ...
* +------------------+-----------------------+----------------------+
*
* +----------------------+---------------------+---------------------+
* | categories (32 bits) | max l cat (32 bits) | max r cat (16 bits) | ...
* +----------------------+---------------------+---------------------+
*
* +--------------------------+-------------------------+
* | local level #X (32 bits) | CIPSO level #X (8 bits) | ... repeated
* +--------------------------+-------------------------+
*
* +-----------------------------+-----------------------------+
* | local category #X (32 bits) | CIPSO category #X (16 bits) | ... repeated
* +-----------------------------+-----------------------------+
*
* levels: the number of level mappings
* max l level: the highest local level
* max r level: the highest remote/CIPSO level
* categories: the number of category mappings
* max l cat: the highest local category
* max r cat: the highest remote/CIPSO category
* local level: the local part of a level mapping
* CIPSO level: the remote/CIPSO part of a level mapping
* local category: the local part of a category mapping
* CIPSO category: the remote/CIPSO part of a category mapping
*
* CIPSO_V4_MAP_PASS
*
* No mapping data is needed for this map type.
* If using CIPSO_V4_MAP_STD the following attributes are required:
*
* NLBL_CIPSOV4_A_MLSLVLLST
* NLBL_CIPSOV4_A_MLSCATLST
*
* If using CIPSO_V4_MAP_PASS no additional attributes are required.
*
* o REMOVE:
* Sent by an application to remove a specific DOI mapping table from the
* CIPSO V4 system. The kernel should ACK this message.
* CIPSO V4 system.
*
* +---------------+
* | DOI (32 bits) |
* +---------------+
* Required attributes:
*
* DOI: the DOI value
* NLBL_CIPSOV4_A_DOI
*
* o LIST:
* Sent by an application to list the details of a DOI definition. The
* kernel should send an ACK on error or a response as indicated below. The
* application generated message format is shown below.
* Sent by an application to list the details of a DOI definition. On
* success the kernel should send a response using the following format.
*
* +---------------+
* | DOI (32 bits) |
* +---------------+
* Required attributes:
*
* DOI: the DOI value
* NLBL_CIPSOV4_A_DOI
*
* The valid response message format depends on the type of the DOI mapping,
* the known formats are shown below.
*
* +--------------------+
* | map type (32 bits) | ...
* +--------------------+
*
* map type: the DOI mapping table type (defined in the cipso_ipv4.h
* header as CIPSO_V4_MAP_*)
*
* (map type == CIPSO_V4_MAP_STD)
*
* +----------------+------------------+----------------------+
* | tags (32 bits) | levels (32 bits) | categories (32 bits) | ...
* +----------------+------------------+----------------------+
* the defined formats are shown below.
*
* +-----------------+
* | tag #X (8 bits) | ... repeated
* +-----------------+
* Required attributes:
*
* +--------------------------+-------------------------+
* | local level #X (32 bits) | CIPSO level #X (8 bits) | ... repeated
* +--------------------------+-------------------------+
* NLBL_CIPSOV4_A_MTYPE
* NLBL_CIPSOV4_A_TAGLST
*
* +-----------------------------+-----------------------------+
* | local category #X (32 bits) | CIPSO category #X (16 bits) | ... repeated
* +-----------------------------+-----------------------------+
* If using CIPSO_V4_MAP_STD the following attributes are required:
*
* tags: the number of CIPSO tag types
* levels: the number of level mappings
* categories: the number of category mappings
* tag: the tag number, tags listed first are given higher
* priority when sending packets
* local level: the local part of a level mapping
* CIPSO level: the remote/CIPSO part of a level mapping
* local category: the local part of a category mapping
* CIPSO category: the remote/CIPSO part of a category mapping
* NLBL_CIPSOV4_A_MLSLVLLST
* NLBL_CIPSOV4_A_MLSCATLST
*
* (map type == CIPSO_V4_MAP_PASS)
*
* +----------------+
* | tags (32 bits) | ...
* +----------------+
*
* +-----------------+
* | tag #X (8 bits) | ... repeated
* +-----------------+
*
* tags: the number of CIPSO tag types
* tag: the tag number, tags listed first are given higher
* priority when sending packets
* If using CIPSO_V4_MAP_PASS no additional attributes are required.
*
* o LISTALL:
* This message is sent by an application to list the valid DOIs on the
* system. There is no payload and the kernel should respond with an ACK
* or the following message.
*
* +---------------------+------------------+-----------------------+
* | DOI count (32 bits) | DOI #X (32 bits) | map type #X (32 bits) |
* +---------------------+------------------+-----------------------+
* system. When sent by an application there is no payload and the
* NLM_F_DUMP flag should be set. The kernel should respond with a series of
* the following messages.
*
* +-----------------------+
* | map type #X (32 bits) | ...
* +-----------------------+
* Required attributes:
*
* DOI count: the number of DOIs
* DOI: the DOI value
* map type: the DOI mapping table type (defined in the cipso_ipv4.h
* header as CIPSO_V4_MAP_*)
* NLBL_CIPSOV4_A_DOI
* NLBL_CIPSOV4_A_MTYPE
*
*/
/* NetLabel CIPSOv4 commands */
enum {
NLBL_CIPSOV4_C_UNSPEC,
NLBL_CIPSOV4_C_ACK,
NLBL_CIPSOV4_C_ADD,
NLBL_CIPSOV4_C_REMOVE,
NLBL_CIPSOV4_C_LIST,
......@@ -211,6 +107,59 @@ enum {
};
#define NLBL_CIPSOV4_C_MAX (__NLBL_CIPSOV4_C_MAX - 1)
/* NetLabel CIPSOv4 attributes */
enum {
NLBL_CIPSOV4_A_UNSPEC,
NLBL_CIPSOV4_A_DOI,
/* (NLA_U32)
* the DOI value */
NLBL_CIPSOV4_A_MTYPE,
/* (NLA_U32)
* the mapping table type (defined in the cipso_ipv4.h header as
* CIPSO_V4_MAP_*) */
NLBL_CIPSOV4_A_TAG,
/* (NLA_U8)
* a CIPSO tag type, meant to be used within a NLBL_CIPSOV4_A_TAGLST
* attribute */
NLBL_CIPSOV4_A_TAGLST,
/* (NLA_NESTED)
* the CIPSO tag list for the DOI, there must be at least one
* NLBL_CIPSOV4_A_TAG attribute, tags listed first are given higher
* priorirty when sending packets */
NLBL_CIPSOV4_A_MLSLVLLOC,
/* (NLA_U32)
* the local MLS sensitivity level */
NLBL_CIPSOV4_A_MLSLVLREM,
/* (NLA_U32)
* the remote MLS sensitivity level */
NLBL_CIPSOV4_A_MLSLVL,
/* (NLA_NESTED)
* a MLS sensitivity level mapping, must contain only one attribute of
* each of the following types: NLBL_CIPSOV4_A_MLSLVLLOC and
* NLBL_CIPSOV4_A_MLSLVLREM */
NLBL_CIPSOV4_A_MLSLVLLST,
/* (NLA_NESTED)
* the CIPSO level mappings, there must be at least one
* NLBL_CIPSOV4_A_MLSLVL attribute */
NLBL_CIPSOV4_A_MLSCATLOC,
/* (NLA_U32)
* the local MLS category */
NLBL_CIPSOV4_A_MLSCATREM,
/* (NLA_U32)
* the remote MLS category */
NLBL_CIPSOV4_A_MLSCAT,
/* (NLA_NESTED)
* a MLS category mapping, must contain only one attribute of each of
* the following types: NLBL_CIPSOV4_A_MLSCATLOC and
* NLBL_CIPSOV4_A_MLSCATREM */
NLBL_CIPSOV4_A_MLSCATLST,
/* (NLA_NESTED)
* the CIPSO category mappings, there must be at least one
* NLBL_CIPSOV4_A_MLSCAT attribute */
__NLBL_CIPSOV4_A_MAX,
};
#define NLBL_CIPSOV4_A_MAX (__NLBL_CIPSOV4_A_MAX - 1)
/* NetLabel protocol functions */
int netlbl_cipsov4_genl_init(void);
......
net/netlabel/netlabel_domainhash.c
浏览文件 @ 7e472020
......@@ -354,160 +354,51 @@ struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain)
}
/**
* netlbl_domhsh_dump - Dump the domain hash table into a sk_buff
* netlbl_domhsh_walk - Iterate through the domain mapping hash table
* @skip_bkt: the number of buckets to skip at the start
* @skip_chain: the number of entries to skip in the first iterated bucket
* @callback: callback for each entry
* @cb_arg: argument for the callback function
*
* Description:
* Dump the domain hash table into a buffer suitable for returning to an
* application in response to a NetLabel management DOMAIN message. This
* function may fail if another process is growing the hash table at the same
* time. The returned sk_buff has room at the front of the sk_buff for
* @headroom bytes. See netlabel.h for the DOMAIN message format. Returns a
* pointer to a sk_buff on success, NULL on error.
* Interate over the domain mapping hash table, skipping the first @skip_bkt
* buckets and @skip_chain entries. For each entry in the table call
* @callback, if @callback returns a negative value stop 'walking' through the
* table and return. Updates the values in @skip_bkt and @skip_chain on
* return. Returns zero on succcess, negative values on failure.
*
*/
struct sk_buff *netlbl_domhsh_dump(size_t headroom)
int netlbl_domhsh_walk(u32 *skip_bkt,
u32 *skip_chain,
int (*callback) (struct netlbl_dom_map *entry, void *arg),
void *cb_arg)
{
struct sk_buff *skb = NULL;
ssize_t buf_len;
u32 bkt_iter;
u32 dom_cnt = 0;
struct netlbl_domhsh_tbl *hsh_tbl;
struct netlbl_dom_map *list_iter;
ssize_t tmp_len;
int ret_val = -ENOENT;
u32 iter_bkt;
struct netlbl_dom_map *iter_entry;
u32 chain_cnt = 0;
buf_len = NETLBL_LEN_U32;
rcu_read_lock();
hsh_tbl = rcu_dereference(netlbl_domhsh);
for (bkt_iter = 0; bkt_iter < hsh_tbl->size; bkt_iter++)
list_for_each_entry_rcu(list_iter,
&hsh_tbl->tbl[bkt_iter], list) {
buf_len += NETLBL_LEN_U32 +
nla_total_size(strlen(list_iter->domain) + 1);
switch (list_iter->type) {
case NETLBL_NLTYPE_UNLABELED:
break;
case NETLBL_NLTYPE_CIPSOV4:
buf_len += 2 * NETLBL_LEN_U32;
break;
}
dom_cnt++;
}
skb = netlbl_netlink_alloc_skb(headroom, buf_len, GFP_ATOMIC);
if (skb == NULL)
goto dump_failure;
if (nla_put_u32(skb, NLA_U32, dom_cnt) != 0)
goto dump_failure;
buf_len -= NETLBL_LEN_U32;
hsh_tbl = rcu_dereference(netlbl_domhsh);
for (bkt_iter = 0; bkt_iter < hsh_tbl->size; bkt_iter++)
list_for_each_entry_rcu(list_iter,
&hsh_tbl->tbl[bkt_iter], list) {
tmp_len = nla_total_size(strlen(list_iter->domain) +
1);
if (buf_len < NETLBL_LEN_U32 + tmp_len)
goto dump_failure;
if (nla_put_string(skb,
NLA_STRING,
list_iter->domain) != 0)
goto dump_failure;
if (nla_put_u32(skb, NLA_U32, list_iter->type) != 0)
goto dump_failure;
buf_len -= NETLBL_LEN_U32 + tmp_len;
switch (list_iter->type) {
case NETLBL_NLTYPE_UNLABELED:
break;
case NETLBL_NLTYPE_CIPSOV4:
if (buf_len < 2 * NETLBL_LEN_U32)
goto dump_failure;
if (nla_put_u32(skb,
NLA_U32,
list_iter->type_def.cipsov4->type) != 0)
goto dump_failure;
if (nla_put_u32(skb,
NLA_U32,
list_iter->type_def.cipsov4->doi) != 0)
goto dump_failure;
buf_len -= 2 * NETLBL_LEN_U32;
break;
for (iter_bkt = *skip_bkt;
iter_bkt < rcu_dereference(netlbl_domhsh)->size;
iter_bkt++, chain_cnt = 0) {
list_for_each_entry_rcu(iter_entry,
&netlbl_domhsh->tbl[iter_bkt],
list)
if (iter_entry->valid) {
if (chain_cnt++ < *skip_chain)
continue;
ret_val = callback(iter_entry, cb_arg);
if (ret_val < 0) {
chain_cnt--;
goto walk_return;
}
}
}
rcu_read_unlock();
return skb;
dump_failure:
rcu_read_unlock();
kfree_skb(skb);
return NULL;
}
/**
* netlbl_domhsh_dump_default - Dump the default domain mapping into a sk_buff
*
* Description:
* Dump the default domain mapping into a buffer suitable for returning to an
* application in response to a NetLabel management DEFDOMAIN message. This
* function may fail if another process is changing the default domain mapping
* at the same time. The returned sk_buff has room at the front of the
* skb_buff for @headroom bytes. See netlabel.h for the DEFDOMAIN message
* format. Returns a pointer to a sk_buff on success, NULL on error.
*
*/
struct sk_buff *netlbl_domhsh_dump_default(size_t headroom)
{
struct sk_buff *skb;
ssize_t buf_len;
struct netlbl_dom_map *entry;
buf_len = NETLBL_LEN_U32;
rcu_read_lock();
entry = rcu_dereference(netlbl_domhsh_def);
if (entry != NULL)
switch (entry->type) {
case NETLBL_NLTYPE_UNLABELED:
break;
case NETLBL_NLTYPE_CIPSOV4:
buf_len += 2 * NETLBL_LEN_U32;
break;
}
skb = netlbl_netlink_alloc_skb(headroom, buf_len, GFP_ATOMIC);
if (skb == NULL)
goto dump_default_failure;
if (entry != rcu_dereference(netlbl_domhsh_def))
goto dump_default_failure;
if (entry != NULL) {
if (nla_put_u32(skb, NLA_U32, entry->type) != 0)
goto dump_default_failure;
buf_len -= NETLBL_LEN_U32;
switch (entry->type) {
case NETLBL_NLTYPE_UNLABELED:
break;
case NETLBL_NLTYPE_CIPSOV4:
if (buf_len < 2 * NETLBL_LEN_U32)
goto dump_default_failure;
if (nla_put_u32(skb,
NLA_U32,
entry->type_def.cipsov4->type) != 0)
goto dump_default_failure;
if (nla_put_u32(skb,
NLA_U32,
entry->type_def.cipsov4->doi) != 0)
goto dump_default_failure;
buf_len -= 2 * NETLBL_LEN_U32;
break;
}
} else
nla_put_u32(skb, NLA_U32, NETLBL_NLTYPE_NONE);
rcu_read_unlock();
return skb;
}
dump_default_failure:
walk_return:
rcu_read_unlock();
kfree_skb(skb);
return NULL;
*skip_bkt = iter_bkt;
*skip_chain = chain_cnt;
return ret_val;
}
net/netlabel/netlabel_domainhash.h
浏览文件 @ 7e472020
......@@ -61,7 +61,9 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry);
int netlbl_domhsh_add_default(struct netlbl_dom_map *entry);
int netlbl_domhsh_remove_default(void);
struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain);
struct sk_buff *netlbl_domhsh_dump(size_t headroom);
struct sk_buff *netlbl_domhsh_dump_default(size_t headroom);
int netlbl_domhsh_walk(u32 *skip_bkt,
u32 *skip_chain,
int (*callback) (struct netlbl_dom_map *entry, void *arg),
void *cb_arg);
#endif
net/netlabel/netlabel_kapi.c
浏览文件 @ 7e472020
......@@ -84,6 +84,29 @@ int netlbl_socket_setattr(const struct socket *sock,
return ret_val;
}
/**
* netlbl_sock_getattr - Determine the security attributes of a sock
* @sk: the sock
* @secattr: the security attributes
*
* Description:
* Examines the given sock to see any NetLabel style labeling has been
* applied to the sock, if so it parses the socket label and returns the
* security attributes in @secattr. Returns zero on success, negative values
* on failure.
*
*/
int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
{
int ret_val;
ret_val = cipso_v4_sock_getattr(sk, secattr);
if (ret_val == 0)
return 0;
return netlbl_unlabel_getattr(secattr);
}
/**
* netlbl_socket_getattr - Determine the security attributes of a socket
* @sock: the socket
......
net/netlabel/netlabel_mgmt.c
浏览文件 @ 7e472020
此差异已折叠。
net/netlabel/netlabel_mgmt.h
浏览文件 @ 7e472020
......@@ -34,212 +34,137 @@
#include <net/netlabel.h>
/*
* The following NetLabel payloads are supported by the management interface,
* all of which are preceeded by the nlmsghdr struct.
*
* o ACK:
* Sent by the kernel in response to an applications message, applications
* should never send this message.
*
* +----------------------+-----------------------+
* | seq number (32 bits) | return code (32 bits) |
* +----------------------+-----------------------+
*
* seq number: the sequence number of the original message, taken from the
* nlmsghdr structure
* return code: return value, based on errno values
* The following NetLabel payloads are supported by the management interface.
*
* o ADD:
* Sent by an application to add a domain mapping to the NetLabel system.
* The kernel should respond with an ACK.
*
* +-------------------+
* | domains (32 bits) | ...
* +-------------------+
*
* domains: the number of domains in the message
*
* +--------------------------+-------------------------+
* | domain string (variable) | protocol type (32 bits) | ...
* +--------------------------+-------------------------+
*
* +-------------- ---- --- -- -
* | mapping data ... repeated
* +-------------- ---- --- -- -
* Required attributes:
*
* domain string: the domain string, NULL terminated
* protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
* mapping data: specific to the map type (see below)
* NLBL_MGMT_A_DOMAIN
* NLBL_MGMT_A_PROTOCOL
*
* NETLBL_NLTYPE_UNLABELED
* If using NETLBL_NLTYPE_CIPSOV4 the following attributes are required:
*
* No mapping data for this protocol type.
* NLBL_MGMT_A_CV4DOI
*
* NETLBL_NLTYPE_CIPSOV4
*
* +---------------+
* | doi (32 bits) |
* +---------------+
*
* doi: the CIPSO DOI value
* If using NETLBL_NLTYPE_UNLABELED no other attributes are required.
*
* o REMOVE:
* Sent by an application to remove a domain mapping from the NetLabel
* system. The kernel should ACK this message.
*
* +-------------------+
* | domains (32 bits) | ...
* +-------------------+
* system.
*
* domains: the number of domains in the message
* Required attributes:
*
* +--------------------------+
* | domain string (variable) | ...
* +--------------------------+
* NLBL_MGMT_A_DOMAIN
*
* domain string: the domain string, NULL terminated
*
* o LIST:
* o LISTALL:
* This message can be sent either from an application or by the kernel in
* response to an application generated LIST message. When sent by an
* application there is no payload. The kernel should respond to a LIST
* message either with a LIST message on success or an ACK message on
* failure.
*
* +-------------------+
* | domains (32 bits) | ...
* +-------------------+
*
* domains: the number of domains in the message
* response to an application generated LISTALL message. When sent by an
* application there is no payload and the NLM_F_DUMP flag should be set.
* The kernel should respond with a series of the following messages.
*
* +--------------------------+
* | domain string (variable) | ...
* +--------------------------+
* Required attributes:
*
* +-------------------------+-------------- ---- --- -- -
* | protocol type (32 bits) | mapping data ... repeated
* +-------------------------+-------------- ---- --- -- -
* NLBL_MGMT_A_DOMAIN
* NLBL_MGMT_A_PROTOCOL
*
* domain string: the domain string, NULL terminated
* protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
* mapping data: specific to the map type (see below)
* If using NETLBL_NLTYPE_CIPSOV4 the following attributes are required:
*
* NETLBL_NLTYPE_UNLABELED
* NLBL_MGMT_A_CV4DOI
*
* No mapping data for this protocol type.
*
* NETLBL_NLTYPE_CIPSOV4
*
* +----------------+---------------+
* | type (32 bits) | doi (32 bits) |
* +----------------+---------------+
*
* type: the CIPSO mapping table type (defined in the cipso_ipv4.h header
* as CIPSO_V4_MAP_*)
* doi: the CIPSO DOI value
* If using NETLBL_NLTYPE_UNLABELED no other attributes are required.
*
* o ADDDEF:
* Sent by an application to set the default domain mapping for the NetLabel
* system. The kernel should respond with an ACK.
* system.
*
* +-------------------------+-------------- ---- --- -- -
* | protocol type (32 bits) | mapping data ... repeated
* +-------------------------+-------------- ---- --- -- -
* Required attributes:
*
* protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
* mapping data: specific to the map type (see below)
* NLBL_MGMT_A_PROTOCOL
*
* NETLBL_NLTYPE_UNLABELED
* If using NETLBL_NLTYPE_CIPSOV4 the following attributes are required:
*
* No mapping data for this protocol type.
* NLBL_MGMT_A_CV4DOI
*
* NETLBL_NLTYPE_CIPSOV4
*
* +---------------+
* | doi (32 bits) |
* +---------------+
*
* doi: the CIPSO DOI value
* If using NETLBL_NLTYPE_UNLABELED no other attributes are required.
*
* o REMOVEDEF:
* Sent by an application to remove the default domain mapping from the
* NetLabel system, there is no payload. The kernel should ACK this message.
* NetLabel system, there is no payload.
*
* o LISTDEF:
* This message can be sent either from an application or by the kernel in
* response to an application generated LISTDEF message. When sent by an
* application there is no payload. The kernel should respond to a
* LISTDEF message either with a LISTDEF message on success or an ACK message
* on failure.
*
* +-------------------------+-------------- ---- --- -- -
* | protocol type (32 bits) | mapping data ... repeated
* +-------------------------+-------------- ---- --- -- -
* application there is no payload. On success the kernel should send a
* response using the following format.
*
* protocol type: the protocol type (defined by NETLBL_NLTYPE_*)
* mapping data: specific to the map type (see below)
* Required attributes:
*
* NETLBL_NLTYPE_UNLABELED
* NLBL_MGMT_A_PROTOCOL
*
* No mapping data for this protocol type.
* If using NETLBL_NLTYPE_CIPSOV4 the following attributes are required:
*
* NETLBL_NLTYPE_CIPSOV4
* NLBL_MGMT_A_CV4DOI
*
* +----------------+---------------+
* | type (32 bits) | doi (32 bits) |
* +----------------+---------------+
* If using NETLBL_NLTYPE_UNLABELED no other attributes are required.
*
* type: the CIPSO mapping table type (defined in the cipso_ipv4.h header
* as CIPSO_V4_MAP_*)
* doi: the CIPSO DOI value
* o PROTOCOLS:
* Sent by an application to request a list of configured NetLabel protocols
* in the kernel. When sent by an application there is no payload and the
* NLM_F_DUMP flag should be set. The kernel should respond with a series of
* the following messages.
*
* o MODULES:
* Sent by an application to request a list of configured NetLabel modules
* in the kernel. When sent by an application there is no payload.
* Required attributes:
*
* +-------------------+
* | modules (32 bits) | ...
* +-------------------+
*
* modules: the number of modules in the message, if this is an application
* generated message and the value is zero then return a list of
* the configured modules
*
* +------------------+
* | module (32 bits) | ... repeated
* +------------------+
*
* module: the module number as defined by NETLBL_NLTYPE_*
* NLBL_MGMT_A_PROTOCOL
*
* o VERSION:
* Sent by an application to request the NetLabel version string. When sent
* by an application there is no payload. This message type is also used by
* the kernel to respond to an VERSION request.
* Sent by an application to request the NetLabel version. When sent by an
* application there is no payload. This message type is also used by the
* kernel to respond to an VERSION request.
*
* +-------------------+
* | version (32 bits) |
* +-------------------+
* Required attributes:
*
* version: the protocol version number
* NLBL_MGMT_A_VERSION
*
*/
/* NetLabel Management commands */
enum {
NLBL_MGMT_C_UNSPEC,
NLBL_MGMT_C_ACK,
NLBL_MGMT_C_ADD,
NLBL_MGMT_C_REMOVE,
NLBL_MGMT_C_LIST,
NLBL_MGMT_C_LISTALL,
NLBL_MGMT_C_ADDDEF,
NLBL_MGMT_C_REMOVEDEF,
NLBL_MGMT_C_LISTDEF,
NLBL_MGMT_C_MODULES,
NLBL_MGMT_C_PROTOCOLS,
NLBL_MGMT_C_VERSION,
__NLBL_MGMT_C_MAX,
};
#define NLBL_MGMT_C_MAX (__NLBL_MGMT_C_MAX - 1)
/* NetLabel Management attributes */
enum {
NLBL_MGMT_A_UNSPEC,
NLBL_MGMT_A_DOMAIN,
/* (NLA_NUL_STRING)
* the NULL terminated LSM domain string */
NLBL_MGMT_A_PROTOCOL,
/* (NLA_U32)
* the NetLabel protocol type (defined by NETLBL_NLTYPE_*) */
NLBL_MGMT_A_VERSION,
/* (NLA_U32)
* the NetLabel protocol version number (defined by
* NETLBL_PROTO_VERSION) */
NLBL_MGMT_A_CV4DOI,
/* (NLA_U32)
* the CIPSOv4 DOI value */
__NLBL_MGMT_A_MAX,
};
#define NLBL_MGMT_A_MAX (__NLBL_MGMT_A_MAX - 1)
/* NetLabel protocol functions */
int netlbl_mgmt_genl_init(void);
......
net/netlabel/netlabel_unlabeled.c
浏览文件 @ 7e472020
......@@ -55,9 +55,13 @@ static struct genl_family netlbl_unlabel_gnl_family = {
.hdrsize = 0,
.name = NETLBL_NLTYPE_UNLABELED_NAME,
.version = NETLBL_PROTO_VERSION,
.maxattr = 0,
.maxattr = NLBL_UNLABEL_A_MAX,
};
/* NetLabel Netlink attribute policy */
static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
[NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
};
/*
* NetLabel Command Handlers
......@@ -75,31 +79,18 @@ static struct genl_family netlbl_unlabel_gnl_family = {
*/
static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
{
int ret_val;
struct nlattr *data = netlbl_netlink_payload_data(skb);
u32 value;
ret_val = netlbl_netlink_cap_check(skb, CAP_NET_ADMIN);
if (ret_val != 0)
return ret_val;
int ret_val = -EINVAL;
u8 value;
if (netlbl_netlink_payload_len(skb) == NETLBL_LEN_U32) {
value = nla_get_u32(data);
if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
if (value == 1 || value == 0) {
atomic_set(&netlabel_unlabel_accept_flg, value);
netlbl_netlink_send_ack(info,
netlbl_unlabel_gnl_family.id,
NLBL_UNLABEL_C_ACK,
NETLBL_E_OK);
return 0;
ret_val = 0;
}
}
netlbl_netlink_send_ack(info,
netlbl_unlabel_gnl_family.id,
NLBL_UNLABEL_C_ACK,
EINVAL);
return -EINVAL;
return ret_val;
}
/**
......@@ -114,39 +105,39 @@ static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
*/
static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
{
int ret_val = -ENOMEM;
int ret_val = -EINVAL;
struct sk_buff *ans_skb;
void *data;
ans_skb = netlbl_netlink_alloc_skb(0,
GENL_HDRLEN + NETLBL_LEN_U32,
GFP_KERNEL);
ans_skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
if (ans_skb == NULL)
goto list_failure;
if (netlbl_netlink_hdr_put(ans_skb,
info->snd_pid,
0,
netlbl_unlabel_gnl_family.id,
NLBL_UNLABEL_C_LIST) == NULL)
data = netlbl_netlink_hdr_put(ans_skb,
info->snd_pid,
info->snd_seq,
netlbl_unlabel_gnl_family.id,
0,
NLBL_UNLABEL_C_LIST);
if (data == NULL) {
ret_val = -ENOMEM;
goto list_failure;
}
ret_val = nla_put_u32(ans_skb,
NLA_U32,
atomic_read(&netlabel_unlabel_accept_flg));
ret_val = nla_put_u8(ans_skb,
NLBL_UNLABEL_A_ACPTFLG,
atomic_read(&netlabel_unlabel_accept_flg));
if (ret_val != 0)
goto list_failure;
ret_val = netlbl_netlink_snd(ans_skb, info->snd_pid);
genlmsg_end(ans_skb, data);
ret_val = genlmsg_unicast(ans_skb, info->snd_pid);
if (ret_val != 0)
goto list_failure;
return 0;
list_failure:
netlbl_netlink_send_ack(info,
netlbl_unlabel_gnl_family.id,
NLBL_UNLABEL_C_ACK,
-ret_val);
kfree(ans_skb);
return ret_val;
}
......@@ -157,7 +148,8 @@ static int netlbl_unlabel_list(struct sk_buff *skb, struct genl_info *info)
static struct genl_ops netlbl_unlabel_genl_c_accept = {
.cmd = NLBL_UNLABEL_C_ACCEPT,
.flags = 0,
.flags = GENL_ADMIN_PERM,
.policy = netlbl_unlabel_genl_policy,
.doit = netlbl_unlabel_accept,
.dumpit = NULL,
};
......@@ -165,6 +157,7 @@ static struct genl_ops netlbl_unlabel_genl_c_accept = {
static struct genl_ops netlbl_unlabel_genl_c_list = {
.cmd = NLBL_UNLABEL_C_LIST,
.flags = 0,
.policy = netlbl_unlabel_genl_policy,
.doit = netlbl_unlabel_list,
.dumpit = NULL,
};
......@@ -218,10 +211,8 @@ int netlbl_unlabel_genl_init(void)
*/
int netlbl_unlabel_getattr(struct netlbl_lsm_secattr *secattr)
{
if (atomic_read(&netlabel_unlabel_accept_flg) == 1) {
memset(secattr, 0, sizeof(*secattr));
return 0;
}
if (atomic_read(&netlabel_unlabel_accept_flg) == 1)
return netlbl_secattr_init(secattr);
return -ENOMSG;
}
......
net/netlabel/netlabel_unlabeled.h
浏览文件 @ 7e472020
......@@ -36,56 +36,47 @@
/*
* The following NetLabel payloads are supported by the Unlabeled subsystem.
*
* o ACK:
* Sent by the kernel in response to an applications message, applications
* should never send this message.
*
* +----------------------+-----------------------+
* | seq number (32 bits) | return code (32 bits) |
* +----------------------+-----------------------+
*
* seq number: the sequence number of the original message, taken from the
* nlmsghdr structure
* return code: return value, based on errno values
*
* o ACCEPT
* This message is sent from an application to specify if the kernel should
* allow unlabled packets to pass if they do not match any of the static
* mappings defined in the unlabeled module.
*
* +-----------------+
* | allow (32 bits) |
* +-----------------+
* Required attributes:
*
* allow: if true (1) then allow the packets to pass, if false (0) then
* reject the packets
* NLBL_UNLABEL_A_ACPTFLG
*
* o LIST
* This message can be sent either from an application or by the kernel in
* response to an application generated LIST message. When sent by an
* application there is no payload. The kernel should respond to a LIST
* message either with a LIST message on success or an ACK message on
* failure.
* message with a LIST message on success.
*
* +-----------------------+
* | accept flag (32 bits) |
* +-----------------------+
* Required attributes:
*
* accept flag: if true (1) then unlabeled packets are allowed to pass,
* if false (0) then unlabeled packets are rejected
* NLBL_UNLABEL_A_ACPTFLG
*
*/
/* NetLabel Unlabeled commands */
enum {
NLBL_UNLABEL_C_UNSPEC,
NLBL_UNLABEL_C_ACK,
NLBL_UNLABEL_C_ACCEPT,
NLBL_UNLABEL_C_LIST,
__NLBL_UNLABEL_C_MAX,
};
#define NLBL_UNLABEL_C_MAX (__NLBL_UNLABEL_C_MAX - 1)
/* NetLabel Unlabeled attributes */
enum {
NLBL_UNLABEL_A_UNSPEC,
NLBL_UNLABEL_A_ACPTFLG,
/* (NLA_U8)
* if true then unlabeled packets are allowed to pass, else unlabeled
* packets are rejected */
__NLBL_UNLABEL_A_MAX,
};
#define NLBL_UNLABEL_A_MAX (__NLBL_UNLABEL_A_MAX - 1)
/* NetLabel protocol functions */
int netlbl_unlabel_genl_init(void);
......
net/netlabel/netlabel_user.c
浏览文件 @ 7e472020
......@@ -74,85 +74,3 @@ int netlbl_netlink_init(void)
return 0;
}
/*
* NetLabel Common Protocol Functions
*/
/**
* netlbl_netlink_send_ack - Send an ACK message
* @info: the generic NETLINK information
* @genl_family: the generic NETLINK family ID value
* @ack_cmd: the generic NETLINK family ACK command value
* @ret_code: return code to use
*
* Description:
* This function sends an ACK message to the sender of the NETLINK message
* specified by @info.
*
*/
void netlbl_netlink_send_ack(const struct genl_info *info,
u32 genl_family,
u8 ack_cmd,
u32 ret_code)
{
size_t data_size;
struct sk_buff *skb;
data_size = GENL_HDRLEN + 2 * NETLBL_LEN_U32;
skb = netlbl_netlink_alloc_skb(0, data_size, GFP_KERNEL);
if (skb == NULL)
return;
if (netlbl_netlink_hdr_put(skb,
info->snd_pid,
0,
genl_family,
ack_cmd) == NULL)
goto send_ack_failure;
if (nla_put_u32(skb, NLA_U32, info->snd_seq) != 0)
goto send_ack_failure;
if (nla_put_u32(skb, NLA_U32, ret_code) != 0)
goto send_ack_failure;
netlbl_netlink_snd(skb, info->snd_pid);
return;
send_ack_failure:
kfree_skb(skb);
}
/*
* NETLINK I/O Functions
*/
/**
* netlbl_netlink_snd - Send a NetLabel message
* @skb: NetLabel message
* @pid: destination PID
*
* Description:
* Sends a unicast NetLabel message over the NETLINK socket.
*
*/
int netlbl_netlink_snd(struct sk_buff *skb, u32 pid)
{
return genlmsg_unicast(skb, pid);
}
/**
* netlbl_netlink_snd - Send a NetLabel message
* @skb: NetLabel message
* @pid: sending PID
* @group: multicast group id
*
* Description:
* Sends a multicast NetLabel message over the NETLINK socket to all members
* of @group except @pid.
*
*/
int netlbl_netlink_snd_multicast(struct sk_buff *skb, u32 pid, u32 group)
{
return genlmsg_multicast(skb, pid, group, GFP_KERNEL);
}
net/netlabel/netlabel_user.h
浏览文件 @ 7e472020
......@@ -40,72 +40,6 @@
/* NetLabel NETLINK helper functions */
/**
* netlbl_netlink_cap_check - Check the NETLINK msg capabilities
* @skb: the NETLINK buffer
* @req_cap: the required capability
*
* Description:
* Check the NETLINK buffer's capabilities against the required capabilities.
* Returns zero on success, negative values on failure.
*
*/
static inline int netlbl_netlink_cap_check(const struct sk_buff *skb,
kernel_cap_t req_cap)
{
if (cap_raised(NETLINK_CB(skb).eff_cap, req_cap))
return 0;
return -EPERM;
}
/**
* netlbl_getinc_u8 - Read a u8 value from a nlattr stream and move on
* @nla: the attribute
* @rem_len: remaining length
*
* Description:
* Return a u8 value pointed to by @nla and advance it to the next attribute.
*
*/
static inline u8 netlbl_getinc_u8(struct nlattr **nla, int *rem_len)
{
u8 val = nla_get_u8(*nla);
*nla = nla_next(*nla, rem_len);
return val;
}
/**
* netlbl_getinc_u16 - Read a u16 value from a nlattr stream and move on
* @nla: the attribute
* @rem_len: remaining length
*
* Description:
* Return a u16 value pointed to by @nla and advance it to the next attribute.
*
*/
static inline u16 netlbl_getinc_u16(struct nlattr **nla, int *rem_len)
{
u16 val = nla_get_u16(*nla);
*nla = nla_next(*nla, rem_len);
return val;
}
/**
* netlbl_getinc_u32 - Read a u32 value from a nlattr stream and move on
* @nla: the attribute
* @rem_len: remaining length
*
* Description:
* Return a u32 value pointed to by @nla and advance it to the next attribute.
*
*/
static inline u32 netlbl_getinc_u32(struct nlattr **nla, int *rem_len)
{
u32 val = nla_get_u32(*nla);
*nla = nla_next(*nla, rem_len);
return val;
}
/**
* netlbl_netlink_hdr_put - Write the NETLINK buffers into a sk_buff
* @skb: the packet
......@@ -124,6 +58,7 @@ static inline void *netlbl_netlink_hdr_put(struct sk_buff *skb,
u32 pid,
u32 seq,
int type,
int flags,
u8 cmd)
{
return genlmsg_put(skb,
......@@ -131,85 +66,13 @@ static inline void *netlbl_netlink_hdr_put(struct sk_buff *skb,
seq,
type,
0,
0,
flags,
cmd,
NETLBL_PROTO_VERSION);
}
/**
* netlbl_netlink_hdr_push - Write the NETLINK buffers into a sk_buff
* @skb: the packet
* @pid: the PID of the receipient
* @seq: the sequence number
* @type: the generic NETLINK message family type
* @cmd: command
*
* Description:
* Write both a NETLINK nlmsghdr structure and a Generic NETLINK genlmsghdr
* struct to the packet.
*
*/
static inline void netlbl_netlink_hdr_push(struct sk_buff *skb,
u32 pid,
u32 seq,
int type,
u8 cmd)
{
struct nlmsghdr *nlh;
struct genlmsghdr *hdr;
nlh = (struct nlmsghdr *)skb_push(skb, NLMSG_SPACE(GENL_HDRLEN));
nlh->nlmsg_type = type;
nlh->nlmsg_len = skb->len;
nlh->nlmsg_flags = 0;
nlh->nlmsg_pid = pid;
nlh->nlmsg_seq = seq;
hdr = nlmsg_data(nlh);
hdr->cmd = cmd;
hdr->version = NETLBL_PROTO_VERSION;
hdr->reserved = 0;
}
/**
* netlbl_netlink_payload_len - Return the length of the payload
* @skb: the NETLINK buffer
*
* Description:
* This function returns the length of the NetLabel payload.
*
*/
static inline u32 netlbl_netlink_payload_len(const struct sk_buff *skb)
{
return nlmsg_len((struct nlmsghdr *)skb->data) - GENL_HDRLEN;
}
/**
* netlbl_netlink_payload_data - Returns a pointer to the start of the payload
* @skb: the NETLINK buffer
*
* Description:
* This function returns a pointer to the start of the NetLabel payload.
*
*/
static inline void *netlbl_netlink_payload_data(const struct sk_buff *skb)
{
return (unsigned char *)nlmsg_data((struct nlmsghdr *)skb->data) +
GENL_HDRLEN;
}
/* NetLabel common protocol functions */
void netlbl_netlink_send_ack(const struct genl_info *info,
u32 genl_family,
u8 ack_cmd,
u32 ret_code);
/* NetLabel NETLINK I/O functions */
int netlbl_netlink_init(void);
int netlbl_netlink_snd(struct sk_buff *skb, u32 pid);
int netlbl_netlink_snd_multicast(struct sk_buff *skb, u32 pid, u32 group);
#endif
security/selinux/ss/services.c
浏览文件 @ 7e472020
......@@ -2502,14 +2502,24 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
{
struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
struct sk_security_struct *sksec = sk->sk_security;
struct netlbl_lsm_secattr secattr;
u32 nlbl_peer_sid;
sksec->sclass = isec->sclass;
if (sk->sk_family != PF_INET)
return;
netlbl_secattr_init(&secattr);
if (netlbl_sock_getattr(sk, &secattr) == 0 &&
selinux_netlbl_secattr_to_sid(NULL,
&secattr,
sksec->sid,
&nlbl_peer_sid) == 0)
sksec->peer_sid = nlbl_peer_sid;
netlbl_secattr_destroy(&secattr, 0);
sksec->nlbl_state = NLBL_REQUIRE;
sksec->peer_sid = sksec->sid;
/* Try to set the NetLabel on the socket to save time later, if we fail
* here we will pick up the pieces in later calls to
......@@ -2601,7 +2611,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
u32 netlbl_sid;
u32 recv_perm;
rc = selinux_netlbl_skbuff_getsid(skb, sksec->sid, &netlbl_sid);
rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &netlbl_sid);
if (rc != 0)
return rc;
......@@ -2610,13 +2620,13 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
switch (sksec->sclass) {
case SECCLASS_UDP_SOCKET:
recv_perm = UDP_SOCKET__RECV_MSG;
recv_perm = UDP_SOCKET__RECVFROM;
break;
case SECCLASS_TCP_SOCKET:
recv_perm = TCP_SOCKET__RECV_MSG;
recv_perm = TCP_SOCKET__RECVFROM;
break;
default:
recv_perm = RAWIP_SOCKET__RECV_MSG;
recv_perm = RAWIP_SOCKET__RECVFROM;
}
rc = avc_has_perm(sksec->sid,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册