Age | Commit message | Author
2008-01-30 | security: compile capabilities by default | sergeh@us.ibm.com
Capabilities have long been the default when CONFIG_SECURITY=n, and its help text suggests turning it on when CONFIG_SECURITY=y. But it is set to default n. Default it to y instead.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: Matt LaPlante <kernel1@cyberdogtech.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | selinux: make selinux_set_mnt_opts() static | Adrian Bunk
selinux_set_mnt_opts() can become static.
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | SELinux: Add warning messages on network denial due to error | Paul Moore
Currently network traffic can be silently dropped due to non-avc errors, which can lead to much confusion when trying to debug the problem. This patch adds warning messages so that when these events occur there is a user-visible notification.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | SELinux: Add network ingress and egress control permission checks | Paul Moore
This patch implements packet ingress/egress controls for SELinux which allow SELinux security policy to control the flow of all IPv4 and IPv6 packets into and out of the system. Currently SELinux does not have proper control over forwarded packets and this patch corrects this problem. Special thanks to Venkat Yekkirala <vyekkirala@trustedcs.com> whose earlier work on this topic eventually led to this patch.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | NetLabel: Add auditing to the static labeling mechanism | Paul Moore
This patch adds auditing support to the NetLabel static labeling mechanism.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | NetLabel: Introduce static network labels for unlabeled connections | Paul Moore
Most trusted OSs, with the exception of Linux, have the ability to specify static security labels for unlabeled networks. This patch adds this ability to the NetLabel packet labeling framework. If the NetLabel subsystem is called to determine the security attributes of an incoming packet it first checks to see if any recognized NetLabel packet labeling protocols are in use on the packet. If none can be found then the unlabeled connection table is queried and, based on the packet's incoming interface and address, it is matched with a security label as configured by the administrator using the netlabel_tools package. The matching security label is returned to the caller just as if the packet was explicitly labeled using a labeling protocol.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
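The lookup order the commit message describes (a label carried by a recognized labeling protocol wins; otherwise the unlabeled-connection table is consulted by incoming interface and address) can be illustrated with a small user-space model. The following is an added example written for this page, not kernel or netlabel_tools code: the table layout, the IFINDEX_ANY wildcard, the "prefer an exact interface match, then the longest prefix" tie-break, the proto_secid parameter standing in for the protocol parsers, and every secid value are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added illustration of NetLabel-style fallback labeling. Not kernel code;
 * the structures, wildcard and secid values below are assumptions.
 */

#define IFINDEX_ANY 0   /* assumed wildcard: entry applies to any interface */
#define SECID_NONE  0u  /* no label could be determined */

struct fallback_entry {
    int      ifindex;   /* incoming interface, or IFINDEX_ANY */
    uint32_t addr;      /* IPv4 network address, host byte order */
    uint32_t mask;      /* netmask, host byte order */
    uint32_t secid;     /* label the administrator assigned */
};

/* Constructed sample configuration, as an admin might load with netlabel_tools. */
static const struct fallback_entry fallback_table[] = {
    { 2,           0x0A000000u, 0xFF000000u, 1001u }, /* if 2: 10.0.0.0/8      */
    { 2,           0x0A010000u, 0xFFFF0000u, 1002u }, /* if 2: 10.1.0.0/16     */
    { IFINDEX_ANY, 0xC0A80000u, 0xFFFF0000u, 1003u }, /* any:  192.168.0.0/16  */
    { IFINDEX_ANY, 0x0A000000u, 0xFF000000u, 1004u }, /* any:  10.0.0.0/8      */
};

/* Number of leading one bits in a contiguous netmask. */
static size_t prefix_len(uint32_t mask)
{
    size_t n = 0;
    while (mask & 0x80000000u) {
        n++;
        mask <<= 1;
    }
    return n;
}

/*
 * Fallback lookup: an entry bound to the packet's own interface beats a
 * wildcard entry, and within that preference the longest prefix wins.
 */
uint32_t fallback_lookup(int ifindex, uint32_t saddr)
{
    const struct fallback_entry *best = NULL;
    size_t i;
    int best_exact, e_exact;

    for (i = 0; i < sizeof fallback_table / sizeof fallback_table[0]; i++) {
        const struct fallback_entry *e = &fallback_table[i];

        if (e->ifindex != IFINDEX_ANY && e->ifindex != ifindex)
            continue;
        if ((saddr & e->mask) != (e->addr & e->mask))
            continue;
        if (best == NULL) {
            best = e;
            continue;
        }
        best_exact = best->ifindex != IFINDEX_ANY;
        e_exact = e->ifindex != IFINDEX_ANY;
        if (e_exact != best_exact) {
            if (e_exact)
                best = e;
            continue;
        }
        if (prefix_len(e->mask) > prefix_len(best->mask))
            best = e;
    }
    return best ? best->secid : SECID_NONE;
}

/*
 * Resolution order from the commit: a label carried by a recognized labeling
 * protocol is returned as-is; only unlabeled packets fall back to the table.
 * proto_secid stands in for the protocol parsers' result (SECID_NONE = none).
 */
uint32_t resolve_peer_secid(uint32_t proto_secid, int ifindex, uint32_t saddr)
{
    if (proto_secid != SECID_NONE)
        return proto_secid;
    return fallback_lookup(ifindex, saddr);
}

int main(void)
{
    /* 10.1.2.3 arriving unlabeled on interface 2: most specific if-2 entry */
    printf("secid=%u\n", resolve_peer_secid(SECID_NONE, 2, 0x0A010203u));
    /* same address on interface 3: only the wildcard /8 entry applies */
    printf("secid=%u\n", resolve_peer_secid(SECID_NONE, 3, 0x0A010203u));
    return 0;
}
```

Two points worth checking in any real configuration follow directly from this model: a wildcard entry with a 0.0.0.0/0 mask would label every unlabeled packet from every interface, so such a catch-all should be deliberate; and a packet that matches no entry is returned as SECID_NONE, which the caller must still treat as "unlabeled" rather than as a valid label.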
2008-01-30 | SELinux: Allow NetLabel to directly cache SIDs | Paul Moore
Now that the SELinux NetLabel "base SID" is always the netmsg initial SID we can do a big optimization - caching the SID and not just the MLS attributes. This not only saves a lot of per-packet memory allocations and copies but it has a nice side effect of removing a chunk of code.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | SELinux: Enable dynamic enable/disable of the network access checks | Paul Moore
This patch introduces a mechanism for checking when labeled IPsec or SECMARK are in use by introducing a configuration reference counter for each subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry is created the labeled IPsec/XFRM reference count is increased and when the entry is removed it is decreased. In the case of SECMARK, when a SECMARK target is created the reference count is increased and later decreased when the target is removed. These reference counters allow SELinux to quickly determine if either of these subsystems is enabled. NetLabel already has a similar mechanism which provides the netlbl_enabled() function. This patch also renames the selinux_relabel_packet_permission() function to selinux_secmark_relabel_packet_permission() as the original name and description were misleading in that they referenced a single packet label which is not the case.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | SELinux: Better integration between peer labeling subsystems | Paul Moore
Rework the handling of network peer labels so that the different peer labeling subsystems work better together. This includes moving both subsystems to a single "peer" object class which involves not only changes to the permission checks but an improved method of consolidating multiple packet peer labels. As part of this work the inbound packet permission check code has been heavily modified to handle both the old and new behavior in as sane a fashion as possible.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | SELinux: Add a new peer class and permissions to the Flask definitions | Paul Moore
Add additional Flask definitions to support the new "peer" object class and additional permissions to the netif, node, and packet object classes. Also, bring the kernel Flask definitions up to date with the Fedora SELinux policies by adding the "flow_in" and "flow_out" permissions to the "packet" class.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | SELinux: Add a capabilities bitmap to SELinux policy version 22 | Paul Moore
Add a new policy capabilities bitmap to SELinux policy version 22. This bitmap will enable the security server to query the policy to determine which features it supports.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions | Paul Moore
This patch adds a SELinux IP address/node SID caching mechanism similar to the sel_netif_*() functions. The node SID queries in the SELinux hooks files are also modified to take advantage of this new functionality. In addition, remove the address length information from the sk_buff parsing routines as it is redundant since we already have the address family.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | SELinux: Only store the network interface's ifindex | Paul Moore
Instead of storing the packet's network interface name store the ifindex. This allows us to defer the need to lookup the net_device structure until the audit record is generated meaning that in the majority of cases we never need to bother with this at all.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | SELinux: Convert the netif code to use ifindex values | Paul Moore
The current SELinux netif code requires the caller have a valid net_device struct pointer to lookup network interface information. However, we don't always have a valid net_device pointer so convert the netif code to use the ifindex values we always have as part of the sk_buff. This patch also removes the default message SID from the network interface record, it is not being used and therefore is "dead code".
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function | Paul Moore
In order to do any sort of IP header inspection of incoming packets we need to know which address family, AF_INET/AF_INET6/etc., it belongs to and since the sk_buff structure does not store this information we need to pass along the address family separate from the packet itself.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | NetLabel: Add secid token support to the NetLabel secattr struct | Paul Moore
This patch adds support to the NetLabel LSM secattr struct for a secid token and a type field, paving the way for full LSM/SELinux context support and "static" or "fallback" labels. In addition, this patch adds a fair amount of documentation to the core NetLabel structures used as part of the NetLabel kernel API.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | NetLabel: Consolidate the LSM domain mapping/hashing locks | Paul Moore
Currently we use two separate spinlocks to protect both the hash/mapping table and the default entry. This could be considered a bit foolish because it adds complexity without offering any real performance advantage. This patch removes the dedicated default spinlock and protects the default entry with the hash/mapping table spinlock.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | NetLabel: Cleanup the LSM domain hash functions | Paul Moore
The NetLabel/LSM domain hash table search function used an argument to specify if the default entry should be returned if an exact match couldn't be found in the hash table. This is a bit against the kernel's style so make two separate functions to represent the separate behaviors.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 | NetLabel: Remove unneeded RCU read locks | Paul Moore
This patch removes some unneeded RCU read locks as we can treat the reads as "safe" even without RCU. It also converts the NetLabel configuration refcount from a spinlock protected u32 into atomic_t to be more consistent with the rest of the kernel.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-29 | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6.25 | Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6.25: (1470 commits)
  [IPV6] ADDRLABEL: Fix double free on label deletion.
  [PPP]: Sparse warning fixes.
  [IPV4] fib_trie: remove unneeded NULL check
  [IPV4] fib_trie: More whitespace cleanup.
  [NET_SCHED]: Use nla_policy for attribute validation in ematches
  [NET_SCHED]: Use nla_policy for attribute validation in actions
  [NET_SCHED]: Use nla_policy for attribute validation in classifiers
  [NET_SCHED]: Use nla_policy for attribute validation in packet schedulers
  [NET_SCHED]: sch_api: introduce constant for rate table size
  [NET_SCHED]: Use typeful attribute parsing helpers
  [NET_SCHED]: Use typeful attribute construction helpers
  [NET_SCHED]: Use NLA_PUT_STRING for string dumping
  [NET_SCHED]: Use nla_nest_start/nla_nest_end
  [NET_SCHED]: Propagate nla_parse return value
  [NET_SCHED]: act_api: use PTR_ERR in tcf_action_init/tcf_action_get
  [NET_SCHED]: act_api: use nlmsg_parse
  [NET_SCHED]: act_api: fix netlink API conversion bug
  [NET_SCHED]: sch_netem: use nla_parse_nested_compat
  [NET_SCHED]: sch_atm: fix format string warning
  [NETNS]: Add namespace for ICMP replying code.
  ...
2008-01-29 | Merge branch 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus | Linus Torvalds
* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus: (68 commits)
  [MIPS] remove Documentation/mips/GT64120.README
  [MIPS] Malta: remaining bits of the board support code cleanup
  [MIPS] Malta: make the helper function static
  [MIPS] Malta: fix braces at single statement blocks
  [MIPS] Malta, Atlas: move an extern function declaration to the header file
  [MIPS] Malta: Use C89 style for comments
  [MIPS] Malta: else should follow close brace in malta_int.c
  [MIPS] Malta: remove a superfluous comment
  [MIPS] Malta: include <linux/cpu.h> instead of <asm/cpu.h>
  [MIPS] Malta, Atlas, Sead: remove an extern from .c files
  [MIPS] Malta: fix oversized lines in malta_int.c
  [MIPS] Malta: remove a dead function declaration
  [MIPS] Malta: use tabs not spaces
  [MIPS] Malta: set up the screen info in a separate function
  [MIPS] Malta: check the PCI clock frequency in a separate function
  [MIPS] Malta: use the KERN_ facility level in printk()
  [MIPS] Malta: use Linux kernel style for structure initialization
  [MIPS]: constify function pointer tables
  [MIPS] compat: handle argument endianness of sys32_(f)truncate64 with merge_64
  [MIPS] Cobalt 64-bits kernels can be safely unmarked experimental
  ...
2008-01-29 | Merge git://git.kernel.org/pub/scm/linux/kernel/git/sam/kbuild | Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/sam/kbuild: (79 commits)
  Remove references to "make dep"
  kconfig: document use of HAVE_*
  Introduce new section reference annotations tags: __ref, __refdata, __refconst
  kbuild: warn about ld added unique sections
  kbuild: add verbose option to Section mismatch reporting in modpost
  kconfig: tristate choices with mixed tristate and boolean values
  asm-generic/vmlix.lds.h: simplify __mem{init,exit}* dependencies
  remove __attribute_used__
  kbuild: support ARCH=x86 in buildtar
  kconfig: remove "enable"
  kbuild: simplified warning report in modpost
  kbuild: introduce a few helpers in modpost
  kbuild: use simpler section mismatch warnings in modpost
  kbuild: link vmlinux.o before kallsyms passes
  kbuild: introduce new option to enhance section mismatch analysis
  Use separate sections for __dev/__cpu/__mem code/data
  compiler.h: introduce __section()
  all archs: consolidate init and exit sections in vmlinux.lds.h
  kbuild: check section names consistently in modpost
  kbuild: introduce blacklisting in modpost
  ...
2008-01-29 | Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus | Linus Torvalds
* 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus:
  Module: check to see if we have a built in module with the same name
  module: add module taint on ndiswrapper
  module: fix the module name length in param_sysfs_builtin
  module: make module_address_lookup safe
  module: better OOPS and lockdep coverage for loading modules
  module: Fix gratuitous sprintf in module.c
  module: wait for dependent modules doing init.
  module: Don't report discarded init pages as kernel text.
2008-01-29 | Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 | Linus Torvalds
* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: (50 commits)
  jbd2: sparse pointer use of zero as null
  jbd2: Use round-jiffies() function for the "5 second" ext4/jbd2 wakeup
  jbd2: Mark jbd2 slabs as SLAB_TEMPORARY
  jbd2: add lockdep support
  ext4: Use the ext4_ext_actual_len() helper function
  ext4: fix uninitialized extent splitting error
  ext4: Check for return value from sb_set_blocksize
  ext4: Add stripe= option to /proc/mounts
  ext4: Enable the multiblock allocator by default
  ext4: Add multi block allocator for ext4
  ext4: Add new functions for searching extent tree
  ext4: Add ext4_find_next_bit()
  ext4: fix up EXT4FS_DEBUG builds
  ext4: Fix ext4_show_options to show the correct mount options.
  ext4: Add EXT4_IOC_MIGRATE ioctl
  ext4: Add inode version support in ext4
  vfs: Add 64 bit i_version support
  ext4: Add the journal checksum feature
  jbd2: jbd2 stats through procfs
  ext4: Take read lock during overwrite case.
  ...
2008-01-29 | [MIPS] remove Documentation/mips/GT64120.README | Dmitri Vorobiev
Based upon the 2.4 kernel, the information presented in the Documentation/mips/GT64120.README file is outdated. Worse, the document contents are plain misleading nowadays because the text mentions files and directories which have been deleted, moved or restructured for 2.6. This patch removes the documentation, which is no longer valid.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: remaining bits of the board support code cleanup | Dmitri Vorobiev
This patch factors out the code, which handles the Bonito system controller. The case of not supporting the DMA coherency is handled separately to make the logic obvious. Besides, a couple of empty lines added to beautify the code even further. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: make the helper function static | Dmitri Vorobiev
One helper function can become static. This patch adds the needed keyword. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: fix braces at single statement blocks | Dmitri Vorobiev
This patch fixes a couple of warnings reported by checkpatch.pl. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta, Atlas: move an extern function declaration to the header file | Dmitri Vorobiev
This was compile-tested using default configs for the boards affected by this change. This patch does not introduce any functional changes.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: Use C89 style for comments | Dmitri Vorobiev
Remove comments in C99 style and make checkpatch.pl happy. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: else should follow close brace in malta_int.c | Dmitri Vorobiev
This patch fixes two errors reported by checkpatch.pl. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: remove a superfluous comment | Dmitri Vorobiev
Using the "We die here" comment right before calling the die() function is an extremely vivid example of overcommenting. Remove the redundant comment and save one line. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: include <linux/cpu.h> instead of <asm/cpu.h> | Dmitri Vorobiev
The checkpatch.pl script reported a few warnings about header files. This patch fixes these warnings. Compile-tested using the default Malta config. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta, Atlas, Sead: remove an extern from .c files | Dmitri Vorobiev
This patch moves the "extern" declaration for the function mips_reboot_setup() from the board setup .c files to the header file include/asm-mips/mips-boards/generic.h. This fixes a warning produced by the checkpatch.pl script. No functional changes introduced. This was compile-tested by building the kernel for all three boards affected by this change. All builds finished successfully.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: fix oversized lines in malta_int.c | Dmitri Vorobiev
This patch fixes all "line over 80 characters" warnings found in arch/mips/mips-boards/malta/malta_int.c by the checkpatch.pl script. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: remove a dead function declaration | Dmitri Vorobiev
Neither is the mips_rtc_get_time() routine defined anywhere in the MIPS architecture-specific code, nor does anyone call it any more. This patch removes the extern declaration of this fossil. This patch does not introduce any functional changes.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: use tabs not spaces | Dmitri Vorobiev
This patch fixes all "use tabs not spaces" warnings reported by the checkpatch.pl script on the board-specific files. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: set up the screen info in a separate function | Dmitri Vorobiev
This patch adds a separate short and sweet function to initialize the screen_info global variable. This improves readability of the Malta board setup code. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: check the PCI clock frequency in a separate function | Dmitri Vorobiev
This patch adds a separate short and sweet function to check the PCI clock frequency. This is to improve readability of the Malta setup code. Along the way, a couple of coding style violations are fixed. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: use the KERN_ facility level in printk() | Dmitri Vorobiev
This patch adds the KERN_ macros to printk() calls. Where applicable, spaces are replaced by tabs. These changes noticeably reduce the number of errors and warnings reported by the checkpatch.pl script for the malta_int.c file.
Before the patch:
  total: 47 errors, 20 warnings, 354 lines checked
After the patch:
  total: 34 errors, 7 warnings, 355 lines checked
No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Malta: use Linux kernel style for structure initialization | Dmitri Vorobiev
This patch reformats the structure initialization code thus making the latter look idiomatic. No functional changes introduced.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS]: constify function pointer tables | Jan Engelhardt
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] compat: handle argument endianness of sys32_(f)truncate64 with merge_64 | Ralf Baechle
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Cobalt 64-bits kernels can be safely unmarked experimental | Florian Fainelli
64-bits Cobalt kernels run fine.
Signed-off-by: Florian Fainelli <florian.fainelli@telecomint.eu>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Qemu: Remove platform. | Ralf Baechle
The Qemu platform was originally implemented to have an easily supportable platform until Qemu reaches a state where it emulates a real world system. Since the latest release Qemu is capable of emulating the MIPSsim and Malta platforms, so this goal has been reached. The Qemu platform is also rather underfeatured so less useful than a Malta emulation.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] pnx8xxx: clocksource cleanups | Vitaly Wool
Signed-off-by: Vitaly Wool <vitalywool@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Lasat: Convert pvc_sem semaphore to mutex | Daniel Walker
I also changed the name to pvc_mutex, and moved the define to the file it's used in which allows it to be static.
Signed-off-by: Daniel Walker <dwalker@mvista.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] MTX-1: Add GPIO system button | Florian Fainelli
This patch adds support for the GPIO connected system button on the MTX-1 boards. Default configuration is updated accordingly.
Signed-off-by: Florian Fainelli <florian.fainelli@telecomint.eu>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] Delete CONFIG_MSP_FPGA | Ralf Baechle
Originally noticed by Jiri Olsa <olsajiri@gmail.com>.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-01-29 | [MIPS] move the eXcite local config to excite directory | Yoichi Yuasa
Moved the eXcite local config to excite directory.
Signed-off-by: Yoichi Yuasa <yoichi_yuasa@tripeaks.co.jp>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>