06 Dec, 2009
1 commit
-
Conflicts:
drivers/net/pcmcia/fmvj18x_cs.c
drivers/net/pcmcia/nmclan_cs.c
drivers/net/pcmcia/xirc2ps_cs.c
drivers/net/wireless/ray_cs.c
10 Nov, 2009
1 commit
-
For SELinux to do better filtering in userspace we send the name of the
module along with the AVC denial when a program is denied module_request.Example output:
type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=systemSigned-off-by: Eric Paris
Signed-off-by: James Morris
19 Oct, 2009
1 commit
-
In order to have better cache layouts of struct sock (separate zones
for rx/tx paths), we need this preliminary patch.Goal is to transfert fields used at lookup time in the first
read-mostly cache line (inside struct sock_common) and move sk_refcnt
to a separate cache line (only written by rx path)This patch adds inet_ prefix to daddr, rcv_saddr, dport, num, saddr,
sport and id fields. This allows a future patch to define these
fields as macros, like sk_refcnt, without name clashes.Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
24 Sep, 2009
1 commit
-
Currently the audit subsystem prints uncompressed IPv6 addresses which not
only differs from common usage but also results in ridiculously large audit
strings which is not a good thing. This patch fixes this by simply converting
audit to always print compressed IPv6 addresses.Old message example:
audit(1253576792.161:30): avc: denied { ingress } for
saddr=0000:0000:0000:0000:0000:0000:0000:0001 src=5000
daddr=0000:0000:0000:0000:0000:0000:0000:0001 dest=35502 netif=lo
scontext=system_u:object_r:unlabeled_t:s15:c0.c1023
tcontext=system_u:object_r:lo_netif_t:s0-s15:c0.c1023 tclass=netifNew message example:
audit(1253576792.161:30): avc: denied { ingress } for
saddr=::1 src=5000 daddr=::1 dest=35502 netif=lo
scontext=system_u:object_r:unlabeled_t:s15:c0.c1023
tcontext=system_u:object_r:lo_netif_t:s0-s15:c0.c1023 tclass=netifSigned-off-by: Paul Moore
Signed-off-by: Eric Paris
Signed-off-by: Al Viro
17 Aug, 2009
1 commit
-
Convert avc_audit in security/selinux/avc.c to use lsm_audit.h,
for better maintainability.- changed selinux to use common_audit_data instead of
avc_audit_data
- eliminated code in avc.c and used code from lsm_audit.h instead.Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit
can call common_lsm_audit and do the pre and post callbacks without
doing the actual dump. This makes it so that the patched version
behaves the same way as the unpatched version.Also added a denied field to the selinux_audit_data private space,
once again to make it so that the patched version behaves like the
unpatched.I've tested and confirmed that AVCs look the same before and after
this patch.Signed-off-by: Thomas Liu
Acked-by: Stephen Smalley
Signed-off-by: James Morris
14 Apr, 2009
1 commit
-
This patch creates auditing functions usable by LSM to audit security
events. It provides standard dumping of FS, NET, task etc ... events
(code borrowed from SELinux)
and provides 2 callbacks to define LSM specific auditing, which should be
flexible enough to convert SELinux too.Signed-off-by: Etienne Basset
Acked-by: Casey Schaufler
cked-by: Eric Paris
Signed-off-by: James Morris
