Commit | Line | Data |
---|---|---|
cb72d382 HD |
1 | /* |
2 | * CALIPSO - Common Architecture Label IPv6 Security Option | |
3 | * | |
4 | * This is an implementation of the CALIPSO protocol as specified in | |
5 | * RFC 5570. | |
6 | * | |
7 | * Authors: Paul Moore <paul.moore@hp.com> | |
8 | * Huw Davies <huw@codeweavers.com> | |
9 | * | |
10 | */ | |
11 | ||
12 | /* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008 | |
13 | * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015 | |
14 | * | |
15 | * This program is free software; you can redistribute it and/or modify | |
16 | * it under the terms of the GNU General Public License as published by | |
17 | * the Free Software Foundation; either version 2 of the License, or | |
18 | * (at your option) any later version. | |
19 | * | |
20 | * This program is distributed in the hope that it will be useful, | |
21 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
22 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See | |
23 | * the GNU General Public License for more details. | |
24 | * | |
25 | * You should have received a copy of the GNU General Public License | |
26 | * along with this program; if not, see <http://www.gnu.org/licenses/>. | |
27 | * | |
28 | */ | |
29 | ||
30 | #include <linux/init.h> | |
31 | #include <linux/types.h> | |
32 | #include <linux/rcupdate.h> | |
33 | #include <linux/list.h> | |
34 | #include <linux/spinlock.h> | |
35 | #include <linux/string.h> | |
36 | #include <linux/jhash.h> | |
37 | #include <linux/audit.h> | |
38 | #include <linux/slab.h> | |
39 | #include <net/ip.h> | |
40 | #include <net/icmp.h> | |
41 | #include <net/tcp.h> | |
42 | #include <net/netlabel.h> | |
43 | #include <net/calipso.h> | |
44 | #include <linux/atomic.h> | |
45 | #include <linux/bug.h> | |
46 | #include <asm/unaligned.h> | |
ceba1832 HD |
47 | #include <linux/crc-ccitt.h> |
48 | ||
49 | /* Maximium size of the calipso option including | |
50 | * the two-byte TLV header. | |
51 | */ | |
52 | #define CALIPSO_OPT_LEN_MAX (2 + 252) | |
53 | ||
54 | /* Size of the minimum calipso option including | |
55 | * the two-byte TLV header. | |
56 | */ | |
57 | #define CALIPSO_HDR_LEN (2 + 8) | |
58 | ||
59 | /* Maximium size of the calipso option including | |
60 | * the two-byte TLV header and upto 3 bytes of | |
61 | * leading pad and 7 bytes of trailing pad. | |
62 | */ | |
63 | #define CALIPSO_OPT_LEN_MAX_WITH_PAD (3 + CALIPSO_OPT_LEN_MAX + 7) | |
64 | ||
2917f57b HD |
65 | /* Maximium size of u32 aligned buffer required to hold calipso |
66 | * option. Max of 3 initial pad bytes starting from buffer + 3. | |
67 | * i.e. the worst case is when the previous tlv finishes on 4n + 3. | |
68 | */ | |
69 | #define CALIPSO_MAX_BUFFER (6 + CALIPSO_OPT_LEN_MAX) | |
cb72d382 HD |
70 | |
71 | /* List of available DOI definitions */ | |
72 | static DEFINE_SPINLOCK(calipso_doi_list_lock); | |
73 | static LIST_HEAD(calipso_doi_list); | |
74 | ||
75 | /* DOI List Functions | |
76 | */ | |
77 | ||
78 | /** | |
79 | * calipso_doi_search - Searches for a DOI definition | |
80 | * @doi: the DOI to search for | |
81 | * | |
82 | * Description: | |
83 | * Search the DOI definition list for a DOI definition with a DOI value that | |
84 | * matches @doi. The caller is responsible for calling rcu_read_[un]lock(). | |
85 | * Returns a pointer to the DOI definition on success and NULL on failure. | |
86 | */ | |
87 | static struct calipso_doi *calipso_doi_search(u32 doi) | |
88 | { | |
89 | struct calipso_doi *iter; | |
90 | ||
91 | list_for_each_entry_rcu(iter, &calipso_doi_list, list) | |
92 | if (iter->doi == doi && atomic_read(&iter->refcount)) | |
93 | return iter; | |
94 | return NULL; | |
95 | } | |
96 | ||
97 | /** | |
98 | * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine | |
99 | * @doi_def: the DOI structure | |
100 | * @audit_info: NetLabel audit information | |
101 | * | |
102 | * Description: | |
103 | * The caller defines a new DOI for use by the CALIPSO engine and calls this | |
104 | * function to add it to the list of acceptable domains. The caller must | |
105 | * ensure that the mapping table specified in @doi_def->map meets all of the | |
106 | * requirements of the mapping type (see calipso.h for details). Returns | |
107 | * zero on success and non-zero on failure. | |
108 | * | |
109 | */ | |
110 | static int calipso_doi_add(struct calipso_doi *doi_def, | |
111 | struct netlbl_audit *audit_info) | |
112 | { | |
113 | int ret_val = -EINVAL; | |
114 | u32 doi; | |
115 | u32 doi_type; | |
116 | struct audit_buffer *audit_buf; | |
117 | ||
118 | doi = doi_def->doi; | |
119 | doi_type = doi_def->type; | |
120 | ||
121 | if (doi_def->doi == CALIPSO_DOI_UNKNOWN) | |
122 | goto doi_add_return; | |
123 | ||
124 | atomic_set(&doi_def->refcount, 1); | |
125 | ||
126 | spin_lock(&calipso_doi_list_lock); | |
127 | if (calipso_doi_search(doi_def->doi)) { | |
128 | spin_unlock(&calipso_doi_list_lock); | |
129 | ret_val = -EEXIST; | |
130 | goto doi_add_return; | |
131 | } | |
132 | list_add_tail_rcu(&doi_def->list, &calipso_doi_list); | |
133 | spin_unlock(&calipso_doi_list_lock); | |
134 | ret_val = 0; | |
135 | ||
136 | doi_add_return: | |
137 | audit_buf = netlbl_audit_start(AUDIT_MAC_CALIPSO_ADD, audit_info); | |
138 | if (audit_buf) { | |
139 | const char *type_str; | |
140 | ||
141 | switch (doi_type) { | |
142 | case CALIPSO_MAP_PASS: | |
143 | type_str = "pass"; | |
144 | break; | |
145 | default: | |
146 | type_str = "(unknown)"; | |
147 | } | |
148 | audit_log_format(audit_buf, | |
149 | " calipso_doi=%u calipso_type=%s res=%u", | |
150 | doi, type_str, ret_val == 0 ? 1 : 0); | |
151 | audit_log_end(audit_buf); | |
152 | } | |
153 | ||
154 | return ret_val; | |
155 | } | |
156 | ||
157 | /** | |
158 | * calipso_doi_free - Frees a DOI definition | |
159 | * @doi_def: the DOI definition | |
160 | * | |
161 | * Description: | |
162 | * This function frees all of the memory associated with a DOI definition. | |
163 | * | |
164 | */ | |
165 | static void calipso_doi_free(struct calipso_doi *doi_def) | |
166 | { | |
167 | kfree(doi_def); | |
168 | } | |
169 | ||
a5e34490 HD |
170 | /** |
171 | * calipso_doi_free_rcu - Frees a DOI definition via the RCU pointer | |
172 | * @entry: the entry's RCU field | |
173 | * | |
174 | * Description: | |
175 | * This function is designed to be used as a callback to the call_rcu() | |
176 | * function so that the memory allocated to the DOI definition can be released | |
177 | * safely. | |
178 | * | |
179 | */ | |
180 | static void calipso_doi_free_rcu(struct rcu_head *entry) | |
181 | { | |
182 | struct calipso_doi *doi_def; | |
183 | ||
184 | doi_def = container_of(entry, struct calipso_doi, rcu); | |
185 | calipso_doi_free(doi_def); | |
186 | } | |
187 | ||
d7cce015 HD |
188 | /** |
189 | * calipso_doi_remove - Remove an existing DOI from the CALIPSO protocol engine | |
190 | * @doi: the DOI value | |
191 | * @audit_secid: the LSM secid to use in the audit message | |
192 | * | |
193 | * Description: | |
194 | * Removes a DOI definition from the CALIPSO engine. The NetLabel routines will | |
195 | * be called to release their own LSM domain mappings as well as our own | |
196 | * domain list. Returns zero on success and negative values on failure. | |
197 | * | |
198 | */ | |
199 | static int calipso_doi_remove(u32 doi, struct netlbl_audit *audit_info) | |
200 | { | |
201 | int ret_val; | |
202 | struct calipso_doi *doi_def; | |
203 | struct audit_buffer *audit_buf; | |
204 | ||
205 | spin_lock(&calipso_doi_list_lock); | |
206 | doi_def = calipso_doi_search(doi); | |
207 | if (!doi_def) { | |
208 | spin_unlock(&calipso_doi_list_lock); | |
209 | ret_val = -ENOENT; | |
210 | goto doi_remove_return; | |
211 | } | |
212 | if (!atomic_dec_and_test(&doi_def->refcount)) { | |
213 | spin_unlock(&calipso_doi_list_lock); | |
214 | ret_val = -EBUSY; | |
215 | goto doi_remove_return; | |
216 | } | |
217 | list_del_rcu(&doi_def->list); | |
218 | spin_unlock(&calipso_doi_list_lock); | |
219 | ||
220 | call_rcu(&doi_def->rcu, calipso_doi_free_rcu); | |
221 | ret_val = 0; | |
222 | ||
223 | doi_remove_return: | |
224 | audit_buf = netlbl_audit_start(AUDIT_MAC_CALIPSO_DEL, audit_info); | |
225 | if (audit_buf) { | |
226 | audit_log_format(audit_buf, | |
227 | " calipso_doi=%u res=%u", | |
228 | doi, ret_val == 0 ? 1 : 0); | |
229 | audit_log_end(audit_buf); | |
230 | } | |
231 | ||
232 | return ret_val; | |
233 | } | |
234 | ||
a5e34490 HD |
235 | /** |
236 | * calipso_doi_getdef - Returns a reference to a valid DOI definition | |
237 | * @doi: the DOI value | |
238 | * | |
239 | * Description: | |
240 | * Searches for a valid DOI definition and if one is found it is returned to | |
241 | * the caller. Otherwise NULL is returned. The caller must ensure that | |
242 | * calipso_doi_putdef() is called when the caller is done. | |
243 | * | |
244 | */ | |
245 | static struct calipso_doi *calipso_doi_getdef(u32 doi) | |
246 | { | |
247 | struct calipso_doi *doi_def; | |
248 | ||
249 | rcu_read_lock(); | |
250 | doi_def = calipso_doi_search(doi); | |
251 | if (!doi_def) | |
252 | goto doi_getdef_return; | |
253 | if (!atomic_inc_not_zero(&doi_def->refcount)) | |
254 | doi_def = NULL; | |
255 | ||
256 | doi_getdef_return: | |
257 | rcu_read_unlock(); | |
258 | return doi_def; | |
259 | } | |
260 | ||
261 | /** | |
262 | * calipso_doi_putdef - Releases a reference for the given DOI definition | |
263 | * @doi_def: the DOI definition | |
264 | * | |
265 | * Description: | |
266 | * Releases a DOI definition reference obtained from calipso_doi_getdef(). | |
267 | * | |
268 | */ | |
269 | static void calipso_doi_putdef(struct calipso_doi *doi_def) | |
270 | { | |
271 | if (!doi_def) | |
272 | return; | |
273 | ||
274 | if (!atomic_dec_and_test(&doi_def->refcount)) | |
275 | return; | |
276 | spin_lock(&calipso_doi_list_lock); | |
277 | list_del_rcu(&doi_def->list); | |
278 | spin_unlock(&calipso_doi_list_lock); | |
279 | ||
280 | call_rcu(&doi_def->rcu, calipso_doi_free_rcu); | |
281 | } | |
282 | ||
e1ce69df HD |
283 | /** |
284 | * calipso_doi_walk - Iterate through the DOI definitions | |
285 | * @skip_cnt: skip past this number of DOI definitions, updated | |
286 | * @callback: callback for each DOI definition | |
287 | * @cb_arg: argument for the callback function | |
288 | * | |
289 | * Description: | |
290 | * Iterate over the DOI definition list, skipping the first @skip_cnt entries. | |
291 | * For each entry call @callback, if @callback returns a negative value stop | |
292 | * 'walking' through the list and return. Updates the value in @skip_cnt upon | |
293 | * return. Returns zero on success, negative values on failure. | |
294 | * | |
295 | */ | |
296 | static int calipso_doi_walk(u32 *skip_cnt, | |
297 | int (*callback)(struct calipso_doi *doi_def, | |
298 | void *arg), | |
299 | void *cb_arg) | |
300 | { | |
301 | int ret_val = -ENOENT; | |
302 | u32 doi_cnt = 0; | |
303 | struct calipso_doi *iter_doi; | |
304 | ||
305 | rcu_read_lock(); | |
306 | list_for_each_entry_rcu(iter_doi, &calipso_doi_list, list) | |
307 | if (atomic_read(&iter_doi->refcount) > 0) { | |
308 | if (doi_cnt++ < *skip_cnt) | |
309 | continue; | |
310 | ret_val = callback(iter_doi, cb_arg); | |
311 | if (ret_val < 0) { | |
312 | doi_cnt--; | |
313 | goto doi_walk_return; | |
314 | } | |
315 | } | |
316 | ||
317 | doi_walk_return: | |
318 | rcu_read_unlock(); | |
319 | *skip_cnt = doi_cnt; | |
320 | return ret_val; | |
321 | } | |
322 | ||
ceba1832 HD |
323 | /** |
324 | * calipso_map_cat_hton - Perform a category mapping from host to network | |
325 | * @doi_def: the DOI definition | |
326 | * @secattr: the security attributes | |
327 | * @net_cat: the zero'd out category bitmap in network/CALIPSO format | |
328 | * @net_cat_len: the length of the CALIPSO bitmap in bytes | |
329 | * | |
330 | * Description: | |
331 | * Perform a label mapping to translate a local MLS category bitmap to the | |
332 | * correct CALIPSO bitmap using the given DOI definition. Returns the minimum | |
333 | * size in bytes of the network bitmap on success, negative values otherwise. | |
334 | * | |
335 | */ | |
336 | static int calipso_map_cat_hton(const struct calipso_doi *doi_def, | |
337 | const struct netlbl_lsm_secattr *secattr, | |
338 | unsigned char *net_cat, | |
339 | u32 net_cat_len) | |
340 | { | |
341 | int spot = -1; | |
342 | u32 net_spot_max = 0; | |
343 | u32 net_clen_bits = net_cat_len * 8; | |
344 | ||
345 | for (;;) { | |
346 | spot = netlbl_catmap_walk(secattr->attr.mls.cat, | |
347 | spot + 1); | |
348 | if (spot < 0) | |
349 | break; | |
350 | if (spot >= net_clen_bits) | |
351 | return -ENOSPC; | |
352 | netlbl_bitmap_setbit(net_cat, spot, 1); | |
353 | ||
354 | if (spot > net_spot_max) | |
355 | net_spot_max = spot; | |
356 | } | |
357 | ||
358 | return (net_spot_max / 32 + 1) * 4; | |
359 | } | |
360 | ||
361 | /** | |
362 | * calipso_map_cat_ntoh - Perform a category mapping from network to host | |
363 | * @doi_def: the DOI definition | |
364 | * @net_cat: the category bitmap in network/CALIPSO format | |
365 | * @net_cat_len: the length of the CALIPSO bitmap in bytes | |
366 | * @secattr: the security attributes | |
367 | * | |
368 | * Description: | |
369 | * Perform a label mapping to translate a CALIPSO bitmap to the correct local | |
370 | * MLS category bitmap using the given DOI definition. Returns zero on | |
371 | * success, negative values on failure. | |
372 | * | |
373 | */ | |
374 | static int calipso_map_cat_ntoh(const struct calipso_doi *doi_def, | |
375 | const unsigned char *net_cat, | |
376 | u32 net_cat_len, | |
377 | struct netlbl_lsm_secattr *secattr) | |
378 | { | |
379 | int ret_val; | |
380 | int spot = -1; | |
381 | u32 net_clen_bits = net_cat_len * 8; | |
382 | ||
383 | for (;;) { | |
384 | spot = netlbl_bitmap_walk(net_cat, | |
385 | net_clen_bits, | |
386 | spot + 1, | |
387 | 1); | |
388 | if (spot < 0) { | |
389 | if (spot == -2) | |
390 | return -EFAULT; | |
391 | return 0; | |
392 | } | |
393 | ||
394 | ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat, | |
395 | spot, | |
396 | GFP_ATOMIC); | |
397 | if (ret_val != 0) | |
398 | return ret_val; | |
399 | } | |
400 | ||
401 | return -EINVAL; | |
402 | } | |
403 | ||
404 | /** | |
405 | * calipso_pad_write - Writes pad bytes in TLV format | |
406 | * @buf: the buffer | |
407 | * @offset: offset from start of buffer to write padding | |
408 | * @count: number of pad bytes to write | |
409 | * | |
410 | * Description: | |
411 | * Write @count bytes of TLV padding into @buffer starting at offset @offset. | |
412 | * @count should be less than 8 - see RFC 4942. | |
413 | * | |
414 | */ | |
415 | static int calipso_pad_write(unsigned char *buf, unsigned int offset, | |
416 | unsigned int count) | |
417 | { | |
418 | if (WARN_ON_ONCE(count >= 8)) | |
419 | return -EINVAL; | |
420 | ||
421 | switch (count) { | |
422 | case 0: | |
423 | break; | |
424 | case 1: | |
425 | buf[offset] = IPV6_TLV_PAD1; | |
426 | break; | |
427 | default: | |
428 | buf[offset] = IPV6_TLV_PADN; | |
429 | buf[offset + 1] = count - 2; | |
430 | if (count > 2) | |
431 | memset(buf + offset + 2, 0, count - 2); | |
432 | break; | |
433 | } | |
434 | return 0; | |
435 | } | |
436 | ||
437 | /** | |
438 | * calipso_genopt - Generate a CALIPSO option | |
439 | * @buf: the option buffer | |
440 | * @start: offset from which to write | |
441 | * @buf_len: the size of opt_buf | |
442 | * @doi_def: the CALIPSO DOI to use | |
443 | * @secattr: the security attributes | |
444 | * | |
445 | * Description: | |
446 | * Generate a CALIPSO option using the DOI definition and security attributes | |
447 | * passed to the function. This also generates upto three bytes of leading | |
448 | * padding that ensures that the option is 4n + 2 aligned. It returns the | |
449 | * number of bytes written (including any initial padding). | |
450 | */ | |
451 | static int calipso_genopt(unsigned char *buf, u32 start, u32 buf_len, | |
452 | const struct calipso_doi *doi_def, | |
453 | const struct netlbl_lsm_secattr *secattr) | |
454 | { | |
455 | int ret_val; | |
456 | u32 len, pad; | |
457 | u16 crc; | |
458 | static const unsigned char padding[4] = {2, 1, 0, 3}; | |
459 | unsigned char *calipso; | |
460 | ||
461 | /* CALIPSO has 4n + 2 alignment */ | |
462 | pad = padding[start & 3]; | |
463 | if (buf_len <= start + pad + CALIPSO_HDR_LEN) | |
464 | return -ENOSPC; | |
465 | ||
466 | if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0) | |
467 | return -EPERM; | |
468 | ||
469 | len = CALIPSO_HDR_LEN; | |
470 | ||
471 | if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { | |
472 | ret_val = calipso_map_cat_hton(doi_def, | |
473 | secattr, | |
474 | buf + start + pad + len, | |
475 | buf_len - start - pad - len); | |
476 | if (ret_val < 0) | |
477 | return ret_val; | |
478 | len += ret_val; | |
479 | } | |
480 | ||
481 | calipso_pad_write(buf, start, pad); | |
482 | calipso = buf + start + pad; | |
483 | ||
484 | calipso[0] = IPV6_TLV_CALIPSO; | |
485 | calipso[1] = len - 2; | |
486 | *(__be32 *)(calipso + 2) = htonl(doi_def->doi); | |
487 | calipso[6] = (len - CALIPSO_HDR_LEN) / 4; | |
488 | calipso[7] = secattr->attr.mls.lvl, | |
489 | crc = ~crc_ccitt(0xffff, calipso, len); | |
490 | calipso[8] = crc & 0xff; | |
491 | calipso[9] = (crc >> 8) & 0xff; | |
492 | return pad + len; | |
493 | } | |
494 | ||
495 | /* Hop-by-hop hdr helper functions | |
496 | */ | |
497 | ||
498 | /** | |
499 | * calipso_opt_update - Replaces socket's hop options with a new set | |
500 | * @sk: the socket | |
501 | * @hop: new hop options | |
502 | * | |
503 | * Description: | |
504 | * Replaces @sk's hop options with @hop. @hop may be NULL to leave | |
505 | * the socket with no hop options. | |
506 | * | |
507 | */ | |
508 | static int calipso_opt_update(struct sock *sk, struct ipv6_opt_hdr *hop) | |
509 | { | |
510 | struct ipv6_txoptions *old = txopt_get(inet6_sk(sk)), *txopts; | |
511 | ||
512 | txopts = ipv6_renew_options_kern(sk, old, IPV6_HOPOPTS, | |
513 | hop, hop ? ipv6_optlen(hop) : 0); | |
514 | txopt_put(old); | |
515 | if (IS_ERR(txopts)) | |
516 | return PTR_ERR(txopts); | |
517 | ||
518 | txopts = ipv6_update_options(sk, txopts); | |
519 | if (txopts) { | |
520 | atomic_sub(txopts->tot_len, &sk->sk_omem_alloc); | |
521 | txopt_put(txopts); | |
522 | } | |
523 | ||
524 | return 0; | |
525 | } | |
526 | ||
527 | /** | |
528 | * calipso_tlv_len - Returns the length of the TLV | |
529 | * @opt: the option header | |
530 | * @offset: offset of the TLV within the header | |
531 | * | |
532 | * Description: | |
533 | * Returns the length of the TLV option at offset @offset within | |
534 | * the option header @opt. Checks that the entire TLV fits inside | |
535 | * the option header, returns a negative value if this is not the case. | |
536 | */ | |
537 | static int calipso_tlv_len(struct ipv6_opt_hdr *opt, unsigned int offset) | |
538 | { | |
539 | unsigned char *tlv = (unsigned char *)opt; | |
540 | unsigned int opt_len = ipv6_optlen(opt), tlv_len; | |
541 | ||
542 | if (offset < sizeof(*opt) || offset >= opt_len) | |
543 | return -EINVAL; | |
544 | if (tlv[offset] == IPV6_TLV_PAD1) | |
545 | return 1; | |
546 | if (offset + 1 >= opt_len) | |
547 | return -EINVAL; | |
548 | tlv_len = tlv[offset + 1] + 2; | |
549 | if (offset + tlv_len > opt_len) | |
550 | return -EINVAL; | |
551 | return tlv_len; | |
552 | } | |
553 | ||
554 | /** | |
555 | * calipso_opt_find - Finds the CALIPSO option in an IPv6 hop options header | |
556 | * @hop: the hop options header | |
557 | * @start: on return holds the offset of any leading padding | |
558 | * @end: on return holds the offset of the first non-pad TLV after CALIPSO | |
559 | * | |
560 | * Description: | |
561 | * Finds the space occupied by a CALIPSO option (including any leading and | |
562 | * trailing padding). | |
563 | * | |
564 | * If a CALIPSO option exists set @start and @end to the | |
565 | * offsets within @hop of the start of padding before the first | |
566 | * CALIPSO option and the end of padding after the first CALIPSO | |
567 | * option. In this case the function returns 0. | |
568 | * | |
569 | * In the absence of a CALIPSO option, @start and @end will be | |
570 | * set to the start and end of any trailing padding in the header. | |
571 | * This is useful when appending a new option, as the caller may want | |
572 | * to overwrite some of this padding. In this case the function will | |
573 | * return -ENOENT. | |
574 | */ | |
575 | static int calipso_opt_find(struct ipv6_opt_hdr *hop, unsigned int *start, | |
576 | unsigned int *end) | |
577 | { | |
578 | int ret_val = -ENOENT, tlv_len; | |
579 | unsigned int opt_len, offset, offset_s = 0, offset_e = 0; | |
580 | unsigned char *opt = (unsigned char *)hop; | |
581 | ||
582 | opt_len = ipv6_optlen(hop); | |
583 | offset = sizeof(*hop); | |
584 | ||
585 | while (offset < opt_len) { | |
586 | tlv_len = calipso_tlv_len(hop, offset); | |
587 | if (tlv_len < 0) | |
588 | return tlv_len; | |
589 | ||
590 | switch (opt[offset]) { | |
591 | case IPV6_TLV_PAD1: | |
592 | case IPV6_TLV_PADN: | |
593 | if (offset_e) | |
594 | offset_e = offset; | |
595 | break; | |
596 | case IPV6_TLV_CALIPSO: | |
597 | ret_val = 0; | |
598 | offset_e = offset; | |
599 | break; | |
600 | default: | |
601 | if (offset_e == 0) | |
602 | offset_s = offset; | |
603 | else | |
604 | goto out; | |
605 | } | |
606 | offset += tlv_len; | |
607 | } | |
608 | ||
609 | out: | |
610 | if (offset_s) | |
611 | *start = offset_s + calipso_tlv_len(hop, offset_s); | |
612 | else | |
613 | *start = sizeof(*hop); | |
614 | if (offset_e) | |
615 | *end = offset_e + calipso_tlv_len(hop, offset_e); | |
616 | else | |
617 | *end = opt_len; | |
618 | ||
619 | return ret_val; | |
620 | } | |
621 | ||
622 | /** | |
623 | * calipso_opt_insert - Inserts a CALIPSO option into an IPv6 hop opt hdr | |
624 | * @hop: the original hop options header | |
625 | * @doi_def: the CALIPSO DOI to use | |
626 | * @secattr: the specific security attributes of the socket | |
627 | * | |
628 | * Description: | |
629 | * Creates a new hop options header based on @hop with a | |
630 | * CALIPSO option added to it. If @hop already contains a CALIPSO | |
631 | * option this is overwritten, otherwise the new option is appended | |
632 | * after any existing options. If @hop is NULL then the new header | |
633 | * will contain just the CALIPSO option and any needed padding. | |
634 | * | |
635 | */ | |
636 | static struct ipv6_opt_hdr * | |
637 | calipso_opt_insert(struct ipv6_opt_hdr *hop, | |
638 | const struct calipso_doi *doi_def, | |
639 | const struct netlbl_lsm_secattr *secattr) | |
640 | { | |
641 | unsigned int start, end, buf_len, pad, hop_len; | |
642 | struct ipv6_opt_hdr *new; | |
643 | int ret_val; | |
644 | ||
645 | if (hop) { | |
646 | hop_len = ipv6_optlen(hop); | |
647 | ret_val = calipso_opt_find(hop, &start, &end); | |
648 | if (ret_val && ret_val != -ENOENT) | |
649 | return ERR_PTR(ret_val); | |
650 | } else { | |
651 | hop_len = 0; | |
652 | start = sizeof(*hop); | |
653 | end = 0; | |
654 | } | |
655 | ||
656 | buf_len = hop_len + start - end + CALIPSO_OPT_LEN_MAX_WITH_PAD; | |
657 | new = kzalloc(buf_len, GFP_ATOMIC); | |
658 | if (!new) | |
659 | return ERR_PTR(-ENOMEM); | |
660 | ||
661 | if (start > sizeof(*hop)) | |
662 | memcpy(new, hop, start); | |
663 | ret_val = calipso_genopt((unsigned char *)new, start, buf_len, doi_def, | |
664 | secattr); | |
665 | if (ret_val < 0) | |
666 | return ERR_PTR(ret_val); | |
667 | ||
668 | buf_len = start + ret_val; | |
669 | /* At this point buf_len aligns to 4n, so (buf_len & 4) pads to 8n */ | |
670 | pad = ((buf_len & 4) + (end & 7)) & 7; | |
671 | calipso_pad_write((unsigned char *)new, buf_len, pad); | |
672 | buf_len += pad; | |
673 | ||
674 | if (end != hop_len) { | |
675 | memcpy((char *)new + buf_len, (char *)hop + end, hop_len - end); | |
676 | buf_len += hop_len - end; | |
677 | } | |
678 | new->nexthdr = 0; | |
679 | new->hdrlen = buf_len / 8 - 1; | |
680 | ||
681 | return new; | |
682 | } | |
683 | ||
684 | /** | |
685 | * calipso_opt_del - Removes the CALIPSO option from an option header | |
686 | * @hop: the original header | |
687 | * @new: the new header | |
688 | * | |
689 | * Description: | |
690 | * Creates a new header based on @hop without any CALIPSO option. If @hop | |
691 | * doesn't contain a CALIPSO option it returns -ENOENT. If @hop contains | |
692 | * no other non-padding options, it returns zero with @new set to NULL. | |
693 | * Otherwise it returns zero, creates a new header without the CALIPSO | |
694 | * option (and removing as much padding as possible) and returns with | |
695 | * @new set to that header. | |
696 | * | |
697 | */ | |
698 | static int calipso_opt_del(struct ipv6_opt_hdr *hop, | |
699 | struct ipv6_opt_hdr **new) | |
700 | { | |
701 | int ret_val; | |
702 | unsigned int start, end, delta, pad, hop_len; | |
703 | ||
704 | ret_val = calipso_opt_find(hop, &start, &end); | |
705 | if (ret_val) | |
706 | return ret_val; | |
707 | ||
708 | hop_len = ipv6_optlen(hop); | |
709 | if (start == sizeof(*hop) && end == hop_len) { | |
710 | /* There's no other option in the header so return NULL */ | |
711 | *new = NULL; | |
712 | return 0; | |
713 | } | |
714 | ||
715 | delta = (end - start) & ~7; | |
716 | *new = kzalloc(hop_len - delta, GFP_ATOMIC); | |
717 | if (!*new) | |
718 | return -ENOMEM; | |
719 | ||
720 | memcpy(*new, hop, start); | |
721 | (*new)->hdrlen -= delta / 8; | |
722 | pad = (end - start) & 7; | |
723 | calipso_pad_write((unsigned char *)*new, start, pad); | |
724 | if (end != hop_len) | |
725 | memcpy((char *)*new + start + pad, (char *)hop + end, | |
726 | hop_len - end); | |
727 | ||
728 | return 0; | |
729 | } | |
730 | ||
731 | /** | |
732 | * calipso_opt_getattr - Get the security attributes from a memory block | |
733 | * @calipso: the CALIPSO option | |
734 | * @secattr: the security attributes | |
735 | * | |
736 | * Description: | |
737 | * Inspect @calipso and return the security attributes in @secattr. | |
738 | * Returns zero on success and negative values on failure. | |
739 | * | |
740 | */ | |
741 | static int calipso_opt_getattr(const unsigned char *calipso, | |
742 | struct netlbl_lsm_secattr *secattr) | |
743 | { | |
744 | int ret_val = -ENOMSG; | |
745 | u32 doi, len = calipso[1], cat_len = calipso[6] * 4; | |
746 | struct calipso_doi *doi_def; | |
747 | ||
748 | if (cat_len + 8 > len) | |
749 | return -EINVAL; | |
750 | ||
751 | doi = get_unaligned_be32(calipso + 2); | |
752 | rcu_read_lock(); | |
753 | doi_def = calipso_doi_search(doi); | |
754 | if (!doi_def) | |
755 | goto getattr_return; | |
756 | ||
757 | secattr->attr.mls.lvl = calipso[7]; | |
758 | secattr->flags |= NETLBL_SECATTR_MLS_LVL; | |
759 | ||
760 | if (cat_len) { | |
761 | ret_val = calipso_map_cat_ntoh(doi_def, | |
762 | calipso + 10, | |
763 | cat_len, | |
764 | secattr); | |
765 | if (ret_val != 0) { | |
766 | netlbl_catmap_free(secattr->attr.mls.cat); | |
767 | goto getattr_return; | |
768 | } | |
769 | ||
770 | secattr->flags |= NETLBL_SECATTR_MLS_CAT; | |
771 | } | |
772 | ||
773 | secattr->type = NETLBL_NLTYPE_CALIPSO; | |
774 | ||
775 | getattr_return: | |
776 | rcu_read_unlock(); | |
777 | return ret_val; | |
778 | } | |
779 | ||
780 | /* sock functions. | |
781 | */ | |
782 | ||
783 | /** | |
784 | * calipso_sock_getattr - Get the security attributes from a sock | |
785 | * @sk: the sock | |
786 | * @secattr: the security attributes | |
787 | * | |
788 | * Description: | |
789 | * Query @sk to see if there is a CALIPSO option attached to the sock and if | |
790 | * there is return the CALIPSO security attributes in @secattr. This function | |
791 | * requires that @sk be locked, or privately held, but it does not do any | |
792 | * locking itself. Returns zero on success and negative values on failure. | |
793 | * | |
794 | */ | |
795 | static int calipso_sock_getattr(struct sock *sk, | |
796 | struct netlbl_lsm_secattr *secattr) | |
797 | { | |
798 | struct ipv6_opt_hdr *hop; | |
799 | int opt_len, len, ret_val = -ENOMSG, offset; | |
800 | unsigned char *opt; | |
801 | struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); | |
802 | ||
803 | if (!txopts || !txopts->hopopt) | |
804 | goto done; | |
805 | ||
806 | hop = txopts->hopopt; | |
807 | opt = (unsigned char *)hop; | |
808 | opt_len = ipv6_optlen(hop); | |
809 | offset = sizeof(*hop); | |
810 | while (offset < opt_len) { | |
811 | len = calipso_tlv_len(hop, offset); | |
812 | if (len < 0) { | |
813 | ret_val = len; | |
814 | goto done; | |
815 | } | |
816 | switch (opt[offset]) { | |
817 | case IPV6_TLV_CALIPSO: | |
818 | if (len < CALIPSO_HDR_LEN) | |
819 | ret_val = -EINVAL; | |
820 | else | |
821 | ret_val = calipso_opt_getattr(&opt[offset], | |
822 | secattr); | |
823 | goto done; | |
824 | default: | |
825 | offset += len; | |
826 | break; | |
827 | } | |
828 | } | |
829 | done: | |
830 | txopt_put(txopts); | |
831 | return ret_val; | |
832 | } | |
833 | ||
834 | /** | |
835 | * calipso_sock_setattr - Add a CALIPSO option to a socket | |
836 | * @sk: the socket | |
837 | * @doi_def: the CALIPSO DOI to use | |
838 | * @secattr: the specific security attributes of the socket | |
839 | * | |
840 | * Description: | |
841 | * Set the CALIPSO option on the given socket using the DOI definition and | |
842 | * security attributes passed to the function. This function requires | |
843 | * exclusive access to @sk, which means it either needs to be in the | |
844 | * process of being created or locked. Returns zero on success and negative | |
845 | * values on failure. | |
846 | * | |
847 | */ | |
848 | static int calipso_sock_setattr(struct sock *sk, | |
849 | const struct calipso_doi *doi_def, | |
850 | const struct netlbl_lsm_secattr *secattr) | |
851 | { | |
852 | int ret_val; | |
853 | struct ipv6_opt_hdr *old, *new; | |
854 | struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); | |
855 | ||
856 | old = NULL; | |
857 | if (txopts) | |
858 | old = txopts->hopopt; | |
859 | ||
860 | new = calipso_opt_insert(old, doi_def, secattr); | |
861 | txopt_put(txopts); | |
862 | if (IS_ERR(new)) | |
863 | return PTR_ERR(new); | |
864 | ||
865 | ret_val = calipso_opt_update(sk, new); | |
866 | ||
867 | kfree(new); | |
868 | return ret_val; | |
869 | } | |
870 | ||
871 | /** | |
872 | * calipso_sock_delattr - Delete the CALIPSO option from a socket | |
873 | * @sk: the socket | |
874 | * | |
875 | * Description: | |
876 | * Removes the CALIPSO option from a socket, if present. | |
877 | * | |
878 | */ | |
879 | static void calipso_sock_delattr(struct sock *sk) | |
880 | { | |
881 | struct ipv6_opt_hdr *new_hop; | |
882 | struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); | |
883 | ||
884 | if (!txopts || !txopts->hopopt) | |
885 | goto done; | |
886 | ||
887 | if (calipso_opt_del(txopts->hopopt, &new_hop)) | |
888 | goto done; | |
889 | ||
890 | calipso_opt_update(sk, new_hop); | |
891 | kfree(new_hop); | |
892 | ||
893 | done: | |
894 | txopt_put(txopts); | |
895 | } | |
896 | ||
e1adea92 HD |
897 | /* request sock functions. |
898 | */ | |
899 | ||
900 | /** | |
901 | * calipso_req_setattr - Add a CALIPSO option to a connection request socket | |
902 | * @req: the connection request socket | |
903 | * @doi_def: the CALIPSO DOI to use | |
904 | * @secattr: the specific security attributes of the socket | |
905 | * | |
906 | * Description: | |
907 | * Set the CALIPSO option on the given socket using the DOI definition and | |
908 | * security attributes passed to the function. Returns zero on success and | |
909 | * negative values on failure. | |
910 | * | |
911 | */ | |
912 | static int calipso_req_setattr(struct request_sock *req, | |
913 | const struct calipso_doi *doi_def, | |
914 | const struct netlbl_lsm_secattr *secattr) | |
915 | { | |
916 | struct ipv6_txoptions *txopts; | |
917 | struct inet_request_sock *req_inet = inet_rsk(req); | |
918 | struct ipv6_opt_hdr *old, *new; | |
919 | struct sock *sk = sk_to_full_sk(req_to_sk(req)); | |
920 | ||
921 | if (req_inet->ipv6_opt && req_inet->ipv6_opt->hopopt) | |
922 | old = req_inet->ipv6_opt->hopopt; | |
923 | else | |
924 | old = NULL; | |
925 | ||
926 | new = calipso_opt_insert(old, doi_def, secattr); | |
927 | if (IS_ERR(new)) | |
928 | return PTR_ERR(new); | |
929 | ||
930 | txopts = ipv6_renew_options_kern(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, | |
931 | new, new ? ipv6_optlen(new) : 0); | |
932 | ||
933 | kfree(new); | |
934 | ||
935 | if (IS_ERR(txopts)) | |
936 | return PTR_ERR(txopts); | |
937 | ||
938 | txopts = xchg(&req_inet->ipv6_opt, txopts); | |
939 | if (txopts) { | |
940 | atomic_sub(txopts->tot_len, &sk->sk_omem_alloc); | |
941 | txopt_put(txopts); | |
942 | } | |
943 | ||
944 | return 0; | |
945 | } | |
946 | ||
947 | /** | |
948 | * calipso_req_delattr - Delete the CALIPSO option from a request socket | |
949 | * @reg: the request socket | |
950 | * | |
951 | * Description: | |
952 | * Removes the CALIPSO option from a request socket, if present. | |
953 | * | |
954 | */ | |
955 | static void calipso_req_delattr(struct request_sock *req) | |
956 | { | |
957 | struct inet_request_sock *req_inet = inet_rsk(req); | |
958 | struct ipv6_opt_hdr *new; | |
959 | struct ipv6_txoptions *txopts; | |
960 | struct sock *sk = sk_to_full_sk(req_to_sk(req)); | |
961 | ||
962 | if (!req_inet->ipv6_opt || !req_inet->ipv6_opt->hopopt) | |
963 | return; | |
964 | ||
965 | if (calipso_opt_del(req_inet->ipv6_opt->hopopt, &new)) | |
966 | return; /* Nothing to do */ | |
967 | ||
968 | txopts = ipv6_renew_options_kern(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, | |
969 | new, new ? ipv6_optlen(new) : 0); | |
970 | ||
971 | if (!IS_ERR(txopts)) { | |
972 | txopts = xchg(&req_inet->ipv6_opt, txopts); | |
973 | if (txopts) { | |
974 | atomic_sub(txopts->tot_len, &sk->sk_omem_alloc); | |
975 | txopt_put(txopts); | |
976 | } | |
977 | } | |
978 | kfree(new); | |
979 | } | |
980 | ||
2917f57b HD |
981 | /* skbuff functions. |
982 | */ | |
983 | ||
984 | /** | |
985 | * calipso_skbuff_optptr - Find the CALIPSO option in the packet | |
986 | * @skb: the packet | |
987 | * | |
988 | * Description: | |
989 | * Parse the packet's IP header looking for a CALIPSO option. Returns a pointer | |
990 | * to the start of the CALIPSO option on success, NULL if one if not found. | |
991 | * | |
992 | */ | |
993 | static unsigned char *calipso_skbuff_optptr(const struct sk_buff *skb) | |
994 | { | |
995 | const struct ipv6hdr *ip6_hdr = ipv6_hdr(skb); | |
996 | int offset; | |
997 | ||
998 | if (ip6_hdr->nexthdr != NEXTHDR_HOP) | |
999 | return NULL; | |
1000 | ||
1001 | offset = ipv6_find_tlv(skb, sizeof(*ip6_hdr), IPV6_TLV_CALIPSO); | |
1002 | if (offset >= 0) | |
1003 | return (unsigned char *)ip6_hdr + offset; | |
1004 | ||
1005 | return NULL; | |
1006 | } | |
1007 | ||
1008 | /** | |
1009 | * calipso_skbuff_setattr - Set the CALIPSO option on a packet | |
1010 | * @skb: the packet | |
1011 | * @doi_def: the CALIPSO DOI to use | |
1012 | * @secattr: the security attributes | |
1013 | * | |
1014 | * Description: | |
1015 | * Set the CALIPSO option on the given packet based on the security attributes. | |
1016 | * Returns a pointer to the IP header on success and NULL on failure. | |
1017 | * | |
1018 | */ | |
1019 | static int calipso_skbuff_setattr(struct sk_buff *skb, | |
1020 | const struct calipso_doi *doi_def, | |
1021 | const struct netlbl_lsm_secattr *secattr) | |
1022 | { | |
1023 | int ret_val; | |
1024 | struct ipv6hdr *ip6_hdr; | |
1025 | struct ipv6_opt_hdr *hop; | |
1026 | unsigned char buf[CALIPSO_MAX_BUFFER]; | |
1027 | int len_delta, new_end, pad; | |
1028 | unsigned int start, end; | |
1029 | ||
1030 | ip6_hdr = ipv6_hdr(skb); | |
1031 | if (ip6_hdr->nexthdr == NEXTHDR_HOP) { | |
1032 | hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1); | |
1033 | ret_val = calipso_opt_find(hop, &start, &end); | |
1034 | if (ret_val && ret_val != -ENOENT) | |
1035 | return ret_val; | |
1036 | } else { | |
1037 | start = 0; | |
1038 | end = 0; | |
1039 | } | |
1040 | ||
1041 | memset(buf, 0, sizeof(buf)); | |
1042 | ret_val = calipso_genopt(buf, start & 3, sizeof(buf), doi_def, secattr); | |
1043 | if (ret_val < 0) | |
1044 | return ret_val; | |
1045 | ||
1046 | new_end = start + ret_val; | |
1047 | /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */ | |
1048 | pad = ((new_end & 4) + (end & 7)) & 7; | |
1049 | len_delta = new_end - (int)end + pad; | |
1050 | ret_val = skb_cow(skb, skb_headroom(skb) + len_delta); | |
1051 | if (ret_val < 0) | |
1052 | return ret_val; | |
1053 | ||
1054 | if (len_delta) { | |
1055 | if (len_delta > 0) | |
1056 | skb_push(skb, len_delta); | |
1057 | else | |
1058 | skb_pull(skb, -len_delta); | |
1059 | memmove((char *)ip6_hdr - len_delta, ip6_hdr, | |
1060 | sizeof(*ip6_hdr) + start); | |
1061 | skb_reset_network_header(skb); | |
1062 | ip6_hdr = ipv6_hdr(skb); | |
1063 | } | |
1064 | ||
1065 | hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1); | |
1066 | if (start == 0) { | |
1067 | struct ipv6_opt_hdr *new_hop = (struct ipv6_opt_hdr *)buf; | |
1068 | ||
1069 | new_hop->nexthdr = ip6_hdr->nexthdr; | |
1070 | new_hop->hdrlen = len_delta / 8 - 1; | |
1071 | ip6_hdr->nexthdr = NEXTHDR_HOP; | |
1072 | } else { | |
1073 | hop->hdrlen += len_delta / 8; | |
1074 | } | |
1075 | memcpy((char *)hop + start, buf + (start & 3), new_end - start); | |
1076 | calipso_pad_write((unsigned char *)hop, new_end, pad); | |
1077 | ||
1078 | return 0; | |
1079 | } | |
1080 | ||
1081 | /** | |
1082 | * calipso_skbuff_delattr - Delete any CALIPSO options from a packet | |
1083 | * @skb: the packet | |
1084 | * | |
1085 | * Description: | |
1086 | * Removes any and all CALIPSO options from the given packet. Returns zero on | |
1087 | * success, negative values on failure. | |
1088 | * | |
1089 | */ | |
1090 | static int calipso_skbuff_delattr(struct sk_buff *skb) | |
1091 | { | |
1092 | int ret_val; | |
1093 | struct ipv6hdr *ip6_hdr; | |
1094 | struct ipv6_opt_hdr *old_hop; | |
1095 | u32 old_hop_len, start = 0, end = 0, delta, size, pad; | |
1096 | ||
1097 | if (!calipso_skbuff_optptr(skb)) | |
1098 | return 0; | |
1099 | ||
1100 | /* since we are changing the packet we should make a copy */ | |
1101 | ret_val = skb_cow(skb, skb_headroom(skb)); | |
1102 | if (ret_val < 0) | |
1103 | return ret_val; | |
1104 | ||
1105 | ip6_hdr = ipv6_hdr(skb); | |
1106 | old_hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1); | |
1107 | old_hop_len = ipv6_optlen(old_hop); | |
1108 | ||
1109 | ret_val = calipso_opt_find(old_hop, &start, &end); | |
1110 | if (ret_val) | |
1111 | return ret_val; | |
1112 | ||
1113 | if (start == sizeof(*old_hop) && end == old_hop_len) { | |
1114 | /* There's no other option in the header so we delete | |
1115 | * the whole thing. */ | |
1116 | delta = old_hop_len; | |
1117 | size = sizeof(*ip6_hdr); | |
1118 | ip6_hdr->nexthdr = old_hop->nexthdr; | |
1119 | } else { | |
1120 | delta = (end - start) & ~7; | |
1121 | if (delta) | |
1122 | old_hop->hdrlen -= delta / 8; | |
1123 | pad = (end - start) & 7; | |
1124 | size = sizeof(*ip6_hdr) + start + pad; | |
1125 | calipso_pad_write((unsigned char *)old_hop, start, pad); | |
1126 | } | |
1127 | ||
1128 | if (delta) { | |
1129 | skb_pull(skb, delta); | |
1130 | memmove((char *)ip6_hdr + delta, ip6_hdr, size); | |
1131 | skb_reset_network_header(skb); | |
1132 | } | |
1133 | ||
1134 | return 0; | |
1135 | } | |
1136 | ||
cb72d382 HD |
1137 | static const struct netlbl_calipso_ops ops = { |
1138 | .doi_add = calipso_doi_add, | |
1139 | .doi_free = calipso_doi_free, | |
d7cce015 | 1140 | .doi_remove = calipso_doi_remove, |
a5e34490 HD |
1141 | .doi_getdef = calipso_doi_getdef, |
1142 | .doi_putdef = calipso_doi_putdef, | |
e1ce69df | 1143 | .doi_walk = calipso_doi_walk, |
ceba1832 HD |
1144 | .sock_getattr = calipso_sock_getattr, |
1145 | .sock_setattr = calipso_sock_setattr, | |
1146 | .sock_delattr = calipso_sock_delattr, | |
e1adea92 HD |
1147 | .req_setattr = calipso_req_setattr, |
1148 | .req_delattr = calipso_req_delattr, | |
2917f57b HD |
1149 | .opt_getattr = calipso_opt_getattr, |
1150 | .skbuff_optptr = calipso_skbuff_optptr, | |
1151 | .skbuff_setattr = calipso_skbuff_setattr, | |
1152 | .skbuff_delattr = calipso_skbuff_delattr, | |
cb72d382 HD |
1153 | }; |
1154 | ||
1155 | /** | |
1156 | * calipso_init - Initialize the CALIPSO module | |
1157 | * | |
1158 | * Description: | |
1159 | * Initialize the CALIPSO module and prepare it for use. Returns zero on | |
1160 | * success and negative values on failure. | |
1161 | * | |
1162 | */ | |
1163 | int __init calipso_init(void) | |
1164 | { | |
1165 | netlbl_calipso_ops_register(&ops); | |
1166 | return 0; | |
1167 | } | |
1168 | ||
1169 | void calipso_exit(void) | |
1170 | { | |
1171 | netlbl_calipso_ops_register(NULL); | |
1172 | } |