08 Jun, 2007
1 commit
-
Currently we check for permission before deleting entries from SAD and
SPD, (see security_xfrm_policy_delete() security_xfrm_state_delete())
However we are not checking for authorization when flushing the SPD and
the SAD completely. It was perhaps missed in the original security hooks
patch.

This patch adds a security check when flushing entries from the SAD and
SPD. It runs the entire database and checks each entry for a denial.
If the process attempting the flush is unable to remove all of the
entries a denial is logged and the flush function returns an error
without removing anything.

This is particularly useful when a process may need to create or delete
its own xfrm entries used for things like labeled networking but that
same process should not be able to delete other entries or flush the
entire database.

Signed-off-by: Joy Latten
Signed-off-by: Eric Paris
Signed-off-by: James Morris
05 May, 2007
2 commits
-
Aggregate the SPD info TLVs.
Signed-off-by: Jamal Hadi Salim
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Aggregate the SAD info TLVs.
Signed-off-by: Jamal Hadi Salim
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Apr, 2007
1 commit
-
With this patch you can use iproute2 in user space to efficiently see
how many policies exist in different directions.

Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
27 Apr, 2007
1 commit
-
This brings the SAD info in sync with net-2.6.22/net-2.6
Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
26 Apr, 2007
9 commits
-
On a system with a lot of SAs, counting SAD entries chews useful
CPU time since you need to dump the whole SAD to user space;
i.e. something like ip xfrm state ls | grep -i src | wc -l
I have seen taking literally minutes on a 40K SAs when the system
is swapping.
With this patch, some of the SAD info (that was already being tracked)
is exposed to user space. i.e. you do:
ip xfrm state count
And you get the count; you can also pass -s to the command line and
get the hash info.

Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
-
Spring cleaning time...
There seems to be a lot of places in the network code that have
extra bogus semicolons after conditionals. Most commonly is a
bogus semicolon after: switch() { }

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
-
Switch cb_lock to mutex and allow netlink kernel users to override it
with a subsystem specific mutex for consistent locking in dump callbacks.
All netlink_dump_start users have been audited not to rely on any
side-effects of the previously used spinlock.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Now that all users of netlink_dump_start() use netlink_run_queue()
to process the receive queue, it is possible to return -EINTR from
netlink_dump_start() directly, therefore simplifying the callers.

Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
-
The error pointer argument in netlink message handlers is used
to signal the special case where processing has to be interrupted
because a dump was started but no error happened. Instead it is
simpler and more clear to return -EINTR and have netlink_run_queue()
deal with getting the queue right.

nfnetlink passed on this error pointer to its subsystem handlers
but only uses it to signal the start of a netlink dump. Therefore
it can be removed there as well.

This patch also cleans up the error handling in the affected
message handlers to be consistent since it had to be touched anyway.

Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
-
Changes netlink_rcv_skb() to skip netlink control messages and not
pass them on to the message handler.

Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
-
netlink_rcv_skb() is changed to skip messages which don't have the
NLM_F_REQUEST bit to avoid every netlink family having to perform this
check on their own.

Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
-
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
-
So that it is also an offset from skb->head, reduces its size from 8 to 4 bytes
on 64bit architectures, allowing us to combine the 4 bytes hole left by the
layer headers conversion, reducing struct sk_buff size to 256 bytes, i.e. 4
64byte cachelines, and since the sk_buff slab cache is SLAB_HWCACHE_ALIGN...
:-)

Many calculations that previously required that skb->{transport,network,
mac}_header be first converted to a pointer now can be done directly, being
meaningful as offsets or pointers.

Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
14 Apr, 2007
1 commit
-
When sending a security context of 50+ characters in an ACQUIRE
message, the following kernel panic occurred.

kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781!
cpu 0x3: Vector: 700 (Program Check) at [c0000000421bb2e0]
pc: c00000000033b074: .xfrm_send_acquire+0x240/0x2c8
lr: c00000000033b014: .xfrm_send_acquire+0x1e0/0x2c8
sp: c0000000421bb560
msr: 8000000000029032
current = 0xc00000000fce8f00
paca = 0xc000000000464b00
pid = 2303, comm = ping
kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781!
enter ? for help
3:mon> t
[c0000000421bb650] c00000000033538c .km_query+0x6c/0xec
[c0000000421bb6f0] c000000000337374 .xfrm_state_find+0x7f4/0xb88
[c0000000421bb7f0] c000000000332350 .xfrm_tmpl_resolve+0xc4/0x21c
[c0000000421bb8d0] c0000000003326e8 .xfrm_lookup+0x1a0/0x5b0
[c0000000421bba00] c0000000002e6ea0 .ip_route_output_flow+0x88/0xb4
[c0000000421bbaa0] c0000000003106d8 .ip4_datagram_connect+0x218/0x374
[c0000000421bbbd0] c00000000031bc00 .inet_dgram_connect+0xac/0xd4
[c0000000421bbc60] c0000000002b11ac .sys_connect+0xd8/0x120
[c0000000421bbd90] c0000000002d38d0 .compat_sys_socketcall+0xdc/0x214
[c0000000421bbe30] c00000000000869c syscall_exit+0x0/0x40
--- Exception: c00 (System Call) at 0000000007f0ca9c
SP (fc0ef8f0) is in userspace

We are using size of security context from xfrm_policy to determine
how much space to alloc skb and then putting security context from
xfrm_state into skb. Should have been using size of security context
from xfrm_state to alloc skb. The following fix does that.

Signed-off-by: Joy Latten
Acked-by: James Morris
Signed-off-by: David S. Miller
23 Mar, 2007
1 commit
-
Turning up the warnings on gcc makes it emit warnings
about the placement of 'inline' in function declarations.
Here's everything that was under net/

Signed-off-by: Dave Jones
Signed-off-by: David S. Miller
08 Mar, 2007
2 commits
-
Inside pfkey_delete and xfrm_del_sa the audit hooks were not called if
there was any permission/security failures in attempting to do the del
operation (such as permission denied from security_xfrm_state_delete).
This patch moves the audit hook to the exit path such that all failures
(and successes) will actually get audited.

Signed-off-by: Eric Paris
Acked-by: Venkat Yekkirala
Acked-by: James Morris
Signed-off-by: David S. Miller
-
The security hooks to check permissions to remove an xfrm_policy were
actually done after the policy was removed. Since the unlinking and
deletion are done in xfrm_policy_by* functions this moves the hooks
inside those 2 functions. There we have all the information needed to
do the security check and it can be done before the deletion. Since
auditing requires the result of that security check err has to be passed
back and forth from the xfrm_policy_by* functions.

This patch also fixes a bug where a deletion that failed the security
check could cause improper accounting on the xfrm_policy
(xfrm_get_policy didn't have a put on the exit path for the hold taken
by xfrm_policy_by*)

It also fixes the return code when no policy is found in
xfrm_add_pol_expire. In old code (at least back in the 2.6.18 days) err
wasn't used before the return when no policy is found and so the
initialization would cause err to be ENOENT. But since err has since
been used above when we don't get a policy back from the xfrm_policy_by*
function we would always return 0 instead of the intended ENOENT. Also
fixed some white space damage in the same area.

Signed-off-by: Eric Paris
Acked-by: Venkat Yekkirala
Acked-by: James Morris
Signed-off-by: David S. Miller
01 Mar, 2007
2 commits
-
Signed-off-by: Patrick McHardy
Acked-by: Paul Moore
Signed-off-by: David S. Miller
-
As noted by Kent Yoder, this function will always return an
error. Make sure it returns zero on success.

Signed-off-by: David S. Miller
13 Feb, 2007
1 commit
-
Make sure that this function is called correctly, and
add BUG() checking to ensure the arguments are sane.

Based upon a patch by Joy Latten.
Signed-off-by: David S. Miller
11 Feb, 2007
1 commit
-
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
09 Feb, 2007
1 commit
-
Add user interface for handling XFRM_MSG_MIGRATE. The message is issued
by a user application. When the kernel receives the message, the procedure of
updating the XFRM databases will take place.

Signed-off-by: Shinta Sugimoto
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
04 Jan, 2007
1 commit
-
All ->doit handlers want a struct rtattr **, so pass down the right
type.

Signed-off-by: Christoph Hellwig
Signed-off-by: David S. Miller
07 Dec, 2006
1 commit
-
An audit message occurs when an ipsec SA
or ipsec policy is created/deleted.

Signed-off-by: Joy Latten
Signed-off-by: James Morris
Signed-off-by: David S. Miller
04 Dec, 2006
1 commit
-
Since we never checked the ->family value of templates
before, many applications simply leave it at zero.
Detect this and fix it up to be the pol->family value.

Also, do not clobber xp->family while reading in templates,
that is not necessary.

Signed-off-by: David S. Miller
03 Dec, 2006
7 commits
-
aevents can not uniquely identify an SA. We break the ABI with this
patch, but consensus is that since it is not yet utilized by any
(known) application then it is fine (better do it now than later).

Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
-
Signed-off-by: Miika Komu
Signed-off-by: Diego Beltrami
Signed-off-by: Kazunori Miyazawa
Signed-off-by: David S. Miller
-
Caught by the EyeBalls(tm) of Thomas Graf
Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
-
Might as well make flush notifier prettier when subpolicy used
Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
-
The destination PID is passed directly to netlink_unicast()
respectively netlink_multicast().

Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
-
Signed-off-by: Arnaldo Carvalho de Melo
-
Make copy_to_user_policy_type take a type instead of a policy and
fix its users to pass the type.

Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
26 Nov, 2006
1 commit
-
When an application uses XFRM_MSG_GETSA to get a state entry through a
netlink socket and the kernel has no matching one, the application expects
a reply message with error status from the kernel.

The kernel doesn't send the message back in the case of Mobile IPv6 route
optimization protocols (i.e. routing header or destination options
header). This is caused by incorrect return code "0" from
net/xfrm/xfrm_user.c(xfrm_user_state_lookup) and it makes the kernel skip
the acknowledgement at net/netlink/af_netlink.c(netlink_rcv_skb).

This patch fixes it to reply ESRCH to the application.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: TAKAMIYA Noriaki
Signed-off-by: David S. Miller
22 Nov, 2006
2 commits
-
I actually don't have a test case for these; I just found them by
inspection. Refer to patch "[XFRM]: Sub-policies broke policy events"
for more info.

Signed-off-by: Jamal Hadi Salim
Acked-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
-
XFRM policy events are broken when sub-policy feature is turned on.
A simple test to verify this:
run ip xfrm mon on one window and add then delete a policy on another
window ..

Signed-off-by: Jamal Hadi Salim
Acked-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
31 Oct, 2006
1 commit
-
Use memcpy() to move xfrm_address_t objects in and out
of netlink messages. The vast majority of xfrm_user was
doing this properly, except for copy_from_user_state()
and copy_to_user_state().

Signed-off-by: David S. Miller
12 Oct, 2006
1 commit
-
Currently when an IPSec policy rule doesn't specify a security
context, it is assumed to be "unlabeled" by SELinux, and so
the IPSec policy rule fails to match to a flow that it would
otherwise match to, unless one has explicitly added an SELinux
policy rule allowing the flow to "polmatch" to the "unlabeled"
IPSec policy rules. In the absence of such an explicitly added
SELinux policy rule, the IPSec policy rule fails to match and
so the packet(s) flow in clear text without the otherwise applicable
xfrm(s) applied.

The above SELinux behavior violates the SELinux security notion of
"deny by default" which should actually translate to "encrypt by
default" in the above case.

This was first reported by Evgeniy Polyakov and the way James Morris
was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.

With this patch applied, SELinux "polmatching" of flows Vs. IPSec
policy rules will only come into play when there's an explicit context
specified for the IPSec policy rule (which also means there's corresponding
SELinux policy allowing appropriate domains/flows to polmatch to this context).

Secondly, when a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return errors other than access denied,
such as -EINVAL. We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.

The solution for this is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.

Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).

This patch: Fix the selinux side of things.
This makes sure SELinux polmatching of flow contexts to IPSec policy
rules comes into play only when an explicit context is associated
with the IPSec policy rule.

Also, this no longer defaults the context of a socket policy to
the context of the socket since the "no explicit context" case
is now handled properly.

Signed-off-by: Venkat Yekkirala
Signed-off-by: James Morris
04 Oct, 2006
1 commit
-
This patch introduces the BEET mode (Bound End-to-End Tunnel) as
specified by the ietf draft at the following link:
http://www.ietf.org/internet-drafts/draft-nikander-esp-beet-mode-06.txt
The patch provides only single family support (i.e. inner family =
outer family).

Signed-off-by: Diego Beltrami
Signed-off-by: Miika Komu
Signed-off-by: Herbert Xu
Signed-off-by: Abhinav Pathak
Signed-off-by: Jeff Ahrenholz
Signed-off-by: David S. Miller
23 Sep, 2006
1 commit
-
Sub policy can be used through netlink socket.
PF_KEY uses main only and it is TODO to support sub.

Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller