21 Oct, 2010

1 commit

  • Right now secmark has lots of direct selinux calls. Use all LSM calls and
    remove all SELinux specific knowledge. The only SELinux specific knowledge
    we leave is the mode. The only point is to make sure that other LSMs at
    least test this generic code before they assume it works. (They may also
    have to make changes if they do not represent labels as strings)

    Signed-off-by: Eric Paris
    Acked-by: Paul Moore
    Acked-by: Patrick McHardy
    Signed-off-by: James Morris

    Eric Paris
     

15 Sep, 2009

1 commit

  • Without this patch building a kernel emits millions of warnings like:

    include/linux/selinux.h:92: warning: ‘selinux_is_enabled’ defined but not used

    When it is built without CONFIG_SECURITY_SELINUX. This is harmless, but
    the function should be inlined, so it gets compiled out.

    Reported-by: Linus Torvalds
    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     

14 Sep, 2009

1 commit


19 Apr, 2008

2 commits

  • Setup the new Audit LSM hooks for SELinux.
    Remove the now redundant exported SELinux Audit interface.

    Audit: Export 'audit_krule' and 'audit_field' to the public
    since their internals are needed by the implementation of the
    new LSM hook 'audit_rule_known'.

    Signed-off-by: Casey Schaufler
    Signed-off-by: Ahmed S. Darwish
    Acked-by: James Morris

    Ahmed S. Darwish
     
  • Remove the following exported SELinux interfaces:
    selinux_get_inode_sid(inode, sid)
    selinux_get_ipc_sid(ipcp, sid)
    selinux_get_task_sid(tsk, sid)
    selinux_sid_to_string(sid, ctx, len)

    They can be substituted with the following generic equivalents
    respectively:
    new LSM hook, inode_getsecid(inode, secid)
    new LSM hook, ipc_getsecid*(ipcp, secid)
    LSM hook, task_getsecid(tsk, secid)
    LSM hook, sid_to_secctx(sid, ctx, len)

    Signed-off-by: Casey Schaufler
    Signed-off-by: Ahmed S. Darwish
    Acked-by: James Morris
    Reviewed-by: Paul Moore

    Ahmed S. Darwish
     

30 Jan, 2008

1 commit

  • This patch introduces a mechanism for checking when labeled IPsec or SECMARK
    are in use by introducing a configuration reference counter for each
    subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry
    is created the labeled IPsec/XFRM reference count is increased and when the
    entry is removed it is decreased. In the case of SECMARK, when a SECMARK
    target is created the reference count is increased and later decreased when the
    target is removed. These reference counters allow SELinux to quickly determine
    if either of these subsystems is enabled.

    NetLabel already has a similar mechanism which provides the netlbl_enabled()
    function.

    This patch also renames the selinux_relabel_packet_permission() function to
    selinux_secmark_relabel_packet_permission() as the original name and
    description were misleading in that they referenced a single packet label which
    is not the case.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     

17 Nov, 2007

1 commit

  • ENOTSUPP is not a valid error code in the kernel (it is defined in some
    NFS internal error codes and has been improperly used other places). In
    the !CONFIG_SECURITY_SELINUX case though it is possible that we could
    return this from selinux_audit_rule_init(). This patch just returns the
    userspace valid EOPNOTSUPP.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     

26 Sep, 2006

3 commits


18 Jun, 2006

1 commit


01 May, 2006

4 commits

  • The below patch should be applied after the inode and ipc sid patches.
    This patch is a reworking of Tim's patch that has been updated to match
    the inode and ipc patches since it's similar.

    [updated:
    > Stephen Smalley also wanted to change a variable from isec to tsec in the
    > user sid patch. ]

    Signed-off-by: Steve Grubb
    Signed-off-by: Al Viro

    Steve Grubb
     
  • Hi,

    The patch below converts IPC auditing to collect sids and convert to context
    string only if it needs to output an audit record. This patch depends on the
    inode audit change patch already being applied.

    Signed-off-by: Steve Grubb

    Signed-off-by: Al Viro

    Steve Grubb
     
  • Previously, we were gathering the context instead of the sid. Now in this patch,
    we gather just the sid and convert to context only if an audit event is being
    output.

    This patch brings the performance hit from 146% down to 23%.

    Signed-off-by: Al Viro

    Steve Grubb
     
  • The following patch provides selinux interfaces that will allow the audit
    system to perform filtering based on the process context (user, role, type,
    sensitivity, and clearance). These interfaces will allow the selinux
    module to perform efficient matches based on lower level selinux constructs,
    rather than relying on context retrievals and string comparisons within
    the audit module. It also allows for dominance checks on the mls portion
    of the contexts that are impossible with only string comparisons.

    Signed-off-by: Darrel Goeddel
    Signed-off-by: Al Viro

    Darrel Goeddel