linux-toradex.git/net/netlabel, branch v2.6.30.2 Linux kernel for Apalis and Colibri modules netlabel: Always remove the correct address selector 2009-04-22T07:46:09+00:00 Paul Moore paul.moore@hp.com 2009-04-21T10:04:22+00:00 50b2ff1bc47baacb8e9882b2b2a74b240ddbeecf The NetLabel address selector mechanism has a problem where it can get mistakenly remove the wrong selector when similar addresses are used. The problem is caused when multiple addresses are configured that have different netmasks but the same address, e.g. 127.0.0.0/8 and 127.0.0.0/24. This patch fixes the problem. Reported-by: Etienne Basset <etienne.basset@numericable.fr> Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Tested-by: Etienne Basset <etienne.basset@numericable.fr> Signed-off-by: David S. Miller <davem@davemloft.net> 
The NetLabel address selector mechanism has a problem where it can get
mistakenly remove the wrong selector when similar addresses are used.  The
problem is caused when multiple addresses are configured that have different
netmasks but the same address, e.g. 127.0.0.0/8 and 127.0.0.0/24.  This patch
fixes the problem.

Reported-by: Etienne Basset <etienne.basset@numericable.fr>
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Tested-by: Etienne Basset <etienne.basset@numericable.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections 2009-03-28T04:01:37+00:00 Paul Moore paul.moore@hp.com 2009-03-27T21:10:54+00:00 07feee8f812f7327a46186f7604df312c8c81962 This patch cleans up a lot of the Smack network access control code. The largest changes are to fix the labeling of incoming TCP connections in a manner similar to the recent SELinux changes which use the security_inet_conn_request() hook to label the request_sock and let the label move to the child socket via the normal network stack mechanisms. In addition to the incoming TCP connection fixes this patch also removes the smk_labled field from the socket_smack struct as the minor optimization advantage was outweighed by the difficulty in maintaining it's proper state. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <jmorris@namei.org> 
This patch cleans up a lot of the Smack network access control code.  The
largest changes are to fix the labeling of incoming TCP connections in a
manner similar to the recent SELinux changes which use the
security_inet_conn_request() hook to label the request_sock and let the label
move to the child socket via the normal network stack mechanisms.  In addition
to the incoming TCP connection fixes this patch also removes the smk_labled
field from the socket_smack struct as the minor optimization advantage was
outweighed by the difficulty in maintaining it's proper state.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
netlabel: Label incoming TCP connections correctly in SELinux 2009-03-28T04:01:36+00:00 Paul Moore paul.moore@hp.com 2009-03-27T21:10:34+00:00 389fb800ac8be2832efedd19978a2b8ced37eb61 The current NetLabel/SELinux behavior for incoming TCP connections works but only through a series of happy coincidences that rely on the limited nature of standard CIPSO (only able to convey MLS attributes) and the write equality imposed by the SELinux MLS constraints. The problem is that network sockets created as the result of an incoming TCP connection were not on-the-wire labeled based on the security attributes of the parent socket but rather based on the wire label of the remote peer. The issue had to do with how IP options were managed as part of the network stack and where the LSM hooks were in relation to the code which set the IP options on these newly created child sockets. While NetLabel/SELinux did correctly set the socket's on-the-wire label it was promptly cleared by the network stack and reset based on the IP options of the remote peer. This patch, in conjunction with a prior patch that adjusted the LSM hook locations, works to set the correct on-the-wire label format for new incoming connections through the security_inet_conn_request() hook. Besides the correct behavior there are many advantages to this change, the most significant is that all of the NetLabel socket labeling code in SELinux now lives in hooks which can return error codes to the core stack which allows us to finally get ride of the selinux_netlbl_inode_permission() logic which greatly simplfies the NetLabel/SELinux glue code. In the process of developing this patch I also ran into a small handful of AF_INET6 cleanliness issues that have been fixed which should make the code safer and easier to extend in the future. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <jmorris@namei.org> 
The current NetLabel/SELinux behavior for incoming TCP connections works but
only through a series of happy coincidences that rely on the limited nature of
standard CIPSO (only able to convey MLS attributes) and the write equality
imposed by the SELinux MLS constraints.  The problem is that network sockets
created as the result of an incoming TCP connection were not on-the-wire
labeled based on the security attributes of the parent socket but rather based
on the wire label of the remote peer.  The issue had to do with how IP options
were managed as part of the network stack and where the LSM hooks were in
relation to the code which set the IP options on these newly created child
sockets.  While NetLabel/SELinux did correctly set the socket's on-the-wire
label it was promptly cleared by the network stack and reset based on the IP
options of the remote peer.

This patch, in conjunction with a prior patch that adjusted the LSM hook
locations, works to set the correct on-the-wire label format for new incoming
connections through the security_inet_conn_request() hook.  Besides the
correct behavior there are many advantages to this change, the most significant
is that all of the NetLabel socket labeling code in SELinux now lives in hooks
which can return error codes to the core stack which allows us to finally get
ride of the selinux_netlbl_inode_permission() logic which greatly simplfies
the NetLabel/SELinux glue code.  In the process of developing this patch I
also ran into a small handful of AF_INET6 cleanliness issues that have been
fixed which should make the code safer and easier to extend in the future.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
netlabel: Update kernel configuration API 2008-12-31T17:54:11+00:00 Paul Moore paul.moore@hp.com 2008-12-31T17:54:11+00:00 6c2e8ac0953fccdd24dc6c4b9e08e8f1cd68cf07 Update the NetLabel kernel API to expose the new features added in kernel releases 2.6.25 and 2.6.28: the static/fallback label functionality and network address based selectors. Signed-off-by: Paul Moore <paul.moore@hp.com> 
Update the NetLabel kernel API to expose the new features added in kernel
releases 2.6.25 and 2.6.28: the static/fallback label functionality and network
address based selectors.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2008-12-16T04:03:50+00:00 David S. Miller davem@davemloft.net 2008-12-16T04:03:50+00:00 eb14f019597cd86c21a6c601d7e900f40030c2e7 Conflicts: drivers/net/e1000e/ich8lan.c 
Conflicts:

	drivers/net/e1000e/ich8lan.c
netlabel: Compiler warning and NULL pointer dereference fix 2008-12-12T05:31:50+00:00 Paul Moore paul.moore@hp.com 2008-12-12T05:31:50+00:00 ec8f2375d7584969501918651241f91eca2a6ad3 Fix the two compiler warnings show below. Thanks to Geert Uytterhoeven for finding and reporting the problem. net/netlabel/netlabel_unlabeled.c:567: warning: 'entry' may be used uninitialized in this function net/netlabel/netlabel_unlabeled.c:629: warning: 'entry' may be used uninitialized in this function Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Fix the two compiler warnings show below.  Thanks to Geert Uytterhoeven for
finding and reporting the problem.

 net/netlabel/netlabel_unlabeled.c:567: warning: 'entry' may be used
   uninitialized in this function
 net/netlabel/netlabel_unlabeled.c:629: warning: 'entry' may be used
   uninitialized in this function

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2008-12-06T06:54:40+00:00 David S. Miller davem@davemloft.net 2008-12-06T06:54:40+00:00 730c30ec646bd252a9448a66ecd51d794853513f Conflicts: drivers/net/wireless/iwlwifi/iwl-core.c drivers/net/wireless/iwlwifi/iwl-sta.c 
Conflicts:

	drivers/net/wireless/iwlwifi/iwl-core.c
	drivers/net/wireless/iwlwifi/iwl-sta.c
netlabel: Fix a potential NULL pointer dereference 2008-12-03T08:37:04+00:00 Paul Moore paul.moore@hp.com 2008-12-03T08:37:04+00:00 d25830e5507f6bc815f5dd7e2eb65f172e878a2b Fix a potential NULL pointer dereference seen when trying to remove a static label configuration with an invalid address/mask combination. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Fix a potential NULL pointer dereference seen when trying to remove a
static label configuration with an invalid address/mask combination.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net: remove redundant argument comments 2008-11-22T01:15:03+00:00 Qinghuang Feng qhfeng.kernel@gmail.com 2008-11-22T01:15:03+00:00 cf005b1d0e34d8c964347331c43de089c674a5a1 Remove redundant argument comments in files of net/* Signed-off-by: Qinghuang Feng <qhfeng.kernel@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Remove redundant argument comments in files of net/*

Signed-off-by: Qinghuang Feng <qhfeng.kernel@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net: replace NIPQUAD() in net/*/ 2008-10-31T07:54:56+00:00 Harvey Harrison harvey.harrison@gmail.com 2008-10-31T07:54:56+00:00 21454aaad30651ba0dcc16fe5271bc12ee21f132 Using NIPQUAD() with NIPQUAD_FMT, %d.%d.%d.%d or %u.%u.%u.%u can be replaced with %pI4 Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Using NIPQUAD() with NIPQUAD_FMT, %d.%d.%d.%d or %u.%u.%u.%u
can be replaced with %pI4

Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>