xref: /openbmc/linux/net/ipv4/cipso_ipv4.c (revision ee89bd6b)
1 /*
2  * CIPSO - Commercial IP Security Option
3  *
4  * This is an implementation of the CIPSO 2.2 protocol as specified in
5  * draft-ietf-cipso-ipsecurity-01.txt with additional tag types as found in
6  * FIPS-188.  While CIPSO never became a full IETF RFC standard many vendors
7  * have chosen to adopt the protocol and over the years it has become a
8  * de-facto standard for labeled networking.
9  *
10  * The CIPSO draft specification can be found in the kernel's Documentation
11  * directory as well as the following URL:
12  *   http://tools.ietf.org/id/draft-ietf-cipso-ipsecurity-01.txt
13  * The FIPS-188 specification can be found at the following URL:
14  *   http://www.itl.nist.gov/fipspubs/fip188.htm
15  *
16  * Author: Paul Moore <paul.moore@hp.com>
17  *
18  */
19 
20 /*
21  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
22  *
23  * This program is free software;  you can redistribute it and/or modify
24  * it under the terms of the GNU General Public License as published by
25  * the Free Software Foundation; either version 2 of the License, or
26  * (at your option) any later version.
27  *
28  * This program is distributed in the hope that it will be useful,
29  * but WITHOUT ANY WARRANTY;  without even the implied warranty of
30  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
31  * the GNU General Public License for more details.
32  *
33  * You should have received a copy of the GNU General Public License
34  * along with this program;  if not, write to the Free Software
35  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
36  *
37  */
38 
39 #include <linux/init.h>
40 #include <linux/types.h>
41 #include <linux/rcupdate.h>
42 #include <linux/list.h>
43 #include <linux/spinlock.h>
44 #include <linux/string.h>
45 #include <linux/jhash.h>
46 #include <linux/audit.h>
47 #include <linux/slab.h>
48 #include <net/ip.h>
49 #include <net/icmp.h>
50 #include <net/tcp.h>
51 #include <net/netlabel.h>
52 #include <net/cipso_ipv4.h>
53 #include <linux/atomic.h>
54 #include <asm/bug.h>
55 #include <asm/unaligned.h>
56 
57 /* List of available DOI definitions */
58 /* XXX - This currently assumes a minimal number of different DOIs in use,
59  * if in practice there are a lot of different DOIs this list should
60  * probably be turned into a hash table or something similar so we
61  * can do quick lookups. */
62 static DEFINE_SPINLOCK(cipso_v4_doi_list_lock);
63 static LIST_HEAD(cipso_v4_doi_list);
64 
65 /* Label mapping cache */
66 int cipso_v4_cache_enabled = 1;
67 int cipso_v4_cache_bucketsize = 10;
68 #define CIPSO_V4_CACHE_BUCKETBITS     7
69 #define CIPSO_V4_CACHE_BUCKETS        (1 << CIPSO_V4_CACHE_BUCKETBITS)
70 #define CIPSO_V4_CACHE_REORDERLIMIT   10
71 struct cipso_v4_map_cache_bkt {
72 	spinlock_t lock;
73 	u32 size;
74 	struct list_head list;
75 };
76 struct cipso_v4_map_cache_entry {
77 	u32 hash;
78 	unsigned char *key;
79 	size_t key_len;
80 
81 	struct netlbl_lsm_cache *lsm_data;
82 
83 	u32 activity;
84 	struct list_head list;
85 };
86 static struct cipso_v4_map_cache_bkt *cipso_v4_cache = NULL;
87 
88 /* Restricted bitmap (tag #1) flags */
89 int cipso_v4_rbm_optfmt = 0;
90 int cipso_v4_rbm_strictvalid = 1;
91 
92 /*
93  * Protocol Constants
94  */
95 
96 /* Maximum size of the CIPSO IP option, derived from the fact that the maximum
97  * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */
98 #define CIPSO_V4_OPT_LEN_MAX          40
99 
100 /* Length of the base CIPSO option, this includes the option type (1 byte), the
101  * option length (1 byte), and the DOI (4 bytes). */
102 #define CIPSO_V4_HDR_LEN              6
103 
104 /* Base length of the restrictive category bitmap tag (tag #1). */
105 #define CIPSO_V4_TAG_RBM_BLEN         4
106 
107 /* Base length of the enumerated category tag (tag #2). */
108 #define CIPSO_V4_TAG_ENUM_BLEN        4
109 
110 /* Base length of the ranged categories bitmap tag (tag #5). */
111 #define CIPSO_V4_TAG_RNG_BLEN         4
112 /* The maximum number of category ranges permitted in the ranged category tag
113  * (tag #5).  You may note that the IETF draft states that the maximum number
114  * of category ranges is 7, but if the low end of the last category range is
115  * zero then it is possible to fit 8 category ranges because the zero should
116  * be omitted. */
117 #define CIPSO_V4_TAG_RNG_CAT_MAX      8
118 
119 /* Base length of the local tag (non-standard tag).
120  *  Tag definition (may change between kernel versions)
121  *
122  * 0          8          16         24         32
123  * +----------+----------+----------+----------+
124  * | 10000000 | 00000110 | 32-bit secid value  |
125  * +----------+----------+----------+----------+
126  * | in (host byte order)|
127  * +----------+----------+
128  *
129  */
130 #define CIPSO_V4_TAG_LOC_BLEN         6
131 
132 /*
133  * Helper Functions
134  */
135 
136 /**
137  * cipso_v4_bitmap_walk - Walk a bitmap looking for a bit
138  * @bitmap: the bitmap
139  * @bitmap_len: length in bits
140  * @offset: starting offset
141  * @state: if non-zero, look for a set (1) bit else look for a cleared (0) bit
142  *
143  * Description:
144  * Starting at @offset, walk the bitmap from left to right until either the
145  * desired bit is found or we reach the end.  Return the bit offset, -1 if
146  * not found, or -2 if error.
147  */
148 static int cipso_v4_bitmap_walk(const unsigned char *bitmap,
149 				u32 bitmap_len,
150 				u32 offset,
151 				u8 state)
152 {
153 	u32 bit_spot;
154 	u32 byte_offset;
155 	unsigned char bitmask;
156 	unsigned char byte;
157 
158 	/* gcc always rounds to zero when doing integer division */
159 	byte_offset = offset / 8;
160 	byte = bitmap[byte_offset];
161 	bit_spot = offset;
162 	bitmask = 0x80 >> (offset % 8);
163 
164 	while (bit_spot < bitmap_len) {
165 		if ((state && (byte & bitmask) == bitmask) ||
166 		    (state == 0 && (byte & bitmask) == 0))
167 			return bit_spot;
168 
169 		bit_spot++;
170 		bitmask >>= 1;
171 		if (bitmask == 0) {
172 			byte = bitmap[++byte_offset];
173 			bitmask = 0x80;
174 		}
175 	}
176 
177 	return -1;
178 }
179 
180 /**
181  * cipso_v4_bitmap_setbit - Sets a single bit in a bitmap
182  * @bitmap: the bitmap
183  * @bit: the bit
184  * @state: if non-zero, set the bit (1) else clear the bit (0)
185  *
186  * Description:
187  * Set a single bit in the bitmask.  Returns zero on success, negative values
188  * on error.
189  */
190 static void cipso_v4_bitmap_setbit(unsigned char *bitmap,
191 				   u32 bit,
192 				   u8 state)
193 {
194 	u32 byte_spot;
195 	u8 bitmask;
196 
197 	/* gcc always rounds to zero when doing integer division */
198 	byte_spot = bit / 8;
199 	bitmask = 0x80 >> (bit % 8);
200 	if (state)
201 		bitmap[byte_spot] |= bitmask;
202 	else
203 		bitmap[byte_spot] &= ~bitmask;
204 }
205 
206 /**
207  * cipso_v4_cache_entry_free - Frees a cache entry
208  * @entry: the entry to free
209  *
210  * Description:
211  * This function frees the memory associated with a cache entry including the
212  * LSM cache data if there are no longer any users, i.e. reference count == 0.
213  *
214  */
215 static void cipso_v4_cache_entry_free(struct cipso_v4_map_cache_entry *entry)
216 {
217 	if (entry->lsm_data)
218 		netlbl_secattr_cache_free(entry->lsm_data);
219 	kfree(entry->key);
220 	kfree(entry);
221 }
222 
223 /**
224  * cipso_v4_map_cache_hash - Hashing function for the CIPSO cache
225  * @key: the hash key
226  * @key_len: the length of the key in bytes
227  *
228  * Description:
229  * The CIPSO tag hashing function.  Returns a 32-bit hash value.
230  *
231  */
232 static u32 cipso_v4_map_cache_hash(const unsigned char *key, u32 key_len)
233 {
234 	return jhash(key, key_len, 0);
235 }
236 
237 /*
238  * Label Mapping Cache Functions
239  */
240 
241 /**
242  * cipso_v4_cache_init - Initialize the CIPSO cache
243  *
244  * Description:
245  * Initializes the CIPSO label mapping cache, this function should be called
246  * before any of the other functions defined in this file.  Returns zero on
247  * success, negative values on error.
248  *
249  */
250 static int cipso_v4_cache_init(void)
251 {
252 	u32 iter;
253 
254 	cipso_v4_cache = kcalloc(CIPSO_V4_CACHE_BUCKETS,
255 				 sizeof(struct cipso_v4_map_cache_bkt),
256 				 GFP_KERNEL);
257 	if (cipso_v4_cache == NULL)
258 		return -ENOMEM;
259 
260 	for (iter = 0; iter < CIPSO_V4_CACHE_BUCKETS; iter++) {
261 		spin_lock_init(&cipso_v4_cache[iter].lock);
262 		cipso_v4_cache[iter].size = 0;
263 		INIT_LIST_HEAD(&cipso_v4_cache[iter].list);
264 	}
265 
266 	return 0;
267 }
268 
269 /**
270  * cipso_v4_cache_invalidate - Invalidates the current CIPSO cache
271  *
272  * Description:
273  * Invalidates and frees any entries in the CIPSO cache.  Returns zero on
274  * success and negative values on failure.
275  *
276  */
277 void cipso_v4_cache_invalidate(void)
278 {
279 	struct cipso_v4_map_cache_entry *entry, *tmp_entry;
280 	u32 iter;
281 
282 	for (iter = 0; iter < CIPSO_V4_CACHE_BUCKETS; iter++) {
283 		spin_lock_bh(&cipso_v4_cache[iter].lock);
284 		list_for_each_entry_safe(entry,
285 					 tmp_entry,
286 					 &cipso_v4_cache[iter].list, list) {
287 			list_del(&entry->list);
288 			cipso_v4_cache_entry_free(entry);
289 		}
290 		cipso_v4_cache[iter].size = 0;
291 		spin_unlock_bh(&cipso_v4_cache[iter].lock);
292 	}
293 }
294 
295 /**
296  * cipso_v4_cache_check - Check the CIPSO cache for a label mapping
297  * @key: the buffer to check
298  * @key_len: buffer length in bytes
299  * @secattr: the security attribute struct to use
300  *
301  * Description:
302  * This function checks the cache to see if a label mapping already exists for
303  * the given key.  If there is a match then the cache is adjusted and the
304  * @secattr struct is populated with the correct LSM security attributes.  The
305  * cache is adjusted in the following manner if the entry is not already the
306  * first in the cache bucket:
307  *
308  *  1. The cache entry's activity counter is incremented
309  *  2. The previous (higher ranking) entry's activity counter is decremented
310  *  3. If the difference between the two activity counters is geater than
311  *     CIPSO_V4_CACHE_REORDERLIMIT the two entries are swapped
312  *
313  * Returns zero on success, -ENOENT for a cache miss, and other negative values
314  * on error.
315  *
316  */
317 static int cipso_v4_cache_check(const unsigned char *key,
318 				u32 key_len,
319 				struct netlbl_lsm_secattr *secattr)
320 {
321 	u32 bkt;
322 	struct cipso_v4_map_cache_entry *entry;
323 	struct cipso_v4_map_cache_entry *prev_entry = NULL;
324 	u32 hash;
325 
326 	if (!cipso_v4_cache_enabled)
327 		return -ENOENT;
328 
329 	hash = cipso_v4_map_cache_hash(key, key_len);
330 	bkt = hash & (CIPSO_V4_CACHE_BUCKETS - 1);
331 	spin_lock_bh(&cipso_v4_cache[bkt].lock);
332 	list_for_each_entry(entry, &cipso_v4_cache[bkt].list, list) {
333 		if (entry->hash == hash &&
334 		    entry->key_len == key_len &&
335 		    memcmp(entry->key, key, key_len) == 0) {
336 			entry->activity += 1;
337 			atomic_inc(&entry->lsm_data->refcount);
338 			secattr->cache = entry->lsm_data;
339 			secattr->flags |= NETLBL_SECATTR_CACHE;
340 			secattr->type = NETLBL_NLTYPE_CIPSOV4;
341 			if (prev_entry == NULL) {
342 				spin_unlock_bh(&cipso_v4_cache[bkt].lock);
343 				return 0;
344 			}
345 
346 			if (prev_entry->activity > 0)
347 				prev_entry->activity -= 1;
348 			if (entry->activity > prev_entry->activity &&
349 			    entry->activity - prev_entry->activity >
350 			    CIPSO_V4_CACHE_REORDERLIMIT) {
351 				__list_del(entry->list.prev, entry->list.next);
352 				__list_add(&entry->list,
353 					   prev_entry->list.prev,
354 					   &prev_entry->list);
355 			}
356 
357 			spin_unlock_bh(&cipso_v4_cache[bkt].lock);
358 			return 0;
359 		}
360 		prev_entry = entry;
361 	}
362 	spin_unlock_bh(&cipso_v4_cache[bkt].lock);
363 
364 	return -ENOENT;
365 }
366 
367 /**
368  * cipso_v4_cache_add - Add an entry to the CIPSO cache
369  * @skb: the packet
370  * @secattr: the packet's security attributes
371  *
372  * Description:
373  * Add a new entry into the CIPSO label mapping cache.  Add the new entry to
374  * head of the cache bucket's list, if the cache bucket is out of room remove
375  * the last entry in the list first.  It is important to note that there is
376  * currently no checking for duplicate keys.  Returns zero on success,
377  * negative values on failure.
378  *
379  */
380 int cipso_v4_cache_add(const struct sk_buff *skb,
381 		       const struct netlbl_lsm_secattr *secattr)
382 {
383 	int ret_val = -EPERM;
384 	u32 bkt;
385 	struct cipso_v4_map_cache_entry *entry = NULL;
386 	struct cipso_v4_map_cache_entry *old_entry = NULL;
387 	unsigned char *cipso_ptr;
388 	u32 cipso_ptr_len;
389 
390 	if (!cipso_v4_cache_enabled || cipso_v4_cache_bucketsize <= 0)
391 		return 0;
392 
393 	cipso_ptr = CIPSO_V4_OPTPTR(skb);
394 	cipso_ptr_len = cipso_ptr[1];
395 
396 	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
397 	if (entry == NULL)
398 		return -ENOMEM;
399 	entry->key = kmemdup(cipso_ptr, cipso_ptr_len, GFP_ATOMIC);
400 	if (entry->key == NULL) {
401 		ret_val = -ENOMEM;
402 		goto cache_add_failure;
403 	}
404 	entry->key_len = cipso_ptr_len;
405 	entry->hash = cipso_v4_map_cache_hash(cipso_ptr, cipso_ptr_len);
406 	atomic_inc(&secattr->cache->refcount);
407 	entry->lsm_data = secattr->cache;
408 
409 	bkt = entry->hash & (CIPSO_V4_CACHE_BUCKETS - 1);
410 	spin_lock_bh(&cipso_v4_cache[bkt].lock);
411 	if (cipso_v4_cache[bkt].size < cipso_v4_cache_bucketsize) {
412 		list_add(&entry->list, &cipso_v4_cache[bkt].list);
413 		cipso_v4_cache[bkt].size += 1;
414 	} else {
415 		old_entry = list_entry(cipso_v4_cache[bkt].list.prev,
416 				       struct cipso_v4_map_cache_entry, list);
417 		list_del(&old_entry->list);
418 		list_add(&entry->list, &cipso_v4_cache[bkt].list);
419 		cipso_v4_cache_entry_free(old_entry);
420 	}
421 	spin_unlock_bh(&cipso_v4_cache[bkt].lock);
422 
423 	return 0;
424 
425 cache_add_failure:
426 	if (entry)
427 		cipso_v4_cache_entry_free(entry);
428 	return ret_val;
429 }
430 
431 /*
432  * DOI List Functions
433  */
434 
435 /**
436  * cipso_v4_doi_search - Searches for a DOI definition
437  * @doi: the DOI to search for
438  *
439  * Description:
440  * Search the DOI definition list for a DOI definition with a DOI value that
441  * matches @doi.  The caller is responsible for calling rcu_read_[un]lock().
442  * Returns a pointer to the DOI definition on success and NULL on failure.
443  */
444 static struct cipso_v4_doi *cipso_v4_doi_search(u32 doi)
445 {
446 	struct cipso_v4_doi *iter;
447 
448 	list_for_each_entry_rcu(iter, &cipso_v4_doi_list, list)
449 		if (iter->doi == doi && atomic_read(&iter->refcount))
450 			return iter;
451 	return NULL;
452 }
453 
454 /**
455  * cipso_v4_doi_add - Add a new DOI to the CIPSO protocol engine
456  * @doi_def: the DOI structure
457  * @audit_info: NetLabel audit information
458  *
459  * Description:
460  * The caller defines a new DOI for use by the CIPSO engine and calls this
461  * function to add it to the list of acceptable domains.  The caller must
462  * ensure that the mapping table specified in @doi_def->map meets all of the
463  * requirements of the mapping type (see cipso_ipv4.h for details).  Returns
464  * zero on success and non-zero on failure.
465  *
466  */
467 int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
468 		     struct netlbl_audit *audit_info)
469 {
470 	int ret_val = -EINVAL;
471 	u32 iter;
472 	u32 doi;
473 	u32 doi_type;
474 	struct audit_buffer *audit_buf;
475 
476 	doi = doi_def->doi;
477 	doi_type = doi_def->type;
478 
479 	if (doi_def->doi == CIPSO_V4_DOI_UNKNOWN)
480 		goto doi_add_return;
481 	for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) {
482 		switch (doi_def->tags[iter]) {
483 		case CIPSO_V4_TAG_RBITMAP:
484 			break;
485 		case CIPSO_V4_TAG_RANGE:
486 		case CIPSO_V4_TAG_ENUM:
487 			if (doi_def->type != CIPSO_V4_MAP_PASS)
488 				goto doi_add_return;
489 			break;
490 		case CIPSO_V4_TAG_LOCAL:
491 			if (doi_def->type != CIPSO_V4_MAP_LOCAL)
492 				goto doi_add_return;
493 			break;
494 		case CIPSO_V4_TAG_INVALID:
495 			if (iter == 0)
496 				goto doi_add_return;
497 			break;
498 		default:
499 			goto doi_add_return;
500 		}
501 	}
502 
503 	atomic_set(&doi_def->refcount, 1);
504 
505 	spin_lock(&cipso_v4_doi_list_lock);
506 	if (cipso_v4_doi_search(doi_def->doi) != NULL) {
507 		spin_unlock(&cipso_v4_doi_list_lock);
508 		ret_val = -EEXIST;
509 		goto doi_add_return;
510 	}
511 	list_add_tail_rcu(&doi_def->list, &cipso_v4_doi_list);
512 	spin_unlock(&cipso_v4_doi_list_lock);
513 	ret_val = 0;
514 
515 doi_add_return:
516 	audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_ADD, audit_info);
517 	if (audit_buf != NULL) {
518 		const char *type_str;
519 		switch (doi_type) {
520 		case CIPSO_V4_MAP_TRANS:
521 			type_str = "trans";
522 			break;
523 		case CIPSO_V4_MAP_PASS:
524 			type_str = "pass";
525 			break;
526 		case CIPSO_V4_MAP_LOCAL:
527 			type_str = "local";
528 			break;
529 		default:
530 			type_str = "(unknown)";
531 		}
532 		audit_log_format(audit_buf,
533 				 " cipso_doi=%u cipso_type=%s res=%u",
534 				 doi, type_str, ret_val == 0 ? 1 : 0);
535 		audit_log_end(audit_buf);
536 	}
537 
538 	return ret_val;
539 }
540 
541 /**
542  * cipso_v4_doi_free - Frees a DOI definition
543  * @entry: the entry's RCU field
544  *
545  * Description:
546  * This function frees all of the memory associated with a DOI definition.
547  *
548  */
549 void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
550 {
551 	if (doi_def == NULL)
552 		return;
553 
554 	switch (doi_def->type) {
555 	case CIPSO_V4_MAP_TRANS:
556 		kfree(doi_def->map.std->lvl.cipso);
557 		kfree(doi_def->map.std->lvl.local);
558 		kfree(doi_def->map.std->cat.cipso);
559 		kfree(doi_def->map.std->cat.local);
560 		break;
561 	}
562 	kfree(doi_def);
563 }
564 
565 /**
566  * cipso_v4_doi_free_rcu - Frees a DOI definition via the RCU pointer
567  * @entry: the entry's RCU field
568  *
569  * Description:
570  * This function is designed to be used as a callback to the call_rcu()
571  * function so that the memory allocated to the DOI definition can be released
572  * safely.
573  *
574  */
575 static void cipso_v4_doi_free_rcu(struct rcu_head *entry)
576 {
577 	struct cipso_v4_doi *doi_def;
578 
579 	doi_def = container_of(entry, struct cipso_v4_doi, rcu);
580 	cipso_v4_doi_free(doi_def);
581 }
582 
583 /**
584  * cipso_v4_doi_remove - Remove an existing DOI from the CIPSO protocol engine
585  * @doi: the DOI value
586  * @audit_secid: the LSM secid to use in the audit message
587  *
588  * Description:
589  * Removes a DOI definition from the CIPSO engine.  The NetLabel routines will
590  * be called to release their own LSM domain mappings as well as our own
591  * domain list.  Returns zero on success and negative values on failure.
592  *
593  */
594 int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info)
595 {
596 	int ret_val;
597 	struct cipso_v4_doi *doi_def;
598 	struct audit_buffer *audit_buf;
599 
600 	spin_lock(&cipso_v4_doi_list_lock);
601 	doi_def = cipso_v4_doi_search(doi);
602 	if (doi_def == NULL) {
603 		spin_unlock(&cipso_v4_doi_list_lock);
604 		ret_val = -ENOENT;
605 		goto doi_remove_return;
606 	}
607 	if (!atomic_dec_and_test(&doi_def->refcount)) {
608 		spin_unlock(&cipso_v4_doi_list_lock);
609 		ret_val = -EBUSY;
610 		goto doi_remove_return;
611 	}
612 	list_del_rcu(&doi_def->list);
613 	spin_unlock(&cipso_v4_doi_list_lock);
614 
615 	cipso_v4_cache_invalidate();
616 	call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);
617 	ret_val = 0;
618 
619 doi_remove_return:
620 	audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_DEL, audit_info);
621 	if (audit_buf != NULL) {
622 		audit_log_format(audit_buf,
623 				 " cipso_doi=%u res=%u",
624 				 doi, ret_val == 0 ? 1 : 0);
625 		audit_log_end(audit_buf);
626 	}
627 
628 	return ret_val;
629 }
630 
631 /**
632  * cipso_v4_doi_getdef - Returns a reference to a valid DOI definition
633  * @doi: the DOI value
634  *
635  * Description:
636  * Searches for a valid DOI definition and if one is found it is returned to
637  * the caller.  Otherwise NULL is returned.  The caller must ensure that
638  * rcu_read_lock() is held while accessing the returned definition and the DOI
639  * definition reference count is decremented when the caller is done.
640  *
641  */
642 struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
643 {
644 	struct cipso_v4_doi *doi_def;
645 
646 	rcu_read_lock();
647 	doi_def = cipso_v4_doi_search(doi);
648 	if (doi_def == NULL)
649 		goto doi_getdef_return;
650 	if (!atomic_inc_not_zero(&doi_def->refcount))
651 		doi_def = NULL;
652 
653 doi_getdef_return:
654 	rcu_read_unlock();
655 	return doi_def;
656 }
657 
658 /**
659  * cipso_v4_doi_putdef - Releases a reference for the given DOI definition
660  * @doi_def: the DOI definition
661  *
662  * Description:
663  * Releases a DOI definition reference obtained from cipso_v4_doi_getdef().
664  *
665  */
666 void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def)
667 {
668 	if (doi_def == NULL)
669 		return;
670 
671 	if (!atomic_dec_and_test(&doi_def->refcount))
672 		return;
673 	spin_lock(&cipso_v4_doi_list_lock);
674 	list_del_rcu(&doi_def->list);
675 	spin_unlock(&cipso_v4_doi_list_lock);
676 
677 	cipso_v4_cache_invalidate();
678 	call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);
679 }
680 
681 /**
682  * cipso_v4_doi_walk - Iterate through the DOI definitions
683  * @skip_cnt: skip past this number of DOI definitions, updated
684  * @callback: callback for each DOI definition
685  * @cb_arg: argument for the callback function
686  *
687  * Description:
688  * Iterate over the DOI definition list, skipping the first @skip_cnt entries.
689  * For each entry call @callback, if @callback returns a negative value stop
690  * 'walking' through the list and return.  Updates the value in @skip_cnt upon
691  * return.  Returns zero on success, negative values on failure.
692  *
693  */
694 int cipso_v4_doi_walk(u32 *skip_cnt,
695 		     int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
696 		     void *cb_arg)
697 {
698 	int ret_val = -ENOENT;
699 	u32 doi_cnt = 0;
700 	struct cipso_v4_doi *iter_doi;
701 
702 	rcu_read_lock();
703 	list_for_each_entry_rcu(iter_doi, &cipso_v4_doi_list, list)
704 		if (atomic_read(&iter_doi->refcount) > 0) {
705 			if (doi_cnt++ < *skip_cnt)
706 				continue;
707 			ret_val = callback(iter_doi, cb_arg);
708 			if (ret_val < 0) {
709 				doi_cnt--;
710 				goto doi_walk_return;
711 			}
712 		}
713 
714 doi_walk_return:
715 	rcu_read_unlock();
716 	*skip_cnt = doi_cnt;
717 	return ret_val;
718 }
719 
720 /*
721  * Label Mapping Functions
722  */
723 
724 /**
725  * cipso_v4_map_lvl_valid - Checks to see if the given level is understood
726  * @doi_def: the DOI definition
727  * @level: the level to check
728  *
729  * Description:
730  * Checks the given level against the given DOI definition and returns a
731  * negative value if the level does not have a valid mapping and a zero value
732  * if the level is defined by the DOI.
733  *
734  */
735 static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def, u8 level)
736 {
737 	switch (doi_def->type) {
738 	case CIPSO_V4_MAP_PASS:
739 		return 0;
740 	case CIPSO_V4_MAP_TRANS:
741 		if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)
742 			return 0;
743 		break;
744 	}
745 
746 	return -EFAULT;
747 }
748 
749 /**
750  * cipso_v4_map_lvl_hton - Perform a level mapping from the host to the network
751  * @doi_def: the DOI definition
752  * @host_lvl: the host MLS level
753  * @net_lvl: the network/CIPSO MLS level
754  *
755  * Description:
756  * Perform a label mapping to translate a local MLS level to the correct
757  * CIPSO level using the given DOI definition.  Returns zero on success,
758  * negative values otherwise.
759  *
760  */
761 static int cipso_v4_map_lvl_hton(const struct cipso_v4_doi *doi_def,
762 				 u32 host_lvl,
763 				 u32 *net_lvl)
764 {
765 	switch (doi_def->type) {
766 	case CIPSO_V4_MAP_PASS:
767 		*net_lvl = host_lvl;
768 		return 0;
769 	case CIPSO_V4_MAP_TRANS:
770 		if (host_lvl < doi_def->map.std->lvl.local_size &&
771 		    doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
772 			*net_lvl = doi_def->map.std->lvl.local[host_lvl];
773 			return 0;
774 		}
775 		return -EPERM;
776 	}
777 
778 	return -EINVAL;
779 }
780 
781 /**
782  * cipso_v4_map_lvl_ntoh - Perform a level mapping from the network to the host
783  * @doi_def: the DOI definition
784  * @net_lvl: the network/CIPSO MLS level
785  * @host_lvl: the host MLS level
786  *
787  * Description:
788  * Perform a label mapping to translate a CIPSO level to the correct local MLS
789  * level using the given DOI definition.  Returns zero on success, negative
790  * values otherwise.
791  *
792  */
793 static int cipso_v4_map_lvl_ntoh(const struct cipso_v4_doi *doi_def,
794 				 u32 net_lvl,
795 				 u32 *host_lvl)
796 {
797 	struct cipso_v4_std_map_tbl *map_tbl;
798 
799 	switch (doi_def->type) {
800 	case CIPSO_V4_MAP_PASS:
801 		*host_lvl = net_lvl;
802 		return 0;
803 	case CIPSO_V4_MAP_TRANS:
804 		map_tbl = doi_def->map.std;
805 		if (net_lvl < map_tbl->lvl.cipso_size &&
806 		    map_tbl->lvl.cipso[net_lvl] < CIPSO_V4_INV_LVL) {
807 			*host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
808 			return 0;
809 		}
810 		return -EPERM;
811 	}
812 
813 	return -EINVAL;
814 }
815 
816 /**
817  * cipso_v4_map_cat_rbm_valid - Checks to see if the category bitmap is valid
818  * @doi_def: the DOI definition
819  * @bitmap: category bitmap
820  * @bitmap_len: bitmap length in bytes
821  *
822  * Description:
823  * Checks the given category bitmap against the given DOI definition and
824  * returns a negative value if any of the categories in the bitmap do not have
825  * a valid mapping and a zero value if all of the categories are valid.
826  *
827  */
828 static int cipso_v4_map_cat_rbm_valid(const struct cipso_v4_doi *doi_def,
829 				      const unsigned char *bitmap,
830 				      u32 bitmap_len)
831 {
832 	int cat = -1;
833 	u32 bitmap_len_bits = bitmap_len * 8;
834 	u32 cipso_cat_size;
835 	u32 *cipso_array;
836 
837 	switch (doi_def->type) {
838 	case CIPSO_V4_MAP_PASS:
839 		return 0;
840 	case CIPSO_V4_MAP_TRANS:
841 		cipso_cat_size = doi_def->map.std->cat.cipso_size;
842 		cipso_array = doi_def->map.std->cat.cipso;
843 		for (;;) {
844 			cat = cipso_v4_bitmap_walk(bitmap,
845 						   bitmap_len_bits,
846 						   cat + 1,
847 						   1);
848 			if (cat < 0)
849 				break;
850 			if (cat >= cipso_cat_size ||
851 			    cipso_array[cat] >= CIPSO_V4_INV_CAT)
852 				return -EFAULT;
853 		}
854 
855 		if (cat == -1)
856 			return 0;
857 		break;
858 	}
859 
860 	return -EFAULT;
861 }
862 
863 /**
864  * cipso_v4_map_cat_rbm_hton - Perform a category mapping from host to network
865  * @doi_def: the DOI definition
866  * @secattr: the security attributes
867  * @net_cat: the zero'd out category bitmap in network/CIPSO format
868  * @net_cat_len: the length of the CIPSO bitmap in bytes
869  *
870  * Description:
871  * Perform a label mapping to translate a local MLS category bitmap to the
872  * correct CIPSO bitmap using the given DOI definition.  Returns the minimum
873  * size in bytes of the network bitmap on success, negative values otherwise.
874  *
875  */
876 static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def,
877 				     const struct netlbl_lsm_secattr *secattr,
878 				     unsigned char *net_cat,
879 				     u32 net_cat_len)
880 {
881 	int host_spot = -1;
882 	u32 net_spot = CIPSO_V4_INV_CAT;
883 	u32 net_spot_max = 0;
884 	u32 net_clen_bits = net_cat_len * 8;
885 	u32 host_cat_size = 0;
886 	u32 *host_cat_array = NULL;
887 
888 	if (doi_def->type == CIPSO_V4_MAP_TRANS) {
889 		host_cat_size = doi_def->map.std->cat.local_size;
890 		host_cat_array = doi_def->map.std->cat.local;
891 	}
892 
893 	for (;;) {
894 		host_spot = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
895 						       host_spot + 1);
896 		if (host_spot < 0)
897 			break;
898 
899 		switch (doi_def->type) {
900 		case CIPSO_V4_MAP_PASS:
901 			net_spot = host_spot;
902 			break;
903 		case CIPSO_V4_MAP_TRANS:
904 			if (host_spot >= host_cat_size)
905 				return -EPERM;
906 			net_spot = host_cat_array[host_spot];
907 			if (net_spot >= CIPSO_V4_INV_CAT)
908 				return -EPERM;
909 			break;
910 		}
911 		if (net_spot >= net_clen_bits)
912 			return -ENOSPC;
913 		cipso_v4_bitmap_setbit(net_cat, net_spot, 1);
914 
915 		if (net_spot > net_spot_max)
916 			net_spot_max = net_spot;
917 	}
918 
919 	if (++net_spot_max % 8)
920 		return net_spot_max / 8 + 1;
921 	return net_spot_max / 8;
922 }
923 
924 /**
925  * cipso_v4_map_cat_rbm_ntoh - Perform a category mapping from network to host
926  * @doi_def: the DOI definition
927  * @net_cat: the category bitmap in network/CIPSO format
928  * @net_cat_len: the length of the CIPSO bitmap in bytes
929  * @secattr: the security attributes
930  *
931  * Description:
932  * Perform a label mapping to translate a CIPSO bitmap to the correct local
933  * MLS category bitmap using the given DOI definition.  Returns zero on
934  * success, negative values on failure.
935  *
936  */
937 static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def,
938 				     const unsigned char *net_cat,
939 				     u32 net_cat_len,
940 				     struct netlbl_lsm_secattr *secattr)
941 {
942 	int ret_val;
943 	int net_spot = -1;
944 	u32 host_spot = CIPSO_V4_INV_CAT;
945 	u32 net_clen_bits = net_cat_len * 8;
946 	u32 net_cat_size = 0;
947 	u32 *net_cat_array = NULL;
948 
949 	if (doi_def->type == CIPSO_V4_MAP_TRANS) {
950 		net_cat_size = doi_def->map.std->cat.cipso_size;
951 		net_cat_array = doi_def->map.std->cat.cipso;
952 	}
953 
954 	for (;;) {
955 		net_spot = cipso_v4_bitmap_walk(net_cat,
956 						net_clen_bits,
957 						net_spot + 1,
958 						1);
959 		if (net_spot < 0) {
960 			if (net_spot == -2)
961 				return -EFAULT;
962 			return 0;
963 		}
964 
965 		switch (doi_def->type) {
966 		case CIPSO_V4_MAP_PASS:
967 			host_spot = net_spot;
968 			break;
969 		case CIPSO_V4_MAP_TRANS:
970 			if (net_spot >= net_cat_size)
971 				return -EPERM;
972 			host_spot = net_cat_array[net_spot];
973 			if (host_spot >= CIPSO_V4_INV_CAT)
974 				return -EPERM;
975 			break;
976 		}
977 		ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat,
978 						       host_spot,
979 						       GFP_ATOMIC);
980 		if (ret_val != 0)
981 			return ret_val;
982 	}
983 
984 	return -EINVAL;
985 }
986 
987 /**
988  * cipso_v4_map_cat_enum_valid - Checks to see if the categories are valid
989  * @doi_def: the DOI definition
990  * @enumcat: category list
991  * @enumcat_len: length of the category list in bytes
992  *
993  * Description:
994  * Checks the given categories against the given DOI definition and returns a
995  * negative value if any of the categories do not have a valid mapping and a
996  * zero value if all of the categories are valid.
997  *
998  */
999 static int cipso_v4_map_cat_enum_valid(const struct cipso_v4_doi *doi_def,
1000 				       const unsigned char *enumcat,
1001 				       u32 enumcat_len)
1002 {
1003 	u16 cat;
1004 	int cat_prev = -1;
1005 	u32 iter;
1006 
1007 	if (doi_def->type != CIPSO_V4_MAP_PASS || enumcat_len & 0x01)
1008 		return -EFAULT;
1009 
1010 	for (iter = 0; iter < enumcat_len; iter += 2) {
1011 		cat = get_unaligned_be16(&enumcat[iter]);
1012 		if (cat <= cat_prev)
1013 			return -EFAULT;
1014 		cat_prev = cat;
1015 	}
1016 
1017 	return 0;
1018 }
1019 
1020 /**
1021  * cipso_v4_map_cat_enum_hton - Perform a category mapping from host to network
1022  * @doi_def: the DOI definition
1023  * @secattr: the security attributes
1024  * @net_cat: the zero'd out category list in network/CIPSO format
1025  * @net_cat_len: the length of the CIPSO category list in bytes
1026  *
1027  * Description:
1028  * Perform a label mapping to translate a local MLS category bitmap to the
1029  * correct CIPSO category list using the given DOI definition.   Returns the
1030  * size in bytes of the network category bitmap on success, negative values
1031  * otherwise.
1032  *
1033  */
1034 static int cipso_v4_map_cat_enum_hton(const struct cipso_v4_doi *doi_def,
1035 				      const struct netlbl_lsm_secattr *secattr,
1036 				      unsigned char *net_cat,
1037 				      u32 net_cat_len)
1038 {
1039 	int cat = -1;
1040 	u32 cat_iter = 0;
1041 
1042 	for (;;) {
1043 		cat = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
1044 						 cat + 1);
1045 		if (cat < 0)
1046 			break;
1047 		if ((cat_iter + 2) > net_cat_len)
1048 			return -ENOSPC;
1049 
1050 		*((__be16 *)&net_cat[cat_iter]) = htons(cat);
1051 		cat_iter += 2;
1052 	}
1053 
1054 	return cat_iter;
1055 }
1056 
1057 /**
1058  * cipso_v4_map_cat_enum_ntoh - Perform a category mapping from network to host
1059  * @doi_def: the DOI definition
1060  * @net_cat: the category list in network/CIPSO format
1061  * @net_cat_len: the length of the CIPSO bitmap in bytes
1062  * @secattr: the security attributes
1063  *
1064  * Description:
1065  * Perform a label mapping to translate a CIPSO category list to the correct
1066  * local MLS category bitmap using the given DOI definition.  Returns zero on
1067  * success, negative values on failure.
1068  *
1069  */
1070 static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def,
1071 				      const unsigned char *net_cat,
1072 				      u32 net_cat_len,
1073 				      struct netlbl_lsm_secattr *secattr)
1074 {
1075 	int ret_val;
1076 	u32 iter;
1077 
1078 	for (iter = 0; iter < net_cat_len; iter += 2) {
1079 		ret_val = netlbl_secattr_catmap_setbit(secattr->attr.mls.cat,
1080 				get_unaligned_be16(&net_cat[iter]),
1081 				GFP_ATOMIC);
1082 		if (ret_val != 0)
1083 			return ret_val;
1084 	}
1085 
1086 	return 0;
1087 }
1088 
1089 /**
1090  * cipso_v4_map_cat_rng_valid - Checks to see if the categories are valid
1091  * @doi_def: the DOI definition
1092  * @rngcat: category list
1093  * @rngcat_len: length of the category list in bytes
1094  *
1095  * Description:
1096  * Checks the given categories against the given DOI definition and returns a
1097  * negative value if any of the categories do not have a valid mapping and a
1098  * zero value if all of the categories are valid.
1099  *
1100  */
1101 static int cipso_v4_map_cat_rng_valid(const struct cipso_v4_doi *doi_def,
1102 				      const unsigned char *rngcat,
1103 				      u32 rngcat_len)
1104 {
1105 	u16 cat_high;
1106 	u16 cat_low;
1107 	u32 cat_prev = CIPSO_V4_MAX_REM_CATS + 1;
1108 	u32 iter;
1109 
1110 	if (doi_def->type != CIPSO_V4_MAP_PASS || rngcat_len & 0x01)
1111 		return -EFAULT;
1112 
1113 	for (iter = 0; iter < rngcat_len; iter += 4) {
1114 		cat_high = get_unaligned_be16(&rngcat[iter]);
1115 		if ((iter + 4) <= rngcat_len)
1116 			cat_low = get_unaligned_be16(&rngcat[iter + 2]);
1117 		else
1118 			cat_low = 0;
1119 
1120 		if (cat_high > cat_prev)
1121 			return -EFAULT;
1122 
1123 		cat_prev = cat_low;
1124 	}
1125 
1126 	return 0;
1127 }
1128 
1129 /**
1130  * cipso_v4_map_cat_rng_hton - Perform a category mapping from host to network
1131  * @doi_def: the DOI definition
1132  * @secattr: the security attributes
1133  * @net_cat: the zero'd out category list in network/CIPSO format
1134  * @net_cat_len: the length of the CIPSO category list in bytes
1135  *
1136  * Description:
1137  * Perform a label mapping to translate a local MLS category bitmap to the
1138  * correct CIPSO category list using the given DOI definition.   Returns the
1139  * size in bytes of the network category bitmap on success, negative values
1140  * otherwise.
1141  *
1142  */
1143 static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
1144 				     const struct netlbl_lsm_secattr *secattr,
1145 				     unsigned char *net_cat,
1146 				     u32 net_cat_len)
1147 {
1148 	int iter = -1;
1149 	u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2];
1150 	u32 array_cnt = 0;
1151 	u32 cat_size = 0;
1152 
1153 	/* make sure we don't overflow the 'array[]' variable */
1154 	if (net_cat_len >
1155 	    (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN))
1156 		return -ENOSPC;
1157 
1158 	for (;;) {
1159 		iter = netlbl_secattr_catmap_walk(secattr->attr.mls.cat,
1160 						  iter + 1);
1161 		if (iter < 0)
1162 			break;
1163 		cat_size += (iter == 0 ? 0 : sizeof(u16));
1164 		if (cat_size > net_cat_len)
1165 			return -ENOSPC;
1166 		array[array_cnt++] = iter;
1167 
1168 		iter = netlbl_secattr_catmap_walk_rng(secattr->attr.mls.cat,
1169 						      iter);
1170 		if (iter < 0)
1171 			return -EFAULT;
1172 		cat_size += sizeof(u16);
1173 		if (cat_size > net_cat_len)
1174 			return -ENOSPC;
1175 		array[array_cnt++] = iter;
1176 	}
1177 
1178 	for (iter = 0; array_cnt > 0;) {
1179 		*((__be16 *)&net_cat[iter]) = htons(array[--array_cnt]);
1180 		iter += 2;
1181 		array_cnt--;
1182 		if (array[array_cnt] != 0) {
1183 			*((__be16 *)&net_cat[iter]) = htons(array[array_cnt]);
1184 			iter += 2;
1185 		}
1186 	}
1187 
1188 	return cat_size;
1189 }
1190 
1191 /**
1192  * cipso_v4_map_cat_rng_ntoh - Perform a category mapping from network to host
1193  * @doi_def: the DOI definition
1194  * @net_cat: the category list in network/CIPSO format
1195  * @net_cat_len: the length of the CIPSO bitmap in bytes
1196  * @secattr: the security attributes
1197  *
1198  * Description:
1199  * Perform a label mapping to translate a CIPSO category list to the correct
1200  * local MLS category bitmap using the given DOI definition.  Returns zero on
1201  * success, negative values on failure.
1202  *
1203  */
1204 static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,
1205 				     const unsigned char *net_cat,
1206 				     u32 net_cat_len,
1207 				     struct netlbl_lsm_secattr *secattr)
1208 {
1209 	int ret_val;
1210 	u32 net_iter;
1211 	u16 cat_low;
1212 	u16 cat_high;
1213 
1214 	for (net_iter = 0; net_iter < net_cat_len; net_iter += 4) {
1215 		cat_high = get_unaligned_be16(&net_cat[net_iter]);
1216 		if ((net_iter + 4) <= net_cat_len)
1217 			cat_low = get_unaligned_be16(&net_cat[net_iter + 2]);
1218 		else
1219 			cat_low = 0;
1220 
1221 		ret_val = netlbl_secattr_catmap_setrng(secattr->attr.mls.cat,
1222 						       cat_low,
1223 						       cat_high,
1224 						       GFP_ATOMIC);
1225 		if (ret_val != 0)
1226 			return ret_val;
1227 	}
1228 
1229 	return 0;
1230 }
1231 
1232 /*
1233  * Protocol Handling Functions
1234  */
1235 
1236 /**
1237  * cipso_v4_gentag_hdr - Generate a CIPSO option header
1238  * @doi_def: the DOI definition
1239  * @len: the total tag length in bytes, not including this header
1240  * @buf: the CIPSO option buffer
1241  *
1242  * Description:
1243  * Write a CIPSO header into the beginning of @buffer.
1244  *
1245  */
1246 static void cipso_v4_gentag_hdr(const struct cipso_v4_doi *doi_def,
1247 				unsigned char *buf,
1248 				u32 len)
1249 {
1250 	buf[0] = IPOPT_CIPSO;
1251 	buf[1] = CIPSO_V4_HDR_LEN + len;
1252 	*(__be32 *)&buf[2] = htonl(doi_def->doi);
1253 }
1254 
1255 /**
1256  * cipso_v4_gentag_rbm - Generate a CIPSO restricted bitmap tag (type #1)
1257  * @doi_def: the DOI definition
1258  * @secattr: the security attributes
1259  * @buffer: the option buffer
1260  * @buffer_len: length of buffer in bytes
1261  *
1262  * Description:
1263  * Generate a CIPSO option using the restricted bitmap tag, tag type #1.  The
1264  * actual buffer length may be larger than the indicated size due to
1265  * translation between host and network category bitmaps.  Returns the size of
1266  * the tag on success, negative values on failure.
1267  *
1268  */
1269 static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
1270 			       const struct netlbl_lsm_secattr *secattr,
1271 			       unsigned char *buffer,
1272 			       u32 buffer_len)
1273 {
1274 	int ret_val;
1275 	u32 tag_len;
1276 	u32 level;
1277 
1278 	if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
1279 		return -EPERM;
1280 
1281 	ret_val = cipso_v4_map_lvl_hton(doi_def,
1282 					secattr->attr.mls.lvl,
1283 					&level);
1284 	if (ret_val != 0)
1285 		return ret_val;
1286 
1287 	if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
1288 		ret_val = cipso_v4_map_cat_rbm_hton(doi_def,
1289 						    secattr,
1290 						    &buffer[4],
1291 						    buffer_len - 4);
1292 		if (ret_val < 0)
1293 			return ret_val;
1294 
1295 		/* This will send packets using the "optimized" format when
1296 		 * possible as specified in  section 3.4.2.6 of the
1297 		 * CIPSO draft. */
1298 		if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10)
1299 			tag_len = 14;
1300 		else
1301 			tag_len = 4 + ret_val;
1302 	} else
1303 		tag_len = 4;
1304 
1305 	buffer[0] = CIPSO_V4_TAG_RBITMAP;
1306 	buffer[1] = tag_len;
1307 	buffer[3] = level;
1308 
1309 	return tag_len;
1310 }
1311 
1312 /**
1313  * cipso_v4_parsetag_rbm - Parse a CIPSO restricted bitmap tag
1314  * @doi_def: the DOI definition
1315  * @tag: the CIPSO tag
1316  * @secattr: the security attributes
1317  *
1318  * Description:
1319  * Parse a CIPSO restricted bitmap tag (tag type #1) and return the security
1320  * attributes in @secattr.  Return zero on success, negatives values on
1321  * failure.
1322  *
1323  */
1324 static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
1325 				 const unsigned char *tag,
1326 				 struct netlbl_lsm_secattr *secattr)
1327 {
1328 	int ret_val;
1329 	u8 tag_len = tag[1];
1330 	u32 level;
1331 
1332 	ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);
1333 	if (ret_val != 0)
1334 		return ret_val;
1335 	secattr->attr.mls.lvl = level;
1336 	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
1337 
1338 	if (tag_len > 4) {
1339 		secattr->attr.mls.cat =
1340 		                       netlbl_secattr_catmap_alloc(GFP_ATOMIC);
1341 		if (secattr->attr.mls.cat == NULL)
1342 			return -ENOMEM;
1343 
1344 		ret_val = cipso_v4_map_cat_rbm_ntoh(doi_def,
1345 						    &tag[4],
1346 						    tag_len - 4,
1347 						    secattr);
1348 		if (ret_val != 0) {
1349 			netlbl_secattr_catmap_free(secattr->attr.mls.cat);
1350 			return ret_val;
1351 		}
1352 
1353 		secattr->flags |= NETLBL_SECATTR_MLS_CAT;
1354 	}
1355 
1356 	return 0;
1357 }
1358 
1359 /**
1360  * cipso_v4_gentag_enum - Generate a CIPSO enumerated tag (type #2)
1361  * @doi_def: the DOI definition
1362  * @secattr: the security attributes
1363  * @buffer: the option buffer
1364  * @buffer_len: length of buffer in bytes
1365  *
1366  * Description:
1367  * Generate a CIPSO option using the enumerated tag, tag type #2.  Returns the
1368  * size of the tag on success, negative values on failure.
1369  *
1370  */
1371 static int cipso_v4_gentag_enum(const struct cipso_v4_doi *doi_def,
1372 				const struct netlbl_lsm_secattr *secattr,
1373 				unsigned char *buffer,
1374 				u32 buffer_len)
1375 {
1376 	int ret_val;
1377 	u32 tag_len;
1378 	u32 level;
1379 
1380 	if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL))
1381 		return -EPERM;
1382 
1383 	ret_val = cipso_v4_map_lvl_hton(doi_def,
1384 					secattr->attr.mls.lvl,
1385 					&level);
1386 	if (ret_val != 0)
1387 		return ret_val;
1388 
1389 	if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
1390 		ret_val = cipso_v4_map_cat_enum_hton(doi_def,
1391 						     secattr,
1392 						     &buffer[4],
1393 						     buffer_len - 4);
1394 		if (ret_val < 0)
1395 			return ret_val;
1396 
1397 		tag_len = 4 + ret_val;
1398 	} else
1399 		tag_len = 4;
1400 
1401 	buffer[0] = CIPSO_V4_TAG_ENUM;
1402 	buffer[1] = tag_len;
1403 	buffer[3] = level;
1404 
1405 	return tag_len;
1406 }
1407 
1408 /**
1409  * cipso_v4_parsetag_enum - Parse a CIPSO enumerated tag
1410  * @doi_def: the DOI definition
1411  * @tag: the CIPSO tag
1412  * @secattr: the security attributes
1413  *
1414  * Description:
1415  * Parse a CIPSO enumerated tag (tag type #2) and return the security
1416  * attributes in @secattr.  Return zero on success, negatives values on
1417  * failure.
1418  *
1419  */
1420 static int cipso_v4_parsetag_enum(const struct cipso_v4_doi *doi_def,
1421 				  const unsigned char *tag,
1422 				  struct netlbl_lsm_secattr *secattr)
1423 {
1424 	int ret_val;
1425 	u8 tag_len = tag[1];
1426 	u32 level;
1427 
1428 	ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);
1429 	if (ret_val != 0)
1430 		return ret_val;
1431 	secattr->attr.mls.lvl = level;
1432 	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
1433 
1434 	if (tag_len > 4) {
1435 		secattr->attr.mls.cat =
1436 			               netlbl_secattr_catmap_alloc(GFP_ATOMIC);
1437 		if (secattr->attr.mls.cat == NULL)
1438 			return -ENOMEM;
1439 
1440 		ret_val = cipso_v4_map_cat_enum_ntoh(doi_def,
1441 						     &tag[4],
1442 						     tag_len - 4,
1443 						     secattr);
1444 		if (ret_val != 0) {
1445 			netlbl_secattr_catmap_free(secattr->attr.mls.cat);
1446 			return ret_val;
1447 		}
1448 
1449 		secattr->flags |= NETLBL_SECATTR_MLS_CAT;
1450 	}
1451 
1452 	return 0;
1453 }
1454 
1455 /**
1456  * cipso_v4_gentag_rng - Generate a CIPSO ranged tag (type #5)
1457  * @doi_def: the DOI definition
1458  * @secattr: the security attributes
1459  * @buffer: the option buffer
1460  * @buffer_len: length of buffer in bytes
1461  *
1462  * Description:
1463  * Generate a CIPSO option using the ranged tag, tag type #5.  Returns the
1464  * size of the tag on success, negative values on failure.
1465  *
1466  */
1467 static int cipso_v4_gentag_rng(const struct cipso_v4_doi *doi_def,
1468 			       const struct netlbl_lsm_secattr *secattr,
1469 			       unsigned char *buffer,
1470 			       u32 buffer_len)
1471 {
1472 	int ret_val;
1473 	u32 tag_len;
1474 	u32 level;
1475 
1476 	if (!(secattr->flags & NETLBL_SECATTR_MLS_LVL))
1477 		return -EPERM;
1478 
1479 	ret_val = cipso_v4_map_lvl_hton(doi_def,
1480 					secattr->attr.mls.lvl,
1481 					&level);
1482 	if (ret_val != 0)
1483 		return ret_val;
1484 
1485 	if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
1486 		ret_val = cipso_v4_map_cat_rng_hton(doi_def,
1487 						    secattr,
1488 						    &buffer[4],
1489 						    buffer_len - 4);
1490 		if (ret_val < 0)
1491 			return ret_val;
1492 
1493 		tag_len = 4 + ret_val;
1494 	} else
1495 		tag_len = 4;
1496 
1497 	buffer[0] = CIPSO_V4_TAG_RANGE;
1498 	buffer[1] = tag_len;
1499 	buffer[3] = level;
1500 
1501 	return tag_len;
1502 }
1503 
1504 /**
1505  * cipso_v4_parsetag_rng - Parse a CIPSO ranged tag
1506  * @doi_def: the DOI definition
1507  * @tag: the CIPSO tag
1508  * @secattr: the security attributes
1509  *
1510  * Description:
1511  * Parse a CIPSO ranged tag (tag type #5) and return the security attributes
1512  * in @secattr.  Return zero on success, negatives values on failure.
1513  *
1514  */
1515 static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
1516 				 const unsigned char *tag,
1517 				 struct netlbl_lsm_secattr *secattr)
1518 {
1519 	int ret_val;
1520 	u8 tag_len = tag[1];
1521 	u32 level;
1522 
1523 	ret_val = cipso_v4_map_lvl_ntoh(doi_def, tag[3], &level);
1524 	if (ret_val != 0)
1525 		return ret_val;
1526 	secattr->attr.mls.lvl = level;
1527 	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
1528 
1529 	if (tag_len > 4) {
1530 		secattr->attr.mls.cat =
1531 			               netlbl_secattr_catmap_alloc(GFP_ATOMIC);
1532 		if (secattr->attr.mls.cat == NULL)
1533 			return -ENOMEM;
1534 
1535 		ret_val = cipso_v4_map_cat_rng_ntoh(doi_def,
1536 						    &tag[4],
1537 						    tag_len - 4,
1538 						    secattr);
1539 		if (ret_val != 0) {
1540 			netlbl_secattr_catmap_free(secattr->attr.mls.cat);
1541 			return ret_val;
1542 		}
1543 
1544 		secattr->flags |= NETLBL_SECATTR_MLS_CAT;
1545 	}
1546 
1547 	return 0;
1548 }
1549 
1550 /**
1551  * cipso_v4_gentag_loc - Generate a CIPSO local tag (non-standard)
1552  * @doi_def: the DOI definition
1553  * @secattr: the security attributes
1554  * @buffer: the option buffer
1555  * @buffer_len: length of buffer in bytes
1556  *
1557  * Description:
1558  * Generate a CIPSO option using the local tag.  Returns the size of the tag
1559  * on success, negative values on failure.
1560  *
1561  */
1562 static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def,
1563 			       const struct netlbl_lsm_secattr *secattr,
1564 			       unsigned char *buffer,
1565 			       u32 buffer_len)
1566 {
1567 	if (!(secattr->flags & NETLBL_SECATTR_SECID))
1568 		return -EPERM;
1569 
1570 	buffer[0] = CIPSO_V4_TAG_LOCAL;
1571 	buffer[1] = CIPSO_V4_TAG_LOC_BLEN;
1572 	*(u32 *)&buffer[2] = secattr->attr.secid;
1573 
1574 	return CIPSO_V4_TAG_LOC_BLEN;
1575 }
1576 
1577 /**
1578  * cipso_v4_parsetag_loc - Parse a CIPSO local tag
1579  * @doi_def: the DOI definition
1580  * @tag: the CIPSO tag
1581  * @secattr: the security attributes
1582  *
1583  * Description:
1584  * Parse a CIPSO local tag and return the security attributes in @secattr.
1585  * Return zero on success, negatives values on failure.
1586  *
1587  */
1588 static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,
1589 				 const unsigned char *tag,
1590 				 struct netlbl_lsm_secattr *secattr)
1591 {
1592 	secattr->attr.secid = *(u32 *)&tag[2];
1593 	secattr->flags |= NETLBL_SECATTR_SECID;
1594 
1595 	return 0;
1596 }
1597 
1598 /**
1599  * cipso_v4_validate - Validate a CIPSO option
1600  * @option: the start of the option, on error it is set to point to the error
1601  *
1602  * Description:
1603  * This routine is called to validate a CIPSO option, it checks all of the
1604  * fields to ensure that they are at least valid, see the draft snippet below
1605  * for details.  If the option is valid then a zero value is returned and
1606  * the value of @option is unchanged.  If the option is invalid then a
1607  * non-zero value is returned and @option is adjusted to point to the
1608  * offending portion of the option.  From the IETF draft ...
1609  *
1610  *  "If any field within the CIPSO options, such as the DOI identifier, is not
1611  *   recognized the IP datagram is discarded and an ICMP 'parameter problem'
1612  *   (type 12) is generated and returned.  The ICMP code field is set to 'bad
1613  *   parameter' (code 0) and the pointer is set to the start of the CIPSO field
1614  *   that is unrecognized."
1615  *
1616  */
1617 int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option)
1618 {
1619 	unsigned char *opt = *option;
1620 	unsigned char *tag;
1621 	unsigned char opt_iter;
1622 	unsigned char err_offset = 0;
1623 	u8 opt_len;
1624 	u8 tag_len;
1625 	struct cipso_v4_doi *doi_def = NULL;
1626 	u32 tag_iter;
1627 
1628 	/* caller already checks for length values that are too large */
1629 	opt_len = opt[1];
1630 	if (opt_len < 8) {
1631 		err_offset = 1;
1632 		goto validate_return;
1633 	}
1634 
1635 	rcu_read_lock();
1636 	doi_def = cipso_v4_doi_search(get_unaligned_be32(&opt[2]));
1637 	if (doi_def == NULL) {
1638 		err_offset = 2;
1639 		goto validate_return_locked;
1640 	}
1641 
1642 	opt_iter = CIPSO_V4_HDR_LEN;
1643 	tag = opt + opt_iter;
1644 	while (opt_iter < opt_len) {
1645 		for (tag_iter = 0; doi_def->tags[tag_iter] != tag[0];)
1646 			if (doi_def->tags[tag_iter] == CIPSO_V4_TAG_INVALID ||
1647 			    ++tag_iter == CIPSO_V4_TAG_MAXCNT) {
1648 				err_offset = opt_iter;
1649 				goto validate_return_locked;
1650 			}
1651 
1652 		tag_len = tag[1];
1653 		if (tag_len > (opt_len - opt_iter)) {
1654 			err_offset = opt_iter + 1;
1655 			goto validate_return_locked;
1656 		}
1657 
1658 		switch (tag[0]) {
1659 		case CIPSO_V4_TAG_RBITMAP:
1660 			if (tag_len < CIPSO_V4_TAG_RBM_BLEN) {
1661 				err_offset = opt_iter + 1;
1662 				goto validate_return_locked;
1663 			}
1664 
1665 			/* We are already going to do all the verification
1666 			 * necessary at the socket layer so from our point of
1667 			 * view it is safe to turn these checks off (and less
1668 			 * work), however, the CIPSO draft says we should do
1669 			 * all the CIPSO validations here but it doesn't
1670 			 * really specify _exactly_ what we need to validate
1671 			 * ... so, just make it a sysctl tunable. */
1672 			if (cipso_v4_rbm_strictvalid) {
1673 				if (cipso_v4_map_lvl_valid(doi_def,
1674 							   tag[3]) < 0) {
1675 					err_offset = opt_iter + 3;
1676 					goto validate_return_locked;
1677 				}
1678 				if (tag_len > CIPSO_V4_TAG_RBM_BLEN &&
1679 				    cipso_v4_map_cat_rbm_valid(doi_def,
1680 							    &tag[4],
1681 							    tag_len - 4) < 0) {
1682 					err_offset = opt_iter + 4;
1683 					goto validate_return_locked;
1684 				}
1685 			}
1686 			break;
1687 		case CIPSO_V4_TAG_ENUM:
1688 			if (tag_len < CIPSO_V4_TAG_ENUM_BLEN) {
1689 				err_offset = opt_iter + 1;
1690 				goto validate_return_locked;
1691 			}
1692 
1693 			if (cipso_v4_map_lvl_valid(doi_def,
1694 						   tag[3]) < 0) {
1695 				err_offset = opt_iter + 3;
1696 				goto validate_return_locked;
1697 			}
1698 			if (tag_len > CIPSO_V4_TAG_ENUM_BLEN &&
1699 			    cipso_v4_map_cat_enum_valid(doi_def,
1700 							&tag[4],
1701 							tag_len - 4) < 0) {
1702 				err_offset = opt_iter + 4;
1703 				goto validate_return_locked;
1704 			}
1705 			break;
1706 		case CIPSO_V4_TAG_RANGE:
1707 			if (tag_len < CIPSO_V4_TAG_RNG_BLEN) {
1708 				err_offset = opt_iter + 1;
1709 				goto validate_return_locked;
1710 			}
1711 
1712 			if (cipso_v4_map_lvl_valid(doi_def,
1713 						   tag[3]) < 0) {
1714 				err_offset = opt_iter + 3;
1715 				goto validate_return_locked;
1716 			}
1717 			if (tag_len > CIPSO_V4_TAG_RNG_BLEN &&
1718 			    cipso_v4_map_cat_rng_valid(doi_def,
1719 						       &tag[4],
1720 						       tag_len - 4) < 0) {
1721 				err_offset = opt_iter + 4;
1722 				goto validate_return_locked;
1723 			}
1724 			break;
1725 		case CIPSO_V4_TAG_LOCAL:
1726 			/* This is a non-standard tag that we only allow for
1727 			 * local connections, so if the incoming interface is
1728 			 * not the loopback device drop the packet. Further,
1729 			 * there is no legitimate reason for setting this from
1730 			 * userspace so reject it if skb is NULL. */
1731 			if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)) {
1732 				err_offset = opt_iter;
1733 				goto validate_return_locked;
1734 			}
1735 			if (tag_len != CIPSO_V4_TAG_LOC_BLEN) {
1736 				err_offset = opt_iter + 1;
1737 				goto validate_return_locked;
1738 			}
1739 			break;
1740 		default:
1741 			err_offset = opt_iter;
1742 			goto validate_return_locked;
1743 		}
1744 
1745 		tag += tag_len;
1746 		opt_iter += tag_len;
1747 	}
1748 
1749 validate_return_locked:
1750 	rcu_read_unlock();
1751 validate_return:
1752 	*option = opt + err_offset;
1753 	return err_offset;
1754 }
1755 
1756 /**
1757  * cipso_v4_error - Send the correct response for a bad packet
1758  * @skb: the packet
1759  * @error: the error code
1760  * @gateway: CIPSO gateway flag
1761  *
1762  * Description:
1763  * Based on the error code given in @error, send an ICMP error message back to
1764  * the originating host.  From the IETF draft ...
1765  *
1766  *  "If the contents of the CIPSO [option] are valid but the security label is
1767  *   outside of the configured host or port label range, the datagram is
1768  *   discarded and an ICMP 'destination unreachable' (type 3) is generated and
1769  *   returned.  The code field of the ICMP is set to 'communication with
1770  *   destination network administratively prohibited' (code 9) or to
1771  *   'communication with destination host administratively prohibited'
1772  *   (code 10).  The value of the code is dependent on whether the originator
1773  *   of the ICMP message is acting as a CIPSO host or a CIPSO gateway.  The
1774  *   recipient of the ICMP message MUST be able to handle either value.  The
1775  *   same procedure is performed if a CIPSO [option] can not be added to an
1776  *   IP packet because it is too large to fit in the IP options area."
1777  *
1778  *  "If the error is triggered by receipt of an ICMP message, the message is
1779  *   discarded and no response is permitted (consistent with general ICMP
1780  *   processing rules)."
1781  *
1782  */
1783 void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
1784 {
1785 	if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES)
1786 		return;
1787 
1788 	if (gateway)
1789 		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0);
1790 	else
1791 		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0);
1792 }
1793 
1794 /**
1795  * cipso_v4_genopt - Generate a CIPSO option
1796  * @buf: the option buffer
1797  * @buf_len: the size of opt_buf
1798  * @doi_def: the CIPSO DOI to use
1799  * @secattr: the security attributes
1800  *
1801  * Description:
1802  * Generate a CIPSO option using the DOI definition and security attributes
1803  * passed to the function.  Returns the length of the option on success and
1804  * negative values on failure.
1805  *
1806  */
1807 static int cipso_v4_genopt(unsigned char *buf, u32 buf_len,
1808 			   const struct cipso_v4_doi *doi_def,
1809 			   const struct netlbl_lsm_secattr *secattr)
1810 {
1811 	int ret_val;
1812 	u32 iter;
1813 
1814 	if (buf_len <= CIPSO_V4_HDR_LEN)
1815 		return -ENOSPC;
1816 
1817 	/* XXX - This code assumes only one tag per CIPSO option which isn't
1818 	 * really a good assumption to make but since we only support the MAC
1819 	 * tags right now it is a safe assumption. */
1820 	iter = 0;
1821 	do {
1822 		memset(buf, 0, buf_len);
1823 		switch (doi_def->tags[iter]) {
1824 		case CIPSO_V4_TAG_RBITMAP:
1825 			ret_val = cipso_v4_gentag_rbm(doi_def,
1826 						   secattr,
1827 						   &buf[CIPSO_V4_HDR_LEN],
1828 						   buf_len - CIPSO_V4_HDR_LEN);
1829 			break;
1830 		case CIPSO_V4_TAG_ENUM:
1831 			ret_val = cipso_v4_gentag_enum(doi_def,
1832 						   secattr,
1833 						   &buf[CIPSO_V4_HDR_LEN],
1834 						   buf_len - CIPSO_V4_HDR_LEN);
1835 			break;
1836 		case CIPSO_V4_TAG_RANGE:
1837 			ret_val = cipso_v4_gentag_rng(doi_def,
1838 						   secattr,
1839 						   &buf[CIPSO_V4_HDR_LEN],
1840 						   buf_len - CIPSO_V4_HDR_LEN);
1841 			break;
1842 		case CIPSO_V4_TAG_LOCAL:
1843 			ret_val = cipso_v4_gentag_loc(doi_def,
1844 						   secattr,
1845 						   &buf[CIPSO_V4_HDR_LEN],
1846 						   buf_len - CIPSO_V4_HDR_LEN);
1847 			break;
1848 		default:
1849 			return -EPERM;
1850 		}
1851 
1852 		iter++;
1853 	} while (ret_val < 0 &&
1854 		 iter < CIPSO_V4_TAG_MAXCNT &&
1855 		 doi_def->tags[iter] != CIPSO_V4_TAG_INVALID);
1856 	if (ret_val < 0)
1857 		return ret_val;
1858 	cipso_v4_gentag_hdr(doi_def, buf, ret_val);
1859 	return CIPSO_V4_HDR_LEN + ret_val;
1860 }
1861 
1862 /**
1863  * cipso_v4_sock_setattr - Add a CIPSO option to a socket
1864  * @sk: the socket
1865  * @doi_def: the CIPSO DOI to use
1866  * @secattr: the specific security attributes of the socket
1867  *
1868  * Description:
1869  * Set the CIPSO option on the given socket using the DOI definition and
1870  * security attributes passed to the function.  This function requires
1871  * exclusive access to @sk, which means it either needs to be in the
1872  * process of being created or locked.  Returns zero on success and negative
1873  * values on failure.
1874  *
1875  */
1876 int cipso_v4_sock_setattr(struct sock *sk,
1877 			  const struct cipso_v4_doi *doi_def,
1878 			  const struct netlbl_lsm_secattr *secattr)
1879 {
1880 	int ret_val = -EPERM;
1881 	unsigned char *buf = NULL;
1882 	u32 buf_len;
1883 	u32 opt_len;
1884 	struct ip_options_rcu *old, *opt = NULL;
1885 	struct inet_sock *sk_inet;
1886 	struct inet_connection_sock *sk_conn;
1887 
1888 	/* In the case of sock_create_lite(), the sock->sk field is not
1889 	 * defined yet but it is not a problem as the only users of these
1890 	 * "lite" PF_INET sockets are functions which do an accept() call
1891 	 * afterwards so we will label the socket as part of the accept(). */
1892 	if (sk == NULL)
1893 		return 0;
1894 
1895 	/* We allocate the maximum CIPSO option size here so we are probably
1896 	 * being a little wasteful, but it makes our life _much_ easier later
1897 	 * on and after all we are only talking about 40 bytes. */
1898 	buf_len = CIPSO_V4_OPT_LEN_MAX;
1899 	buf = kmalloc(buf_len, GFP_ATOMIC);
1900 	if (buf == NULL) {
1901 		ret_val = -ENOMEM;
1902 		goto socket_setattr_failure;
1903 	}
1904 
1905 	ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
1906 	if (ret_val < 0)
1907 		goto socket_setattr_failure;
1908 	buf_len = ret_val;
1909 
1910 	/* We can't use ip_options_get() directly because it makes a call to
1911 	 * ip_options_get_alloc() which allocates memory with GFP_KERNEL and
1912 	 * we won't always have CAP_NET_RAW even though we _always_ want to
1913 	 * set the IPOPT_CIPSO option. */
1914 	opt_len = (buf_len + 3) & ~3;
1915 	opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC);
1916 	if (opt == NULL) {
1917 		ret_val = -ENOMEM;
1918 		goto socket_setattr_failure;
1919 	}
1920 	memcpy(opt->opt.__data, buf, buf_len);
1921 	opt->opt.optlen = opt_len;
1922 	opt->opt.cipso = sizeof(struct iphdr);
1923 	kfree(buf);
1924 	buf = NULL;
1925 
1926 	sk_inet = inet_sk(sk);
1927 
1928 	old = rcu_dereference_protected(sk_inet->inet_opt, sock_owned_by_user(sk));
1929 	if (sk_inet->is_icsk) {
1930 		sk_conn = inet_csk(sk);
1931 		if (old)
1932 			sk_conn->icsk_ext_hdr_len -= old->opt.optlen;
1933 		sk_conn->icsk_ext_hdr_len += opt->opt.optlen;
1934 		sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
1935 	}
1936 	rcu_assign_pointer(sk_inet->inet_opt, opt);
1937 	if (old)
1938 		kfree_rcu(old, rcu);
1939 
1940 	return 0;
1941 
1942 socket_setattr_failure:
1943 	kfree(buf);
1944 	kfree(opt);
1945 	return ret_val;
1946 }
1947 
1948 /**
1949  * cipso_v4_req_setattr - Add a CIPSO option to a connection request socket
1950  * @req: the connection request socket
1951  * @doi_def: the CIPSO DOI to use
1952  * @secattr: the specific security attributes of the socket
1953  *
1954  * Description:
1955  * Set the CIPSO option on the given socket using the DOI definition and
1956  * security attributes passed to the function.  Returns zero on success and
1957  * negative values on failure.
1958  *
1959  */
1960 int cipso_v4_req_setattr(struct request_sock *req,
1961 			 const struct cipso_v4_doi *doi_def,
1962 			 const struct netlbl_lsm_secattr *secattr)
1963 {
1964 	int ret_val = -EPERM;
1965 	unsigned char *buf = NULL;
1966 	u32 buf_len;
1967 	u32 opt_len;
1968 	struct ip_options_rcu *opt = NULL;
1969 	struct inet_request_sock *req_inet;
1970 
1971 	/* We allocate the maximum CIPSO option size here so we are probably
1972 	 * being a little wasteful, but it makes our life _much_ easier later
1973 	 * on and after all we are only talking about 40 bytes. */
1974 	buf_len = CIPSO_V4_OPT_LEN_MAX;
1975 	buf = kmalloc(buf_len, GFP_ATOMIC);
1976 	if (buf == NULL) {
1977 		ret_val = -ENOMEM;
1978 		goto req_setattr_failure;
1979 	}
1980 
1981 	ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
1982 	if (ret_val < 0)
1983 		goto req_setattr_failure;
1984 	buf_len = ret_val;
1985 
1986 	/* We can't use ip_options_get() directly because it makes a call to
1987 	 * ip_options_get_alloc() which allocates memory with GFP_KERNEL and
1988 	 * we won't always have CAP_NET_RAW even though we _always_ want to
1989 	 * set the IPOPT_CIPSO option. */
1990 	opt_len = (buf_len + 3) & ~3;
1991 	opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC);
1992 	if (opt == NULL) {
1993 		ret_val = -ENOMEM;
1994 		goto req_setattr_failure;
1995 	}
1996 	memcpy(opt->opt.__data, buf, buf_len);
1997 	opt->opt.optlen = opt_len;
1998 	opt->opt.cipso = sizeof(struct iphdr);
1999 	kfree(buf);
2000 	buf = NULL;
2001 
2002 	req_inet = inet_rsk(req);
2003 	opt = xchg(&req_inet->opt, opt);
2004 	if (opt)
2005 		kfree_rcu(opt, rcu);
2006 
2007 	return 0;
2008 
2009 req_setattr_failure:
2010 	kfree(buf);
2011 	kfree(opt);
2012 	return ret_val;
2013 }
2014 
2015 /**
2016  * cipso_v4_delopt - Delete the CIPSO option from a set of IP options
2017  * @opt_ptr: IP option pointer
2018  *
2019  * Description:
2020  * Deletes the CIPSO IP option from a set of IP options and makes the necessary
2021  * adjustments to the IP option structure.  Returns zero on success, negative
2022  * values on failure.
2023  *
2024  */
2025 static int cipso_v4_delopt(struct ip_options_rcu **opt_ptr)
2026 {
2027 	int hdr_delta = 0;
2028 	struct ip_options_rcu *opt = *opt_ptr;
2029 
2030 	if (opt->opt.srr || opt->opt.rr || opt->opt.ts || opt->opt.router_alert) {
2031 		u8 cipso_len;
2032 		u8 cipso_off;
2033 		unsigned char *cipso_ptr;
2034 		int iter;
2035 		int optlen_new;
2036 
2037 		cipso_off = opt->opt.cipso - sizeof(struct iphdr);
2038 		cipso_ptr = &opt->opt.__data[cipso_off];
2039 		cipso_len = cipso_ptr[1];
2040 
2041 		if (opt->opt.srr > opt->opt.cipso)
2042 			opt->opt.srr -= cipso_len;
2043 		if (opt->opt.rr > opt->opt.cipso)
2044 			opt->opt.rr -= cipso_len;
2045 		if (opt->opt.ts > opt->opt.cipso)
2046 			opt->opt.ts -= cipso_len;
2047 		if (opt->opt.router_alert > opt->opt.cipso)
2048 			opt->opt.router_alert -= cipso_len;
2049 		opt->opt.cipso = 0;
2050 
2051 		memmove(cipso_ptr, cipso_ptr + cipso_len,
2052 			opt->opt.optlen - cipso_off - cipso_len);
2053 
2054 		/* determining the new total option length is tricky because of
2055 		 * the padding necessary, the only thing i can think to do at
2056 		 * this point is walk the options one-by-one, skipping the
2057 		 * padding at the end to determine the actual option size and
2058 		 * from there we can determine the new total option length */
2059 		iter = 0;
2060 		optlen_new = 0;
2061 		while (iter < opt->opt.optlen)
2062 			if (opt->opt.__data[iter] != IPOPT_NOP) {
2063 				iter += opt->opt.__data[iter + 1];
2064 				optlen_new = iter;
2065 			} else
2066 				iter++;
2067 		hdr_delta = opt->opt.optlen;
2068 		opt->opt.optlen = (optlen_new + 3) & ~3;
2069 		hdr_delta -= opt->opt.optlen;
2070 	} else {
2071 		/* only the cipso option was present on the socket so we can
2072 		 * remove the entire option struct */
2073 		*opt_ptr = NULL;
2074 		hdr_delta = opt->opt.optlen;
2075 		kfree_rcu(opt, rcu);
2076 	}
2077 
2078 	return hdr_delta;
2079 }
2080 
2081 /**
2082  * cipso_v4_sock_delattr - Delete the CIPSO option from a socket
2083  * @sk: the socket
2084  *
2085  * Description:
2086  * Removes the CIPSO option from a socket, if present.
2087  *
2088  */
2089 void cipso_v4_sock_delattr(struct sock *sk)
2090 {
2091 	int hdr_delta;
2092 	struct ip_options_rcu *opt;
2093 	struct inet_sock *sk_inet;
2094 
2095 	sk_inet = inet_sk(sk);
2096 	opt = rcu_dereference_protected(sk_inet->inet_opt, 1);
2097 	if (opt == NULL || opt->opt.cipso == 0)
2098 		return;
2099 
2100 	hdr_delta = cipso_v4_delopt(&sk_inet->inet_opt);
2101 	if (sk_inet->is_icsk && hdr_delta > 0) {
2102 		struct inet_connection_sock *sk_conn = inet_csk(sk);
2103 		sk_conn->icsk_ext_hdr_len -= hdr_delta;
2104 		sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
2105 	}
2106 }
2107 
2108 /**
2109  * cipso_v4_req_delattr - Delete the CIPSO option from a request socket
2110  * @reg: the request socket
2111  *
2112  * Description:
2113  * Removes the CIPSO option from a request socket, if present.
2114  *
2115  */
2116 void cipso_v4_req_delattr(struct request_sock *req)
2117 {
2118 	struct ip_options_rcu *opt;
2119 	struct inet_request_sock *req_inet;
2120 
2121 	req_inet = inet_rsk(req);
2122 	opt = req_inet->opt;
2123 	if (opt == NULL || opt->opt.cipso == 0)
2124 		return;
2125 
2126 	cipso_v4_delopt(&req_inet->opt);
2127 }
2128 
2129 /**
2130  * cipso_v4_getattr - Helper function for the cipso_v4_*_getattr functions
2131  * @cipso: the CIPSO v4 option
2132  * @secattr: the security attributes
2133  *
2134  * Description:
2135  * Inspect @cipso and return the security attributes in @secattr.  Returns zero
2136  * on success and negative values on failure.
2137  *
2138  */
2139 static int cipso_v4_getattr(const unsigned char *cipso,
2140 			    struct netlbl_lsm_secattr *secattr)
2141 {
2142 	int ret_val = -ENOMSG;
2143 	u32 doi;
2144 	struct cipso_v4_doi *doi_def;
2145 
2146 	if (cipso_v4_cache_check(cipso, cipso[1], secattr) == 0)
2147 		return 0;
2148 
2149 	doi = get_unaligned_be32(&cipso[2]);
2150 	rcu_read_lock();
2151 	doi_def = cipso_v4_doi_search(doi);
2152 	if (doi_def == NULL)
2153 		goto getattr_return;
2154 	/* XXX - This code assumes only one tag per CIPSO option which isn't
2155 	 * really a good assumption to make but since we only support the MAC
2156 	 * tags right now it is a safe assumption. */
2157 	switch (cipso[6]) {
2158 	case CIPSO_V4_TAG_RBITMAP:
2159 		ret_val = cipso_v4_parsetag_rbm(doi_def, &cipso[6], secattr);
2160 		break;
2161 	case CIPSO_V4_TAG_ENUM:
2162 		ret_val = cipso_v4_parsetag_enum(doi_def, &cipso[6], secattr);
2163 		break;
2164 	case CIPSO_V4_TAG_RANGE:
2165 		ret_val = cipso_v4_parsetag_rng(doi_def, &cipso[6], secattr);
2166 		break;
2167 	case CIPSO_V4_TAG_LOCAL:
2168 		ret_val = cipso_v4_parsetag_loc(doi_def, &cipso[6], secattr);
2169 		break;
2170 	}
2171 	if (ret_val == 0)
2172 		secattr->type = NETLBL_NLTYPE_CIPSOV4;
2173 
2174 getattr_return:
2175 	rcu_read_unlock();
2176 	return ret_val;
2177 }
2178 
2179 /**
2180  * cipso_v4_sock_getattr - Get the security attributes from a sock
2181  * @sk: the sock
2182  * @secattr: the security attributes
2183  *
2184  * Description:
2185  * Query @sk to see if there is a CIPSO option attached to the sock and if
2186  * there is return the CIPSO security attributes in @secattr.  This function
2187  * requires that @sk be locked, or privately held, but it does not do any
2188  * locking itself.  Returns zero on success and negative values on failure.
2189  *
2190  */
2191 int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
2192 {
2193 	struct ip_options_rcu *opt;
2194 	int res = -ENOMSG;
2195 
2196 	rcu_read_lock();
2197 	opt = rcu_dereference(inet_sk(sk)->inet_opt);
2198 	if (opt && opt->opt.cipso)
2199 		res = cipso_v4_getattr(opt->opt.__data +
2200 						opt->opt.cipso -
2201 						sizeof(struct iphdr),
2202 				       secattr);
2203 	rcu_read_unlock();
2204 	return res;
2205 }
2206 
2207 /**
2208  * cipso_v4_skbuff_setattr - Set the CIPSO option on a packet
2209  * @skb: the packet
2210  * @secattr: the security attributes
2211  *
2212  * Description:
2213  * Set the CIPSO option on the given packet based on the security attributes.
2214  * Returns a pointer to the IP header on success and NULL on failure.
2215  *
2216  */
2217 int cipso_v4_skbuff_setattr(struct sk_buff *skb,
2218 			    const struct cipso_v4_doi *doi_def,
2219 			    const struct netlbl_lsm_secattr *secattr)
2220 {
2221 	int ret_val;
2222 	struct iphdr *iph;
2223 	struct ip_options *opt = &IPCB(skb)->opt;
2224 	unsigned char buf[CIPSO_V4_OPT_LEN_MAX];
2225 	u32 buf_len = CIPSO_V4_OPT_LEN_MAX;
2226 	u32 opt_len;
2227 	int len_delta;
2228 
2229 	ret_val = cipso_v4_genopt(buf, buf_len, doi_def, secattr);
2230 	if (ret_val < 0)
2231 		return ret_val;
2232 	buf_len = ret_val;
2233 	opt_len = (buf_len + 3) & ~3;
2234 
2235 	/* we overwrite any existing options to ensure that we have enough
2236 	 * room for the CIPSO option, the reason is that we _need_ to guarantee
2237 	 * that the security label is applied to the packet - we do the same
2238 	 * thing when using the socket options and it hasn't caused a problem,
2239 	 * if we need to we can always revisit this choice later */
2240 
2241 	len_delta = opt_len - opt->optlen;
2242 	/* if we don't ensure enough headroom we could panic on the skb_push()
2243 	 * call below so make sure we have enough, we are also "mangling" the
2244 	 * packet so we should probably do a copy-on-write call anyway */
2245 	ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
2246 	if (ret_val < 0)
2247 		return ret_val;
2248 
2249 	if (len_delta > 0) {
2250 		/* we assume that the header + opt->optlen have already been
2251 		 * "pushed" in ip_options_build() or similar */
2252 		iph = ip_hdr(skb);
2253 		skb_push(skb, len_delta);
2254 		memmove((char *)iph - len_delta, iph, iph->ihl << 2);
2255 		skb_reset_network_header(skb);
2256 		iph = ip_hdr(skb);
2257 	} else if (len_delta < 0) {
2258 		iph = ip_hdr(skb);
2259 		memset(iph + 1, IPOPT_NOP, opt->optlen);
2260 	} else
2261 		iph = ip_hdr(skb);
2262 
2263 	if (opt->optlen > 0)
2264 		memset(opt, 0, sizeof(*opt));
2265 	opt->optlen = opt_len;
2266 	opt->cipso = sizeof(struct iphdr);
2267 	opt->is_changed = 1;
2268 
2269 	/* we have to do the following because we are being called from a
2270 	 * netfilter hook which means the packet already has had the header
2271 	 * fields populated and the checksum calculated - yes this means we
2272 	 * are doing more work than needed but we do it to keep the core
2273 	 * stack clean and tidy */
2274 	memcpy(iph + 1, buf, buf_len);
2275 	if (opt_len > buf_len)
2276 		memset((char *)(iph + 1) + buf_len, 0, opt_len - buf_len);
2277 	if (len_delta != 0) {
2278 		iph->ihl = 5 + (opt_len >> 2);
2279 		iph->tot_len = htons(skb->len);
2280 	}
2281 	ip_send_check(iph);
2282 
2283 	return 0;
2284 }
2285 
2286 /**
2287  * cipso_v4_skbuff_delattr - Delete any CIPSO options from a packet
2288  * @skb: the packet
2289  *
2290  * Description:
2291  * Removes any and all CIPSO options from the given packet.  Returns zero on
2292  * success, negative values on failure.
2293  *
2294  */
2295 int cipso_v4_skbuff_delattr(struct sk_buff *skb)
2296 {
2297 	int ret_val;
2298 	struct iphdr *iph;
2299 	struct ip_options *opt = &IPCB(skb)->opt;
2300 	unsigned char *cipso_ptr;
2301 
2302 	if (opt->cipso == 0)
2303 		return 0;
2304 
2305 	/* since we are changing the packet we should make a copy */
2306 	ret_val = skb_cow(skb, skb_headroom(skb));
2307 	if (ret_val < 0)
2308 		return ret_val;
2309 
2310 	/* the easiest thing to do is just replace the cipso option with noop
2311 	 * options since we don't change the size of the packet, although we
2312 	 * still need to recalculate the checksum */
2313 
2314 	iph = ip_hdr(skb);
2315 	cipso_ptr = (unsigned char *)iph + opt->cipso;
2316 	memset(cipso_ptr, IPOPT_NOOP, cipso_ptr[1]);
2317 	opt->cipso = 0;
2318 	opt->is_changed = 1;
2319 
2320 	ip_send_check(iph);
2321 
2322 	return 0;
2323 }
2324 
2325 /**
2326  * cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option
2327  * @skb: the packet
2328  * @secattr: the security attributes
2329  *
2330  * Description:
2331  * Parse the given packet's CIPSO option and return the security attributes.
2332  * Returns zero on success and negative values on failure.
2333  *
2334  */
2335 int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
2336 			    struct netlbl_lsm_secattr *secattr)
2337 {
2338 	return cipso_v4_getattr(CIPSO_V4_OPTPTR(skb), secattr);
2339 }
2340 
2341 /*
2342  * Setup Functions
2343  */
2344 
2345 /**
2346  * cipso_v4_init - Initialize the CIPSO module
2347  *
2348  * Description:
2349  * Initialize the CIPSO module and prepare it for use.  Returns zero on success
2350  * and negative values on failure.
2351  *
2352  */
2353 static int __init cipso_v4_init(void)
2354 {
2355 	int ret_val;
2356 
2357 	ret_val = cipso_v4_cache_init();
2358 	if (ret_val != 0)
2359 		panic("Failed to initialize the CIPSO/IPv4 cache (%d)\n",
2360 		      ret_val);
2361 
2362 	return 0;
2363 }
2364 
2365 subsys_initcall(cipso_v4_init);
2366