09 Jun, 2007

2 commits

  • IPv4 options are not very well aligned within the packet and the
    format of a CIPSO option is even worse. The result is that the CIPSO
    engine in the kernel does a few unaligned accesses when parsing and
    validating incoming packets with CIPSO options attached which generate
    error messages on certain alignment sensitive platforms. This patch
    fixes this by marking these unaligned accesses with the
    get_unaligned() macro.

    Signed-off-by: Paul Moore
    Acked-by: James Morris
    Signed-off-by: David S. Miller

    Paul Moore
     
  • The current NetLabel code has some redundant APIs which allow both
    "struct socket" and "struct sock" types to be used; this may have made
    sense at some point but it is wasteful now. Remove the functions that
    operate on sockets and convert the callers. Not only does this make
    the code smaller and more consistent but it pushes the locking burden
    up to the caller which can be more intelligent about the locks. Also,
    perform the same conversion (socket to sock) on the SELinux/NetLabel
    glue code where it makes sense.

    Signed-off-by: Paul Moore
    Acked-by: James Morris
    Signed-off-by: David S. Miller

    Paul Moore
     

09 May, 2007

1 commit


28 Apr, 2007

1 commit

  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
    selinux: preserve boolean values across policy reloads
    selinux: change numbering of boolean directory inodes in selinuxfs
    selinux: remove unused enumeration constant from selinuxfs
    selinux: explicitly number all selinuxfs inodes
    selinux: export initial SID contexts via selinuxfs
    selinux: remove userland security class and permission definitions
    SELinux: move security_skb_extlbl_sid() out of the security server
    MAINTAINERS: update selinux entry
    SELinux: rename selinux_netlabel.h to netlabel.h
    SELinux: extract the NetLabel SELinux support from the security server
    NetLabel: convert a BUG_ON in the CIPSO code to a runtime check
    NetLabel: cleanup and document CIPSO constants

    Linus Torvalds
     

26 Apr, 2007

4 commits


13 Mar, 2007

1 commit

  • Commit 484b366932be0b73a22c74a82748ca10a721643e added support for the CIPSO
    ranged categories tag. However, it appears that I made a mistake when rebasing
    the patch to the latest upstream sources for submission and dropped the part
    of the patch that actually parses the tag on incoming packets. This patch
    fixes this mistake by adding the required function call to the
    cipso_v4_skbuff_getattr() function.

    I've run this patch over the weekend and have not noticed any problems.

    Signed-off-by: Paul Moore
    Acked-by: James Morris
    Signed-off-by: David S. Miller

    Paul Moore
     

03 Mar, 2007

1 commit

  • The current CIPSO engine has a problem where it does not verify that
    the given sensitivity level has a valid CIPSO mapping when the "std"
    CIPSO DOI type is used. The end result is that bad packets are sent
    on the wire which should have never been sent in the first place.
    This patch corrects this problem by verifying the sensitivity level
    mapping similar to what is done with the category mapping. This patch
    also changes the returned error code in this case to -EPERM to better
    match what the category mapping verification code returns.

    Signed-off-by: Paul Moore
    Acked-by: James Morris
    Signed-off-by: David S. Miller

    Paul Moore
     

03 Dec, 2006

12 commits

  • Add support for the ranged tag (tag type #5) to the CIPSOv4 protocol.

    The ranged tag allows for seven, or eight if zero is the lowest category,
    category ranges to be specified in a CIPSO option. Each range is specified by
    two unsigned 16 bit fields, each with a maximum value of 65534. The two values
    specify the start and end of the category range; if the start of the category
    range is zero then it is omitted.

    See Documentation/netlabel/draft-ietf-cipso-ipsecurity-01.txt for more details.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Add support for the enumerated tag (tag type #2) to the CIPSOv4 protocol.

    The enumerated tag allows for 15 categories to be specified in a CIPSO option,
    where each category is an unsigned 16 bit field with a maximum value of 65534.

    See Documentation/netlabel/draft-ietf-cipso-ipsecurity-01.txt for more details.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
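As an added illustration (not code from these commits or from the kernel tree), the following userspace C parser reads a CIPSO IPv4 option carrying the ranged (tag type 5) or enumerated (tag type 2) categories tag described in the two commit messages above. It assumes the layouts from the CIPSO draft referenced there: a four-byte tag header (type, length, zero alignment octet, sensitivity level) followed by big-endian 16-bit category fields, with each range given as a high category followed by a low category and a final low category of zero permitted to be omitted; the high-first ordering, the struct and function names, and the hypothetical 40-byte option limit are assumptions made here. Fields are assembled byte by byte, which sidesteps the unaligned 16-bit loads that the later get_unaligned() fix in the kernel had to mark. The sample options are constructed, not captured traffic.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CIPSO_OPT_TYPE    134   /* IPOPT_CIPSO */
#define CIPSO_TAG_ENUM    2     /* enumerated categories tag */
#define CIPSO_TAG_RANGE   5     /* ranged categories tag */
#define CIPSO_CAT_MAX     65534 /* largest category value allowed by the draft */
#define CIPSO_TAG_LEN_MAX 34    /* 4 byte tag header + 30 bytes of category fields */

struct cipso_attr {          /* hypothetical host-order result, like a netlbl secattr */
    uint32_t doi;
    uint8_t  level;
    uint64_t cats[1024];     /* one bit per category 0..65535 */
};

/* Assemble big-endian fields byte by byte: no unaligned loads, no get_unaligned() needed. */
static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static int cat_set(struct cipso_attr *a, unsigned cat)
{
    if (cat > CIPSO_CAT_MAX)
        return -1;
    a->cats[cat / 64] |= (uint64_t)1 << (cat % 64);
    return 0;
}

int cipso_cat_test(const struct cipso_attr *a, unsigned cat)
{
    return cat <= CIPSO_CAT_MAX && ((a->cats[cat / 64] >> (cat % 64)) & 1);
}

/* Tag type 2: [type][len][0][level] then up to 15 big-endian 16-bit categories. */
static int parse_tag_enum(const uint8_t *tag, unsigned len, struct cipso_attr *a)
{
    unsigned i, payload = len - 4;

    if (payload % 2)
        return -1;
    a->level = tag[3];
    for (i = 0; i < payload; i += 2)
        if (cat_set(a, rd_be16(&tag[4 + i])) < 0)
            return -1;
    return 0;
}

/* Tag type 5: [type][len][0][level] then [high16][low16] pairs; a final low of 0 may be omitted. */
static int parse_tag_range(const uint8_t *tag, unsigned len, struct cipso_attr *a)
{
    unsigned i, c, payload = len - 4;

    if (payload % 2)
        return -1;
    a->level = tag[3];
    for (i = 0; i < payload; i += 4) {
        unsigned high = rd_be16(&tag[4 + i]);
        unsigned low = (i + 4 <= payload) ? rd_be16(&tag[6 + i]) : 0;

        if (high > CIPSO_CAT_MAX || low > high)   /* reject inverted or oversized ranges */
            return -1;
        for (c = low; c <= high; c++)
            cat_set(a, c);
    }
    return 0;
}

/* Validate and parse one option: [134][len][DOI32][tag]... Returns 0, or -1 if malformed. */
int cipso_parse_option(const uint8_t *opt, unsigned optlen, struct cipso_attr *a)
{
    unsigned pos = 6;

    if (optlen < 6 || optlen > 40 || opt[0] != CIPSO_OPT_TYPE || opt[1] != optlen)
        return -1;
    memset(a, 0, sizeof(*a));
    a->doi = rd_be32(&opt[2]);
    if (a->doi == 0)
        return -1;
    while (pos < optlen) {
        unsigned tlen;

        if (optlen - pos < 4)                     /* tag header must fit */
            return -1;
        tlen = opt[pos + 1];
        if (tlen < 4 || tlen > CIPSO_TAG_LEN_MAX || tlen > optlen - pos)
            return -1;
        if (opt[pos + 2] != 0)                    /* alignment octet must be zero */
            return -1;
        switch (opt[pos]) {
        case CIPSO_TAG_ENUM:  if (parse_tag_enum(opt + pos, tlen, a) < 0) return -1; break;
        case CIPSO_TAG_RANGE: if (parse_tag_range(opt + pos, tlen, a) < 0) return -1; break;
        default: return -1;                       /* tag types 1, 6 and 7 are not handled here */
        }
        pos += tlen;
    }
    return 0;
}

/* One-call helpers: -1 if the option is malformed, otherwise the level / category bit. */
int cipso_option_level(const uint8_t *opt, unsigned optlen)
{
    struct cipso_attr a;
    return cipso_parse_option(opt, optlen, &a) < 0 ? -1 : a.level;
}
int cipso_option_has_cat(const uint8_t *opt, unsigned optlen, unsigned cat)
{
    struct cipso_attr a;
    return cipso_parse_option(opt, optlen, &a) < 0 ? -1 : cipso_cat_test(&a, cat);
}

/* Constructed sample options (not captured traffic): DOI 1, level 3. */
static const uint8_t sample_ranged[] = { 134, 16, 0, 0, 0, 1, 5, 10, 0, 3,
                                         0, 12, 0, 10,  /* range 10..12, high first */
                                         0, 2 };        /* range 0..2, low omitted */
static const uint8_t sample_enum[] = { 134, 14, 0, 0, 0, 1, 2, 8, 0, 3,
                                       0, 5, 1, 0 };    /* categories 5 and 256 */
static const uint8_t sample_bad[] = { 134, 14, 0, 0, 0, 1, 5, 8, 0, 3,
                                      0, 10, 0, 12 };   /* low 12 > high 10: rejected */

int main(void)
{
    printf("ranged: level %d cat11 %d cat13 %d\n", cipso_option_level(sample_ranged, sizeof sample_ranged),
           cipso_option_has_cat(sample_ranged, sizeof sample_ranged, 11),
           cipso_option_has_cat(sample_ranged, sizeof sample_ranged, 13));
    printf("enum cat256 %d, bad option %d\n", cipso_option_has_cat(sample_enum, sizeof sample_enum, 256),
           cipso_option_level(sample_bad, sizeof sample_bad));
    return 0;
}
```

The length checks on the tag header and on each tag's declared length are the part worth copying: every field read is bounded by the option length first, so a truncated or inverted range tag is rejected before it can expand into the category bitmap.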
  • The original NetLabel category bitmap was a straight char bitmap which worked
    fine for the initial release as it only supported 240 bits due to limitations
    in the CIPSO restricted bitmap tag (tag type 0x01). This patch converts that
    straight char bitmap into an extensible/sparse bitmap in order to lay the
    foundation for other CIPSO tag types and protocols.

    This patch also has a nice side effect in that all of the security attributes
    passed by NetLabel into the LSM are now in a format which is in the host's
    native byte/bit ordering which makes the LSM specific code much simpler; look
    at the changes in security/selinux/ss/ebitmap.c as an example.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Signed-off-by: Al Viro
    Signed-off-by: David S. Miller

    Al Viro
     
  • The cipso_v4_doi_search() function behaves the same as cipso_v4_doi_getdef()
    but is a local, static function so use it whenever possible in the CIPSOv4
    code base.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • The CIPSOv4 translated tag #1 mapping does not always return the correct error
    code if the desired mapping does not exist; instead of returning -EPERM it
    returns -ENOSPC indicating that the buffer is not large enough to hold the
    translated value. This was caused by failing to check a specific error
    condition. This patch fixes this so that unknown mappings return
    -EPERM which is consistent with the rest of the related CIPSOv4 code.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • While the original CIPSOv4 code had provisions for multiple tag types the
    implementation was not as great as it could be, pushing a lot of non-tag
    specific processing into the tag specific code blocks. This patch fixes that
    issue making it easier to support multiple tag types in the future.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Currently the CIPSOv4 engine does not do any sort of checking when a new DOI
    definition is added. The tags are still verified but only as a side effect of
    normal NetLabel operation (packet processing, socket labeling, etc.) which
    would cause application errors due to the faulty configuration. This patch
    adds tag checking when new DOI definitions are added allowing us to catch these
    configuration problems when they happen.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Right now the NetLabel code always jumps into the CIPSOv4 layer to determine if
    a CIPSO IP option is present. However, we can do this check directly in the
    NetLabel code by making use of the CIPSO_V4_OPTEXIST() macro which should save
    us a function call in the common case of not having a CIPSOv4 option present.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • The existing netlbl_lsm_secattr struct required the LSM to check all of the
    fields to determine if any security attributes were present resulting in a lot
    of work in the common case of no attributes. This patch adds a 'flags' field
    which is used to indicate which attributes are present in the structure; this
    should allow the LSM to do a quick comparison to determine if the structure
    holds any security attributes.

    Example:

      if (netlbl_lsm_secattr->flags)
          /* security attributes present */
      else
          /* NO security attributes present */

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Code diff stats:

    [acme@newtoy net-2.6.20]$ codiff /tmp/cipso_ipv4.o.before /tmp/cipso_ipv4.o.after
    /pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv4/cipso_ipv4.c:
    cipso_v4_cache_add | -46
    1 function changed, 46 bytes removed
    [acme@newtoy net-2.6.20]$

    Signed-off-by: Arnaldo Carvalho de Melo

    Arnaldo Carvalho de Melo
     
  • Signed-off-by: Al Viro
    Signed-off-by: David S. Miller

    Al Viro
     

31 Oct, 2006

1 commit

  • This patch makes two changes to protect applications from either removing or
    tampering with the CIPSOv4 IP option on a socket. The first is the requirement
    that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
    on a socket; this prevents untrusted applications from setting their own
    CIPSOv4 security attributes on the packets they send. The second change is to
    SELinux and it prevents applications from setting any IPv4 options when there
    is an IPOPT_CIPSO option already present on the socket; this prevents
    applications from removing CIPSOv4 security attributes from the packets they
    send.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris
    Signed-off-by: David S. Miller

    Paul Moore
     

16 Oct, 2006

2 commits


12 Oct, 2006

1 commit

  • Testing revealed a problem with the NetLabel cache where a cached entry could
    be freed while in use by the LSM layer causing an oops and other problems.
    This patch fixes that problem by introducing a reference counter to the cache
    entry so that it is only freed when it is no longer in use.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    paul.moore@hp.com
     

30 Sep, 2006

1 commit

  • Fix some issues Steve Grubb had with the way NetLabel was using the audit
    subsystem. This should make NetLabel more consistent with other kernel
    generated audit messages specifying configuration changes.

    Signed-off-by: Paul Moore
    Acked-by: Steve Grubb
    Signed-off-by: David S. Miller

    Paul Moore
     

29 Sep, 2006

1 commit

  • This patch adds audit support to NetLabel, including six new audit message
    types shown below.

    #define AUDIT_MAC_UNLBL_ACCEPT 1406
    #define AUDIT_MAC_UNLBL_DENY 1407
    #define AUDIT_MAC_CIPSOV4_ADD 1408
    #define AUDIT_MAC_CIPSOV4_DEL 1409
    #define AUDIT_MAC_MAP_ADD 1410
    #define AUDIT_MAC_MAP_DEL 1411

    Signed-off-by: Paul Moore
    Acked-by: James Morris
    Signed-off-by: David S. Miller

    Paul Moore
     

26 Sep, 2006

3 commits

  • At the suggestion of Thomas Graf, rewrite NetLabel's use of Netlink attributes
    to better follow the common Netlink attribute usage.

    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     
  • The CIPSOv4 cache traversal routines are triggered both by userspace events
    (cache invalidation due to DOI removal or updated SELinux policy) and network
    packet processing events. As a result there is a problem with the existing
    CIPSOv4 cache spinlocks as they are not bottom-half/softirq safe. This patch
    converts the CIPSOv4 cache spin_[un]lock() calls into spin_[un]lock_bh() calls
    to address this problem.

    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     
  • Fix a problem where NetLabel would always set the value of
    sk_security_struct->peer_sid in selinux_netlbl_sock_graft() to the context of
    the socket, causing problems when users would query the context of the
    connection. This patch fixes this so that the value in
    sk_security_struct->peer_sid is only set when the connection is NetLabel based,
    otherwise the value is untouched.

    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     

23 Sep, 2006

2 commits

  • This patch makes needlessly global code static.

    Signed-off-by: Adrian Bunk
    Signed-off-by: David S. Miller

    Adrian Bunk
     
  • Add support for the Commercial IP Security Option (CIPSO) to the IPv4
    network stack. CIPSO has become a de-facto standard for
    trusted/labeled networking amongst existing Trusted Operating Systems
    such as Trusted Solaris, HP-UX CMW, etc. This implementation is
    designed to be used with the NetLabel subsystem to provide explicit
    packet labeling to LSM developers.

    The CIPSO/IPv4 packet labeling works by the LSM calling a NetLabel API
    function which attaches a CIPSO label (IPv4 option) to a given socket;
    this in turn attaches the CIPSO label to every packet leaving the
    socket without any extra processing on the outbound side. On the
    inbound side the individual packet's sk_buff is examined through a
    call to a NetLabel API function to determine if a CIPSO/IPv4 label is
    present and if so the security attributes of the CIPSO label are
    returned to the caller of the NetLabel API function.

    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore