summaryrefslogtreecommitdiff
path: root/net/netlabel/netlabel_kapi.c
diff options
context:
space:
mode:
authorHuw Davies <huw@codeweavers.com>2016-06-27 22:06:17 +0300
committerPaul Moore <paul@paul-moore.com>2016-06-27 22:06:17 +0300
commit4fee5242bf41d9ad641d4c1b821e36eb7ba37fbf (patch)
tree6b79290fc0dbeffe30945235ca86576b652c84dd /net/netlabel/netlabel_kapi.c
parent2e532b702834c07f614caf4489feb691e713232a (diff)
downloadlinux-4fee5242bf41d9ad641d4c1b821e36eb7ba37fbf.tar.xz
calipso: Add a label cache.
This works in exactly the same way as the CIPSO label cache. The idea is to allow the lsm to cache the result of a secattr lookup so that it doesn't need to perform the lookup for every skbuff. It introduces two sysctl controls: calipso_cache_enable - enables/disables the cache. calipso_cache_bucket_size - sets the size of a cache bucket. Signed-off-by: Huw Davies <huw@codeweavers.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'net/netlabel/netlabel_kapi.c')
-rw-r--r--net/netlabel/netlabel_kapi.c24
1 files changed, 19 insertions, 5 deletions
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index a42ce3c15d70..fbad7187d4fc 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1281,11 +1281,15 @@ void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway)
void netlbl_cache_invalidate(void)
{
cipso_v4_cache_invalidate();
+#if IS_ENABLED(CONFIG_IPV6)
+ calipso_cache_invalidate();
+#endif /* IPv6 */
}
/**
* netlbl_cache_add - Add an entry to a NetLabel protocol cache
* @skb: the packet
+ * @family: the family
* @secattr: the packet's security attributes
*
* Description:
@@ -1294,7 +1298,7 @@ void netlbl_cache_invalidate(void)
* values on error.
*
*/
-int netlbl_cache_add(const struct sk_buff *skb,
+int netlbl_cache_add(const struct sk_buff *skb, u16 family,
const struct netlbl_lsm_secattr *secattr)
{
unsigned char *ptr;
@@ -1302,10 +1306,20 @@ int netlbl_cache_add(const struct sk_buff *skb,
if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0)
return -ENOMSG;
- ptr = cipso_v4_optptr(skb);
- if (ptr)
- return cipso_v4_cache_add(ptr, secattr);
-
+ switch (family) {
+ case AF_INET:
+ ptr = cipso_v4_optptr(skb);
+ if (ptr)
+ return cipso_v4_cache_add(ptr, secattr);
+ break;
+#if IS_ENABLED(CONFIG_IPV6)
+ case AF_INET6:
+ ptr = calipso_optptr(skb);
+ if (ptr)
+ return calipso_cache_add(ptr, secattr);
+ break;
+#endif /* IPv6 */
+ }
return -ENOMSG;
}