From: Paul Moore
Date: Fri, 1 Jun 2012 05:54:56 +0000 (+0000)
Subject: cipso: handle CIPSO options correctly when NetLabel is disabled
X-Git-Tag: v3.2.23~19
X-Git-Url: https://git.openpandora.org/cgi-bin/gitweb.cgi?p=pandora-kernel.git;a=commitdiff_plain;h=dff31bdf228689241933ea5bf62ba98de3eec42e;hp=dff31bdf228689241933ea5bf62ba98de3eec42e

cipso: handle CIPSO options correctly when NetLabel is disabled

[ Upstream commit 20e2a86485967c385d7c7befc1646e4d1d39362e ]

When NetLabel is not enabled, e.g. CONFIG_NETLABEL=n, and the system receives a CIPSO tagged packet it is dropped (cipso_v4_validate() returns non-zero). In most cases this is the correct and desired behavior, however, in the case where we are simply forwarding the traffic, e.g. acting as a network bridge, this becomes a problem.

This patch fixes the forwarding problem by providing the basic CIPSO validation code directly in ip_options_compile() without the need for the NetLabel or CIPSO code. The new validation code can not perform any of the CIPSO option label/value verification that cipso_v4_validate() does, but it can verify the basic CIPSO option format.

The behavior when NetLabel is enabled is unchanged.

Signed-off-by: Paul Moore
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
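
The following user-space sketch is an added example, not code from this commit or from the kernel. It shows what a format-only CIPSO check of the kind the message describes can look like: it walks the option structure without any DOI lookup or label/value verification. The helper name cipso_format_check(), its return convention, and the choice to reject an all-zero DOI are assumptions of this example; the option layout (type 134, length byte, 32-bit DOI, then type/length/value tags) follows the CIPSO draft.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_CIPSO   134 /* IPv4 option type carrying a CIPSO label */
#define CIPSO_HDR_LEN 6   /* type (1) + length (1) + DOI (4) */
#define CIPSO_TAG_MIN 2   /* every tag starts with type (1) + length (1) */

/*
 * Hypothetical helper, not kernel code: structural check of one CIPSO option.
 * opt points at the option type byte; avail is the number of bytes left in
 * the IPv4 options area. Returns 0 when well formed, otherwise 1 + the offset
 * of the offending byte. No DOI lookup or label/value checks are done.
 */
int cipso_format_check(const uint8_t *opt, size_t avail)
{
    size_t opt_len, off;

    if (avail < 2 || opt[0] != IPOPT_CIPSO)
        return 1;
    opt_len = opt[1];
    /* Room for the header and one minimal tag, and no overrun of the area. */
    if (opt_len < CIPSO_HDR_LEN + CIPSO_TAG_MIN || opt_len > avail)
        return 2;
    /* Assumption of this example: an all-zero DOI is treated as malformed. */
    if ((opt[2] | opt[3] | opt[4] | opt[5]) == 0)
        return 3;
    for (off = CIPSO_HDR_LEN; off < opt_len; ) {
        size_t tag_len;

        if (opt_len - off < CIPSO_TAG_MIN)   /* stray byte after last tag */
            return (int)off + 1;
        tag_len = opt[off + 1];
        /* A zero or one byte tag would stall or misalign the walk. */
        if (tag_len < CIPSO_TAG_MIN || tag_len > opt_len - off)
            return (int)off + 2;
        off += tag_len;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: DOI 1, one tag of type 1 and length 4. */
    const uint8_t sample[] = { 134, 10, 0, 0, 0, 1, 1, 4, 0, 5 };

    printf("result: %d\n", cipso_format_check(sample, sizeof(sample)));
    return 0;
}
```

A forwarding path that only needs to pass labelled traffic through can accept a packet on a zero return and treat any other value as a malformed option, with the value pointing at the byte to report.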