21 Oct, 2010
2 commits
-
Right now secmark has lots of direct selinux calls. Use all LSM calls and
remove all SELinux specific knowledge. The only SELinux specific knowledge
we leave is the mode. The only point is to make sure that other LSMs at
least test this generic code before they assume it works. (They may also
have to make changes if they do not represent labels as strings)
Signed-off-by: Eric Paris
Acked-by: Paul Moore
Acked-by: Patrick McHardy
Signed-off-by: James Morris
-
Commit 4a5a5c73 attempted to pass decent error messages back to userspace for
netfilter errors. In xt_SECMARK.c however the patch screwed up and returned
on 0 (aka no error) early and didn't finish setting up secmark. This results
in a kernel BUG if you use SECMARK.
Signed-off-by: Eric Paris
Acked-by: Paul Moore
Signed-off-by: James Morris
12 May, 2010
1 commit
-
Signed-off-by: Jan Engelhardt
25 Mar, 2010
3 commits
-
When extended status codes are available, such as ENOMEM on failed
allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing
them up to userspace seems like a good idea compared to just always
EINVAL.
Signed-off-by: Jan Engelhardt
-
Part of the transition of done by this semantic patch:
//
@ rule1 @
struct xt_target ops;
identifier check;
@@
ops.checkentry = check;

@@
identifier rule1.check;
@@
check(...) { }

@@
identifier rule1.check;
@@
check(...) { }
//
Signed-off-by: Jan Engelhardt
-
Restore function signatures from bool to int so that we can report
memory allocation failures or similar using -ENOMEM rather than
always having to pass -EINVAL back.
//
@@
type bool;
identifier check, par;
@@
-bool check
+int check
(struct xt_tgchk_param *par) { ... }
//
Minus the change it does to xt_ct_find_proto.
Signed-off-by: Jan Engelhardt
18 Mar, 2010
1 commit
-
Signed-off-by: Jan Engelhardt
08 Oct, 2008
5 commits
-
This patch does this for target extensions' destroy functions.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
-
This patch does this for target extensions' checkentry functions.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
-
This patch does this for target extensions' target functions.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
-
When a match or target is looked up using xt_find_{match,target},
Xtables will also search the NFPROTO_UNSPEC module list. This allows
for protocol-independent extensions (like xt_time) to be reused from
other components (e.g. arptables, ebtables).

Extensions that take different codepaths depending on match->family
or target->family of course cannot use NFPROTO_UNSPEC within the
registration structure (e.g. xt_pkttype).
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
-
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
10 Jun, 2008
1 commit
-
The following patch implements a new "security" table for iptables, so
that MAC (SELinux etc.) networking rules can be managed separately to
standard DAC rules.

This is to help with distro integration of the new secmark-based
network controls, per various previous discussions.

The need for a separate table arises from the fact that existing tools
and usage of iptables will likely clash with centralized MAC policy
management.

The SECMARK and CONNSECMARK targets will still be valid in the mangle
table to prevent breakage of existing users.
Signed-off-by: James Morris
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
14 Feb, 2008
1 commit
-
This patch makes the needlessly global secmark_tg_destroy() static.
Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
30 Jan, 2008
1 commit
-
This patch introduces a mechanism for checking when labeled IPsec or SECMARK
are in use by introducing a configuration reference counter for each
subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry
is created the labeled IPsec/XFRM reference count is increased and when the
entry is removed it is decreased. In the case of SECMARK, when a SECMARK
target is created the reference count is increased and later decreased when the
target is removed. These reference counters allow SELinux to quickly determine
if either of these subsystems is enabled.

NetLabel already has a similar mechanism which provides the netlbl_enabled()
function.

This patch also renames the selinux_relabel_packet_permission() function to
selinux_secmark_relabel_packet_permission() as the original name and
description were misleading in that they referenced a single packet label which
is not the case.
Signed-off-by: Paul Moore
Signed-off-by: James Morris
29 Jan, 2008
2 commits
-
Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
actually describing what the module does and not just
"netfilter XYZ target".
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Give all Netfilter modules consistent and unique symbol names.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
16 Oct, 2007
1 commit
-
With all the users of the double pointers removed, this patch mops up by
finally replacing all occurrences of sk_buff ** in the netfilter API by
sk_buff *.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
11 Jul, 2007
2 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Switch the return type of target checkentry functions to boolean.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
13 Feb, 2007
1 commit
-
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
09 Feb, 2007
1 commit
-
Remove unnecessary if() constructs before assignment.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
23 Sep, 2006
4 commits
-
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
-
The size is verified by x_tables and isn't needed by the modules anymore.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
03 Aug, 2006
1 commit
-
The patch below fixes a problem in the iptables SECMARK target, where
the user-supplied 'selctx' string may not be nul-terminated.

From initial analysis, it seems that the strlen() called from
selinux_string_to_sid() could run until it arbitrarily finds a zero,
and possibly cause a kernel oops before then.

The impact of this appears limited because the operation requires
CAP_NET_ADMIN, which is essentially always root. Also, the module is
not yet in wide use.
Signed-off-by: James Morris
Signed-off-by: Stephen Smalley
Signed-off-by: David S. Miller
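The nul-termination hazard the commit above describes, as an added example that is not part of the commit or of the kernel's code: a bounded check that rejects a fixed-size label buffer with no terminator inside the array before any strlen()-style scan touches it. SELCTX_MAX, struct secmark_info_demo, selctx_is_valid() and check_label_bytes() are names and sizes constructed for this demo.

```c
/* Added example, not the kernel's code: validate a fixed-size label
 * buffer copied from userspace before any strlen()-style scan of it.
 * SELCTX_MAX and the struct/function names are constructed for the demo. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SELCTX_MAX 16  /* constructed array size, not the kernel constant */

/* Shape of the target info: a fixed array copied verbatim from
 * userspace, so a terminating NUL cannot be assumed to be present. */
struct secmark_info_demo {
    char selctx[SELCTX_MAX];
};

/* Hardened check: memchr() is bounded by SELCTX_MAX, so it never reads
 * past the array the way strlen() would. A valid label needs a NUL
 * inside the array and must not be empty. Returns 1 if usable, else 0. */
int selctx_is_valid(const struct secmark_info_demo *info)
{
    const char *nul = memchr(info->selctx, '\0', SELCTX_MAX);
    return nul != NULL && nul != info->selctx;
}

/* Builds an info struct from n raw bytes (clamped to the array size) and
 * runs the check. The rest of the array is poisoned with 'A' so that no
 * accidental zero makes an unterminated label look terminated. */
int check_label_bytes(const char *bytes, size_t n)
{
    struct secmark_info_demo info;
    memset(info.selctx, 'A', SELCTX_MAX);
    memcpy(info.selctx, bytes, n < SELCTX_MAX ? n : SELCTX_MAX);
    return selctx_is_valid(&info);
}

int main(void)
{
    /* constructed inputs: a terminated label, one that fills the whole
     * array with no terminator, and an empty string */
    printf("terminated:   %d\n", check_label_bytes("system_u:x", 11));
    printf("unterminated: %d\n", check_label_bytes("AAAAAAAAAAAAAAAA", 16));
    printf("empty:        %d\n", check_label_bytes("", 1));
    return 0;
}
```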
18 Jun, 2006
1 commit
-
Add a SECMARK target to xtables, allowing the admin to apply security
marks to packets via both iptables and ip6tables.

The target currently handles SELinux security marking, but can be
extended for other purposes as needed.
Signed-off-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller