Sākums Izpētīt Palīdzība
Pierakstīties
rama982
/
kernel_xiaomi_lancelot
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Koks: b940215a20
Atzari Tagi
kernel_xiaom...
/
net
/
netlabel
/
netlabel_domainhash.c

netlabel_domainhash.c 28 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987 
  1. /*
    2. 

  2.  * NetLabel Domain Hash Table
    3. 

  3.  *
    4. 

  4.  * This file manages the domain hash table that NetLabel uses to determine
    5. 

  5.  * which network labeling protocol to use for a given domain.  The NetLabel
    6. 

  6.  * system manages static and dynamic label mappings for network protocols such
    7. 

  7.  * as CIPSO and RIPSO.
    8. 

  8.  *
    9. 

  9.  * Author: Paul Moore <paul@paul-moore.com>
    10. 

  10.  *
    11. 

  11.  */
    12. 

  12. 

  13. /*
    14. 

  14.  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
    15. 

  15.  *
    16. 

  16.  * This program is free software;  you can redistribute it and/or modify
    17. 

  17.  * it under the terms of the GNU General Public License as published by
    18. 

  18.  * the Free Software Foundation; either version 2 of the License, or
    19. 

  19.  * (at your option) any later version.
    20. 

  20.  *
    21. 

  21.  * This program is distributed in the hope that it will be useful,
    22. 

  22.  * but WITHOUT ANY WARRANTY;  without even the implied warranty of
    23. 

  23.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
    24. 

  24.  * the GNU General Public License for more details.
    25. 

  25.  *
    26. 

  26.  * You should have received a copy of the GNU General Public License
    27. 

  27.  * along with this program;  if not, see <http://www.gnu.org/licenses/>.
    28. 

  28.  *
    29. 

  29.  */
    30. 

  30. 

  31. #include <linux/types.h>
    32. 

  32. #include <linux/rculist.h>
    33. 

  33. #include <linux/skbuff.h>
    34. 

  34. #include <linux/spinlock.h>
    35. 

  35. #include <linux/string.h>
    36. 

  36. #include <linux/audit.h>
    37. 

  37. #include <linux/slab.h>
    38. 

  38. #include <net/netlabel.h>
    39. 

  39. #include <net/cipso_ipv4.h>
    40. 

  40. #include <net/calipso.h>
    41. 

  41. #include <asm/bug.h>
    42. 

  42. 

  43. #include "netlabel_mgmt.h"
    44. 

  44. #include "netlabel_addrlist.h"
    45. 

  45. #include "netlabel_calipso.h"
    46. 

  46. #include "netlabel_domainhash.h"
    47. 

  47. #include "netlabel_user.h"
    48. 

  48. 

  49. struct netlbl_domhsh_tbl {
    50. 

  50. 	struct list_head *tbl;
    51. 

  51. 	u32 size;
    52. 

  52. };
    53. 

  53. 

  54. /* Domain hash table */
    55. 

  55. /* updates should be so rare that having one spinlock for the entire hash table
    56. 

  56.  * should be okay */
    57. 

  57. static DEFINE_SPINLOCK(netlbl_domhsh_lock);
    58. 

  58. #define netlbl_domhsh_rcu_deref(p) \
    59. 

  59. 	rcu_dereference_check(p, lockdep_is_held(&netlbl_domhsh_lock))
    60. 

  60. static struct netlbl_domhsh_tbl __rcu *netlbl_domhsh;
    61. 

  61. static struct netlbl_dom_map __rcu *netlbl_domhsh_def_ipv4;
    62. 

  62. static struct netlbl_dom_map __rcu *netlbl_domhsh_def_ipv6;
    63. 

  63. 

  64. /*
    65. 

  65.  * Domain Hash Table Helper Functions
    66. 

  66.  */
    67. 

  67. 

  68. /**
    69. 

  69.  * netlbl_domhsh_free_entry - Frees a domain hash table entry
    70. 

  70.  * @entry: the entry's RCU field
    71. 

  71.  *
    72. 

  72.  * Description:
    73. 

  73.  * This function is designed to be used as a callback to the call_rcu()
    74. 

  74.  * function so that the memory allocated to a hash table entry can be released
    75. 

  75.  * safely.
    76. 

  76.  *
    77. 

  77.  */
    78. 

  78. static void netlbl_domhsh_free_entry(struct rcu_head *entry)
    79. 

  79. {
    80. 

  80. 	struct netlbl_dom_map *ptr;
    81. 

  81. 	struct netlbl_af4list *iter4;
    82. 

  82. 	struct netlbl_af4list *tmp4;
    83. 

  83. #if IS_ENABLED(CONFIG_IPV6)
    84. 

  84. 	struct netlbl_af6list *iter6;
    85. 

  85. 	struct netlbl_af6list *tmp6;
    86. 

  86. #endif /* IPv6 */
    87. 

  87. 

  88. 	ptr = container_of(entry, struct netlbl_dom_map, rcu);
    89. 

  89. 	if (ptr->def.type == NETLBL_NLTYPE_ADDRSELECT) {
    90. 

  90. 		netlbl_af4list_foreach_safe(iter4, tmp4,
    91. 

  91. 					    &ptr->def.addrsel->list4) {
    92. 

  92. 			netlbl_af4list_remove_entry(iter4);
    93. 

  93. 			kfree(netlbl_domhsh_addr4_entry(iter4));
    94. 

  94. 		}
    95. 

  95. #if IS_ENABLED(CONFIG_IPV6)
    96. 

  96. 		netlbl_af6list_foreach_safe(iter6, tmp6,
    97. 

  97. 					    &ptr->def.addrsel->list6) {
    98. 

  98. 			netlbl_af6list_remove_entry(iter6);
    99. 

  99. 			kfree(netlbl_domhsh_addr6_entry(iter6));
    100. 

  100. 		}
    101. 

  101. #endif /* IPv6 */
    102. 

  102. 		kfree(ptr->def.addrsel);
    103. 

  103. 	}
    104. 

  104. 	kfree(ptr->domain);
    105. 

  105. 	kfree(ptr);
    106. 

  106. }
    107. 

  107. 

  108. /**
    109. 

  109.  * netlbl_domhsh_hash - Hashing function for the domain hash table
    110. 

  110.  * @domain: the domain name to hash
    111. 

  111.  *
    112. 

  112.  * Description:
    113. 

  113.  * This is the hashing function for the domain hash table, it returns the
    114. 

  114.  * correct bucket number for the domain.  The caller is responsible for
    115. 

  115.  * ensuring that the hash table is protected with either a RCU read lock or the
    116. 

  116.  * hash table lock.
    117. 

  117.  *
    118. 

  118.  */
    119. 

  119. static u32 netlbl_domhsh_hash(const char *key)
    120. 

  120. {
    121. 

  121. 	u32 iter;
    122. 

  122. 	u32 val;
    123. 

  123. 	u32 len;
    124. 

  124. 

  125. 	/* This is taken (with slight modification) from
    126. 

  126. 	 * security/selinux/ss/symtab.c:symhash() */
    127. 

  127. 

  128. 	for (iter = 0, val = 0, len = strlen(key); iter < len; iter++)
    129. 

  129. 		val = (val << 4 | (val >> (8 * sizeof(u32) - 4))) ^ key[iter];
    130. 

  130. 	return val & (netlbl_domhsh_rcu_deref(netlbl_domhsh)->size - 1);
    131. 

  131. }
    132. 

  132. 

  133. static bool netlbl_family_match(u16 f1, u16 f2)
    134. 

  134. {
    135. 

  135. 	return (f1 == f2) || (f1 == AF_UNSPEC) || (f2 == AF_UNSPEC);
    136. 

  136. }
    137. 

  137. 

  138. /**
    139. 

  139.  * netlbl_domhsh_search - Search for a domain entry
    140. 

  140.  * @domain: the domain
    141. 

  141.  * @family: the address family
    142. 

  142.  *
    143. 

  143.  * Description:
    144. 

  144.  * Searches the domain hash table and returns a pointer to the hash table
    145. 

  145.  * entry if found, otherwise NULL is returned.  @family may be %AF_UNSPEC
    146. 

  146.  * which matches any address family entries.  The caller is responsible for
    147. 

  147.  * ensuring that the hash table is protected with either a RCU read lock or the
    148. 

  148.  * hash table lock.
    149. 

  149.  *
    150. 

  150.  */
    151. 

  151. static struct netlbl_dom_map *netlbl_domhsh_search(const char *domain,
    152. 

  152. 						   u16 family)
    153. 

  153. {
    154. 

  154. 	u32 bkt;
    155. 

  155. 	struct list_head *bkt_list;
    156. 

  156. 	struct netlbl_dom_map *iter;
    157. 

  157. 

  158. 	if (domain != NULL) {
    159. 

  159. 		bkt = netlbl_domhsh_hash(domain);
    160. 

  160. 		bkt_list = &netlbl_domhsh_rcu_deref(netlbl_domhsh)->tbl[bkt];
    161. 

  161. 		list_for_each_entry_rcu(iter, bkt_list, list)
    162. 

  162. 			if (iter->valid &&
    163. 

  163. 			    netlbl_family_match(iter->family, family) &&
    164. 

  164. 			    strcmp(iter->domain, domain) == 0)
    165. 

  165. 				return iter;
    166. 

  166. 	}
    167. 

  167. 

  168. 	return NULL;
    169. 

  169. }
    170. 

  170. 

  171. /**
    172. 

  172.  * netlbl_domhsh_search_def - Search for a domain entry
    173. 

  173.  * @domain: the domain
    174. 

  174.  * @family: the address family
    175. 

  175.  *
    176. 

  176.  * Description:
    177. 

  177.  * Searches the domain hash table and returns a pointer to the hash table
    178. 

  178.  * entry if an exact match is found, if an exact match is not present in the
    179. 

  179.  * hash table then the default entry is returned if valid otherwise NULL is
    180. 

  180.  * returned.  @family may be %AF_UNSPEC which matches any address family
    181. 

  181.  * entries.  The caller is responsible ensuring that the hash table is
    182. 

  182.  * protected with either a RCU read lock or the hash table lock.
    183. 

  183.  *
    184. 

  184.  */
    185. 

  185. static struct netlbl_dom_map *netlbl_domhsh_search_def(const char *domain,
    186. 

  186. 						       u16 family)
    187. 

  187. {
    188. 

  188. 	struct netlbl_dom_map *entry;
    189. 

  189. 

  190. 	entry = netlbl_domhsh_search(domain, family);
    191. 

  191. 	if (entry != NULL)
    192. 

  192. 		return entry;
    193. 

  193. 	if (family == AF_INET || family == AF_UNSPEC) {
    194. 

  194. 		entry = netlbl_domhsh_rcu_deref(netlbl_domhsh_def_ipv4);
    195. 

  195. 		if (entry != NULL && entry->valid)
    196. 

  196. 			return entry;
    197. 

  197. 	}
    198. 

  198. 	if (family == AF_INET6 || family == AF_UNSPEC) {
    199. 

  199. 		entry = netlbl_domhsh_rcu_deref(netlbl_domhsh_def_ipv6);
    200. 

  200. 		if (entry != NULL && entry->valid)
    201. 

  201. 			return entry;
    202. 

  202. 	}
    203. 

  203. 

  204. 	return NULL;
    205. 

  205. }
    206. 

  206. 

  207. /**
    208. 

  208.  * netlbl_domhsh_audit_add - Generate an audit entry for an add event
    209. 

  209.  * @entry: the entry being added
    210. 

  210.  * @addr4: the IPv4 address information
    211. 

  211.  * @addr6: the IPv6 address information
    212. 

  212.  * @result: the result code
    213. 

  213.  * @audit_info: NetLabel audit information
    214. 

  214.  *
    215. 

  215.  * Description:
    216. 

  216.  * Generate an audit record for adding a new NetLabel/LSM mapping entry with
    217. 

  217.  * the given information.  Caller is responsible for holding the necessary
    218. 

  218.  * locks.
    219. 

  219.  *
    220. 

  220.  */
    221. 

  221. static void netlbl_domhsh_audit_add(struct netlbl_dom_map *entry,
    222. 

  222. 				    struct netlbl_af4list *addr4,
    223. 

  223. 				    struct netlbl_af6list *addr6,
    224. 

  224. 				    int result,
    225. 

  225. 				    struct netlbl_audit *audit_info)
    226. 

  226. {
    227. 

  227. 	struct audit_buffer *audit_buf;
    228. 

  228. 	struct cipso_v4_doi *cipsov4 = NULL;
    229. 

  229. 	struct calipso_doi *calipso = NULL;
    230. 

  230. 	u32 type;
    231. 

  231. 

  232. 	audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info);
    233. 

  233. 	if (audit_buf != NULL) {
    234. 

  234. 		audit_log_format(audit_buf, " nlbl_domain=%s",
    235. 

  235. 				 entry->domain ? entry->domain : "(default)");
    236. 

  236. 		if (addr4 != NULL) {
    237. 

  237. 			struct netlbl_domaddr4_map *map4;
    238. 

  238. 			map4 = netlbl_domhsh_addr4_entry(addr4);
    239. 

  239. 			type = map4->def.type;
    240. 

  240. 			cipsov4 = map4->def.cipso;
    241. 

  241. 			netlbl_af4list_audit_addr(audit_buf, 0, NULL,
    242. 

  242. 						  addr4->addr, addr4->mask);
    243. 

  243. #if IS_ENABLED(CONFIG_IPV6)
    244. 

  244. 		} else if (addr6 != NULL) {
    245. 

  245. 			struct netlbl_domaddr6_map *map6;
    246. 

  246. 			map6 = netlbl_domhsh_addr6_entry(addr6);
    247. 

  247. 			type = map6->def.type;
    248. 

  248. 			calipso = map6->def.calipso;
    249. 

  249. 			netlbl_af6list_audit_addr(audit_buf, 0, NULL,
    250. 

  250. 						  &addr6->addr, &addr6->mask);
    251. 

  251. #endif /* IPv6 */
    252. 

  252. 		} else {
    253. 

  253. 			type = entry->def.type;
    254. 

  254. 			cipsov4 = entry->def.cipso;
    255. 

  255. 			calipso = entry->def.calipso;
    256. 

  256. 		}
    257. 

  257. 		switch (type) {
    258. 

  258. 		case NETLBL_NLTYPE_UNLABELED:
    259. 

  259. 			audit_log_format(audit_buf, " nlbl_protocol=unlbl");
    260. 

  260. 			break;
    261. 

  261. 		case NETLBL_NLTYPE_CIPSOV4:
    262. 

  262. 			BUG_ON(cipsov4 == NULL);
    263. 

  263. 			audit_log_format(audit_buf,
    264. 

  264. 					 " nlbl_protocol=cipsov4 cipso_doi=%u",
    265. 

  265. 					 cipsov4->doi);
    266. 

  266. 			break;
    267. 

  267. 		case NETLBL_NLTYPE_CALIPSO:
    268. 

  268. 			BUG_ON(calipso == NULL);
    269. 

  269. 			audit_log_format(audit_buf,
    270. 

  270. 					 " nlbl_protocol=calipso calipso_doi=%u",
    271. 

  271. 					 calipso->doi);
    272. 

  272. 			break;
    273. 

  273. 		}
    274. 

  274. 		audit_log_format(audit_buf, " res=%u", result == 0 ? 1 : 0);
    275. 

  275. 		audit_log_end(audit_buf);
    276. 

  276. 	}
    277. 

  277. }
    278. 

  278. 

  279. /**
    280. 

  280.  * netlbl_domhsh_validate - Validate a new domain mapping entry
    281. 

  281.  * @entry: the entry to validate
    282. 

  282.  *
    283. 

  283.  * This function validates the new domain mapping entry to ensure that it is
    284. 

  284.  * a valid entry.  Returns zero on success, negative values on failure.
    285. 

  285.  *
    286. 

  286.  */
    287. 

  287. static int netlbl_domhsh_validate(const struct netlbl_dom_map *entry)
    288. 

  288. {
    289. 

  289. 	struct netlbl_af4list *iter4;
    290. 

  290. 	struct netlbl_domaddr4_map *map4;
    291. 

  291. #if IS_ENABLED(CONFIG_IPV6)
    292. 

  292. 	struct netlbl_af6list *iter6;
    293. 

  293. 	struct netlbl_domaddr6_map *map6;
    294. 

  294. #endif /* IPv6 */
    295. 

  295. 

  296. 	if (entry == NULL)
    297. 

  297. 		return -EINVAL;
    298. 

  298. 

  299. 	if (entry->family != AF_INET && entry->family != AF_INET6 &&
    300. 

  300. 	    (entry->family != AF_UNSPEC ||
    301. 

  301. 	     entry->def.type != NETLBL_NLTYPE_UNLABELED))
    302. 

  302. 		return -EINVAL;
    303. 

  303. 

  304. 	switch (entry->def.type) {
    305. 

  305. 	case NETLBL_NLTYPE_UNLABELED:
    306. 

  306. 		if (entry->def.cipso != NULL || entry->def.calipso != NULL ||
    307. 

  307. 		    entry->def.addrsel != NULL)
    308. 

  308. 			return -EINVAL;
    309. 

  309. 		break;
    310. 

  310. 	case NETLBL_NLTYPE_CIPSOV4:
    311. 

  311. 		if (entry->family != AF_INET ||
    312. 

  312. 		    entry->def.cipso == NULL)
    313. 

  313. 			return -EINVAL;
    314. 

  314. 		break;
    315. 

  315. 	case NETLBL_NLTYPE_CALIPSO:
    316. 

  316. 		if (entry->family != AF_INET6 ||
    317. 

  317. 		    entry->def.calipso == NULL)
    318. 

  318. 			return -EINVAL;
    319. 

  319. 		break;
    320. 

  320. 	case NETLBL_NLTYPE_ADDRSELECT:
    321. 

  321. 		netlbl_af4list_foreach(iter4, &entry->def.addrsel->list4) {
    322. 

  322. 			map4 = netlbl_domhsh_addr4_entry(iter4);
    323. 

  323. 			switch (map4->def.type) {
    324. 

  324. 			case NETLBL_NLTYPE_UNLABELED:
    325. 

  325. 				if (map4->def.cipso != NULL)
    326. 

  326. 					return -EINVAL;
    327. 

  327. 				break;
    328. 

  328. 			case NETLBL_NLTYPE_CIPSOV4:
    329. 

  329. 				if (map4->def.cipso == NULL)
    330. 

  330. 					return -EINVAL;
    331. 

  331. 				break;
    332. 

  332. 			default:
    333. 

  333. 				return -EINVAL;
    334. 

  334. 			}
    335. 

  335. 		}
    336. 

  336. #if IS_ENABLED(CONFIG_IPV6)
    337. 

  337. 		netlbl_af6list_foreach(iter6, &entry->def.addrsel->list6) {
    338. 

  338. 			map6 = netlbl_domhsh_addr6_entry(iter6);
    339. 

  339. 			switch (map6->def.type) {
    340. 

  340. 			case NETLBL_NLTYPE_UNLABELED:
    341. 

  341. 				if (map6->def.calipso != NULL)
    342. 

  342. 					return -EINVAL;
    343. 

  343. 				break;
    344. 

  344. 			case NETLBL_NLTYPE_CALIPSO:
    345. 

  345. 				if (map6->def.calipso == NULL)
    346. 

  346. 					return -EINVAL;
    347. 

  347. 				break;
    348. 

  348. 			default:
    349. 

  349. 				return -EINVAL;
    350. 

  350. 			}
    351. 

  351. 		}
    352. 

  352. #endif /* IPv6 */
    353. 

  353. 		break;
    354. 

  354. 	default:
    355. 

  355. 		return -EINVAL;
    356. 

  356. 	}
    357. 

  357. 

  358. 	return 0;
    359. 

  359. }
    360. 

  360. 

  361. /*
    362. 

  362.  * Domain Hash Table Functions
    363. 

  363.  */
    364. 

  364. 

  365. /**
    366. 

  366.  * netlbl_domhsh_init - Init for the domain hash
    367. 

  367.  * @size: the number of bits to use for the hash buckets
    368. 

  368.  *
    369. 

  369.  * Description:
    370. 

  370.  * Initializes the domain hash table, should be called only by
    371. 

  371.  * netlbl_user_init() during initialization.  Returns zero on success, non-zero
    372. 

  372.  * values on error.
    373. 

  373.  *
    374. 

  374.  */
    375. 

  375. int __init netlbl_domhsh_init(u32 size)
    376. 

  376. {
    377. 

  377. 	u32 iter;
    378. 

  378. 	struct netlbl_domhsh_tbl *hsh_tbl;
    379. 

  379. 

  380. 	if (size == 0)
    381. 

  381. 		return -EINVAL;
    382. 

  382. 

  383. 	hsh_tbl = kmalloc(sizeof(*hsh_tbl), GFP_KERNEL);
    384. 

  384. 	if (hsh_tbl == NULL)
    385. 

  385. 		return -ENOMEM;
    386. 

  386. 	hsh_tbl->size = 1 << size;
    387. 

  387. 	hsh_tbl->tbl = kcalloc(hsh_tbl->size,
    388. 

  388. 			       sizeof(struct list_head),
    389. 

  389. 			       GFP_KERNEL);
    390. 

  390. 	if (hsh_tbl->tbl == NULL) {
    391. 

  391. 		kfree(hsh_tbl);
    392. 

  392. 		return -ENOMEM;
    393. 

  393. 	}
    394. 

  394. 	for (iter = 0; iter < hsh_tbl->size; iter++)
    395. 

  395. 		INIT_LIST_HEAD(&hsh_tbl->tbl[iter]);
    396. 

  396. 

  397. 	spin_lock(&netlbl_domhsh_lock);
    398. 

  398. 	rcu_assign_pointer(netlbl_domhsh, hsh_tbl);
    399. 

  399. 	spin_unlock(&netlbl_domhsh_lock);
    400. 

  400. 

  401. 	return 0;
    402. 

  402. }
    403. 

  403. 

  404. /**
    405. 

  405.  * netlbl_domhsh_add - Adds a entry to the domain hash table
    406. 

  406.  * @entry: the entry to add
    407. 

  407.  * @audit_info: NetLabel audit information
    408. 

  408.  *
    409. 

  409.  * Description:
    410. 

  410.  * Adds a new entry to the domain hash table and handles any updates to the
    411. 

  411.  * lower level protocol handler (i.e. CIPSO).  @entry->family may be set to
    412. 

  412.  * %AF_UNSPEC which will add an entry that matches all address families.  This
    413. 

  413.  * is only useful for the unlabelled type and will only succeed if there is no
    414. 

  414.  * existing entry for any address family with the same domain.  Returns zero
    415. 

  415.  * on success, negative on failure.
    416. 

  416.  *
    417. 

  417.  */
    418. 

  418. int netlbl_domhsh_add(struct netlbl_dom_map *entry,
    419. 

  419. 		      struct netlbl_audit *audit_info)
    420. 

  420. {
    421. 

  421. 	int ret_val = 0;
    422. 

  422. 	struct netlbl_dom_map *entry_old, *entry_b;
    423. 

  423. 	struct netlbl_af4list *iter4;
    424. 

  424. 	struct netlbl_af4list *tmp4;
    425. 

  425. #if IS_ENABLED(CONFIG_IPV6)
    426. 

  426. 	struct netlbl_af6list *iter6;
    427. 

  427. 	struct netlbl_af6list *tmp6;
    428. 

  428. #endif /* IPv6 */
    429. 

  429. 

  430. 	ret_val = netlbl_domhsh_validate(entry);
    431. 

  431. 	if (ret_val != 0)
    432. 

  432. 		return ret_val;
    433. 

  433. 

  434. 	/* XXX - we can remove this RCU read lock as the spinlock protects the
    435. 

  435. 	 *       entire function, but before we do we need to fixup the
    436. 

  436. 	 *       netlbl_af[4,6]list RCU functions to do "the right thing" with
    437. 

  437. 	 *       respect to rcu_dereference() when only a spinlock is held. */
    438. 

  438. 	rcu_read_lock();
    439. 

  439. 	spin_lock(&netlbl_domhsh_lock);
    440. 

  440. 	if (entry->domain != NULL)
    441. 

  441. 		entry_old = netlbl_domhsh_search(entry->domain, entry->family);
    442. 

  442. 	else
    443. 

  443. 		entry_old = netlbl_domhsh_search_def(entry->domain,
    444. 

  444. 						     entry->family);
    445. 

  445. 	if (entry_old == NULL) {
    446. 

  446. 		entry->valid = 1;
    447. 

  447. 

  448. 		if (entry->domain != NULL) {
    449. 

  449. 			u32 bkt = netlbl_domhsh_hash(entry->domain);
    450. 

  450. 			list_add_tail_rcu(&entry->list,
    451. 

  451. 				    &rcu_dereference(netlbl_domhsh)->tbl[bkt]);
    452. 

  452. 		} else {
    453. 

  453. 			INIT_LIST_HEAD(&entry->list);
    454. 

  454. 			switch (entry->family) {
    455. 

  455. 			case AF_INET:
    456. 

  456. 				rcu_assign_pointer(netlbl_domhsh_def_ipv4,
    457. 

  457. 						   entry);
    458. 

  458. 				break;
    459. 

  459. 			case AF_INET6:
    460. 

  460. 				rcu_assign_pointer(netlbl_domhsh_def_ipv6,
    461. 

  461. 						   entry);
    462. 

  462. 				break;
    463. 

  463. 			case AF_UNSPEC:
    464. 

  464. 				if (entry->def.type !=
    465. 

  465. 				    NETLBL_NLTYPE_UNLABELED) {
    466. 

  466. 					ret_val = -EINVAL;
    467. 

  467. 					goto add_return;
    468. 

  468. 				}
    469. 

  469. 				entry_b = kzalloc(sizeof(*entry_b), GFP_ATOMIC);
    470. 

  470. 				if (entry_b == NULL) {
    471. 

  471. 					ret_val = -ENOMEM;
    472. 

  472. 					goto add_return;
    473. 

  473. 				}
    474. 

  474. 				entry_b->family = AF_INET6;
    475. 

  475. 				entry_b->def.type = NETLBL_NLTYPE_UNLABELED;
    476. 

  476. 				entry_b->valid = 1;
    477. 

  477. 				entry->family = AF_INET;
    478. 

  478. 				rcu_assign_pointer(netlbl_domhsh_def_ipv4,
    479. 

  479. 						   entry);
    480. 

  480. 				rcu_assign_pointer(netlbl_domhsh_def_ipv6,
    481. 

  481. 						   entry_b);
    482. 

  482. 				break;
    483. 

  483. 			default:
    484. 

  484. 				/* Already checked in
    485. 

  485. 				 * netlbl_domhsh_validate(). */
    486. 

  486. 				ret_val = -EINVAL;
    487. 

  487. 				goto add_return;
    488. 

  488. 			}
    489. 

  489. 		}
    490. 

  490. 

  491. 		if (entry->def.type == NETLBL_NLTYPE_ADDRSELECT) {
    492. 

  492. 			netlbl_af4list_foreach_rcu(iter4,
    493. 

  493. 						   &entry->def.addrsel->list4)
    494. 

  494. 				netlbl_domhsh_audit_add(entry, iter4, NULL,
    495. 

  495. 							ret_val, audit_info);
    496. 

  496. #if IS_ENABLED(CONFIG_IPV6)
    497. 

  497. 			netlbl_af6list_foreach_rcu(iter6,
    498. 

  498. 						   &entry->def.addrsel->list6)
    499. 

  499. 				netlbl_domhsh_audit_add(entry, NULL, iter6,
    500. 

  500. 							ret_val, audit_info);
    501. 

  501. #endif /* IPv6 */
    502. 

  502. 		} else
    503. 

  503. 			netlbl_domhsh_audit_add(entry, NULL, NULL,
    504. 

  504. 						ret_val, audit_info);
    505. 

  505. 	} else if (entry_old->def.type == NETLBL_NLTYPE_ADDRSELECT &&
    506. 

  506. 		   entry->def.type == NETLBL_NLTYPE_ADDRSELECT) {
    507. 

  507. 		struct list_head *old_list4;
    508. 

  508. 		struct list_head *old_list6;
    509. 

  509. 

  510. 		old_list4 = &entry_old->def.addrsel->list4;
    511. 

  511. 		old_list6 = &entry_old->def.addrsel->list6;
    512. 

  512. 

  513. 		/* we only allow the addition of address selectors if all of
    514. 

  514. 		 * the selectors do not exist in the existing domain map */
    515. 

  515. 		netlbl_af4list_foreach_rcu(iter4, &entry->def.addrsel->list4)
    516. 

  516. 			if (netlbl_af4list_search_exact(iter4->addr,
    517. 

  517. 							iter4->mask,
    518. 

  518. 							old_list4)) {
    519. 

  519. 				ret_val = -EEXIST;
    520. 

  520. 				goto add_return;
    521. 

  521. 			}
    522. 

  522. #if IS_ENABLED(CONFIG_IPV6)
    523. 

  523. 		netlbl_af6list_foreach_rcu(iter6, &entry->def.addrsel->list6)
    524. 

  524. 			if (netlbl_af6list_search_exact(&iter6->addr,
    525. 

  525. 							&iter6->mask,
    526. 

  526. 							old_list6)) {
    527. 

  527. 				ret_val = -EEXIST;
    528. 

  528. 				goto add_return;
    529. 

  529. 			}
    530. 

  530. #endif /* IPv6 */
    531. 

  531. 

  532. 		netlbl_af4list_foreach_safe(iter4, tmp4,
    533. 

  533. 					    &entry->def.addrsel->list4) {
    534. 

  534. 			netlbl_af4list_remove_entry(iter4);
    535. 

  535. 			iter4->valid = 1;
    536. 

  536. 			ret_val = netlbl_af4list_add(iter4, old_list4);
    537. 

  537. 			netlbl_domhsh_audit_add(entry_old, iter4, NULL,
    538. 

  538. 						ret_val, audit_info);
    539. 

  539. 			if (ret_val != 0)
    540. 

  540. 				goto add_return;
    541. 

  541. 		}
    542. 

  542. #if IS_ENABLED(CONFIG_IPV6)
    543. 

  543. 		netlbl_af6list_foreach_safe(iter6, tmp6,
    544. 

  544. 					    &entry->def.addrsel->list6) {
    545. 

  545. 			netlbl_af6list_remove_entry(iter6);
    546. 

  546. 			iter6->valid = 1;
    547. 

  547. 			ret_val = netlbl_af6list_add(iter6, old_list6);
    548. 

  548. 			netlbl_domhsh_audit_add(entry_old, NULL, iter6,
    549. 

  549. 						ret_val, audit_info);
    550. 

  550. 			if (ret_val != 0)
    551. 

  551. 				goto add_return;
    552. 

  552. 		}
    553. 

  553. #endif /* IPv6 */
    554. 

  554. 		/* cleanup the new entry since we've moved everything over */
    555. 

  555. 		netlbl_domhsh_free_entry(&entry->rcu);
    556. 

  556. 	} else
    557. 

  557. 		ret_val = -EINVAL;
    558. 

  558. 

  559. add_return:
    560. 

  560. 	spin_unlock(&netlbl_domhsh_lock);
    561. 

  561. 	rcu_read_unlock();
    562. 

  562. 	return ret_val;
    563. 

  563. }
    564. 

  564. 

  565. /**
    566. 

  566.  * netlbl_domhsh_add_default - Adds the default entry to the domain hash table
    567. 

  567.  * @entry: the entry to add
    568. 

  568.  * @audit_info: NetLabel audit information
    569. 

  569.  *
    570. 

  570.  * Description:
    571. 

  571.  * Adds a new default entry to the domain hash table and handles any updates
    572. 

  572.  * to the lower level protocol handler (i.e. CIPSO).  Returns zero on success,
    573. 

  573.  * negative on failure.
    574. 

  574.  *
    575. 

  575.  */
    576. 

  576. int netlbl_domhsh_add_default(struct netlbl_dom_map *entry,
    577. 

  577. 			      struct netlbl_audit *audit_info)
    578. 

  578. {
    579. 

  579. 	return netlbl_domhsh_add(entry, audit_info);
    580. 

  580. }
    581. 

  581. 

  582. /**
    583. 

  583.  * netlbl_domhsh_remove_entry - Removes a given entry from the domain table
    584. 

  584.  * @entry: the entry to remove
    585. 

  585.  * @audit_info: NetLabel audit information
    586. 

  586.  *
    587. 

  587.  * Description:
    588. 

  588.  * Removes an entry from the domain hash table and handles any updates to the
    589. 

  589.  * lower level protocol handler (i.e. CIPSO).  Caller is responsible for
    590. 

  590.  * ensuring that the RCU read lock is held.  Returns zero on success, negative
    591. 

  591.  * on failure.
    592. 

  592.  *
    593. 

  593.  */
    594. 

  594. int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry,
    595. 

  595. 			       struct netlbl_audit *audit_info)
    596. 

  596. {
    597. 

  597. 	int ret_val = 0;
    598. 

  598. 	struct audit_buffer *audit_buf;
    599. 

  599. 	struct netlbl_af4list *iter4;
    600. 

  600. 	struct netlbl_domaddr4_map *map4;
    601. 

  601. #if IS_ENABLED(CONFIG_IPV6)
    602. 

  602. 	struct netlbl_af6list *iter6;
    603. 

  603. 	struct netlbl_domaddr6_map *map6;
    604. 

  604. #endif /* IPv6 */
    605. 

  605. 

  606. 	if (entry == NULL)
    607. 

  607. 		return -ENOENT;
    608. 

  608. 

  609. 	spin_lock(&netlbl_domhsh_lock);
    610. 

  610. 	if (entry->valid) {
    611. 

  611. 		entry->valid = 0;
    612. 

  612. 		if (entry == rcu_dereference(netlbl_domhsh_def_ipv4))
    613. 

  613. 			RCU_INIT_POINTER(netlbl_domhsh_def_ipv4, NULL);
    614. 

  614. 		else if (entry == rcu_dereference(netlbl_domhsh_def_ipv6))
    615. 

  615. 			RCU_INIT_POINTER(netlbl_domhsh_def_ipv6, NULL);
    616. 

  616. 		else
    617. 

  617. 			list_del_rcu(&entry->list);
    618. 

  618. 	} else
    619. 

  619. 		ret_val = -ENOENT;
    620. 

  620. 	spin_unlock(&netlbl_domhsh_lock);
    621. 

  621. 

  622. 	if (ret_val)
    623. 

  623. 		return ret_val;
    624. 

  624. 

  625. 	audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info);
    626. 

  626. 	if (audit_buf != NULL) {
    627. 

  627. 		audit_log_format(audit_buf,
    628. 

  628. 				 " nlbl_domain=%s res=%u",
    629. 

  629. 				 entry->domain ? entry->domain : "(default)",
    630. 

  630. 				 ret_val == 0 ? 1 : 0);
    631. 

  631. 		audit_log_end(audit_buf);
    632. 

  632. 	}
    633. 

  633. 

  634. 	switch (entry->def.type) {
    635. 

  635. 	case NETLBL_NLTYPE_ADDRSELECT:
    636. 

  636. 		netlbl_af4list_foreach_rcu(iter4, &entry->def.addrsel->list4) {
    637. 

  637. 			map4 = netlbl_domhsh_addr4_entry(iter4);
    638. 

  638. 			cipso_v4_doi_putdef(map4->def.cipso);
    639. 

  639. 		}
    640. 

  640. #if IS_ENABLED(CONFIG_IPV6)
    641. 

  641. 		netlbl_af6list_foreach_rcu(iter6, &entry->def.addrsel->list6) {
    642. 

  642. 			map6 = netlbl_domhsh_addr6_entry(iter6);
    643. 

  643. 			calipso_doi_putdef(map6->def.calipso);
    644. 

  644. 		}
    645. 

  645. #endif /* IPv6 */
    646. 

  646. 		break;
    647. 

  647. 	case NETLBL_NLTYPE_CIPSOV4:
    648. 

  648. 		cipso_v4_doi_putdef(entry->def.cipso);
    649. 

  649. 		break;
    650. 

  650. #if IS_ENABLED(CONFIG_IPV6)
    651. 

  651. 	case NETLBL_NLTYPE_CALIPSO:
    652. 

  652. 		calipso_doi_putdef(entry->def.calipso);
    653. 

  653. 		break;
    654. 

  654. #endif /* IPv6 */
    655. 

  655. 	}
    656. 

  656. 	call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
    657. 

  657. 

  658. 	return ret_val;
    659. 

  659. }
    660. 

  660. 

  661. /**
    662. 

  662.  * netlbl_domhsh_remove_af4 - Removes an address selector entry
    663. 

  663.  * @domain: the domain
    664. 

  664.  * @addr: IPv4 address
    665. 

  665.  * @mask: IPv4 address mask
    666. 

  666.  * @audit_info: NetLabel audit information
    667. 

  667.  *
    668. 

  668.  * Description:
    669. 

  669.  * Removes an individual address selector from a domain mapping and potentially
    670. 

  670.  * the entire mapping if it is empty.  Returns zero on success, negative values
    671. 

  671.  * on failure.
    672. 

  672.  *
    673. 

  673.  */
    674. 

  674. int netlbl_domhsh_remove_af4(const char *domain,
    675. 

  675. 			     const struct in_addr *addr,
    676. 

  676. 			     const struct in_addr *mask,
    677. 

  677. 			     struct netlbl_audit *audit_info)
    678. 

  678. {
    679. 

  679. 	struct netlbl_dom_map *entry_map;
    680. 

  680. 	struct netlbl_af4list *entry_addr;
    681. 

  681. 	struct netlbl_af4list *iter4;
    682. 

  682. #if IS_ENABLED(CONFIG_IPV6)
    683. 

  683. 	struct netlbl_af6list *iter6;
    684. 

  684. #endif /* IPv6 */
    685. 

  685. 	struct netlbl_domaddr4_map *entry;
    686. 

  686. 

  687. 	rcu_read_lock();
    688. 

  688. 

  689. 	if (domain)
    690. 

  690. 		entry_map = netlbl_domhsh_search(domain, AF_INET);
    691. 

  691. 	else
    692. 

  692. 		entry_map = netlbl_domhsh_search_def(domain, AF_INET);
    693. 

  693. 	if (entry_map == NULL ||
    694. 

  694. 	    entry_map->def.type != NETLBL_NLTYPE_ADDRSELECT)
    695. 

  695. 		goto remove_af4_failure;
    696. 

  696. 

  697. 	spin_lock(&netlbl_domhsh_lock);
    698. 

  698. 	entry_addr = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
    699. 

  699. 					   &entry_map->def.addrsel->list4);
    700. 

  700. 	spin_unlock(&netlbl_domhsh_lock);
    701. 

  701. 

  702. 	if (entry_addr == NULL)
    703. 

  703. 		goto remove_af4_failure;
    704. 

  704. 	netlbl_af4list_foreach_rcu(iter4, &entry_map->def.addrsel->list4)
    705. 

  705. 		goto remove_af4_single_addr;
    706. 

  706. #if IS_ENABLED(CONFIG_IPV6)
    707. 

  707. 	netlbl_af6list_foreach_rcu(iter6, &entry_map->def.addrsel->list6)
    708. 

  708. 		goto remove_af4_single_addr;
    709. 

  709. #endif /* IPv6 */
    710. 

  710. 	/* the domain mapping is empty so remove it from the mapping table */
    711. 

  711. 	netlbl_domhsh_remove_entry(entry_map, audit_info);
    712. 

  712. 

  713. remove_af4_single_addr:
    714. 

  714. 	rcu_read_unlock();
    715. 

  715. 	/* yick, we can't use call_rcu here because we don't have a rcu head
    716. 

  716. 	 * pointer but hopefully this should be a rare case so the pause
    717. 

  717. 	 * shouldn't be a problem */
    718. 

  718. 	synchronize_rcu();
    719. 

  719. 	entry = netlbl_domhsh_addr4_entry(entry_addr);
    720. 

  720. 	cipso_v4_doi_putdef(entry->def.cipso);
    721. 

  721. 	kfree(entry);
    722. 

  722. 	return 0;
    723. 

  723. 

  724. remove_af4_failure:
    725. 

  725. 	rcu_read_unlock();
    726. 

  726. 	return -ENOENT;
    727. 

  727. }
    728. 

  728. 

  729. #if IS_ENABLED(CONFIG_IPV6)
    730. 

  730. /**
    731. 

  731.  * netlbl_domhsh_remove_af6 - Removes an address selector entry
    732. 

  732.  * @domain: the domain
    733. 

  733.  * @addr: IPv6 address
    734. 

  734.  * @mask: IPv6 address mask
    735. 

  735.  * @audit_info: NetLabel audit information
    736. 

  736.  *
    737. 

  737.  * Description:
    738. 

  738.  * Removes an individual address selector from a domain mapping and potentially
    739. 

  739.  * the entire mapping if it is empty.  Returns zero on success, negative values
    740. 

  740.  * on failure.
    741. 

  741.  *
    742. 

  742.  */
    743. 

  743. int netlbl_domhsh_remove_af6(const char *domain,
    744. 

  744. 			     const struct in6_addr *addr,
    745. 

  745. 			     const struct in6_addr *mask,
    746. 

  746. 			     struct netlbl_audit *audit_info)
    747. 

  747. {
    748. 

  748. 	struct netlbl_dom_map *entry_map;
    749. 

  749. 	struct netlbl_af6list *entry_addr;
    750. 

  750. 	struct netlbl_af4list *iter4;
    751. 

  751. 	struct netlbl_af6list *iter6;
    752. 

  752. 	struct netlbl_domaddr6_map *entry;
    753. 

  753. 

  754. 	rcu_read_lock();
    755. 

  755. 

  756. 	if (domain)
    757. 

  757. 		entry_map = netlbl_domhsh_search(domain, AF_INET6);
    758. 

  758. 	else
    759. 

  759. 		entry_map = netlbl_domhsh_search_def(domain, AF_INET6);
    760. 

  760. 	if (entry_map == NULL ||
    761. 

  761. 	    entry_map->def.type != NETLBL_NLTYPE_ADDRSELECT)
    762. 

  762. 		goto remove_af6_failure;
    763. 

  763. 

  764. 	spin_lock(&netlbl_domhsh_lock);
    765. 

  765. 	entry_addr = netlbl_af6list_remove(addr, mask,
    766. 

  766. 					   &entry_map->def.addrsel->list6);
    767. 

  767. 	spin_unlock(&netlbl_domhsh_lock);
    768. 

  768. 

  769. 	if (entry_addr == NULL)
    770. 

  770. 		goto remove_af6_failure;
    771. 

  771. 	netlbl_af4list_foreach_rcu(iter4, &entry_map->def.addrsel->list4)
    772. 

  772. 		goto remove_af6_single_addr;
    773. 

  773. 	netlbl_af6list_foreach_rcu(iter6, &entry_map->def.addrsel->list6)
    774. 

  774. 		goto remove_af6_single_addr;
    775. 

  775. 	/* the domain mapping is empty so remove it from the mapping table */
    776. 

  776. 	netlbl_domhsh_remove_entry(entry_map, audit_info);
    777. 

  777. 

  778. remove_af6_single_addr:
    779. 

  779. 	rcu_read_unlock();
    780. 

  780. 	/* yick, we can't use call_rcu here because we don't have a rcu head
    781. 

  781. 	 * pointer but hopefully this should be a rare case so the pause
    782. 

  782. 	 * shouldn't be a problem */
    783. 

  783. 	synchronize_rcu();
    784. 

  784. 	entry = netlbl_domhsh_addr6_entry(entry_addr);
    785. 

  785. 	calipso_doi_putdef(entry->def.calipso);
    786. 

  786. 	kfree(entry);
    787. 

  787. 	return 0;
    788. 

  788. 

  789. remove_af6_failure:
    790. 

  790. 	rcu_read_unlock();
    791. 

  791. 	return -ENOENT;
    792. 

  792. }
    793. 

  793. #endif /* IPv6 */
    794. 

  794. 

  795. /**
    796. 

  796.  * netlbl_domhsh_remove - Removes an entry from the domain hash table
    797. 

  797.  * @domain: the domain to remove
    798. 

  798.  * @family: address family
    799. 

  799.  * @audit_info: NetLabel audit information
    800. 

  800.  *
    801. 

  801.  * Description:
    802. 

  802.  * Removes an entry from the domain hash table and handles any updates to the
    803. 

  803.  * lower level protocol handler (i.e. CIPSO).  @family may be %AF_UNSPEC which
    804. 

  804.  * removes all address family entries.  Returns zero on success, negative on
    805. 

  805.  * failure.
    806. 

  806.  *
    807. 

  807.  */
    808. 

  808. int netlbl_domhsh_remove(const char *domain, u16 family,
    809. 

  809. 			 struct netlbl_audit *audit_info)
    810. 

  810. {
    811. 

  811. 	int ret_val = -EINVAL;
    812. 

  812. 	struct netlbl_dom_map *entry;
    813. 

  813. 

  814. 	rcu_read_lock();
    815. 

  815. 

  816. 	if (family == AF_INET || family == AF_UNSPEC) {
    817. 

  817. 		if (domain)
    818. 

  818. 			entry = netlbl_domhsh_search(domain, AF_INET);
    819. 

  819. 		else
    820. 

  820. 			entry = netlbl_domhsh_search_def(domain, AF_INET);
    821. 

  821. 		ret_val = netlbl_domhsh_remove_entry(entry, audit_info);
    822. 

  822. 		if (ret_val && ret_val != -ENOENT)
    823. 

  823. 			goto done;
    824. 

  824. 	}
    825. 

  825. 	if (family == AF_INET6 || family == AF_UNSPEC) {
    826. 

  826. 		int ret_val2;
    827. 

  827. 

  828. 		if (domain)
    829. 

  829. 			entry = netlbl_domhsh_search(domain, AF_INET6);
    830. 

  830. 		else
    831. 

  831. 			entry = netlbl_domhsh_search_def(domain, AF_INET6);
    832. 

  832. 		ret_val2 = netlbl_domhsh_remove_entry(entry, audit_info);
    833. 

  833. 		if (ret_val2 != -ENOENT)
    834. 

  834. 			ret_val = ret_val2;
    835. 

  835. 	}
    836. 

  836. done:
    837. 

  837. 	rcu_read_unlock();
    838. 

  838. 

  839. 	return ret_val;
    840. 

  840. }
    841. 

  841. 

  842. /**
    843. 

  843.  * netlbl_domhsh_remove_default - Removes the default entry from the table
    844. 

  844.  * @family: address family
    845. 

  845.  * @audit_info: NetLabel audit information
    846. 

  846.  *
    847. 

  847.  * Description:
    848. 

  848.  * Removes/resets the default entry corresponding to @family from the domain
    849. 

  849.  * hash table and handles any updates to the lower level protocol handler
    850. 

  850.  * (i.e. CIPSO).  @family may be %AF_UNSPEC which removes all address family
    851. 

  851.  * entries.  Returns zero on success, negative on failure.
    852. 

  852.  *
    853. 

  853.  */
    854. 

  854. int netlbl_domhsh_remove_default(u16 family, struct netlbl_audit *audit_info)
    855. 

  855. {
    856. 

  856. 	return netlbl_domhsh_remove(NULL, family, audit_info);
    857. 

  857. }
    858. 

  858. 

  859. /**
    860. 

  860.  * netlbl_domhsh_getentry - Get an entry from the domain hash table
    861. 

  861.  * @domain: the domain name to search for
    862. 

  862.  * @family: address family
    863. 

  863.  *
    864. 

  864.  * Description:
    865. 

  865.  * Look through the domain hash table searching for an entry to match @domain,
    866. 

  866.  * with address family @family, return a pointer to a copy of the entry or
    867. 

  867.  * NULL.  The caller is responsible for ensuring that rcu_read_[un]lock() is
    868. 

  868.  * called.
    869. 

  869.  *
    870. 

  870.  */
    871. 

  871. struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain, u16 family)
    872. 

  872. {
    873. 

  873. 	if (family == AF_UNSPEC)
    874. 

  874. 		return NULL;
    875. 

  875. 	return netlbl_domhsh_search_def(domain, family);
    876. 

  876. }
    877. 

  877. 

  878. /**
    879. 

  879.  * netlbl_domhsh_getentry_af4 - Get an entry from the domain hash table
    880. 

  880.  * @domain: the domain name to search for
    881. 

  881.  * @addr: the IP address to search for
    882. 

  882.  *
    883. 

  883.  * Description:
    884. 

  884.  * Look through the domain hash table searching for an entry to match @domain
    885. 

  885.  * and @addr, return a pointer to a copy of the entry or NULL.  The caller is
    886. 

  886.  * responsible for ensuring that rcu_read_[un]lock() is called.
    887. 

  887.  *
    888. 

  888.  */
    889. 

  889. struct netlbl_dommap_def *netlbl_domhsh_getentry_af4(const char *domain,
    890. 

  890. 						     __be32 addr)
    891. 

  891. {
    892. 

  892. 	struct netlbl_dom_map *dom_iter;
    893. 

  893. 	struct netlbl_af4list *addr_iter;
    894. 

  894. 

  895. 	dom_iter = netlbl_domhsh_search_def(domain, AF_INET);
    896. 

  896. 	if (dom_iter == NULL)
    897. 

  897. 		return NULL;
    898. 

  898. 

  899. 	if (dom_iter->def.type != NETLBL_NLTYPE_ADDRSELECT)
    900. 

  900. 		return &dom_iter->def;
    901. 

  901. 	addr_iter = netlbl_af4list_search(addr, &dom_iter->def.addrsel->list4);
    902. 

  902. 	if (addr_iter == NULL)
    903. 

  903. 		return NULL;
    904. 

  904. 	return &(netlbl_domhsh_addr4_entry(addr_iter)->def);
    905. 

  905. }
    906. 

  906. 

  907. #if IS_ENABLED(CONFIG_IPV6)
    908. 

  908. /**
    909. 

  909.  * netlbl_domhsh_getentry_af6 - Get an entry from the domain hash table
    910. 

  910.  * @domain: the domain name to search for
    911. 

  911.  * @addr: the IP address to search for
    912. 

  912.  *
    913. 

  913.  * Description:
    914. 

  914.  * Look through the domain hash table searching for an entry to match @domain
    915. 

  915.  * and @addr, return a pointer to a copy of the entry or NULL.  The caller is
    916. 

  916.  * responsible for ensuring that rcu_read_[un]lock() is called.
    917. 

  917.  *
    918. 

  918.  */
    919. 

  919. struct netlbl_dommap_def *netlbl_domhsh_getentry_af6(const char *domain,
    920. 

  920. 						   const struct in6_addr *addr)
    921. 

  921. {
    922. 

  922. 	struct netlbl_dom_map *dom_iter;
    923. 

  923. 	struct netlbl_af6list *addr_iter;
    924. 

  924. 

  925. 	dom_iter = netlbl_domhsh_search_def(domain, AF_INET6);
    926. 

  926. 	if (dom_iter == NULL)
    927. 

  927. 		return NULL;
    928. 

  928. 

  929. 	if (dom_iter->def.type != NETLBL_NLTYPE_ADDRSELECT)
    930. 

  930. 		return &dom_iter->def;
    931. 

  931. 	addr_iter = netlbl_af6list_search(addr, &dom_iter->def.addrsel->list6);
    932. 

  932. 	if (addr_iter == NULL)
    933. 

  933. 		return NULL;
    934. 

  934. 	return &(netlbl_domhsh_addr6_entry(addr_iter)->def);
    935. 

  935. }
    936. 

  936. #endif /* IPv6 */
    937. 

  937. 

  938. /**
    939. 

  939.  * netlbl_domhsh_walk - Iterate through the domain mapping hash table
    940. 

  940.  * @skip_bkt: the number of buckets to skip at the start
    941. 

  941.  * @skip_chain: the number of entries to skip in the first iterated bucket
    942. 

  942.  * @callback: callback for each entry
    943. 

  943.  * @cb_arg: argument for the callback function
    944. 

  944.  *
    945. 

  945.  * Description:
    946. 

  946.  * Interate over the domain mapping hash table, skipping the first @skip_bkt
    947. 

  947.  * buckets and @skip_chain entries.  For each entry in the table call
    948. 

  948.  * @callback, if @callback returns a negative value stop 'walking' through the
    949. 

  949.  * table and return.  Updates the values in @skip_bkt and @skip_chain on
    950. 

  950.  * return.  Returns zero on success, negative values on failure.
    951. 

  951.  *
    952. 

  952.  */
    953. 

  953. int netlbl_domhsh_walk(u32 *skip_bkt,
    954. 

  954. 		     u32 *skip_chain,
    955. 

  955. 		     int (*callback) (struct netlbl_dom_map *entry, void *arg),
    956. 

  956. 		     void *cb_arg)
    957. 

  957. {
    958. 

  958. 	int ret_val = -ENOENT;
    959. 

  959. 	u32 iter_bkt;
    960. 

  960. 	struct list_head *iter_list;
    961. 

  961. 	struct netlbl_dom_map *iter_entry;
    962. 

  962. 	u32 chain_cnt = 0;
    963. 

  963. 

  964. 	rcu_read_lock();
    965. 

  965. 	for (iter_bkt = *skip_bkt;
    966. 

  966. 	     iter_bkt < rcu_dereference(netlbl_domhsh)->size;
    967. 

  967. 	     iter_bkt++, chain_cnt = 0) {
    968. 

  968. 		iter_list = &rcu_dereference(netlbl_domhsh)->tbl[iter_bkt];
    969. 

  969. 		list_for_each_entry_rcu(iter_entry, iter_list, list)
    970. 

  970. 			if (iter_entry->valid) {
    971. 

  971. 				if (chain_cnt++ < *skip_chain)
    972. 

  972. 					continue;
    973. 

  973. 				ret_val = callback(iter_entry, cb_arg);
    974. 

  974. 				if (ret_val < 0) {
    975. 

  975. 					chain_cnt--;
    976. 

  976. 					goto walk_return;
    977. 

  977. 				}
    978. 

  978. 			}
    979. 

  979. 	}
    980. 

  980. 

  981. walk_return:
    982. 

  982. 	rcu_read_unlock();
    983. 

  983. 	*skip_bkt = iter_bkt;
    984. 

  984. 	*skip_chain = chain_cnt;
    985. 

  985. 	return ret_val;
    986. 

  986. }
    987. 

  987.