03 Dec, 2006
4 commits
-
The original NetLabel category bitmap was a straight char bitmap which worked
fine for the initial release as it only supported 240 bits due to limitations
in the CIPSO restricted bitmap tag (tag type 0x01). This patch converts that
straight char bitmap into an extensibile/sparse bitmap in order to lay the
foundation for other CIPSO tag types and protocols.This patch also has a nice side effect in that all of the security attributes
passed by NetLabel into the LSM are now in a format which is in the host's
native byte/bit ordering which makes the LSM specific code much simpler; look
at the changes in security/selinux/ss/ebitmap.c as an example.Signed-off-by: Paul Moore
Signed-off-by: James Morris -
The existing netlbl_lsm_secattr struct required the LSM to check all of the
fields to determine if any security attributes were present resulting in a lot
of work in the common case of no attributes. This patch adds a 'flags' field
which is used to indicate which attributes are present in the structure; this
should allow the LSM to do a quick comparison to determine if the structure
holds any security attributes.Example:
if (netlbl_lsm_secattr->flags)
/* security attributes present */
else
/* NO security attributes present */Signed-off-by: Paul Moore
Signed-off-by: James Morris -
The netlbl_secattr_init() function would always return 0 making it pointless
to have a return value. This patch changes the function to return void.Signed-off-by: Paul Moore
Signed-off-by: James Morris -
There were a few places in the NetLabel code where the int type was being used
instead of the gfp_t type, this patch corrects this mistake.Signed-off-by: Paul Moore
Signed-off-by: James Morris
16 Oct, 2006
1 commit
-
Signed-off-by: Al Viro
Signed-off-by: Linus Torvalds
12 Oct, 2006
1 commit
-
Testing revealed a problem with the NetLabel cache where a cached entry could
be freed while in use by the LSM layer causing an oops and other problems.
This patch fixes that problem by introducing a reference counter to the cache
entry so that it is only freed when it is no longer in use.Signed-off-by: Paul Moore
Signed-off-by: James Morris
30 Sep, 2006
1 commit
-
Fix some issues Steve Grubb had with the way NetLabel was using the audit
subsystem. This should make NetLabel more consistent with other kernel
generated audit messages specifying configuration changes.Signed-off-by: Paul Moore
Acked-by: Steve Grubb
Signed-off-by: David S. Miller
29 Sep, 2006
1 commit
-
This patch adds audit support to NetLabel, including six new audit message
types shown below.#define AUDIT_MAC_UNLBL_ACCEPT 1406
#define AUDIT_MAC_UNLBL_DENY 1407
#define AUDIT_MAC_CIPSOV4_ADD 1408
#define AUDIT_MAC_CIPSOV4_DEL 1409
#define AUDIT_MAC_MAP_ADD 1410
#define AUDIT_MAC_MAP_DEL 1411Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller
26 Sep, 2006
2 commits
-
At the suggestion of Thomas Graf, rewrite NetLabel's use of Netlink attributes
to better follow the common Netlink attribute usage.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
Fix a problem where NetLabel would always set the value of
sk_security_struct->peer_sid in selinux_netlbl_sock_graft() to the context of
the socket, causing problems when users would query the context of the
connection. This patch fixes this so that the value in
sk_security_struct->peer_sid is only set when the connection is NetLabel based,
otherwise the value is untouched.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller
25 Sep, 2006
1 commit
-
Signed-off-by: Al Viro
Signed-off-by: Linus Torvalds
23 Sep, 2006
2 commits
-
Add some missing include files to the NetLabel related header files.
Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
Changes to the core network stack to support the NetLabel subsystem. This
includes changes to the IPv4 option handling to support CIPSO labels.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller