authorHuw Davies <huw@codeweavers.com>2016-06-27 21:06:17 +0200
committerPaul Moore <paul@paul-moore.com>2016-06-27 21:06:17 +0200
commit4fee5242bf41d9ad641d4c1b821e36eb7ba37fbf (patch)
tree6b79290fc0dbeffe30945235ca86576b652c84dd /include
parentcalipso: Add validation of CALIPSO option. (diff)
calipso: Add a label cache.
This works in exactly the same way as the CIPSO label cache. The idea is to allow the lsm to cache the result of a secattr lookup so that it doesn't need to perform the lookup for every skbuff. It introduces two sysctl controls: calipso_cache_enable - enables/disables the cache. calipso_cache_bucket_size - sets the size of a cache bucket. Signed-off-by: Huw Davies <huw@codeweavers.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'include')
-rw-r--r--include/net/calipso.h6
-rw-r--r--include/net/netlabel.h9
2 files changed, 13 insertions, 2 deletions
diff --git a/include/net/calipso.h b/include/net/calipso.h
index 85404e2375d8..b1b30cd36601 100644
--- a/include/net/calipso.h
+++ b/include/net/calipso.h
@@ -62,6 +62,12 @@ struct calipso_doi {
struct rcu_head rcu;
};
+/*
+ * Sysctl Variables
+ */
+extern int calipso_cache_enabled;
+extern int calipso_cache_bucketsize;
+
#ifdef CONFIG_NETLABEL
int __init calipso_init(void);
void calipso_exit(void);
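Review bot: The two new externs on lines 30–31 are documented only by the `Sysctl Variables` heading, so a reader of the header cannot tell what each one controls or that they are userspace-tunable. The commit description says the sysctls enable/disable the cache and set the size of a cache bucket, and the sysctl names it gives (`calipso_cache_enable`, `calipso_cache_bucket_size`) differ from the variable names, so carrying both facts into the header would help: `extern int calipso_cache_enabled;    /* cache on/off, sysctl calipso_cache_enable */` and `extern int calipso_cache_bucketsize; /* size of a cache bucket, sysctl calipso_cache_bucket_size */`. Because the bucket size is set from userspace, the definition and the sysctl table entry should bound the accepted range; both are outside this diff and cannot be checked here.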
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index d8a46a8ed512..a306bc7d2642 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -235,6 +235,8 @@ struct netlbl_lsm_secattr {
* @skbuff_optptr: find option in packet
* @skbuff_setattr: set the skbuff's attr
* @skbuff_delattr: remove the skbuff's attr
+ * @cache_invalidate: invalidate cache
+ * @cache_add: add cache entry
*
* Description:
* This structure is filled out by the CALIPSO engine and passed
@@ -269,6 +271,9 @@ struct netlbl_calipso_ops {
const struct calipso_doi *doi_def,
const struct netlbl_lsm_secattr *secattr);
int (*skbuff_delattr)(struct sk_buff *skb);
+ void (*cache_invalidate)(void);
+ int (*cache_add)(const unsigned char *calipso_ptr,
+ const struct netlbl_lsm_secattr *secattr);
};
/*
@@ -494,7 +499,7 @@ void netlbl_skbuff_err(struct sk_buff *skb, u16 family, int error, int gateway);
* LSM label mapping cache operations
*/
void netlbl_cache_invalidate(void);
-int netlbl_cache_add(const struct sk_buff *skb,
+int netlbl_cache_add(const struct sk_buff *skb, u16 family,
const struct netlbl_lsm_secattr *secattr);
/*
@@ -647,7 +652,7 @@ static inline void netlbl_cache_invalidate(void)
{
return;
}
-static inline int netlbl_cache_add(const struct sk_buff *skb,
+static inline int netlbl_cache_add(const struct sk_buff *skb, u16 family,
const struct netlbl_lsm_secattr *secattr)
{
return 0;
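Review bot: The new `cache_add` callback on lines 54–55 takes a bare `const unsigned char *calipso_ptr` with no length, and its kernel-doc entry on line 45 says only `add cache entry`, so the precondition on that pointer is left implicit. The implementation (outside this diff) must depend on the option having been length-validated before it is passed in, presumably by the validation added in the parent commit, and that precondition belongs in the kernel-doc: `@cache_add: add a cache entry for a CALIPSO option that has already been validated; calipso_ptr points at the option in the packet`. The `@cache_invalidate` entry on line 44 could likewise say whether it drops every cached mapping. The added `family` parameter to `netlbl_cache_add` on lines 63 and 71 is not described anywhere in this hunk; the function's kernel-doc lives with its definition outside this diff and should gain an `@family` line.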