[redhat-lspp] [RFC] [SELXFRM 1/4] Add support to core networking
- From: Venkat Yekkirala <vyekkirala TrustedCS com>
- To: redhat-lspp redhat com, selinux tycho nsa gov, sds tycho nsa gov, jmorris redhat com, tjaeger cse psu edu, latten austin ibm com
- Cc: Darrel Goeddel <DGoeddel TrustedCS com>, Chad Hanson <chanson TrustedCS com>
- Subject: [redhat-lspp] [RFC] [SELXFRM 1/4] Add support to core networking
- Date: Sat, 10 Jun 2006 17:37:38 -0400
This patch adds a security sid to the flow key itself, making flow cache
lookups based on the sid seamless.
This patch also adds support for handling security for sock. Security at the
sock level is needed to enforce policy even when a sock is orphaned (such as
in the TCP LAST_ACK state).
Signed-off-by: Venkat Yekkirala <vyekkirala TrustedCS com>
---
include/net/flow.h | 5 +++--
net/core/flow.c | 7 ++-----
net/core/sock.c | 4 ++++
3 files changed, 9 insertions(+), 7 deletions(-)
diff -purN -X linux-2.6.16.i686.lspp34/Documentation/dontdiff
linux-2.6.16.i686.lspp34/include/net/flow.h
linux-2.6.16.i686.ipsec/include/net/flow.h
--- linux-2.6.16.i686.lspp34/include/net/flow.h 2006-06-09
09:01:30.000000000 -0500
+++ linux-2.6.16.i686.ipsec/include/net/flow.h 2006-06-08
18:16:52.000000000 -0500
@@ -78,6 +78,7 @@ struct flowi {
#define fl_icmp_type uli_u.icmpt.type
#define fl_icmp_code uli_u.icmpt.code
#define fl_ipsec_spi uli_u.spi
+ __u32 sid;
} __attribute__((__aligned__(BITS_PER_LONG/8)));
#define FLOW_DIR_IN 0
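Review bot: The new `sid` member of struct flowi carries no comment saying what it holds or who is responsible for setting it, and since a flowi key is normally built by the caller, every site that constructs a key now has to initialize `sid` or the cache key (and the value handed to the resolver) is whatever happened to be in that memory. Suggest `__u32 sid; /* LSM security id of the flow; part of the cache key, must be set by whoever builds the key */`. Updating the callers is presumably left to the later patches of this series, but the header is where the requirement should be stated.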
@@ -85,10 +86,10 @@ struct flowi {
#define FLOW_DIR_FWD 2
struct sock;
-typedef void (*flow_resolve_t)(struct flowi *key, u32 sk_sid, u16 family,
u8 dir,
+typedef void (*flow_resolve_t)(struct flowi *key, u16 family, u8 dir,
void **objp, atomic_t **obj_refp);
-extern void *flow_cache_lookup(struct flowi *key, u32 sk_sid, u16 family,
u8 dir,
+extern void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir,
flow_resolve_t resolver);
extern void flow_cache_flush(void);
extern atomic_t flow_cache_genid;
diff -purN -X linux-2.6.16.i686.lspp34/Documentation/dontdiff
linux-2.6.16.i686.lspp34/net/core/flow.c
linux-2.6.16.i686.ipsec/net/core/flow.c
--- linux-2.6.16.i686.lspp34/net/core/flow.c 2006-06-09
09:01:31.000000000 -0500
+++ linux-2.6.16.i686.ipsec/net/core/flow.c 2006-06-08
18:16:52.000000000 -0500
@@ -32,7 +32,6 @@ struct flow_cache_entry {
u8 dir;
struct flowi key;
u32 genid;
- u32 sk_sid;
void *object;
atomic_t *object_ref;
};
@@ -165,7 +164,7 @@ static int flow_key_compare(struct flowi
return 0;
}
-void *flow_cache_lookup(struct flowi *key, u32 sk_sid, u16 family, u8 dir,
+void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir,
flow_resolve_t resolver)
{
struct flow_cache_entry *fle, **head;
@@ -189,7 +188,6 @@ void *flow_cache_lookup(struct flowi *ke
for (fle = *head; fle; fle = fle->next) {
if (fle->family == family &&
fle->dir == dir &&
- fle->sk_sid == sk_sid &&
flow_key_compare(key, &fle->key) == 0) {
if (fle->genid == atomic_read(&flow_cache_genid)) {
void *ret = fle->object;
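Review bot: Removing the `fle->sk_sid == sk_sid` test is only equivalent if flow_key_compare() covers the `sid` member that this series appends to struct flowi; its body lies outside this hunk (only its tail is visible in the previous hunk), so confirm it walks the whole struct rather than a fixed set of fields, otherwise two flows that differ only in sid would share one cached object. If it does compare the whole struct word by word, note that on 64-bit the 4-byte `sid` is followed by padding up to the `__aligned__(BITS_PER_LONG/8)` size and that padding takes part in the comparison, so keys must be fully zeroed where they are constructed. A one-line comment such as `/* sid lives in the key and is covered by flow_key_compare() */` would record why the explicit check went away. flow_cache_lookup() starts before this hunk and continues after it.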
@@ -214,7 +212,6 @@ void *flow_cache_lookup(struct flowi *ke
*head = fle;
fle->family = family;
fle->dir = dir;
- fle->sk_sid = sk_sid;
memcpy(&fle->key, key, sizeof(*key));
fle->object = NULL;
flow_count(cpu)++;
@@ -226,7 +223,7 @@ nocache:
void *obj;
atomic_t *obj_ref;
- resolver(key, sk_sid, family, dir, &obj, &obj_ref);
+ resolver(key, family, dir, &obj, &obj_ref);
if (fle) {
fle->genid = atomic_read(&flow_cache_genid);
diff -purN -X linux-2.6.16.i686.lspp34/Documentation/dontdiff
linux-2.6.16.i686.lspp34/net/core/sock.c
linux-2.6.16.i686.ipsec/net/core/sock.c
--- linux-2.6.16.i686.lspp34/net/core/sock.c 2006-06-09
09:01:38.000000000 -0500
+++ linux-2.6.16.i686.ipsec/net/core/sock.c 2006-06-08
18:16:52.000000000 -0500
@@ -820,7 +820,11 @@ struct sock *sk_clone(struct sock *sk, c
if (newsk != NULL) {
struct sk_filter *filter;
+ /* Save/restore the LSM security pointer around the copy */
+ void *sptr = newsk->sk_security;
memcpy(newsk, sk, sk->sk_prot->obj_size);
+ newsk->sk_security = sptr;
+ security_sk_clone(sk, newsk);
/* SANITY */
sk_node_init(&newsk->sk_node);
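Review bot: The comment on the added lines says what is done but not why, which is the part a later reader needs: without the save/restore the memcpy would make newsk point at sk's security blob and both sockets would release the same object. Suggest `/* newsk already owns its own sk_security; keep it, or the memcpy aliases it to sk's blob and both socks free it */`. This presumes newsk's blob was allocated on the path that produced newsk above the hunk; that code is outside the hunk, so it is worth confirming security_sk_alloc() runs on every allocation path that reaches here. sk_clone() begins before the hunk and continues after it.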