22 May, 2009
1 commit
-
Use genl_register_family_with_ops() instead of a copy. This fixes genetlink
family leak on error path.Signed-off-by: Michał Mirosław
Signed-off-by: David S. Miller
22 Nov, 2008
1 commit
-
Remove redundant argument comments in files of net/*
Signed-off-by: Qinghuang Feng
Signed-off-by: David S. Miller
30 Oct, 2008
1 commit
-
Fix the compiler warnings below, thanks to Andrew Morton for finding them.
net/netlabel/netlabel_mgmt.c: In function `netlbl_mgmt_listentry':
net/netlabel/netlabel_mgmt.c:268: warning: 'ret_val' might be used
uninitialized in this functionSigned-off-by: Paul Moore
10 Oct, 2008
2 commits
-
This patch extends the NetLabel traffic labeling capabilities to individual
packets based not only on the LSM domain but the by the destination address
as well. The changes here only affect the core NetLabel infrastructre,
changes to the NetLabel KAPI and individial protocol engines are also
required but are split out into a different patch to ease review.Signed-off-by: Paul Moore
Reviewed-by: James Morris -
NetLabel has always had a list of backpointers in the CIPSO DOI definition
structure which pointed to the NetLabel LSM domain mapping structures which
referenced the CIPSO DOI struct. The rationale for this was that when an
administrator removed a CIPSO DOI from the system all of the associated
NetLabel LSM domain mappings should be removed as well; a list of
backpointers made this a simple operation.Unfortunately, while the backpointers did make the removal easier they were
a bit of a mess from an implementation point of view which was making
further development difficult. Since the removal of a CIPSO DOI is a
realtively rare event it seems to make sense to remove this backpointer
list as the optimization was hurting us more then it was helping. However,
we still need to be able to track when a CIPSO DOI definition is being used
so replace the backpointer list with a reference count. In order to
preserve the current functionality of removing the associated LSM domain
mappings when a CIPSO DOI is removed we walk the LSM domain mapping table,
removing the relevant entries.Signed-off-by: Paul Moore
Reviewed-by: James Morris
11 Jul, 2008
1 commit
-
So, no need to kfree_skb here on the error path. In this case we can
simply return.Signed-off-by: Denis V. Lunev
Acked-by: Paul Moore
Signed-off-by: David S. Miller
18 Feb, 2008
2 commits
-
Everything that is called from netlbl_init() can be marked with
__init. This moves 620 bytes from .text section to .text.init one.Signed-off-by: Pavel Emelyanov
Acked-by: Paul Moore
Signed-off-by: David S. Miller -
Turning them to array and registration in a loop saves
80 lines of code and ~300 bytes from text section.Signed-off-by: Pavel Emelyanov
Acked-by: Paul Moore
Signed-off-by: David S. Miller
30 Jan, 2008
1 commit
-
This patch removes some unneeded RCU read locks as we can treat the reads as
"safe" even without RCU. It also converts the NetLabel configuration refcount
from a spinlock protected u32 into atomic_t to be more consistent with the rest
of the kernel.Signed-off-by: Paul Moore
Signed-off-by: James Morris
21 Dec, 2007
1 commit
-
Signed-off-by: Joe Perches
Signed-off-by: David S. Miller
26 Oct, 2007
1 commit
-
This fixes some awkward, and perhaps even problematic, RCU lock usage in the
NetLabel code as well as some other related trivial cleanups found when
looking through the RCU locking. Most of the changes involve removing the
redundant RCU read locks wrapping spinlocks in the case of a RCU writer.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller
19 Jul, 2007
1 commit
-
Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the
current runtime status of NetLabel based on the existing configuration. LSMs
that make use of NetLabel, i.e. SELinux, can use this new function to determine
if they should perform NetLabel access checks. This patch changes the
NetLabel/SELinux glue code such that SELinux only enforces NetLabel related
access checks when netlbl_enabled() returns true.At present NetLabel is considered to be enabled when there is at least one
labeled protocol configuration present. The result is that by default NetLabel
is considered to be disabled, however, as soon as an administrator configured
a CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing
NetLabel related access controls - including unlabeled packet controls.This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL"
blocks into a single block to ease future review as recommended by Linus.Signed-off-by: Paul Moore
Signed-off-by: James Morris
08 Jun, 2007
1 commit
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
03 Dec, 2006
3 commits
-
By modyfing genlmsg_put() to take a genl_family and by adding
genlmsg_put_reply() the process of constructing the netlink
and generic netlink headers is simplified.Signed-off-by: Thomas Graf
Acked-by: Paul Moore
Signed-off-by: David S. Miller -
A generic netlink user has no interest in knowing how to
address the source of the original request.Signed-off-by: Thomas Graf
Acked-by: Paul Moore
Signed-off-by: David S. Miller -
Account for the netlink message header size directly in nlmsg_new()
instead of relying on the caller calculate it correctly.Replaces error handling of message construction functions when
constructing notifications with bug traps since a failure implies
a bug in calculating the size of the skb.Signed-off-by: Thomas Graf
Acked-by: Paul Moore
Signed-off-by: David S. Miller
30 Sep, 2006
1 commit
-
Fix some issues Steve Grubb had with the way NetLabel was using the audit
subsystem. This should make NetLabel more consistent with other kernel
generated audit messages specifying configuration changes.Signed-off-by: Paul Moore
Acked-by: Steve Grubb
Signed-off-by: David S. Miller
29 Sep, 2006
1 commit
-
This patch adds audit support to NetLabel, including six new audit message
types shown below.#define AUDIT_MAC_UNLBL_ACCEPT 1406
#define AUDIT_MAC_UNLBL_DENY 1407
#define AUDIT_MAC_CIPSOV4_ADD 1408
#define AUDIT_MAC_CIPSOV4_DEL 1409
#define AUDIT_MAC_MAP_ADD 1410
#define AUDIT_MAC_MAP_DEL 1411Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller
26 Sep, 2006
1 commit
-
At the suggestion of Thomas Graf, rewrite NetLabel's use of Netlink attributes
to better follow the common Netlink attribute usage.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller
23 Sep, 2006
1 commit
-
Add a new kernel subsystem, NetLabel, to provide explicit packet
labeling services (CIPSO, RIPSO, etc.) to LSM developers. NetLabel is
designed to work in conjunction with a LSM to intercept and decode
security labels on incoming network packets as well as ensure that
outgoing network packets are labeled according to the security
mechanism employed by the LSM. The NetLabel subsystem is configured
through a Generic NETLINK interface described in the header files
included in this patch.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller