Eric Lee / smarc-fsl-linux-kernel

15 Nov, 2020

1 commit

  • 1ba86d436   netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() ... Browse Code »

    Static checking revealed that a previous fix to
    netlbl_unlabel_staticlist() leaves a stack variable uninitialized,
    this patches fixes that.

    Fixes: 866358ec331f ("netlabel: fix our progress tracking in netlbl_unlabel_staticlist()")
    Reported-by: Dan Carpenter
    Signed-off-by: Paul Moore
    Reviewed-by: James Morris
    Link: https://lore.kernel.org/r/160530304068.15651.18355773009751195447.stgit@sifl
    Signed-off-by: Jakub Kicinski

    Paul Moore
     

11 Nov, 2020

1 commit

  • 866358ec3   netlabel: fix our progress tracking in netlbl_unlabel_staticlist() ... Browse Code »

    The current NetLabel code doesn't correctly keep track of the netlink
    dump state in some cases, in particular when multiple interfaces with
    large configurations are loaded. The problem manifests itself by not
    reporting the full configuration to userspace, even though it is
    loaded and active in the kernel. This patch fixes this by ensuring
    that the dump state is properly reset when necessary inside the
    netlbl_unlabel_staticlist() function.

    Fixes: 8cc44579d1bd ("NetLabel: Introduce static network labels for unlabeled connections")
    Signed-off-by: Paul Moore
    Link: https://lore.kernel.org/r/160484450633.3752.16512718263560813473.stgit@sifl
    Signed-off-by: Jakub Kicinski

    Paul Moore
     

03 Oct, 2020

1 commit

09 Sep, 2020

1 commit

  • 8c70b2681   netlabel: Fix some kernel-doc warnings ... Browse Code »

    Fixes the following W=1 kernel build warning(s):

    net/netlabel/netlabel_calipso.c:438: warning: Excess function parameter 'audit_secid' description in 'calipso_doi_remove'
    net/netlabel/netlabel_calipso.c:605: warning: Excess function parameter 'reg' description in 'calipso_req_delattr'

    Reported-by: Hulk Robot
    Signed-off-by: Wang Hai
    Acked-by: Paul Moore
    Signed-off-by: David S. Miller

    Wang Hai
     

05 Sep, 2020

1 commit

  • 44a8c4f33   Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net ... Browse Code »

    We got slightly different patches removing a double word
    in a comment in net/ipv4/raw.c - picked the version from net.

    Simple conflict in drivers/net/ethernet/ibm/ibmvnic.c. Use cached
    values instead of VNIC login response buffer (following what
    commit 507ebe6444a4 ("ibmvnic: Fix use-after-free of VNIC login
    response buffer") did).

    Signed-off-by: Jakub Kicinski

    Jakub Kicinski
     

29 Aug, 2020

1 commit

  • 0f091e433   netlabel: remove unused param from audit_log_format() ... Browse Code »

    Commit d3b990b7f327 ("netlabel: fix problems with mapping removal")
    added a check to return an error if ret_val != 0, before ret_val is
    later used in a log message. Now it will unconditionally print "...
    res=1". So just drop the check.

    Addresses-Coverity: ("Dead code")
    Fixes: d3b990b7f327 ("netlabel: fix problems with mapping removal")
    Signed-off-by: Alex Dewar
    Acked-by: Paul Moore
    Signed-off-by: David S. Miller

    Alex Dewar
     

25 Aug, 2020

1 commit

  • d3b990b7f   netlabel: fix problems with mapping removal ... Browse Code »

    This patch fixes two main problems seen when removing NetLabel
    mappings: memory leaks and potentially extra audit noise.

    The memory leaks are caused by not properly free'ing the mapping's
    address selector struct when free'ing the entire entry as well as
    not properly cleaning up a temporary mapping entry when adding new
    address selectors to an existing entry. This patch fixes both these
    problems such that kmemleak reports no NetLabel associated leaks
    after running the SELinux test suite.

    The potentially extra audit noise was caused by the auditing code in
    netlbl_domhsh_remove_entry() being called regardless of the entry's
    validity. If another thread had already marked the entry as invalid,
    but not removed/free'd it from the list of mappings, then it was
    possible that an additional mapping removal audit record would be
    generated. This patch fixes this by returning early from the removal
    function when the entry was previously marked invalid. This change
    also had the side benefit of improving the code by decreasing the
    indentation level of large chunk of code by one (accounting for most
    of the diffstat).

    Fixes: 63c416887437 ("netlabel: Add network address selectors to the NetLabel/LSM domain mapping")
    Reported-by: Stephen Smalley
    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     

14 Jul, 2020

1 commit

14 Jun, 2020

1 commit

  • a7f7f6248   treewide: replace '---help---' in Kconfig files with 'help' ... Browse Code »

    Since commit 84af7a6194e4 ("checkpatch: kconfig: prefer 'help' over
    '---help---'"), the number of '---help---' has been gradually
    decreasing, but there are still more than 2400 instances.

    This commit finishes the conversion. While I touched the lines,
    I also fixed the indentation.

    There are a variety of indentation styles found.

    a) 4 spaces + '---help---'
    b) 7 spaces + '---help---'
    c) 8 spaces + '---help---'
    d) 1 space + 1 tab + '---help---'
    e) 1 tab + '---help---' (correct indentation)
    f) 1 tab + 1 space + '---help---'
    g) 1 tab + 2 spaces + '---help---'

    In order to convert all of them to 1 tab + 'help', I ran the
    following commend:

    $ find . -name 'Kconfig*' | xargs sed -i 's/^[[:space:]]*---help---/\thelp/'

    Signed-off-by: Masahiro Yamada

    Masahiro Yamada
     

13 May, 2020

1 commit

  • eead1c2ea   netlabel: cope with NULL catmap ... Browse Code »

    The cipso and calipso code can set the MLS_CAT attribute on
    successful parsing, even if the corresponding catmap has
    not been allocated, as per current configuration and external
    input.

    Later, selinux code tries to access the catmap if the MLS_CAT flag
    is present via netlbl_catmap_getlong(). That may cause null ptr
    dereference while processing incoming network traffic.

    Address the issue setting the MLS_CAT flag only if the catmap is
    really allocated. Additionally let netlbl_catmap_getlong() cope
    with NULL catmap.

    Reported-by: Matthew Sheets
    Fixes: 4b8feff251da ("netlabel: fix the horribly broken catmap functions")
    Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
    Signed-off-by: Paolo Abeni
    Acked-by: Paul Moore
    Signed-off-by: David S. Miller

    Paolo Abeni
     

23 Apr, 2020

1 commit

19 Feb, 2020

2 commits

02 Sep, 2019

1 commit

21 May, 2019

2 commits

  • 1ccea77e2   treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 ... Browse Code »

    Based on 2 normalized pattern(s):

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license as published by
    the free software foundation either version 2 of the license or at
    your option any later version this program is distributed in the
    hope that it will be useful but without any warranty without even
    the implied warranty of merchantability or fitness for a particular
    purpose see the gnu general public license for more details you
    should have received a copy of the gnu general public license along
    with this program if not see http www gnu org licenses

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license as published by
    the free software foundation either version 2 of the license or at
    your option any later version this program is distributed in the
    hope that it will be useful but without any warranty without even
    the implied warranty of merchantability or fitness for a particular
    purpose see the gnu general public license for more details [based]
    [from] [clk] [highbank] [c] you should have received a copy of the
    gnu general public license along with this program if not see http
    www gnu org licenses

    extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-or-later

    has been chosen to replace the boilerplate/reference in 355 file(s).

    Signed-off-by: Thomas Gleixner
    Reviewed-by: Kate Stewart
    Reviewed-by: Jilayne Lovejoy
    Reviewed-by: Steve Winslow
    Reviewed-by: Allison Randal
    Cc: linux-spdx@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190519154041.837383322@linutronix.de
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     
  • ec8f24b7f   treewide: Add SPDX license identifier - Makefile/Kconfig ... Browse Code »

    Add SPDX license identifiers to all Make/Kconfig files which:

    - Have no license information of any form

    These files fall under the project license, GPL v2 only. The resulting SPDX
    license identifier is:

    GPL-2.0-only

    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

28 Apr, 2019

3 commits

  • ef6243acb   genetlink: optionally validate strictly/dumps ... Browse Code »

    Add options to strictly validate messages and dump messages,
    sometimes perhaps validating dump messages non-strictly may
    be required, so add an option for that as well.

    Since none of this can really be applied to existing commands,
    set the options everwhere using the following spatch:

    @@
    identifier ops;
    expression X;
    @@
    struct genl_ops ops[] = {
    ...,
    {
    .cmd = X,
    + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
    ...
    },
    ...
    };

    For new commands one should just not copy the .validate 'opt-out'
    flags and thus get strict validation.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • 8cb081746   netlink: make validation more configurable for future strictness ... Browse Code »

    We currently have two levels of strict validation:

    1) liberal (default)
    - undefined (type >= max) & NLA_UNSPEC attributes accepted
    - attribute length >= expected accepted
    - garbage at end of message accepted
    2) strict (opt-in)
    - NLA_UNSPEC attributes accepted
    - attribute length >= expected accepted

    Split out parsing strictness into four different options:
    * TRAILING - check that there's no trailing data after parsing
    attributes (in message or nested)
    * MAXTYPE - reject attrs > max known type
    * UNSPEC - reject attributes with NLA_UNSPEC policy entries
    * STRICT_ATTRS - strictly validate attribute size

    The default for future things should be *everything*.
    The current *_strict() is a combination of TRAILING and MAXTYPE,
    and is renamed to _deprecated_strict().
    The current regular parsing has none of this, and is renamed to
    *_parse_deprecated().

    Additionally it allows us to selectively set one of the new flags
    even on old policies. Notably, the UNSPEC flag could be useful in
    this case, since it can be arranged (by filling in the policy) to
    not be an incompatible userspace ABI change, but would then going
    forward prevent forgetting attribute entries. Similar can apply
    to the POLICY flag.

    We end up with the following renames:
    * nla_parse -> nla_parse_deprecated
    * nla_parse_strict -> nla_parse_deprecated_strict
    * nlmsg_parse -> nlmsg_parse_deprecated
    * nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
    * nla_parse_nested -> nla_parse_nested_deprecated
    * nla_validate_nested -> nla_validate_nested_deprecated

    Using spatch, of course:
    @@
    expression TB, MAX, HEAD, LEN, POL, EXT;
    @@
    -nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
    +nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)

    @@
    expression NLH, HDRLEN, TB, MAX, POL, EXT;
    @@
    -nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
    +nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)

    @@
    expression NLH, HDRLEN, TB, MAX, POL, EXT;
    @@
    -nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
    +nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)

    @@
    expression TB, MAX, NLA, POL, EXT;
    @@
    -nla_parse_nested(TB, MAX, NLA, POL, EXT)
    +nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)

    @@
    expression START, MAX, POL, EXT;
    @@
    -nla_validate_nested(START, MAX, POL, EXT)
    +nla_validate_nested_deprecated(START, MAX, POL, EXT)

    @@
    expression NLH, HDRLEN, MAX, POL, EXT;
    @@
    -nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
    +nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)

    For this patch, don't actually add the strict, non-renamed versions
    yet so that it breaks compile if I get it wrong.

    Also, while at it, make nla_validate and nla_parse go down to a
    common __nla_validate_parse() function to avoid code duplication.

    Ultimately, this allows us to have very strict validation for every
    new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
    next patch, while existing things will continue to work as is.

    In effect then, this adds fully strict validation for any new command.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • ae0be8de9   netlink: make nla_nest_start() add NLA_F_NESTED flag ... Browse Code »

    Even if the NLA_F_NESTED flag was introduced more than 11 years ago, most
    netlink based interfaces (including recently added ones) are still not
    setting it in kernel generated messages. Without the flag, message parsers
    not aware of attribute semantics (e.g. wireshark dissector or libmnl's
    mnl_nlmsg_fprintf()) cannot recognize nested attributes and won't display
    the structure of their contents.

    Unfortunately we cannot just add the flag everywhere as there may be
    userspace applications which check nlattr::nla_type directly rather than
    through a helper masking out the flags. Therefore the patch renames
    nla_nest_start() to nla_nest_start_noflag() and introduces nla_nest_start()
    as a wrapper adding NLA_F_NESTED. The calls which add NLA_F_NESTED manually
    are rewritten to use nla_nest_start().

    Except for changes in include/net/netlink.h, the patch was generated using
    this semantic patch:

    @@ expression E1, E2; @@
    -nla_nest_start(E1, E2)
    +nla_nest_start_noflag(E1, E2)

    @@ expression E1, E2; @@
    -nla_nest_start_noflag(E1, E2 | NLA_F_NESTED)
    +nla_nest_start(E1, E2)

    Signed-off-by: Michal Kubecek
    Acked-by: Jiri Pirko
    Acked-by: David Ahern
    Signed-off-by: David S. Miller

    Michal Kubecek
     

22 Mar, 2019

1 commit

  • 3b0f31f2b   genetlink: make policy common to family ... Browse Code »

    Since maxattr is common, the policy can't really differ sanely,
    so make it common as well.

    The only user that did in fact manage to make a non-common policy
    is taskstats, which has to be really careful about it (since it's
    still using a common maxattr!). This is no longer supported, but
    we can fake it using pre_doit.

    This reduces the size of e.g. nl80211.o (which has lots of commands):

    text data bss dec hex filename
    398745 14323 2240 415308 6564c net/wireless/nl80211.o (before)
    397913 14331 2240 414484 65314 net/wireless/nl80211.o (after)
    --------------------------------
    -832 +8 0 -824

    Which is obviously just 8 bytes for each command, and an added 8
    bytes for the new policy pointer. I'm not sure why the ops list is
    counted as .text though.

    Most of the code transformations were done using the following spatch:
    @ops@
    identifier OPS;
    expression POLICY;
    @@
    struct genl_ops OPS[] = {
    ...,
    {
    - .policy = POLICY,
    },
    ...
    };

    @@
    identifier ops.OPS;
    expression ops.POLICY;
    identifier fam;
    expression M;
    @@
    struct genl_family fam = {
    .ops = OPS,
    .maxattr = M,
    + .policy = POLICY,
    ...
    };

    This also gets rid of devlink_nl_cmd_region_read_dumpit() accessing
    the cb->data as ops, which we want to change in a later genl patch.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     

28 Feb, 2019

1 commit

  • 5578de483   netlabel: fix out-of-bounds memory accesses ... Browse Code »

    There are two array out-of-bounds memory accesses, one in
    cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both
    errors are embarassingly simple, and the fixes are straightforward.

    As a FYI for anyone backporting this patch to kernels prior to v4.8,
    you'll want to apply the netlbl_bitmap_walk() patch to
    cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
    Linux v4.8.

    Reported-by: Jann Horn
    Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
    Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     

22 Sep, 2018

1 commit

  • f88b4c01b   netlabel: check for IPV4MASK in addrinfo_get ... Browse Code »

    netlbl_unlabel_addrinfo_get() assumes that if it finds the
    NLBL_UNLABEL_A_IPV4ADDR attribute, it must also have the
    NLBL_UNLABEL_A_IPV4MASK attribute as well. However, this is
    not necessarily the case as the current checks in
    netlbl_unlabel_staticadd() and friends are not sufficent to
    enforce this.

    If passed a netlink message with NLBL_UNLABEL_A_IPV4ADDR,
    NLBL_UNLABEL_A_IPV6ADDR, and NLBL_UNLABEL_A_IPV6MASK attributes,
    these functions will all call netlbl_unlabel_addrinfo_get() which
    will then attempt dereference NULL when fetching the non-existent
    NLBL_UNLABEL_A_IPV4MASK attribute:

    Unable to handle kernel NULL pointer dereference at virtual address 0
    Process unlab (pid: 31762, stack limit = 0xffffff80502d8000)
    Call trace:
    netlbl_unlabel_addrinfo_get+0x44/0xd8
    netlbl_unlabel_staticremovedef+0x98/0xe0
    genl_rcv_msg+0x354/0x388
    netlink_rcv_skb+0xac/0x118
    genl_rcv+0x34/0x48
    netlink_unicast+0x158/0x1f0
    netlink_sendmsg+0x32c/0x338
    sock_sendmsg+0x44/0x60
    ___sys_sendmsg+0x1d0/0x2a8
    __sys_sendmsg+0x64/0xb4
    SyS_sendmsg+0x34/0x4c
    el0_svc_naked+0x34/0x38
    Code: 51001149 7100113f 540000a0 f9401508 (79400108)
    ---[ end trace f6438a488e737143 ]---
    Kernel panic - not syncing: Fatal exception

    Signed-off-by: Sean Tranchetti

    Signed-off-by: David S. Miller

    Sean Tranchetti
     

19 Jun, 2018

1 commit

15 May, 2018

1 commit

  • cdfb6b341   audit: use inline function to get audit context ... Browse Code »

    Recognizing that the audit context is an internal audit value, use an
    access function to retrieve the audit context pointer for the task
    rather than reaching directly into the task struct to get it.

    Signed-off-by: Richard Guy Briggs
    [PM: merge fuzz in auditsc.c and selinuxfs.c, checkpatch.pl fixes]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

15 Feb, 2018

1 commit

18 Nov, 2017

1 commit

07 Nov, 2017

1 commit

02 Nov, 2017

1 commit

  • b24413180   License cleanup: add SPDX GPL-2.0 license identifier to files with no license ... Browse Code »

    Many source files in the tree are missing licensing information, which
    makes it harder for compliance tools to determine the correct license.

    By default all files without license information are under the default
    license of the kernel, which is GPL version 2.

    Update the files which contain no license information with the 'GPL-2.0'
    SPDX license identifier. The SPDX identifier is a legally binding
    shorthand, which can be used instead of the full boiler plate text.

    This patch is based on work done by Thomas Gleixner and Kate Stewart and
    Philippe Ombredanne.

    How this work was done:

    Patches were generated and checked against linux-4.14-rc6 for a subset of
    the use cases:
    - file had no licensing information it it.
    - file was a */uapi/* one with no licensing information in it,
    - file was a */uapi/* one with existing licensing information,

    Further patches will be generated in subsequent months to fix up cases
    where non-standard license headers were used, and references to license
    had to be inferred by heuristics based on keywords.

    The analysis to determine which SPDX License Identifier to be applied to
    a file was done in a spreadsheet of side by side results from of the
    output of two independent scanners (ScanCode & Windriver) producing SPDX
    tag:value files created by Philippe Ombredanne. Philippe prepared the
    base worksheet, and did an initial spot review of a few 1000 files.

    The 4.13 kernel was the starting point of the analysis with 60,537 files
    assessed. Kate Stewart did a file by file comparison of the scanner
    results in the spreadsheet to determine which SPDX license identifier(s)
    to be applied to the file. She confirmed any determination that was not
    immediately clear with lawyers working with the Linux Foundation.

    Criteria used to select files for SPDX license identifier tagging was:
    - Files considered eligible had to be source code files.
    - Make and config files were included as candidates if they contained >5
    lines of source
    - File already had some variant of a license header in it (even if
    Reviewed-by: Philippe Ombredanne
    Reviewed-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     

25 Oct, 2017

1 commit

  • 6aa7de059   locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to … ... Browse Code »

    …READ_ONCE()/WRITE_ONCE()

    Please do not apply this to mainline directly, instead please re-run the
    coccinelle script shown below and apply its output.

    For several reasons, it is desirable to use {READ,WRITE}_ONCE() in
    preference to ACCESS_ONCE(), and new code is expected to use one of the
    former. So far, there's been no reason to change most existing uses of
    ACCESS_ONCE(), as these aren't harmful, and changing them results in
    churn.

    However, for some features, the read/write distinction is critical to
    correct operation. To distinguish these cases, separate read/write
    accessors must be used. This patch migrates (most) remaining
    ACCESS_ONCE() instances to {READ,WRITE}_ONCE(), using the following
    coccinelle script:

    ----
    // Convert trivial ACCESS_ONCE() uses to equivalent READ_ONCE() and
    // WRITE_ONCE()

    // $ make coccicheck COCCI=/home/mark/once.cocci SPFLAGS="--include-headers" MODE=patch

    virtual patch

    @ depends on patch @
    expression E1, E2;
    @@

    - ACCESS_ONCE(E1) = E2
    + WRITE_ONCE(E1, E2)

    @ depends on patch @
    expression E;
    @@

    - ACCESS_ONCE(E)
    + READ_ONCE(E)
    ----

    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: davem@davemloft.net
    Cc: linux-arch@vger.kernel.org
    Cc: mpe@ellerman.id.au
    Cc: shuah@kernel.org
    Cc: snitzer@redhat.com
    Cc: thor.thayer@linux.intel.com
    Cc: tj@kernel.org
    Cc: viro@zeniv.linux.org.uk
    Cc: will.deacon@arm.com
    Link: http://lkml.kernel.org/r/1508792849-3115-19-git-send-email-paulmck@linux.vnet.ibm.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

    Mark Rutland
     

14 Apr, 2017

1 commit

07 Jan, 2017

1 commit

28 Oct, 2016

3 commits

  • 56989f6d8   genetlink: mark families as __ro_after_init ... Browse Code »

    Now genl_register_family() is the only thing (other than the
    users themselves, perhaps, but I didn't find any doing that)
    writing to the family struct.

    In all families that I found, genl_register_family() is only
    called from __init functions (some indirectly, in which case
    I've add __init annotations to clarifly things), so all can
    actually be marked __ro_after_init.

    This protects the data structure from accidental corruption.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • 489111e5c   genetlink: statically initialize families ... Browse Code »

    Instead of providing macros/inline functions to initialize
    the families, make all users initialize them statically and
    get rid of the macros.

    This reduces the kernel code size by about 1.6k on x86-64
    (with allyesconfig).

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     
  • a07ea4d99   genetlink: no longer support using static family IDs ... Browse Code »

    Static family IDs have never really been used, the only
    use case was the workaround I introduced for those users
    that assumed their family ID was also their multicast
    group ID.

    Additionally, because static family IDs would never be
    reserved by the generic netlink code, using a relatively
    low ID would only work for built-in families that can be
    registered immediately after generic netlink is started,
    which is basically only the control family (apart from
    the workaround code, which I also had to add code for so
    it would reserve those IDs)

    Thus, anything other than GENL_ID_GENERATE is flawed and
    luckily not used except in the cases I mentioned. Move
    those workarounds into a few lines of code, and then get
    rid of GENL_ID_GENERATE entirely, making it more robust.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

    Johannes Berg
     

28 Jun, 2016

6 commits

  • 3f09354ac   netlabel: Implement CALIPSO config functions for SMACK. ... Browse Code »

    SMACK uses similar functions to control CIPSO, these are
    the equivalent functions for CALIPSO and follow exactly
    the same semantics.

    int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
    struct netlbl_audit *audit_info)
    Adds a CALIPSO doi.

    void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info)
    Removes a CALIPSO doi.

    int netlbl_cfg_calipso_map_add(u32 doi, const char *domain,
    const struct in6_addr *addr,
    const struct in6_addr *mask,
    struct netlbl_audit *audit_info)
    Creates a mapping between a domain and a CALIPSO doi. If
    addr and mask are non-NULL this creates an address-selector
    type mapping.

    This also extends netlbl_cfg_map_del() to remove IPv6 address-selector
    mappings.

    Signed-off-by: Huw Davies
    Signed-off-by: Paul Moore

    Huw Davies
     
  • 4fee5242b   calipso: Add a label cache. ... Browse Code »

    This works in exactly the same way as the CIPSO label cache.
    The idea is to allow the lsm to cache the result of a secattr
    lookup so that it doesn't need to perform the lookup for
    every skbuff.

    It introduces two sysctl controls:
    calipso_cache_enable - enables/disables the cache.
    calipso_cache_bucket_size - sets the size of a cache bucket.

    Signed-off-by: Huw Davies
    Signed-off-by: Paul Moore

    Huw Davies
     
  • a04e71f63   netlabel: Pass a family parameter to netlbl_skbuff_err(). ... Browse Code »

    This makes it possible to route the error to the appropriate
    labelling engine. CALIPSO is far less verbose than CIPSO
    when encountering a bogus packet, so there is no need for a
    CALIPSO error handler.

    Signed-off-by: Huw Davies
    Signed-off-by: Paul Moore

    Huw Davies
     
  • 2917f57b6   calipso: Allow the lsm to label the skbuff directly. ... Browse Code »

    In some cases, the lsm needs to add the label to the skbuff directly.
    A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4
    behaviour. This allows selinux to label the skbuffs that it requires.

    Signed-off-by: Huw Davies
    Signed-off-by: Paul Moore

    Huw Davies
     
  • e1adea927   calipso: Allow request sockets to be relabelled by the lsm. ... Browse Code »

    Request sockets need to have a label that takes into account the
    incoming connection as well as their parent's label. This is used
    for the outgoing SYN-ACK and for their child full-socket.

    Signed-off-by: Huw Davies
    Signed-off-by: Paul Moore

    Huw Davies
     
  • ceba1832b   calipso: Set the calipso socket label to match the secattr. ... Browse Code »

    CALIPSO is a hop-by-hop IPv6 option. A lot of this patch is based on
    the equivalent CISPO code. The main difference is due to manipulating
    the options in the hop-by-hop header.

    Signed-off-by: Huw Davies
    Signed-off-by: Paul Moore

    Huw Davies