linux.git/net/netlabel, branch v2.6.22-rc4 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git SELinux: extract the NetLabel SELinux support from the security server 2007-04-26T05:35:48+00:00 Paul Moore paul.moore@hp.com 2007-02-28T20:14:22+00:00 5778eabd9cdbf16ea3e40248c452b4fd25554d11 Up until this patch the functions which have provided NetLabel support to SELinux have been integrated into the SELinux security server, which for various reasons is not really ideal. This patch makes an effort to extract as much of the NetLabel support from the security server as possibile and move it into it's own file within the SELinux directory structure. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 
Up until this patch the functions which have provided NetLabel support to
SELinux have been integrated into the SELinux security server, which for
various reasons is not really ideal.  This patch makes an effort to extract as
much of the NetLabel support from the security server as possibile and move it
into it's own file within the SELinux directory structure.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
[NET]: Fix kfree(skb) 2007-02-28T17:42:14+00:00 Patrick McHardy kaber@trash.net 2007-02-27T17:57:37+00:00 b08d5840d2c5a6ac0bce172f4c861974d718e34b Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET] NETLABEL: Fix whitespace errors. 2007-02-11T07:19:56+00:00 YOSHIFUJI Hideaki yoshfuji@linux-ipv6.org 2007-02-09T14:25:05+00:00 e1a95265b44ca31456adaacebebcde12714f0c03 Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
NetLabel: correct CIPSO tag handling when adding new DOI definitions 2007-01-09T08:30:01+00:00 Paul Moore paul.moore@hp.com 2007-01-05T20:08:22+00:00 2a2f11c227bdf292b3a2900ad04139d301b56ac4 The current netlbl_cipsov4_add_common() function has two problems which are fixed with this patch. The first is an off-by-one bug where it is possibile to overflow the doi_def->tags[] array. The second is a bug where the same doi_def->tags[] array was not always fully initialized, which caused sporadic failures. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 
The current netlbl_cipsov4_add_common() function has two problems which are
fixed with this patch.  The first is an off-by-one bug where it is possibile to
overflow the doi_def->tags[] array.  The second is a bug where the same
doi_def->tags[] array was not always fully initialized, which caused sporadic
failures.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
NetLabel: correctly fill in unused CIPSOv4 level and category mappings 2006-12-22T19:11:58+00:00 Paul Moore paul.moore@hp.com 2006-12-15T21:49:28+00:00 caff5b6a6bfd0c55b359b2b4acd8c14f828b689e Back when the original NetLabel patches were being changed to use Netlink attributes correctly some code was accidentially dropped which set all of the undefined CIPSOv4 level and category mappings to a sentinel value. The result is the mappings data in the kernel contains bogus mappings which always map to zero. This patch restores the old/correct behavior by initializing the mapping data to the correct sentinel value. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 
Back when the original NetLabel patches were being changed to use Netlink
attributes correctly some code was accidentially dropped which set all of the
undefined CIPSOv4 level and category mappings to a sentinel value.  The result
is the mappings data in the kernel contains bogus mappings which always map to
zero.  This patch restores the old/correct behavior by initializing the mapping
data to the correct sentinel value.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
NetLabel: perform input validation earlier on CIPSOv4 DOI add ops 2006-12-22T19:11:56+00:00 Paul Moore paul.moore@hp.com 2006-12-15T21:49:27+00:00 1fd2a25b77bb6755d38aca50b826ff8dca81d762 There are a couple of cases where the user input for a CIPSOv4 DOI add operation was not being done soon enough; the result was unexpected behavior which was resulting in oops/panics/lockups on some platforms. This patch moves the existing input validation code earlier in the code path to protect against bogus user input. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 
There are a couple of cases where the user input for a CIPSOv4 DOI add
operation was not being done soon enough; the result was unexpected behavior
which was resulting in oops/panics/lockups on some platforms.  This patch moves
the existing input validation code earlier in the code path to protect against
bogus user input.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
NetLabel: convert to an extensibile/sparse category bitmap 2006-12-03T05:31:36+00:00 Paul Moore paul.moore@hp.com 2006-11-29T18:18:18+00:00 02752760359db6b00a3ffb1acfc13ef8d9eb1e3f The original NetLabel category bitmap was a straight char bitmap which worked fine for the initial release as it only supported 240 bits due to limitations in the CIPSO restricted bitmap tag (tag type 0x01). This patch converts that straight char bitmap into an extensibile/sparse bitmap in order to lay the foundation for other CIPSO tag types and protocols. This patch also has a nice side effect in that all of the security attributes passed by NetLabel into the LSM are now in a format which is in the host's native byte/bit ordering which makes the LSM specific code much simpler; look at the changes in security/selinux/ss/ebitmap.c as an example. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 
The original NetLabel category bitmap was a straight char bitmap which worked
fine for the initial release as it only supported 240 bits due to limitations
in the CIPSO restricted bitmap tag (tag type 0x01).  This patch converts that
straight char bitmap into an extensibile/sparse bitmap in order to lay the
foundation for other CIPSO tag types and protocols.

This patch also has a nice side effect in that all of the security attributes
passed by NetLabel into the LSM are now in a format which is in the host's
native byte/bit ordering which makes the LSM specific code much simpler; look
at the changes in security/selinux/ss/ebitmap.c as an example.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
NetLabel: honor the audit_enabled flag 2006-12-03T05:24:15+00:00 Paul Moore paul.moore@hp.com 2006-11-17T22:38:55+00:00 de64688ffb952a65ddbc5295ccd235d35f292593 The audit_enabled flag is used to signal when syscall auditing is to be performed. While NetLabel uses a Netlink interface instead of syscalls, it is reasonable to consider the NetLabel Netlink interface as a form of syscall so pay attention to the audit_enabled flag when generating audit messages in NetLabel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 
The audit_enabled flag is used to signal when syscall auditing is to be
performed.  While NetLabel uses a Netlink interface instead of syscalls, it is
reasonable to consider the NetLabel Netlink interface as a form of syscall so
pay attention to the audit_enabled flag when generating audit messages in
NetLabel.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
NetLabel: check for a CIPSOv4 option before we do call into the CIPSOv4 layer 2006-12-03T05:24:08+00:00 Paul Moore paul.moore@hp.com 2006-11-17T22:38:47+00:00 05e00cbf5036929355020dab4837b637203a0742 Right now the NetLabel code always jumps into the CIPSOv4 layer to determine if a CIPSO IP option is present. However, we can do this check directly in the NetLabel code by making use of the CIPSO_V4_OPTEXIST() macro which should save us a function call in the common case of not having a CIPSOv4 option present. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 
Right now the NetLabel code always jumps into the CIPSOv4 layer to determine if
a CIPSO IP option is present.  However, we can do this check directly in the
NetLabel code by making use of the CIPSO_V4_OPTEXIST() macro which should save
us a function call in the common case of not having a CIPSOv4 option present.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
NetLabel: make netlbl_lsm_secattr struct easier/quicker to understand 2006-12-03T05:24:07+00:00 Paul Moore paul.moore@hp.com 2006-11-17T22:38:46+00:00 701a90bad99b8081a824cca52c178c8fc8f46bb2 The existing netlbl_lsm_secattr struct required the LSM to check all of the fields to determine if any security attributes were present resulting in a lot of work in the common case of no attributes. This patch adds a 'flags' field which is used to indicate which attributes are present in the structure; this should allow the LSM to do a quick comparison to determine if the structure holds any security attributes. Example: if (netlbl_lsm_secattr->flags) /* security attributes present */ else /* NO security attributes present */ Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 
The existing netlbl_lsm_secattr struct required the LSM to check all of the
fields to determine if any security attributes were present resulting in a lot
of work in the common case of no attributes.  This patch adds a 'flags' field
which is used to indicate which attributes are present in the structure; this
should allow the LSM to do a quick comparison to determine if the structure
holds any security attributes.

Example:

 if (netlbl_lsm_secattr->flags)
	/* security attributes present */
 else
	/* NO security attributes present */

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>