
[net-next] netlabel: Remove unused cfg_calipso funcs

Message ID 20250220140808.71674-1-linux@treblig.org (mailing list archive)
State Deferred
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success Errors and warnings before: 26 (+1) this patch: 26 (+1)
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 10 this patch: 10
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 177 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 31 this patch: 29
netdev/source_inline success Was 0 now: 0

Commit Message

Dr. David Alan Gilbert Feb. 20, 2025, 2:08 p.m. UTC
From: "Dr. David Alan Gilbert" <linux@treblig.org>

netlbl_cfg_calipso_map_add(), netlbl_cfg_calipso_add() and
netlbl_cfg_calipso_del() were added in 2016 as part of
commit 3f09354ac84c ("netlabel: Implement CALIPSO config functions for
SMACK.")

Remove them.

(I see a few other changes in that original commit, whether they
are reachable I'm not sure).

Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
---
 include/net/netlabel.h       |  26 -------
 net/netlabel/netlabel_kapi.c | 133 -----------------------------------
 2 files changed, 159 deletions(-)

Comments

Casey Schaufler Feb. 20, 2025, 3:35 p.m. UTC | #1
On 2/20/2025 6:08 AM, linux@treblig.org wrote:
> From: "Dr. David Alan Gilbert" <linux@treblig.org>
>
> netlbl_cfg_calipso_map_add(), netlbl_cfg_calipso_add() and
> netlbl_cfg_calipso_del() were added in 2016 as part of
> commit 3f09354ac84c ("netlabel: Implement CALIPSO config functions for
> SMACK.")
>
> Remove them.

Please don't. The Smack CALIPSO implementation has been delayed
for a number of reasons, some better than others, but is still on
the roadmap.

>
> (I see a few other changes in that original commit, whether they
> are reachable I'm not sure).
>
> Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
> ---
>  include/net/netlabel.h       |  26 -------
>  net/netlabel/netlabel_kapi.c | 133 -----------------------------------
>  2 files changed, 159 deletions(-)
>
> diff --git a/include/net/netlabel.h b/include/net/netlabel.h
> index 02914b1df38b..37c9bcfd5345 100644
> --- a/include/net/netlabel.h
> +++ b/include/net/netlabel.h
> @@ -435,14 +435,6 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
>  			       const struct in_addr *addr,
>  			       const struct in_addr *mask,
>  			       struct netlbl_audit *audit_info);
> -int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
> -			   struct netlbl_audit *audit_info);
> -void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info);
> -int netlbl_cfg_calipso_map_add(u32 doi,
> -			       const char *domain,
> -			       const struct in6_addr *addr,
> -			       const struct in6_addr *mask,
> -			       struct netlbl_audit *audit_info);
>  /*
>   * LSM security attribute operations
>   */
> @@ -561,24 +553,6 @@ static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
>  {
>  	return -ENOSYS;
>  }
> -static inline int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
> -					 struct netlbl_audit *audit_info)
> -{
> -	return -ENOSYS;
> -}
> -static inline void netlbl_cfg_calipso_del(u32 doi,
> -					  struct netlbl_audit *audit_info)
> -{
> -	return;
> -}
> -static inline int netlbl_cfg_calipso_map_add(u32 doi,
> -					     const char *domain,
> -					     const struct in6_addr *addr,
> -					     const struct in6_addr *mask,
> -					     struct netlbl_audit *audit_info)
> -{
> -	return -ENOSYS;
> -}
>  static inline int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap,
>  				     u32 offset)
>  {
> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index cd9160bbc919..13b4bc1c30ec 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -394,139 +394,6 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
>  	return ret_val;
>  }
>  
> -/**
> - * netlbl_cfg_calipso_add - Add a new CALIPSO DOI definition
> - * @doi_def: CALIPSO DOI definition
> - * @audit_info: NetLabel audit information
> - *
> - * Description:
> - * Add a new CALIPSO DOI definition as defined by @doi_def.  Returns zero on
> - * success and negative values on failure.
> - *
> - */
> -int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
> -			   struct netlbl_audit *audit_info)
> -{
> -#if IS_ENABLED(CONFIG_IPV6)
> -	return calipso_doi_add(doi_def, audit_info);
> -#else /* IPv6 */
> -	return -ENOSYS;
> -#endif /* IPv6 */
> -}
> -
> -/**
> - * netlbl_cfg_calipso_del - Remove an existing CALIPSO DOI definition
> - * @doi: CALIPSO DOI
> - * @audit_info: NetLabel audit information
> - *
> - * Description:
> - * Remove an existing CALIPSO DOI definition matching @doi.  Returns zero on
> - * success and negative values on failure.
> - *
> - */
> -void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info)
> -{
> -#if IS_ENABLED(CONFIG_IPV6)
> -	calipso_doi_remove(doi, audit_info);
> -#endif /* IPv6 */
> -}
> -
> -/**
> - * netlbl_cfg_calipso_map_add - Add a new CALIPSO DOI mapping
> - * @doi: the CALIPSO DOI
> - * @domain: the domain mapping to add
> - * @addr: IP address
> - * @mask: IP address mask
> - * @audit_info: NetLabel audit information
> - *
> - * Description:
> - * Add a new NetLabel/LSM domain mapping for the given CALIPSO DOI to the
> - * NetLabel subsystem.  A @domain value of NULL adds a new default domain
> - * mapping.  Returns zero on success, negative values on failure.
> - *
> - */
> -int netlbl_cfg_calipso_map_add(u32 doi,
> -			       const char *domain,
> -			       const struct in6_addr *addr,
> -			       const struct in6_addr *mask,
> -			       struct netlbl_audit *audit_info)
> -{
> -#if IS_ENABLED(CONFIG_IPV6)
> -	int ret_val = -ENOMEM;
> -	struct calipso_doi *doi_def;
> -	struct netlbl_dom_map *entry;
> -	struct netlbl_domaddr_map *addrmap = NULL;
> -	struct netlbl_domaddr6_map *addrinfo = NULL;
> -
> -	doi_def = calipso_doi_getdef(doi);
> -	if (doi_def == NULL)
> -		return -ENOENT;
> -
> -	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
> -	if (entry == NULL)
> -		goto out_entry;
> -	entry->family = AF_INET6;
> -	if (domain != NULL) {
> -		entry->domain = kstrdup(domain, GFP_ATOMIC);
> -		if (entry->domain == NULL)
> -			goto out_domain;
> -	}
> -
> -	if (addr == NULL && mask == NULL) {
> -		entry->def.calipso = doi_def;
> -		entry->def.type = NETLBL_NLTYPE_CALIPSO;
> -	} else if (addr != NULL && mask != NULL) {
> -		addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
> -		if (addrmap == NULL)
> -			goto out_addrmap;
> -		INIT_LIST_HEAD(&addrmap->list4);
> -		INIT_LIST_HEAD(&addrmap->list6);
> -
> -		addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
> -		if (addrinfo == NULL)
> -			goto out_addrinfo;
> -		addrinfo->def.calipso = doi_def;
> -		addrinfo->def.type = NETLBL_NLTYPE_CALIPSO;
> -		addrinfo->list.addr = *addr;
> -		addrinfo->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
> -		addrinfo->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
> -		addrinfo->list.addr.s6_addr32[2] &= mask->s6_addr32[2];
> -		addrinfo->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
> -		addrinfo->list.mask = *mask;
> -		addrinfo->list.valid = 1;
> -		ret_val = netlbl_af6list_add(&addrinfo->list, &addrmap->list6);
> -		if (ret_val != 0)
> -			goto cfg_calipso_map_add_failure;
> -
> -		entry->def.addrsel = addrmap;
> -		entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
> -	} else {
> -		ret_val = -EINVAL;
> -		goto out_addrmap;
> -	}
> -
> -	ret_val = netlbl_domhsh_add(entry, audit_info);
> -	if (ret_val != 0)
> -		goto cfg_calipso_map_add_failure;
> -
> -	return 0;
> -
> -cfg_calipso_map_add_failure:
> -	kfree(addrinfo);
> -out_addrinfo:
> -	kfree(addrmap);
> -out_addrmap:
> -	kfree(entry->domain);
> -out_domain:
> -	kfree(entry);
> -out_entry:
> -	calipso_doi_putdef(doi_def);
> -	return ret_val;
> -#else /* IPv6 */
> -	return -ENOSYS;
> -#endif /* IPv6 */
> -}
> -
>  /*
>   * Security Attribute Functions
>   */
Dr. David Alan Gilbert Feb. 20, 2025, 4:48 p.m. UTC | #2
* Casey Schaufler (casey@schaufler-ca.com) wrote:
> On 2/20/2025 6:08 AM, linux@treblig.org wrote:
> > From: "Dr. David Alan Gilbert" <linux@treblig.org>
> >
> > netlbl_cfg_calipso_map_add(), netlbl_cfg_calipso_add() and
> > netlbl_cfg_calipso_del() were added in 2016 as part of
> > commit 3f09354ac84c ("netlabel: Implement CALIPSO config functions for
> > SMACK.")
> >
> > Remove them.
> 
> Please don't. The Smack CALIPSO implementation has been delayed
> for a number of reasons, some better than others, but is still on
> the roadmap.

Hmm OK.
If it makes it to 10 years next year then perhaps it should hold
a birthday party!

Dave

> 
> >
> > (I see a few other changes in that original commit, whether they
> > are reachable I'm not sure).
> >
> > Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
> > ---
> >  include/net/netlabel.h       |  26 -------
> >  net/netlabel/netlabel_kapi.c | 133 -----------------------------------
> >  2 files changed, 159 deletions(-)
> >
> > diff --git a/include/net/netlabel.h b/include/net/netlabel.h
> > index 02914b1df38b..37c9bcfd5345 100644
> > --- a/include/net/netlabel.h
> > +++ b/include/net/netlabel.h
> > @@ -435,14 +435,6 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
> >  			       const struct in_addr *addr,
> >  			       const struct in_addr *mask,
> >  			       struct netlbl_audit *audit_info);
> > -int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
> > -			   struct netlbl_audit *audit_info);
> > -void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info);
> > -int netlbl_cfg_calipso_map_add(u32 doi,
> > -			       const char *domain,
> > -			       const struct in6_addr *addr,
> > -			       const struct in6_addr *mask,
> > -			       struct netlbl_audit *audit_info);
> >  /*
> >   * LSM security attribute operations
> >   */
> > @@ -561,24 +553,6 @@ static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
> >  {
> >  	return -ENOSYS;
> >  }
> > -static inline int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
> > -					 struct netlbl_audit *audit_info)
> > -{
> > -	return -ENOSYS;
> > -}
> > -static inline void netlbl_cfg_calipso_del(u32 doi,
> > -					  struct netlbl_audit *audit_info)
> > -{
> > -	return;
> > -}
> > -static inline int netlbl_cfg_calipso_map_add(u32 doi,
> > -					     const char *domain,
> > -					     const struct in6_addr *addr,
> > -					     const struct in6_addr *mask,
> > -					     struct netlbl_audit *audit_info)
> > -{
> > -	return -ENOSYS;
> > -}
> >  static inline int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap,
> >  				     u32 offset)
> >  {
> > diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> > index cd9160bbc919..13b4bc1c30ec 100644
> > --- a/net/netlabel/netlabel_kapi.c
> > +++ b/net/netlabel/netlabel_kapi.c
> > @@ -394,139 +394,6 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
> >  	return ret_val;
> >  }
> >  
> > -/**
> > - * netlbl_cfg_calipso_add - Add a new CALIPSO DOI definition
> > - * @doi_def: CALIPSO DOI definition
> > - * @audit_info: NetLabel audit information
> > - *
> > - * Description:
> > - * Add a new CALIPSO DOI definition as defined by @doi_def.  Returns zero on
> > - * success and negative values on failure.
> > - *
> > - */
> > -int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
> > -			   struct netlbl_audit *audit_info)
> > -{
> > -#if IS_ENABLED(CONFIG_IPV6)
> > -	return calipso_doi_add(doi_def, audit_info);
> > -#else /* IPv6 */
> > -	return -ENOSYS;
> > -#endif /* IPv6 */
> > -}
> > -
> > -/**
> > - * netlbl_cfg_calipso_del - Remove an existing CALIPSO DOI definition
> > - * @doi: CALIPSO DOI
> > - * @audit_info: NetLabel audit information
> > - *
> > - * Description:
> > - * Remove an existing CALIPSO DOI definition matching @doi.  Returns zero on
> > - * success and negative values on failure.
> > - *
> > - */
> > -void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info)
> > -{
> > -#if IS_ENABLED(CONFIG_IPV6)
> > -	calipso_doi_remove(doi, audit_info);
> > -#endif /* IPv6 */
> > -}
> > -
> > -/**
> > - * netlbl_cfg_calipso_map_add - Add a new CALIPSO DOI mapping
> > - * @doi: the CALIPSO DOI
> > - * @domain: the domain mapping to add
> > - * @addr: IP address
> > - * @mask: IP address mask
> > - * @audit_info: NetLabel audit information
> > - *
> > - * Description:
> > - * Add a new NetLabel/LSM domain mapping for the given CALIPSO DOI to the
> > - * NetLabel subsystem.  A @domain value of NULL adds a new default domain
> > - * mapping.  Returns zero on success, negative values on failure.
> > - *
> > - */
> > -int netlbl_cfg_calipso_map_add(u32 doi,
> > -			       const char *domain,
> > -			       const struct in6_addr *addr,
> > -			       const struct in6_addr *mask,
> > -			       struct netlbl_audit *audit_info)
> > -{
> > -#if IS_ENABLED(CONFIG_IPV6)
> > -	int ret_val = -ENOMEM;
> > -	struct calipso_doi *doi_def;
> > -	struct netlbl_dom_map *entry;
> > -	struct netlbl_domaddr_map *addrmap = NULL;
> > -	struct netlbl_domaddr6_map *addrinfo = NULL;
> > -
> > -	doi_def = calipso_doi_getdef(doi);
> > -	if (doi_def == NULL)
> > -		return -ENOENT;
> > -
> > -	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
> > -	if (entry == NULL)
> > -		goto out_entry;
> > -	entry->family = AF_INET6;
> > -	if (domain != NULL) {
> > -		entry->domain = kstrdup(domain, GFP_ATOMIC);
> > -		if (entry->domain == NULL)
> > -			goto out_domain;
> > -	}
> > -
> > -	if (addr == NULL && mask == NULL) {
> > -		entry->def.calipso = doi_def;
> > -		entry->def.type = NETLBL_NLTYPE_CALIPSO;
> > -	} else if (addr != NULL && mask != NULL) {
> > -		addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
> > -		if (addrmap == NULL)
> > -			goto out_addrmap;
> > -		INIT_LIST_HEAD(&addrmap->list4);
> > -		INIT_LIST_HEAD(&addrmap->list6);
> > -
> > -		addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
> > -		if (addrinfo == NULL)
> > -			goto out_addrinfo;
> > -		addrinfo->def.calipso = doi_def;
> > -		addrinfo->def.type = NETLBL_NLTYPE_CALIPSO;
> > -		addrinfo->list.addr = *addr;
> > -		addrinfo->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
> > -		addrinfo->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
> > -		addrinfo->list.addr.s6_addr32[2] &= mask->s6_addr32[2];
> > -		addrinfo->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
> > -		addrinfo->list.mask = *mask;
> > -		addrinfo->list.valid = 1;
> > -		ret_val = netlbl_af6list_add(&addrinfo->list, &addrmap->list6);
> > -		if (ret_val != 0)
> > -			goto cfg_calipso_map_add_failure;
> > -
> > -		entry->def.addrsel = addrmap;
> > -		entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
> > -	} else {
> > -		ret_val = -EINVAL;
> > -		goto out_addrmap;
> > -	}
> > -
> > -	ret_val = netlbl_domhsh_add(entry, audit_info);
> > -	if (ret_val != 0)
> > -		goto cfg_calipso_map_add_failure;
> > -
> > -	return 0;
> > -
> > -cfg_calipso_map_add_failure:
> > -	kfree(addrinfo);
> > -out_addrinfo:
> > -	kfree(addrmap);
> > -out_addrmap:
> > -	kfree(entry->domain);
> > -out_domain:
> > -	kfree(entry);
> > -out_entry:
> > -	calipso_doi_putdef(doi_def);
> > -	return ret_val;
> > -#else /* IPv6 */
> > -	return -ENOSYS;
> > -#endif /* IPv6 */
> > -}
> > -
> >  /*
> >   * Security Attribute Functions
> >   */
>
Casey Schaufler Feb. 20, 2025, 5:03 p.m. UTC | #3
On 2/20/2025 8:48 AM, Dr. David Alan Gilbert wrote:
> * Casey Schaufler (casey@schaufler-ca.com) wrote:
>> On 2/20/2025 6:08 AM, linux@treblig.org wrote:
>>> From: "Dr. David Alan Gilbert" <linux@treblig.org>
>>>
>>> netlbl_cfg_calipso_map_add(), netlbl_cfg_calipso_add() and
>>> netlbl_cfg_calipso_del() were added in 2016 as part of
>>> commit 3f09354ac84c ("netlabel: Implement CALIPSO config functions for
>>> SMACK.")
>>>
>>> Remove them.
>> Please don't. The Smack CALIPSO implementation has been delayed
>> for a number of reasons, some better than others, but is still on
>> the roadmap.
> Hmm OK.
> If it makes it to 10 years next year then perhaps it should hold
> a birthday party!

The difference between network and security developers is that a
network developer thinks 10 microseconds is a long time, while a
security developer thinks 10 years is no time at all.

>
> Dave
>
>>> (I see a few other changes in that original commit, whether they
>>> are reachable I'm not sure).
>>>
>>> Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
>>> ---
>>>  include/net/netlabel.h       |  26 -------
>>>  net/netlabel/netlabel_kapi.c | 133 -----------------------------------
>>>  2 files changed, 159 deletions(-)
>>>
>>> diff --git a/include/net/netlabel.h b/include/net/netlabel.h
>>> index 02914b1df38b..37c9bcfd5345 100644
>>> --- a/include/net/netlabel.h
>>> +++ b/include/net/netlabel.h
>>> @@ -435,14 +435,6 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
>>>  			       const struct in_addr *addr,
>>>  			       const struct in_addr *mask,
>>>  			       struct netlbl_audit *audit_info);
>>> -int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
>>> -			   struct netlbl_audit *audit_info);
>>> -void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info);
>>> -int netlbl_cfg_calipso_map_add(u32 doi,
>>> -			       const char *domain,
>>> -			       const struct in6_addr *addr,
>>> -			       const struct in6_addr *mask,
>>> -			       struct netlbl_audit *audit_info);
>>>  /*
>>>   * LSM security attribute operations
>>>   */
>>> @@ -561,24 +553,6 @@ static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
>>>  {
>>>  	return -ENOSYS;
>>>  }
>>> -static inline int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
>>> -					 struct netlbl_audit *audit_info)
>>> -{
>>> -	return -ENOSYS;
>>> -}
>>> -static inline void netlbl_cfg_calipso_del(u32 doi,
>>> -					  struct netlbl_audit *audit_info)
>>> -{
>>> -	return;
>>> -}
>>> -static inline int netlbl_cfg_calipso_map_add(u32 doi,
>>> -					     const char *domain,
>>> -					     const struct in6_addr *addr,
>>> -					     const struct in6_addr *mask,
>>> -					     struct netlbl_audit *audit_info)
>>> -{
>>> -	return -ENOSYS;
>>> -}
>>>  static inline int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap,
>>>  				     u32 offset)
>>>  {
>>> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
>>> index cd9160bbc919..13b4bc1c30ec 100644
>>> --- a/net/netlabel/netlabel_kapi.c
>>> +++ b/net/netlabel/netlabel_kapi.c
>>> @@ -394,139 +394,6 @@ int netlbl_cfg_cipsov4_map_add(u32 doi,
>>>  	return ret_val;
>>>  }
>>>  
>>> -/**
>>> - * netlbl_cfg_calipso_add - Add a new CALIPSO DOI definition
>>> - * @doi_def: CALIPSO DOI definition
>>> - * @audit_info: NetLabel audit information
>>> - *
>>> - * Description:
>>> - * Add a new CALIPSO DOI definition as defined by @doi_def.  Returns zero on
>>> - * success and negative values on failure.
>>> - *
>>> - */
>>> -int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
>>> -			   struct netlbl_audit *audit_info)
>>> -{
>>> -#if IS_ENABLED(CONFIG_IPV6)
>>> -	return calipso_doi_add(doi_def, audit_info);
>>> -#else /* IPv6 */
>>> -	return -ENOSYS;
>>> -#endif /* IPv6 */
>>> -}
>>> -
>>> -/**
>>> - * netlbl_cfg_calipso_del - Remove an existing CALIPSO DOI definition
>>> - * @doi: CALIPSO DOI
>>> - * @audit_info: NetLabel audit information
>>> - *
>>> - * Description:
>>> - * Remove an existing CALIPSO DOI definition matching @doi.  Returns zero on
>>> - * success and negative values on failure.
>>> - *
>>> - */
>>> -void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info)
>>> -{
>>> -#if IS_ENABLED(CONFIG_IPV6)
>>> -	calipso_doi_remove(doi, audit_info);
>>> -#endif /* IPv6 */
>>> -}
>>> -
>>> -/**
>>> - * netlbl_cfg_calipso_map_add - Add a new CALIPSO DOI mapping
>>> - * @doi: the CALIPSO DOI
>>> - * @domain: the domain mapping to add
>>> - * @addr: IP address
>>> - * @mask: IP address mask
>>> - * @audit_info: NetLabel audit information
>>> - *
>>> - * Description:
>>> - * Add a new NetLabel/LSM domain mapping for the given CALIPSO DOI to the
>>> - * NetLabel subsystem.  A @domain value of NULL adds a new default domain
>>> - * mapping.  Returns zero on success, negative values on failure.
>>> - *
>>> - */
>>> -int netlbl_cfg_calipso_map_add(u32 doi,
>>> -			       const char *domain,
>>> -			       const struct in6_addr *addr,
>>> -			       const struct in6_addr *mask,
>>> -			       struct netlbl_audit *audit_info)
>>> -{
>>> -#if IS_ENABLED(CONFIG_IPV6)
>>> -	int ret_val = -ENOMEM;
>>> -	struct calipso_doi *doi_def;
>>> -	struct netlbl_dom_map *entry;
>>> -	struct netlbl_domaddr_map *addrmap = NULL;
>>> -	struct netlbl_domaddr6_map *addrinfo = NULL;
>>> -
>>> -	doi_def = calipso_doi_getdef(doi);
>>> -	if (doi_def == NULL)
>>> -		return -ENOENT;
>>> -
>>> -	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
>>> -	if (entry == NULL)
>>> -		goto out_entry;
>>> -	entry->family = AF_INET6;
>>> -	if (domain != NULL) {
>>> -		entry->domain = kstrdup(domain, GFP_ATOMIC);
>>> -		if (entry->domain == NULL)
>>> -			goto out_domain;
>>> -	}
>>> -
>>> -	if (addr == NULL && mask == NULL) {
>>> -		entry->def.calipso = doi_def;
>>> -		entry->def.type = NETLBL_NLTYPE_CALIPSO;
>>> -	} else if (addr != NULL && mask != NULL) {
>>> -		addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
>>> -		if (addrmap == NULL)
>>> -			goto out_addrmap;
>>> -		INIT_LIST_HEAD(&addrmap->list4);
>>> -		INIT_LIST_HEAD(&addrmap->list6);
>>> -
>>> -		addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
>>> -		if (addrinfo == NULL)
>>> -			goto out_addrinfo;
>>> -		addrinfo->def.calipso = doi_def;
>>> -		addrinfo->def.type = NETLBL_NLTYPE_CALIPSO;
>>> -		addrinfo->list.addr = *addr;
>>> -		addrinfo->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
>>> -		addrinfo->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
>>> -		addrinfo->list.addr.s6_addr32[2] &= mask->s6_addr32[2];
>>> -		addrinfo->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
>>> -		addrinfo->list.mask = *mask;
>>> -		addrinfo->list.valid = 1;
>>> -		ret_val = netlbl_af6list_add(&addrinfo->list, &addrmap->list6);
>>> -		if (ret_val != 0)
>>> -			goto cfg_calipso_map_add_failure;
>>> -
>>> -		entry->def.addrsel = addrmap;
>>> -		entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
>>> -	} else {
>>> -		ret_val = -EINVAL;
>>> -		goto out_addrmap;
>>> -	}
>>> -
>>> -	ret_val = netlbl_domhsh_add(entry, audit_info);
>>> -	if (ret_val != 0)
>>> -		goto cfg_calipso_map_add_failure;
>>> -
>>> -	return 0;
>>> -
>>> -cfg_calipso_map_add_failure:
>>> -	kfree(addrinfo);
>>> -out_addrinfo:
>>> -	kfree(addrmap);
>>> -out_addrmap:
>>> -	kfree(entry->domain);
>>> -out_domain:
>>> -	kfree(entry);
>>> -out_entry:
>>> -	calipso_doi_putdef(doi_def);
>>> -	return ret_val;
>>> -#else /* IPv6 */
>>> -	return -ENOSYS;
>>> -#endif /* IPv6 */
>>> -}
>>> -
>>>  /*
>>>   * Security Attribute Functions
>>>   */
Paul Moore Feb. 20, 2025, 5:37 p.m. UTC | #4
On Thu, Feb 20, 2025 at 12:03 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 2/20/2025 8:48 AM, Dr. David Alan Gilbert wrote:
> > * Casey Schaufler (casey@schaufler-ca.com) wrote:
> >> On 2/20/2025 6:08 AM, linux@treblig.org wrote:
> >>> From: "Dr. David Alan Gilbert" <linux@treblig.org>
> >>>
> >>> netlbl_cfg_calipso_map_add(), netlbl_cfg_calipso_add() and
> >>> netlbl_cfg_calipso_del() were added in 2016 as part of
> >>> commit 3f09354ac84c ("netlabel: Implement CALIPSO config functions for
> >>> SMACK.")
> >>>
> >>> Remove them.
> >> Please don't. The Smack CALIPSO implementation has been delayed
> >> for a number of reasons, some better than others, but is still on
> >> the roadmap.
> > Hmm OK.
> > If it makes it to 10 years next year then perhaps it should hold
> > a birthday party!
>
> The difference between network and security developers is that a
> network developer thinks 10 microseconds is a long time, while a
> security developer thinks 10 years is no time at all.

 :)

There are also far more devs interested in working on the network
stack than there are those interested in working on access control
mechanisms.  Sadly those of us playing in the access control space
often have to make hard choices about what things to work on, and
some things get delayed far more than we would like.

Patch

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 02914b1df38b..37c9bcfd5345 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -435,14 +435,6 @@  int netlbl_cfg_cipsov4_map_add(u32 doi,
 			       const struct in_addr *addr,
 			       const struct in_addr *mask,
 			       struct netlbl_audit *audit_info);
-int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
-			   struct netlbl_audit *audit_info);
-void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info);
-int netlbl_cfg_calipso_map_add(u32 doi,
-			       const char *domain,
-			       const struct in6_addr *addr,
-			       const struct in6_addr *mask,
-			       struct netlbl_audit *audit_info);
 /*
  * LSM security attribute operations
  */
@@ -561,24 +553,6 @@  static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
 {
 	return -ENOSYS;
 }
-static inline int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
-					 struct netlbl_audit *audit_info)
-{
-	return -ENOSYS;
-}
-static inline void netlbl_cfg_calipso_del(u32 doi,
-					  struct netlbl_audit *audit_info)
-{
-	return;
-}
-static inline int netlbl_cfg_calipso_map_add(u32 doi,
-					     const char *domain,
-					     const struct in6_addr *addr,
-					     const struct in6_addr *mask,
-					     struct netlbl_audit *audit_info)
-{
-	return -ENOSYS;
-}
 static inline int netlbl_catmap_walk(struct netlbl_lsm_catmap *catmap,
 				     u32 offset)
 {
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index cd9160bbc919..13b4bc1c30ec 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -394,139 +394,6 @@  int netlbl_cfg_cipsov4_map_add(u32 doi,
 	return ret_val;
 }
 
-/**
- * netlbl_cfg_calipso_add - Add a new CALIPSO DOI definition
- * @doi_def: CALIPSO DOI definition
- * @audit_info: NetLabel audit information
- *
- * Description:
- * Add a new CALIPSO DOI definition as defined by @doi_def.  Returns zero on
- * success and negative values on failure.
- *
- */
-int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
-			   struct netlbl_audit *audit_info)
-{
-#if IS_ENABLED(CONFIG_IPV6)
-	return calipso_doi_add(doi_def, audit_info);
-#else /* IPv6 */
-	return -ENOSYS;
-#endif /* IPv6 */
-}
-
-/**
- * netlbl_cfg_calipso_del - Remove an existing CALIPSO DOI definition
- * @doi: CALIPSO DOI
- * @audit_info: NetLabel audit information
- *
- * Description:
- * Remove an existing CALIPSO DOI definition matching @doi.  Returns zero on
- * success and negative values on failure.
- *
- */
-void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info)
-{
-#if IS_ENABLED(CONFIG_IPV6)
-	calipso_doi_remove(doi, audit_info);
-#endif /* IPv6 */
-}
-
-/**
- * netlbl_cfg_calipso_map_add - Add a new CALIPSO DOI mapping
- * @doi: the CALIPSO DOI
- * @domain: the domain mapping to add
- * @addr: IP address
- * @mask: IP address mask
- * @audit_info: NetLabel audit information
- *
- * Description:
- * Add a new NetLabel/LSM domain mapping for the given CALIPSO DOI to the
- * NetLabel subsystem.  A @domain value of NULL adds a new default domain
- * mapping.  Returns zero on success, negative values on failure.
- *
- */
-int netlbl_cfg_calipso_map_add(u32 doi,
-			       const char *domain,
-			       const struct in6_addr *addr,
-			       const struct in6_addr *mask,
-			       struct netlbl_audit *audit_info)
-{
-#if IS_ENABLED(CONFIG_IPV6)
-	int ret_val = -ENOMEM;
-	struct calipso_doi *doi_def;
-	struct netlbl_dom_map *entry;
-	struct netlbl_domaddr_map *addrmap = NULL;
-	struct netlbl_domaddr6_map *addrinfo = NULL;
-
-	doi_def = calipso_doi_getdef(doi);
-	if (doi_def == NULL)
-		return -ENOENT;
-
-	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
-	if (entry == NULL)
-		goto out_entry;
-	entry->family = AF_INET6;
-	if (domain != NULL) {
-		entry->domain = kstrdup(domain, GFP_ATOMIC);
-		if (entry->domain == NULL)
-			goto out_domain;
-	}
-
-	if (addr == NULL && mask == NULL) {
-		entry->def.calipso = doi_def;
-		entry->def.type = NETLBL_NLTYPE_CALIPSO;
-	} else if (addr != NULL && mask != NULL) {
-		addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
-		if (addrmap == NULL)
-			goto out_addrmap;
-		INIT_LIST_HEAD(&addrmap->list4);
-		INIT_LIST_HEAD(&addrmap->list6);
-
-		addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
-		if (addrinfo == NULL)
-			goto out_addrinfo;
-		addrinfo->def.calipso = doi_def;
-		addrinfo->def.type = NETLBL_NLTYPE_CALIPSO;
-		addrinfo->list.addr = *addr;
-		addrinfo->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
-		addrinfo->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
-		addrinfo->list.addr.s6_addr32[2] &= mask->s6_addr32[2];
-		addrinfo->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
-		addrinfo->list.mask = *mask;
-		addrinfo->list.valid = 1;
-		ret_val = netlbl_af6list_add(&addrinfo->list, &addrmap->list6);
-		if (ret_val != 0)
-			goto cfg_calipso_map_add_failure;
-
-		entry->def.addrsel = addrmap;
-		entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
-	} else {
-		ret_val = -EINVAL;
-		goto out_addrmap;
-	}
-
-	ret_val = netlbl_domhsh_add(entry, audit_info);
-	if (ret_val != 0)
-		goto cfg_calipso_map_add_failure;
-
-	return 0;
-
-cfg_calipso_map_add_failure:
-	kfree(addrinfo);
-out_addrinfo:
-	kfree(addrmap);
-out_addrmap:
-	kfree(entry->domain);
-out_domain:
-	kfree(entry);
-out_entry:
-	calipso_doi_putdef(doi_def);
-	return ret_val;
-#else /* IPv6 */
-	return -ENOSYS;
-#endif /* IPv6 */
-}
-
 /*
  * Security Attribute Functions
  */