linux-toradex.git/net/ipv4/ip_options.c, branch v2.6.19.2 Linux kernel for Apalis and Colibri modules [NetLabel]: protect the CIPSOv4 socket option from setsockopt() 2006-10-30T23:24:49+00:00 Paul Moore paul.moore@hp.com 2006-10-30T23:22:15+00:00 f8687afefcc821fc47c75775eec87731fe3de360 This patch makes two changes to protect applications from either removing or tampering with the CIPSOv4 IP option on a socket. The first is the requirement that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option on a socket; this prevents untrusted applications from setting their own CIPSOv4 security attributes on the packets they send. The second change is to SELinux and it prevents applications from setting any IPv4 options when there is an IPOPT_CIPSO option already present on the socket; this prevents applications from removing CIPSOv4 security attributes from the packets they send. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch makes two changes to protect applications from either removing or
tampering with the CIPSOv4 IP option on a socket.  The first is the requirement
that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
on a socket; this prevents untrusted applications from setting their own
CIPSOv4 security attributes on the packets they send.  The second change is to
SELinux and it prevents applications from setting any IPv4 options when there
is an IPOPT_CIPSO option already present on the socket; this prevents
applications from removing CIPSOv4 security attributes from the packets they
send.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: trivial ip_options.c annotations 2006-09-29T01:01:55+00:00 Al Viro viro@zeniv.linux.org.uk 2006-09-28T01:28:47+00:00 e25d2ca6b2808c427704b01608baf0f7dea1696e Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: struct ip_options annotations 2006-09-29T01:01:53+00:00 Al Viro viro@zeniv.linux.org.uk 2006-09-28T01:28:07+00:00 3ca3c68e76686bee058937ade2b96f4de58ee434 ->faddr is net-endian; annotated as such, variables inferred to be net-endian annotated. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> 
->faddr is net-endian; annotated as such, variables inferred to be net-endian
annotated.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: ip_options_build() annotations 2006-09-29T01:01:18+00:00 Al Viro viro@zeniv.linux.org.uk 2006-09-27T05:27:05+00:00 8712f774dc47ec6353c9b75317d6db62e58d9367 daddr is net-endian Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> 
daddr is net-endian

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: inet_addr_type() annotations 2006-09-29T01:01:07+00:00 Al Viro viro@zeniv.linux.org.uk 2006-09-27T05:17:51+00:00 fd6832220974809141b3981e380b78690bba8911 argument and inferred net-endian variables in callers annotated. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> 
argument and inferred net-endian variables in callers annotated.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: ip_route_input() annotations 2006-09-29T00:54:02+00:00 Al Viro viro@zeniv.linux.org.uk 2006-09-27T04:25:20+00:00 9e12bb22e32389b41222c9d9fb55724fed83a038 ip_route_input() takes net-endian source and destination address. * Annotated as such. * arguments of its invocations annotated where needed. * local helpers getting the same values passed to by it (ip_route_input_mc(), ip_route_input_slow(), ip_handle_martian_source(), ip_mkroute_input(), ip_mkroute_input_def(), __mkroute_input()) annotated Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> 
ip_route_input() takes net-endian source and destination address.
* Annotated as such.
* arguments of its invocations annotated where needed.
* local helpers getting the same values passed to by it (ip_route_input_mc(),
ip_route_input_slow(), ip_handle_martian_source(), ip_mkroute_input(),
ip_mkroute_input_def(), __mkroute_input()) annotated

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
[INET]: Remove is_setbyuser patch 2006-09-22T21:54:10+00:00 Louis Nyffenegger louis.nyffenegger@gmail.com 2006-08-08T07:56:11+00:00 1a01912ae0a5666c4c24eaae2b4821711e2ad79a The value is_setbyuser from struct ip_options is never used and set only one time (http://linux-net.osdl.org/index.php/TODO#IPV4). This little patch removes it from the kernel source. Signed-off-by: Louis Nyffenegger <louis.nyffenegger@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
The value is_setbyuser from struct ip_options is never used and set
only one time (http://linux-net.osdl.org/index.php/TODO#IPV4).
This little patch removes it from the kernel source.

Signed-off-by: Louis Nyffenegger <louis.nyffenegger@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NetLabel]: core network changes 2006-09-22T21:53:32+00:00 Paul Moore paul.moore@hp.com 2006-08-03T23:46:20+00:00 11a03f78fbf15a866ba3bf6359a75cdfd1ced703 Changes to the core network stack to support the NetLabel subsystem. This includes changes to the IPv4 option handling to support CIPSO labels. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Changes to the core network stack to support the NetLabel subsystem.  This
includes changes to the IPv4 option handling to support CIPSO labels.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: Get rid of redundant IPCB->opts initialisation 2006-07-21T21:29:53+00:00 Herbert Xu herbert@gondor.apana.org.au 2006-07-21T21:29:53+00:00 5d9c5a32920c5c0e6716b0f6ed16157783dc56a4 Now that we always zero the IPCB->opts in ip_rcv, it is no longer necessary to do so before calling netif_rx for tunneled packets. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> 
Now that we always zero the IPCB->opts in ip_rcv, it is no longer
necessary to do so before calling netif_rx for tunneled packets.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: ip_options_fragment() has no effect on fragmentation 2006-05-09T22:18:50+00:00 Wei Yongjun weiyj@soft.fujitsu.com 2006-05-09T22:18:50+00:00 63cbd2fda38f3d1f107c4fd6261e5660be3eccf9 Fix error point to options in ip_options_fragment(). optptr get a error pointer to the ipv4 header, correct is pointer to ipv4 options. Signed-off-by: Wei Yongjun <weiyj@soft.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Fix error point to options in ip_options_fragment(). optptr get a
error pointer to the ipv4 header, correct is pointer to ipv4 options.

Signed-off-by: Wei Yongjun <weiyj@soft.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>