+/*
+ * Seq_file read operations for /smack/netlabel
+ */
+
+static void *netlbladdr_seq_start(struct seq_file *s, loff_t *pos)
+{
+ if (*pos == SEQ_READ_FINISHED)
+ return NULL;
+
+ return smack_netlbladdrs;
+}
+
+static void *netlbladdr_seq_next(struct seq_file *s, void *v, loff_t *pos)
+{
+ struct smk_netlbladdr *skp = ((struct smk_netlbladdr *) v)->smk_next;
+
+ if (skp == NULL)
+ *pos = SEQ_READ_FINISHED;
+
+ return skp;
+}
+/*
+#define BEMASK 0x80000000
+*/
+#define BEMASK 0x00000001
+#define BEBITS (sizeof(__be32) * 8)
+
+/*
+ * Print host/label pairs
+ */
+static int netlbladdr_seq_show(struct seq_file *s, void *v)
+{
+ struct smk_netlbladdr *skp = (struct smk_netlbladdr *) v;
+ unsigned char *hp = (char *) &skp->smk_host.sin_addr.s_addr;
+ __be32 bebits;
+ int maskn = 0;
+
+ for (bebits = BEMASK; bebits != 0; maskn++, bebits <<= 1)
+ if ((skp->smk_mask.s_addr & bebits) == 0)
+ break;
+
+ seq_printf(s, "%u.%u.%u.%u/%d %s\n",
+ hp[0], hp[1], hp[2], hp[3], maskn, skp->smk_label);
+
+ return 0;
+}
+
+static void netlbladdr_seq_stop(struct seq_file *s, void *v)
+{
+ /* No-op */
+}
+
+static struct seq_operations netlbladdr_seq_ops = {
+ .start = netlbladdr_seq_start,
+ .stop = netlbladdr_seq_stop,
+ .next = netlbladdr_seq_next,
+ .show = netlbladdr_seq_show,
+};
+
+/**
+ * smk_open_netlbladdr - open() for /smack/netlabel
+ * @inode: inode structure representing file
+ * @file: "netlabel" file pointer
+ *
+ * Connect our netlbladdr_seq_* operations with /smack/netlabel
+ * file_operations
+ */
+static int smk_open_netlbladdr(struct inode *inode, struct file *file)
+{
+ return seq_open(file, &netlbladdr_seq_ops);
+}
+
+/**
+ * smk_write_netlbladdr - write() for /smack/netlabel
+ * @filp: file pointer, not actually used
+ * @buf: where to get the data from
+ * @count: bytes sent
+ * @ppos: where to start
+ *
+ * Accepts only one netlbladdr per write call.
+ * Returns number of bytes written or error code, as appropriate
+ */
+static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ struct smk_netlbladdr *skp;
+ struct sockaddr_in newname;
+ char smack[SMK_LABELLEN];
+ char *sp;
+ char data[SMK_NETLBLADDRMAX];
+ char *host = (char *)&newname.sin_addr.s_addr;
+ int rc;
+ struct netlbl_audit audit_info;
+ struct in_addr mask;
+ unsigned int m;
+ __be32 bebits = BEMASK;
+ __be32 nsa;
+
+ /*
+ * Must have privilege.
+ * No partial writes.
+ * Enough data must be present.
+ * "<addr/mask, as a.b.c.d/e><space><label>"
+ * "<addr, as a.b.c.d><space><label>"
+ */
+ if (!capable(CAP_MAC_ADMIN))
+ return -EPERM;
+ if (*ppos != 0)
+ return -EINVAL;
+ if (count < SMK_NETLBLADDRMIN || count > SMK_NETLBLADDRMAX)
+ return -EINVAL;
+ if (copy_from_user(data, buf, count) != 0)
+ return -EFAULT;
+
+ data[count] = '\0';
+
+ rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%d %s",
+ &host[0], &host[1], &host[2], &host[3], &m, smack);
+ if (rc != 6) {
+ rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",
+ &host[0], &host[1], &host[2], &host[3], smack);
+ if (rc != 5)
+ return -EINVAL;
+ m = BEBITS;
+ }
+ if (m > BEBITS)
+ return -EINVAL;
+
+ sp = smk_import(smack, 0);
+ if (sp == NULL)
+ return -EINVAL;
+
+ for (mask.s_addr = 0; m > 0; m--) {
+ mask.s_addr |= bebits;
+ bebits <<= 1;
+ }
+ /*
+ * Only allow one writer at a time. Writes should be
+ * quite rare and small in any case.
+ */
+ mutex_lock(&smk_netlbladdr_lock);
+
+ nsa = newname.sin_addr.s_addr;
+ for (skp = smack_netlbladdrs; skp != NULL; skp = skp->smk_next)
+ if (skp->smk_host.sin_addr.s_addr == nsa &&
+ skp->smk_mask.s_addr == mask.s_addr)
+ break;
+
+ smk_netlabel_audit_set(&audit_info);
+
+ if (skp == NULL) {
+ skp = kzalloc(sizeof(*skp), GFP_KERNEL);
+ if (skp == NULL)
+ rc = -ENOMEM;
+ else {
+ rc = 0;
+ skp->smk_host.sin_addr.s_addr = newname.sin_addr.s_addr;
+ skp->smk_mask.s_addr = mask.s_addr;
+ skp->smk_next = smack_netlbladdrs;
+ skp->smk_label = sp;
+ smack_netlbladdrs = skp;
+ }
+ } else {
+ rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
+ &skp->smk_host.sin_addr, &skp->smk_mask,
+ PF_INET, &audit_info);
+ skp->smk_label = sp;
+ }
+
+ /*
+ * Now tell netlabel about the single label nature of
+ * this host so that incoming packets get labeled.
+ */
+
+ if (rc == 0)
+ rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
+ &skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
+ smack_to_secid(skp->smk_label), &audit_info);
+
+ if (rc == 0)
+ rc = count;
+
+ mutex_unlock(&smk_netlbladdr_lock);
+
+ return rc;
+}
+
+static const struct file_operations smk_netlbladdr_ops = {
+ .open = smk_open_netlbladdr,
+ .read = seq_read,
+ .llseek = seq_lseek,
+ .write = smk_write_netlbladdr,
+ .release = seq_release,
+};
+