#include <linux/init.h>
#include <linux/types.h>
#include <linux/rcupdate.h>
#include <linux/list.h>
#include <linux/spinlock.h>
#include <linux/string.h>
#include <linux/jhash.h>
#include <linux/audit.h>
#include <linux/slab.h>
#include <net/ip.h>
#include <net/icmp.h>
#include <net/tcp.h>
#include <net/netlabel.h>
#include <net/cipso_ipv4.h>
#include <linux/atomic.h>
#include <asm/bug.h>
#include <asm/unaligned.h>
Data Structures | |
struct | cipso_v4_map_cache_bkt |
struct | cipso_v4_map_cache_entry |
Macros | |
#define | CIPSO_V4_CACHE_BUCKETBITS 7 |
#define | CIPSO_V4_CACHE_BUCKETS (1 << CIPSO_V4_CACHE_BUCKETBITS) |
#define | CIPSO_V4_CACHE_REORDERLIMIT 10 |
#define | CIPSO_V4_OPT_LEN_MAX 40 |
#define | CIPSO_V4_HDR_LEN 6 |
#define | CIPSO_V4_TAG_RBM_BLEN 4 |
#define | CIPSO_V4_TAG_ENUM_BLEN 4 |
#define | CIPSO_V4_TAG_RNG_BLEN 4 |
#define | CIPSO_V4_TAG_RNG_CAT_MAX 8 |
#define | CIPSO_V4_TAG_LOC_BLEN 6 |
Variables | |
int | cipso_v4_cache_enabled = 1 |
int | cipso_v4_cache_bucketsize = 10 |
int | cipso_v4_rbm_optfmt = 0 |
int | cipso_v4_rbm_strictvalid = 1 |
#define CIPSO_V4_CACHE_BUCKETBITS 7 |
Definition at line 68 of file cipso_ipv4.c.
#define CIPSO_V4_CACHE_BUCKETS (1 << CIPSO_V4_CACHE_BUCKETBITS) |
Definition at line 69 of file cipso_ipv4.c.
#define CIPSO_V4_CACHE_REORDERLIMIT 10 |
Definition at line 70 of file cipso_ipv4.c.
#define CIPSO_V4_HDR_LEN 6 |
Definition at line 102 of file cipso_ipv4.c.
#define CIPSO_V4_OPT_LEN_MAX 40 |
Definition at line 98 of file cipso_ipv4.c.
#define CIPSO_V4_TAG_ENUM_BLEN 4 |
Definition at line 108 of file cipso_ipv4.c.
#define CIPSO_V4_TAG_LOC_BLEN 6 |
Definition at line 130 of file cipso_ipv4.c.
#define CIPSO_V4_TAG_RBM_BLEN 4 |
Definition at line 105 of file cipso_ipv4.c.
#define CIPSO_V4_TAG_RNG_BLEN 4 |
Definition at line 111 of file cipso_ipv4.c.
#define CIPSO_V4_TAG_RNG_CAT_MAX 8 |
Definition at line 117 of file cipso_ipv4.c.
cipso_v4_cache_add - Add an entry to the CIPSO cache. @skb: the packet. @secattr: the packet's security attributes.
Description: Add a new entry to the CIPSO label mapping cache. The new entry is placed at the head of the cache bucket's list; if the bucket is out of room, the last entry in the list is removed first. Note that there is currently no checking for duplicate keys. Returns zero on success, negative values on failure.
Definition at line 380 of file cipso_ipv4.c.
cipso_v4_cache_invalidate - Invalidates the current CIPSO cache
Description: Invalidates and frees any entries in the CIPSO cache. Returns zero on success and negative values on failure.
Definition at line 277 of file cipso_ipv4.c.
int cipso_v4_doi_add(struct cipso_v4_doi *doi_def, struct netlbl_audit *audit_info)
cipso_v4_doi_add - Add a new DOI to the CIPSO protocol engine. @doi_def: the DOI structure. @audit_info: NetLabel audit information.
Description: The caller defines a new DOI for use by the CIPSO engine and calls this function to add it to the list of acceptable domains. The caller must ensure that the mapping table specified in doi_def->map meets all of the requirements of the mapping type (see cipso_ipv4.h for details). Returns zero on success and non-zero on failure.
Definition at line 467 of file cipso_ipv4.c.
void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
cipso_v4_doi_free - Frees a DOI definition : the entry's RCU field
Description: This function frees all of the memory associated with a DOI definition.
Definition at line 549 of file cipso_ipv4.c.
cipso_v4_doi_getdef - Returns a reference to a valid DOI definition. @doi: the DOI value.
Description: Searches for a valid DOI definition; if one is found it is returned to the caller, otherwise NULL is returned. The caller must ensure that rcu_read_lock() is held while accessing the returned definition, and must decrement the DOI definition's reference count (via cipso_v4_doi_putdef()) when done with it.
Definition at line 642 of file cipso_ipv4.c.
void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def)
cipso_v4_doi_putdef - Releases a reference for the given DOI definition. @doi_def: the DOI definition.
Description: Releases a DOI definition reference obtained from cipso_v4_doi_getdef().
Definition at line 666 of file cipso_ipv4.c.
int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info)
cipso_v4_doi_remove - Remove an existing DOI from the CIPSO protocol engine. @doi: the DOI value. @audit_info: the LSM secid to use in the audit message.
Description: Removes a DOI definition from the CIPSO engine. The NetLabel routines will be called to release their own LSM domain mappings as well as our own domain list. Returns zero on success and negative values on failure.
Definition at line 594 of file cipso_ipv4.c.
int cipso_v4_doi_walk(u32 *skip_cnt, int (*callback)(struct cipso_v4_doi *doi_def, void *arg), void *cb_arg)
cipso_v4_doi_walk - Iterate through the DOI definitions. @skip_cnt: skip past this number of DOI definitions, updated on return. @callback: callback invoked for each DOI definition. @cb_arg: argument passed to the callback function.
Description: Iterate over the DOI definition list, skipping the first @skip_cnt entries. For each entry call @callback; if @callback returns a negative value, stop 'walking' through the list and return. Updates the value in @skip_cnt upon return. Returns zero on success, negative values on failure.
Definition at line 694 of file cipso_ipv4.c.
cipso_v4_error - Send the correct response for a bad packet. @skb: the packet. @error: the error code. @gateway: CIPSO gateway flag.
Description: Based on the error code given in @error, send an ICMP error message back to the originating host. From the IETF draft ...
"If the contents of the CIPSO [option] are valid but the security label is outside of the configured host or port label range, the datagram is discarded and an ICMP 'destination unreachable' (type 3) is generated and returned. The code field of the ICMP is set to 'communication with destination network administratively prohibited' (code 9) or to 'communication with destination host administratively prohibited' (code 10). The value of the code is dependent on whether the originator of the ICMP message is acting as a CIPSO host or a CIPSO gateway. The recipient of the ICMP message MUST be able to handle either value. The same procedure is performed if a CIPSO [option] can not be added to an IP packet because it is too large to fit in the IP options area."
"If the error is triggered by receipt of an ICMP message, the message is discarded and no response is permitted (consistent with general ICMP processing rules)."
Definition at line 1783 of file cipso_ipv4.c.
void cipso_v4_req_delattr(struct request_sock *req)
cipso_v4_req_delattr - Delete the CIPSO option from a request socket. @req: the request socket.
Description: Removes the CIPSO option from a request socket, if present.
Definition at line 2116 of file cipso_ipv4.c.
int cipso_v4_req_setattr(struct request_sock *req, const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr)
cipso_v4_req_setattr - Add a CIPSO option to a connection request socket. @req: the connection request socket. @doi_def: the CIPSO DOI to use. @secattr: the specific security attributes of the socket.
Description: Set the CIPSO option on the given socket using the DOI definition and security attributes passed to the function. Returns zero on success and negative values on failure.
Definition at line 1960 of file cipso_ipv4.c.
cipso_v4_skbuff_delattr - Delete any CIPSO options from a packet. @skb: the packet.
Description: Removes any and all CIPSO options from the given packet. Returns zero on success, negative values on failure.
Definition at line 2295 of file cipso_ipv4.c.
cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option. @skb: the packet. @secattr: the security attributes.
Description: Parse the given packet's CIPSO option and return the security attributes. Returns zero on success and negative values on failure.
Definition at line 2335 of file cipso_ipv4.c.
int cipso_v4_skbuff_setattr(struct sk_buff *skb, const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr)
cipso_v4_sock_delattr - Delete the CIPSO option from a socket. @sk: the socket.
Description: Removes the CIPSO option from a socket, if present.
Definition at line 2089 of file cipso_ipv4.c.
int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
cipso_v4_sock_getattr - Get the security attributes from a sock. @sk: the sock. @secattr: the security attributes.
Description: Query whether a CIPSO option is attached to the sock and, if so, return the CIPSO security attributes in @secattr. This function requires that @sk be locked, or privately held, but it does not do any locking itself. Returns zero on success and negative values on failure.
Definition at line 2191 of file cipso_ipv4.c.
int cipso_v4_sock_setattr(struct sock *sk, const struct cipso_v4_doi *doi_def, const struct netlbl_lsm_secattr *secattr)
cipso_v4_sock_setattr - Add a CIPSO option to a socket. @sk: the socket. @doi_def: the CIPSO DOI to use. @secattr: the specific security attributes of the socket.
Description: Set the CIPSO option on the given socket using the DOI definition and security attributes passed to the function. This function requires exclusive access to @sk, which means the socket must either be in the process of being created or be locked. Returns zero on success and negative values on failure.
Definition at line 1876 of file cipso_ipv4.c.
cipso_v4_validate - Validate a CIPSO option. @option: the start of the option; on error it is set to point to the offending portion.
Description: This routine is called to validate a CIPSO option. It checks all of the fields to ensure that they are at least valid; see the draft snippet below for details. If the option is valid, zero is returned and the value of @option is unchanged. If the option is invalid, a non-zero value is returned and @option is adjusted to point to the offending portion of the option. From the IETF draft ...
"If any field within the CIPSO options, such as the DOI identifier, is not recognized the IP datagram is discarded and an ICMP 'parameter problem' (type 12) is generated and returned. The ICMP code field is set to 'bad parameter' (code 0) and the pointer is set to the start of the CIPSO field that is unrecognized."
Definition at line 1617 of file cipso_ipv4.c.
subsys_initcall(cipso_v4_init);
int cipso_v4_cache_bucketsize = 10 |
Definition at line 67 of file cipso_ipv4.c.
int cipso_v4_cache_enabled = 1 |
Definition at line 66 of file cipso_ipv4.c.
int cipso_v4_rbm_optfmt = 0 |
Definition at line 89 of file cipso_ipv4.c.
int cipso_v4_rbm_strictvalid = 1 |
Definition at line 90 of file cipso_ipv4.c.