author    Linus Torvalds <torvalds@linux-foundation.org>  2013-11-13 03:40:34 -0500
committer Linus Torvalds <torvalds@linux-foundation.org>  2013-11-13 03:40:34 -0500
commit    42a2d923cc349583ebf6fdd52a7d35e1c2f7e6bd (patch)
tree      2b2b0c03b5389c1301800119333967efafd994ca /security
parent    5cbb3d216e2041700231bcfc383ee5f8b7fc8b74 (diff)
parent    75ecab1df14d90e86cebef9ec5c76befde46e65f (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
Pull networking updates from David Miller:

 1) The addition of nftables. No longer will we need protocol aware firewall filtering modules, it can all live in userspace.

    At the core of nftables is a, for lack of a better term, virtual machine that executes byte codes to inspect packet or metadata (arriving interface index, etc.) and make verdict decisions.

    Besides support for loading packet contents and comparing them, the interpreter supports lookups in various data structures as fundamental operations. For example sets are supported, and therefore one could create a set of whitelist IP address entries which have ACCEPT verdicts attached to them, and use the appropriate byte codes to do such lookups.

    Since the interpreted code is composed in userspace, userspace can do things like optimize things before giving it to the kernel.

    Another major improvement is the capability of atomically updating portions of the ruleset. In the existing netfilter implementation, one has to update the entire rule set in order to make a change and this is very expensive.

    Userspace tools exist to create nftables rules using existing netfilter rule sets, but both kernel implementations will need to co-exist for quite some time as we transition from the old to the new stuff.

    Kudos to Patrick McHardy, Pablo Neira Ayuso, and others who have worked so hard on this.

 2) Daniel Borkmann and Hannes Frederic Sowa made several improvements to our pseudo-random number generator, mostly used for things like UDP port randomization and netfilter, amongst other things.

    In particular the taus88 generator is updated to taus113, and test cases are added.

 3) Support 64-bit rates in HTB and TBF schedulers, from Eric Dumazet and Yang Yingliang.

 4) Add support for new 577xx tigon3 chips to tg3 driver, from Nithin Sujir.

 5) Fix two fatal flaws in TCP dynamic right sizing, from Eric Dumazet, Neal Cardwell, and Yuchung Cheng.

 6) Allow IP_TOS and IP_TTL to be specified in sendmsg() ancillary control message data, much like other socket option attributes. From Francesco Fusco.

 7) Allow applications to specify a cap on the rate computed automatically by the kernel for pacing flows, via a new SO_MAX_PACING_RATE socket option. From Eric Dumazet.

 8) Make the initial autotuned send buffer sizing in TCP more closely reflect actual needs, from Eric Dumazet.

 9) Currently early socket demux only happens for TCP sockets, but we can do it for connected UDP sockets too. Implementation from Shawn Bohrer.

10) Refactor inet socket demux with the goal of improving hash demux performance for listening sockets, with the main goals being able to use RCU lookups on even request sockets, and eliminating the listening lock contention. From Eric Dumazet.

11) The bonding layer has many demuxes in its fast path, and an RCU conversion was started back in 3.11, several changes here extend the RCU usage to even more locations. From Ding Tianhong and Wang Yufen, based upon suggestions by Nikolay Aleksandrov and Veaceslav Falico.

12) Allow stackability of segmentation offloads to, in particular, allow segmentation offloading over tunnels. From Eric Dumazet.

13) Significantly improve the handling of secret keys we input into the various hash functions in the inet hashtables, TCP fast open, as well as syncookies. From Hannes Frederic Sowa. The key fundamental operation is "net_get_random_once()" which uses static keys.

    Hannes even extended this to ipv4/ipv6 fragmentation handling and our generic flow dissector.

14) The generic driver layer takes care now to set the driver data to NULL on device removal, so it's no longer necessary for drivers to explicitly set it to NULL any more. Many drivers have been cleaned up in this way, from Jingoo Han.

15) Add a BPF based packet scheduler classifier, from Daniel Borkmann.

16) Improve CRC32 interfaces and generic SKB checksum iterators so that SCTP's checksumming can more cleanly be handled. Also from Daniel Borkmann.

17) Add a new PMTU discovery mode, IP_PMTUDISC_INTERFACE, which forces using the interface MTU value. This helps avoid PMTU attacks, particularly on DNS servers. From Hannes Frederic Sowa.

18) Use generic XPS for transmit queue steering rather than internal (re-)implementation in virtio-net. From Jason Wang.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1622 commits)
  random32: add test cases for taus113 implementation
  random32: upgrade taus88 generator to taus113 from errata paper
  random32: move rnd_state to linux/random.h
  random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized
  random32: add periodic reseeding
  random32: fix off-by-one in seeding requirement
  PHY: Add RTL8201CP phy_driver to realtek
  xtsonic: add missing platform_set_drvdata() in xtsonic_probe()
  macmace: add missing platform_set_drvdata() in mace_probe()
  ethernet/arc/arc_emac: add missing platform_set_drvdata() in arc_emac_probe()
  ipv6: protect for_each_sk_fl_rcu in mem_check with rcu_read_lock_bh
  vlan: Implement vlan_dev_get_egress_qos_mask as an inline.
  ixgbe: add warning when max_vfs is out of range.
  igb: Update link modes display in ethtool
  netfilter: push reasm skb through instead of original frag skbs
  ip6_output: fragment outgoing reassembled skb properly
  MAINTAINERS: mv643xx_eth: take over maintainership from Lennart
  net_sched: tbf: support of 64bit rates
  ixgbe: deleting dfwd stations out of order can cause null ptr deref
  ixgbe: fix build err, num_rx_queues is only available with CONFIG_RPS
  ...
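Item 17 of the pull summary introduces the IP_PMTUDISC_INTERFACE mode, under which the kernel sends using the interface MTU instead of a path MTU estimate. The following is an added example for this page, not code from the merge commit or from the kernel tree: a userspace UDP server (the kind of DNS-server deployment the summary mentions) opts a socket into that mode with setsockopt(IP_MTU_DISCOVER) and reads the setting back so the switch can be verified. It assumes a Linux toolchain; the function names are the example's own, and the fallback #define gives the kernel's uapi value for headers that predate the option.

```c
/* Added example: select IP_PMTUDISC_INTERFACE on a UDP socket and confirm it.
 * Not part of the merge commit; Linux-only. Function names are illustrative. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_PMTUDISC_INTERFACE
#define IP_PMTUDISC_INTERFACE 4   /* value from include/uapi/linux/in.h; fallback for old headers */
#endif

/* Apply the interface-MTU mode to fd and return the mode the kernel reports
 * back via getsockopt(), or -1 (with errno set) if either call fails. */
int set_pmtu_interface_mode(int fd)
{
    int mode = IP_PMTUDISC_INTERFACE;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof(mode)) < 0)
        return -1;

    int readback = 0;
    socklen_t len = sizeof(readback);
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &readback, &len) < 0)
        return -1;
    return readback;
}

/* Create a throwaway IPv4 UDP socket, apply the mode, and return the
 * read-back value; -1 if the socket could not be created or configured. */
int udp_socket_pmtu_interface_mode(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int result = set_pmtu_interface_mode(fd);
    int saved_errno = errno;
    close(fd);
    errno = saved_errno;
    return result;
}

int main(void)
{
    int mode = udp_socket_pmtu_interface_mode();
    if (mode < 0) {
        fprintf(stderr, "IP_PMTUDISC_INTERFACE not applied: %s\n", strerror(errno));
        return 1;
    }
    printf("IP_MTU_DISCOVER now reads back as %d (IP_PMTUDISC_INTERFACE is %d)\n",
           mode, IP_PMTUDISC_INTERFACE);
    return 0;
}
```

A kernel older than this merge rejects the value with EINVAL, so the read-back check doubles as a runtime capability probe: a server can fall back to its previous behaviour rather than assume the mode took effect.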
Diffstat (limited to 'security')
-rw-r--r--  security/lsm_audit.c      |  7
-rw-r--r--  security/selinux/hooks.c  | 12
2 files changed, 10 insertions, 9 deletions
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 8d8d97dbb389..234bc2ab450c 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -302,18 +302,19 @@ static void dump_common_audit_data(struct audit_buffer *ab,
302 "faddr", "fport"); 302 "faddr", "fport");
303 break; 303 break;
304 } 304 }
305#if IS_ENABLED(CONFIG_IPV6)
305 case AF_INET6: { 306 case AF_INET6: {
306 struct inet_sock *inet = inet_sk(sk); 307 struct inet_sock *inet = inet_sk(sk);
307 struct ipv6_pinfo *inet6 = inet6_sk(sk);
308 308
309 print_ipv6_addr(ab, &inet6->rcv_saddr, 309 print_ipv6_addr(ab, &sk->sk_v6_rcv_saddr,
310 inet->inet_sport, 310 inet->inet_sport,
311 "laddr", "lport"); 311 "laddr", "lport");
312 print_ipv6_addr(ab, &inet6->daddr, 312 print_ipv6_addr(ab, &sk->sk_v6_daddr,
313 inet->inet_dport, 313 inet->inet_dport,
314 "faddr", "fport"); 314 "faddr", "fport");
315 break; 315 break;
316 } 316 }
317#endif
317 case AF_UNIX: 318 case AF_UNIX:
318 u = unix_sk(sk); 319 u = unix_sk(sk);
319 if (u->path.dentry) { 320 if (u->path.dentry) {
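Review bot: the new `#if IS_ENABLED(CONFIG_IPV6)` guard around `case AF_INET6:` uses a different idiom from the `#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)` guards that security/selinux/hooks.c keeps in this same merge; `IS_ENABLED()` already covers both the built-in and module cases, so the hooks.c guards could be converted to match. Dropping the `struct ipv6_pinfo *inet6` local is the right companion to reading `&sk->sk_v6_rcv_saddr` and `&sk->sk_v6_daddr`: both addresses now come from `struct sock` itself, so there is no unused variable and no `inet6_sk()` call whose result is only meaningful when IPv6 is enabled. With IPv6 disabled an `AF_INET6` socket now falls to the switch's default handling rather than printing `laddr`/`faddr`, which is fine only as long as such a socket cannot exist in that configuration.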
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5b5231068516..c540795fb3f2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3928,7 +3928,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3928 if (snum) { 3928 if (snum) {
3929 int low, high; 3929 int low, high;
3930 3930
3931 inet_get_local_port_range(&low, &high); 3931 inet_get_local_port_range(sock_net(sk), &low, &high);
3932 3932
3933 if (snum < max(PROT_SOCK, low) || snum > high) { 3933 if (snum < max(PROT_SOCK, low) || snum > high) {
3934 err = sel_netport_sid(sk->sk_protocol, 3934 err = sel_netport_sid(sk->sk_protocol,
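Review bot: `inet_get_local_port_range(sock_net(sk), &low, &high)` makes the privileged-port check namespace-aware, so whether `snum < max(PROT_SOCK, low) || snum > high` is taken, and therefore whether `sel_netport_sid()` is consulted for this bind, now depends on the `ip_local_port_range` of the socket's own network namespace rather than the initial one. That is the intended semantics, but it is policy-visible: a namespace that lowers `low` changes which ports get the port-label check, which is worth a line in the SELinux changelog. The hunk does not show where `sk` comes from, but it is already dereferenced as `sk->sk_protocol` two lines later, so `sock_net(sk)` is safe at this point.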
@@ -4667,7 +4667,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4667 return NF_ACCEPT; 4667 return NF_ACCEPT;
4668} 4668}
4669 4669
4670static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4670static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4671 struct sk_buff *skb, 4671 struct sk_buff *skb,
4672 const struct net_device *in, 4672 const struct net_device *in,
4673 const struct net_device *out, 4673 const struct net_device *out,
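Review bot: the prototype change from `unsigned int hooknum` to `const struct nf_hook_ops *ops` is visible only for the first line of `selinux_ipv4_forward()`; the hunk ends before the body, so a reviewer cannot tell from it whether the function consumed `hooknum` (which would now have to be `ops->hooknum`) or never used it. Please check the body and the `nf_hook_ops` table that registers these callbacks: a stale `hooknum` reference is a compile error, but a callback left on the old prototype in the registration table surfaces only as an incompatible-pointer-type warning.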
@@ -4677,7 +4677,7 @@ static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4677} 4677}
4678 4678
4679#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4679#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4680static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4680static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4681 struct sk_buff *skb, 4681 struct sk_buff *skb,
4682 const struct net_device *in, 4682 const struct net_device *in,
4683 const struct net_device *out, 4683 const struct net_device *out,
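Review bot: same prototype change for `selinux_ipv6_forward()` as for the IPv4 hook, nothing further on the signature itself. One style point on the context line: `#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)` is the older spelling of `#if IS_ENABLED(CONFIG_IPV6)`, which security/lsm_audit.c adopts in this merge; since this hunk and the postroute hunk below both touch lines directly under such guards, converting them would keep the file consistent with the rest of the subsystem. Not a blocker for the merge, a follow-up cleanup.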
@@ -4709,7 +4709,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
4709 return NF_ACCEPT; 4709 return NF_ACCEPT;
4710} 4710}
4711 4711
4712static unsigned int selinux_ipv4_output(unsigned int hooknum, 4712static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4713 struct sk_buff *skb, 4713 struct sk_buff *skb,
4714 const struct net_device *in, 4714 const struct net_device *in,
4715 const struct net_device *out, 4715 const struct net_device *out,
@@ -4836,7 +4836,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4836 return NF_ACCEPT; 4836 return NF_ACCEPT;
4837} 4837}
4838 4838
4839static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4839static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
4840 struct sk_buff *skb, 4840 struct sk_buff *skb,
4841 const struct net_device *in, 4841 const struct net_device *in,
4842 const struct net_device *out, 4842 const struct net_device *out,
@@ -4846,7 +4846,7 @@ static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4846} 4846}
4847 4847
4848#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4848#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4849static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4849static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
4850 struct sk_buff *skb, 4850 struct sk_buff *skb,
4851 const struct net_device *in, 4851 const struct net_device *in,
4852 const struct net_device *out, 4852 const struct net_device *out,