linux.git/net/netlabel, branch v2.6.26-rc7 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Audit: collect sessionid in netlink messages 2008-04-28T10:18:03+00:00 Eric Paris eparis@redhat.com 2008-04-18T14:09:25+00:00 2532386f480eefbdd67b48be55fb4fb3e5a6081c Previously I added sessionid output to all audit messages where it was available but we still didn't know the sessionid of the sender of netlink messages. This patch adds that information to netlink messages so we can audit who sent netlink messages. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Previously I added sessionid output to all audit messages where it was
available but we still didn't know the sessionid of the sender of
netlink messages.  This patch adds that information to netlink messages
so we can audit who sent netlink messages.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[NETLABEL]: Fix NULL deref in netlbl_unlabel_staticlist_gen() if ifindex not found 2008-04-18T06:22:54+00:00 Jesper Juhl jesper.juhl@gmail.com 2008-04-18T06:22:54+00:00 794eb6bf20ebf992c040ea831cd3a9c64b0c1f7a dev_get_by_index() may return NULL if nothing is found. In net/netlabel/netlabel_unlabeled.c::netlbl_unlabel_staticlist_gen() the function is called, but the return value is never checked. If it returns NULL then we'll deref a NULL pointer on the very next line. I checked the callers, and I don't think this can actually happen today, but code changes over time and in the future it might happen and it does no harm to be defensive and check for the failure, so that if/when it happens we'll fail gracefully instead of crashing. Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
dev_get_by_index() may return NULL if nothing is found. In 
net/netlabel/netlabel_unlabeled.c::netlbl_unlabel_staticlist_gen() the 
function is called, but the return value is never checked. If it returns 
NULL then we'll deref a NULL pointer on the very next line.
I checked the callers, and I don't think this can actually happen today, 
but code changes over time and in the future it might happen and it does 
no harm to be defensive and check for the failure, so that if/when it 
happens we'll fail gracefully instead of crashing.

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET] NETNS: Omit net_device->nd_net without CONFIG_NET_NS. 2008-03-25T19:39:53+00:00 YOSHIFUJI Hideaki yoshfuji@linux-ipv6.org 2008-03-25T12:47:49+00:00 c346dca10840a874240c78efe3f39acf4312a1f2 Introduce per-net_device inlines: dev_net(), dev_net_set(). Without CONFIG_NET_NS, no namespace other than &init_net exists. Let's explicitly define them to help compiler optimizations. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> 
Introduce per-net_device inlines: dev_net(), dev_net_set().
Without CONFIG_NET_NS, no namespace other than &init_net exists.
Let's explicitly define them to help compiler optimizations.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
[NETLABEL]: Move some initialization code into __init section. 2008-02-18T06:33:57+00:00 Pavel Emelyanov xemul@openvz.org 2008-02-18T06:33:57+00:00 05705e4e1158ad2c1a22817f27d91ff0758fd0a9 Everything that is called from netlbl_init() can be marked with __init. This moves 620 bytes from .text section to .text.init one. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Everything that is called from netlbl_init() can be marked with
__init. This moves 620 bytes from .text section to .text.init one.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETLABEL]: Shrink the genl-ops registration code. 2008-02-18T06:33:16+00:00 Pavel Emelyanov xemul@openvz.org 2008-02-18T06:33:16+00:00 227c43c3bca76df704231324405980851dc7f528 Turning them to array and registration in a loop saves 80 lines of code and ~300 bytes from text section. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Turning them to array and registration in a loop saves
80 lines of code and ~300 bytes from text section.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETLABLE]: Hide netlbl_unlabel_audit_addr6 under ifdef CONFIG_IPV6. 2008-02-13T06:38:06+00:00 Pavel Emelyanov xemul@openvz.org 2008-02-13T06:38:06+00:00 370125f0a48a2584a2506fd567d690df6d87cf2c This one is called from under this config only, so move it in the same place. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
This one is called from under this config only, so move
it in the same place.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETLABEL]: Don't produce unused variables when IPv6 is off. 2008-02-13T06:37:19+00:00 Pavel Emelyanov xemul@openvz.org 2008-02-13T06:37:19+00:00 56628b1d8964eb7ac924154d60b5d874bfb2b1e8 Some code declares variables on the stack, but uses them under #ifdef CONFIG_IPV6, so thay become unused when ipv6 is off. Fortunately, they are used in a switch's case branches, so the fix is rather simple. Is it OK from coding style POV to add braces inside "cases", or should I better avoid such style and rework the patch? Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Some code declares variables on the stack, but uses them
under #ifdef CONFIG_IPV6, so thay become unused when ipv6
is off. Fortunately, they are used in a switch's case
branches, so the fix is rather simple.

Is it OK from coding style POV to add braces inside "cases",
or should I better avoid such style and rework the patch?

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETLABEL]: Compilation for CONFIG_AUDIT=n case. 2008-02-13T06:35:37+00:00 Pavel Emelyanov xemul@openvz.org 2008-02-13T06:35:37+00:00 94de7feb2dee6d0039ecbe98ae8b63bbb63808b6 The audit_log_start() will expand into an empty do { } while (0) construction and the audit_ctx becomes unused. The solution: push current->audit_context into audit_log_start() directly, since it is not required in any other place in the calling function. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
The audit_log_start() will expand into an empty do { } while (0)
construction and the audit_ctx becomes unused.

The solution: push current->audit_context into audit_log_start()
directly, since it is not required in any other place in the 
calling function.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETLABEL]: Fix lookup logic of netlbl_domhsh_search_def. 2008-02-13T06:15:14+00:00 Pavel Emelyanov xemul@openvz.org 2008-02-13T06:15:14+00:00 4c3a0a254e5d706d3fe01bf42261534858d05586 Currently, if the call to netlbl_domhsh_search succeeds the return result will still be NULL. Fix that, by returning the found entry (if any). Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Currently, if the call to netlbl_domhsh_search succeeds the
return result will still be NULL.

Fix that, by returning the found entry (if any).

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
NetLabel: introduce a new kernel configuration API for NetLabel 2008-02-05T17:44:20+00:00 Paul Moore paul.moore@hp.com 2008-02-05T06:29:47+00:00 eda61d32e8ad1d9102872f9a0abf3344bf9c5e67 Add a new set of configuration functions to the NetLabel/LSM API so that LSMs can perform their own configuration of the NetLabel subsystem without relying on assistance from userspace. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: James Morris <jmorris@namei.org> Cc: Chris Wright <chrisw@sous-sol.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Add a new set of configuration functions to the NetLabel/LSM API so that
LSMs can perform their own configuration of the NetLabel subsystem without
relying on assistance from userspace.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: James Morris <jmorris@namei.org>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>