X-Git-Url: http://git.rot13.org/?a=blobdiff_plain;f=net%2Fnetlabel%2Fnetlabel_kapi.c;h=4f50949722a95a6e082404601b98c98f39190821;hb=c21723edd5f6c288ab613ed658b7140e07fc7209;hp=e03a3282c5512017efad8b4c8a1213fb264b5ac3;hpb=4c1ac1b49122b805adfa4efc620592f68dccf5db;p=powerpc.git diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index e03a3282c5..4f50949722 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -38,6 +38,7 @@ #include "netlabel_domainhash.h" #include "netlabel_unlabeled.h" #include "netlabel_user.h" +#include "netlabel_mgmt.h" /* * Security Attribute Functions @@ -244,37 +245,53 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap, * LSM Functions */ +/** + * netlbl_enabled - Determine if the NetLabel subsystem is enabled + * + * Description: + * The LSM can use this function to determine if it should use NetLabel + * security attributes in it's enforcement mechanism. Currently, NetLabel is + * considered to be enabled when it's configuration contains a valid setup for + * at least one labeled protocol (i.e. NetLabel can understand incoming + * labeled packets of at least one type); otherwise NetLabel is considered to + * be disabled. + * + */ +int netlbl_enabled(void) +{ + /* At some point we probably want to expose this mechanism to the user + * as well so that admins can toggle NetLabel regardless of the + * configuration */ + return (netlbl_mgmt_protocount_value() > 0 ? 1 : 0); +} + /** * netlbl_socket_setattr - Label a socket using the correct protocol - * @sock: the socket to label + * @sk: the socket to label * @secattr: the security attributes * * Description: * Attach the correct label to the given socket using the security attributes - * specified in @secattr. This function requires exclusive access to - * @sock->sk, which means it either needs to be in the process of being - * created or locked via lock_sock(sock->sk). Returns zero on success, - * negative values on failure. + * specified in @secattr. This function requires exclusive access to @sk, + * which means it either needs to be in the process of being created or locked. + * Returns zero on success, negative values on failure. * */ -int netlbl_socket_setattr(const struct socket *sock, - const struct netlbl_lsm_secattr *secattr) +int netlbl_sock_setattr(struct sock *sk, + const struct netlbl_lsm_secattr *secattr) { int ret_val = -ENOENT; struct netlbl_dom_map *dom_entry; - if ((secattr->flags & NETLBL_SECATTR_DOMAIN) == 0) - return -ENOENT; - rcu_read_lock(); dom_entry = netlbl_domhsh_getentry(secattr->domain); if (dom_entry == NULL) goto socket_setattr_return; switch (dom_entry->type) { case NETLBL_NLTYPE_CIPSOV4: - ret_val = cipso_v4_socket_setattr(sock, - dom_entry->type_def.cipsov4, - secattr); + ret_val = cipso_v4_sock_setattr(sk, + dom_entry->type_def.cipsov4, + secattr); break; case NETLBL_NLTYPE_UNLABELED: ret_val = 0; @@ -311,30 +328,6 @@ int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) return netlbl_unlabel_getattr(secattr); } -/** - * netlbl_socket_getattr - Determine the security attributes of a socket - * @sock: the socket - * @secattr: the security attributes - * - * Description: - * Examines the given socket to see any NetLabel style labeling has been - * applied to the socket, if so it parses the socket label and returns the - * security attributes in @secattr. Returns zero on success, negative values - * on failure. - * - */ -int netlbl_socket_getattr(const struct socket *sock, - struct netlbl_lsm_secattr *secattr) -{ - int ret_val; - - ret_val = cipso_v4_socket_getattr(sock, secattr); - if (ret_val == 0) - return 0; - - return netlbl_unlabel_getattr(secattr); -} - /** * netlbl_skbuff_getattr - Determine the security attributes of a packet * @skb: the packet