[redhat-lspp] Re: [RFC 3/7] NetLabel: CIPSOv4 engine

Sat Jul 8 15:06:56 UTC 2006

On Thursday 06 July 2006 17:34, paul.moore at hp.com wrote:
> Index: linux-2.6.17.i686-quilt/net/ipv4/cipso_ipv4.c
> ===================================================================
> --- /dev/null
> +++ linux-2.6.17.i686-quilt/net/ipv4/cipso_ipv4.c
> +static int cipso_v4_bitmap_walk(const unsigned char *bitmap,
> +				const u32 bitmap_len,
> +				const u32 offset,
> +				const u8 state)
> +{

const on pass by value

> +	bitmask = 0x80 >> offset % 8;

Might not be bad to add a pair of parenthesis to clarify the order of intended 
evaluation.

> +static void cipso_v4_bitmap_setbit(unsigned char *bitmap,
> +				   const u32 bit,
> +				   const u8 state)

const on pass by value

> +	bitmask = 0x80 >> bit % 8;

same as above

> +static void cipso_v4_doi_domhsh_free(struct rcu_head *entry)
> +{
> +	struct cipso_v4_domhsh_entry *ptr;
> +
> +	ptr = container_of(entry, struct cipso_v4_domhsh_entry, rcu);
> +	if (ptr->domain)
> +		kfree(ptr->domain);

'if' isn't needed

> +static void cipso_v4_cache_entry_free(struct cipso_v4_map_cache_entry
> *entry) +{
> +	if (entry->lsm_data.free)
> +		entry->lsm_data.free(entry->lsm_data.data);
> +	if (entry->key)
> +		kfree(entry->key);

same

> +static u32 cipso_v4_map_cache_hash(const unsigned char *key, const u32
> key_len) +{

const on pass by value

> +static int cipso_v4_cache_init(const u32 bkt_size)

same

> +static int cipso_v4_cache_check(const unsigned char *key,
> +				const u32 key_len,
> +				struct netlbl_lsm_secattr *secattr)
> +{

same

> +static struct cipso_v4_doi *cipso_v4_doi_search(const u32 doi)

same

> +int cipso_v4_doi_remove(const u32 doi,
> +			void (*callback) (struct rcu_head * head))

same

> +struct cipso_v4_doi *cipso_v4_doi_getdef(const u32 doi)

same

> +struct sk_buff *cipso_v4_doi_dump(const u32 doi, const size_t headroom)

same 

> +{
> +	struct sk_buff *skb;
> +	unsigned char *buf;
> +	struct cipso_v4_doi *iter;
> +	u32 doi_cnt = 0;
> +	u32 tag_cnt = 0;
> +	u32 lvl_cnt = 0;
> +	u32 cat_cnt = 0;
> +        ssize_t buf_len;

indent seems to have changed here

> +int cipso_v4_doi_domhsh_add(struct cipso_v4_doi *doi_def, const char
> *domain) +{
<snip>
> +	rcu_read_lock();
> +	list_for_each_entry_rcu(iter, &doi_def->dom_list, list)
> +		if (iter->valid &&
> +		    ((domain != NULL && iter->domain != NULL &&
> +		      strcmp(iter->domain, domain) == 0) ||
> +		     (domain == NULL && iter->domain == NULL))) {
> +			rcu_read_unlock();
> +			if (new_dom->domain != NULL)
> +				kfree(new_dom->domain);

'if' not needed

> +static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def,
> +				  const u8 level)

const on pass by value

> +static int cipso_v4_map_lvl_hton(const struct cipso_v4_doi *doi_def,
> +				 const u32 host_lvl,
> +				 u32 *net_lvl)

same

> +static int cipso_v4_map_lvl_ntoh(const struct cipso_v4_doi *doi_def,
> +				 const u32 net_lvl,
> +				 u32 *host_lvl)

same

> +static int cipso_v4_map_cat_rbm_valid(const struct cipso_v4_doi *doi_def,
> +				      const unsigned char *bitmap,
> +				      const u32 bitmap_len)

same

> +static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def,
> +				     const unsigned char *host_cat,
> +				     const u32 host_cat_len,
> +				     unsigned char *net_cat,
> +				     const u32 net_cat_len)

same

> +static int cipso_v4_map_cat_rbm_ntoh(const struct cipso_v4_doi *doi_def,
> +				     const unsigned char *net_cat,
> +				     const u32 net_cat_len,
> +				     unsigned char *host_cat,
> +				     const u32 host_cat_len)

same 

> +static int cipso_v4_gentag_hdr(const struct cipso_v4_doi *doi_def,
> +			       const u32 len,
> +			       unsigned char *buf)

same

> +static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
> +			       const struct netlbl_lsm_secattr *secattr,
> +			       unsigned char **buffer,
> +			       u32 *buffer_len)

same 

> +{
> +	int ret_val = -EPERM;
> +	unsigned char *buf = NULL;
> +	u32 buf_len;
> +	u32 level;
> +
> +	if (secattr->set_mls_cat) {
> +		buf = kzalloc(CIPSO_V4_HDR_LEN + 4 + CIPSO_V4_TAG1_CAT_LEN,
> +			      GFP_ATOMIC);
> +		if (buf == NULL)
> +			return -ENOMEM;
> +
> +		ret_val = cipso_v4_map_cat_rbm_hton(doi_def,
> +						    secattr->mls_cat,
> +						    secattr->mls_cat_len,
> +						    &buf[CIPSO_V4_HDR_LEN + 4],
> +						    CIPSO_V4_TAG1_CAT_LEN);
> +		if (ret_val < 0)
> +			goto gentag_failure;
> +
> +		/* XXX - this will send packets using the "optimized" format
> +		   when possibile as specified in  section 3.4.2.6 of the
> +		   CIPSO draft */
> +		if (cipso_v4_rbm_optfmt && (ret_val > 0 && ret_val < 10))
> +			ret_val = 10;
> +
> +		buf_len = 4 + ret_val;
> +	} else {
> +		buf = kzalloc(CIPSO_V4_HDR_LEN + 4, GFP_ATOMIC);
> +		if (buf == NULL)
> +			return -ENOMEM;
> +		buf_len = 4;
> +	}
> +
> +	ret_val = cipso_v4_map_lvl_hton(doi_def, secattr->mls_lvl, &level);
> +	if (ret_val != 0)
> +		goto gentag_failure;
> +
> +	ret_val = cipso_v4_gentag_hdr(doi_def, buf_len, buf);
> +	if (ret_val != 0)
> +		goto gentag_failure;
> +
> +	buf[CIPSO_V4_HDR_LEN] = 0x01;
> +	buf[CIPSO_V4_HDR_LEN + 1] = buf_len;
> +	buf[CIPSO_V4_HDR_LEN + 3] = level;
> +
> +	*buffer = buf;
> +	*buffer_len = CIPSO_V4_HDR_LEN + buf_len;
> +
> +	return 0;
> +
> +gentag_failure:
> +	if (buf)
> +		kfree(buf);

'if' is not needed. you always have a buffer when you get here.

> +	return ret_val;
> +}

> +int cipso_v4_error(struct sk_buff *skb,
> +		   const int error,
> +		   const u32 gateway)

const on pbv

> +int cipso_v4_socket_setattr(const struct socket *sock,
> +			    const struct cipso_v4_doi *doi_def,
> +			    const struct netlbl_lsm_secattr *secattr)
> +{

<snip>

> +socket_setattr_failure:
> +	if (buf)
> +		kfree(buf);
> +	if (opt)
> +		kfree(opt);

no need for 'if'

-Steve