Eric Lee / linux-smarc-t335x-v3.2

21 Oct, 2010

1 commit

  • 2606fd1fa   secmark: make secmark object handling generic ... Browse Code »

    Right now secmark has lots of direct selinux calls. Use all LSM calls and
    remove all SELinux specific knowledge. The only SELinux specific knowledge
    we leave is the mode. The only point is to make sure that other LSMs at
    least test this generic code before they assume it works. (They may also
    have to make changes if they do not represent labels as strings)

    Signed-off-by: Eric Paris
    Acked-by: Paul Moore
    Acked-by: Patrick McHardy
    Signed-off-by: James Morris

    Eric Paris
     

14 Sep, 2009

1 commit

14 Nov, 2008

2 commits

  • 86a264abe   CRED: Wrap current->cred and a few other accessors ... Browse Code »

    Wrap current->cred and a few other accessors to hide their actual
    implementation.

    Signed-off-by: David Howells
    Acked-by: James Morris
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    David Howells
     
  • b6dff3ec5   CRED: Separate task security context from task_struct ... Browse Code »

    Separate the task security context from task_struct. At this point, the
    security data is temporarily embedded in the task_struct with two pointers
    pointing to it.

    Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in
    entry.S via asm-offsets.

    With comment fixes Signed-off-by: Marc Dionne

    Signed-off-by: David Howells
    Acked-by: James Morris
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    David Howells
     

19 Apr, 2008

1 commit

  • 6b89a74be   SELinux: remove redundant exports ... Browse Code »

    Remove the following exported SELinux interfaces:
    selinux_get_inode_sid(inode, sid)
    selinux_get_ipc_sid(ipcp, sid)
    selinux_get_task_sid(tsk, sid)
    selinux_sid_to_string(sid, ctx, len)

    They can be substitued with the following generic equivalents
    respectively:
    new LSM hook, inode_getsecid(inode, secid)
    new LSM hook, ipc_getsecid*(ipcp, secid)
    LSM hook, task_getsecid(tsk, secid)
    LSM hook, sid_to_secctx(sid, ctx, len)

    Signed-off-by: Casey Schaufler
    Signed-off-by: Ahmed S. Darwish
    Acked-by: James Morris
    Reviewed-by: Paul Moore

    Ahmed S. Darwish
     

30 Jan, 2008

1 commit

  • d621d35e5   SELinux: Enable dynamic enable/disable of the network access checks ... Browse Code »

    This patch introduces a mechanism for checking when labeled IPsec or SECMARK
    are in use by keeping introducing a configuration reference counter for each
    subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry
    is created the labeled IPsec/XFRM reference count is increased and when the
    entry is removed it is decreased. In the case of SECMARK, when a SECMARK
    target is created the reference count is increased and later decreased when the
    target is removed. These reference counters allow SELinux to quickly determine
    if either of these subsystems are enabled.

    NetLabel already has a similar mechanism which provides the netlbl_enabled()
    function.

    This patch also renames the selinux_relabel_packet_permission() function to
    selinux_secmark_relabel_packet_permission() as the original name and
    description were misleading in that they referenced a single packet label which
    is not the case.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     

26 Sep, 2006

2 commits

18 Jun, 2006

1 commit

01 May, 2006

4 commits

  • e7c349701   [PATCH] Reworked patch for labels on user space messages ... Browse Code »

    The below patch should be applied after the inode and ipc sid patches.
    This patch is a reworking of Tim's patch that has been updated to match
    the inode and ipc patches since its similar.

    [updated:
    > Stephen Smalley also wanted to change a variable from isec to tsec in the
    > user sid patch. ]

    Signed-off-by: Steve Grubb
    Signed-off-by: Al Viro

    Steve Grubb
     
  • 9c7aa6aa7   [PATCH] change lspp ipc auditing ... Browse Code »

    Hi,

    The patch below converts IPC auditing to collect sid's and convert to context
    string only if it needs to output an audit record. This patch depends on the
    inode audit change patch already being applied.

    Signed-off-by: Steve Grubb

    Signed-off-by: Al Viro

    Steve Grubb
     
  • 1b50eed9c   [PATCH] audit inode patch ... Browse Code »

    Previously, we were gathering the context instead of the sid. Now in this patch,
    we gather just the sid and convert to context only if an audit event is being
    output.

    This patch brings the performance hit from 146% down to 23%

    Signed-off-by: Al Viro

    Steve Grubb
     
  • 376bd9cb3   [PATCH] support for context based audit filtering ... Browse Code »

    The following patch provides selinux interfaces that will allow the audit
    system to perform filtering based on the process context (user, role, type,
    sensitivity, and clearance). These interfaces will allow the selinux
    module to perform efficient matches based on lower level selinux constructs,
    rather than relying on context retrievals and string comparisons within
    the audit module. It also allows for dominance checks on the mls portion
    of the contexts that are impossible with only string comparisons.

    Signed-off-by: Darrel Goeddel
    Signed-off-by: Al Viro

    Darrel Goeddel