author | Linus Torvalds <torvalds@linux-foundation.org> | 2008-10-13 13:00:44 -0400 |
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-10-13 13:00:44 -0400 |
commit | 8d71ff0bef9cf4e70108a9a2762f2361e607abde (patch) | |
tree | a79487fceb6ec18e956373a3019416a43b269f1d /include | |
parent | 244dc4e54b73567fae7f8fd9ba56584be9375442 (diff) | |
parent | 92562927826fceb2f8e69c89e28161b8c1e0b125 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (24 commits)
integrity: special fs magic
As pointed out by Jonathan Corbet, the timer must be deleted before
ERROR: code indent should use tabs where possible
The tpm_dev_release function is only called for platform devices, not pnp
Protect tpm_chip_list when transversing it.
Renames num_open to is_open, as only one process can open the file at a time.
Remove the BKL calls from the TPM driver, which were added in the overall
netlabel: Add configuration support for local labeling
cipso: Add support for native local labeling and fixup mapping names
netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts
selinux: Cache NetLabel secattrs in the socket's security struct
selinux: Set socket NetLabel based on connection endpoint
netlabel: Add functionality to set the security attributes of a packet
netlabel: Add network address selectors to the NetLabel/LSM domain mapping
netlabel: Add a generic way to create ordered linked lists of network addrs
netlabel: Replace protocol/NetLabel linking with reference counts
smack: Fix missing calls to netlbl_skbuff_err()
selinux: Fix missing calls to netlbl_skbuff_err()
selinux: Fix a problem in security_netlbl_sid_to_secattr()
selinux: Better local/forward check in selinux_ip_postroute()
...
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/magic.h | 4 | ||||
-rw-r--r-- | include/net/cipso_ipv4.h | 55 | ||||
-rw-r--r-- | include/net/netlabel.h | 51 |
3 files changed, 78 insertions, 32 deletions
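--- a/include/linux/magic.h
+++ b/include/linux/magic.h
@@ -6,6 +6,10 @@
 #define AFS_SUPER_MAGIC 0x5346414F
 #define AUTOFS_SUPER_MAGIC 0x0187
 #define CODA_SUPER_MAGIC 0x73757245
+#define DEBUGFS_MAGIC 0x64626720
+#define SYSFS_MAGIC 0x62656572
+#define SECURITYFS_MAGIC 0x73636673
+#define TMPFS_MAGIC 0x01021994
 #define EFS_SUPER_MAGIC 0x414A53
 #define EXT2_SUPER_MAGIC 0xEF53
 #define EXT3_SUPER_MAGIC 0xEF53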
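Review bot: The four new constants are dropped as a group between CODA_SUPER_MAGIC and EFS_SUPER_MAGIC, which breaks the alphabetical order the surrounding entries follow (AFS, AUTOFS, CODA, EFS, EXT2, EXT3); DEBUGFS_MAGIC, SECURITYFS_MAGIC, SYSFS_MAGIC and TMPFS_MAGIC should each sit at their sorted position so the next contributor can see the list's rule. If any of these filesystems still carries a private copy of its magic value in its own source (not visible in this hunk), that copy should now be replaced by an include of this header rather than left to drift from the value security code will compare against. A short comment naming the consumer, e.g. `/* magic values matched by the integrity/IMA code against sb->s_magic */`, would also tell a reader why plain in-kernel filesystems suddenly need exported constants, if that is indeed the consumer.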
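--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -40,11 +40,12 @@
 #include <linux/net.h>
 #include <linux/skbuff.h>
 #include <net/netlabel.h>
+#include <asm/atomic.h>
 
 /* known doi values */
 #define CIPSO_V4_DOI_UNKNOWN 0x00000000
 
-/* tag types */
+/* standard tag types */
 #define CIPSO_V4_TAG_INVALID 0
 #define CIPSO_V4_TAG_RBITMAP 1
 #define CIPSO_V4_TAG_ENUM 2
@@ -52,10 +53,14 @@
 #define CIPSO_V4_TAG_PBITMAP 6
 #define CIPSO_V4_TAG_FREEFORM 7
 
+/* non-standard tag types (tags > 127) */
+#define CIPSO_V4_TAG_LOCAL 128
+
 /* doi mapping types */
 #define CIPSO_V4_MAP_UNKNOWN 0
-#define CIPSO_V4_MAP_STD 1
+#define CIPSO_V4_MAP_TRANS 1
 #define CIPSO_V4_MAP_PASS 2
+#define CIPSO_V4_MAP_LOCAL 3
 
 /* limits */
 #define CIPSO_V4_MAX_REM_LVLS 255
@@ -79,10 +84,9 @@ struct cipso_v4_doi {
 } map;
 u8 tags[CIPSO_V4_TAG_MAXCNT];
 
-u32 valid;
+atomic_t refcount;
 struct list_head list;
 struct rcu_head rcu;
-struct list_head dom_list;
 };
 
 /* Standard CIPSO mapping table */
@@ -128,25 +132,26 @@ extern int cipso_v4_rbm_strictvalid;
 
 #ifdef CONFIG_NETLABEL
 int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
-int cipso_v4_doi_remove(u32 doi,
-struct netlbl_audit *audit_info,
-void (*callback) (struct rcu_head * head));
+void cipso_v4_doi_free(struct cipso_v4_doi *doi_def);
+int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info);
 struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
+void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def);
 int cipso_v4_doi_walk(u32 *skip_cnt,
 int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
 void *cb_arg);
-int cipso_v4_doi_domhsh_add(struct cipso_v4_doi *doi_def, const char *domain);
-int cipso_v4_doi_domhsh_remove(struct cipso_v4_doi *doi_def,
-const char *domain);
 #else
 static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
 {
 return -ENOSYS;
 }
 
+static inline void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
+{
+return;
+}
+
 static inline int cipso_v4_doi_remove(u32 doi,
-struct netlbl_audit *audit_info,
-void (*callback) (struct rcu_head * head))
+struct netlbl_audit *audit_info)
 {
 return 0;
 }
@@ -206,10 +211,15 @@ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
 int cipso_v4_sock_setattr(struct sock *sk,
 const struct cipso_v4_doi *doi_def,
 const struct netlbl_lsm_secattr *secattr);
+void cipso_v4_sock_delattr(struct sock *sk);
 int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
+int cipso_v4_skbuff_setattr(struct sk_buff *skb,
+const struct cipso_v4_doi *doi_def,
+const struct netlbl_lsm_secattr *secattr);
+int cipso_v4_skbuff_delattr(struct sk_buff *skb);
 int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
 struct netlbl_lsm_secattr *secattr);
-int cipso_v4_validate(unsigned char **option);
+int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option);
 #else
 static inline void cipso_v4_error(struct sk_buff *skb,
 int error,
@@ -225,19 +235,36 @@ static inline int cipso_v4_sock_setattr(struct sock *sk,
 return -ENOSYS;
 }
 
+static inline void cipso_v4_sock_delattr(struct sock *sk)
+{
+}
+
 static inline int cipso_v4_sock_getattr(struct sock *sk,
 struct netlbl_lsm_secattr *secattr)
 {
 return -ENOSYS;
 }
 
+static inline int cipso_v4_skbuff_setattr(struct sk_buff *skb,
+const struct cipso_v4_doi *doi_def,
+const struct netlbl_lsm_secattr *secattr)
+{
+return -ENOSYS;
+}
+
+static inline int cipso_v4_skbuff_delattr(struct sk_buff *skb)
+{
+return -ENOSYS;
+}
+
 static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
 struct netlbl_lsm_secattr *secattr)
 {
 return -ENOSYS;
 }
 
-static inline int cipso_v4_validate(unsigned char **option)
+static inline int cipso_v4_validate(const struct sk_buff *skb,
+unsigned char **option)
 {
 return -ENOSYS;
 }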
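Review bot: `CIPSO_V4_TAG_LOCAL 128` (second hunk) is introduced with no statement of the trust boundary its name implies: a tag in the non-standard range carries a host-local label, so a CIPSO option using it can only be trusted on traffic that never left the host, otherwise a remote peer could hand the receiving LSM whatever local label it likes. The comment on that line should say so, e.g. `/* non-standard tag types (tags > 127); CIPSO_V4_TAG_LOCAL is host-local and must be rejected on any non-loopback input */`, and the new `skb` argument of `cipso_v4_validate()` (fourth hunk) presumably exists to make exactly that check possible, which is worth a one-line comment on the prototype rather than leaving callers to guess why a validator needs the packet. The DOI definition also gains an `atomic_t refcount` and `cipso_v4_doi_getdef()` gains a `cipso_v4_doi_putdef()` counterpart, but nothing in the header says a successful getdef must be balanced by a putdef, nor when a caller may call `cipso_v4_doi_free()` directly instead of going through `cipso_v4_doi_remove()`; a short ownership comment above those prototypes would prevent the leak/double-free class of mistakes this refactor invites. The `#else` stub for `cipso_v4_doi_putdef()` would fall between the third and fourth hunks and is not visible here, so I could not confirm that a `!CONFIG_NETLABEL` build still links.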
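--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -9,7 +9,7 @@
 */
 
 /*
-* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -72,8 +72,10 @@ struct cipso_v4_doi;
 /* NetLabel NETLINK protocol version
 * 1: initial version
 * 2: added static labels for unlabeled connections
+* 3: network selectors added to the NetLabel/LSM domain mapping and the
+* CIPSO_V4_MAP_LOCAL CIPSO mapping was added
 */
-#define NETLBL_PROTO_VERSION 2
+#define NETLBL_PROTO_VERSION 3
 
 /* NetLabel NETLINK types/families */
 #define NETLBL_NLTYPE_NONE 0
@@ -87,6 +89,8 @@ struct cipso_v4_doi;
 #define NETLBL_NLTYPE_CIPSOV6_NAME "NLBL_CIPSOv6"
 #define NETLBL_NLTYPE_UNLABELED 5
 #define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL"
+#define NETLBL_NLTYPE_ADDRSELECT 6
+#define NETLBL_NLTYPE_ADDRSELECT_NAME "NLBL_ADRSEL"
 
 /*
 * NetLabel - Kernel API for accessing the network packet label mappings.
@@ -200,7 +204,7 @@ struct netlbl_lsm_secattr {
 u32 type;
 char *domain;
 struct netlbl_lsm_cache *cache;
-union {
+struct {
 struct {
 struct netlbl_lsm_secattr_catmap *cat;
 u32 lvl;
@@ -352,12 +356,9 @@ static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr)
 int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info);
 int netlbl_cfg_unlbl_add_map(const char *domain,
 struct netlbl_audit *audit_info);
-int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
-struct netlbl_audit *audit_info);
 int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
 const char *domain,
 struct netlbl_audit *audit_info);
-int netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info);
 
 /*
 * LSM security attribute operations
@@ -380,12 +381,19 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
 int netlbl_enabled(void);
 int netlbl_sock_setattr(struct sock *sk,
 const struct netlbl_lsm_secattr *secattr);
+void netlbl_sock_delattr(struct sock *sk);
 int netlbl_sock_getattr(struct sock *sk,
 struct netlbl_lsm_secattr *secattr);
+int netlbl_conn_setattr(struct sock *sk,
+struct sockaddr *addr,
+const struct netlbl_lsm_secattr *secattr);
+int netlbl_skbuff_setattr(struct sk_buff *skb,
+u16 family,
+const struct netlbl_lsm_secattr *secattr);
 int netlbl_skbuff_getattr(const struct sk_buff *skb,
 u16 family,
 struct netlbl_lsm_secattr *secattr);
-void netlbl_skbuff_err(struct sk_buff *skb, int error);
+void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway);
 
 /*
 * LSM label mapping cache operations
@@ -404,22 +412,12 @@ static inline int netlbl_cfg_unlbl_add_map(const char *domain,
 {
 return -ENOSYS;
 }
-static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
-struct netlbl_audit *audit_info)
-{
-return -ENOSYS;
-}
 static inline int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
 const char *domain,
 struct netlbl_audit *audit_info)
 {
 return -ENOSYS;
 }
-static inline int netlbl_cfg_cipsov4_del(u32 doi,
-struct netlbl_audit *audit_info)
-{
-return -ENOSYS;
-}
 static inline int netlbl_secattr_catmap_walk(
 struct netlbl_lsm_secattr_catmap *catmap,
 u32 offset)
@@ -456,18 +454,35 @@ static inline int netlbl_sock_setattr(struct sock *sk,
 {
 return -ENOSYS;
 }
+static inline void netlbl_sock_delattr(struct sock *sk)
+{
+}
 static inline int netlbl_sock_getattr(struct sock *sk,
 struct netlbl_lsm_secattr *secattr)
 {
 return -ENOSYS;
 }
+static inline int netlbl_conn_setattr(struct sock *sk,
+struct sockaddr *addr,
+const struct netlbl_lsm_secattr *secattr)
+{
+return -ENOSYS;
+}
+static inline int netlbl_skbuff_setattr(struct sk_buff *skb,
+u16 family,
+const struct netlbl_lsm_secattr *secattr)
+{
+return -ENOSYS;
+}
 static inline int netlbl_skbuff_getattr(const struct sk_buff *skb,
 u16 family,
 struct netlbl_lsm_secattr *secattr)
 {
 return -ENOSYS;
 }
-static inline void netlbl_skbuff_err(struct sk_buff *skb, int error)
+static inline void netlbl_skbuff_err(struct sk_buff *skb,
+int error,
+int gateway)
 {
 return;
 }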
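Review bot: `netlbl_skbuff_err()` gains an `int gateway` parameter (sixth hunk) while the CIPSO-level `cipso_v4_error()` shown in the cipso_ipv4.h section of this same commit is declared with `u32 gateway`; the two layers should agree on one type, and since the name reads as a yes/no "this packet was being forwarded" flag rather than an address, the prototype deserves a comment such as `/* gateway: non-zero if the packet was being forwarded rather than delivered locally */` so LSM callers do not pass a host address by mistake. `netlbl_conn_setattr()` in the same hunk takes `struct sockaddr *addr` without `const`, although a set-attribute call has no business modifying the caller's address; `const struct sockaddr *addr` would document that contract and let callers pass read-only data. The `#else` stubs in the last two hunks do mirror every changed prototype, including the new three-argument `netlbl_skbuff_err()`, so a `!CONFIG_NETLABEL` build should still compile against this header.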